Stealing Oscar

It’s often been said that Oscar season reflects the broader splendors and dysfunctions of American public life. The Academy of Motion Picture Arts and Sciences’ ideals of scrupulous fair play have been under constant challenge in recent years, on such issues as the promotional pull of A-list stars, the power of big-studio money and negative advertising campaigns designed to undermine the competition.

Now, though, the academy may be committing a blunder of its own making. It recently announced that it would be ditching its current all-mail secret ballot system, and that its more than 5,000 members would be voting through their own computers, starting next year.

The academy said the software developed by the San Diego-based computer voting company Everyone Counts would incorporate “multiple layers of security” and “military-grade encryption techniques” to ensure that nothing untoward or underhanded could occur before PricewaterhouseCoopers, its accountancy firm, captured the votes from the Internet ether.

Unfortunately, leading computer scientists around the world who have looked at Internet voting systems do not share the academy’s confidence. On the contrary, they say the technology is vulnerable to a variety of cyber attacks — no matter how many layers of encryption there are — and risks producing a fraudulent outcome without anyone necessarily realizing it.

Nothing has demonstrated the danger more starkly, perhaps, than a pilot Internet election in Washington in the fall of 2010, which was comprehensively hacked by a team from the University of Michigan. Election officials had invited the public to test the program, and the team, led by computer scientist J. Alex Halderman, was able not only to change votes undetected but also to see who had voted for whom. Halderman reported seeing attempted hacks from as far away as Iran and China, and took steps to thwart them while election administrators in Washington remained blissfully unaware.

Computer experts on both sides of the Atlantic are unequivocal: There is no known way to have a secret ballot, keeping the voter entirely separate from his or her vote, and also to conduct a meaningful audit ensuring that nothing went awry. David Dill, a computer science professor at Stanford University and the founder of the voting rights group VerifiedVoting.org, said the danger was far more acute when voters use their own computers, which tend to be riddled with malicious software that enables hackers half a world away to manipulate them at will.

“If someone decided to steal the Oscars and snag votes from machines already under their control, it could change the outcome,” Dill explained. And, as goes the academy, so goes the political world. As more and more states disregard the experts and allow Internet voting for overseas and military voters, the risk of foul play in political elections increases.

Four years ago, Dill drafted a statement outlining the dangers of Internet voting — which had just been introduced for the Democratic Party primary season — and got 30 high-profile colleagues to sign it. These included Avi Rubin and Dan Wallach, who led the team in 2003 that exposed deep flaws in the operating software used by Diebold, then one of the leading makers of computer voting terminals. Diebold took a hit to its once-stellar reputation as a maker of ATMs and is no longer in the election software business.

Everyone Counts is certainly savvier than some of the computer voting machine manufacturers who emerged a decade ago. Chief Executive Lori Steele understands that clean elections are about accountability from end to end, not just some miracle machine that does all the work by itself.

She also did not contest the objections voiced by Dill and the other computer scientists. Rather, she argued that, whatever the flaws, carefully encrypted computers are far more reliable than paper ballots, which can potentially be manipulated by a single rogue election official. Everyone Counts puts its machines through a rigorous auditing process, she said, and even interrupted a recent election in Australia to conduct a surprise audit in the middle of the ballot count.

That argument might have been good enough for the academy and for PricewaterhouseCoopers, but it still alarms many software experts. “A surprise audit in the middle is interesting, but I don’t think that’s adequate for the job because there are still multiple ways to defeat it,” Dill said.

Peter Ryan, a British professor of applied security at the University of Luxembourg who has worked unsuccessfully for years to crack the Internet voting problem, was equally scathing, dismissing Everyone Counts’ description of its own software security as “fancy crypto” that would not stop someone motivated and smart enough to find a way to break it.

The academy has always bent over backward to keep Oscars voting beyond suspicion. It has also won plaudits from voting reform advocates for its embrace of instant runoffs and, in the best picture category, rank-choice voting that now gives rise to a variable number of nominees each year.

When asked about the problems inherent in Internet voting, the academy’s chief operating officer, Ric Robertson, appeared to be unaware of them. “I’m not personally aware of that particular dialogue,” he told me. He expressed an interest in studying the problem, though, and emphasized that Everyone Counts and PricewaterhouseCoopers plan to spend the next year fine-tuning the system.

It’s important that the academy weighs its options carefully, and not just to squash arguments about which actors or screenwriters might have been “robbed.” An endorsement of Internet voting by Hollywood’s ruling body will inevitably be taken as an opportunity to push the technology more aggressively in the political arena. As long as there are questions about the safety of the technology, that expansion poses an ever-greater threat to our democratic integrity.

Andrew Gumbel is an L.A.-based journalist and the author of “Steal This Vote: Dirty Elections and the Rotten History of Democracy in America.”