In 2004, the Department of Defense
(DoD) had an Internet voting system ready for use, in a secure location in Reston, Virginia.
A test system had been tried in 2000, and had worked without a hitch. The new system was called “SERVE,” the
Secure Electronic Registration and Voting Experiment. About 100,000 overseas military personnel and
civilians from various counties in seven states volunteered to vote from their
remote locations on their own PCs in the November elections. Congress had authorized the funds in 2002,
after extensive hearings concerning the need, the feasibility, and security of
the proposed system. Teams of experts from
the business sector, academia, the military, and government agencies federal,
state, and local, had collaborated on the project for two years.[1]
The Federal Voting Assistance
Program (FVAP), a department within the DoD, had the responsibility for the
project. Just to make sure that no stone
was left unturned, FAVP decided to bring in a team of civilian computer
security experts, tell them how the system would work, and let them examine the
secure server in Virginia. FVAP officials knew that some of these
computer scientists had criticized the very idea of Internet voting because
they considered it too vulnerable to attack and manipulation. Nevertheless, the experts who had built the
system, including specialists in secure communications from the military, were
confident that these outsiders would marvel at what had been accomplished.
The folks in FAVP, and all the
people who had worked on SERVE, were stunned when, after only the second of a
planned series of meetings, four of the computer scientists published a report,
summarized in the New York Times, condemning the system as “inherently
insecure” and calling for a halt to the project.[2]
The four critics were David
Jefferson, Barbara Simons, David Wagner, and Avi Rubin. While the report praised the accomplishment
of FVAP and its colleagues on constructing a secure and operable server, it
proclaimed that “the very architecture of the Internet” as we now know it is
irreparably insecure, and any election based on Internet voting would be
vulnerable to such a variety of attacks and manipulations that the public could
have no confidence in it. To hold such an election would surely precipitate a
crisis of legitimacy for the office-holders and the government.
During the few days following the
release of the report, its conclusions were disseminated all over the web. A widespread public distrust of any kind of
electronic voting system had already developed in the US as a result of revelations about the
insecurities of Diebold touch screen voting machines, and the irresponsible
remarks of that company’s president, Wally O’Dell, promising to deliver Ohio’s electoral votes
to Bush in 2004.[3] After a week of
controversy, and in the absence of any defensive response from the stupefied
members of the SERVE team, Undersecretary of State Paul Wolfowitz, who was then
politicking for the presidency of the World Bank, ordered the project stopped.
Despite its defeat in the US, Internet voting was still considered worth a
try by several nations in Europe and some provinces in Canada. Not only is online voting more convenient for
the voter, who may be housebound, or out of the country, but it is far less
costly for the election officials to conduct.
The cost of paper for ballots, and printing thousands, even millions, of
copies would not be incurred with online voting. Even more expensive is the cost of labor for
poll site workers, renting the polling places, security guards for the
collection and transport of ballots, and counting all those ballots by
hand. Then there are the machines, like
punch card machines and lever machines, which require year round storage and
maintenance. Printers, ballot scanning
machines, and touch screen machines (“DREs”) are at least as costly to store
and maintain as the products they have replaced. With Internet voting, only an initial
investment is made for setting up the voting precinct’s secure server, and the
rest is done by the voter from home or anywhere else. Huge cost savings can be had by election
administrators over the lifetime of the server, which could be decades.
Indeed, those provinces in Canada and at
least eight European nations have been using Internet voting systems, without
malfunction or security breeches, throughout the past decade.[4] To be
exact, there was one incident in a Toronto
election in which a denial of service attack bogged down the server for about
45 minutes, until the attack was warded off and full service resumed.[5] But this was using
2003 technology, and security savvy has improved greatly since that time.
Based on the facts of experience,
then, one may wonder how wise it was to shelve the SERVE project. The successes of the Canadian and European
trials now cast doubt on the dire warnings of the four alarm bell ringers. Was
there anything to their claims, or were they just part of a ploy used to sell
newspapers, and get themselves, in Warhol’s famous phrase, “fifteen minutes of
fame”?
On the other hand, wasn’t it
better to be safe than sorry? After all,
what were the consequences of canceling SERVE?
If these consequences were not significant, then no real harm was
done. Of course, this depends upon what
one considers to be “significant harm.”
