Public elections conducted over the Internet need to be end-to-end verifiable in order to be truly effective, a team of election officials, systems engineers, cryptographers, and election watchdogs said in a report outlining a set of recommendations for Internet voting.
The 65-page report, released today, highlights several fundamental challenges that need to be overcome before Internet voting can become a reality on a mass scale. Key among them is finding a way to guarantee the integrity of election data, protect voter information, secure systems against attacks, and make the systems user-friendly enough to be accepted broadly.
"As election technology evolves and more states evaluate Internet voting, caution on compromises to integrity and security is warranted," the U.S. Vote Foundation, which commissioned the report, said in a statement Friday. "Existing proprietary systems that meet only a subset of the requirements cannot be considered secure enough for use in the U.S."
Remote voting, including voting over the Internet, is becoming increasingly common in the U.S., the report noted. It has typically been used to enable military personnel and American citizens based overseas to participate in the election process, but is beginning to be used more broadly. As a result, more attention needs to be placed on ensuring speed, security, and integrity of such voting systems.
One of the major problems currently is that no existing commercially available Internet voting system is truly open for public review. As a result, there is no way to verify if the systems are functioning in the intended manner, the report's authors said.
For Internet voting to be truly effective, the system needs to ensure that the ballot received by and displayed to the voter matches the ballot sent out originally by election officials. It also needs to make sure that the computer used by the voter accurately records the voter's intention and that the filled-in ballot received by election officials is the same one that was submitted by the voter.
Because the voting takes place on the public Internet, the voting system also needs to have a way to ensure that intermediary systems and networks do not have an opportunity to intercept, modify, or peek at the ballot.
Another concern that has to be addressed is malware. Voters often may not be aware of malware on their systems that could potentially change the way the ballot is displayed or the way the vote is recorded.
"Internet voting substantially exacerbates the risk of remote voting by making it possible for small problems to be magnified and replicated on a large scale," Josh Benaloh, senior cryptographer at Microsoft, wrote in the report. "Careless or malicious errors, intrusive malware, and unforeseen omissions – all of which can be caused by individuals or very small groups – can cause very large numbers of votes to be changed and the privacy of large numbers of voters to be compromised."
According to the report’s authors, who include technologists from Lawrence Livermore, IBM, and NIST as well, there are 10 technical requirements that need to be met for truly end-to-end verifiable Internet voting. Among them are: functionality, usability, security, authentication, auditability, and interoperability.
Functionally, for instance, an Internet voting system must ensure that recorded ballots and voters listed as having voted correspond with each other. Similarly, the system must maintain voter anonymity and make it impossible for election officials or anyone else to link an individual vote back to the source.
On the security and authentication front, a truly verifiable Internet voting system should ensure that no voting data is ever lost even in the event of a system failure. It should have a way to properly authenticate voters to ensure that individuals are properly identified and to protect against attackers impersonating voters even if the entire database used for authentication becomes compromised.
"There is tremendous pressure to build Internet voting systems and use them in public elections," the report said. But the use of such systems "without end-to-end verifiability—including all Internet voting systems that jurisdictions are experimenting with and using at the time of this writing—is irresponsible."