Slashdot Mirror
In Theory And Practice, Why Internet-Based Voting Is a Bad Idea
A few countries, like Estonia, have gone for internet-based voting in national elections in a big way, and many others (like Ireland and Canada) have experimented with it. For Americans, with a presidential election approaching later this year, it's a timely issue: already, some states have come to allow at least certain forms of voting by internet. Proponents say online elections have compelling upsides, chief among them ease of participation. People who might not otherwise vote — in particular military personnel stationed abroad, but many others besides — are more and more reached by internet access. Online voting offers a way to keep the electoral process open to them. With online voting, too, there's no worry about conventional absentee ballots being lost or delayed in the postal system, either before reaching the voter or on the way back to be counted. The downsides, though, are daunting. According to RSA panelists David Jefferson and J. Alex Halderman, in fact, they're overwhelming. Speaking Thursday afternoon, the two laid out their case against e-voting.
(Read more for more, and look for a video interview with Halderman soon).
Jefferson and Halderman have impressive credentials as analysts and critics of internet voting. Jefferson, a computer scientist at Lawrence Livermore National Laboratory, is chairman of the board of the Verified Voting Foundation, an NGO focused on promoting election integrity, and coauthor of a report that spurred the Department of Defense to withdraw for further consideration its then-plan for online voting, called SERVE, in 2004. Halderman takes a different, hands-on approach, demonstrating (along with his grad students at the University of Michigan) just how polling-station election machines and online voting system can be compromised. "I've probably hacked into and otherwise found vulnerabilities in more polling places than anyone else," he says.
Jefferson and Halderman are careful to define the key element of elections they're trying to expose as unfixably broken: namely, the delivery of completed ballots over the internet, whether that means a web app, email or some other conduit, without a voter-verified paper audit trail. Some kinds of election technology can move from the voting booth to the online world with less risk to the integrity of the election itself — for instance, distribution of blank ballots, or even online voter registration. "This isn't about keeping score of primaries, or gathering information about candidates, but actually voting," said Jefferson. The risk of hacked elections isn't just the possibility of political rivals trying to out-do each other, he said; ultimately, vulnerable election systems compromise national security and ballot secrecy. Even a few hundred votes may suffice to swing a House or Senate race, and that can have cascading consequences for control of elected bodies themselves. "Wherever there's a concentration of votes sufficient to swing a major election, there's a national security concern."
Why assume that election systems can be manipulated? And since paper ballots are not immune to questionable or downright fraudulent counts, why call out the electronic version in particular? In part, he says, because the structure of an electronic voting system is inherently complex, and because it's difficult if not impossible to roll back results if a compromise is suspected. Unlike paper ballots (and in the absence of a paper audit trail backing an electronic voting system), online vote gathering offers no good way to re-count. Jefferson laid out four major and overlapping areas of likely attacks on internet voting systems, any one of which could taint the results of an election.
First, individual voting jurisdictions are vulnerable to attack. (In the U.S., for federal elections, that essentially means counties, totaling more than 7000.) Even in local races, there can be billions of dollars at stake in high-population counties like Cook County or L.A. County. Vendors, both their networks and their source code, are also at risk. Assuming that even best efforts can keep the source code behind the handful of election-system vendors safe is a sucker's bet, Jefferson says. Even large companies with enormous security resources have been hacked, with source code a prime target, as happened to Google and 25 other firms in 2010 in a breach attributed to Chinese operatives. "Who knows if those [online voting software] vendors have already been penetrated? You wouldn't have any idea," said Jefferson.
Even if both local voting authorities and e-voting software vendors were themselves able to deflect all attacks, voters using an online voting system on their home or office PCs would still be at the mercy of the weakest link of the chain — the security of the machines available to them. Targeted malware could be used to present a different set of on-screen options to a voter than it actually sends back to the election counters. Because one of the protections of a secret ballot is to make available to voters proof that they voted but not how they voted, individuals who intended to selected candidate A would have no reason to know their vote was cast for candidate B instead. Malware could also simply vote without user interaction. It may not be election related, but a large fraction of PCs are already infected with some kind of malware, showing how big a problem this could be.
