The Moose Lurking in the Room
An article appeared this week by well known and credible journalist Steve Friess that summarily states, at the risk of sounding sensational, hackers could decide who controls Congress in this election simply thanks to Alaska's Internet Ballots. A colleague here, wrote about this earlier, and first mentioned it last March, but it bears worth re-emphasizing.
We completely agree with experts interviewed for this article (Joe, Bruce, and Ed) -- especially the line about how if there is a solution to online transaction systems' security then it's the Banks that would be buying it!
To put a finer point on it, we are in a partial agreement with the SCYTL spokesperson but with a differing conclusion. Sure, every voting channel has security and integrity risks, none are perfect, and everything is a tradeoff. In fact, we and our colleagues on the Voting System Risk Assessment Project some years back compiled a comprehensive catalog of all the variables and threats, to enable risk trade-off analysis, and it is very complex. But the spokesperson's conclusion -- about Internet voting being just another channel with risks to manage -- we do NOT share.
iVoting is nearly unique in that it can be 100% compromised -- literally affecting every ballot cast -- by a small number of people, anywhere on the planet. Contrast that with attacks on vote by mail or in person voting or on ballot boxes -- to scale those attacks you need people, working in person, in conspiracies that are too large to conceal, and with personal consequences that are very high, in order to get to 100%.
Regarding Alaska specifically, perhaps the strangest thing is that Alaska voters may not know that the integrity of their ballots depends not on the probity of election officials whose activities are public, but instead rely on the ability of data center IT operations geeks to not make mistakes, to not abuse their privileged access to the electronic ballot box, and to keep bad guys from getting in to that electronic ballot box.
And who are these geeks? They're not elections professionals -- certified, volunteer, or otherwise. Nothing personal, but why should Alaska voters put their trust in these I.T. folks and their computers, especially at a time when over half of Americans have had their personal information jacked from the IT operations of some of the biggest and best funded companies in the world?
We continue to be surprised that this situation has only been covered in a more-or-less trickle of short articles and blurbs. From a self-serving stand point, we argue the energy should be on fixing, improving, and upgrading the approved systems and processes we have today, and then (and only after that) should we start working to innovate the means by which we cast and count our ballots in a digital age -- in a manner more easy and convenient to those who've never known life without the 'Net.
We very definitely believe everyone is entitled to an easy, convenient, and even delightful voting experience. Getting there requires we first ensure the attributes of verification, accuracy, security and transparency of these nearly sacred documents of our democracy called ballots. Then we'll get right on figuring out the Smartphone interface.