Is the Internet Secure Enough for Elections?
"Criminals are often the first through the gate of a new technology," wrote Bruce Sterling, author of The Hacker Crackdown: Law and Disorder on the Electronic Frontier. 21
In addition to the traditional incentives for stealing an election -- winning the election and the power and perks that go with it -- the public would also need to be concerned about the random, "for the thrill of it," hacker attack.
For instance, FBI agents across the country are targeting members of the hacker gang "Global Hell," which has taken responsibility for hacker attacks on government web sites including the White House, U.S. Senate, and the Federal Bureau of Investigation. Terrorist hackers from outside the U.S. produced similar Internet attacks on the Pentagon and NATO. If such sites can be hacked into, surely Internet voting sites could be similarly vulnerable, resulting in wholesale election disruption or even fraud.
Technology for the secure transmission of data (indeed, military-grade data) across the Internet is readily available. The question is not whether the security technology exists, but rather whether it will be applied sufficiently by Internet voting technology vendors to protect the sanctity of the ballot from those who may deliberately seek to thwart it.
It is difficult to assess current Internet security because organizations that are attacked or experience security failures are often reluctant to publicly disclose the incidents, for fear of impact on their business. Given that reality, the known impacts of Internet security breaches are even more staggering:
- $5 billion of credit card fraud annually;
- $10 billion of on-line information theft annually, including calling card and credit card numbers, pirated software and corporate secrets;
- Nearly 50% of organizations suffered an information-security-related financial loss in the last two years; 10% of users reported an attempted or successful break-in to their system via the Internet in the past year; over 50% claimed they would not know if someone broke into their system through the Internet;
- 20% of organizations that have external network access have been hacked. 22
Several voting equipment manufacturers are readying systems for Internet voting. Initially, these systems will be used in "private" elections (unions, corporations, associations), with the hope that success in those environments will increase the likelihood of use in public elections - the largest market. 23
Assuming that the deficiencies of today's voter registration lists could be cured instantaneously, we are still left with the less-than-perfect security available today on the Internet.
Eugene H. Spafford, director of the Purdue Center for Education and Research in Information Assurance and Security, says, "The only system that is truly secure is one that is switched off and unplugged, locked in a titanium safe, buried in a concrete vault on the bottom of the sea and surrounded by very highly paid armed guards." 24
Opportunities for mischief on the Internet abound, and raise concerns about whether the Internet is ready, or even close to ready, to offer the level of security necessary to ensure free and fair elections.
For example, Internet surfers looking for the Scottish Labour Party web site were recently "electronically hijacked" by the Scottish Nationalist Party through a phantom web site - a common occurrence on the Internet. While this paper was being readied for publication, a similar incident was reported "closer to home." Visitors to the U.S. Senate web site were hijacked for the second time in several weeks and put onto a bogus and defaced "Senate" web site.
Such phantom sites could easily be constructed to divert voters from an election site. The frightening thing is that voters would not necessarily be aware their votes were not being legitimately cast. Once diverted to such a counterfeit site, their voting transaction could be captured and used to log votes for the thieves' candidates of choice on the real election site, quite possibly without detection.
The potential to divert voters selectively must also be considered. There have been a number of recent revelations in industry media about "cookies" - the small data files, containing confidential identifier information, that a web site writes to a computer's hard drive when you view it. Cookie files help web administrators identify individual visitors to a site so that content can be customized, but some privacy advocates charge that these files can be used to gain all manner of personal information about an Internet user. Cookies cannot, however, be used to extract information that the user did not provide. The problem is that information a user provides to one web site, for use only on that web site, could conceivably be collected by a different web site, and information provided to multiple web sites can be linked together. 25
Therefore, it is conceivable that cookie files could be used to identify voters by party or other preference categories, based upon their web usage, and then to manipulate election outcomes by selectively interfering with the voting of those groups. For example, if all Internet users in a particular voting jurisdiction who had frequented anti-tax web sites could be electronically prevented from having their votes counted in an election on a new tax referendum, or diverted to a bogus election site that would not count their votes, the referendum could illegitimately be allowed to pass.
As this paper went to press, there was yet another revelation regarding cyber-security. It was reported by the Associated Press that flaws in the Microsoft Office software suite could be used through e-mail or rogue Web sites to retrieve, alter or erase data in computers used by millions of people. It remains to be seen whether fraudsters could and would be effectively prohibited from using such programming devices. 26
The level of public alarm on the subject is so high that the Federal Trade Commission is pushing for release of on-line data collection practices in hopes of allaying fears that may be affecting Internet commerce. This followed release of a Louis Harris survey that showed that although only 5% of Internet users have had their on-line privacy invaded, over half believe it is possible for their privacy to be invaded without their knowledge. 27
This year several serious viruses have made their destructive way through the Internet. As this report was being prepared, yet another hacker virus erupted over the Internet causing damage to corporate and individual systems. This "worm" virus followed just weeks after an arrest in another recent computer virus case known as "Melissa." The FBI is investigating the case as a possible crime.
A recent survey by Computer Economics, a California research firm, queried 185 companies that share data with it to gauge the impact of computer viruses. The firm predicts that computer viruses will cost businesses worldwide about $7.6 billion in the first half of 1999 and that the frequency of virus attacks will continue at its current rate, but that the level of attack will become more severe. 28
The psychology of hackers makes Internet voting a likely and especially appealing target. Hackers pursue their targets for the satisfaction of defeating security systems, and do not even need detection or public credit to obtain the great "highs." 29
Hacking is not limited to the software in your computer. Even the chips in hardware can be "hacked," as evidenced by the recent scandal involving Intel's Pentium III. A German publication says it has developed a software program capable of reading Intel's serial code without a user's knowledge. This has been acknowledged by Intel spokesman Tom Waldrop, who commented, "There is virtually no software that can't be hacked - and most anything in a computer can be hacked." MicroDesign Resources analyst Peter Glaskowsky confirmed, "If they get the processor serial number, they can pretend to be you." 30 These revelations no doubt reflect the industry's push for other levels and types of security systems for the Internet.
There is little activity on the Net now that suggests how best to approach on-line voting security. There are a multitude of on-line voting opportunities on the Internet, but most do not even attempt to offer the level of security that would be necessary for public elections. Even stockholder voting, which is just now taking hold on the Internet, is not a good comparison since its requirements differ from public elections. It is much more challenging to build a system that has to make sure each voter votes only once without revealing who each voter voted for.
However, mechanisms are in use that would likely form the structure of security for such a system. Returning to the earlier definition, a secure Internet voting system could rely on the following tools:
· Personal Identification Number (PIN) or password, to ensure proper voter authentication
· Encryption, including RSA/Digital Signature technology, to ensure proper vote privacy and accuracy
· Smart Card & Card Reader
· Biometric Identification and Reader
The most basic level of security available today for Internet voting would be the PIN or password. In use on numerous web sites, they ostensibly could ensure that a voter's ballot could only be cast by that voter.
For example, one proposed Internet system requires voters to input personal information such as birth dates and Social Security numbers, as well as a PIN provided when they register to vote via computer. The number is primarily used, however, to guarantee that only one ballot is executed for that voter.
PINs and other voter identifiers can be extracted through the Internet. In 1994, "sniffer" attacks penetrated Internet-connected UNIX systems and systematically gathered Internet passwords. Hundreds of thousands - maybe millions - of Internet user passwords sent at the beginning of each communication session were compromised. 31
So PINs by themselves are not a guarantee of privacy. Also, reliance on PINs could create other problems if a voter forgets theirs and is delayed or prevented from voting.
All Internet security systems currently in place or contemplated rely on some type of encryption. Cryptography is a complex field not readily understood by the uninitiated. The kind of public key-private key system which is likely to form the basis of Internet voting systems would be fairly secure, with some provisos. A determined vote thief or hacker would still have several potential weak points for attack, even in the best encrypted system. Careless handling of private key data by administrators, or encryption keys that are not long enough to withstand "brute force" 32 attacks, are just two examples of such potential weaknesses.
Although universal encryption standards are desirable, the biggest vulnerability could come if a uniform Internet voting system were applied to all elections. Today's election system, where each voting jurisdiction selects its own equipment and protocols (within the context of federal and state requirements), at least provides the protection of vast variance that would defeat the theft of a presidential election. A national Internet voting system would be a large, non-moving target for potential vote thieves or hackers.
There is intense ongoing debate about the nature and type of encryption which should be used on the Internet, and the extent to which government should have access to the "keys" that unlock encrypted information. Such public policy debates will undoubtedly affect the level of security achievable in any Internet voting system. 33
Encryption alone does not guarantee authenticity - an important factor for any security system, but especially for Internet voting. The addition of a digital signature tightens the security.
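The point that encryption alone does not guarantee authenticity, as an added example that is not from the original paper: a ballot encrypted with a confidentiality-only cipher (AES in CTR mode) can be altered in transit, without the key, so that it decrypts to a different candidate, while a digital signature (RSA-PSS, the voter signing the encrypted ballot) lets the election server detect the alteration. The key, IV, candidate names and ballot format are constructed for the demonstration.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// ctr encrypts or decrypts with AES-CTR, a confidentiality-only mode: it hides the vote but detects no changes.
func ctr(key, iv, data []byte) []byte {
	block, _ := aes.NewCipher(key) // the constructed demo key below is 32 bytes, so this cannot fail
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out
}

// tamper flips ciphertext bits so the ballot decrypts to a different candidate, without knowing the key.
func tamper(ct []byte, original, replacement string) []byte {
	out := append([]byte(nil), ct...)
	for i := 0; i < len(original) && i < len(replacement) && i < len(ct); i++ {
		out[i] ^= original[i] ^ replacement[i]
	}
	return out
}

// sign has the voter sign the encrypted ballot with RSA-PSS over SHA-256.
func sign(priv *rsa.PrivateKey, ct []byte) []byte {
	digest := sha256.Sum256(ct)
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
	if err != nil {
		panic(err)
	}
	return sig
}

// verify is the election server's check before counting: true only if the ciphertext is what the voter signed.
func verify(pub *rsa.PublicKey, ct, sig []byte) bool {
	digest := sha256.Sum256(ct)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

func main() {
	key, iv := []byte("0123456789abcdef0123456789abcdef"), make([]byte, aes.BlockSize) // constructed demo key and IV
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)                                        // voter's key pair for the demo
	ct := ctr(key, iv, []byte("VOTE:ALICE"))
	forged := tamper(ct, "VOTE:ALICE", "VOTE:BOBBY")
	fmt.Printf("tampered ballot decrypts to %q\n", ctr(key, iv, forged))
	sig := sign(priv, ct)
	fmt.Println("signature verifies on original:", verify(&priv.PublicKey, ct, sig), "on tampered:", verify(&priv.PublicKey, forged, sig))
}
```

Decryption of the tampered ballot succeeds silently, which is the failure the paragraph warns about; only the signature check rejects it.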
Digital signature technology is already being accepted as a principal security device for on-line voting systems. Most states have already enacted, or are in the process of studying or enacting, authorization for some form of either electronic or digital signature. An indicator of just how rudimentary understanding of the technology is can be found in the lack of agreement even about definitions. Some states have authorized "electronic" and others "digital" signatures, and a few legislatures have authorized both. However, Congress is moving toward an endorsement of electronic signatures in e-commerce. 34
Digital and electronic signatures, in their purest definition, are random irregular cryptographic identity verifiers. However, the lack of conformity in definition in each state is leading to a hodgepodge of case law on what constitutes a legally acceptable electronic or digital signature. The legal effect of all this new identity technology is virtually nil. 35 A plaintiff still bears the burden of authenticating signatures on an electronic record - which might be even more difficult to do in an electronic environment than, say, verifying handwritten signatures on absentee ballots (which is itself problematic).
Another level of security being touted for Internet voting is the "smart card." A smart card issued to a voter could be used at any computer equipped with a "reader." Since the card, in conjunction with a PIN or password, could be pre-programmed with ballots and mailed to voters, the card reader would then act as the polling device and the Internet would be used only to transmit an off-line completed ballot. However, such a system would still be vulnerable to Internet voter hijackers, as well as good old-fashioned mail theft.
The next generation of Internet security - biometric identifiers - is just being birthed with a host of technologies and hybrid systems for voice recognition, fingerprint, retina scan, etc. Compaq, Sony, and I/O Software, among others, have already developed such technologies for adaptation to personal computers. 36 One group of biometrics companies has formed a Washington-based trade group to represent their interests before Congress in the area of Internet security.
Under such systems, a voter would register the appropriate identifier information through a biometric terminal controlled by election officials. The voter's biometric "password" could then be employed from an appropriately equipped computer at the time of voting. Though biometric identifiers are less vulnerable to identifier theft than other security devices, they are not foolproof. Currently in use in stationary ATMs, for example, they have not been sufficiently tested in on-line environments.
There is an additional concern about biometric identifiers -- privacy. Many Americans will balk at the gathering of this more intrusive layer of information, especially since it will be used in cyberspace. Law abiding citizens will almost certainly resist the notion of providing fingerprints and other identifiers to government sources, just as they have rejected the concept of a National Identity Card. Once in full use in American society, Big Brother truly would be watching - and able to "...call up the central computer, punch in your name and find out where you've been today." 37
Without controls of any kind on companies offering biometric systems, Internet voting that uses such technology would offer frightening opportunities for misuse.
21. Bantam Books, November 1992.
22. "Secure Electronic Commerce," p.5.
23. "Casting Ballots Through the Internet," by Rebecca Fairley Raney, New York Times, May 3, 1999.
24. "The Mole in the Machine," by Charles C. Mann, New York Times Magazine, July 25, 1999.
25. "DoubleClick not worried about privacy charges", CNET News, June 15, 1999; "Antitrust judge targets browser security," CNET News, June 10, 1999; "Cookies cap Hotmail security hole," CNET News, March 19, 1999; "Excite security hole open for months," CNET News, March 17, 1999; "Browser bug opens cookie files," CNET News, February 9, 1999.
26. "Flaws May Endanger Software's Security," Associated Press, August 1, 1999.
27. "Privacy forum plugs disclosure," CNET News.com, June 11, 1997.
28. "Virus Attacks," Washington Post Business, June 21, 1999, pg 6.
29. "Hackers of all kinds are absolutely soaked through with heroic anti-bureaucratic sentiment. Hackers long for recognition as a praiseworthy cultural archetype, the postmodern electronic equivalent of the cowboy and mountain man...But many hackers - including those outlaw hackers who are computer intruders and whose activities are defined as criminal - actually attempt to live up to this techno-cowboy reputation. And . . .there is simply no telling what hackers might uncover." The Hacker Crackdown, pg. 54.
30. "Intel's security headache spreads," CNET News.com, February 23, 1999.
31. "Secure Electronic Commerce," p4.
32. A "brute force" attack is one where the computer's ability to rapidly generate and try every conceivable combination is used to break an encryption lock. That is why the length of the encryption key is important: the longer the key, the harder it is to break in this fashion. Any secure system should be impervious because it would have alarm trips for multiple unsuccessful password attempts. However, because each Web transmission is independent of another, it is more difficult to create protections against brute force attacks.
33. The Security and Freedom through Encryption (SAFE) Act (H.R. 850), which will lift restrictions on U.S. encryption products overseas and prevent U.S. Government attempts to control private party encryption by the use of escrow "keys" to all encrypted systems, has, at this writing, 258 cosponsors and is poised for passage on the House floor. A similar bill on the Senate side, the Promote Reliable Online Transactions to Encourage Commerce and Trade (PROTECT) measure, is moving in parallel. The Clinton Administration, citing the threat of international terrorism, opposes certain elements of these bills. This debate will affect the level and type of encryption available to be used in an Internet voting system.
34. The House Commerce Finance and Hazardous Materials Subcommittee unanimously approved legislation (HR 1714) on July 22, 1999, which contains authorization for electronic signature use in e-commerce.
35. "Analyzing State Digital Signature Legislation," Thomas J Smedinhoff, McBride Baker & Coles, August 1997.
36. "Firm unveils fingerprint ID system," February 12, 1999; "Log-ins now done by fingerprint," July 7, 1998, CNET News.com.
37. John Woodward, privacy attorney and advisor to the Biometric Industry Association, "Bar Codes for the Body Make it to the Market," The Washington Post, June 21, 1999.
Copyright © 1998 Voting Integrity Project. All rights reserved.