In the 2017 Western Australian state election, voters with disabilities can register and vote over the Internet for the first time, using a system called iVote. Voters with disabilities deserve to have just as much confidence in the privacy and security of their votes as able-bodied voters using a polling booth. Unfortunately, a breach of voter privacy, or overt tampering with ballots, may not be noticed if it happens online – and reading or altering someone’s iVote might be easier than it seems.

Security vulnerabilities are successfully exploited every day to steal money, commit financial fraud and extract government secrets. US intelligence agencies blamed Russian government hackers for interfering in the US election.

The iVote registration and voting servers are protected by Transport Layer Security (TLS), the Internet’s most common security protocol. If you visit your bank and click on the padlock in your browser’s address bar, you can see a TLS certificate that proves you are communicating with the true owner of that domain. However, if you visit the WA Electoral Commission’s online registration page or the iVote log-in page and click on that padlock, you see something surprising: the TLS certificate is owned not by the WA Electoral Commission (WAEC) but by a US company called Incapsula.
Incapsula provides protection against Distributed Denial of Service (DDoS) attacks by placing itself between voters and the actual iVote server. This is known as a ‘proxy’.
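The padlock check described above can be automated: inspect the subject of the certificate a server presents and ask whether the organisation named on it is the site's owner or a third party terminating TLS in front of it. The code below is an added example, not part of the original article or of iVote; the two certificate dictionaries are constructed in the shape returned by Python's `ssl.getpeercert()`, and the domain and organisation names in them are placeholders.

```python
import socket
import ssl

# Constructed sample: a certificate a TLS-terminating proxy might present for a site.
PROXY_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Proxy Pty Ltd"),),
                (("commonName", "example-vote.test"),)),
    "subjectAltName": (("DNS", "example-vote.test"), ("DNS", "*.example-vote.test")),
}

# Constructed sample: a certificate issued directly to the site owner.
OWN_CERT = {
    "subject": ((("countryName", "AU"),),
                (("organizationName", "Example Electoral Commission"),),
                (("commonName", "example-vote.test"),)),
    "subjectAltName": (("DNS", "example-vote.test"),),
}


def cert_owner(cert):
    """Return (organizationName, commonName) from a getpeercert()-style dict."""
    subject = {k: v for rdn in cert.get("subject", ()) for (k, v) in rdn}
    return subject.get("organizationName"), subject.get("commonName")


def name_covers(name, domain):
    """Approximate hostname matching: exact match, or a wildcard on the parent domain."""
    if name.startswith("*."):
        return domain.endswith(name[1:]) and domain.count(".") == name.count(".")
    return name == domain


def assess_cert(cert, domain, owner_keywords):
    """Report whether the certificate covers the domain and who appears to own it.
    third_party is True when none of the site owner's keywords appear in the subject."""
    org, cn = cert_owner(cert)
    names = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"] + [cn or ""]
    owner_text = " ".join(filter(None, [org, cn])).lower()
    owned_by_site = any(kw.lower() in owner_text for kw in owner_keywords)
    return {"covers_domain": any(name_covers(n, domain) for n in names),
            "owner": org, "third_party": not owned_by_site}


def fetch_peer_cert(host, port=443, timeout=5):
    """Fetch the leaf certificate a live server presents (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
```

A certificate that covers the domain but whose subject names an unrelated organisation means a party other than the site owner holds the private key and decrypts the traffic; the check says nothing about whether that party is trustworthy.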
It means that registration information of WA voters is sent to an Incapsula server based in the US (18.104.22.168), where it is decrypted, allowing anyone with control of Incapsula’s servers to read it. (We are not eligible to register, so we don’t know whether Medicare and passport numbers of voters are also sent there.)
This is not a question of Incapsula being dishonest: possible eavesdroppers include Incapsula employees, contractors, hackers who may have compromised Incapsula’s systems, and the US Government itself. Incapsula’s competitor, Cloudflare, was recently affected by a serious security problem that leaked passwords, secret keys, intimate photos and other private data.