Australia: Victorian inquiry backs limited Internet-based e-voting | Computerworld

A Victorian parliamentary inquiry has backed the roll out of Internet-based voting for state elections, but only in limited circumstances. A report by the state parliament’s Electoral Matters Committee on the issue was tabled yesterday. The inquiry endorsed the use of remote electronic voting for electors who are blind or have low vision, suffer motor impairment, have insufficient language or literacy skills, or who are eligible to vote but interstate or overseas. Internet-based voting should be backed by the “most rigorous security standards available” to the Victorian Electoral Commission (VEC), the report recommended.

Australia: NSW’s e-Voting system under fire | Computerworld

In the aftermath of the 2 July federal election, Prime Minister Malcolm Turnbull and opposition leader Bill Shorten both indicated support for the potential use of eVoting to avoid drawn-out post-election ballot counting. However, the eVoting platform used in Australia’s most populous state — New South Wales’ iVote system — has again come under fire. The iVote system supports telephone and Internet-based voting in the state. The current version of iVote was produced by Scytl in partnership with the NSW Electoral Commission (NSWEC) and used in the 2015 state election. The robustness, privacy and verification method of the system have been questioned by two university researchers, one of whom was previously instrumental in uncovering a security vulnerability in iVote.

Australia: Electronic voting may be faster but carries security risks | The Australian

The federal elections have mercifully come to an end, but the prolonged vote count has re-energised calls for online electronic voting. The clamour for a speedy outcome is understandable given the 21st century demand for instant gratification, but there are unintended consequences that bear careful consideration. Not only do we run the risk of introducing a whole new set of problems but also potentially undermine the very fabric of our unique democratic system. Entrepreneurs are quick to make claims that their online voting systems are safe and secure, but are unable to provide iron clad guarantees. The potential reward for the successful supplier of an online electronic voting system would be $50 million to $100m annually so there can be no doubt that pressure will mount on the Australian Electoral Commission and equivalent state bodies. … Writing in The Conversation, Vanessa Teague and Chris Culnane from the University of Melbourne and Rajeev Gore from the Australian National University identified three reasons why we shouldn’t move to an online voting system: it might not be secure, the software might have bugs and, most important, if something goes wrong we might never know.

Editorials: E-voting is still the wrong answer to the wrong question | Stilgherrian/ZDNet

Here we go again. There’s been an election in Australia, so once more, with all the regularity of a cuckoo clock, politicians and pundits alike are proposing that electronic voting is the answer. So, here we go again, explaining why it’s a bad idea. First, if e-voting is the answer, what is the actual question? Here’s what troubles people this time. … Broadly speaking, there’s two kinds of e-voting: voting over the internet, and voting in person at polling stations where votes are recorded on computers rather than paper ballots. Whichever kind of e-voting we’re talking about, it has to solve a conundrum. How do we provide the complete transparency of process needed to eliminate fraud, while still maintaining the secrecy of individuals’ votes? As I wrote in 2011, transparency is the tricky bit. “Our paper voting system is easy to understand. Anyone with working eyesight and who can read and count can scrutineer the process. No special skills are required,” I wrote.

Australia: Election explainer: why can’t Australians vote online? | The Conversation

In 2015, more than 280,000 votes were received in the New South Wales election from a personal computer or mobile phone. This was the largest-ever binding election to use online voting. But federally, the Joint Standing Committee on Electoral Matters has ruled out allowing Australians to cast their vote online, arguing it risks “catastrophically compromising our electoral integrity”. Despite years of research, nobody knows how to provide evidence of an accurate result while keeping individual online votes private. Internet voting is similar to online banking, except you’re not sent a receipt saying “this is how you voted” because then you could be coerced or bribed. Your vote should be private, even from the electoral commission.

