Go to HHH home page.
Election Academy
 


NIST Statement on Internet Voting: Is It "Someday" Already?

Bookmark and Share

Internet.Voting.jpg

[Image courtesy of QualityPoint]

This post has been updated to correct Ms. Collins' first name - DMCj

On Friday, May 18 Belinda Collins, a senior advisor at the National Institute of Standards and Technology [NIST], issued the following statement with respect to Internet voting:

NIST scientists have been conducting research into the use of electronic technologies to support overseas and military voting, including casting ballots over the Internet. In 2008, NIST released NISTIR 7551, A Threat Analysis on UOCAVA Voting Systems, which analyzed the use of several electronic technologies for different aspects of the absentee voting process.  This research concluded that widely-deployed security technologies and procedures could mitigate many of the risks associated with electronic ballot delivery, but that the risks associated with casting ballots over the Internet were more serious and challenging to overcome.   

Based on that research, NIST developed two documents covering security best practices for UOCAVA voting, NISTIR 7711, Security Best Practices for the Electronic Transmission of Election Materials for UOCAVA Voters and NISTIR 7682, Information System Security Best Practices for UOCAVA-Supporting Systems. These two documents serve as companion documents to one another. NISTIR 7711 covers security best practices and considerations for election officials considering the use of electronic mail or Web sites to expedite transmission of voter registration materials and blank ballots.  NISTIR 7682 provides best practices for IT professionals charged with configuring and administering IT systems used to support UOCAVA voting.   

In early 2011, NIST released NISTIR 7770, Security Considerations for Remote Electronic UOCAVA Voting, which studied Internet voting in more detail.  This report identified and analyzed current and emerging technologies that may mitigate risks to Internet voting. It also identified several areas that require additional research and technological improvements.  The study concluded that Internet voting systems cannot currently be audited with a comparable level of confidence in the audit results as those for polling place systems.  Malware on voters' personal computers poses a serious threat that could compromise the secrecy or integrity of voters' ballots.  And, the United States currently lacks a public infrastructure for secure electronic voter authentication. Therefore, NIST's research results indicate that additional research and development is needed to overcome these challenges before secure Internet voting will be feasible. NIST plans to continue to work with our partners in the public and private sectors on these issues.

The issues highlighted in the NIST statement are similar to those raised by computer scientist David Jefferson in a white paper I blogged about last November. His conclusion - that voting is unlike other familiar online commerce activities (like banking and shopping) and thus vulnerable to the weaknesses of the Internet - is reinforced by NIST's pronouncement.

What's especially interesting about the statement is that (as Collins notes) it comes over a year after the latest formal NIST study of Internet voting. Why, then, issue the statement now?

The answer, I think, is that technology has evolved - with encouragement from the federal government, which seeks to enfranchise military and overseas voters - to the point where vendors are beginning to offer products that look and feel like Internet voting. In particular, we are seeing the rise of solutions that allow voters to make voting choices and then print ballots for physical return to an election office. While these products don't necessarily follow the "traditional" model of Internet voting - with ballots being transmitted online for counting at a central location - there is concern among advocates and computer scientists that such solutions are still exposing voters' choices to the risks of the Internet. This "proto-Internet voting", as some scholars call it, is seen as just as dangerous as the real thing because of the risk to voters.

The NIST statement seems to reinforce the general consensus that it isn't yet "someday" for Internet voting; however, it also tees up a battle to define new technologies in such a way as to apply (or avoid) that term. Election officials considering one of the new solutions should expect to get an earful in the months ahead.

2 Comments


  • Bob Carey of FVAP sent me the following comment:

    What threats do "proto-internet" voting entail? Where in Dr. Collins' statement does she raise concerns about online ballot delivery and marking with physical return? I don't see it.
    I think such conjecture as to intentions for such a release ignores a more likely, and more prosaic, reason for a statement now - maybe a recent FOIA request or a simple request for statements?

    Further, what the statement doesn't address, but which I hope may be corrected to address it, is that there is a sea of difference in the malware threat to uncontrolled personal computers sitting on someone's desk at home, and the extensively protected computer systems such as the Defense Information Security Network (DISN), which are constantly protected from, monitored and checked for malware. That can substantially reduce the risk of malware.

    Finally, this doesn't even address the issue of relative risk - the risks in the current military and overseas voting systems are legion, especially those which rely on postal mail delivery and even return. Both 2008 and 2010 post election data showed military voting failure rates significantly higher than the general electorate's, largely because of the inherent delays in postal mail, totalling 200,000 to 250,000 military voting failures. That's a significant level of risk of disenfranchisement in the current election system that largely goes ignored in these discussions.

  • New Study!
    How NIST Has Misled Congress and the American People about Internet Voting Insecurity.

    A new study of Internet voting in the USA reveals that the National Institute of Standards and Technology (NIST) has MISREPRESENTED its “research” on Internet voting security. NISTIR 7770 copied from another report on Internet voting - No Science
    Complete study at http://ssrn.com/abstract=2229557
    (free, safe download of PDF)

    Yours,

    William J. Kelleher, Ph.D.
    Political Scientist, author, speaker,
    CEO for The Internet Voting Research and Education Fund
    Blog: http://tinyurl.com/IV4All
    Twitter: wjkno1

    Author of Internet Voting Now!

  • Leave a comment


    Humphrey School Sites
    CSPG
    Humphrey New Media Hub
    Electionline.org