Response 900288732

About You

1. What is your name?

Name (Required)
Professor Steve Schneider

2. What is your email address?

Email
s.schneider@surrey.ac.uk

3. Are you responding on behalf of an organisation or as an individual?

Organisation
UK Computing Research Committee

Online voting (eg, on computers and mobile devices)

6. What are the potential benefits and drawbacks of online voting (eg, voting via the internet using a computer or mobile device)?

Comment:
Online voting presents significant security risks, some of which we list here.

1. Online voting currently provides no way to independently audit or recount the votes, or to provide assurance that the vote has been received, stored and processed correctly, though research on “end-to-end-verifiability” (see below) may provide an adequate solution.
2. Attacks on election servers may be undetectable because there is no externally independent record of the election data. Votes might be invisibly altered, by insider fraud or external attack. Again, “end-to-end-verifiability” is a potential solution to these problems.
3. Voters’ devices are vulnerable and almost impossible to secure. They can be subject to malware and virus attacks (e.g. the 2012 Zeus virus), which could provide the capability to invisibly steal or alter votes.
4. Online election servers may be vulnerable to cyber-attacks such as denial of service attacks, or penetration and vote-tampering. They are also vulnerable to insider attacks. Attacks on well-known highly secure sites of major organisations including banks and commercial sites are reported with alarming regularity. Election systems provide a very high-stakes target, and there is no reason to expect that election systems are any more secure than others that have suffered attack.
5. Software bugs could change the outcome of an election, with no way of proving that the declared candidates were wrongly elected.
6. Voting from a private device in an unsupervised environment potentially enables vote buying and selling and coercion of voters, and provides no guarantee that the vote is provided by the claimed voter. This would be the case even for a fully secure voting system.
7. Voters can be subject to social engineering or phishing attacks to reveal their credentials or to have their vote captured by a fake website.
8. Any special equipment (e.g. a dongle or cryptographic keypad) needed for online voting will be infrequently used by voters. Vulnerabilities may arise through lost and stolen items, as well as forgotten passwords and PINs.

The consensus among computer security experts and electronic voting researchers is that online voting is currently unsafe. For example, the ‘Dagstuhl Accord’ of 2007 signed by 21 researchers attending the Dagstuhl Conference on Frontiers of E-Voting, agreed that:

"Voting over electronic networks has various attractions, is starting to be deployed, and is regarded by some as inevitable. No solution, however, has yet been proposed that provides safeguards adequate against various known threats. Problems include attacks against the security of the computers used as well as attacks that impede communication over the network. Improper influence of remote voters is also a significant problem, although it is tolerated with vote by mail in numerous jurisdictions. Securing network voting is clearly an important research challenge. We cannot, however, prudently recommend any but unavoidable use of online voting systems in elections of significant consequence until effective means are developed to address these vulnerabilities."

The concerns raised then remain current today. More recently, in December 2012, an open letter to President Barack Obama had 51 signatories encompassing elections officials, experts in cyber security, election law, post-election audits, election integrity, and accessible technologies. The letter included the following paragraph expressing opposition to Internet voting:

"Internet voting (the return of voted ballots over the Internet including fax and e-mail) has been proposed as a solution to long lines at the polls. But since it is vulnerable to attacks from anyone/anywhere, Internet voting must not be allowed at this time. In addition to security and accuracy risks, Internet voting threatens the secret ballot, which is key to avoiding voter coercion and vote buying and selling. The secret ballot was originally instituted not as a right that an individual can waive, but rather as an obligation of the government to protect all citizens from coercion and intimidation as they cast their votes. Because of multiple intrinsic risks, Internet voting should be forbidden unless and until proposed systems have undergone extensive, independent public review and open testing to ensure that they have solved the fundamental problems of security, privacy, authentication, and verification."

All these arguments refer to the technologies that have been developed so far. But researchers around the world are working to develop new methods, and the topic of electronic voting is evolving fast in the academic literature. It is likely that research done over the next decade will produce systems which are able to satisfy the stringent security properties that electronic voting demands.

