Tag Archives: Voting system

The Price Of Democracy

An interesting essay by security guru Bruce Schneier (via the brianstorms weblog) on the economics of fixing an election. Put simply: how much is it worth to a party to fix an election, and so how much would they be willing to spend on doing it? Put another way, how much should the folk designing an electronic voting system assume will be spent on trying to get past the security software?

Bruce does the math and concludes “that affecting the balance of power in the House of Representatives is worth at least $100M to the party who would otherwise be losing. So when designing the security behind the software, one must assume an attacker with a $100M budget. Conclusion: The risks to electronic voting machine software are even greater than first appears.”

Scary stuff. Although much of the emphasis of such articles has been on how this might be done in established democracies (and there’s still plenty to worry about there), my worry is about how such voting systems may be exported to the developing world.

Internet Voting: A Minority Report?

A reader kindly pointed out this New York Times piece on the Internet voting story I posted yesterday, which highlights some other aspects of the case.

While four members of a panel asked to review the SERVE program — designed to allow Americans overseas to vote over the Net — said it was insecure and should be abandoned, the NYT quoted Accenture, the main contractor, as saying the researchers drew unwarranted conclusions about future plans for the voting project. “We are doing a small, controlled experiment,” Meg McLaughlin, president of Accenture eDemocracy Services, was quoted as saying.

Another side to this, pointed out by the Loose Wire reader: Accenture says that the four researchers were a minority voice, and that five of the six others ‘would not recommend shutting down the program’. One of the other outside reviewers, Ted Selker, a professor at the Massachusetts Institute of Technology, disagreed with the report, and was quoted by the NYT as saying it reflected the professional paranoia of security researchers. “That’s their job,” he said. In response, one of the four naysayers noted that they were the only members of the group who attended both of the three-day briefings about the system.

The reader also makes this observation: “One of their complaints is that the Internet is inherently unsafe, which may be true. I don’t believe that the US Postal Service (which is the current method for transmitting absentee ballots) is inherently safe either. Ever seen a bag of mail sitting in a building lobby waiting for pickup? I have.” Fair enough, but unless the bag contained ballots (something I have seen in, er, less security-conscious democracies), I don’t think it’s a fair comparison, since a few tampered or misdirected ballots would not undermine the integrity of the election.

The security compromises in SERVE are likely to be at the server level, where hackers could alter delivered votes, mimic voter activity, or prevent legitimate voters from casting their ballots. This could be done on a scale that would undermine the integrity of the election, or at least could be believed to do so. Remember: in an electronic election (where no parallel paper ballot is collected), a mere claim of large-scale tampering is enough to undermine confidence in the result.

My tuppence worth? Although the E stands for experiment, I don’t see SERVE as a ‘controlled experiment’. The NYT says the program will be introduced “in the next few weeks”, covers seven states, and could reach 100,000 people this year. That doesn’t sound like an experiment to me. Maybe I’m missing something here, but I don’t really see how you can conduct an experiment in a live voting environment. What happens if there’s a suggestion the system has been compromised, either during or after the vote? I always thought that voting systems were either approved, credible and acceptable, or not in public use. Of course it’s fine to have an ‘experiment’ where the only experimental part is, say, the user-facing aspects of the voting process. But security can surely never be part of an experiment in a live voting situation.

Security experts are paid to be skeptical. If they raise a warning flag as big as this, I think they should be listened to.

“Internet Voting Isn’t Safe”

The e-voting saga continues.

Four computer scientists say in a new report that a federally funded online absentee voting system scheduled to debut in less than two weeks “has security vulnerabilities that could jeopardize voter privacy and allow votes to be altered”. They say the risks associated with Internet voting cannot be eliminated and urge that the system be shut down.

The report’s authors are computer scientists David Wagner (University of California, Berkeley), Avi Rubin (The Johns Hopkins University) and David Jefferson (Lawrence Livermore National Laboratory), and Barbara Simons, a computer scientist and leading technology policy consultant. They are members of the Security Peer Review Group, an advisory group formed by the Federal Voting Assistance Program to evaluate a system called SERVE, set up to allow overseas Americans to vote in their home districts. The first tryout is scheduled for Feb. 3, South Carolina’s presidential primary.

The four say that “Internet voting presents far too many opportunities for hackers or even terrorists to interfere with fair and accurate voting, potentially in ways impossible to detect. Such tampering could alter election results, particularly in close contests.” They “recommend shutting down the development of SERVE and not attempting anything like it in the future until both the Internet and the world’s home computer infrastructure have been fundamentally redesigned, or some other unforeseen security breakthroughs appear.”

The authors of the report state that there is no way to plug the security vulnerabilities inherent in the SERVE online voting design. “The flaws are unsolvable because they are fundamental to the architecture of the Internet,” says Wagner, assistant professor of computer science at UC Berkeley. “Using a voting system based upon the Internet poses a serious and unacceptable risk for election fraud. It is simply not secure enough for something as serious as the election of a government official.”