Consequences
To take the measure of the harm
done by canceling SERVE, remember that the war in Iraq had begun in March
2003. By Election Day, in November of
2004, there were roughly 150,000 combat troops in Iraq.[6] Add to that another
150,000 Americans providing some kind of support to the troops, either
logistical or diplomatic, in that war-torn country, and the result is roughly
300,000 eligible US
voters. The war in Afghanistan
then was still in its infancy, with about a tenth as many Americans of voting
age, or roughly 30,000.[7] The 100,000
Americans who had volunteered to vote online in the SERVE project included some
of these folks in combat zones.
When SERVE was shut down, all the
men and women in harm’s way, as well as the other overseas volunteers, lost
their opportunity to vote conveniently, and had to vote by mail or not at all.
This lost opportunity is not the
only harm the cancellation of SERVE caused.
Nothing on the scale of SERVE has come along for overseas voters since
2004; hence, the frustrations of overseas voters have continued almost unabated
for the six years since that project was shut down. I say “almost” because, as I will discuss
below, some remedial steps are now being taken.
Overseas Americans have always had
a hard time voting. From the days when
Ben Franklin, John Jay, and Thomas Jefferson were diplomats in Europe, to now, Americans abroad have had to rely on
snail mail to vote, if they could. Many
states made no provision for absentee voting until well into the 20th
Century. During WWII the federal
government did its best to help GIs to participate in the democracy they were
fighting and sometimes dying for. A law
was passed requiring the states to provide absentee ballots for our citizens in
uniform. But a few years later, when the
law expired, it was not renewed.
Finally, Congress enacted the
Uniformed and Overseas Citizen Voting Act in 1986. States were supposed to provide absentee ballots
to their overseas citizens, upon request, in time for the citizen to vote and
return it by mail. But a shocking number
of states have displayed a callous indifference to their citizens abroad,
including soldiers during the wars we were fighting. One study, released in 2009, found that 25
states and the District of Columbia routinely sent out absentee ballots so late
that by the time the voters received them it was too late for most of the voted
ballots to be returned and counted.[8] Even when absentee ballots could be mailed back in time to
be counted, they were often set aside and ignored, or not counted unless the
race was so close that they could make a difference.
In 2002, Congress had intended the
SERVE project to be the beginning of the end of this abuse and neglect. If SERVE had been successful in 2004, like
the European and Canadian trials have been, then 100,000 overseas Americans
would have finally been included in our democratic process. Beyond that, the opportunity to vote
conveniently would probably have been expanded to every overseas American by
2008. Of course, that didn’t happen.
Returning to SERVE
Since 2004, pressure has been
mounting in the states and in Congress to treat our men and women in uniform,
and at war, as well as all Americans abroad, with more dignity, and to honor
their right to take part in our democratic processes. As a result, some states began taking the
initiative to improve conditions for their overseas citizens. Arizona,
for example, became one of the leaders by offering a website with voter
information. It took requests for
absentee ballots via email or fax. It
sent out ballots by fax or email. A few
other states followed, but the ballot still had to be returned by ground
mail. Then some states even began to
allow voted ballots to be returned by fax or email attachment.
In October 2009, President Obama
signed into law the MOVE Act; that is, the Military and Overseas Voter
Empowerment Act. This law requires the
states to, among other things, send out absentee ballots at least 45 days
before a federal election (so that they can be returned in time to be counted),
and to provide electronic means for requesting and sending out absentee
ballots.[9]
Consequently, in 2010, 33 states
offered some form of Internet voting to their overseas citizens. About half of these allowed fax or email
return of voted ballots. In these cases,
an absentee ballot can be requested, sent out, voted, and returned all on
Election Day. US troops, and all
overseas Americans, certainly deserve such convenience. However, this method of ballot return is far
from ideal. One shortcoming is that in California, and other
states, for a voter to return his or her voted ballot by fax or email
attachment, a privacy waiver must be signed. Somebody in the Secretary of State’s office is
going to see that “Private Jones” voted Libertarian or Socialist when the
ballot comes in, and the state doesn’t want to get sued for violating the
voter’s right to privacy.
A more positive omen, however, is
that some states will offer voting at their secure website, just as SERVE would
have done in 2004. For example, in July
of this year the website for West Virginia Secretary of State Natalie E.
Tennant announced the results of her office’s recent Internet voting
trial. Five county clerks volunteered to
offer the option to their overseas voters, including military and civilians.
