Don't Stop the Handcount - A Few Problems with Internet Voting. Ben Rothke looks at the security issues about Internet voting. From the CSI Journal

1. I N F O R M A T I O N W A R F A R E
Don’t Stop the Handcount:
A Few Problems with Internet Voting
by Ben Rothke, CISSP ternet-based election require are impossible to attain
Every day, millions of people use the Internet to ac- with our current infrastructure. This article will focus
cess their bank accounts pay income tax, order books on those problems.
and send e-mail. Internet kiosks are appearing in
stores, airplanes, hospitals and subway stations. Given
the ubiquitous nature of the Internet, why can’t we
use it to vote for our elected officials? Internet voting—Solution or snake oil?
To those detached from the realms of election law, Out of the ashes of the Florida voting debacle came
computer security and personal privacy, the act of or- the battle cry of “Let’s use the Internet to run future
dering a book from Amazon and placing a vote election and make them efficient”. This reckless reac-
would seem to be related. In reality, the two acts are tion to use the Internet for national elections is my-
radically different. The demands that a national In- opic, in that it focuses solely on the tabulation issues,
Benefits
To be sure, there would be some benefits to Internet-based elections:
Convenience which Convenience is one of the most compelling arguments in favor of Internet voting. USA Today technol-
leads to an increased ogy columnist Kevin Maney equated traveling to a voting booth in order to participate in an election to
voter turnout being forced to go to the Post Office in order to send e-mail.
Over 100 million people who were eligible to vote did not do so during Election 2000. In 1998 the
turnout rate for the general election in the United States was only 44.9 percent, ranking 138th in a list of
170 Democratic nations.
Knowledge Voters often have little or no significant information available to them about the candidates or issues that
are on the ballot.
Internet voting would allow officially approved information on each candidate to be readily available
to the voter.
Efficiency Internet voting is arguably the quickest and most efficient way to administer elections and count votes.
Access Being able to vote from your home, office or gym, voters will no longer have to worry about leaving
work early, getting caught in traffic jams, etc. Ease of access will also directly contribute to an in-
creased voter turnout.
Regional voting A voter could utilize any polling site within their immediate geographic area because all ballots would
centers be available at any site via the Internet. Currently, a voter’s ballot can only be found at the poll site in
their locale. This would eliminate any problems with the so-called digital divide.
Computer Security Journal • Volume XVII, Number 2, 2001 13

2. I N F O R M A T I O N W A R F A R E
while ignoring other difficulties that Internet-based substandard are:
elections simply can’t ameliorate. ❏ Infrastructure
There are serious problems with the current voting ❏ Authentication
infrastructure. Inefficiency, inaccuracy, antiquated vot- ❏ Voting software
ing machines and fraud are but a few of the acute Let’s examine each one.
problems. Those that feel a national Internet-based
election is feasible are either in denial about Internet Infrastructure
and security realities or have some financial incentive Internet voting requires an infrastructure where 200
in an Internet voting scheme. million people could vote on a single day. Never in the
The excitement of the idea of voting from the com- history of information systems has such a large-scale
fort of our home should not blind us to the reality project been undertaken. This national voting system
that the Internet is hardly a secure environment. Just would have to incorporate the registering of voters,
as physical voting systems are vulnerable to attacks, so ballot preparation, election processing, tabulation and
too are Internet systems vulnera- more. The sheer size of this pro-
ble to viruses, denial of service On Election night 2000, ject requires a colossal amount
and many other types of attacks. news sites such as cnn.com of design, testing, money, man-
The quandary with Internet- were flooded by users. The power and time.
based voting as opposed to tradi- sites were unable to support Just because we have this
tional voting is that the Internet the amount of users re- thing called “the Internet” in no
attacks are much easier to per- questing information. way means that it can support
form, more detrimental in their Rolling-out a national voting the load of a national election.
outcome, and much harder to network is the technological On Election night 2000, news
detect. equivalent of build- ing the sites such as cnn.com were
Bruce Schneier writes in Ap- New York World Trade Cen- flooded by users. The sites were
plied Cryptography (John Wiley ter, yet all of the Internet- unable to support the amount
& Sons ISBN: 0471117099) voting evangelists are only of users requesting information.
that computerized voting proto- building backyard shacks. Rolling-out a national voting
cols must maintain an individu- network is the technological
als privacy and prevent cheating. The ideal protocol equivalent of building the New York World Trade
has, at the very least the following six requirements: Center, yet all of the Internet-voting evangelists are
❏ Only authorized voters can vote only building backyard shacks.
