The District of Columbia created an electronic system to make it easier for overseas and military voters to cast ballots over the Internet. I want to point out that this is not some complicated electronic voting system; it is very simple:
The voter goes to a website and downloads a PDF file of the ballot. They can do one of two things: print out the ballot, mark it by hand, and send it back by regular mail, OR mark the PDF file directly and then send it back electronically. The only part that needs to be secure is the part where they transfer their ballot file back to the server. Transferring files securely is something that is done all the time, so this should be easy, right?
So confident were the DC officials that their system was secure that they decided to have a test period and invite people to try to hack into it. That was their big mistake.
An assistant professor at the University of Michigan, along with a couple of grad students, decided to take the challenge. The result? In less than 36 hours, they broke into the system, replaced all the ballots, and installed a “back door” that would allow them to see and modify any ballots cast on the system. And for fun, they installed an Easter egg that played the University of Michigan fight song after the voter submitted their ballot.
Now here’s the ironic part. Despite the fact that the hackers were not trying to hide their attack, and that the DC system administrators had systems in place to detect any attack, the successful takeover of the voting system was not detected. In fact, they only found out about it (after two days) because test voters reported hearing the UM fight song.
In other words, it was trivial to take over this supposedly secure voting system and — without detection — change enough votes to change the results of an election. Just imagine what an organization who actually wanted to throw an election could do.
As a result, the DC Board of Elections and Ethics has announced that they will not proceed with a live deployment of their system in a real election. Whew, I guess we dodged that bullet, right?
Well, not quite. That was just DC. According to the NY Times, 33 states will allow overseas and military voters to cast ballots over the internet in the upcoming November election. A real election. With no test period. That’s millions of votes that can easily be hacked. D’oh!
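Even the “easy” step, receiving the marked ballot file, needs more than a plain file copy. The sketch below is an added illustration written for this post, not code from the DC system or the Michigan team, showing the minimum a server should do with an uploaded ballot: check that the bytes really are a PDF and within a size cap, ignore the client-supplied filename entirely and mint an unpredictable server-side name, and hand back a SHA-256 receipt the voter can later check. The function names, the size limit and the in-memory `store` are assumptions made for the example.

```python
import hashlib
import secrets

# Constructed example of defensive ballot-upload handling. All names below
# (MAX_BALLOT_BYTES, ballot_problems, store_ballot, verify_receipt) are
# assumptions for this illustration, not the DC system's own API.

MAX_BALLOT_BYTES = 5 * 1024 * 1024   # assumed cap; ballots are small
PDF_MAGIC = b"%PDF-"                  # every PDF starts with this header


class BallotRejected(ValueError):
    """Raised when an upload fails validation."""


def ballot_problems(data: bytes) -> list:
    """Return a list of reasons the upload is unacceptable (empty list = OK)."""
    problems = []
    if not data:
        problems.append("empty upload")
        return problems
    if len(data) > MAX_BALLOT_BYTES:
        problems.append("ballot exceeds size limit")
    if not data.startswith(PDF_MAGIC):
        problems.append("upload is not a PDF")
    return problems


def server_side_name() -> str:
    """Mint a random filename; the client's own filename is never used
    in a path, a log line or a command."""
    return secrets.token_hex(16) + ".pdf"


def store_ballot(data: bytes, client_filename: str, store: dict) -> dict:
    """Validate, store under a server-chosen name, and return a receipt.

    The receipt carries a SHA-256 of exactly the bytes that were stored,
    so the voter (or an auditor) can confirm what the server received.
    """
    problems = ballot_problems(data)
    if problems:
        raise BallotRejected("; ".join(problems))
    name = server_side_name()
    store[name] = data
    return {
        "stored_as": name,
        "sha256": hashlib.sha256(data).hexdigest(),
        # Recorded only as metadata; it influences nothing else.
        "client_filename": client_filename,
    }


def verify_receipt(data: bytes, receipt: dict) -> bool:
    """True if the receipt's hash matches these ballot bytes."""
    return hashlib.sha256(data).hexdigest() == receipt["sha256"]


if __name__ == "__main__":
    # Constructed sample: a minimal PDF-looking byte string, not a real ballot.
    sample = b"%PDF-1.4\n% constructed sample ballot\n%%EOF\n"
    ballots = {}
    receipt = store_ballot(sample, "my ballot.pdf", ballots)
    print("stored as", receipt["stored_as"], "sha256", receipt["sha256"])
    print("receipt verifies:", verify_receipt(sample, receipt))
    print("problems with junk upload:", ballot_problems(b"hello"))
```

The receipt answers the “no acknowledgement that any ballot was received” complaint in the comments below only partially: it proves what bytes arrived, not who sent them or that the PDF was not altered by malware before upload, which is why the commenters’ authentication and integrity objections still stand.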
11 Comments
I’m sorry, but the entire design (ignoring the actual implementation mistakes) of this system is astoundingly stupid. (Personal qualifications: I’m a Ph.D. candidate in computer science, specializing in the design of secure systems. No, e-voting is not my primary focus, but I’ve read extensively on the issues, and some of the problems overlap with my own research.)
First, the system does not appear to have any authentication. You go to the web site and download the PDF. How do they ensure that you’re a registered voter? That is, you could very easily be a foreign national, just entering voter ID information for a registered voter. So the system does not seem to adequately ensure that the person casting the ballot is actually the person whose name appears on the form.
Similarly, how do you know that the information on the received ballot was what the voter entered? Have these designers never heard of malware? What mechanisms do they have in place that prevent the file from being tampered with after the user saves the document, but before it’s actually submitted? A rogue program could corrupt the file during that time.
This system also blatantly ignores one of the major problems of voting: preventing vote purchases. One of the reasons for having monitors at polling sites is to observe the voting process. It prevents someone from standing outside offering $100 to vote for candidate X. This defense works because there is no way for the voter to prove to the vote buyer that they voted correctly. They could lie just to get the $100. (Extortion and intimidation work the same way, except the malicious actor threatens the voter if they don’t vote correctly.)
This system doesn’t address any of these concerns (and that’s just the beginning)! While you can argue that any overseas voting would have the same problems, it’s not true. With traditional paper ballots, the person has to sign the form. This signature can be compared with the voter registration. That is, the signature authenticates the person. In e-voting, the system authenticates the computer, but not necessarily the person. This is a fundamental challenge.
E-voting is insanely difficult to get right. I have yet to see a truly secure e-voting technique that stands up to peer review and addresses all of these concerns. Anyone who tells you otherwise probably works for Diebold.
Michael, I totally agree, but I think the reason they are pushing electronic voting of some kind for overseas and military is that voting from overseas is already insecure (at best). Foreign governments do open mail sent from overseas, and a significant portion of the ballots get lost. Or they get delayed and received too late to count in the election. I read that something like a quarter of all ballots sent in from overseas are lost or delayed so they don’t count.
In theory at least it should be possible to build an electronic system that is more secure than sending in ballots by mail. But this sure isn’t it. It is going to take a lot of work and a lot of public testing (like what DC did). I just hope that the “lesson learned” from this public trial isn’t that there shouldn’t be any more public trials — just put the systems in place during real elections no matter how bad they are. Then we would have no reason to trust our elections.
Oh, and when you go to the site, you do have to enter a personalized code. So the system does have some authentication.
I haven’t really trusted the voting system for quite a few years anyway.
OK, well, at least they have some sort of authentication. Better than nothing, I guess.
It’s not as if they don’t just pick the winners by spinning a bottle anyway.
I think DC needs a giant round of applause for 1. opening themselves up to criticism through a public testing. 2. accepting that their system was crap and deciding not to use it.
If only all voting systems could be open to this sort of criticism…
I totally disagree that daring people to hack “was their big mistake.” It is so new that one needs to give some indication that it is a secure and valid way to vote (there is still a lot of push back, and rightly so, on the electronic voting machines that many do not feel were adequately tested or proven safe). And, more importantly, it did find that it wasn’t. As you point out, other states are doing it without the testing. I would much rather have it scrapped because some Michigan students performed a public service than have some contested election where we find out that thousands of votes are in question because (maybe) there was a hacker.
When I said that “was their big mistake” I was being sarcastic. Sorry if that wasn’t obvious.
Let me be clear. DC did the right thing in many ways. The software was open source, so it could be examined for errors, and they had a public trial, instead of testing it during a real election. Too many electronic voting machines have been used in real elections with absolutely no large scale user trials, and software that is of completely unknown quality.
The inventors of UNIX did it right so many years ago. When they created the security system for user accounts, they published the source for it and dared people to crack it. Lots of people tried, and some of them succeeded. After several rounds of improvements, they ended up with a fairly secure system (for that time). This is the BEST way to do it.
It is unclear whether any other groups took the challenge on the DC ballot system. As far as we know only one group tried to hack it, and they succeeded almost instantly. I can only imagine how insecure all those electronic voting machines out there really are, and how easily votes are stolen.
Thank you for posting this. I will be discussing voting issues this week in my current issues course.
I sincerely hope that something is done to support the ability of overseas military personnel to vote. My nephew was stationed in Afghanistan during the 2008 election. Despite much effort on the part of many soldiers and their superior officers to ensure that they had access to the vote, there were lots of problems that effectively disenfranchised our military personnel. It affects the enlisted to a greater extent than the officers. I read a recent study that found that the level of disenfranchisement of soldiers is not much different than what African Americans experienced in the early 20th century in the Jim Crow South.
To Starluna – You are very close to correct on the military voting issue. I was in Iraq during the 2008 election year and I’ll give some insight into how our absentee ballots were handled.
The military is very active in preparing Soldiers for upcoming elections. They began talking about procedures with leadership 6 months prior. The timelines and deadlines were made very clear and all in leadership were made aware that it was expected that all Soldiers be given the opportunity to 1. register (if not) and 2. cast an absentee ballot.
At unit levels, an advocate for voting who had received training was created and available to answer Soldiers’ questions and assist them as necessary. I personally helped a few Soldiers in downloading ballots and ensuring they had what they needed.
The problem comes when the ballots are mailed back stateside. There is no accounting or “receipt acknowledgement” that any ballot was received and/or counted. Who knows after it enters the black hole of the state’s election system. That is where the problem is, I believe. 50 states, 50 different ways to run elections, and no effective oversight.
That can also cause problems with absentee voting, when states have very restrictive rules or timelines that create insurmountable roadblocks for Soldiers fighting a war. There should be 1 method and timeline for absentee voting of deployed Soldiers that is uniform and all states must accept it. Non Soldier absentee ballots can be done however each state determines.
PattriotSGT – I do think that the different rules in every state for absentee ballots are really the core of the problem. I would argue that there should be a single standard and process for all absentee voters. I had a student tell me that his home state required that he fill out the form requesting an absentee ballot at his local registry in person. He was telling me this to explain why he missed one of my classes. But it made me wonder about all of the disabled and elderly, especially those who live in rural areas (this kid came from one of those predominantly rural midwestern states), who have a really difficult time physically getting to a poll. Any disenfranchisement should be viewed as undemocratic, in my view.
This same student later told me that for one of his assignments in another class, he decided to look into the entire voting system for his state and found that they used one of Diebold’s systems that does not provide a paper copy of votes for those who vote at the poll. So, absentee voters were forced to show up to request an absentee ballot, but there is no paper trail at the polls. Absolutely mind-blowing.