I am very concerned about the widespread push toward Internet voting in the U.S., of which email voting is just one kind. Neither the Internet itself, nor voters’ computers, nor the email vote collection servers are secure against any of a hundred different cyber attacks that might be launched by anyone in the world from a self-aggrandizing loner to a foreign intelligence agency. Such an attack might allow automated and undetectable modification or loss of any or all of the votes transmitted.
While all Internet voting systems are vulnerable to such attacks and thus should be unacceptable to anyone, email voting is by far the worst Internet voting choice from a national security point of view since it is the easiest to attack in the largest number of different ways.
The technical points I am about to state are not my opinions alone. The computer security research community in the U.S. is essentially unanimous in its condemnation of any currently feasible form of Internet voting, but most especially of email voting. I strongly urge legislators in states considering e-mail voting to request testimony from other independent computer network security experts who are not affiliated with or paid by any voting system vendor. Email voting is extremely dangerous in ways that people without strong technical background are not likely to anticipate.
Here are the problems with email voting:
1. Lack of privacy: Emailed ballots are always transmitted essentially in the clear, never encrypted. (The exceptions to this generalization do not apply to email carrying ballots. The reasons for this are technical, but they will not change in the foreseeable future.) Most state statutes that allow email voting bill explicitly recognizes that it is impossible to guarantee vote privacy with email voting, and require voters, if they choose email their voted ballots to their election officials, to sign an affidavit waiving the anonymity of their votes. It is common for national intelligence agencies (including our own) to collect and store all email that crosses national boundaries, and that would include emailed ballots along with the names of the voters and related information. Also, many voters (including military voters) get their email service through their employers who legally reserve the right to inspect all incoming and outgoing email. So voters should be aware that their votes are not guaranteed to be private, and in many cases they are almost guaranteed not to be private.
2. Vote manipulation while in transit: –That email is not encrypted does not just compromise voter privacy. Without encryption, emailed ballots can be easily modified or manipulated en masse while in transit from the voter to the local election officials. Email is transmitted from router to router, and from forwarding agent to forwarding agent along the transmission path, through infrastructure that belongs to various corporations and national governments. It is trivial for any IT person who controls one of these routers or forwarding agents to filter, out of the vast stream of email, exactly those emailed ballots addressed for a chosen set of election email servers (such as county servers in one or more states that are of interest to the attacker), and then to automate a process to either discard ballots that contain votes she does not like, or replace them with forged ballots that she likes better, all the while keeping the voter’s signed waiver and envelope attachments intact. Such malicious activity would only result in a transmission delay on the order of one second or so. This is anything but difficult. There are thousands of people in the U.S. who have the skill and are in a position to do this easily for at least some ballots, and vastly more in other countries. Unless all of the received ballots are made public on a web site associated with the names of the voters who cast them there would be absolutely no way to detect this on-the-fly ballot manipulation. Neither the voter nor election officials would be able to notice any irregularity.
3. Server penetration attacks: Even in the ideal and highly unlikely instance that e-mailed ballots are strongly encrypted in transit from the voter to the election official; anyone in the world can mount a remote attack on the server collecting emailed votes. If the attackers are competent and determined there is essentially no chance that they will fail (despite the common overconfidence of the IT staffs running servers). Every major high tech company in the US, and most government agencies have been victims of such attacks, including RSA, Google, and the White House. These are organizations with security expertise and infrastructure dwarfing that of any voting system vendor or election administrator. Just last October the Washington, D.C. Board of Elections and Ethics (BOEE) was forced to cancel its planned November Internet election because security researchers proved that they could easily penetrate the BOEE network while sitting at the University of Michigan. They were able to take complete control of all the voted ballots and replace them all with phony ones. University of Michigan Prof. Alex Halderman, who led the team of researchers that conducted the DC hack, has published a concise account of the DC hack.
4. Ballot files can carry malware into the election network: Most state legislation enabling email voting does not specify what types of files the emailed ballots, and waivers must be. But for various reasons vendors and election officials almost always opt to allow PDF (Portable Document Format, by Adobe). Most people are familiar with this file type, of course, but it is not widely known to the general public that PDF has one of the longest security rap sheets of any document type. In particular, innocent looking PDF files are able to carry very dangerous malware that can open a backdoor to remote control of the election network. Once the vendor or local election officials set up a server to receive email ballots they are opening themselves up to a PDF attack that anyone on Earth can launch by sending a specially constructed PDF “ballot” that is infected with malware. Once the ballot is opened the malware instantly does its work. There are ways to partially ameliorate this vulnerability (but only partly). However, even partial ameliorations greatly increase the development cost and operational complexity of the vote collection infrastructure.
