December 14, 2024

Is Internet Voting Secure? The Science and the Policy Battles

I will be presenting a similarly titled paper at the 2022 Symposium Contemporary Issues in Election Law run by the University of New Hampshire Law review, October 7th in Concord, NH. The paper will be published in the UNH Law Review in 2023 and is available now on SSRN.

I have already serialized parts of this paper on Freedom-to-Tinker: Securing the Vote; unsurprising and surprising insecurities in Democracy Live’s OmniBallot; the New Jersey lawsuit (and settlement); the New York (et al.) lawsuit; lawsuits in VA, NJ, NY, NH, and in NC; inherent insecurity; accommodating voters with disabilities; and Switzerland’s system.

Now here it is in one coherent whole, with footnotes.

Abstract. No known technology can make internet voting secure, according to the clear scientific consensus. In some applications—such as e-pollbooks (voter sign-in), voter registration, and absentee ballot request—it is appropriate to use the internet, as the inherent insecurity can be mitigated by other means. But the insecurity of paperless transmission of a voted ballot through the internet, cannot be mitigated.

The law recognizes this in several ways. Courts have enjoined the use of certain paperless or internet-connected voting systems. Federal law requires states to allow voters to use the internet to request absentee ballots, but carefully stops short of internet ballot return (i.e., voting).

But many U.S. states and a few countries go beyond what is safe: they have adopted internet voting, for citizens living abroad and (in some cases) for voters with disabilities.

Most internet voting systems have an essentially common architecture, and they are insecure at least at the same key point, after the voter has reviewed the ballot but before it is transmitted. I review six internet voting systems deployed 2006-2021 that were insecure in practice, just as predicted by theory—and some were also insecure in surprising new ways, “unforced errors”.

We can’t get along without the assistance of computers. U.S. ballots are too long to count entirely by hand unless the special circumstances of a recount require it. So computer-counted paper ballots play a critical role in the security and auditability of our elections. But audits cannot be used to secure internet voting systems, which have no paper ballots that form an auditable paper trail.

So there are policy controversies: trustworthiness versus convenience, security versus accessibility. In 2019-22 there were lawsuits in Virginia, New Jersey, New York, New Hampshire, and North Carolina; legislation enacted in Rhode Island and withdrawn in California. There is a common pattern to these disputes, which have mostly resolved in a way that provides remote accessible vote by mail (RAVBM) but stops short of permitting electronic ballot return (internet voting).

What would it take to thoroughly review a proposed internet voting system to be assured whether it delivers the security it promises? Switzerland provides a case study. In Switzerland, after a few years of internet voting pilot projects, the Federal Chancellery commissioned several extremely thorough expert studies of their deployed system. These reports teach us not only about their internet voting system itself but about how to study those systems before making policy decisions.

Accessibility of election systems to voters with disabilities is a genuine problem. Disability-rights groups have been among those lobbying for internet voting (which is not securable) and other forms of remote accessible vote by mail (which can be adequately securable). I review statistics showing that internet voting is probably not the most effective way to serve voters with disabilities.

Comments

  1. You may be interested in the new Secure Internet Voting design @ siv.org/protocol
    It provides auditable results (incl. against malware on the voters’ devices), while preserving voters’ privacy.

  2. Dave Bernstein says

    Votes conducted over the internet and counted in real time – e.g. in New England Town Meetings – can be audited by voters in real time.

    • David Jefferson says

      I am not sure what you mean. How do you propose to authenticate voters over the Internet? What exactly do you mean by “audit”? Exactly what data will you check against what other data to verify what property of the outcome? (Without a paper ballot it’s certainly not a risk limiting audit.) How do you propose to “audit” the election in real time while authenticating voters in real time, and not reveal any information to anyone about who cast which vote?