Online voting could be really convenient. But it’s still probably a terrible idea.

Election Day can sometimes feel like more of a headache than a patriotic celebration. Long lines and scheduling conflicts may leave voters wondering why there isn’t an easier way to cast their ballots.

Some say there already is: online voting. Why head to the polls if you can vote from anywhere using your laptop or smartphone?

But even as online voting is on the rise in the United States and elsewhere, experts warn its convenience isn’t worth its costs.

Casting your vote online could mean sacrificing the right to a secret ballot and leaving elections more vulnerable to fraud, according to a report released Thursday by the Electronic Privacy Information Center, the Verified Voting Foundation and the Common Cause Education Fund. Security researchers also warn that online voting could be vulnerable to hackers who could digitally hijack elections.

“The Internet is already as messed up as we can imagine, and adding critical electoral systems is just a bad idea,” said Joseph Lorenzo Hall, chief technologist at the Center for Democracy and Technology.

Internet voting — either via email, electronic fax or online portals — is allowed in 32 states and the District, according to Verified Voting. Most often, the option is limited to military and overseas voters.

Current U.S. online voting availability. (Verified Voting Foundation)

The most expansive deployment of Internet voting in the United States is in Alaska, where any voter can request a digital absentee ballot and submit it online. In Utah this year, the Republican caucus tried online voting but ran into technical difficulties involving error messages and pages that wouldn’t load.

All 50 states have either constitutional or statutory provisions that guarantee voters the right to a secret ballot, according to the report. But “any method of Internet voting given the current technology makes it basically impossible to separate the identity of the voter from their vote,” said the report’s co-author Caitriona Fitzgerald, the chief technology officer and state policy coordinator at EPIC.

Twenty-eight of the states that offer Internet voting require citizens to waive their right to a secret ballot, but the other four “fail to acknowledge” that voting online compromises the secrecy of people’s votes, according to the report.

Without the privacy of a voting booth, elections are left more vulnerable to fraud because voters can be more easily coerced or bribed into voting one way or another, Fitzgerald said, behavior that was common in the late 1800s before secret ballots became an election mainstay.

However, Hall said the same sort of arguments about fraud potential can be made about other forms of remote voting, such as mail-in ballots.

Antonio Mugica, chief executive of online and electronic voting vendor Smartmatic, argued that online voting is better for people who can’t physically make it to the polls because vote-by-mail systems can result in “a significant amount of disenfranchisement” because of ballots that get lost or arrive too late to be counted.

But concerns about fraud in online voting are still very real. Since 2014, Smartmatic has worked with Estonia on the highest-profile example of online voting in the world. The small Eastern European nation started letting people vote online in 2005, and now about one-third of the country’s voters cast their ballots that way.

Some experts have warned that Estonia’s online voting system is vulnerable to hacking. Researchers from the University of Michigan and the Open Rights Group who evaluated Estonia’s 2013 election found so many issues with the system that they recommended shutting it down. Estonia, however, pushed back against the report. “In the past decade, our online balloting has stood up to numerous reviews and security tests,” the country’s National Electoral Committee said.

But the academics have stuck by their findings. And even if parts of the online voting system controlled by the government were safe, citizens’ personal devices might be infected with malware that could hijack their votes, said J. Alex Halderman, a University of Michigan professor who worked on the study.

Mugica acknowledges that the security of user devices is a potential problem. He said that Estonian voters, for example, receive a QR code they can use to verify their vote was correctly counted. Estonians also have government IDs associated with a unique online identity that helps authenticate votes, according to Estonian Information System Authority Anto Veldre. But Veldre “would still warn against hastily implementing” online voting in places without that kind of technical infrastructure.

Mugica said his company hasn’t uncovered any hacking incidents involving their systems. But Halderman argued that doesn’t mean it hasn’t happened. “A well-constructed attack is not going to leave evidence of fraud,” he said.

Lori Steele, the founder of an online voting vendor called Everyone Counts, agreed that online elections come with technical challenges, but she played down security concerns. “When people say it’s not ready, they’re wrong,” she said.

