INTERNET VOTING ISSUE PAPER

There is growing interest in allowing voters to cast a ballot electronically over the internet. For purposes here, we consider internet voting to include any vote where a completed ballot is submitted over a public internet. This could include using a phone, tablet, computer or other personal device. It excludes a ballot marking device since that is not used to submit a ballot. Proponents of internet voting believe that it can improve accessibility, especially for voters with disabilities. Voter accessibility is core to the League of Women Voters’ mission. However, the League also requires that voting systems be secure, accurate, recountable, accessible and transparent (emphasis added). The League of Women Voters believes that electronic ballot return or “internet” voting does not currently comply with these League’s principles.

Security cannot be guaranteed. American elections are an attractive target to our adversaries, as evidenced by Russian, Chinese, and Iranian attempts in recent elections.  This means that any electronic balloting must assume a nation-state attack, and must meet the security sophistication to prevent, identify and repel such an attack. A potential attack against election systems using public (IP) infrastructure is not mere hyperbole. We have all read about and/or had personal experience with data breaches from trusted sources who are using state-of-art technology and advanced network administration techniques; for example, the federal government had a major data breach of its personnel system. No online system is immune from penetration. If votes submitted over the internet are breached, the State Board of Elections will be faced with responding to such a breach, while adhering to the legal timelines, privacy and data integrity necessary to certify the votes.

Accurate results cannot be assured. The US Election Assistance Commission, along with the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and National Institute of Standards and Technology (NIST) have stated that “electronic ballot return technologies are high-risk even with controls in place” and that “electronic ballot return faces significant security risks to the confidentiality, integrity, and availability of voted ballots…..that can ultimately affect the tabulation and results and, can occur at scale.” In other words, accuracy cannot be guaranteed.

There is no paper trail to recount or audit results, which limits transparency. Another aspect of a secure election is having a paper trail. Maryland law requires a paper ballot submitted by the voter. This helps ensure there can be election recounts, risk assessments can be completed and there is a way to record ballots should scanners or other equipment fail. Voting over the internet does not produce an auditable paper trail.

Privacy for voters with disabilities is lost. One of the primary advantages that is seen for internet voting is to enable voters with disabilities to be able to cast a ballot without help from someone else, which can limit the privacy of their election choices. Internet voting actually compromises voter privacy because a  returned ballot must be linked to an individual to ensure that someone doesn't vote in that person's name. Experts say that current internet voting technology does not allow votes to be both verifiable and untraceable back to the individual voter.[1] When a ballot is directly linked to an individual, privacy is lost rather than gained. So an effort to improve privacy for voters with disabilities actually reduces their privacy. Furthermore, although it is estimated that about 1 in 4 adults in Maryland have a disability (more than one million adults),[2] an equity lens would suggest that all voters should have access to the same voting options, without discrimination.

Internet Voting Is Not Feasible Today

The Center for Security in Politics at the University of California, Berkeley, issued a report in December 2022 entitled, “Working Group Statement on Developing Standards for Internet Ballot Return (funded by Tusk Philanthropies)[3] which noted that internet voting demands a different set of controls compared to other types of online transactions because it requires a lack of traceability to ensure a secret ballot. They identify technical issues that would need to be resolved before recommending internet voting, such as malware on consumer devices; targeted denial of service attacks; a lack of broadly deployed digital credentials to verify voters; and the ability of wholesale attacks to affect millions of votes. They also note that trust in U.S. elections is already low even though there is no evidence of significant fraudulent activity. Internet voting could create even greater skepticism around the election results and erode confidence. The group concluded that “it is currently infeasible to draft responsible standards for internet ballot return.”

The National Conference of State Legislatures (NCSL) identified 33 places across the U.S. (including Washington DC, excluding territories) that allow some voters to submit completed ballots online. All of them allow it for military and overseas voters and twelve of them allow it for voters with disabilities.[4] They note that the federal Military and Overseas Voters Empowerment Act (MOVE), passed in 2009, requires states to​ enable the​ ​electronic ​​delivery of ​blank absentee ballots to voters who fall under the Uniformed and Overseas Citizens Absentee Voting Act (UOCAVA). However, the MOVE Act does not require states to accept voted ballots electronically. NCSL identifies the following issues that states will need to address:

  • Privacy—since election officials can identify the person who returned a ballot electronically, such ballots cannot be fully anonymous.
  • Cybersecurity—most experts agree that sending completed ballots over the internet is vulnerable to cyberattacks, such as hacking that could change a person’s votes or denial of service attacks that could prevent voted ballots from getting through.
  • Auditability—without a paper record, election results cannot be audited and a cyberattack may be undetectable.
  • Authentication—election officials will need to determine how to verify the identity of the voter.
  • Inconvenience for the local election officials—ballots submitted over the internet must be handled like blank ballots that have been downloaded from the internet and then mailed in, meaning each must be duplicated onto scannable paper, which is typically done by a bipartisan team. The work burden on local boards of elections is increased.

