California Internet Voting Task Force
Technical Committee Recommendations
Table of Contents
Today, registered voters in California cast ballots in public elections either by going to the polls in person on election day, or else by requesting in advance an absentee ballot, filling it out, and sending it back to the county, usually by mail. Internet voting would allow voters a third option: to vote electronically, with their ballots transmitted securely over the Internet.5.1 What is Internet voting?
Internet voting (i-voting) refers to any method of voting in a public election in which the voters ballot is retrieved via the Internet from a countys vote server, presented to the voter electronically on a computer screen, marked electronically by the voter, and then transmitted back to the vote server via the Internet. There are several variations of i-voting that should be distinguished in any discussion, because they have markedly different security properties.
It is important to distinguish direct recording equipment (DRE) systems from i-voting systems. With DRE systems voters also make their choices on a computer, but only at the polls, only on election day; and the votes are stored in the machine in the precinct for later retrieval by election officials, rather than being transmitted over the Internet one by one as they are cast. DRE systems are electronic alternatives to the well-known mechanical voting machines still in use in some jurisdictions in the U.S., and do not present the more serious security problems we will be discussing here that pertain to i-voting.5.2 What is the value of Internet voting?
Internet voting is intended as a service to the electorate, so that voters might vote more conveniently. Some systems permit voting from more convenient sites than the precinct polling places. Some permit early voting, for a period of time before election day. Some permit home voting, workplace voting, and in general, voting from anywhere that there is an Internet-connected computer.
The hope is that with added convenience and flexibility, voter participation in elections may increase. In addition, the latency of voting should be dramatically reduced from several days for the traditional mailed absentee ballot to a few seconds for an Internet ballot, allowing remote voters to wait until much later in the campaign before committing their votes. Finally, we may expect that the speed and accuracy of the election canvass may be increased, since all Internet ballots can be counted within minutes of the closing of Internet voting; furthermore there should be fewer ways to spoil ballots and fewer ways to miscount them than with the current paper-based equipment, all contributing to an improved elections process.5.3Comprehensive vs. incremental approaches to Internet voting
There are at least two stances one could take toward i-voting: comprehensive and incremental. A comprehensive approach would involve rethinking all parts of the elections process from an online perspective, with an eye toward fielding a unified system for online (a) voter registration and district assignment, (b) voter pamphlets and sample ballots, (c) candidate-, initiative-, referendum and recall petition signing, (d) ballot production, (e) voting, (f) canvass, and (g) perhaps even registration as a candidate for office. It might include administering electoral systems at the state level to achieve economies of scale, rather than at the county level, as is traditional. And it might be accompanied by recommendations for other reforms in the electoral process.
An incremental approach, on the other hand, starts with the current electoral system and introduces Internet voting in stages, extending its reach as experience is gained and technology improves. It proposes minimal changes to the California Elections Code, and attempts to minimize the costs for the new infrastructure, new training for officials, and public education that would be required. An incremental approach retains the current county administration of elections, so that i-voting might be adopted at different times and in different forms to suit each countys needs. If early county experiences with i-voting are successful, cost effective, and supported by the public, the early systems can be improved and extended to more comprehensive ones later.
This task force has come down firmly on the side of an incremental approach to i-voting. Because large-scale i-voting in public elections has not been tried as of this writing, and because fair elections, and elections perceived to be fair, are so vital to government, it seems prudent that we adopt a conservative stance, modeling the requirements for any Internet-based voting system as closely as possible on the current systems that both the public and election officials understand and trust. Wherever possible we propose that Internet-based voting processes be analogous to those used with paper ballots, e.g. for preventing most forms of double voting; for dealing with the rare double votes that do happen (usually unintentionally); for keeping records to prepare for election challenges; and for preventing election agency personnel from violating voter privacy or tampering with votes. Internet voting should be an evolutionary, not a revolutionary change in the voting process.
