Internet Voting: How Far Can We Go Safely?
By Ed Felten, Princeton University
June 05, 2009
This article was posted at the Freedom to Tinker blog and is rreposted here with permission.
Yesterday I chaired an interesting panel on Internet Voting at CFP.
Participants included Amy Bjelland and Craig Stender (State of
Arizona), Susan Dzieduszycka-Suinat (Overseas Vote Foundation) Avi
Rubin (Johns Hopkins), and Alec Yasinsac (Univ. of South Alabama).
Thanks to David Bruggeman and Cameron Wilson at USACM for setting up the panel.
Nobody advocated a full-on web voting system that would allow voting
from any web browser. Instead, the emphasis was on more modest steps,
aimed specifically at overseas voters. Overseas voters are a good
target population, because there aren't too many of them -- making
experimentation less risky -- and because vote-by-mail serves them
Discussion focused on two types of systems: voting kiosks, and Internet transmission of absentee ballots.
A voting kiosk is a computer-based system, running carefully
configured software, that is set up in a securable location overseas.
Voters come to this location, authenticate themselves, and vote just as
they would in a polling place back home. A good kiosk system keeps an
electronic record, which is transmitted securely across the Internet to
voting officials in the voter's home jurisdiction. It also keeps a
paper record, verifiable by the voter, which is sent back to voting
officials after the elections, enabling a post-election audit. A kiosk
can use optical-scan technology or it can be a touch-screen machine
with a paper trail -- essentially it's a standard voting system with a
paper trail, connected to home across the Internet. If the engineering
is done right, if the home system that receives the electronic ballots
is walled off from the central vote-tabulating system, and if
appropriate post-election auditing is done, this system can be secure
enough to use. All of the panelists agreed that this type of system is
worth trying, at least as a pilot test.
The other approach is use ordinary absentee ballots, but to
distribute them and allow voters to return them online. A voter goes to
a web site and downloads a file containing an absentee ballot and a
cover sheet. After printing out the file, the voter fills out the cover
sheet (giving his name and other information) and the ballot. He scans
the cover sheet and ballot, and uploads the scan to a web site.
Election officials collect and print the resulting file, and treat the
printout like an ordinary absentee ballot.
Kevin Poulsen and Eric Rescorla
criticize the security of this system, and for good reason. Internet
distribution of blank ballots can be secure enough, if done very
carefully, but returning filled-out ballots from an ordinary computer
and browser is risky. Eric summarizes the risks:
We have integrity issues here as well: as Poulsen suggests (and quotes
Rubin as suggesting), there are a number of ways for things to go wrong
here: an attacker could subvert your computer and have it modify the
ballots before sending them; you could get phished and the phisher
could modify your ballot appropriately before passing it on to the
central site. Finally, the attacker could subvert the central server
and modify the ballots before they are printed out.
Despite the risks, systems of this sort are moving forward in
various places. Arizona has one, which Amy and Craig demonstrated for
the panel's audience, and the Overseas Vote Foundation has one as well.
Why is this less-secure alternative getting more traction than
kiosk-based systems? Partly it's due to the convenience of being able
to vote from anywhere (with a Net connection) instead of having to
visit a kiosk location. That's understandable. But another part of the
reason seems to be that people don't realize what can go wrong, and how
often things actually do go wrong, in online interactions.
In the end, there was a lot of agreement among the panelists -- a
rare occurrence in public e-voting discussions -- but disagreement
remained about how far we can go safely. For overseas voters at least,
the gap between what is convenient and what can be made safe is smaller
than it is elsewhere, but that gap does still exist.
Comment on This Article
You must login to leave comments...
Other Visitors Comments
There are no comments currently....