National: Why You (Still) Can’t Vote Online | National Journal

When Hurricane Sandy hit in 2012, it threw New Jersey into an ad hoc experiment in online voting. … Had New Jersey’s experiment gone well, it would have been a major victory for advocates of online voting, who’ve long argued that the internet could be a valuable tool to protect the right to vote and increase dismal U.S. voting rates. It did not, however, go well at all: Email servers were overwhelmed, leaving voters unable to request or return their ballots. In an attempt to fix the situation, one elections official gave out his personal email address to voters to submit their ballot requests—and a security researcher discovered that his password recovery question was apparently his mother’s maiden name after looking at Hotmail’s password-reset form. The official says he was never hacked. … Security experts cried foul at the election, which saw an estimated 50,000 ballots cast electronically. They were concerned that voters’ personal data was potentially exposed, and were worried that there was an opportunity for ballots to go uncounted. “We don’t know how many of these votes were actually counted or shouldn’t have been counted versus lost, or how many people tried to use this system but were unable to get ballots,” Ed Felten, who was then the director of Princeton University’s Center for Information Technology Policy, told Al Jazeera in 2014. “We can’t measure it, but certainly there are indications of overflowing mailboxes, big backlogs and problems processing requests. So I don’t think you could conclude at all that this was a successful experiment.”

National: Internet voting isn’t ready yet, but it can be made more secure | Computerworld

A push to allow Internet voting in elections is growing stronger along with advances in the underlying technology, but systems are not yet secure enough to use with relative certainty that the vote counts will be accurate, according to a new report. Still, while “no existing system guarantees voter privacy or the correct election outcomes,” election officials could take several steps to significantly improve the security and transparency of Internet voting systems, said the report, commissioned by the U.S. Vote Foundation, an organization that helps U.S. residents vote. Election officials considering Internet voting must embrace an end-to-end verifiable Internet voting system, or E2E-VIV, said the report, released Friday. An E2E-VIV would be difficult to build, but it would allow voters to check that the system recorded their votes correctly, to check that it included their votes in the final tally and to double-check the announced outcome of the election, the report said. An Internet voting system must be transparent, useable and secure, said the report, echoing some recommendations security groups have made about other electronic voting systems. “An Internet voting system must guarantee the integrity of election data and keep voters’ personal information safe,” the report said. “The system must resist large-scale coordinated attacks, both on its own infrastructure and on individual voters’ computers. It must also guarantee vote privacy and allow only eligible voters to vote.”

National: Technology aims to improve the voting experience | The Washington Post

In an age where people can transfer money using their mobile device, it’s not hard to envision a future where citizens wake up on Election Day, pull out their phones and choose the next leader of the Free World on the way to work. Last week, a federal election agency took a small step toward that futuristic vision. … The updated guidelines will allow manufacturers to test machines against modern security and disability standards and get them certified for use by states ahead of the 2016 presidential election. … When it comes to Internet-based voting systems, many experts argue there’s no clear solution to address the issues of security and verifiability. A securely designed online system also needs to be easy to use, and so far that goal has eluded researchers, said Poorvi Vora, an associate professor of computer science at George Washington University who has researched Internet voting systems. Vora is part of a group of academics, computer scientists, election officials and activists working on a project led by the Overseas Vote Foundation, an Arlington, Va.-based nonprofit, to answer one question: Is it possible to design a system that lets people vote remotely in a secure, accessible, anonymous, convenient and verifiable manner? The answer so far is no, but the group says it is close to a possible solution and will present its design to the election research community and federal agencies this summer. As with health records or financial data, online security remains an obstacle.

Editorials: 5 Ways To Fix America’s Dismal Voter Turnout Problem | ThinkProgress

Voter turnout in the U.S. during the last midterm election hit the lowest point since the 1940s. The number of Americans heading to the polls each election has been declining for the last fifty years and lawmakers have recently been pushing efforts to keep even more people away from the polls. People do not exercise their right to vote for various reasons, some of which are easier to solve than others. According to a U.S. … Voters can already use their smartphones in some cities to simplify daily tasks like tracking how long they have to wait for a bus or train. So why shouldn’t information about polling places be available online? Joe Kiniry, the principal investigator with computer science company Galois, said that while he was working in Denmark, he helped to build a system voters could use to figure out the length of lines at polling places. “Of course it’s doing that by watching people’s cell phones as they walk into the polling place and figuring out how long it took you to get to the front of the line, how long it took you to leave,” he said. “So in the adoption of this cheap, easy technology… we’ve now traded off the cost and efficiency of an election with the privacy of voters.”

