Matt Blaze's
EXHAUSTIVE SEARCH
Science, Security, Curiosity
Voting by Email in New Jersey
Some very preliminary thoughts.

New Jersey was hit hard by Hurricane Sandy, and many parts of the state still lack electricity and basic infrastructure. Countless residents have been displaced, at least temporarily. And election day is on Tuesday.

There can be little doubt that many New Jerseyans, whether newly displaced or rendered homebound, who had originally intended to cast their votes at their normal neighborhood polling stations will be unable to do so next week. Unless some new flexible voting options are made available, many people will be disenfranchised, perhaps altering the outcome of races. There are compelling reasons for New Jersey officials to act quickly to create viable, flexible, secure and reliable voting options for their citizens in this emergency.

A few hours ago, Gov. Christie announced that voters unable to reach their normal polling places would be permitted to vote by electronic mail. The directive, outlined here [pdf], allows displaced registered voters to request a "mail in" ballot from their local county clerk by email. The voter can then return the ballot, along with a signed "waiver of secrecy" form, by email, to be counted as a regular ballot. (The process is based on one used for overseas and military voters, but on a larger scale and with a greatly accelerated timeframe.)

Does email voting make sense for New Jersey during this emergency? It's hard to say one way or the other without a lot more information than has been released so far about how the system will work and how it will be secured.

The security implications of voting by email are, under normal conditions, more than sufficient to make any computer security specialist recoil in horror. Email, of course, is not at all authenticated, reliable, or confidential, and that by itself opens the door to new forms of election mischief that would be far more difficult in a traditional in-person polling station or with paper absentee ballots. If we worry that touchscreen "DRE" electronic voting machines might be problematic, email voting seems downright insane by comparison.

But a knee-jerk reaction to the worst case scenario is probably not helpful right now. Clearly, email voting is risky. The question is whether these risks outweigh the benefits, and whether the technical and procedural safeguards that are in place are adequate to mitigate them under these rather unique circumstances.

Unfortunately, New Jersey officials have not yet released enough information to allow for an informed analysis and judgement about whether the system will invite more problems than it solves on election day. And rolling out a robust email voting system across New Jersey's 21 counties and at the scale required will involve solving some fundamentally difficult engineering problems.

A few of the more obvious questions and challenges:

  • Scale is one of the hardest problems here, and perhaps the most insidious. Even if email voting has been used in the past for a relatively small number of overseas and military voters (voting under non-emergency conditions and with plenty of advance planning), the large number of newly displaced voters requires engineering new processes for informing voters about the procedure, processing their email applications, and receiving, recording and counting their completed ballots. Systems that work on a small scale almost never work without significant change at a large scale, and the problems of "scaling up" are often invisible until it is too late to do anything about them.

  • How will the emailed ballots be secured against tampering or loss? Email messages themselves have no intrinsic protection against modification, forgery, copying or deletion when in transit, and, unlike paper absentee ballots, are not physical documents that can be protected with locks, seals and guards once received. What assurance does a voter have that an emailed ballot will be counted and that it has not been tampered with along the way? How will counties verify the integrity of emailed ballots during audits and recounts?

  • The system that receives the emailed ballots in each county must, by definition, be connected to the Internet and therefore will also, by definition, be subject to remote access by malicious attackers. This means that each county's email computers must be fully secured against every known attack, an extraordinarily difficult task in practice. Even worse, "zero day" attacks, exploiting vulnerabilities that have not yet been published or repaired, can often successfully compromise even the most carefully secured networked computers.

  • If email voting for displaced people is performed using shared computers (e.g., in libraries, brought to shelters, etc.), how will these machines be secured? General purpose computers, especially those used by many people, are especially vulnerable to viruses, worms, malware, and misconfiguration. This could easily compromise, alter, or delete ballots sent from such computers.

  • Even if county computers are fully secured, malicious denial of service attacks against the email system, aimed at preventing ballots from reaching their destinations or overwhelming a county office's ability to process them, could potentially disrupt not only the email ballots but also the overall county results from conventional voting mechanisms. How will the system be protected against targeted denial of service?

