For other versions of this document, see http://wikileaks.org/wiki/CRS-RS20639 ------------------------------------------------------------------------------ Order Code RS20639 Updated September 23, 2003 CRS Report for Congress Received through the CRS Web Internet Voting Kevin Coleman Analyst in American National Government Government and Finance Division Summary Among the many issues in the ongoing national discussion about the Internet is its use in the voting process. Because voting determines who runs the government and entails two absolute requirements -- the secret ballot and security from fraud -- the stakes are higher than for many other transactions routinely conducted via the Internet. Public confidence about Internet security is increasing, but many feel that voting online requires a degree of security from fraud beyond the current standard for everyday Internet use. The National Defense Authorization Act for FY2002 and the Help America Vote Act of 2002 included provisions to extend a pilot project for Internet voting on a limited basis and to conduct an in-depth study for Congress on the feasibility of Internet voting on a national basis. Aside from voting issues, observers often refer to a "digital divide" that exists between those who have access to computers and the Internet (and the skills to use it) and those who do not. While Internet access is increasing, estimates show that those with higher incomes and education levels are more likely to have Internet access, and that black and Hispanic access lags behind that of whites. Also part of the debate are issues concerning political tradition, public confidence in Internet voting, and equal access to the ballot. Proponents of Internet voting suggest it could increase turnout, particularly among younger voters who are familiar with Internet technology. In the meantime, several experiments with Internet voting in public elections took place in the 2000 election year, and more are likely in the future as the technology for online voting evolves. This report will be updated to reflect new developments. Overview. As computer ownership increased in the early 1990s, the Internet introduced the concept of electronic democracy to a wide audience. By 1996, the national parties and scores of candidates maintained websites to disseminate information, attract donors and volunteers, and communicate directly with supporters. As an ever larger segment of the population uses the Internet to conduct business, find news, pursue leisure activities, and so on, the potential to use it for more than campaign purposes -- to conduct elections -- has become part of the discussion of applying technology to the democratic process. Electing officeholders via the Internet requires a level of security from fraud Congressional Research Service ~ The Library of Congress CRS-2 beyond what exists with current online use, according to many observers.1 For example, credit card fraud on the Internet "is recognized at the level of 10% of all transactions," according to one estimate.2 Such a level of potential fraud in an election would undermine its legitimacy, which depends on a fair and accurate count of the ballots cast. An Internet voting system, even one used on a limited basis in conjunction with traditional voting methods, needs to be at least as secure as current voting methods in its ability to safeguard a voter's identity and provide an accurate vote count. Officials of Election.com, the company that conducted Arizona's online Democratic primary in 2000, claim that adequate security measures exist which make it possible to conduct public elections on the Internet now. But other vendors, election officials, and interested observers vigorously dispute this assertion and point out that security problems with online voting could undermine future voter confidence in online elections. As for the expense of conducting elections online, a number of observers suggest that internet voting will lower election costs for local officials. As for younger voters, whose rates of participation are notoriously low, online voting could provide an opportunity to boost turnout if it became an option. Internet voting has been widely reported on in the press, and policy makers at the federal and state levels are studying its implications. In December 1999, the President directed the National Science Foundation (NSF) to conduct a one-year study of Internet voting. The NSF study was released in March 2001. An Internet Task Force organized by California's Secretary of State issued its report on January 18, 2000. The Task Force report said "At this time, it would not be legally, practically or fiscally feasible to develop a comprehensive remote Internet voting system that would completely replace the current paper process." The Task Force recommended phasing in Internet voting, with remote voting as the last phase.3 Types of Internet Voting. Two types of Internet voting are possible, and both were used in voting trials in 2000. One method, the more basic from a technical standpoint, is Internet voting at a traditional polling site, with computer voting machines connected to the Internet and where election officials authenticate voters before ballots are cast. The other method, more technically advanced, is to cast ballots over the Internet 1 For example, the Love Bug virus of May 4, 2000, affected an estimated one million computers, including those at many federal agencies, and caused an estimated $1 to $10 billion in damage. Such large-scale "hacking" is only part of the problem, and attempts to breach public and private systems occur regularly. The Pentagon estimates that its networks are hacked 250,000 times a year, of which an estimated 500 are serious attempts to access classified systems. Scott Nance, "`I Love You' Doesn't Sway CERT," New Technology Week, May 8, 2000, p. 5, and Gregory Vistica, "Inside the Secret Cyberwar," Newsweek, Feb. 21, 2000, p 48. 2 Ed Gerck, "From Voting to Internet Voting," The Bell, vol. 1, May 2000, p. 5. Another estimate noted that "about 5 percent to 6 percent of a typical Net retailer's transactions are fraudulent, compared to less than half of one percent for brick-and-mortar retailers. Fraudulent transactions account for about 10 percent of Net retailer's total sales." Craig Bickenell, "Credit Card Fraud Bedevils Web," WiredNews, [http://www.wired.com/news/business/0,1367,18904,00.html], visited Apr. 3, 1999. 