December 22, 2024

Posts Comments

Yet again, why banking online .NE. voting online

July 6, 2011 by

One of the most common questions I get is “if I can bank online, why can’t I vote online”. A recently released (but undated) document ”Supplement to Authentication in an Internet Banking Environment” from the Federal Financial Institutions Examination Council addresses some of the risks of online banking. Krebs on Security has a nice writeup of the issues, noting that the guidelines call for ‘layered security
programs’ to deal with these riskier transactions, such as:

  1. methods for detecting transaction anomalies;

  2. dual transaction authorization through different access devices;

  3. the use of out-of-band verification for transactions;

  4. the use of ‘positive pay’ and debit blocks to appropriately limit
    the transactional use of an account;

  5. ‘enhanced controls over account activities,’ such as transaction
    value thresholds, payment recipients, the number of transactions
    allowed per day and allowable payment days and times; and

  6. ’enhanced customer education to increase awareness of the fraud
    risk and effective techniques customers can use to mitigate the
    risk.’

[I’ve replaced bullets with numbers in Krebs’ posting in the above list to make it
easier to reference below.]

So what does this have to do with voting? Well, if you look at them
in turn and consider how you’d apply them to a voting system:

  1. One could hypothesize doing this – if 90% of the people in a
    precinct vote R or D, that’s not a good sign – but too late to do
    much. Suggesting that there be personalized anomaly detectors (e.g.,
    “you usually vote R but it looks like you’re voting D today, are you
    sure?”) would not be well received by most voters!

  2. This is the focus of a lot of work – but it increases the effort for the voter.

  3. Same as #2. But have to be careful that we don’t make it too hard
    for the voter! See for example SpeakUp: Remote Unsupervised Voting as an example of how this might be done.

  4. I don’t see how that would apply to voting, although in places like Estonia where you’re allowed to vote more than once (but only the last vote counts) one could imagine limiting the number of votes that can be cast by one ID. Limiting the number of votes from a single IP address is a natural application – but since many ISPs use the same (or a few) IP addresses for all of their customers thanks to NAT, this would disenfranchise their customers.

  5. “You don’t usually vote in primaries, so we’re not going to let you
    vote in this one either.” Yeah, right!

  6. This is about the only one that could help – and try doing it on
    the budget of an election office!

Unsaid, but of course implied by the financial industry list is that the goal is to reduce fraud to a manageable level. I’ve heard that 1% to 2% of the online banking transactions are fraudulent, and at that level it’s clearly not putting banks out of business (judging by profit numbers). However, whether we can accept as high a level of fraud in voting as in banking is another question.

None of this is to criticize the financial industry’s efforts to improve security! Rather, it’s to point out that try as we might, just because we can bank online doesn’t mean we should vote online.

Filed Under: Other Topics Tagged With:

Debugging Legislation: PROTECT IP

May 14, 2011 by

There’s more than a hint of theatrics in the draft PROTECT IP bill (pdf, via dontcensortheinternet ) that has emerged as son-of-COICA, starting with the ungainly acronym of a name. Given its roots in the entertainment industry, that low drama comes as no surprise. Each section name is worse than the last: “Eliminating the Financial Incentive to Steal Intellectual Property Online” (Sec. 4) gives way to “Voluntary action for Taking Action Against Websites Stealing American Intellectual Property” (Sec. 5).