Australia: Let us test voting code, say academics | Associated Press

Doubts about the accuracy of the Senate vote count remain until the Australian Electoral Commission agrees to publicly release the computer code it uses. That’s the view of the Australian Greens and academics who have studied vote-counting software errors. University of Melbourne researchers recomputed the NSW local government election results from 2012, finding two errors in counting – one of which showed a candidate’s chances of election significantly being reduced. The NSW Electoral Commission on Tuesday announced it had corrected the software – originally bought from the AEC – following the study by researchers Andrew Conway and Vanessa Teague. But it was only because the NSWEC published its full preference data and coding that the errors were identified.

Australia: Buggy vote-counting software borks Australian election | The Register

The body overseeing elections in the Australian state of New South Wales (NSW) has acknowledged researchers’ claims of a bug in the software it uses to count votes. The NSW Electoral Commission (NSWEC) has corrected an error detected and described by researchers Andrew Conway and Vanessa Teague, and verified by computer science academics from the University of Melbourne and the Australian National University. The bug relates to extrapolation of voting patterns, a technique used in some Australian jurisdictions where a Single Transferable Vote (STV) system is used. Voters’ second preference candidate can secure a vote if the first preference has already been elected to a chamber using proportional representation.

New Zealand: Is internet voting secure enough to use? | Radio New Zealand

Serious weaknesses exposed in an online election in Australia are a warning for upcoming New Zealand local body elections, a computer security expert is warning. Eight councils throughout New Zealand are due to trial online voting in local body elections later this year: Selwyn, Wellington, Porirua, Masterton, Rotorua, Matamata Piako, Palmerston North and Whanganui. University of Melbourne computing expert Vanessa Teague did an analysis of the iVote internet voting system used in the New South Wales (NSW) state election last year, and she and the University of Michigan’s Alex Halderman have found a way to break into the system and interfere with votes. She told Nine To Noon there had been a lot of assurances about the safety of the system, and she wanted to test it and see if this was true.

Australia: E-voting: Why Australia isn’t voting electronically on election day | Daily Telegraph

We are the pioneers of the secret ballot electoral system, but when it comes to electronic voting, Australia has long been behind the pack. Kazakhstan, India, Brazil and Estonia are among the countries who long ago swapped pencil-and-paper ballots for e-voting at polling stations or over the internet. Meanwhile, in Australia, most of us continue to bemoan the chore of queuing for hours at the polling booth. … During the NSW state election in March, residents who were vision impaired, disabled or out of town on election day were able to cast their vote with the remote voting system, iVote, in what was the biggest-ever test of e-voting in the country. … But the success of iVote was marred by reports two security experts had exposed a major security hole that could potentially affect huge numbers of ballots and maybe even change the election outcome. University of Melbourne research fellow Vanessa Teague said she and Prof Alex Halderman from the University of Michigan found iVote had a vulnerability to what’s called a man-in-the-middle attack when they tested the system with a practice server in the lead-up to the election. “We could expose how the person intended to vote, we could manipulate that vote, and we could interfere with the return of the receipt number and thus prevent the person from logging into the verification server afterwards,” she told news.com.au.

Australia: To defend iVote, the NSW electoral commission went to Switzerland | The Mandarin

Last month, the New South Wales Electoral Commission’s ongoing battle to defend the integrity of its online voting system took chief information officer Ian Brightwell all the way to Switzerland — the last bastion of modern direct democracy. After requests from commissioner Colin Barry were knocked back by two other academic conferences, Brightwell finally got his chance to explain the NSW experience of implementing iVote in direct response to a pair of crusading academics who have doggedly attacked the online voting platform both in Australia and abroad. The organisers of the VoteID 2015 conference, held last month in Bern, Switzerland, deemed the claims and counter-claims interesting enough to design a special session around them. By now, most people who’ve heard about online voting in NSW would have also heard the persistent warnings of Vanessa Teague, a research fellow at the University of Melbourne, and J. Alex Halderman, an associate professor of computer science and engineering from the University of Michigan.

