Absentee Ballots by Email?

tordia writes "Bruce Schneier has come out against a plan proposed by the Missouri Secretary of State, Matt Blunt. Blunt's proposal would allow "soldiers at remote duty stations or in combat areas cast their ballots with the help of e-mail." The plan arose when Jim Avery, a Missouri State Representative and National Guard soldier currently on active duty in Iraq, told Blunt that the fax machines required by the current Missouri absentee ballot law are rare, but most soldiers have access to computers. A spokesman for the Secretary of State's office downplays the privacy and security considerations by saying, "If the soldier is uncomfortable with this process, he or she should not consider this option". I agree with Bruce when he says "This is troubling"." Like many things, this is a wonderful idea in theory; it's just that darn implementation that things get...messy.

Email gateway?

Can't they just use an email -> fax gateway of some sort?

And, if they plan to use email, this seems like the perfect chance to try out digital signatures. The military could organize it.

Re:Email gateway?

[Isao]

Erm, the trick is to both have non-repudiation AND anonymity.

Re:Email gateway?

[BoldAC]

Here's an idea?

Just spend the money to setup private voting booths over there. Travel from company to company and allow our guys to vote.

Holy crap. These guys are overthere risking life and limb for "us" and we can't even find a way to allow them to vote?

Right or wrong... they are heros. They need to vote this election more than your average joe!

Re:Email gateway?

Hell yeah, AFAIK, these guys are in a much better position to judge Bush's foreign policy and the situation in Iraq than a bunch of whiny asshats back home.

My nephew was in Iraq. His squad was ambushed, he was shot 3 times - in the arm and in both thighs. He just got back home last week with the purple heart, and earned a medal of valor for setting off a flare after the ambush (which took out their communications as well).

Despite the fact he was wounded in Iraq, he doesn't consider it an unjust war, and plans to vote for Bush. He told me he saw first-hand the difference we've made in that country, and there's no way anyone can convince him that the war was wrong.

Re:Email gateway?

[glpierce]

"[...]these guys are in a much better position to judge Bush's foreign policy and the situation in Iraq than a bunch of whiny asshats back home."

No, they're not. Historians, economists, and political science experts (among others) are the ones who can judge. What makes you think your average soldier has any clue what the long-term financial or political ramifications of foreign policy will be?

Oh, and don't assume I'm against the war or don't support the troops. I'm just suggesting you take a step back and think about what you're saying. True, most IT nerds aren't particularly qualified to judge, but neither are most soldiers.

Re:Email gateway?

[SlamMan]

I'm an economist by degree, and I'm in no more position to judge than anybody else.

Re:Email gateway?

[Tonytheloony]

Anecdotes are a dime a dozen. Moreover, and as the previous poster replied, soldiers are not in the best position to judge the ramifications of the war (let alone realize they're not looking for any WMD)

Re:Email gateway?

[Jonathunder]

Absentee ballots by mail certainly can be anonymous. The "double envelope" method commonly used is very simple.

The absentee ballot is marked privately by the voter and placed in a provided plain envelope. That plain envelope is placed inside another envelope that has the voter's and witnesses' signatures, plus everything else the law requires for ensuring it is valid.

The election judges validate the absentee ballot by looking at the outer envelope. Once that is done, it is opened and the inner envelopes are put together and shuffled. Since they all look the same, the ballots are anonymous when the inner envelopes are opened and the ballots are counted.

That's how it works in my state, Minnesota, where I serve as an election judge.

The double envelope method is quite common, and is even described in Robert's Rules of Order Newly Revised, where it is recommended for organizations that allow voting by mail.

Security

[mfh]

"If the soldier is uncomfortable with this process, he or she should not consider this option"

That's the worst excuse for bad security I have ever heard, and I think that if it was applied on all other systems, it would be a huge disaster. Look at the ATM for example. What if instead of a bank card, we shifted to an email scheme for withdrawing and depositing money? Email cheques are fairly secure but they have a password scheme and they don't rely soely on email. There's also no private information being transferred with an email cheque, just a link that requires a password over a secure connection. But what if we just made up email money and passed it around? Huge security flaw there. Take it one step further, why not add salt to the wound, by suggesting that if you don't like the insecure system, don't use it! Duh.

