When Hurricane Sandy hit in 2012, it threw New Jersey into an ad hoc experiment in online voting.
The storm made landfall just days before the presidential election, and along with an estimated $30 billion in damages, it also wiped out hundreds of polling places, leaving many people without a place to vote. Beyond that, many residents were displaced from their homes, unable to even receive or cast an absentee ballot by mail.
In a bid to keep the displaced from becoming disenfranchised, the state turned to the internet for help. New Jersey Lt. Gov. Kim Guadagno launched the U.S. into an impromptu experiment in mass online voting—designating the citizens as “overseas voters” and thereby granting them the ability to request and return ballots online, either by email or by fax.
Had New Jersey’s experiment gone well, it would have been a major victory for advocates of online voting, who’ve long argued that the internet could be a valuable tool to protect the right to vote and increase dismal U.S. voting rates.
It did not, however, go well at all: Email servers were overwhelmed, leaving voters unable to request or return their ballots. In an attempt to fix the situation, one elections official gave out his personal email address to voters to submit their ballot requests—and a security researcher discovered that his password recovery question was apparently his mother’s maiden name after looking at Hotmail’s password-reset form. The official says he was never hacked.
A report from the Constitutional Rights Clinic at Rutgers School of Law also challenged the online-voting experiment, questioning both the constitutionality of allowing voters to cast their ballots online and raising concerns about the validity and security of the elections.
And they were not alone. Security experts cried foul at the election, which saw an estimated 50,000 ballots cast electronically. They were concerned that voters’ personal data was potentially exposed, and were worried that there was an opportunity for ballots to go uncounted.
“We don’t know how many of these votes were actually counted or shouldn’t have been counted versus lost, or how many people tried to use this system but were unable to get ballots,” Ed Felten, who was then the director of Princeton University’s Center for Information Technology Policy, told Al Jazeera in 2014. “We can’t measure it, but certainly there are indications of overflowing mailboxes, big backlogs and problems processing requests. So I don’t think you could conclude at all that this was a successful experiment.”
The incident underscores both the potential and the peril of online voting. The advantages are many: it is convenient for a lot of voters, more accessible for the elderly or those who can’t get off from work and still works in the case of a national disaster.
But this butts up against one big, recurring problem: despite its promise, the possibility of security failures has thus far proved a nearly insurmountable hurdle. And that’s why, at a time when more Americans are using the internet for their shopping, banking, and even dating, the voting process has been almost entirely untouched by the digital revolution.
One step forward, two steps back
“I don’t think we’re ready for it right now, in terms of security,” said Commissioner Christy McCormick of the Election Assistance Commission, a federal agency that develops voluntary voting-system guidelines and a system for accrediting voting system testing laboratories, along with providing election-administration assistance. “I think the risk is still too high. Especially when you see things like Anthem and Target and OPM … One of the most-desirable hacking scandals would be to hack into the voting systems.”
That’s why mass experiments in digital balloting have been few and far between.
A majority of states already allow certain voters—typically service members and overseas voters—to return ballots online, either by email or by fax. Past that, there’s been limited experimentation with an online-voting system independent from just emailing a ballot in—local jurisdictions like Honolulu, Hawaii, and the District of Columbia have tested systems, and Alaska started to allow voters to submit absentee ballots electronically in 2012—all to varying degrees of success.
In 2010, Washington D.C. planned on rolling out an online voting system of its own. The system was intended to allow overseas and absentee voters to file their ballot electronically through the system. To test the security, the election board held a mock election and invited the public to test the system.
Within 36 hours, a group from the University of Michigan hacked the trial site. They changed the site to play the Michigan fight song after a voter cast their ballot. But the fight song was merely a demonstration for the larger damage the group could have done. They were able to trash all the ballots submitted before their hack, replacing them with ballots that had write-in candidates like “Skynet” and “Hal 9000.” For the ballots that were submitted after the hack? They were able to view the encrypted ballot that a test voter submitted, with that voter’s personal information still attached. The system was scrapped.
