Internet voting, a technology often cited as a solution to the United States' problematic voting machines, received failing security and accessibility grades in the latest in-depth audit conducted by the City of Toronto. Two of the three vendors audited by the city currently have contracts with over a dozen U.S. jurisdictions for similar technologies.
The accessibility report, prepared by researchers at the Inclusive Design Research Centre at OCAD University, and the security report, prepared by researchers at Concordia and Western universities, were obtained by Al Jazeera America through a Freedom of Information Act request.
Proponents of Internet voting, largely disabilities groups and advocates for military voters overseas, point to the apparent ease-of-use of other Internet-based activities, such as banking, and claim the technology would lead to higher turnout rates.
The reports highlight the difficulty in creating a voting system that isn't more susceptible to corruption than existing voting technology and that is easy enough to use for voters with a variety of personal computer setups, including those with disabilities who often use alternatives to traditional mice, keyboards and screens.
Thirty-one states in the U.S. allow overseas and military voters to print and deliver ballots electronically. A Pentagon unit, the Federal Voting Assistance Program (FVAP) has largely spearheaded the effort by funding state programs providing assistance to overseas troops and others. A nonprofit watchdog group, the Electronic Privacy Information Center, sued FVAP last month to force them to disclose their own audits of Internet voting conducted three years ago. In 2012 the program told Congress it would release the records to the public by the middle of 2013.
Other countries including Germany and the Netherlands have banned all forms of electronic voting, including Internet voting. Norway experimented with Internet voting in 2011 and 2013 for a select subset of voters. A recent government-commissioned report on the trial found that it did not increase voter turnout nor did it mobilize smaller demographic groups. Officials noted that increasing turnout was not an intended or expected outcome and it confirmed previous findings that voting was easier for some, but those with disabilities had issues with error messages, text contrast and other elements.
The city-commissioned reports were published in February in order to assess Internet voting for its September elections.
Despite these negative recommendations from the independent auditors as well as the City Clerk, in February the City Council selected one of the vendors, Scytl Canada, to implement their proposed system with an almost CAD$1 million contract (approximately $900,000 USD). The city halted the contract in July, however, stating that the system could not be developed in time for the September elections. A Scytl spokesperson said that the timeline was insufficient for full-scale deployment and their systems ”are fully secure and independently audited to comply with the highest security standards” but could not elaborate further.
The other vendors assessed were Dominion Systems and Everyone Counts. Scytl and Everyone Counts currently hold contracts providing a range of election services in the United States from voter registration in Washington D.C. to Internet voting for overseas and military voters in the Chicago area.
City Councilor Josh Matlow voted against the Internet voting proposal, citing the short time frame and reports from the City Clerk, the body in charge of implementing the proposal, that it was unfeasible.
"As you can see from the votes there were some that voted for it, some that voted against and there were several who abstained — who left the room. And I infer from that that obviously it is incredibly important to support those in our city who are in need of as much support as possible for accessibility," he said. "But I also didn’t want to vote for something just to look like I was doing something good. I wanted to make sure that it not only should be done but could be done."
Councilor Shelley Carroll voted yes on the proposal, characterizing it as a "pilot program" to test how Internet voting could work on a larger scale and a way to combat voter discrimination. "We are hearing more and more of incidences of folks with special needs who are being turned away from the polls even when they go there," she said. "While there’s a lot of hesitancy [around Internet voting] it is a thing that is definitely coming. So we just felt it was really important to give staff a bit of a kick, if you will, to get started finding some familiarity with it and when the day comes when the technology is ready for a city of this size, that they be well versed."
Opponents of Internet voting argue that security vulnerabilities and usability problems with existing proposals are a step backward for enfranchising those with disabilities or overseas.
"It's clear from the report for Toronto that the systems being considered don't meet the minimum accessibility standards required," said Barbara Simons, a board member of Verified Voting, and co-author of the book "Broken Ballots: Will your Vote Count?" who also obtained the reports through a Freedom of Information request.
"Even if these systems were fully accessible, that would still be providing voters with disabilities a system that is blatantly insecure according to the security tests. Is that really doing people a favor to provide them with a system on which their votes may not be counted or may even be wrongly counted when there are far safer alternatives? I don't think the city council properly investigated other options."
The reports found a number of flaws that question both whether a ballot submitted online would be properly counted and whether a disabled voter would be able to navigate the ballot interface.
The security report prepared by researchers at Concordia and Western Universities, found that none of the three proposals "provides adequate protection against the risks inherent in Internet voting" and recommended that "the City not proceed with Internet voting in the upcoming municipal elections." The report found numerous areas where an attacker could modify votes and avoid detection. The authors also note that at least one of the vendors, Everyone Counts, a firm that holds contracts with almost a dozen US jurisdictions "attended their demo day unprepared to answer questions related to statements made in their [proposal]." Lori Steele, Chairman and CEO of Everyone Counts said the criticism highlighted a "really embarrassing mistake." The person in charge of the proposal included outdated information that did not reflect their current system, she said, and has since been let go.
Flaws ranged from complex cryptographic problems to simple errors in design. Dominion voting systems, for instance, encrypts a voter's candidate choice but does not change the length of the candidate's name. For example, a voter's selection of "John Kerry" would be encrypted with ten characters such as "3z]Z8]x&27". But this selection would be identifiable against a vote for "George W. Bush", 14 characters, which would look something like "Hq#PYD#w[2(%9&" when encrypted. A hacker listening in could use this information to manipulate the vote count or deanonymize the voter rolls.