If soldiers send their private info over email, this also produces a security risk if the enemy gathers intel on soldiers to use against their families. Bad bad bad idea. :(

I'm one of the admins of Gmailforthetroops.com and we've had to let everyone know that we only want soldiers to privately provide their .mil or gc.forces.ca email addys to people handing out Gmail invites, to prevent personal info being circulated that could lead down a dangerous path if the enemy decided to look them up. This has been largely difficult to reign in, but for the most part it's a fairly anonymous exchange. No worse than name, rank, serial number. And that's the idea. But if you have to fill out an absentee ballot in this email scheme, it would require much more personal info or it could be easily abused.

Yesss!

[hattmoward]

This will help cement Bush/Cheney in for '04!

Oh crap, did I just say that out loud?

Re:Yesss!

[MikeMacK]

I'm sure there are a few who would like to see them in cement.

Re:Yesss!

[Mork29]

You actually bring up a good point. Soldiers used to vote republican. It's just how it was. This year, it's changed alot. There is alot of debate amongst soldiers on who they'll vote for, and we seem to be split as much as the polls on who is going to be voting for who. This is a big push to get us to vote. (You can look at my e-mail address to see why I said we). Soldiers could really play a big part in this election in alot of the swing states. I think that soldiers certainly deserve to be given every possible means of easy and secure voting possible. The president is the commander in chief and that effects soldiers more than any body else. Voting is difficult in the military, but it's something that we've earned. The system does have to be secure and safe though. I pray for the day when E-Voting is a possiblity. Well, as an agnostic I don't really pray.... but you get what I mean.

Re:Yesss!

Soldiers used to vote republican. It's just how it was. This year, it's changed alot.

A lot of us libertarians used to vote republican too. Funny how Bush and the neocons destroyed everything the Republican party once stood for - small government, stay out of business, etc; and turned it into a far bigger-spending-party (record deficits immediatlly after Clinton's record surplus) than even the democrats, and turned it into the party of the Church - and human rights bashing not only overseas but to gays (marriage) and minorities (patriot act) at home as well.

It'll feel wierd as a libertarian to vote for a democrat, but the republicans really changed the last couple years.

Mailbombs away!

[Medievalist]

I run a few mailservers :). Every day the spammers and viruswriters come up with a new way to defeat whatever anti-spam and anti-virus measures I implement. It's a case of running as fast as we can to stay in the same place!

So maybe the spammers will decide who gets to be president this time, instead of the Supreme Court.

Prediction

[iamdrscience]

I'm going to call this election early:

John Kerry: 80,000 out of 150,000 votes
George Bush: 160,000 out of 150,000 votes

This after Diebold?

[mod_critical]

Seriously, after all the controversy over the heavily developed Diebold e-voting system, who comes out and says, "let's do it by email!".

If this refers to the SMTP/IMAP/POP3 email system then one wonders why such an insecure system would be considered.

With today's encryption technologies, it shouldn't be that big of a deal to do it securely, but suggesting to do this over standard email after all of the Diebold e-voting fear is rather bold.

Re:This after Diebold?

[TrevorB]

Forget Diebold, everyone seems to be forgetting the Letter to the Editor scandal, where the same letter was passed around for troops to sign and then passed off as a letter to the editor in the troops home town. Some of the soldiers whos letters were publish claim they never even signed the things in the first place.

Who's to say that the emails coming from soldiers would even be from the soldiers at all?

C'mon people... standardized paper ballot, a pencil X and a little bit of saliva on the envelope, and a walk to the outgoing mail bag. It shouldn't be that hard!

Where are the experts??

[bhima]

Why is it that Bruce Schneier is the only person that can speak intelligibly about security?

I know cryptology is complex but christ, there are a few tenants that even I have picked up reading his most excellent newsletters. Am I the only one who reads these? I can see it now: the US government winds up in Schneider's 'dog house' along with the rest of the shady dealers.

And me having to vote from Vienna

Re:Where are the experts??

[general_re]

I know cryptology is complex but christ, there are a few tenants that even I have picked up...

Kudos - I don't think my landlord knows jack shit about cryptography... ;)

doesnt the military....

give soldiers ability to send regular postal mail?

a week before Nov 2, simply gather up everyone's ballots (sealed in envelopes), then mail them back home. IIRC, this is what was done in 2000, and many other elections pre-fax machines.

Re:doesnt the military....

[hey]

I totally agree. There's TONS of warning about the election!!! They can send their ballots by registered postal mail from anywhere in the world.

