Some security analysts cast a 'no' vote on Defense's online absentee voting system
- By William Jackson
- Feb 06, 2004
Security analysts who evaluated Defense Department plans are deeply split on the advisability of online absentee voting for the fall presidential election.
A minority report from a third-party review board concluded that the Secure Electronic Registration and Voting Experiment's Internet voting will invite 'hackers or even terrorists to interfere with fair and accurate voting.'
Other reviewers called Defense's SERVE worthwhile and reasonably safe.
'Computers are used for a variety of purposes by the government, and there is no reason to think they cannot be used for voting as well,' said Thad Hall, a program officer with the Century Foundation in Washington. 'The government has an explicit policy encouraging use of the Internet for tax filing, so why shouldn't it be used for this?'
But critics maintain the stakes are too high to experiment in a live election.
'I'm not against computers,' said Aviel D. Rubin of Johns Hopkins University, one of the authors of the minority report, speaking at a conference last year. But he added, 'In order for democracy to work, people need to have confidence in the election system.'
DOD's Federal Voting Assistance Program, which runs SERVE, wants to improve absentee voting for U.S. citizens living or serving overseas. SERVE expands on a small program that counted a handful of overseas military votes in 2000. This year as many as 100,000 voters from 50 counties in Arkansas, Florida, Hawaii, North Carolina, South Carolina, Utah and Washington will be eligible to cast ballots online at www.serveusa.gov
Accenture Ltd. of Chicago received a contract to develop SERVE in 2002. The contract runs through March 2005 to allow for post-election review.
SERVE was designed originally for use in a general election. But 'we're hoping to use it in some primaries,' said Meg McLaughlin, president of Accenture's e-democracy services division.
Although South Carolina is a pilot participant, SERVE was not available for last week's primary in that state because the system's still undergoing certification by an independent laboratory. The certification will also clear the system for use for the fall presidential election.
The impetus for SERVE was the contested 2000 presidential election, in which the government found 20 percent to 29 percent of eligible overseas voters could not get absentee ballots or did not receive them in time. Up to 26 percent of those eligible did not even try to vote.
The Internet is one route to fix the failed paper process, McLaughlin said, because 'many voters who try to use it today are not able to. We need to do some small, controlled experiments.'
DOD spokesman Glenn Flood said security 'was our No. 1 priority when we started on this concept. Measures have been put in place, and we have been working with state and local election officials to ensure integrity.'
The Federal Voting Assistance Program contracted with the California Institute of Technology for the independent review of SERVE. The 10-member Security Peer Review Group included 'people we knew were highly critical of Internet voting,' Hall said.Key concerns
The authors of the minority report were Rubin, David Jefferson of Lawrence Livermore National Laboratory, David Wagner of the University of California at Berkeley and Santa Barbara, and Barbara Simons, an IBM Corp. consultant.
They cited these threats, among others:
- Software flaws and bugs inserted by programmers
- Denial-of-service attacks that could hamper balloting
- Spoofing attacks, in which a vote could be redirected to a phony Web site that blocked or altered it
- Malicious code on a PC that could let a third party monitor or manipulate votes.
The analysts said their report was not intended as a criticism of government's efforts or the work done by Accenture.
'The real barrier is not a lack of vision, skill, resources or dedication,' they noted. 'It is the fact that, given the current Internet and PC security technology, FVAP has taken on an essentially impossible task.'
William Jackson is freelance writer and the author of the CyberEye blog.