Notes on online voter registration

| Comments (5) | SYSSEC Voting
Senate Bill 381, signed by Governor Schwarzenegger, on October 1st, provides for online voter registration. Here's the statement from SoS Debra Bowen.
"Californians can pay bills and file their taxes online. Being able to register to vote online is the next logical step in making it easier for Californians to participate fully in their democracy," said Secretary of State Debra Bowen, California's chief elections officer. "This measure prevents fraud by limiting online voter registration to people who confirm their identity in a secure manner."

The online registration system will require registrants to provide their birth dates, the last four digits of their Social Security numbers, and the numbers from either a valid California driver's license or identification card. The Secretary of State may require additional information if it's necessary to establish a registrant's identity.

Registrants will be able to complete voter registration online using their digitized signatures that are already on file with the California Department of Motor Vehicles.

Unsurprisingly, there are some security concerns about a system of this type. I would break the major issues down as follows:

  • Authentication of voter registrations.
  • Corruption of the voter registration database via intrusions.
  • Privacy of voter data.

Let's take these in turn.

Authentication of Voter Registration
The first question to ask is whether the authentication here will be acceptably strong. I.e., will I be able to pretend to be you and reregister you to vote in King City, with the effect that when you go to your usual polling place you can't vote? I'm not talking about compromising the registration site, just lying on the form. Currently in order to register to vote in California you need to know your address, SSN or DL # and your birthday, plus you need to sign the form. The online site requires both the last four digits of your SSN and your DL #, plus the other information, but there's no need for you to sign your form. They just take your digitized signature off your drivers license.

Arguably, then, the online scheme is less secure: in the paper-based scheme, the SoS can compare the signature on your form to whatever signature they have on file for you (assuming they have one) and this presumably presents some barrier to forging registrations. That said, though, I suspect they don't do a very good job of verifying signatures on registration forms (actually, I don't know that they do any; credit card companies don't), and anyone who knows your SSN and DL #, probably has a good enough idea of what your signature looks like and they only need to get close enough for casual inspection.

On the other hand, because the online attacker needs both the DL # and the last four digits of the SSN, it's perhaps more difficult to impersonate a valid registration—though not very much so—than the paper-based system where only one of these is required. So, overall, this doesn't seem like a huge security hit from going to an online system.

Corruption of the Voter Registration Database
No matter what mechanism is used for authenticating users, any online system brings the risk that attackers could remotely compromise the registration site and corrupt the database correctly. Compromise of single voter registrations is already possible by simpler mechanisms (see above), but an attacker who had direct access to the database could do significantly more damage, for instance massively corrupting the database. Obviously, this creates a new opportunity for a major DoS on the election, especially if it went undetected before election day.

There are a number of mechanisms that could in principle be used to mitigate this kind of attack. The simplest is to have an airgap between the website and the database. For instance, you could have the server print out registration forms which are entered into the database in the usual way. Obviously, this removes a bunch of the efficiencies of having an online system, so it's not really attractive from that perspective. Alternatively, you could have some sort of frequent backups coupled with rate limiting of the number of changes allowed per day, but these checks themselves depend on the software doing the checks being uncompromised, which is hard to guarantee (though defense in depth is possible).

Compromise of Voter Privacy
If the voter database is directly connected to the registration site, then an attacker who compromised the site could potentially get a complete copy of the database. If the database contains sensitive information (the last four digits of your SSN qualifies here), then this is a potential vector for information disclosure. Again, this could be mitigated by having an airgap between the site and the database. Other potential mechanisms include encrypting the sensitive mechanisms in the database (this seems to be specified in the CalVote specification). [Technical note: you probably have to use public key cryptography here so that the site can encrypt the sensitive information before storing it in the database but even an attacker who has completely compromised the system can't decrypt the data.]

Bottom Line
The mass compromise issue seems to be the difficult issue here, both because it's so serious and because it's so different from the current situation. Superficially, it's a fairly standard computer security problem and it may be possible to mitigate it via the usual mechanisms, but the scale of elections and the time pressure under which they are conducted make it especially challenging.

5 Comments

For what it's worth, this system would make for a great phishing target.

I'm 99% sure that they are not doing signature validation at the time of re-registration now. If you show up at your polling place and they say you are not registered, you still vote, but on a provisional ballot. Every provisional ballot is researched. If it turns out that "you moved to King County" and you did not vote there, your provisional ballot will be counted.

From a protocol perspective, this can be called "lightly-authenticated change with post-transaction challenge". It moves the actual DoS problem to afte the election when there is plenty of time to do the validation.

I agree that that's what's supposed to happen in principle, but I suspect
in practice that a substantial number of people don't in fact vote on
provisional ballots but just leave, in which case this is a useful DoS.

I think you're omitting a very important security feature of the in-person system: the requirement that an actual physical person show up with actual physical ID. Obviously that's a minor hurdle if an individual wants to steal another individual's vote. But if someone wants to manufacture, say, 50,000 fraudulent voter registrations--possibly enough to influence a major statewide election--then getting enough people to show up enough times at the right places with plausible-looking ID is a big enough production to be unlikely not to be discovered, one way or another. On the other hand, if one has obtained, stolen or purchased the right kind and amount of personal data, then 50,000 fraudulent online registrations in scattered locations may well be a feasible number.

I'm not omitting it. California has mail-in voter registration with no
id requirement. You can print the forms off the Internet. Even if you show up at the ROV, as I did, they don't ask for id, they just give you the form you would have otherwise mailed in.

Leave a comment