Andrew Appel has posted this draft on SSRN (forthcoming, University of New Hampshire Law Review). Here is the abstract:
No known technology can make internet voting secure, according to the clear scientific consensus. In some applications—such as e-pollbooks (voter sign-in), voter registration, and absentee ballot request—it is appropriate to use the internet, as the inherent insecurity can be mitigated by other means. But the insecurity of paperless transmission of a voted ballot through the internet, cannot be mitigated.
The law recognizes this in several ways. Courts have enjoined the use of certain paperless or internet-connected voting systems. Federal law requires states to allow voters to use the internet to request absentee ballots, but carefully stops short of internet ballot return (i.e., voting).
But many U.S. states and a few countries go beyond what is safe: they have adopted internet voting, for citizens living abroad and (in some cases) for voters with disabilities.
Most internet voting systems have an essentially common architecture, and they are insecure at least at the same key point, after the voter has reviewed the ballot but before it is transmitted. I review six internet voting systems deployed 2006-2021 that were insecure in practice, just as predicted by theory—and some were also insecure in surprising new ways, “unforced errors”.
We can’t get along without the assistance of computers. U.S. ballots are too long to count entirely by hand unless the special circumstances of a recount require it. So computer-counted paper ballots play a critical role in the security and auditability of our elections. But audits cannot be used to secure internet voting systems, which have no paper ballots that form an auditable paper trail.
So there are policy controversies: trustworthiness versus convenience, security versus accessibility. In 2019-22 there were lawsuits in Virginia, New Jersey, New York, New Hampshire, and North Carolina; legislation enacted in Rhode Island and withdrawn in California. There is a common pattern to these disputes, which have mostly resolved in a way that provides remote accessible vote by mail (RAVBM) but stops short of permitting electronic ballot return (internet voting).
What would it take to thoroughly review a proposed internet voting system to be assured whether it delivers the security it promises? Switzerland provides a case study. In Switzerland, after a few years of internet voting pilot projects, the Federal Chancellery commissioned several extremely thorough expert studies of their deployed system. These reports teach us not only about their internet voting system itself but about how to study those systems before making policy decisions.
Accessibility of election systems to voters with disabilities is a genuine problem. Disability-rights groups have been among those lobbying for internet voting (which is not securable) and other forms of remote accessible vote by mail (which can be adequately securable). I review statistics showing that internet voting is probably not the most effective way to serve voters with disabilities.