Rothke - Dont Stop The Handcount A Few Problems With Internet Voting


Don't Stop the Handcount - A Few Problems with Internet Voting.

Ben Rothke looks at the security issues about Internet voting.

From the CSI Journal


INFORMATION WARFARE

Don’t Stop the Handcount: A Few Problems with Internet Voting

by Ben Rothke, CISSP

Computer Security Journal • Volume XVII, Number 2, 2001

Every day, millions of people use the Internet to access their bank accounts, pay income tax, order books and send e-mail. Internet kiosks are appearing in stores, airplanes, hospitals and subway stations. Given the ubiquitous nature of the Internet, why can’t we use it to vote for our elected officials?

To those detached from the realms of election law, computer security and personal privacy, the act of ordering a book from Amazon and placing a vote would seem to be related. In reality, the two acts are radically different. The demands that a national Internet-based election require are impossible to attain with our current infrastructure. This article will focus on those problems.

Benefits

To be sure, there would be some benefits to Internet-based elections:

❏ Convenience, which leads to an increased voter turnout: Convenience is one of the most compelling arguments in favor of Internet voting. USA Today technology columnist Kevin Maney equated traveling to a voting booth in order to participate in an election to being forced to go to the Post Office in order to send e-mail. Over 100 million people who were eligible to vote did not do so during Election 2000. In 1998 the turnout rate for the general election in the United States was only 44.9 percent, ranking 138th in a list of 170 Democratic nations.
❏ Knowledge: Voters often have little or no significant information available to them about the candidates or issues that are on the ballot. Internet voting would allow officially approved information on each candidate to be readily available to the voter.
❏ Efficiency: Internet voting is arguably the quickest and most efficient way to administer elections and count votes.
❏ Access: Able to vote from home, office or gym, voters will no longer have to worry about leaving work early, getting caught in traffic jams, etc. Ease of access will also directly contribute to an increased voter turnout.
❏ Regional voting centers: A voter could utilize any polling site within their immediate geographic area because all ballots would be available at any site via the Internet. Currently, a voter’s ballot can only be found at the poll site in their locale. This would eliminate any problems with the so-called digital divide.

Internet voting—Solution or snake oil?

Out of the ashes of the Florida voting debacle came the battle cry of “Let’s use the Internet to run future elections and make them efficient”. This reckless reaction to use the Internet for national elections is myopic, in that it focuses solely on the tabulation issues,
while ignoring other difficulties that Internet-based elections simply can’t ameliorate.

There are serious problems with the current voting infrastructure. Inefficiency, inaccuracy, antiquated voting machines and fraud are but a few of the acute problems. Those that feel a national Internet-based election is feasible are either in denial about Internet and security realities or have some financial incentive in an Internet voting scheme.

The excitement of the idea of voting from the comfort of our home should not blind us to the reality that the Internet is hardly a secure environment. Just as physical voting systems are vulnerable to attacks, so too are Internet systems vulnerable to viruses, denial of service and many other types of attacks. The quandary with Internet-based voting as opposed to traditional voting is that the Internet attacks are much easier to perform, more detrimental in their outcome, and much harder to detect.

Bruce Schneier writes in Applied Cryptography (John Wiley & Sons ISBN: 0471117099) that computerized voting protocols must maintain an individual’s privacy and prevent cheating. The ideal protocol has, at the very least, the following six requirements:

❏ Only authorized voters can vote
❏ No one can vote more than once
❏ No one can determine for whom anyone else voted
❏ No one can duplicate anyone else’s vote (This turns out to be the hardest requirement)
❏ No one can change anyone else’s vote without being discovered.
❏ Every voter can make sure that their vote has been taken into account in the final tabulation

As we will see, no current Internet-based voting scheme is able to provide all six criteria.

The Reality About Internet Elections

While there are benefits to Internet voting, the security risks offset any benefit. Three areas that currently are substandard are:

❏ Infrastructure
❏ Authentication
❏ Voting software

Let’s examine each one.

