1540-7993/13/$31.00 © 2013 IEEE
Published by the IEEE Computer Society
Are All Types of Internet Voting Unsafe?
IEEE, like many other professional organizations, uses a third-party vendor to conduct elections over the Internet to elect its leaders. This initially gave me pause. After all, as scientists and technologists, we know the risks of online voting better than most. But then I remembered the key differences between public elections (those run by governments to elect leaders, decide on referenda, and perform similar actions) and private elections (those run by private organizations to elect their leaders and perform other activities):
• Compared to private elections, public elections are high stakes—the traditional values of being elected (power, money) are much lower in private elections, such as for IEEE, than in even a relatively minor public election. Hence, the motives to cheat are low. Likewise, the budgets are much smaller.
• Public elections have a long history of manipulation in nearly all countries. While there's no doubt that manipulation happens in private elections (for example, the 2013 US Rowing election), the history is not nearly so rich, largely as a result of the low stakes and lower budgets.
• The need for ballot secrecy is not nearly as strong in private elections. While it would be unusual for a professional organization to examine ballots, there's no promise that they'll be secret. If tampering were suspected, the organization could more easily verify it from voter sampling.
• Public elections often have a legal requirement for when the election must be held and the results finalized. In contrast, an association can simply delay replacement of officers—any legal issues requiring timely elections are fairly minor.
• Associations typically have a reasonably strong tie to their members. Unlike public elections in which a voter might participate infrequently (such as every four years for many US voters), association members have more of an incentive to stay in touch because they pay for membership. The result is that associations will have more accurate rosters of their members, including email addresses, than will election offices.
Corporate elections differ slightly. Most (if not all) publicly traded corporations hold their board of directors' elections online, although in many cases, shareholders have the option of sending in a paper ballot. With rare exceptions, corporate election results favor management recommendations, so any election that doesn't favor management by a wide margin is immediately suspect. In contrast, public and association election results are much less predictable.
Moreover, the voters who really matter—the institutional shareholders who typically hold a large majority of shares and therefore votes—frequently make their votes public if they're voting against management recommendations. With the one person/one vote rule in both public and association elections, this model of a relatively small number of voters who advertise their selections and control the election doesn't exist.
Finally, although corporate elections are run by third-party companies that specialize in such activities, voter selections aren't private. The corporation is allowed to know who has voted and how, so if an election's results differ from those expected, it can look at the results and determine if something unusual happened. If an institutional shareholder voted against management, it's quite easy to verify if that was indeed the desired vote. Hence, anyone manipulating an election is quite likely to be caught—and the results can be "corrected" by consulting with the voters.
Let's look at how the differences between public and private elections translate into differing risks when moving public, private, and corporate elections online. There are enough variations and unusual cases to make it much tougher to come up with a single solution.
Avoiding Internet Voting Fraud
Other considerations could play into the decision of whether to use Internet voting—for example, there's some indication that it causes modest increases in private election voting, but in public elections, it seems to simply shift the voting method to younger voters who are more familiar with technology. Internet voting might have the advantage of providing a level of confidence in election outcomes in communities in which the populace doesn't trust the authorities running elections, but the converse can also be the case. Internet voting could also centralize election control, but that could translate into attacks that were infeasible on multiple polling places becoming feasible due to centralization.
Private elections present additional problems because they aren't always the same. Voting for the Academy Awards is a private election, but results aren't clearly predictable; there are no large block voters, voter selections are private, and the financial stakes are large in the form of increased box office revenue for award winners (and the amount of money spent on campaigns). The Academy has no obligation to conduct its elections in any particular fashion, but the very factors that make the risks relatively low for corporate and professional elections don't appear to apply in their case.
Union elections are also unusual. Although the financial stakes in individual (union local) elections are relatively small, they have a history of being manipulated in the US, or at least of such manipulation being caught and prosecuted. Consequently, legal protections for union elections are in many cases stronger than for public elections, with the US Department of Labor enforcing standards for how they're held. In particular, union elections have very strong guarantees of ballot secrecy, lest there be undue coercion of union members, as well as strong requirements that only authorized voters can cast ballots. The result is that union elections generally aren't allowed to be performed over the Internet.
So given that there's a fuzzy line between what appears to be reasonably safe online voting environments (association elections, corporate elections) and unsafe ones (union elections, public elections), with things like the Academy Awards in between, how and what should we communicate to the public? I'm surprised that Internet voting vendors haven't turned to technical experts who oppose Internet voting and asked, "If Internet voting is good enough for IEEE, why isn't it good enough for the mayor?"
Some have suggested that the boundary between safe and unsafe use of Internet elections is public versus private elections (with union elections defined as public), but that doesn't satisfy me. As the Academy Awards case demonstrates, private elections can be high value enough to be worth manipulating. And conversely, perhaps some public elections are low value enough that the risk is acceptable. If we assume that the cost of tampering with an Internet election is $ X, and we ignore the legal implications of tampering, perhaps any election where the candidates spend less than N$ X is low risk, because candidates would be unlikely to spend 1/ N percent of their budget on tampering. Would a candidate spend 10 percent of his or her budget on fixing the election? The cost of tampering with an election can be debated (in particular, depending on whether the goal is to tamper without being caught!), but this type of model might be useful for developing an understanding about which types of Internet elections can be used safely and when they should be avoided.
Not surprisingly, as more elections move online, the risk increases. Assuming that jurisdictions use common platforms to reduce their development costs, attackers will amortize their election-fixing software over more elections, hence reducing $ X, requiring an offsetting increase in N to keep the overall risk (relatively) constant.
The question remains how to educate the public to understand the difference. Suppose we explain that a magic key to reliably change election results on the Internet costs $100,000 or $1 million—it will then become clear that neighborhood and other local elections don't make sense for anyone to manipulate, but that large-scale elections are obviously at risk. Although this is a tremendous simplification, it could help the average person understand the level of risk involved and that the cost is relatively fixed regardless of the importance of the election.
Like nearly all scientists who have looked at the issue of Internet voting, I'm strongly opposed to its use for national-scale elections. But if we can figure out a way to prevent the slide from local low-risk elections and association elections to national-scale elections, then perhaps Internet voting for those lower-risk elections is workable.
My thoughts in this column have been shaped in conversations with colleagues including Barbara Simons, Simson Garfinkel, David Jefferson, Dan Wallach, Alex Halderman, Vanessa Teague, and Joseph Lorenzo Hall. The conclusions here are mine, and don't necessarily reflect their opinions.