How the Internet might alter U.S. democratic institutions, including how Americans get information about and even vote for their public officials in general elections, has been the subject of much debate in recent months. Online voting is one of the more controversial aspects of this debate—a subject that began to claim international attention in March 2000 when the Arizona Democratic Party allowed for the first time remote Internet voting in its presidential preference primary.
The prospect of being able to vote “in your pajamas,” as it’s been described, captured the imagination of political leaders, technology innovators, and voters around the world. Proponents heralded Internet-based elections as a way to boost voter participation by updating aging voting techniques and accommodating the changing needs of the citizenry. Opponents questioned the assumption that online elections would increase turnout, as well as the dependability of the related security, privacy, and equality of access.
Here, we explore the Arizona presidential preference primary as a case study, addressing the main public concerns about online voting, sharing the lessons we learned from our experience, and suggesting improvements for future online elections.
First Legally Binding Political Election
The primary last March 7–11 was the first time voters anywhere in the world were able to cast their ballots from the location of their choice, whether home, work, a public library, or a traditional polling place. Although this first legally binding political election using remote Internet voting took place in the U.S., it clearly promised global effects. Political leaders and policymakers worldwide have since been investigating the viability of using the Internet for public elections in their own countries, looking to Arizona for insight into managing the process.
As the company selected by the Arizona Democratic Party to actually conduct its primary, election.com, Inc., experienced firsthand the pros and cons of Internet voting. As a result, we now feel that Internet voting—implemented responsibly and judiciously—can dramatically increase voter access and reinvigorate voter participation in the political process around the world. We also recognize that the prospect of widespread Internet voting raises serious questions among election officials and voting-rights advocates alike.
As opponents of Internet voting point out, state and federal laws governing elections today are not geared toward overseeing Internet voting and the vendors that run them per se. Lacking clear and explicit guidelines, we therefore went to great lengths in Arizona to implement rigorous procedures and protocols to ensure ballot sanctity and universal accessibility. However, the Arizona primary did not obviate the need for universal guidelines governing best political election practices, third-party risk analysis, intrusion-detection software standards, code migration, or other critical factors.
Increasing Access and Participation
Our first challenge was ensuring that Internet voting would ameliorate, rather than aggravate, disparities in access to power and government participation. Of particular concern in the Arizona context was ballot accessibility for people of color, whose rights to equal inclusion in the democratic process are protected not only by the broad tenets of democracy itself but by the Voting Rights Act of 1965 as well.
The Internet has the potential to increase voter participation and access for all communities. Nevertheless, opponents of online voting rightly point out the Internet is not in and of itself a panacea for the root causes of political cynicism and voter apathy.1 Disparate access to the Internet itself raises serious and legitimate concerns about the fairness of using the technology for voting. For this reason, we worked closely with the Arizona Democratic Party to implement an aggressive outreach program to educate voters across the state about the technology and ensure they would have equal access to the ballot.
In January 2000, the Arizona Democratic Party sent (via sealed first-class mail) notice of its upcoming presidential preference primary election to the state’s 849,000 registered Democrats. The text was in Spanish and English and included an Official Voting Certificate with unique credentials for each voter’s authentication and a detachable “vote-by-mail” application, so non-Internet users could enjoy the same convenience as their Internet-connected counterparts. The Party also outlined a range of voting options for the voters, including returning the “vote-by-mail” request; voting remotely via the Internet March 7–10; and casting a ballot at a physical polling place via Internet or paper on Election Day, March 11.
Unregistered voters were allowed to register at the polls and, for the first time in Arizona, Democrats were able to vote at any location throughout the state. During the election period, paper ballots and the voter interface on both the Democratic Party’s voting Web site and the election.com Web site were in Spanish and English as were the instructional posters at every polling station where administrative personnel were available to guide and assist voters.
In addition to increasing the number of voting options available to the state’s Democrats, the Party also increased the number of physical polling places from 92 in the 1996 election to 124 in 2000, seeking especially to increase the numbers in predominantly African-American, Hispanic, and Native-American communities. In communities with only limited Internet access, 30 early voting sites were identified and made available to provide voters the opportunity to vote via the Internet March 7–10. Moreover, to ensure full participation by the state’s Native Americans, the Party worked with the Arizona Intertribal Council to establish special additional voting sites on reservations and in communities with large off-reservation Native-American populations.
The Party also sought to ensure the state’s Democrats were aware of the election itself through awareness and tutorial advertising in 20 target publications, extensive media outreach to more than 170 Arizona print, broadcast, and radio outlets, postings on African-American, Hispanic, and Native-American Web sites, and information on how to cast a vote in English and in Spanish on both its own and on the election.com Web sites. The Party also sponsored traditional and innovative grassroots organizing, training, and educational activities to ensure inclusiveness and inspire voter turnout in all the various communities.
Oversight and Security
Before detailing the security measures we ultimately designed and implemented in Arizona, it is important to note that the Arizona Democratic Party had total access to the election process and was welcomed by election.com to invite citizen observers to monitor the integrity of the election. In the interests of understanding the implications of Internet voting, election.com invited several third-party groups to attend and observe the election, including the Benton Foundation, which focuses on communications policy in Washington, DC; Gartner Group, an information technology consulting firm in Stamford, CT; the NAACP, a civil rights organization in Baltimore; and the National Coalition on Black Voter Participation in Washington, DC.
Voter authentication. To ensure the security of each vote and the privacy of each voter, we implemented several measures to ensure that voters really were who they said they were and that each vote would be as private and secure as possible. Specific controls often exceeded their counterparts in traditional polling places and absentee-ballot voting, including:
Personal identification numbers. Every registered Democrat in the state received a unique and randomly generated, seven-digit alphanumeric personal identification number (PIN) generated and sent by the Party working with election.com. Because there are approximately two billion permutations on such a seven-digit number, it is practically impossible to single out the actual numbers used in the election and associate them with individual voters. These “nonforwardable” PINs were mailed by the Party and election.com to voters’ addresses of record, a method similar to the way ballot materials and absentee ballots are sent out. Randomization assured the numbers were not sequential, making it impossible to assume the next logical PIN, a measure especially important when more than one voter shared a physical street address. The voters were given two challenge questions—possibly date of birth or last four digits of a social security number—randomly selected from a strictly confidential field of five.
Ballot consumption. To prevent over-voting or ballot stuffing, the system voided ballots from reuse once they were cast. In addition, the electronic ballots were also “consumed,” or voided, when a voter performed either of the following two actions:
- Requested a mail-in ballot;
- Disclosed that his/her name or address was incorrect; in this case, the voter would then be directed to vote in-person at the polls.
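As an added illustration, not code from the article or from election.com, the following Go program models the credential scheme just described: a seven-character PIN drawn from a cryptographic random source so that PINs are neither guessable nor sequential, two challenge questions chosen from a confidential pool of five, constant-time checking of the PIN and answers, and a one-way “consumed” state that is entered by casting a ballot, by requesting a mail-in ballot, or by reporting an incorrect name or address. The PIN alphabet, the record layout and all function names are assumptions made for the example; the article states none of them.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"math/big"
)

// Constructed alphabet for the seven-character PIN (the article does not state
// the real symbol set); 0/O and 1/I are left out to avoid transcription errors.
const pinAlphabet = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
const pinLength = 7

// BallotState records whether a credential can still be used: it is consumed by
// casting, by requesting a mail-in ballot, or by reporting a wrong name/address.
type BallotState int

const (
	Unused BallotState = iota
	Cast
	MailInRequested
	ReferredToPolls
)

// VoterRecord is one row of the hypothetical credential table.
type VoterRecord struct {
	PIN     string
	Answers [5]string // confidential pool of five challenge answers
	State   BallotState
}

// newPIN draws every character from crypto/rand, so PINs are unpredictable and
// non-sequential: knowing one PIN reveals nothing about a neighbour's.
func newPIN() (string, error) {
	buf := make([]byte, pinLength)
	n := big.NewInt(int64(len(pinAlphabet)))
	for i := range buf {
		idx, err := rand.Int(rand.Reader, n)
		if err != nil {
			return "", err
		}
		buf[i] = pinAlphabet[idx.Int64()]
	}
	return string(buf), nil
}

// IssuePINs assigns a distinct PIN to every voter, redrawing on a collision.
func IssuePINs(voters []*VoterRecord) error {
	seen := make(map[string]bool, len(voters))
	for _, v := range voters {
		for {
			pin, err := newPIN()
			if err != nil {
				return err
			}
			if !seen[pin] {
				seen[pin] = true
				v.PIN = pin
				break
			}
		}
	}
	return nil
}

// PickChallenges chooses two distinct questions out of the pool of five.
func PickChallenges() ([2]int, error) {
	a, err1 := rand.Int(rand.Reader, big.NewInt(5))
	b, err2 := rand.Int(rand.Reader, big.NewInt(4))
	if err1 != nil || err2 != nil {
		return [2]int{}, errors.New("random source failed")
	}
	q := [2]int{int(a.Int64()), int(b.Int64())}
	if q[1] >= q[0] { // step over the index already taken
		q[1]++
	}
	return q, nil
}

// Authenticate checks the PIN and both challenge answers in constant time.
func Authenticate(v *VoterRecord, pin string, q [2]int, answers [2]string) bool {
	ok := subtle.ConstantTimeCompare([]byte(v.PIN), []byte(pin))
	ok &= subtle.ConstantTimeCompare([]byte(v.Answers[q[0]]), []byte(answers[0]))
	ok &= subtle.ConstantTimeCompare([]byte(v.Answers[q[1]]), []byte(answers[1]))
	return ok == 1
}

// Consume leaves Unused exactly once; any later attempt, whatever the reason, is refused.
func Consume(v *VoterRecord, to BallotState) error {
	if to == Unused {
		return errors.New("invalid transition")
	}
	if v.State != Unused {
		return errors.New("credential already consumed")
	}
	v.State = to
	return nil
}
```

The single `Consume` transition is what makes the three consumption paths in the text equivalent from the system's point of view: whichever one a voter takes first, the credential cannot be used again, so neither the mailed ballot nor the Internet ballot can be cast twice.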
Disclosure of penalties for misuse. A clear statement appeared on the logon page of the Party’s and election.com’s Internet voting Web sites to confirm voter eligibility and highlight the penalty for falsifying information. It asked voters to positively confirm their voting eligibility, providing a clear warning that falsifying this information is a Class 6 felony, worthy of jail time. This procedure was more proactive and explicit than those frequently used in traditional polling-place elections.
Digital signatures. Digital signatures helped identify the specific voting servers to which the Java-based voting application and remote facilities were connected. The server certificates were used to establish a secure-socket-layer connection as well. While digital certificates may help identify voters in the future, the process of securely and efficiently distributing the hundreds of thousands of digital certificates to registered voters is still not perfected.
Ballot protection and privacy. With the Party’s approval, we selected KPMG, one of the Big Five accounting firms, as the independent third party for monitoring the system’s security throughout the primary and maintaining control over the remote Internet ballot process (see www.kpmg.com for KPMG’s Risk Management practice). As part of its duties, KPMG generated a pair of encryption keys—a public key for encrypting the vote and a private key for decrypting the vote. The private key was available only to the third party (in this case, KPMG); at no time did election.com have access to the private key or the hardware and variables used to generate it. The encryption keys were generated using Certicom’s elliptic curve algorithm. As a result, only the third party (KPMG) could unlock or decrypt the vote. election.com did not have access to the decrypted Arizona ballots at any time, and the independent third party (KPMG) did not have access to the encrypted database of votes until the close of the election on March 11.
To ensure anonymity, voters’ identities and their actual vote selections were separated into two tables in a relational database that could not be rejoined at the election.com server (see Figure 1). Both tables were then doubly encrypted with the public key and transmitted over a secure socket layer to the election.com server.
The table with the actual vote selection was then physically transferred on a Zip disk to the KPMG hosting site where the votes were tallied. The table containing voters’ identities remained at the election.com server. KPMG read the encrypted votes and decrypted them on computers physically isolated from the election.com network. Physically separating the tables guaranteed that neither the election host nor KPMG could determine how a voter voted.
To be decrypted successfully, a vote could not have been altered in any way. Even a single bit difference would cause a vote to be “negated,” or rejected; it is notable that not a single vote was rejected during the election.
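The separation and tamper rejection described above, as an added Go example that is not the article's or election.com's code: a third party generates an elliptic-curve key pair and releases only the public key; the host stores each sealed ballot in a ballot table that has no voter column, while a separate identity table records only who voted; the third party alone can decrypt, and a ballot altered by even one bit fails the authentication tag and is rejected rather than counted. The cipher construction (ephemeral ECDH on P-256 plus AES-GCM, with the shared secret hashed as a stand-in for a proper key derivation function) is an assumption for the example; the article says only that Certicom's elliptic curve algorithm was used.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// ThirdParty plays the KPMG role: it alone holds the private decryption key.
type ThirdParty struct{ priv *ecdh.PrivateKey }

func NewThirdParty() (*ThirdParty, error) {
	priv, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &ThirdParty{priv: priv}, nil
}

// EncryptedBallot is one row of the ballot table; nothing in it names the voter.
type EncryptedBallot struct{ Ephemeral, Nonce, Ciphertext []byte }

// aeadFor derives an AES-256-GCM key from the ECDH secret (SHA-256 stands in for a real KDF).
func aeadFor(priv *ecdh.PrivateKey, pub *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared)
	block, _ := aes.NewCipher(key[:]) // cannot fail for a 32-byte key
	return cipher.NewGCM(block)
}

// SealBallot encrypts one selection to the third party's public key (ephemeral ECDH + AES-GCM).
func SealBallot(pub *ecdh.PublicKey, choice string) (EncryptedBallot, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return EncryptedBallot{}, err
	}
	aead, err := aeadFor(eph, pub)
	if err != nil {
		return EncryptedBallot{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return EncryptedBallot{}, err
	}
	return EncryptedBallot{eph.PublicKey().Bytes(), nonce, aead.Seal(nil, nonce, []byte(choice), nil)}, nil
}

// OpenBallot runs only on the third party's isolated machine; a single flipped bit fails the GCM tag.
func (tp *ThirdParty) OpenBallot(b EncryptedBallot) (string, error) {
	ephPub, err := ecdh.P256().NewPublicKey(b.Ephemeral)
	if err != nil {
		return "", err
	}
	aead, err := aeadFor(tp.priv, ephPub)
	if err != nil {
		return "", err
	}
	if pt, err := aead.Open(nil, b.Nonce, b.Ciphertext, nil); err == nil {
		return string(pt), nil
	}
	return "", errors.New("ballot rejected: ciphertext altered")
}

// Election is the host's view: two tables with no column that joins them.
type Election struct {
	Voted   map[string]bool   // identity table: who voted
	Ballots []EncryptedBallot // ballot table: sealed choices, no voter column
}

// CastVote writes to both tables, but the two writes share no key.
func (e *Election) CastVote(pub *ecdh.PublicKey, voterID, choice string) error {
	b, err := SealBallot(pub, choice)
	if err != nil {
		return err
	}
	e.Voted[voterID] = true
	e.Ballots = append(e.Ballots, b)
	return nil
}

// Tally decrypts the shipped ballot table, counting valid choices and rejected rows.
func (tp *ThirdParty) Tally(ballots []EncryptedBallot) (map[string]int, int) {
	counts, rejected := map[string]int{}, 0
	for _, b := range ballots {
		choice, err := tp.OpenBallot(b)
		if err != nil {
			rejected++
			continue
		}
		counts[choice]++
	}
	return counts, rejected
}
```

One caveat the structure alone does not cover: if the identity table keeps arrival timestamps and the ballot table keeps arrival order, the two can still be correlated, so a deployment following this design would shuffle the ballot table before shipping it and keep only coarse timing on the identity side.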
Despite these measures, the issues involved in ensuring voter (and vote) privacy could not be resolved through technology alone. As with the traditional paper-based absentee-ballot system, there is no way today to prevent other members of a person’s household or work environment from knowing how he or she voted unless the voter votes in private. Consequently, public policymakers have to weigh whether or not legislation offers a desirable remedy.
Preventing wholesale insider fraud. No one person was able to get into the database tables alone; all updates to the tables could be performed only through stored procedures tested by technicians separate from the development process. election.com engineers designed the system to provide for the complete compartmentalization of the votes, preventing even themselves from having access to the decrypted vote data at any time. Only KPMG was authorized and able to decrypt and actually count the votes.
We have been working with a number of organizations around the world to develop comprehensive and transparent audit trails. During development and implementation of the Arizona primary system, we engaged KPMG Limited Liability Partnership’s Information Risk Management practice to help review the security and internal controls of the application. Our engineers used all three types of standard audit trails:
- Data. Audit logs tracked who voted, not who they voted for. Only KPMG was authorized and able to unlock or decrypt the votes. Access to the data was strictly limited; database audit trails were used to track changes in the data.
- Hardware. Access to the database server was monitored via the server’s audit logs.
- Source code. Source code was controlled through commercial source-code management software that tracked its versions and changes.
Denial-of-service attacks. The voting system was also designed to anticipate and deflect denial-of-service (DoS) attacks in which, say, a potential hacker attempts to flood the Internet-access lines during an election. The Arizona Democratic primary experienced such attacks, deflecting them all [2]. Intrusion-detection software monitored activity on the voting network, detecting when unusual activity occurred and filtering it out, thus preventing it from interfering with the servers. We also configured the system’s firewalls and external routers to minimize the effect of a distributed DoS attack. In implementing the DoS strategy, we followed the SANS Institute’s Consensus Roadmap for Defeating Denial of Service Attacks (see www.sans.org/ddos_roadmap.htm).
Due to the open nature of the Internet, no one is absolutely immune to DoS attacks. Intrusion-detection software responds but also slows service. Such a possibility is one reason we advocate the use of multiple voting options in any legally binding election and was one of the factors behind our decision to extend remote Internet voting for the four days—March 7–10—before Election Day. Remote Internet voting was not allowed on March 11 to ensure everyone would have the same opportunity to vote on Election Day. We didn’t want to put any voters in the position of waiting until the last day of the election to vote from their home computers, say, a minute before the polls closed, only to find that for some reason they couldn’t because the computer broke down. They would have been denied their franchise.
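To make concrete what “detecting unusual activity and filtering it out” can mean in its simplest form, here is an added Go example that is not from the article, from election.com or from the SANS roadmap: a per-source sliding-window rate limiter run over a constructed access log. Two addresses behave like people working through the voting pages, one address fires a burst of requests within a second; the burst source is flagged and its further requests are dropped before they reach the voting servers, while the other two are untouched. The log format, the addresses and the window and threshold are assumptions made for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
	"time"
)

// Request is one parsed access-log line: time, client address, requested path.
type Request struct {
	At         time.Time
	Addr, Path string
}

// sampleLog is constructed for this example (RFC 3339 time, client, path): two
// ordinary voters at human speed and one source, 192.0.2.77, bursting six hits in a second.
const sampleLog = `
2000-03-07T00:01:00Z 10.0.0.5 /login
2000-03-07T00:01:12Z 10.0.0.5 /ballot
2000-03-07T00:01:30Z 10.0.0.9 /login
2000-03-07T00:01:31Z 192.0.2.77 /login
2000-03-07T00:01:31Z 192.0.2.77 /login
2000-03-07T00:01:31Z 192.0.2.77 /login
2000-03-07T00:01:31Z 192.0.2.77 /login
2000-03-07T00:01:31Z 192.0.2.77 /login
2000-03-07T00:01:31Z 192.0.2.77 /login
2000-03-07T00:01:45Z 10.0.0.5 /cast
2000-03-07T00:01:50Z 10.0.0.9 /ballot
`

// ParseLog turns the text log into Requests, refusing malformed lines.
func ParseLog(text string) ([]Request, error) {
	var reqs []Request
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		f := strings.Fields(line)
		if len(f) != 3 {
			return nil, fmt.Errorf("malformed log line: %q", line)
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		reqs = append(reqs, Request{At: at, Addr: f[1], Path: f[2]})
	}
	return reqs, sc.Err()
}

// RateLimiter flags a source that sends more than Limit requests inside any
// Window; timestamps are assumed to arrive in non-decreasing order.
type RateLimiter struct {
	Window  time.Duration
	Limit   int
	recent  map[string][]time.Time
	Blocked map[string]bool
}

func NewRateLimiter(window time.Duration, limit int) *RateLimiter {
	return &RateLimiter{window, limit, map[string][]time.Time{}, map[string]bool{}}
}

// Allow reports whether the request should reach the voting servers. A source
// that exceeds the limit stays blocked for the rest of the run.
func (r *RateLimiter) Allow(req Request) bool {
	if r.Blocked[req.Addr] {
		return false
	}
	cutoff := req.At.Add(-r.Window)
	ts := r.recent[req.Addr]
	drop := 0
	for drop < len(ts) && !ts[drop].After(cutoff) { // expire timestamps outside the window
		drop++
	}
	ts = append(ts[drop:], req.At)
	r.recent[req.Addr] = ts
	if len(ts) > r.Limit {
		r.Blocked[req.Addr] = true
		return false
	}
	return true
}

// Filter runs the limiter over the stream, returning the requests passed on and
// the sources flagged, in the order they were first flagged.
func Filter(reqs []Request, r *RateLimiter) (passed []Request, flagged []string) {
	for _, req := range reqs {
		wasBlocked := r.Blocked[req.Addr]
		if r.Allow(req) {
			passed = append(passed, req)
		} else if !wasBlocked {
			flagged = append(flagged, req.Addr)
		}
	}
	return passed, flagged
}
```

A per-address window is the weakest form of this control: a distributed flood spreads its requests across many sources, each under the threshold, which is why the article also leans on firewall and router configuration and on keeping non-Internet voting channels open.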
Along with the Arizona Democratic Party, we were committed to ensuring that all registered Democrats were able to exercise their franchise during the four days of Internet voting, by mail ballot, or at polling places on Election Day. Internet voting was allowed only at the designated polling sites on Election Day, March 11. In every Arizona Democratic primary prior to March 2000, registered Democrats had only one day and a limited number of polling sites to exercise their franchise.
Virus/Trojan Horse attacks. The vulnerability of the voting “platform” (a voter’s PC in most cases) is by far the most serious security concern to date with regard to remote Internet voting. Specifically, critics contend that a “malicious payload” in the form of a virus or a Trojan Horse could be delivered through the Internet, permitting a malefactor to view or, worse, manipulate a vote without the voter’s knowledge. As a result, they argue that remote Internet voting opens the door to unprecedented large-scale, automated fraud by a single person, possibly operating outside the law enforcement jurisdiction of the country holding the election.
The mere existence of this risk may be enough to argue against wholesale conversion of existing electoral processes to Internet voting on a national basis today. However, remote Internet voting is by no means an all-or-nothing proposition. Over the next two years, the most likely and advantageous deployment will be in smaller local elections for, say, municipal and school district officials. Historically, such elections suffer from extremely low turnout and the near absence of security, and the incumbents on the ballot are often in charge of counting the ballots. Moreover, they are often costly in terms of both financial and human resources. Internet voting promises to increase turnout, reduce costs, and significantly increase security. Nevertheless, we still have to ask about the vulnerability of the PC voting platform.
As critics of Internet voting have noted, the same properties that make PCs vulnerable as secure e-commerce platforms make them vulnerable as secure voting platforms. It is logical to assume that if it were easy to deploy a “malicious packet” to manipulate a voter’s vote, it would be just as easy to deploy one to manipulate an e-commerce transaction. Fortunately, this subterfuge has not proved to be the case in e-commerce transactions. The ability to develop a customized application that is targeted, undetectable, and specific in purpose is so difficult that, with the millions of financial transactions occurring online every day, there has not been a single high-profile case of fraud exploiting this vulnerability in the PC.2
The amount of risk tolerable to financial institutions (even those with billions of dollars of assets) is clearly not acceptable to a country’s democratic principles. Still, the vast majority of elections around the world are the smaller local elections in which there is virtually no threat that anyone with the technical sophistication to deploy a malicious software application would bother to do so. The vulnerability to fraud of these elections is not increased in any meaningful way through remote Internet voting and is arguably decreased in several important ways, such as having a trusted third party count the votes.
Application security. The Arizona voting application was designed to layer the system into user interface, business logic, and database access, thus allowing for increasing degrees of security, whereby the data (votes) were highly protected. Portions of the application, along with the voting data, resided behind several firewalls at unidentified locations. Added protection involved a source-code management system preventing unauthorized access that recorded and monitored each change made to the program.
Beyond firewalls and intrusion-detection systems, the application and related Web servers were continuously updated with the most current security patches and operating system fixes. The application and databases were all located at an undisclosed hosting site to prevent direct interference by hackers. In addition, a card key and biometric (thumbprint) access system helped prevent unwanted access to the site, and electrical power backup systems were in place in case of utility power failures. Data was replicated to a standby server throughout the five-day election period, ensuring that no information was lost.
The system was designed so each voting component had at least one and up to seven failover companions. Nevertheless, during the early morning hours on the first day of voting, March 7, a one-hour outage occurred due to a hardware failure in a router. The voting application and related network security configuration prevented the system’s failover component from communicating with its failover companion. The round-the-clock onsite emergency technical team assessed the situation, and the failover router was operational within an hour of the problem being identified. Ultimately, voters were prevented from accessing the site for one out of the 96 hours of remote Internet voting.
In the absence of Internet election guidelines, the procedures implemented by election.com and the Arizona Democratic Party were designed to ensure the highest ethical and security standards possible. We fully recognize, however, that these measures represent a work in progress in the development of comprehensive, uniform standards. We intend to propose standards for multimodal election audit trails to the Federal Election Commission, the Internet Electioneering Task Force, and the various state, provincial, and national certification bodies around the world. We are also soliciting comments from independent election-monitoring organizations, including the United Nations and the Carter Center in Atlanta.
Lessons Learned
The Arizona primary highlighted a good number of important lessons for the future use of remote Internet voting.
Don’t underestimate the importance of the human factor. In Arizona, help-desk lines were flooded until the early hours of the morning after the first remote Internet vote was cast at 12:01 A.M. on Tuesday, March 7, the first day of voting. In preparing for the election, we did not anticipate the around-the-clock lifestyles of many voters nor their widespread interest in being among the very first to vote online.
Sophisticated encryption technology is a challenge for older browsers. We require browsers used for voting to be current enough to support security and privacy features. The browser market has been evolving rapidly for the past several years, with many enhancements and changes added to the most popular models. While ideally we would like to support all potential browsers at all version levels, it is not practical to do so. It is common in the Internet industry to support only certain browser models and versions, primarily for the sake of updating feature and functionality requirements and security. Current versions are freely distributed by both Netscape and Microsoft to enable voters to upgrade their browsers to a supported level. In Arizona, accommodating computer users with certain older Netscape browsers would have meant compromising the security of the election; scaling down the security of the election was not an option.
Several Macintosh users had problems casting their votes online and were urged to vote at a physical polling place on Election Day. Recognizing the need to account for such platform incompatibilities, we established a strong working relationship with Apple Computer immediately after the election to ensure all our voting applications would be accessible to Macintosh users. Multimodal and multiday voting options are important in legally binding political elections to ensure all voters have the opportunity to exercise their right to vote.
Ensuring accessibility for people with disabilities is a continuous process. Internet voting offers new opportunities for disabled people, including the home-bound and those in nursing homes, to participate in the political process. The World Wide Web Consortium has developed Web content accessibility guidelines to ensure the Web is available to the disabled (see www.w3.org/WAI/); we strive to ensure that our Web site complies. The need to make both our voting site and Web site accessible to the blind was an important lesson from Arizona. As a result, we are working with Henter-Joyce, a software firm specializing in computer access for the disabled, the National Federation of the Blind in Baltimore (see www.nfb.org), and Proactive Accessibility, an advocacy organization for the blind (see www.proactive-access.com), as well as Apple and Microsoft, on how best to implement accessibility, using a live test site to evaluate and resolve potential obstacles.
Internet voting at the polling place adds little or no value to the voting process while adding a substantial cost to an election. The cost of enabling Internet voting at polling places is high due to the need for dedicated Internet service. Yet Internet voting at polling places offers no significant improvement for voters relative to the status quo of voting on traditional machines and paper ballots, nor does it eliminate lines. It does not enable voters to surf the Web to study the issues or the candidates. It does not reduce the cost of extending the voting period or increase the number of polling locations [1]. At Arizona’s polling places in March 2000, paper ballots outnumbered Internet ballots more than three to one.
Voters prefer multiple voting options. Internet voting can enable election administrators to significantly extend the time period during which voters might cast their ballots. However, because such policy changes have profound implications for the political process, policymakers should consider not only the effect on voter convenience and election costs but on the cost of campaigns, media coverage, and reporting election results.
Conclusion
As the Internet continues to revolutionize communications, commerce, and recreation worldwide, equally dramatic changes are promised for the mechanisms of democracy worldwide. Given that the defining characteristics of this technology revolution include cost savings, improved efficiency, and consumer empowerment, the benefits of applying these advances to the democratic process are equally apparent.
But when? Where? At what cost? In what manner? The answers are for policymakers and the people who elect them, not technology developers and vendors, to sort out. Changes in the electoral process—especially Internet voting—should be evaluated with constant reference to the public trust. In every respect, implementation of Internet voting should reflect equal or improved levels of security, integrity, and transparency compared to our traditional machine- and paper-based electoral processes. Internet voting can be implemented only with absolute commitment to maximum inclusiveness and accessibility for all voters.