The Perils of Internet Voting

Despite all the hullaballoo about the potential for voter intimidation on Nov. 2, there is a greater danger to the integrity of the midterms

Once again, raising the eternal question “Are journalists complicit or just stupid?”

From the article:

After waiting a day for votes to stream in, the trio hijacked the server — changing ballots, broadcasting the maize and blue’s fight song, seizing control of the security cameras in the board’s offices and unearthing a folder containing the personal information of the more than 900 overseas voters who were to receive online ballots next month. It took 36 hours for officials to notice they had indeed been hacked.

It’s even worse than that.

When they’d discovered the foreign intrusions from Iran and China, the “white hat” hackers from the U.S. actually took measure to protect the D.C. system.

“We decided to defend the network by blocking them out, by adding rules to the firewall, and by changing the password to a more secure one,” he explained during his testimony to a stunned Cheh.

“You changed the password of the BoEE system?” she interrupted him to ask.

“Of the pilot system, yes,” Halderman responded.

“You changed it?!” Cheh asked incredulously.

“We did, yeah, to something so that the Chinese and Iranian attackers wouldn’t get it,” he said.

Government to report on $1 trillion-plus deficit

.
“WASHINGTON – The Obama administration is set to report Friday that the federal budget deficit exceeded $1 trillion for the second straight year, providing critics of government spending with fresh ammunition ahead of the midterm congressional elections.
The Congressional Budget Office is projecting that the deficit for the 2010 budget year that ended Sept. 30 will total $1.29 trillion. That’s down by $125 billion from the $1.4 trillion in 2009 – the highest deficit on record.”
.
Spend, spend and spend some more!!

and you act like this was one man’s doing.

Hi-larious!

Actually, the fact that they never changed the default password on the server is the MOST disturbing part of the whole thing…

Please don’t hijack the thread Rusty. If you have something to say about voter fraud, say it, but save your off-topic mindless Obama hatred for a more appropriate thread.
.
Thanks in advance.

I’m soooooo glad we cleaned up that ACORN mess and returned integrity to our election process.

The technology to do this safely and securely has been around for awhile. It would also push up voter participation rates immensely and make it easy and more cheap for cities to set up libraries as polling places. People could even get electronic and printed verification of their votes.

Alex Altman is on the wrong side of this story.

Thanks for your comment. Could you point me to sources that support your claims?

No it hasn’t. Read grape’s link. As one security expert put it: if it really could be done securely, then why does Microsoft have to release a patch every month?
.
And even if it could be done securely, your #1 problem as any programmer of any skill could tell you, is going to be obscene amounts of incompetence. As grape’s link notes: these guys didn’t even change the password from the default. They left the entire registry of voter records as a file on the hard drive. The designed the voting form so that the most common behaviors for editing a PDF (using a plug-in) WOULD FAIL TO REGISTER YOUR VOTE. And as a programmer currently maintaining a program that is restricted to one operating system and 3 web browsers, it’s a pain in the a** trying to make sure it’s compatible with the majority of behaviors.
.
There are entire websites dedicated to discussions about these sorts of stupidities and there is not nearly enough effort invested into determining whether the systems they use are actually safe and secure. And unlike my company where we can get away with using security by obscurity because of the unlikely scenario someone will care about our data, voting machines have to be iron clad because China, Russia and Iran who have some of the biggest hacker teams out there (to the point that China has actively probed American military servers) and would have plenty of reason to want to screw with American elections.
.
There are entire websites dedicated to this sort of stupidity, and you’d be astonished at the number of stories that end up there from fortune 500 companies and government agencies. At one point, one of these admins successfully got a hold of not just the entire sex offender registry list for one state *without breaking a single law*, but he actually got access to every single individual person who had been incarcerated within that state for the last 20 years! I’m a Software Engineer, and I’m telling you it can’t be done safely and securely and I can assure you that until they put a system up for a year long trial to see if people can hack it, I will not believe them that it’s safe.

Hey Alex, thanks for asking.

Start here: http://www.forbes.com/2000/01/10/feat.html

The Democratic party in Arizona used Internet voting for their primary election in 2000. That was a long time ago! I think the people behind that effort would have a lot to say about what the possibilities are ten years later.

Frankly, I think it’s utterly absurd that in 2010 I have to go stand on line at a polling place to use a piece of outdated technology just to cast a vote. if I can file my taxes from my living room, or pay my bills from my living room, I can vote from my living room.

I can only surmise that certain people wouldn’t like the increased voter turn out that would result.

I look forward to the day when you can vote from your I Phone.

You’d have voter participation rates in the 90% range since, already, basically, everybody between the ages of 18 and 55 is very comfortable online and the 65 plus group always had very, very high participation rates.

