SYSSEC: June 2009 Archives


June 4, 2009

Kevin Poulsen writes about the Arizona Internet overseas voting system:
"It's run over a secured system using industry standard encryption," said state CIO Craig Stender. "We had many users from over 50 countries using the system in that election."


In the Arizona system, voters could request an early ballot through a Secretary of State website, and receive it through snail mail. If there's no time for the postal service, though, the voter gets a PDF of the ballot in e-mail.

This is where it gets a little clunky. You can't fill out the ballot on your computer - you have to print it out, then use your scanner to scan the completed and signed ballot back onto your PC. Then you upload the scanned ballot to the aforementioned "secured system" (it uses SSL).

From there, county election officials can log on and retrieve the ballot through a pretty nifty backend system. They print it out in your home county, and treat the printout like any other absentee ballot. The whole system allows an overseas voter to request a ballot and vote as late as 7:00 p.m. on election day, without planning ahead, and the state credits it for an unspecified increase in overseas voter participation in 2008 (of course, participation increased across the board in 2008).

Poulsen talks a bit about the security issues here, but I thought I'd elaborate some.

The first thing to realize here is that this is actually the combination of two distinct systems, each with its own security issues. First, we have an Internet-based blank ballot distribution system. Second, we have an Internet-based completed ballot return system. Just because you're distributing ballots over the Internet doesn't mean that you need to have them returned that way. You could just as well have people mail or fax them back. Conversely, you could mail out ballots and then have people return them over the Internet. It's easiest to analyze these systems separately.

Internet Ballot Distribution
Delivering blank ballots over the Internet seems like a natural optimization: ballot distribution by paper mail is slow, and replacing the outbound leg with Internet distribution roughly halves the round trip time, which seems valuable. As it is, the ballots already need to be designed and mailed long in advance of the election. Moreover, the security problems with distributing blank ballots are (comparatively) simple: we just need to ensure that each voter gets the correct ballot. Blank ballots aren't secret, so confidentiality isn't a concern; the issue is integrity.

That isn't to say that there are no security issues, though. First, we need to ensure that an attacker can't substitute a fake ballot. In the simplest case, the attacker could just produce a superficially valid ballot that wasn't readable by the central optical scanners. That might be handled properly by the county, but it might just be discarded. More interestingly, the attacker might generate a ballot which would scan correctly, but where the text on the ballot doesn't match the votes that are recorded by the scanner for the corresponding regions (e.g., switch the labels for Bush and Gore). One might be able to program the optical scanner to detect this kind of attack by comparing the returned ballot to the expected ballot format, but I suspect that many scanners just look for the voting regions and ignore the text. After all, this is the simple way to build the system. An attack of this type could be mounted by attacking the distribution server, intercepting/modifying the ballot in transit, or attacking the user's PC once the ballot is delivered.

Finally, treating a ballot printed on ordinary printer paper as a valid ballot is a major shift from ordinary practice. In Santa Clara County, the ballots are printed on special paper and the pollworkers are expected to take action to control the number of ballots in circulation. For instance, when an absentee voter shows up and wants to vote in the polling place, they need to surrender their ballots—to prove they didn't vote by mail already—or they have to vote a provisional ballot. Similarly, election officials and/or pollworkers do reconciliation of the number of ballots voted against the number of voters. Both of these depend on controlling the total number of ballots in circulation. By contrast, if you send people PDFs they can print as many ballots as they want, and suddenly they're not a controlled item. I realize that this isn't a great form of security, since it's not really that hard to get your own ballots printed, but nevertheless it's part of the security model for the election.

Internet Ballot Return
The second piece of the system is returning the completed ballots. We have integrity issues here as well. As Poulsen suggests (and quotes Rubin as suggesting), there are a number of ways for things to go wrong: an attacker could subvert your computer and have it modify the ballot before sending it; you could be phished, and the phisher could modify your ballot appropriately before passing it on to the central site; or the attacker could subvert the central server and modify the ballots before they are printed out. Poulsen quotes an election official arguing that this sort of modification is difficult:

"It's not true internet voting, so we don't feel that we have the same security issues that true internet voting would have," said Bjelland. She adds that Arizona has some 5,000 different ballot layouts for different voting jurisdictions, which would make automated tampering a challenge.

This actually doesn't seem like that hard a problem for the attacker: the ballot styles are fairly stereotyped and it's just a matter of OCRing the ballot enough to figure out which markable region corresponds to which label—and this assumes that you don't have a copy of each ballot style and can't just write semi-custom software.
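To make both points concrete (the label-swapping fake ballot from the distribution section and the layout-independent tampering just described), here is a toy model in Python. It is an added illustration, not code from the original post, from Arizona's system, or from any scanner vendor. The ballot styles, region ids, contests and candidate names are constructed, and region ids stand in for the physical coordinates a real scanner keys on.

```python
"""Toy model of an optical-scan ballot pipeline (constructed example).

A ballot style maps each contest to the ordered (region_id, label) pairs
printed on it. A scanned ballot carries the labels an OCR pass would read
beside each region plus the set of regions the voter filled in.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Style = Dict[str, List[Tuple[str, str]]]  # contest -> [(region_id, label), ...]

# Two hypothetical ballot styles with different layouts (constructed data).
STYLE_A: Style = {"President": [("P1", "Bush"), ("P2", "Gore")],
                  "Senate": [("S1", "Alice"), ("S2", "Bob")]}
STYLE_B: Style = {"President": [("R7", "Gore"), ("R3", "Bush")]}


@dataclass(frozen=True)
class ScannedBallot:
    ocr: Style        # what the printed ballot says beside each region
    marks: frozenset  # region ids the voter filled in


def tabulate(ballot: ScannedBallot, style_on_file: Style) -> Dict[str, str]:
    """Naive tabulator: looks only at which regions are marked and resolves
    them through the style on file. The printed text is never consulted."""
    votes = {}
    for contest, regions in style_on_file.items():
        chosen = [cand for rid, cand in regions if rid in ballot.marks]
        if len(chosen) == 1:  # overvotes and undervotes record nothing
            votes[contest] = chosen[0]
    return votes


def vote(printed: Style, choices: Dict[str, str]) -> ScannedBallot:
    """A voter marks, on the ballot as printed, the region beside each chosen label."""
    marks = {rid for contest, cand in choices.items()
             for rid, label in printed[contest] if label == cand}
    return ScannedBallot(ocr=printed, marks=frozenset(marks))


def swap_labels(style: Style, contest: str) -> Style:
    """Distribution-side attack: a fake blank ballot whose mark regions sit
    where the scanner expects them but whose labels in one contest are reversed."""
    regions = style[contest]
    labels = [label for _, label in regions]
    return {**style, contest: list(zip([rid for rid, _ in regions], labels[::-1]))}


def layout_mismatches(ballot: ScannedBallot, style_on_file: Style) -> Dict[str, Tuple[str, str]]:
    """The check suggested above: compare the OCR'd label beside every region
    with the label the style on file says should be there. Returns
    region_id -> (expected, printed) for every disagreement."""
    expected = {rid: label for regions in style_on_file.values() for rid, label in regions}
    printed = {rid: label for regions in ballot.ocr.values() for rid, label in regions}
    return {rid: (expected[rid], printed.get(rid))
            for rid in expected if printed.get(rid) != expected[rid]}


def retarget(ballot: ScannedBallot, contest: str, favored: str) -> ScannedBallot:
    """Return-side attack: move the voter's mark in one contest to the favored
    candidate using only the OCR'd labels, so no per-layout knowledge is needed."""
    regions = ballot.ocr[contest]
    target = {rid for rid, label in regions if label == favored}
    others = {rid for rid, _ in regions} - target
    if not (ballot.marks & others):  # already favored, or not voted: leave untouched
        return ballot
    return ScannedBallot(ocr=ballot.ocr, marks=(ballot.marks - others) | target)


if __name__ == "__main__":
    genuine = vote(STYLE_A, {"President": "Gore", "Senate": "Alice"})
    print("genuine:", tabulate(genuine, STYLE_A))
    on_fake = vote(swap_labels(STYLE_A, "President"), {"President": "Gore"})
    print("voter meant Gore, scanner records:", tabulate(on_fake, STYLE_A))
    print("layout check flags:", layout_mismatches(on_fake, STYLE_A))
    print("tampered in transit:", tabulate(retarget(genuine, "President", "Bush"), STYLE_A))
```

The same `retarget` function works unchanged against `STYLE_B`, whose regions are in a different order with different ids, which is the point about the 5,000 layouts: the attacker keys off the label text, not the position. Note also that `layout_mismatches` catches the swapped-label fake only because the tabulator is given the printed labels to compare; a scanner that reads nothing but the mark regions has no way to notice.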

Another issue is that this changes the semantics of the absentee ballot: in many jurisdictions, you fill out the ballot and place it in an envelope and put your personal information and signature on the envelope. This allows the election officials to determine whether the ballot is valid without knowing its contents, providing a check against bias. It also provides for a measure of voter privacy because the voter's identification isn't tied to the ballot once the envelope's provenance has been verified. If voters sign the ballots rather than the envelopes, then both of these properties are removed.

It should be clear at this point that this sort of system isn't totally without risk. I'd be interested to hear what security issues Bjelland feels "true internet voting" has that this system does not.