
Monday, April 22, 2013

About Internet Voting

California Assembly Bill 19 (Ting, D-San Francisco) [1] proposes to allow Internet voting. The bill has two serious problems.

The first is in Section 4502(b)(2), which describes what the Internet voting system is to be tested for. Testers must check that no one can make the system report inaccurate tallies or change votes. But the bill does not require testing to ensure that all parts of the voting system will be available during the voting period.

Let’s see what this means. During Election Day, when you open your browser and type in the Election Office’s web site, you get a message saying the web site is unavailable. You’re thrilled so many people are voting, so you go to work. While there, you try to vote again, with the same result. This happens whenever you try to cast your vote throughout the day. That evening, at 7:55pm (just before the polls close), you try to vote from home one last time. Again, the web site is “unavailable”. Oh, well.

What you just read is a description of a “denial of service” attack. They are actually fairly common, and extremely easy to launch. In fact, recently many banks (such as U.S. Bank, Bank of America, Wells Fargo Bank, CitiBank, and American Express [2,3,4]) were victims of such attacks. But the banks have an advantage that election offices don’t: lots of servers and lots of money. They can hire teams of cybersecurity experts to respond to these attacks, and can reroute traffic to geographically widely distributed servers to mitigate some of the effects of the attack. Even so, the banks all experienced slow-downs that affected customer use of their web sites.

Given that most Election Offices have 1 or 2 people whose job involves cybersecurity (among other functions) and would have a single server to handle Internet voting, the possibility of Internet voting with an inaccessible server is very realistic. And as the above news articles note, these attacks are easy to launch — from anywhere in the world.

In fact, this has happened. During Hurricane Sandy, New Jersey allowed voters to request email ballots by sending an email to county email addresses set up for this purpose [5]. But the email addresses which received the emails were quickly overwhelmed, and email requests for ballots were bouncing [6]. And this was not an attack; it was simply voters requesting email ballots.

Thus, any proposed Internet voting system needs to be able to handle a denial of service attack. But the bill does not require they be tested for this ability.
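The availability testing the post says the bill omits can be made concrete. What follows is an added example, not part of the original post and not from any real election system: it reads a constructed log of periodic availability probes against a hypothetical election-office voting endpoint, collapses consecutive failed probes into outage intervals, and reports total downtime and whether the site was unreachable in the final half hour before the polls close, the window the 7:55pm scenario above describes. The log lines, the poll hours, and the 30-minute final window are all assumptions chosen for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample probe log (not real data): one line per availability
# check of a hypothetical voting endpoint, "<ISO timestamp> <HTTP status|timeout>".
PROBE_LOG = """\
2013-04-22T07:00:00 200
2013-04-22T07:05:00 200
2013-04-22T07:10:00 503
2013-04-22T07:15:00 timeout
2013-04-22T07:20:00 503
2013-04-22T07:25:00 200
2013-04-22T12:00:00 200
2013-04-22T19:45:00 200
2013-04-22T19:50:00 timeout
2013-04-22T19:55:00 timeout
2013-04-22T20:00:00 timeout
"""

# Assumed voting period for the example.
POLLS_OPEN = datetime(2013, 4, 22, 7, 0)
POLLS_CLOSE = datetime(2013, 4, 22, 20, 0)


def parse_probes(text):
    """Return a list of (timestamp, available) pairs from the probe log.

    A probe counts as "available" only if it returned an HTTP status
    below 500; timeouts and 5xx responses are treated as unavailable.
    """
    probes = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, status = line.split()
        available = status.isdigit() and int(status) < 500
        probes.append((datetime.fromisoformat(ts), available))
    return probes


def outage_intervals(probes, close=POLLS_CLOSE):
    """Collapse runs of failed probes into (start, end) outage intervals.

    An outage still in progress at the last probe is taken to run until
    the polls close, since no later probe shows recovery.
    """
    intervals = []
    start = None
    for ts, ok in probes:
        if not ok and start is None:
            start = ts
        elif ok and start is not None:
            intervals.append((start, ts))
            start = None
    if start is not None:
        intervals.append((start, close))
    return intervals


def availability_report(probes, open_=POLLS_OPEN, close=POLLS_CLOSE,
                        final_window=timedelta(minutes=30)):
    """Summarise downtime over the voting period.

    'unavailable_before_close' flags any outage that overlaps the final
    window before the polls close, when late voters have no second chance.
    """
    outages = outage_intervals(probes, close)
    down = sum((end - start for start, end in outages), timedelta())
    total = close - open_
    cutoff = close - final_window
    return {
        "outages": outages,
        "downtime_minutes": down.total_seconds() / 60,
        "availability": 1 - down / total,
        "unavailable_before_close": any(end > cutoff for _, end in outages),
    }


if __name__ == "__main__":
    report = availability_report(parse_probes(PROBE_LOG))
    for start, end in report["outages"]:
        print(f"outage {start:%H:%M} to {end:%H:%M}")
    print(f"downtime: {report['downtime_minutes']:.0f} min, "
          f"availability: {report['availability']:.2%}, "
          f"down before close: {report['unavailable_before_close']}")
```

On the constructed log this reports two outages (15 minutes in the morning, 10 minutes at the end of the day), about 97% availability over the 13-hour period, and a flag on the final outage. The point of the last field is that an availability figure alone hides what matters for an election: a short outage at 7:55pm disenfranchises the voters who had no other chance, whereas the same outage at noon does not.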

The second problem is much more basic: what is an “Internet voting system”? The bill defines it in Sec. 4500(2). It includes the election office server, of course, and the Internet. But what else does it include? The system or device you cast your vote on, and that then transmits the vote to the election server.

Let’s assume you are voting on your home computer. How do you know the votes you enter on your computer are what is sent to the server? It is very easy to write programs that alter information; indeed, the infamous computer virus does exactly this. And while antivirus programs are very effective in countering viruses that they know about, they do not protect you against new viruses or other nasty programs on your system. There are many ways to introduce these programs, including having you go to a web site that looks like your bank’s (for example). When you get there, the site has you download something to improve service — and presto!, the malefactors have just put a virus on your system.

With smartphones this is even easier, because we all download apps and run them. The protection most smartphones offer is minimal, so an app to cast your vote (suitably doctored, of course) is easy to write. To get you to download it, the perpetrator sends you an email saying that your election official has set up a web site that you can go to for the app — and when you download it, you really download the doctored app. The election official, of course, did not send this letter.

And there are even more problems. The bill doesn’t require the Secretary of State to certify the system, despite what the legislative counsel’s digest says. It simply requires that the report say the system meets “the standards of accuracy, security, integrity, efficacy, and accessibility”; then it is deemed certified (4502(c)). What “the standards” are is nowhere defined. Also, the bill says nothing about certifying the procedures under which the system is to be used.

This last point is critical. Security experts know that a “system” is not secure in itself; a “system” is secure when used in a specific way. A good way to think of this is to consider how safe a car is. When the driver obeys the traffic laws, she is (usually) quite safe. But if she runs red lights, she is not. Similarly, if the Internet voting system procedures are poorly done, or do not take into account the bad things that can prevent voting or corrupt the ballots, poor “system” security is the least of the problems. Yet the bill does not require these be checked.

The quest for Internet voting is a good one; but before the body politic decides that it should be implemented, the dangers and problems of it must be known, discussed openly, and a conscious decision made that the consequences of those problems are acceptable. A pilot study using a real election does not provide this information for several reasons. First, no reputable computer security expert will ever attack a voting system during an election (it’s a crime), so we cannot test the security of the system and its procedures as actually used. Second, enabling detection of some attacks requires a complete record of what happens — including how you voted. Before this type of recording is done, the body politic must decide that how you voted can become known, and accept the attendant risks of vote selling and voter intimidation. Third, a very sophisticated attack could well be undetectable — so how would we know the votes were compromised? And so forth.

I applaud Assemblyman Ting’s desire to increase voter turnout. But this bill isn’t the way to do it.

As for my credentials: I am a professor of computer science at the University of California at Davis, where I am a co-director of the Computer Security Laboratory. I have been in the field since 1978. I have been studying electronic and Internet voting since 2004, when I participated in the RABA study of electronic voting systems for the State of Maryland [7]. I was also one of the co-leaders of the technical part of the California Secretary of State’s Top-to-Bottom Review of voting systems certified for use in the State of California [8]. Currently, the National Science Foundation is funding our research on election processes [9,10]. Our group works with election officials in Yolo and Marin Counties.

Any opinions expressed in this note are those of the author, and not necessarily those of anyone else.

References

[1] “Internet Voting Pilot Program,” Assembly Bill No. 19, California State Assembly (Apr. 16, 2013); available at http://www.leginfo.ca.gov/pub/13-14/bill/asm/ab_0001-0050/ab_19_bill_20130416_amended_asm_v97.htm

[2] “3 More Major US Banks Report Possible Cyber Attacks,” NBC News (Sep. 27, 2012); available at http://www.nbcnews.com/technology/technolog/3-more-major-us-banks-report-possible-cyber-attacks-6126050

[3] M. Lennon, “Wells Fargo Says DDoS Attack Disrupting Online Banking Website,” Security Week (Mar. 26, 2013); available at http://www.securityweek.com/wells-fargo-says-ddos-attack-disrupting-online-banking-website

[4] B. Acohido, “Amex Latest U.S. Major Bank to Get Knocked Offline,” USA Today (Apr. 2, 2013); available at http://www.usatoday.com/story/tech/2013/03/29/american-express-denial-of-service-hack/2030197/

[5] “Christie Administration Announces E-Mail and Fax Voting Available to New Jerseyans Displaced by Hurricane Sandy,” State of New Jersey (Nov. 3, 2012); available at http://www.state.nj.us/governor/news/news/552012/approved/20121103d.html

[6] B. Sullivan, “New Jersey’s Email Voting Suffers Major Glitches, Deadline Extended to Friday,” NBC News (Nov. 6, 2012); available at http://usnews.nbcnews.com/_news/2012/11/06/14974588-new-jerseys-email-voting-suffers-major-glitches-deadline-extended-to-friday

[7] “Trusted Agent Report Diebold AccuVote-TS Voting System,” RABA Innovative Solution Cell, Columbia, MD (Jan. 20, 2004); available at http://nob.cs.ucdavis.edu/~bishop/notes/2004-RABA/2004-RABA.pdf

[8] M. Bishop, “Overview of Red Team Reports,” Office of the California Secretary of State (July 2007); available at http://www.sos.ca.gov/voting-systems/oversight/ttbr/red-overview.pdf

[9] “TC:Medium:Collaborative Research: Technological Support for Improving Election Processes,” award from the National Science Foundation to the University of California at Davis (Sep. 15, 2009); abstract available at http://www.nsf.gov/awardsearch/showAward?AWD_ID=0905503

[10] “EAGER: Collaborative: Process-Based Technology to Support Comparison and Evaluation of the Security of Elections,” award from the National Science Foundation to the University of California at Davis (Oct. 1, 2012); abstract available at http://www.nsf.gov/awardsearch/showAward?AWD_ID=1258577