Techdirt gives a good overview of the bill, so I’ll just pick some details:

  • Infringing activities. In defining “infringing activities,” the draft explicitly includes circumvention devices (“offering goods or services in violation of section 1201 of title 17”), as well as copyright infringement and trademark counterfeiting. Yet that definition also brackets the possibility of “no [substantial/significant] use other than ….” Substantial could incorporate the “merely capable of substantial non-infringing use” test of Betamax.
  • Blocking non-domestic sites. Sec. 3 gives the Attorney General a right of action over “nondomestic domain names”, including the right to demand remedies from (A) domain name system server operators, (B) financial transaction providers, (C), Internet advertising services, and (D) “an interactive computer service (def. from 230(f)) shall take technically feasible and reasonable measures … to remove or disable access to the Internet site associated with the domain name set forth in the order, or a hypertext link to such Internet site.”
  • Private right of action. Sec. 3 and Sec. 4 appear to be near duplicates (I say appear, because unlike computer code, we don’t have a macro function to replace the plaintiff, so the whole text is repeated with no diff), replacing nondomestic domain with “domain” and permitting private plaintiffs — “a holder of an intellectual property right harmed by the activities of an Internet site dedicated to infringing activities occurring on that Internet site.” Oddly, the statute doesn’t say the simpler “one whose rights are infringed,” so the definition must be broader. Could a movie studio claim to be hurt by the infringement of others’ rights, or MPAA enforce on behalf of all its members? Sec. 4 is missing (d)(2)(D)
  • WHOIS. The “applicable publicly accessible database of registrations” gets a new role as source of notice for the domain registrant, “to the extent such addresses are reasonably available.” (c)(1)
  • Remedies. The bill specifies injunctive relief only, not money damages, but threat of an injunction can be backed by the unspecified threat of contempt for violating one.
  • Voluntary action. Finally the bill leaves room for “voluntary action” by financial transaction providers and advertising services, immunizing them from liability to anyone if they choose to stop providing service, notwithstanding any agreements to the contrary. This provision jeopardizes the security of online businesses, making them unable to contract for financial services against the possibility that someone will wrongly accuse them of infringement. 5(a) We’ve already seen that it takes little to convince service providers to kick users off, in the face of pressure short of full legal process (see everyone vs Wikileaks, Facebook booting activists, and numerous misfired DMCA takedowns); this provision insulates that insecurity further.

In short, rather than “protecting” intellectual and creative industry, this bill would make it less secure, giving the U.S. a competitive disadvantage in online business. (Sorry, Harlan, that we still can’t debug the US Code as true code.)

Filed Under: Other Topics

Seals on NJ voting machines, as of 2011

March 21, 2011 by

Part of a multipart series starting here.

During the NJ voting-machines trial, plaintiffs’ expert witness Roger Johnston testified that the State’s attempt to secure its AVC Advantage voting machines was completely ineffective: the seals were ill-chosen, the all-important seal use protocol was entirely missing, and anyway the physical design of this voting machine makes it practically impossible to secure using seals.

Of course, the plaintiffs’ case covered many things other than security seals. And even if the seals could work perfectly, how could citizens know that fraudulent vote-miscounting software hadn’t been perfectly sealed into the voting machine?

Still, it was evident from Judge Linda Feinberg’s ruling, in her Opinion of February 2010, that she took very seriously Dr. Johnston’s testimony about the importance of a seal use protocol. She ordered,


4. SEALS AND SEAL-USE PROTOCOLS (REQUIRED)

For a system of tamper-evident seals to provide effective protection seals must be consistently installed, they must be truly tamper-evident, and they must be consistently inspected. While the new seals proposed by the State will provide enhanced security and protection against intruders, it is critical for the State to develop a seal protocol, in writing, and to provide appropriate training for individuals charged with seal inspection. Without a seal-use protocol, use of tamper-evident seals significantly reduces their effectiveness.

The court directs the State to develop a seal-use protocol. This shall include a training curriculum and standardized procedures for the recording of serial numbers and maintenance of appropriate serial number records.

(With regard to other issues, she ordered improvements to the security of computers used to prepare ballot definitions and aggregate vote totals; criminal background checks for workers who maintain and transport voting machines; better security for voting machines when they are stored at polling places before elections; that election computers not be connected to the Internet; and better training for election workers in “protocols for the chain of custody and maintenance of election records.”)

