Internet Voting: Security, Experimentation and Innovation
SUMMARY REPORT ON THE e-Voting Workshop
Sponsored by the National Science Foundation
And hosted by the Freedom Forum
October 11 and 12, 2000
Prepared by Thomas Bryer
This meeting took place over two days at the Freedom Forum. Attached are the names and affiliation of panelists as well as guests. The panelists consisted of social scientists, computer scientists, and state election administration officials.
The format was as follows: a sub-panel presented an overview of issues dealing either with a subset of social science issues or technology issues relating to Internet voting, followed by general discussion and comment among and between the full panel. Limited interaction was held between the guests and the panelists during the formal proceedings.
This summary report will be broken down into two components: social science issues and technology issues. These subjects were alternated over the two-day meeting and many subjects within the overarching issues indeed are entangled. For ease of reporting and reading I will separate them out here.
Observations and commentary in this summary report will focus on the discussion of the meeting, but I may from time to time refer to external but related documentation. I will provide a summary report on the literature sourced in preparation for this meeting in a later document.
Social Science Issues
The key question considered was this: what problem(s) are we trying to solve with Internet voting? Six answers are:
1. Voting is inconvenient;
2. Handicapped voters have access difficulty;
3. Voters overseas often do not receive ballots or receive ballots too late to vote;
4. Voting times and locations are inflexible;
5. Registering to vote can be confusing and updating registration information can be time-consuming;
6. Election and candidate information can be difficult to find.
Internet voting should seek to:
1. Make voting easier/more convenient (to increase turnout);
2. Better accommodate handicapped voters;
3. Allow for more timely overseas voting;
4. Provide more flexibility in voting;
5. Make voter registration, and updating registration information, easier;
6. Make election/candidate information easier to find.
The overall goal, inclusive of the above six, was seen as increasing voter turnout. This led to the obvious question: would Internet voting actually increase turnout?
Consider the following turnout and registration numbers:
51.5% turnout of registered voters
36.4% turnout of eligible voters
70.6% of eligible voters registered
66% turnout of registered voters
49.8% turnout of eligible voters
74.4% of eligible voters registered
78.02% turnout of registered voters
55.23% turnout of eligible voters
70.7% of eligible voters registered
72.5% turnout of registered voters
50.15% turnout of eligible voters
69.20% of eligible voters registered
These numbers indicate that the voting turnout problem is not entirely one of getting more people to the polls, because 65% up to nearly 80% of registered voters have voted in recent presidential election years. The challenge instead is increasing the number of registered voters that are of voting age. The technology issues around electronic registration will be discussed later.
Experiences on college campuses have shown an increase in turnout among student voters for campus elections when the Internet was used. This does not necessarily translate into similar participation and voting patterns among college students for a public election, should that election be held over the Internet. Similarly, the binding Democratic Arizona primary saw higher turnout than usual, but this was relative to the 1992 non-competitive primary and the Republican primaries of past years. A confounding variable in the Arizona primary election was that Democratic candidate Bill Bradley dropped out of the race in the middle of the ten-day Internet voting period. Final statewide voting statistics are being withheld from the public by the voting system vendor election.com until such time as all legal action has been resolved.
The digital divide needs to be addressed in the design of any Internet voting system. This divide cannot be defined explicitly as Internet users versus non-Internet users; political participants and non-participants need to be inserted into the equation as well. Non-participants/non-users are a group that will need more than access to get to the polls; non-participants/users might be "wooed" into the process while they are working on or surfing the web; participants/non-users will likely not quit participating but find access; participants/users will remain in the fold with no change.
If turnout does not increase there is a threat of disillusionment among voting system reformers, technology experts, and others investing time and energy into the e-voting movement.
Overall, any Internet voting system needs public acceptance and a positive public perception of security on the Internet, and it needs to be transparent in its operation to the public. These issues all relate to the multi-faceted technological design of an Internet voting system.
Technology Issues
"The inevitability of death, taxes, and software errors…."
Issues to consider when contemplating and testing various technological designs of an Internet voting system consist of:
5. Verifiability & Auditing;
6. Eligibility & Authentication;
9. Trusted Authority;
12. Platforms & Standards.
There are several conflicting desires named above and within the traditional desires of voting. If a voter votes from their personal home computer (item number 3 - convenience) there exist three sacrifices: 1) guaranteed privacy; 2) non-coercibility; and 3) verifiability. You may be in the comfort of your home, but in a relatively open environment compared to the voting booth in a polling station. If a voter needs to use a computer in a public library it may be even less private. On the same note, who is to say who is with an individual voter when casting their vote away from the eye of a poll watcher? Campaign officials buying votes? Voters selling votes? The election.com web site, with good intention but poor design, uses an image showing a voter sitting at a computer and two dark-suited men standing behind her, one pointing at the screen. Is this an image of things to come? Lastly, and also on the same note, is the issue of verifiability. How can election officials be sure about who actually submitted the vote?
The loss of guaranteed privacy is a sacrifice that will have to be accepted as we move towards remote Internet voting systems. Non-coercibility is a real issue. We can say: "It's your vote; if you want to sell it you can". Or else we can protect against forced votes that are against an individual's will by designing the voting system to allow vote changes up until the time the polls close; the final vote cast is the one that counts. This may enable a voter to sell their vote multiple times, but anybody willing to pay for it under the circumstances of the system setup may be better off separated from his or her money. There are technological solutions to the issue of verifiability.
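The revoting rule described above (a voter may change their vote until the polls close, and only the final vote counts) can be expressed as a tally procedure. The following is an added example, not part of the workshop report or any vendor's system; the ballot record layout, voter tokens, candidate names and closing time are all constructed assumptions.

```python
from datetime import datetime, timezone

# Constructed closing time and sample records (assumptions for illustration):
# (receipt sequence number, voter token, cast time, choice)
POLLS_CLOSE = datetime(2000, 11, 7, 20, 0, tzinfo=timezone.utc)

def _t(hour, minute):
    return datetime(2000, 11, 7, hour, minute, tzinfo=timezone.utc)

SAMPLE_BALLOTS = [
    (1, "voter-A", _t(9, 0), "Candidate X"),    # e.g. cast under pressure
    (2, "voter-B", _t(10, 30), "Candidate Y"),
    (3, "voter-A", _t(18, 45), "Candidate Y"),  # later revote replaces seq 1
    (4, "voter-C", _t(19, 59), "Candidate X"),
    (5, "voter-C", _t(20, 1), "Candidate Y"),   # after close: rejected, seq 4 stands
    (6, "voter-B", _t(10, 30), "Candidate X"),  # same timestamp as seq 2: higher seq wins
]

def tally_final_votes(ballots, polls_close):
    """Return (counts, rejected, superseded) under a last-vote-wins rule."""
    final = {}        # voter token -> (cast_time, seq, choice)
    rejected = []     # sequence numbers received at or after close
    superseded = []   # sequence numbers replaced by a later ballot
    for seq, voter, cast_time, choice in sorted(ballots):
        # Assumption: a ballot stamped exactly at closing time is too late.
        if cast_time >= polls_close:
            rejected.append(seq)
            continue
        current = final.get(voter)
        if current is None:
            final[voter] = (cast_time, seq, choice)
        elif (cast_time, seq) > (current[0], current[1]):
            # Later ballot wins; equal timestamps fall back to receipt order.
            superseded.append(current[1])
            final[voter] = (cast_time, seq, choice)
        else:
            superseded.append(seq)
    counts = {}
    for _, _, choice in final.values():
        counts[choice] = counts.get(choice, 0) + 1
    return counts, rejected, sorted(superseded)
```

Note that this rule requires the server to keep each ballot linked to a voter token until the polls close, which is in tension with the voter anonymity the report also asks for.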
The digital signature is used in commercial settings today and can be put to use for voting purposes as well. Like all things digital, however, the digital signature is a cryptographic device with a code that can be decrypted, which would be a breach of security and a loss of guaranteed verifiability. Another option is to distribute to voters a CD ROM or smaller computer chip or piece of hardware to insert into a computer. This CD ROM or chip can contain voter identification information. This presents several difficulties: 1) how is the CD or chip inserted and run; 2) what if the device is broken; 3) what if it is lost?
Voters always find a way to incorrectly fill out a ballot. The same is true with Internet voting. Education will be necessary to erase any knowledge gaps, or else the system will need to be easily understandable to all. If the device is broken it will clearly need to be replaced, but near the close of polls this may be difficult and cost a voter the opportunity to exercise his or her franchise. If it is lost, a replacement may be more difficult. One option, perhaps less realistic but possibly implementable, is to program the device to beep two days before the election.
Outside a controlled environment where voters are left on their own to find a web site from which to officially cast their vote there are several risks. First is the risk of hacking. I could - if I didn't think any of my colleagues or friends were supporting the best candidate - hack into their personal and office computers and disable them, rendering their ability to vote impossible. Similarly if I thought the whole electoral process was no good (this is all hypothetical remember) I could hack into the server side and launch the equivalent of Armageddon.
Second is the risk of a voter walking into a false voting site - a spoofed site. This site would look identical to an official voting site and collect all personal information - name, address, voter ID code, and vote codes. The voter would submit his or her votes and believe his/her civic duty has been performed. Only the votes and personal information have ended up not in the official vote database but in the hands of somebody who will take the voter's information and resubmit it with a different vote. The web is fraught with perils such as this.
A solution to both problems on the client side (hacking and spoofing) is for a CD ROM to be loaded with the official voting program while also freezing all other computer programs - web browsers, email programs, etc. The only thing running would be the voting software. This option, while being highly secure, would be cumbersome for some, challenging to others, and simply insane to a few, such as myself, who would never load anything onto their computer whose partial function is to freeze all other computer operations (even if the source is known to be a government office).
Many of these issues are centered on the concept of remote Internet voting (the ability to vote from home or another location anywhere in the world). Since there are so many issues involved there is consensus among social scientists, computer scientists, and election officials that there currently does not exist the technology to fully and practically implement a remote Internet voting system.
Complete electronic voter registration is more of a technological and security challenge than e-voting. Due to the need for absolute identity verification and to guard against fraudulent registrations, there is no sight of online registration in the near future. As the movement towards same-day registration picks up and gains more acceptance in states and districts, serious thought will need to be given to how to reconcile the need for verifiable registration with the opportunity, and possible long-term requirement, to vote via the Internet.
Instead, the near-term progress in this field will bring us computers set up at polling stations and maybe voting kiosks set up throughout a voting precinct. For the time being the Internet voting exercise will be largely academic - can we securely send thousands of votes from a client computer to a server while maintaining voter anonymity and identification verifiability?
There are a couple more issues that need to be brought up in the discussion on Internet voting. First is that of existing election and communications laws. For example the law forbidding campaign material to be displayed within fifty feet of a voting station would need to be reexamined as we phase polling stations out and move towards remote voting. How can web-based candidate advertising be limited? Should it be? Can a candidate link from his or her web site to the official voting site? What about the good citizen in a rural or small town who owns the only computer in the area - can he or she display campaign signs on his or her property while inviting neighbors and friends to use his or her computer to vote? If not can a law to protect against that be enforced?
Encryption laws also need to be considered. Are there any laws preventing the thorough testing of electronic voting systems?
Liability is another issue. If a voting system fails, who is liable: the system vendor (e.g., votehere.net, election.com), the election administration, or somebody else?
There are many issues to consider when forging ahead with experimentation and design of Internet voting systems. I have named some of them here; there are others that nobody has yet thought of. Social scientists are not convinced that e-voting will have any great impact on voter turnout and civic participation; computer scientists are still struggling with the multiple technology challenges; and election administration officials are skeptical of the ability to maintain a legitimate voting system and uphold the sanctity of the vote in the context of the Internet. It is agreed that the drive for remote Internet voting will come from elected officials eager to make full use of new and advancing technologies.
Reform America, Inc.
2503 Hatteras Circle, Waldorf, MD 20601