motivated DDoS attacks, like the one
on Wikileaks in 2010 and a reprisal by
Anonymous against MasterCard, have
become relatively common.
A DDoS attack could prevent certain
groups from voting or even disrupt an
entire election, as probably occurred in
a 2003 leadership vote by the New Democratic Party (NDP) in Canada. Internet
voting for the NDP election lasted from
January 2 until the party convention
January 25, 2003. Coincidentally, on
January 25, the same day the Slammer
worm was attacking large numbers of
(unpatched) Windows 2000 servers on
the Internet, the NDP voting site was
reportedly down or effectively unusable for hours.[3]
Due to the secrecy surrounding
the technical aspects of the NDP election, we do not know if the NDP voting site was brought down by a DDoS
attack or by the Slammer worm. The
vendor, election.com, claimed to have
patched the servers against Slammer
and maintained that it experienced
a denial-of-service attack. Unfortunately, election.com provided neither
logs nor other proof that its servers
were patched, nor did it permit expert
examination of its records. There was
no transparency and hence no way for
an independent outsider to determine
what had happened.
Not having learned from the 2003
attack, the NDP suffered a massive
DDoS attack during its March 2012
leadership election. The NDP was so
ill prepared that people attending the
party conference were unable to vote
during the attack, as no back-up paper had been provided. Once again,
there was no independent examination or report.
Loss of the secret ballot. All forms of
remote voting diminish ballot secrecy
and increase the risk of coercion and
vote selling simply because they eliminate voting booths. Internet voting decreases secrecy still further. States that
allow the return of voted ballots by fax
or email attachments have been asking
voters to sign statements relinquishing the right to a secret ballot. Mix nets
and other cryptographic schemes can
mimic the secrecy protections of the
double envelopes traditionally used
to partially preserve ballot secrecy in
postal voting, but they do not protect
against client-side attacks.
The threat to eliminate the secret
ballot for a class of voters is disturbing for several reasons: First, it renders these voters second-class citizens, deprived of a right other citizens
take for granted. Second, there is no
need to eliminate the secret ballot
for overseas voters, as we discussed
earlier. Third, and most important,
ballot-secrecy protection is more than
an individual right; it is a systemic requirement, essential for fair, honest
elections. Without ballot secrecy, voters, especially those in hierarchical organizations, such as the military, may
be subject to coercion. An election
where some voters can be pressured to
vote a particular way is not a free and
fair election.
Bribery. Finally, we cannot rule
out the threat of old-fashioned bribery. National races in the U.S. cost
vast sums—a small fraction of which
would be an exceedingly large bribe
and more than enough to cover the
cost of attacks, such as the one on the
2010 pilot D.C. voting system, as well
as others on voters’ computers. Halderman said his team’s attack would
have cost less than $50,000 at generous consulting rates.
Other Countries
We have focused on Internet voting in
the U.S., but Internet voting has been
used in several other countries, including Estonia and Switzerland, neither of
which protects against malware on voters’ computers, and Norway in 2011.[c]
The Netherlands provided an Internet
voting option in its 2006 parliamentary
elections, but Internet voting was subsequently banned, largely because of
work by a group called “We Don’t Trust
Voting Computers.” The U.K. tried Internet voting on a pilot basis in 2007,
but the U.K. Electoral Commission recommended against further e-voting pilot projects until a range of issues had
been addressed.[40]

[c] Norway uses encryption, but malware on a
voter’s computer is still able to change votes,
so long as the change is consistent with the
partial proof sent to the voter or the voter does
not check the partial proof.

Far Future
Systems like Helios[15] and Remotegrity[37] use encryption to allow voters
to verify that their ballots were accurately received and counted. Unfortunately, cryptography does not protect Internet-based elections against
DDoS attacks, spoofing, coercion, design flaws, and many kinds of ordinary
software bugs.[8] Recounts on these
cryptographic voting systems cannot
recover from such threats. While these
systems have been used for some
small Internet elections, the consensus in the cryptographic community
is that they are not ready for use in a
major election. Ben Adida, creator of
Helios, wrote in 2011: “The one problem I don’t know how to address with
Helios is client-side security... We now
have documented evidence...that viruses like Stuxnet that corrupt nuclear
power plants by spreading from one
Windows machine to the other have
been built…So if you run a very large-scale election for a president of a G8
country, why wouldn’t we see a similar
scenario? Certainly, it’s worth just as
much money; it’s worth just as much
strategically... All the ability doesn’t
change the fact that a client-side corruption in my browser can flip my vote
even before it’s encrypted, and if we…
must have a lot of voters verify their
process, I think we’re going to lose,
because most voters don’t quite do
that yet.”[1] Note that while Helios can
detect DDoS attacks, network attacks,
and several other types of attacks
mentioned here, it cannot prevent, diagnose, or fix them.
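
Added example (not from the article and not Helios code): a toy Python model of the client-side problem Adida describes, in which a ballot altered before it is sealed still passes the voter's receipt check. A hash commitment stands in for ballot encryption, the audit step (opening the sealed ballot on an independent device) is an assumption about how a voter would verify, and all function names are hypothetical.

```python
import hashlib
import secrets


def seal(choice: str, r: bytes) -> str:
    """Stand-in for ballot encryption: a hash commitment to (choice, r)."""
    return hashlib.sha256(r + choice.encode()).hexdigest()


def client_prepare(intended: str, compromised: bool, flip_to: str = "B") -> dict:
    """The voter's browser seals the ballot. A compromised browser
    substitutes the choice before sealing, as in the quoted scenario."""
    used = flip_to if compromised else intended
    r = secrets.token_bytes(16)
    sealed = seal(used, r)
    # The tracker shown to the voter is derived from the sealed ballot only.
    return {"sealed": sealed, "tracker": sealed, "opening": (used, r)}


def receipt_check(ballot: dict, bulletin_board: set) -> bool:
    """Recorded-as-cast check: the voter's tracker appears on the board."""
    return ballot["tracker"] in bulletin_board


def audit(ballot: dict, intended: str) -> bool:
    """Cast-as-intended check: open the sealed ballot on an independent
    device and compare the sealed choice with the voter's intention."""
    used, r = ballot["opening"]
    return seal(used, r) == ballot["sealed"] and used == intended


def detection_probability(flipped: int, audit_rate: float) -> float:
    """Chance that at least one of `flipped` altered ballots is audited,
    assuming each ballot is audited independently with `audit_rate`."""
    return 1 - (1 - audit_rate) ** flipped


def demo() -> tuple:
    """Constructed scenario: voter intends 'A', compromised client seals 'B'."""
    board = set()
    ballot = client_prepare("A", compromised=True)
    board.add(ballot["sealed"])
    return receipt_check(ballot, board), audit(ballot, "A")


if __name__ == "__main__":
    print("receipt check passes, audit passes:", demo())
    print("P(detect) at 1% audit rate, 100 flips:",
          round(detection_probability(100, 0.01), 3))
```

The receipt check succeeds because it only confirms that the sealed ballot was recorded; only the audit compares the sealed choice with the voter's intention, so detection depends on how many voters perform it.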
Perhaps eventually a paperless
cryptographic Internet voting system
will be developed that is sufficiently
secure, accurate, usable, and transparent to be used in major elections.
Until then, the conclusion of the National Commission on Federal Election Reform, co-chaired by Presidents
Gerald R. Ford and Jimmy Carter in
2001, still stands, that Internet voting
“is an idea whose time most certainly
has not yet come.”[11]
Conclusion
Proposals for conducting voting pilot
projects using real elections continue
to reappear in the U.S. and elsewhere,
apparently independent of warnings
from computer-security experts. While
the appeal of Internet voting is obvious, the risks are not, at least to many
decision makers. Computer profes-