There are hazards in remote Net voting

There are hazards in remote Net voting

Even before last fall's presidential election put the spotlight on the technical deficiencies of current paper-based voting machines, various groups were proposing and studying a possible new generation of voting technology'remote Internet voting systems.

The idea is simple: A voter could study the candidates and issues online from home, at leisure. Then, when ready to vote, the voter would connect to a server run by the election agency, type a password or offer some other authentication, call up the blank ballot, mark choices and hit the 'vote' button to record the ballot.

Voting could be accomplished in two minutes, from home, with no need to visit a polling place. Those who work away from home, or happen to be traveling, institutionalized, away at school or in the military could vote over the Internet from anywhere in the world.

It is a compelling vision'one that would extend the franchise to groups of people who have traditionally faced geographic barriers to voting, and would make voting more convenient for everyone.

Like Swiss cheese

The idea sounds attractive and technically plausible. Unfortunately, when it is examined carefully, several profound security problems become clear. The security holes are so severe that an attacker could easily launch an automated attack that could prevent thousands of voters from voting, or could spy on their votes, or even change their votes and swing the results of the election without ever being detected. Such attacks could be launched from anywhere in the world, possibly by a foreign government or even a lone individual.

Here is a partial list of the types of attacks that are easily possible:

Virus attacks: In this scenario the attacker circulates a virus'infecting PCs by any of a dozen easy means'which does nothing at all until the voter starts to vote. The virus changes his or her vote, and erases itself so it cannot be detected later.

Spoofing attacks: Here the voter is tricked, by any number of means, into 'voting' at a fake voting site that looks and acts exactly like the real one. The votes might be just thrown away by the attacker; but a more sophisticated attack may allow the spoofer to capture enough authentication information from the voter so that the attacker can subsequently vote over the Internet in place of legitimate voters.

Denial-of-service attacks: In these situations the attacker jams the vote server with so much fake traffic that it becomes overloaded and cannot receive or process real votes. For the duration of the attack no votes come through. If the attack takes place during the last few hours of the election, then any number of voters can be disenfranchised.

System administrator attacks: In workplace, college, military and other institutional situations it is common for system administrators to install remote control software on all of the computers they manage. This same legitimate software, however, can also allow the administrator to electronically spy on votes or even change them remotely.

Automated vote selling systems: The vote buyer puts up a Web site'perhaps outside the country'that vote sellers visit. The two then cooperate, in an automated protocol, so that the buyer helps the seller vote in the agreed-upon way, and the seller helps the buyer transfer payment.

These security threats either do not apply at all, or are at least much more manageable, in pollsite Internet voting, which uses systems that require voters to go in person to polls controlled by elections officials to cast their Internet ballots.

But for remote Internet voting'done from home or office sites not configured by election officials'these threats are quite profound. There is no easy defense against any of them. They do not represent bugs in any software that might be fixed by an appropriate patch.

Resistance is futile

Stronger encryption, or voter authentication or firewalls would make no difference at all. 'Secure' connections between the PC and the vote server would not help.

Even virus protection software is of limited value, since it can only protect against a known virus, and then only if a fix has been constructed and the voter downloads it before voting. Considering the ease with which virus attacks succeed'remember the 'ILoveYou' virus that penetrated an estimated 10 million computers'chances are good that a large number of votes can be compromised by a virus attack even under the best of assumptions.

These problems are not going to be resolved any time soon. However, with additional research on secure election protocols, and with the gradual replacement of the current generation of PCs and Internet infrastructure with hardware designed with better security in mind, these problems may be eased or eliminated.

In the meantime, because free and fair elections are a matter of vital national security in any democracy, we simply have to give up on remote Internet voting.

David Jefferson is a senior member of the research staff at Compaq Systems Research Center in Palo Alto, Calif. He has been researching Internet voting there for seven years.

READERS SPEAK

Contractors. You can't live without them. But sometimes you can't live with them. GCN/State & Local has been covering some contracts and contractors that have gone awry.

Some agencies have gone so far as to collect liquidated damages. Other simply debar certain vendors, at least temporarily, if they don't live up to terms. Still other agencies find mistakes caused by their own contract activities.

What do you think? Are more contracts going off the rails than in the past? What is your agency doing to ensure contract compliance?

To share your thoughts and read those of your colleagues, go to www.gcnstateandlocal.com/state/index.html and click on the Readers Speak button along the left side of the home page.

We'll also print the most intriguing responses in the next issue of GCN/State & Local.

Readers whose comments appear in the publication will receive a GCN commuter mug and a coffee gift certificate.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above