Letter to Governors and Secretaries of State on the insecurity of online voting
We are writing to share information on the scientific evidence regarding the security of internet voting. Based on scientific evidence, we have serious concerns about the security of voting via the internet or mobile apps.
The COVID-19 pandemic presents an unprecedented challenge to American elections. At this time, internet voting is not a secure solution for voting in the United States, nor will it be in the foreseeable future. Vote manipulation that could be undetected and numerous security vulnerabilities including potential denial of service attacks, malware intrusions, and mass privacy violations, remain possible in internet voting.
We urge you to refrain from allowing the use of any internet voting system and consider expanding access to voting by mail and early voting to better maintain the security, accuracy, and voter protections essential for American elections in the face of an unprecedented public health crisis.
Internet voting is insecure.
Internet voting, which includes email, fax, and web-based voting as well as voting via mobile apps such as Voatz, remains fundamentally insecure. 1, 2, 3, 4, 5, 6, 7, 8, 9, 10 Scientists and security experts express concern regarding a number of potential vulnerabilities facing any internet voting platform, including malware and denial of service attacks; voter authentication; ballot protection and anonymization; and how disputed ballots are handled. Importantly, there is no way to conduct a valid audit of the results due to the lack of a meaningful voter-verified paper record. If a blockchain architecture is used, serious questions arise regarding what content is stored in it, how the blockchain is decrypted for public access, and how votes are ultimately transferred to some type of durable paper record.11 No scientific or technical evidence suggests that any internet voting system could or does address these concerns.
A 2018 consensus study report on election security by the National Academies of Science, Engineering, and Medicine (NASEM), the most definitive and comprehensive report on the scientific evidence behind voting security in the U.S., stated:
“At the present time, the Internet (or any network connected to the Internet) should not be used for the return of marked ballots. Further, Internet voting should not be used in the future until and unless very robust guarantees of security and verifiability are developed and in place, as no known technology guarantees the secrecy, security, and verifiability of a marked ballot transmitted over the Internet.” 5
Federal researchers have also agreed that secure internet voting is not yet feasible.12 The Department of Defense suspended an Internet voting trial after concluding it could not ensure the legitimacy of votes cast over the Internet 13 and the Pentagon has stated it does not endorse the electronic return of voted ballots.14 Although the Department of Homeland Security has not published formal guidance on Internet voting, the Homeland Security cyber-division does not recommend the adoption of online voting for any level of government 14, 15 Unlike most voting systems currently used in the United States, there are no standards for internet voting and no internet voting systems have been certified by the U.S. Election Assistance Commission.
Blockchain systems do not address the fundamental issues with internet voting.
Blockchain-based voting systems introduce additional security vulnerabilities and do not address the fundamental security concerns scientists, election security experts, and government officials have expressed since the advent of internet voting.16 Rather than enhancing security, the 2018 NASEM report described the addition of blockchains to voting systems as “added points of attack for malicious actors.” 5 Experts and researchers have expressed significant concern over the perceived security of blockchain technology,17 more generally, but particularly regarding voting security.18, 19
MIT researchers reported a variety of potential vulnerabilities after examining a portion of Voatz code.20 Researchers easily circumvented Voatz’s malware detection software, demonstrating a potential avenue to exposing the voter’s private information or manipulating their ballot. Voatz’s servers are vulnerable to manipulation “surreptitiously violating user privacy, altering the user’s vote, and controlling the outcome of the election.” Additionally, attackers could intercept a voter’s transmitted ballot prior to receipt by Voatz’s servers and determine how the voter voted because the information transmitted “clearly leaks which candidate was selected.”
Beyond potential ballot manipulation, Voatz potentially exposes a voter’s email, physical address, exact birth date, IP address, driver’s license or passport number, mobile phone number, a current photo of themselves, a short video of themselves, a copy of their written signature, their device’s model and OS version, and preferred language to third parties. As a result, information captured from voters exposes them to serious risk of identity theft, and information from overseas military voters risks potentially providing adversaries with intelligence regarding military deployments, endangering the lives of service members and national security.
An in-depth technical study from a private security group contracted by Voatz confirmed vulnerabilities previously reported by MIT researchers, despite the app developer arguing these vulnerabilities did not exist following the MIT report. 21 In total, the security group’s review highlighted seventy-nine findings with a third of the findings labeled as “high severity.” 22 Importantly, the review “did not even constitute the entire Voatz system, as the code for certain components such as the audit portal were never furnished,” indicating still undiscovered vulnerabilities and a lack of transparency essential for faith in the electoral system. 23
Access to the ballot for all is an essential tenet of American democracy.
