1. Voting is not like any other transaction.
The first remark I usually hear on the subject of Internet voting is, “I
can shop online, I can bank online, why can’t I vote online?” The answer
is that voting is not like those transactions. Credit card companies and
banks tolerate a degree of fraud in all of their transactions. We could
not similarly accept some degree of fraud in the voting process. And,
when you make a deposit to your checking account over the Internet, your
bank sends you back a message confirming the transaction and the amount
of your deposit. But if we are to preserve our right to cast a secret
ballot, then we would not want to vote online and have our election
agencies send back to us a note confirming our choices.
Casting a secret ballot in a fair and democratic election is, in fact,
unlike any other kind of transaction. Think about it: each person only
gets to vote once, in a limited time frame, and every voter must be
authenticated while at the same time preserving that voter’s right to
cast a secret ballot. Voters must be confident that their votes have
been accurately recorded and the voting system must create an audit
trail in case a recount is needed that also preserves the secret ballot.
It is not impossible to build an online voting system, but it’s
important to realize that to do so creates unique challenges because
voting is unlike any other transaction.
2. There are two kinds of Internet voting: polling place Internet
voting, and remote Internet voting.
It’s important to distinguish between polling place Internet voting and
remote Internet voting, which is voting from home or work. Both remote
and polling place Internet voting use computers in the voting process
and both use the Internet to transfer ballots to the central counting
center. The important difference between the two methods is ownership of
the computer that’s acting as a voting machine. With polling place
Internet voting, the voting machine is owned and controlled by election
officials. With remote Internet voting, the voting machine is owned and
controlled by either the voter or their employer.
In our January 2000 report, the California Internet Voting Task Force
made this important distinction between polling place and remote
Internet voting, and concluded that while polling place Internet voting
can and should be explored, remote Internet voting could greatly expose
the voting process to fraud. For this reason we made no prediction of
when, if ever, remote Internet voting would be possible.
3. Remote Internet voting is highly susceptible to voter fraud.
A voting machine owned and maintained by a county election office can be
controlled, but a third party machine, owned by the voter or their
employer, is highly susceptible to attack. For example, a remote
Internet voter could unknowingly download a “Trojan Horse” or virus that
sits on the voter’s computer. When the voter opens his Internet ballot
on his computer desktop, at that point the ballot is no longer encrypted
and would therefore be susceptible to manipulation by a virus or
malicious code. A Trojan horse could then, for example, rearrange the
appearance of the voting boxes on the ballot, leading you to believe,
for example, that you voted for the incumbent but actually returning
your ballot with a vote for the challenger. You would then send your
ballot back encrypted to your election agency, and since we cast a
secret ballot neither you nor your election agency would know that your
vote had not been properly recorded.
If you think this scenario is far-fetched, consider this: already some
Internet users have unknowingly downloaded programs known as “spyware”
that keep track of their computer usage and page visits without their
knowing it and report this information via the the user’s Internet
connection to commercial and marketing interests. Already the vast
majority of Internet users visit web sites that set “cookies” in their
web browsers used to track their online movements. Few even know what a
cookie is, let alone know how to remove one or how to set their browser
preferences to refuse them altogether.
Consider also the fact that remote Internet voting will give rise to a
whole new wave of voter fraud attacks from people living in foreign
countries as well as those who previously had no interest in elections
but enjoy a good hacking challenge. The Pentagon detected more than
22,000 attempts to probe, scan, hack into, infect with viruses or
disable its computers in 1999 alone, and anticipates the number of
attacks will only increase with time. And let’s not be naive about our
country’s record on voter fraud. Though voter fraud is not as much of a
problem here as it has been in other countries, history shows that in
close races some campaigns do resort to cheating in order to win.
Automating the voting process gives one person the ability to make a
much greater impact when they attempt to cheat.
When you consider the likely increase in attempts at voter fraud,
combined with the low level of computer literacy we have now, both among
users and the election community, it is unrealistic to think we are
ready for remote Internet voting anytime soon.
4. Remote Internet voting may erode our right to cast a secret ballot
and lead to political coercion in the workplace.
Currently we cast our ballots in a private polling booth, and in some
counties voters place their ballots inside an envelope so that poll
workers and other voters won’t catch a glimpse of their votes before
they drop their ballot into the ballot box. Polling place Internet
voting can preserve the secret ballot and the sanctity and privacy of
the polling place. Remote Internet voting, on the other hand, can lead
to voting from work, which is where most of us connect to the Internet
during the day. And for many of us, our workplace computers are far from
private.
