One clarification, Eric, to an otherwise fair assessment pending more details except one small thing: the qualified overseas military voters who choose to participate in this assessment Pilot can still choose to return their ballots the usual way: paper by surface mail. Your last point suggested no paper return. Incorrect.
I followed up with John Sebes from OSDV and got some clarification on the situation. Voters have three ballot return options.
- Print the ballot out, fill it in on paper, then scan and return via the Internet.
- Fill out the ballot on your computer and return via the Internet.
- Print the ballot out, fill it in, and then mail it back.
So, you can return the ballot either via the Internet or via mail but not both.
I've already written about the first two cases, but not the third; hence this post. Clearly, paper mail return is more secure than Internet return, since we don't have to worry about tampering of the user's completed ballot either by his computer or by the board of election server. However, we still have to worry about tampering with the blank ballot, which can happen in either location.
The simplest attack is just to swap the descriptions for candidates. As I understand the situation, optical scanners only look at which opscan targets are filled in, but ignore marks outside of those regions. So, if I swap the names Jefferson and Burr, then when the voter thinks he's voting for Jefferson, this turns into a vote for Burr. Since the voter has no real way of knowing what order candidates appear on the ballot, it's unlikely the voter would detect this attack. The attack is trivially detectable at election central by examining the ballots (and possibly mechanically), provided you know the order of candidates on the ballot. (I don't know if any jurisdictions send out multiple ballots with rotated names, but if so, this detection becomes an accounting problem.)
Not only is the simple attack detectable, it's presumably recoverable: since the voter doesn't know what the ballot order is supposed to be, they're voting on the basis of the names on the ballot, so voter intent is clear and you can just process the ballots based on the names. OCR would probably work here, but in the worst case you could just process the ballots manually. However, we can imagine situations in which an attacker could damage the ballot in ways that wouldn't be plausibly recoverable. This is easiest with propositions: remember that voters don't know the exact wording of the propositions and may not remember the proposition numbers. So if, for instance, you not only switch the targets but also swap proposition numbers or reword the propositions, then voter intent becomes a lot less clear. This is of course harder with candidates rather than propositions, but you could, for instance, swap political parties. It's important to remember that all an attacker has to do to affect the election is to preferentially remove the votes of voters who are likely to vote in a given way. Changing them is better, but just invalidating them is still powerful.
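Here is the election-central check and the name-based recovery from the two paragraphs above, written out as an added example (my own illustration, not code from the OSDV pilot or from any scanner vendor). It assumes each returned paper ballot has already been OCR'd into the list of candidate labels printed next to the opscan targets plus the index of the target that was filled; the `BallotDefinition`, `ReturnedBallot` and `resolve` names are hypothetical, and the sample ballots are constructed. The position-based tally shows what a scanner that ignores the printed text would report; `resolve` compares the printed order against the authoritative definition, credits the name the voter actually saw when the labels were merely reordered, and sends a ballot to manual review when a label is not one the definition knows (the reworded-proposition case), rather than guessing.

```python
"""Ballot-definition consistency check: detect a reordered blank ballot and
recover voter intent from the printed names instead of the target position.
Added example, not part of the original post or the pilot software."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class BallotDefinition:
    contest: str
    candidates: List[str]   # authoritative printed order; index == target position


@dataclass
class ReturnedBallot:
    ballot_id: str
    printed_labels: List[str]  # labels as OCR'd from the paper, in target order
    filled_target: int         # index of the opscan target the voter filled


@dataclass
class Resolution:
    ballot_id: str
    status: str                # "ok", "recovered" or "manual_review"
    vote_for: Optional[str]    # candidate credited, None if sent to review
    note: str = ""


def position_tally(defn: BallotDefinition, ballots: List[ReturnedBallot]) -> dict:
    """What a scanner that only looks at filled targets would report."""
    counts = {c: 0 for c in defn.candidates}
    for b in ballots:
        counts[defn.candidates[b.filled_target]] += 1
    return counts


def resolve(defn: BallotDefinition, ballot: ReturnedBallot) -> Resolution:
    """Compare the printed labels against the definition and credit by name."""
    labels, pos = ballot.printed_labels, ballot.filled_target
    if len(labels) != len(defn.candidates) or not 0 <= pos < len(labels):
        return Resolution(ballot.ballot_id, "manual_review", None, "target count mismatch")
    marked = labels[pos]
    if labels == defn.candidates:
        return Resolution(ballot.ballot_id, "ok", marked)
    if sorted(labels) == sorted(defn.candidates):
        # Same names, different order: the blank ballot was altered before
        # printing. Intent is the name next to the mark, not the position.
        return Resolution(ballot.ballot_id, "recovered", marked,
                          f"labels reordered; position tally credits {defn.candidates[pos]}")
    # A label the definition does not know: reworded or relabelled. Do not guess.
    return Resolution(ballot.ballot_id, "manual_review", None, f"unknown label {marked!r}")


def name_tally(defn: BallotDefinition, ballots: List[ReturnedBallot]) -> Tuple[dict, List[Resolution]]:
    """Credit votes by printed name; return counts plus ballots needing review."""
    counts = {c: 0 for c in defn.candidates}
    review = []
    for b in ballots:
        r = resolve(defn, b)
        if r.vote_for is None:
            review.append(r)
        else:
            counts[r.vote_for] += 1
    return counts, review


# Constructed sample: one clean ballot, one with the two names swapped on the
# page (voter marked the target labelled Jefferson), one with a relabelled entry.
SAMPLE_DEFN = BallotDefinition("Vice President", ["Jefferson", "Burr"])
SAMPLE_BALLOTS = [
    ReturnedBallot("b1", ["Jefferson", "Burr"], 0),
    ReturnedBallot("b2", ["Burr", "Jefferson"], 1),
    ReturnedBallot("b3", ["Jefferson", "Burr (Federalist)"], 1),
]


def run_sample() -> Tuple[dict, dict, List[Resolution]]:
    by_position = position_tally(SAMPLE_DEFN, SAMPLE_BALLOTS)
    by_name, review = name_tally(SAMPLE_DEFN, SAMPLE_BALLOTS)
    return by_position, by_name, review


if __name__ == "__main__":
    pos, name, rev = run_sample()
    print("position tally:", pos)   # credits b2 and b3 to Burr
    print("name tally:    ", name)  # b2 recovered for Jefferson, b3 held back
    for r in rev:
        print("review:", r.ballot_id, r.note)
```

The `sorted(...)` comparison also accepts a jurisdiction's legitimate name rotation, which is exactly the accounting problem the post mentions: where rotation is used, the definition has to carry the expected order for each ballot style, or every rotated ballot will show up as "recovered".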
So while electronic ballot distribution is more secure than electronic ballot return, there still seem to be a number of potential attacks that would be more difficult to mount en masse with conventional paper-based ballot delivery.