Rush/Partial transcript by Emily Levy
[Ed Note: For details and background on this hearing, see this BRAD BLOG report.]
COUNCILWOMAN MARY CHEH: We're all here to talk about the D.C. Board of Ethics and Elections Internet voting pilot program, digital vote by mail. And that program they provided a test period and during that test period Dr. Halderman from the University of Michigan was one of the testers and he had found sort of significant vulnerabilities with the program. We think his findings are significant and would exceed the five minutes or three minutes that we have.
CHEH: Well, you would all get five minutes so we'll see how we can run it. Who's Dr. Halderman? Which …? You're Dr. Halderman? Okay. You're getting a lot of extra time from your folks, but if you don't use it we can also pull things out via questions. So. Dr. Halderman, we'll take your testimony. You're going to have latitude here. And I did say that one of the reasons why we're doing this and you asked about it is because of the sort of technicaly more detailed nature of it. But just remember that I have to have things simple to be able to understand it, so despite how technical or sophisticated it is in reality, if you could just kind of make it available to folks like myself. And of course remember that the public will be watching and they need to understand a) what the issue is, and what the difficulties are, so if you could put it in those terms. You're up. Go ahead.
AH:[inaudible] … aren't actually that complicated, so.
CHEH: Good. [inaudible comment from someone] Sure.
SUSANNAH GOODMAN: I can just open and then basically say what I said.
CHEH: Okay. Go ahead
GOODMAN: My name is Susannah Goodman. I'm with Common Cause, which is a national citizen advocacy organization. And we're, this panel is here today to discuss the D.C. Board of Ethics and Elections pilot program, which was designed to help uniformed, military and overseas voters cast ballots in a timely fashion. They developed an Internet voting program called Digital Vote-By-Mail and Common Cause was very concerned about the cyberfraud that could occur when ballots are cast over the Internet. So we really commend the D.C. Board of Ethics and Elections for opening this program to a test period. We believe the test period was invaluable as it showed the significant cyber-problems that could occur when votes are cast over the Internet. So with your permission I'd like to yield the balance of my time to Dr. Halderman from the University of Michigan who was able to find significant problems with the Internet voting program. And again, I want to really commend the D.C. Board of Ethics and Elections for allowing this test period.
CHEH: Basically you're a hacker, is that what we're to understand?
PROF. ALEX HALDERMAN: No, I'm a professor of computer science. [laughter]
CHEH: Just checking. Anyway, I'm sorry. Go ahead, Dr. Halderman.
HALDERMAN: Yes, well, thank you. I'd like to begin by thanking the Board for allowing me to participate in testing their Digital Vote-By-Mail system. This is the kind of open public testing that many of us in the e-voting security community --- including me --- have been encouraging vendors and municipalities to conduct. So I was very glad to participate.
I'd like to stress, though, that this kind of testing just cannot show that a system is secure. The best we can hope is that we'll find some of the problems in the system before real criminals do. But there will always be the potential that there are attackers who are smarter, better-funded or just luckier than the people doing the tests. Even though the test period was announced only three days before it was due to start, I was able to assemble a team from the University of Michigan including my students Eric Wustrow and Scott Wolchok, who are my Ph.D. students, Dawn Isabel (a member of the university technical staff), and we were also helped by Nadia Henninger, a Ph.D. student from Princeton who's here today. As far as I know, we were the only team that was seriously engaged throughout the process in the security testing side of things.
Within 36 hours of the system going live, my team had found and exploited a vulnerability that gave us essentially total control of the voting system software. This included the ability to change votes and to reveal voters' secret ballots. This problem, known technically as a shell injection vulnerability, has to do with the ballot upload procedure in the system. In effect, it allowed us to remotely log in to the server as a privileged user. BoEE launched the test bed on Tuesday the 28th and on Wednesday afternoon we began to exploit this vulnerability to perform a number of demonstration attacks.
