Report Says Internet Voting System Is Too Insecure to Use (fwd)

[Dave Farber <dave () farber net>]

Delivered-To: dfarber+ () ux13 sp cs cmu edu
Date: Wed, 21 Jan 2004 17:05:41 -0500 (EST)
From: chodge5 () utk edu
Subject: Report Says Internet Voting System Is Too Insecure to Use (fwd)
X-Sender: hodge () helios dii utk edu
To: Dave Farber <dave () farber net>


Report Says Internet Voting System Is Too Insecure to Use
January 21, 2004
 By JOHN SCHWARTZ

A new $22 million system to allow soldiers and other
Americans overseas to vote via the Internet is inherently
insecure and should be abandoned, according to members of a
panel of computer security experts asked by the government
to review the program.

The system, Secure Electronic Registration and Voting
Experiment, or SERVE, was developed with financing from the
Department of Defense and will first be used in this year's
primaries and general election.

The authors of the new report noted that computer security
experts had already voiced increasingly strong warnings
about the reliability of electronic voting systems, but
they said the new voting program, which allows people
overseas to vote from their personal computers over the
Internet, raised the ante on such systems' risks.

The system, they wrote, "has numerous other fundamental
security problems that leave it vulnerable to a variety of
well-known cyber attacks, any one of which could be
catastrophic." Any system for voting over the Internet with
common personal computers, they noted, would suffer from
the same risks.

The trojans, viruses and other attacks that complicate
modern life and allow such crimes as online snooping and
identity theft could enable hackers to disrupt or even
alter the course of elections, the report concluded. Such
attacks "could have a devastating effect on public
confidence in elections," the report's authors wrote, and
so "the best course to take is not to field the SERVE
system at all."

A spokesman for the Department of Defense said the critique
overstated the importance of the security risks in online
voting. "The Department of Defense stands by the SERVE
program," the spokesman, Glenn Flood, said. "We feel it's
right on, at this point, and we're going to use it."

An official of Accenture, the technology services company
that is the main contractor on the project, said the
researchers drew unwarranted conclusions about future plans
for the voting project. "We are doing a small, controlled
experiment," said Meg McLauglin, president of Accenture
eDemocracy Services.

The Federal Voting Assistance Program, part of the
Department of Defense, plans to officially introduce the
program in the next few weeks. Seven states have signed up
so far to participate: Arkansas, Florida, Hawaii, North
Carolina, South Carolina, Utah and Washington. As many as
100,000 people are expected to use the system this year,
and the total eligible population would about one million.

A move to that larger population of voters is far from
certain, Ms. McLauglin said, and the final system could be
very different from the one being used this year. "It will
be up to Congress and the states to determine if this gets
expanded, and how," she said.`

"Without doing these experiments, we won't learn more and
we won't learn how to help these folks vote in the future,"
she said.

Trying to vote overseas can be a frustrating ordeal. And
Internet voting makes intuitive sense to Americans who have
grown accustomed to buying books, banking and even finding
mates online.

But the authors of the report adamantly state that what
works for electronic commerce doesn't work for electronic
democracy: "E-commerce grade security is not good enough
for elections," they wrote. The dual requirements of
authentication and anonymity make voting very different
from most online purchases, they wrote, and failures and
fraud are covered by Internet merchants and credit card
companies. "How do we recover if an election is
compromised?" they wrote.

The report states, "We recognize that no security system is
perfect, and it would be irresponsible and naïve to demand
perfection; but we must not allow unacceptable risks of
election fraud to taint our national elections."

They said any new system "should be as secure as current
absentee voting systems and should not introduce any new or
expanded vulnerabilities into the election beyond those
already present."

One of the authors of the report, David Wagner, an
assistant professor in the Computer Science Division at the
University of California at Berkeley, said, "The bottom
line is we feel the solution can't be a system that
introduces greater risks just to gain convenience."

Although some of the possible attacks may sound far-fetched
or arcane, the security experts said that each of them had
already been seen in some form out on the Internet.

"We're not making up any theoretical concepts," said Aviel
D. Rubin, an author of the report and the technical
director of the Information Security Institute at Johns
Hopkins University. "These are all things that occur in the
wild that we see all the time."

Computers on the Internet have become ever more vulnerable
to malicious software that takes over the machines'
functions to monitor the users' activities, scan them for
private information or press them into service to launch
attacks on other computers, to send spam or advertise
Internet pornography sites online. "And we're going to use
these as voting booths?" Mr. Rubin asked. "It just doesn't
make any sense."

A major American election would be an irresistible target
for hackers, and the ability of computers to automate tasks
means that many attacks could be carried out on a large
scale, the report said.

The authors said the Federal Voting Assistance Program,
which runs SERVE, and Accenture, the main contractor,
should not be faulted for their work, which they found
innovative and conscientious. Secure Internet voting, the
panel concluded, is an "essentially impossible task."

In fact, the panel said, "there really is no good way to
build such a voting system without a radical change in
overall architecture of the Internet and the PC, or some
unforeseen security breakthrough. The SERVE project is thus
too far ahead of its time, and should wait until there is a
much improved security infrastructure to build upon."

The risks inherent in SERVE are likely to cripple any
system for Internet-based voting, said Barbara Simons, a
technology consultant and coauthor of the report. "It's not
just a SERVE thing," she said.

Such concerns are not new. They have formed the basis of
several recent studies of Internet voting. A report in 2001
by the Internet Policy Institute, financed by the National
Science Foundation, concluded that "remote Internet voting
systems pose significant risk to the integrity of the
voting process and should not be fielded for use in public
elections until substantial technical and social science
issues are addressed."

David Jefferson, an author of the new report and a computer
scientist at Lawrence Livermore National Laboratory in
Northern California, also worked on a 2000 report for the
California secretary of state that reached similar
conclusions. "Nothing fundamental has changed," he said,
since that report was written.

"Nothing we've seen makes us think that this can be made
secure," Mr. Jefferson said.

In attempting to play down the critique of the system, Mr.
Flood of the Defense Department called it a "minority
report," since it involved only 4 of the 10 outside experts
asked to review the system. But Mr. Rubin, the report
co-author, noted that the four authors were the only
members of the group who attended both of the three-day
briefings about the system.

There is no majority report, since the other six experts
have not taken a public stance on the project.

Ms. McLauglin of Accenture said that the company had
contacted the other six members of the outside advisory
group and that five of the six said they would not
recommend shutting down the program.

One of the other outside reviewers, Ted Selker, a professor
at the Massachusetts Institute of Technology, disagreed
with the report, saying it reflected the professional
paranoia of security researchers. "That's their job," he
said.

Mr. Selker, an expert in the ways people use technology,
said security is a less pressing concern than mistakes in
registration databases, poor ballot design and inadequate
polling place procedures. "Every single election machine
I've seen - including the lever machine, including punch
card machines, including paper ballots - has
vulnerabilities," he said.

A security expert and critic of technologically advanced
voting systems who had seen an early draft of the study
applauded the group's work. "What I saw convinced me that
no one should ever vote on that system," said David Dill, a
professor of computer science at Stanford University who
has become active in voting technology issues. "I
understand the problems that people overseas have voting,
especially if they are in the military, and I believe we
have to make it a lot easier for them," he said. "But SERVE
is the wrong solution."

http://www.nytimes.com/2004/01/21/technology/23CND-INTE.html?ex=1075722669&ei=1&en=24c5f9b25e1f0130


Copyright 2003 The New York Times Company

-------------------------------------
You are subscribed as interesting-people () lists elistx com
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/