
Can Legislatures Safely Vote by Internet?

It is a well-understood scientific fact that Internet voting in public elections is not securable: “the Internet should not be used for the return of marked ballots. ... [N]o known technology guarantees the secrecy, security, and verifiability of a marked ballot transmitted over the Internet.”

But can legislatures (city councils, county boards, or the U.S. Congress) safely vote by Internet? Perhaps they can. To understand why, let’s examine two important differences between legislature votes and public elections:

  1. Public elections require the secret ballot; legislatures can vote by public roll-call vote.
  2. Internet voting requires digital credentials; the U.S. has no effective way to distribute digital credentials to the public, but it is feasible to provide credentials to members of a legislature.

The cyberthreats facing any kind of Internet voting include:

  A. hackers impersonating a voter,
  B. hackers exploiting server vulnerabilities to fraudulently change the software that counts votes,
  C. hackers exploiting client vulnerabilities (in voters’ phones and laptops) to fraudulently change the software that transmits votes, and
  D. other attacks, such as denial of service (preventing some legislators from accessing the Internet).

(Blockchain can’t solve these problems; see pages 103-105)

But suppose a legislative body wished to avoid meeting in person during a pandemic. Could these threats be mitigated sufficiently?

(A) It is feasible to distribute security tokens to the 15 members of a county commission or the 435 members of the House of Representatives, in a way that’s not feasible for 235 million registered voters. Even without security tokens, a Member who is personally known to the clerk of the legislature could vote by video chat, in an emergency. (Caveats: Security tokens are highly secure but not perfect; video chat could be subject to deep fakes; but see below for mitigations.)

(B, C) Attacks that compromise the client or server computers can be detected and corrected if everyone’s vote is displayed on a “public bulletin board.” That is, each member of the legislature would transmit his or her vote, and then must check the public roll-call display to make sure the vote was reported and recorded accurately.

Checking the public roll-call display isn’t so simple since hackers could alter the member’s client device (e.g., laptop computer or phone) to make it lie about what’s downloaded from the roll-call display. A Member should check the roll-call from a variety of devices in a variety of locations, or (perhaps) coordinate with other Members to make sure they’re getting a consistent report.
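The cross-check described above can be sketched in code. This is an added example, not part of the original post: the function names, the member names and the sample roll-calls are all constructed for illustration. It compares copies of the roll-call obtained on different devices or from a colleague, and reports both a wrong recorded vote and any disagreement between the copies.

```python
import hashlib
import json


def roll_call_digest(roll_call):
    """SHA-256 over a canonical encoding of a roll-call (member -> vote)."""
    canonical = json.dumps(roll_call, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def check_views(member, intended_vote, views):
    """Compare roll-call copies fetched on different devices or by colleagues.

    views maps a label (a device or a colleague) to the roll-call that
    source displayed, itself a dict of member name -> recorded vote.
    """
    # Sources whose copy shows a missing or different vote for this member.
    wrong = sorted(label for label, rc in views.items()
                   if rc.get(member) != intended_vote)
    # Group sources by digest: more than one group means the copies disagree,
    # so at least one device or channel is not showing the real display.
    groups = {}
    for label, rc in views.items():
        groups.setdefault(roll_call_digest(rc), []).append(label)
    return {
        "vote_wrong_or_missing": wrong,
        "view_groups": sorted(sorted(g) for g in groups.values()),
        "consistent": len(groups) == 1,
        "ok": len(groups) == 1 and not wrong,
    }


# Constructed sample data: Member A meant to vote "yea", the recorded
# roll-call says "nay", and the office laptop displays the intended vote
# instead of the recorded one.
RECORDED = {"Member A": "nay", "Member B": "yea", "Member C": "nay"}
TAMPERED_DISPLAY = {**RECORDED, "Member A": "yea"}
SAMPLE_VIEWS = {
    "office laptop": TAMPERED_DISPLAY,
    "personal phone": RECORDED,
    "colleague (Member B)": RECORDED,
}

if __name__ == "__main__":
    print(json.dumps(check_views("Member A", "yea", SAMPLE_VIEWS), indent=2))
```

The comparison is only meaningful if the copies or their digests are exchanged over a channel the suspect device does not mediate, for example read aloud on a phone call.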

This remote workaround would not be simple and easy. Careful protocols must be designed to limit the amount of time for members to contest their vote; one must consider what happens if Members game the system (by falsely claiming their vote was altered); one must consider what happens if lobbyists are literally sitting next to the member during voting (which is less likely when the member is gathered in a public place for a traditional vote). What do the legislature’s quorum rules mean in this context? And many legislatures prefer to take many votes by “voice vote” where each member’s individual vote is not recorded.

And just because Internet roll-call votes may be feasible to secure, that doesn’t mean they’re automatically a good idea, or legal: see this report by the Majority staff of the House of Representatives.

Conclusion: we know that Internet voting by the public is impossible to secure, and thus we must not vote by Internet even during the COVID-19 epidemic. But Internet voting by legislatures is not necessarily impossible to secure, and could reasonably be considered. If legislative bodies desire to meet and vote remotely, there is still plenty of work to do to actually secure the process. And that’s difficult to do in a hurry.

This post was originally published on Freedom to Tinker.

By Andrew Appel, Professor of Computer Science at Princeton University
