Email and Internet Voting: The Overlooked Threat to Election Security [By ACM US Technology Policy Committee; National Election Defense Coalition, Common Cause Education Fund and R Street Institute]
This report reviews the research conducted by the federal government concluding that secure online voting is not yet feasible.
Findings:
· Federal government, military and private sector studies have examined the feasibility of internet-based voting and have concluded it is not secure and should not be used in U.S. government elections.
· Thirty-two states permit online voting for some subset of voters.
· In the 2016 general election, over 100,000 ballots were reported to have been cast online, according to data collected in the EAC’s Election Administration and Voting Survey. The actual number is likely much higher.
· The federal agencies supporting states in improving their election security have not issued any warnings regarding the online return of voted ballots.
· Ballots returned online can be undetectably changed by a variety of cyberattacks, including via malware on a user’s computer and server penetration attacks. The latter has been demonstrated live and in a “test” election.
· Internet voting expands the opportunity for an attacker to engage in damaging disruption and denial-of-service attacks, aimed at disabling the system, prohibiting voters from casting ballots, and undermining voter trust in the election.
· Receiving ballots as attachments can also expose a state or county election system to systemic election system attacks. Sophisticated attackers can spoof a legitimate voter’s emails and use fake ballots to deliver malware that can be used to gain entry into county or state election infrastructure.
· New technologies, including blockchain, fail to resolve the insoluble security issues inherent in online voting. These issues include server penetration attacks, client-device malware, denial-of-service attacks and disruption attacks.
Conclusion:
"Until there is a major technological breakthrough in or fundamental change to the nature of the internet, the best method for securing elections is a tried-and-true one: mailed paper ballots. Paper ballots are not tamper-proof, but they are not vulnerable to the same wholesale fraud or manipulation associated with internet voting. Tampering with mailed paper ballots is a one-at-a-time attack. Infecting voters’ computers with malware or infecting the computers in the elections office that handle and count ballots are both effective methods for large-scale corruption."
Though the severe vulnerabilities that exist with online voting have been well documented for years, by federal agencies and private-sector organizations alike, only two U.S. states have taken action on this issue: Washington and Alaska. Other countries (notably France) have astutely outlawed any sort of internet-based voting systems altogether in order to protect the integrity of their elections.
Why is the U.S. behind the ball on this?
https://www-hsdl-org.ezproxy.umgc.edu/c/abstract/?docid=845700