We did several things. We collected data stored on the server including crucial secrets such as the database user name and password as well as the key the system used to encrypt ballots for privacy. We modified all the ballots stored on the system that had already been cast by voters and we changed the votes so that the votes would be counted for candidates we selected. Mostly they were evil science fiction robots. We also rigged the system to replace any future ballots that were cast in just the same way. We installed a back door that let us view how voters voted together with their names, violating the secrecy of the ballot, and to show that we had control of the server we left a calling card, if you will. This was on the confirmation screen that voters get to see after they vote. After 15 seconds, that screen would start playing music: the University of Michigan fight song. This was my students' idea.
CHEH: You're a funny bunch, over there. [laughter]
HALDERMAN: Well, we're a pretty serious bunch, too. But we were looking at this exercise as a healthy kind of back-and-forth between us and the BoEE administrators because this is the kind of, this kind of intrusion is something that they would face in a real attack if the system went live, and we wanted to give them experience with it. But clearly stealthiness was not our main objective, otherwise we wouldn't have played the fight song. Nevertheless, we didn't immediately announce what we had done. We wanted them to have a chance to exercise, the administrators to have a chance to exercise their attack detection and recovery procedures, which are an essential part of any online voting system. But still the attack remained active for two business days on the site, from overnight on Wednesday until Friday afternoon when BoEE officials took down the test bed server after several testers pointed out the fight song was playing. So a real attack might be completely invisible and could have gone on undetected much, much longer.
In fact, other attacks did go undetected. I know this because my team conducted one of them. Since the beginning of the test my team has been monitoring and controlling routers and switches that are connected to the BoEE pilot network. These are critical pieces of the network infrastructure. We gained access to this equipment because the network administrators who set it up left a default master password unchanged. This password we were able to look up in the owner's manual for the piece of equipment. And once we, once we did we found it was only a four-letter password. So once we gained control of this equipment, we could watch in real time on my desktop in Michigan as the network operators configured and tested the equipment. We could also watch them on camera because we found a pair of security cameras in the data center were on the same network as the pilot system and were publicly accessible with no password at all. I have some pictures here of people in the data center …
CHEH: [inaudible], Miss Benjamin, could you do me a favor and pick up these items?
HALDERMAN: Thank you. So we were able to watch from Michigan what they were typing to configure the systems including the passwords that they used to configure these routers and switches, as well as to watch people on camera as they were in the data center room.
CHEH: The people from the BoEE, you realized you were on camera?
HALDERMAN: Although these pieces of …
?: [inaudible comment]
HALDERMAN: [laughter] Although these pieces of equipment don't seem to be in use yet, the ones that we got access to, they're plugged into the network and this kind of access that we had would have allowed us to reprogram them so that when they are put in use, we could monitor, change and redirect the data flowing through the BoEE network. This could easily have given us a totally separate second way to steal votes in a real election.
We weren't the only ones, though, who were trying to attack the BoEE network infrastructure. While we were in control of these systems we observed other attack attempts originating from computers in Iran and China. These attackers were attempting to guess the same master password that we did. And since it was only four letters long, they would likely have soon succeeded. So we decided to defend the network by blocking them out, by adding rules to the firewall, and by changing the password to a more secure one.
CHEH: You changed the password of the BoEE system?
HALDERMAN: Of the pilot system, yes.
CHEH: You changed it?
HALDERMAN: We did, yeah, to something so that the Chinese and Iranian attackers wouldn't get it.
I'd like to stress that attacks like this are a common Internet phenomenon and I do not believe that these attackers were specifically targeting the D.C. voting system. But this is a large part of why Internet voting is so dangerous. The servers are going to face attacks from powerful adversaries anywhere in the world.
All of the specific vulnerabilities that we exploited to do this are relatively simple problems and easy to fix, but it would be vastly more difficult to make Internet voting secure. Web security generally tends to be brittle. That is, one small mistake can completely compromise the security of the system. This is part of why even the Pentagon and Google can't keep their networks secure. So unlike applications like online banking, where, an Internet voting system just can't keep accounting records of how every single voter voted, because we have a secret ballot.