If we were to vote from work, our coworkers or supervisors might
casually or deliberately watch us as we make our choices. Even if they
aren’t standing over your shoulder, the company intranet could easily
retain a copy of your ballot. These are not insurmountable obstacles,
but it does mean that if we allow for voting in the workplace, we’ll
need new policies to protect employees from potential political coercion
in the workplace. New policies would need to be developed to protect the
right to cast a secret ballot in the workplace on your employer’s
computer, and such policies would contradict with existing laws that
assert an employer’s right to review any material their employees create
on a company computer, including personal email. Simply put, voting in
the workplace could be a nightmare for employers and employees alike,
and if we were to move forward with remote Internet voting in the future
we’d be wise to prohibit voting in the workplace altogether.
5. Remote Internet voting poses a threat to personal privacy.
How would we authenticate remote Internet voters? Authenticating voters
is one of the primary steps we take to protect our elections from fraud.
We have to make sure that people are eligible to vote, vote only once,
and cast their own ballots. Using a pin number in combination with other
pieces of personally identifiable information, as the Arizona Democratic
Party did in its March 2000 Primary, is not sufficient to protect our
elections from vote selling, vote swapping, and voter fraud. Digital
signatures may be an option, and we have a long way to go before that
technology is widely understood and accepted by the public, and digital
signatures still cannot protect Internet voters’ ballots from a Trojan
horse attack.
The most secure way to authenticate voters is to use biometric scanning
procedures, such as retinal or finger-printing scans. I, like many
Americans, find such security measures invasive, and believe it would be
unwise to sanction government agencies to begin collecting sensitive
biometric data on American citizens. There is a general rule I follow:
for every degree of convenience we gain through technology there is
usually a corresponding loss of privacy. Remote Internet voting would
make voting more convenient, but that convenience will come at a price
that, in my opinion, is too high.
6. There is a huge politics and technology information gap.
In my seven years of working in politics and technology, I have found
there are unfortunately too few people who have a working knowledge of
both fields. This huge gap between politics and technology appears to be
widening, not closing over time, and is becoming increasingly evident
around the issue of Internet voting. Many of the political experts who
talk about Internet voting don’t appreciate the technological dangers of
voting online. Then there’s the technologically-savvy but politically
naive people who say, “Wouldn’t it be great if we could vote on
everything?”, failing to understand either the benefits of
representative democracy or the complexities of the voting process. If
we are going to close the politics and technology gap, we are all going
to have to make a great effort to educate the experts and bring people
from diverse fields together online and offline through conferences and
public meetings. It’s going to take a lot of work, but if we address the
politics and technology information gap it will make for better public
policy in every area impacted by technology.
7. There is a generational technology gap.
Older people are not as familiar with new technology as younger people
are, and surveys show that younger voters are sometimes intimidated by
existing voting technology. The generational technology gap turns up in
many places. The Democracy Online Project’s post-2000 general election
survey found that the younger the voter, the more likely they used the
Internet to access election information.
Internet voting polls also find that younger voters find the idea of
Internet voting much more appealing than older voters do. For example, a
poll conducted by ABC News in 1999 found that only 19 percent of
Americans age 65 and over would support Internet voting even if it could
be made secure from fraud. Similarly, a year ago the Public Policy
Institute of California surveyed Californians and found that public
support for Internet voting is highest among 18-34 year olds (59
percent) and lowest among those 55 and over (27 percent). There is no
doubt that new technology provides an unprecedented opportunity to
engage alienated young people in the democratic process, but we must be
careful that we don’t alienate older voters along the way.
8. Changing technology alone isn’t enough; voter education is also
needed.
It made me angry to hear people ridicule Florida’s voters for casting
their votes incorrectly. As an experienced voter educator, it no longer
surprises me to hear about the elements in our voting process that
voters find confusing. There is an intolerable lack of reliable,
nonpartisan voting information available for U.S. voters; most of what
passes for election information comes in the form of campaign mailers
and thirty second spots designed to confuse, manipulate or scare voters
and do just about anything but inform them.
We take so much for granted when it comes to voter education, and it is
shameful that the United States poses as a model democracy for other
countries to emulate when we make virtually no effort to educate our own
voters and prepare them to vote on Election Day. We can begin to address
this problem by appropriating federal and state funds to nonpartisan
voter education efforts. We already spend $31 million a year on the
National Endowment for Democracy to advance democracy abroad; we can
certainly afford to spend at least the same amount to advance democracy
at home.
9. Transparency in the voting process fosters voter confidence and
security.
Whatever changes we make to our voting technology, we must not sacrifice
the trust that is gained by having a transparent vote casting and
counting process. The old voting technology that we are talking about
replacing, in particular the punch card ballot, functions in a way that
is transparent to the voter. You mark or punch your ballot, you drop it
into a locked box, and the box is transported to the central counting
center by pollworkers where the public can (and often does) watch the
counting of ballots.
