Arizona did something very
interesting in the 2008 general election: it accepted votes over the internet.
Is it a good idea, or not?Some individual counties have
experimented with allowing online voting for overseas citizens, and the
Pentagon considered its own system in 2004, before abandoning it because of security
issues. But Arizona was the first to offer internet voting, in a national
election, to all its overseas military and civilian families through a central
website. Election officials demonstrated their system at the Computers, Freedom
and Privacy Conference here Thursday, and they seemed pretty confident that it
was secure.“It’s run over a secured system
using industry standard encryption,” said state CIO Craig Stender. “We had many
users from over 50 countries using the system in that election.”Voting rights activists are
alarmed over the growing acceptance of internet-enabled voting — several states
are considering legislation to allow systems like Arizona’s, and Hawaii recent
ran municipal elections online, though participation was dismal. “There is a
big push ongoing to encourage states to introduce internet voting for military
and civilians living abroad,” said computer scientist and e-voting expert
Barbara Simons in a recent e-mail. “Democrats Abroad allowed people to vote in
their 2008 primary using an unbelievably insecure system … Much of these
efforts are occurring under the radar, because national news does not cover a
lot about what is happening at the state level regarding voting.”In the Arizona system, voters
could request an early ballot through a Secretary of State website, and receive
it though snail mail. If there’s no time for the postal service, though, the
voter gets a PDF of the ballot in e-mail.This is where it gets a little
clunky. You can’t fill out the ballot on your computer — you have to print it
out, then use your scanner to scan the completed and signed ballot back onto
your PC. Then you upload the scanned ballot to the aforementioned “secured
system” (it uses SSL).From there, county election
officials can log on and retrieve the ballot through a pretty nifty backend
system. They print it out in your home county, and treat the printout like any
other absentee ballot. The whole system allows an overseas voter to request a
ballot and vote as late as 7:00 p.m. on election day, without planning ahead,
and the state credits it for an unspecified increase in overseas voter
participation in 2008 (of course, participation increased across the board in
2008).Stender, and director of
elections Amy Bjelland, said the system wasn’t true internet voting, because
you couldn’t just go to a website and click on some radio boxes to choose the
next president. But does the print-and-scan technique really make the system
secure?Threat Level can imagine
someone writing a bot that infects unpatched PCs en masse, watches for
interactions with the voting website, then changes the votes in the PDF to
whatever the malware writer wants. Reading and interpreting the ballot would
require some skillful engineering, but no more than what hackers have already
shown in breaking CAPTCHAs like peanut shells, among other things. Conficker’s
author could code this in his sleep.Speaking on the panel here,
computer scientist Avi Rubin pointed out that phishing attacks could also lure
voters onto a fake election website, where the black hats could have their way
with the vote.These attacks are a built-in
risk for any system that proposes to turn home computers into voting booths.
But current, offline voting methods aren’t exactly bulletproof either. Threat
Level asked the officials if they concede a client-side vulnerability, and have
consciously decided that the risks are outweighed by the benefits of getting
more military and overseas participation in an election. They seemed
surprised by the question.“It’s not true internet voting,
so we don’t feel that we have the same security issues that true internet
voting would have,” said Bjelland. She adds that Arizona has some 5,000
different ballot layouts for different voting jurisdictions, which would make
automated tampering a challenge.
Arizona's Internet Voting System
But is it safe?