At this difficult time, election officials seek to protect citizens’ health and access to the ballot. COVID-19 presents significant barriers to voting. However, internet voting is not a viable solution given the longstanding and critical security issues it presents. Thoughtful implementation of alternative voting methods such as voting by mail and early voting can help support the diverse needs of the electorate, addressing both new concerns relating to COVID-19 and existing disparities in ballot access. 24, 25, 26, 27, 28 Incoming federal funding should help election officials implement alternative systems and offer increased flexibility to confront our ongoing challenges. 29
Two decades of scientific and technical analysis demonstrate that secure internet voting systems are not possible now or in the immediate future. In response to this evidence, we respectfully request that in your roles leading election security in your state, you refrain from allowing the use of any internet or voting app system.
If we can provide additional scientific evidence regarding internet voting or do anything else to be a resource, please let us know. Our organizations and the scientists, engineers, and statisticians we represent stand ready to assist you.
Signed,
Michael D. Fernandez, Director, Center for Scientific Evidence in Public Issues, AAAS
Deborah Frincke, Fellow, Association for Computing Machinery
Vinton Cerf, Internet Pioneer
Barbara B. Simons, Board of Advisors, U.S. Election Assistance Commission
Bruce W. McConnell, Executive Vice President, EastWest Institute, Former Deputy Under Secretary for Cybersecurity, U.S. Department of Homeland Security
Andrew W. Appel, Professor of Computer Science, Princeton University
J. Alex Halderman, Director, Center for Computer Security and Society, University of Michigan
James Koppel, Ph.D. Candidate in Programming Languages, Massachusetts Institute of Technology
Bruce Schneier, Lecturer and Fellow, Harvard Kennedy School
Kevin Skoglund, President and Chief Technologist, Citizens for Better Elections*
William Ramirez, Executive Director, ACLU PR/ACLU of Puerto Rico National Chapter*
Michael A. Specter, Ph.D. Candidate in Electrical Engineering and Computer Science, Massachusetts Institute of Technology
Dan S. Wallach, Professor of Computer Science, Rice University
Ellen Zegura, Chair, Computing Research Association*
John C. Bonifaz, President, Free Speech For People*
Edward W. Felten, Director, Center for Information Technology Policy, Princeton University
Mark Ritchie, Former Minnesota Secretary of State
Candice Hoke, Founding Co-Director, Center for Cybersecurity & Privacy Protection, Cleveland State University
John E. Savage, An Wang Professor Emeritus of Computer Science, Brown University
Eugene H. Spafford, Professor and Executive Director, Center for Education and Research in Information Assurance and Security, Purdue University
Douglas W. Jones, Associate Professor of Computer Science, University of Iowa
David L. Dill, Donald E. Knuth Professor Emeritus, School of Engineering, Stanford University
John L. McCarthy, Lawrence Berkeley National Laboratory (retired); Board of Advisors, Verified Voting
David Jefferson, Lawrence Livermore National Laboratory (retired); Board of Directors, Verified, Voting
Larry Diamond, Senior Fellow, Hoover Institution and Freeman Spogli Institute, Stanford University
Daniel J. Weitzner, Founding Director, Internet Policy Research Initiative, Massachusetts Institute of Technology
Ronald L. Rivest, Institute Professor, Massachusetts Institute of Technology
James Hendler, Director of the Institute for Data Exploration and Applications, Rensselaer Polytechnic Institute
Harry Hochheiser, Associate Professor, Department of Biomedical Informatics, University of Pittsburgh
Jeanna Neefe Matthews, Associate Professor, Department of Computer Science, Clarkson University
Matthew Blaze, McDevitt Chair of Computer Science and Law, Georgetown University
Steven M. Bellovin, Percy K. and Vida L. W. Hudson Professor of Computer Science, Columbia University
Brian Dean, Privacy Subcommittee Chair, Association for Computing Machinery, U.S. Technology Policy Committee
Andrew Grosso, J.D., M.S. Comp. Sci., M.S. Physics, Andrew Grosso Associates
Steve M. Newell, Policy Director, Center for Scientific Evidence in Public Issues, AAAS
Marian K. Schneider, President, Verified Voting
Ben Ptashnik, President, National Election Defense Coalition*
Karen Hobert Flynn, President, Common Cause*
Duncan Buell, NCR Professor of Computer Science and Engineering, University of South Carolina
David Mussington, Professor of the Practice and Director, Center for Public Policy and Private Enterprise, School of Public Policy, University of Maryland
Daniel M. Zimmerman, Principal Researcher, Galois
Paul Rosenzweig, Senior Fellow, R St. Institute
Richard Forno, Senior Lecturer and Director, UMBC Graduate Cybersecurity Program, UMBC
Kelley Misata, CEO and Founder, Sightline Security
O. Sami Saydjari, CEO, Cyber Defense Agency, Inc.
Matt Bishop, Professor of Computer Science, University of California at Davis
Patricia Youngblood Reyhan, Distinguished Professor of Law, Albany Law School
*Signing on behalf of org