Security experts: Academy Awards not a model for Illinois' online voter experiment

As Gov. Pat Quinn takes steps to "modernize" Illinois' voter participation by moving it online, a group of concerned cyber security experts and voting rights advocates released a statement today citing the online voting for the Academy Awards as a model to be avoided in public elections. The group includes advocacy organizations Common Cause and Verified Voting and some of the most renowned figures in computer science including Ron Rivest, co-founder of RSA and Verisign.

“When the Academy of Motion Picture Arts and Sciences announced that it would be using an online voting system to help its members choose this year’s Oscar nominees and finalists, thereby adding to the “credibility” of online voting, we found ourselves compelled to remind the general public that it is dangerous to deploy voting by email, efax, or through internet portals in public governmental elections at this time,” the experts said. “Public elections run by municipal, local and state governments should not be compared to elections like the one run by the Academy.”

The goal behind the statement was to ensure that lawmakers and election officials do not lose sight of the real risks to election integrity that online registration and voting creates for public elections, despite the fact that an entity as glamorous as the Academy is using it for a private election. Private elections may be subject to rules and procedures which may make it possible to mitigate or detect cyber attacks; these conditions do not exist in public elections which require state and local officials to abide by a complex set of state and federal laws such as requiring that the ballot be secret.

“Cyber security experts at the National Institute of Standards and Technology and the Department of Homeland Security have warned that current Internet voting technologies should not be deployed in public elections,” the statement said. “Internet voting systems, including email, fax and web based voting systems in which marked ballots are cast online, cannot be properly protected and may be subject to undetectable alteration.”

Internet voting has been shown time and again to be vulnerable to potentially devastating -- and undetectable -- cyber attacks. In 2004, the Department of Defense canceled a pilot Internet voting program for military personnel stationed overseas because of concerns about security. In 2010, a "red team" led by J. Alex Halderman of the University of Michigan not only penetrated a pilot election in Washington, D.C., changing votes at will, and even managed to thwart attempted hacks from as far away as Iran and China. Election officials in Washington were unaware of any of it until Professor Halderman's team disclosed its exploits. Because of the demonstrated vulnerabilities and the public’s increased interest in online voting, a senior cyber security official at the Department of Homeland Security warned a group of election officials in March 2012 that Internet voting is “premature” and not advisable at this time. In May 2012, the National Institute of Standards and Technology - the agency tasked with studying and developing federal voting system standards – issued a similar statement saying that secure Internet voting is not yet technologically feasible for public elections.

"Financial institutions, the FBI, the White House, and the Department of Defense have all been breached," the experts said. "It is unreasonable to assume that any Internet voting system vendor today can repel a well-funded partisan operative or nation state determined to manipulate, disrupt, or violate voter privacy in an online public election."