The report highlights general issues with Internet voting, as well, such as the danger in allowing people to vote from their home computers, which might be infected with malware. Another issue is the increased ease with which people can sell their votes. Instead of having to find a willing buyer who would then physically go to a polling place and claim to be someone else, pins could be exchanged anonymously online and an attacker could vote from anywhere, dramatically lowering the bar and widening the scope for voter fraud.
State-level actors are also a concern, the report states. "Although their various capabilities are not widely known, recent disclosures about the NSA's PRISM mass surveillance program and ANT catalogue of hardware, software and firmware exploits suggest that it is within the realm of possibility for a state-level actor to have a devastating effect on an online election."
Even if these problems are solved, assessing how such a system would perform on a larger scale is difficult. For example, Toronto only required their voting system to support a maximum of 6,000 concurrent voters. Toronto has approximately 1.6 million registered voters compared to over 150 million in the United States.
Other researchers are investigating how Internet voting could one day be more secure, but the current consensus among them is that it will only be possible for a small subset of voters, such as those overseas or with disabilities, if at all.
"All kinds of experimental systems have been designed in the last 15 years," said Joseph Kiniry, the principal investigator at the technology firm Galois who is researching the possibility of end-to-end verifiable online voting with the Overseas Vote Foundation. "But in general researchers are quite conservative about proposing that their system is ready for primetime. And most researchers don't actually build the systems they design — they just design them on paper."
"You can see the only place that we advocate its use is in elections that have low value and low risk." Kiniry said. "The real fundamental problem though is that as soon as you witness success electing your sheriff, why not elect your mayor? And if you can elect your mayor why not elect your governor? And I have serious concerns as an activist from that point of view. It's a slippery slope — the deployment of new technologies."
In a 2012 USA Today/IPSOS poll of non-voters, 28 percent said Internet voting would encourage them to vote more.
The field is testing new cryptography techniques that could potentially mitigate threats from things like home computers infected with malware, Kiniry said. One of those is so-called "code-voting."
"So for example when voting over the Internet or in some instances through a kiosk rather than seeing candidates' names and checkboxes next to them you instead would type in a short sentence which represent that candidate, which you learned about through other channels such as sent to you in the mail." Malware designed to favor one candidate wouldn't be able to know which coded sentence, “the rain in Spain” or “the quick brown fox” for example, represented which candidate.
The accessibility report, prepared by the Inclusive Design Research Centre at OCAD University found that none of the three proposals met the minimum accessibility standard, known as Web Content Accessibility Guidelines 2.0, or WCAG 2.0.
For example, Scytl's demonstration didn't include "focus" indicators for ballot submit buttons — blue highlights around buttons that let the user know which element is selected if they aren't using a mouse. Many voters with disabilities rely on the keyboard and visual cues to help them navigate.
According to the report, proposals from Dominion Voting and Scytl failed to fully accommodate screen readers — programs that read the text of web pages aloud for those hard of seeing.
For instance, in the Scytl proposal, if a user leaves some fields unmarked, red text will appear alerting the user to the error. This error lacks the appropriate metadata for the screen reader to notice it, however, so the reader will fail to announce the error to the user, according to the report. As a result a blind user would not be notified a required field is missing and couldn't proceed to the next screen.
While the report states that many of these issues could be fixed with a few months' work, the report also states that many of the vendors expressed reluctance at making revisions or even acknowledging that their system did not meet current standards. Critics also point out that oversights like these show a lack of initial care put into systems that should have been designed with usability and accessibility as a top priority. Scytl said that their system met most of the requirements and was in the process of being tested further.
Recent U.S. action
Most recently, a federal judge ordered Maryland to allow an “online ballot marking tool.” Although this tool was audited by the security firm Unatek, researchers and the Maryland Board of Elections had doubts as to its thoroughness. Jeremy Clark, one of the security researchers who produced the Toronto report, described it as a "vulnerability assessment" and not a thorough audit of the system's architecture.
"These audits examine the system according to a set of well-known attacks, so you can conclude that an attacker using the same set of well-known attacks will not succeed," Clark said. "However you cannot conclude anything about how successful an attacker might be if they use different types of attacks, including novel attacks they might develop for attacking the specific system."
In a federal ruling ordering Maryland to offer this tool to disabled and overseas voters, the judge cites the existence of a second audit that the Board of Elections commissioned as evidence that the tool had been thoroughly tested. As the summary of this audit states, however, it assessed the "process and personnel background" and "did not perform any technical tests and did not interview Unatek's consultants or attempt to substantiate or refute the accuracy of the information included in the Security Review and Assessment."
Other groups took issue with the accessibility of the Maryland system, as well. Noel Runyan, a blind computer scientist and access technology engineer tested the system but had difficulties logging in and with the way the screen reader announced instructions, he said. The National Federation of the Blind stated that it tested the system and found it to be WCAG 2.0 compliant to the AA standard but could not provide any internal reports describing how they came to this conclusion.
Following the Maryland ruling, NFB has passed and sent a resolution to 13 states that already have some form of online ballot marking tool urging them to make the technology available for those with disabilities. Opponents worry that the Maryland ruling will lead to systems they view as problematic being implemented elsewhere.
"We all agree that absentee voting should be accessible," Runyan said. "Our disagreement is whether this is an accessible system for that need. We couldn't use it. We couldn't make the thing work."