Of course, there are some issues unique to electronic voting with no analog in current paper-based balloting systems, such as communication failures, potential overloading of voting infrastructure, potential denial of service attacks on voting servers and clients, and potential malicious code attacks on vote clients. We will make detailed recommendations on these issues.5.4 Strawman architecture for i-voting system
Figure 1 represents a possible general architecture for the infrastructure of an Internet voting system. It is presented for illustrative purposes only, to give us vocabulary for talking about i-voting in the rest of the document; it is not a recommendation or expectation that this architecture be strictly followed.
Figure 1: Possible i-voting infrastructure
On the left are vote client machines, i.e. the computers used by voters to cast their ballots. These will generally be small machines (initially PCs of some kind) located in public places such as schools or libraries, or, eventually, in voters homes or workplaces, etc.
Each client will be connected to an Internet Service Provider (ISP). The ISPs will be connected to other networks that are in turn connected to the ISPs used by the Vote Server Data Center. The complex of ISPs along with the regional and national network service providers they connect to is the Internet. Ballots and related information will travel between the vote clients and the vote servers through the Internet.
We expect (but do not require) that the infrastructure for receiving and counting votes will be divided into two parts, at least logically if not physically. The Vote Server Data Center (VSDC) may be run by the county itself or, perhaps because of the technical skill required to run it, by a vendor under contract with the county. The job of the VSDC is to do the following:
The VSDC, as we envision it, only handles encrypted ballots, and must have no access to any cryptographic keys that could be used to check, read, forge, or modify any ballots. Hence, voter privacy and ballot integrity cannot be compromised at the VSDC without detection. The most vital requirement then remaining is that the VSDC not lose any ballots.
From the VSDC, the ballots, still encrypted, are sent to the county office. This transfer can take place in the background, or just after the close of Internet voting, since high speed is not required.
Canvass of the Internet ballots can be done at the county election offices in a way that is analogous to the handling of paper absentee ballots. Although procedures vary from county to county, in the case of absentee ballots it generally involves checking the signature on the ballot envelope against the signature on file for the voter in the registration records, and checking the database of voters who have already voted. If for some reason a vote has already been recorded for that voter, then the absentee ballot is saved, but not counted; but if not, then a notation is made in the database that he or she has now voted, and the ballot is removed and separated from the envelope. The ballot is put in a pile with other ballots for counting, and the envelope is saved for cross-checking and audit. Once the ballot is separated from the envelope, it is never again possible to match a ballot with the voter who cast it.
In the case of Internet ballots, a similar procedure is necessary to verify that the ballot came from a registered voter from whom no other ballot has been received. The ballot must somehow be tied beyond any reasonable doubt to the voters registration form, but different i-voting systems will accomplish the linkage differently. It may involve checking the voters digital signature, or comparing a digitized biometric of some kind to a stored biometric key, etc. Once the ballots legitimacy has been verified, it should be decrypted and separated computationally from the voters identity so that they cannot be put back.
Once the ballots are separated from the voter identification information, they are ready for counting. Except that it is accomplished by software, this process is little different from counting of other types of ballots.5.5 Classification of i-voting systems
This task force has identified four distinct types of Internet voting systems that we believe will work in California. They can be placed in a sequence of increasing complexity leading from relatively simple systems providing modest new services to the electorate with few security concerns, all the way to very sophisticated systems providing unprecedented new convenience to voters, but with more complex security issues to be overcome. These four types of systems are:
While the space of i-voting systems can be sliced in other ways, this classification has the virtue of suggesting a long-term implementation strategy as well: the simpler systems can be implemented first, and the more complex ones can later be built upon the foundations of the earlier, simpler ones when the technology is ready.
In the next four sections we describe these types of i-voting systems in a little more detail.5.5.1 (a) Internet voting at voters precinct polling place
The simplest i-voting system is basically a computer set up at precinct polls on election day as an alternative voting device to whatever system is traditionally employed by the county. Voters would enter the polls on election day and identify themselves as usual to poll workers; then they would choose to vote using either the traditional system is employed in the county, or one of the Internet voting terminals. (Eventually some counties may eliminate the traditional voting methods, but that would be very unwise in the first few election cycles because of the possibility of problems with or failures of the Internet systems.)