Re:doesnt the military....

[sluke]

Not to be overly critical, but in the article it states that soldiers still have the option of mailing their ballots. (this was somewhere around that inane comment that if they were uncomfortable with email voting they could use some other method.)

Re:doesnt the military....

No, he didn't. The media speculated for several weeks that he would, despite the fact he and Leiberman were constantly ruling out going down that path.

Some thoughts

[Ckwop]

Why is it that politicians seem to do everything in their power to undermine public
confidence in the election process? What's wrong with having miltary poll stations
in Iraq and then simply flying the ballot boxes back? Sure, it's more expensive
that e-mail but if the US government can spend billions to put a democracy in the middle east
surely a few million dollars could be set aside to insure integrity of the US vote.

Simon

Re:Some thoughts

[Mork29]

That would imply that all soldiers can vote on the same day. That's not the case. At any given time soldiers are off post conducting missions, or even simply traveling in convoys. The purpose of the absentee balot is that it can be filled out and sent on more than one day. Also, many soldiers are to spread out and remote to have an official and proper ballot station set up. Are they supposed to set up the booth in the back of a truck?

Re:Some thoughts

[gclef]

Unfortunately (or fortuantely, depending on your point of view), the federal government doesn't run the vote. The states do. So, for the Armed Forces to run a voting system themselves, they'd have to abide by 50 different sets of laws about how the vote should be run...basically making setting it up impossible.

Honestly, the simplest system (absentee balloting) seems to be the best in this case, and has worked fine for years. Why we're trying to replace something that isn't broken is beyond me.

Send your security concers to /dev/null

[gargonia]

A spokesman for the Secretary of State's office downplays the privacy and security considerations by saying, "If the soldier is uncomfortable with this process, he or she should not consider this option".

Oh, I see. If you're worried about security, don't use the system. Right. So, what's to prevent someone from using this system for me in my name? Who decides which ballot is valid in the case of multiple submissions? I certainly hope someone rethinks this idea before it gets implemented. There is simply WAAAAAY too much potential for abuse.

Report at the tabaulating workstation

Bush: 1,356
Kerry: 1,498
Nader: 1
L337 D00d Linus Torvalds: 82,239,123

Great Idea!

[justforaday]

This is a great idea!!! Now where can I dig up a list of overseas soldiers??? Ahhh yes...I knew there was a reason why I bookmarked this story...

This idea, very bad.

[KI0PX]

The *only* methods of voting should be by secret ballot.

Let's say I am an employer, and I say "you'll get fired if you don't vote for candidate X". If the only methods of voting are by secret ballot, the voter is protected. Otherwise the voter might be forced or coerced into using the "optional" un-secret method. (And yes this has happened before!)

On top of that concern, we're using e-mail? I don't trust the e-mail system for anything important at all. Last semester we had to turn in our homework via e-mail in one of my classes, which I had qualms about. Lo and behold, at the end of the semester, two of my assignments didn't get counted by the professor. He insisted that the e-mail system was perfect. This idea, very bad.

Security is for Sissies

[Bob9113]

A spokesman for the Secretary of State's office downplays the privacy and security considerations by saying, "If the soldier is uncomfortable with this process, he or she should not consider this option".

So I wonder what they'll say afterwards...
Spokesman: See, this plan worked perfectly - we got 100% turnout.
Soldier: 100%? How? I didn't use the email voting system.
Spokesman: Sure you did, we have your vote right here. You voted for Kevin Mitnick, and used the reply-to address "haX0r-v0t3r@133t.ru."
Soldier: What?
Spokesman: There you have it folks, as we said beforehand, if they didn't trust it, they wouldn't use it. 100% used it, so clearly 100% trust it. And if 100% of our fighting men and women trust a system they know nothing about, who are you to question it? It's a simple question really: Do you support our soldiers, or are you a terrorist? The terrorists don't want our soldiers to vote.

RTFA

[awb131]

It's not as bad as it might sound. The only "internet-type" involvement in the process is actually data being moved over MILNET. Very little of MILNET is publicly accessible. When the ballots get to the DoD, they are faxed to the appropriate election officials in Jefferson City, MO.

Not ideal, but it's not as insecure as I would have imagined.

But how secure is faxing your vote?

[the_skywise]

Okay, emailing a vote is not exactly secure, but how secure is faxing a vote?

