Appendix A
California Internet Voting Task Force
Technical Committee Recommendations
The Technical Committee has reached a number of general conclusions about Internet-based registration, petition signing, and voting systems. Before detailing all of the reasoning in support of those conclusions, we provide here a quick summary. Each of these conclusions will be expanded upon in later sections.
2.1 Incremental approach to Internet voting
If Internet voting is instituted in California, it should be added in an incremental manner. It should be designed as an additional option for voters, not a replacement either for absentee balloting or balloting at the polls; and it should work in the context of the current (paper-based) voter registration system.
Internet voting should, at least initially, remain county-based for greater security and for proper integration with the current registration and voting systems, even though some economies of scale could be realized with a regional- or state-level system.
2.2 Internet voter registration not recommended
The Task Force strongly discourages any consideration of an all-electronic Internet voter registration system. Without online infrastructure for strong verification of the identity, citizenship, age, and residence of the person doing the registering, essentially any all-electronic voter registration system would be vulnerable to large-scale and automated vote fraud, especially through the possible registration of large numbers of phantom voters.
2.3 Internet petition-signing more difficult to make secure than Internet voting
Besides voting, registered voters in California have the right to formally sign petitions of various kinds, e.g. initiative petitions, recall petitions, etc. Potential systems for Internet-based petition-signing would face essentially all of the same privacy and security issues that arise in Internet voting systems, so most of the recommendations made here regarding security for Internet voting systems apply to any proposed Internet petition-signing system. But because of several structural differences between voting and petition signing that increase the security risks associated with Internet petition signing, we recommend even greater caution be exercised in considering any Internet-based petition signing system.
2.4 Privacy and security issues in voting
Security (including privacy) and reliability are the most important engineering considerations in the design of i-voting systems. Security in this case means (1) voter authentication (verification that the person voting by Internet is a registered voter in the district in which s/he is voting), (2) vote integrity (assuring that an electronic ballot is not forged or modified surreptitiously), (3) vote privacy (assuring that no one can learn how any individual voter voted), (4) vote reliability (assuring that no Internet ballot is lost), (5) non-duplication (assuring that no voter can vote twice), (6) defense against denial of service attacks on vote servers and clients, and (7) defense against malicious code attacks on vote clients.
Reliability means (1) that the entire system, from end to end, operates properly even in the face of most kinds of local (single point) failures; (2) that its performance tends to degrade smoothly, rather than catastrophically, with additional failures; (3) that voters have solid feedback so that they know unambiguously whether their vote was affected by a failure of some kind; (4) that the probability of a global, system-wide failure is remote; (5) that the rarest of all technical failures are those that result in votes being lost after the voter has received feedback that the vote was accepted; and (6) that procedures are in place to protect against human failure, either accidental or malicious, that might result in incorrect results of the canvass.
Each of these issues requires specific architectural features (hardware and software) in the design of any system for Internet voting. Most of them are well understood, with satisfactory technical solutions readily available, which we expand upon in the recommendations below. However, some of them require special attention in the case of non-county-controlled (e.g. home or office) voting.
2.5 Internet voting systems should be modeled on the absentee ballot system
The Task Force views Internet voting as being in many ways analogous to (paper) absentee balloting, in that the voter might vote remotely and/or early, and without a personal appearance at the polls. The analogy is even stronger in the case of vote-from-anywhere systems in which the ballot passes through many hands on the way from the voter to the canvass. We therefore recommend modeling some i-voting procedures on established California procedures for absentee ballots, including these requirements:
See Section 5.8, Internet voting compared to absentee ballots.
2.6 Two broad classes of i-voting platforms
There are two broad categories of i-voting systems that must be distinguished in any discussion of Internet voting. The difference is based on whether or not the county election agency has full control of the client-side infrastructure and software used for voting:
This distinction is fundamental because with systems that are not county-controlled, the voting environment is difficult to secure against some very important privacy hazards and security attacks that can arise from infection with malicious code or use of remote control software. Hence, "vote from anywhere" systems must be substantially more complex to achieve the same degree of privacy and security as is achievable with a county-controlled system.
2.7 Four-stage approach to implementing Internet voting
We recommend a four-stage approach to the possible introduction of i-voting in California. Each stage is a technical advance on the previous ones and provides better service to more voters. These four types of systems are:
The first three of these system types are "county-controlled systems", as defined in Section 2.6. We believe that these systems can reasonably be deployed, at least for trial purposes, as soon as they can be built and certified as satisfying not only the current requirements of the California Elections Code, but also the additional requirements we recommend in this document. If the current Elections Code is found to contain language or provisions that prohibit Internet voting, then the legislature will have to act before any trials can occur in which the votes actually count.
The last type of system, (d), is in the category of "vote from anywhere" systems as described in Section 2.6. We do not recommend deploying these systems until a satisfactory solution to the malicious code and remote control software problems is offered.