Such a system provides only modest service to voters, because they have to come to the precinct polls to take advantage of it. Its main benefit is to speed the vote canvass, since the votes are transmitted directly to the county instead of being held in the machine for transmission after the close of the polls. It will likely also have great value as a first step in the construction of more complex systems.5.5.2 (b) Internet voting at any polling place in the county
In this type of system the county sets up voting computers at places that might be convenient for voters around the region such as shopping centers, schools, town centers, and locations near large employers. County A might even be locate polling places in a neighboring County B if that would be convenient for voters registered in County A. These new sites would be in addition to the traditional precinct polls. Like precinct polls the new sites would be manned by election officials or poll workers, but unlike precinct polls, any voter in the county could vote at any of these sites. Furthermore, the sites might be available for voting in advance of election day as well as on election day, perhaps for several weeks, i.e. as long as the absentee balloting window is open.
Voters would identify themselves to poll workers at these sites exactly as they would at a precinct poll site, but the poll workers would have their own computers with Internet access to the county database of registered voters so they could verify eligibility, determine which ballot style the voter should get, and record that the voter has voted. The poll worker would then give the voter a code of some kind to take to the i-voting computer, both to authenticate the voter to the i-voting computer and to retrieve the proper ballot type.5.5.3 (c) Remote Internet voting at county-controlled computers or kiosks
This type of system is quite similar to (b) above, except that the voting sites need not be manned by official poll workers. Instead, the i-voting machines at the new polling places, perhaps enclosed in kiosks, would be tended by people with lower-level skills whose responsibility would be only to prevent tampering with the machines, prevent electioneering, prevent voter coercion, and to call for help if any problem develops.
For these systems to be secure, voters would have to have previously requested Internet voting authorization from the county, on a paper form with a live signature, much as voters may now request an absentee ballot. The county would return to the voter a code to be used at the time of voting, both to authenticate the voter and to enable retrieval of the proper ballot type. Presumably this code would be similar to that given to the voter by a poll worker in systems of type (b). Then, in order to vote, voters would simply walk up to an i-voting machine, authenticate themselves using the code provided by the county (without talking to any poll worker), make their choices, and transmit the ballot.
After voters get used to them, systems of this type should be lower in cost in the long run than those of type (b), because they do not require fully-trained poll workers to supervise them. They should therefore be of greater service to voters because presumably more voting sites could be fielded.5.5.4 (d) Remote Internet voting from home, office, or any Internet-connected computer
Systems of this type allow voters to vote from essentially any Internet-connected computer (with appropriate software) anywhere, including from PCs at the voters home, workplace, school or college, hotel, or even possibly from a voters handheld Internet appliance, etc. As with systems of type (c), voters will be required to request authorization for this type of voting in advance, so they can be given credentials (of some kind) by the county for use at the time of voting. In some systems it might be necessary for voters to be issued voting software as well and may also include provisions for the voters to provide the county with a personal identification number (P.I.N.) to be used for voting purposes.
These systems would provide by far the greatest convenience to voters, who could, in effect, vote any time, anywhere. But these systems also involve much more difficult security problems since the election agencies will not have full end-to-end control of the infrastructure for voting.5.6 County-controlled iVoting computers
For county-controlled i-voting computers, used in systems (a), (b), and (c) above, the most difficult security issues, malicious code and remote control/monitoring software, can be effectively avoided by running a "clean" copy of a stripped-down, minimal operating system and voting application. The software should come directly from a certified source on read-only media, and no software modules or functionality should be included beyond the minimum necessary for i-voting. No remote control or monitoring software should be loaded, nor any software for email, chat, audio (except perhaps in service to blind or illiterate voters), video, file transfer, printing, general web browsing, or other network services extraneous to voting. There should be no software for sharing files or devices over the network, and except for booting the operating system and launching the voting application, it should be possible to do without a file system at all! Unnecessary software that cannot be practically removed for some reason should be turned off or otherwise disabled. Since many of these features tend to be built into the operating systems or browsers of today, it may take some effort, and possibly the cooperation of software vendors, to procure a software base suitably stripped-down for voting. The details should be examined carefully at the time a system is presented for certification.
