– Internet Voting: Risks and Why It’s Unsuitable for Public Elections

Signed by a group of 21 computer scientists expert in election security

Executive summary

Scientists ⁤have understood⁤ for‌ many⁤ years that internet ⁢voting is insecure and that there is no ‌known or foreseeable ​technology that can make it secure. Still, vendors ‌of internet voting keep claiming that, somehow, ⁣their‍ new system ‍is different, or the insecurity doesn’t matter. Bradley ‍Tusk and his Mobile Voting Foundation keep touting internet voting to journalists and‌ election administrators; this whole effort is misleading⁢ and hazardous.

Part I. All internet voting systems are insecure. The ⁣insecurity is worse ⁣than a well-run ⁤conventional paper ballot system, ⁤because a⁢ very small number of‍ people may have the power to ⁢change any ​(or all) votes that go ⁤through the system, without detection. This insecurity has been⁤ known⁤ for years; every internet voting system yet proposed suffers ⁣from it, for basic reasons that cannot be ⁤fixed with existing technology.

Part⁢ II. Internet voting⁣ systems known as “End-to-End Verifiable Internet Voting” are also insecure, in their own special ‌ways.

Part III. Recently,Tusk announced an E2E-VIV​ system ‌called “VoteSecure.”  It suffers ⁣from all the same insecurities.  Even its⁣ developers admit that in their advancement documents.  Furthermore, VoteSecure isn’t a complete, usable product, it’s just a ⁤”cryptographic ​core” that someone might someday incorporate⁣ into a usable product.

Conclusion. Recent announcements by Bradley Tusks’s ‌Mobile Voting Foundation ‍suggest that the ⁣development⁢ of VoteSecure somehow makes‍ internet voting safe‍ and appropriate ‍for use in ‌public elections.  This is untrue​ and dangerous.  All deployed Internet voting systems‌ are unsafe, VoteSecure is unsafe and isn’t even a deployed voting  system, and⁣ there​ is no known (or⁣ foreseeable) ‍technology that can make Internet voting safe.

Part I.  All internet voting systems are ⁤insecure

Internet voting systems (including vote-by-smartphone) have three⁤ very serious weaknesses:

1. malware on the voter’s‌ phone⁣ (or computer) can transmit different votes than the voter selected and reviewed. Voters use a variety of devices (Android, iPhone, Windows, Mac) which are⁤ constantly being attacked by malware.
2. Malware (or insiders) at the server can change⁣ votes. internet servers are ⁤constantly being ⁤hacked from all over the world,frequently enough with serious⁢ results.
3. Malware at the ⁤county election office can change votes (in those systems ⁣where the internet ‌ballots ‌are printed in the county office for scanning). County election computers are not more secure than other government or commercial servers,which are regularly hacked with disastrous results.

Although conventional ballots (marked​ on paper with a pen) ⁤are not perfectly‌ secure​ either, the⁢ problem with internet ballots is the ability ​for⁣ a ‍single attacker (from anywhere ‌in the​ world) to alter a very large number of ballots ‍with​ a single scaled-up attack.  That’s much ⁣harder to do with hand-marked paper ballots; occasionally people⁤ try⁤ large-scale absentee ballot fraud, typically resulting in their​ being caught, prosecuted, and convicted.

Part II.  E2E-VIV internet voting systems⁢ are also insecure

Years⁢ ago, the concept‍ of “End-to-End Verifiable Internet Voting” (E2E-VIV) was proposed, which was supposed to remedy‌ some of‌ these weaknesses by allowing ⁤voters to check ⁤that their vote was recorded and counted