By Barbara Simons, Former President Association for Computing Machinery (ACM); Jeremy Epstein, Vice Chair of ACM US Public Policy Council (USACM); and Alec Yasinsac, Chair, USACM Security Committee
Yahoo, the DNC, Federal Reserve, Ashley Madison, US Office of Personnel Management, Google, Sony, Jeep, Charles Schwab, JP Morgan, Target, Symantec, Northrop-Grumman, the US State Department...
The above is a partial list of corporations and agencies that have been hacked in the past few years. Given the incredible computer security resources available to each of them, it is reasonable to expect that it is not a matter of “if” but of “when” any widely used Internet voting system will be hacked.
This year 30 states plus Washington, DC are allowing overseas military and civilians to return their voted ballots over the Internet; Alaska allows any Alaskan to vote over the Internet. States typically implement Internet voting with the hope of increasing voter access, especially of military voters, or reducing electoral costs. But it is critical to consider the prospective impact of hacks on election outcomes before allowing voted ballots to be delivered over the Internet.
A safer option for military voters with access to postal mail is provided by the 2009 MOVE Act, which requires the posting of blank ballots online at least 45 days in advance of an election. Overseas voters can download the blank ballot, print it, mark it, and then return the marked ballot via postal mail.
There is no required Federal government oversight of Internet voting vendors, and there is no special legal accountability. When asked to develop standards for Internet voting, the National Institute of Standards and Technology (NIST) concluded that today’s technology cannot mitigate against many of the threats. NIST also stated that malware on the voters’ computers could compromise the secrecy or integrity of the ballots.
Malware is one of a multitude of Internet voting threats. A voter casting a ballot on a malware-infected machine might select candidate A, but the malware could change the vote to candidate B without the voter’s knowledge and submit the rigged ballot over the Internet. If the malware is pervasive, election outcomes could be decided by the malware creator, while the malicious activity goes undetected. Even if a successful hack is detected, correction could be difficult or impossible; ultimately, any Internet voting hack could create doubt about election outcomes and cynicism among the voting public.
Another threat to Internet voting is “phishing” attacks. Phishing typically involves sending the victim a cleverly designed email with a link to a fake website. For example, according to Buzzfeed, the recent hack of the DNC was accomplished by a fake email telling the recipient to reset his/her password. Anyone who clicked on the link ended up at a fake Google login page that stole the victim’s password and downloaded malware onto the victim’s computer. A more direct phishing attack could attract prospective voters to a fake Internet voting site where the application could collect voter credentials, discard the voter’s selections, and vote on behalf of the voter at the official voting site.
Still another threat is a Distributed Denial of Service (DDoS) attack. A successful DDoS attack may prevent voters from accessing the election server by tying up the server with an overwhelming number of communications. In mid-October a major DDoS attack essentially removed Twitter, Spotify, and many other popular sites from the Internet for hours at a time. Internet voting schemes are susceptible to the same type of DDoS attacks.
Internet voting has many properties that distinguish it from other web or networked applications. For example, when you buy a book online, you want the seller to know who you are and what book you are purchasing. However, if you vote online, your ballot must be kept secret. The secrecy requirement makes casting a ballot over the Internet very difficult. The voter must first be authenticated to prevent ballot box stuffing and unauthorized voting. But the process of authentication tells the receiving computer who you are. Once the “identity cat” is out of the bag, it is very difficult to control where it goes.
We frequently hear: “I can bank online. Why can’t I vote online?” In fact, online banking applications are regularly, successfully hacked, and banks lose millions of dollars annually from money-stealing malware on customers’ computers. For example, the Zeus Virus is so clever that it can steal money from your online bank account, but when you access your online statement, it looks correct. You won’t know that money has been stolen until a check bounces or something else unpleasant occurs. Because customized versions of Zeus are available on the black market, it may be relatively easy to obtain a version that, say, changed votes from one political party to another.
Banks continue to use Internet systems in spite of successful hacks because they can cover significant loss and still realize substantial profit; for voting systems, there is no similar or acceptable margin of error.
Despite hopes to the contrary, evidence suggests that Internet voting will likely not appreciably increase turnout in general or voting by young people in particular.
Maybe someday we will be able to vote over the Internet securely. But developing a secure system would require solving some major cybersecurity open problems. We should not implement Internet voting systems unless and until we can ensure their security.
* This article reflects the individual views of the authors and does not necessarily represent the views of the ACM U.S. Public Policy Council or the Association.