Against Internet voting pilots

As I mentioned earlier, the DC BOEE Internet ballot return project is just the latest in a series of pilots and attempted Internet voting pilots. Superficially, this sounds like a good idea: there's debate about whether Internet voting is a good idea, so it's only natural that we'd try it out and see how it works.

Unfortunately, this isn't likely to tell us anything very useful; while we have extremely strong theoretical reasons for believing that Internet voting is insecure, those reasons don't indicate that every single election is going to fail. [Technical note: by Internet voting, I mean here online ballot return without the use of end-to-end cryptographic voting techniques. Those at least potentially would allow for secure elections, but that's not on the table in this case.] People routinely do unsafe stuff (skydiving, not wearing their seatbelt, texting while driving, etc.) and get away with it, but that doesn't mean it wasn't unsafe, it just means they got lucky. So, when we run a single trial and it doesn't end in disaster, that doesn't really tell us much. The situation is even more complicated here because the failure mode we're most concerned about isn't random but rather adversarial. By their nature, pilots have relatively low stakes (a small number of voters, not a particularly important election), which is what makes them seem "safe", but this also makes them much less attractive attack targets, so we shouldn't be surprised if they're not attacked, no matter how vulnerable they are.
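To put the argument of the preceding paragraph in numbers, here is a small Bayesian model I've added (it is not part of the original post). It treats "the pilot looked clean" as evidence and asks how much that evidence should move our belief that the system is vulnerable. The only assumption is that a genuinely secure system always looks clean, so a clean pilot is exactly as likely under "secure" as under "vulnerable but nobody bothered to attack it, or the attack went unnoticed." All probabilities below are constructed illustrations, not measurements of any real system.

```python
import math


def likelihood_no_incident(p_attempt, p_success_if_vulnerable, p_detect=1.0):
    """P(pilot looks clean | system is vulnerable).

    A vulnerable pilot only *looks* compromised if someone tries (p_attempt),
    succeeds (p_success_if_vulnerable) AND the compromise is noticed (p_detect).
    An unnoticed compromise is indistinguishable from a clean pilot.
    """
    return 1.0 - p_attempt * p_success_if_vulnerable * p_detect


def posterior_vulnerable(prior_vulnerable, like_vuln, n_clean_pilots=1):
    """P(vulnerable | n independent pilots all looked clean), by Bayes' rule.

    Assumption: a secure system always looks clean, so P(clean | secure) = 1.
    """
    num = (like_vuln ** n_clean_pilots) * prior_vulnerable
    den = num + 1.0 * (1.0 - prior_vulnerable)
    return num / den


def bayes_factor_for_secure(like_vuln):
    """How many times more likely a clean pilot is under 'secure' than 'vulnerable'.

    A factor near 1.0 means the clean pilot is almost no evidence at all.
    """
    return 1.0 / like_vuln


def clean_pilots_needed(prior_vulnerable, target_posterior, like_vuln):
    """Smallest number of clean pilots that drives P(vulnerable) down to the target.

    Returns None when like_vuln == 1.0 (no attack can ever show up, so no
    amount of clean pilots carries any information).
    """
    if like_vuln >= 1.0:
        return None
    if like_vuln <= 0.0:
        return 1  # a clean pilot under certain, detected attack proves security
    odds_prior = prior_vulnerable / (1.0 - prior_vulnerable)
    odds_target = target_posterior / (1.0 - target_posterior)
    # Need like_vuln**n * odds_prior <= odds_target; solve for n.
    n = math.log(odds_target / odds_prior) / math.log(like_vuln)
    return math.ceil(n)


def compare_pilot_to_production(prior_vulnerable=0.5):
    """Constructed scenario: same software, same flaw, different stakes.

    Pilot: few voters, unimportant race -> an attacker rarely bothers (2%).
    Production: a real election -> a capable attacker very likely tries (90%).
    In both cases a working exploit lands 90% of the time and is noticed only
    half the time (the other half looks exactly like a clean election).
    """
    pilot_like = likelihood_no_incident(0.02, 0.9, p_detect=0.5)
    prod_like = likelihood_no_incident(0.90, 0.9, p_detect=0.5)
    return {
        "pilot_posterior": posterior_vulnerable(prior_vulnerable, pilot_like),
        "pilot_bayes_factor": bayes_factor_for_secure(pilot_like),
        "production_posterior": posterior_vulnerable(prior_vulnerable, prod_like),
        # How many clean low-stakes pilots it would take to honestly reach
        # "probably secure" (P(vulnerable) <= 0.1) from a 50/50 prior.
        "clean_pilots_to_reach_10pct": clean_pilots_needed(prior_vulnerable, 0.1, pilot_like),
    }


if __name__ == "__main__":
    for key, value in compare_pilot_to_production().items():
        print(f"{key}: {value}")
```

With the constructed numbers, one clean pilot moves P(vulnerable) from 0.50 to about 0.498, a Bayes factor of roughly 1.01 in favour of "secure"; it would take well over two hundred such pilots to reach 0.1 honestly. The same clean outcome in the high-stakes setting, where the attack is actually likely to be attempted, is far more informative. The `p_detect` knob captures a point the post leaves implicit: a compromise nobody notices also reads as a success story.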

This isn't to say that we won't learn anything: this sort of pilot is just fine for testing whether the software is functioning correctly in the ordinary non-security sense. That kind of testing is of course important for any widely deployed service, but we know in principle we can build a site like the one DC BOEE is apparently building; it's just a matter of routine software engineering. Indeed, that's part of what makes Internet voting so superficially attractive to people without a security background; it just looks like a less fancy version of online banking and we know how to do that (actually, we don't know how to do that securely against a dedicated attacker, but most people don't know that).

No matter what the outcome, then, this kind of pilot doesn't tell us anything that useful about Internet voting. If it's attacked in some serious way, well, we already knew that was possible. If it's not attacked, that doesn't tell us it was secure, just that nobody bothered to attack it. If it fails for some non-security reason, that just means there were some development mistakes and the system wasn't tested enough before being rolled out. The only thing we're likely to learn, if everything goes smoothly, is that this particular software functions correctly under some real-world non-adversarial conditions (which is about the most you can ever say for a piece of real-world software). But we already knew it was possible to build this kind of service, and of course that doesn't tell us anything useful about Internet voting in general, since someone else's implementation might be disastrously bad.

At this point I've hopefully convinced you that this sort of pilot isn't very useful. However, I think the situation is worse than that. The problem is that while we don't learn very much from it, we appear to. If, as is reasonably likely, all goes smoothly, then many people will take this as evidence that Internet voting is in fact safe. I'm speculating here, but since we used to, and to some extent still do, hear exactly this about paperless DRE machines, I think I'm on relatively safe ground. In other words, rather than just being useless, this kind of pilot has the potential to leave society as a whole less well informed than before the pilot, since it provides a form of unwarranted confidence in these techniques.

Since I'm using the DC pilot as a jumping-off point for this discussion, I should mention that the OSDV guys appear to think of this not as an opportunity to test the Internet part of the system, but rather to field test their optical scan system, with the Internet just being used as an alternative way of getting the ballots into the system (see Greg Miller's post). As I said above, that's a kind of system functionality testing that is valuable, but that doesn't necessarily mean that it's best to do that testing in the context of an otherwise misleading pilot project.


This is kind of a pedantic point, but it led to a mildly interesting insight. Strictly speaking, the pilot will yield some information about the practical security of Internet voting. People will be able to perform a Bayesian update on their priors.

However, you're probably right that the potential magnitude of the update is small. Moreover, because policy makers and experts probably substantially disagree on their priors right now, it's not clear that a pilot would converge people's posterior distributions.

Here's the mildly interesting point regarding different priors. You may believe that no attack actually increases the chances the system is insecure. From a game theoretic perspective, potential future attackers who are very confident of their ability to breach a large scale version of the system may not try to attack a pilot in the hopes of a bigger payoff later. Conversely, if they think the security is good, they may think it's worthwhile to make the attempt to improve their information.