Australia: Votes gone walkabout after Australian election voting flaw | SC Magazine UK

As many as 66,000 votes in the New South Wales state election 2015 could have been tampered with. The election was held on  28 March 2015 and is now closed. Voters used the iVote system which is described by its makers as “private, secure and verifiable” in its operation. Further, the Australian Electoral Commission insists that all Internet votes are and were “fully encrypted and safeguarded” at this time. The iVote system is a form of voting where eligible voters can vote over the Internet or telephone as an alternative to voting at a physical polling station. Security is provided using an 8-digit iVote number, a 6-digit PIN and a 12-digit receipt number for each individual. Australia is arguably a perfect test case for electronic voting with its vast distances that prevent some voters from getting to a polling location. A system like this also benefits the disabled and other less mobile voters. However, the system has been derided by non-profit digital rights group the Electronic Frontier Foundation (EFF), “The problem is that the system was not ready to be one of the biggest online voting experiments in the world.” EFF’s Farbod Faraji says that a FREAK flaw has been discovered in the Australian system by Michigan Computer Science Professor J Alex Halderman and University of Melbourne Research Fellow Vanessa Teague.

Australia: NSW iVote ballot mistake put down to human error | ZDNet

New South Wales Electoral Commission (NSWEC) CIO Ian Brightwell has defended the state’s online iVote system for the second time in as many weeks, after concerns were raised that a ballot error could put the state’s Legislative Council results in question for some seats. In the first two days of voting for the NSW state election, which was held on March 28, an error on the electronic ballot paper used for the online iVote system saw voters unable to vote above the line for two parties. … Brightwell’s defence of the NSW iVote system comes just two weeks after he fended off claims by online security researchers that the system had been vulnerable to a range of potential attacks, including those using the FREAK vulnerability. At the time, Brightwell played down the findings of the two researchers, Michigan Computer Science professor J Alex Halderman and University of Melbourne research fellow Vanessa Teague, saying that the vulnerability claims had been “overstated”.

Australia: New South Wales Attacks Researchers Who Found Internet Voting Vulnerabilities | Electronic Frontier Foundation

A security flaw in New South Wales’ Internet voting system may have left as many as 66,000 votes vulnerable to interception and manipulation in a recent election, according to security researchers. Despite repeated assurances from the Electoral Commission that all Internet votes are “fully encrypted and safeguarded,” six days into online voting, Michigan Computer Science Professor J. Alex Halderman and University of Melbourne Research Fellow Vanessa Teague discovered a FREAK flaw that could allow an attacker to intercept votes and inject their own code to change those votes, all without leaving any trace of the manipulation. (FREAK stands for Factoring RSA Export Keys and refers to the exploitation of a weakness in the SSL/TLS protocol that allows attackers to force browsers to use weak encryption keys.) But instead of taking the researchers’ message to heart, officials instead attacked the messengers.

Australia: NSW election result could be challenged over iVote security flaw | The Guardian

The result of the NSW election this Saturday is likely to be challenged after a security flaw was identified that could potentially have compromised 66,000 electronic votes. A number of parties, including the Greens, the National party and the Outdoor Recreation party have told Guardian Australia they would consider all of their options after the “major vulnerability” was revealed in the iVote system, an internet voting program being trialled for the first time this year. But a senior NSW Electoral Commission official said fears of vote tampering were overblown and the work of “well-funded, well-managed, anti-internet voting lobby groups”. While the iVote website itself is secure, Melbourne University security specialist Vanessa Teague discovered on Friday that it loaded javascript from a third-party website that was “vulnerable to an attack called the FREAK attack”. “The implication is that an attacker who controls some point through which the user’s traffic is passing could substitute that code for a code of the attackers’ choice,” she said. In layman’s terms, a hacker could intercept a vote for party A and turn it into a vote for party B without alerting the voter or the NSW Electoral Commission.

Australia: NSW iVote security flaw may have affected thousands of votes: Researchers | Computerworld

Thousands of NSW state election votes submitted to iVote may have been affected by a server vulnerability according to two security researchers who discovered the issue. University of Melbourne Department of Computing and Information Systems research fellow, Vanessa Teague, and Michigan Centre for Computer Security and Society director ,J.Alex Halderman, posted a blog with their findings on March 22. “The iVote voting website, cvs.ivote.nsw.gov.au, is served over HTTPS. While this server appears to use a safe SSL configuration, the site included additional JavaScript from an external server,” wrote the researchers.

