ONLINE VOTING: A DANGEROUS PATH

The push to vote online is growing worldwide, but there is no such thing as a "secure" virtual voting system, despite what vendors claim.

Tom Scott lays out why e-voting and Internet voting is such a bad idea.


According to leading cybersecurity professionals, Internet voting is an exciting idea whose time has not come, and may never.

But that has not hampered private online voting systems manufacturers such as Accenture, Election.com, EveryoneCounts.com, SafeVote, Scytl, Votenet, and VotingPlace.net from peddling their purportedly "secure" systems to elections officials, while appealing to the love of Internet technology among younger generations.

Once they learn the facts, however, young voters are not so easily persuaded to send their ballots into the digital void just because it's easy or "cool."

A comprehensive article in Verified Voting's Internet Voting section explains that simply because we bank and buy online, that doesn't mean we should vote online. 

Young voters deserve a voice in decisions on the future of democracy. But the move to Internet voting will be made without public input or consent—unless we demand otherwise.

Leading computer technologists said the following about online voting:

  • The entire system must be reliable and verifiable even though Internet-based attacks can be mounted by anyone, anywhere in the world.
  • There must be reliable, unforgeable, unchangeable voter-verified records of votes that are at least as effective for auditing as paper ballots, without compromising ballot secrecy.
  • There must be strong mechanisms to prevent undetected changes to votes, not only by outsiders but also by insiders.
  • There must be a satisfactory way to prevent large-scale or selective disruption of vote transmission over the Internet.
  • The voting system as a whole must be verifiably accurate in spite of the fact that client systems can never be guaranteed to be free of malicious logic.

Verified Voting recommends not even pursuing online voting pilot projects until those preconditions are met.


The internet has the potential to transform democracy in many ways, but permitting it to be used for public elections without assurance that the results are verifiably accurate is an extraordinary and unnecessary risk to democracy.
— Verified Voting

INTERNET VOTING News


SHOULD WE TRUST THE VENDORS?

Before we do, we should learn the facts.

For decades, for-profit private vendors of electronic voting machines in the United States have been exposed as a compromised group. 

The corporations that sell voting systems have employed criminals, political candidates, religious extremists, and concealed their partisan ties. Key players in these companies have been accused and convicted of perjury, bribery, kickbacks, computer fraud, lying to elections officials, and rigging elections. Their voting systems have been repeatedly denounced by leading security teams as wide open to insider fraud.

Susannah Goodman, director of a voting integrity project for Common Cause, believes state election officials, most of them lacking technical expertise, are easily manipulated by the Internet voting vendors.

“I’ve seen the vendors characterize their products as being secure when the most prominent cybersecurity experts in the country will tell you they’re not,” said Goodman. “The state legislators and the election officials are only hearing from one side. ... That’s putting our democracy at risk.”


Vendors may come and they may say they’ve solved the Internet voting problem for you, but I think that, by and large, they are misleading you, and misleading themselves as well.
— Ron Rivest, MIT computer scientist and cryptography pioneer

AS GOES ESTONIA... 

According to the National Democratic Institute, a total of 14 countries have used remote Internet voting, four of them over several elections: Canada, Estonia, France, and Switzerland. Numerous pilot projects have failed, including in France, and recent studies gave Canada's system a failing grade for security.

The remaining ten countries have either recently adopted or are piloting Internet voting, have not pursued it, or have discontinued its use.  

Vendors often point to the supposed success of Estonia, the only country to offer online voting to its entire electorate. In the video below, professional analysis is presented from a "Security Analysis of the Estonian E-Voting System."


We never thought we would see as many vulnerabilities and problems as we did.
— EstoniaVoting.org security researchers

ONLINE VOTING SPREADS IN AMERICA

Despite global failures and widespread expert agreement on security vulnerability, the pressure is on in the United States to adopt Internet voting.

Yet there is resistance, even from the top levels of government.

The U.S. Department of Defense abandoned the idea of Internet voting entirely in 2004, citing security concerns, and in 2012 the Pentagon canceled plans to allow Internet voting by overseas military personnel after a security team audited a $22 million system developed by Accenture and found it vulnerable to cyberattacks.
 

INFILTRATING AT THE STATE LEVEL

Online voting is making inroads at the state level where election officials have leeway over what voting systems they choose. Washington is among 29 states that have embraced some form of Internet voting, mostly for military service members and other Americans living abroad.

In 2015, big news came from the e-voting company Everyone Counts which pulled in $20 million in angel investment to push its "secure" online voting systems into American counties and states.

The Pentagon's Federal Voting Assistance Program (FVAP) tested the Everyone Counts system in 2011, along with other vendors, but then refused congressional and state requests to release the results.

FVAP dispenses tens of millions of grant dollars to states and counties to upgrade their voting systems. 

In 2014, the Electronic Privacy Information Center (EPIC) sued FVAP to release the results of the e-voting study. In 2015 they obtained the report, announcing:

The report recommends several changes, including accessibility and user interface, but does little to address privacy and security concerns except for recommending "visible security features" to "give users greater confidence in the privacy and security of their ballots." EPIC will continue to pursue the documents that have been withheld from the public about the risks of online voting. (Apr. 3, 2015)


Damning Report from Standards Agency

In early 2011, the National Institute of Standards and Technology (NIST) released NISTIR 7770, which studied Internet voting in detail. It found that cyberattacks could flood election email servers to block incoming ballots, or infect computers with malicious code that changes ballots.

According to the NIST study:

  •  Internet voting systems cannot currently be audited with a comparable level of confidence in the audit results as those for polling place systems.
  • Malware on voters' personal computers poses a serious threat that could compromise the secrecy or integrity of voters' ballots.
  • The United States currently lacks a public infrastructure for secure electronic voter authentication. 

 

PILOT PROJECTS Fail

Recent online voting pilot projects in the United States have failed entirely:


No existing commercial Internet voting system is open to public review. Independent parties cannot verify that these systems function and count correctly, nor can they audit and verify election results.
— U.S. Vote Foundation