Steele and Mugica both said they got into the online voting market after the disputed 2000 election because they wanted to fix outdated polling technology. But their systems haven’t won over researchers like Halderman yet.

“Frankly, I think it’s ridiculously irresponsible for governments and voting system vendors to be pushing online voting with current technology,” he said.


Why You Can’t Vote Online

A decade and a half into the Web revolution, we do much of our banking and shopping online.   So why can’t we vote over the Internet? The answer is that voting presents specific kinds of very hard problems.

Even though some countries do it and there have been trial runs in some precincts in the United States, computer security experts at a Princeton symposium last week made clear that online voting cannot be verifiably secure, and invites disaster in a close, contentious race.

“Vendors may come and they may say they’ve solved the Internet voting problem for you, but I think that, by and large, they are misleading you, and misleading themselves as well,” Ron Rivest, the MIT computer scientist and cryptography pioneer, said at the symposium. “If they’ve really solved the Internet security and cybersecurity problem, what are they doing implementing voting systems? They should be working with the Department of Defense or financial industry. These are not solved problems there.”

The unsolved problems include the ability of malicious actors to intercept Internet communications, log in as someone else, and hack into servers to rewrite or corrupt code. While these are also big problems in e-commerce, if a hacker steals money, the theft can soon be discovered. A bank or store can decide whether any losses are an acceptable cost of doing business.

Voting is a different and harder problem. Lost votes aren’t acceptable. And a voting system is supposed to protect the anonymity of a person’s vote—quite unlike a banking or e-commerce transaction—while at the same time validating that it was cast accurately, in a manner that maintains records that a losing candidate will accept as valid and verified.

Given the well-understood vulnerabilities of networked computer systems, the problem is far from solved, says David Dill, a Stanford computer scientist. “Basically, it relies on the user’s computer being trustworthy. If a virus can intercept a vote at keyboard or screen, there is basically no defense,” Dill says. “There are really fundamental problems. Perhaps a system could be tightened so some particular hack won’t work. But overall, systems tend to be vulnerable.”

This year, the U.S. Department of Defense canceled plans to allow Internet voting by military personnel overseas after a security team audited a $22 million system developed by Accenture and found it vulnerable to cyberattacks.

While some nations, including Estonia, allow Internet voting—and other European nations and cities are pursuing projects (Italy is conducting a large test this year), Dill says these adoptions do not prove that they are secure. “I contend that nobody knows whether there is fraud in those nations, because there is no way to detect it,” Dill said.

Some of the theoretical hacking problems could already plague electronic voting systems that are widely used in the United States and other countries (see “The States with the Riskiest Voting Technology”), especially if the machines do not produce paper records. But these machines, because they are disconnected from the Internet, are vulnerable to a much narrower range of attacks.

The problems of Internet voting were made clear in a trial two years ago, when the District of Columbia set up a system that let voters go online, enter an ID code they’d received in the mail, cast a vote, and get a record of the result. Election officials invited computer scientists to try to hack the system in a mock election.

Alex Halderman, a computer scientist at the University of Michigan, and two grad students accepted that offer—and soon found an error in the source code that “allowed us to completely steal the election,” Halderman said at the Princeton symposium. They were even able to change the choice of candidates that appeared on people’s screens.

Rivest put the matter in plain terms. “I think when we talk about voting over the Internet, my gut reaction says: Why vote over the Internet? Why? Why are you doing this? Why? Really, why? Why? I think you need to ask that question a lot, just like a two-year-old,” he said. “There are other approaches to getting information back and forth that are better, and have better security properties. Voting over the Internet is rarely going to be the best choice. It’s very complicated, and you are asking for trouble. Would you connect your toaster to a high-tension power line? Putting a voting system online is very much like that. Would you invest your pension in credit default swaps? You want to stay away [from] complexity. You want something simple. You are entering a world of attacks and risk that you don’t want to be in.”


Will the Next Election Be Hacked?