The most serious remaining issue is tampering. County-controlled machines might in some situations be in service for up to several weeks prior to election day, might be physically handled by hundreds of voters per day, and might be unused during nights or weekends. A vendor of voting systems intended for use in a public place should provide the specific software configuration intended for that environment, and specific security and maintenance procedures to make sure the machines remain secure. Furthermore, the systems themselves should always be monitored by someone whose job it is to prevent tampering. Other anti-tampering precautions should be considered as well, such as:
The most serious problem in home environments is the possibility that the home PC might be "infected" with a malicious program designed specifically to interfere with voting. Home PCs are generally not professionally managed, and most home users are either not aware of security hazards that might affect voting, or may not know how to use the security tools available. As a result, their computers are frequently vulnerable to all kinds of malicious code attack. For more discussion of this problem, see Section 6.2, Malicious software.
The only way that home voting can be made safe is to have the voter deliberately secure his or her computer just before voting. There are a number of ways to accomplish this with current technology, but all of them require some inconvenience to the voter and some development complexity on the part of the i-voting vendor. See Section 6.2.2, Internet voting systems designed to thwart malicious software.
In the home setting, there is also some risk of loss of voting privacy, since one person might be able to spy on the voting of another. However, we believe that voters at home computers might be presumed to trust other people in the same household. While people might be able to spy over each others shoulders during voting, or monitor one computer from another on the same home network during voting, people can also spy on others filling out an absentee ballot, or steal each others absentee ballots. Voters must take some responsibility for guarding the privacy their own vote, and the household seems a reasonable boundary within which to expect them to take that responsibility.
In an institutional setting, where the network and the computers are owned and managed by someone other than the voter, it is usually the case that the computers must have a full complement of operating system and networking software for their primary mission. Although they are often just as vulnerable to malicious code attacks as home machines, a "clean system" approach, with an explicit step of securing the platform before voting, may not work well in a workplace environment because rebooting from a clean operating system would likely make the machine unavailable for its primary business purpose.
In addition, workplace voting introduces a new major concern about vote privacy. Institutional computers are often maintained, managed, and controlled by professional staff, rather than the primary user. They are likely to have remote control or monitoring software in place, which leads to the possibility of one employee surreptitiously monitoring (electronically) anothers voting. Vendors who expect their i-voting systems to be used in the workplace must go to some lengths to ensure that voter privacy is not compromised. Furthermore, voters in general should be educated about the fact that computers located in places where the security environment is totally unknown, or not trusted, are probably too risky to be used for i-voting. This would include other peoples homes, institutions, cybercafes, etc.
Institutions often have their internal networks separated from the Internet at large by a firewall that strongly restricts the kinds of traffic that can flow in and out. Yet another complication that vendors will have to deal with if they expect people to vote from workplace computers is to design their voting system to be compatible with the firewall configurations routinely in use.