3 California Internet Voting Task Force, A Report on the Feasibility of Internet Voting, Jan., 2000, p. 1. CRS-3 from remote locations using electronic authentication and computer security technologies. The Arizona Democratic primary, for example, used both methods; voters could cast their ballots from remote locations or at any polling place. Some observers believe that remote Internet voting should not be attempted until voters become comfortable with polling site Internet voting and until procedures are well established to ensure accurate voter authentication, ballot secrecy, and security. Others, however, argue that polling site Internet voting will have little value to voters, who want the convenience of remote Internet voting. Technologies Behind Internet Voting. Internet voting systems use several technologies to ensure authentication, secrecy, and security. These include encryption (the scrambling of information in data transmissions to provide confidentiality) and electronic signatures (methods that use such techniques as passwords, personal identification numbers (PINs), smart cards, biometrics, and digital signatures) to verify the identity of the voter and provide data integrity (i.e., assurance that the data is not altered during transmission). Other computer security technologies, such as firewalls, antivirus programs, and intrusion detection systems, are also used to prevent unauthorized hacker access to computer systems used in the election process.4 Different types of elections require different standards for voter verification, data integrity for ballots, and assurance against tampering. For example, private sector elections (conducted and funded by private organizations and regulated by the sponsoring organization) typically have lower standards for these factors than public sector elections (conducted, funded, and regulated by government). Private sector elections have been conducted using the Internet to a far greater extent than public sector elections. The Current Debate: Issues and Challenges. While the computer security technologies mentioned above are well established in theory, they have not yet been used on a wide scale. Some government agencies, large companies, and financial institutions use encryption, electronic signatures, and other computer security techniques in conducting business transactions with established suppliers and customers. Some analysts predict that computer security technologies will proliferate at an accelerated rate in the next few years. Few businesses, however, have implemented these technologies for use with the general public today. Some argue that the public needs to become more familiar and comfortable with the Internet in other aspects of life, such as by engaging in Internet commerce, before governments should adopt Internet voting systems. Internet voting systems could be phased in over time, from the use of Internet-connected computers at state and local government-controlled polling sites, to remote Internet voting from users' home PCs. The new voting systems must also be user-friendly enough that many voters will prefer to use the Internet method over the traditional method of voting. Many current security components to computer systems are thought to be cumbersome for users. The following areas are the principal concerns with Internet voting at present. Security Issues. Protecting the voting process from electronic attacks is a fundamental challenge both for vendors who design online voting systems and for election administrators who run elections. As with current voting systems, any 4 For a background on these technologies, see CRS Report 98-67, Internet: An Overview of Key Technology Policy Issues Affecting its Use and Growth. CRS-4 vulnerability that could allow for voting more than once, changing a voted ballot or the election tally, or otherwise compromising the integrity of the process, raises the potential for fraud. In addition, Internet voting systems could be vulnerable to "denial-of-service" attacks in which the system is flooded with e-mail messages, causing it to shut down. Internet voting, like absentee voting, entails casting a vote from remote location and raises a possibility of bribery or vote tampering that does not exist with in-person voting. Safeguards can be provided through the establishment of computer security procedures that prevent unauthorized individuals from seeing the contents of a ballot. Establishing public trust in the security features of Internet voting systems may take time and perhaps the use of an independent oversight or auditing organization. Negative public perceptions of Internet voting security could be significant in the early stages of a transition to online voting, although acceptance might increase along with advances in technology and successful online voting trials. According to a July 1999 public opinion poll, 62% believed that it will be many years before Internet voting can be made secure from fraud; 24% thought it could be made secure soon; and 7% believed it will never happen.5 Ballot Secrecy. Ballot secrecy must be ensured in any election in order to prevent vote-buying and other kinds of fraud. Traditional voting at a polling place entails two separate steps for confirming a voter's identity and casting a ballot. The voter signs in at the precinct poll and then proceeds to the voting booth to cast a ballot. With Internet voting, the two steps are combined. An individual's identity must be confirmed and then the ballot is provided to the voter, increasing the possibility that the voted ballot, while in transit over the Internet, could be observed, changed, or recorded along with the voter's identity. While encryption and electronic signatures can provide privacy for voters, there seems to be no technical means of preventing these activities under remote Internet voting systems. Access. While remote Internet voting from home or the workplace will not likely occur on a large scale for some time, it will probably raise questions concerning equal access to the ballot. Before providing Internet voting for its 2000 Presidential primary, the Arizona Democratic Party sought and received clearance from the Justice Department concerning Voting Rights Act restrictions on instituting changes to the electoral process. In addition, a nonprofit group, the Voting Integrity Project, filed a federal lawsuit that alleged the Internet voting plan diluted minority participation (see discussion in the section on internet voting in the 2000 elections). Issues regarding access to computers and the Internet -- the digital divide -- are likely to continue because of disparities between certain groups in the electorate. Social and Political Implications. Some observers are critical of Internet voting on the basis of tradition, arguing