“Your vote counts” is a snappy slogan just short enough to fit on a lapel button, but snappy is not the same as “secure.” As the 2016 campaign unfolds, there’s renewed interest in enabling voters to vote over the Internet. The notion that choosing a president could be as easy as using a smartphone to order a pizza is tempting to some, but until cybersecurity wizards prove that a vote cast is a vote counted, Internet balloting is unreliably risky.
Internet voting has its passionate advocates. One California pundit argues that since his bills, banking, shopping, even the data on his children’s homework is on the Internet, why shouldn’t his voting be there, too. It’s not safe to vote where he shops?
Exactly, says David Jefferson, a computer scientist at Lawrence Livermore National Laboratory who was the chairman of the technology committee of the California Internet Task Force. “It is not actually ‘safe’ to conduct e-commerce transactions online,” he says. “It is in fact very risky, and more so every day. Essentially all those risks apply equally to online voting transactions.” Millions of Americans, including the 21 million federal workers whose personal information was swiped from “secure” servers in the Office of Personnel Management, and the 110 million shoppers who fell prey to hack attacks on the retailer Target, might agree.
Chinese and Russian hackers have breached the top-quality defenses that protect Pentagon and White House networks, so it’s not difficult to imagine them making similar mischief with state election board tabulations on election night. “Such attacks could even be launched by an enemy agency beyond the reach of U.S. law and could cause significant voter disenfranchisement, privacy violations, vote buying and selling, and vote switching,” says Hans von Spakovsky of the Heritage Foundation. “The biggest danger, however, is that such attacks could be completely undetected.”
The Pentagon established a pilot program for online voting for the military in 2004, and canceled it when cybersecurity experts pointed out vulnerabilities. The Electronic Privacy Information Center has filed a Freedom of Information lawsuit to obtain the summary of the Pentagon’s findings, which could expose risks for online voting. Nevertheless, several states are experimenting with “I-voting” by accepting electronic absentee ballots from U.S. armed forces serving overseas.
Other nations have conducted Internet voting. France, Norway, Canada, Spain and Australia have experimented with it during the past several years, and all have been plagued with security vulnerabilities that might have led to falsified ballots and altered election results.
The U.S. Vote Foundation has recommended “End-to-End Verifiable Internet Voting” in which voters can verify that their ballots have not been altered. The foundation’s report, “The Future of Voting,” released early this month, recommends that “public elections should not be conducted over the Internet using systems that are not end-to-end verifiable.” To do otherwise belies the meaning of “your vote counts.” Internet voting is an idea whose time has not come.