So if there is fraud it's much more difficult to detect it or to recover from it. You can't just back it out. And unlike absentee ballot returned by postal mail, fax, or email, an attacker who compromises a digital ballot return system could disenfranchise all of the voters in one fell swoop. So it may some day be possible to build a secure method for submitting ballots over the Internet, but the scientific consensus as representatives from the Board heard in the [sounds like U.O.Cava?] workshop in August, the scientific consensus is that Internet voting is just too dangerous today based on the limits of today's security technology. Indeed, it will probably be decades if ever before the technology is at a level where we can perform a, perform voting safely purely over the Internet.
This is why I wasn't surprised when we found the problems we did in the BoEE's system, because web security just is a terribly hard problem and websites tend to have vulnerabilities of kinds like these. But after our attack on the test bed server I later examined the data we collected, files that were sitting around on the server machine that we accessed, and there was one thing that was incredibly shocking. So the reason I was able to find what I did is that the programmers made another mistake when they built the system. It accidentally kept around a copy of the, whatever files or ballots were uploaded by voters in an unencrypted form where you could just see whatever was in the file if you had access to the server. And looking back at these files, some of them were left from before the test period officially began, it appears that before the public test was launched someone at BoEE was testing the system by uploading files of various sizes. They wanted to make sure that it would reject files that were too small or too large. Any files would do for this, and it looks like the files that were uploaded were just things that were lying around on somebody's computer, some BoEE employee's computer. Some of the files were just a page with one sentence, "This is a blank ballot." Others were much bigger. One was even the installation file for a certain Macintosh programming tool that the system, was not a ballot file at all but it would be rejected by the system for being too big.
But one of the files, which I have here [takes hundreds of pages out], one of the files was a 937-page .pdf document. It appears to be the 937 invitation letters that BoEE sent to registered voters. Each page contains the name and voter ID number of a real voter along with the 16-character PIN that is the only password a voter needs in order to use the system in the real election. We examined the file metadata. The author of the file is Paul Stenpjorn[?]. It appears that, that this may be the real thing.
We found the document on the test bed server, a system that BoEE invited the world to break into. And that we showed could be broken into very easily. We have no way of knowing who else has access to this. The PINs in this document are the most critical secret to protecting the whole voting system. If digital ballot return were still in use, a criminal could use them to vote in the name of every single voter and keep the real voters from voting! So my question is why was this file on the test bed system? This isn't the sort of thing that you would actually need to use to test this feature that was apparently being tested. I'm just deeply concerned that BoEE does not take the secure, does not take security seriously and that it fails to appreciate the security challenges that are faced by any Internet voting system. Thank you.
CHEH: Thank you very much. I want to put a couple of questions. These may be to anybody, whoever wants to answer them. But the first question I think you did answer, but I want to, you know, find out for sure. You're saying that right now we do not have the capacity, under any circumstances, to have secure internet voting?
HALDERMAN: I'm saying this is a technical problem we do not yet know how to solve, no.
CHEH: And obviously I'm out of my element here, so bear with me. What about the most sensitive secrets that governments have, and encryption, and what if you have two keys, one on one side and one on the other side?
CHEH: Wouldn't that kind of system, if plausibly deployed, couldn't that work?
HALDERMAN: So governments' most sensitive secrets are not put onto computers that are connected to the internet. That's a large part of how we protect them. And it's exactly because internet security is such a difficult problem that we don't trust internet-connected computers to keep those secrets safe.
CHEH: But what about a two-key system, though?
JEREMY EPSTEIN: Could I …?
EPSTEIN: If I may, the gentleman who invented the system you're referring to is Dr. Ronald Rivest of M.I.T. He was one of the signatories on the letter which we sent to you just before this trial period began, urging you not to move forward with this experiment. And if the man who invented it thinks it's not a good idea and his invention isn't good enough to succeed in doing what you're talking about, it's hard for me to imagine why the rest of us mere mortals would be able to use his invention to do that.
