In order to reach out to voters displaced by Hurricane Sandy, the state of New Jersey will allow residents to vote by e-mail. The goal is laudable, but the means of achieving it is fraught with danger of facilitating voter fraud.
There has been a great deal of controversy over the last few years about some states instituting ID requirements for voting. I don't want to get into the extremely nasty politics of this issue, but from a computer security perspective, the conflict is one of weak vs. strong authentication. To address a bad situation, New Jersey has found a way to make authentication even weaker than it normally is.
Where I live and vote in New Jersey, authentication is weak: I go in and give my name. The poll worker gives me a piece of paper on which I print and sign my name. The worker then checks my name and signature against what they have in their paper records. I am then given a piece of paper which I bring to the voting booth; the poll worker there takes it and I go in and vote.
There are some informal checks in this system: if I've been voting for years, the poll worker or the poll challengers (party representatives) may recognize my name but not my face. Also, sample ballots are mailed out in advance to every registered voter and, if they come back undeliverable, the voter is supposed to be purged from the system.
Of course, you all know about Hurricane Sandy. In New Jersey, especially North Jersey where I live, life is messed up. I'm lucky; I never lost power or Internet or anything, but my neighbors on one side of my house and most of the rest of the town lost all of it. I know many residents who have moved in with relatives or to hotels, some out of state, in order to have heat and electricity, and we're hosting some relatives in our house.
Tomorrow is election day. How are all these people supposed to vote when they're not even in their voting district, and gas is scarce, making it hard to get there? It's a genuine problem and New Jersey has come up with a genuinely scary solution for it: voting by e-mail.
The voter sends in an application for a vote by mail ballot (click here for the application for my county). The county clerk determines if the application is valid and, if so, "... shall electronically send the ballot and the waiver of secrecy form to the voter by the method chosen by the voter (email/fax)." The clerk will accept applications through 5PM Tuesday and filled-in ballots through 8PM Tuesday.
So it still sounds like the signature is being used, but in this case the person doesn't even have to be there to sign it in front of the poll worker. Someone with access to signatures could pretty easily fake up a bunch of applications and ballots. Think residents of a nursing home, or maybe a graveyard, especially considering that registration can also be done remotely.
And as for the communications mechanism, e-mail is probably the world's most insecure medium. Originating addresses are easily spoofed.
It's lucky in a sense that there aren't any really competitive races in New Jersey this year, at least not at the Federal level. Everyone expects President Obama and Senator Menendez to won their New Jersey races handily. For the congressional and local races, the loser can always challenge the result, claiming that there is evidence that there were "a combination of legal votes rejected or illegal votes received sufficient to change the result of the election," and I'd have to think that the circumstances would make challenges more credible if it's at all close or out of character for the district. (True story: One of our authors, Jerry Ryan, serves on our township committee. In his first election he won by 4 votes and the loser challenged the result. The courts declared the election a tie and ordered a do-over, which Jerry won more decisively.)
There have been crises affecting elections before: September 11, 2001 was scheduled for the primary vote for Mayor of New York City. The primary was postponed. That wasn't really a big problem, but this election has to be conducted at the same time as the elections in all the other states. You can't just delay it. I wish I had a better idea for reaching out to displaced voters. Nothing good comes to mind. The precedent of using e-mail in this way really bothers me.
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Digital Transformation Myths & TruthsTransformation is on every IT organization's to-do list, but effectively transforming IT means a major shift in technology as well as business models and culture. In this IT Trend Report, we examine some of the misconceptions of digital transformation and look at steps you can take to succeed technically and culturally.