❏ No one can vote more than once Let’s go to the numbers—103,814,206 votes were
❏ No one can determine for whom anyone else cast in Election 20001. Nationally, the polls were open
voted for roughly a combined total of roughly 18 hours.
❏ No one can duplicate anyone else’s vote Using these numbers2, the voting system would have
(This turns out to be the hardest requirement) to process on average of 5.75 million votes per hour,
❏ No one can change anyone else’s vote with or close to 100,000 votes per minute3. While 100,000
out being discovered. votes per minutes is an average, there will be peak peri-
❏ Every voter can make sure that their vote has ods where many more votes would have to be
been taken into account in the final tabulation processed. By comparison, the STAR electronic funds
As we will see, no current Internet-based voting transfer network makes roughly 2.4 billion ATM/POS
scheme is able to provide all six criteria. transactions per year4. This is approximately
6,575,000 transactions per day.
A Help Desk will also have to be deployed. If 5% (a
conservative number) of the voters would have prob-
The Reality About Internet Elections lems on election day, over 5 million help desk calls
While there are benefits to Internet voting, the security would have to be handled. That translates into
risks offset any benefit. Three areas that currently are roughly 275,000 calls per hour or 4,629 calls per
14 Computer Security Journal • Volume XVII, Number 2, 2001

3. I N F O R M A T I O N W A R F A R E
minute. That would require an enormous help desk on a host in a few minutes, and all of them given
staff, in addition to a huge PBX to support the load. enough time.
Can such an infrastructure be built? Perhaps—but is If corporate America can’t effectively authenticate
the government willing to spend the money necessary their users, how can an Internet election expect to se-
to develop it? According to Doug Lewis, executive di- curely and effectively authenticate millions of users?
rectors of the Election Center, “the price tag nation- While the current system is ripe for abuse, it is still good
wide could run to about $6.5 billion”. Washington is enough given the difficulty in making illegal votes.
unlikely to come up with those types of funds for an Since there is little (if any) cross-checking between
unproven technology in a time of desired tax cuts. voting precincts, a rogue voter could register in a num-
Some have stated that since the difficulties in design- ber of municipalities and vote numerous times. While
ing a voting infrastructure are so immense, we should plausible, society tolerates it given the facts that: people
just use the ATM network for voting. Regrettably, we are generally honest, we don’t have the resources to fight
can’t just add Internet voting to the ATM networks for it, combined with the difficulty of voting more than
a variety of reasons. The Electronic Funds Transfer Net- once. Even if a person could get to a new polling place
work (EFTN) vendors have invested huge amounts of every 15 minutes, they could cast at most 47 illegal
money in secure data processing votes. Finally, we have to toler-
centers to ensure their cus- If corporate America can’t ate a certain amount of fraud
tomers have fast, reliable, secure effectively authenticate their because there is no alternative.
access to their accounts. users, how can an Internet But when we move the elec-
The EFTN is a closed net- election expect to securely tion from the physical world to
work, as opposed to the public and effectively authenticate the digital world, physical limi-
Internet. Would the various millions of users? While the tations no longer apply. A
EFTN members open their current system is ripe for rogue Internet voter would not
networks a few times a year for abuse, it is still good enough need to race between polling
elections - almost certainly not. given the difficulty in mak- places, he only needs to run his
First, this would require buy-in ing illegal votes. malicious Java applet, and is no
from many EFTN members, longer limited to 47 measly ille-
as not all networks have national coverage. But more gal votes, he can now vote thousands of times. The chal-
importantly, using an ATM for voting may not even lenge here is for the attacker to figure out how many
be feasible as many ATM’s are made solely for money votes are needed to win, and only go over it by a small
transfer and deposits. There is no way that a voting ap- amount in order not to arouse suspicion.
plication could be loaded onto the ATM.
