Joey Chau

Mark Dlugokencky

Lauren Dana Rosenblatt

Kevin Sheu

 

Security and Privacy in Computing 600.443

E-Voting Project – Part I

 

California Internet Voting Task Force: Report on the Feasibility of Internet Voting

            The California Internet Voting Task Force was created by Secretary of State Bill Jones to study the feasibility of using the Internet as a tool for conducting elections in California.  The report stated that technological threats such as viruses and Trojan horse software were a significant risk to an Internet voting system.  Such attacks could result in denial of service at the moment a voter attempts to vote, and in votes being changed without the voter's knowledge.

            The system must also deal with the issue of authentication of voters.  It must ensure that every voter has the opportunity to vote, and that each voter does not vote more than once.

            As a result of these observations, the task force recommended a two-step process for implementing an Internet voting system.  In the first step, the Internet voting technology would be deployed in a supervised setting such as a traditional polling place.  Only in the second step would the system allow the casting of remote Internet ballots, with voter authentication handled electronically.

            The task force concluded that an Internet voting system should only be used as a supplement to the current system.  Issues such as authentication cannot truly be resolved until digital signatures or a form of biometric authentication can be agreed upon.  Additionally, attacks on computer software are difficult to prevent.  Although a dedicated operating system and web browser could be provided to counter them, this is only feasible at an on-site polling station.

 

CalTech MIT Voting Technology Project

The Caltech MIT Voting Technology Project was started during the 2000 presidential elections to study the conflict that began as a result of a breakdown in the election process.  The project evaluated whether current technologies could meet the country’s needs for a secure, reliable, robust system for recording election preferences.

            The report concludes that between 4 and 6 million votes were lost in the 2000 presidential election.  It suggested two primary steps for reducing the number of lost votes that could be initiated immediately.  The project believed that immediately upgrading voting technologies, such as replacing punch cards and lever machines with optical scanners, could prevent the loss of up to 1.5 million votes.  It also suggested that improvements to voter registration systems, such as better database management, better synchronization between databases, and provisional ballots, could prevent the loss of around 3 million votes.

            The report cited various problems with how elections are currently run.  The first is that the current process makes recounts very difficult: many machines, such as lever machines and many electronic voting machines, provide no record of voters’ intentions apart from the count itself.  In addition, many votes are never counted at all; a large number of ballots were discarded because they were unmarked, spoiled, or ambiguous.

            The paper defined residual votes as the number of uncounted, unmarked, and spoiled ballots, and used this figure as a metric for comparing different machines in terms of lost votes.  Their research concluded that, among current technologies, optical scan systems produced the most reliable (lowest) residual vote rates, while paper ballots and current DRE machines were the least reliable.  The paper attributed the high residual vote rate of DREs to their user interfaces: the system was ambiguous about which candidate a user was voting for, and the overall experience was confusing.  They also found that physical problems, such as loose cables and failures of electrical counters, contributed to lost votes.

            The project also drew a distinction between two broad types of security problems.  The first is the manipulation of voters, including vote selling and forced voting.  The second is tampering with the recording and counting mechanisms of the system.  The effects of a corrupted system must be considered with regard to electronic voting, and the project provided several recommendations for securing it.

            They believed that the system should be simple, since it is very difficult to design a secure system that must meet an assortment of requirements.  The electronic components should be kept separate from the rest of the system.  They also wanted the source code for vote recording to be open source, so that it could be openly audited for security flaws.  The project recommended a mechanism for auditing both the votes and the equipment; this provides a more reliable system that can be checked whenever the validity of the system or the vote count is questioned.  They also suggested that the equipment maintain a log of all events that occur on each machine, providing a way to detect irregular activity and determine who was accountable for it.  Most notably, the project stated that remote Internet voting is a serious security risk that current technologies cannot handle, and therefore recommended that it not be used until future work can make it more secure.

            The project suggested a framework, A Modular Voting Architecture (AMVA), that could serve as a base architecture upon which future voting machines could be built.  The framework utilizes the concept of a “FROG”, a physical item on which votes are recorded.  The central feature of the architecture is that recording a voter’s choices on a FROG and casting the vote are separate processes.  The architecture moves away from complex electronic voting machines that lend themselves to security threats.


Security Considerations for Remote Electronic Voting over the Internet and Report of the National Workshop on Internet Voting

            There seems to be a growing trend to move just about anything and everything to the Internet to provide convenient access to information, and as a result there have been many proponents of remote electronic voting.  Remote electronic voting based on the Internet, in its current state, would have significant security issues.  Beyond security, other aspects must be addressed as well.  Some of these issues include: “coercibility, the possibility that a voter in a public place could be coerced to vote a certain way – vote selling, the opportunity to sell votes for profit – vote solicitation, that it is harder to regulate vote solicitations in any other voting medium – registration, the problem of registration online and how to avoid fraud.”  There are also basic technical and social science issues involved in electronic voting.  Because voting is a pivotal aspect of our form of democracy, any new form of voting would undoubtedly face many questions of legitimacy along with malicious adversaries and attackers.  The security considerations can be broken down into three areas: the voting platform, communication, and social engineering.

