April 24, 2014


Internet Voting: How Far Can We Go Safely?

Yesterday I chaired an interesting panel on Internet Voting at CFP. Participants included Amy Bjelland and Craig Stender (State of Arizona), Susan Dzieduszycka-Suinat (Overseas Vote Foundation) Avi Rubin (Johns Hopkins), and Alec Yasinsac (Univ. of South Alabama). Thanks to David Bruggeman and Cameron Wilson at USACM for setting up the panel.

Nobody advocated a full-on web voting system that would allow voting from any web browser. Instead, the emphasis was on more modest steps, aimed specifically at overseas voters. Overseas voters are a good target population, because there aren’t too many of them — making experimentation less risky — and because vote-by-mail serves them poorly.

Discussion focused on two types of systems: voting kiosks, and Internet transmission of absentee ballots.

A voting kiosk is a computer-based system, running carefully configured software, that is set up in a securable location overseas. Voters come to this location, authenticate themselves, and vote just as they would in a polling place back home. A good kiosk system keeps an electronic record, which is transmitted securely across the Internet to voting officials in the voter’s home jurisdiction. It also keeps a paper record, verifiable by the voter, which is sent back to voting officials after the elections, enabling a post-election audit. A kiosk can use optical-scan technology or it can be a touch-screen machine with a paper trail — essentially it’s a standard voting system with a paper trail, connected to home across the Internet. If the engineering is done right, if the home system that receives the electronic ballots is walled off from the central vote-tabulating system, and if appropriate post-election auditing is done, this system can be secure enough to use. All of the panelists agreed that this type of system is worth trying, at least as a pilot test.
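As an added illustration (not code from the original post or from any of the panelists' systems), here is a small Python model of the kiosk design just described: an authenticated electronic record sent to a walled-off receiver at home, a separate voter-verified paper record, and a post-election audit that compares the two. The key, ballot ids and choices are constructed, and HMAC stands in for whatever transport authentication a real system would use.

```python
import hashlib
import hmac
import json

# Assumed pre-shared key between one kiosk and the home jurisdiction (constructed value).
KIOSK_KEY = b"constructed-demo-key"

def cast_ballot(ballot_id, choice):
    """Kiosk output: an authenticated electronic record plus the voter-verifiable paper record."""
    payload = json.dumps({"id": ballot_id, "choice": choice}, sort_keys=True)
    tag = hmac.new(KIOSK_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}, {"id": ballot_id, "choice": choice}

def receive(electronic_records):
    """Home-side receiver (kept apart from the tabulator): accept only records with a valid tag."""
    accepted = []
    for rec in electronic_records:
        expected = hmac.new(KIOSK_KEY, rec["payload"].encode(), hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, rec["tag"]):
            accepted.append(json.loads(rec["payload"]))
    return accepted

def audit(electronic, paper):
    """Post-election audit: ballot ids whose electronic and paper records disagree or are missing."""
    e = {r["id"]: r["choice"] for r in electronic}
    p = {r["id"]: r["choice"] for r in paper}
    return sorted(i for i in set(e) | set(p) if e.get(i) != p.get(i))

def run_scenarios():
    """Three constructed ballots; returns the audit findings for each scenario."""
    ballots = [cast_ballot("b1", "A"), cast_ballot("b2", "B"), cast_ballot("b3", "A")]
    electronic, paper = [e for e, _ in ballots], [p for _, p in ballots]
    # 1. Honest transmission: the audit finds nothing.
    clean = audit(receive(electronic), paper)
    # 2. Record altered in transit: without the key the tag no longer verifies,
    #    the receiver drops it and the audit reports the ballot as missing.
    tampered = [dict(r) for r in electronic]
    tampered[1]["payload"] = tampered[1]["payload"].replace('"B"', '"A"')
    in_transit = audit(receive(tampered), paper)
    # 3. Kiosk software itself misrecords b3: the tag is valid, so only the
    #    comparison against the voter-verified paper record reveals it.
    subverted = electronic[:2] + [cast_ballot("b3", "B")[0]]
    at_kiosk = audit(receive(subverted), paper)
    return clean, in_transit, at_kiosk

if __name__ == "__main__":
    print(run_scenarios())  # ([], ['b2'], ['b3'])
```

The third scenario is the one that matters for the design argument: transport authentication alone cannot catch a subverted kiosk, which is why the paper record and the audit are not optional extras.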

The other approach is to use ordinary absentee ballots, but to distribute them and allow voters to return them online. A voter goes to a web site and downloads a file containing an absentee ballot and a cover sheet. After printing out the file, the voter fills out the cover sheet (giving his name and other information) and the ballot. He scans the cover sheet and ballot, and uploads the scan to a web site. Election officials collect and print the resulting file, and treat the printout like an ordinary absentee ballot.

Kevin Poulsen and Eric Rescorla criticize the security of this system, and for good reason. Internet distribution of blank ballots can be secure enough, if done very carefully, but returning filled-out ballots from an ordinary computer and browser is risky. Eric summarizes the risks:

We have integrity issues here as well: as Poulsen suggests (and quotes Rubin as suggesting), there are a number of ways for things to go wrong here: an attacker could subvert your computer and have it modify the ballots before sending them; you could get phished and the phisher could modify your ballot appropriately before passing it on to the central site. Finally, the attacker could subvert the central server and modify the ballots before they are printed out.

Despite the risks, systems of this sort are moving forward in various places. Arizona has one, which Amy and Craig demonstrated for the panel’s audience, and the Overseas Vote Foundation has one as well.

Why is this less-secure alternative getting more traction than kiosk-based systems? Partly it’s due to the convenience of being able to vote from anywhere (with a Net connection) instead of having to visit a kiosk location. That’s understandable. But another part of the reason seems to be that people don’t realize what can go wrong, and how often things actually do go wrong, in online interactions.

In the end, there was a lot of agreement among the panelists — a rare occurrence in public e-voting discussions — but disagreement remained about how far we can go safely. For overseas voters at least, the gap between what is convenient and what can be made safe is smaller than it is elsewhere, but that gap does still exist.

Comments

  1. rp says:

    There are so many different ways someone with malicious access to either PC or server could subvert this process. The easiest one I can think of would simply discard the ballot scan and substitute its own renamed file. (Yep, there’s checking you can do to counter such a simple version, but counter-countermeasures are fairly easy as well.)

    One important thing to remember is that for most vote-rigging purposes it is only necessary to spoil a ballot you (statistically or by inspection) don’t like.

  2. pete.d says:

    One of the things that has struck me during the increase of polling-place security measures (for example, the districts that require photo ID, with the claim that they are trying to catch illegal immigrants or just general voter fraud) is that districts all over the nation continue to use a mail-in absentee ballot that is inherently not secure.

    Here in Washington State, most (all?) counties have moved to a 100%-mail-in voting process.

    I will grant that because of the bottlenecks involved, online voting is a much more attractive target. But I wonder if it will ever occur to anyone that the old absentee stand-by, mail-in ballots, fails to meet the same standards of security that are being argued for in the case of online voting.

    And if it does occur to them, will something ever be done about it, or will we just continue to move forward with this double-standard, self-contradictory voting process.

    • rp says:

      You’re not looking at the problem photo ID is intended to solve, which is not fraud but rather keeping people who don’t have photo ID (or who have a well-founded fear of local authorities) from voting.

  3. Devon Cooke says:

    Yes, allowing individual ballots out of your control is a security risk, but how much of a concern is that if each individual system has to be compromised? Someone wanting to compromise an election using this method would need to individually hack a large number of systems — one or two compromised systems might compromise one or two votes, but that’s not enough to reliably compromise an election. And, if enough systems are compromised that the outcome *could* potentially be affected, I find it highly implausible that such a widespread “botnet” of voting hacks would not be noticed and then addressed. As soon as one instance of a vote-playing hack was found, would not the electoral officials do something about it (institute a secondary system, for example)?

    The only way I can see this type of attack being a threat is if a list of overseas voters (and, ideally, their IP addresses) was somehow leaked to the public. I would imagine that a list such as this is much simpler to secure than 1,000's of public computers.

    I also second the comment about security of paper ballots … I find the possibility of paper ballots being intercepted far more likely than an electronic compromise.

    • Anonymous says:

      Most computers are already part of a botnet. If a significant election was held via the web, rigging it would only require sending a few new orders to, say, the Storm botnet, to order the bots to tamper with votes meeting certain criteria on their individual host systems. That election would be up for grabs to the highest bidder, with the Russian mob holding the auction.

  4. Anonymous says:

    As stated above, mail-in ballots are also insecure. If any district were to go online, I would expect it to be a state with high mail-in voting such as Oregon, Washington, and California.

  5. kathydopp says:

    Wouldn’t a requirement to mail in as well as scan and upload the absentee ballot solve some of the same problems that the kiosk does – by allowing for audits of the electronic records?

    That said, I agree with pete.d who remarks on the security problems with even mailed absentee ballots. Dr. Charles Corry of Colorado Springs has written extensively of the problems with using mail-in balloting.

  6. Preston L. Bannister says:

    Ordinary mail-in Absentee ballots are already massively insecure (at least as used around here – and probably most other places). That sets a fairly low standard for proof against subversion. Internet Voting can be more secure, and should thus not be discounted.

    Voting at a polling place using appropriate software and carefully secured machines is better, but as long as insecure absentee voting is allowed, there is a lower standard to meet.

  7. supercat says:

    One important rule in most elections in the U.S. is that voters are forbidden from showing others how they have voted. Someone may offer goodies to a person in exchange for voting, in the hope that the person will vote “properly”, but there would generally be no legitimate way for the person offering the goodies to know or discover whether the person in question did in fact vote that way (precincts where every single voter casts a vote for the same candidate would be an exception). Allow vote buyers and manipulators to know that their efforts are “working”, however, and all sorts of mischief would open up.

    I find it troubling that so many people seem to want to replace the secret ballot with a non-secret one. While it’s true that the existing mail-ballot systems are already horrible, that doesn’t mean that one should try to extend the reach of such a horrible idea. Kiosks and portable machines, whose usage would be supervised, would be the way to go.

    • John Millington says:

      What some are calling “the convenience of being able to vote from anywhere” — a feature touted by internet voting advocates — is no feature at all. It’s a bad thing that we’ve decided must sometimes be regrettably tolerated, thus the invention of absentee ballots.

      What’s the advantage of making this process more convenient? Absentee voting should be harder than stepping into a booth where everyone can count how many legs are visible beneath the curtain. If you make it too easy, more people will find excuses to use it.

  8. John says:

    I think Internet voting can work, provided there is reliable software ensuring people don’t vote twice. Perhaps by entering in your social security number / driver’s license number to prove your identity. It would make voting more convenient. Then again, with all that data floating around, it could be a security risk, especially with the government’s incompetence.