Many of the e-voting vendors have voting applica- Voting Software
tions but how no clue on how they are going to make Assuming the network infrastructure is in place for a
Internet voting work. Perhaps they should learn from national election, software still must be written to en-
those in the construction industry - don’t build until able the voting. Writing software that can be used by
you have a workable design and obtained the neces- over a 100 million users on a single day, in both a
sary permits. scaleable and secure manner is a daunting task. Such a
task has never been attempted, let alone realized.
Authentication One of the problems with the Florida election was
Authentication is a pillar of information security and the notorious butterfly ballot. Many have stated that
the Achilles heel of many networks. Authentication the perplexity of such a confusing ballot would not
on Windows NT/2000, NetWare and Unix is facili- have happened if computerized voting had been im-
tated via the username/password scheme. A reality plemented. Whoever would make such a claim has ev-
check on this scheme can be found by using tools idently not been involved with software applications
such as the L0phtCrack password-auditing tool development.
(www.l0pht.com/l0phtcrack) or Brutus (www.hoo- Designing an application that has a front-end GUI,
bie.net/brutus). They can discover many passwords which is easily usable for a computer novice, is not a
Computer Security Journal • Volume XVII, Number 2, 2001 15

4. I N F O R M A T I O N W A R F A R E
simple endeavor. This is discussed at length in About silient? Attackers do not follow the rules, if there is a
Face: The Essentials of User Interface Design by Alan Maginot Line to be crossed, they will go around it.
Cooper (IDG Books 1995 ISBN 1568843224). Their security details are proprietary, but I don’t
Cooper describes how many software applications are know what the obvious reasons are. Voters have rights
poorly designed. Software designed and written by engi- (both as voters and taxpayers) and an obligation to
neers is often not usable to those without an engineer- know how their vote is being protected. No one ex-
ing background. Cooper shows how applications pects an organization to reveal its trade secrets, but a
developers can build GUIs that (to use Cooper’s words) company providing a public service can’t make their
don’t make the user look stupid. security architecture a secret.
Let’s assume that we have a GUI that is intuitive and If iBallot is concerned that a hacker come into their
easy to use What about its security? Can it be tam- system, read about the system’s security, and then de-
pered with? It is built according to open standards? feat the security, they don’t have a lot of confidence in
Has the application been reviewed by a group of third- their system. An opposite approach is from Argus Sys-
party security experts? tems Group (www.argus-systems.com) to have a con-
As to the security of voting software, it is surprising test6 where testers are invited to penetrate into a system
how many Internet voting companies lack deep knowl- and find weaknesses7.
edge of security. Using iballot.com as an example, the Finally, the fact that encryption and secure server
company calls itself “the world’s premier Internet vot- technology is employed does not necessarily mean that
ing, testing, survey & polling the entire voting process is au-
system”. As to the question of Who is rallying for Internet tomatically fair, accurate and
how secure the iBallot system is, voting? While the vendors not subject to tampering. It
they state5: are behind the concept, who just means that they utilized
iBallot.com uses a number of in the security community encryption and secure server
security and encryption fea- feels Internet voting is feasi- technology.
tures that, when combined, ble? Many other Internet voting
provide a very high level of se- I was unable to find a single companies are equally secretive
curity throughout the entire individual of note who felt it with their security policies,
voting process. The details of and those that do have infor-
this process are proprietary, for obvious reasons. It does mation, often make inaccurate or erroneous claims,
not make a great deal of sense to disclose how the iBal- such as Validity Systems who bases their technology
lot.com security system works only to have a hacker on8 Microsoft NT operating system with built-in In-
come into the system, read about the system’s security, ternet Information Web Server (IIS), the only true
defeat the security and tamper with the voting process. multipurpose server operating system on the market.
