Appendix A

California Internet Voting Task Force

Technical Committee Recommendations


2  General conclusions of the Technical Committee

The Technical Committee has reached a number of general conclusions about Internet-based registration, petition signing, and voting systems. Before detailing all of the reasoning in support of those conclusions, we provide here a quick summary. Each of these conclusions will be expanded upon in later sections.

2.1   Incremental approach to Internet voting

If Internet voting is instituted in California, it should be added in an incremental manner. It should be designed as an additional option for voters, not a replacement either for absentee balloting or balloting at the polls; and it should work in the context of the current (paper-based) voter registration system.

Internet voting should, at least initially, remain county-based for greater security and for proper integration with the current registration and voting systems, even though some economies of scale could be realized with a regional- or state-level system.

2.2   Internet voter registration not recommended

The Task Force strongly discourages any consideration of an all-electronic Internet voter registration system. Without online infrastructure for strong verification of the identity, citizenship, age, and residence of the person doing the registering, essentially any all-electronic voter registration system would be vulnerable to large-scale and automated vote fraud, especially through the possible registration of large numbers of phantom voters.

2.3   Internet petition-signing more difficult to make secure than Internet voting

Besides voting, registered voters in California have the right to formally sign petitions of various kinds, e.g. initiative petitions, recall petitions, etc. Potential systems for Internet-based petition-signing would face essentially all of the same privacy and security issues that arise in Internet voting systems, so most of the recommendations made here regarding security for Internet voting systems apply to any proposed Internet petition-signing system. But because of several structural differences between voting and petition signing that increase the security risks associated with Internet petition signing, we recommend even greater caution be exercised in considering any Internet-based petition signing system.

2.4  Privacy and security issues in voting

Security (including privacy) and reliability are the most important engineering considerations in the design for i-voting systems. Security in this case means (1) voter authentication (verification that the person voting by Internet is a registered voter in the district in which s/he is voting), (2) vote integrity (assuring that an electronic ballot is not forged or modified surreptitiously), (3) vote privacy (assuring that no one can learn how any individual voter voted), (4) vote reliability (assuring that no Internet ballot is lost), (5) non-duplication (assuring that no voter can vote twice), (6) defense against denial of service attacks on vote servers and clients, and (7) defense against malicious code attacks on vote clients.

Reliability means (1) that the entire system, from end to end, operates properly even in the face of most kinds of local (single point) failures; (2) that its performance tends to degrade smoothly, rather than catastrophically, with additional failures; (3) that voters have solid feedback so that they know unambiguously whether their vote was affected by a failure of some kind; (4) that the probability of a global, system-wide failure is remote; (5) that the rarest of all technical failures are those that result in votes being lost after the voter has received feedback that the vote was accepted; and (6) that procedures are in place to protect against human failure, either accidental or malicious, that might result in incorrect results of the canvass.

Each of these issues requires specific architectural features (hardware and software) in the design of any system for Internet voting. Most of them are well understood, with satisfactory technical solutions readily available, which we expand upon in the recommendations below. However, some of them require special attention in the case of non-county-controlled (e.g. home or office) voting.

2.5  Internet voting systems should be modeled on the absentee ballot system

The Task Force views Internet voting as being in many ways analogous to (paper) absentee balloting, in that the voter might vote remotely and/or early, and without a personal appearance at the polls. The analogy is even stronger in the case of vote-from-anywhere systems in which the ballot passes through many hands on the way from the voter to the canvass. We therefore recommend modeling some i-voting procedures on established California procedures for absentee ballots, including these requirements:

See Section 5.8, Internet voting compared to absentee ballots.

2.6  Two broad classes of i-voting platforms

There are two broad categories of i-voting systems that must be distinguished in any discussion of Internet voting. The difference is based on whether or not the county election agency has full control of the client-side infrastructure and software used for voting:

This distinction is fundamental because with systems that are not county-controlled, the voting environment is difficult to secure against some very important privacy hazards and security attacks that can arise from infection with malicious code or use of remote control software. Hence, "vote from anywhere" systems must be substantially more complex to achieve the same degree of privacy and security as is achievable with a county-controlled system.

2.7  Four-stage approach to implementing Internet Voting

We recommend a four-stage approach to possible introduction of i-voting in California. Each stage is a technical advance on the previous ones and provides better service to more voters. These four types of systems are:

  (a) Internet voting at voter's precinct polling place: Internet-connected computers are deployed at regular precinct polling places alongside traditional voting systems on election day. Voters identify themselves to clerks as usual with the traditional system, and then have their choice of voting methods. Each vote cast on the voting computers is transmitted directly to the county.
  (b) Internet voting at any polling place in the county: Systems of this type are similar to (a), except that the voter need not show up at his or her own precinct polling place on election day, but may vote at any county precinct polling place equipped for i-voting, or at any other polling place the county might set up at shopping centers, schools, or other places convenient to voters. Non-precinct polling places might be open for early voting for days or weeks in advance of election day, possibly with extended hours. Such sites would still be staffed by county personnel, but they would have to have access to the entire voter roll of the county to check registration and prevent duplicate voting, rather than just the roll for one precinct. This might itself be implemented by Internet access to the county's voter registration database.
  (c) Remote Internet voting at county-controlled computers or kiosks: Systems of this type are similar to (b) except that the polling places should not have to be staffed by trained county personnel, but only by responsible lower-level clerks whose job is to safeguard the voting computers from tampering, restart them when necessary, and call for help if needed. A voter would request Internet voting authorization by mail (as with absentee ballots), bring that authorization to the polling place, and then use it to authenticate himself or herself to the voting computer just before actually voting.
  (d) Remote Internet voting from home, office, or any Internet-connected computer: These systems permit voting from essentially any Internet-connected PC, anywhere, including home, office, school, hotel, etc. As with (c), voters would request Internet voting authorization in advance. Later, when it is time to vote, they must first secure the computer against malicious code and remote control software somehow, then connect to the proper county voting site, authenticate themselves, retrieve an image of the proper ballot, and vote.

The first three of these system types are "county-controlled systems", as defined in Section 2.6. We believe that these systems can reasonably be deployed, at least for trial purposes, as soon as they can be built and certified as satisfying not only the current requirements of the California Elections Code, but also the additional requirements we recommend in this document. If the current Elections Code is found to contain language or provisions that prohibit Internet voting, then the legislature will have to act before any trials can occur in which the votes actually count.

The last type of system, (d), is in the category of "vote from anywhere" systems as described in Section 2.6. We do not recommend deploying these systems until a satisfactory solution to the malicious code and remote control software problems is offered.