Verified Voting Blog: California’s Internet Voting Initiatives

This article was originally published in Communications of the ACM on February 24, 2016.

California, home of an underabundance of rain and an overabundance of ballot initiatives, may be confronted with one or two initiatives on this November’s ballot that, if passed by the voters, will mandate the establishment of Internet voting in the state.

A total of three such initiatives are under consideration so far. The first, poorly written and probably a long shot, represents one of the hazards of the initiative process: anyone can pay the fees and submit any crazy idea for a new law. But the other two are closely related, with the same sponsor and largely identical content. We expect only one of those two will go forward. Since they represent the most significant concern, for the rest of this blog we discuss only them.

The two initiatives, numbered 15-0117 and 15-0118, can be found at the CA Attorney General’s site. They are carefully drafted to avoid ever using the terms “Internet voting” or “online voting” or “email” or “web,” etc. Instead, they refer throughout to “secure electronic submission of vote by mail ballots.” Presumably, this is in part because the computer and elections security communities have managed to give “Internet voting” a bad name.

New Jersey: Bill to Permit Overseas & Military Voters to Vote Using Internet Advances | PolitickerNJ

Legislation sponsored by Assembly Democrats Paul Moriarty, Wayne DeAngelo, Joseph Lagana and Joe Danielsen to permit overseas and military voters to vote using the Internet was released Thursday by the Assembly Appropriations Committee. “Every vote counts, but they especially must count for those protecting our freedom in the military,” said Moriarty (D-Gloucester/Camden). “This is a common sense, 21st century bill.”

International: Voting From the Privacy of Your Couch | Bloomberg

Electoral fraud has been pervasive in Nigeria since it returned to civilian rule in 1999. This year, to prevent tampering with ballots on the way to the capital, poll workers nationwide used technology from a Spanish software maker called Scytl to scan the tallies and transmit them electronically. Despite predictions of violence, voters elected an opposition candidate—removing an incumbent from office for the first time—in a process Human Rights Watch described as “mostly peaceful.” Governments in 42 countries are using software from Scytl (rhymes with “title”) to bring elements of their elections online, from registering voters to consolidating results. “If you look at the way elections are being run in most countries, it’s still the same way they used to be run 50 years ago,” says Chief Executive Officer Pere Vallès. Using Scytl’s technology, he says, a country can more easily stop fraud and announce winners “in a few hours instead of a few days.” … Many election watchdogs say software isn’t yet secure enough to be trusted, and they’re concerned that Scytl and its competitors haven’t developed a way for third parties to independently verify results. “Murphy’s Law says something is going to go wrong in pretty much every election,” says Pamela Smith, the president of election watchdog Verified Voting in Carlsbad, Calif. “Transmitting actual votes is too high-risk for using online technology.” No current online system has “the level of security and transparency needed for mainstream elections,” according to a July report prepared for the U.S. Vote Foundation, a nonprofit that advocates for expanded absentee voting.

Switzerland: Swiss Post, Scytl to develop e-voting system | SWI

The Swiss Post is developing a new e-voting system with the Spanish company Scytl. Flüeler Oliver, a spokesman for the Swiss Post, told the NZZ am Sonntag on Sunday that the company hopes to compete with current cantonal e-voting projects, and is currently in talks with some, though no individual cantons were named. Two weeks ago, a system developed in the United States was rejected by the Swiss cabinet when it was proposed by nine cantons in an attempt to introduce e-voting for the parliamentary elections in October. Security flaws were cited as the reason for the rejection.

Verified Voting Public Commentary: Developing a Framework to Improve Critical Infrastructure Cybersecurity

Under Executive Order 13636 [2] (“Executive Order”), the Secretary of Commerce is tasked to direct the Director of NIST to develop a framework for reducing cyber risks to critical infrastructure (the “Cybersecurity Framework” or “Framework”). The Framework will consist of standards, methodologies, procedures and processes that align policy, business, and technological approaches to address cyber risks. The Department of Homeland Security, in coordination with sector-specific agencies, will then establish a voluntary program to support the adoption of the Cybersecurity Framework by owners and operators of critical infrastructure and any other interested entities.