Infrastructure

Internet voting requires an infrastructure where 200 million people could vote on a single day. Never in the history of information systems has such a large-scale project been undertaken. This national voting system would have to incorporate the registering of voters, ballot preparation, election processing, tabulation and more. The sheer size of this project requires a colossal amount of design, testing, money, manpower and time.

Just because we have this thing called “the Internet” in no way means that it can support the load of a national election. On Election night 2000, news sites such as were flooded by users. The sites were unable to support the amount of users requesting information. Rolling-out a national voting network is the technological equivalent of building the New York World Trade Center, yet all of the Internet-voting evangelists are only building backyard shacks.

Let’s go to the numbers—103,814,206 votes were cast in Election 2000¹. Nationally, the polls were open for a combined total of roughly 18 hours. Using these numbers², the voting system would have to process an average of 5.75 million votes per hour, or close to 100,000 votes per minute³. While 100,000 votes per minute is an average, there will be peak periods where many more votes would have to be processed. By comparison, the STAR electronic funds transfer network makes roughly 2.4 billion ATM/POS transactions per year⁴. This is approximately 6,575,000 transactions per day.

A Help Desk will also have to be deployed. If 5% (a conservative number) of the voters would have problems on election day, over 5 million help desk calls would have to be handled. That translates into roughly 275,000 calls per hour or 4,629 calls per
minute. That would require an enormous help desk staff, in addition to a huge PBX to support the load.

Can such an infrastructure be built? Perhaps—but is the government willing to spend the money necessary to develop it? According to Doug Lewis, executive director of the Election Center, “the price tag nationwide could run to about $6.5 billion”. Washington is unlikely to come up with those types of funds for an unproven technology in a time of desired tax cuts.

Some have stated that since the difficulties in designing a voting infrastructure are so immense, we should just use the ATM network for voting. Regrettably, we can’t just add Internet voting to the ATM networks for a variety of reasons. The Electronic Funds Transfer Network (EFTN) vendors have invested huge amounts of money in secure data processing centers to ensure their customers have fast, reliable, secure access to their accounts.

The EFTN is a closed network, as opposed to the public Internet. Would the various EFTN members open their networks a few times a year for elections? Almost certainly not. First, this would require buy-in from many EFTN members, as not all networks have national coverage. But more importantly, using an ATM for voting may not even be feasible as many ATMs are made solely for money transfer and deposits. There is no way that a voting application could be loaded onto the ATM.

Many of the e-voting vendors have voting applications but have no clue on how they are going to make Internet voting work. Perhaps they should learn from those in the construction industry: don’t build until you have a workable design and obtained the necessary permits.

Authentication

Authentication is a pillar of information security and the Achilles heel of many networks. Authentication on Windows NT/2000, NetWare and Unix is facilitated via the username/password scheme. A reality check on this scheme can be found by using tools such as the L0phtCrack password-auditing tool or Brutus (www.hoo-). They can discover many passwords on a host in a few minutes, and all of them given enough time.

If corporate America can’t effectively authenticate their users, how can an Internet election expect to securely and effectively authenticate millions of users? While the current system is ripe for abuse, it is still good enough given the difficulty in making illegal votes.

Since there is little (if any) cross-checking between voting precincts, a rogue voter could register in a number of municipalities and vote numerous times. While plausible, society tolerates it given the facts that: people are generally honest, we don’t have the resources to fight it, combined with the difficulty of voting more than once. Even if a person could get to a new polling place every 15 minutes, they could cast at most 47 illegal votes. Finally, we have to tolerate a certain amount of fraud because there is no alternative.

But when we move the election from the physical world to the digital world, physical limitations no longer apply. A rogue Internet voter would not need to race between polling places, he only needs to run his malicious Java applet, and is no longer limited to 47 measly illegal votes, he can now vote thousands of times. The challenge here is for the attacker to figure out how many votes are needed to win, and only go over it by a small amount in order not to arouse suspicion.

Voting Software

Assuming the network infrastructure is in place for a national election, software still must be written to enable the voting. Writing software that can be used by over 100 million users on a single day, in both a scalable and secure manner, is a daunting task. Such a task has never been attempted, let alone realized.

One of the problems with the Florida election was the notorious butterfly ballot. Many have stated that the perplexity of such a confusing ballot would not have happened if computerized voting had been implemented. Whoever would make such a claim has evidently not been involved with software applications development.

Designing an application that has a front-end GUI, which is easily usable for a computer novice, is not a
simple endeavor. This is discussed at length in About Face: The Essentials of User Interface Design by Alan Cooper (IDG Books 1995 ISBN 1568843224). Cooper describes how many software applications are poorly designed. Software designed and written by engineers is often not usable to those without an engineering background. Cooper shows how applications developers can build GUIs that (to use Cooper’s words) don’t make the user look stupid.

Let’s assume that we have a GUI that is intuitive and easy to use. What about its security? Can it be tampered with? Is it built according to open standards? Has the application been reviewed by a group of third-party security experts?

As to the security of voting software, it is surprising how many Internet voting companies lack deep knowledge of security. Using as an example, the company calls itself “the world’s premier Internet voting, testing, survey & polling system”. As to the question of how secure the iBallot system is, they state⁵:

uses a number of security and encryption features that, when combined, provide a very high level of security throughout the entire voting process. The details of this process are proprietary, for obvious reasons. It does not make a great deal of sense to disclose how the iBallot security system works only to have a hacker come into the system, read about the system’s security, defeat the security and tamper with the voting process. For this reason, does not publish its security processes. However, with the foregoing being said, the system does employ encryption and secure server technology to ensure that the entire voting process is fair, accurate and not subject to tampering.

Let’s briefly scrutinize this statement:

A secure system is one that can withstand attack when its architecture is publicly known. This is true for cryptography, firewall architecture and even physical locks. The more it is tested by unbiased third parties, the better it is. Conversely, a system that relies on security through obscurity will inevitably fail.

iBallot states that when the features are combined a very high level of security exists. But what if some of the security is bypassed? Will the system still be as resilient? Attackers do not follow the rules; if there is a Maginot Line to be crossed, they will go around it.

Their security details are proprietary, but I don’t know what the obvious reasons are. Voters have rights (both as voters and taxpayers) and an obligation to know how their vote is being protected. No one expects an organization to reveal its trade secrets, but a company providing a public service can’t make their security architecture a secret.

If iBallot is concerned that a hacker will come into their system, read about the system’s security, and then defeat the security, they don’t have a lot of confidence in their system. An opposite approach is from Argus Systems Group, to have a contest⁶ where testers are invited to penetrate into a system and find weaknesses⁷.

Finally, the fact that encryption and secure server technology is employed does not necessarily mean that the entire voting process is automatically fair, accurate and not subject to tampering. It just means that they utilized encryption and secure server technology.

Many other Internet voting companies are equally secretive with their security policies, and those that do have information often make inaccurate or erroneous claims, such as Validity Systems, who base their technology on⁸ Microsoft NT operating system with built-in Internet Information Web Server (IIS), the only true multipurpose server operating system on the market. Last time I checked, Solaris and HP/UX were true multipurpose server operating systems.

Finally, other software issues that must be dealt with are:

❏ Windows and browser bugs and vulnerabilities
❏ Back doors, dynamically linked libraries (DLL), malicious payload (how can the infrastructure stop denial of service attacks, viruses, malicious software, Trojan
❏ Social Engineering
❏ DNS attacks (attacks against DNS could be used to direct a voter to the wrong web server. A user could follow the instructions for voting, and yet receive a page that looked exactly like what it is supposed to look like, but
actually is entirely controlled by the adversary)

In conclusion, there is no infrastructure for Internet voting, no way to securely authenticate millions of voters, nor a mature voting software application. But there is hype, excitement and ignorance.

Who is for Internet voting in the InfoSec industry?

Who is rallying for Internet voting? While the vendors are behind the concept, who in the security community feels Internet voting is feasible? I was unable to find a single individual of note who felt it could be done securely.

As to dissenting opinions, there are many. At a Birds of a Feather session on the topic of Internet voting at the December 2000 Computer Security Applications Conference, the consensus was that a secure Internet voting system is many years away.

Dr. Avi Rubin, Principal Researcher at AT&T Labs Research, writes in Security Considerations for Remote Electronic Voting over the Internet that “Given the current state of insecurity of hosts and the vulnerability of the Internet to manipulation and denial of service attacks, there is no way that a public election of any significance involving remote electronic voting could be carried out securely.” He concludes “One reason that remote electronic voting presents such a security challenge is that any successful attack would be very high profile, a factor that motivates much of the hacking activity to date. Even scarier is that the most serious attacks would come from someone motivated by the ability to change the outcome without anyone noticing. The adversaries to an election system are not teenagers in garages but foreign governments and powerful interests at home and abroad. Never before have the stakes been so high.”

Creating an infrastructure for Internet voting is such a Herculean task that Bruce Schneier (President & CTO of Counterpane Internet Security www.counter-) states “The feasibility of a national secure Internet election is as close to never as to make the question mute.” Schneier notes that “if someone comes up with a secure Internet-based election system, it will be the first ever secure large-scale network application in the history of mankind.”

Dr. Rebecca Mercuri has long been speaking on the subject of electronic vote tabulation and wrote her Ph.D. thesis on Electronic Vote Tabulation Checks & Balances. Mercuri is adamantly opposed to the use of electronic voting systems. She elaborates a few points in her opposition⁹:

Fully electronic systems do not provide any way that the voter can truly verify that the ballot cast corresponds to that being recorded, transmitted or tabulated. Any programmer can write code that displays one thing on a screen, records something else, and prints yet another result. There is no known way to ensure that this is not happening inside of a voting system.

Electronic balloting systems without individual printouts for examination by the voters do not provide an independent audit trail (despite manufacturer claims to the contrary). As all systems (especially electronic) are prone to error, the ability to also perform a manual hand-count of the ballots is essential.

No electronic voting system is certified (even at the lowest level) of the US government or international computer security standards, nor has any been required to comply with such. Hence, no electronic voting system can be called secure (despite manufacturer claims).

There are no required standards for voting displays, so computer ballots can be constructed to be as confusing (or more) than the butterfly used in Florida, giving advantage to some candidates over others.

Electronic balloting and tabulation makes the tasks performed by poll workers, challengers, and election officials purely procedural, and removes any opportunity to perform bipartisan checks. The election process is entrusted to a small group of individuals who program and construct the machines.

Internet voting provides avenues of system attack to the entire planet. If the major software manufacturer in the USA could not protect their own company
from an Internet attack, one must understand that voting systems will be no better (and probably worse) in terms of vulnerability.

Off-site Internet voting creates unresolvable problems with authentication, leading to possible loss of voter privacy, vote selling, and coercion. These systems should not be used for any government election.

Steve Bellovin of AT&T Labs feels an Internet election could occur, but in no way could it be secure. Bellovin notes that “The problem is the correctness and audibility of the entire system, not just the vote-casting and tabulation. Given how difficult it is to get software correct, why do we think that this code would be correct? And how would we ever audit the vote, afterwards?” As for the access and convenience aspect, Bellovin says that “Voting from home or other non-supervised machines is an entirely separate can of worms. Given how unreliable Windows is, and given how easy it is to write worms, viruses, etc., using such a platform for voting is a complete non-starter. And that’s on a purely technical level; there are other issues about who is actually voting, coerced or bought votes, etc. Finally, we have to realize that we’re not simply talking about reliable software; we’re talking about keeping the entire process reliable and honest in the face of well-funded, highly motivated adversaries. We’ll have not just a graveyard vote, we’ll have a phantom PC vote, and there won’t be any physical ballots or physical signatures as a check.”

Dr. Ross Anderson is a Professor at Cambridge University and the author of Security Engineering: A Guide to Building Dependable Distributed Systems (John Wiley 2001 ISBN: 0471389226). Anderson notes that while Internet voting is currently being done for many purposes, he doesn’t think it has a chance to be done securely with current technology.