Finally, pure network attacks (or even errors) could disrupt the integrity of an election; exactly that kind of attack brought much of Estonia's online traffic to a halt in May 2007; lucky for Estonians that was not during an election, because Estonia is one of the few countries that has fully adopted online voting. Perhaps more chilling is the brief re-routing in April 2010 of 15 percent of the world's internet traffic through China.
Insecurity on the internet is itself a long-standing problem, so why the fuss? Unlike financial crime, such as credit card fraud, election fraud is hard to detect, and even harder to correct for, in large part because ballot secrecy is key to fair elections.
Voting is different. "Superficially, you'd think the transactions are very similar [to financial transactions], but underneath, all the issues are completely different. The privacy requirements are completely different, for example," says Jefferson. To prevent coerced voting, or simple vote selling, "You're allowed to tell anyone how you voted all you want, but you're not allowed to have proof of how you voted." Rolling back results to investigate suspected breaches is impossible, Jefferson says, without exposing the actual votes of individuals, at the very least to election officials.
Investigating financial crime online is the opposite; there, figuring out exactly who did what and when is the whole point, and the evidence is easy to find: if banking credentials are stolen, he said, "some account will go to zero." But in the case of elections, it's more likely that "the wrong people take office, and life goes on, and it's just never discovered."
And while no election fraud has yet been attributed to it, the trend is growing to institute the version of online voting that Jefferson calls "the worst idea ever" — voting by email. 33 states have modded their voting systems to accept in some cases PDFs of scanned ballots through ordinary e-mail to be entered by election workers. The numbers may be small (typically, this form of voting is limited to overseas voters, and in some cases voters are asked to acknowledge that their vote cannot be kept secret), but this allowance means that "e-mail voting is very widespread in the United States."
While Jefferson works through Verified Voting to influence policy makers to lay out the case against online voting, J. Alex Halderman, in his role as an assistant professor at the University of Michigan, turns theory into reality: he and his students break election systems (devices as well as software) in the U.S. and abroad to show just how easily a malicious attacker could do the same. He offered as an example of several of the ways electronic voting can fail his successful attack on an internet voting plan (see this earlier Slashdot story) that was to have been implemented in 2010 in the District of Columbia. The District had, with Federal grant money, designed an online voting system and already put it nearly into production, and had mailed PINs and voter ID numbers to voters in anticipation.
To D.C.'s credit, Halderman says, the election officials at least asked first for advice from security experts around the country, and invited them to test it in advance of using the system in an actual election, though mere days before the system was to have gone live. "It's not every day you're invited to hack into government computers without the threat of jail hanging over your head," says Halderman, who was attracted to the challenge of investigating the system itself, as well as curiosity about how the D.C. officials would respond to a system compromise.
Though Halderman says the Ruby on Rails-based system was written in "generally clean code," his team discovered a shell injection vulnerability which gave them access to the D.C. system (see his full paper as a PDF for the details), and immediately set about playing.
Web apps tend to be brittle, says Halderman, and D.C.'s was no exception. "App frameworks are written in ways that allow small mistakes to have big consequences," especially when vulnerabilities are often widely disseminated soon after discovery, and not always by white hat hackers like him.
"The first thing we did was steal all the important stuff," he says — credentials, keys, and more. Simply snooping on the data wasn't enough to fully demonstrate the problems in the system, though; the team replaced the information on all of the ballots as well, replacing the actual candidates with ones of their choice, offering up options like Hall 9000, and Bender for school board, and forced client machines to play the University of Michigan's fight song, before erasing the logs that would have allowed their intrusion to be properly analyzed by the system's administrators.
Their attack also led them to gain full access to a terminal server on the same network, and after they'd hacked into this ("using the default password from the owner's manual," Halderman notes) they noticed there was evidence in the logs of other attacks. In particular, some of the attacks appearing to originate in Iran and in China. While Halderman doubts these represent an attack specifically on the DC system voting system, the evidence of such attacks is "an illustration of how vulnerable things are."
