A unique voting predicament has emerged in New Jersey after Hurricane Sandy ravaged the state last week: Many residents, especially first responders, may not be able to physically get to the polls. As a solution, Gov. Chris Christie announced on Saturday that Garden Staters "displaced" by the superstorm will be able to vote electronically, either by email or fax.
But security researchers have never had a particularly warm place in their hearts for e-voting – never mind a system that is being devised just days before an election.
To vote electronically, displaced voters may submit a mail-in ballot application either by email or fax to their county clerk. Once an application is approved, the clerk will electronically send a ballot to the voter by either fax or email in accordance with the voter's preference. Voters must return their electronic ballot – by fax or email – no later than Nov. 6, 2012, at 8 p.m.
Matt Blaze, an associate professor of computer and information science at the University of Pennsylvania and an e-voting expert, immediately raised security concerns, ranging from forgery to denial-of-service attacks to malware:
- How will the emailed ballots be secured against tampering or loss? Email messages themselves have no intrinsic protection against modification, forgery, copying or deletion when in transit, and, unlike paper absentee ballots, are not physical documents that can be protected with locks, seals and guards once received. What assurance does a voter have that an emailed ballot will be counted and that it has not been tampered with along the way? How will counties verify the integrity of emailed ballots during audits and recounts?
- The system that receives the emailed ballots in each county must, by definition, be connected to the internet and therefore will also, by definition, be subject to remote access by malicious attackers. This means that each county's email computers must be fully secured against every known attack, an extraordinarily difficult task in practice. Even worse, "zero day" attacks, exploiting vulnerabilities that have not yet been published or repaired, can often successfully compromise even the most carefully secured networked computers.
- If email voting for displaced people is performed using shared computers (e.g., in libraries, brought to shelters, etc.), how will these machines be secured? General purpose computers, especially those used by many people, are especially vulnerable to viruses, worms, malware, and misconfiguration. This could easily compromise, alter, or delete ballots sent from such computers.
- Even if county computers are fully secured, malicious denial of service attacks against the email system, aimed at preventing ballots from reaching their destinations or overwhelming a county office's ability to process them, could potentially disrupt not only the email ballots but also the overall county results from conventional voting mechanisms. How will the system be protected against targeted denial of service?
TWEET: Most important message about NJ voting: email should be considered last resort. Provisional ballot at another polling place much safer.
Meanwhile, Ed Felten, a professor of computer science and public affairs at the University of Pennsylvania who has studied the security and privacy ramifications of e-voting for several years, said in a Sunday blog post that he understands why the state is providing the email option, considering the unique circumstances. But he hopes this style of voting isn't embraced for the long term.
He said the mechanism will have more assurance if the state forces voters to also submit a hard-copy version of their vote in the mail. But it's unclear if officials are going to require this in the same way they do for absentee voters.
One point on which most researchers agree is that no matter how the election in New Jersey turns out, the loser likely will challenge any votes cast electronically.