7. What impact, if any, would online voting have on voter turnout?

Comment:
Insufficient research has been carried out to date on this question. The recent trials in online voting in Norway (2011, 2013) concluded that turnout was not increased by online voting. The February 2014 Recommendations Report to the Legislative Assembly of British Columbia reached a similar conclusion, stating (p 12):

"While there have been some Internet voting elections where voter turnout has increased, when other factors such as the apparent closeness of the race and interest in particular contests (e.g., a mayoral election without an incumbent) are taken into consideration, research suggests that Internet voting does not generally cause non-voters to vote. Instead, Internet voting is mostly used as a tool of convenience for individuals who have already decided to vote."

It also states (p 13):

"Researchers have also looked at the demographics of Canadian voters who have used Internet voting and have found that Internet voting is most popular among middle-age voters and least popular among youth and therefore reflects traditional voter turnout demographics. These findings run contrary to the widely expressed belief that Internet voting will lead to increased participation by youth."

8. Would online voting increase the ‘digital divide’ or increase accessibility in elections?

Comment:
Electronic voting has the potential to provide improved accessibility for voter groups who would benefit from electronic assistance in completing a ballot form or casting a vote, including blind, partially sighted and motor impaired voters, and those who cannot read English. Accessibility can be improved by the provision of a computer with a suitable user interface to capture the vote. It is not provided by online voting specifically. However, it is important to note that accessibility is not automatically provided by electronic voting. Care must be taken to design interfaces that conform to accessibility standards such as the Web Content Accessibility Guidelines WCAG 2.0, and any proposed system must be required to meet such a standard.

Electronic voting at the ballot box (eg, using a voting machine at a polling station)

10. What are the advantages and disadvantages to using electronic voting machines in polling stations instead of paper ballots?

Comment:
Advantages of introducing electronic voting machines into polling stations include:

1. accessibility for blind, partially sighted and motor impaired voters through custom user interfaces;
2. the opportunity to present the voting interface in a variety of languages;
3. guidance through the voting process and a consequent reduction of accidentally spoiled ballots, particularly for unfamiliar instructions;
4. the ability to collect votes promptly from overseas locations (e.g. embassies);
5. the collection of votes in electronic form can enable faster and more accurate tallying of the result;
6. savings on the cost of printing paper ballots.

Disadvantages include:

1. the challenge of building a system in which manipulations of the outcome by an attacker are detectable by voters and observers. In the literature, this is called "end-to-end verifiability".
2. the challenge of obtaining and maintaining public trust in a system whose internal workings are not well-understood, especially if there are early problems in introducing a system;
3. the need for robust system and procedural security.

11. Would electronic voting at the ballot box be a useful step towards online voting?

Comment:
We do not consider online voting to be an appropriate option at present. From a technological point of view, electronic voting in supervised polling stations under controlled conditions should not be considered as a step towards online voting, because the methods that are developed for poll-station voting are not the same as the ones needed for online voting. However, from a sociological point of view, poll station voting could be a useful stepping stone in order to allow voters to get used to the technology. It can help voters get used to the verifiability requirements that they will later encounter in online voting.

Best practice and troubleshooting

13. What safeguards would be needed to reassure the public that their digital vote was secure?

Comment:
End-to-end verifiability: The ideal would be to provide independently auditable evidence that the election has been conducted correctly. Reassurance will be obtained from end-to-end verifiability: that voters can check their votes have been correctly included in the count, and that the votes have been correctly tallied. There are ways developed in the academic literature of achieving verifiability of the election outcome while maintaining ballot secrecy, using verifiable cryptographic techniques. Examples of systems with this verifiability property include: JCJ (2005), Pret-a-Voter (2005), Helios (2008) and Scantegrity (2008). Other proposals (and refinements of these ones) have also been made. However, combining verifiability with anti-coercion properties and user-friendly interfaces remains a challenge.

Transparency: Election systems code is complex, and is often proprietary and closed. Making election systems code and documentation open to security and electronic experts and the public for analysis and review would provide some confidence in the expected behaviour of the system. Openness does not automatically ensure that the system is correct or secure, but the opportunity for external scrutiny allows for vulnerabilities and bugs to be identified and corrected, and enables well-informed discussion about the technical properties of the system.

Malware tolerance: the ability to use computers and devices reliably even if they have been infected with malware. This is not available with existing technology, but it is an active research area and is likely to be available within five to ten years.