Our discussion so far has tacitly assumed that the voting platform is a PC of some kind (including the Apple Macintosh). But new Internet-capable devices are beginning to appear, e.g. hand held electronic organizers, cell phones, "wearable computers", and perhaps "network computers" (NCs). These devices all have substantially different operating systems, screen sizes, and "browser" software than todays PC platform does. It is not likely that an Internet voting system that works from the PC platform will also work from all of these other platforms, at least without substantial adaptation. One risk in the design of Internet voting systems today is that the era of approximate uniformity in the technology base used for interacting with the Internet that is caused by the near ubiquity of the "Wintel" architecture will some day break down, and there will be no clear choices of platform from which to support voting. Vendors and counties should pay attention to this possibility before investing heavily; it is one of the risks caused by the speed of technical change.5.7 Steps in Internet voting
Internet voting, as we envision it, proceeds in the following sequence of steps, as viewed from the perspective of a voter. Different i-voting systems that satisfy our overall requirements may vary from this in detail, but will generally resemble the following outline:
Processing the ballot:
This task force has been consciously guided by experience with absentee balloting in the design of requirements for i-voting. In many ways Internet votes, as we conceive them, can be thought of as the electronic equivalent of paper absentee ballots. Both allow ballots to be cast remotely, in principle from anywhere in the world, and at any time convenient to the voter within a time window in advance of election day. With the current California voter registration process, there are inevitably similar procedures for requesting absentee ballots and i-voting authorization, similar mechanisms for prevention or detection of double voting, similar concerns about lost ballots or lost authorizations for i-voting, and analogous mechanisms for protecting ballot secrecy.
But similar as they are, there are some important differences between the two. One is that i-voting systems can give immediate feedback to the voter that his or her ballot was received and accepted; with absentee ballots sent through the mail there is no automatic indication to the voter that it arrived, or arrived on time. There are also ways of spoiling ballots, or over-voting with an absentee ballot, that have no analog with electronic ballots. But the most important difference is that there are security issues arising in i-voting that have no analog in the absentee ballot system. Much of this document will be devoted to discussion of these security issues.
5.9 Elections conducted at the county level
In the U.S. almost all public elections, whether municipal, county, state, federal, or other (e.g. school or utility districts), and whether primary, general, or special, are conducted by county governments. On major election days there are thus 58 parallel elections in California, with the counties reporting the results of state- and federal-level contests to the Secretary of States office in Sacramento, and the results of other contests to the appropriate officials in those jurisdictions.
Each county, based on its history and needs, makes its own choice of voting systems from among those certified by the Secretary of State. Most counties in California today use a punch card system. A large number of others use one of two mark-sense card systems. In the past, various counties have used mechanical voting machines. And recently several systems for voting at a computer-controlled touch screen and keyboard have been certified for use in California and are now being used by several counties. All counties in California permit absentee ballots as well. Internet voting systems would, from one point of view, be just another voting system.
It is tempting to recommend a system of i-voting to be administered at the state level, since there are substantial communication and computational economies of scale that could theoretically be achieved at that level. But barring major changes in the Election Code, Internet ballot types will have to be assembled and edited in the same way as paper ballot types (with sometimes hundreds of distinct types in up to six languages in one county). And Internet votes will still have to be aggregated with paper votes in contests at all jurisdictional levels. Currently the counties are set up to handle these complications, so it would greatly increase the logistical complexity of elections if i-voting were conducted at any level other than counties when the rest of the system is still county-based.
There is a strong security advantage as well to conducting Internet voting at the county level. If a uniform statewide system of i-voting were adopted and widely used, then certain security attacks, such as malicious code attacks against voters computers, or denial-of-service attacks against vote servers, could be much more effective, possibly swinging the results of statewide elections or electoral votes in a presidential election. Such a circumstance may be much more tempting to someone with a motive to interfere with an election. However, if i-voting is adopted at the county level, and different counties adopt different systems, or variations on the same system, and some counties do not adopt it at all, then a potential attacker has a much more difficult problem. Any single attack scheme is likely to work only in one county, or a few counties with nearly identical systems, with a corresponding reduction in payoff to the attacker. County-level attacks may not be worth the risk of jail to an attacker, whereas a state election conceivably might. Diversity in i-voting systems around a state, like genetic diversity in a biological system, tends to protect against large scale attacks against the system as a whole.
We therefore assume that any i-voting systems will also be administered at the county level. Each county should have the authority to choose, based on local circumstances, from among the set of i-voting systems certified by the Secretary of State. Some counties will adopt i-voting systems earlier than others; some may reject i-voting entirely; and conceivably some might adopt more than one i-voting system for any of a number of reasons, e.g. to give voters a choice, or because a more streamlined system is appropriate for some local or special elections.