Internet Voting is Too Insecure for Use in Elections

No matter how many times we say it, the idea comes back again and again. Hopefully, this letter will hold back the tide for at least a while longer.

Executive summary: Scientists have understood for many years that internet voting is insecure and that there is no known or foreseeable technology that can make it secure. Still, vendors of internet voting keep claiming that, somehow, their new system is different, or the insecurity doesn’t matter. Bradley Tusk and his Mobile Voting Foundation keep touting internet voting to journalists and election administrators; this whole effort is misleading and dangerous.

I am one of the many signatories.

Posted on January 21, 2026 at 7:05 AM • 19 Comments

Comments

Cigaes January 21, 2026 7:18 AM

Even with perfect digital security, voting from home does not involve a voting booth with people paying attention and checking voters get in there alone. People who vote from home can do so under the gaze of somebody else, and that means they are not protected against constraint.

K.S January 21, 2026 7:52 AM

Elections fundamentally are about groups of powerful and connected individuals gaining (or losing) dominance, consequently cheating is inevitable. Any voting system must operate on the assumption that cheating is going to happen, that insiders will be involved in said cheating, and work to minimize possible impact of such cheating. With that said, decentralization and nonrepudiation are mandatory features of secure implementation. To me, this means in-person pen and paper ballot voting is the best we can do.

Vesselin Bontchev January 21, 2026 8:01 AM

The letter misses two other glaring insecurities. First, as @Cigaes noted, internet voting from home does not protect from coercion. Second, even if the voting process could be made secure, it wouldn’t matter, if it is not trustworthy. If the attacker can reasonably convince a large part of the population that the vote was “hacked”, it wouldn’t matter one little bit whether it was indeed hacked or not. People do not understand complex systems.

Montecarlo January 21, 2026 9:29 AM

Providing the political parties do a good job of screening candidates to ensure the eventual nominee is acceptable to a broad spectrum of the public, actual security of elections is too high a standard.

Coercion can’t be controlled in internet voting, but neither can it be controlled for mail-in voting, which has been deemed acceptable. Security theater is sufficient to confer legitimacy to the election winner.

Here Too January 21, 2026 10:03 AM

Seems that those so called “signatories” don’t even understand the essential. Nothing is secure, ever, fundamentally can’t be. Anything can be hacked and eventually will be hacked. Similarly paper ballot voting isn’t secure either. You can even track who voted how – people rarely do that with their gloves on so they leave fingerprints on the paper. It’s trivial later to collect the votes and run through the fingerprints database and forward results to the other database. I know EU governments that do so. Regularly.

Information security is risk management. Nothing is secure so eventually you decide what risk you accept and what risk you don’t. Same with e-voting. However I’d expect statements like “too insecure” from an average journalist, not from an industry expert.

A. Voter January 21, 2026 10:24 AM

Mail-in voting shouldn’t be accepted, and isn’t where I’m at. We’ve got paper ballot voting ONLY.

Preventing illegitimate voting is one thing, but the system should also ensure that legitimate votes are not hindered. That’s why voting booths should be close to where people are, voting should be possible in the weekend, early voting should be possible for those who are traveling, the hospitalised should have a voting booth brought to them, etc. And no “voter registration”. The state already knows who is a citizen and has voting rights, so a separate voting registry just makes things more difficult without improving security. Instead, let people just show up on voting day or earlier with their ID and vote. Make it as easy as possible while still secure.

Of course some parties will resist that, because they know the disadvantaged are less likely to vote for them. Don’t vote for such parties that care more about power than democracy.

Rac January 21, 2026 12:51 PM

@Here Too

You won’t find false equivalences having fertile ground here. With your logic you could draw an equivalence between having a deadbolt lock made of iron vs one made of a cheeto.

lurker January 21, 2026 1:01 PM

@Here Too
re fingerprints

My country makes it easier than brushing and looking up fingerprints against an outside database. Our paper ballot system uses a barcode on the paper and on the butt of the paper where it is torn from the book. Before the paper is removed from the book the voting clerk writes a number on the butt. This number is obtained from the paper voters’ roll book. So it is relatively easy to find out who voted for whom, but the stated purpose of this feature is part of the “security” of the paper ballot system: to detect multiple voting, and impersonation. The papers, butts, and roll books are burnt as soon as the final results are announced, except where they must be retained for criminal proceedings.

People will cheat if they can. It’s a fact of life. The paper ballot system has thus far been the least hackable, and easiest to prove fraud. Privacy of the vote may be compromised when criminal activity occurs.

So Be It January 21, 2026 1:08 PM

To Rac:

Joseph Stalin is attributed to: ‘The people who cast the votes don’t decide an election, the people who count the votes do.’

So it is irrelevant if the voting mechanism is “too insecure”. It’s an illusion anyway.

Rontea January 21, 2026 1:44 PM

Internet voting is fundamentally insecure because it introduces risks that we cannot sufficiently mitigate with current technology. Computers and networks are inherently vulnerable to malware, denial-of-service attacks, and sophisticated nation-state adversaries. Unlike banking or e-commerce, voting requires secrecy, verifiability, and public trust, without the possibility of auditing or reversing a compromised election.

A clear example of how seriously security and trust are taken in critical voting processes is the papal election. The conclave is conducted entirely offline, with strict physical controls, paper ballots, and multiple layers of human oversight to prevent manipulation. If the election of the pope—an event watched by the world—relies on a carefully controlled, offline process, it underscores why connecting elections to the internet is reckless.