In short, the guys are saying the Internet is just not up to handling something like voting. But they also point out that the SERVE program carries the same flaws as the Diebold and other commercial electronic voting systems that have gotten such bad press in recent weeks (some of the four authors have been in the forefront of exposing those weaknesses). “The SERVE system has all of the problems that electronic touchscreen voting systems have: secret software, no protection against insider fraud and lack of voter verifiability,” says Jefferson. “But it also has a host of additional security vulnerabilities associated with the PC and the Internet, including denial-of-service attacks, automated vote buying and selling, spoofing attacks and virus attacks.”

After studying the prototype system, the four researchers said it would be too easy for a hacker, located anywhere in the world, to disrupt an election or influence its outcome by employing any of several common types of attack that will be familiar to regular readers:

  • A denial-of-service attack, which would delay or prevent a voter from casting a ballot through the SERVE Web site.
  • A “Man in the Middle” or “spoofing” attack, in which a hacker would insert a phony Web page between the voter and the authentic server to prevent the vote from being counted or to alter the voter’s choice. What is particularly problematic, the authors say, is that victims of “spoofing” may never know that their votes were not counted.
  • Use of a virus or other malicious software on the voter’s computer to allow an outside party to monitor or modify a voter’s choices. The malicious software might then erase itself and never be detected.

Loose Wire: The State We Could Be in

By Jeremy Wagstaff
from the 28 March 2002 edition of the Far Eastern Economic Review, (c) 2003, Dow Jones & Company, Inc.

Voting in your underwear? Sounds an appealing proposition: the chance to exercise your constitutionally protected right without actually having to leave your home. You could be watching Frasier while working out which candidate you want to mess things up for you for the next three/four/25 years, based on criteria such as which one most closely resembles a Teletubby/Frasier’s brother Niles/your Aunt Maudlin.

Yes, the lure of Internet voting is coming around again. In May, soccer enthusiasts will be able to vote for their favourite players in the World Cup via a joint South Korean and Japanese project (mvp.worldcup2002.or.kr; the site is not fully functioning yet). This is just an on-line poll, of course, and doesn’t add much to the mix except to try to introduce a new social group (soccer fans) to the concept of on-line voting. Elsewhere, however, on-line voting is already kicking in: Some towns in Britain are undertaking pilot projects allowing voters to choose their local councillors via the Internet, or even via SMS, in borough elections in May.

I don’t want to be a killjoy, but this kind of thing gives me the heebie-jeebies. The arguments in favour of on-line voting make sense — faster counting, less human error, attracting younger, hipper voters with handphones and Internet connections in their hatbands, higher turnouts, you can vote in your underpants, etc., etc. — until you actually think about it. Computers, we’ve learned since we plugged one PC into another, are notoriously insecure. Viruses are now so sophisticated and prevalent that many security consultants advise their clients to update their anti-virus software every day. What are the chances of a voting system not being a juicy target for people writing these nasty little vermin programs?

Another argument wheeled out in favour of Internet voting is this: The Web is now managing billions of dollars of transactions successfully, so why can’t it handle voting? There’s a simple answer to this, as security consultant Bruce Schneier of Counterpane Internet Security (www.counterpane.com) explains: The whole point of voting is that it’s supposed to be anonymous, whereas any financial transaction has attached to it details of payer, payee and other important data. This makes it much, much harder to protect any voting system from fraud, much harder to detect any fraud and much harder to identify the guy conducting the fraud. What’s more, if there was evidence of fraud, what exactly do you do in an on-line vote? Revote? Reconduct part of the vote? Chances are that faith in the overall ballot has by then been seriously, if not fatally, undermined.

Some of these problems could be done away with via ATM-style machines that print out a record of the vote. That could then be used in any recount. But it’s still not enough: as on-line voting expert Rebecca Mercuri points out, there is no fully electronic system that can allow the voter to verify that the ballot cast exactly matches the vote he just made. Some nasty person could write code that makes the vote shown on the screen of a computer, or on an ATM-machine printout, different from the one actually recorded. This may all sound slightly wacky to people living in fully functioning democracies. But (political point coming up, cover your eyes if you prefer) democracies can be bent to politicians’ wills, and one country’s voting system may be more robust than another’s.

Scary stuff. Florida may seem a long way away now, but the lesson from that particular episode must be that any kind of voting system that isn’t simple and confidence-inspiring gives everyone stomach ulcers. The charming notion that the more automation you allow into a system, the more error-free and tamper-proof it becomes, is deeply misguided. The more electronics and automation you allow into the system, the less of a role election monitors can play.

Internet voting, or something like it, may well be the future. I’d like to see it wheeled out for less mission-critical issues, like polling for whether to introduce traffic-calming measures in the town centre, or compulsory kneecapping for spitters, say. But so long as computers remain fragile, untamed beasts that we don’t quite understand, I’d counsel against subjecting democracy to their whim. Even if I am in my underpants.