NIST has issued a Request for Information (RFI) in the Federal Register. It is to this RFI that our response pertains. The undersigned persons and organizations include experts on matters relating to election technology, election practices, encryption, Internet security, and/or privacy. We appreciate the opportunity to provide input on this RFI entitled “Developing a Framework to Improve Critical Infrastructure Cybersecurity”.

Our response focuses on the discussion of specific practices as they pertain to elections practices and systems as part of the nation’s critical infrastructure. (Download the Full Response as a PDF)

Verified Voting Blog: Internet Voting in the U.S.

The assertion that Internet voting is the wave of the future has become commonplace. We frequently are asked, “If I can bank online, why can’t I vote online?” The question assumes that online banking is safe and secure. However, banks routinely and quietly replenish funds lost to online fraud in order to maintain public confidence. We are told Internet voting would help citizens living abroad or in the military who currently have difficulty voting. Recent federal legislation to improve the voting process for overseas citizens is a response to that problem. The legislation, which has eliminated most delays, requires states to provide downloadable blank ballots but does not require the insecure return of voted ballots.

Yet another claim is that email voting is safer than Web-based voting, but no email program in widespread use today provides direct support for encrypted email. As a result, attachments are generally sent in the clear, and email ballots are easy to intercept and inspect, violating voters’ right to a secret ballot. Intercepted ballots may be modified or discarded without forwarding. Moreover, the ease with which a From header can be forged means it is relatively simple to produce large numbers of forged ballots. These special risks faced by email ballots are in addition to the general risks posed by all Internet-based voting schemes.

Verified Voting Blog: Online voting is risky and expensive

Online voting is an appealing option to speed voting for military and overseas voters. Yet it is actually “Democracy Theater”, providing an expensive, risky illusion of supporting our troops. Technologists warn of the unsolved technical challenges, while experience shows that the risks are tangible and pervasive. There are safer, less expensive solutions available. This year, the Government Administration and Elections Committee held hearings on a bill for online voting for military voters. Later they approved a “technical bill”, S.B. 939. Tucked at the end was a paragraph requiring that the Secretary of the State “shall, within available appropriations, establish a method to allow for on-line voting by military personnel stationed out of state.”

In 2008, over thirty computer scientists, security experts and technicians signed the “Computer Technologists’ Statement on Internet Voting,” listing five unsolved technical challenges and concluding: “[W]e believe it is necessary to warn policymakers and the public that secure internet voting is a very hard technical problem, and that we should proceed with internet voting schemes only after thorough consideration of the technical and non-technical issues in doing so.” The prevailing attitude seems to be, if voters and election officials like it and see no obvious problems then it must be safe.

Verified Voting Blog: Oak Ridge, spear phishing, and i-voting

Oak Ridge National Labs (one of the US national energy labs, along with Sandia, Livermore, Los Alamos, etc.) had a bunch of people fall for a spear phishing attack (see articles in Computerworld and many other descriptions). For those not familiar with the term, spear phishing is sending targeted emails at specific recipients, designed to…

Verified Voting Blog: Losing Democracy in Cyberspace

It has been nothing short of astonishing that, within a few weeks, the brave people of Tunisia and Egypt toppled corrupt dictators who ruled for decades. One of the protesters’ key demands was for democratic elections — the right to choose a government that is responsive to the people’s needs. That is also what protesters in Bahrain, Yemen, Iran, Jordan and Libya are demanding as they call for the dissolution of their autocratic and oppressive governments. As the protesters know all too well, voting does not mean that one’s vote will be counted. In Egypt’s 2005 elections, Hosni Mubarak was reelected with 88.6 percent of the vote. In 2009, Tunisia’s Zine El Abidine Ben Ali was reelected with an 89.6 percent landslide victory. In both cases allegations of fraud and corruption surrounded the elections.

What nobody is talking about is how votes will be cast in emerging democracies. For elections to be legitimate in such countries, it is critical to use voting technology that counts votes accurately. In the 21st century, chances are high that computers will be used in some form in the coming elections in Egypt and Tunisia. But voting computers, like heads of state, must be held accountable to the people they serve. It is a tenet of computer science that computers can be programmed to do anything, including play “Jeopardy!” and steal votes.