Any system connected to the internet exposes the election process to large-scale, undetectable manipulation. Paper ballots remain the only mechanism that allows for truly auditable and resilient elections.

Clive Robinson January 21, 2026 1:55 PM

@ Bruce, ALL,

The letter was only talking about “internet connected” voting.

It did not address the issue that “e-voting machines” of any kind are not and can not be secure even when stored properly and deployed only in voting booths with security seals etc. and never connected to the Internet…

Quite some time before “stuxnet” hit the world, I outlined on this blog an “air-gap” crossing technique aimed at e-voting machines.

Put simply it involved stepping backwards “up the supply chain” and attacking the computers of the e-Voting machine “technicians” and “maintaining staff”. So that “testing an e-Voting machine” crossed the air-gap and installed malware that “puts a thumb on the scale randomly” by flipping a few votes in the desired direction. In most votes in two party systems that “almost below the noise” level of change goes undetectable but due to the true close voting of such two party systems is sufficient to swing the vote to a desired outcome.

The trick is not getting the gap-crossing malware onto the voting machines but only onto the maintenance techs’ machines.

Thus there has to be a way to identify them, which there normally is in two ways,

1, Corporates tend to buy in bulk from only one or two suppliers of PC/laptops and ICT Services.
2, They tend to load specialist software often bespoke onto maintenance tech machines.

This information can be fairly easily found out with a little e-recon known to anyone involved with APT.

As the Corporates are likely to suffer from “accountants” the chances are good that “cost reductions” involve issuing techs only one PC/laptop for all functions. Thus when “on the road” it will get used on insecure networks for “ET phoning home” and to get Email, work orders, make reports and the like.

Anyone experienced in APT would know how to get at machines in the Corporate network thus be able to inject loaded email into the system addressed specifically to the techs.

Do I dare say at this point?,

“China and Russia are both reputed to have entire military groups devoted to APT against the US and its Corporates”

Though I strongly suspect all First World and quite a few Second World Nations do as well.

Worse, Israel and Italy being two nations that we know have corporations actively providing software and services to any “guard labour” or third World nations worldwide that have the ability to pay… As evidenced by their malware ending up on journalists’ phones, Smart Devices, and laptops, etc.

So “NO eVoting can be Secure Ever” because supply chain attacks will always be possible. This is only going to get worse as “Client Side Scanning” gets rolled out to anyone using e-Communications that Governments to “cut costs” are forcing down people’s throats.

Which means “Pen and Ballot Paper in voting booths” should be here with us forever if semi-secure voting is to be desired.

(But even that’s not really secure, back in the 1930’s authoritarians knew how to put serial numbers on ballot papers written in milk as “invisible ink” so how individuals voted could be found out).

Estonian, now in London January 21, 2026 2:42 PM

@Clive Robinson

Your speculations are interesting but they are just speculations.
Estonians have by now been using e-voting for more than 20 years. That’s online voting, over the internet. Surely, considering Russia’s APT capabilities and how “insecure” all this voting is, Russians surely must have hacked by now Estonian e-voting and put their loyal puppet government up, considering how insecure it is and how easy should it be.

Only… that isn’t seen.

So all those security experts that are crying “sky is falling”, “all is so insecure”…maybe they should check the reality?

An American Patriot January 22, 2026 1:15 AM

These two websites are mu$1!m terrorist networks and they must be shut down immediately
serbianforum and balkandownload
both .org domains.

Terrorists are secretly using these sites to communicate covertly. This is urgent. Take them down.

Vesselin Bontchev January 22, 2026 1:39 AM

@Why Secret Voting? Voting needs to be secret in order to prevent vote buying. If somebody wants to buy your vote, you have to be able to show them that you have indeed voted in the way they wanted, so that they know that they’re getting their money’s worth. With secret voting, you can’t do that.

Povl H. Pedersen January 22, 2026 6:25 AM

Looking at Estonia: There is no way to ensure that the voter is doing so without being under pressure to make some specific choice. In the USA lots of Republicans would have forced their wives to vote for the orange guy. So their vote would not have been a vote of free choice. The option to change your mind later, or go to the polling station helps a little.

Electronic voting without a paper trail, and without open source code is by definition not reliable. And in the US, they would probably use a Republican-owned company to do everything in the dark.

We need paper trails. Or if pure electronic, we need at least a blockchain or something like it, of all votes, where every voter can verify their own vote, but nobody else should be able to determine who cast which vote. And we need multiple voting attempts. And voters should be able to send their unique ID to any 3rd party anonymously, and the 3rd party can then use this to sample the election.

If not run fully in the open, we need an open standard, and anybody should be able to sign up to get live voting results. Thus no post-voting manipulation possible. There will likely be hundreds of unrelated recipients of every single vote.

It is more than enough that the tech billionaires own almost all media and communication channels. That is skewing the election big time by manipulation. Just look at how many people think Trump is fit to be president of the USA – Dementia supposedly is no problem.

NC January 22, 2026 12:58 PM

The point about coercion is interesting, especially as pertains to mail-in voting, but I think we have to consider relative harms. How many people have a controlling spouse or whatever, vs how many people are shut-ins or work too many jobs or just otherwise can’t get to the polls? My intuition is that the second group is much larger, and that thus a rule like mail-in voting would bring us closer to a representative democracy, but any actual solution would need to get actual data and weigh the implications carefully.