For this reason, iBallot.com does not publish its secu- Last time I checked, Solaris and HP/UX were true
rity processes. However, with the foregoing being said, multipurpose server operating systems.
the iBallot.com system does employ encryption and se- Finally, other software issues that must be dealt with are:
cure server technology to ensure that the entire voting Windows and browser bugs and vulnerabilities
process is fair, accurate and not subject to tampering. Back doors, dynamically linked libraries (DLL), ma-
Let’s briefly scrutinize this statement: licious payload (how can the infrastructure stop denial
A secure system is one that can withstand attack when of service attacks, viruses, malicious software, Trojan
its architecture is publicly known. This is true for cryp-
tography, firewall architecture and even physical locks.
The more it is tested by unbiased third parties, the bet- Social Engineering
ter it is. Conversely, a system that relies on security
through obscurity will inevitably fail. DNS attacks (attacks against DNS could be used to di-
iBallot states that when the features are combined a rect a voter to the wrong web server. A user could follow
very high level of security exists. But what about if some the instructions for voting, and yet receive a page that
of the security is bypassed? Will the system still be as re- looked exactly like what it is supposed to look like, but
16 Computer Security Journal • Volume XVII, Number 2, 2001

5. I N F O R M A T I O N W A R F A R E
actually is entirely controlled by the adversary) comes up with a secure Internet-based election system,
In conclusion, there is no infrastructure for Internet it will be the first ever secure large-scale network appli-
voting, no way to securely authenticate millions of cation in the history of mankind.”
voters, nor a mature voting software application. But Dr. Rebecca Mercuri has long been speaking on the
there is hype, excitement and ignorance. subject of electronic vote tabulation and wrote her
Who is for Internet voting in the InfoSec industry? Ph.d thesis on Electronic Vote Tabulation Checks &
Who is rallying for Internet voting? While the ven- Balances. Mercuri is adamantly opposed to the use of
dors are behind the concept, who in the security com- electronic voting systems. She elaborates a few points
munity feels Internet voting is feasible? I was unable to in her opposition9:
find a single individual of note who felt it could be Fully electronic systems do not provide any way
done securely. that the voter can truly verify that the ballot cast cor-
As to dissenting opinions, there are many. At a Birds responds to that being recorded, transmitted or tabu-
of a Feather session on the topic of Internet voting at lated. Any programmer can write code that displays
the December 2000 Computer Security Applications one thing on a screen, records something else, and
Conference (www.acsac.org/2000/glance.html), the prints yet another result. There is no known way to
consensus was that a secure In- ensure that this is not happen-
ternet voting system is many Fully electronic systems do ing inside of a voting system.
years away. not provide any way that the Electronic balloting systems
Dr. Avi Rubin, Principal Re- voter can truly verify that without individual printouts
searcher at AT&T Labs Re- the ballot cast corresponds for examination by the voters
search writes in Security to that being recorded, trans- do not provide an indepen-
Considerations for Remote mitted or tabulated. Any dent audit trail (despite manu-
Electronic Voting over the In- programmer can write code facturer claims to the
ternet that “Given the current that displays one thing on a contrary). As all systems (espe-
state of insecurity of hosts and screen, records something cially electronic) are prone to
the vulnerability of the Inter- else, and prints yet another error, the ability to also per-
net to manipulation and de- result. There is no known form a manual hand-count of
nial of service attacks, there is way to ensure that this is the ballots is essential.
no way that a public election not happening inside of a No electronic voting system is
of any significance involving voting system. certified (even at the lowest
remote electronic voting could level) of the US government or
be carried out securely.” He concludes “One reason international computer security standards, nor has any
that remote electronic voting presents such a security been required to comply with such. Hence, no elec-
challenge is that any successful attack would be very tronic voting system can be called secure (despite manu-
high profile, a factor that motivates much of the facturer claims).
hacking activity to date. Even scarier is that the most There are no required standards for voting displays,
serious attacks would come from someone motivated so computer ballots can be constructed to be as con-
by the ability to change the outcome without anyone fusing (or more) than the butterfly used in Florida,
noticing. The adversaries to an election system are not giving advantage to some candidates over others.