Obviously there is the issue of hacking and computers are not my field of expertise. Maybe that time will be 2012 or maybe not until 2024 (by which time the 55 year olds now will be 69 year olds – not leaving anybody out).

Again, as noted in grape’s article: the major difference between taxes and banking as opposed to voting is the inability to audit the history. Because it is a secret ballot, the method of checking your vote would simply be held only in the response message to your submission of the vote. If I were to build it and my concern was secret ballot, I’d take your vote, take who you voted for, increase the tally for that individual, mark your record as having voted and tell you “thank you for voting”. If, at some point after that, someone comes in and starts altering those totals, I can’t do a recount. The count is the count but that count has been altered and there’s no way to verify. And guess what, if you got me past all their security (which in this case was an unaltered password), I could do that change blind. If you want to do a disassociated listing of individual ballots, (therefore keeping a list of individual votes unrelated to any individual ballots), it would be a trivial task to create a script to run through them all and change them.
.
The more obscure the election, the more you can feel you’re unlikely to get hacked. An uncontested Democratic Primary race? You may be fine. A Presidental Election? China would be stupid to not try.

I quote an Arizona official in my story. They are still using a form of this. (Ballot uploads.) They are trying to be accommodating, but it’s still not safe. According to every computer scientists, cryptographers and election-transparency advocates I spoke with, online security is extremely porous and will be for the foreseeable future. That may be “utterly absurd,” but it’s the case. Nobody wants military and overseas folks to be disenfranchised–96% identified it as a problem in one poll, which is why Congress passed the MOVE Act. Incidentally, Internet voting is more expensive, not less. States pay a lot of money for private vendors to set up these systems. Online voting is big business.

@forgottenlord: the primary in Arizona was a first step taken 10 years ago. Had there been more attention paid to this, more small steps taken, more tests and more resources, all of this would have been solved by now.

Forget about the security issues and start with the goal. Is Internt voting desirable or not? If yes, and I think it is, then everything you’re bringing up is solvable.

If it’s not desirable, then why not? I’m sure there are people who would not like to see it, but I’m not sure their motives are pure.

I do not see it as safe. I am not sure that we need people to vote who are too lazy to go a couple of blocks to do so. There are some exceptions for sure but……………

They’ve poured in MILLIONS into computerized voting booths over the last 10 years, and a skilled hacker can still get the voters playing pacman instead of voting without being detected by anyone not named the voter – imagine what he could do if he didn’t want the voter to find out?
.
Security is a GIGANTIC field of Computer Science. The NSA has one of the biggest security fields in the world. The NSA and the US Military continue to pour money into security every year trying to find a way to secure themselves from online attacks. Companies ranging from Google to Microsoft to Apple to McAfee to Universities across the globe invest insane amounts of time in finding ways to make things secure online. So I guess my question is this: if these companies and organizations who have insanely important vested interests in making things as secure as possible for their customers/stakeholders/etc can’t figure out how to make their fields secure from hacking, do you honestly believe that voting booths are safe?
.
And here’s the kicker, the vast majority of security experts would agree that the vast majority of online banking sites would not be considered “secure” but rather create a field of false security. The recommended security for a bank is to require the user to have both a piece of information (a password) and a device to validate your identity. What would that device be? A USB key most likely. Have you ever gotten a USB key for your online banking? Didn’t think so. However, you’re probably fine. The most obscure thing about you is what is your bank card number – why would anyone want to figure that out? Now, if you’re a multi-million dollar corporation, they might have something to worry about, but then, transferring millions of dollars probably can’t be done online.
.
But that’s generally ok. Why? Because at the end of the day, if someone hacks the bank and steals your money, you’ll find out, tell the bank, they’ll send out a report to investigate the IP of the person who made the transaction, refund your money, and the idiot goes to jail for robbing the bank. That’s easy and the risk isn’t significant enough compared to the loss of the customer base for not having online banking. If someone hacks your voting records, you will NEVER know and the consequence could be an elected official who not only doesn’t represent the interests of the voters but might even represent the interests of the hacker who got him elected.

I suggest there’s something more to this, Alex. Not everybody wants the higher turnout that would result from a remote voting system.

Seriously, disprove the argument rather than accusing people of alternative interests. When the vast majority of an entire field of study that has studied a field, and have an authoritative knowledge of the issue say the same thing, they probably aren’t all saying it because they want lower turnouts

@forgotten: Obviously, I can’t “disprove the argument” on technical grounds except to say that anything short of surpassing the speed of light is a technical problem that can be surmounted. It’s about will and priorities.

You could also give me a zillion reasons why airplanes shouldn’t be able to fly and I really wouldn’t be able to refute them from the standpoint of an engineer because I lack the skills to build an airplane. And yet they fly, don’t they?

