Future Internet Voting Faces Security Hurdles, CMU Students Find-CMU News - Carnegie Mellon University

Monday, November 7, 2016

Future Internet Voting Faces Security Hurdles, CMU Students Find

American Flag

Internet voting is not common in the United States, but any online or internet-based U.S. election system in the future will require strong encryption measures.

The recommendation was made by students in Carnegie Mellon University's H. John Heinz III College's Master of Science in Information Security Policy and Management (MSISPM) program, who developed a report on internet voting in collaboration with Galois, an Oregon-based research and development firm, and the U.S. Vote Foundation.

Among the experts contributing to the project, there was consensus that the only acceptable system for an American election would be an end-to-end verifiable (E2E-V) voting system.

Susan Dzieduszycka-Suinat, president and CEO of the U.S. Vote Foundation, said that although there have been many internet voting projects in other countries, the project needed to answer a specific question: If we had to develop an internet voting system for the U.S., how would we do it?

"The students were asked to do research on existing systems and to put together a competitive analysis," she said.

Dzieduszycka-Suinat added that the students' analysis "was very helpful, and it showed us that the state of play in E2E-V systems is poor. It was extremely useful to have that contribution. It was something that we would never have had enough time for, and it gave great headway."

The project researched and laid the groundwork for a prototype E2E-V internet voting system that could be secure and scalable to national elections. The CMU students found that current technologies were insufficient in fundamental ways — usability was a major area of deficiency — and could not meet the privacy and security demands of elections.

The students' recommendations for the security system included robust validation of user credentials, an encrypted exchange of information from server to user and from user to database, and an audit capability that would give the voter confidence that votes were recorded as cast and counted in the official tally.

Heinz alumnus Ron Bandes, president of VoteAllegheny and a cybersecurity expert for the Pennsylvania Joint State Government Commission Advisory Committee on Election Technology, said that where privacy is concerned, people often compare e-commerce and voting transactions, though they are structured very differently.

"In fact, voting is a much more difficult security problem," Bandes said. "With e-banking and e-commerce you have receipts, so you can prove the transaction. You can't have a receipt in voting. You can have a receipt that says, 'I voted.' You cannot have a receipt that says, 'This is how I voted,' because of the possibilities of vote buying or coercion."

The gold standard in elections for years has been paper ballots for their ability to be verified and re-counted by hand. Many states have created processes by which voters can return ballots electronically, and only five — Alabama, Alaska, Arizona, Missouri and North Dakota — allow ballots to be returned via web portal. Alaska is the only state in which web-based voting is available to all eligible voters.

"There are risks associated with [online voting]," said Randall Trzeciak, director of the MSISPM Program who advised the students. "If you ask any bank or financial institution, they write off a certain amount of fraud as a cost of doing business. There is, in my opinion, not an acceptable level of fraud that could occur in a voting process. We should have confidence that every vote would count as was intended."

Voter Engagement at Home and Abroad

Working with the Overseas Vote initiative of the U.S. Vote Foundation, another team of Heinz College students created voting information widgets for the client's Voter Account application.

The widgets provide the voter with key election information. For example, an active duty servicewoman stationed in Kuwait could download the app, authenticate her identity and voting privileges, plug in her permanent address in California, and find out exactly what and who is on the ballot back home.

In 2014, U.S. voter turnout was at its lowest since World War II, and media outlets devote a lot of attention to the voting habits of members of the "millennial" generation.

While millennials (roughly defined as people currently ages 18-35) have the lowest voter turnout of any age group domestically, representation is far worse for overseas voters. The Federal Voting Assistance Program (FVAP) reported that only 4 percent of eligible overseas voters cast ballots in 2014. Among registered overseas voters who requested a ballot in 2014, less than 60 percent of them confirmed they "definitely voted."  Dzieduszycka-Suinat said absentee voting is a simpler process for an overseas voter than for a domestic one.

While technology would help overseas voters stay more informed about American elections, this has clear upsides for domestic voters. The student deliverables to Overseas Vote included a polling location widget that uses Google Maps to guide the voter to his or her polling place, and the capability to communicate via social media features to maximize voter engagement.

As an advocate for responsible voting, Bandes applauded the project.

"People want to go to the polls informed about who really stands for what," Bandes said. "They don't want buyer's remorse."