Besides D.C., several local jurisdictions have allowed their citizens, and not just absentee ones, to vote online—including Honolulu’s neighborhood-board-system elections.
The elections for the 33 Honolulu neighborhood boards switched from a mailed paper ballot to a purely online system run by Everyone Counts, a private online-voting company, in 2009 after the city council cut the budget of the office that administers the election, according to Bryan Mick, a community relations specialist with the Honolulu Neighborhood Commission Office. In 2007, they had a system that allowed for both mail and online voting.
Mick said that the purely online system only cost them a third to a half of what the absentee system cost—but they saw turnout rates drop down to 8.5 percent in the first purely online election, which has gradually increased to over 10 percent in the most recent one. Earlier elections, where the mail-voting system was used, saw turnout rates in the low 20s.
He says that on the upside, these elections showed Honolulu voters that online voting can be done safely online after Everyone Counts flew into the community to give lessons on online security.
The 2013 Honolulu elections also received a Bright Ideas award from the Ash Center at the Harvard Kennedy School.
Perhaps the most durable foray into online democracy thus far comes in Estonia, where citizens have been voting electronically for parliamentary elections since 2007. Their system verifies voters either through a scannable ID card or a mobile phone, lets them cast a ballot online and then encrypts and removes a voter’s signature from the ballot for the National Electoral Committee to count. The country saw a record 176,328 ballots cast online in 2015, roughly 20 percent of the total number of ballots.
But cybersecurity experts don’t paint as rosy of a picture of the system as Estonian officials do. An independent review of the system in 2014 found a laundry list of problems that included a crippling flaw for an online-voting system: the fact that researchers were able to demonstrate how to rig the vote count on a dummy Estonian system. The report also found that there was not a sufficient level of “basic security practices” by administrators of the system and there was not enough transparency built into the system to “provide compelling proof that election outcomes are correct.”
Ultimately, the team suggested pulling the plug on online voting. “What Estonia would come back and say is ‘Well, no one has hacked it, so it is OK,’” said Jason Kitcat, one of the members of the Estonian report team. “That is a non-proof. If it was a state level attacker … they’re not going to say ‘Hey everyone. By the way, we’ve hacked your online votes.’ That’s not in their interests. If they are going to do it, they’re going to do it undetectably.”
Hope for the future?
For proponents of online voting, the struggles in D.C. and after Sandy do not mean that online voting is impossible to do correctly. Instead, they see them as cautionary tales, proof of the necessity for careful security.
“The D.C. example is a perfect example because the reality of online voting isn’t that it either is or isn’t secure. It is how you deploy it, just like any election,” said Lori Steele Contorer, the president of Everyone Counts. “Each of the important security protocols within the [D.C.] system would breach Security 101.”
Steele Contorer also said that emailing ballots, like in the contingency plan implemented in the wake of Sandy, is an incredible insecure way to transmit ballots—something that both online voting advocates and cybersecurity experts broadly agree on.
Everyone Counts, which did not run the D.C. system, has also made inroads with online elections in the United States. The company has facilitated limited online voting in states such as West Virginia and Alabama as well as internationally. They also run private-sector elections, including the votes for the Academy Awards and the Emmys.
Steele Contorer says Everyone Counts protects their ballots using “military-grade” encryption, and have multiple levels of preventive measures in place to catch and reverse any potential ballot tampering.
But the cybersecurity community is still not convinced that online voting is ready for prime time.
“They’re pretending like voting is no different than buying a book on Amazon, and they’re completely, by virtue of ignorance or malice, ignoring the truth of the world,” said Joe Kiniry, a cybersecurity researcher. “The simplest way to check the veracity of their statements is to call up any security researcher in the world that you find online who has made public statements about end-to-end verifiable elections and ask them. And you will find that 999 out of 1000 will tell you that [the likes of] Everyone Counts, [other online voting venders], and Estonia are full of shit.”
One concern of cybersecurity experts is protecting both the anonymity of a voter, and allowing the voter to prove that their vote was actually cast. In an online purchase, both the merchant and credit-card company or bank attach the customer’s name to the purchase. Purchases are tied back to individuals—something customers want so that they can verify their purchases.