Judge Feinberg gave the State until July 2010 to come up with a seal use protocol. The State missed this deadline, but upon being reminded of the deadline, they submitted to the Court some woefully inadequate sketches for such a protocol. The Court rejected these sketches, and told them to come up with a real protocol. In September 2010 they tried again with a lengthier document that was still short on specifics, and the Court again found this inadequate. In October 2010 they tried again, asking for another 12-month extension, which the judge granted. In addition they proposed some new seal protocols, but asked the Court not to show them to Plaintiffs’ experts–which is most unusual in the tradition of Anglo-American law, where the Court is supposed to hear from both sides before a finding of fact. By March 2011, Judge Feinberg has not yet decided whether the State has a seal use protocol in compliance with her Order.

I’ve been observing the New Jersey Division of Elections quite closely over the past few years, as this litigation has dragged on. In some things they do a pretty good job: they are competent at voter registration, and they do maintain enough polling places so that the lines don’t get long—and these are basics of election administration that we should not take for granted. But with regard to the security of their voting machines, they just don’t get it. These direct-recording electronic voting machines are inherently insecure, and in the period 2008-2010 they have applied no fewer than six different ad-hoc “patches” to try to secure these machines: four different seal regimes, followed by three different documents claiming to be seal use protocols.

Is the New Jersey Division of Elections deliberately stalling, preserving insecure elections by dragging this case out, always proposing too little, too late and always requesting another extension? Or do they just not care, so through their lack of attention they always propose too little, too late and always request another extension? Even if the Division of Elections could come up with a seal use protocol that the Court would accept, how could we believe that these Keystone Kops could have the follow-through, the “security culture”, to execute such a protocol in the decades to come?

These voting machines are inherently insecure. The State claims they could be made secure with good seals. That’s not true: even with perfect seals and a perfectly executed seal-use protocol, there is the danger of locking fraudulent software securely into the voting machine! But even on its own flawed terms–trying to solve the problem with seals insead of with an inherently auditable technology–the State is failing to execute.

Filed Under: Other Topics

Internet Voting in Union Elections?

March 16, 2011 by

The U.S. Department of Labor (DOL) recently asked for public comment on a fascinating issue: what kind of guidelines should they give unions that want to use “electronic voting” to elect their officers? (Curiously, they defined electronic voting broadly to include computerized (DRE) voting systems, vote-by-phone systems and internet voting systems.)

As a technology policy researcher with the NSF ACCURATE e-voting center, I figured we should have good advice for DOL.

(If you need a quick primer on security issues in e-voting, GMU’s Jerry Brito has just posted an episode of his Surprisingly Free podcast where he and I work through a number of basic issues in e-voting and security. I’d suggest you check out Jerry’s podcast regularly as he gets great guests (like a podcast with CITP’s own Tim Lee) and really digs deep into the issues while keeping it at an understandable level.)

The DOL issued a Request for Information (PDF) that asked a series of questions, beginning with the very basic, “Should we issue e-voting guidelines at all?” The questions go on to ask about the necessity of voter-verified paper audit trails (VVPATs), observability, meaningful recounts, ballot secrecy, preventing flawed and/or malicious software, logging, insider threats, voter intimidation, phishing, spoofing, denial-of-service and recovering from malfunctions.

Whew. The DOL clearly wanted a “brain dump” from computer security and the voting technology communities!

It turns out that labor elections and government elections aren’t as different as I originally thought. The controlling statute for union elections (the LMRDA) and caselaw* that has developed over the years require strict ballot secrecy–such that any technology that could link a voter and their ballot is not allowed–both during voting and in any post-election process. The one major difference is that there isn’t a body of election law and regulation on top of which unions and the DOL can run their elections; for example, election laws frequently disallow campaigning or photography within a certain distance of an official polling place while that would be hard to prohibit in union elections.