CHEH: Right, but wasn't it good to have a test case? I mean, the very fact that you're here, and …
EPSTEIN: Oh, absolutely. We think it's wonderful that it was tested and now we should put it aside and come back and look at it again maybe in another ten years.
GOODMAN: I'd like to add something to that. I think it's extremely gratifying that there are election officials like Rokey Silliman(?), like the D.C. Board of Elections and Ethics, that are willing to put this kind of transparent effort forward and allow for public testing. I think that there are some obvious critical lessons learned here, as you said. Why we're here. I'm concerned that we do learn the right lessons. You can patch holes, you can fix the system, you can try a different system, but the biggest problem here is the internet. And until you have a different internet, it's not likely that any such system is going to be able to assure the secrecy and security of the votes. This is done with the motivation of helping military and overseas voters, largely who have had a really unfair shake for a lot of years and we want to make things better for them, the MOVE Act was passed with the idea of expanding their opportunity, but it didn't require electronic return of voted ballots and these are precisely the reasons why that was not included.
CHEH: Can we have half a loaf? Can we communicate with the voters via internet but have them send back by fax or some other methodology the ballot itself?
HALDERMAN: I think that's much less risky. And sending ballots, sending the unfilled ballots over the internet and having the voters fill them in removes a lot of the problem that we've, that we've seen. and in cases where there's not another practical way to communicate ballots to voters before the election, that may be the best solution on the balance of the risks. The major …
CHEH: But you said, you know, and I know you can't give me certainty, perhaps, but you say it's much less risky and that, you know, on balance --- is it risky, nevertheless?
GOODMAN: It is. You know, one of the problems that we have here is that we've done this test on the Digital Vote-By-Mail system but D.C. and a lot of other jurisdictions around the country are currently using some email return of voted ballots and some fax return of voted ballots. And I would submit that there's not a lot of difference today, back in the old days fax was a dedicated phone line to another dedicated phone line. But now I can send faxes to and from my computer and it goes over the internet and never touches a phone line. So what we're talking about is an alternate version of internet voting if you use those methods for electronic return. And I think you have to take that on …
CHEH: How can that be made secure, though, because you do use the internet as part of the delivery device, so to speak?
GOODMAN: Exactly. And I think that's a concern. And until we do things like opening up the email servers to tests such as this test, you're not going to find out exactly the level of vulnerabilities that exist.
HALDERMAN: There is no perfectly secure system and that's, I think, a key point here, is we need to not expect perfection but at the same time recognize where there're major problems and this showed a system that had major problems. There are problems certainly with fax and email voting. There's also problems with plain old U.S. mail voting.
CHEH: But those problems would be limited in scope, right? That is to say …
HALDERMAN: Right. That's exactly right.
CHEH: …you don't get into the whole operation. You may be able to frustrate a particular vote.
HALDERMAN: We call that 'retail' versus 'wholesale' attacks. And this is a wholesale attack.
EPSTEIN: If I may, it's a little bit like the difference between all of the voters riding together in one airplane and each voter driving to the polls individually. If everyone is riding on the same plane and there's a problem, or if someone wants to disrupt the election by disrupting the airplane, then all of the eggs are in one basket. Everyone is affected together. And in fact …
CHEH: And can I …?
CHEH: Can I stop you there? Because I want to understand this. Nevertheless, I mean given the sophistication and the speed of computers, even if you do it at retail you could have some operation that you create that would allow you to do it at retail at great speed, no?
EPSTEIN: So that is a concern but also, there are some wholesale concerns with ballot distribution. For instance, if I can manipulate the server to give voters the wrong ballot or a ballot that is marked in a certain way so I can tell who voted, or a ballot that will just be counted as invalid when it gets back to Washington, then I can attack through ballot distribution, too. But the risk is quite a bit less because that server that's connected to the internet isn't processing the return votes, so there's much less opportunity for me to do something there that will allow me to change all the votes.
