Last month, the New South Wales Electoral Commission’s ongoing battle to defend the integrity of its online voting system took chief information officer Ian Brightwell all the way to Switzerland — the last bastion of modern direct democracy. After requests from commissioner Colin Barry were knocked back by two other academic conferences, Brightwell finally got his chance to explain the NSW experience of implementing iVote in direct response to a pair of crusading academics who have doggedly attacked the online voting platform both in Australia and abroad. The organisers of the VoteID 2015 conference, held last month in Bern, Switzerland, deemed the claims and counter-claims interesting enough to design a special session around them. By now, most people who’ve heard about online voting in NSW would have also heard the persistent warnings of Vanessa Teague, a research fellow at the University of Melbourne, and J. Alex Halderman, an associate professor of computer science and engineering from the University of Michigan.Full Article: To defend iVote, the NSW electoral commission went to Switzerland.
In 2010, the District of Columbia decided to test its online absentee voter system. So officials held a mock election and challenged the public to do their best to hack it. It was an invitation that Alex Halderman, a computer-security expert at the University of Michigan, couldn’t resist. “It’s not every day that you’re invited to hack into government computers without going to jail,” he says. In less than 48 hours, Halderman and his students gained complete control of the system and rigged it to play the Michigan fight song each time a vote was cast. The students were ecstatic, but Halderman, who has a long history of exposing cybersecurity weaknesses, takes a more sober view. “This is the foundation of democracy we’re talking about,” he says.
“Internet voting” means different things to different people. To many folks, it might mean “click a button, submit, done.” To some—and for our purposes—it means anytime a voted ballot is transmitted in any way, shape or form via the Internet. Whatever the definition, computer scientists tell us that secure online voting is still many years, or even decades, away. For now, they say, using the Internet to return voted ballots can’t be done with confidence. Like it or not, Internet voting is on the minds of legislators and other policymakers. We say that, based on the 13 states that have had legislation in 2015 that deals in some way with permitting Internet voting. Only one has been enacted, Maine SB 552. So voters’ needs and technical expectations may push policymakers toward Internet voting—and at the same time security concerns are holding it back.Full Article: States and Election Reform | The Canvass: July 2015.
As many as 66,000 votes in the New South Wales state election 2015 could have been tampered with. The election was held on 28 March 2015 and is now closed. Voters used the iVote system which is described by its makers as “private, secure and verifiable” in its operation. Further, the Australian Electoral Commission insists that all Internet votes are and were “fully encrypted and safeguarded” at this time. The iVote system is a form of voting where eligible voters can vote over the Internet or telephone as an alternative to voting at a physical polling station. Security is provided using an 8-digit iVote number, a 6-digit PIN and a 12-digit receipt number for each individual. Australia is arguably a perfect test case for electronic voting with its vast distances that prevent some voters from getting to a polling location. A system like this also benefits the disabled and other less mobile voters. However, the system has been derided by non-profit digital rights group the Electronic Frontier Foundation (EFF), “The problem is that the system was not ready to be one of the biggest online voting experiments in the world.” EFF’s Farbod Faraji says that a FREAK flaw has been discovered in the Australian system by Michigan Computer Science Professor J Alex Halderman and University of Melbourne Research Fellow Vanessa Teague.Full Article: Votes gone walkabout after Australian election voting flaw - SC Magazine UK.
New South Wales Electoral Commission (NSWEC) CIO Ian Brightwell has defended the state’s online iVote system for the second time in as many weeks, after concerns were raised that a ballot error could put the state’s Legislative Council results in question for some seats. In the first two days of voting for the NSW state election, which was held on March 28, an error on the electronic ballot paper used for the online iVote system saw voters unable to vote above the line for two parties. … Brightwell’s defence of the NSW iVote system comes just two weeks after he fended off claims by online security researchers that the system had been vulnerable to a range of potential attacks, including those using the FREAK vulnerability. At the time, Brightwell played down the findings of the two researchers, Michigan Computer Science professor J Alex Halderman and University of Melbourne research fellow Vanessa Teague, saying that the vulnerability claims had been “overstated”.Full Article: NSW iVote ballot mistake put down to human error | ZDNet.