After a considerable amount of wrangling and writing, ACCURATE submitted a comment, find it here in PDF. The essential points we make are pretty straightforward: 1) don’t allow internet voting from unsupervised, uncontrolled computing devices for any election that requires high integrity; and, 2) only elections that use voter-verified paper records (VVPRs) subject to an audit process that uses those records to audit the reported election outcome can avoid the various types of threats that DOL is concerned with. The idea is simple: VVPRs are independent of the software and hardware of the voting system, so it doesn’t matter how bad those aspects are as long as there is a robust parallel process that can check the result. Of course, VVPRs are no panacea: they must be carefully stored, secured and transported and ACCURATE’s HCI researchers have shown that it’s very hard to get voters to consistently check them for accuracy. However, those problems are much more tractable than, say, removing all the malware and spyware from hundreds of thousands of voter PCs and mobile devices.

I must say I was a bit surprised to see the other sets of comments submitted, mostly by voting system vendors and union organizations, but also the Electronic Privacy Information Center (EPIC). ACCURATE and EPIC seem to be lone voices in this process “porting” what we’ve learned about the difficulties of running secure civic elections to the labor sphere. Many of the unions talked about how they must have forms of electronic, phone and internet voting as their constituencies are spread far and wide, can’t make it to polling places and are concerned with environmental impacts of paper and more traditional voting methods. Of course, we would counter that accommodations can be made for most of these concerns and still not fundamentally undermine the integrity of union elections.

Both unions and vendors used an unfortunate rhetorical tactic when talking about security properties of these systems: “We’ve run x hundreds of elections using this kind of technology and have never had a problem/no one has ever complained about fraud.” Unfortunately, that’s not how security works. Akin to adversarial processes like financial audits, security isn’t something that you can base predictions of future performance on past results. That is, the SEC doesn’t say to companies that their past 10 years of financials have been in order, so take a few years off. No, security requires careful design, affirmative effort and active auditing to assure that a system doe not violate the properties it claims.

There’s a lot more in our comment, and I’d be more than happy to respond to comments if you have questions.

* Check out the “Court Cases” section of the Federal Register notice linked to above.

Filed Under: Other Topics Tagged With:

Seals on NJ voting machines, March 2009

March 7, 2011 by

During the NJ voting-machines trial, both Roger Johnston and I showed different ways of removing all the seals from voting machines and putting them back without evidence of tampering. The significance of this is that one can then install fraudulent vote-stealing software in the computer.

The State responded by switching seals yet again, right in the middle of the trial! They replaced the white vinyl adhesive-tape seal with a red tape seal that has an extremely soft and sticky adhesive. In addition, they proposed something really wacky: they would squirt superglue into the blue padlock seal and into the security screw cap.

Nothing better illustrates the State’s “band-aid approach, where serious security vulnerabilities can be covered over with ad hoc fixes” (as Roger characterizes it) than this. The superglue will interfere with the ability for election workers to (legitimately) remove the seal to maintain the machine. The superglue will make it more difficult to detect tampering, because it goes on in such a variable way that the inspector doesn’t know what’s supposed to be “normal.” And the extremely soft adhesive on the tape seal is extremely difficult to clean up, when the election worker (legitimately) removes it to maintain the machine. Of course, one must clean up all the old adhesive before resealing the voting machine.

Furthermore, Roger demonstrated for the Court that all these seals can still be defeated, with or without the superglue. Here’s the judge’s summary of his testimony about all these seals:


New Jersey is proposing to add six different kinds of seals in nine different locations to the voting machines. Johnston testified he has never witnessed this many seals applied to a system. At most, Johnston has seen three seals applied to high-level security applications such as nuclear safeguards. According to Johnston, there is recognition among security professionals that the effective use of a seal requires an extensive use protocol. Thus, it becomes impractical to have a large number of seals installed and inspected. He testified that the use of a large number of seals substantially decreases security, because attention cannot be focused for a very long time on any one of the seals, and it requires a great deal more complexity for these seal-use protocols and for training.

For more details and pictures of these seals, see “Seal Regime #4” in this paper.

Filed Under: Other Topics, Privacy & Security Tagged With: ,