According to the announcement, this pilot program saw an 80 percent ballot
return rate. Other methods of absentee voting, such as by mailed-out paper
ballots, saw return rates of about 40 percent.
The website also states that “Voter response was so positive, in her
report to the state legislature, Tennant asked lawmakers to consider allowing
additional counties to participate in the 2010 General Election.”[10]
Much ado has been made over a
hacking of Washington DC’s Internet voting server in September of 2010. But this was during its first trial run, and
no actual voting took place. (For an
accurate reporting of the event, see “Does the DC Fiasco Damn Internet Voting?” at http://tinyurl.com/DCin2010 )
The circle back to SERVE will be
completed by the DoD in the near future.
Bob Carey, the new Director of FVAP, recently announced that “the
decision has been made” to restore something like the old SERVE system, with
all the latest updates, of course.[11] No deadlines have
been set, yet, but planning is underway.
Old Security Worries
But, one may ask, what about all
those dire warnings that once brought down the SERVE project? Have Congress, the president, the Department
of Defense, the military, and all those state officials gone nuts? Think about the warnings those four computer
scientists proclaimed in 2004.
For example, David Wagner has
said, “One of the
problems with Internet voting is that it exposes the potential for a single
individual anywhere in the world, perhaps not even on US soil and not
subject to US law, to attack elections and change votes en masse.
Internet voting systems also tend to be subject to worms, viruses, and phishing
attacks.” (Italics added) He also warned
that, “SERVE is susceptible to large-scale
election fraud that could … go completely undetected.”[12]
In the same vein, Barbara Simons
warned the nation that Internet voting “is a threat to our democracy … The
bottom line is we could have our president selected by [hackers in] Iran…”[13]
Wired Magazine interviewed David
Jefferson about his views on SERVE, and drew attention to his concerns over a
possible slippery slope. The article
stated, “If the experiment experiences
no detectable attack, Jefferson fears it could mislead organizers to conclude
falsely that the system is secure and ready for expansion. ‘Just because
there wasn't an attack that you detected doesn't mean there won't be one or
that there wasn't one that you didn't detect,’ he said.”[14]
Now, these are scary stories. Think of it, a hacker in Iran could swing a presidential election in the US,
and go completely undetected. Because
the hacking went undetected, we would naively expand Internet voting so that
all US
elections could be controlled by hostile foreign governments, and we’d never
know it. That’s scary!
Indeed, as late as last year David
Jefferson implored the FCC not to allow even trials of Internet
voting. Using the very same scary
stories from the 2004 report, he again warned of the hidden dangers awaiting
such reckless experiments, and the slippery slope such trials can create.
He pled in the most earnest of
terms that, although he has been a computer security expert for nearly a half
century, his own mind gets “boggled” when he thinks of all the ways that
Internet voting can go wrong.[15] (One can understand
how such an expert’s mind can become boggled; all those scary stories overload
his flight response, and he wants to run from his own imagination!)
Today, however, the old trick bag
isn’t as effective as it used to be.
Jefferson et al have cried “wolf!” once too often. Calmer minds have been applying scientific
skepticism to those scary stories.
Science, of course, asks questions and demands facts and test-based
probabilities in the answers. Thus,
government officials have asked, “With all the mind boggling things that
allegedly can go wrong with Internet voting, why haven’t any of them actually
occurred in trials?”
The four critics have answers to
this question. First, as Wagner says, “If I was a bad guy who knew a
way to hack the election, I wouldn't attack a small-scale pilot and tip my
hand; I'd wait for the voting system to be used on a large scale in an
important election and then attack.”[16] In other words, the Evil Ones are skipping
the small fry in Europe and Canada,
and they are lying in wait for the United States to expand online
voting and fall into their trap. So,
that is why there haven’t been any problems with those Internet voting trials –
the bad guys just haven’t been motivated yet. But once the US goes national with Internet
voting, watch out! Not only that hacker
in Iran, but the Russian
Mafia and the government of China
will get into the action. We could end
up with some wild eyed Ayatollah or grey-capped Commissar in the White House,
and Commander-in-Chief of our armed forces!
How scary is that?
As if that is not scary enough, Jefferson would remind us of what all four agree, that
is, that an Evil One could just change or add enough votes to swing a close
election, and do so without ever being detected! Indeed, we cannot even know whether this has
already been done in Europe or Canada.
