Washington should abandon a new Internet-based system designed to facilitate voting for American citizens overseas, declared a panel of top computer experts—including UC Berkeley professor David Wagner—in a recently issued report.
Wagner—along with Aviel Rubin, an associate professor of computer science from John Hopkins University, David Jefferson, from the Lawrence Livermore National Laboratory and Barbara Simons, a Bay Area technology consultant—say the Secure Electronic Registration and Voting Experiment (SERVE) has several important security risks and should not be used to tally votes during trial runs that are set to take place during the upcoming primary and general elections.
Mandated by Congress and overseen by the U.S. Department of Defense’s Federal Voting Assistance Program , SERVE was designed to eliminate problems associated with the absentee ballot process that proponents say continually disenfranchise voters.
But the authors of the Jan. 21 report say the new technology, while well intentioned, poses a series of severe risks.
“Broadly, SERVE poses a much larger chance of election fraud than anything we have today,” said Wagner, a computer security expert.
The firestorm over touchscreen voting systems identified a number of serious risks associated with computer voting. SERVE, say the authors, intensifies those risks by introducing using the Internet and personal computers.
“Because SERVE is an Internet and PC-based system,” the authors say in their report, “it has numerous other fundamental security problems that leave it vulnerable to a variety of well-known cyber attacks…any one of which could be catastrophic.”
Threats include insider attacks, denial of service attacks, spoofing, automated vote buying, and viral attacks.
According to Barbara Simons, attacks could disenfranchise large sections of the 100,000 U.S. citizens (registered in seven states and currently residing in 50 countries around the world) who are scheduled to use SERVE in this year’s elections.
“[The Internet and PCs] were never designed to be secure,” said Simons.
In the report, the authors briefly describe the history of the Internet, stressing that its original construction did not emphasize security. Security barriers have been built to guard certain transactions, they said, but not Internet voting.
“For all the importance of security today, the Internet has no general security architecture; in fact it is well known to be full of general vulnerabilities,” they wrote.
As a result, attacks can be launched by someone with a relatively low skill level, and in a way that is unnoticeable. “These attacks can be perpetrated from everywhere; it could be some teenage kid, political party, political opponent, etc.,” said Simons.
Unlike other Internet transactions, such as e-commerce and e-banking—both of which the report says are relatively secure—the e-voting process poses unaccountable security risks.
People “assume that voting is comparable somehow to an online financial transaction, whereas in fact security for Internet voting is far more difficult than security for e-commerce,” they write.
Additional e-voting risks include the inability to confirm correct transactions because of voter anonymity rules. Unlike e-commerce, where a customer can double-check transactions by referring back to receipts or order statements, a voter has no way to confirm that a choice was tallied correctly.
As with touchscreen voting machines, voters using SERVE will receive confirmation that their vote was received by the polling place where they vote. But how the vote was counted can’t be confirmed because it would breach privacy rules.
Any number of possible attacks could produce a vote switch, Simons said. A virus received by the PC could easily switch the selection after it was confirmed by the voter but before it was sent. The vote would be tallied and the virus could erase itself, leaving no trace.
“Viruses and worms go around every week, and virus check software only works on known viruses,” said Simons.
A denial of service attack would simply overload the election web server with junk e-mail, preventing it from counting votes.
In their report the authors diagram the skill level needed to create all the different attacks and their possible severity. Most range from low to medium skill level and all result in large-scale disenfranchisement.
Accenture, the company in charge of SERVE’s design, stresses that the report is only a minority report, part of a larger analysis also conducted by six other people, none of whom have yet issued their own reports.
At least one of the other participants in the program, Michael Alvarez, a political science professor at Cal Tech, supports the project and says its design will help alleviate other, more severe problems that plague the absentee system.
“The way in which overseas people vote is an arcane voting system, it’s disenfranchising,” said Alvarez.
He said absentee ballots often arrive late at polling places or get jumbled in with an accumulating bundle of bulk mail that eventually is postmarked after the deadline. Small errors that are usually caught at the polling place, he says, also continually disqualify ballots.
Criticism of SERVE, founded or not, he says, is directed at the wrong place.
“We are not following the problems that already exist,” he said, and cited SERVE as a possible solution.
He also stresses SERVE as a pilot program, meant to test results. One hundred thousand voters out of an estimated six million people living overseas, he says, is a small enough group to mitigate any kind of major interference.
But it’s still too many for Simons, who points out that the 2000 general election was decided by a precipitously small number. She, along with Wagner, also stresses the importance of realizing that the technology has severe security problems that can’t be corrected with existing measures. Regardless of the security devices put in place by Accenture, there will be holes.
“That’s the most disappointing part,” said Wagner. “After a lot of effort [to explore the system’s possibilities] we found that it is just not a possibility. It would require major changes to the architecture of the Internet and PCs.
“We’re not saying that Internet voting is some evil that should never be used. The technology just isn’t ready yet.”
Another concern cited by the authors is SERVE’s future expansion. They worry that once the system is adopted it will expand, increasing the dangers associated with it.
The report has boosted the issue into the public forum, seemingly more quickly than the controversy surrounding touchscreen voting machines—an issue which hasn’t received much coverage until recently.
Tellingly, the New York Times editorialized last Friday for Congress to suspend the program:
“The intentions behind the Pentagon’s plan, the Secure Electronic Registration and Voting Experiment, are laudable…but the advantages of the Pentagon’s Internet voting system would be far outweighed by the dangers it would pose.”
At the end of their report the authors praise the project’s directors, who they say have done everything in their power to ensure a secure system.
“[The project managers] have been completely aware all along of the security problems we have described here, and we have been impressed with the engineering sophistication and skill they have devoted to attempts to ameliorate or eliminate them.”
But, said Wagner, “They are in a tough position—they’ve been told to solve an un-solvable problem.”