Halderman acknowledges that voting in person, especially by electronic means, is far from foolproof, but he joins Jefferson in saying that online voting is categorically worse, and suggests that everyone who takes an interest in security or the mechanics of democratic elections raise the issues of privacy and security. His conclusion and advice for election officials in the U.S.: Voting online is a bad idea, and it simply can't be fixed in the foreseeable future. All the security problems of e-voting machines at polling stations apply directly to internet voting, too, which means that anyone on Earth can attack an online election.
"If my vote is insecure, everyone else who lives under that same government is harmed by that."
(Read more for more, and look for a video interview with Halderman soon).
Jefferson and Halderman have impressive credentials as analysts and critics of internet voting. Jefferson, a computer scientist at Lawrence Livermore National Laboratory, is chairman of the board of the Verified Voting Foundation, an NGO focused on promoting election integrity, and coauthor of a report that spurred the Department of Defense to withdraw for further consideration its then-plan for online voting, called SERVE, in 2004. Halderman takes a different, hands-on approach, demonstrating (along with his grad students at the University of Michigan) just how polling-station election machines and online voting system can be compromised. "I've probably hacked into and otherwise found vulnerabilities in more polling places than anyone else," he says.
Jefferson and Halderman are careful to define the key element of elections they're trying to expose as unfixably broken: namely, the delivery of completed ballots over the internet, whether that means a web app, email or some other conduit, without a voter-verified paper audit trail. Some kinds of election technology can move from the voting booth to the online world with less risk to the integrity of the election itself — for instance, distribution of blank ballots, or even online voter registration. "This isn't about keeping score of primaries, or gathering information about candidates, but actually voting," said Jefferson. The risk of hacked elections isn't just the possibility of political rivals trying to out-do each other, he said; ultimately, vulnerable election systems compromise national security and ballot secrecy. Even a few hundred votes may suffice to swing a House or Senate race, and that can have cascading consequences for control of elected bodies themselves. "Wherever there's a concentration of votes sufficient to swing a major election, there's a national security concern."
Why assume that election systems can be manipulated? And since paper ballots are not immune to questionable or downright fraudulent counts, why call out the electronic version in particular? In part, he says, because the structure of an electronic voting system is inherently complex, and because it's difficult if not impossible to roll back results if a compromise is suspected. Unlike paper ballots (and in the absence of a paper audit trail backing an electronic voting system), online vote gathering offers no good way to re-count. Jefferson laid out four major and overlapping areas of likely attacks on internet voting systems, any one of which could taint the results of an election.
First, individual voting jurisdictions are vulnerable to attack. (In the U.S., for federal elections, that essentially means counties, totaling more than 7000.) Even in local races, there can be billions of dollars at stake in high-population counties like Cook County or L.A. County. Vendors, both their networks and their source code, are also at risk. Assuming that even best efforts can keep the source code behind the handful of election-system vendors safe is a sucker's bet, Jefferson says. Even large companies with enormous security resources have been hacked, with source code a prime target, as happened to Google and 25 other firms in 2010 in a breach attributed to Chinese operatives. "Who knows if those [online voting software] vendors have already been penetrated? You wouldn't have any idea," said Jefferson.
Even if both local voting authorities and e-voting software vendors were themselves able to deflect all attacks, voters using an online voting system on their home or office PCs would still be at the mercy of the weakest link of the chain — the security of the machines available to them. Targeted malware could be used to present a different set of on-screen options to a voter than it actually sends back to the election counters. Because one of the protections of a secret ballot is to make available to voters proof that they voted but not how they voted, individuals who intended to selected candidate A would have no reason to know their vote was cast for candidate B instead. Malware could also simply vote without user interaction. It may not be election related, but a large fraction of PCs are already infected with some kind of malware, showing how big a problem this could be.
Finally, pure network attacks (or even errors) could disrupt the integrity of an election; exactly that kind of attack brought much of Estonia's online traffic to a halt in May 2007; lucky for Estonians that was not during an election, because Estonia is one of the few countries that has fully adopted online voting. Perhaps more chilling is the brief re-routing in April 2010 of 15 percent of the world's internet traffic through China.
