I’ve written here before about some of the problems with electronic voting machines, where the enthusiasm for new technology has sometimes run ahead of understanding its security implications. Another voting “improvement” that has been discussed is voting via the Internet, which is even more fraught with potential dangers.
The city of Washington DC has recently conducted a test of a proposed Internet voting system for absentee voters. Now, to give the election officials credit, they were doing this to address a real issue, not just trying to be “cool”. Absentee ballots have always had their problems — once, while I was in college, I missed the chance to vote because it took the US Post Office almost two weeks to transport my ballot envelope about 200 miles. The difficulties are larger for military personnel stationed overseas: international mail can be even more dicey, and some of their duty stations don’t exactly have the most convenient and responsive public services.
An article at the Washington Post Web site reports that the DC Board of Elections and Ethics began a trial of the proposed new system last week, and invited computer security folks to probe the system for weaknesses. (This, though potentially embarrassing, was a Good Thing to do.) The trial was suspended after a few days, since it was clear the integrity of the system had been compromised:
After casting a vote, according to test observers, the Web site played “Hail to the Victors” — the University of Michigan fight song.”The integrity of the system had been violated,” said Paul Stenbjorn, the board’s chief technology officer.
Stenbjorn said a Michigan professor whom the board has been working with on the project had “unleashed his students” during the test period, and one succeeded in infiltrating the system.
It will be tempting to make fun of the experiment, since the system did not survive very long, even in a limited trial. However, it is far better to have these flaws discovered in a test than to have them lurking around at the time of an actual election. Getting this right will, I think, be very difficult.
In the context of electronic voting machines, people sometimes wonder aloud why they are potentially such a source of trouble — “after all, we do financial transactions at ATMs all the time”. Without getting mired in the details, the significant difference is the requirement for a secret ballot. Obviously, at an ATM, both the customer and the bank want to be sure of the identity of the parties to the transaction.
It will be interesting to see if this experiment is continued. Although the proposed system obviously was not adequate to the job, the existing scheme is far from ideally secure. For example, absentee voters can scan their completed ballots and submit them as E-mail attachments, a procedure that is a security nightmare. As with most problems in computer security, the first time is very unlikely to be the charm.
Wired has a post in its “Threat Level” blog on this test.