Title : Internet Voting: A Requiem for the Dream
Author : kerrnel
==Phrack Inc.==
Volume 0x0f, Issue 0x45, Phile #0x0b of 0x10
|=-----------------------------------------------------------------------=|
|=-------------=[ Internet Voting: A Requiem for the Dream ]=------------=|
|=-----------------------------------------------------------------------=|
|=------------------------------=[ kerrnel ]=----------------------------=|
|=------------------------=[ phrack@kerrnel.com ]=-----------------------=|
|=-----------------------------------------------------------------------=|
A! Fredome is a noble thing
Fredome mays man to haiff liking.
Fredome all solace to man giffis,
He levys at es that frely levys.
A noble hart may haiff nane es
Na ellys nocht that may him ples
Gyff fredome failyhe, for fre liking
Is yharnyt our all other thing.
Na he that ay has levyt fre
May nocht knaw weill the propyrte
The angyr na the wrechyt dome
That is couplyt to foule thyrldome,
Bot gyff he had assayit it.
- John Barbour, Brus Book I [26]
--[ Table of contents
1 - A Backstory
2 - Why Do People Want Internet Voting
3 - The Evolution of Counting Votes
4 - Where is Internet Voting Piloted and Used
5 - Other Problems of Being On the Internet
6 - End-to-End Verifiable Internet Voting Schemes
7 - Push Back
8 - But We Use The Internet for [Foo]
9 - Imagining a More Secure Internet Voting System
10 - Conclusion
11 - Acknowledgements
12 - References
--[ 1 - A Backstory
It's June of 2024 and a group of wealthy and powerful men are sitting in a
lounge room tucked away in the San Bernardino mountains, 80 miles east of
Los Angeles. Thick and acrid cigar smoke fills the room. But sickening to
me is the horrible stench of an entire nation's leadership being robbed.
The men chat and haggle over what candidate will be elected president,
senator, and so on.
The mess here in the U.S. was kickstarted 24 years ago in the 2000
election of Bush v. Gore. It took over a month to declare a winner
because of a dispute over vote counting in Florida. George Bush
eventually won Florida by 537 votes, or 0.009% [1]. There was a
tremendous amount of controversy over confusing ballots, errors with
punch cards, and recount anomalies.
In the aftermath, well meaning people called on computers to solve the
United States' voting issues. After all, computers have simplified all
other matters of life. But these people acted in a bit of arrogance; they
didn't understand the technology. They banked with the computer, chatted
with the computer, shopped with the computer, so surely it could be
trusted for voting as well. But they didn't understand the depths of
computer security problems, or why voting is fundamentally different than
all the other aforementioned tasks. Security experts, almost universally
against electronic voting, were dismissed as paranoid.
In response to public demand, Congress passed the Help America Vote Act
that sought to replace punchcard and lever voting machines [38]. And thus
it is that our elections are now decided by the whim of powerful groups
controlling the elections servers. This paper will dissect the problems
that plagued internet voting from the very beginning.
--[ 2 - Why Do People Want Internet Voting
Before taking any serious examination of the flaws inherent in internet
voting, the question must be asked, why do people want internet
voting? The answer is: 1) civic engagement, 2) money, 3) want of power,
and 4) technophilia.
Some activists believe internet voting will increase voter turnout and
thus cause higher civic engagement. That leads to the question, "Does
internet voting significantly increase turnout?" In 2002 some local
elections in the UK used an internet voting pilot, which led to a 3.5%
increase in voter participation [6]. It is, however, impossible to prove
that this was because of internet voting [6]. Even if the increase in
voter participation was 50%, increasing voter participation at the
expense of having trustworthy elections is not a wise scheme. In the
United States anyone can vote by mail, by sending in a form and mailing
back a ballot that is sent to them. If participating in democracy is not
important enough for someone to mail a piece of paper, should we really
be bending over backwards to extend democracy to them?
Money is an inherent problem in online voting because there is a lot of
money to be made in voting systems. In the United States, open source
solutions are often not adopted by the government. If Internet voting was
ever seriously put in legislation here, companies would spew all sorts of
exaggerations about the security of their systems to receive lucrative
contracts to develop the system. Also, in the case of electronic voting
machines, the companies long lobbied to keep their source code a
proprietary secret. That we entrusted the integrity of our democracy to
it was irrelevant to their patent attorneys [7].
There is also an argument that internet voting will save money on the
cost of running elections. While it might, it's not clear that the cost
of maintaining and developing the technology is actually cheaper than
using paper ballots. More importantly, the purpose of an election is not
to do it as cheaply as possible, but to have reliable results. It makes
no sense to undermine elections to save money.
Why those seeking power want in on internet voting is a longstanding
issue. Boss Tweed, the corrupt New York City politician estimated to have
stolen from $1 billion to $8 billion in 2010 dollars [8], said, "As long
as I get to count the votes, what are you going to do about it?" [35].
Controlling the elections officials counting the votes was (and still is)
one of the simplest ways to rig an election. This fraud is committed on
local scales, however, as in the United States it is thought to be
relatively impractical to rig a federal election county by county.
Of course, it could happen in the U.S., and certainly it has happened in
other countries. Consider the 2011 election in Russia, which was
reported to have numerous and severe irregularities on a national level
[39]. In Ghana as well there were complaints of widespread fraud
designed to rig their 2012 election [40].
Even in countries where this is possible to achieve, it takes a lot of
coordination and work to pull off, requiring loyal political machines (or
serious threat of violence). Internet voting, however, makes the fraud
much easier to commit as it is possible to attack single points of
failure -- a central counting server, or a piece of software running on
numerous precinct servers. Who wouldn't want to control the software
tallying the votes? At worst an entire country's results could be
manipulated, and even if each region or district had their own system,
groups could have a lot of influence controlling a regional election.
Finally, technophiles can be a driving factor behind internet voting.
These are people who just love having new technology for the sake of
having new technology. In fact, I myself am guilty of loving the latest
and greatest products. But in some cases, such as internet voting, we
ought to be careful to make sure that technology is really improving the
situation. So to the technophiles, even though I know they mean well, I
ask them to please be restrained and think about the consequences of
internet voting before we jump out of our seats for it.
--[ 3 - The Evolution of Counting Votes
Before the American Revolution, voting was generally conducted by voters
calling out their votes which a clerk recorded next to their name [2].
This made verification of vote counts very easy, but obviously introduced
a lot of opportunity for retaliation, vote buying, etc. By the time of the
American Revolution the Americans and French were exploring the use of the
secret ballot. The French constitution in 1795 mandated, "all elections
are carried on by secret ballot" [2].
Of course as voting by ballot began to catch on, so did ballot stuffing.
In 1856 a vigilance committee in San Francisco found a ballot box with a
false bottom trap that stored ballots. It would look empty upon
inspection before voting, and after the polls closed, the other ballots
could be secretly mixed in. Some of the first technology to combat these
tricks was quite simple: in 1858 Alan Cummings and Samuel Jollie both
patented transparent ballot boxes. The design was quite simple: a glass
globe in a wooden frame so that the ballots were always plainly in view
from the start of voting to the moment of tabulation. This same principle
is still used in many countries, although plastics have generally
replaced glass [41].
Twenty years before the advent of the glass ballot boxes, the People's
Charter of 1838 in Britain had already described a voting machine. I
strongly encourage the reader to have a look themselves at the image in
[42], but in it a brass ball was dropped into a hole, corresponding to a
candidate, which registered a vote on a dial.
In 1892 the Myers Automatic Voting Booth was first introduced in the
United States [43]. According to Douglas W. Jones of the University of
Iowa, in the 1890s these machines were on the cutting edge of technology,
with a tremendous number of moving parts. These machines did not provide
a voting record for each voter, but simply had a counter behind each
candidate which displayed their total number of votes.
Electoral fraud was of course already a big problem with these mechanisms,
and isn't a new concern with internet voting; my concern is just the
extent of it. In 1934 Joseph P. Harris published his report on voting
fraud in the United States [44]. He summarized types of fraud as such:
Registration frauds - Register dead, non-existent voters, etc. Votes are
then cast under the fake voters' names on election day.
Repeating - Persons go from precinct to precinct voting under the names of
these bogus voters, or even under the names of real voters.
Ballot box stuffing - Officers overseeing the election will stuff ballots
into the box. To avoid obvious counting issues, they will check off the
name of a no-show voter for each fraudulent ballot inserted.
Chain ballots - A marked official ballot is given to a voter in the
morning. The voter is to deposit the marked ballot and return the blank
ballot given to them at the polling station. They are paid once the blank
ballot is returned. This process continues all day. Harris notes a lack
of evidence that this was a common practice.
Assistance to voters - Voters may ask for assistance while casting their
ballot. This is an easy way to break voter secrecy and ensure people are
voting "the right way." They may ask for assistance willingly, or they may
be intimidated into doing so.
Intimidation and violence - Chicago, IL is a notoriously corrupt city.
Harris noted whole sections of the city being terrorized by "the gun play
of gangsters." Kidnapping had even been used to remove determined poll
watchers.
Altering ballots - If a voter fails to vote for all candidates, an
election officer can simply add marks for their preferred candidate.
Likewise excess marks can be added to disqualify a ballot voting for
unfavored candidates.
Substitution of ballots - Legitimate ballots may be discarded, and other
ballots substituted for them.
False count and false returns - It's well understood that it's much easier
to simply rig the counting of votes than to alter ballots. In some cases
ballots are not counted at all, and results are simply fabricated. Votes
can also be read and/or recorded incorrectly by various precinct workers.
Altering returns - The precinct returns can be altered by officials in the
election office.
Specific to lever voting machines one reported form of fraud is to break
the teeth of the gear for a specific candidate's counting mechanism. This
means that once during a cycle of the gear, a vote for that candidate is
not registered. In Philadelphia in 1978, there was an election to
determine if the mayor would be allowed to run for an additional term, as
he faced a term limit. During the elections, the machines failed,
curiously at high rates in districts that strongly opposed the mayor.
Unfortunately, a suitable report of why the machines failed was never
produced [2].
The next major technology change in voting came with the advent of the
punchcard. Punchcards themselves are just what they sound like -- cards
with perforated dimples that can be punched out to vote for a candidate.
However, as was seen in the 2000 United States presidential election, they
are susceptible to chads that are not fully pushed out, creating
controversy over how to count those. Around the same time, optical
scanning machines rose to popularity. With these machines, which many of
us have used for exams in our school days, the voter bubbles in their
choice with a pencil or pen.
The next piece of voting technology, which moved closer yet to internet
voting, was the direct recording electronic voting machine, or DRE. These
are computers in which people place their votes, which are then
electronically tabulated. These machines are certainly more efficient
than paper ballot counting, but are riddled with grave security issues
[47]. I would love to explore those issues further, however, the focus of
this paper is on internet voting.
--[ 4 - Where is Internet Voting Piloted and Used
Now that we understand why people want internet voting, and the history of
voting technology leading to this point, for this paper it's important
that we understand where internet voting is being used already, and what
we know about these systems. I begin with an example of Washington D.C.
because it is a rare case where the public was allowed to fully
penetration test the system in a mock election.
In 2010 Washington D.C. embarked on a pilot project to allow voters to
participate in local elections through an online voting system. In
September 2010, before collecting real votes, the Board of Elections
conducted a pilot test allowing any member of the general public to vote
and test the security of the system. Ultimately an attack by a team of
researchers from the University of Michigan caused them to cancel the
online voting initiative. The researchers were able to seize control of
the servers, unmask secret ballots, and alter the final election results.
The following information is a summary of what the Michigan team found
(please see [9] for a copy of their paper).
The system itself used a stack consisting of Ruby on Rails, Apache, and
MySQL. A front end web server received HTTPS requests from the voters and
then reverse-proxied them to the application server, which hosted the
software and stored the ballots. Multiple firewalls complicated attacks
by blocking outbound TCP connections. The University of Michigan
researchers noted that the intrusion detection system in front of the web
server did not decrypt the HTTPS connections carrying their attack.
To log in to the system the voter needs to use a voter ID number,
registered name, residence ZIP code, and 16-character hexadecimal PIN.
These credentials were sent out to voters in the mail.
The ballots themselves are PDF files, filled out by the user with a PDF
reader, and then uploaded to the server. To safeguard ballot secrecy, they
are encrypted with a public key issued by elections officials. When the
election ends they are transferred from the server to an offline machine,
holding the private key, where they are decrypted and counted. Think about
that -- they go through the trouble of keeping the ballot counting machine
offline but allow arbitrary PDF files to be opened on it. :>
Here are a few of the attacks that the Michigan team found. They stole the
public key, which despite the term public key should actually be kept
secret because it allows the application server to encrypt arbitrary
ballots to substitute real ballots. Once they stole the key, they indeed
used it to replace all of the previously cast ballots with forged ballots
that voted a ticket of their choosing. They then replaced the ballot
processing function with a modified function that would replace each
voted ballot with their forged ballot. This also broke the secret ballot
concept, as they used the new ballot processing function to track each
voter. And, an unencrypted copy of each ballot was stored in /tmp by the
PaperClip Rails plugin before encryption, so they could correlate the
file time to the logs and then match past ballots to voters. The database
credentials were located in the bash history file.
A 937 page PDF file containing all of the voters' login credentials was
even located on the server, sitting in /tmp. And these were the
credentials for the REAL election, not merely the pilot test. Had the
real election not been canceled they could have used those to vote as
actual citizens.
Of course once finished they cleaned up the logs and removed all of their
files from the application server's directories.
To mark their territory after completely infiltrating the online voting
system, they programmed the confirmation page to play the University of
Michigan fight song when each user cast a ballot.
Despite their musical calling card, it took officials in D.C. 36 hours to
detect the attack and stop the pilot (another test user asked on a mailing
list what song is played for a successful vote, raising their suspicions).
There are many other examples of internet voting in use. These are given
as examples of countries using internet voting and not necessarily
examples of it being broken, but I do take the liberty of pointing out
concerns that I may have.
Canada. Although not used in federal elections, there are municipalities
in Canada that allow internet voting. A demo of the Intelivote System is
available at [45], however it had known hiccups in recent elections. In
2010 the system was being used across Ontario and it crashed late in the
election [46]. The president of Intelivote Systems Inc. claimed it was
because of unexpectedly high user demand, combined with a hardware
failure. The company claimed "the integrity of the vote activity was not
compromised and (Intelivote) is confident in the official election
results" [46].
Very troubling, however, is that the company, in the statement I found,
did not report having any outside parties evaluate the system to verify
the integrity. Any company would certainly have financial incentive to
cover up a hacked election, although I have no evidence to suggest
InteliVote did any such thing. I simply raise the point. A more
reasonable, and less accusatory scenario, is that they themselves may not
have realized if they were hacked, or not have gone to enough length to
find out. The fact that these incentives exist means it is critical any
internet voting system is heavily audited by independent agencies.
New Jersey. On October 29th, 2012 Super-Storm Sandy battered the east
coast of the United States, with New Jersey being particularly hard hit.
The 2012 United States presidential election was held just a week later,
and many displaced residents needed a way to vote. The governor ordered
displaced citizens be allowed to vote by e-mail or fax [17][18]. Not only
does this break ballot secrecy -- your email address being tied to your
ballot -- but your ballot can be compromised with hacking techniques from
the early days of Phrack, rather than advanced attacks.
Although I have yet to see a detailed analysis of the results of the
e-mail voting in New Jersey, I have found reports of at least a few
issues [36]. Voters voting by e-mail are required to mail in a paper copy
of their ballot, however several county clerks, and the executive
director of the New Jersey Democratic Party, did not know this. Most
likely thousands of voters did not know either. The requirement of
mailing a separate paper ballot always raises the question that I don't
understand: why bother? If they actually count all of the paper ballots
that each person had to mail, the e-mail voting was just a nice song and
dance and actually did not make anything more convenient or cheaper. If
they do not verify all the paper ballots, there was no point in sending
one, and then the results are not trustworthy. This leaves a choice
between convenient or trustworthy, and in an election we should always go
for the trustworthy option (paper ballots).
Arizona. The 2000 Arizona Democratic Party presidential primary was the
first major election held over the internet [19]. For the non-Americans
out there (most of the world), the political parties in America have many
candidates who want to run for president under the party's name, and thus
they hold a primary election to pick their candidate. The private company,
Election.com, hired to run the election reported that there was no
hacking. This was a groundbreaking precedent for a major public election
to include internet voting.
United States. The United States allows deployed service members of the
military to vote online.
Estonia. The first country to use internet voting on a national basis was
Estonia in 2005. Estonians have a national ID which contains an embedded
digital certificate, which combined with an individual's PIN, can be used
to uniquely identify that individual. An individual needs a $7 smart card
reader, which will scan their digital certificate. The voting website can
then use this, combined with the PIN, to authenticate the individual
voting [20]. According to the PDF in [20] the ballots are secured and
kept secret through this process:
"A double-envelope scheme used for postal voting
in some countries guarantees the secrecy of the
vote. The voter's choice is encrypted by the
voting application (i.e. voter seals the choice
into an inner blank envelope) and then signs it
digitally (i.e. puts the inner envelope into
the outer one and writes his or her name and
address on it). The signed and encrypted votes
(outer envelopes) are collected to the central
site for checking and ensuring that only one
vote per voter is counted. Before counting,
digital signatures with personal data (outer
envelopes) are removed and anonymous encrypted
votes (inner envelopes) are entered into the
ballot box for counting. The scheme uses public
key cryptography"
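The double-envelope scheme quoted above, as an added example that is not code from the article or from the Estonian system. The names (alice, bob, carol, mallory), the candidate numbers and the five envelopes are constructed; textbook RSA with no padding is used only so the example runs on the standard library alone, and is not secure. The model also illustrates two points from the discussion: a forged inner envelope submitted from outside is rejected because it carries no valid voter signature (contrast the D.C. system, where the encryption key alone sufficed to mint acceptable ballots), and a random nonce inside the inner envelope keeps identical choices from producing identical ciphertexts, which would otherwise let anyone holding the outer envelopes group voters by choice. It also shows what the scheme does not cover: once the signatures are stripped, whoever controls the server holding the anonymous envelopes can still swap them, which is the D.C. failure mode.

```python
# Toy model of the double-envelope scheme quoted above: an added example, not
# code from the article or from Estonia's system. Textbook RSA (no padding, so
# NOT secure) is used only so the example runs on the standard library alone.
import hashlib
import math
import secrets
from collections import Counter

E = 65537  # public exponent for every key pair

def is_probable_prime(n, rounds=16):
    """Miller-Rabin test; adequate for a demonstration."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def keygen(bits=512):
    """Return ((n, e), (n, d)); n is wider than a SHA-256 digest."""
    def prime():
        while True:
            c = secrets.randbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if is_probable_prime(c):
                return c
    while True:
        p, q = prime(), prime()
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(E, phi) == 1:
            return (p * q, E), (p * q, pow(E, -1, phi))

def digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(priv, data):
    return pow(digest(data), priv[1], priv[0])

def verify(pub, data, sig):
    return pow(sig, pub[1], pub[0]) == digest(data)

def inner_envelope(election_pub, candidate):
    """Seal the choice with the election key. The random nonce keeps two
    equal choices from producing equal ciphertexts (see lead-in)."""
    n, e = election_pub
    return pow((candidate << 128) | secrets.randbits(128), e, n)

def outer_envelope(voter_id, voter_priv, ciphertext):
    """Sign the sealed vote; the voter's identity travels only in this layer."""
    body = f"{voter_id}:{ciphertext}".encode()
    return {"voter_id": voter_id, "ciphertext": ciphertext,
            "signature": sign(voter_priv, body)}

def collect(envelopes, registry):
    """Central site: verify each signature against the voter roll and keep one
    vote per voter (assumption: a later valid envelope replaces an earlier one)."""
    accepted, rejected = {}, []
    for env in envelopes:
        pub = registry.get(env["voter_id"])
        body = f'{env["voter_id"]}:{env["ciphertext"]}'.encode()
        if pub is None:
            rejected.append((env["voter_id"], "not on voter roll"))
        elif not verify(pub, body, env["signature"]):
            rejected.append((env["voter_id"], "bad signature"))
        else:
            accepted[env["voter_id"]] = env["ciphertext"]
    return accepted, rejected

def strip_outer(accepted):
    """Drop identities and shuffle, so order no longer points to a voter."""
    box = list(accepted.values())
    secrets.SystemRandom().shuffle(box)
    return box

def tally(box, election_priv):
    """Offline step: open the inner envelopes with the private key and count."""
    n, d = election_priv
    return Counter(pow(c, d, n) >> 128 for c in box)

def run_demo():
    """Constructed election: three voters on the roll plus one outsider key."""
    election_pub, election_priv = keygen()
    keys = {v: keygen() for v in ("alice", "bob", "carol")}
    registry = {v: pub for v, (pub, _) in keys.items()}
    _, outsider_priv = keygen()
    def env(voter, priv, choice):
        return outer_envelope(voter, priv, inner_envelope(election_pub, choice))
    envelopes = [env("alice", keys["alice"][1], 1),
                 env("bob", keys["bob"][1], 2),
                 env("bob", keys["bob"][1], 1),      # re-vote replaces the first
                 env("carol", outsider_priv, 2),     # forged: wrong signing key
                 env("mallory", outsider_priv, 2)]   # not on the voter roll
    accepted, rejected = collect(envelopes, registry)
    return tally(strip_outer(accepted), election_priv), rejected
```

Running run_demo() yields a tally of two votes for candidate 1 (alice's, and bob's re-vote) with carol's forged envelope and mallory's unregistered one rejected. The rule that a later envelope replaces an earlier one is this model's assumption; the quoted text only says one vote per voter is counted.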
So what do I think of this implementation of internet voting? A few
thoughts. First off, Estonia is rare in that all of its citizens have a
national ID card equipped with a smart chip inside. Even then a team of
observers from OSCE/ODIHR (Organization for Security and Cooperation in
Europe/Office for Democratic Institutions and Human Rights) found major
security issues with the 2007 election [2].
Among the issues, the project manager was able to push changes to the
voting software at will, meaning a version modified by insiders could
easily be put onto the server. Furthermore, a code review report was never
produced, and there is no policy in place dictating when internet votes
would be invalidated. I cannot stress this point enough, as it applies to
all countries: most internet voting advocates say, "Don't worry, if there
was fraud we could always invalidate the internet votes." But nobody smart
enough to hack a country's election will commit fraud in such an obvious
way that people will know to invalidate the votes. Rather they would
generate results that were statistically likely to happen and then hide
all traces of their activities.
Austria. In 2009, Austria used internet voting for the Federation of
Students' student union election according to the U.S. Election Assistance
Commission (EAC) [48]. Although Austria does not allow for the use of
internet voting in parliamentary elections, student union elections in
Austria are regulated by law, and were allowed to use internet voting.
Scytl, a European company, was selected as the software provider for the
election. For the election Austria used a national ID card, which had two
distinct PIN numbers that a voter had to use during the voting process.
They also needed a card reader for the national ID card.
Finland. Per the same EAC report, Finland allowed internet voting for
municipal elections in 2008 [48]. In Finland, kiosks at polling places
were used to access the internet voting application, rather than allowing
users to vote at home. Votes were encrypted and digitally signed by the
kiosk before transmission to the server. This election wound up having a
bug causing certain votes not to be counted, and thus had to be redone
anywhere where internet voting was used. As a result, they scrubbed the
pilot. As a note, the Finnish chose to use kiosks at the polling place
because they felt voting at home risked ballot secrecy and allowed the
bribery and intimidation of voters.
France. The EAC discussed internet voting being used in France dating back
to 2001 [49]. In 2001, Voisins-le-Bretonneux conducted an internet
voting pilot that used kiosks at the polling place like the Finnish did.
This was for municipal elections only. In 2009 the French Ministry of
Foreign Affairs set up internet voting for French citizens living overseas.
It was designed to make it easier for overseas voters to vote, and 310,000
French citizens used it. Scytl provided the technology along with Atos
Origin. The report says Opida, a security consulting company, audited the
election. Strangely I cannot find the existence of a company called Opida,
however there is a security consulting firm called Oppida located in
France so I assume this is the company in question [49].
Switzerland. In Switzerland, three of the 26 Swiss cantons have internet
voting as an option: Geneva, Neuchatel, and Zurich [49]. Since the three
all use different systems, I want to focus on Geneva's system. Geneva's
government owns and runs the system itself. Voters received a Voter
Card in the mail, which had the information needed to vote by internet,
mail, or in person. The voter used the information from this card to login
to the online voting system. They then selected choices on a ballot, and
saw a confirmation screen displaying all of their choices before casting
the ballot. Lastly, the voter needed to use a PIN code located on the
Voter Card to cast the ballot.
Interestingly the Geneva state council enforced the following 11
requirements for the election (taken verbatim from [49]):
1) Votes cannot be intercepted nor modified
2) Votes cannot be known before the ballot reading
3) Only registered voters will be able to vote
4) Each voter will have one and only one vote
5) Vote secrecy is guaranteed
6) The voting application will resist any DoS attack
7) Voters will be protected against identity theft
8) Number of cast votes = number of received ballots
9) It will be possible to prove that citizen X voted
10) The system will not accept votes outside the ballot opening
period
11) The system will be auditable
I find these requirements curious, as in theory it's not possible to meet
them in a computerized system. The issue is the use of terminology such
as "cannot" and "prove." For example, I assume where it says "votes
cannot be intercepted nor modified," SSL is used to encrypt the web
traffic. But of course SSL can be attacked, and thus votes can be
intercepted or modified.
The Swiss do use one really cool piece of technology in their voting
technology: quantum encryption [24][54]. The details of quantum encryption
are outside the scope of this article, but it uses photons of light to
send encrypted messages. It is based on the fact that the quantum state
of a particle cannot be observed without altering it permanently, so
eavesdroppers cannot read the photons without destroying the information
encoded in them. The Swiss use the quantum encryption technology to
transfer vote counts over fiber optic cable from a vote counting station
in the city, to a government data center in the suburbs of Geneva.
United Kingdom. According to the EAC report [48], the UK has conducted
over thirty internet voting pilots for local elections between 2002 and
2007. In a 2002 pilot, nine locations enabled internet voting pilots. The
Liverpool pilot was particularly interesting in that voters could vote
via SMS, as well as from their home computers. Liverpool's was run by
Election.com, the same company that ran Arizona's Democratic Primary in
2000.
In Liverpool, electors were mailed an information sheet with PINs,
passwords, candidate codes, the web address and instructions. Voters using
the internet voting went to the web-site and entered the PIN and password
specified in their information sheet. The voters then made their
selections and voted after confirming their choices. The vote was then
transmitted over the internet to Election.com's servers, where it was
tallied.
Voters using SMS to vote sent a text message that was formatted as such:
<PIN>
<PASSWORD>
<CANDIDATE NUMBER>
They then sent the message to a phone number specified in their
information sheet. Apparently each ward used a different phone number.
The voter then receives a confirmation text message, and the vote was
then sent to the same Election.com server as the internet votes. I have a
lot of concerns about voting via SMS. I am not very knowledgeable with
SMS protocols, but the information I have read indicates SMS messages are
encrypted with the broken A5 cipher and only between the phone and the
cell tower [50]. Furthermore, I know from firsthand experience how many
times I've tried to send a text and it doesn't show up until hours or
days later. Not a system I want casting my vote.
In Liverpool, for the 2002 pilot, the EAC reported that 59.4% of voters
voted in person, or by mail, 16.4% voted by internet, 17.4% by telephone,
and 6.7% by text message.
State of New South Wales. Can't forget the Aussies out there! The last
example I will pull from the EAC report [48] is the State of New South
Wales which allowed voting from home by internet and telephone in their
2011 state election. They called the system iVote. It was designed for
voters with disabilities (including legal blindness), illiterate voters,
and voters traveling or living 20km or more from their polling place.
Everyone Counts [51] was responsible for the core technology behind the
voting system. Voters registered to use the iVote system over the internet
or by calling an iVote operator. When they registered, voters specified a
six digit PIN. The voter then received an eight digit iVote number (which
was sent by email, mail, telephone, or text). In that trial, 2,259 voters
voted by phone and 44,605 voters voted by internet.
The government of New South Wales produced a post election report on the
election [52]. They commissioned PricewaterhouseCoopers (PwC), one of the
"big four" accounting firms, to generate the report. The report at [52]
claims they found that no tampering had occurred with the ballots. However
they say only that this information was gleaned from "cryptographic
integrity checks," which is not specific enough for me to draw any
conclusions. Consider the Helios example, presented later in the paper, as
proof that ensuring nothing was tampered with on the server side is
little evidence that the election was not rigged.
In the report they note that they tested the iVote system and made sure
the test results recorded matched the test votes cast for internet and
phone voting. However, a team of researchers at Princeton University wrote
malware for a Diebold Accuvote-TS machine which disabled itself during
test mode, and then completely wiped itself after the election leaving no
traces [53]. The same type of attack could work against an online voting
system such as iVote, although of course there is no evidence it has been
done... yet.
The PwC report also contains a list of incidents in Appendix C [52]. The
problems ranged from relatively harmless (voters were sent the wrong iVote
numbers and then given the correct iVote numbers and asked to vote again)
to grave. On March 23, 2011 there was an 8 minute outage of the iVote
system between 10:24 AM and 10:33 AM for which no cause was ever
identified. Not every outage in a system is a sign of foul play but in a
system which runs a state's election, I would like better answers than
"undetermined cause."
--[ 5 - Other Problems of Being On the Internet
Cyber warfare has become big business. For example, on March 20, 2013,
South Korean TV networks and banks were crippled in a cyber attack that
was ultimately blamed on North Korea [11]. The U.S. government seems
paranoid about cyberattacks originating in Iran and China [29]. While it
is difficult to know how much truth there is to individual claims about
who is attacking whom, I think we can all agree that there are certainly
aggressive attacks occurring between countries. If a national election
were being conducted by internet voting, a foreign country would have a
strong incentive to disrupt or control the election.
Another speculative but real threat would be a phishing and/or
misinformation attack. For example, in 2012, in Madison, Wisconsin, a U.S.
city, the Republican party sent a mailing to heavily democratic areas
giving them incorrect registration instructions [30]. It's not clear if
this was deliberate or an honest mistake, but it is suspicious, and you
could imagine sending e-mails to people that would cause them to go to the
wrong web-site to vote. It could be an identical look-alike of the real
election web-site and either throw their vote away, or even steal their
credentials and use them at the real voting web-site. This is speculative
and it's doubtful an entire election could be rigged this way, but such
tricks could deprive a certain percentage of voters of their voting
rights, and could even tip the balance in an extremely tight race.
It would also be possible to harvest credentials in the weeks before an
election by sending e-mails instructing voters to "enter their credentials
to verify their online voting account." Those credentials could then be
used to vote on election day. Like the misinformation attack, this would
have limited impact but could still affect a tight election and cause
confusion amongst the general population.
Another attack that has been used in real life against voting systems is
the browser rootkit attack, whereby one secretly installs a browser
extension that modifies the behavior of webpages. The Helios voting
system [32] is an open source internet voting system that is designed to
allow users to vote a secret ballot but still verify that the ballot was
received and tallied correctly (source code available at [33]). In other
words, it is a mathematically and cryptographically correct model of
internet voting. Helios uses client-side JavaScript extensively: the
ballot itself is stored client-side, and the Exponential ElGamal
encryption used [34] is implemented in JavaScript. Some of the
computationally intensive crypto procedures are implemented in Java,
requiring the JVM to be installed in the web browser. JavaScript and JVM... can one ask for a
better attack vector? :>
In the Helios system, candidates are allowed to provide a PDF file
(another fantastic attack vector) that explains their candidacy for
voters to view. So the scheme is probably clear at this point: exploit a
PDF vulnerability to install a malicious browser rootkit as an extension
(they picked Firefox but claim IE would have been just as easy to
attack), which is actually injected into an already installed extension
so the user does not notice a new extension being installed. The browser
rootkit spies on the user's web traffic, and swings into action whenever
the user visits the voting web-site. At that point it has full control
over what the client does and sees on their end of the voting system.
Researchers Saghar Estehghari and Yvo Desmedt implemented this attack
against Helios. Their complete report is available at [31].
In their case they have Alice running against Bart Preneel, and they want
Alice to win, so she uploads the rootkitted PDF. In this attack, only a
candidate or admin could carry it out because voters cannot upload their
own PDFs to the server.
With the rootkit installed, when a voter votes for Bart, the rootkit
changes the vote to Alice, but it modifies the confirmation page and
plaintext views of the ballot to show that Bart was voted for, fooling the voter. The last
issue is if the voter decides to verify the ballot, the system will show
the "Encryption doesn't match" message as the result. They fixed this by
changing the verification function to always output "Encryption is
verified," under all circumstances.
This attack could have been distributed through any means and attacked any
system. The point is that as long as every home computer is a potential
voting kiosk, it does not matter if the election server proves too
difficult to compromise. By hacking the user's browser to change votes
behind the scenes, the election can still be manipulated silently. Even a
properly designed voting system can be compromised because the voting
kiosk is not secure.
There exists another problem with the fact that every home computer is now
potentially a voting kiosk. Vote rigging through bribes or intimidation
will once again rise in popularity. This is currently hard to do because
people vote with a secret ballot, in a private booth. No thug can pay them
a bribe knowing that they actually voted for them, nor beat them knowing
that they voted for the wrong person (except for the "voter assistance"
ploy described earlier). With internet voting, you might simply watch
them vote, or host a "community voting event" at your house, to shake
everyone down.
As a reminder, why focus our scrutiny solely on the potential for outsider
attacks? As I quoted Boss Tweed earlier, as long as those in power
control the insiders counting the votes, they can seldom be stopped. Most
of us know the famous example from the movie "Office Space," where the
company's software is programmed to siphon tiny fractions of every
transaction into a bank account and it then goes horribly wrong. But it
would not be hard at all for some of the programmers of the voting
software to sneak in some code to alter the election (consider the
Estonia incident where the project manager could push changes to the
server at will).
--[ 6 - End-to-End Verifiable Internet Voting Schemes
A cryptographically verifiable voting scheme, Helios, has already been
mentioned in this paper. These schemes try to compensate for the problems
that come with voting over a network composed of untrusted and often
compromised components. However, it was demonstrated that a browser
rootkit successfully undermines the voting scheme. There are other
systems which go a step further by using specialized printers to produce
physical, cryptographically signed receipts. These schemes are closer
to a DRE machine, since they require the voters to go to a voting
location with specialized equipment, but I want to address the schemes
because they could presumably be networked to the internet to facilitate
vote aggregation and counting, and because they use internet bulletin
boards to post the proof that the ballots were correctly counted.
One of the best known of these schemes is David Chaum's "Secret Ballot
Receipts: True Voter-Verifiable Elections" scheme [60]. The detailed
cryptography of the scheme is outside of the scope of this paper, but
interested readers should read both Chaum's paper [60], and a
vulnerability analysis of the scheme conducted by Chris Karlof et al.
[61], which identifies key flaws.
In Chaum's scheme, voters receive a physical receipt of their ballot,
which consists of two separately laminated layers. Put together, the
layers make up a human readable image of the ballot. But each individual
half, alone, appears to be nothing but random black and white pixels.
After the machine prints the receipt, the voter tells the machine which
half they will keep as their proof (this must be done after the machine
has printed the receipt), and shreds the other half at the polling
location. Later, cryptographic material embedded in the layer can be used
by election trustees to tabulate the ballot, and voters can verify that
their vote was counted correctly by locating their receipt on the public
bulletin board.
I am not aware of any proofs that the cryptographic scheme used by Chaum
is flawed. However, as Karlof et al. point out, these voting schemes are
implemented on systems with a very wide scope, and there are many
opportunities for flaws in the systems themselves, as well as human
error. The social engineering attacks they present are interesting.
Ordinary citizens do not understand cryptography to enough depth to
generally notice even a very minor alteration in the cryptographic
protocol. For example, if the machine asks the voter which portion of the
receipt the voter wishes to retain (top or bottom) before printing the
signed receipt, the machine can construct the two receipts to decrypt to
an arbitrary ballot of the attacker's choosing (see [61] for an
explanation of why that is).
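To make the ordering point concrete, here is a simplified two-layer receipt model as an added example (not Chaum's construction and not Karlof et al.'s code): the SHA-256 pad, the even/odd pixel ownership, the seeds and the 8-bit ballot are all toy assumptions. An honest machine prints layers that stack to the ballot and that trustees can decrypt from either layer alone; a machine told in advance which layer will be kept can tune the layer that gets shredded so the voter sees the right overlay while the kept layer decrypts to something else, which is why the voter's choice has to come after printing.

```python
import hashlib

BITS = 8            # ballot image bits (constructed toy size)
PIXELS = 2 * BITS   # every ballot bit is printed at two pixel positions

def pad(seed: bytes) -> list:
    """Pseudorandom pixel pad from a committed seed (SHA-256 as a toy PRF)."""
    d = hashlib.sha256(seed).digest()
    return [(d[i // 8] >> (i % 8)) & 1 for i in range(PIXELS)]

def owner(i: int) -> str:
    """Even pixels are pure pad on the top layer, odd pixels on the bottom."""
    return "top" if i % 2 == 0 else "bottom"

def other(layer: str) -> str:
    return "bottom" if layer == "top" else "top"

def expand(ballot: list) -> list:
    """The ballot image as the voter expects to see it across all pixels."""
    return [ballot[i // 2] for i in range(PIXELS)]

def honest_layers(ballot: list, seeds: dict) -> dict:
    """Stacking (XOR) the layers shows the ballot; each layer alone looks
    random, yet trustees who can open the seeds decrypt either one."""
    pads = {k: pad(v) for k, v in seeds.items()}
    layers = {"top": [0] * PIXELS, "bottom": [0] * PIXELS}
    for i in range(PIXELS):
        own = owner(i)
        layers[own][i] = pads[own][i]                          # pad pixel
        layers[other(own)][i] = ballot[i // 2] ^ pads[own][i]  # ballot pixel
    return layers

def rigged_layers(voter_ballot, attacker_ballot, seeds, kept) -> dict:
    """A machine that learned which layer is `kept` BEFORE printing: the kept
    layer is honest for the attacker's ballot, and the layer that will be
    shredded is tuned so the overlay still shows what the voter marked."""
    layers = honest_layers(attacker_ballot, seeds)
    shown = expand(voter_ballot)
    layers[other(kept)] = [layers[kept][i] ^ shown[i] for i in range(PIXELS)]
    return layers

def overlay(layers: dict) -> list:
    """What the voter sees with the two laminated layers stacked."""
    return [layers["top"][i] ^ layers["bottom"][i] for i in range(PIXELS)]

def trustees_decrypt(kept: str, layer: list, seeds: dict):
    """Trustees open both seeds, check that the kept layer's own pad pixels
    match its seed, and recover the ballot from the remaining pixels."""
    pads = {k: pad(v) for k, v in seeds.items()}
    consistent = all(layer[i] == pads[kept][i]
                     for i in range(PIXELS) if owner(i) == kept)
    oth = other(kept)
    ballot = [layer[i] ^ pads[oth][i] for i in range(PIXELS) if owner(i) == oth]
    return consistent, ballot

if __name__ == "__main__":
    seeds = {"top": b"seed-top", "bottom": b"seed-bottom"}  # constructed
    voter, attacker = [1, 0, 1, 1, 0, 0, 1, 0], [0, 1, 0, 0, 1, 1, 0, 1]
    h = honest_layers(voter, seeds)
    assert overlay(h) == expand(voter)
    assert trustees_decrypt("top", h["top"], seeds) == (True, voter)
    # Voter announces "I'll keep the top" before printing: the overlay is
    # right, the kept layer passes the trustees' check, and the tally says
    # 'attacker'. Had the voter kept the bottom, the check would fail.
    r = rigged_layers(voter, attacker, seeds, "top")
    assert overlay(r) == expand(voter)
    assert trustees_decrypt("top", r["top"], seeds) == (True, attacker)
    assert trustees_decrypt("bottom", r["bottom"], seeds)[0] is False
    print("ok")
```

The one safeguard in this model is procedural: when the machine has to print both layers before it learns which one survives, a tuned layer is kept half the time and fails the trustees' consistency check.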
This is exactly my problem with such schemes. As I explain in the
conclusion, one of the central tenets of democratic elections is that
ordinary citizens see and understand the voting process, and have faith
in the results. Ordinary citizens, including myself, do not understand
these schemes to the appropriate depth to monitor the election and have
faith in and understanding of the process. Worse yet, no matter how sound
the math behind the crypto is, the implementation of the crypto
primitives must be absolutely correct. A nation state could easily detect
and take advantage of the most subtle statistical flaws in the
pseudorandom number generation, for example (that is if they had not
already backdoored the key generating hardware used in the election).
Ordinary citizens can watch voters put their ballots into boxes and then
later watch the ballots be removed and counted. Ordinary citizens can see
someone take all the ballot boxes into a secret backroom and later emerge
with them. Ordinary citizens, including myself, cannot look at a
cryptographically signed receipt and say, "Ah, the random number
generation is flawed!" Thus a complicated cryptographic scheme, not well
understood by the general population, is not the way to build trust in
democratic elections.
--[ 7 - Push Back
Despite the number of countries adopting internet voting pilots, there has
also been backlash against electronic voting in general in certain
countries.
In 2007 the Dutch banned the use of their Nedap voting machines [58],
citing the lack of a paper trail. In addition, in 2009 Ireland abandoned
its e-voting initiative, citing high cost as well as a lack of trust in
the computers' ability to securely tabulate an election [57].
I find Germany's 2009 ban of electronic voting machines the most
interesting however, as many of the German Federal Constitutional Court's
findings coincide with my criticisms of internet voting (note: Germany
banned *electronic* voting machines, not internet voting, but it is still
related).
The German court found that the machines were unconstitutional because the
average citizen could not be expected to understand what the machine was
doing when it tabulated the results (it's a "black box"). In addition,
they considered that in a traditional voting system manipulations and
fraud are far more difficult to execute and carry a significant chance of
detection. However, a bug or deliberate fraud inserted into voting
software would be easy to place and difficult to detect [59].
--[ 8 - But We Use The Internet for [Foo]
One of the common fallacies to support internet voting is that if the
internet is used for other important activities, such as banking and
commerce, why can't it be trusted for voting? The two main answers are
that online banking is not secret, and that banking fraud can be papered
over with money.
Suppose I go online and send $1,000 to my landlord for rent. The landlord
will see that I sent $1,000, I will see that my account had $1,000
deducted, and the bank will have records of these transactions. I can call
the landlord and confirm that he received the money. If he lied and
claimed he didn't, the bank would still have records of it and so I could
prove that he was paid. If somehow the transaction went badly and the
landlord was paid $2,000, I would see this on my statement and could
demand the money back because my lease dictates the landlord is owed only
$1,000. But with voting, because ballots are secret, this type of
verification would never work. I know I sent a ballot, but I do not know
that it was counted towards whomever I wanted to vote for. I don't even
know that it was counted at all. If this were the landlord example, I
would see that a mystery amount was deducted from my account, have no
idea what my current balance is, and have no way of knowing that the
landlord received the money, with neither him nor the bank having records of it.
The other issue is the notion of papering over fraud. When a business
evaluates a piece of technology, the basic question is if the amount of
money saved using the technology outweighs whatever the technology will
cost. The increase in fraud caused by online banking is definitely a cost
of online banking, but it saves banks and consumers so much time and
money, that it makes sense to paper over the problem. That is, when money
is stolen from people's accounts, the banks are willing to just put the
money back in and take the loss, because they still save money. But this
does not work with voting. You cannot paper over a stolen election -- the
election is rigged and the entire country's confidence is ruined (if
anybody even notices that there was fraud).
In e-commerce it is not uncommon at all to allow a spouse or child to use
your credentials to make a purchase. However, it is generally illegal to
allow someone else to vote with your name and ballot. But with internet
voting it is impossible to know when this is happening. Imagine a Silk
Road [15] website being set up for the purpose of selling voting
credentials in exchange for Bitcoins.
--[ 9 - Imagining a More Secure Internet Voting System
The book, Broken Ballots [2], mentions that in 1875 Henry Spratt of
England was granted a U.S. patent on a voting machine. The patent, U.S.
Patent 158,652, claims that it allows "balloting (that is, voting
secretly) without the aid of balls, tickets, passes, letters, figures,
official stamps, or ballot-boxes; second, absolute secrecy, it being
impossible to discover for whom the voter has voted; third, while secrecy
is obtained, all parties, pro and con, can be satisfied the voter has
voted; fourth, at the close of the poll the result of the voting can be
instantly made known; fifth, a complete check as to the numbers voted,
preventing any tampering with the apparatus."
This claim is noteworthy because it remains the central tenet that voting
technology still tries to satisfy. Of course, we now know that even 140-some
years later, we have not been able to solve this problem.
Matt Bishop describes the properties academia would say an e-voting system
must meet [56], and I've listed the ones I find relevant to this article:
1) The e-voting system must not be able to associate votes with a
particular voter
2) The e-voting system must prevent a voter from casting more than a
particular number of votes in a race, or one vote per ballot
3) The voter must be able to verify the votes on the ballot at any
time until the vote is cast
4) The e-voting system must tally the votes accurately. Votes must not
be intentionally or accidentally mis-recorded.
5) It must be possible to conduct an audit on the reported vote tally,
using an out-of-band mechanism. A recount cannot be conducted by
recounting votes on the server because a server with a bug will
produce a bad recount as well.
I would add a sixth requirement:
6) Trust. The general population must be able to trust that votes, or
the count, were not modified at any point in the counting process.
So the question is, could we design a system to meet all of these
requirements? As we saw in the Helios example, there are certainly
mathematical models that can do it. But our computers are so full of areas
to exploit that it's not feasible to do given what we currently know about
designing secure computer systems, and I hope the examples I have provided
have convinced you of this fact.
--[ 10 - Conclusion
This article has spent some time discussing internet voting in usage, as
well as its technical shortcomings. But I would like to end on a brief
discussion of the sociology behind democracy. I believe the following:
1. Internet voting is not compatible with democracy
2. No amount of technology can change this
3. Whom you voted for ought to be secret
4. Who voted should not be secret -- it should be known as widely
as possible
5. And who counts the votes, and how, certainly ought not be secret
As I mentioned before, in 1856 a vigilance committee in San Francisco
first found a ballot box with a false bottom, allowing ballots to be
hidden in it and then secretly mixed in with the real ballots before
counting. Ever since, people have been trying to counter voter fraud with
technology [2].
Democracy is somewhat miraculous compared to previous forms of government
in that power is transferred smoothly and without violence, even between
opposing factions. This is because people accept that whoever receives
the most votes has a legitimate claim to authority. If people do not
believe that the votes are legitimate, then they do not believe that the
ruler has legitimate authority, and thus social chaos could ensue.
Further complicating the matter is that votes must be secret, or citizens
can be coerced into voting for certain interests (or willingly bribed).
Because I cannot look into a database and see that a vote from myself was
recorded for candidate Bob in some election, I must inherently trust the
ballot counting process. This means I trust that the organization tallying
the votes (the government) successfully overcomes outside interests
wanting to rig the outcome.
For hundreds of years we have used paper ballots to tally our elections.
Paper ballots are far from perfect, and indeed we have seen instances of
fraud on local scales. However, paper ballots do not have a single failure
point where an entire country's election could be so efficiently
compromised, especially in countries not known for having systemic
corruption. Precinct workers verify who is actually coming to vote and
mark their name as having voted (in many towns the precinct workers will
recognize many of the voters). The ballots are then counted by people, in
front of other people, in each precinct. These results are then
aggregated by district, state, etc. It is a distributed, fault-tolerant
system, which relies on human beings' faith in a process run by other
humans that they can monitor and understand.
With internet voting, a simple software bug could affect entire precincts,
regions, or countries and be quite difficult to detect. A maliciously
inserted bug, designed to manipulate an election, could slip through just
as easily and have the same effects. It is very difficult for humans to
know exactly what a computer is doing, especially when every computer on
the internet is a potential voting kiosk.
Thus internet voting is not a case of technology bringing democracy up to
date. It is a case of technology undermining confidence in a process that
must be trusted for elected governments to succeed. I'm one voter who is
happy to keep casting paper ballots.
--[ 11 - Acknowledgements
Much thanks to Twiga for her time and priceless advice in shaping this
paper. daw provided great insight and background reading on end-to-end
verifiable internet voting.
--[ 12 - References
[1] http://en.wikipedia.org/wiki/United_States_
presidential_election_in_Florida,_2000
[2] Broken Ballots: Will Your Vote Count?
Douglas W. Jones & Barbara Simons. 2012.
[6] http://www.emeraldinsight.com/journals.htm?articleid=863987
[7] http://www.cbsnews.com/8301-505124_162-57545531/o
hio-faces-controversy-over-voting-machines/
[8] http://en.wikipedia.org/wiki/William_M._Tweed
[9] https://jhalderm.com/pub/papers/dcvoting-fc12.pdf
[11] http://www.zdnet.com/probe-says-north-korea-behind-south-
korean-hack-7000013784/
[15] http://en.wikipedia.org/wiki/Silk_Road_(marketplace)
[17] http://allthingsd.com/20121105/after-sandy-new-jersey-becomes-an-
unwilling-test-case-for-internet-voting/
[18] http://www.njelections.org/2012-results/directive-email-voting.pdf
[19] http://en.wikipedia.org/wiki/Electronic_voting_examples
#2000_Arizona_Democratic_presidential_primary_Internet_election
[20] http://www.vvk.ee/public/dok/Internet_Voting_in_Estonia.pdf
[21] http://www.cse.wustl.edu/~jain/cse571-07/ftp/ballots.pdf
[26] http://www.poemhunter.com/poem/the-brus-book-i/
[29] http://online.wsj.com/article/
SB10001424127887324345804578424741315433114.html
[30] "Election Board Warns About Confusing Mailers."
http://www.channel3000.com/news/Elections-board-warns-
about-confusing-mailers/-/1648/16903214/-/2jq57j/-/index.html
[31] http://static.usenix.org/event/evtwote10/tech/full_papers/
Estehghari.pdf
[32] http://heliosvoting.org/
[33] https://github.com/benadida/helios-server
[34] http://www.win.tue.nl/~berry/papers/euro97.pdf
[35] https://www.schneier.com/essay-101.html
[36] http://www.politico.com/news/stories/1112/84202.html
[38] http://en.wikipedia.org/wiki/Help_America_Vote_Act
[39] http://en.wikipedia.org/wiki/Russian_legislative_election,_2011
#Electoral_irregularities_and_assessment
[40] http://www.bbc.co.uk/news/world-africa-20660228
[41] http://en.wikipedia.org/wiki/Ballot_box
[42] http://www.bl.uk/onlinegallery/takingliberties/staritems/
159peoplescharterpic.html
[43] http://homepage.cs.uiowa.edu/~jones/voting/pictures/
[44] http://www.nist.gov/itl/vote/upload/chapter9.pdf
[45] http://demo.intelivote.com/WEBDEMO/
[46] http://www.recorder.ca/2010/10/27/
technical-snags-wont-be-repeated-intelivote
[47] http://en.wikipedia.org/wiki/DRE_voting_machine
[48] A Survey of Internet Voting:
http://www.eac.gov/assets/1/Documents/SIV-FINAL.pdf
[49] http://www.systematic-paris-region.org/en/members/oppida
[50] https://en.wikipedia.org/wiki/Short_Message_Service
[51] http://www.everyonecounts.com
[52] http://www.elections.nsw.gov.au/__data/assets/pdf_file/
0007/93481/iVote_Audit_report_PIR_Final.pdf
[53] http://www.youtube.com/watch?v=ZVWIOwSkMew
[54] http://spectrum.ieee.org/computing/networks/
geneva-vote-will-use-quantum-cryptography
[56] Bishop, Matt. "An Overview of Electronic Voting and Security."
Department of Computer Science. University of California, Davis.
[57] http://www.thedailybeast.com/newsweek/2009/05/23/
we-do-not-trust-machines.html
[58] http://www.theregister.co.uk/2007/10/01/dutch_pull_plug_on_evoting/
[59] http://www.edri.org/edri-gram/number7.5/no-evoting-germany
[60] http://citeseerx.ist.psu.edu/viewdoc/
download?doi=10.1.1.71.9418&rep=rep1&type=pdf
[61] http://naveen.ksastry.com/papers/cryptovoting-usenix05.pdf
--[ EOF