Verified Voting Blog: In D.C.’s Web Voting Test, the Hackers Were the Good Guys

Last month, the District conducted an Internet voting experiment that resulted in a team from the University of Michigan infiltrating election computers so completely that they were able to modify every ballot cast and all election outcomes without ever leaving their offices. They also retrieved the username and password for every eligible overseas voter who had signed up to participate. The team even defended the system against attackers from China and Iran. More than any other event in recent years, this test illustrates the extreme national security danger of Internet voting.

Though the District’s Board of Elections and Ethics prudently dropped the plan to use the most dangerous parts of the system in Tuesday’s midterms, the board still claims Internet voting is the wave of the future. By contrast, the consensus of the computer security community is that there is no secure Internet voting architecture suitable for public elections. The transmission of voted ballots over the Internet, whether by Web, e-mail or other means, threatens the integrity of the election. Simply fixing the problems identified in the District’s test will not prove the system secure. Almost certainly the next test will discover new vulnerabilities yielding a similar disastrous result.

People frequently ask: If we can bank online, why can’t we vote online? The answer is that because every banking transaction must be associated with a customer, banks know what their customers are doing, and customers get monthly statements that can be used to detect unauthorized transactions. There is no banking equivalent of the requirement for a secret ballot untraceable to the voter. While banks have huge budgets for mitigating security problems, they still lose substantial sums due to online fraud. In addition, while banks may tolerate the costs of online theft, because they save money overall, elections cannot tolerate a “small” amount of vote theft. For more than a decade, computer security scientists have been warning of certain core dangers related to Internet voting. The successful Michigan incursion confirmed many of them.

Verified Voting Blog: Hacking the D.C. Internet Voting Pilot

The District of Columbia is conducting a pilot project to allow overseas and military voters to download and return absentee ballots over the Internet. Before opening the system to real voters, D.C. has been holding a test period in which they’ve invited the public to evaluate the system’s security and usability. This is exactly the kind of open, public testing that many of us in the e-voting security community — including me — have been encouraging vendors and municipalities to conduct. So I was glad to participate, even though the test was launched with only three days’ notice. I assembled a team from the University of Michigan, including my PhD students, Eric Wustrow and Scott Wolchok, and Dawn Isabel, a member of the University of Michigan technical staff. Within 36 hours of the system going live, our team had found and exploited a vulnerability that gave us almost total control of the server software, including the ability to change votes and reveal voters’ secret ballots. In this post, I’ll describe what we did, how we did it, and what it means for Internet voting.

Verified Voting Blog: Dangers of Internet Voting Confirmed

For years, computer security experts have said that casting ballots using the Internet cannot be done securely. Now, after a team from the University of Michigan successfully hacked the Washington D.C. Board of Elections and Ethics (DCBOEE) public test of Internet voting, we have a visceral demonstration of just how serious the threats really are.…

Verified Voting Blog: Coalition Calls For Halt to Washington State E-mail Ballot Program

This week, as University of Michigan computer technologists revealed in stark fashion the risks of Internet voting, Verified Voting, Common Cause, and Voter Action worked to halt an effort to expand the electronic return of voted ballots in Washington State. The Secretary of State of Washington has proposed an emergency rule that would allow voters to send their votes home to election officials via e-mail. In a letter to the Secretary this week, the three organizations and a cooperating attorney wrote that e-mail balloting is not required by Federal or State law, and exposes voters’ ballots to unacceptable risk of error or fraud.

This week, Dr. Alex Halderman and his students at the University of Michigan provided a powerful demonstration of the wisdom of avoiding the electronic submission of voted ballots for the foreseeable future. Professor Halderman’s team hacked the District of Columbia’s pilot Internet voting portal for the District’s overseas and military voters, changing the contents of encrypted ballots and re-encrypting them, discovering the identities and user PINs of voters – as well as noting attempts by users in Iran and China to gain access to the DC voting system.