5. Voters’ computers infected with malware: As if the unacceptable and largely immitigable risks described above were not enough to discredit email balloting, we have not yet addressed one of the most certain sources of malware: the voters’ own computers. As most users of the Internet are now aware, our personal computers are routinely infected with malware from all over the world. If email voting becomes common I would fully expect that some enterprising malware designer will decide to create and spread and sell (!) a malware module that sits silently on a voter’s computer doing nothing at all until he sends an email to one of the particular addresses that is used to collect ballots, at which point it will modify the To: address just as the email leaves the computer to send the ballot to the malware-designer’s own shop for inspection and modification before forwarding it on to election officials at home. Again, I implore election administrators and lawmakers to reject assurances that such an attack is hard. It takes a little more skill than some of the other attacks, but it is much harder to detect and prevent than the attacks on vote servers, and is well within the competence level of the attackers who carried out the Google hack and numerous other attacks against highly protected corporate and government computer networks, If I were a cyber attacker in a country that is a U.S. rival I would use an attack like this (among others).
6. Denial of service attacks: Email can be subject to denial of service attacks. It is easy, for example, to have a million emails sent to the voting email address, vastly swamping the relatively small number of legitimate ballots that a jurisdiction might expect and possibly crashing its server or overloading its routers. Anyone who owns or rents a large botnet (a collection of infected PCs controlled by one criminal or organization) can do this in minutes from the safety of overseas locations that are untraceable and out of reach of U.S. law. This might be just a huge nuisance attack. But if it lasts for the final hours of Election Day, the emailed ballots arriving during those hours will be delayed until it is too late to count them (as specifically mentioned in this bill) and thousands of voters can be disenfranchised. (A related denial of service attack happened in a Canadian election in 2003. Today it would be much easier to launch a much larger attack.)
7. Email ballots are unauditable; attacks are undetectable and irreparable: Email ballots, like those cast on paperless electronic voting machines in polling places, are completely unauditable in any meaningful way. There is no way, even in principle, to verify that the electronic ballot that arrives at the election server is the same as the one the voter intended to send. The above attacks (except for denial of service) are likely to be completely undetectable. The wrong persons might be elected, the wrong initiatives passed or rejected, and no one would ever know. Even if some attacks were somehow detected, there is no way to know whose votes were modified or discarded so there is no way to repair the damage!
8. Multiple simultaneous attacks: Like all other forms of Internet voting, email elections need not be attacked by just one person or organization at a time. Multiple independent attacks by people who may not even be aware of each other could be simultaneously directed at the same email election from anywhere in the world. This make effective defense, already essentially hopeless, even more difficult
9. These facts will not change: These vulnerabilities are facts about email voting. They are fundamentally built in to the architecture of email, of the Internet itself, and of the PCs and mobile devices that people vote from, and are not going to change for as far ahead into the future as anyone can see. Anyone’s security claims to the contrary should be treated with extreme skepticism. No amount of encryption (even if it were used for some parts of the voting infrastructure), no amount of firewalling, no use of strong passwords or two factor authentication, no amount of voter signature checking, and no other security tricks of the trade are sufficient to materially change these facts.
10. Similar problems with FAX voting: I have made the above criticisms of email voting, but almost identical considerations apply to FAX voting. While FAX and email seem superficially different, they are in fact very similar from a security point of view. Faxes are sent unencrypted; they are forwarded from switch to switch within the telephony infrastructure of many private and national corporations; they are subject to absolutely trivial denial of service attacks. The similarity is so great that there is a FAX analog for every one of the email vulnerabilities listed above. Moreover, with the increasing popularity of Web-based services such as eFax, FAX is increasingly a Web-based, rather than a telephony-based, process, rendering distinctions between FAX and email voting less relevant each year.
11. Move toward Internet distribution of blank ballots. It is clear that overseas and military voters experience barriers that are largely associated with mail delays. While there are a number of cyber security issues regarding the electronic transmission of blank ballots to voters via the Internet, those issues are much more manageable than those for the electronic return of voted ballots. I suggest that election officials and lawmakers consider a program to reduce overseas mail delays by allowing voters to download blank ballots from a web server, then print them, mark them, and mail them back to local election officials. Such a process will eliminate at least one transoceanic mail delay and also eliminate the need to have accurate addresses for military on the move in the field. It will go a long way to relieving the problems of overseas voters without endangering the security of the entire election.
For these reasons I strongly urge states that do not currently provide for email voting not to start down that path. In my professional opinion this path leads only to a major risk to U.S. national security, exposing our elections to easy manipulation by anyone in the world.
David Jefferson is a computer scientist and researcher at Lawrence Livermore National Laboratory in California where he studies cyber security and ways to protect the nation’s military, civilian, and government networks from cyber attack. He is also the Chairman of the Board of Verified Voting, and has been studying electronic and Internet voting for over a decade, advising five successive California Secretaries of State on voting technology issues.