May 26, 2020

Can Legislatures Safely Vote by Internet?

It is a well understood scientific fact that Internet voting in public elections is not securable: “the Internet should not be used for the return of marked ballots. … [N]o known technology guarantees the secrecy, security, and verifiability of a marked ballot transmitted over the Internet.

But can legislatures (city councils, county boards, or the U.S. Congress) safely vote by Internet? Perhaps they can. To understand why, let’s examine two important differences between legislature votes and public elections:

  1. Public elections require the secret ballot; legislatures can vote by public roll-call vote.
  2. Internet voting requires digital credentials; the U.S. has no effective way to distribute digital credentials to the public, but it is feasible to provide credentials to members of a legislature.

The cyberthreats facing any kind of Internet voting include:

  • (A) hackers impersonating a voter,
  • (B) hackers exploiting server vulnerabilities to fraudulently change the software that counts votes,
  • (C) hackers exploiting (voter’s phones and laptops) client vulnerabilities to fraudulently change the software that transmits votes, and
  • (D) Other attacks, such as denial of service: prevent some legislators from acccessing the Internet.

(Blockchain can’t solve these problems; see pages 103-105 )

But suppose a legislative body wished to avoid meeting in person during a pandemic. Could these threats be mitigated sufficiently?

(A) It is feasible to distribute security tokens to the 15 members of a county commission or the 435 members of the House of Representatives, in a way that’s not feasible for 235 million registered voters. Even without security tokens, a Member who is personally known to the clerk of the legislature could vote by video chat, in an emergency. (Caveats: Security tokens are highly secure but not perfect; video chat could be subject to deep fakes; but see below for mitigations.)

(B,C) Attacks that compromise the client or server computers can be detected and corrected, if everyone’s vote is displayed on a “public bulletin board.” That is, each member of the legislature would transmit his or her vote, then must check the public roll-call display to make sure the vote was reported and recorded accurately.

Checking the public roll-call display isn’t so simple, since hackers could alter the member’s client device (e.g., laptop computer or phone) to make it lie about what’s downloaded from the roll-call display. A Member should check the roll-call from a variety of devices in a variety of locations, or (perhaps) coordinate with other Members to make sure they’re getting a consistent report.

This remote workaround would not be simple and easy. Careful protocols must be designed to limit the amount of time for members to contest their vote; one must consider what happens if Members game the system (by falsely claiming their vote was altered); one must consider what happens if lobbyists are literally sitting next to the member during voting (which is less likely when the member is gathered in a public place for a traditional vote). What do the legislatures quorum rules mean in this context? And many legislatures prefer to take many votes by “voice vote” where each member’s individual vote is not recorded.

And just because Internet roll-call votes may be feasible to secure, that doesn’t mean they’re automatically a good idea, or legal: see this report by the Majority staff of the House of Representatives.

Conclusion: we know that Internet voting by the public is impossible to secure, and thus we must not vote by Internet even during the COVID-19 epidemic. But Internet voting by legislatures is not necessarily impossible to secure, and could reasonably be considered. If legislative bodies desire to meet and vote remotely, there is still plenty of work to do to actually secure the process. And that’s difficult to do in a hurry.

Comments

  1. David Jefferson says:

    I do think it is feasible to allow legislators to vote remotely along these lines, at least as far as security is concerned. But there is one security problem that I find vexing and that perhaps deserves special attention.

    A denial of service (DoS) attack on the infrastructure of a legislator’s home or remote office could prevent him or her from voting on a crucial bill. There are many ways to do that, either by insiders, such as employees of the legislator’s ISP, or by remote attacks on the home or office router, etc. Such attacks could be very hard to distinguish from other temporary communication failures.

    In a close vote, the disenfranchisement of a few legislators on one side of the vote could switch the outcome.