Internet voting is insecure and should not be used in public elections

Signed by a group of 21 computer scientists expert in election security

Executive summary

Scientists have understood for many years that internet voting is insecure and that there is no known or foreseeable technology that can make it secure. Still, vendors of internet voting keep claiming that, somehow, their new system is different, or the insecurity doesn’t matter. Bradley Tusk and his Mobile Voting Foundation keep touting internet voting to journalists and election administrators; this whole effort is misleading and dangerous.

Part I.  All internet voting systems are insecure. The insecurity is worse than a well-run conventional paper ballot system, because a very small number of people may have the power to change any (or all) votes that go through the system, without detection. This insecurity has been known for years; every internet voting system yet proposed suffers from it, for basic reasons that cannot be fixed with existing technology.

Part II.  Internet voting systems known as “End-to-End Verifiable Internet Voting” are also insecure, in their own special ways.

Part III.  Recently, Tusk announced an E2E-VIV system called “VoteSecure.”  It suffers from all the same insecurities.  Even its developers admit that in their development documents.  Furthermore, VoteSecure isn’t a complete, usable product; it’s just a “cryptographic core” that someone might someday incorporate into a usable product.

Conclusion.  Recent announcements by Bradley Tusk’s Mobile Voting Foundation suggest that the development of VoteSecure somehow makes internet voting safe and appropriate for use in public elections.  This is untrue and dangerous.  All deployed Internet voting systems are unsafe, VoteSecure is unsafe and isn’t even a deployed voting system, and there is no known (or foreseeable) technology that can make Internet voting safe.

Part I.  All internet voting systems are insecure

Internet voting systems (including vote-by-smartphone) have three very serious weaknesses:

  1. Malware on the voter’s phone (or computer) can transmit different votes than the voter selected and reviewed. Voters use a variety of devices (Android, iPhone, Windows, Mac) which are constantly being attacked by malware.
  2. Malware (or insiders) at the server can change votes. Internet servers are constantly being hacked from all over the world, often with serious results.
  3. Malware at the county election office can change votes (in those systems where the internet ballots are printed in the county office for scanning). County election computers are not more secure than other government or commercial servers, which are regularly hacked with disastrous results. 

Although conventional ballots (marked on paper with a pen) are not perfectly secure either, the problem with internet ballots is the ability for a single attacker (from anywhere in the world) to alter a very large number of ballots with a single scaled-up attack.  That’s much harder to do with hand-marked paper ballots; occasionally people try large-scale absentee ballot fraud, typically resulting in their being caught, prosecuted, and convicted.

Part II.  E2E-VIV internet voting systems are also insecure

Years ago, the concept of “End-to-End Verifiable Internet Voting” (E2E-VIV) was proposed, which was supposed to remedy some of these weaknesses by allowing voters to check that their vote was recorded and counted correctly.  Unfortunately, all E2E-VIV systems suffer from one or more of the following weaknesses:

  1. Voters must rely on a computer app to do the checking, and the checking app (if infected by malware) could lie to them.
  2. Voters should not be able to prove to anyone else how they voted – the technical term is “receipt-free” – otherwise an attacker could build an automated system of mass vote-buying via the internet. But receipt-free E2E-VIV systems are complicated and counterintuitive for people to use.
  3. It’s difficult to make an E2E-VIV checking app that’s both trustworthy and receipt-free. The best solutions known allow checking only of votes that will be discarded, and casting of votes that haven’t been checked; this is highly counterintuitive for most voters! 
  4. The checking app must be separate from the voting app, otherwise it doesn’t add any malware-resistance at all.  But human nature being what it is, only a tiny fraction of voters will do the extra steps to run the checking protocol.  If hardly anyone uses the checker, then the checker is largely ineffective.
  5. Even if some voters do run the checking app, if those voters detect that the system is cheating (which is the purpose of the checking app), there’s no way the voters can prove that to election officials.  That is, there is no “dispute resolution” protocol that could effectively work.

Thus, the problem with all known E2E-VIV systems proposed to date is that the “verification” part doesn’t add any useful security: if a few percent of voters use the checking protocol and see that the system is sometimes cheating, the system can still steal the votes of all the voters that don’t use the checking protocol. And you might think, “well, if some voters catch the system cheating, then election administrators can take appropriate action”, but no appropriate action is possible: the election administrator can’t cancel the election just because a few voters claim (without proof) that the system is cheating!  That’s what it means to have no dispute resolution protocol.
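The cast-or-audit check from item 3, as an added sketch that is not part of the original statement and is not VoteSecure's code. It uses toy exponential ElGamal with constructed parameters and hypothetical names (`VotingDevice`, `session`, `election`) to show that a revealed randomizer opens the ballot for anyone, so an audited ballot must be discarded, and that the ballots actually cast are exactly the ones nobody checked.

```python
import secrets

# Toy parameters (constructed, far too small for real use): P = 2Q + 1,
# and G generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def encrypt(pk, vote, r=None):
    """Exponential ElGamal: (g^r, g^vote * pk^r). Returns (ciphertext, randomizer)."""
    if r is None:
        r = secrets.randbelow(Q - 1) + 1
    return (pow(G, r, P), pow(G, vote, P) * pow(pk, r, P) % P), r

def opens_to(pk, ct, vote, r):
    """Anyone holding r can recompute the ciphertext and confirm the vote.
    That is why r acts as a receipt and an audited ballot cannot be cast."""
    return encrypt(pk, vote, r)[0] == ct

class VotingDevice:
    """Hypothetical voting client. flip_to models malware that replaces the choice."""
    def __init__(self, pk, flip_to=None):
        self.pk, self.flip_to = pk, flip_to

    def commit(self, choice):
        actual = choice if self.flip_to is None else self.flip_to
        self.ct, self._r = encrypt(self.pk, actual)
        return self.ct          # fixed before the voter decides to cast or audit

    def audit(self):
        return self._r          # revealing r spoils this ballot

def session(device, choice, audit):
    """One voter: either audit (ballot discarded) or cast (ballot unchecked)."""
    ct = device.commit(choice)
    if not audit:
        return "cast", ct
    r = device.audit()
    ok = opens_to(device.pk, ct, choice, r)   # check done on a separate device
    return ("spoiled-honest" if ok else "spoiled-mismatch"), ct

def election(n_voters, n_auditors, flip_to):
    """Every voter wants choice 1; the first n_auditors audit instead of casting.
    Returns (audits that caught a mismatch, ballots cast without any check)."""
    _, pk = keygen()
    results = [session(VotingDevice(pk, flip_to), 1, audit=(i < n_auditors))[0]
               for i in range(n_voters)]
    return results.count("spoiled-mismatch"), results.count("cast")

if __name__ == "__main__":
    caught, unchecked = election(1000, 30, flip_to=0)
    print(f"{caught} voters saw a mismatch; {unchecked} ballots were cast unchecked")
```

The 30 auditors in this run hold only a discarded ballot and their own word as evidence, which is the dispute-resolution gap described above.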

All of this is well understood in the scientific consensus. The insecurity of non-E2E-VIV systems has been documented for decades.  For a survey of those results, see “Is Internet Voting Trustworthy? The Science and the Policy Battles”. The lack of dispute resolution in E2E-VIV systems has been known for many years as well.

Part III. VoteSecure is insecure

Bradley Tusk’s Mobile Voting Foundation contracted with the R&D company Free and Fair to develop internet voting software. Their press release of November 14, 2025 announced the release of an open-source “Software Development Kit” and claimed “This technology milestone means that secure and verifiable mobile voting is within reach.”  

After some computer scientists examined the open-source VoteSecure and described serious flaws in its security, Dr. Joe Kiniry and Dr. Daniel Zimmerman of Free and Fair responded. They say, in effect, that all the critiques are accurate, but they don’t know a way to do any better: “We share many of [the critique’s] core goals, including voter confidence, election integrity, and resistance to coercion. Where we differ is not so much in values as in assumptions about what is achievable—and meaningful—in unsupervised voting environments.”

In particular, 

In addition to the previously described flaws in the VoteSecure protocol, we note that its vote checking system is susceptible to mass automated vote-buying attacks [1]; and we have discovered a new flaw in the VoteSecure protocol that allows votes to be stolen [2].

[1] This conclusion is based on a technical analysis.  In the VoteSecure protocol, the checking app can be run on a vote that is then cast; the checking app must be runnable on a device other than the one running the voting app; that alternate device is likely a PC on which the user has control of installed software; user-installed software can extract decrypted randomizers; this allows the voter to participate in a mass vote-buying scheme.

[2] “Clash attacks on the VoteSecure voting and verification process”, by Vanessa Teague and Olivier Pereira, January 13, 2026.

Based on our own expertise, and especially in light of the response from Free and Fair, we stand by the original analysis: Mobile Voting Project’s vote-by-smartphone has critical security gaps.

Conclusion

It has been the scientific consensus for decades that internet voting is not securable by any known technology. Research on future technologies is certainly worth doing. However, the decades of work on E2E-VIV systems have yet to produce any solution, or even any hope of a solution, to the fundamental problems.

Therefore, when it comes to internet voting systems, election officials and journalists should be especially wary of “science by press release.” Perhaps some day an internet voting solution will be proposed that can stand up to scientific investigation. The most reliable venue for assessing that is in peer-reviewed scientific articles. Reputable cybersecurity conferences and journals have published a lot of good science in this area. Press releases are not a reliable way to assess the trustworthiness of election systems.

Signed

(affiliations are for identification only and do not indicate institutional endorsement)

Andrew W. Appel, Eugene Higgins Professor Emeritus of Computer Science, Princeton University

Steven M. Bellovin, Percy K. and Vida L.W. Hudson Professor Emeritus of Computer Science, Columbia University

Duncan Buell, Chair Emeritus — NCR Chair in Computer Science and Engineering, University of South Carolina

Braden L. Crimmins, PhD Student, Univ. of Michigan School of Engineering & Knight-Hennessy Scholar, Stanford Law

Richard DeMillo, Charlotte B and Roger C Warren Chair in Computing, Georgia Tech

David L. Dill, Donald E. Knuth Professor, Emeritus, in the School of Engineering, Stanford University

Jeremy Epstein, National Science Foundation (retired) and Georgia Institute of Technology

Juan E. Gilbert, Andrew Banks Family Preeminence Endowed Professor, Computer & Information Science, University of Florida

J. Alex Halderman, Bredt Family Professor of Computer Science & Engineering, University of Michigan

David Jefferson, Lawrence Livermore National Laboratory (retired)

Douglas W. Jones, Emeritus Associate Professor of Computer Science, University of Iowa

Daniel Lopresti, Professor of Computer Science and Engineering, Lehigh University

Ronald L. Rivest, Institute Professor, MIT

Bruce Schneier, Fellow and Lecturer at the Harvard Kennedy School, and at the Munk School at the University of Toronto

Kevin Skoglund, President and Chief Technologist, Citizens for Better Elections

Barbara Simons, IBM Research (retired)

Michael A. Specter, Assistant Professor, Georgia Tech

Philip B. Stark, Distinguished Professor, Department of Statistics, University of California

Gary Tan, Professor of Computer Science & Engineering, The Pennsylvania State University

Vanessa Teague, Thinking Cybersecurity Pty Ltd and the Australian National University

Poorvi L. Vora, Professor of Computer Science, George Washington University


Comments

17 responses to “Internet voting is insecure and should not be used in public elections”

  1. I appreciate this analysis, especially the section on ‘End-to-End Verifiable Internet Voting.’ It’s concerning that even these systems aren’t immune to the same weaknesses. I think this points to the need for a broader conversation about what truly makes an election system secure—not just from a technological perspective, but from a democratic one.

  2. Thank you for posting this.

    I’ve always advocated that online voting is not (yet) secure and safe and despite all the evidence in that direction (as this post suggests), we have organizations like the IEEE running online voting (called vTools) that I, as an IEEE member, can’t even check if the code is working correctly. Besides, the vTools is not even published on an open source license and we are all none the wiser.

  3. I think this is a great analysis, and I agree with the core warning: if we don’t assume the voter device is clean, malware can change votes at scale, and no crypto can fully “fix” an infected phone.

    I’m a PhD student and leading the team which is implementing a new voting protocol named DAVINCI (https://davinci.vote), it’s fully free open source and I do believe it provides higher guarantees than any other existing solution.

    We remove a big failure mode of remote voting systems, trusting servers/operators/committees to tally honestly. DAVINCI relies on verified computation (zkSNARKs): if you can’t prove the batch was processed correctly, you can’t update the tally.

    It is built to be receipt-free (sequencers re-encrypt ballots, so the voter can’t later prove the randomness), and voters can silently overwrite their vote as many times as they want.

    The honest tradeoff (as spotted in the article) is that you can’t trivially verify the exact content of what ends up stored after re-encryption, but you can verify your submission was accepted and processed under the constraints.

    For the malware issue, the only realistic path is mitigation + scope: don’t vote from a random mobile app; use a hardened voting client (for example, a certified voting OS inside a VM) and strong operational controls.

    We should start experimenting where it makes sense, not national elections maybe, but lower-stakes governance where the benefits of remote participation are real. Internet voting might have so many benefits for society, I think it’s worth trying.

    I’m open to further discussion.

  4. Jurjen Bos

    Is there an additional list of signers? Having done part of my Ph.D. research on voting, I would really like to sign this, and I am pretty sure I am not alone in this.

    1. Robert F. Hausman, Jr. PhD.

      Indeed you are not alone. I too would like to sign.

  5. Atro Tossavainen

    Ever heard of Estonia? Failing to mention Estonia in this article…

    1. I am a signer of this statement, and yes, I’ve heard of Estonia. I worked with Tarvi Martens, one of the developers of the Estonian system, in an evaluation of the Dutch RIES (Rijnland Internet Election System) 2 decades ago. First, the Estonian system is predicated on technologies we do not have in the US, specifically, universal use of smart national ID cards to provide the foundation of a national cryptographic infrastructure. Second, the Estonian system rests on the government being trustworthy, or more specifically, it rests on the issuers of those smart cards not to have included any backdoors in the cards themselves, and on the election authorities to run an honest system. Add to this the fact that the Estonian system remains vulnerable to client-side attacks.

      On the plus side, Estonia has been the frequent object of cyberattacks from Russia. They have lots of experience standing up to a rather big adversary in the electronic domain. But note that success in the past does not guarantee continued success in the future. For the past decade, Russia has been just a bit distracted by a tiff with a country somewhat to the south.

    2. With all the vulnerabilities they’ve pointed out, why do you think some still believe it’s a good idea?

      By the way, what about Estonia? I have a company there as an e-resident.

  6. Jan Willem de Vries

    The main issue with internet voting can, for reasons of principle, never be solved: when voting on paper at a polling station, it can be arranged that a vote stays secret. Nobody can force you to vote in a certain way. When voting through the Internet, and especially by smartphone, any person can be forced to show what he/she is voting or, worse, to vote in a certain way.
    I am afraid that Internet voting will be promoted by authoritarian leaders, so they can influence the outcome directly, by force or by hacking the system.

    1. Pau Escrich

      There are ways to avoid coercion at big scale, this is the “receipt free” property of the e-voting systems. So a voter cannot prove to a third party what he voted for. In addition to “silent vote override”, so a voter can always rewrite its vote silently without any other party noticing.

      This is a problem that has a solution. However, the issue is that on receipt-free systems, the voter cannot 100% guarantee, after casting the vote, that the ballot was not modified by a malware. So if we don’t assume the voting devices are safe, high stake e-voting might be compromised.

    2. Are people banned from taking their smartphones inside the voting booth where you’re from? Because you can definitely take pictures of your ballot to show to people willing to buy your vote, it’s a routine practice in many meme democracies.

  7. The most telling part here is the response from the developers themselves. When they explicitly admit that their system cannot prevent coercion or solve the dispute resolution problem, that should be game over for the pitch. It is wild that we are still having this conversation when the people building the code say they can’t fix the fundamental flaws. If I can’t prove my vote was changed without canceling the whole election, the verification feature is basically theater.

    1. 100% agree: it’s not just about broken or compromised technology, it is also because of weaknesses in the democratic process itself.

  8. The message needs to be repeated. Nothing has changed. Electronic voting is still not a good idea. I participated in a study for the Dutch government in 2013. In short: never 100% secure, very expensive (the system needs to be developed every election) and transparency left the building.
    https://highberg.com/nl/insights/onderzoek-internetstemmen-voor-kiezers-buiten-nederland

  9. Voters must rely on a computer app to do the checking, and the checking app (if infected by malware) could lie to them.

  10. Thank you for this thoughtful and rigorous analysis.

    I fully agree with the core insight that remote Internet voting cannot be made perfectly secure by technology alone, and that vulnerabilities at the endpoint and server level remain a significant concern. This aligns with our own risk assessment.

    At the same time, I would like to offer a complementary perspective based on a recent policy proposal I helped lead, titled “JEEADiS Policy Proposal 2026: Redesigning the Infrastructure of Digital Democracy — A Policy Proposal for Realizing Internet Voting in Japan”.
    https://www.jeeadis.jp/pressrelease/jeeadis-releases-policy-proposal-2026-redesigning-the-infrastructure-of-digital-democracy-a-policy-proposal-for-realizing-internet-voting-in-japan

    Our goal was not to dismiss the serious threats you discuss, but to treat them as design requirements rather than reasons for categorical rejection.

    Several points of intersection between the concerns you raise and our institutional approach include:

    Endpoint compromise (malware): While client malware cannot be eliminated, our proposal embeds a revoting mechanism and paper-override rule such that any compromised cast can effectively be nullified by a later, legitimate submission. This is not a perfect fix, but it is a process-level mitigation recognizing endpoint risk.

    Limitations of E2E verifiability: We share your concern that E2E-V mechanisms often go unused in practice. Our model integrates mandatory basic receipt confirmation via a national portal and optional advanced cryptographic verification, paired with a public immutable log that supports third-party audit during disputes. The aim is to make verification both usable and institutionally supported.

    Server and insider threats: Rather than trusting a single operator or administrator, our architecture separates roles, uses threshold cryptography with distributed key management, and includes supervised tallying ceremonies. Paired with public cryptographic proofs, this shifts control away from any single point of internal compromise.

    Phased introduction: Recognizing the risks of large-scale deployment, we advocate starting with overseas voters—a relatively small, high-need population with risk characteristics comparable to postal voting. This allows experience-based scaling rather than monolithic launch.

    In our view, the arguments you articulate do not contradict the possibility of controlled, institutionally robust deployment; rather, they highlight why such deployment must be grounded in governance, transparency, and verifiability, not technology alone.

    Thank you again for advancing this important debate. Your work provides a valuable foundation for discussions on how policy, institutional design, and cryptographic mechanisms can coexist in addressing the very challenges you describe.

    Manabu Muta,
    Board Member, Japan & Estonia EU Association for Digital Society (JEEADiS);
    Principal Author, JEEADiS Policy Proposal 2026

  11. Wow, 21 computer scientists signing off on internet voting being insecure? That’s a pretty strong consensus. It’s wild to think about, like, what if they released VoteSecure and a tiny percentage of people noticed something was wrong.
