Don't trust voting on the 'Net, speaker says

Cambridge, Mass.-- Internet voting is so open to manipulation that it should be avoided at all costs, according to a keynote speaker at this week's Usenix symposium on networked system design and implementation.

“It’s voting by mail made worse,” says Ronald Rivest, a computer science professor at the Massachusetts Institute of Technology, because the Internet inherently is insecure.

Internet voting, like voting by mail, leaves open the possibility that someone other than the voter will cast the ballot, as well as that of coercion, Rivest says. “It’s important that voters have an enforced moment of privacy when they vote,” he says, something that can be assured within a voting booth, but not necessarily outside one.

In addition, Google's vice president and chief Internet evangelist Vinton Cerf recently said that as many as a quarter of all computers attached to the Internet might be participants in botnets, according to Rivest. “If that’s true, that’s a huge voting block,” he says.

Even when the Internet is avoided, secure electronic voting is fraught with other problems, including the security of voting machines and their millions of lines of private code. Source code for voting machines, as well as their underlying operating systems, should be available for security checks by testing labs, Rivest says.

The machines may be attached to networks that represent another point of attack, Rivest says. Voting machines at precinct polling places may be networked to local databases of voters, and those may in turn be connected to municipal databases of voters, he says, opening the machines to tampering over the network or denial-of-service attacks.

Electronic voting that leaves a paper trail also is hard because voters don’t want a receipt that violates the secrecy of their vote by showing in plain text how they voted. Rivest described a way to encrypt the results multiple times before they are counted, verifying at each step that votes are recorded accurately but without providing a direct link between voters and an unencrypted copy of how they voted.

Even designing verifiable paper-ballot systems is difficult, Rivest says. A big challenge to designing secure, verifiable voting systems is proving that votes are recorded as cast and that those votes are then tallied accurately.

He outlined methods being considered by academic researchers that include voters casting three ballots each, voting once for each candidate, but casting two ballots for the person they actually want to win. Each race on each ballot would have one or two marks on it, but voters would have to make sure that the candidate they really want gets a mark on two separate ballots.

People would take a copy of one of their three ballots as a receipt, which would not indicate how they actually voted but would serve as an integrity check of the vote as posted on a public bulletin board, Rivest says.

Voters are going to say there’s way too much math involved,” he says, “which is not to say that anyone understands the software of voting machines.”