Two years ago, hackers gained access to an online voting system created by the District of Columbia and altered every ballot on behalf of their own preferred candidates. On the “Thank You!” page that ran at the end of the voting protocol, they left their trademark—the University of Michigan fight song.

The online voting system was real, intended for use that November, but the compromised election, fortunately, was just a mock-up for testing security. The infiltrators were a team of graduate students led by University of Michigan computer scientist J. Alex Halderman. Which candidates got the fake votes? Skynet from the “Terminator” movies and Bender, the alcohol-fueled robot from TV’s “Futurama.”

In all, 31 states will offer some form of online voting, usually for overseas voters. ENLARGE
In all, 31 states will offer some form of online voting, usually for overseas voters. Oliver Munday

But the hackers had a serious point: that Internet voting systems were a real threat to the integrity of the democratic process. “The question of whether Internet voting is secure is really not a political question,” Dr. Halderman says. “It’s a technical question.”

As many as three million voters will be eligible to vote online this fall, according to Pamela Smith, executive director of the Verified Voting Foundation, a nonpartisan fair elections watchdog group. In all, 31 states will offer some form of online voting, usually for overseas voters.

Election administrators have shied away from full-fledged Internet portals for 2012. Most of the online systems planned for November require voters to download their ballots, print them, sign them, scan them back into their computers, and send them to election officials via email or fax. But many of these voting programs use unencrypted email and are even more vulnerable to hackers than online portals. “The use of email for transmitting voted ballots is actually the worst form of online voting, the least secure,” Ms. Smith says.

At least 16 states or counties have applied this year for grants from the Department of Defense to experiment with online ballot-marking “wizards.” These programs are essentially Internet voting portals that stop short of counting votes. Voters mark ballots online, and their voting information makes a round trip to a central server and back to them. They receive a digitally completed ballot to email or to print and send by post. “It’s a small step to go from this to online voting,” says Stanford computer scientist and e-voting critic David L. Dill. “They just have to flip a switch.”

Online voting critics like Drs. Dill and Halderman have grown more vocal as they have received more requests to consult on high-tech voting technologies. At a recent workshop on absentee overseas voting, Ronald L. Rivest of MIT, a leading cryptographer, compared election officials asking for advice on best practices for Internet voting to drunkards asking for help getting into their cars to drive home.

Still, it is not clear that the protests will slow the march of technological optimism. “I believe everyone will have the option of voting online, certainly within our lifetime,” says Lori Steele, chief executive of Everyone Counts, a high-tech voting systems vendor.

A number of computer scientists are working to develop a more secure alternative to Internet-based elections. In this model—what professors Philip B. Stark and David A. Wagner of the University of California, Berkeley, call “evidence-based elections”—it is less important which machines are used so long as a paper trail is maintained. This allows results to be verified independently through audits and recounts.

The controversy over the 2000 Bush-Gore recount in Florida looms large in discussions of Internet voting. Though the punch-card system used in many Florida precincts wasn’t high-tech by today’s standards, it lacked a voter-verified paper trail. Internet voting could be a further step toward electoral insecurity, critics say. While inside the D.C. voting system, Dr. Halderman and his team saw signs of attacks from IP addresses in Iran and China.

“Election systems are a critical piece of public infrastructure,” Dr. Halderman says. “As they’re more and more connected to the Internet, that’s exposing [them] to attacks from anywhere around the world.”


Why can’t Americans vote online?

