Politics & Media
Jun 05, 2009, 06:02AM

Arizona's Internet Voting System

But is it safe?

Arizona did something very interesting in the 2008 general election: it accepted votes over the internet. Is it a good idea, or not?

Some individual counties have experimented with allowing online voting for overseas citizens, and the Pentagon considered its own system in 2004, before abandoning it because of security issues. But Arizona was the first to offer internet voting, in a national election, to all its overseas military and civilian families through a central website. Election officials demonstrated their system at the Computers, Freedom and Privacy Conference here Thursday, and they seemed pretty confident that it was secure.

“It’s run over a secured system using industry standard encryption,” said state CIO Craig Stender. “We had many users from over 50 countries using the system in that election.”

Voting rights activists are alarmed over the growing acceptance of internet-enabled voting — several states are considering legislation to allow systems like Arizona’s, and Hawaii recently ran municipal elections online, though participation was dismal. “There is a big push ongoing to encourage states to introduce internet voting for military and civilians living abroad,” said computer scientist and e-voting expert Barbara Simons in a recent e-mail. “Democrats Abroad allowed people to vote in their 2008 primary using an unbelievably insecure system … Much of these efforts are occurring under the radar, because national news does not cover a lot about what is happening at the state level regarding voting.”

In the Arizona system, voters could request an early ballot through a Secretary of State website, and receive it through snail mail. If there’s no time for the postal service, though, the voter gets a PDF of the ballot in e-mail.

This is where it gets a little clunky. You can’t fill out the ballot on your computer — you have to print it out, then use your scanner to scan the completed and signed ballot back onto your PC. Then you upload the scanned ballot to the aforementioned “secured system” (it uses SSL).

From there, county election officials can log on and retrieve the ballot through a pretty nifty backend system. They print it out in your home county, and treat the printout like any other absentee ballot. The whole system allows an overseas voter to request a ballot and vote as late as 7:00 p.m. on election day, without planning ahead, and the state credits it for an unspecified increase in overseas voter participation in 2008 (of course, participation increased across the board in 2008).

Stender, and director of elections Amy Bjelland, said the system wasn’t true internet voting, because you couldn’t just go to a website and click on some radio boxes to choose the next president. But does the print-and-scan technique really make the system secure?

Threat Level can imagine someone writing a bot that infects unpatched PCs en masse, watches for interactions with the voting website, then changes the votes in the PDF to whatever the malware writer wants. Reading and interpreting the ballot would require some skillful engineering, but no more than what hackers have already shown in breaking CAPTCHAs like peanut shells, among other things. Conficker’s author could code this in his sleep.

Speaking on the panel here, computer scientist Avi Rubin pointed out that phishing attacks could also lure voters onto a fake election website, where the black hats could have their way with the vote.

These attacks are a built-in risk for any system that proposes to turn home computers into voting booths. But current, offline voting methods aren’t exactly bulletproof either. Threat Level asked the officials if they concede a client-side vulnerability, and have consciously decided that the risks are outweighed by the benefits of getting more military and overseas participation in an election.

They seemed surprised by the question.

“It’s not true internet voting, so we don’t feel that we have the same security issues that true internet voting would have,” said Bjelland. She adds that Arizona has some 5,000 different ballot layouts for different voting jurisdictions, which would make automated tampering a challenge.