Airplanes fly because the air is forced to take a longer path around the top of the wing than the bottom of the wing and since the pressure of air in a location is approximately the same, you have the same quantity of air above and below the wing and since the air is spread over a wider distance on top, the pressure is lower on the top which makes the air naturally want to go up trying to drag the wing between them with it creating lift. Add speed into the calculation and you get enough lift to life a plane up. That is by far an incomplete picture as one physicist pointed out to me last month that this doesn’t explain how a plane can fly upside down though he did say there was an answer and I was too lazy to read it. So, yeah, you can find a lot of information online.
.
But back to security: the problem with security, the problem that has always existed with security but has never existed with things as simple as flight: with flight, we are fighting against the limitations of the physical world. If we can figure out how to overcome them, than we advance. In security, we are fighting against the limitations of the individual which is boundless. Worse, no matter how many security experts you employ, there are ALWAYS more hackers with more brains coming up with more creative ideas outside of your tent than there are inside the tent.
.
Security is an industry that makes BILLIONS of dollars a year and the vast, vast, vast majority of that money is put back into developing security. There are thousands, probably hundreds of thousands of people who spend their free time hacking things for the explicit purpose of finding the security holes before the destructive hackers do – and they have a shockingly good success rate. An obscene number of man hours goes into security technology annually. We haven’t found an answer yet, and I can assure you that it is not because we don’t want to find an answer.
.
Though it may be fair to argue that we’ve given up believing the holy grail is out there. I honestly believe that we will break the speed of light – absolutely shatter it – before online voting ever becomes safe.

Actually, I’ve got a better argument: to quote you: “The technology to do this safely and securely has been around for awhile.”
.
I’m not saying we stop investing in this field and stop trying to figure out whether it’s achievable. Believe me, I’d love to be able to vote without leaving my computer. However, I’m telling you and experts in the field are saying this isn’t achievable after they proved that when they hacked an existing system in 36 hours or got voting booths running pacman a few years back. Do you honestly believe you understand this field enough to maintain the position that we can do this today and that proves Alex Altman is on the wrong side of this issue?
.
Shouldn’t the burden of proof rest on these machines being able to survive a rigorous security test whereby they are open and inviting hacking attempts for an extended period of time similar to the one the machine for the Washington municipal elections failed to survive? When they do that, then we can start discussing making them widespread. But if they can’t survive that sort of treatment, perhaps they aren’t ready yet.

To me, American democracy is based upon people nobody else in the world would let rule a government – commoners, or people lacking noble ancestry.
.
For me, a worker at Walmart, so long as they are not watching Fox for their “news” (say right wing indoctrination) – taking two minutes of their lunch break to vote using their web enabled cell phone (not yet cheap enough for Walmart workers, but, not too long from now it will be) would add more to American democracy than another bus load of wealthy or upper middle class elderly women who are disproportionately represented.
.
Many of the non-voters are more liberal on economic issues than those who do vote, as far as I can tell.

@fl: Do our current voting machines even meet the security requirements you describe? And, yeah… if Amazon can keep access to billions of dollars in credit securely, and if the government has the processing power to mine the data in every email, internet post and cell phone in the country… we can do this.

Vote by mail has been enormously successful and free of fraud, expand that method nationwide.
After having my bank account hacked electronically, I would never vote over the internet.

I had a relative who had her identity stolen when she lived in San Francisco.
.
She and her landlord had the same mailbox. Unlike apartment mailboxes, there was no lock on it. Somebody got hold of their bank statements and/or other things and stole both of their identities.
.
It may be that fraud through voting by mail – absentee balloting (I did that in college when registered to my hometown) – has never happened or never happened on any visible scale, but, that does not mean that it can not or will not happen.
.
Until millions of dollars are spent on training hackers to test the system in every possible way, though, for now voting by mail is far, far more secure.
.
I just look forward to a time when voting is so easy that everybody does it.

Are you trying to tell me that Walmart workers are too lazy to go to the polls or, are not voting ?
.
Commoners?
.
From what I can tell people who don’t vote, just don’t vote. They come in all sizes.

