It took just one typo in one line of code to elect a malevolent computer program mayor of Washington, D.C. In the fall of 2010, the District staged a mock election to test out a new online voting system, and invited hackers to check its security. A team from the University of Michigan took them up on the offer. They quickly found a flaw in the code and broke in. They changed every vote.
Master Control Program, the self-aware software that attempts to take over the world in the film Tron, was a runaway write-in candidate for mayor. Skynet, the system that runs a robot army in the Terminator franchise, was elected to Congress. And Bender, the hard-drinking android in the cartoon Futurama, became a member of the school board. Incredibly, it took D.C. officials two days to realize they had been hacked.
… The use of Internet voting is exploding. Nearly 100 Ontario municipalities are using it in Monday’s election – including one that will even ditch paper ballots entirely. Proponents contend it is not only more convenient, but more equitable, giving people who cannot get to physical polling stations the same opportunity to vote as everyone else. But the expansion of e-voting has also caused consternation for some security researchers and municipal officials. They worry that entrusting this pillar of democracy to computers is too great a risk, given the potential for software problems – or hackers determined to put beer-swilling robots on the school board.
… A Halifax spokeswoman confirmed the city looked into the potential problems, but she would not say what it did to fix them. In a statement, Scytl said the company “addressed the problems in written correspondence to CCIRC, by outlining the security capabilities of our existing technology.” It added it has safety measures in place to deal with the types of vulnerabilities Mr. McArthur says he found. Public Safety Canada would not say if it was satisfied with the response. Despite these concerns, those who run e-voting are adamant about its security. “If you break into a system – which has never been done – it would trigger an alarm with an elected official,” said Dominion Voting CEO John Poulos. “Even if it was possible, there would be a full trace on it.”
Such categorical statements make critics bristle. They contend that, for all the safeguards companies and governments have in place, they cannot possibly cover every contingency. Mr. McArthur points to stories of governments hacking each other’s intelligence networks: If spy agencies can’t solve such problems, what hope do local governments have? “Frankly, for a municipality or province to think they can take on these threats, well, it’s just the height of arrogance,” he said.
The Michigan geeks who hacked D.C.’s system reached a similar conclusion. “It may some day be possible to build a secure method for submitting ballots over the Internet, but in the meantime, such systems should be presumed to be vulnerable based on the limitations of today’s security technology,” wrote J. Alex Halderman, the professor who led the hacking team, on his blog. He also argued it is possible to break into a system without election staff knowing it – raising the troubling possibility hackers have infiltrated online voting systems before but were simply never detected.