UPDATE February 9 2019: Victory! These bills did not make it out of committee.
Experts agree: Internet voting would be an information security disaster. Unfortunately, the Commonwealth of Virginia is considering a pair of bills to experiment with online voting. Pilot programs will do nothing to contradict the years of unanimous empirical research showing that online voting is inherently vulnerable to a variety of threats from malicious hackers, including foreign nations.
EFF strongly opposes Virginia H.B. 2588 and S.J.R. 291, and all online voting. Instead, EFF recommends that absentee voting, like all voting, be conducted with paper records and risk-limiting audits, the current state-of-the art in election security.
The first problem with Internet voting is the most basic: If citizens vote with their own phones and laptops, and those phones and laptops have malware on them, that malware can manipulate the vote. Consider all the spam in your inbox every day. Lots of it comes from compromised machines. Voting on such compromised computers would mean handing our elections over to whoever controls the biggest botnet.
Relatedly, any Internet voting infrastructure is vulnerable to DDoS attacks. The Commonwealth of Virginia seems to have forgotten that just two years ago, the Mirai botnet took down big chunks of the Internet. A botnet operator could perform DDoS attacks against election servers, making it harder to vote. Or they could attack home Internet services in specific neighborhoods, tilting an election in favor of one candidate or another by selectively suppressing votes.
There’s also the risk of spoofing attacks: If an attacker can convince enough people to vote through a fake site or a fake app, they have effectively suppressed those votes and potentially changed the election outcome. We’ve already seen “vote by text” scams in previous elections. Those scams will only become more potent if Internet voting is real. Just think back to the last time a friend or relative was phished, or had their account hacked, to understand what a widespread problem spoofing could be in an elections context.
Virginia currently has a paper trail for all ballots, and passed legislation in 2017 mandating risk-limiting audits. Adding Internet voting to the mix would undermine all the hard work that election officials in the state have already put toward securing elections.
EFF proudly joined with Verified Voting and other voting experts to ask the Virginia General Assembly to reject H.B. 2588 and S.J.R. 291. Read the letter here.