Switzerland made headlines this month for the transparency of its internet voting system when it launched a public penetration test and bug bounty program to test the resiliency of the system to attack. But after source code for the software and technical documentation describing its architecture were leaked online last week, critics are already expressing concern about the system’s design and about the transparency around the public test. Cryptography experts who spent just a few hours examining the leaked code say the system is a poorly constructed and convoluted maze that makes it difficult to follow what’s going on and effectively evaluate whether the cryptography and other security measures deployed in the system are done properly. “Most of the system is split across hundreds of different files, each configured at various levels,” Sarah Jamie Lewis, a former security engineer for Amazon as well as a former computer scientist for England’s GCHQ intelligence agency, told Motherboard. “I’m used to dealing with Java code that runs across different packages and different teams, and this code somewhat defeats even my understanding.”
Full Article: Experts Find Serious Problems With Switzerland's Online Voting System.
This article originally appeared on Electronic Frontier Foundation’s website on February 4th, 2019.
Experts agree: Internet voting would be an information security disaster. Unfortunately, the Commonwealth of Virginia is considering a pair of bills to experiment with online voting. Pilot programs will do nothing to contradict the years of unanimous empirical research showing that online voting is inherently vulnerable to a variety of threats from malicious hackers, including foreign nations.
EFF strongly opposes Virginia H.B. 2588 and S.J.R. 291, and all online voting. Instead, EFF recommends that absentee voting, like all voting, be conducted with paper records and risk-limiting audits, the current state of the art in election security.
Full Article: No to Online Voting in Virginia | Electronic Frontier Foundation.
The future of voting should not involve your cellphone, according to a leading cybersecurity expert. In a first-of-its-kind pilot program, West Virginia will test blockchain encrypted mobile phone voting for members of the U.S. military. But Joe Hall, chief technologist and director of internet architecture at the Center for Democracy & Technology, warned that the plan presents a host of risks. “West Virginia has taken the ridiculous step of deciding that they’re going to not only vote on a mobile device, which in and of itself is just a bad idea, but use a blockchain mechanism, something associated with crypto-currency or bitcoin,” Hall told Grant Burningham, host of the Yahoo News podcast “Bots & Ballots.” In a September interview with Burningham, venture capitalist Bradley Tusk argued that his foundation’s plan to test cellphone voting was a way to boost voter participation in the U.S. However, Hall believes the risks outweigh the possible benefits.
Full Article: Blockchain voting too risky, cybersecurity expert says.
Amid suspicions of interference in the 2016 elections, states must be more careful than ever to provide heightened security in this year’s primaries. Yet, West Virginia has just introduced a more vulnerable form of voting for deployed military personnel. West Virginia is now the first state to pilot blockchain technology, to allow some deployed soldiers to vote through mobile phones. Yet cyber security experts warn that this technology, also used for cryptocurrencies, poses dangers for voting. Instead of pioneering voting’s future, West Virginia is paving the way for future election hacking. Blockchain technology addresses only part of the security process currently used by those administering U.S. elections. It’s like installing a high-tech lock and alarm system in your home, and then leaving a front door key and the alarm pass code under the doormat. The alarm system may work perfectly, but until the keys and pass codes are also secure, your home won’t be secure, either.
Full Article: Audrey Malagon: Our soldiers deserve secure votes | Op-Ed Commentaries | wvgazettemail.com.
Dr. Vanessa Teague is one frustrated cryptographer. A researcher at the University of Melbourne in Australia, Teague has twice demonstrated massive security flaws in the online voting systems used in state elections in Australia — including one of the largest deployments of online voting ever, the 2015 New South Wales (NSW) state election, with 280,000 votes cast online. The response? Official complaints about her efforts to university administrators, and a determination by state election officials to keep using online voting, despite ample empirical proof, she says, that these systems are not secure.
Full Article: Online voting is impossible to secure. So why are some governments using it? | CSO Online.
The Election Commission of Pakistan (ECP) has formed a committee to conduct a technical audit of the Internet voting solution process that was proposed by the National Database and Registration Authority (Nadra). The task force formed on the directions of the Supreme Court is mandated to assess the technical soundness of the web-based automated system that has been designed to help overseas Pakistanis vote through the Internet. Only expatriates who have been issued national identity cards for overseas Pakistanis and valid machine-readable passports will be eligible to use the system to cast their votes.
Full Article: ECP sets up team to scrutinise Internet voting system - Newspaper - DAWN.COM.
Editorials: Blockchain is not only crappy technology but a bad vision for the future | Kai Stinchcombe/Medium
Blockchain is not only crappy technology but a bad vision for the future. Its failure to achieve adoption to date is because systems built on trust, norms, and institutions inherently function better than the type of no-need-for-trusted-parties systems blockchain envisions. That’s permanent: no matter how much blockchain improves it is still headed in the wrong direction. This December I wrote a widely-circulated article on the inapplicability of blockchain to any actual problem. People objected mostly not to the technology argument, but rather hoped that decentralization could produce integrity.
Full Article: Blockchain is not only crappy technology but a bad vision for the future.