United Kingdom: Security bug in Australia’s online voting system throws doubt on Britain’s digital election goal | Information Age

Britain’s hopes of enabling online voting in general elections by 2020 have faced a dose of reality after a security vulnerability in an Australian system was exposed. The iVote system was introduced for the New South Wales (NSW) State Election in 2011 for voters who are more than 20 kilometres from a polling station, and has also been used in subsequent state by-elections. But its use in NSW’s state election this month has faced intense scrutiny after researchers discovered a major security hole that could allow a hacker to read and manipulate votes. With 66,000 online votes already cast by the time Vanessa Teague and J. Alex Halderman, of the University of Melbourne and University of Michigan respectively, disclosed their revelation, the legitimacy of the entire election has been called into doubt.

Australia: International experts warn of the risks of Australian online voting tools | Sydney Morning Herald

Australia and other countries are a decade or longer away from safe methods of online voting in state and national elections and current tools pose a serious risk to democratic processes, people at a public lecture heard on Monday night. University of Michigan researcher J Alex Halderman and University of Melbourne research fellow Vanessa Teague said online voting in Saturday’s New South Wales election could have been seriously compromised through security weaknesses in the iVote system, being used in the upper house. The pair, in a a public lecture at the Australian National University, said that internet voting continued to raise some of the most difficult challenges in computer security and could not be considered completely safe. They reported faults in the NSW system to electoral authorities last week, ahead of as many as 250,000 voters using online systems to participate in the ballot.

Australia: Online voting system may have FREAK bug | The Register

Next weekend, voters in the Australian State of New South Wales go to the polls to elect a new government. Some have already cast their votes online, with a system that may be running the FREAK bug. So say Vanessa Teague and J. Alex Halderman, respectively a research fellow in the Department of Computing and Information Systems at at the University of Melbourne and an assistant professor of computer science and engineering at the University of Michigan and director of Michigan’s Center for Computer Security and Society. The system in question is called iVote system and was launched in 2011 to assist voters who live 20 kilometres or more from a polling station, or those will be overseas or interstate on election day. But Teague and Halderman say their proof-of-concept probe on a “practice” system showed it is possible to “… intercepts and manipulate votes … though the same attack would also have succeeded against the real voting server,” the pair wrote in analysis.

Australia: NSW Electoral Commission scrambles to patch iVote flaw | ZDNet

The analytics service used by the New South Wales electronic voting system, iVote, left voters vulnerable to having their ballots changed, according to security researchers. The iVote system was originally implemented ahead of the 2011 state election for vision-impaired voters and those living in rural areas who have difficulty reaching polling places, but the government is expanding the use of the iVote system as part of the election on March 28, and has taken approximately 66,000 votes since early polling opened last week. Researchers Vanessa Teague from the Department of Computing and Information Systems at the University of Melbourne, and J Alex Halderman from the University of Michigan Centre for Computer Security, found that while the voting website uses a safe SSL configuration, it includes JavaScript from an external server that is used to track site visitors. This, they said, would leave the iVote site open to a range of attacks, including FREAK.

Australia: iVote flaw ‘allowed vote to be changed’; electoral commission fixes vulnerability | ABC

A “major security hole” that could allow an attacker to read or change someone’s vote has been discovered in the New South Wales online iVote platform, security experts say. The iVote system allows people to lodge their votes for Saturday’s state election online, instead of visiting a physical polling station. It aims to make voting easier for the disabled or for people who live long distances from polling booths. However computer security researchers said they found a critical issue and alerted the NSW Electoral Commission on Friday afternoon. University of Melbourne research fellow Vanessa Teague, who found the security vulnerability, said it was a difficult hack to pull off, but could potentially affect ballots en masse. “We’ve been told repeatedly that votes are perfectly secret and the whole system is secure and it can’t be tampered with and so on, and we’ve shown very clearly than that’s not true – that these votes are not secret and they can be tampered with,” Ms Teague said.