[Reproduced from Dave Farber's IP distribution,
Date: Tue, 12 Dec 2000 20:36:19 -0500.]
A recurring mantra heard from some entities involved in the development
promotion of Internet-based voting systems is that they have conducted
"public tests" and thus their systems are secure. If hackers don't break
into such systems, the tests are declared a success.
This is of course illogical on its face, because it seems unlikely that
people (both U.S. and internationally based) with an interest in subverting
the U.S. election process would care to tip their hands by participating in
what are essentially publicity stunts. These might attract your average
12-year old hacker, but not the pros who wait for production systems for
their carefully mounted attacks.
In fact, using such "tests" as any sort of validation technique runs
contrary to long-established computer and engineering verification
practices, and makes a mockery of the rigorous design and testing that is
required of systems that are to be deemed secure through extensive and
methodical processes (e.g., to gain certification under the ISO Common
Criteria or its predecessors TCSEC/ITSEC). "I left my Porsche out in the
parking lot with the doors unlocked and the key in the ignition and since it
doesn't appear to have been stolen this must be a safe neighborhood," would
be an equally nonsensical statement of supposed validation. All proposed
voting systems should be subjected to rigorous evaluation, public inspection,
and *open-source code* license agreements. Some applicable methodologies
do exist, but have not been required. For example, Level 4 Common Criteria
should be a *minimum* standard, although even that is not enough.
Security is only as strong as its weakest links. Internet voting
will *always* be limited in its integrity by factors beyond the I-voting
algorithms. For example, encryption can be an important part of an overall
election system. However, although we have strong cryptographic algorithms,
we do not have systems with adequate security into which the cryptography
can be embedded. Furthermore, voter authentication, vote integrity, voter
anonymity, auditability, accountability, recountability, and so on, are all
involved, and many of these requirements operate at cross-purposes with
one another. The massive vulnerabilities of standard personal-computer
operating systems represent very serious concerns, in terms of hidden
viruses, worms, Trojan horses, and further surprises unknowingly downloaded
by the user with other packages, and waiting to pounce on election day. One
proposed solution would be to boot a fresh system from external media in
order to vote, but even such an approach does not adequately address these
Deficient network protocols and the opportunities for insider fraud
accidental misuse abound. In addition to the issues noted above are
the weaknesses that result from inadequate operational environments.
Neither the client nor the server systems will be adequately secure under
foreseeable technology -- including Internet Service Providers and Web
servers. For example, proposals such as the use of rotating IP numbers and
multiple systems to try to defend against denial of service attacks can be
rendered impotent by similar attacks on network concentration points.
As always in any election environment, there are many opportunities
fraud, mischief, and manipulation -- despite ostensible checks and balances.
These problems are exacerbated with electronic and Internet voting, where
the lack of any physical ballots makes such manipulations impossible to
detect and correct -- because there is no meaningful recount capability.
Extraordinary vigilance is necessary, but never sufficient.
In the wake of the recent Presidential election problems, the knee-jerk
reaction of "gee, can't we modernize and solve all this with electronic and/or
Internet voting?" is predictable, but still wrongheaded. The shining lure
of these "hype-tech" voting schemes is only a technological fool's gold that
will create new problems far more intractable than those they claim to solve.
Peter Neumann, Rebecca Mercuri, and Lauren Weinstein
Peter Neumann moderates the ACM Risks Forum, Chairs the ACM Committee
on Computers and Public Policy, and is a cofounder of PFIR --
People For Internet Responsibility <http://www.pfir.org>.
Rebecca Mercuri is a Professor of Computer Science at Bryn Mawr College.
She has provided expert testimony on voting systems throughout the past
decade. For information on her Penn doctoral thesis and other writings
on this subject, see <http://www.notablesoftware.com>.
Lauren Weinstein <email@example.com> and <firstname.lastname@example.org> moderates
Privacy Forum <http://www.vortex.com> and is a cofounder of PFIR -- People
For Internet Responsibility <http://www.pfir.org>, and Member of the ACM
Committee on Computers and Public Policy.
Information on the Common Criteria is at:
An earlier statement on I-voting is at: