Bad Idea, in Voting
posted by Danielle Citron
I’ve been in my book writing foxhole, so much so that when the storm hit Maryland and D.C. and I did not lose power, I had no idea that nearly half of my state and our neighboring ones had none. But enough about hiding from the world (and the Internet), there are alarming stories about voting worth sharing now with elections coming up, the only time the public seems to sniffle at the issue.
Internet voting. One might say, in your dreams, pal, never going to happen. But in truth it is happening, with calls for more. Nineteen states offer some form of online voting, mostly for soldiers living overseas. The Military and Overseas Voter Empowerment Act requires states in most cases to get ballots to military and overseas voters well in advance of regularly scheduled federal elections, which has led states to adopt voting via e-mail and online for soldiers. (Other states like Maryland allow voters to download ballots online and mail them.) Because these experiments have “worked,” more calls for voting online have been forthcoming on the grounds that people might then actually vote. It’s my understanding from voting activists that election boards are agitating for online voting, and it is a very bad idea.
To state the utterly obvious, all things online are insecure — the infiltration of the Pentagon and countless companies, including financial ones, should instill fear about the sophistication of bad actors looking to steal state secrets, trade secrets, credit card numbers, SSNs, you name it. And online elections–what a target (think about all of the people who would bother–in a word, lots). Stuffing ballot boxes in a handful of precincts is quaint as compared to the possibilities of malware, distributed denial of service attacks, and the like in a state and federal election. It is mind-blowing, really.
Scott Wolchok, Eric Wustrow, Dawn Isabel, and J. Alex Halderman of the University of Michigan recently released a study on the ease with which they hacked a pilot project on Internet voting run by Washington, D.C. The authors explain that within 48 hours of the system going live, they gained near-complete control of the election server, successfully changed every vote and revealed almost every secret ballot. Two business days later, election officials detected the intrusion, and probably only because the authors deliberately left a prominent clue.
Some respond to these sorts of concerns with “we bank online and it is safe, so we can vote online, if we just work hard enough at it.” As the authors explain, banking and voting involve very different activities with very different needs for secrecy as between client/voter and bank/voting precinct. They write:
“While Internet-based financial applications, such as online banking, share some of the threats faced by Internet voting, there is a fundamental difference in ability to deal with compromises after they have occurred. In the case of online banking, transaction records, statements, and multiple logs allow customers to detect specific fraudulent transactions and in many cases allow the bank to reverse them. Internet voting systems cannot keep such fine-grained transaction logs without violating ballot secrecy for voters. Even with these protections in place, banks suffer a significant amount of online fraud but write it off as part of the cost of doing business; fraudulent election results cannot be so easily excused.”
The National Institute of Standards and Technology agrees. Chief among NIST’s concerns are malware and our lack of an infrastructure for secure electronic voter authentication. Amazingly, countries like Estonia and Switzerland have adopted Internet voting for national elections.