Testimony In Opposition of H. 600
An act relative to UOCAVA voters
Pamela H. Wilmot, Executive Director, Common Cause Massachusetts
Joint Committee on Election Laws
October 19, 2015
Thank you for the opportunity to testify today on H. 600, an act relative to UOCAVA voters. The proposed legislation seeks to amend chapter 54 of the General Laws to permit the delivery of a blank ballot by email, facsimile, or “secure website” and to allow the return of any voted ballot to the clerk’s office also by email, facsimile or “secure website.” We do not oppose the delivery of a blank ballot by any electronic means, but we oppose Section 2 of H. 600 which would permit the return of any voted ballot via email, facsimile and “secure website.”
Extending the options for UOCAVA voters to return any voted ballot by email, fax and “secure website” is likely to significantly increase the number of ballots returned electronically, a method that has been identified as too insecure for the transmission of voted ballots by the Department of Defense, the National Institute of Standards and Technology and senior cyber security officials at the Department of Homeland Security. Moreover, the term “secure website” is an oxymoron. The endless string of high profile network breaches, including Sony, Target, Scottrade, Centcom, the CIA, the FBI, the Office of Personnel Management and so many others, illustrates starkly how difficult it is to safeguard any online system from malicious intrusion.
In 2005 Congress directed the National Institute of Standards and Technology (NIST) to study the online return of voted ballots for the purpose of setting security standards so the Department of Defense and its Federal Voting Assistance Program (FVAP) may develop a secure online voting system for UOCAVA voters. NIST has published numerous reports on its research and documented several security issues which cannot be mitigated or solved with the cyber security safeguards and voting system protocols currently available. NIST concluded that until these challenges are overcome, secure Internet voting is not yet feasible. [i]
For these reasons the Department of Defense has warned that it cannot ensure the legitimacy of ballots sent over the Internet and has stated “[the Department of Defense] does not advocate for the electronic transmission of any voted ballot, whether it be by fax, email or via the Internet.”[ii] In addition, the Department of Defense’s Federal Voting Assistance Program, in a report to Congress in 2013, stated clearly that the postal mail return of a voted ballot, coupled with the electronic transmission of a blank ballot is the “most responsible”[iii] method of absentee voting for UOCAVA voters. The overwhelming evidence that secure Internet voting is not within our grasp led Congress to repeal a directive to the Department of Defense to pursue online voting for military and overseas voters in the 2015 National Defense Authorization Act.
The federal government is not alone in its assessment that secure online voting is not presently possible. Utah’s Lieutenant Governor has been a proponent of expanding Internet voting in his state, supporting its use for military, overseas and disabled voters. In 2014 he assembled an advisory committee consisting of legislators, election officials, county clerks and security and technology experts to explore extending online voting to all voters in the state. The Lt. Governor’s own committee recently released its report which stated in no uncertain terms that Utah’s current practice of online ballot return is not secure. The report went on to illustrate exactly how unrealistic the challenge of creating a secure online voting system continues to be.
“Given that sufficiently secure Internet voting systems do not yet exist, they would need to be built. Of course, some systems, like a stone bridge to the moon, are impossible to build. Others, like a stone bridge to Hawaii, are so exorbitantly expensive as to remain a fool’s errand. However, other systems, like spacecraft, aircraft, and the newer Sam White Bridge, are much more affordable. Unfortunately, with the four challenges mentioned in the preceding section, the unconstrained nirvana of Internet voting, “from any device, entirely online,” is so impossible, or at least infeasible, as to be a fool’s errand.”[iv]
The public may ask, ‘if I can bank online, why can’t I vote online?’ But voting includes some critical differences that make it a much more difficult enterprise than online banking or commerce. Online banking and shopping are not secret or anonymous; a customer can check her statement at any point to detect and address fraudulent charges. In voting we vote by secret ballot and there is no mechanism for the voter or election official to check to ensure ballots were not manipulated or hacked in transit and that the votes are legitimate. This makes online elections especially vulnerable to undetectable hacking. And even if an attack were detected, there would be no way for election officials to determine which ballots were manipulated and which are legitimate, making an online attack uncorrectable. In addition, the banks can calculate an acceptable level of fraud and factor that into the cost of doing business or take out insurance to cover their losses. We can’t do this with voting; we can’t be willing to accept 2 or 3% of falsified ballots. Elections are often decided by very small margins and there is no acceptable level of election fraud. Finally, the assumption that online banking can be done securely is faulty. It is estimated that banks lose millions or even billions of dollars every year to online attacks. High profile hacks like those on Citibank, JP Morgan Chase and Bank of America prove that even systems with high cyber security budgets (much higher than that of the Massachusetts Department of State) cannot resist determined attackers.
Supporters of online voting often cite Estonia as an example of secure online voting but there are some important caveats and differences to consider. First, Estonian citizens all possess a government issued ID card with a chip in it which can offer a higher level of online voter authentication than is possible in the U.S. But more importantly, the Estonian system cannot correctly be described as “secure” as computer security researchers have identified vulnerabilities in the system which make it susceptible to manipulation and undetectable hacking.[v] Finally, it is important to note that there is considerable public distrust of the system in Estonia. Many citizens contend that the online voting system has been manipulated by Russian operatives. Public confidence in our election process is essential. We should not be willing to accept a system which cannot be trusted to be legitimate.
We know much more today than we did five or ten years ago about the insecurity of systems on the Internet. Ten years ago secure Internet voting seemed an attainable goal, but in 2015 experts have come to the consensus that the secure online return of voted ballots is a much more difficult problem to solve and that the likelihood of a malicious attack is all too real. Section 2 of H. 600 would further expand the electronic return of voted ballots over the Internet, a process that we now know is highly vulnerable to manipulation or tampering. The mounting evidence that secure online voting is not yet achievable led the U.S. Congress to abandon it as a project. Now is the time to limit or end the electronic return of voted ballots, not to further expand this insecure practice. We urge the committee to remove Section 2 of H. 600 and not expand the electronic return of voted ballots.
[ii] Pentagon spokesman Lt. Commander Nathan Christensen, April 16, 2015
Gordon, Greg, “As states warm to online voting, experts warn of trouble ahead,” The Olympian, April 16, 2015
[iii] Federal Voting Assistance Program, May 2013, “2010 Electronic Voting Support Wizard (EVSW) Technology Pilot Program Report to Congress,” http://www.fvap.gov/uploads/FVAP/Reports/evsw_report.pdf
[iv] iVote Advisory Committee Final Report, Aug. 21, 2015, Utah Lt. Governor Spencer J. Cox
[v] “Security Analysis of the Estonian Internet Voting System,” Drew Springall, Travis Finkenauer, Zakir Durumeric, Jason Kitcat, Harri Hursti, Maggie MacAlpine, J. Alex Halderman. Proceedings of the 21st ACM Conference on Computer and Communications Security (CCS ’14), November 2014, https://estoniaevoting.org/findings/paper/