Efforts to allow members of the U.S. military and other overseas voters cast ballots by e-mail or on the Internet face serious security problems, according to a new U.S. government report.
Even though voting by standard mail has its own problems, the report, from the U.S. National Institute of Standards and Technology (NIST), says that electronic transmission of completed ballots, also including telephone and fax, "present significant challenges to the integrity of the election."
The U.S. Department of Defense experimented with Internet voting in 2003, but dropped a pilot program the next year after security concerns surfaced. A handful of states have experimented with Internet voting, including Florida and Alabama in 2008, prompted by concerns about military mail ballots not being delivered in time to be counted.
The Help America Vote Act of 2002 (HAVA) requires the U.S. Election Assistance Commission (EAC) to study methods of overseas voting, and the NIST report is part of that effort. "IT security is an important aspect of this issue, so EAC asked NIST to conduct a study that would explore the security threats associated with potential electronic technologies for overseas voting, and identify possible ways of mitigating the threats," said Nelson Hastings, co-author of the report.
The NIST report says it's relatively safe to transmit unfilled ballots by fax or e-mail or put them on the Web, but sending filled-in ballots by those methods present problems with security or privacy.
Voting by telephone would require PINs, and PINs can be lost or stolen, the report says. In addition, telephone calls can be tapped, especially VoIP (voice over Internet Protocol) calls, the report says.
Fax transmissions can be relatively secure, but faxed ballots may be left unattended "for several hours," the report says. "Fax machines would likely be left in a room at the election office receiving faxes throughout the day," the report says. "This gives would-be attackers time to view sensitive personal information or destroy valid registration forms."
E-mail can be intercepted or blocked, the report adds. "E-mail does not provide any guarantee that the intended recipient will receive the message," the report says. "An attack on DNS [Domain Name System] servers could route e-mails to an attacking party. This would not only result in voter disenfranchisement, but also the loss of sensitive voter information."
While there are no reports of such an attack being successful, a recent vulnerability was discovered in DNS servers that could have been used to create such an attack, the report says.
There are also a number of less sophisticated attacks that could disrupt e-mail voting, the report says. "A denial-of-service attack could flood election officials with a massive number of fraudulent e-mails," the report says. "The number of e-mails could quickly overwhelm the election officialâ€™s e-mail server, preventing legitimate registration forms from reaching election officials."
Web-based voting could use encryption to guard against data leaks, but denial-of-service attacks powered by botnets are still a potential problem. "A successful denial-of-service attack would overwhelm the election Web server with traffic, preventing legitimate voters from sending registration and ballot request materials," the report says. "It is very difficult to protect against denial of service attacks from an attacker with a large amount of resources."
Several states already distribute ballots by e-mail or fax, and the NIST report recommends the Election Assistance Commission develop guidelines for doing so. It offers little advice for alternatives to traditional mail for returning ballots, however, saying improvements in security need to be monitored.
"Fax, e-mail and Web-based systems could distribute blank ballots quickly and reliably to voters, significantly reducing the ballot delivery times faced by mailing ballots to voters and improving the ... voting experience for citizens overseas," the report says. "In addition, registration and ballot requests can also take advantage of these distribution methods, but there are more threats when handling personal information from voters. Voted ballot return remains a more difficult issue to address."
NIST's role in election systems is "purely technical," said report co-author Andrew Regenscheid. "NIST does not set or recommend policy decisions," he said. "It is up to state and local election officials to decide what level of risk they are willing to assume, based on the procedures and controls they put in place."