Response to Formal Request for Comment by the CESG (UK) on Internet Voting
Issued October 31, 2002

I received notification of the request for comment regarding the e-Voting Security Study submitted by the CESG. Although my work was cited in the report, I was not contacted to provide input during its preparation, and feel compelled to submit a written statement that directly addresses its content.  I had also provided general comment regarding this topic in a meeting held with the Office of the e-Envoy e-Government on October 17, for which a transcript has been prepared.   I hope that your office will review the material here as well as the extensive writings on my website at http://www.notablesoftware.com/evote.html and continue to communicate with me on this matter.

I believe that the conclusions of the study are erroneous.  It is not presently (nor in the foreseeable future) possible to construct a secure, Internet-based system for remote electronic voting.  The system described in the report is typical of the proposals that have been deemed flawed by noted cryptographers such as Bruce Schneier and David Chaum, and security expert Peter Neumann, as well as many other computer scientists and researchers who have been commenting on this subject for the past decade.  It is well-understood (except by those who are promoting remote voting solutions) that crypto add-ons can not effectively thwart the numerous problems posed in assuring adequate ballot distribution, vote collection, and accurate vote-tallying, over the Internet.  The proposed system further introduces numerous avenues for attack that are well-beyond the risks present in traditional local voting or remote postal voting.  As I said in my doctoral dissertation (referenced but not quoted in the report):

“The Internet differs from a controlled local or even wide-area network in that it is globally accessible for transmission and reception of data to/from any and all other Internet connected devices.  Internet security features are largely add-ons (authentication, firewalls, encryption) and problems are numerous (denial-of-service attacks, spoofing, monitoring).  Hence, interfacing to the Internet could be, in itself, considered to constitute a security breach, in that wide attack and monitoring opportunities are provided that would not be possible with individual voting kiosks, or in a closed network setting where all clients and servers are known and identified prior to system operation.  The movement of information over the Internet involves routing through dynamically determined and difficult-to-trace paths, whereas a controlled network can establish and track data transmissions.  The Internet includes systems that are not subject to local laws and whose operators can not be expected to comply with local voting regulations.”

“Off-site balloting methods are a first step toward the elimination of the community-based poll watching process, which is so essential in providing checks and balances in assuring that the voters are who they say they are; that they are voting only once and not casting ballots for other parties; that privacy is maintained and coercion is not occurring.  The remote vote throws open the door for organizations to create their own convenient balloting locations and to consider intimidation of the members who don’t use them, thus enhancing the role of special interest groups in determining the outcome of elections.  Off-site balloting also provides opportunities for vote-selling, a powerful way to throw an election to the highest bidder, an unintentional side-effect of increased voter-turnout.”

As an aside, I would like to note that the e-Voting report refers to the XML OASIS study that is presently being performed.  XML is yet another add-on, that can incorporate crypto, but it does not create an appropriate platform for voting on the Internet, hence, any effort to use it for elections is necessarily doomed to failure. It is like basing a product on the denial of the laws of gravity – what would be produced is still an inherently flawed system.  XML is appropriate for business applications where other methods of auditing coexist, not for anonymous (or semi-anonymous) ballot casting.

With regard to the report’s comment that the Federal Election Commission is planning to phase Internet Voting into the US guidelines and likely to adopt it in the US at some point – this is wholly untrue.  Because of the various sociological and technological problems, it was strongly recommended by the National Science Foundation to NOT use Internet voting in the USA at any time in the foreseeable future.  Although the FEC has not yet entirely precluded the use of Internet voting, it has confirmed the sentiment that it is not presently viable, in their 2002 standards documents. This misleading remark in the e-Voting report is only one of many that I believe stem from a lack of thorough investigation on the part of the researchers.

The described scheme essentially takes a simple process – make a mark on a piece of paper, deposit it into a ballot box or the mail – and proposes to shroud it in a veil of complexity and obfuscation.  Monitoring of the election process by the public and those officials authorized to secure the elections will be turned over, in large part, to the voting system vendors and their suppliers, or technologists rather than members of the general public.  Auditing and recounts, instead of a true checking process, will be merely procedural – since there will not be any real way to perform an independent verification of the election results.  Electronic voting has failed miserably in recent trials in the United States.  Communities now must pay millions of dollars to hire workers to operate the new confusing devices that replaced traditional methods that could be used simply and effectively.  Votes mysteriously disappear from these electronic gizmos on a routine basis – on the order of 3% to 10% or more.  Is this really what the UK needs?  A scandal such as we have seen in the USA will likely disillusion the UK public and increase voter apathy, thus defeating the stated purpose of such systems.

The prospect of adopting such a closed and complex approach should be shocking and horrifying to those who are accustomed to open and straight-forward elections.  To say that (as the report does) “it is probably impossible to make any system perfect” and then use this as an excuse to impose a horribly imperfect and flawed process on the voting public, is sorely misguided.  Although the intentions were admirable, the fact remains that the infrastructure necessary for the success of remote electronic voting does not exist.   I hope that these strong words will motivate concerns sufficient to cease the introduction of e-Voting into the UK.

Respectfully submitted,
Rebecca Mercuri, Ph.D.
mercuri@acm.org
P.O. Box 1166
Philadelphia, PA 19105 USA
609/895-1375