IT experts on Thursday raised objections over an e-voting software prepared by National Database and Registration Authority (NADRA) to enable overseas Pakistanis to cast their votes in the forthcoming elections. A three-member bench of the Supreme Court, led by Chief Justice Saqib Nisar, Thursday resumed hearing of a case pertaining to voting rights to overseas Pakistanis. During the hearing, the NADRA chairman briefed the SC bench, officials of the Election Commission of Pakistan (ECP) and representatives of different political parties on the e-voting system. The official said that providing e-voting facility to around 7 million overseas Pakistanis would cost Rs150 million.
Full Article: IT experts object to NADRA's e-voting software for overseas Pakistanis | Pakistan - Geo.tv.
Bradley Tusk is best known as the former political operative who invented lobbying for the sharing economy. He’s the guy who claims credit for turning hordes of Uber customers into city-hall picketers whenever the ride-hailing company objected to new taxi regulations in New York, Washington, or a half-dozen other cities. When states tried to crack down on fantasy sports websites that offer daily cash prizes, one of the biggest, Fanduel, hired Tusk to mobilize its user base to hit back at attorneys general. When a local government suggests that the people who pick up home-improvement jobs through Handy should be classified as employees entitled to benefits, the app calls in Tusk to argue that those workers are independent contractors. … But Tusk’s financial backing and the Warner family’s enthusiasm shouldn’t be taken as proof that elections can be conducted securely over the internet, says Duncan Buell, a computer science professor at the University of South Carolina who focuses on voting systems and election integrity. “I am strongly opposed to electronic voting, and I think the whole notion of internet voting is completely nuts,” Buell says. “There are a number of issues that come up. The first is authentication. How do you verify who’s at the other end?”
Full Article: Meet the guy paying for West Virginia to run an election on blockchain.
Security concerns have re-emerged to further frustrate the Finnish government’s plans to launch a national e-voting system. But the country’s Ministry of Justice (MoJ) working group, which is leading the project, insists the venture is delayed rather than mothballed. Finland’s online e-voting project will now enter a problem-solving phase to identify advanced, effective and best practice solutions to protect a future e-voting system. … The MoJ estimates that the cost of launching and operating an e-voting system, based on a 15-year timespan, will be about €32m. But the risks attached to launching online voting in Finland currently outweigh its benefits, said Johanna Suurpää, chair of the MoJ’s e-voting working group (eVWG). “Our present position is that online voting should not be introduced in general elections as the risks are greater than the benefits,” said Suurpää. In its project feasibility report presented to the MoJ, the eVWG conceded that although a Finnish online e-voting system is technically possible, the technology available is not yet at a “sufficiently high level to meet all the requirements”.
Full Article: Security fears delay roll-out of national e-voting system in Finland.
The Alaska Division of Elections has announced it will suspend a little-used absentee voting program in an effort to improve the security of the state’s elections. In a note released last week, the division said it had received a “B” grade for election security in a recent study conducted by the Center for American Progress, a progressive public policy group. “B” was the highest grade awarded to any state in the country; 11 states received the ranking, the report indicated. Alaska’s report drew attention to the way the state handles absentee ballots submitted from overseas.
Full Article: To boost election security, Alaska suspends electronic absentee program | Juneau Empire - Alaska's Capital City Online Newspaper.
A leading data protection expert has warned of future security breaches if the government’s plan to introduce e-voting at a nationwide level goes ahead. Bruno Baeriswyl, data protection commissioner in canton Zurich, urged the authorities to give up plans, announced last April, for online voting across Switzerland. Speaking on the occasion of this year’s European Data Privacy Day at the end of January, Baeriswyl said that current technology could not guarantee that ballots remain secret in votes and elections. He and other cantonal data protection commissioners argued that digitalisation could undermine democratic principles even while online systems help to simplify procedures. “The current systems for e-voting override the secret ballot in votes and elections. But it is imperative that all transactions must always be verifiable in a secure system. As a result, either we have ballot secrecy or we don’t have a secure method,” Baeriswyl said. “And this is highly risky for our democracy.”
Full Article: How risky are flawed e-voting systems for democracy? - SWI swissinfo.ch.
National Database and Registration Authority (Nadra) Chairman Usman Mobin is set to apprise the Supreme Court on Monday of “non-technical challenges” and the minimum time required to develop an integrated internet voting system to enable overseas Pakistanis to cast their votes in the upcoming general elections. During the last hearing of the petitions seeking the right of vote for overseas Pakistanis, the Nadra chairman had tried to make a presentation before a SC bench, headed by Chief Justice Saqib Nisar, on the internet voting system, but at the outset he was intercepted by the chief justice when he sought a five-month time for developing the system. … Nadra spokesman Faik Ali, when contacted, said that after the court’s directive a Nadra team headed by the chairman held meetings with the ECP officials to discuss modalities, time frame and non-technical challenges related to the mechanism. He said the Nadra chairman would apprise the Supreme Court of the outcome of these meetings on Monday.
Full Article: SC to learn about ‘challenges’ in framing system for overseas voters - Pakistan - DAWN.COM.