The existing systems are not secure and there have been several well documented instances where these voting machines have been compromised WHILE IN USE ranging from simple things like vote totals being cleared after a power failure (meaning everyone who voted prior to the power failure all had their votes lost) to the pacman incident I’ve been referring to. And those are the incidents where it got detected – as I said in the pacman incident, they actually bypassed every single method of detection and only got detected because they intentionally made themselves detected by putting Pacman up.
.
As for data mining, while it is far from an easy or perfect problem (case and point: Obama has had two separate incidents where he’s chewed out his intel team for not correlating the data), it is an insanely simple problem compared to security. Data mining evolves to solve problems faster and for more diverse pieces of information. Security is a constantly evolving problem where your solution today will be the victim of the virus of tomorrow – it took less than 24 hours for Sony’s (insanely illegal may that company rot in the deepest fiery pits of hell along with everyone within the company that remotely thought it was a legitimate idea) rootkit to be used as an entry vector for viruses to take over millions of people’s machines. And if your solution isn’t good enough, how long will it take to fix it? How long will it take to detect it? And if there is a problem, what is your recovery plan? That’s how Amazon can get credit online – there’s a recovery plan in place.
.
And unlike data mining, it doesn’t matter how much processing power you use, it won’t change the degree of security. Nearly every single one of the most secure systems in the world could run the security on the machine you’re using right now. That’s not how they are kept secure. The most secure systems don’t spend nearly as much time trying to prevent you from getting in but providing a reasonably difficult challenge that if you get in, you’ve broken enough laws that they can send the FBI to figure out where you are, followed by a firewall block preventing you from getting in. In other words, they monitor the system actively. This is an incredibly expensive proposition – you need many security experts and you need them all to have the skills to prevent the intrusion and stop it. And you’d probably have a hard time signing them to that short of a contract. Plus, you’d almost certainly want it run at a centralized federal office because if you don’t, you’re then relying on every single election office figuring out their own security and trust me when I tell you that the vast majority of them will fail miserably (not to mention the obscene costs of doing it that way) which will almost certainly get you into a nice federalism vs states’ rights fight if not a few other serious problems. Plus, if you’re late in detecting it, you still don’t have a way to ensure data integrity. Nearly every system uses nightly backups to do data integrity but the vast majority of your votes will be in a single day and if you have a problem before the end of that day, you have no way to protect the data…or really deal with the disenfranchised voter who voted that day. Worse, the sheer volume of votes would make it significantly harder to detect attempted intrusions (though not outside the realm of reasonably difficult).
.
So no, these are completely separate problems.

apr,

I have voted by mail for years. It’s very convenient, as I can gather up all my voter guides, etc.and mark my ballot at my leisure.

As for electronic voting, California reviewed and tested all the types of various machines that had been installed in local precincts, plus others submitted by vendors for certification. Not one system could be certified as secure. Problems included: poor usability for voters; system crashes so no votes could be cast; no way for voters to review their selections before pressing the “accept” button; poor network security; above-mentioned default passwords not changed; holey network security; unsecured USB ports that could be used by anybody to download data or upload worms; no way to do recounts of “actual” votes via password check or time stamp, etc.; no way to tell if vote totals had been changed by third parties at machine or network level.

The result: No electronic vote systems were certified or permitted to be used in the next election, so all precincts had to use paper-based ballots, either punch-type or fill-in blanks.

It was expensive, but necessary to ensure confidence in the election results.

herby002: I live in California and love voting by mail. I get my voter brochures about a week before the ballot. This gives me time to read about candidates and initiatives (Califonia you know) and do some research. When I vote, I feel I have done my work.
I have family in Oregon and Washington. Oregon is statewide vote by mail and most of Eastern Washington is vote by mail because it is rural. My family likes the convenience.
I understand that actually going to the polls instills a sense of community. I lived in a small town in Washington and for several years was a poll worker. It was a very communal activity. However, I think voting by mail is more secure now than electronic voting at the polling place.

I have already voted and mailed in my ballot. However, I will confess to one bad result of voting in a primary early. In the last Presidential primary, I voted early and voted for John Edwards. Oh, my! Did I feel duped. What a wasted vote. In the future, my primary vote will be delayed until time for potential catastrophes has passed.

“Are you trying to tell me that Walmart workers are too lazy to go to the polls or, are not voting ?”
.
With Walmart and two other jobs and a couple of kids, the last thing I would call a Walmart worker is lazy.
.
Try too exhausted and cynical to get into the car to drive to the polls.
.
The working poor are the least likely to vote.
.
Upper middle class and well off retirees have time to vote and to catch the early bird special.

Think about the two choices as the working poor see it as (since I had been one in the recent past):
.
One party pretends that they will help you out, but, in the end takes too many corporate donations to follow through and the other party doesn’t even both pretending to help out the working poor.
.
So, as a general rule, most of the working poor don’t see anything worth putting any effort into.

speaking of online security, these days it’s no longer safe to send anything online. I use a saas company to send secure PDFand word files to my partners, I think that voting is serious matter and that the government should use a more secure service…

This article is shamefully one-sided. It makes no effort to explain how this hack could have happened, or where the responsibility lies. Nor does it mention that West Virginia is having terrific success with its Internet voting system. For a far more informative and balanced analysis see my essay, Does the DC Fiasco Damn Internet Voting? http://tinyurl.com/DCin2010
William J. Kelleher, Ph.D.

Another antidote to Time’s goofiness is my article:
Scary Stories Fail to Stop Internet Voting
at http://ssrn.com/author=1053589
William J. Kelleher, Ph.D.