Also related to military voters, a December 2024 paper authored by researchers at Princeton and University of California noted that the Department of Defense (DOD)  developed an approach for secure electronic voting that was intended to be used in the 2004 general election. A review by independent security researchers (requested by DOD) examined the security of the system and found that it could not reliably secure ballots cast over the internet. Among the issues noted was that “electronically returned ballots are vulnerable to large-scale remote attacks and manipulation, but physically mailed ballots are relatively secure. Furthermore, the voter can see the votes marked in the paper ballot but has no way of knowing what was transmitted digitally.” Researchers concluded that the insurmountable challenge to securing an online voting system lies in the fundamentally insecure nature of the internet.[5]

Numerous Questions Would Need to be Answered First

1) To improve access for people with certain disabilities, an end-to-end electronic solution must be purpose-built to meet the specific needs of a targeted disability, for example for the visually or hearing impaired. It cannot be a one-size-fits-all solution. How many people will be served? Who are the priorities?

2) Would the electronic voting system be limited to Maryland voters with a disability who are physically residing in Maryland or Maryland voters who reside elsewhere, even overseas? The larger and more distributed the population, the greater the security risk and the more complex and costly the implementation, assuming that the security risks can be sufficiently mitigated. Furthermore, physical infrastructure is as important as digital security, including the hardware that supports the systems,  cables, etc.

3) How would the information contained in a marked ballot be protected between the point of transmission and receipt by the Board of Elections if that ballot is traversing a public (IP) network?

4) If voters are casting their ballots electronically from their place of residence or other public spaces such as libraries with Wi-Fi access, what level of security can be assured or is needed at the transmitting end of the ballot transaction?

5) Has a thorough assessment been done to determine the requirements and risk? What additional funding will be needed to implement the systems that will be required to ensure sufficient security?

6) Are there options for improving accessibility for voters with disabilities that will not compromise the privacy and security of their votes? All voters should have that assurance.

FAQs

  1. If I can bank online, why can’t I vote online? Any online system can be hacked. When someone does online banking transactions, the bank acknowledges risk and puts in place protocols to detect and respond to a breach and mitigate any ensuing damage, such as restoring lost funds. If a voting system is hacked, how do you give somebody back their vote?
  2. Voting by mail and drop-boxes are not secure either so is internet voting any worse? Internet voting is less secure because it does not have the same safeguards that are built into voting by mail and drop-boxes. A certified voting system in Maryland is never connected to the internet so it cannot be hacked. Voting by mail involves a paper ballot with bar codes for tracing its delivery and return. The voter must physically sign an oath to affirm that falsely submitting a ballot is against the law—a felony punishable by a fine of up to $5,000 or imprisonment for up to 5 years or both. All voters—whether voting by mail or inperson—must physically sign this oath. Paper ballots also allow for audits to be done. Drop boxes are locked, monitored 24/7 and emptied daily. None of these precautions are in place for internet voting.
  3. Don’t I already vote online if I use a ballot marking device? The Board of Elections calls it electronic voting. A ballot marking device used at a voting center does not store, tabulate, or transmit votes by any means. It is not connected to the internet. After a voter marks their ballot on the touchscreen, it produces a paper ballot that must then be scanned to be counted.
  4. How would the Board of Elections know that the vote came from me and not from someone else? A ballot voted through the internet would have to be linked back to an individual voter to ensure that person is registered to vote in Maryland. Experts say that current internet voting technology does not allow votes to be both verifiable and untraceable back to the individual voter. Internet voting would diminish voter privacy.
  5. Could my vote be hacked? Could someone change my vote after I submitted it? Yes to both. Just as your bank account can be hacked, so can a voting system. Hacking could include intercepting the vote between a person’s phone (for example) and the Board of Elections, potentially changing or blocking a vote—or a large number of votes. It is not possible to prevent and would require costly security systems (think of some high-security military systems, for example) to protect the votes.
  6. What would happen if the system were breached? Would the election results have to be thrown out? Federal election and security agencies state that a breach could affect the tabulation and results, affecting election outcomes. If a system is breached, the Board of Elections will have to respond to it but still adhere to the legal timelines and requirements for producing election results. It is not clear if they would be able to certify the election results in that situation.
  7. Wouldn’t online voting only affect a small group of people who fall under the American With Disabilities Act (ADA)? More than a million adults in Maryland fall under the provision of the ADA, or about 1 in 4 adults. If a voting system is secure, why shouldn’t all voters be able to use it? Voters with disabilities should not have to use a voting system that is less secure than what any other voter uses. They should not get a sub-standard system. That is not equitable.

 

Sources:

[1] https://verifiedvoting.org/internet-voting-faq/ 

[2]https://www.cdc.gov/ncbddd/disabilityandhealth/impacts/maryland.html

[3] R. Michael Alvarez, et al, Working Group Statement on Developing Standards for Internet Ballot Return, Center for Security in Politics, University of California, Berkeley, December 2022. https://csp.berkeley.edu/wp-content/uploads/2022/12/Working-Group-Statement-on-Internet-Ballot-Return.pdf (downloaded 1/17/2025).

[4] Brief, Electronic Ballot Return, May 9, 2024. https://www.ncsl.org/elections-and-campaigns/electronic-ballot-return-internet-voting (downloaded 1/17/2025).

[5] Andrew W. Appel and Philip B. Stark, “An Internet Voting System Fatally Flawed in Creative New Ways,” Crypto-Gram, Schneier on Security, December 15, 2024. https://arxiv.org/pdf/2411.11796 (downloaded 1/17/2025).