PFIR - People For Internet Responsibility
PFIR Statement on Internet Voting

February 26, 2000

See also: "The Coming Electoral Blackout?" (20 Jan 2001)

Greetings. As the election season gets into full swing, the concept of voting via the Internet has been receiving a great deal of attention. The Arizona Democratic Party is in fact about to hold what they say is the first legally-binding U.S. public election (their presidential primary in early March) which will allow Web-based voting. This is being touted as a major and obvious step forward. In reality, this rush to permit such voting could be a highly risky proposition, riddled with serious technical pitfalls that have rarely been discussed.

Some of these issues are fairly obvious, such as the need to provide for accurate and verifiable vote counts while simultaneously enforcing rigorous authentication of voters (and still making it impossible to retroactively determine how a given person voted). Certainly all software involved in the election process (even when online voting is not contemplated) should have its source code subject to inspection by trusted experts unrelated to the firms providing those software systems. When "off-the-shelf" software is being used for such applications, this presents an interesting set of problems, to say the least.

But even with such inspections, these systems are likely to have bugs and problems of various sorts, some of which will not be found and fixed quickly. This is just an inescapable fact when it comes to virtually all software, but could have remarkably serious consequences if such unavoidably complex software systems become integral to virtually all aspects of the actual voting process.

Perhaps of far greater concern is the apparent lack of understanding suggested by permitting the use of ordinary PC operating systems and standard Web browsers for Internet voting. While the use of digital certificates and "secure" Web sites for such voting can do a reasonable job of identifying the connections and protecting the communications between voters and the voting servers, those are unfortunately not where the biggest risks are lurking.

In recent cases of mass releases of credit card numbers and other customer information, it wasn't the communications paths that were compromised, but security at the servers themselves, even though they were touted as secure and used advanced encryption technology for communications with customers. Even with the best of intentions and efforts at good software design, the same kinds of security failures leading to private information disclosure or unauthorized modifications are possible in an Internet voting environment, just as we've seen in the commercial arena.

Another area of serious concern is the ease with which voters' PCs could be compromised prior to elections by hostile software (which could be inadvertently loaded onto these systems via e-mail attachments, innocent-appearing Web downloads, or many other means) that could be designed to silently and invisibly alter the voter's input, ballot selections, and displayed output, with no clue to the voter or the voting server that this has occurred. Deployed on a sufficiently large scale (which might actually not need to be very large in the case of tight races), such software manipulations could actually alter election results. There is no obvious technique for avoiding the possibility of such tampering without resorting to "single-use" operating systems and specialized voting software, which would need to be specially booted (from distributed floppy disks or CD-ROMs) on voters' systems, presenting significant configuration complexities.

The recent rash of Internet distributed denial of service attacks provides vivid evidence of how simple it is for "invisible" malevolent software to be distributed to unsuspecting users' computers. Even existing versions of such software could potentially be altered to subvert Internet voting in the manner described above. Which brings up another point--imagine the ideal targets that Internet voting servers would make for denial of service attacks. What better way to demonstrate power over the Internet than to prevent people from voting as they had expected? At the very least it would foster inconvenience and anger. Such attacks would also be likely to foster increased concerns regarding how Internet voting might skew voter participation in elections--between those persons who are Internet-equipped and those who do not have convenient Internet access.

Trust in the election process is at the very heart of the world's democracies. Internet voting is perhaps the perfect example of an application where rushing into deployment could have severe negative repercussions of enormous importance.

Lauren Weinstein
Co-Founder, PFIR - People For Internet Responsibility
Moderator, PRIVACY Forum
Member, ACM Committee on Computers and Public Policy