Internet voting system has flaws
By Patrick Kerns
February 06, 2004
Four experts in internet security published a report on January 20 declaring that the government internet voting pilot program known as the Secure Electronic Registration and Voting Experiment (SERVE) should be terminated because of the inherent security flaws of internet voting.
The experts expressed worry that the new voting technology would gain popularity after small-scale tests and be rushed into widespread use, where electronic attacks and deception by hackers could significantly alter the course of American politics.
The authors of the study, Avi Rubin of Johns Hopkins University, David Wagner of the University of California, Berkeley, David Jefferson of the Lawrence Livermore National Laboratory, and Barbara Simons, a technology policy consultant, are all part of the ten-member Security Peer Review Group, which was formed to evaluate the SERVE system.
SERVE was created and is run under the purview of the Federal Voting Assistance Program, a Department of Defense program initiated to provide overseas military personnel and citizens with an easy method of voting.
Under the current setup of SERVE, voters would visit the SERVE website using any commercially available computer and cast their vote via the webpage.
Altogether the SERVE program will be used in 50 foreign countries and the counties of seven states to count up to 100,000 votes. Eventually the program is planned to serve the voting needs of all 6 million overseas citizens, military personnel and their dependents.
The four authors of the report criticizing SERVE found fault with the basic security risks inherent in online voting, not with the particular implementation of the idea by the FVAP and Accenture, who developed the technology. According to the report, internet voting is plagued by the same problems that face some electronic voting machines in addition to its own intrinsic problems.
The report outlines some of the difficulties the SERVE system shares with the Direct Recording Electronic (DRE) voting system: the software is not sufficiently proven in testing, it is vulnerable to exploitation of the system by malicious programmers, and there is no paper or audit trail that can be used to verify a person's vote.
Wagner declared in a recent press release that "the flaws are unsolvable because they are fundamental to the architecture of the Internet. Using a voting system based upon the Internet poses a serious and unacceptable risk for election fraud. It is simply not secure enough for something as serious as the election of a government official."
The three main vulnerabilities of any Internet voting system, according to the report, are denial of service attacks, middleman attacks, and the use of a virus to view or change a voter's decision.
A denial of service attack is a primitive Internet attack that can crash a website with excessive traffic, and could prevent voter access to the SERVE webpage.
A spoofing, or middleman, attack is one where a hacker could direct a voter to a fake SERVE page to prevent the person's vote from being counted or even change it.
Viruses could be used to allow a third party to view, block, or change a voter's decision by altering programs on the user's computer.
One of the major fears of the study authors is that any success in pilot programs, such as the one this year, will result in the rapid rollout of the unproven and vulnerable technology without the proper scrutiny that is due to an unproven system. Amid the fallout of the voting catastrophe in Florida in 2000, many have felt that the desire to improve the accuracy of the voting process has led to the rushing of new, untried technologies onto the scene, one of which is SERVE.
The debate about the viability of online voting comes at a time when other countries have been considering and experimenting with this new method of increasing the ability of the public to vote. The United Kingdom has begun sanctioning several trials of online voting in an attempt to keep voter turnout at elections high through a series of measures designed to make voting easier, including telephone, all-postal balloting, and electronic voting or vote counting. A report written for the Electoral Reform Society of the UK by an independent commission has recommended that verification steps for systems such as electronic voting be stringent, requiring detailed voter info, and has advocated the formation of technology task forces to scrutinize the technology involved in the proposed voting systems.