that it will erode and eventually replace the most basic form of citizen participation in the democratic process. Some have voiced concerns about the loss of a civic ritual in which democracy, in its simplest form, is based on citizens going to the polls. They say that "Reducing a vote to a mere key stroke of a personal computer may diminish, not heighten, the significance of the act. At a minimum, voters who bother to actually go to the polls tend to be people who are motivated enough to learn 5 ABC News Poll, July 21, 1999 (based on interviews with 1,018 adults nationally between July 17 and 18). CRS-5 about issues.... The solution to a lack of commitment of voters is not to reduce the necessary commitment needed to vote."6 Internet Voting in 2000 Elections. During the 2000 election cycle, a number of limited Internet voting trials were held in both primary and general elections. Arizona's Democratic party launched what it called "the first-ever, legally-binding public election over the Internet" from March 7 to March 11. The election was conducted by Election.com, a New York-based company. Voters cast ballots from their homes or offices between March 7th and 10th, or at polling locations on March 11.7 The party mailed a personal identification number (PIN) to all 843,000 eligible voters, who could subsequently vote their ballot via the Internet by logging on to the party's website, entering their PIN, and providing two kinds of personal identification. Voters who used the polls could also cast their vote by paper ballot or computer at the polls. According to the Arizona Democratic Party, about 41% of the 86,907 ballots cast in the election were sent via the Internet from remote locations.8 The Arizona trial election created problems for some Internet voters, and resulted in confusion in some locations because of the new procedures. Some voters with Macintosh computers were unable to vote because their software was incompatible with the security system used in the election. The party added phone lines in the last few days of voting to field calls from Macintosh users and from voters who had lost their PIN and could not vote online without it. In response to a federal lawsuit, the Party also increased the number of polling places in the month before the primary. The Voting Integrity Project, a nonprofit organization, filed the lawsuit in U.S. District Court in Arizona charging that the process violated the Voting Rights Act by creating a disparity between voters with computers and those who lacked computer access, resulting in a dilution of minority votes. While the Democratic Party increased the number of polling places in response to the suit, it had difficulty finding locations with dedicated phone lines to allow for Internet connections (although paper ballots were available at all polling locations).9 U.S. District Court Judge Paul G. Rosenblatt permitted the election to proceed and the Voting Integrity Project did not appeal the decision. Also during the Presidential primary season, voters in three election districts in Alaska cast ballots via the Internet in the Republican Party's Presidential straw poll on January 24, 2000. The project was conducted by VoteHere.net, an Internet voting company located in Bellevue, Washington, and provided 3,500 voters in remote areas the 6 Jonathan Turley, "The Mouse That Roared ... and Voted," Los Angeles Times, Jan. 17, 2000. 7 Press release, Arizona Democratic Party Announces Internet Voting Registration Procedures for World's First Legally-Binding Public Election, [http://www.election.com/us/pressroom/pr2000/0113.htm], visited Feb. 18, 2000. Federal District Court Judge Paul G. Rosenblatt allowed the election to take place despite a lawsuit that asserted that Internet voting would discriminate against minorities; the court could set aside the election if minorities were under-represented among voters. 8 Arizona Democrats, "Paper Ballots vs. Internet Votes," [http://www.azdem.org/breakdown.html], visited June 8, 2000. 9 "Internet Voting Off to Rocky Start in Arizona Democratic Party-Run Primary," Election Administration Reports, vol. 30, Mar. 20, 2000, p. 4. CRS-6 opportunity to cast ballots in the straw poll. In the past, it was difficult for voters in these areas to participate in the straw poll. In the November 2000 general election, some members of the military and citizens living abroad were eligible to vote via the Internet on November 7. Voters who were covered by the Uniformed and Overseas Citizens Absentee Voting Act (42 U.S. Code 1973ff) and whose legal residence was one of fourteen counties participating in the project in Florida, South Carolina, Texas, and Utah were eligible to participate.10 The pilot project was limited to a total of 350 voters who could request and vote an absentee ballot via the Internet; 84 voters (representing 28 states and territories, and 12 countries) cast ballots under the program. A report (available at [http://www.fvap.ncr.gov/voi.html]) evaluating the program was issued by the Federal Voting Assistance Program, which administers the federal law, in June 2001. Internet Voting in Recent Legislation.The Defense Authorization Act for FY2002 (P.L. 107-107), included a number of provisions concerning uniformed services voters, one of which continued the Internet voting pilot program administered by the Federal Voting Assistance Program. It was signed into law by the President on December 28, 2001. The program permits some absentee uniformed services voters to cast ballots in federal elections through an electronic voting system. It is expected that the program will include more states than the four that participated in 2000, and should be accessible for both registration and voting beginning with primary elections in 2004. The Help America Vote Act (P.L. 107-252) included a requirement that the Election Assistance Commission established under the law conduct a thorough study of the potential for registering and voting on the Internet. Study topics include the requirements, impact, and cost of Internet registration and voting, as well as the means of ensuring equity of access to all citizens. The law calls for submission of a report to Congress 20 months after enactment. 10 The jurisdictions include Orange and Oskaloosa counties, FL; Dallas County, TX; Weber County, UT; and in South Carolina, Beaufort, Greenville, Greenwood, Horry, Lancaster, Laurens, Lexington, McCormick, Orangeburg, Pickens, and York counties. ------------------------------------------------------------------------------ For other versions of this document, see http://wikileaks.org/wiki/CRS-RS20639