Q&A: COS professor Andrew Appel on email voting in New Jersey

In the wake of Hurricane Sandy’s destruction, New Jersey Lt. Gov. Kim Guadagno announced this weekend that state residents will be able to vote via email. Computer science professor Andrew Appel, who does research on computer security and election technology, spoke with The Daily Princetonian about the problems he perceives with this system.

The Daily Princetonian: Why did New Jersey choose to allow email votes in this election?

Andrew Appel: Many voters are displaced from their own homes. Some of their homes are underwater. It has been difficult to travel within the state of New Jersey and get gasoline, so voters may not be able to vote in their own towns.

DP: Logistically, how will email voting work?

AA: The law requires local county election officials to wait to receive the physical copy, compare it with the email copy, and if they match, the vote can count. As long as the email has arrived by Election Day, then the physical copy can arrive after Election Day.

In her directive this weekend, the lieutenant governor ordered for this election she’s going to consider displaced New Jersey voters as if they are overseas voters for the purpose of this statute. She did not specify who counts as a displaced voter, which is a problem. What is a much bigger problem is she did not explain the law requires the paper hardcopy to be mailed in as well.

DP: Why is a paper hardcopy required in the first place?

AA: Email is so easy to fake. Anybody can send an email that purports to come from anyone. It’s just text, all those mail headers and who it supposedly came from. That’s why you get email that purports to be from your friends that’s really trying to sell you spam products. It’s either that somebody has faked all the headers and has mailed it from their own computer, or it’s somebody’s put a computer spam virus on your friend’s computer. Spam viruses are very dangerous. They could modify an outgoing email with votes in it as you mail it. You can think you’re sending an email that votes a certain way, but it could actually vote a different way.

Furthermore, the county election officials that you’re mailing it to have computers that are not much more secure than any other personal computer or small business computer. So voting by email is about the least secure way of voting that we know of, which is why the New Jersey law requires paper backup.

DP: What could go wrong?

AA: Number one: Email votes could be hacked. Number two: If a few people vote by email this time and the state says, “Look at what a great success that was. Let’s have more people vote by email next time,” that sets up a really big, fat target for hacking, for real election fraud by computer trickery. Number three: If in this election there is some race somewhere in the state of New Jersey where the email ballots actually make the difference in who wins then the losing candidate might challenge this in court saying if there are no paper ballots, then these shouldn’t count, and the judge would have to look at the statute that says exactly that, which could be a mess, and could end up disenfranchising those voters who were following the lieutenant governor’s directive.

DP: New Jersey is a solidly blue state. Do you think this would have been even more controversial in a swing state?

Get the best of the ‘Prince’ delivered straight to your inbox. Subscribe now »

AA: New Jersey has many competitive congressional races and races further down the ticket. There are referendum questions on the ballot. There are many things to be voting for where people’s votes really will count, and of course people’s votes will really count in the presidential election. Surely if we had this kind of scenario in a swing state, it would have been even more of a disaster than it already is.

DP: Do you think this will be considered a success? Are you skeptical of how this will work out on Election Day?

AA: As [computer science professor] Matt Blaze [GS ’93] of the University of Pennsylvania said about this email voting, 21 county election offices have to administer a complicated new protocol at the same time they are recovering from the hurricane — What could possibly go wrong? New Jersey election officials have a lot on their plate and are working very hard to make the election run at all after the hurricane.

With regard to the email voting ... just because nobody can prove if computer hacking occurred, that’s not a reason to declare it a success. The real test of a system like that is how well it will work when the stakes are really high. How well will it work if millions of people are voting by email? We don’t want to go blindly into email voting for everyone when it’s so unsafe.

DP: What would have to happen for email voting to be safe enough to be an option in future elections?

AA: Nobody knows a way of making Internet voting safe enough at the moment. The reason is that the voters’ own computers are susceptible to viruses that alter their Internet transmissions without the users knowing. This is why you have spambots where you can rent a botnet with a million compromised computers to send out the spam of your choice. The tabulating computers — the servers that receive Internet votes — are both difficult to secure and not transparent.

That is the way election processes work in democracies, where one of the purposes of an election can be to throw out the government that’s running the election. All parties have to be able to see transparently enough into the process that they can trust the outcome of the election, while at the same time preserving the secret ballot. That’s a difficult problem. If you have an Internet server where the representatives of the political parties cannot even tell you what software is running on that server, there is no transparency of the process, and we lose the ability to trust that process. Even experts lose the ability to trust that process.

DP: Do you see any potential benefits of using email voting in this particular instance?

AA: No. One way that email can be involved in the process that’s not so pernicious is to obtain your blank absentee ballot by email. You can print it out. Once it is printed out, you know what is written on it. You put it in an envelope. You sign the envelope with a pen. Somebody can tell a person signed that envelope with a pen and did not paste an image in there.

The state of New Jersey already extended the deadline for postmarking absentee ballots to the day before the election. It’s normally earlier, but in the wake of the storm, they did a very reasonable thing by extending it to today. These measures are much more reasonable than the return of voted ballots by email, which cannot be secured.