Internet voting for American citizens is exceedingly dangerous.
That's the opinion of David Jefferson, a computer scientist and chairman of Verified Voting, an election watchdog group based in Carlsbad, Calif.
"I consider voting security to be a national-security issue," said Jefferson. "So it has to be treated with that level of seriousness."
Special cases only, for now
Members of the U.S. military and private U.S. citizens who live abroad can submit absentee ballots via email to 27 states and the District of Columbia, according to Verified Voting. Two more states are considering accepting emailed absentee ballots from those groups.
Arizona allows members of the same two groups to upload scanned images of completed absentee ballots to a state website, which then routes the images to county election boards.
No one can yet simply log onto a website and click on his or her preferred candidates, but some states are considering developing such systems for military and overseas voters.
Those in favor of expanding Internet voting or emailed ballot submissions to the general population point to its speed and convenience.
But computer and network security experts like Jefferson argue that election officials can't guarantee that online-voting technology can meet the security, privacy and transparency requirements necessary for elections — at least not in the near future.
Email voting: The worst of the worst?
Although no Internet-based voting systems are completely secure, email voting is the worst of the worst, and the easiest to attack in any number of ways, Jefferson said.
Jefferson explained that in most cases, a citizen eligible to vote online receives a blank ballot over the Internet, makes his choices and then submits the completed ballot to a server, where it is rendered into a PDF.
The PDF of the completed ballot then returns to the voter's computer. Depending on a particular state's system, the voter could have the option of sending the PDF file back to the local election officials via email.
"There are a whole lot of concerns here regarding the privacy and the integrity of the ballot, and the lack of guaranteed delivery," Jefferson said.
Privacy concerns arise because ballots sent via email travel " in the clear," he said, which means they're not encrypted.
"This enables large-scale vote buying and selling," Jefferson said. "The reason we don’t have that now is that ballots are really secret. … Although you can tell people how you voted, you can't prove it.
"That means if your vote choices have been sent to a computer somewhere that you don't control, you don't know if [someone] has made a copy of your ballot and sent it on to some third party," he said. "Once you've given your vote to a server somewhere, people can prove how you voted."
Because the email isn't encrypted, others can easily modify or manipulate ballots while they're being emailed from the voter to the local election officials, Jefferson said.
An opposing view
Bob Carey, president of Abraham & Roetzel, a government-relations firm in Washington, D.C., and the former director of the Defense Department's Federal Voting Assistance Program, thinks the risks of Internet voting are wildly exaggerated.
"The risks associated with Internet voting on a widespread basis are characterized [in] the same way as the risks associated with military and overseas Internet voting," Carey said. "I would expect that the risks for widespread Internet voting are also exaggerated, because the risks of military voting are wildly exaggerated."
When people discuss Internet voting, Carey said, they assume that there is no risk in the existing, traditional voting system — an assumption he calls patently false.
"The fact of the matter is that anywhere between two hundred thousand and two hundred and fifty thousand military personnel, who otherwise would have cast an absentee ballot, are not able to do so because they are hamstrung and shackled by the system that Verified Voting Foundation demands and perpetuates," Carey said.
"That's because it's dependent on postal-mail delivery and it's dependent on a reduced time for the voter to be able to review, vote and return their ballot," he added. "It seems to me that these critics will only be happy when we go back to gathering at the public house by candlelight around a barrelhead, throwing black and white stones into a wooden bowl."
Malware, DDoS attacks
But what if a voter's computer is infected with malware, as millions of computers are at any given time? Someone could create and distribute a piece of malware that could copy or modify a ballot before it even gets sent to election officials, Jefferson said.
Jefferson said a number of other things could also go wrong.
Someone could remotely attack a server that's collecting emailed votes, for example, replacing the actual voted ballots with fakes. Infected PDF-format ballots could introduce malware into the election network.
Jefferson said email servers can fall also victim to denial-of-service attacks. Anyone with a large botnet can launch a "mail bomb," flooding the mail server with useless email and delaying the receipt of email ballots until it's too late to count them.
Because email ballots can't be audited, Jefferson said, election officials have no way of knowing whether a ballot was intercepted, modified or cast at all — even if the attacks are detected.
The right to vote outweighs the risks
Although he acknowledged the risks inherent in Internet voting, Carey said there are other relevant questions to ask.
"How extensive are those risks? What is the impact of those risks? How do those risks compare to the risks of the current system? What can be done to mitigate against those risks?" he asked.
"Let's assume there are a quarter-million military personnel who are unable to cast their ballots," Carey said. "If it was any other group where a quarter-million people were systematically denied their right to vote, we'd have riots.
"But the military can't do that, because it's called mutiny. The risk of the current system is that a quarter-million military personnel are denied their right to vote."
Carey said that while military computers do get infected with malware, they don't stay infected for long. And it's not as if members of the military are going to cast their votes on the same computers that their teenage children use to surf the Internet, he said.
Rather, military personnel will use the Defense Information Security Network (DISN), which is constantly monitored and checked for malware.
"The idea that client server can be infected with malware that changes the voter's vote without them knowing about it, I think [the risk] is pretty low in a military environment," he said. "And you can transmit the ballots over virtual private networks.
"Sure it can be subject to hacking. But is it subject to hacking without [officials] knowing about it? Virtually impossible," Carey added. "So you can cut it off. If the VPN [ virtual private network ] is hacked, you terminate the transaction. Does that mean the voter can't cast his ballot? Sure. But he can try again the next day because there will be a new VPN."
Carey is skeptical of Internet-voting skeptics.
"Verified Voting has shifted its requirements as each of its requirements got shot down," he said. "Previously, they said a system shouldn't be dependent on any software. Well, the corollary to that is that they're making it hardware-dependent, and the hardware they're choosing is paper and pen."
Looks good on paper, but ...
"Internet voting sounds like it would be so convenient and such a modern application of technology," said J. Alex Halderman, an assistant professor of electrical engineering and computer science at the University of Michigan.
"But when we get down into the details about what it would take for Internet voting to do well, it turns out to be an incredibly difficult security problem."
An election is an attractive target for a well-resourced attacker, Halderman said, adding that there has been a rise in very sophisticated attacks sponsored by governments, usually targeting high-profile victims.
"Over the past few years, Google, the Pentagon [and] the White House, have all fallen victim to this kind of attack, where a sophisticated adversary has been able to breach their security and steal information," Halderman said.
In 2010, elections officials in Washington, D.C., decided to drop plans to use an e-voting system as a direct result of Halderman's research on e-voting's security vulnerabilities.
"A major election conducted over the Internet would be a very appealing target for just this kind of an attack," he said. The attack could come from "foreign governments, for instance, that might want to influence the outcome of the election, or private entities that have a financial interest in it, organized crime and the lot.
"So protecting against that kind of threat if you're doing Internet voting is going be very hard," Halderman said, "especially if Google and the Pentagon can't get this right."