Two years ago, Hurricane Sandy hit New Jersey just before an election. In the chaos following the storm, the state decided to allow voters to use “electronic voting” to cast ballots. I was enthusiastic.
Now, a study has been released that says that “Internet voting should never be permitted, especially in emergencies when governmental infrastructure is already compromised.”
That conclusion is unwarranted by the events of November 2012.
The NJ election was not a test of Internet voting
The emergency measures involving email voting were based on an existing procedure for overseas military voters. According to the study, that procedure “permits citizens living abroad and serving in the military to cast ballots by email or fax as long as they submit a voted paper ballot.”
This seems reasonable: voters unable to get to a polling station by the deadline can indicate their vote ahead of time and verify their vote by mail. Voting by (physical) mail is standard practice in most states and is certainly not Internet voting.
To be sure, there was massive confusion about the procedure by election officials and, as documented in the study, ballots received by email were counted as votes without verifying that the correct paper ballots were ever received.
This is not a failure of Internet voting; it is a failure of non-Internet voting that produced Internet-only voting. In other words, the fact that Internet voting occurred was a symptom, not a cause.
There are many problems with Internet voting, but the failures of New Jersey’s emergency voting procedures don’t tell us much about Internet voting. Instead, they tell us about the pitfalls of holding an election in the aftermath of a natural disaster, and the wisdom of planning emergency voting measures well in advance rather than at the last minute.
The study ignores non-Internet voting failures
As a NJ resident, I know that there were many problems with the election. Basic services like water and electricity were out, there were gasoline shortages, and the election was not the top priority for most of us. Because of storm damage, polling locations were changed, and many residents lost phone and Internet service, so it was not easy to determine your polling location in advance.
In short, there were many, many voting problems beyond those involving email voting. We don’t know how many email votes were improperly counted, or failed to reach election officials; but we also do not know how many voters were unable to get to their polling station because of Sandy and its aftermath. My guess is that the email voting problems are not significant compared to the other problems in that election.
At the very least, the study should have told us how well email voting worked for overseas voters, who have been voting that way for years.
A better way forward
Voting experts and computer scientists should certainly study the New Jersey election to learn about failures in email voting, but it would be a mistake to stop there.
The classic blunder of computer security experts is to consider only computers when evaluating the security of a system. That’s wrong because most of the insecurity in voting is happening outside of computers, and it’s a missed opportunity because the voting attacks that happen in practice have a lot of parallels with computer attacks.
Since another election is being held tomorrow, many of these attacks are in the news right now:
- Last week another study was released saying that “the outcome of the 2012 US House of Representatives elections in North Carolina would have been very different had the state’s congressional districts been drawn with only the legal requirements of redistricting in mind.” Namely, the study showed that if districts were drawn to have equal population and to be geographically compact, then North Carolina would have 7-8 Democratic districts and 5-6 Republican districts. But North Carolina’s districts are not drawn in this way. Instead, they are gerrymandered, and so North Carolina has 9 Republican and 4 Democratic districts.
Gerrymandering has similarities to attacks in distributed computer systems, which often become vulnerable when more than half of the participants collude.
- In Georgia, an estimated 40,000 voter registrations are missing from the state’s database of voters. A judge has denied a petition to force the state to process the registrations, so those people won’t be able to vote. In computer security language, this is a denial of service attack.
- Researchers conducting yet another academic study of voting are in trouble for sending mailers to voters in Montana, New Hampshire, and California describing the political ideologies of candidates. One of the main objections is that they used state seals in their mailers. This gave the impression that the mailers were official documents from the state.
The computer security equivalent is of course the spam and phishing emails we all have in our inboxes.
- Facebook has been encouraging people to vote, and “has also been quietly conducting experiments on how the company’s actions can affect the voting behavior of its users. In particular, Facebook has studied how changes in the news feed seen by its users—the constant drip-drip-drip of information shared by friends that is heart of their Facebook experience—can affect their level of interest in politics and their likelihood of voting.” One of their studies “concluded that Facebook’s nudging had increased voter turnout by at least 340,000.”
Clearly, Facebook has enough influence to swing some elections. Isn’t this a topic that should be studied by computer security experts?
- Campaigns are using “big data” to target voters with tailored political ads. This means that each voter is receiving different (and possibly false) messages about the election; each voter is living in their own “filter bubble.”
The computer security analog here is a forced network partition: the target network is cut off from the rest of the world, and fed only the information desired by the attacker.
Conclusion
Computer security experts should not insist that computer voting systems be 100% secure; our current, non-computer voting systems are very far from that standard. It makes no sense to throw out possible improvements because they have some flaws that our current system also has, in spades. For example, we should study fault-tolerant voting systems that do not guarantee to capture every vote (just like current systems), but have a high probability of achieving the correct result.
More importantly, we should study the entire voting system and not just computer vote tallying. As you can see from the examples above, the significant voting attacks taking place today mostly involve influencing who will vote: encouraging your supporters to vote and preventing your opponents from voting. This completely sidesteps the issue of the accuracy of vote tallying, which is the main concern of computer voting experts. We should be trying to understand how computers could be used to address this, for example, by making voting and voter registration easier.
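To put numbers on the two points in this conclusion (a system that loses some votes can still reach the correct result with high probability, while selectively keeping one side's voters away changes the outcome), here is an added example that is not part of the original post. The loss model, the function names and all vote counts are assumptions constructed for illustration.

```python
import math

def wrong_winner_probability(votes_a, votes_b, loss_a, loss_b):
    """Probability that the counted tally fails to show A ahead.

    Assumed model: A truly leads (votes_a > votes_b); each ballot for A is
    lost independently with probability loss_a, each ballot for B with
    probability loss_b. The counted totals are then binomial, and their
    difference is approximated here by a normal distribution.
    """
    if votes_a <= votes_b:
        raise ValueError("model assumes candidate A is the true winner")
    mean = votes_a * (1 - loss_a) - votes_b * (1 - loss_b)
    var = votes_a * loss_a * (1 - loss_a) + votes_b * loss_b * (1 - loss_b)
    if var == 0:  # no randomness left: the outcome is deterministic
        return 0.0 if mean > 0 else 1.0
    z = mean / math.sqrt(var)
    return 0.5 * math.erfc(z / math.sqrt(2))  # P(counted margin <= 0)

# Constructed scenarios: (true votes A, true votes B, loss rate A, loss rate B)
SCENARIOS = {
    "uniform 5% loss, 51/49 of 1M": (510_000, 490_000, 0.05, 0.05),
    "selective loss (6% vs 2%)": (510_000, 490_000, 0.06, 0.02),
    "uniform 20% loss, 51/49 of 100": (51, 49, 0.20, 0.20),
}

def evaluate():
    """Return the wrong-winner probability for each constructed scenario."""
    return {name: wrong_winner_probability(*args)
            for name, args in SCENARIOS.items()}

if __name__ == "__main__":
    for name, p in evaluate().items():
        print(f"{name}: P(wrong winner) = {p:.6f}")
```

Under these assumptions, random loss that hits both sides equally leaves a large election's result intact, while a modest difference in who is prevented from voting reverses it.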