Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint //

Authentication

10/9/2014
05:30 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

2 Tech Challenges Preventing Online Voting In US

A new report explains that online voting in the US is a matter of "if, not when," but problems of anonymity and verifiability must be solved first.

Online elections could be a reality in the United States if the security world can figure out how to ensure both voter anonymity and vote verifiability -- two essential but "largely incompatible" goals, according to a new report from the Atlantic Council and Intel Security. The report, "Online Voting: Rewards and Risks," discusses what challenges must be solved if online voting is ever to take off in the US.

"It's not a matter of if, but of when," says Gary Davis, Chief Consumer Security Evangelist for Intel Security. "I'll go out on a limb and say within 10 years" the US will allow online voting for national elections.

Why so confident? Davis points at the progress made in banking. Trust between customer and bank is essential to financial transactions, just like trust between citizen and government when casting ballots. Breaches notwithstanding, cryptography, identity management, and other security measures have made secure online banking a reality. Couldn't the same technology be applied to online voting?

Yes, but there is a key difference between banking and voting: anonymity.

As the report explains, banks must tie a customer's identity to the details of the transaction. Conversely, the government must not tie a citizen's identity to the details of their vote. Officials do check IDs at polling places -- to make sure that the person is a registered voter at the appropriate polling location, and that nobody gets to vote more than once -- but an individual's identity is never linked to their vote. The ballots cast are only viewed in aggregate.

The need for voter anonymity gets particularly tricky when coupled with the need for vote verifiability -- making sure that votes can be accurately tabulated again during a recount or a routine audit. For years, the question of "meaningful audits" has been at the root of the e-voting security debate, even when the conversation is only about electronic voting machines at polling places, not online voting from mobile devices all over the place.

Most of the dispute is over direct-recording electronic voting machines (DREs) without voter-verified paper trails, because they introduce software to the election process, and as all security people know, new software means new vulnerabilities means new ways for nefarious individuals to exploit the system -- like for example changing a person's vote before it's officially recorded.

Critics say that there must be a way to audit DREs' results. Manufacturers say that their equipment can conduct audits of election results, but critics say that all the machines can do is recount the same corrupted records. The solution, they say, is to add a voter-verified paper trail -- after a person casts their votes, the DRE prints out their selections on paper, asks the voter to review it and confirm that it has recorded their selections correctly, and drops the paper into a secure box once approved. That way, if there is any suspicion that the software was infected with vote-changing malware, the figures can be compared against a hand count of the paper records.

Anyone who was present for the 2000 US presidential election knows that paper is not without its own set of problems. (Remember a time before you knew what a "hanging chad" was?) Yet many districts still use paper votes exclusively, or as a back-up to the DREs and optical scan electronic voting machines.

Online voting would remove paper from the equation entirely. And, according to the report, current online security technology might not be able to provide the same kind of verifiability that paper can. From the report:

Banks, online retailers, and other companies offering services over the Internet factor in some degree of loss as a cost of doing business online, and generally indemnify their customers against bad actors. Online voting poses a much tougher problem: lost votes are unacceptable.

Online voting systems are complex, and any updates often must be separately recertified by election authorities. And unlike paper ballots, electronic votes cannot be “rolled back” or easily recounted. The twin goals of anonymity and verifiability within an online voting system are largely incompatible with current technologies.

That has not stopped Americans from trying, but online voting systems in the States have been fraught with software woes. From the report:

Alex Halderman, an assistant professor and security expert at the University of Michigan, has found holes in many existing online voting systems. In 2010, Dr. Halderman volunteered to test the integrity of an Internet voting system intended for use in Washington, DC. Within hours, his team accessed secret data on the system’s server, including the key used to encrypt ballots; replaced votes that had been cast; linked voters’ names to their votes; and forced the system’s vote-confirmation screen to play his university’s fight song. The team also found evidence that other hackers were trying to compromise the as-yet unused system. It was scrapped.

"Dr. Halderman ripped it apart," says Davis, "but a lot of [the system's problem] was Security 101."

Davis says that online voting systems could "make Dr. Halderman's life more difficult" if security professionals and e-voting machine manufacturers would really work together -- something that has been difficult to achieve in the past. Manufacturers keep their software close, but some proponents of open-source and open-government have argued for greater transparency about the code running e-voting systems.

With so many questions about security, why bother with online voting at all?

"The common belief," says Davis, "is that online voting will increase voter turnout," especially if it were possible to vote via a smartphone app. As he explains, elderly or infirm people wouldn't have to leave the house. Members of the military stationed overseas will not have to go through the absentee ballot process. Young people who love technology and hate waiting in lines might be more likely to participate in the election.

