September 18, 2020

Report Critical of Internet Voting

Four respected computer scientists, members of a government-commissioned study panel, have published a report critical of SERVE, a proposed system to let overseas military people vote in elections via a website. (Links: the report itself; John Schwartz story at N.Y. Times; Dan Keating story at Washington Post.) The report’s authors are David Jefferson, Avi Rubin, Barbara Simons, and David Wagner. The problem is not in the design of the voting technology itself, but in the simple fact that it is built on ordinary PCs and the Internet, leaving it open to all of the standard security attacks that ordinary systems face:

The real barrier to success is not a lack of vision, skill, resources, or dedication; it is the fact that, given the current Internet and PC security technology, and the goal of a secure, all-electronic remote voting system, the [program] has taken on an essentially impossible task. There really is no good way to build such a voting system without a radical change in overall architecture of the Internet and the PC, or some unforeseen security breakthrough.

SERVE advocates have two responses. The first is simple stonewalling (for example, saying “We have addressed all of those problems”, which is just false). I’ll ignore the stonewalling. The second response, which does have some force, says that SERVE is worth pursuing as an experiment. An experiment would have some value in understanding user-interface issues relating to e-voting; and the security risk would be acceptable as long as the experiment was small.

The authors of the report disagree, because they worry that the “experiment” would not be an experiment at all but just the first phase of deployment of a manifestly insecure system. If an experiment is done, and no fraud occurs – or at least no fraud is detected – this might be taken as showing that the system is secure, which it clearly is not.

This reminds me of an analogy used by the physicist Richard Feynman to criticize NASA’s safety culture after the Challenger space shuttle accident. (Feynman served on the Challenger commission, and famously demonstrated the brittleness of the rubber O-ring material by dunking it in his glass of ice water during a hearing.) Feynman likened NASA to a man playing Russian Roulette. The man spins the cylinder, puts the gun to his head, and pulls the trigger. Click; he survives. “Aha!” the man says, “This must be safe.”

UPDATE (Saturday, January 24): The Washington Post site has a chat with Avi Rubin, one of the report’s authors.

UPDATE (Thursday, February 6): The DoD has decided not to use SERVE in the November 2004 elections.

Comments

  1. I haven’t read the report yet, but this sounds pretty alarmist to me. It’s one thing to say “this is more insecure than the old way, here’s an easy way to make it secure” (as with voter verification), but it’s quite another to dismiss all Internet- and PC-based systems!

    All the problems they list (insider attacks, denial of service attacks, spoofing, automated vote buying, viral attacks on voter PCs, etc.) could conceivably be carried out in the real world. Some of them are magnified by the Internet, but there are ways to alleviate this problem.

    (Voting is currently a massively-distributed system. Certainly centralizing it would cause problems (e.g. easy to DOS) but if you kept it distributed, I don’t think it would be so bad (tricky to DOS every polling server across the country).)

    There are problems, to be sure, but this is no NASA Russian Roulette. The worst case scenario is not that everybody dies, but that you have to drive to the polling place instead. Since that’s the status quo, it doesn’t seem too bad to me.

  2. (Happy 500th post!)

    Another thing to keep in mind is that whole states (like Iowa, I hear) can vote absentee. If they can do that (keep in mind that the mail has no crypto or equivalent) then I have trouble seeing why Internet absentee voting would be wildly more insecure.

  3. Cypherpunk says:

    I was surprised to see only a brief mention of the role “trusted computing” might play in online voting, relegated to the final paragraph of the last appendix. Microsoft’s Palladium (NGSCB) initiative will allow software agents to load and run in a known and controlled environment, immune to malicious tampering from other software in the machine. Voting software could use this technology to eliminate problems with the insecurity of the user’s machine. It could also make vote selling and many of the other concerns raised in the report much more difficult.

    This is also a good example where you’d want the software to be immune from tampering or control by the machine’s owner. In some cases voters may be using a machine controlled by someone else, and the report raises concerns about votes being recorded or even modified in that case. Many opponents of trusted computing have claimed that this owner-immunity has no valid purpose and should be eliminated, but the case of voting shows why it is needed.

    I can understand why the report chose to analyze the proposal in the context of current technology, but given that internet voting is something which will take many years to become widespread, it is also appropriate to look at the likely innovations in security over that time frame. The advent of trusted computing will totally change the security equation for any application involving sensitive data, and voting is a prime example. Unfortunately, some of the same security professionals who issued this report are also among the strongest critics of trusted computing technology, so perhaps they were reluctant to look too deeply into the value of such technology for this application.

  4. Aaron: In a traditional election, in order to steal or nullify a large number of votes, you have to commit many small acts of fraud, or you have to penetrate the central vote-counting operation. Both are difficult to pull off. Internet voting allows somebody sitting at their terminal in Outer Blogistan to steal or nullify many votes with a single act. It’s the possibility of large-scale, remote-control fraud that changes the security equation when you’re voting online.

    Cypherpunk: The report focuses on the system as designed, and of course the system as designed doesn’t use a Trusted Computing (TC) system. TC would change the evaluation, if the system were redesigned to exploit it. And someday, when the vast majority of overseas military folks have TC-enabled computers, a sufficiently secure online voting system may be feasible.

    If I were an author of the report, I would be worried about saying anything that could be (mistakenly or deliberately) misread as implying that the current system is just a few tweaks away from being sufficiently secure. Still, I would go farther than the report’s authors did: I would say that an eventual broad deployment of TC should trigger a reexamination of the program’s feasibility.

  5. I disagree with Aaron’s characterization of a worst case scenario. A world where voting is always conducted on the SERVE system would be infinitely worse than the status quo. The system is not certified – even to the lax standards of the FEC – which has obvious implications for trust and transparency. The fear is not that the system won’t work and will have to be abandoned; it’s that it won’t work and will be deployed anyway.

  6. If the system is well designed, then the only way I can see “large-scale, remote-control fraud” occurring is if the attacker penetrates the vote counting machines (which should be made extremely secure). If things are done right, this seems unlikely and easy to detect. If it is detected (or suspected), then you immediately shut the Internet vote off and fall back to traditional methods.

    Ren says a world where all voting was conducted on SERVE would be bad, and no doubt that is correct. My contention is simply that it is not impossible to design a secure system that allows a small portion of the population to submit their vote over the Internet.

    The system I imagine would work something like this: You register, an absentee ballot is mailed to you, the ballot has a nonce at the top. You can either mail the ballot back or visit a secure website and enter your vote and the string.

    The website uses some sort of CAPTCHA-style technology to make sure the vote was actually entered by a human (and not a virus that’s infected the machine).

    But, now that I think about it, why don’t they just let people submit their vote by phone. Finding a phone is no more difficult (and probably easier) than an Internet connection, it provides an audit trail (record the voter speaking their vote), it’s difficult to infect or take control of, it can’t let its owner thwart your desires, and it’s just as easy to use. Am I missing something?
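To make the nonce-ballot sketch in comment 6 concrete, here is an added example (not code from the post or any of its commenters) that models the website side in Python; the function names, the in-memory ballot store and the candidate names are assumptions. It shows what the mailed nonce can catch (an unknown or already-cast ballot) and what it cannot (a choice rewritten on the voter’s own PC before submission, which is the report’s client-security concern).

```python
import hashlib
import secrets

# Constructed in-memory election-office store: sha256(nonce) -> ballot record.
BALLOTS = {}

def issue_ballot(voter_id):
    """Mail-side step: mint a random nonce for one voter and keep only its hash.
    Returns the nonce that would be printed at the top of the paper ballot."""
    nonce = secrets.token_urlsafe(16)
    digest = hashlib.sha256(nonce.encode()).hexdigest()
    BALLOTS[digest] = {"voter": voter_id, "used": False, "choice": None}
    return nonce

def submit_vote(nonce, choice):
    """Website-side step: accept a (nonce, choice) pair exactly once.
    Only the nonce is validated; the server learns nothing about the PC it came from."""
    digest = hashlib.sha256(nonce.encode()).hexdigest()
    record = BALLOTS.get(digest)
    if record is None:
        return "rejected: unknown ballot"
    if record["used"]:
        return "rejected: ballot already cast"
    record["used"] = True
    record["choice"] = choice
    return "accepted"

def choice_recorded_for(voter_id):
    """Audit helper: what the server actually stored for this voter."""
    for rec in BALLOTS.values():
        if rec["voter"] == voter_id:
            return rec["choice"]
    return None

def cast_from_pc(nonce, intended_choice, pc_rewrites_choice=None):
    """Voter-side step. A compromised PC (the 'viral attack on voter PCs' the report
    worries about) is modelled as the browser silently sending a different choice."""
    sent = pc_rewrites_choice if pc_rewrites_choice is not None else intended_choice
    return submit_vote(nonce, sent)

def demo():
    """Run the three server-visible cases and the one invisible case."""
    n1, n2 = issue_ballot("voter-1"), issue_ballot("voter-2")
    return {
        "honest": cast_from_pc(n1, "Candidate A"),
        "replay": cast_from_pc(n1, "Candidate A"),
        "forged": cast_from_pc("not-a-real-nonce", "Candidate A"),
        "tampered": cast_from_pc(n2, "Candidate A", pc_rewrites_choice="Candidate B"),
        "voter-2 recorded": choice_recorded_for("voter-2"),
    }
```

The tampered submission is indistinguishable from an honest one on the server, which is why the mail-back path (a paper record the voter’s PC never touches) matters more than the nonce check.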