April 16, 2014

avatar

Joisy on my mind

Like everyone interested in the mechanics of elections, I’ve been fascinated by the New Jersey efforts to allow voters to request and submit ballots via email. In this posting, I’d like to address four brief points that I don’t think have received much attention – the first two policy, and the last two technical.

First, the New Jersey directives have been inconsistent in how they’ve treated the requirement for returning paper copies of ballots submitted by email. For good reasons, New Jersey law requires that hardcopies be submitted to the local elections office, to be postmarked not later than election day. But some of the releases from the Lieutenant Governor’s office have mentioned this requirement, and others have been silent. In particular, the final release, put out mid-afternoon on Election Day, says nothing about the topic, when it extended the deadline for returning the email copy to the end of Friday. I expect that the majority of email ballots will not have corresponding hardcopies returned, which should (if the law is followed) result in the email copies being discarded.

Second, the New Jersey law is silent on what happens if the email and hardcopy disagree. This can happen for both innocuous and benign reasons. The former may include the voter changing her mind after emailing the ballot, noticing after emailing that she forgot to select a candidate for a contest, or many other reasons. Malicious reasons might include malware on the voter’s computer, in the network, or in the election office’s computer manipulating the electronic copy (which is after all unencrypted), as well as simple insider threats at the election office (i.e. receiving one version of the voter’s ballot but manipulating it before printing and counting it). If the two disagree, is the ballot discarded? Or is one or the other counted? Or is the election office responsible for figuring out which items the two agree on and counting those, but not the items where they disagree?

Third, the risk of malicious attachments coming in to election offices. This problem is two subparts – the risk of malicious software being introduced into the election office via attachments, and the second is reversing the decade of training even if nothing bad happens. For the former, it’s pretty much inevitable that some election office will get infected by malware, given the instructions to election officers to open attachments that may contain requests for absentee ballots or the ballots themselves. For the latter, IT departments everywhere have tried to teach computer users not to open attachments from unknown people, and preferably not even from known people. This is one of the major factors in reducing the risk from malware – and we know what happens when the training fails (for example, the major RSA and Google intrusions over the past few years were both due to poisoned attachments). But by telling election officials that voters will email in their requests for blank ballots, and the marked ballots, and from potentially any email address in the world, how will they decide which ones to open and which to ignore? (Yes, I assume that election officials have antivirus or similar software installed in their mail servers and/or end user systems, but those systems aren’t particularly effective, as the RSA & Google examples show.)

Fourth, the flip side of the above – we’re teaching our voters to open any attachment that seems to come from an election office, because it may be our long-awaited blank ballot. How long before this becomes an avenue of attack for malware authors? Just send a message with a return address from “”, and voters are now trained to open the message and the attachment.

I consider that the risk of malware in New Jersey government systems is probably near 100% by the end of this week, as they finish processing email ballots. I hope I’m wrong. But what scares me the most is that if there’s someone who’s been waiting for an opportunity, this is the perfect time to launch that attack, which may never be detected.