Report Says Internet Voting System Is Too Insecure to Use
By JOHN SCHWARTZ
A new $22 million system to allow soldiers and other Americans overseas to vote via the Internet is inherently insecure and should be abandoned, according to members of a panel of computer security experts asked by the government to review the program.
The system, Secure Electronic Registration and Voting Experiment, or SERVE, was developed with financing from the Department of Defense and will first be used in this year's primaries and general election.
The authors of the new report noted that computer security experts had already voiced increasingly strong warnings about the reliability of electronic voting systems, but they said the new voting program, which allows people overseas to vote from their personal computers over the Internet, raised the ante on such systems' risks.
The system, they wrote, "has numerous other fundamental security problems that leave it vulnerable to a variety of well-known cyber attacks, any one of which could be catastrophic." Any system for voting over the Internet with common personal computers, they noted, would suffer from the same risks.
The trojans, viruses and other attacks that complicate modern life and allow such crimes as online snooping and identity theft could enable hackers to disrupt or even alter the course of elections, the report concluded. Such attacks "could have a devastating effect on public confidence in elections," the report's authors wrote, and so "the best course to take is not to field the SERVE system at all."
A spokesman for the Department of Defense said the critique overstated the importance of the security risks in online voting. "The Department of Defense stands by the SERVE program," the spokesman, Glenn Flood, said. "We feel it's right on, at this point, and we're going to use it."
An official of Accenture, the technology services company that is the main contractor on the project, said the researchers drew unwarranted conclusions about future plans for the voting project. "We are doing a small, controlled experiment," said Meg McLauglin, president of Accenture eDemocracy Services.
The Federal Voting Assistance Program, part of the Department of Defense, plans to officially introduce the program in the next few weeks. Seven states have signed up so far to participate: Arkansas, Florida, Hawaii, North Carolina, South Carolina, Utah and Washington. As many as 100,000 people are expected to use the system this year, and the total eligible population would about one million.
A move to that larger population of voters is far from certain, Ms. McLauglin said, and the final system could be very different from the one being used this year. "It will be up to Congress and the states to determine if this gets expanded, and how," she said.`
"Without doing these experiments, we won't learn more and we won't learn how to help these folks vote in the future," she said.
Trying to vote overseas can be a frustrating ordeal. And Internet voting makes intuitive sense to Americans who have grown accustomed to buying books, banking and even finding mates online.
But the authors of the report adamantly state that what works for electronic commerce doesn't work for electronic democracy: "E-commerce grade security is not good enough for elections," they wrote. The dual requirements of authentication and anonymity make voting very different from most online purchases, they wrote, and failures and fraud are covered by Internet merchants and credit card companies. "How do we recover if an election is compromised?" they wrote.
The report states, "We recognize that no security system is perfect, and it would be irresponsible and naïve to demand perfection; but we must not allow unacceptable risks of election fraud to taint our national elections."
They said any new system "should be as secure as current absentee voting systems and should not introduce any new or expanded vulnerabilities into the election beyond those already present." One of the authors of the report, David Wagner, an assistant professor in the Computer Science Division at the University of California at Berkeley, said, "The bottom line is we feel the solution can't be a system that introduces greater risks just to gain convenience."
Although some of the possible attacks may sound far-fetched or arcane, the security experts said that each of them had already been seen in some form out on the Internet.
"We're not making up any theoretical concepts," said Aviel D. Rubin, an author of the report and the technical director of the Information Security Institute at Johns Hopkins University. "These are all things that occur in the wild that we see all the time."
Computers on the Internet have become ever more vulnerable to malicious software that takes over the machines' functions to monitor the users' activities, scan them for private information or press them into service to launch attacks on other computers, to send spam or advertise Internet pornography sites online. "And we're going to use these as voting booths?" Mr. Rubin asked. "It just doesn't make any sense."
A major American election would be an irresistible target for hackers, and the ability of computers to automate tasks means that many attacks could be carried out on a large scale, the report said.
The authors said the Federal Voting Assistance Program, which runs SERVE, and Accenture, the main contractor, should not be faulted for their work, which they found innovative and conscientious. Secure Internet voting, the panel concluded, is an "essentially impossible task."
In fact, the panel said, "there really is no good way to build such a voting system without a radical change in overall architecture of the Internet and the PC, or some unforeseen security breakthrough. The SERVE project is thus too far ahead of its time, and should wait until there is a much improved security infrastructure to build upon."
The risks inherent in SERVE are likely to cripple any system for Internet-based voting, said Barbara Simons, a technology consultant and coauthor of the report. "It's not just a SERVE thing," she said.
Such concerns are not new. They have formed the basis of several recent studies of Internet voting. A report in 2001 by the Internet Policy Institute, financed by the National Science Foundation, concluded that "remote Internet voting systems pose significant risk to the integrity of the voting process and should not be fielded for use in public elections until substantial technical and social science issues are addressed."
David Jefferson, an author of the new report and a computer scientist at Lawrence Livermore National Laboratory in Northern California, also worked on a 2000 report for the California secretary of state that reached similar conclusions. "Nothing fundamental has changed," he said, since that report was written.
"Nothing we've seen makes us think that this can be made secure," Mr. Jefferson said.
In attempting to play down the critique of the system, Mr. Flood of the Defense Department called it a "minority report," since it involved only 4 of the 10 outside experts asked to review the system. But Mr. Rubin, the report co-author, noted that the four authors were the only members of the group who attended both of the three-day briefings about the system.
There is no majority report, since the other six experts have not taken a public stance on the project.
Ms. McLauglin of Accenture said that the company had contacted the other six members of the outside advisory group and that five of the six said they would not recommend shutting down the program.
One of the other outside reviewers, Ted Selker, a professor at the Massachusetts Institute of Technology, disagreed with the report, saying it reflected the professional paranoia of security researchers. "That's their job," he said.
Mr. Selker, an expert in the ways people use technology, said security is a less pressing concern than mistakes in registration databases, poor ballot design and inadequate polling place procedures. "Every single election machine I've seen — including the lever machine, including punch card machines, including paper ballots — has vulnerabilities," he said.
A security expert and critic of technologically advanced voting systems who had seen an early draft of the study applauded the group's work. "What I saw convinced me that no one should ever vote on that system," said David Dill, a professor of computer science at Stanford University who has become active in voting technology issues. "I understand the problems that people overseas have voting, especially if they are in the military, and I believe we have to make it a lot easier for them," he said. "But SERVE is the wrong solution."