Secure, Accessible Internet Voting: a Grand Challenge

Jay Lepreau, University of Utah

Voting is the foundation of our democracy. Anything that can raise the US's low voter turnout rate, without introducing other downsides (including increasing the impact of the digital divide), should serve to strengthen our democracy. Voting over the generic Internet has obvious allure. It sounds convenient and efficient. It would facilitate same-day registration. Not only might some forms of it vastly increase citizen participation, but it enables new forms of direct political engagement, such as nationwide town meetings or more flexible voting systems than the common winner-take-all format. Indeed, Internet voting at first seems so attractive that it has been proposed and even performed several times in the last decade, by governments, political parties, and institutions (e.g. ICANN). The most well-known recent system was the US DoD's SERVE system, which was intended to facilitate voting by overseas members of the armed forces.

However, SERVE and all Internet voting contain enormous vulnerabilities [1]. In fact, that report concludes that for any Internet voting system to be secure, a requirement is that the Internet be rearchitected: "There really is no good way to build such a voting system without a radical change in overall architecture of the Internet ....".

Besides the many normal threats to machines on the Internet, the security requirements of a voting system are uniquely challenging. For example:

i) Voters must be authenticated -- yet remain anonymous! That requirement has similarities to the authenticated-but-private access a future secure Internet architecture probably requires.

ii) Voting fraud must be detectable, yet voters cannot be issued receipts, for that would enable vote selling and coercion.

iii) No individual can be trusted, for by definition *everyone* (who is a concerned citizen) has a stake in the results of the election [2].
Nearly intractable threats are those due to the lack of physical security of the local voting equipment hardware and software, often imagined as a home or public PC. This aspect of i-voting is (largely) beyond the scope of distributed systems and Internet architecture. It remains an open problem, but can be mitigated by using special "trusted" hardware and software. Adding physical security, through special kiosks or machines located only at polling places, is a reasonable step for this challenge, as Internet voting would still provide many benefits. A voter-verified paper trail would still be necessary for audit.

A network-related threat that is clearly intractable today is DoS attacks. A voting system must be highly available and responsive, even under attacks from insiders, small groups, well-financed corrupt organizations, or foreign governments. Any kind of DoS attack on targeted voting districts would cause selective undervoting, affecting the results. Even subtle attacks, such as delaying the server's responses, could affect an election. The voting period may extend longer than the traditional one day, but there is always some completion deadline -- and many voters wait until that time. DoS is a uniquely harmful threat in voting, as it can mean "irreversible voter disenfranchisement" [1]. Most other transactions, including financial ones, have ways to remediate error or denial of service, such as insurance, refunds, or legal action. Any history of voting irregularities shows that few are proven until long after the election in which they occurred -- and they are rarely remediated.

This grand challenge invites, or perhaps requires, progress on a completely different aspect of today's Internet. To avoid unequal access stemming from the "digital divide," we need great progress on enhancing network usability through self-configuring networks and universal last-mile access, probably through secure community wireless.
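The selective-undervoting effect of a response-delay DoS described above, as an added worked model that is not part of the paper: two constructed 1000-voter districts, a 12-hour voting period, and a server whose answers to one district arrive six minutes late during the final hour. District names, sizes, preference shares, the number of requests per ballot and the latencies are all assumptions chosen to keep the arithmetic exact.

```python
from dataclasses import dataclass

DEADLINE_S = 12 * 3600   # voting period in seconds (assumed)
WINDOW_S = 3600          # the stall covers only the final hour (assumed)
ROUND_TRIPS = 6          # requests needed to cast one ballot (assumed)
BASE_LATENCY_S = 1       # per-request latency when not stalled (assumed)

@dataclass(frozen=True)
class Voter:
    district: str
    start_s: int   # second of the voting period at which the ballot is begun
    choice: str    # "A" or "B"

def constructed_voters(district, n, share_a_pct, late_fraction):
    """Deterministic electorate: `late_fraction` of the voters begin in the final
    hour; candidate A gets exactly share_a_pct percent, spread evenly over the day."""
    n_late = int(n * late_fraction)
    n_early = n - n_late
    voters = []
    for i in range(n):
        if i < n_early:
            start = (DEADLINE_S - WINDOW_S) * i // n_early
        else:
            start = DEADLINE_S - WINDOW_S + WINDOW_S * (i - n_early) // n_late
        is_a = ((i + 1) * share_a_pct) // 100 > (i * share_a_pct) // 100
        voters.append(Voter(district, start, "A" if is_a else "B"))
    return voters

def completion_time(v, stalled_district, added_delay_s):
    """Second at which the last request of v's ballot is answered."""
    t = v.start_s
    for _ in range(ROUND_TRIPS):
        stalled = v.district == stalled_district and t >= DEADLINE_S - WINDOW_S
        t += BASE_LATENCY_S + (added_delay_s if stalled else 0)
    return t

def tally(voters, stalled_district=None, added_delay_s=0):
    """Count ballots finished by the deadline; unfinished ones are undervotes."""
    counts = {"A": 0, "B": 0, "undervotes": 0}
    for v in voters:
        done = completion_time(v, stalled_district, added_delay_s) <= DEADLINE_S
        counts[v.choice if done else "undervotes"] += 1
    return counts

def simulate(added_delay_s=360):
    """Undisturbed election vs. a 6-minute per-request stall on the A-leaning district."""
    electorate = (constructed_voters("X", 1000, 60, 0.4)    # leans A 60/40
                  + constructed_voters("Y", 1000, 42, 0.4))  # leans B 58/42
    return tally(electorate), tally(electorate, "X", added_delay_s)
```

With these constructed numbers candidate A wins the undisturbed election 1020 to 980, while the stall leaves 240 of district X's late voters unable to finish and B wins 884 to 876; nothing in the tallies themselves distinguishes those 240 from voters who simply stayed home.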
However, a self-configuring broadcast-based network obviously worsens security and DoS threats. Intermediate goals can be set by decreasing the scale, narrowing the population (e.g., those with university IDs accessing an experimental Internet, at first only in university elections; or military personnel at one or a few foreign bases; or citizens in a small town), restricting the hardware to be physically controlled, and restricting the local software to be on read-only physical media. "War-gaming" can be carried out in simulation, emulation, and a prototype new Internet.

[1] D. Jefferson, A. Rubin, B. Simons, D. Wagner, "A Security Analysis of the Secure Electronic Registration and Voting Experiment," January 2004, www.servesecurityreport.org
[2] Douglas W. Jones, "Voting and Elections," http://www.cs.uiowa.edu/~jones/voting/