Internet Voting, Google, and the China Syndrome
John Sebes
Thanks again to David Jefferson for his post yesterday on the lessons for Internet voting of the Google/China news (NYT: In Rebuke of China, Focus Falls on Cybersecurity). To answer some follow-up questions, I’ll explain a bit about the term vote servers that David referred to.
Let’s start with a little background on Internet voting. Many people’s cybersecurity concerns about i-voting focus on the vulnerability of the voter’s Internet-connected computer, on which a Web browser is used for i-voting. The browser communicates with an i-voting Web server (the “vote server”), displays ballot items, lets the voter make selections, and so on (very similar to what many people do today with surveymonkey and similar services on the Internet). Those concerns are valid whether the client computer is a home PC or a special-purpose kiosk in a physically controlled polling place set up on a military base overseas.
But just as important is the “server side” of i-voting: the Internet-connected vote server, the Web server front end, the database it uses, and all the other datacenter infrastructure. That infrastructure is one basket holding all the eggs, namely the data used to create an election result, so of course there is concern about the basket itself being a target. After all, why go to the trouble of renting botnet time, crafting malware to distribute to already-compromised PCs, and all the other work required to tamper with some of the i-ballots at their source, when you could tamper with all of the ballots’ votes at their single destination? Good question, and the typical answer is that attacking the source is much easier, if you assume that the i-voting datacenter uses “industry best practices” for security, as i-voting vendors and service providers commonly claim.
But as the continuing Google/China news shows us, dedicated, politically motivated adversaries have been quite able to penetrate the defenses of the I.T. plant of some of the biggest, most tech-savvy companies in the world, with some of the best I.T. and security staff anywhere. That being the case, why should anyone blithely accept the claim that an i-voting datacenter is sufficiently defended to protect the vote data and the election itself?
Now, nobody is suggesting that the Chinese government would try to hack Internet elections for real U.S. government offices. But look at it from the point of view of a responsible election official pondering the offers of for-profit vendors of proprietary i-voting solutions, vendors who have indeed run a few election pilots and would like the business of running full elections out of their datacenters using their i-voting systems. The vendors claim that they have spent “enough” time, money, and effort on security. The question is whether …
… some small company that has run a few election pilots has any chance of locking down its vote servers so tightly that they can withstand a similarly determined “highly sophisticated and targeted attack” when Google and these other big companies cannot?
That’s not a rhetorical question! The vendors are probably not the right judges of what is “enough,” but several U.S. election officials are currently mulling i-voting for overseas and military voters; they are the ones who need to weigh the risks and benefits and the required security and controls, hopefully with advice from some of the several election technology and security experts at work on election tech or policy today.
— EJS
How is all that different from wanting to hack a bank website to have access not to the ballots but to the money?
It looks like OSDV is for digital voting but not internet voting. Is this an official position?
(Same question as in the previous post titled “What Google’s New China Policy Tells Us About Internet Voting”)
Anyway, it is a very interesting post. Thx.
Harry – that’s right, but since it is an “official” position, let me be precise about it: we are not working on technology that enables people to vote from their home PCs by obtaining an electronic ballot over the Internet, digitally marking the ballot on their PC, and returning the marked ballot data over the Internet. Instead, we’re doing other work to help today’s overseas/military voters (including the use of the Internet), and to benefit today’s in-person voting process – both by providing new technology that’s currently in broad demand by election officials. I have no doubt that someday some Americans will be voting remotely using electronic devices. But there is plenty of work to do now to fix some basic problems in the way that most people vote right now. — EJS
Thanks for this precise answer.
I hate to sound like a spoil sport, but these days elections are “certified” so quickly that hacks could be accomplished and not discovered until a winner is declared.
It is a terrible indictment all around, but the machines cannot be proven trustworthy enough without a substantial percentage of the ballots being audited. I know I sound like a Luddite, because even though I would like computers to be useful in the tabulation process, I am convinced that the only trustworthy system is a hand count.
Nancy Tobi of New Hampshire has three videos documenting hand counts, and the systems are self auditing and generally foolproof. It may or may not take an extra hour or two, but when looking at the first eight years of this Century, I’m sure we would all agree those hours are worth it.
I respect you computer people, and I realize the value of the machines, but a few months ago Germany followed the lead of a couple of other European countries and banned the use of computers. After all, the only way to actually know if the tabulations are correct is to count the votes by hand.
If we had counted by hand in 2000, Bush II would never have been President.
Open Source Code for e-voting systems addresses an obvious problem with such systems. Namely that it is absurd to have the details of the basic method by which citizens control a democratic government concealed from them. But, even if the open source movement, which I believe is being powered by very fine, able, people with the best intentions, should succeed completely, there would remain a virtually limitless array of techniques for falsifying the results of elections using e-voting. The political election process is a rare example of a data processing task that does not lend itself to implementation by computers. There is no feasible way to ensure that a particular instance of an e-voting system does not have clandestine features for corrupting the results. This is because the number of different hidden cheating techniques is bounded only by the ingenuity of the designers.
Some ingenious schemes have been proposed for building in features that would allow voters to check, after the election results are posted, to see if their votes have been listed. But there is ample evidence that post-election efforts to correct election outcomes seldom are effective. In a number of cases, voters have complained that their votes were not correctly recorded even on the polling booth screens, but no effective remedial action was taken. Even where there was an extensive post-election investigation of such a case (the Sarasota undervote), it was clear that there was no way to determine if deliberate cheating was the cause.
It is important to understand that, while source code is an obvious possible culprit, cheating via embedded hardware features, which are even harder to detect, is quite possible. The processes whereby the source code is converted to object code (compilers, assemblers, loaders, etc.) are also potential sources of corruption. Most recently it has been demonstrated that the firmware associated with the BIOS (Basic Input/Output System), a component of every computer, is yet another tool available for cheating. (see http://threatpost.com/en_us/blogs/researchers-unveil-persistent-bios-attack-methods-031909)
Fortunately there is no need to put up with faith-based elections, i.e., a situation in which the integrity of our elections depends on the honesty and competence of an array of election officials, engineers and technicians. We can mark paper ballots by hand and have them counted by hand, in public, with the entire process monitored by representatives of competing political organizations. This approach is, in fact, widely used in several states and works just fine. Of course, regardless of the use or non-use of high technology, it remains critical that we pay attention to the voting and tabulation process, never trusting that unobserved government officials will do the right thing.
I have elaborated on the above contentions in a number of articles, which include references to other work. The Sarasota case is analyzed at
http://www1.cs.columbia.edu/~unger/articles/sarasota5-2-07.html
and the general case for hand counted paper ballots (HCPB) is made at
http://www1.cs.columbia.edu/~unger/articles/manualCount.html
Stephen H. Unger
Professor Emeritus
Computer Science and Electrical Engineering
Columbia University
Don’t be fooled by the fear mongers. Internet voting can be as secure, accurate, convenient, and reliable as any online banking or other type of e-commerce. Many countries are using Internet voting. Canada, England, Estonia, and more. Not one incident of hacking has been shown to have happened.
David Jefferson’s anti-Internet voting talk is completely unscientific. For proof of this, read my essay “The Reasonable Person Standard and the Critique of Leading Figures in the Making of Public Policy: The Case of Internet Voting.” Also see “Internet Voting: The Great Security Scare”
I follow scientific thinking, not mystical divining!
These are available for free reading or download at: http://ssrn.com/author=1053589
William J. Kelleher, Ph.D.
InternetVoting@gmail.com