            The current structure for any form of electronic voting would require a basic client-server model.  In this model, poll-site clients provide an interface to users and the server acts as the tally and ballot database.  This model is fairly prevalent and many of its advantages and disadvantages are known.  However, fully ‘securing’ all aspects of communication poses a tradeoff with convenience: enforcing security may make systems harder to use, and implementing a new security scheme may be quite costly.  If on Election Day there is a major functional flaw in the election system, none of the security measures will matter.  There must be some way of guaranteeing that the electronic system can still provide voting access in the face of any shortcomings, so a backup handwritten system may need to be put in place behind the electronic one in case of a breakdown.  A heated debate may also arise over the source code for such a system: the voting architecture may be known, but should the general public have access to the source code of the voting application?  This question is a fundamental issue in computer science.  Predictably, there will also be a debate over the platform that will run the host, because a potentially large amount of money may be earned or lost depending on the chosen specification.

            Before getting into the details of the security risks, it is important to realize the social implications of an electronic voting system.  Any new system should try to increase the meager voter turnout seen in recent U.S. elections.  Although electronic voting may be more convenient, studies have shown that convenience may not play an important role in affecting voter participation; information and motivation have been shown to be possibly more influential in increasing turnout, and neither is provided by electronic voting.  Demographics also need to be considered, because polling stations must be easily accessible to all groups.  Because such a system would be a large technological step, it may limit accessibility for computer-illiterate individuals and would therefore face strong challenges.  However, because of the convenience of poll-site Internet voting, many people with disabilities may be able to vote when they otherwise could not under today’s system.  The entire election process may also change due to Internet voting.  Currently, once a ballot is cast, there is no way for a voter to change their vote; with a new system, voters might be able to change their vote repeatedly until some predetermined voting deadline.  Finally, the privacy of the individual voter must be preserved.  The current system allows some form of voter anonymity.  Because user information may be passed into an electronic voting system, would that information be compromised, and would election information be sold commercially to recoup the financial losses of implementation?  These and many other issues are all very important.

            Since almost everyone in the United States uses Intel machines running Microsoft operating systems with Internet Explorer or Netscape to connect to the web, the study focuses mainly on security weaknesses in these platforms.  In general, threats to the host platform can be described in two parts: a malicious payload and a delivery mechanism.  Over the years, both have improved and are now more likely to succeed and to do considerably more damage.  Malicious payloads are programs that sit on a host waiting to exploit it; because of the nature of these programs, a vote cast from such a computer could in fact be changed.  One example is Back Orifice 2000, a package that allows people to remotely take control of the computer on which it resides.  Furthermore, this type of software is totally legal because it is sold as a network tool, and it is unlikely that the conventional computer user would have any hope of detecting its presence.  Another example is the infamous Chernobyl virus, which altered the BIOS on affected machines such that the only repair method involved hardware servicing.  This attack was mentioned in particular to point out the devastating effect a widespread virus could have on election day, not to mention the disenfranchised voters who would begin to doubt the system if the very voting machines were taken down.  The final attack involves a trick with Internet proxy servers: if an application is able to alter a host's proxy server configuration, a malicious party could effectively take over the Internet experience of the affected hosts.

            A malicious application must have some mechanism for entering the voting host.  The simplest form of delivery is for someone to physically install the application on the voting host; at various points leading up to the election, many people will have access to the polling machine.  Remote automated delivery poses an even greater threat than physical delivery of malicious code.  Real-life examples of such code are the Melissa virus and the I Love You bug.  These remote applications, which install code on the PC, often spread faster and wider than their creators ever imagined, and such e-mail viruses could easily deliver malicious payloads.  Unfortunately, the very operating system that the hosts will run is itself a target for exploitation.  Most operating systems are known to contain many operational bugs as well as security flaws.  A very prevalent attack is the buffer overflow: by writing more data into a memory location than it was expected to hold, a malicious user can corrupt the computer’s memory.

            The communication link between voters and voter databases is a very important one in remote voting.  It can be protected by any number of security mechanisms that have been mathematically proven to be effective.  The main type of attack that is still unpreventable is the distributed denial of service attack.  These attacks have been carried out in the past and have effectively brought down entire sections of the Internet; such an attack on Election Day could take the entire voting system down along with the Internet.  The daemons that run on unsuspecting computers in distributed denial of service attacks are freely available for any novice hacker to deploy.  Another, more directed attack is known as the ping of death.  This attack takes advantage of packet fragment reassembly to cause the host computer to crash.

            Not all attacks are purely technical; social engineering attacks are a broad category with the intent of fooling people into compromising their own security.  To computer-illiterate people, the computer is an intimidating, poorly designed interface, and that confusion can be exploited.  For example, malicious individuals may send e-mails telling people to click on a link that will direct them to a voting site.  However, the link would not lead to the real site, and the security of all information the user sends to the fake site would be compromised; the attacker could then replay that information against the real polling site.  The easiest such attack could involve manipulation of the current DNS.


Bibliography

Rubin, Avi.  “Security Considerations for Remote Electronic Voting over the Internet.”  AT&T Labs, Florham Park, NJ.

 

Freedom Forum Panelists.  “Report of the National Workshop on Internet Voting.”  Internet Policy Institute.  March 2001.

 

Jones, Bill (Secretary of State).  “A Report on the Feasibility of Internet Voting.”  California Internet Voting Task Force.  January 2000.

 

M. Alvarez, S. Ansolabehere, E. Antonsson, J. Bruck, S. Graves, T. Palfrey, R. Rivest, T. Selker, A. Slocum, C. Stewart III.  “Voting: What Is, What Could Be.”  CalTech MIT Voting Technology Project.  July 2001.