Verified Voting Public Commentary: Verified Voting Lauds Successful Test Hack of Internet Voting Pilot

Verified Voting applauds the decision of the District of Columbia Board of Elections and Ethics to suspend their plan to offer overseas voters the dangerous option of returning their voted ballots by a “digital vote by mail” Internet voting system. The District’s plans to continue other Internet-based ballot return methods (including email and fax) for the District’s military and civilian overseas voters still raise concerns among voting security experts. DC election officials made the decision after inviting technology experts to hack the Board’s prototype voting system during a trial period. The test pilot was apparently attacked successfully shortly after it began by a team of academic experts led by Prof. J. Alex Halderman at the University of Michigan.

The attack caused the University of Michigan fight song to be played for test voters when they completed the balloting process. Full details of the hack and its impact on submitted test ballots are expected to become available in the coming days. In addition to the Michigan team’s breach of the voting system, Verified Voting’s Board Chair Dr. David Jefferson documented a very serious vote loss problem that caused voters to inadvertently return blank ballots while believing that they had submitted complete ballots. The disenfranchising bug was noted in at least two widely used computer/browser configurations. It is possible that the same problem would affect voters trying to use email or some fax systems to return voted ballots.

Verified Voting Blog: The meaning of Alex Halderman’s successful attack on the DC Internet voting system

University of Michigan Prof. Alex Halderman has now released some details about his successful attack on the District of Columbia’s proposed Internet voting system which has been under test for the last week. (See www.freedom-to-tinker.com.) It is now clear that Halderman and his team were able to completely subvert the entire DC Internet voting system remotely, gaining complete control over it and substituting fake votes of their choice for the votes that were actually cast by the test voters. What is worse, they did so without the officials even noticing for several days. Let there be no mistake about it: this is a major achievement, and supports in every detail the warnings that the security community has been giving about Internet voting for over a decade now. After this there can be no doubt that the burden of proof in the argument over the security of Internet voting systems has definitely shifted to those who claim that the systems can be made secure.

Verified Voting Blog: How the Internet Works

If we can use the Internet to deliver blank ballots, then why not use it to return voted ballots? Part of the answer lies with the nature of the Internet itself. If we are to be sure that the vote cast is the same as the vote counted, we need a way to guarantee that 1) the voted ballot has not been substituted or altered in transit, and 2) the ballot received actually was sent by the voter, not someone impersonating them. But due to the way the Internet currently works, neither of these conditions can be assured. Before looking at sending ballots via Email, it’s helpful to understand how all Internet communication works, whether it be an email, website, file download, or tweet. What we now call the Internet grew out of research on connecting computers of different types and at different locations into a single network. One of the problems facing researchers was how to move electronic information reliably on pathways that are unknown and unpredictable. Two computers might be connected via a wire across the room, or across a huge network of sub-connections spanning the planet.

Verified Voting Blog: Internet Voting – An Introduction

In a wired world, it was inevitable that the subject of Internet Voting become a hot topic sooner rather than later. But more than just a topic of discussion, this year eighteen states will allow overseas ballots to be returned via email in November’s elections. Yet according to security experts, voted ballots sent via Internet…

Verified Voting Blog: State Election Officials: Recountable Process a Must for Overseas Voters

Last week, the National Association of Secretaries of State (NASS) adopted a resolution acknowledging both serious security and privacy concerns related to Internet voting and the need for a verifiable, recountable election process. Verified Voting applauds NASS for adopting this official position. Military and overseas voters (also called “UOCAVA voters” after the Uniformed and Overseas Citizens Absentee Voting Act) were a major topic at NASS’s summer conference last week in Providence, Rhode Island. States are now working hard to implement a recently enacted amendment to UOCAVA, the Military and Overseas Voter Empowerment Act of 2009 (MOVE). The MOVE Act’s requirements include delivery of ballots to military and overseas voters 45 days prior to Federal elections and the option for electronic delivery of blank ballots to UOCAVA voters. One of the primary topics at the conference was a policy not required by MOVE: the use of the Internet for the return of completed ballots to election officials. Some states, for example West Virginia and Arizona, are experimenting with various forms of Internet voting, and over 30 states now allow, under varying circumstances, e-mail or fax delivery of voted ballots from UOCAVA voters.

