1.3 Why security for Internet voting is far more difficult than for e-Commerce
Many people mistakenly assume that since they can safely conduct commercial transactions over the
Internet, they also can safely vote over the Internet. First, they usually underestimate the hazards of online financial transactions, and are unaware of many of the risks they take even if they are careful to deal
only with “secure” web sites through the SSL protocol. But they also assume that voting is comparable
somehow to an online financial transaction, whereas in fact security for Internet voting is far more difficult
than security for e-commerce. There are three reasons for this: the high stakes, the inability to recover from
failures, and important structural differences between the requirements for elections and e-commerce.
First, high security is essential to elections. Democracy relies on broad confidence in the integrity of our
elections, so the stakes are enormous. We simply cannot afford to get this wrong. Consequently, voting
requires a higher level of security than e-commerce. Though we know how to build electronic commerce
systems with acceptable security, e-commerce grade security is not good enough for public elections.
Second, securing Internet voting is structurally different from—and fundamentally more challenging
than—securing e-commerce. For instance, it is not a security failure if your spouse uses your credit card
with your consent; it is routine to delegate the authority to make financial transactions. But it is a security
failure if your spouse can vote on your behalf, even with your consent; the right to vote is not transferable,
and must not be delegated, sold, traded or given away. Another distinction between voting and
e-commerce is that while a denial of service attack on e-commerce transactions may mean that business is
lost or postponed, it does not de-legitimize the other transactions that were unaffected. However, in an
election, a denial of service attack can result in irreversible voter disenfranchisement and, depending on the
severity of the attack, the legitimacy of the entire election might be compromised.
Third, the special anonymity requirements of public elections make it hard to detect, let alone recover
from, security failures of an Internet voting system, while in e-commerce detection and recovery are much
easier because e-commerce is not anonymous. In a commercial setting, people can detect most errors and
fraud by cross-checking bills, statements, and receipts; and when a problem is detected, it is possible to
recover (at least partially) through refunds, insurance, tax deductions, or legal action. In contrast, voting
systems must not provide receipts, because they would violate anonymity and would enable vote buying
and vote coercion or intimidation. Yet, even though a voting system cannot issue receipts indicating how
people voted, it is still vital for the system to be transparent enough that each voter has confidence that his
or her individual vote is properly captured and counted, and more generally, that everyone else’s is also.
There are no such requirements for e-commerce systems. In general, designing an Internet voting system
that can detect and correct any kind of vote fraud, without issuing voters receipts for how they voted, and
without risking vote privacy by associating voters with their votes, is a deep and complex security problem
that has no analog in the e-commerce world. For these reasons, the existence of technology to provide
adequate security for Internet commerce does not imply that Internet voting can be made safe.