Examining Internet Voting in the State of Washington
By David M. Elliott, Assistant Director of Elections
Office of the Secretary of State
Published June 1998
The internet is quickly changing the face of citizen relations with the government. New technology offers instant information at little or no cost. The on-line environment creates new levels of efficiency and speed in communication and dissemination of.
As information is ported to the web, people can quickly locate anything they want. One source of information (a web site) can serve many users, who can select the level of detail they need. People expect to find answers to all of their questions on the web. Web-enabled citizens also desire government services. Agencies are actively developing sites to renew licenses and file documents over the web.
One government process that is becoming web enabled is elections. Voter Registration cards, Candidate and Voter pamphlet information and election results are all being posted on web sites. Using web technology to facilitate the voting process is an idea with many supporters. Groups have proposed on-line voter registration, Initiative petition signing, and on-line voting. Proponents argue that this technology would deliver increased voter participation, better voter convenience, and improved voter interest at reduced costs.
Another area of improvement in elections is accessibility to the ballot for the sensory and mobility impaired. Senate Bill 511 is an indicator of the strong interest in this area. This bill mandates much higher levels of accessibility than current systems can provide. Fortunately, an additional capability of the web is the ability to improve access for those with sensory or mobility impairment. If a person with special needs already has web access designed for their needs, they will be voting enabled when voting and election capability comes to the web. In order to meet this goal, voting system designers must be cognizant of this issue.
PROCESS IMPROVEMENT IN WASHINGTON
In most other areas of the voting process a great deal of effort has been expended to reduce barriers to participation; the National Voter Registration Act (NVRA) of 1993 is one example. The NVRA mandates active Voter Registration programs in all state agencies and offices and makes voter registration a part of nearly every face-to-face transaction in government. Additionally, Voter Registration by mail and Voter Registration in disability offices are mandated. The NVRA also goes to great lengths to improve address maintenance and requires "fail safe" voting for all states.
In Washington state, voting by mail and permanent on-going absentee voting have become very popular. The portion of the population that is permanently receiving their ballot in the mail for every election will soon be the majority. Additionally, entire elections are conducted through the mail and voters may request absentee ballots by telephone. These provisions are all driven by the desire to provide convenient balloting options for the public at a time and place that serve the voter. The result of these efforts is increased voter participation. Another improvement in the area of voter convenience is Washington’s reduction of the Voter Registration cutoff period from 30 days to 15 days before an election.
All of the trends toward voter service in elections are further served by the concept of online or internet voting. Most County Auditors and the State Election Office have a web presence. Voters can find information about the logistics of Voting and Voter Registration in addition to contact numbers and e-mail addresses for other questions on-line. Additionally, Online Voter Pamphlets and election results are becoming ubiquitous. Someday we will vote this way.
THE VOTING PROCESS AS IT EXISTS
There are several possible models for employing web technology in the voting process. Each has advantages and each presents challenges. I will open this discussion with a description of the current voting system.
Voter registration is accomplished through "hard card" forms completed and returned to election offices for inclusion in Voter Registration lists. The forms allow the voter to provide information about their qualifications for voting and the voter provides a signature on the form. The signature performs two important tasks. First, the signature attests to an oath, under penalty of perjury, that the voter has answered truthfully and is therefore qualified for the franchise. The second task is positive identification, securing the voter’s absentee ballot and Initiative rights. The Voter Registration system is an honor system. Each county election department accepts the form at face value and enters the voter onto the rolls with no further investigation.
Absentee Voting: Voters request absentee ballots in person, via letter, via telephone, or through an on-going absentee ballot request. The on-going request allows the voter to receive a ballot for all elections. Absentee ballots are either handed to the voter over the counter or delivered via the USPS. The voter fills out their ballot and then seals the ballot inside a "security" envelope. This envelope is sealed inside another envelope that has an oath for the voter to sign, and the ballot is returned to the election office either in person or via USPS.
At the election office, the absentee ballot signature is checked against the voter’s file signature, providing security that the ballot is from the voter. Once checked, it is the only ballot that will be accepted from the voter. The signature check confirms identity and secures the process simultaneously. The outer envelope is then opened and removed, leaving the security envelope sealed with the ballot inside for later opening. This separation of the ballot from all identifying materials ensures the voter’s secrecy and anonymity. Later all of the security envelopes are opened and the ballots processed and counted.
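The order of checks in the two-envelope procedure above is what any automated version has to preserve: verify the signature, accept only one ballot per voter, discard the identifying envelope, and only then open the ballots. The sketch below is an added example, not part of the original paper; it assumes a per-voter HMAC key as a stand-in for the signature on file, and all names and voter records in it are hypothetical and constructed.

```python
import hashlib
import hmac
import json
import random
from collections import Counter

# Constructed voter file: id -> key standing in for the signature on file (assumption).
VOTER_FILE = {"V001": b"k1", "V002": b"k2", "V003": b"k3"}

def oath_tag(key, voter_id, inner):
    """Stand-in for the signed oath on the outer envelope, bound to the inner one."""
    msg = voter_id.encode() + b"|" + hashlib.sha256(inner).digest()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def cast(voter_id, key, choice):
    """Voter side: seal the choice in the inner envelope, sign the outer one."""
    inner = json.dumps({"choice": choice}).encode()  # carries no voter identity
    return {"voter_id": voter_id, "tag": oath_tag(key, voter_id, inner), "inner": inner}

class ElectionOffice:
    def __init__(self, voter_file):
        self.voter_file = voter_file
        self.received = set()  # voters whose ballot has been accepted
        self.sealed = []       # inner envelopes only, stored without identities
        self.rejected = []     # (voter_id, reason) audit entries

    def accept(self, outer):
        vid, key = outer["voter_id"], self.voter_file.get(outer["voter_id"])
        if key is None:
            return self._reject(vid, "not registered")
        if not hmac.compare_digest(oath_tag(key, vid, outer["inner"]), outer["tag"]):
            return self._reject(vid, "signature mismatch")
        if vid in self.received:
            return self._reject(vid, "ballot already accepted")
        self.received.add(vid)
        self.sealed.append(outer["inner"])  # outer envelope is dropped here
        return True

    def _reject(self, vid, reason):
        self.rejected.append((vid, reason))
        return False

    def tally(self):
        random.SystemRandom().shuffle(self.sealed)  # break arrival order before opening
        return Counter(json.loads(b)["choice"] for b in self.sealed)

def run_demo():
    office = ElectionOffice(VOTER_FILE)
    accepted = [
        office.accept(cast("V001", VOTER_FILE["V001"], "Yes")),
        office.accept(cast("V002", VOTER_FILE["V002"], "No")),
        office.accept(cast("V001", VOTER_FILE["V001"], "No")),  # second ballot
        office.accept(cast("V003", b"wrong-key", "Yes")),       # wrong signature
        office.accept(cast("V999", b"any-key", "Yes")),         # not on the rolls
    ]
    return accepted, office.tally(), office.rejected

if __name__ == "__main__":
    print(run_demo())
```

As in the paper process, the inner envelope here is not encrypted; secrecy comes from separating it from the identifying envelope before it is opened, so the separation step is the one an audit has to be able to confirm.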
THREE INTERNET VOTING MODELS
1. Automating the current process. Web voting could be accomplished as an imitation of the current absentee process, using ballots requested and distributed via secure e-mail. The ballot would be marked by the voter and either printed out and returned via hardcopy with hard signatures through the USPS, or returned to the election office via secure e-mail. The main advantages of this method are that it is easily understood by the voter and less susceptible to transmission bottlenecks during high internet traffic times at the end of the voting period. Also, each vote would be handled as an individual transaction. Procedures would be needed to ensure that only one vote is accepted from each voter and that voter secrecy and anonymity are maintained.
2. Web site voting. Another model would use voting web sites in which the voter logs in through secure means, establishes their identity and votes a ballot during their visit to the web site. This could be accomplished through internet access from either the home, office or library. Voting could take place over a several day period ending at 8:00pm on election day. This method has the advantage of being similar to most other web transactions. The voter logs in, provides an identifying key through a secure pipeline from their browser, and votes. The transaction occurs in real time. The web site can provide on-line help to the voter as they complete their ballot. The ballot can also be presented in a variety of languages and the voter can take as much time as he or she needs.
The potential weakness of this system is its vulnerability to a variety of hacker-created problems. These include "jamming", "man in the middle" hacks and "page jacking". Jams and bottlenecks may also occur due to high volumes of legitimate traffic during the final hours before the polls close. Jamming is caused by a hacker overloading a web site with requests for information, thus jamming the lines and preventing legitimate interaction with the site. Man in the middle sites set themselves up to mislead the user into thinking they are on the correct website when in fact they are on the hacker’s website. The fake site collects the user’s identifying information for later fraudulent use and leaves the user thinking that he/she has properly completed business with the legitimate site. Later the hacker can use the identifying information gathered at the fake site to conduct fraudulent business at the real site. Page jacking consists of leading a user off to an imposter website. There the user’s browser is disabled and the user is shown advertising or other information. The user generally has some difficulty communicating with their intended web site because of the road blocks presented by the page jacker.
The bottleneck problem is similar to jamming except that the jam is caused by an overwhelming number of legitimate contacts occurring simultaneously. The solution to this is to create over-capacity, either by spreading the voting period over several weeks or through more equipment. Capacity problems have been experienced on election day from persons attempting to look at election results on the web. Research must be done to determine if web capacity is adequate for the volumes that will be experienced and to determine what adequate capacity is for web voting servers and equipment.
3. Regional Voting centers. This idea uses web technology to modernize poll-site voting. Voting would be conducted at computer equipped regional voting centers. The web would be used as the communications medium for security information, including signature images. Once the voter is positively identified the correct electronic ballot would be delivered over the web to the voting center. The voter would be identified by election employees via signature match. A voting terminal would be configured with the voter’s correct ballot, and the vote cast. This would provide security, and convenience for the voter.
The voter could utilize any polling site within his or her county because all ballot styles would be available at all sites. The voter could not vote at more than one polling location because the entire county would be linked via the central server. This disconnects delivery of the ballot from geographic location. Currently a voter’s ballot can only be found at the pollsite in his or her neighborhood. A commuter may leave their home area (precinct) before the polls open and return after they are closed, but if there is a regional voting center near their office they could vote at lunch or on a break. Furthermore, the voting centers could be open for business for a period of days before the election to provide additional opportunities to vote. The existence of web technologies makes this model possible by allowing for rapid identification of the voter and rapid return of their appropriate ballot. This is the ultimate model of NVRA "fail safe voting".
Advantages include convenience for the voter, improved security over present poll-site voting and reduced printing costs. The only concerns would be in providing complete security for the web connections between the poll-site and the central server and ensuring adequate capacity. Some of the security concerns could be eliminated by employing a post-election reconciliation of each voting center’s results independent of the web.
The number one concern voiced about Web voting is security. Everyone has read stories about computer hackers breaking into computer systems. The prospect of an election tainted by hacking is daunting, but there are many security concerns that are more relevant. Ensuring the privacy of the voter is of utmost concern. It must be provable that each ballot has been unexamined and is accurate. Methods must also be devised that provide verifiable privacy.
Another concern is verifying the accuracy of the voting system in collecting and counting the votes. Finally, there is the issue of authentication and verification of the voter. Is the voter the person that sent this ballot? Is this the only ballot that the voter sent? Digital signature systems accomplish most of these functions in one technology. The digital signature authenticates the voter at the same time that it protects privacy and secrecy. Unfortunately, cost remains an issue.
It has been suggested that digital signature technology is the key to securing the internet voting process. Digital signatures provide the best level of security in electronic transactions; however, they are not inexpensive. Questions raised about funding are important. If the government provides a digital signature for all voters the cost would be very high. Conversely, if voters who own or are willing to buy a digital signature are the only ones allowed to vote this way, then economic barriers to participation are being created. Additionally, there are several "classes" or security levels of digital signature. Some digital signatures are obtained without requiring any personal identification; others require high levels of ID, including personal interviews. There is some irony in the fact that in order to register to vote a person only need fill in a form and mail it, but an in-person interview may be required before a person could vote this way.
Voting system standards: All voting systems and their software are reviewed against the Federal Election Commission (FEC) guidelines for voting systems. These standards are promulgated by the National Association of State Election Directors (NASED) and the testing is performed by national testing laboratories in Huntsville, AL. Currently these standards do not contain any reference to this sort of voting system. Web voting will necessitate the creation of new areas of the standards. There will need to be software review benchmarks, platform review standards, standards for security systems, and standards for logic testing.
Criminalizing certain behaviors: Just as we have laws that pertain to current voting systems, an effective online voting system will require new sections of the law that criminalize certain behaviors.
- Stealing, Buying, Selling or Giving away your Digital Signature for the purpose of selling or stealing a vote.
- Coercion of a voter.
- Hacking voting systems or individual votes.
- "Jamming" a voting system by reducing or eliminating access to the system.
- "Spamming" the voting system in order to reduce the ability of election officials to respond to legitimate voter requests.
- Invasion of Privacy by attacking a ballot or web site with intent to examine votes or change votes.
CURRENT WEB VOTING EFFORTS
At this time there are several groups working on pieces of the web voting system. The Federal Voting Assistance Program (FVAP) at the Pentagon, The California Secretary of State internet voting task force, the NASED ITA subcommittee, and several private vendors are all researching and testing the models, software and ideas for standards. Each of these groups has a different solution with different security standards and risks. The web is being used in College and High School elections, corporate proxy votes, union membership elections, and several vendor sponsored test elections. All have had success and it is likely that in the next 24 months an internet vote will be cast in an official election.
Voter interest in Internet voting is growing and will continue to grow. Government’s job is to provide the convenience of an online voting system while making no compromise of the democratic election system. Current systems have the advantage of being based on commonly understood systems like the US Mail, poll sites, and the telephone. The internet, while people are learning how to use it, is largely unknown.
People do not understand all of the information that is moving in and out of their computers while they are online. Nor do they understand the underlying infrastructure or technology of the web. Recently it was revealed that some software products and some computer chips were surreptitiously marking documents and files with serial numbers. This process was intended for internal use by the chip and software companies, but the function was accidentally left active in the real world. In another case, "anonymous" e-mail transmissions to a media website were identified through the display of their unique web identifier.
When a person is online, information about the person is being stored on their computer and other identifying information is being read largely without the user’s knowledge. Hackers have found ways to use "Trojan Horse" type software to read and transmit an online user’s files without their knowledge. These issues are all real and must be addressed. This sort of thing presents real barriers to acceptance of the technology.
OTHER ASSORTED ISSUES
Government’s developmental and regulatory role: Clearly government regulators have a role in making sure that any voting system is accurate and secure. Guidelines and Standards must be developed to protect the integrity of the voting process. Historically most efforts in this area have come as reaction to problems experienced in the field. Historically, vendors have developed and sold systems to local election authorities and then regulations have developed to guarantee proper operation of these systems.
Government has not been a designer or creator; it has been a customer and regulator. There is an opportunity for Government, together with vendors, to define standards in the area of internet voting. Government should not be involved in design; however, setting minimum acceptable standards will be very important. These standards would need to be drawn from existing voting system experience, existing internet operating experience, minimum user friendliness/understandability standards and accessibility standards. Some work in this area has been done by the various internet voting companies and the California State committee. This work should move forward quickly. It is OK to have competing technologies and let the market sort it out as long as both systems function to at least the minimum acceptable levels.
Viruses. Obviously any system of this importance must be fully and robustly protected against all hacking including viruses.
Economic access. The distribution of equipment used in private web access is heavily slanted toward higher income groups. The use of library and other public access web terminals could bring some level of equality to the issue of access but this is an issue that must be acknowledged.
Confidence in the system. This is an issue for all voters, even the person who chooses to vote through the existing methods. People will likely question the overall effectiveness of the system if they do not trust or understand the internet voting piece of it.
No paper trail. All of the potential internet voting systems will have electronic audit trails. A traditional audit trail consists of a paper trail. All existing technologies used in Washington state provide a paper record of each vote (the ballot), and paper records exist for all voters signing their absentee envelope or the poll book at the poll-site. There are technologies in use in other states that do not have a paper trail (direct recording electronic devices); they are legal and covered under the FEC guidelines for voting equipment. Nonetheless, people in this state are not accustomed to a voting system without a paper trail and there may be some acceptance issues.