teenagers in garages but foreign governments and Electronic balloting and tabulation makes the tasks
powerful interests at home and abroad. Never before performed by poll workers, challengers, and election
have the stakes been so high.” officials purely procedural, and removes any opportu-
Creating an infrastructure for Internet voting is such nity to perform bipartisan checks. The election process
a Herculean task that Bruce Schneier (President & is entrusted to a small group of individuals who pro-
CTO of Counterpane Internet Security www.counter- gram and construct the machines.
pane.com) states “The feasibility of a national secure Internet voting provides avenues of system attack to
Internet election is as close to never as to make the the entire planet. If the major software manufacturer
question mute.” Schneier notes that “if someone in the USA could not protect their own company
Computer Security Journal • Volume XVII, Number 2, 2001 17

6. I N F O R M A T I O N W A R F A R E
from an Internet attack, one must understand that Bellovin says that “Voting from home or other non-su-
voting systems will be no better (and probably worse) pervised machines is an entirely separate can of worms.
in terms of vulnerability. Given how unreliable Windows is, and given how easy it
Off-site Internet voting creates unresolvable prob- is to write worms, viruses, etc., using such a platform for
lems with authentication, leading to possible loss of voting is a complete non-starter. And that’s on a purely
voter privacy, vote selling, and coercion. These systems technical level; there are other issues about who is actu-
should not be used for any government election. ally voting, coerced or bought votes, etc. Finally, we have
Steve Bellovin of AT&T Labs feels an Internet elec- to realize that we’re not simply talking about reliable soft-
tion could occur, but in no way could it be secure. ware; we’re talking about keeping the entire process reli-
Bellovin notes that “The problem is the correctness and able and honest in the face of well-funded, highly
audibility of the entire system, not just the vote-casting motivated adversaries. We’ll have not just a graveyard
and tabulation. Given how difficult it is to get software vote, we’ll have a phantom PC vote, and there won’t be
correct, why do we think that this code would be cor- any physical ballots or physical signatures as a check.”
rect? And how would we ever audit the vote, after- Dr. Ross Anderson is a Professor at Cambridge Uni-
wards?” As for the access and convenience aspect versity and the author of Security Engineering: A Guide to
Election Companies
Name Web site Slogan
Election.com www.election.com The preeminent Global Election Company. election.com empowers voters
with an easier, more secure electoral process and enables its clients around
the world to be more inclusive, trusted and productive at less cost.
TrueBallot www.trueballot.com TrueBallot designs and runs elections and referenda for organized labor and
associations, both on and off-site, that combine adherence to strict standards
of impartiality, anonymity and confidentiality with proven methods of au-
tomation technology. Our staff of attorneys and computer engineers brings
the benefits.
Votehere.net www.votehere.net VoteHere.net is the leading worldwide supplier of secure Internet voting
solutions.
Validity www.eballot.net Validity Systems is a leading Application Service Provider of technologies that
Systems, Inc. enable organizations to conduct secure, private, and authenticated elections
(formerly Eballot) and research via the Internet. By working with Validity Systems, an organiza-
tion can harness the power of the Internet to collect accurate data that meets
the most stringent security requirements of many industries.
iballot.com www.iballot.com The world’s premier Internet voting, testing, survey & polling system.
SafeVote www.safevote.com Leaders in Internet Voting Technology
Election Systems www.election- Election Systems and Software is the recognized global leader in providing in-
and Software solutions.com novative solutions and services to the elections industry. Internet Dollar Elec-
tion Systems www.internet dollar.com/elections Internet Dollar election
systems can support a wide range of elections.