Australia: New South Wales Attacks Researchers Who Found Internet Voting Vulnerabilities | Electronic Frontier Foundation
A security flaw in New South Wales’ Internet voting system may have left as many as 66,000 votes vulnerable to interception and manipulation in a recent election, according to security researchers. Despite repeated assurances from the Electoral Commission that all Internet votes are “fully encrypted and safeguarded,” six days into online voting, Michigan Computer Science Professor J. Alex Halderman and University of Melbourne Research Fellow Vanessa Teague discovered a FREAK flaw that could allow an attacker to intercept votes and inject their own code to change those votes, all without leaving any trace of the manipulation. (FREAK stands for Factoring RSA Export Keys and refers to the exploitation of a weakness in the SSL/TLS protocol that allows attackers to force browsers to use weak encryption keys.) But instead of taking the researchers’ message to heart, officials instead attacked the messengers.Full Article: New South Wales Attacks Researchers Who Found Internet Voting Vulnerabilities | Electronic Frontier Foundation.
As Chicagoans trek to the polls Tuesday for the city’s first-ever mayoral runoff election, some may wonder why they can’t yet vote from the palms of their hands. “For me the biggest benefit of online voting would be convenience,” said K.C. Horne, a 26-year-old accountant from Edgewater. “If I can file my taxes from my phone, I should be able to vote from my phone.” But so far, both technological and legislative hurdles have sharply limited the use of online voting. One major difference: The need to keep the user’s identity secret makes filing ballots different from other secure online transactions. “It’s an unconventional transaction where you have to be able to do business with me, but I can’t know exactly what you’re buying,” said Chicago Board of Election Commissioners spokesman Jim Allen.Full Article: Chicago mayor's race: Why you aren't voting from a smartphone - Chicago Tribune.
Australia: NSW iVote security flaw may have affected thousands of votes: Researchers | Computerworld
United Kingdom: Security bug in Australia’s online voting system throws doubt on Britain’s digital election goal | Information Age
Britain’s hopes of enabling online voting in general elections by 2020 have faced a dose of reality after a security vulnerability in an Australian system was exposed. The iVote system was introduced for the New South Wales (NSW) State Election in 2011 for voters who are more than 20 kilometres from a polling station, and has also been used in subsequent state by-elections. But its use in NSW’s state election this month has faced intense scrutiny after researchers discovered a major security hole that could allow a hacker to read and manipulate votes. With 66,000 online votes already cast by the time Vanessa Teague and J. Alex Halderman, of the University of Melbourne and University of Michigan respectively, disclosed their revelation, the legitimacy of the entire election has been called into doubt.Full Article: Security bug in Australia’s online voting system throws doubt on Britain’s digital election goal | Information Age.
Australia: International experts warn of the risks of Australian online voting tools | Sydney Morning Herald
Australia and other countries are a decade or longer away from safe methods of online voting in state and national elections and current tools pose a serious risk to democratic processes, people at a public lecture heard on Monday night. University of Michigan researcher J Alex Halderman and University of Melbourne research fellow Vanessa Teague said online voting in Saturday’s New South Wales election could have been seriously compromised through security weaknesses in the iVote system, being used in the upper house. The pair, in a a public lecture at the Australian National University, said that internet voting continued to raise some of the most difficult challenges in computer security and could not be considered completely safe. They reported faults in the NSW system to electoral authorities last week, ahead of as many as 250,000 voters using online systems to participate in the ballot.Full Article: International experts warns of the risks of Australian online voting tools.
Next weekend, voters in the Australian State of New South Wales go to the polls to elect a new government. Some have already cast their votes online, with a system that may be running the FREAK bug. So say Vanessa Teague and J. Alex Halderman, respectively a research fellow in the Department of Computing and Information Systems at at the University of Melbourne and an assistant professor of computer science and engineering at the University of Michigan and director of Michigan’s Center for Computer Security and Society. The system in question is called iVote system and was launched in 2011 to assist voters who live 20 kilometres or more from a polling station, or those will be overseas or interstate on election day. But Teague and Halderman say their proof-of-concept probe on a “practice” system showed it is possible to “… intercepts and manipulate votes … though the same attack would also have succeeded against the real voting server,” the pair wrote in analysis.Full Article: Australian online voting system may have FREAK bug • The Register.