Kaspersky, the Russian cybersecurity company accused of helping the Kremlin spy on the U.S. intelligence agencies as part of its 2016 election meddling, has launched a new product aimed at helping secure online voting and make elections more transparent and open. Polys, an online voting platform built using the same blockchain technology that underpins bitcoin, allows anyone to conduct “secure, anonymous, and scalable online voting with results that cannot be altered by participants or organizers,” the company said. Kaspersky is already speaking to a number of “politicians and political organizations in Europe” about using the system, and it says that countries in western Europe, Scandinavia and Asia are technologically and mentally ready to make the change to online voting. But one place Kaspersky will not be hawking Polys is Washington.
Full Article: Russian cybersecurity firm Kaspersky wants to run your next election – VICE News.
In order to ensure the security of online voting systems used in Switzerland, the government needs to issue a challenge to the worldwide hacker community, offering rewards to anyone who can “blow holes in the system”, says a computer scientist in parliament. Since it began in 2000, Switzerland’s e-voting project has been a matter of controversy. While some have been calling for its introduction to be fast-tracked in all the country’s 26 cantons, others would like to see the project slowed. In parliament there has been a call for a moratorium on electronic voting in the whole country for four years, except for the Swiss abroad. To put an end to all the concerns and convince the critics that security and secrecy of online voting can be guaranteed, Radical Party parliamentarian Marcel Dobler thinks there needs to be an unequivocal demonstration that systems used in Switzerland are proof against computer piracy. The best way to do this, he says, is to invite hackers to target them.
Full Article: Should Swiss vote hackers be rewarded with cash? - SWI swissinfo.ch.
Many of the 11,000 voting machines in New Jersey are so old, officials said, they will soon have to be replaced. Amid concerns about hacking, state lawmakers are examining how to make sure new machines will be more secure. While there’s no evidence of hacking, the machines are hackable, said Assemblyman Andrew Zwicker, D-Middlesex. And Princeton computer science professor Andrew Appel said he could quickly break the security seals on a voting machine, replace the chip that records the results, and reseal it so the tampering would be undetectable. “I was able to get a bunch of them and figure out what their weaknesses are,” he said during a hearing before lawmakers Thursday. “So if you have three or four seals on there, it’ll take me 10 minutes to get them off.”
Full Article: N.J. to replace thousands of aging voting machines : Election : WHYY.
The Supreme Court of Estonia rejected the appeal of the Conservative People’s Party of Estonia (EKRE) of the National Electoral Committee’s Sept. 6 decision not to ban electronic voting at the local government council elections taking place next month. The Supreme Court explained that, according to the Local Government Council Election Act, the National Electoral Committee has the right not to start electronic voting if the security or reliability of the electronic voting system cannot be ensured in such way that electronic voting could be conducted pursuant to the requirements of the act. The National Electoral Committee is not, however, required to cancel e-voting if it receives information indicating the possibility of adverse consequences.
The Conservative People’s Party of Estonia (EKRE) has submitted an appeal to Estonia’s National Electoral Committee challenging the committee’s decision to allow e-voting in the local elections this October despite a detected security risk that could affect 750,000 ID cards. According to EKRE parliamentary group chairman Martin Helme, the party finds that the Sept. 6 decision of the National Electoral Committee to still allow e-voting in the upcoming elections opens them up to vote manipulation and the influencing of election results, party spokespeople said. The party is seeking to have e-voting called off and the elections to be held with paper ballots exclusively.
Full Article: EKRE challenges electoral committee's decision to allow e-voting | News | ERR.
Estonia suffered an embarrassing blow to its much-vaunted ID cards that underpin everything from electronic voting to online banking, just days before hosting a big EU exercise on cyber warfare. International scientists have informed Estonian officials that they have found a security risk that affects almost 750,000 ID cards and that would enable a hacker to steal a person’s identity. The Baltic country of just 1.3m people stressed there was no evidence of a hack of what it has proclaimed to be the world’s most advanced IT card system. The cards are used to access a wide range of digital services from signing documents to submitting tax returns and checking medical records, as well as by foreigners who are e-residents in the country.
Full Article: Red faces in Estonia over ID card security flaw.
Editorials: Internet voting and paperless machines have got to go | Barbara Simons/Minneapolis Star Tribune
“They’ll be back in 2020, they may be back in 2018, and one of the lessons they may draw from this is that they were successful because they introduced chaos and division and discord and sowed doubt about the nature of this amazing country of ours and our democratic process.” — Former FBI Director James Comey, testifying about the Russian government before a House Intelligence Committee hearing, March 20, 2017
We are facing a major national security threat. As former Director Comey stated, we know that Russia attacked our 2016 election, and there is every reason to expect further attacks on our elections from nations, criminals and others until we repair our badly broken voting systems. Despite a decade of warnings from computer security experts, 33 states allow internet voting for some or all voters, and a quarter of our country still votes on computerized, paperless voting machines that cannot be recounted and for which there have been demonstrated hacks. If we know how to hack these voting systems, so do the Russians and Chinese and North Koreans and Iranians and ….
Full Article: Internet voting and paperless machines have got to go - StarTribune.com.