Freeman Spogli Institute for International Studies Stanford University


December 7, 2010 - CDDRL, Program on Liberation Technology In the News

Barbara Simons on internet voting

Barbara Simons - a computer science theorist with a long history of involvement in policy relating to voting technologies - emphasized the immense limitations that characterize Internet voting technologies and that have compromised online elections to date.

In the area of voting technologies, Simons noted, there is a set of assumptions relating to the degree of safety of different Internet-related voting technologies. The so-called "safe" version of Internet voting entails posting a standard blank ballot on a website, enabling it to be downloaded, printed and mailed in by absentee voters. Unsafe technologies include sending blank ballots over the Internet, voting on a website, sending a ballot as an email attachment, phone voting that uses the Internet, or fax voting. These technologies are much less safe because it is possible for persons seeking to interfere to make changes in the results on a much larger scale than is possible with paper ballots (where changes can only be made at the local or "retail" scale).

Simons described a recent event, dubbed the "DC Hack," that illustrates some of the many weaknesses of current Internet voting technologies. As part of the big push to allow Internet voting for military and civilians abroad, the DC Board of Elections and Ethics began a test of its system on September 28th, 2010, two weeks before the midterm election. The first problem to emerge was the realization that Mac users with Safari unknowingly cast blank votes due to a PDF bug. The second was that the Michigan fight song began to play once voters participating in the trial submitted their ballots, indicating that the site had been attacked. The test was suspended, and the "digital vote by mail" was cancelled. On October 5th, Professor Alex Halderman of the University of Michigan announced that his team had penetrated the system, and could have changed any or all of the ballots. On October 8th, at a hearing in DC, it was announced that attackers also had control of the entire network, since the default master password had been left unchanged; attempts to break in were also identified from China and Iran. As a result of this experience, DC will not be using a web-based system for return of completed ballots. However, other states are not learning from the hack and continue to explore internet-based voting systems based on the belief that they can resist attacks better. 

There are a plethora of powerful technologies that make Internet voting inherently unsafe.

  • For example, malware (including viruses, worms, and other programs) can be used to rig an election by mimicking legitimate sites and collecting information from voters using bogus forms. Malware called Zeus, which has successfully siphoned money from thousands of online bank accounts in Great Britain, provides an example of the potential of these tools for attackers.
  • Attacks on the server or computer managing an election could also derail an Internet election. Attacks on servers can appear to be from trusted sources, leading victims to be tricked into clicking on a link or file. An attacker can gain complete control over a system compromised in this manner. The recent attack on Google is one example, but government sites are also vulnerable to this kind of attack.
  • Distributed denial of service (DDoS) attacks, which prevent people from accessing a website by overwhelming the website with requests, represent yet another threat. This type of attack is typically done with "botnets," which are large numbers of infected computers called zombies. The FBI estimates that one botnet (the Mariposa Botnet) may have infected 8-12 million computers internationally. This type of tool could easily be employed to disenfranchise voters during the election, especially those who try to vote on the last day.
  • Insider threats, the creation of fake websites (a tactic called "spoofing" or "phishing"), or "false flag" attacks (in which attackers make it appear that an attack came from another country) each could have similarly drastic effects on an Internet election.

In a world where technology and attackers' tools are constantly changing, it is very difficult to guard against the many types of possible attacks detailed above. For example, it can be very difficult to find cleverly concealed malware; if finding all bugs (or risks) were easy, major software vendors wouldn't need constant updates. Computer voting software can also be "buggy" or might contain malicious code, and even open source is not an adequate defense against this possibility. Additionally, Internet voting makes it impossible to conduct a true audit or recount if voting is to remain secret, since ballots sent over the Internet are unreliable. Making ballots more secure through the introduction of more complex technologies often introduces usability issues or makes it more difficult to count votes. Given the variety of very real threats to Internet elections, Simons concluded her talk with a strong recommendation that the United States not implement Internet voting at any time in the near future.
