Prof. Ron Rivest, MIT: Military/Overseas Internet Voting Risks and Rewards

Yesterday, MIT Professor Ronald L. Rivest provided his analysis of Internet voting for military and overseas voters in an entertaining and occasionally technical slide presentation at the UOCAVA Workshop on Remove Voting Systems, in Washington, D.C  <View>

Professor Rivest is a security expert, the ‘R’ in RSA Security, and 2002 winner of the Turing Award, the highest honor in computing.  When Ron talks security, everyone including legislators and election officials should listen carefully.

The talk centered on the balance between risks and rewards of using Internet voting vs. paper ballots for military and overseas voting.  You will find many of Ron’s slides entertaining, some a bit technical, yet all serious. The conclusions are straight-forward and convincing.  Some of the highlights below, view the presentation for the details and graphics:

Evaluation Criteria:

  • Availability and usability
  • Cost
  • Staffing requirements
  • Security and auditability

Rivest points out that paper based absentee voting and mail-in voting is already risky and recommends such voting be limited –  in order to limit the overall election risk:

  • Unsupervised remote voting vulnerable to
    vote-selling, bribery, and coercion.
  • Communication with voter, and transmission
    of ballots, may be unreliable/manipulable.
  • believe remote voting should be allowed:
    • only as needed
    • for at most 5% of voters
  • UOCAVA voting meets these criteria.

The risks to democracy:

If adversary determines election outcome,
all voters are disenfranchised!

We no longer have a democracy in action…

What is “loss” when election is stolen?
Just the 100% loss of franchise?

Let’s add an additional Hall of Shame Factor (HOSF), for stolen elections. (Not only shame, but if elections are (or could be) stolen, voters may get cynical and not vote again!)

Will Adversary attack voting system?

  • Is the Pope Catholic?
  • Will someone pick up $20 left on sidewalk?
  • There is nothing to deter attacker – Adv can attack anonymously over the Internet until he succeeds.
  • Do you know of any computer systems that have never been attacked?
  • Prob(Adv will attack voting system) = 100%

Internet voting has additional security problems

  • Platform insecurity (both client and server)
  • Network insecurity
  • Set of attackers enlarged from:
    • just those who can touch paper ballots, to
    • anyone on the planet with a computer
  • Attacks can be automated, executed on a massive scale, and done so anonymously

Will they succeed?

  • Large institutions (banks, Google) are successfully attacked all the time. They have much better staff and budgets!
  • Bob Morris (NSA) said: “You will always underestimate the effort the enemy will make to break your system.”…

Who has more IT capability – your local election IT staff or the Chinese?…

  • We do not currently have the technology to make internet voting secure (and may never).
  • We can’t make such technology appear by wishful thinking, just trying hard, making analogies with other fields, or running pilots.
  • It is imprudent (irresponsible?) to assume that determined effort by adversaries can’t defeat security objectives of internet voting.

Risk Assessment Conclusion:

  • Based on this risk assessment, we expect Internet voting for UOCAVA voter to disenfranchise many more voters than it would franchise.
  • The apparent gains in franchise for internet voting are misleading and illusory—the apparent gains are more than cancelled by the risks.
  • Argument is robust — conclusion remains the same even if numbers are varied significantly. In addition, there may be a DDOS attack with probability near 100%.


  • Remote voting is trade-off between franchise and risk.
  • The risks of “internet voting” more than negate any possible benefits from an increase in franchise.

Leave a Reply

You must be logged in to post a comment.