Tuesday is Election Day in the United States, and although the mostly state and local races won’t stir the same passions as next year’s presidential contest, millions of people will cast ballots.
They’ll do it in much the same way that Americans have for centuries: by showing up at a polling place and ticking off boxes for their candidates of choice.
All of which raises the question: In an era when virtually every daily task can be done on the Internet, why can’t we vote online, too?
The answer depends on whom you ask.
Advocates say the time is right to seriously consider letting voters cast a ballot from the comfort of their homes or even on the screens of their mobile phones.
“We’ve voted the way we have for the past 200 years because we couldn’t do any better than that,” said Rob Weber, a former IT professional at IBM who runs the blog Cyber the Vote. “Now, we have this technology that has revolutionized the rest of our lives … (and) can revolutionize our voting system and could revolutionize our political system.”
A recipe for chaos?
But critics, many of them in the cybersecurity world, argue that letting people cast votes from their home computers is a recipe for chaos.
“My position hasn’t changed over the years,” said Avi Rubin, a professor of computer science at Johns Hopkins University who specializes in computer security. “Which is that online voting is a very unsafe idea and a very bad idea and something I think no technological breakthrough I can foresee can ever change.”
Rubin said that, in addition to politically motivated reasons for attempting to corrupt online votes, many hackers with no real political agenda could still see the challenge of tinkering with an election too attractive to pass up.
“People’s computers are not getting more secure,” Rubin said. “They’re getting more infected with viruses. They’re getting more under the control of malware.”
Canada and Estonia
Other countries, though, have gone further down the road toward online voting than U.S. election officials have.
Canada has been near the forefront. In all, 80 Canadian cities and towns have experimented with Internet voting in municipal elections. The town of Markham, in Ontario, has offered online ballots in local elections since 2003.
An independent report by digital-strategy firm Delvinia showed that early voting increased 300% the first year Internet voting was allowed. Twenty-five percent of the people who voted online in 2003 said they didn’t vote in the prior local election, and overall turnout rose nearly 10% from 2006 to 2010, according to the report.
“Not only is Markham a perfect example of how internet voting is being successfully implemented in a binding election; with other municipalities following suit, Canada is becoming a global leader in the implementation of Internet voting,” the report read.
Sweden, Latvia and Switzerland are among the countries that have tested Internet voting.
But when it comes to national elections, Estonia is the clear leader.
The tiny Baltic nation (its population of 1.3 million is roughly the size of San Diego) has allowed online voting for all of its citizens since 2007. In this year’s election, nearly one in four votes was cast online, according to its elections commission.
Risks and rewards
Priit Vinkel, an adviser to Estonia’s National Electoral Committee, said security is of the utmost concern.
“Internet voting relies basically on a single factor: trust,” Vinkel said. “Building and stabilizing this trust is the most important but also the most difficult task of the state.”
In Estonia, that security includes a national ID card that can be used remotely and a voting system built to recognize unusual activity, Vrinkel said. He said security officials have detected no serious attempts to tamper with the votes.
But, in Rubin’s mind, that’s not enough.
He says the Internet’s known security risks alone could be enough to call an election’s results into question.
“In any election, it’s important that the public perceive that the election is held fairly,” Rubin said. “If you allow online voting and you’re unable to detect any fraud, but it turns out later that many computers were compromised … there’s no way to audit or backtrack or recount or do anything to figure out what actually happened.
“The real question is whether you’re interested in providing more questions about the outcome of an election or less.”
Weber, who writes his blog from New York, acknowledges the difficulties but says they shouldn’t be enough to stop progress on Internet voting — which he and others believe will increase participation, particularly among younger voters.
“If there are concerns about any of this, the answer is to further work on those concerns, not declare that the Internet is entirely dangerous and will always be entirely dangerous, and you can never trust it,” he said.
He notes that trillions of dollars have been moved around via online banking and that functions as sensitive as air-traffic control take place on the Internet.
He also said that for critics to hold up the current U.S. voting system as a model of safety is laughable.
“Machines, memory cards, even things on paper” can be manipulated, he said. “How many times in our history have we found a box of ballots in someone’s garage a couple of weeks after an election?”
Experimental efforts
Experts don’t expect widespread voting by Internet to take hold in the U.S. anytime soon. But there have been some fledgling efforts at testing it.
In the early 2000s, the U.S. military began testing the Secure Electronic Registration and Voting Experiment, which would have let service members stationed overseas vote online. But it was scrapped by the Pentagon after its studies suggested security risks.
As recently as last year, West Virginia experimented with allowing a small number of military members from five counties to vote online, although that pilot program was criticized by some security experts. West Virginia’s Secretary of State Natalie Tennant has appeared to back away from pushing to make it statewide.