[iwar] Historical posting


From: Fred Cohen <fc@all.net>
To: iwar@onelist.com

Mon, Jan 1, 1999


Received: (from fc@localhost) by all.net (8.9.3/8.7.3) id FAA15269 for iwar@onelist.com; Tue, 18 Apr 2000 05:21:43 -0700
To: iwar@onelist.com
MIME-Version: 1.0
Mailing-List: list iwar@egroups.com; contact iwar-owner@egroups.com
Delivered-To: mailing list iwar@egroups.com
Precedence: bulk
Date: Mon, Jan 1, 1999
From: Fred Cohen 
Reply-To: iwar@egroups.com
Subject: [iwar] Historical posting


                     PFIR Statement on Internet Voting

               (http://www.pfir.org/statements/2000-02-26)

        PFIR - People For Internet Responsibility - http://www.pfir.org

        [ To subscribe or unsubscribe to/from this list, please send the
          command "subscribe" or "unsubscribe" respectively (without the
          quotes) in the body of an e-mail to "pfir-request@p...". ]


2000-02-26

Greetings.  As the election season gets into full swing, the concept of
voting via the Internet has been receiving a great deal of attention.  The
Arizona Democratic Party is in fact about to hold what they say is the first
legally-binding U.S. public election (their presidential primary in early
March) which will allow Web-based voting.  This is being touted as a major
and obvious step forward.  In reality, this rush to permit such voting could
be a highly risky proposition, riddled with serious technical pitfalls that
have rarely been discussed.

Some of these issues are fairly obvious, such as the need to provide for
accurate and verifiable vote counts and simultaneously enforcing rigorous
authentication of voters (while still making it impossible to retroactively
determine how a given person voted).  Certainly all software involved in the
election process (even when online voting is not contemplated) should have
its source code subject to inspection by trusted experts unrelated
to the firms providing those software systems.  When "off-the-shelf"
software is being used for such applications, this presents an interesting
set of problems, to say the least.

But even with such inspections, these systems are likely to have bugs and
problems of various sorts, some of which will not be found and fixed quickly.
This is just an inescapable fact when it comes to virtually all software,
but could have remarkably serious consequences if such unavoidably complex
software systems become integral to virtually all aspects of the actual
voting process.

Perhaps of far greater concern is the apparent lack of understanding
suggested by permitting the use of ordinary PC operating systems and
standard Web browsers for Internet voting.  While the use of digital
certificates and "secure" Web sites for such voting can do a reasonable job
of identifying the connections and protecting the communications between
voters and the voting servers, those are unfortunately not where the biggest
risks are lurking.

In recent cases of mass releases of credit card numbers and other customer
information, it wasn't the communications paths that were compromised, but
security at the servers themselves, even though they were touted as secure
and used advanced encryption technology for communications with customers.
Even with the best of intentions and efforts at good software design, the
same kinds of security failures leading to private information disclosure or
unauthorized modifications are possible in an Internet voting environment,
just as we've seen in the commercial arena.

Another area of serious concern is the ease with which voters' PCs could be
compromised prior to elections by hostile software (which could be
inadvertently loaded onto these systems via e-mail attachments,
innocent-appearing Web downloads, or many other means) and could be designed
to silently and invisibly alter the voter's input, ballot selections, and
displayed output, with no clue to the voter or the voting server that this
has occurred.  If deployed on a sufficiently large scale (which might actually
not need to be very large in the case of tight races), such software
manipulations could actually alter election results.  There is no
obvious technique for avoiding the possibility of such tampering without
resorting to "single-use" operating systems and specialized voting software,
which would need to be specially booted (from distributed floppy disks or
CD-ROMs) on voters' systems, presenting significant configuration
complexities.

The recent rash of Internet distributed denial of service attacks provides
vivid evidence of how simple it is for "invisible" malevolent software to be
distributed to unsuspecting users' computers.  Even existing versions of such
software could potentially be altered to subvert Internet voting in the
manner described above.  Which brings up another point--imagine the ideal
targets that Internet voting servers would make for denial of service
attacks.  What better way to demonstrate power over the Internet than to
prevent people from voting as they had expected?  At the very least it would
foster inconvenience and anger.  Such attacks would also be likely to foster
increased concerns regarding how Internet voting might skew voter
participation in elections--between those persons who are Internet-equipped
and those who do not have convenient Internet access.

Trust in the election process is at the very heart of the world's
democracies.  Internet voting is perhaps the perfect example of an
application where rushing into deployment could have severe negative
repercussions of enormous importance.

--Lauren--
Lauren Weinstein
lauren@p... or lauren@v...
Co-Founder, PFIR: People for Internet Responsibility - http://www.pfir.org
Moderator, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
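
The endpoint-compromise scenario in the statement, modelled as an added Python
example.  This code is not part of the PFIR statement or of the iwar posting;
the session key, the ballot format, the five-voter list and the malware hook
are all constructed for illustration.  It shows the point the statement makes
about where the risk sits: a ballot altered in transit fails the server's
integrity check, but a ballot altered inside the voter's own browser before it
is authenticated passes that check, the voter's confirmation screen still
shows the intended choice, and flipping a single ballot is enough to change
the outcome of a 3-2 race.

```python
"""Constructed model of Internet voting from a compromised PC (added example,
not the PFIR statement's own material).  Voter, browser, malware hook and
server are hypothetical stand-ins."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed shared secret, standing in for whatever the TLS session or
# client certificate would provide.  Browser and server both hold it.
SESSION_KEY = b"constructed-session-key"

# Constructed voter intents: a 3-2 race for candidate A.
INTENTS = [("v1", "A"), ("v2", "A"), ("v3", "A"), ("v4", "B"), ("v5", "B")]


def mac(key: bytes, payload: dict) -> str:
    """HMAC over the canonical ballot, as a naive server-side integrity check."""
    canon = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


@dataclass
class Browser:
    """The voter's ordinary web client; `hook` is the malware, if installed."""
    key: bytes
    hook: object = None                      # callable(choice) -> choice
    screen: list = field(default_factory=list)

    def cast(self, voter_id: str, choice: str) -> dict:
        # The confirmation screen is rendered from the voter's own input ...
        self.screen.append(f"{voter_id}: you voted for {choice}")
        # ... but malware rewrites the selection *before* the ballot is
        # authenticated, so the MAC covers the altered choice.
        if self.hook is not None:
            choice = self.hook(choice)
        ballot = {"voter": voter_id, "choice": choice}
        ballot["mac"] = mac(self.key, dict(ballot))
        return ballot


class Server:
    """Accepts a ballot only if its MAC verifies, then records it."""

    def __init__(self, key: bytes):
        self.key = key
        self.votes = {}

    def receive(self, ballot: dict) -> bool:
        expected = mac(self.key, {"voter": ballot["voter"], "choice": ballot["choice"]})
        if not hmac.compare_digest(expected, ballot["mac"]):
            return False                     # tampered in transit: rejected
        self.votes[ballot["voter"]] = ballot["choice"]
        return True

    def tally(self) -> dict:
        counts = {}
        for choice in self.votes.values():
            counts[choice] = counts.get(choice, 0) + 1
        return counts


def flip_limited(target: str, replacement: str, limit: int):
    """Malware hook: silently flip at most `limit` ballots for `target`."""
    flipped = 0

    def hook(choice: str) -> str:
        nonlocal flipped
        if choice == target and flipped < limit:
            flipped += 1
            return replacement
        return choice

    return hook


def run_election(intents, hook=None, transit_tamper=False) -> dict:
    """Run the constructed election; returns tally, rejections and screen text."""
    browser = Browser(SESSION_KEY, hook=hook)
    server = Server(SESSION_KEY)
    rejected = 0
    for voter_id, choice in intents:
        ballot = browser.cast(voter_id, choice)
        if transit_tamper and ballot["choice"] == "A":
            ballot["choice"] = "B"           # altered *after* the MAC: detectable
        if not server.receive(ballot):
            rejected += 1
    return {"tally": server.tally(), "rejected": rejected, "screen": browser.screen}


if __name__ == "__main__":
    print("honest     :", run_election(INTENTS))
    print("in transit :", run_election(INTENTS, transit_tamper=True))
    print("endpoint   :", run_election(INTENTS, hook=flip_limited("A", "B", 1)))
```

The server's check is doing its job in the transit case (three altered A
ballots are rejected) and is equally satisfied in the endpoint case, where
one flipped ballot turns the 3-2 result into 2-3 while every voter's screen
still reads "you voted for A".  Nothing the server sees distinguishes the
two honest-looking runs, which is the statement's point that channel
security and server-side verification do not reach the voter's PC.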