Verified Voting Blog: Comments on EAC UOCAVA Pilot Program Testing Requirements

This week the Election Assistance Commission (EAC) released public comments submitted on their draft UOCAVA Pilot Program Testing Requirements. The EAC document spells out testing and certification requirements for Internet voting pilot programs for military and overseas voters, partly in response to the requirements of the Military and Overseas Voter Empowerment (MOVE) Act passed in 2009. The MOVE Act required many excellent improvements that increase opportunities for voters overseas to be able to cast their ballots in time to be counted. These changes include the electronic delivery of blank ballots and information, but not the electronic return of voted ballots. The Act also included a provision for experimental programs involving voting via the Internet. At least three states (AZ, CO, WV, and possibly GA and FL) are planning to carry out voluntary pilot programs this year. Despite the short time available for comment, many substantive comments were submitted, including from Verified Voting. While we do not mention them all here, there were many insightful comments and we urge you to read through them. Many of the comments expressed recurring themes:

Audits, Security Standards and Procedures: Verified Voting noted that an equipment manufacturing standard alone is insufficient to provide anything resembling “reasonable assurance that the pilot systems will operate correctly and securely”, as stated in Section 1.1.3 of the EAC Draft. We assert that a comprehensive security plan is required, not merely an equipment testing plan. Robust post-election audits are essential to demonstrating correct and secure operation of any voting system, be it remote or local.

Verified Voting Blog: Military and Overseas Voting Update

For members of the military, their families, and other United States citizens living overseas, voting has always presented unique challenges. Some of these problems include reliable delivery of blank ballots to the voters, secure and timely return of voted ballots, and authenticating that ballots were completed and returned by the same person they were sent to. According to an EAC study, Voting from Abroad: A Survey Of UOCAVA Voters:

There are no reliable data available on the number of [military and overseas] voters dispersed around the globe; some estimates hover around 4 million. Active-duty military are estimated at 1.5 million and family of military another 1.5 million.

In 1986 and again in 2009, Congress passed laws looking to improve access to voting for military and overseas voters. And today, as communication technologies like fax and email have become available, states are moving forward with plans for electronic transmission and receipt of ballots, all too often without sufficient regard for the privacy and security issues involved.

Verified Voting Blog: Verified Voting Comments to EAC on Internet Voting Pilots

With many states already deploying a form of Internet voting, email return of voted ballots (see map), it is important that requirements for remote voting systems and the pilot programs that test them reflect the highest standards for security. On April 30, 2010, Verified Voting submitted comments to the EAC on proposed testing requirements for military and overseas voting pilot programs that use remote technologies such as Internet Voting. In a letter to the EAC, president Pam Smith said that the comments focused on “the broad outlines of the pilot program and core precepts to which we believe any pilots should adhere.” Sending voted ballots over the public Internet “is in a security class by itself,” the letter noted, and these ballots are vulnerable to attacks from a wide range of individuals, organizations, and even governments. “Voting systems for UOCAVA voters should not be held to a higher security standard than domestic absentee voting,” the letter said, “nor should UOCAVA voters be required to use a system that is less secure than those used by voters back home.”

Verified Voting Blog: Verified Voting Comments on EAC Internet Pilot Requirements

Thank you for the opportunity to comment on the proposed UOCAVA Pilot Program Testing Requirements. We appreciate the invitation for public input to such an important initiative. In this letter we confine our comments to the broad outlines of the pilot program and core precepts to which we believe any pilots should adhere. The Verified Voting Foundation has benefited greatly from prominent experts whose professional work duties include achieving U.S. national security objectives within digital networks and computer communications. This expertise leads us to set forth this core understanding: Federal election security is a fundamental component of U.S. national security. Applying this principle, we submit that election security should not be compromised for convenience or transmission speed. Internet voting (which for purposes of these comments we define as transmission of voted ballots over the public Internet) is in a security class by itself. In comparing Internet transmission of voted ballots to paper absentee ballot voting, we agree with the oft-made point that voting systems for UOCAVA voters should not be held to a higher security standard than domestic absentee voting. Nor should UOCAVA voters be required to use a system that is less secure than those used by voters back home.

