E-mail Voting, Complexity, and Trust
John Sebes
Some of the feedback on my internet/email voting post can be summed up this way:
Is email voting really that bad? Sure, emailed ballots can be snooped, tampered, or diverted en route, but so can paper vote-by-mail ballots – yet we still use them. So what, specifically, is so much worse about emailed ballots?
First off, I have to say: “great question!” because it is asking about a comparison between two voting methods that appear to be very similar, but differ fundamentally, as Pito said in his blog post comparing vote-by-mail with atoms and vote-by-mail with bits. I can shed some light on the technological differences, in my laundry list below. But first I should point out the most important difference between the risks faced by the vote-by-mail (VBM) paper ballots en-route from voter to destination, and the analogous risks for email return.
The difference is, in a word, comprehension by voters. The threats to paper VBM are well-understood, relatively simple to state, and currently accepted as a trade-off for the ability to vote from overseas. Sure, an unknown number of postal workers in an unknown chain of national postal services, all can find VBM ballots, and mess with them or help other to do so. We know that, we’re not keen on it, but it beats not voting all all if you live overseas.
But if you really want to claim that the risks of email are comparable to postal mail, then you have to appreciate a set of broader and more complex technological threats to emailed ballots. Here are some of those threats, that perhaps not everyone is familiar with, including not only a wide variety of technology that can mess with the ballots, and but also a wide variety of people with access to ballots.
- The email ballot’s first step is in the telephone company of the place where the overseas voter lives. From the voter’s computer, the email passes through telco equipment such as dial-up modems, digital subscriber link access modules (DSLAMs) for DSL service, or coax/cable service equivalents. Telco staff with access to this equipment have access to the ballot.
- The next step is transport onward from the telco to the voter’s local Internet Service Provider (ISP), using a variety of network switches and routers and firewalls operated by the telco or the ISP. Again, everyone with access to these devices — including remote access via the network — has access to the ballot. The voter has to trust their immediate ISP to not read or tamper or block the email – not to be taken lightly for some overseas voters living in countries where the government actively intercepts Internet traffic.
- The next steps consist of more transport, via several ISPs along the way to the ISP of the voter’s email service provider. A variety of protocols may be used, but Post Office Protocol (POP3) is fairly common, and the ISPs often have visibility on the POP3 sessions. Again, the voter has to trust these ISPs, and all the people with access to the network gear.
- The voter also has to similarly trust their email service provider, and the staff with access to the POP3 servers or similar, as well as the SMTP servers that move the mail onward towards it destination.
- Onward from the voter’s email service provider, there is more transport via more ISPs, and as before the voter is typically not aware of which or how many ISPs, and how many routers and email servers are involved. From an overseas voter’s home PC, it would not be unusual for an email to transit 5 ISPs, 4 mail servers, and 50 hops on the 3 phases of transport. (Those phases are: (1) from voter to their SMTP server, (2) thence to the BOE’s SMTP server, and (3) then from the BOE’s SMTP server to the email’s destination.)
- At some point the email arrives on the SMTP server for the email address that the voter sent their email to — hopefully, the SMTP for the BOE. From there onward, the email goes from the BOE’s SMTP server to wherever the email finally arrives. In this 3rd phase, the email is accessible in the same way as in the first phase, but in reverse order: all the servers and routers and all the people with local or remote access to them, at these organizations: BOE’s email service provider, the service provider’s ISP, and the telco systems that deliver the BOE’s ISP’s traffic to the BOE computer that is the final destination of the email.
- And all that is assuming that the email actually arrives – which is not guaranteed, and can’t be verified! Even a confirmation reply email can be easily forged.
Is all that different enough from postal threats? Sure, those overseas postal people can misbehave, but they have to first find a paper VBM ballot, then physical access to it, and time and space to work on the ballot, without significant risk of observation. With email, by contrast:
- There is a wide array of technology and systems and people with access to them.
- The access includes remote access where the people don’t have to be physically proximate to the computer or the email data passing through it.
- And that’s just the insiders, the people with legitimate access to these systems. But let’s not forget the risks that some of these computers or systems have been compromised by purely digital adversaries — a threat made all the more real by successful attacks on Google and several other top-tier technology companies.
I’m pretty sure that most overseas voters and most election officials do have a good understanding of paper vote-by-mail and its risks. I may be wrong, but I expect most of them do not have a similar understanding of this complex set of digital threats to emailed ballots en route, and have not assessed those risks to be at parity with the risks of paper VBM en route. Until and unless that understanding and assessment actually happens, then internet/email voting cannot fairly be said to parallel paper vote-by-mail as an equitable solution.
— EJS