Why A Pilot Internet Voting Project Won’t Tell Us What We Need to Know
Lots of folks have suggested running some elections using Internet voting as pilots, to see whether Internet voting will work. A pilot will not tell us this.
To see why, ask what makes an election “work”? Counting votes accurately is one thing. Another is recording the votes accurately — that is, each vote cast is counted correctly, and no votes are changed. Further, each person gets one vote, just as in a non-Internet election. The computer or smartphone used to cast the vote, casts the vote without change. And so forth.
Now, how can we tell when it “works”? How do we know the results are correct and have not been altered? This is the heart of the problem.
Let’s say we try an Internet voting pilot project in which people can vote from their home computer or a smartphone. If either contains a computer virus that will change the vote after the user casts it, but before it is transmitted to the vote counting system, how can we tell this? The only way is to record the vote of each voter as the voter casts it, and compare that with the election totals. And we can’t simply store the vote on the computer it is cast on; that could be tampered with. We would have to have an impartial, trusted observer watch each person vote, and record the votes cast on paper or on a separate, trusted system. Aside from being impractical, this means that how someone voted can (and undoubtedly will) become known, allowing vote selling and voter intimidation.
So that’s one problem. We have no way of verifying that the Internet voting system recorded and counted votes correctly — that is, we cannot check its accuracy.
So let’s ask a different question: will the pilot tell us if Internet voting is secure?
The “pilot” is really a test of Internet voting. Unfortunately, a basic principle of testing is that testing can never prove the absence of problems; it can only prove the presence of problems. When you test drive a car, you’re looking for problems that the car may have — perhaps it doesn’t accelerate fast enough, or the brake pedal is too stiff. You don’t buy the car. But if you don’t find any problems, you might well buy it — not realizing that the braking system will fail in a year or so due to a manufacturing defect. Your test drive didn’t show the car had no problems — that is, it didn’t prove the absence of problems. It simply showed you that you didn’t find any problems.
Back to the Internet voting pilot. If security folks analyze the pilot system after the election, they may find evidence of an attack that could have altered ballots or vote totals. This would prove the Internet voting system is not secure. But suppose they find nothing — there still could have been a successful attack, but one in which the attackers “cleaned up” after themselves, leaving nothing behind to be detected. The absence of evidence proves nothing.
There’s another issue. Suppose a company built a safe that they believed no-one could crack. They give a safe to anyone who asks, so that these people can try to crack the safe in the privacy of their home. The company has asked people who succeed to report it, and they will receive a check for $10,000. Now, some people who succeed will report it and get the money. But others who succeed will ask, “If a bank believes this safe to be uncrackable, might not the bank install the safe? And if so, think of how much money I could get by cracking the safe in the bank rather than here at home! I just find banks that use the safe, crack it, and take the money.”
This points out another problem. If someone did figure out how to compromise the Internet voting system, why do it on a pilot? Think of what would happen if that malefactor waited, and then compromised a gubernatorial or presidential election! And in history, a very few votes have made a difference; witness LBJ’s election to the U.S. Senate by 87 votes — an event that, had it not occurred, would have changed the course of American history drastically.
Finally, in a real test, experts (and, possibly, others) would attack the Internet voting system to see if they could change votes or block voters from voting. But no reputable computer security expert will ever attack a voting system during an election (it’s a crime), so we cannot test the security of the system and its procedures as actually used. If it's a “pilot” in a real election, the laws about trying to rig elections apply. So the pilot prevents people from testing the system for security and accuracy. It sounds strange, but it’s quite true.
So, we cannot tell if the Internet voting system counts votes correctly in the pilot; we cannot be sure that the voting system wasn’t broken into; and we can’t legally test the system by attacking it. But these are the purposes of a pilot project. Hence the pilot, done in a real election, is not useful. This is why I think having a pilot election using an Internet voting system is a bad idea: we learn nothing from it, and worse, if the pilot seems to go well as far as we can tell, people will (incorrectly) assume the system is secure and accurate. And that gives a completely false sense of security.
As for my credentials: I am a professor of computer science at the University of California at Davis, where I am a co-director of the Computer Security Laboratory. I have been in the field since 1978. I have been studying electronic and Internet voting since 2004, when I participated in the RABA study of electronic voting systems for the State of Maryland. I was also one of the co-leaders of the technical part of the California Secretary of State’s Top-to-Bottom Review of voting systems certified for use in the State of California. Currently, the National Science Foundation is funding our research on election processes. Our group works with election officials in Yolo and Marin Counties.
Any opinions expressed in this note are those of the author, and not necessarily those of anyone else.