Net has too many holes to cast ballots by PC
Originally published Jan 29, 2004
Mike Himowitz
THE INTERNET is a splendid medium for influencing public opinion, mobilizing political workers or raising money for candidates, as Howard Dean proved early in his presidential campaign (at least before the Great Yowl).
But the Internet is a rotten medium for voting.
Oh yes, it's convenient - not only for voters, but also for hackers, criminals, dirty tricksters, terrorists and perhaps even foreign governments that would love nothing more than to gum up the works when the United States gives online voting a try.
That is exactly what will happen on a small scale in the coming months as the Department of Defense unveils a $22 million experimental project that will allow up to 100,000 members of the military and civilians living overseas to cast ballots from Web-connected PCs in the presidential primaries of seven states.
Last week, a group of security consultants hired by the government to poke holes in its Secure Electronic Registration and Voting Experiment (SERVE) did just that. Their scathing report concluded that the Net is so fundamentally insecure that using it for voting in the foreseeable future threatens the integrity of the electoral process.
Not surprisingly, the government said "thank you" and announced it would go ahead with the project anyway. But the report, available at www.servesecurityreport.org, is well worth reading if you care about fair and accurate vote counts.
First, the authors are: Avi Rubin, technical director of the Information Security Institute at the Johns Hopkins University; David Jefferson, a computer scientist at Lawrence Livermore National Laboratory, who has served on a wide variety of electronic voting panels; Barbara Simons, an encryption expert and former president of the Association for Computing Machinery; and David Wagner, a scientist at the University of California at Berkeley and specialist in security vulnerabilities.
These aren't kooks or professional Jeremiahs. They're top professionals in their field. Like all security specialists, they're paid to be paranoid - to find flaws.
Rubin, in particular, has actively criticized the electronic voting terminals that Maryland and other states are busy installing. But what's scary is that this group didn't have to dig very deep into its collective bag of expertise to make a case against Internet voting.
At the outset, they concede that SERVE addresses a real problem for 6 million military personnel and civilian expatriates. Registering and casting an absentee ballot can require up to five separate international mail transactions, each subject to unavoidable delays and the risk of missing deadlines.
There's also no question that it would be easier for these folks to register and vote at a PC. The question is whether the convenience is worth the risk that their votes could be compromised or changed in the process. Or that an entire election could be subverted by a band of hackers or agents of another country.
It's not idle speculation. Although SERVE will process only 100,000 ballots this year, remember that George W. Bush won Florida, and hence the presidency, by only 269 votes in the election mess of 2000. So a few votes altered here or ped there can make a big difference.
"Democracy," the report says, "relies on broad confidence in the integrity of our elections, so the stakes are enormous. We simply cannot afford to get this wrong."
Florida, by the way, is one of the states where SERVE will be tested. The others are Arkansas, Hawaii, North Carolina, South Carolina, Utah and Washington.
Although some of the report's concerns might be far-fetched, the scientists' core arguments are well understood by anyone who's spent serious time with PCs on the Internet.
The first is that an Internet system takes a critical element of the election machinery out of the hands of local election boards and puts it onto insecure PC desktops.
SERVE allows voters to cast ballots from any computer connected to the World Wide Web - which is one of its great attractions. Unfortunately, those PCs must be running Windows, the flaws of which are so abundant that Microsoft has to issue monthly security s.
Worse yet, in order to vote, users must enable ActiveX controls, JavaScript and cookies in their Web browsers. Those are three of Windows' most insecure features, already subject to attacks by legions of hackers and malicious Web site operators.
Although the report notes that SERVE implements the same encryption and security used in commercial transactions, that isn't good enough.
That's because commercial transactions are verifiable. If you order a book from Amazon.com, you'll get an e-mail confirmation - and your credit card statement will show the charge. And of course, the book will arrive - or not.
Because SERVE is designed to protect voter privacy, the report says, there's no way a voter can verify that his vote was actually recorded or recorded accurately. And there's no paper trail, as there is with today's absentee ballot. This is also an issue with all-electronic voting machines. If something goes wrong or there is a challenge, there's no backup, just a "trust us" from the election board.
There's also virtually no way to ensure that a computer hasn't been compromised by viruses, worms or Trojan horse programs specifically designed to alter votes, fool voters into thinking they've cast their ballots or to prevent voters from reaching SERVE's Web page in the first place. Just look at the proliferation of adware, spyware, keystroke loggers, browser hijackers and other malware that already infect millions of computers.
Another potential threat: Denial of Service (DoS) attacks that could flood SERVE's computers with data just before the election, making it difficult or impossible for voters to log on. Over the last year, hackers have joined forces with virus and worm-writers to spread software that hijacks thousands of PCs and turns them into "zombies" that join in these DoS attacks.
None of this is speculation - in fact, the real payload of the MyDoom virus that flooded millions of mailboxes this week is a zombie program that attacks servers operated by the SCO Group, a company engaged in a legal brawl with backers of the Linux operating system. It could just as easily be directed at an Internet voting system.
Now, election chicanery is nothing new. It has always been possible to rig mechanical voting machines or tamper with paper ballots. It's also possible to tamper with a handful of absentee votes - particularly in settings such as nursing homes - or to intercept them at some point in the mail. But it's almost impossible to do it on a large scale without being detected.
Unfortunately, powerful modern computers and the ubiquity of the Internet now make it possible for a handful of hackers to disenfranchise large numbers of voters and threaten the outcome of an entire election.
The authors of the report also worry that a successful test of SERVE - one without obvious glitches or security problems - will just encourage expansion of an insecure program.
"The lack of a successful attack in 2004 does not mean that successful attacks would be less likely to happen in the future; quite the contrary, future attacks would be more likely, both because there is more time to prepare the attack, and because expanded use of SERVE or similar systems would make the prize more valuable," the report concluded.
Democracy is messy and expensive by its very nature. It's not worth jeopardizing its crown jewel - a fair and honest election - for convenience's sake. We can find a better way to help absentees cast their ballots.
Copyright © 2004, The Baltimore Sun