Insecurity on the internet is itself a long-standing problem, so why the fuss? Unlike financial crime, such as credit card fraud, election fraud is hard to detect, and even harder to correct for, in large part because ballot secrecy is key to fair elections.
Voting is different. "Superficially, you'd think the transactions are very similar [to financial transactions], but underneath, all the issues are completely different. The privacy requirements are completely different, for example," says Jefferson. To prevent coerced voting, or simple vote selling, "You're allowed to tell anyone how you voted all you want, but you're not allowed to have proof of how you voted." Rolling back results to investigate suspected breaches is impossible, Jefferson says, without exposing the actual votes of individuals, at the very least to election officials.
Investigating financial crime online is the opposite; there, figuring out exactly who did what and when is the whole point, and the evidence is easy to find: if banking credentials are stolen, he said, "some account will go to zero." But in the case of elections, it's more likely that "the wrong people take office, and life goes on, and it's just never discovered."
And while no election fraud has yet been attributed to it, the trend is growing to institute the version of online voting that Jefferson calls "the worst idea ever" — voting by email. 33 states have modded their voting systems to accept in some cases PDFs of scanned ballots through ordinary e-mail to be entered by election workers. The numbers may be small (typically, this form of voting is limited to overseas voters, and in some cases voters are asked to acknowledge that their vote cannot be kept secret), but this allowance means that "e-mail voting is very widespread in the United States."
While Jefferson works through Verified Voting to influence policy makers to lay out the case against online voting, J. Alex Halderman, in his role as an assistant professor at the University of Michigan, turns theory into reality: he and his students break election systems (devices as well as software) in the U.S. and abroad to show just how easily a malicious attacker could do the same. He offered as an example of several of the ways electronic voting can fail his successful attack on an internet voting plan (see this earlier Slashdot story) that was to have been implemented in 2010 in the District of Columbia. The District had, with Federal grant money, designed an online voting system and already put it nearly into production, and had mailed PINs and voter ID numbers to voters in anticipation.
To D.C.'s credit, Halderman says, the election officials at least asked first for advice from security experts around the country, and invited them to test it in advance of using the system in an actual election, though mere days before the system was to have gone live. "It's not every day you're invited to hack into government computers without the threat of jail hanging over your head," says Halderman, who was attracted to the challenge of investigating the system itself, as well as curiosity about how the D.C. officials would respond to a system compromise.
Though Halderman says the Ruby on Rails-based system was written in "generally clean code," his team discovered a shell injection vulnerability which gave them access to the D.C. system (see his full paper as a PDF for the details), and immediately set about playing.
Web apps tend to be brittle, says Halderman, and D.C.'s was no exception. "App frameworks are written in ways that allow small mistakes to have big consequences," especially when vulnerabilities are often widely disseminated soon after discovery, and not always by white hat hackers like him.
"The first thing we did was steal all the important stuff," he says — credentials, keys, and more. Simply snooping on the data wasn't enough to fully demonstrate the problems in the system, though; the team replaced the information on all of the ballots as well, replacing the actual candidates with ones of their choice, offering up options like Hall 9000, and Bender for school board, and forced client machines to play the University of Michigan's fight song, before erasing the logs that would have allowed their intrusion to be properly analyzed by the system's administrators.
Their attack also led them to gain full access to a terminal server on the same network, and after they'd hacked into this ("using the default password from the owner's manual," Halderman notes) they noticed there was evidence in the logs of other attacks. In particular, some of the attacks appearing to originate in Iran and in China. While Halderman doubts these represent an attack specifically on the DC system voting system, the evidence of such attacks is "an illustration of how vulnerable things are."
Halderman acknowledges that voting in person, especially by electronic means, is far from foolproof, but he joins Jefferson in saying that online voting is categorically worse, and suggests that everyone who takes an interest in security or the mechanics of democratic elections raise the issues of privacy and security. His conclusion and advice for election officials in the U.S.: Voting online is a bad idea, and it simply can't be fixed in the foreseeable future. All the security problems of e-voting machines at polling stations apply directly to internet voting, too, which means that anyone on Earth can attack an online election.
"If my vote is insecure, everyone else who lives under that same government is harmed by that."