Finally, Adam Shostack, Director of Technology at Zero-Knowledge Systems, pragmatically states “take all the problems that we have with e-commerce, and add vote selling. Vote selling is the problem that if you get a receipt that says “Voted for Pat Buchanan” you can then take that receipt to the Buchanan campaign and get money for having voted for Pat. Then take all the problems we have in Florida, and add in the reality that there would be no paper ballots to be arguing over. If the code were buggy, we’d have no way to count the votes as cast.”

Conclusions

The concept of using the Internet as a voting mechanism is complex as it encompasses legal, technical, ethical and political issues. While this article is but a brief introduction to the topic, it is clear that Internet-based voting is unquestionably an idea whose time has not come. Its inherent difficulties make it an unfeasible technology. Many e-commerce companies claim that taxing goods purchased on the Internet is far too difficult an endeavor, given the complexity of the tax laws and the multitude of municipalities. If an Internet toy company is unable to figure out how much the tax is on a Barbie Doll shipped to Riverside, CA, can we reasonably expect the e-voting companies to figure out how to securely carry out an election?

If Internet-based voting were a drug, the FDA would undoubtedly reject it as unsafe and if it were an airplane, the FAA wouldn’t certify its airworthiness. The risks of Internet voting far outweigh any benefits it affords.

In conclusion, Internet-voting is a new concept being proposed by companies with little real-world experience in large-scale elections, let alone expertise in designing secure systems. Our freedom and voting process should not be subjected to hype and beta software.

Ben Rothke, CISSP is a senior security consultant with Baltimore Technologies. He can be reached at
The views expressed are his own.

Election Companies (Name, Web site, Slogan)

❏ The preeminent Global Election Company. empowers voters with an easier, more secure electoral process and enables its clients around the world to be more inclusive, trusted and productive at less cost.
❏ TrueBallot: TrueBallot designs and runs elections and referenda for organized labor and associations, both on and off-site, that combine adherence to strict standards of impartiality, anonymity and confidentiality with proven methods of automation technology. Our staff of attorneys and computer engineers brings the benefits.
❏ is the leading worldwide supplier of secure Internet voting solutions.
❏ Validity Systems, Inc. (formerly Eballot): Validity Systems is a leading Application Service Provider of technologies that enable organizations to conduct secure, private, and authenticated elections and research via the Internet. By working with Validity Systems, an organization can harness the power of the Internet to collect accurate data that meets the most stringent security requirements of many industries.
❏ The world’s premier Internet voting, testing, survey & polling system.
❏ SafeVote: Leaders in Internet Voting Technology
❏ Election Systems and Software (www.election-): Election Systems and Software is the recognized global leader in providing innovative solutions and services to the elections industry.
❏ Internet Dollar Election Systems (www.internet): Internet Dollar election systems can support a wide range of elections.

Articles of Note

❏ Are We Ready for Internet Voting? p_title.shtml
❏ The Modern Democratic revolution: An Objective Survey of Internet-Based Elections, Derek Dictson and Dan Ray
❏ Analysis of Internet Voting Proposals, Andre Chernay
❏ Security Considerations for remote Electronic Voting over the Internet

Additional Information

❏ US Federal Election Commission
❏ Internet Voting Technology Alliance
❏ Voting Integrity Project
❏ Election Center www.electioncenter.org
❏ National Workshop on Internet Voting
❏ Electronic Voting site by Rebecca Mercuri
❏ Lorrie Cranor’s Electronic Voting Hot List www.research.
❏ International Foundation for Election Systems

References

1
2 If Internet voting would increase voter turnout by up to 50% as the pundits claim, then the voting infrastructure would have to scale accordingly.
3 Proponents of Internet voting believe that it will increase voter participation. If that is the case, then the numbers will be even larger than the ones I use.
4 qa.cfm?qa_id=23#23
5
6
7 For a dissenting view about hacking contests, see Bruce Schneier The Fallacy of Cracking Contests 9812.html#contests; Gene Spafford Hacker Challenges—Boon or Bane? February 1995 issues/issue9602; Ben Rothke Challenging Hacker Contests Information Security Magazine November 1998
8
9