CHEH: And you said something that was also disturbing with respect to this test. Namely that a period of time went by and there were no sufficient --- or you don't know that there were any sufficient red flags --- to say that it had been broken into. And so I would take it that even with these other methodologies and even though the scope of potential mischief would be limited, as to those one further thing we should have is a very clear use of these red flags so that it's immediately known whether someone is attempting to do this. Do you know whether on these alternative methods we have sufficient notice built in?
EPSTEIN: Well, it's hard to say what sufficient notice would be. Because it would certainly be possible with today's technology to attack it in a way that nobody would notice. That's the worry that all of the scientists that I've spoken with share about internet voting. We have to, what we can do is a best effort. And for voters who otherwise are going to have a very difficult time participate in the election, then making a best effort at ballot distribution is a compromise that may well be worthwhile. But digital ballot return, we worry, has potentially greater social consequences because of the fact that someone could centrally change all of the votes.
GOODMAN: There's an additional concern, too, which is that recently the District of Columbia passed a requirement for voter-verified ballots and post-election audits, a system that doesn't provide a hard copy independent record of the voter's intent, is essentially not an auditable system, not a recountable system with legitimacy. If your ballots are coming back digitally and then there's a printout that occurs in D.C. but it's not a printout that the voter has witnessed, then you cannot construe it to be the voter's intent. It could have been changed in transit.
HALDERMAN: May I make one other comment about the system itself that Dr. Halderman and his team broke into. This system was much better built than most systems and yet these are the problems we saw. It was designed by people who really knew what they were doing, unlike a lot of voting systems, and yet we had all these problems. So these are a lot of the risks, and so you're better off, perhaps, than many, but it's still a long way from being safe.
CHEH: Well, you know, that seems to cut two ways. I mean I thought in part by describing what had gone on and the sloppiness of what was used as an example and [so forth], now you're saying these are really the top people but it seemed like in some ways they were …
EPSTEIN: Isn't that ironic?
CHEH: … they weren't so smart or they weren't so diligent, or maybe they're not the best after all. I mean, I know you're lauding them now to say gee, even they couldn't do it, but I don't know …
HALDERMAN: This speaks to how hard the problem is, that even good people who are trying very hard and being diligent about it can't catch all of the possible problems. And since it only takes one problem in many cases for us to completely take control of the system, for someone to change all of the votes, that's the core of the issue with internet voting. That's why the scientists are so alarmed. This is not a problem we know how to solve.
GOODMAN: I would just like to say that I think everybody shares the concern for the overseas and military voters, that they get their ballots on time, that they vote their ballots and that their ballots are returned in a timely fashion so that they're not disenfranchised. But this solution doesn't have to, we're all used to sending things instantaneously but sometimes that's not the best idea, and I think that's what we're seeing here. In neighboring Maryland and Virginia, Virginia has a huge military population, they don't allow this. It's not the law. And a number of states prohibit email, fax and internet voting for precisely these reasons. It's an extremely appealing, very attractive solution to a very concerning problem and, unfortunately, it's not the right solution.
CHEH: And the impetus for this was this idea about giving, you know, sufficient time and access for people who are overseas or in the military.
EPSTEIN: Well, I have no doubt that the particular problems that Dr. Halderman identified could be fixed rapidly. Perhaps some of them already have. I don't know. But I think it's important, we have a concept in the security field called "penetrate and patch." What it means is you break into a system, as Dr. Halderman did, and then you come back, you fix it, and you try it again. And what you would think is that after you do this, there wouldn't be any problems. But what we found in 40 years of experience that you can penetrate and patch and then you penetrate again and you patch again, and you penetrate again and you patch again, and you penetrate again and you patch again, and it never ends. If it ended, Microsoft would have succeeded. We wouldn't all be having to reboot our computers and install patches once a month for the past ten years. This is not something that we can just say, "Please, BoEE, fix the problems and then we can do it." This isn't a solvable problem that way.