Now, as we consider introducing computers into the voting process, we
must look at how transparency may be affected. Whether we are talking
about Internet voting or any kind of computerized voting, one inevitable
result is that very few people, and certainly not your typical voter,
have the expertise to review the software used for a computerized system
and know that it is functioning properly. Consequently, it will require
much more faith on the part of the voter in both the voting technology
and their election officials to trust that a computerized system
accurately records and counts their votes. And faith, unfortunately, is
something that’s in short supply right now in our democracy, so we must
be careful that we don’t erode it any further when we upgrade our voting
technology.
10. Software used in the voting process should be open to public
inspection.
One way to build public confidence in computerized voting is to require
voting software code be made public. Election officials often cringe at
this suggestion for two reasons: they think that making voting
technology source code public will undermine the security of the voting
process; and they expect that voting technology companies will object to
revealing their source code because it undermines their competitiveness
in the marketplace. In fact, many of the leading voting technology
companies are not necessarily opposed to public source software, and
some have already indicated they will comply with a public source code
requirement if it’s imposed on everyone.
The first concern — the public source undermines the security of the
voting process — reflects the misguided “security through obscurity”
approach to software, which is the idea that keeping your source code
secret makes your technology more secure. In fact, there is consensus in
the security industry that public source code leads to more secure
computer systems than closed source.
In fact, the Pentagon, our number one military agency, recently decided
to no longer purchase closed source, commercial software programs from
companies such as Microsoft, Netscape and Lotus to use in its most
sensitive systems. The reason given by a Pentagon official, speaking
anonymously to the Washington Post, is because they found that these
closed source programs had too many holes, backdoors and trapdoors that
place the department in greater danger of a computer attack than using
public and open source software would.
No software program is perfect, and any voting software program will
inevitably have holes and some problems. If the source code is closed,
those who want to manipulate the outcome of an election will eventually
find and exploit those holes. If the source code is open and public,
then the good guys in the security industry can find the holes first and
help fix the software.
One high-profile example of this shift toward public source for
high-security operations is the National Security Agency’s initiative to
develop “Security Enhanced Linux”. This is a new, security-enhanced
operating system that was just released this month. It’s based on Linux,
a very successful open source operating system, and anyone in the world
can go online to www.nsa.gov/selinux/ and download its source code. If
the agency entrusted with protecting our national security finds public
source code more secure than closed source code, it should be a clear
signal that the election community would be wise to follow suit.
Of course, we can’t assume the good guys are going to forever be
reviewing voting software code, so it’s crucial that a continuous
recertification process is also established. Computerized voting
machines, unlike punch cards, are based on dynamic, not static
technology. We must anticipate that any computerized system will need to
have security holes fixed, upgrades made, and new computer and Internet
protocols supported. Even if we have public source voting software, we
will still have a limited number of experts capable of evaluating its
reliability. And what some security experts are saying is that it will
be difficult, if not impossible to know for certain if the software
that’s been certified and is publicly available is the same software
that’s running on your voting machine. It’s worth noting that some of
the strongest objections to computerized voting are made by computer
security experts. For this reason, and also to foster voter confidence
in new voting technology, it would be wise to consider a way to use a
mix of paper ballots and computers in the voting process, and to require
that paper ballots be counted along with digital ballots so that we
could create a paper audit trail and thwart attempts to rig voting
software.
III. Conclusion
New voting technology has many advantages, but it also brings new
challenges to the voting process. And not all current voting technology
is inadequate. Many voters in the U.S. cast ballots using optical scan
systems, which are affordable, accurate, have a paper audit trail that
can provide for a recount, and some of which feature a ballot scanner at
the polling place that helps voters avoid overvoting or spoiling their
ballots. Whatever we do to upgrade voting technology, we must ensure
that all voters have an equal chance of having their votes counted.
We need to close the politics and technology gap and continue to bring
experts from different fields together to share information and learn
from each other. We need our elected representatives to demonstrate
patience, good judgment and leadership, and we need the media and public
to pay close attention to voting technology policy as it develops. And
we need to get serious about voter education in this country and spend
the public resources needed to prepare people to vote on Election Day.
It is remarkable that the first Presidential election of the new
millennium came down to the question of whether we have more faith in
people or machines to accurately and fairly count votes. The U.S.
Supreme Court decided the answer was machines. This ruling sets a
dangerous precedent. Technology can do a lot for us, but it cannot and
should not trump human judgment.
I raise concerns about Internet voting not because I am pessimistic; on
the contrary, I am very optimistic about the opportunities before us to
advance and transform democracy using computers and the Internet. I am
critical of voting technology not because I am opposed to it, but
because I cherish democracy and think computerized voting is both one of
the most exciting and potentially dangerous ideas of our time.
– – – – – – – – – – – – – – – – – – – – – – – – –
The California Voter Foundation is an independent, non-profit
organization advancing new technologies to improve democracy and
providing non-partisan voter information on the Internet at
www.calvoter.org. CVF-NEWS is the California Voter Foundation’s free,
electronic newsletter featuring news and updates about politics and the
Internet, emphasizing activities taking place in California.