Internet Voting Technology and policy issues

Internet Voting Technology and policy issues David Wagner UC Berkeley Introductions • I’m a computer security researcher • We study attacks and countermeasures – Before one can design a system that will resist attack, one must anticipate how it might be attacked No Secrets • Proactive study of attacks is generally a good thing • Mounting such attacks is not, of course – Don’t use your super powers for evil Selective History of Voting (US) • • • • • • • • early 1800’s: public oral voting at County Hall 1800’s: free-form, non-secret paper ballots popular 1884: widespread vote fraud 1888: adoption of Australian secret ballot 1930’s: lever machines widely adopted 1960’s: punchcard voting developed 2000: butterfly ballots, chad, Florida, gack! 2002: HAVA Attacks on the Secret Ballot Registration fraud: • Register in multiple jurisdictions • Graveyard voting • “Cleanse” the voter list • Districting & re-districting Insider fraud: • Throw ballot boxes into the bay • Stuff ballot box after polls close • Sleight of hand • Voter intimidation • “Run out of ballots” Tallying attacks: • Malicious talliers might calculate wrong results • Give talliers bogus tools Voter fraud: • Vote multiple times (ballot box stuffing) • Multiple voting • Impersonation Attacks on the Secret Ballot Registration fraud: • Identity fraud Insider fraud: • Ballot box stuffing • Ballot marking Voter fraud: • Impersonation • Vote multiple times • Vote buying, chain voting Tallying attacks: • Inaccurate counts • Ballot marking • Manipulation of challenge procedure How Secure is the Secret Ballot? • It’s easy to forge a few fraudulent votes • But: It’s very hard to forge a lot of fraudulent votes… • Summary: Australian secret ballot is quite robust; a well-designed security system. History of Internet Voting • 2000: 36,000 Arizona citizens vote in Democratic primary over the Internet; 85 military personnel vote in November elections over the Internet • 2000: California studies Internet voting; task force recommends against it • 2000: NSF panel warns of security risks in Internet voting • 2004: SERVE will accept votes over the Internet The SERVE Project • A DoD project for overseas voters • Register & vote from abroad • Vote over the Internet, using your Windows computer Who is eligible for SERVE? Overseas & military voters from participating jurisdictions (7 states, 51 counties) The SERVE Architecture (1) * Citizen HTTPS * SERVEUSA.gov ** Voter Registration Voter Status Check Ballot Definition Overseas voters Ballot Def. Data Web Server Internet HTTPS, SFTP Voting Engine Ballot Reconciliation Encrypted Voted Ballots UVS Control Data LEO Processes •Voter Registration •Ballot Definition •Ballot Decryption UVS Laptop •Ballot Tabulation •Voter History UVS Control Data Ballot Definitions Voted Ballots (Encrypted) * Firewall ** Identification & Authentication Process Election officials SERVE server infrastructure The SERVE Architecture (2) Citizen HTTPS Ballot Def. Data UOCAVA Voting System (UVS) Encrypted Voted Ballots Central Server Voter History UVS Control Data HTTPS LEO Infrastructure Manual Security Risks in SERVE (1) Software flaws: • Unintentional bugs might enable remote attacks • Malicious code might contain a backdoor • COTS software might be insecure or backdoored Insider attacks: • Votes cast could be modified or deleted • Election officials could learn how you voted, or count your votes incorrectly • Sysadmins, developers could bypass security Security Risks in SERVE (2) Attacks on the client: • Worms, viruses • Remote attacks • Malicious websites, ActiveX Website spoofing: • Voters might be redirected to the wrong site (DNS hijacking, email) • Spoofed site might observe or change votes • Automated vote swapping and vote buying Denial of service attacks: • DDoS might render servers unreachable • Targeted disenfranchisement Summary • How do you know that your vote was counted? • How much security is enough? • How much security is too much? You won the election, but I won the count. -- Somoza Discussion? Fighting Words • Internet voting is a danger to democracy • No voting system will ever be perfectly secure; why worry? • Absentee vote-by-mail is already insecure; why should Internet voting be held to a higher standard? • 30% of our military today can’t vote; a little insecurity is worth it if it fixes the problem • The threat of extraterritorial election fraud is new, and requires new laws