Internet Voting 2.0 and Other Advances in Election Technology in Takoma Park Hackers still an enormous concern, but voter privacy problems possibly put to rest
FairVote's home city of Takoma Park, Md., hosted a test on Thursday of an innovative new interface for absentee voters that would allow them to verify that their voted were counted in the final tally of this November's citywide elections, which use instant runoff voting. To be clear, the absentee voting interface tested would NOT necessarily involve casting ballots via the Internet. A potential add-in tested alongside the verification system could provide that option in the future, however. That option effectively addresses concerns about voter anonymity, but the potential for virtual shenanigans by hackers who know more about the electronic frontier than any election official endures as the fiberglass ceiling for any Internet voting system.
The base model (again, not related to online voting) would simply extend to absentee voters a tool offered and enjoyed by poll-goers in the city's 2009 election. "Scantegrity" works exactly like other paper-based optical scan systems except that voters mark the ovals denoting their choices with a special marker that reveals a unique confirmation number printed in invisible ink within the oval (a lot like those color-changing markers by Crayola). The voter can write down her codes, which are not traceable to whomever she voted for, and then enter them into her computer on Election Night to verify that her votes were part of the final tally. Anonymity is ensured to such an extent that if you marked the wrong oval and inadvertently cast your vote for say, Pat Buchanan, you would still never find out. All you would see is that your vote was counted and not thrown out, lost, or misread by the scanner as going for a candidate with a different confirmation code.
The test today primarily concerned the extension of the Scantegrity mechanism to absentee voters, who probably stand to benefit the most from such a system. Having voted almost exclusively absentee myself, I can attest to the uncertainty that this would help soothe (though it's unclear how it helps the person who spoiled their ballot and finds out on Election Night). Of course the state cannot mail magic markers along with the ballots, so each confirmation number appears directly underneath its oval within a square containing only that oval and that code.
Onto the point of controversy: absentee voting online. This feature is much further from implementation than the other improvements tested, but its design significantly assuages one of the two greatest concerns we all feel when the subject of Internet voting comes up-- preserving the privacy and anonymity of voting. The key difference between "Remotegrity" and previous attempts at Web-based voting is that the ballots are not available through the Internet at all -- each voter is mailed a paper ballot that they can fill in and mail back OR opt to use the corresponding confirmation codes, password, and Online Verification Number to cast the ballot online. That's at least three barriers, but the bottom line is that no computer ever knows how I, Melanie Kiser, voted (until I tell you here).
Here was my experience with the absentee voting simulation: I walked in and received a blank envelope containing two standard-sized envelopes and a page of instructions, just like I usually get from my mailbox. I opened the sealed envelope labeled "Unmarked Ballot.," which I could choose to send in the old-fashioned way or use to cast my vote online. On the ballot today were "Favorite musician from the Beatles" and "Favorite poet." Edgar Allen Poe is running unopposed for Favorite Poet, but there's a write-in option. I make my decisions and direct the Web browser to the Remotegrity demo site. I fill in the confirmation codes corresponding to my choices (with instant runoff voting).
The information you see in the screenshot to the left represents all a hacker has to work with in identifying who cast these votes and who the votes are for. I'll leave my Beatles votes a secret so that if anyone wants to try to figure it out they can. In race #2, Edgar Allen Poe is running unopposed. I chose to write in Stephen Sondheim (realizing that he is not a "poet" per se) as my first choice. Got to love that with IRV, even if there was another candidate running against Poe, my vote for Sondheim would not be "wasted" or "spoil" the race. In the event that neither Poe nor his main competitor got a majority of 1st choices, my vote would be transferred to Poe. Anyway, the grid on my paper ballot shows 371 as the code to vote this as my 1st choice. If I wanted to vote him as my second choice, the code would be 971 and presumably bounce back if I entered it in the blank next to 1st choice. The code corresponding to Poe, 2nd choice, is 080. If I'd voted him 1st, his code would have been 982.
After clicking "Next," I'm directed to the unsealed envelope labeled "for Marked Ballot," which I could alternatively have used to mail the paper ballot in if something went wrong with the Internet option. On the front are three different scratch-off categories. I'm prompted to scratch off and enter one "one-use password" (there are four of these). Then I scratch off my "LockIn" code and enter it to finalize my vote. And I'm done.
The test today concerned only the usability and functionality of such a system (and voters' perceptions and opinions on it). Research study chief Poorvi L. Vora, an associate professor in the Deparment of Computer Science at George Washington University, said that while the system has been designed with security in mind every step of the way, further development and testing of the hackability aspect will be done if the system is considered usable enough based on the research study results.
Presumably this will include the very effective testing method that last year revealed the vulnerability of D.C.'s pilot system (and killed the plan to use it), in which hackers are invited to breach, manipulate, and undermine the system as best they can. In the D.C. trial, a team from the University of Michigan managed to take over the system within 36 hours, changing votes and revealing demo voters' identities and choices. Their feat went unnoticed for two entire business days until demo voters began reporting that the Michigan fight song played when they clicked the button to cast their ballots.
Team leader J. Alex Halderman, a professor of computer science and electrical engineering who has also reprogrammed in-person voting machines to run Pac-Man, explained in detail how they did this and what can be learned from the experience. Basically, some miniscule mistake in the upload mechanism (this program had voters downloading PDFs and re-uploading them) gave them a point of entry, and similarly tiny errors can create similarly huge problems for other Internet voting systems such as Remotegrity.
It will be interesting to see how the GWU/Remotegrity system holds up and how the developers applied the lessons of the D.C. Pilot, but a viable system that is equal or superior to accepted paper-based methods seems a very long way off. At the time (less than a year ago), Halderman said he cannot imagine any secure system of Internet voting and had this to say about its current feasibility: "Voting over the Internet is just so far from a good idea using today's technology that it's a little bit startling to me that jurisdictions are seriously considering it."
Takoma Park also tested an audio interface aimed at accessibility for visually impaired voters that promises to enhance their experience and anonymity (currently, they require assistance from a third party). The system, which uses a numeric keypad formatted like a touchtone telephone but as easy to press as a computer keyboard, enthralled at least one blind tester, who exclaimed, "I've been voting ever since I knew that I could vote, and I've never gotten it so clearly!" She liked it so much that she did it multiple times.