But that alarming assertion incurs
an epistemological problem. If we cannot
know the truth or falsity of a proposition – such as whether an election has
been hacked – then the proposition is not a matter of scientific knowledge, but
only mythical speculation.
The Rise of Reason
Fortunately, Reason is coming back
to the debate over Internet voting, and Reason is beginning to prevail over
Fear. What might be conceivable in the
airy theoretical speculations of academic computer science, hasn’t happened in
the actual practice of online voting.
Why? The security experts who
construct online voting systems, as well as law enforcement experts, are just
as clever as the hackers. Indeed, one
reason we know there are hackers is because they get caught by the authorities.
Cases in point: Ten years ago, in
the olden days of security technology, Gary McKinnon, who was an unemployed
computer programmer on the dole in England,
hacked into some US
military files. As a result of his
cleverness, he is now wanted by the authorities in the US.
For the past eight years he has been paying his lawyers to fight
his extradition to the US,
where a costly trial, and likely fines and prison time, await him. During this unhappy experience, he even
developed a sudden case of Asperger’s Syndrome (useful to appeal for pity, no
doubt).[17]
Hackers beware! One former “Botnet
King,” John Schiefer, was so clever that he could control thousands of PCs, and
use them to send-out millions of spam emails with the click of a mouse. He thought he could out-smart the law, but he
is now serving a four year sentence in federal prison.[18]
The real reasons why Internet
voting trials around the world have been successful are plain to see. The security technology is effective, and so
is law enforcement. Where Internet
voting has been tried, the rational hacker calculates, when tempted, that
lawyer’s fees, fines, and time in prison aren’t worth changing a few votes in
one election. Those would-be hackers who
have been foolish enough to try to hack online voting systems have failed
because the security technology in place beats them. Computer memories show when unauthorized
intrusions have been attempted; thus proving that the security programs have
worked. The past successes of Internet
voting are a reliable harbinger of the way it will proceed in the future.
Conclusion
Every government official knows
that no voting system is going to work perfectly, someone is going to try to
cheat the game, or some technical hitch could occur somewhere. Nevertheless, the risks can be protected
against, so that they are quite minimal, as the experience in Canada shows. E-banking and e-commerce wouldn’t exist if
half the scary stories told by a few alarmists were true. When it comes to protecting profits, for example,
security technology is able to stay ahead of the hackers – otherwise the banks
would not still be in business. The kind
of security technology used in e-commerce can be, and has been, transferred to
online voting.
Of course, as we all know, hacking
does happen. But when hacking does occur
in e-commerce, a careful examination of the facts in the case generally turns
up some human error or wrongdoing, rather than a failure of the security
technology.
For example, 60 Minutes had a
piece on a woman who went online only to witness her bank account being drained
right before her eyes.[19] Turns out she
didn’t have security software in her PC, and her son was downloading pirated
music, which let the hackers into her computer.
Google’s bad experience in China was their
own fault, too. Lured into China
by greed, they conspired with the Chinese government to limit the freedom of
speech online. They allowed government
agents to block access to websites that either favored democracy or freedom of
religion. These agents made regular
reports to their government about what they had learned of, among other things,
Google’s email security codes. With that
information the government reverse engineered those codes.
Duh! What were they expecting? When you play with fire, you get burned.
Fortunately, local election
officials in the United
States are unlikely to give Chinese agents,
or Russian Mafioso, much less Iranian mullahs, access to the secure servers in
their state’s counties. If all goes well
with this year’s online voting trials, domestic trials are sure to begin. Yes folks, Internet voting is coming to the USA!
PS
Written in 2011, this post was
lost for a while. It is now being posted again (for the record). Now that Blockchain technology raises Internet security to new levels, maybe the optimism of this post can be renewed.
William J. Kelleher, Ph.D.
InternetVoting@gmail.com
Also blog at,
The
Political Science Interpretivist
https://interpretat.blogspot.com/
[1] Electronic Elections,
R. Michael Alvarez, Thad Hall. Princeton
University Press, 2008
See pages 77-85, also 68-72 and 98.
[4] Hall and Alvarez, ibid.
There have dozens of trials in the UK
and across Europe since 2002, for “a total of
eight nations.” Page 76 “In these trials, there had not been any
documented security problems, … the experiences were problem-free.” Page 71f.
[11]
csrc.nist.gov/groups/ST/UOCAVA/2010/Presentations/CAREY_FVAP_Presentation_to_NIST-EAC-FVAP.pdf,
at page 12.