According to a New York Times editorial published last Friday, a county in Florida is trying to implement an Internet voting (which I will refer to as IV) system so that its active-military residents may vote more easily. As they say, the goal is laudable, and I agree: allowing greater access to the polls should be a goal for any functioning democracy.
However, they soon point out the potential pitfalls of IV. Again, I have no choice but to agree, and I should know. I have administered such a system, and know just how easily things can go wrong.
The following is split into two general sections. The first is my story, and the second is an analysis of the issues around IV in general.
I am a student at a major university that has long been a leader in the fields of computer science and energy. In fact, it is considered one of the most wired campuses in the country. It is possible to engage in just about any school-related function from your computer, anywhere in the world (sometimes with the use of a VPN). Voting for student government officials is one of those functions. Heck, on a campus like mine, most students wouldn't even bother voting if they couldn't do so from their own computers (and many don't anyway, but that's another issue entirely). But I digress.
In March of 2007, I found myself on the Student Government Elections Board for this particular university. We five students (out of almost 10,000) were charged with ensuring that the entire process ran smoothly. Well, long story short, it didn't. After two false starts, we were finally set to run the election in the last week of classes before all of campus left town for the summer.
At first, all seemed to go smoothly. In fact, turnout looked stellar, at nearly 40% of the undergraduate student body (I wasn't kidding when I said students at this school don't bother to vote). When we went to unlock the results, however, it became clear that all of those efforts had been for naught, as disaster had struck (link to story not provided in the interest of anonymity):
The results of this week’s student government elections were deemed inaccessible Wednesday evening, possibly due to malicious tampering with the electronic key that decodes the results.
Well over two thousand votes had been rendered worthless in an instant -- most even before they had been cast. It turned out that the tampering had not been entirely malicious in intent, but the result was the same: the election had to be repeated.
The whole incident occurred because someone was able to gain unauthorized access to the election server. One machine was compromised, and the election was rendered invalid. If it can happen here, it can happen anywhere -- especially in a state as infamous for electoral shenanigans as Florida.
Thus ends part one of my saga. Now, let's take a look at the issues that IV has to surmount in order to become viable.
First, any election system has to solve the following problems in order to run smoothly: authentication (or identification), ballot security, and tabulation. We have dealt with all of these problems in one form or another several times over the last few years, and without question well before then.
In order for any one person to vote, we must be able to verify that they are eligible to vote where they are trying to vote, and that they only vote once. This is authentication. Issues here are generally the reason that a provisional ballot will be cast: Someone isn't on the rolls for whatever reason (maybe they moved, maybe some partisan operative kicked them off), so they can't authenticate.
Now, in a closed environment like a college campus where everyone is given a user account for the network, authentication is not difficult: when someone goes to vote, they are asked to log in. If they have already voted, they are then told that they have done so (maybe given the opportunity to change their vote if they wish). In a national online election, one could possibly use Social Security Numbers, as that piece of information is about as close as one could get to a universal, unique identifier.
This gets a little trickier when you're talking about a state or local election, though, as there are generally no such identifiers on the state level (driver's licenses are close but don't cover everyone). Unless states track every person who enters and leaves their borders constantly, there will have to be some standardized state-issued identifier like the SSN. This is possible, though privacy advocates won't like it.
In summary, authentication: Surmountable, though likely contentious and difficult.
Tabulation is the one advantage of any electronic system, networked or otherwise: Once voting closes, the results can be known instantaneously (barring any paper balloting or, of course, a fiasco like what happened to me). IV can also allow vote tallies to be updated in real time. Of course, that in itself is a double-edged sword.
In summary, tabulation: IV might make it too easy.
Finally, let's move on to ballot security. We've all heard the stories of ballots being stuffed into trash bags with no indication that they've been counted -- nor that they will be. With IV, there's another possible problem, which is the fact that the ballots could be intercepted between client and server. Going back to the Okaloosa proposal, we learn the following:
The plan would set up Internet voting kiosks near American military bases in Germany, Japan and Britain. The votes would be sent to the United States over secure lines similar to ones used for bank transactions.
This is better than it could be, but let's imagine that we have such a system set up for the bulk of voters stateside. Then you'd need... a set of centralized locations where people would go vote. Sound familiar?
The only way that Internet voting would provide any sort of location advantage (avoiding the need for polling places) is if people can vote from their own computers. Then, of course, you have to protect every one of those computers from malicious use. Remember that the elections server itself, which should have been the most secure part of the system, was hacked. Securing even one computer is already difficult, if not impossible; imagine trying to keep 100 million computers free from all of the threats that exist online.
Add in the facts that hackers are almost always one step ahead of computer security experts, and that the vigilance required to keep the most critical parts of the system safe seems to be beyond the will of this country's election officials... forgive my pessimism, but it just doesn't seem possible to keep the system secure.
In summary, ballot security: Extremely difficult, probably impossible.
Final thought: We know that electronic voting is problematic enough as it is, with almost no accountability built into most of the systems. Americans all across the country have little to no confidence that their votes will be recorded reliably. What makes Okaloosa County, FL, think that IV will help, rather than hurt, in this regard?