  • The procedure in the state's directive involves the voter including a signed "waiver of secrecy" form along with the email that contains his or her completed ballot. This implies that email voters will need access to a printer to print out this form and a scanner to read it in after they sign it (or access to special software that attaches a pre-scanned signature to a document). Will displaced voters have all the equipment needed to participate?

  • How many displaced voters will have access to email? Will certain groups be disproportionately favored or disfavored with this new system?

  • How will the officials be trained to manage the email voting system, especially with regard to dealing with voters? Traditional polling places employ a large temporary workforce of poll-workers who serve as voters' primary contacts for questions and information when they vote. Who will serve these functions for the potentially large number of email voters?

  • Each county runs its own election system. There are 21 counties in New Jersey, which means that these issues will have to be addressed in 21 different environments, with 21 different computer systems, staffs, and sets of logistical constraints.

  • Someone is going to lose each contested race on the ballot. The email voting system must be sufficiently secure to withstand any challenge to the result that the loser might mount.

  • The governor announced the plan for email voting late Saturday. This is being written early Sunday morning. The election is on Tuesday. That leaves less than two days to plan, evaluate, and implement at scale a very complex system. It is hard to imagine how this will be possible without at least some serious problems on election day.

When we did the voting systems security evaluations for California and Ohio in 2007, each study involved several months of effort by dozens of specialists. And even then, the process felt very rushed and barely adequate. In rolling out secure email voting in only a few days, New Jersey is attempting something much, much more challenging.

I hope it goes well.

Update 4 November 2012 2pm: After a night's sleep, I'm even more concerned about NJ's (well intentioned) email voting plan. Aside from the inherent security issues with email, the rushed pace creates the biggest challenges here - each county now has to work at breakneck speed to develop robust processes for voter outreach, managing ballot requests, processing emailed ballots and secrecy waivers, etc. And there will be a loser in every contested race, who will now have a new opening to challenge the result. Basically, each county has less than two days to figure out how to design and deploy a full-scale voting system that the loser of each race will have considerably more than two days to figure out how to challenge. It may not ultimately matter in the Presidential race, but it won't be pretty in a lot of local races.

Princeton's Andrew Appel, who has also studied evoting, points out that the NJ directive specifies procedures that may contradict NJ election law; you can read his take at freedom-to-tinker.com.

Update 4 November 2012 3pm: Apparently the governor's directive is being updated to require that email ballots be followed up by a mailed-in paper form within some time period. This addresses Andrew Appel's concern (linked above) that emailed ballots alone do not comply with NJ election law.

This new requirement raises some questions of its own. What if a voter's follow-up ballot doesn't match the emailed version? Does that spoil the entire ballot? If not, which one wins? Whatever the answer, this creates some new potential sources of mischief. For example, if there is a close tally (likely in at least some local races in the state), email voters could be targeted after election day to encourage (or coerce) them to change or spoil their ballots. And, of course, the more complicated and uncertain the procedure is, the more likely that some voters will fail to successfully navigate the process to get their votes recorded. All of this is relatively uncharted territory, and the decisions made today about how this will work throughout the state and in each county will likely have repercussions for weeks after the polls close on Tuesday.

Update 5 November 2012 9am: Many of the problems with email voting are problems of scale - the more ballots that are cast this way, the more likely there are to be problems. Unfortunately, email voting is getting so much attention that I worry that displaced NJ voters who are still somewhere in the state may not be aware of another option: voting in person at a different polling place. According to this order [pdf], any displaced voter is allowed to vote at any NJ polling place on Tuesday by a special "provisional ballot", which is then returned to the voter's county of registration to be counted (where their registration can be verified).

The provisional ballot process isn't foolproof - it involves generic paper ballot forms that may require voters to write in their choices for local office if they vote away from their home districts, and polling places need to have an adequate supply of the forms - but it has the significant advantage of following an established, existing process that uses a paper artifact with a physical chain of custody. NJ residents who can't get to their normal polling places should probably try to vote in person by provisional ballot first, and only if that fails for some reason resort to the riskier and less certain email voting method.