CHEH: Does internet voting take place anywhere on this planet?
EPSTEIN: Yes. And there are cases where it's been done, for example, in Estonia, and it's, they have a different set of threats than we do and they also have different capabilities than we have. For example …
CHEH: They're better? In Estonia?
EPSTEIN: They have a, everyone has a, everyone has a secret card, excuse me, has a smart card sort of like a credit card but smarter, and every computer in the country uses them and there are certain things you can do when everyone has a national ID.
CHEH: So would that be like their key?
EPSTEIN: Yeah, it's used exactly …
CHEH: Their individual key. So you could have a two-key system but you gotta have your own key.
EPSTEIN: Well, there's still a lot of problems with it, to be sure, but yes, that is one of the things that gives you a two-key system.
GOODMAN: It's not a secret ballot. And that's a critical …
HALDERMAN: That totally changes the problem if it's not a secret ballot, yeah.
EPSTEIN: There are many differences. It's not, that's one difference, what I just described and what Dr. Halderman and Ms. Goodman say, it's not a secret ballot, are other changes. So you can't say it's the same. It's different. And there are places that have done other experiments with internet voting.
CHEH: Could you identify those?
EPSTEIN: Democrats Abroad did a pilot program in the 2008 primary. Anyone who wanted to could claim to be a Democrat abroad and could cast a vote. There was no validation. And it was not an open test so we have no idea whether it was succe—whether it was broken into or not.
GOODMAN: It was also not a secret ballot.
EPSTEIN: And it was not a secret ballot, yes, I'm sorry. The Arizona Democratic Party did a primary and that was also not a secret ballot and we don't know whether that was broken into or not because there was no study done. Michigan, I think, did a primary also. Hawaii did a local election and again we don't know what really happen but we know turnout was down by 85%.
CHEH: Let me ask you, oh, I'm sorry.
GOODMAN: I just want to, you know, the problem is reaching the overseas and military voters. And I feel like that we should focus on ways to solve that problem versus this, you know, ways to make internet voting safe. I feel like conflating those two issues is not going to get us anywhere. I think, again, other states don't allow this because of these problems. And there are already a lot of problems with the D.C. elections and money could be better spent helping voters in other ways and helping—The Overseas Vote Foundation helps voters get ballots and gets them FedExed back to the jurisdictions. There are many ways that we can help overseas and military voters get their ballots and get them returned without entering this minefield.
CHEH: So you don't know or there's never been a legitimate way to assess the Michigan or Hawaii experiments?
EPSTEIN: That's what's wonderful about this experiment that the BoEE did and why we salute them. Because for the first time what computer scientists have been warning could happen in an election, we know that in fact it really could happen. It isn't just a theoretical problem, it's a practical problem. So nobody has ever assessed an internet voting election before this one. So that's why it's wonderful what you did. And now we've learned it and let's move on and come back and visit it again in ten years.
CHEH: Forgive me, but …
HALDERMAN: Well, I'd like to personally say, again, how much I appreciate what the Board has done. This really is an excellent show of the concern that everyone on the Board must have for the security of their voters. It's the right approach to take, if you're going to, if you're planning to deploy a system like this. My concern is just that based on the scientific consensus, it's not a good idea to plan to deploy a system like this.
CHEH: Well, let me ask you this. From a legislative perspective, because your observation about better attend to other things. We just heard about maybe we need more training, and maybe— should the Council by legislation just shut this down?
CHEH: Yes? You think yes?
CHEH: And is that your same opinion with respect to email or these other ones that have some risk but not the same kind of risk?
EPSTEIN: I think they should be reserved for extreme cases where the voter cannot return the ballot by postal mail.
HALDERMAN: And I would encourage also to have an open test of such efforts as well to make sure that the problems we've seen here don't also exist there. The risks are significantly smaller but they're nothing close to zero. And so doing a test of those systems would also be very valuable both to the Board and to the research community to understand: is this a problem or is this something we could reasonably encourage?