National: Internet Voting Hack Alters PDF Ballots in Transmission | Threatpost

Threats to the integrity of Internet voting have been a major factor in keeping the practice to a bare minimum in the United States. On the heels of the recent midterm elections, researchers at Galois, a computer science research and development firm in Portland, Ore., sent another reminder to decision makers and voters that things still aren’t where they should be. Researchers Daniel M. Zimmerman and Joseph R. Kiniry published a paper called “Modifying an Off-the-Shelf Wireless Router for PDF Ballot Tampering” that explains an attack against common home routers that would allow a hacker to intercept a PDF ballot and use another technique to modify a ballot before sending it along to an election authority. PDF ballots have been used in Internet voting trials in Alaska, and in New Jersey as a voting alternative for those displaced by Hurricane Sandy. The ballots are downloaded, filled out and emailed; the email is equivalent to putting a ballot into a ballot box. Election authorities then either print the ballots and count them by hand, or count them with an optical scanner. The Galois attack is by no means the only attack that threatens Internet voting; malware on a voter’s machine could redirect traffic or cause a denial of service condition at the election authority. But the attack described in the paper is certainly a much more quiet attack that the researchers say is undetectable, even in a forensics investigation.

National: Simple hack could alter Internet ballots | The Hill

Basic cyberattacks could tamper with electronically submitted ballots, leaving no trace behind, according to research from computer science firm Galois. On the heels of election watchdog groups criticizing Alaska’s use of ballots submitted online, Galois demonstrated that electronic ballots could be modified through simply hacking into home routers, which often have minimal security measures. “An off-the-shelf home Internet router can be easily modified to silently alter election ballots,” said the researchers, Daniel Zimmerman and Joseph Kiniry. A few states now allow voters to receive and return a ballot electronically. Election officials argue it is a way to increase voter participation, while technologists insist heightened turnout isn’t worth the high risk of fraud.

Oregon: Portland security firm has a warning for email voting | Portland Business Journal

It only took a couple days and tweaks to about 50 lines of code for a pair of security researchers from Portland-based Galois to demonstrate how hackers could change an election if email voting were to move beyond the pilot phase. Researchers Joseph Kiniry and Dan Zimmerman were able to show how files could be intercepted between the voter and election office through a relatively easy hack of standard router software. The duo looked at routers that are commonly used by household Internet Service Providers. “We did experiments on how it could be deployed if we were a bad guy,” Kiniry said. “Unfortunately, the state of security on these devices on the Internet is so poor.” Plus, he noted detecting that something was wrong was difficult and would take security experts to figure out the router was not working properly.

Alaska: Hackers Could Decide Who Controls Congress Thanks to Alaska’s Terrible Internet Ballots | The Intercept

When Alaska voters go to the polls tomorrow to help decide whether the U.S. Senate will remain in Democratic control, thousands will do so electronically, using Alaska’s first-in-the-nation internet voting system. And according to the internet security experts, including the former top cybersecurity official for the Department of Homeland Security, that system is a security nightmare that threatens to put control of the U.S. Congress in the hands of foreign or domestic hackers. Any registered Alaska voter can obtain an electronic ballot, mark it on their computers using a web-based interface, save the ballot as a PDF, and return it to their county elections department through what the state calls “a dedicated secure data center behind a layer of redundant firewalls under constant physical and application monitoring to ensure the security of the system, voter privacy, and election integrity.” That sounds great, but even the state acknowledges in an online disclaimer that things could go awry, warning that “when returning the ballot through the secure online voting solution, your are voluntarily waving [sic] your right to a secret ballot and are assuming the risk that a faulty transmission may occur.”