Editorials: Why we don’t have online voting (and won’t for a long while) | Michael Cochrane/World Magazine
Society deems the voting process so important that it must be 100 percent reliable. We may tolerate failures with our cars and computers, but not our elections. The degree to which an election is free and fair is the very heart of our representative form of democracy in the United States. Technological advancements that might make the voting process more efficient or convenient could also chip away at that integrity, which requires a voting system that is available, secure, and verifiable. At an early October panel discussion on internet voting hosted by the Atlantic Council, Pamela Smith, president of Verified Voting, addressed voting system availability. “If the equipment should happen to break down, you need something else to vote on to replace it. Otherwise people are disenfranchised by that malfunction,” she said. … “Any voting system that you use has to be able to demonstrate clearly to the loser and their supporters that they lost,” Smith said. “And to do that, you need actual evidence. Voters need to be able to see that their votes were captured the way that they meant for them to be and election officials need to be able to use that evidence to demonstrate that votes were counted correctly.”Full Article: WORLD | Why we don’t have online voting (and won’t for a long while) | Michael Cochrane | Nov. 4, 2014.
Americans across the country will participate Tuesday in one of the most basic civic duties: voting. For many, that means taking time off work, driving to a designated polling place and casting their ballot through standalone voting machines. But what if the process of voting could be vastly different? Today we can do almost anything on the Internet from banking to ordering take-out, so it only feels natural that we should be able to vote that way too. … Not all elections experts think going online is a great idea. But Thad Hall, a professor of political science at the University of Utah, is ready. You know it’s kind of the ultimate easy, convenient way to vote. And I don’t have to have a piece of paper, I don’t have to mail it back, I can send my ballot instantaneously. If Hurricane Sandy comes, I don’t have to worry about voting because I can just vote from my phone or I can vote from a computer somewhere.” But then there are the naysayers, many of them statisticians and engineers who think the Internet is too insecure for such a sacred thing as voting.Full Article: Can we trust the Internet with our most basic civic duty? - DecodeDC Story.
Alaska: Hackers Could Decide Who Controls Congress Thanks to Alaska’s Terrible Internet Ballots | The Intercept
When Alaska voters go to the polls tomorrow to help decide whether the U.S. Senate will remain in Democratic control, thousands will do so electronically, using Alaska’s first-in-the-nation internet voting system. And according to the internet security experts, including the former top cybersecurity official for the Department of Homeland Security, that system is a security nightmare that threatens to put control of the U.S. Congress in the hands of foreign or domestic hackers. Any registered Alaska voter can obtain an electronic ballot, mark it on their computers using a web-based interface, save the ballot as a PDF, and return it to their county elections department through what the state calls “a dedicated secure data center behind a layer of redundant firewalls under constant physical and application monitoring to ensure the security of the system, voter privacy, and election integrity.” That sounds great, but even the state acknowledges in an online disclaimer that things could go awry, warning that “when returning the ballot through the secure online voting solution, your are voluntarily waving [sic] your right to a secret ballot and are assuming the risk that a faulty transmission may occur.”Full Article: Hackers Could Decide Who Controls Congress Thanks to Alaska's Terrible Internet Ballots - The Intercept.
It took just one typo in one line of code to elect a malevolent computer program mayor of Washington, D.C. In the fall of 2010, the District staged a mock election to test out a new online voting system, and invited hackers to check its security. A team from the University of Michigan took them up on the offer. They quickly found a flaw in the code and broke in. They changed every vote. Master Control Program, the self-aware software that attempts to take over the world in the film Tron, was a runaway write-in candidate for mayor. Skynet, the system that runs a robot army in the Terminator franchise, was elected to Congress. And Bender, the hard-drinking android in the cartoon Futurama, became a member of the school board. Incredibly, it took D.C. officials two days to realize they had been hacked. …The use of Internet voting is exploding. Nearly 100 Ontario municipalities are using it in Monday’s election – including one that will even ditch paper ballots entirely. Proponents contend it is not only more convenient, but more equitable, giving people who cannot get to physical polling stations the same opportunity to vote as everyone else. But the expansion of e-voting has also caused consternation for some security researchers and municipal officials. They worry that entrusting this pillar of democracy to computers is too great a risk, given the potential for software problems – or hackers determined to put beer-swilling robots on the school board.Full Article: Rise of e-voting is inevitable, as is risk of hacking - The Globe and Mail.
