As governments struggle to adapt to the election challenges surrounding COVID-19, a number of states have launched Internet voting pilots. But many experts argue that these programs could easily be co-opted by malicious actors.
Government officials have expressed mounting concerns about how the COVID-19 virus could diminish voter turnout during the 2020 presidential election.
As a partial solution, a handful of states have turned to Internet voting pilot programs: New Jersey, Delaware and West Virginia have all recently launched pilots, most of which are limited in scope and focus mainly on alleviating barriers for disabled and overseas voters.
However, the computer science community — long critical of internet voting — sees the programs as a slippery slope towards a looming security risk.
David Dill, a computer science professor at Stanford University, is one of the prolific naysayers. Having spent much of his career researching holes in software code, Dill said that there is simply no way to ensure that devices and apps are free of malware that might manipulate a voter's choices. Similarly, a hacker from an adversarial foreign government could always theoretically hack their way into these systems and change or manipulate votes.
"Between your keyboard and your vote going into an electronic ballot box on the other end of the Internet, there are a lot of bad things that could happen," he said. "This problem is not fixable, at least not in practical terms."
Cybersecurity and national security organizations tend to agree with that assessment. A joint statement provided to Government Technology by the FBI, EAC, NIST and the Department of Homeland Security's CISA warns against the wholesale embrace of such technologies.
"While there are effective risk management controls to enable electronic ballot delivery and marking, we recommend paper ballot returns as electronic ballot return technologies are high-risk even with controls in place," the statement reads.
Many Internet voting pilots use vendor products that company representatives say have been aptly tested, but being certain of such security can be difficult, experts warn.
The Delaware program uses Democracy Live, a Seattle-based vendor that allows voters to mark and submit their vote from their own devices, including phones and laptops. Democracy Live could not be reached for comment at the writing of this article, but has argued in other media appearances that its cloud-based product had been through a rigorous process of security testing.
Dill is less than impressed with claims like this.
"Doing a security evaluation is a hard process, and responsible companies don't make guarantees," he said. "They don't say, 'This is guaranteed to be secure software.' They will say, 'We did the following things, and we didn't find any problems in the software.' Or, more frequently, 'We found these problems with the software and you can mitigate them in the following ways.'"
"But I know without the security evaluation that it's not possible to make this stuff secure," he concluded.
Marian Schneider, president of Verified Voting, agrees that such voting practices are simply not a risk worth taking because, "in general, the Internet is not a secure place," she said.
"There are threats to online transactions every day. Commercial retailers, online banking, all of those organizations that offer their services spend hundreds of millions of dollars protecting their networks and yet still have losses," she said. "Additionally, we are coming off the 2016 election in which the consensus of the security community is that a nation-state attacked us and attempted to interfere in our election."
As a result, use of this technology could have serious implications for the democratic process and national security, she said.
"Any wholesale adoption of Internet voting is just an invitation to bad actors to attack our elections again," Schneider went on. "There would be two results of that: No. 1 is that they could potentially change the outcome of the election, but the second impact of that is that it would create serious doubt about the election results. And we don't need that right now."
A little like a vampire, this idea has been around for a long time and refuses to die, said Barbara Simons, former president of the Association for Computing Machinery, who has been a longtime critic of Internet voting, as well as overly mechanized voting systems, generally.
"This [Internet voting] idea has been around for a very long time," Simons said, explaining that she was originally asked to sit on a study group on Internet voting way back in the 1990s, at which point she deduced that it was a "terrible idea."
There are numerous secure alternatives to this idea, she added. The most straightforward alternative, even for the disabled community, is vote-by-mail, she said.
"Given the threat of the virus, vote-by-mail seems like the safest way for voters to cast their ballots in November," Simons said, while noting that not all states are going to be able to move to vote-by-mail due to the expense and preparation necessary.
"It's a major undertaking if it has not already been set up. So there also has to be a focus on making the polling places secure," she said. "That's going to require a lot of planning — we need to have large spaces, masks and gloves for poll workers and voters as well — and preparations so that people can go to the polls without fear of being sick."
"I believe it's doable, but it's going to require a lot of planning and money, and I'm not hearing a lot about that right now," she said.