18 Computer Security Journal • Volume XVII, Number 2, 2001

7. I N F O R M A T I O N W A R F A R E
Articles of Note
Are We Ready for Internet Voting? www.voting-
integrity.org/projects/votingyechnology/internetvoting/iv
p_title.shtml
The Modern Democratic revolution: An Objective Survey of Internet- www.securepoll.com/VotingPaper.htm
Based Elections
Derek Dictson and Dan Ray
Analysis of Internet Voting Proposals www.mcgeorge.edu/cir/analysis_internet_voting.htm
Andre Chernay
Security Considerations for remote Electronic Voting over the Internet http://avirubin.com/e-voting.security.html
Building Dependable Distributed Systems (John Wiley ceipt to the Buchanan campaign and get money for
2001 ISBN: 0471389226). Anderson notes that while having voted for Pat. Then take all the problems we
Internet voting is currently being done for many pur- have in Florida, and add in the reality that there would
poses, he doesn’t think it has a chance to be done se- be no paper ballots to be arguing over. If the code were
curely with current technology. buggy, we’d have no way to count the votes as cast.”
Finally, Adam Shostack Director of Technology at
Zero-Knowledge Systems (www.zeroknowledge.com)
pragmatically states “take all the problems that we
have with e-commerce, and add vote selling. Vote sell-
Conclusions
ing is the problem that if you get a receipt that says The concept of using the Internet as a voting mecha-
“Voted for Pat Buchanan” you can then take that re- nism is complex as it encompasses legal, technical,
Additional Information
US Federal Election Commission www.fec.gov
Internet Voting Technology Alliance www.ivta.org
Voting Integrity Project www.voting-integrity.org
Election Center www.electioncenter. org
National Workshop on Internet Voting www.netvoting.org
Electronic Voting site by Rebecca Mercuri www.notablesoftware.com/evote.html
Lorrie Cranor’s Electronic Voting Hot List www.research. att.com/~lorrie/voting/hotlist.html
International Foundation for Election Systems www.ifes.org
Computer Security Journal • Volume XVII, Number 2, 2001 19

8. I N F O R M A T I O N W A R F A R E
ethical and political issues. While this article is but a References
brief introduction to the topic, it is clear that Internet- 1 www.cnn.com/ELECTION/2000/results/
based voting is unquestionably an idea whose time has 2 If Internet voting would increase voter turnout
not come. Its inherent difficulties make it an unfeasible by up to 50% as the pundit’s claim, then the voting
technology. Many e-commerce companies claim that infrastructure would have to scale accordingly.
taxing goods purchased on the Internet is far too diffi- 3 Proponents of Internet voting believe that it will
cult an endeavor, given the complexity of the tax laws increase voter participation. If that is the case,
and the multitude of municipalities. If an Internet toy then numbers be even larger than the ones I use.
company is unable to figure out how much the tax is 4 www.star-system.com/cfm/consumers-
on a Barbie Doll shipped to Riverside, CA, can we rea- qa.cfm?qa_id=23#23
sonably expect the e-voting companies to figure out 5 www.iballot.com/faq2.cfm?docid=28
how to securely carry out an election? 6 www.argusrevolution.com/
If Internet-based voting were a drug, the FDA would 7 For a dissenting view about hacking contests, see
undoubtedly reject it as unsafe and it if were an airplane, Bruce Schneier The Fallacy of Cracking Contests
the FAA wouldn’t certify its airworthiness. The risks of www.counterpane.com/crypto-gram-
Internet voting far outweigh any benefits it affords. 9812.html#contests
In conclusion, Internet-voting is a new concept being Gene Spafford Hacker Challenges—Boon or Bane?
proposed by companies with little real-world experience February 1995
in large-scale elections, let alone expertise in designing se- www.itd.nrl.navy.mil/ITD/5540/ieee/cipher/old-
cure systems. Our freedom and voting process should issues/issue9602
not be subjected to hype and beta software. Ben Rothke Challenging Hacker Contests
Ben Rothke, CISSP is a senior security consultant with Information Security Magazine November 1998
Baltimore Technologies. He can be reached at www.infosecuritymag.com/nov/newsviews.htm
ben.rothke@baltimore.com. 8 www.eballot.net/vsballot/technology.asp
The views expressed are his own. 9 www.notablesoftware.com/evote.html#Statement
20 Computer Security Journal • Volume XVII, Number 2, 2001