Internet Voting Snafu at USRowing

USRowing, the governing body for the sport of rowing in the U.S., recently announced the discovery of likely fraud in one of its leadership elections.

Further investigation into this region’s voting resulted in the determination that fraudulent ballots were cast in the Mid-Atlantic election that directly affected the outcome of the Mid-Atlantic Regional Director of the Board of Directors election only. Those responsible for the fraudulent ballots have not yet been identified.

The election was held using an Internet voting system called Votenet. Votenet promotes itself as highly secure, and the company’s website offers white papers touting security certifications from Hyperion, Interfor, SAS70, Verisign, McAfee, and TrustE.

Security experts have long been skeptical of Internet voting. Although it might make sense to do online voting for some lower-stakes private elections, especially those without a secret ballot requirement, it has long been known that elections that rely only on Web or email access by voters cannot be very secure.

What went wrong in the USRowing election? I couldn’t find any discussion of the incident on Votenet’s site. The best clue comes from the USRowing statement:

During the initial phase of the investigation, a member of the rowing community came forward and disclosed their ability to obtain login information that allowed access to VoteNet, USRowing’s third-party online voting resource used successfully for the past four years, while appearing to be an authorized voter of a USRowing member organization. This individual also admitted to using these credentials while the election was underway to access most of the Mid-Atlantic organizations’ voting accounts on VoteNet.

This appears to indicate a failure of user authentication. Somehow, it was possible to get login credentials that allowed an attacker to pass themselves off as most or all of the authorized voters. How exactly this happened is not clear, but two obvious possibilities are that a listing of login information was somehow available to would-be attackers, or that login information such as passwords were created in a way that made them guessable. With the ability to impersonate voters, someone was apparently able to cast improper votes.

It’s interesting that the problem was apparently not discovered right away. One would expect that if an attacker cast a bogus ballot on behalf of a voter, there would be some chance that that voter would later log on and attempt to vote, only to discover that the system thought their vote was already recorded.

It’s also notable that USRowing seems to know which ballots were fraudulent. They don’t know who is responsible for casting the fraudulent ballots, so this knowledge can’t have come from the perpetrator. And notice that although USRowing says it knows of an individual who used others’ voting credentials during the election (see second quote above), but they don’t know who cast the fraudulent ballots (see first quote above)—which can only mean that the fraudulent voter was not the only one who knew of the security problem.

All of this has to be embarrassing for Votenet. It could be that Votenet’s internal security is excellent and that all of their certifications are entirely valid—but as the USRowing example shows, this by itself is not enough to make an election secure. Maybe the problem was entirely due to USRowing’s error. But even if that’s true, if you’re in the business of providing secure elections, your customers will want you to do what is necessary to provide secure elections.