Private email over the Internet is not a secure method of transfer for documents containing your confidential identity information. This is why Overseas Vote Foundation recommends that voters return their ballots by regular mail and fax.

And yet approximately 18 states are allowing overseas and/or military voters to return their voted ballots by scanning them in and attaching the file to an email. 

We base this recommendation on the analysis of computer security professionals and election integrity experts such as Dr. David Jefferson, a professor of Computer Science at the University of Southern California, and Professor Ronald Rivest, the Andrew and Erna Viterbi Professor of Electrical Engineering and Computer Science in MIT's Department of Electrical Engineering and Computer Science.

The following are their responses to our question about the security of returning voted ballots and the differences between email balloting and Voting by Mail (VBM).

Dr. David Jefferson:

Email ballots have LOTS of problems.

1) Email can be lost in transit:  Email is a “best efforts” service, not a guaranteed delivery.  If an intermediate or final server is down there may be several attempts to deliver it, but if they fail the email may be bounced (the good case) or simply dropped (the bad case).  If bounced, it may be *days* before the sender is notified.  This behavior is unusual, but not rare.

2) Email can be filtered: Most ISPs offer "spam" filtering according to widely varying undocumented criteria.  While for the most part this is helpful, it is crucial that ballots not be considered spam and get filtered out.  But how will we know? If it is filtered, the sender will not know, and an unsophisticated county might not either.

3) Email can be duplicated: It does not happen often, but it is a normal hazard of a reliable message service that it prefers to err on the side of delivering too many copies rather than risk delivering no copies of a particular email.  Just the other day I got eleven copies of a piece of personal email that was sent only once.

4) Email can be forged: This means that the From: line is not a reliable indicator of the real sender.  While most consumer email programs do not permit this, the more primitive ones widely available do.  Spammers take great advantage of this.

5) Email cannot generally be encrypted.  It is not that it is fundamentally immune to encryption, of course.  But there is no simple, widely deployed, turnkey encryption system available with consumer email because there is no universally trusted and available public key infrastructure that consumers know how to use and is supported by their email programs.

6) Email can be copied, read, and modified anywhere along the path from sender to receiver.  Email is a store-and-forward service, which means it is relayed in several steps from the sender to the receiver, by servers that probably belong to several different companies.  Because it is unencrypted, it is trivial for anyone who controls one of the email relays to copy an email, read it, drop it (i.e. simply fail to relay it forward), bounce it back to the sender, or modify it arbitrarily before forwarding it to its destination.  The same thing can happen if the sender's computer is infected by malware.

7) Ballots can be copied, violating privacy: Emailed ballots must be accompanied with the name of the voter, and both will be in the clear.  As a result, the owner of an email relay can make copies of all ballots transiting through his network, and simply read how people voted, with all of the bad consequences that might entail.  And we must assume that email that crosses a national boundary over civilian infrastructure will be copied en masse by the governments on both the sending and receiving sides.

8) Attacks on email ballots do not have to be retail at all.  They can easily be wholesale.  Anyone who controls an email relay can modify its behavior to put aside all ballots (trivially identifiable by destination address) for further "processing" to decide how to attack them.  An attack may be as simple as dropping ballots that the attacker does not like.  Or forwarding them to a third party for vote buying or coercion purposes.  Or wholesale modification or substitution of the ballots to change votes according to the attacker's desires.  If automated--and why wouldn't it be?--then thousands of ballots can be affected with an additional delay of less than a second each in delivery time.

9) You don't think it is likely that anyone really would modify your email in transit?  How many times have you seen emails with taglines or ads inserted that the sender did not put there?  Email modification in transit happens to millions of messages every day.  Automating the wholesale modification of thousands of email ballots is simply a matter of a person in the right place wanting to do it.  It does not even have to be an employee of the company that owns the email relay where the attack happens.  A third party from anywhere in the world who remotely and surreptitiously gains control of an email relay can do the same thing in any of several ways, and likely not get detected for a long time--long enough to change the outcome of an election with no hope of repairing the damage.

Dr. Jefferson on the differences between email balloting and paper VBM:

1) Ease of automation of email attacks: There is no corresponding hazard for VBM.

2) Lack of ability to detect email attacks: Physical attacks on snail mail ballots, unless done slowly and carefully with good tools, would be detectable.  The only simple undetectable attack on snail mail is to throw ballots away based on where they came from without opening them to determine whether they are favorable or not to the attacker - not a very sharp attack at all.

3) Speed and simplicity of email attacks: Once installed, an email attack package would work silently and efficiently and could handle all of the ballots that happened to be routed through that particular server.  The only way to achieve a similar attack effect for snail mail would be to have a big boiler room operation with many people in league at a postal service location.

4) The potential for foreign cyber attacks: Email attacks do not have to be perpetrated by insiders or employees of ISPs that run email relays.  Any foreign agency might attack an email server remotely and control it, or a botnet criminal syndicate, or an enterprising lone hacker.  There is no corresponding attack mode for snail mail.
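As an added illustration of points 4 and 6 above (example code written for this page, not part of Dr. Jefferson's remarks or of any Overseas Vote Foundation material): a small Python audit that reads the Received: headers a message accumulates at each store-and-forward relay and reports whether anything cryptographically binds the From: line or the body. The sample message, host names and addresses are constructed for the example.

```python
"""Audit the relay path and authentication headers of a raw email message.

Each store-and-forward relay prepends its own Received: header, so the
chain of hops is visible after delivery.  The From: line, however, is
plain text: unless the message carries a DKIM signature from the sending
domain or an end-to-end S/MIME or PGP signature, nothing ties the header
or the body to the claimed sender, and in-transit modification is
undetectable.  This audit only reports which protections are absent.
"""
import email
import email.policy
import re

# Constructed sample (documentation addresses, no real hosts or ballot).
# Received: headers are newest-first because every relay prepends its own.
SAMPLE_MESSAGE = """\
Received: from relay3.example-isp.net (relay3.example-isp.net [192.0.2.30])
\tby mail.county-elections.example (Postfix) with ESMTP id 0001
Received: from relay2.example-carrier.net (relay2.example-carrier.net [198.51.100.20])
\tby relay3.example-isp.net with ESMTP id 0002
Received: from voter-laptop.local (unknown [203.0.113.5])
\tby relay2.example-carrier.net with SMTP id 0003
From: voter@example.net
To: ballots@county-elections.example
Subject: Voted ballot
Content-Type: text/plain

(scanned ballot image would be attached here)
"""

# "from <host> ... by <host>" is the conventional Received: clause layout.
RECEIVED_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.S)


def relay_hops(raw_message: str) -> list:
    """Return the relay chain oldest-first as (from_host, by_host) pairs."""
    msg = email.message_from_string(raw_message, policy=email.policy.default)
    hops = []
    for header in msg.get_all("Received", []):
        match = RECEIVED_RE.search(header)
        if match:
            hops.append((match.group(1), match.group(2)))
    hops.reverse()  # header order is newest-first; present oldest-first
    return hops


def audit(raw_message: str) -> dict:
    """Summarise what a receiving election office can and cannot verify."""
    msg = email.message_from_string(raw_message, policy=email.policy.default)
    hops = relay_hops(raw_message)
    return {
        "relay_count": len(hops),                 # servers that could read/alter it
        "first_hop_host": hops[0][0] if hops else None,
        "from_header": str(msg["From"]),          # unauthenticated text
        "has_dkim": msg["DKIM-Signature"] is not None,
        "is_signed_end_to_end": msg.get_content_type()
        in ("multipart/signed", "application/pkcs7-mime"),
    }
```

For the constructed message the audit reports three relays, no DKIM and no end-to-end signature, which is exactly the state in which the From: line and the attachment cannot be trusted.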

Dr. Ronald Rivest:

There is one attack on email balloting that hasn't received much explicit discussion, which is the denial-of-service (DOS) attack.

Unless extraordinary measures are taken, the servers run by jurisdictions to collect email ballots are very vulnerable to DOS attacks.

It is child's play these days to hire a botnet to send out tens or hundreds of millions of spam email messages; I doubt the filters on most election jurisdiction servers would be able to cope... And of course, you can target servers according to the politics of the targeted jurisdiction.

While a DOS attack is easily detectable, it isn't so clear what one can do about it within the framework of election management and typical election budgets. And it illustrates nicely another way in which the Internet and snail-mail differ...

Related Blog Post:

Let's Hear It: Do You Want to Email Your Ballot?