National: Paper: Great promise for online voting if security, verification challenges met | FierceGovernmentIT
Without a vast improvement in security, privacy and verification protocols, broad adoption of online voting – which has the potential to make voting easier and more accessible, improve turnout and reduce costs – is unlikely to take off, a new paper argues. For example, if a hacker steals money from a bank, retailer or another company, then the theft can be easily discovered and customers compensated for any loss. “Online voting poses a much tougher problem: lost votes are unacceptable,” writes the paper’s author, Peter Haynes, a nonresident senior fellow at the Atlantic Council’s Brent Scowcroft Center on International Security. “And unlike paper ballots, electronic votes cannot be ‘rolled back’ or easily recounted. The twin goals of anonymity and verifiability within an online voting system are largely incompatible with current technologies,” he adds. The paper (pdf), which was released Oct. 8 and sponsored by Internet security company McAfee, spells out the pitfalls and advantages of online voting.Full Article: Paper: Great promise for online voting if security, verification challenges met - FierceGovernmentIT.
Maryland’s Board of Elections fell one vote short last year of the super-majority needed to inch the state toward online on-line voting, despite cyber experts’ warnings that such balloting could easily be hacked, with votes even switched to other candidates. Now, three months before this fall’s elections, the issue has morphed into a legal battle pitting the blind vs. the blind. It’s a fight with plenty of intrigue behind it and nationwide implications in the debate over whether cyber security is ready for electronic voting. The National Federation of the Blind Inc., which touts itself as the recognized voice of blind Americans and their families, filed a federal court suit in May seeking to compel the state elections board to make its newly developed online ballot-marking system available so that all disabled people could cast absentee ballots via the internet this fall. It’s a suit that likely wasn’t unwelcome to the three board members who voted to implement the system and to state Election Director Linda Lamone, a big advocate of electronic voting. But over the weekend, the American Council of the Blind of Maryland, along with three blind residents and two nonprofit groups that have fought internet voting, intervened in the case filed in Baltimore. They contend that the board’s online balloting tool is both flawed and insecure.Full Article: WASHINGTON: On-line voting battle pits the blind vs. the blind | Suits & Sentences | McClatchy DC.
Editorials: Utah is correct to both be at the front of online voting, and cautiously study security | Deseret News
Utah Lt. Gov. Spencer Cox has convened a committee to study how the Beehive State might proceed with online voting. He has said Internet voting is inevitable, but his office agrees that security is the top concern. That is the correct attitude to assume as this effort proceeds. Security — the idea that a voter’s secret ballot is transmitted and tabulated correctly — must be nailed down and ensured beyond any reasonable doubt before anyone votes directly through the Internet. If voters lose confidence in the integrity of the election system, the notion of government by the people would be imperiled. We have yet to hear of any online effort that has successfully overcome these concerns. Norway, a pioneer in online voting, ended a three-year experiment with it last month, citing a lack of security. A small number of people there succeeded in voting twice by casting both online and paper ballots.Full Article: In our opinion: Utah is correct to both be at the front of online voting, and cautiously study security | Deseret News.
Namibia: Implementing Biometric-Based Systems – Researchers Challenge Electronic Voting | allAfrica.com
In line with last week’s article “Implementing Biometrics based Systems: Electronic Voting Selection Criteria”, we continue our focus on electronic voting, known as e-voting, to be held in Namibia. In addition, the Biometric Research Laboratory, BRL, at Namibia Biometric System will answer some of the questions received in last week’s article. However, researcher at BRL and worldwide have been keen to get access to e-voting machine and independently assess the merits of the machines. Researchers at BRL would like to highlight some of the latest findings on e-voting machines conducted by researchers from the University of Michigan. Recently in May 2014, researchers at the University of Michigan said they have developed a technique to hack into the Indian electronic voting machines. University of Michigan researchers were able to change results by sending text messages from a mobile.Full Article: allAfrica.com: Namibia: Implementing Biometric-Based Systems - Researchers Challenge Electronic Voting.