It is pretty obvious that electronic voting requires both anonymity (to remove fear of retributions) and accountability (to remove fraud).
About the only way to do that is to issue each person to have a pass-phrase coupled pair of electronic "vote cards" that is non-identifying. It would require the present of both cards and the pass-phrase to vote. If you lost one card, you can use the other (plus the pass phrase) to invalidate the lost card (and any recently casted votes.) If you lost both cards, you are SOL. No vote for you.
So, you just can't have a reliable electronic voting system.
Over the last few decades, American states have tried one thing after another to "make voting easier" in an attempt to increase participation (and, usually, to sway elections by increasing the number of voters aligned with one major party or the other). Two of the most significant have been the passage of "motor voter" laws (you can register to vote when you get or renew your driver's license) and "vote by mail". However none of these have really worked. People (like me) who are inclined to vote will do so, whether by mail or by traveling to an assigned polling place. The majority of American voters, though, simply don't seem engaged in the process.
I'd be all for e-voting with the right technology (secure and economical), but it's just about convenience for me. But I'll vote in any case - I have no illusions it'd increase participation.
#DeleteChrome
No, the problem (among many, many others, though I think this is the biggest) is that there's no way to provide a secret, anonymous ballot. With online voting, parties could reward those voting for them, or bosses could require that their employees vote for the "company party". Verification of a user's vote is as easy as making them log in and vote in your presence, on your computer. Hell, a company could just require that you hand over your login and vote for you. Outside of physical presence, how do you suggest these problems be worked around?
It's better to vote for what you want and not get it than to vote for what you don't want and get it.
- E. Debs
You did, in fact, miss a key step:
4. Profit.
That said I believe you have solved the /. riddle. Long after every other nerd that solved it previously went in to politics :)
---Up Up Down Down Left Right Left Right B A START
Well, what they do in Sweden for voting is still old-school paper ballots... in fact, to a former North American it is almost a bit scary as the political parties are allowed to hang around the polling stations handing out polling slips... yes, you use a specific polling slip for the party you want to vote for, and the well-organized and well-funded parties will sometimes send out the voting slips ahead of time! What they also have in Sweden is a national ID system - everyone has an ID number that is used for everything - taxes, healthcare, picking up packages from the post office - everything! And tied to that system are the major bank systems, many of which us a Bank-ID token which you load on your computer to allow online tax submissions, health insurance claims, parental leave (hello 480 days paid leave!), etc. The online part of the ID validation is based on either a single-use scratch bankcard or a keypad that you insert your bankcard into, which you enter a validation code, your PIN, and then it returns a validation code. So, my guess is that switching to e-voting in Sweden would be a breeze, and the security would definitely be strong. Now that I think about it, no idea really why there is no e-voting here yet - heck, you can file your taxes by SMS here!
sig? what sig? i didn't see any sig...
In my view an important property of any ballot is that the great majority of people must be able to understand the whole process. That's the only way for people to have confidence that there's a reasonable chance of detecting and preventing rigging. It also rules out pretty well any form of electronic voting. Internet security involves very serious maths that very few people can handle.
Around here we still write numbers in squares on pieces of paper and drop them in the ballot box. It works. The cost is tiny compared to the cost of government. I just can't see the advantages of more automation being worth the risk.
People might think it weird that an IT guy would have this luddite view but I think, on the contrary, I'm better placed than most to know what could go wrong.
Privacy is a huge issue here. Now if you have to go to a voting booth to vote your overbearing SO can't coerce you to vote one way or another. You have plausible deniability. That's kind of hard to do when they're standing behind you watching you vote from the family PC.
load "linux",8,1
Actually many jurisdictions make it extremely difficult for overseas military to vote with unrealistic deadlines for applying for the absentee ballot then mailing them out 10 days before the election and expecting to get them back by election day. 25 yrs in the service and I've seen many of the hassles that different jurisdictions use.
Your idea about flying the ballot to LA is a non-starter as the ballots need to get back to my home jurisdiction to be counted. They already fly the mail. The real difficulty is complying with all the deadlines that are different for each state.