EPSTEIN: I also wanted to add that one of the things that worries me is that the results will be used to go fix the problems and then put it out for another test. And Dr. Halderman and his students have done us a great service. Not just us here in the District but across the nation. But we can't expect them to keep doing pro bono testing of systems. It's a lot of work …
CHEH: And you have classes to teach, I assume? Doctor?
EPSTEIN: He does teach classes, yes.
GOODMAN: I think that it's important to …
CHEH: That was sort of an aside. [laughter]
GOODMAN: I think that it's important to look at the benefits of using technology responsibly and to actually assess how military and overseas voting has improved this year by being able to speed up the process by which they can go through registration, with which they can get ballots, and have them return ballots in a more secure way, in a way that's auditable. And look at what's improved before making any effort to go on this kind of a limb again.
CHEH: I want to ask you all a final question. We've been talking about the security of it, the technological capability of it, the risks of it, and all of that sort of thing. I want to ask you philosophically, is internet voting really what we want to do? I mean even people at a distance? If we perfect this sort of thing, I mean, you know, in the brave new world, would we have people sitting at home on their computers just voting that way? Is there any philosophical underpinning to objection to developing these technologies? And I don't know whether that's something you want to address, but I'm just curious to hear if you have any view about that.
GOODMAN: Well, first of all, I wanted to thank you for passing the D.C. Omnibus Reform Bill.
CHEH: When people start out that way we have something bad coming.
GOODMAN: No, look. There was a very real problem in the 2008 primary with there were all of these phantom votes that came in. You did a great investigation to find out why these machines, and these machines, we're not even talking about the internet, these are machines that are on the ground here. I think your response to that, the Council's response to that, which is to increase the integrity of the D.C. voting system by requiring voter-verified paper ballot system, philosophically that's what I'm comfortable with. I want to see it and I want to know what they're counting is what I voted. So philosophically that's sort of where I stand. With a internet voting system you can never have that. It isn't the same ballot. And you can't have that kind of an audit. So I like buying groceries in my pajamas but I don't want to cast my ballot that way.
EPSTEIN: Philosophically I'm torn. I like the idea of anything that has the potential for increasing voter participation. But on the other hand, just like all vote by mail elections as are done in Oregon and Washington and parts of California, it introduces a greater risk for vote-buying and coercion and things like that that if you have to go to the polling place there's methods of having some control. So I'm not sure that it's such a wise idea for our future to get away from the social aspects of voting where we all gather in one place and cast our ballots in public without hopefully coercion and without vote buying.
HALDERMAN: I have to say that as a computer scientist, I am really thrilled about new applications of computers. They have had such a fantastic impact on people's lives and on the way we interact and communicate and do business. But my objection to internet voting is therefore not philosophical, it's practical. Because there are some things technology can do and some things that it just can't do, at least not within the state of the art. And it's unfortunately a slowly advancing state of the art. Internet voting gets to many of the core problems of computer security. How can be protect servers? How can we protect our desktops and laptops at home? So if we had a magic wand and could make it work in a perfectly secure and transparent and confidence-inspiring way, I would say, "Wonderful." But I don't know how we're going to get that magic wand.
CHEH: Ms. Smith, do you want to have the final word?
Ms. Smith: I think there is something enormously appealing about being able to do a task instantaneously from your couch and your bunny slippers. But I think that the issue here is that those of us who raise alarms and computer scientists who've raised alarms about these kinds of security concerns and malfunctions, not just malfeasance, have often been accused of being Luddites. And it's kind of comical because I, for one, can't live without the internet and am extremely glad that I was born in the day that I was born in because it's a wonder and I enjoy it every day. But there are things that can't be done on this internet. You wouldn't say you can never do it, but the internet itself has to change before we can.
CHEH: Well, okay, well, thank you all very much. I really appreciate it.
EPSTEIN: Thank you.
CHEH: And I don't know if you each deferred but nevertheless have your own written submissions, I would be pleased to have them.