Oh sure, they can "see" a signature but how many people in the voting office are going to check the signature against the one on file? (IE, how many dead people vote in elections?)

"If it's insecure, just don't use it"?

[krysith]

I agree, there is a serious problem with the attitude of "if you think it's insecure, just don't use it". I've run into this same attitude with regards to touchscreen electronic voting machines. I have been told that if I don't trust the ES&S systems, I should just vote by absentee ballot. It doesn't matter if I use a known secure voting apparatus if the other people who are voting do not. It doesn't help that my vote gets counted accuratly if someone can add an arbitrary number of votes for the candidate of their choice.

Hypothetical Example:
1000 people eligible to vote.
600 actually vote:
200 use secure method. They vote 150 for candidate A, 50 for candidate B.
400 use insecure method. They vote 220 for candidate A, 180 for candidate B.

Total legitimate votes: 370 for A, 230 for B.

Now Mr. Vote-Hack adds 200 phantom votes for B, through the insecure method.

Did anyone's vote count, aside from Mr. Vote-Hack?

In some systems, unless the entire system is secure, securing parts of it doesn't really matter.

Re:Wow, um...

[Rei]

That's a false dichotomy. There's also snail mail.

Email is a lot easier to intercept than faxes. Faxes require physically tapping into the line. Email simply requires any ISP have any computer on their local network which the data passes through en-route from the military computer to the voting office be comprimised, *or* tapping into the lines.

And, it's not just a "not voting/voting with risk to your family" situation. It's a "someone who doesn't like the statistical balance of your unit's politics and launches a DDOS attack on you when you would normally be voting. Or its a case of someone phishing (what was it, 22% of all phish emails work?). Or a case of a worm whose sole task is, apon propogating, to send out a ballot voting for candidate X. Or a dozen other things.

It's not fricken' hard

[Deep+Fried+Geekboy]

You know, only the US (of developed Western democracies at least) makes such a big fricken' mess out of the whole voting process. Pieces of paper and ballot boxes actually work. They may be slower, they may be more expensive, but they WORK and they are transparent. They are scaleable and the hardware is cheap. Recounts are easy and verifiable.

Prediction: the US will be convulsed over the reliability and fairness of its elections procedures every four years for the forseeable future.

Countries using ballot papers and boxes will get their results a bit slower, but will not be convulsed.

As for the argument that e-voting makes it easier for people to vote, thus increasing democratic participation, all I can say is, if you care so little about your vote that you can't be bothered to leave the house to cast it (I"m assuming those who are housebound are catered for) you don't deserve to vote.

Sheesh. I have used up my 'fricken' quotient for today but it was worth it.

Some old technology is very good. Like the bicycle. When I worked in TV we used to bike tapes around rather than using the internet, because as our tech director used to say, "Never underestimate the bandwidth of a man on a motorbike".

More than digital signatures.

[goombah99]

More than digital signatures are needed. There has to be feedback to the soldier that his vote was cast and counted at the central polling place. There is a technology that can do this from the company "vote here" which allows the voter to call in later and check that their vote was recieved unchanged without actually telling them the vote (basically it tells them an encrypted checksum that cant be reversed to reveal the vote even by brute force). This does not prevent the client computer casting the ballot from making a mistake or being corrupted malicously or otherwise. But it does solve the transmisson and feedback problem. I oppose this tehcnology for general public use (favoring paper trails due to their ability ot be recounted) but for soldiers overseas prompt ballot collection may take priority over recountability since the risk is greater that your ballot wont be counted at all than it will be miscounted.

Email voting could work, but not this way.

[TheCabal]

Voting by email could work, but probably not with the scheme being proposed.

Every military member has a CAC card which serves as a military ID but it is also a smartcard. Every person in the DoD is issued a digital certificate by the DoD when the card is issued. It should just be an academic exercise to create a voting station where the user inserts his CAC, votes and receives a confirmation that is encrypted with the user's public key and signed with the appropriate private key as an audit trail. I think this scheme fulfills the requirements for a "trusted" voting system. Voters are securely authenticated, votes are audited and cryptographically secured. Of course, the flaw usually lies in the implementation...

Re:no way

[stratjakt]

Each voter is issued a crypto-token, the private part of a public-private key pair. Of course, this cant be tied to a name to preserve anonymity. They vote electronically and all the votes are emailed at once in a big tarball. A hardcopy is printed of each vote (encrypted) in case you want to recount.

