DC's Internet Voting Pilot

Last week, the DC Board of Elections and Ethics and the Open Source Digital Voting foundation announced that they were going to do a pilot Internet Voting project for overseas and military voters [*]. (In the US, this sort of voting often gets called UOCAVA, after the Uniformed and Overseas Citizens Absentee Voting Act, which covers this case). UOCAVA voters are often in remote locations with poor mail access, so traditional Vote By Mail doesn't work very well, making it an apparently attractive use case for technological fixes. That's why there have been (at least) two previous efforts to apply Internet voting technology to UOCAVA voters: SERVE and Operation Bravo. That said, there have also been significant technical concerns about this kind of technology (SERVE report, more positive report on Operation Bravo).

Details about the DC pilot are pretty thin on the ground, but I've managed to get an overview of what's public from John Sebes from OSDV. The basic idea is like this:

  • DC BOEE operates a Web site where you can download blank ballots in PDF form.
  • You either fill in the ballot with local PDF tools or print it, fill it out by hand, and scan it.
  • You upload the filled-in ballot to the DC BOEE site.
  • The filled-in ballots are printed out and fed into an optical scanner just like vote-by-mail ballots.
  • There is no offline return of paper ballots.

Now, obviously you'd want to do HTTPS (HTTP over TLS) for this, but there are still a large number of potential security vulnerabilities here. The rest of this discussion is based on the assumption that the system is constructed as described above.

Attacks on the Server
The attacks that typically come to mind first are attacks on the ballot distribution and acceptance site. In this design, that site is open to the Internet and by definition pretty much anyone can talk to it, so that leaves it open to a variety of attacks. The two main attacks we need to be concerned about are compromise of the site and denial of service attacks.

In the design I just described, an attacker who manages to compromise the site can effectively replace any ballot with a ballot of their choosing. Within the limits of having the number of ballots roughly match the number of registered voters, they can also remove and insert ballots, etc. In addition, they can track how everyone has voted. In effect, they have complete control of the election. Needless to say, this is bad.

Obviously, you can imagine hardening the site in a number of ways (firewalls, IDS, aggressive logging to offline storage, audits, etc.), but that just reduces the risk rather than eliminating it completely. Moreover, this doesn't do anything about insider attack: the election officials have complete control over this machine and we don't have any good way to verify what they have done with it (this is basically an intractable problem). This attack can be mounted by a single person, so this sort of system is significantly more vulnerable to a single-point attack, whether by an insider or an outsider, than is a traditional paper-based absentee system.
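To make the "reduces the risk rather than eliminating it" point concrete, here is an added example (not code from the original post, the DC BOEE, or OSDV) of what "aggressive logging to offline storage" plus an audit buys you. Every accepted upload is appended to a hash-chained log; at the close of the upload window the operator copies the chain head to offline storage. An auditor later recomputes the chain from the ballots actually on disk and compares it with the offline head. The ballot bytes, ballot identifiers and the `record_upload`/`audit` functions are all constructed for this illustration; the scenarios at the bottom show which of the attacks in the text the audit catches and which it does not.

```python
# Added example, not from the original post or OSDV: a hash-chained upload log
# and an audit routine that checks stored ballots against it. All ballot bytes
# and identifiers below are constructed.
import hashlib
import json

GENESIS = "0" * 64  # prev-hash used for the first log entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _entry_hash(entry: dict) -> str:
    # Hash every field except the entry's own hash, in a canonical encoding.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())


def record_upload(chain: list, ballot_id: str, ballot: bytes) -> str:
    """Append an entry for an accepted upload and return the new chain head."""
    entry = {
        "seq": len(chain),
        "ballot_id": ballot_id,
        "ballot_sha256": sha256_hex(ballot),
        "prev": chain[-1]["entry_hash"] if chain else GENESIS,
    }
    entry["entry_hash"] = _entry_hash(entry)
    chain.append(entry)
    return entry["entry_hash"]


def audit(chain: list, stored: dict, offline_head: str) -> list:
    """Compare ballots on disk with the log. Returns a list of findings;
    an empty list means everything is consistent. `offline_head` is the chain
    head the operator copied to offline storage when uploads closed."""
    findings = []
    prev = GENESIS
    logged_ids = set()
    for i, entry in enumerate(chain):
        if (entry["seq"] != i or entry["prev"] != prev
                or _entry_hash(entry) != entry["entry_hash"]):
            findings.append(f"chain broken at seq {i}")
        prev = entry["entry_hash"]
        bid = entry["ballot_id"]
        logged_ids.add(bid)
        if bid not in stored:
            findings.append(f"ballot {bid} logged but missing from storage")
        elif sha256_hex(stored[bid]) != entry["ballot_sha256"]:
            findings.append(f"ballot {bid} does not match logged hash")
    for bid in sorted(set(stored) - logged_ids):
        findings.append(f"ballot {bid} in storage but never logged")
    if prev != offline_head:
        findings.append("chain head differs from offline copy")
    return findings


def scenarios() -> dict:
    """Run the audit against an honest store and against the attacks in the text."""
    ballots = {  # constructed sample uploads
        "b1": b"constructed ballot 1: Hamilton",
        "b2": b"constructed ballot 2: Burr",
        "b3": b"constructed ballot 3: Hamilton",
    }
    chain = []
    for bid, data in ballots.items():
        head = record_upload(chain, bid, data)
    offline_head = head  # copied to write-once media at close of uploads

    # Outsider with write access to ballot storage only: replaces one ballot.
    tampered = dict(ballots)
    tampered["b2"] = b"constructed ballot 2: Hamilton"

    # Insider who can rewrite the online log as well as the stored ballots.
    rewritten_chain = []
    for bid, data in tampered.items():
        record_upload(rewritten_chain, bid, data)

    return {
        "honest": audit(chain, ballots, offline_head),
        "storage_only": audit(chain, tampered, offline_head),
        "storage_and_log": audit(rewritten_chain, tampered, offline_head),
        # Insider who also controls the offline copy: nothing is left to detect.
        "storage_log_and_offline": audit(
            rewritten_chain, tampered, rewritten_chain[-1]["entry_hash"]),
    }


if __name__ == "__main__":
    for name, findings in scenarios().items():
        print(f"{name}: {findings or 'consistent'}")
```

The first two scenarios are what the audit is for: an attacker who only reaches ballot storage is caught by the per-ballot hash, and one who also rewrites the online log is caught by the offline head. The last scenario is the insider problem from the paragraph above: an official who controls the server, the log and the offline copy can make all three agree, and the audit has nothing left to compare against.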

Another issue we need to be concerned about is Denial of Service attacks on the Web server. An attack like this has the potential to disenfranchise large numbers of voters. And since the demographics of UOCAVA voters differ from those of other voters, a DoS attack has the potential for differential disenfranchisement.

Software Attacks on the End-User Client
Because voters are voting on their own computers, there is of course a risk from compromise of those machines. The average user's computer isn't very well maintained and though estimates for the fraction of machines which are malware infected vary, it's clear that the numbers are large. It wouldn't be particularly hard to develop a piece of malware whose payload changed people's votes. There are several potential attack vectors here:

  • Modify the ballots on download (before the user fills them out)
  • Do a "presentation attack" on the ballot marking mode of the PDF viewer, where the voter attempts to vote for Hamilton but the viewer records Burr (this doesn't work on hand-marked ballots).
  • Modify the scanned ballots before submission.
  • Send a copy of the ballots to some third party.
  • Selectively create failures for voters who are voting the "wrong way".

In essence, every attack people have proposed on DREs is suddenly an attack on this system as well. Some of these attacks may be detectable, but in general one can't recover from them. And the available evidence suggests that users are pretty oblivious to even fairly blatant attacks [*].

Attacks on the End-User
Finally, there are attacks which don't require machine compromise. Voters connect to the election site via the Web, so a network attacker who intercepts that connection can steal ballots, modify ballots, etc. Of course, we would expect the connection to be secure, but at least some unsophisticated users are likely to override whatever warnings the browsers pop up; the available data on user interaction is that people do this quite often [*].

I should note that, like any vote-from-home system, there is also a significant risk of compromise of voter privacy, since an attacker can look over your shoulder as you vote.

Bottom Line
As far as I can tell, a system of this type offers significantly worse security properties than in-person voting (whether opscan or DRE), since it has all the security flaws of both plus a much larger attack surface area. [Note that the intermediate opscan step offers only marginal security benefit because it's based on electronic records which are untrustworthy.] It also offers inferior security properties to traditional vote by mail. The primary benefit is reducing voter latency, but clearly that comes at substantial risk.

5 Comments

It seems to me that there're also DNS attacks to worry about, and that this system is particularly susceptible to those because most of the people using it will be in the same area. If an attacker can compromise the DNS of one of the major local ISPs, they can inject and redirect all sorts of stuff. Couple it with your observation that most users won't notice the certificate errors, and the attackers have an open path here.

On the other hand, one thing that widespread attacks have against them here is that they may likely be detected -- which may invalidate the election, but it's at least better than having major undetected mayhem. A major attack is reasonably likely to hit someone who will recognize the compromise and report it. (Of course, if the election folks are in on the penetration, there's nothing for it... but that's true of any system.)

We're a long way from having any Internet-based system be solid enough to trust, unfortunately.

There are also attacks on the authentication process, and on the process of signing up for a UOCAVA ballot, which we know little about now. But it seems clear that an online process will leave no fingerprints, and make it easier to automate an attack. In general this makes it attractive to create the appearance of a big success ("see how many more troops and overseas citizens we have voting now!") by fraudulently voting on behalf of registered voters, and thus drive a wedge into the process in which online voting is expanded to more and more people, including folks at home.

One clarification, Eric, to an otherwise fair assessment pending more details except one small thing: the qualified overseas military voters who choose to participate in this assessment Pilot can still choose to return their ballots the usual way: paper by surface mails. Your last point suggested no paper return. Incorrect.
Cheers

Greg,

Thanks for the correction. One question: what happens if I send back my paper ballot? Is it checked? What if there is no match?

The questions are off as there is a requirement by the Military that they must first get permission to use any system offered by their area commander.

This is KNOWN to FVAP, the Military voting assistance program, but should be stated on their website.

Each Military person using electronic voting must get permission from their commander to use it, as well as to give out any personal information on public networks to get a ballot, which in some states requires a full list of personal ID information such as DOB, Name, Prev Address, SS Number or MIL ID, current address, etc.

In foreign locations the information could cause compromise of missions or deployment information, thus each commander is to be consulted for permission to use these services and may prohibit it as off limits.

Military persons are always subject to oversight by command and in this case the information security of their deployment or mission.

"the qualified overseas military voters who choose to participate in this assessment Pilot can still choose to return their ballots the usual way: paper by surface mails." (your comment) ... you realize that just to get a ballot they will need to give up personal information by State Law and thus must get approval from their area commander.
