Risks in computer-related voting have been discussed here by Peter Neumann in November 1990 and by Rebecca Mercuri in November 1992 and 1993. Recently we've seen the rise of a new class of likely risks in this area, directly related to the massive expansion of the Internet and Web.
This is not a theoretical issue: the Arizona Democratic Party recently held its (relatively small) presidential primary, reported to be the first legally binding U.S. public election allowing Web-based voting. Although there were problems related to confused voters and overloaded systems, supporters of the Arizona project (including the firms providing the technology) touted the election as a major success. In their view, the proof was the increased voter turnout over the party's primary four years earlier (reportedly more than a six-fold increase). But the comparison is basically meaningless, since the previous primary involved an unopposed President Clinton, hardly a cliffhanger.
Now other states and even the federal government seem to be on the fast track toward converting every Web browser into a voting machine. In reality, this rush to permit such voting remains a highly risky proposition, riddled with serious technical pitfalls that are rarely discussed.
Some of these issues are fairly obvious, such as the need to provide accurate and verifiable vote counts while simultaneously enforcing rigorous authentication of voters (and still making it impossible to retroactively determine how a given person voted). All software involved in the election process should have its source code subject to inspection by trusted outside experts, which is not always simple with proprietary "off-the-shelf" software. But even with such inspections, these systems are likely to have bugs and problems of various sorts, some of which will not be found and fixed quickly; that is an inescapable aspect of complex software systems.
Perhaps of far greater concern is the apparent lack of understanding suggested by permitting the use of ordinary PC operating systems and standard Web browsers for Internet voting. The use of digital certificates and secure Web sites for such voting can help authenticate connections and protect the communications between voters and the voting servers, but those are not where the biggest risks are lurking. In the recent mass releases of credit-card numbers and other customer information, it was typically the security of the servers themselves that was at fault, not communications security. The same kinds of security failures leading to private information disclosure or unauthorized modifications are possible with Internet voting, just as in the commercial arena.
Another serious concern is the ease with which voters' PCs could be compromised prior to elections by hostile software (perhaps surreptitiously loaded onto these systems via email attachments, innocent-appearing Web downloads, or other means) that could invisibly alter the voter's input, ballot selections, and displayed output, with no clue to the voter or the voting server that this has occurred. Software for such purposes, similar to that used to implement distributed denial-of-service attacks, could be straightforward to design. Deployed on a sufficiently large scale (which might actually not need to be very large in the case of tight races), election results could be altered through such manipulations. There isn't an obvious technique for avoiding the possibility of such tampering without resorting to "single-use" operating systems and specialized voting software, which would need to be specially booted (from distributed floppy disks or CD-ROMs) on voters' systems, presenting significant configuration complexities.
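The two preceding points, that a protected channel does not protect the endpoints and that hostile software on the voter's PC can rewrite a ballot invisibly, can be made concrete with a small simulation. The following is an added illustration, not code from the column or from any actual voting system; the shared-key HMAC stands in for the certificate/secure-site layer, and the voter identifiers, candidate names and class names are all constructed for the example. A compromised client changes the selection before the ballot is authenticated and shows the voter what they expected, so the server sees a perfectly valid submission and the voter sees a perfectly normal confirmation:

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo data: four voters, each with a shared authentication key.
# The keys stand in for the certificates the column mentions; they protect
# the connection, not the machine the voter is sitting at.
VOTER_KEYS = {f"voter-{i}": secrets.token_bytes(32) for i in range(1, 5)}


def ballot_tag(key: bytes, ballot: dict) -> bytes:
    """Authenticate a ballot exactly as the client is about to send it."""
    payload = json.dumps(ballot, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).digest()


class VotingServer:
    """Accepts a ballot only if its tag verifies under the voter's key."""

    def __init__(self, voter_keys: dict):
        self.voter_keys = voter_keys
        self.ballots = {}

    def cast(self, ballot: dict, tag: bytes) -> bool:
        key = self.voter_keys.get(ballot.get("voter"))
        if key is None or not hmac.compare_digest(ballot_tag(key, ballot), tag):
            return False          # forged or altered in transit: rejected
        if ballot["voter"] in self.ballots:
            return False          # one ballot per voter
        self.ballots[ballot["voter"]] = ballot["choice"]
        return True               # the server cannot know what the voter saw

    def tally(self) -> dict:
        counts = {}
        for choice in self.ballots.values():
            counts[choice] = counts.get(choice, 0) + 1
        return counts


class HonestClient:
    """A clean PC: sends what the voter selected and shows it back."""

    def __init__(self, voter_id: str):
        self.voter_id = voter_id
        self.key = VOTER_KEYS[voter_id]

    def prepare(self, choice: str) -> dict:
        return {"voter": self.voter_id, "choice": choice,
                "nonce": secrets.token_hex(8)}

    def vote(self, server: VotingServer, choice: str):
        ballot = self.prepare(choice)
        accepted = server.cast(ballot, ballot_tag(self.key, ballot))
        return accepted, ballot["choice"]   # the confirmation screen


class CompromisedClient(HonestClient):
    """The same PC with hostile software loaded before election day.  It runs
    with the voter's privileges, so it can read the key material, rewrite the
    selection before it is authenticated, and rewrite the confirmation after."""

    def __init__(self, voter_id: str, flip_from: str, flip_to: str):
        super().__init__(voter_id)
        self.flip_from, self.flip_to = flip_from, flip_to

    def vote(self, server: VotingServer, choice: str):
        ballot = self.prepare(choice)
        if ballot["choice"] == self.flip_from:
            ballot["choice"] = self.flip_to          # alter the selection
        accepted = server.cast(ballot, ballot_tag(self.key, ballot))
        return accepted, choice                      # show what the voter expected


def run_election(server: VotingServer, votes: list):
    """votes: (client, intended choice) pairs.  Returns whether every ballot
    was accepted, whether every confirmation matched the voter's intent, and
    the server's tally."""
    all_accepted, all_confirmed = True, True
    for client, choice in votes:
        accepted, shown = client.vote(server, choice)
        all_accepted = all_accepted and accepted
        all_confirmed = all_confirmed and shown == choice
    return all_accepted, all_confirmed, server.tally()


def demo():
    """Intended result is A 3, B 1; two infected PCs flip A to B."""
    server = VotingServer(VOTER_KEYS)
    votes = [
        (HonestClient("voter-1"), "Candidate A"),
        (HonestClient("voter-2"), "Candidate B"),
        (CompromisedClient("voter-3", "Candidate A", "Candidate B"), "Candidate A"),
        (CompromisedClient("voter-4", "Candidate A", "Candidate B"), "Candidate A"),
    ]
    return run_election(server, votes)


def tamper_in_transit() -> bool:
    """The channel protection itself works: a ballot altered after it was
    authenticated is rejected.  That is exactly why the hostile software
    alters the ballot before authentication, on the voter's own machine."""
    server = VotingServer(VOTER_KEYS)
    client = HonestClient("voter-1")
    ballot = client.prepare("Candidate A")
    tag = ballot_tag(client.key, ballot)
    ballot["choice"] = "Candidate B"
    return server.cast(ballot, tag)
```

In `demo()` every ballot verifies, every voter sees the confirmation they expected, and the server tallies one vote for A and three for B against an intended three for A and one for B; `tamper_in_transit()` returns False, showing that the transport check catches only modifications made after the endpoint has finished with the ballot. Nothing on the server side distinguishes the flipped ballots from honest ones, which is the column's point about where the risk lies.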
Also, imagine the ideal targets that Internet voting servers would make for denial-of-service attacks. What better way to demonstrate power over the Internet than to prevent people from voting as they had expected? At the very least, it would foster inconvenience and anger. Such attacks would also be likely to increase concerns about how Internet voting might skew voter participation in elections, between those persons who are Internet-equipped and those who do not have convenient Internet access. Other factors of fairness are also involved, such as the multiple days of voting allowed only for online voters in the Arizona case, or the ways in which online voting might significantly exacerbate the age-old scourge of votes being "sold" to other persons.
Trust in the election process is at the very heart of the world's democracies. Internet voting is a perfect example of an application for which rushing into deployment could have severe negative risks and repercussions of enormous importance.
©2000 ACM 0002-0782/00/0600 $5.00