But an online-voting system would need to separate the two—a voter’s identity from their ballot—to protect voter anonymity. In that case, how can that voter be confident that their vote is counted at the end of the day?
“Voting is different from banking because of the privacy issue,” said McCormick. “The bank has to know who you are when you deal with them in banking. But when you vote, you still have to make sure that person still has the right to secrecy of the ballot. That part we haven’t figured out yet.”
Another concern of security experts is the potential reach of a voting system. Cybersecurity experts say that voting systems have many points of attack. A system would have to more to protect than one or two central computers—it would need to safeguard every machine that a voter uses to connect.
“Your voting system, for an internet voting system, is not some super secret locked down servers sitting in a room,” said Kiniry. “Your voting system is actually every computer ever used in the election talking to those servers. So suddenly instead of one locked down server you have to protect, it is every phone, every laptop, every unpatched Windows 98 system that any voter in that jurisdiction uses.”
A separate problem with the system is like the digital equivalent of long lines at a polling place. But when too many people try to access a voting system online there isn’t just a long wait. Instead, the whole system could go down.
A system could also be taken down by traffic both intentionally or unintentionally. Besides a wave of last minute, well-intentioned voters shutting down an online vote, the voting system could also suffer a denial of service attack—where someone looking to interfere with an election floods a server with traffic, making it inaccessible to a voter. If a denial of service attack happens, either benign or malicious, an entire election could be derailed.
“With election days, we don’t get to say ‘hey, we’re going to add another day’ because we had a denial-service problem,” said Pamela Smith, the president of Verified Voting, an election-transparency-advocacy group. “Most people tend to leave it for the last minute. If they did leave it for the end and then there was a denial-of-service attack on that day, they’re out of luck.”
However, election officials and cybersecurity experts are aware that the clamor for online voting probably can’t be held off forever.
“One way or the other, we’re headed in that direction, people want to vote the way we live. People expect it,” said McCormick. “But at this point, the security isn’t there. … I think we’ll get there at some point, but I don’t know when that will be. Whether that is 5 years or 20 years, I don’t know. But I don’t think we’re ready for it right now.”
What would the perfect system look like?
Kiniry and other researchers at Galois prepared a report for U.S. Vote Foundation that laid out their ideal online voting system to strive for, which crucially included a recommendation for making any future system open-source—meaning anyone can look at the coding of the system to hunt for insecurities or bugs.
The report also advocates that an online voting system be “end-to-end verifiable”, meaning voters can check that the system recorded their vote correctly, that their vote is included in the final tally, and that any voter can check the counted votes to make sure they match the end results of the election.
And both sides recognize that traditional voting methods are far from infallible. Besides the long lines at polling places, older voting methods have to grapple with mail fraud, machine error (like 2000’s infamous hanging chads), weather keeping voters away, people who want to vote being unable to commit the time to waiting, and other unforeseen problems.
And even those opposed to online voting see that there is some room for technology. Online voter registration is widespread and a welcomed practice, McCormick said.
“I think it is unreasonable to say you can’t use technology in any democratic participation whatsoever,” said Kitcat. “Just in the same way, you might be more than happy to send $100 through PayPal, you probably wouldn’t send $1 million through PayPal. You have to use the appropriate tool to the appropriate level of risk.”
Just like any online (or offline) transaction, an online system will never be 100 percent secure. Ultimately, election officials and voters will have to decide how much risk they’re willing to tolerate for the pure convenience and accessibility that an online system offers. And for many voting advocates and security specialists, that risk level is just too high right now to make the transition online.
“Online banking is a huge success, but we expect a relatively high cost in the sense of fraud and loss in any given day, but we still gain far more value out of that,” said Kathryn Peters, a cofounder and chief operating officer of Democracy Works, a group that aims to streamline elections. “The problem with online voting is … that’s a cost that historically we have not been willing to consider in terms of an election outcome, in being able to review that it is completely free and fair. To be honest, a zero- or minimal-risk tolerance in elections makes sense from a policy perspective.”