By Larry Kovnat, Senior Manager of Product Security, Xerox Global Product Delivery Group

Since the recent election, conversations about online voting capabilities have peaked. Online voting holds out the promise of helping people find an easier and faster way to vote. However, the security issues associated with this new voting method should cause one to proceed cautiously.

In order to transition to an online voting system, there are specific requirements that must be fulfilled. And yet, they may be difficult to satisfy completely. To be compliant and secure, the system should:

  1. Protect the privacy of each individual vote so that once cast, a vote cannot be associated with a voter (to protect against voter intimidation after the fact, and also to prevent voters from “selling” their votes)
  2. Provide verification to the voter that their vote was accurately cast
  3. Provide assurance that a voter has cast only one ballot
  4. Keep a record of votes to allow for recounts
  5. Provide accessibility for the disabled, particularly blind voters

No voting system is perfect.  For example, the old mechanical voting machines actually failed to satisfy #4 since they kept a running tally.  Recounts could only be made to the level of an individual machine, not to individual votes.  It has been proven that the mechanical machines had a non-zero error rate, especially when the party lever was pulled, rather than the individual levers for each race.  The problem was that the mechanical linkages would wear out, and in some cases would not increment the tally wheels simply because the metal inside was flexing rather than remaining rigid.

Optical scanners do a pretty good job of meeting these requirements, but obviously they cannot satisfy #5.  Special arrangements have to be made to accommodate blind voters.

Voting digitally is much more complicated. Voting by smartphone or through any online app or website will leave an audit trail, thus making it very difficult to fully satisfy #1.  Each voter will have to somehow authenticate in order to satisfy #3.  But in doing so over an electronic connection, they will create a potential association between their identity and their vote, thus violating #1.  Also, if the voter can save an image of the ballot, then they could use it to “prove” how they voted in the hopes of selling their vote.

The security of the entire back-end system should be transparent so that everyone can examine how the system works and gain assurance that there is no way to corrupt the result.  That will be very difficult to prove.

Now that we are a couple of months past the heat of the election season, it would be good to consider these issues in time for the next election cycle.  Where do you come down on the issue?