However, in the short-term, online voting could increase turnout from some populations and decrease it in others. Districts offering online voting might not offer anything else. Voters do not have the option to go to another district's polling place to use their machines. So, some voters who do not trust the technology or do not have access to the technology might decide not to vote at all.

Although the US is (at least) years away from online voting, Estonia has been doing it since 2005; roughly one-quarter of their citizens vote that way. As the report explains:

Because all Estonians have a government “chip and PIN” e-ID card, online voting is now available to the country’s electorate, and votes are encrypted for greater security.

Estonians can also vote more than once, from different devices and locations, over a thirty-day period -- though only the final vote counts -- giving voters the option to change their minds. They can also vote at a polling station on election day if they wish... The Estonian system also enables individuals to verify their vote using a form of two-factor verification: in this case, two devices, such as a smartphone and a personal computer. Voters are unlikely to “sell” their vote because their e-ID cards are also tied to government services such as healthcare.

Whether or not the Estonian system for a country with only a half-million citizens could scale up to the US's needs is one question.

The bigger snag, though, is that the Estonian system relies on the fact that all citizens have government-issued Chip-and-PIN ID cards that are essential to a wide variety of government services. The American public might resist such a thing.

However, Davis thinks that as Americans become more comfortable using mobile devices for biometric authentication and transaction verification, there will be less resistance to and/or less need for such a system.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
10/13/2014 | 1:35:12 PM
Re: Separation of vote and identity
@Dr. T  That may solve the security and anonymity problem, but does it allow for verifiability and audits? Cause it would be really cool if it did!
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
10/13/2014 | 8:37:17 AM
Re: IEEE 1622 as the Base
Thanks, Dr. T. Doesn't sound too comprehensive, does it? And only pertains to the military based overseas.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
10/10/2014 | 11:54:50 AM
Re: IEEE 1622 as the Base
I found the following description:

"This standard specifies electronic data interchange formats for blank ballot distribution, primarily to assist in satisfying the needs of the Uniformed and Overseas Citizens Absentee Voting Act (UOCAVA) and Military and Overseas Voter Empowerment (MOVE) Act. Subsequent standards will address other requirements for electronic data interchange formats used by components of voting systems for exchange of electronic data. This scope does not include return of cast ballots by electronic means."
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
10/10/2014 | 11:53:19 AM
Re: IEEE 1622 as the Base
It will be very good if we follow a standard for it, of course. 
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
10/10/2014 | 11:44:58 AM
Separation of vote and identity
I am for all electronic. This should be quite possible with the regular identification and separations measures. Person can login with an ID and vote and we do not have to strongly tie them in the database so there is now ay to query data with both attributes. Not a big deal.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
10/10/2014 | 9:32:40 AM
Re: IEEE 1622 as the Base
Thanks @HCHENG085. Can you elaborate a little more on what the IEEE 1622 eVoting Standards do and don't address with respect to security of online voting?
HCHENG085
50%
50%
HCHENG085,
User Rank: Guru
10/9/2014 | 11:01:42 PM
IEEE 1622 as the Base
Perhaps, IEEE 1622 eVoting Standards can serve as the base for security on online voting. Of course, it still needs innovation on security features on IEEE 1622
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Lessons from the NSA: Know Your Assets
Robert Lemos, Contributing Writer,  12/12/2019
4 Tips to Run Fast in the Face of Digital Transformation
Shane Buckley, President & Chief Operating Officer, Gigamon,  12/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19807
PUBLISHED: 2019-12-15
In the Linux kernel before 5.3.11, sound/core/timer.c has a use-after-free caused by erroneous code refactoring, aka CID-e7af6307a8a5. This is related to snd_timer_open and snd_timer_close_locked. The timeri variable was originally intended to be for a newly created timer instance, but was used for ...
CVE-2014-8650
PUBLISHED: 2019-12-15
python-requests-Kerberos through 0.5 does not handle mutual authentication
CVE-2014-3536
PUBLISHED: 2019-12-15
CFME (CloudForms Management Engine) 5: RHN account information is logged to top_output.log during registration
CVE-2014-3643
PUBLISHED: 2019-12-15
jersey: XXE via parameter entities not disabled by the jersey SAX parser
CVE-2014-3652
PUBLISHED: 2019-12-15
JBoss KeyCloak: Open redirect vulnerability via failure to validate the redirect URL.