Verified Voting Blog: Responsible Use of Technology for Overseas Voting

Last November, the Federal Voting Assistance Program (FVAP) contacted each State with recommendations for meeting the new requirements established in the MOVE Act with the goal of bringing the absentee voting success rate for Uniformed Service members, their families and citizens residing outside the U.S. in line with that of the general population. Verified Voting strongly supports FVAP’s specific recommendations: providing a 45 day period for ballot transit, removal of notary and witnessing requirements, participation with the Uniform Law Commission efforts towards regularizing rules for overseas voters, and the responsible use of technology to aid in providing voting materials to military and overseas citizens. As an active participant in the Alliance for Military and Overseas Voting Rights (AMOVR), we agree with the principle that “transmitting blank ballots electronically does not risk voters’ privacy while improving the process in all States.” Through these recommendations each state can meet the requirements of the MOVE Act without undue risk to the integrity of the electoral process, and greatly facilitate the voting process for the citizens serving our nation in uniform and others living overseas.

However, some States are considering going beyond these recommendations in ways that could be harmful. Experts in technology such as NIST, the GAO and internal reviewers of Department of Defense projects cite significant concerns with respect to the electronic submission of voted ballots. Such systems would rely on computers, servers and/or networks outside the control of election officials, for which criteria for testing and secure operation have yet to be established. Attacks on such systems could significantly threaten the integrity of elections or the ability of voters to cast ballots. Even minor phishing and spoofing attacks could trick voters into giving up their voting credentials to an attacker.

Verified Voting Blog: Software in Dangerous Places

Software increasingly manages the world around us, in subtle ways that are often hard to see. Software helps fly our airplanes (in some cases, particularly military fighter aircraft, software is the only thing keeping them in the air). Software manages our cars (fuel/air mixture, among other things). Software manages our electrical grid. And, closer to home for me, software runs our voting machines and manages our elections. Sunday’s NY Times Magazine has an extended piece about faulty radiation delivery for cancer treatment. The article details two particular fault modes: procedural screwups and software bugs. The procedural screwups (e.g., treating a patient with stomach cancer with a radiation plan intended for somebody else’s breast cancer) are heartbreaking because they’re something that could be completely eliminated through fairly simple mechanisms. How about putting barcodes on patient armbands that are read by the radiation machine? “Oops, you’re patient #103 and this radiation plan is loaded for patient #319.”

Verified Voting Blog: What Google's New China Policy Tells Us About Internet Voting

Google recently announced in an important change of policy that it will stop censoring search results for queries coming from China. That is interesting in its own right, but is not why I am writing this article. According to their corporate blog post, what prompted this change of policy was the discovery of “a highly sophisticated and targeted attack on [Google’s] corporate infrastructure originating from China”. They found similar attacks on “at least twenty other large companies from a wide range of businesses”. Google further said that they “have evidence to suggest that a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists”. We are not likely to hear more detail in public about the attacks, but this is extraordinary news.

Verified Voting Blog: Candice Hoke Comments to the FCC on Internet Voting

In her response to the FCC’s question about what we can learn from pilot projects that have tested online voting, Verified Voting Foundation Board of Advisors member Candice Hoke observed that none of the domestic internet voting pilot projects have been properly structured to test for and approximate the risks that would be posed to domestic US elections. Specifically, she noted that these pilots are especially remiss in conceptualizing the risks for elections to Federal and Statewide office, where the fiscal control over billions of dollars is concerned, and the direction of military powers and foreign policy/aid.

Hoke continued: “The Internet voting pilot programs were structured by for-profit vendors, who also reported on their “success” without any independent evaluation and transparency on some critical dimensions. In Hawai’i, the project did report a dramatic drop in the reported rate of voter participation. The pilot, however, did not include any structures by which an assessment could be conducted of whether technical attacks had occurred to intercept, modify or otherwise block voted ballots from reaching the election processing location. Nor did it offer any auditing assessments that the ballots as tabulated matched the ballots as cast by voters. Thus, no conclusions can be drawn about the pilot’s success, and it bears little relation to a Federal or Statewide election context.