They can then verify the individual votes authenticity with the corresponding public keys.

It could be done.

Re:Wow, um...

[B'Trey]

Not only that, but there are a few other details that make this a little different.

First, all of the email will be coming from .mil domains. The military owns the entire domain. Implement a verification procedure, such as a reply-to-sender that "I received your vote. Please reply to this email to let me know that you actually sent it."

Second, the military ID card (the CAC, or Common Access Card) is a Smartcard. (Hopefully, the link works. I'm not positive that it's accesible from a machine outside the .mil enclave, but I'm on base right now and can't check.) Every member of the military should have three certificates that are issued by one of the military's private PKI servers. The three certs are intended for identification (such as logging into computers and web sites), email signing and email encryption.

This doesn't make the scheme foolproof or provide airtight security. But an email that is verfied as coming from a .mil domain, and that is signed and encrypted by two different PKI certs issued by private and extremely well protected PKI servers isn't the gaping security hole that "Just send your vote by email" makes it sound like.

Fight for your rights

[Doc+Ruby]

Soldiers in combat are rarely cut off from the rest of America's physical presence for very long. Ammunition, food, and other materiel are supplied by American supply lines, even far forward at the front. Those lines also deliver mail, as part of the US Postal Service extended to military requirements. These ballots can be sent securely through those supply lines, as they always have been. Most soldiers can send their ballots in advance of deployment to the front, which is almost always planned long before. Their disadvantage in access to "late breaking news", after their vote but before Election Day, is consistent with the other liberties soldiers voluntarily suspend when accepting military command. Corruption of their right to secrecy, and corruption, through selective demographic ballot under/service, of the people's right to equal access to all voters, is not consistent with military service defending the Constitution.

why just for military?

[tuxette]

Why not for all U.S. expatriates, if you're going to do something like this at all?

PGP?

[nlinecomputers]

If they could use PGP I'd have less a problem with it. You could scan the ballot and then encrypt the file to the state's public key and send it off. But you can still track the file to the sender so short of using anonymous remailers this still isn't private.

Gee, you're right...

[mark0]

After all, nobody's ever stolen a ballot box, stuffed a ballot box, altered a paper ballot, discarded a paper ballot, or anything at all like that.

Politicians and technology

[SCHecklerX]

Or, management and technology. Same difference.

Why can't they ever just say "We need a way for soldiers to easily cast an absentee ballot" and then let people who know what they are doing come up with the proper system?

This is a problem where I work as well.

The absentee process has two parts

[M.+Piedlourd]

Here in Connecticut, there are two steps to absentee voting: first, the voter fills out an application and submits it to the Town Clerk. Then the Clerk gives him a ballot to fill out and return. Imagine how this plays out when the voter is on the other side of the earth:

1.) The application has to get to the voter somehow. This is not as much of a problem as it once was, because one can email the town clerk and ask for it to be mailed, one's relatives can send it to you, or you can print it out from the Secretary of the State's web site.

2.) Once the application is filled out, it must be mailed back to the Town Clerk. Currently, the law allows one to fax the application to ensure the ballot goes out in a timely manner, but it must be mailed at the same time it is faxed. If the application is not received in the mail be the close of polls on election day, the ballot is rejected.

3.) When the Town Clerk receives the application, he prepares a ballot and mails it.

4.) Then I get to vote. And mail back the ballot. And hope that it's received in time.

That's a cycle of three or four mail trips across the world. Anybody overseas who wants to vote absentee needs to get going right now to make sure their votes are counted! Incidentally, look at the audit trail absentee balloting leaves in its wake: the completed application, an outer envelope for mailing, an inner envelope to ensure ballot secrecy, and the ballot itself. With the potential for mischief that absentee balloting presents, I am glad all this paperwork exists. However, in the interest of timeliness and of not disenfranchising remote voters, I think the application process, but not the voting itself, can be shortened by using email without sacrificing security. Imagine this process:

1.) The voter emails the town clerk with the required information and a digital signature.

2.) The clerk mails the ballot.

3.) The voter mails back the ballot.

That's two mail trips. That's still a wait, but the process is simpler, there's still an audit trail, the identity of the voter is still verifiable, and the ballot is on good old paper. Why can't states adopt a sensible, middle-ground process like this one? And why doesn't Missouri's chief elections official understand the importance of an auditable vote?