Abstract

Properly designed and engineered computerized voting systems can facilitate voting and increase the security and reliability of our voting systems. Unfortunately, in their eagerness to have the most modern and best election equipment and to take advantage of almost $4 billion in federal funding, well meaning election officials were quick to accept accuracy and security claims of computerized voting system vendors. Few questions were asked about crucial issues. How secure, accurate, and reliable are these machines? How easy are they to use, especially by people with disabilities? How could an election audit or recount be conducted? There was little or no consultation with independent technical experts on these questions, and remarkably little scientific research. Standards and regulations were inadequate to nonexistent. The implicit assumption appears to have been that no recount would ever be needed, because the new systems were so completely secure and accurate that there would no longer be any reason to challenge an election result. There is now a widespread perception that Internet voting is the wave of the future and the way to save money while increasing voter participation, especially participation of young people. (I can bank online; why can't I vote online?) Not having learned from previous mistakes and against the advice of essentially all computer security experts, Internet voting is currently being used in several countries and in some U.S. States. There is also strong pressure to adopt Internet voting in the U.S. for members of the military and civilians living abroad. In this talk I examine some of the threats of Internet voting in the hope of encouraging the technical community to oppose Internet voting unless and until these threats can be eliminated.
68 COMMUNICATIONS OF THE ACM | OCTOBER 2012 | VOL. 55 | NO. 10
contributed articles
DOI:10.1145/2347736.2347754
Internet Voting in the U.S.
Internet voting is unachievable for the foreseeable future and therefore not inevitable.
BY BARBARA SIMONS AND DOUGLAS W. JONES
Key insights
Internet voting is fundamentally insecure.
Most people do not associate widely publicized computer viruses and worms with Internet voting.
Internet voting is being pushed in many countries by vendors, election officials, and well-meaning people who do not understand the risks.
The assertion that Internet voting is the wave of the future has become commonplace. We frequently are asked, “If I can bank online, why can’t I vote online?” The question assumes that online banking is safe and secure. However, banks routinely and quietly replenish funds lost to online fraud in order to maintain public confidence.
We are told Internet voting would help citizens living abroad or in the military who currently have difficulty voting. Recent federal legislation to improve the voting process for overseas citizens is a response to that problem. The legislation, which has eliminated most delays, requires states to provide downloadable blank ballots but does not require the insecure return of voted ballots.
Yet another claim is that email voting is safer than Web-based voting, but no email program in widespread use today provides direct support for encrypted email. As a result, attachments are generally sent in the clear, and email ballots are easy to intercept and inspect, violating voters’ right to a secret ballot. Intercepted ballots may be modified or discarded without forwarding. Moreover, the ease with which a From header can be forged means it is relatively simple to produce large numbers of forged ballots. These special risks faced by email ballots are in addition to the general risks posed by all Internet-based voting schemes.[17]
Many advocates also maintain that Internet voting will increase voter participation, save money, and is safe. We find the safety argument surprising in light of frequent government warnings of cybersecurity threats and news of powerful government-developed viruses. We see little benefit in measures that might improve voter turnout while casting doubt on the integrity of the results.[a]
Almost all the arguments on behalf of Internet voting ignore a critical risk Internet-based voting shares with all computerized voting—wholesale theft. In the days of hand-counted paper ballots, election theft was conducted at the retail level by operatives at polling places and local election offices. By contrast, introduction of computers into the voting process created the threat that elections can be stolen by inserting malware into code on large numbers of machines. The situation is even more dangerous with Internet voting, since both the central servers and the voters’ computers are potentially under attack from everywhere.
[a] Portions of this article are taken from the book Broken Ballots: Will Your Vote Count? by Douglas W. Jones and Barbara Simons, CSLI Publications, Stanford, CA, 2012; http://brokenballots.com
ILLUSTRATION BY ALICIA KUBISTA/ANDRIJ BORYS ASSOCIATES
Despite the serious threats it poses to election integrity, Internet voting is being used in several countries and U.S. states, and there is increasing public pressure to adopt it elsewhere. We examine some of these threats, in the hope of encouraging the technical community to oppose Internet voting unless and until the threats are eliminated.
D.C. Pilot Test
Internet voting has generally been deployed without being subjected to public testing prior to use. To the best of our knowledge, the only exception was a “digital vote by mail” pilot project in Washington, D.C. in 2010. In June of that year, the Open Source Digital Voting Foundation announced that it had been selected by the District of Columbia Board of Elections and Ethics (BOEE) to support a project to allow Internet voting for military and overseas voters, starting with the upcoming September primary. The BOEE had optimistically planned a “public review period” in advance of the primary in which everyone was invited to try to attack the system in a mock election. While the system was not ready for the primary, a public test was eventually scheduled to run from September 28 to October 6, with midterm election voting scheduled to begin October 11 or 12.
The break-in. By October 1 people testing the system reported hearing the University of Michigan fight song following a 15-second pause after they submitted their ballots.[6,44] A Michigan team had taken over the system within 36 hours of the start of the tests by exploiting a shell-injection vulnerability, thereby gaining almost total control over the BOEE server. The attackers remained in control for two business days, until the BOEE halted the test after noon on October 1. An attacker intent on subverting a real election would not leave such an obvious calling card. The delay between the break-in and the shutdown of the system reveals how difficult it is to determine that a break-in has occurred, even when the “culprits” announce themselves with music.
On October 5, Michigan professor Alex Halderman revealed that, in addition to installing the fight song, his team had changed ballots cast prior to their intrusion, had rigged the system to alter subsequently cast ballots, and could violate voters’ secret ballot rights. That day the BOEE restarted the test with the song removed. Testers were told to print out and mail in their ballots, instead of returning them over the Internet. Figure 1 is the hacked ballot, with write-in candidates selected by the Michigan team.
Figure 1. The rigged District of Columbia ballot.
Halderman was the star of an October 8 oversight hearing, where he dropped additional bombshells. From the start, his team had control of the network infrastructure for the pilot project. The team used the default master password from the owner’s manuals, which had not been changed, for the routers and switches, thereby gaining control of the infrastructure and obtaining an alternative way to steal votes in a real election. Control of the network also enabled the team to watch network operators configure and test the equipment. When they discovered that a pair of security cameras in the BOEE data center was connected to the pilot system and unprotected, the team used the cameras to watch the system operators. As proof, Halderman brought some security-camera photos to the hearing. Halderman even discovered a file used to test the system that consisted of copies of all 937 letters sent to real voters. The letters included voter names, IDs, and 16-character PINs for authentication in the real Internet election. While the team could already change voter selections, inclusion of unencrypted PINs in a file used for testing demonstrates that the BOEE did not understand the fundamental principles of computer security. The PINs would have allowed the team or any other intruder to cast ballots for actual voters. Finally, Halderman found evidence of attempted break-ins that appeared to be from China and Iran. Since the attempts involved trying to guess the network logins, the Michigan team changed the previously unchanged defaults (user: admin, password: admin). Whether or not they were intentionally directed at the D.C. voting system, the attempts showed how dangerous the Internet can be, with sophisticated adversaries from around the world constantly trying to break in to systems.
Implications of the attack. The D.C. incursion illustrates how Internet voting can be attacked from anywhere. Most complex software systems have an abundance of vulnerabilities, with attackers needing to exploit just one. Moreover, all attacks except those specifically targeting the designated BOEE election network were out of bounds in the pilot test. Examples of non-allowed attacks included client-side malware; denial-of-service attacks; attacks against ISPs; and DNS, routing, and other network attacks. Attackers in a real election would not have felt bound by such constraints. Once the Michigan team had changed all the votes, it was impossible for D.C. officials to reconstruct the original ballots. In a close race, attackers might control the outcome without risk of detection. It took more than a day for D.C. officials to realize their system had been successfully attacked, despite the musical calling card. By the time officials discovered the attack, it was too late to recover from it.
The BOEE had intended to accept voted ballots over the Internet. If there had been no pilot test or if the Michigan team had not participated, members of the military and civilians living abroad who vote in Washington, D.C. would have been voting over a highly vulnerable system. The BOEE did the right thing (for a municipality determined to deploy Internet voting) by setting up a public test. It also learned an important lesson from the test and ultimately canceled the Internet-ballot-return portion. Voters were instead allowed to download blank ballots from the Web and print and return them by postal mail. Unfortunately, other states have not been as responsible. In the upcoming 2012 U.S. election, 33 states will allow some kind of Internet voting, including at least one Web-based Internet pilot project, and the return of voted ballots over the Internet through email attachment or fax, without first encouraging independent experts to test their systems.[42]
One of us (Jones) has consulted with several election offices, including the BOEE. He observed it to be above average, in terms of both physical and human resources, suggesting that the mistakes found by the Michigan team were not the result of isolated incompetence, but are typical of the best we can expect under current conditions. Likewise, Halderman has said that the quality of the D.C. source code seemed much better than the closed-source electronic voting systems he has examined. Security is difficult, and even organizations with security expertise have been successfully attacked. Given that elections offices are under-resourced, have many other problems to worry about, lack security expertise, and are highly decentralized, it is completely unrealistic to expect extraordinary security competence from them.
The Case for Internet Voting
Despite warnings from independent studies and commissions, as well as sensational news stories about hacking and viruses, some widely held misconceptions about Internet voting persist: It saves money and increases voter turnout; Web-based voting is more secure than postal voting or voting by email or fax; because banking and purchasing can be done over the Internet, voting can be done safely over the Internet; and Internet voting is inevitable—the wave of the future. We discuss the first three points in the following sections and the fourth in the sidebar “Internet Voting and E-Commerce Compared.” Regarding the inevitability of Internet voting, some of the most outspoken Internet voting opponents are highly respected computer security experts. Our goal is to convince you that secure Internet voting is unachievable for the foreseeable future and therefore, we sincerely hope, not inevitable.
Saves money. The cost of Internet voting, especially up-front charges, can be steep. For example, 2009 cost estimates from Internet voting vendor Everyone Counts were so large that a legislative proposal in Washington state to allow Internet voting for military and civilian voters was killed in committee. The estimated costs, obtained by John Gideon of VotersUnite, included proposed up-front costs ranging from $2.5 million to $4.44 million. After that, each county would have been hit with an annual license fee of $20,000–$120,000, plus $2–$7 per overseas voter.[5]
In the March 2011 election in the state of New South Wales, Australia, 46,864 people voted on an Internet voting system called iVotes, also an Everyone Counts product.[33] The development and implementation costs for using iVotes in the election exceeded $3.5 million (Australian dollars), resulting in a cost of about $74 per vote cast. By contrast, the average cost for all forms of voting in the same election was $8 per vote, though the cost per Internet vote would have decreased if amortized over more voters.
Increases turnout. Internet voting does not necessarily increase turnout. Everyone Counts ran an Internet-based election in Swindon, U.K., in 2007 and a local election in Honolulu, HI, in 2009 where votes were cast only by Internet or telephone. The Electoral Commission, established by the U.K. Parliament, determined that Internet voting in Swindon had a negligible effect on turnout; meanwhile, in Honolulu there was an 83% drop in turnout compared to a similar election in 2007.[22,40] We know of no rigorous study of the impact of Internet voting on turnout; conducting such a study would be difficult, since turnout can vary enormously from election to election. But even if Internet voting could increase turnout, the increase would be irrelevant if the election results were at risk of corruption by insecure Internet use.
Web-based voting is more secure. Verifiability and transparency are critical aspects of any election, especially if it involves a secret ballot. It is fundamentally impossible for anyone, even election officials, to directly oversee or observe the tabulation of an Internet-based election, including one that is Web-based. A software bug or an attack could cause an election outcome to be wrong because either the tabulation is incorrect or the voters’ selections were modified. To address such risks, we need to determine after an election that the technology operated correctly and the declared winner actually won.
We can verify the results of a paper-based election by auditing a sample of the cast ballots or, in the extreme, by recounting all of them. Such an audit or recount must involve a secure, observable chain of custody of the ballots, something impossible with current Internet voting technology. Allowing voters to print copies of their ballots for personal use is meaningless, because these copies may not match the electronic versions used in computing the results.
Military Voting
Members of uniformed services and their families and non-military citizens living overseas are called UOCAVA voters, after the U.S. Uniformed and Overseas Citizens Absentee Voting Act of 1986 (http://www.fvap.gov/reference/laws/uocava.html). They have long complained that absentee ballots are never delivered or their returned voted ballots arrive too late to be counted, concerns used to justify the push for Internet voting at both the state and federal levels. A widely discussed solution is to have the military run its own centralized Internet voting system over its high-security infrastructure. This is a bad idea for at least two reasons: First, it runs counter to the principle of civilian control over the military and creates the potential that the military might control the vote. Second, it is unrealistic and unwise to even consider connecting unsecure Web servers run by local election officials to a military network that is supposed to maintain a high level of security. Some supporters of Internet voting for the military have noted that postal mail ballots are also not secure. While it is true that all forms of remote voting pose security problems, Internet voting can be attacked by anyone from anywhere, something that is not the case for postal ballots. In addition, the Internet can be used for wholesale attacks on large numbers of voters, whereas attacks on postal ballots are inherently confined to a retail scale.
Two projects for UOCAVA voters are noteworthy: SERVE, killed in 2004, and Operation BRAVO, implemented in the 2008 U.S. presidential election:
SERVE. The Secure Electronic Registration and Voting Experiment, or SERVE (www.fvap.gov/resources/media/serve.pdf), was the most ambitious project to date intended for use by UOCAVA voters. The goal of the $22 million project was to allow registration and voting over the Internet in the 2004 primaries and general election. Participation by states and counties within those states was voluntary. Voters could use any Windows computer, either their own or a public computer, like those found in libraries and cybercafés. Voters were responsible for the security of whatever computers they used. The vendor was Accenture.
In 2003, a group of experts called the Security Peer Review Group was assembled by the Federal Voting Assistance Program (FVAP) to evaluate SERVE; FVAP was charged with facilitating voting for all UOCAVA voters. Following two three-day meetings with FVAP and the lead technical staff of SERVE, the four computer scientists who attended both meetings, including one of us (Simons), released a report, the conclusion of which said: “Because the danger of successful, large-scale attacks is so great, we reluctantly recommend shutting down the development of SERVE immediately and not attempting anything like it in the future until both the Internet and the world’s home computer infrastructure have been fundamentally redesigned, or some other unforeseen security breakthroughs appear.”[18]
When the report was issued in early 2004, 50 counties in seven states—Arkansas, Florida, Hawaii, North Carolina, South Carolina, Utah, and Washington—were planning to participate in SERVE. FVAP had estimated the maximum overall vote total would be approximately 100,000, including primaries and the general election. On January 30, 2004 Deputy Secretary of Defense Paul Wolfowitz said the Pentagon “…will not be using the SERVE Internet voting project in view of the inability to assure legitimacy of votes that would be cast using the system, which thereby brings into doubt the integrity of election results.”[43] SERVE was subsequently terminated.
Operation BRAVO. In 2008, Operation BRAVO, or Bring Remote Access to Voters Overseas, provided Internet voting from secure kiosks for residents of Okaloosa County, FL. Unlike previous pilot projects, these kiosks were equipped with printers to create paper voter-choice records of voters’ ballots. Voters could verify the records before leaving the kiosk, after which the records were flown back to Okaloosa County for manual reconciliation with the ballots sent over an Internet-based virtual private network. Small discrepancies in the ballot count were uncovered by law professor Martha Mahoney of the University of Miami, but, as of August 2012, BRAVO had yet to release a formal report explaining the discrepancies.[26] The vendor was Scytl.
The Okaloosa County experiment concerned only a single county. Expanding kiosk-based Internet voting for all service members would be very difficult, since the system would have to deal with tens of thousands of different ballot styles and conflicting state rules governing ballot presentation, requirements that would also add significantly to the cost.
The MOVE Act. Instead of Internet voting, why not allow remote voters to download a blank ballot from the Internet, print it, and return the voted ballots by mail? If the blank ballots are available early enough, most voted ballots should arrive in time to be counted. Such a system might not have the pizzazz of Internet voting but would have fewer security issues and almost certainly involve less cost. That is one of the reforms dictated by the 2009 Military and Overseas Voter Empowerment, or MOVE, Act. Written to address the problems of UOCAVA voters, MOVE requires states to make blank ballots available electronically at least 45 days prior to any federal election; UOCAVA voters may also request and receive voter-registration and absentee-ballot applications electronically.
The Military Postal Service Agency analyzed the handling of absentee ballots during the 2010 general election,[29] finding problems with getting postal ballots to members of the military, though paper ballots were generally returned quickly. Many had been electronically downloaded, filled out by service members, and returned by postal mail. The average postal delay for returned ballots was 5.2 days, well ahead of the seven-day limit set by the MOVE Act; 92% of absentee ballots were delivered within seven days of acceptance at overseas Military Post Offices (MPOs). Only 118 out of 23,900 voted ballots, most likely from Afghanistan or Iraq, took 20 or more days to be returned from an MPO. The time to get a voted ballot from a service member to an MPO ranged from two to 20 days. Therefore, if election officials provide downloadable blank ballots at least 45 days before an election, essentially all members of the military should be able to return their voted paper ballots in time to be counted.
Risks
Not satisfied with the significant speed-up provided by MOVE, Internet-voting advocates continue to call for the return of voted ballots through the Internet, either as email attachments or as some kind of Web form. Doing either securely would require solving some of the most intractable problems in cybersecurity:
The server. In the 2010 D.C. pilot project, University of Michigan graduate students attacked the election server over the Internet. Independent hackers, political operatives, foreign governments, and terrorists could also mount such attacks. Local election officials with little or no expertise in computer security have little hope of defending themselves.
Corporate and government vulnerability. Many corporations and government agencies store sensitive or classified information on their computers, sharing with election officials the goal of defending against attackers who might steal or alter such information. Despite large staffs of security professionals with significant resources, computers in major corporations and government agencies have been attacked successfully. For example, a 2008 survey of approximately 1,000 large organizations worldwide found the average loss per organization from intellectual property cybertheft was about $4.6 million.[19] A December 2009 report from the Computer Security Institute (http://gocsi.com) surveying 443 U.S. companies and government agencies found 64% had reported malware infections during the preceding year.[36]
A major China-based Internet attack on Google and many other companies in late 2009 showed that even major corporate sites are vulnerable. The attack targeted Gmail accounts of Chinese human-rights activists and Google’s own intellectual property, including software-development systems.[31] As many as 34 companies were targeted, including Adobe, Juniper Networks, defense contractor Northrop-Grumman, major security supplier Symantec, and Yahoo!.[41] The attacked companies have vastly more security expertise and resources than local election officials or today’s relatively small Internet voting vendors. The attacks used email that appeared to come from trusted sources, so victims would be tricked into clicking on a link or opening an attachment. Then, using a vulnerability in Microsoft’s Internet Explorer browser, the attacker would download and install malware that took complete control of the compromised systems.
George Kurtz, executive vice president and worldwide chief technology officer of McAfee, an Internet security company, expressed dismay at the implications: “All I can say is wow. The world has changed. Everyone’s threat model now needs to be adapted to the new reality of these advanced persistent threats. In addition to worrying about Eastern European cybercriminals trying to siphon off credit card databases, you have to focus on protecting all of your core intellectual property, private nonfinancial customer information and anything else of intangible value.”[23]
Government sites have also been vulnerable. In a March 2010 address to the RSA Security Conference, FBI director Robert S. Mueller said the FBI’s computer network had been penetrated and the attackers had “corrupted data.”[31] Later that year, General Michael Hayden, former director of both the CIA and the NSA, said: “The modern-day bank robber isn’t speeding up to a suburban bank with weapons drawn and notes passed to the teller. He’s on the Web taking things of value from you and me.”[13]
Finally, malware that appears to be government-generated has been used to obtain critical intelligence, as in the case of the Flame virus, and, for targeted attacks, Stuxnet. Both were widely reported to have been developed by the governments of Israel and the U.S., with Stuxnet apparently created to attack Iran’s nuclear facilities.[32,38] Similar tools could allow a foreign power to attack or subvert an Internet election anywhere.
Aldrich Amesb) can do tremendous
damage, even if eventually caught.
The client. Since malware can infect
public or privately owned machines
linked to the Internet without the
owner’s knowledge or permission, cli-
ent-side malware designed to steal an
election poses significant risks for bal-
lots cast from voters’ computers. These
risks include credential theft, copying
of the ballot to a third party, and modi-
fication of the ballot before encryption,
as well as outright prevention of vot-
ing. Machines can be infected in many
ways, including downloading docu-
ments with malicious macros, browser
plugins, or improper security settings.
Furthermore, millions of comput-
ers are already connected to botnets.
In 2010, the FBI reported the Mariposa
botnet may have infected eight million
to 12 million computers worldwide.9
The virus used to create the botnet
could steal credit-card data and online-
b Ames gave the Soviet Union significant U.S.
secrets resulting in the death of a number of
“CIA assets.”
Insider attacks. While many secu-
rity discussions focus on outsider at-
tacks, insider attacks might be even
more dangerous. A risk of any com-
puterized voting, including Internet
voting, is that one or more insiders
(programmers, election officials,
volunteers, or vendors to whom the
election is outsourced) could rig an
election by manipulating election
software. Since computerized voting
is an opportunity for wholesale rig-
ging through software used by large
numbers of voters, the size of the
conspiracy needed to win an election
is greatly reduced, as is the risk of be-
ing caught.
An attacker could add a back door
to the system, with or without the
vendor’s knowledge. In general, no
amount of testing can be relied on to
reveal the presence of a back door. A
thorough code review (not required
by current law) can sometimes do
this, but code reviews cannot reliably
distinguish between an innocent mis-
take and intentional malware. A trust-
ed insider (such as former CIA agent
Internet voting involves complications not found in e-commerce:
Secret ballots. Secret ballots are required by law to protect against vote buying
and coercion. Ballot secrecy prohibits anyone from linking voted ballots to the
voters casting them. This precludes the kind of transaction logging routinely used in
e-commerce to allow reconstruction of who did what and when, should a question
arise.
Receipts. Receipts, including unique transaction numbers and complete transaction
descriptions, are routinely issued in e-commerce. These receipts confirm that the
correct orders were placed and may be used as proof of purchase in the event of
disputes. Ballot secrecy prevents issuing any documents to voters that voters could use
to prove how they voted. Documents that do not provide such proof are of limited use in
an audit or recount.
Malfunction and fraud. In the event of an e-commerce failure due to malfunction or
fraud, there is a good chance the situation will be rectified or that the purchaser can
stop a credit-card payment after noticing the discrepancy. However, if a ballot is not
successfully cast on election day, the voter probably will not know and almost certainly
will not be able to revote.
Vote buying and selling. Unlike commercial activities, vote buying and selling is
illegal. In the 2000 U.S. presidential election between Republican George W. Bush
and Democrat Al Gore, an online system designed to broker Green Party candidate
Ralph Nader and Gore votes was created but forced to shut down by the California
attorney general. There is no evidence that any votes were actually traded. With Internet
voting, voters could sell their voting credentials, perhaps even online, using a Web site
designed to automatically cast their ballots.a
No proposed Internet voting system is able to overcome these hurdles.
a When family members vote on a home computer or citizens vote from a computer in a public
library, multiple voters will share the same IP address; while it is possible to detect multiple votes
from one IP address, it would be problematic to prohibit them.
Internet Voting and
E-Commerce Compared
banking passwords, as well as launch a denial-of-service attack; the creator of the virus also sold customized versions with augmented features. A Microsoft report estimated that in the first half of 2010 more than 2.2 million U.S. Windows PCs were in botnets.[4]
Those wishing to rig elections need not build new botnets. Many botnets used for financial fraud are available for rent. It would not take a large staff to alter existing malware to attack elections, and it would not be out of character for existing malware developers to offer ready-to-customize election-rigging malware as soon as Internet voting were to enter widespread use.
The sheer number of potential attacks and the difficulty of preventing any of them increase the vulnerability of Internet-based elections. In light of the many successful attacks against governments, major banks, and the world’s technology leaders, it should be relatively easy to entrap large numbers of voters who are not technologists. Once a voter’s computer is infected, all bets are off. Malware can make the computer display a ballot image that represents the voter’s intent correctly, even as it sends something entirely different over the Internet. That is, it is the virus that votes, not the voter. The voter never knows, because it is impossible for the voter to see what is actually sent.
Since antivirus software works by checking for known viruses and worms, whenever a new virus appears, the antivirus software must be updated. There can be many days or even weeks between the time the virus is initially distributed and when it is recognized and analyzed. After that, the virus fix must be distributed, and victims must disinfect their machines. Because antivirus software has limited capability for recognizing unknown malware, a new virus or worm may well escape detection for a while. Even if detected, removal can be difficult, as most PC owners who have had to deal with adware and spyware are aware. A 2007 study found that antivirus software has become less effective over time, with recognition of malware by most commercial antivirus software falling from 40%–50% at the beginning of 2007 to 20%–30% by the end of that year.[12] Another set of experiments conducted at the University of Michigan showed the number of malware samples detected decreased significantly as the malware became more current; when the malware was only one week old, the detection rate was very low.[34] Given the limitations of antivirus software, an effective attack would be to distribute election-stealing malware far in advance of the election. If the malware were to spread silently, it could infect a large number of machines before being detected, if it is detected at all. Moreover, it might be impossible to determine which votes are modified or even which computers are infected.
The Conficker worm illustrates the risk malware poses to Internet elections. Having rapidly infected from nine million to 15 million machines in 2009, Conficker could “call home” for more instructions, so the unknown creator of Conficker could instruct infected machines to install additional malware remotely without the computer owner’s knowledge.[2] The new instructions might target specific candidates and elections shortly before a vote.
While many viruses and worms are planted without the computer owner’s knowledge, users can be duped into downloading highly questionable software. In August 2009 a spam message circulated, saying “If You dont [sic] like Obama come here, you can help to ddos [Distributed Denial of Service] his site with your installs.” CNET News reported that people who clicked on the email link were offered money in exchange for downloading the software; they were even told to return to the Web site for updates if their virus-detection software deleted their first download.[30] While the source of the software is not known, the goal could have been to disrupt sites associated with President Barack Obama, to engage in identity theft, or even to infect machines of Obama opponents, something that could be especially useful if Internet voting were to become an option in the U.S.
Threat example: The Zeus virus. The Zeus virus illustrates how a virus can manipulate what a voter sees and change the voter’s selection. While Zeus has been used mainly to steal money, it would not be difficult to reprogram it to steal votes.
In April 2009, malicious software was discovered in Paul McCartney’s Web site that redirected visitors to an IP address in Amsterdam in order to exploit vulnerabilities on the victims’ machines to install the Zeus virus.[16] The infection, planted shortly before McCartney’s New York reunion concert with Ringo Starr, was timed to catch as many victims as possible before discovery.
The German edition of Wikipedia was another source of infection.[14] A bogus Wikipedia article about another dangerous piece of malware contained a link to software that would supposedly fix the problem. However, anyone who downloaded the “fix” was actually downloading a copy of Zeus. In 2009 it was estimated by security firm Damballa that Zeus had infected about 3.6 million PCs in the U.S. alone.[28]
Zeus was built to steal money from online financial accounts. When victims would visit their banks’ Web sites, Zeus would copy their credentials and send them to a remote location where they would be used to steal from their accounts. Zeus could even forge financial statements so victims would see no evidence of the theft when checking their online statements.[39] Victims typically learned of the theft only when financial transactions failed to clear due to insufficient funds, at which point it was too late to retrieve the money.
The Zeus virus also spoofed verification systems used by Visa and MasterCard when enrolling new users[7] (see Figure 2), thereby obtaining sensitive information (such as Social Security numbers, card numbers, and PINs) from unknowing victims who would think they were providing the information to the real bank. This information, sent to the attacker’s computers, would be used to defraud the victims.
Yet another attack was reported in August 2010 by Internet security firm M86 Security; the report said that about 3,000 bank customers in the U.K. were victimized by a form of the Zeus virus. The announcement accompanying the report’s release, which did not provide the bank’s name, said the following about the attack:[25] “Unprotected customers were infected by a Trojan—which managed to avoid detection by traditional anti-virus software—while browsing the Internet. The Trojan, a Zeus v3, steals the customer’s online banking ID and hijacks
their online banking sessions. It then checks the account balance and, if the account balance is bigger than GBP 800 value, it issues a money transfer transaction… From July 5, the cyber criminals have successfully stolen GBP 675,000 (c. USD 1,077,000) and the attack is still progressing.”
On September 29, 2010, the U.K. Police Central e-crime Unit announced the arrest of 19 individuals accused of using Zeus to steal $6 million from thousands of victims over a three-month period.[24] To this day, new Zeus attacks continue to be discovered; for example, in October 2010, Computerworld reported that Zeus was attacking Charles Schwab investment accounts,[20] with victims’ machines infected by links to malicious sites hidden in bogus LinkedIn reminders. There is even a criminal service that will compile a Zeus binary for a fee.[10]
Impersonating the election server. Another Internet risk involves Web-site spoofing. Because counterfeit sites can be made to look like legitimate sites, spoofing can fool victims into revealing sensitive personal information. With Internet voting, spoofing can be used to trick voters into thinking they have actually voted when in fact they have not, while also collecting authentication codes and voters’ intended ballots, a violation of the right to a secret ballot.
Phishing involves email messages that appear to be from a legitimate organization, such as a credit-card company. The phony message contains an authentic-looking link that appears to go to a legitimate site but actually goes to a spoofed site. When such email messages and Web sites are well designed, victims end up providing sensitive information, such as credit-card numbers. Phishing is usually used to steal personal information, but can also be used to trick voters into voting on a spoofed Web site. Phishing is a powerful tool for amplifying the power of spoofing, though its effectiveness can be reduced if voters are instructed to always type in the full URL of the voting Web site, instead of just clicking on links.
A counterfeit voting site can conduct a man-in-the-middle attack. In its simplest form, the counterfeit site relies entirely on the real site for content, monitoring and occasionally editing the information flow between the voter and the real election server. This allows the attacker to intercept information, such as passwords and votes, and potentially to alter votes. A more complex counterfeit could simulate a voting session, then use the credentials collected from the voter at a later time to cast a forged ballot. Monitoring the IP addresses from which ballots are cast is not a defense, since multiple voters might share the same IP address for legitimate reasons.
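The point about IP monitoring, here and in the sidebar footnote on shared addresses, can be checked on a constructed ballot log. This is an added example, not material from the article; the log format, the field names, the documentation-range addresses and the thresholds are all assumptions made for illustration.

```python
"""Per-IP ballot monitoring evaluated on a constructed log.

All records are constructed sample data. The 'source' field is ground truth
that a real election server would NOT have; it exists only so the detector's
errors can be counted.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Ballot:
    voter_id: str
    ip: str
    source: str  # hypothetical ground-truth label: "home", "library", "relay"


def build_sample_log():
    log = []
    # 40 single-voter households, one ballot per address.
    for i in range(40):
        log.append(Ballot(f"v{i:03d}", f"198.51.100.{i + 1}", "home"))
    # 10 two-voter households, each pair behind one home address.
    for i in range(10):
        ip = f"203.0.113.{i + 1}"
        log.append(Ballot(f"f{i:03d}a", ip, "home"))
        log.append(Ballot(f"f{i:03d}b", ip, "home"))
    # One public library: 25 voters behind a single address.
    for i in range(25):
        log.append(Ballot(f"l{i:03d}", "192.0.2.10", "library"))
    # One counterfeit site relaying 25 ballots from a single address.
    for i in range(25):
        log.append(Ballot(f"r{i:03d}", "192.0.2.77", "relay"))
    return log


def flag_by_ip(log, max_per_ip):
    """Return the ballots whose source address cast more than max_per_ip."""
    per_ip = Counter(b.ip for b in log)
    return [b for b in log if per_ip[b.ip] > max_per_ip]


def evaluate(log, max_per_ip):
    """Count what a per-IP cap flags, split by the ground-truth label."""
    flagged = flag_by_ip(log, max_per_ip)
    relay_flagged = sum(1 for b in flagged if b.source == "relay")
    relay_total = sum(1 for b in log if b.source == "relay")
    return {
        "max_per_ip": max_per_ip,
        "legitimate_flagged": len(flagged) - relay_flagged,
        "relay_flagged": relay_flagged,
        "relay_missed": relay_total - relay_flagged,
    }


def separating_thresholds(log):
    """Thresholds that flag every relayed ballot and no legitimate ballot."""
    highest = max(Counter(b.ip for b in log).values())
    good = []
    for t in range(1, highest + 1):
        result = evaluate(log, t)
        if result["relay_missed"] == 0 and result["legitimate_flagged"] == 0:
            good.append(t)
    return good


if __name__ == "__main__":
    sample = build_sample_log()
    for threshold in (1, 2, 24, 25):
        print(evaluate(sample, threshold))
    # The server sees only a count per address, and the library's count
    # is the same as the relay's, so no cap separates the two.
    print("separating thresholds:", separating_thresholds(sample))
```

Every cap that flags the relayed ballots also flags the library's 25 voters, and the strictest cap flags the two-voter households as well, which is why detection is possible but prohibition is not.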
A common way to avoid counterfeit Web sites is to rely on a certificate authority (CA) to authenticate sites. If the browser does not recognize the issuer of a certificate, it will ask if the user still wants to access the site. A user who does not understand the significance of the browser’s question may naïvely ignore it and access a counterfeit site. Even when voters are careful to visit only sites they believe are legitimate, they could still be victimized. First, it is possible to trick many browsers into going to the attacker’s, rather than to the legitimate, site.[45] Second, some CAs do not validate the identities of sites they vouch for.[35] Third, an attack on the CA can create fake SSL certificates, as happened to DigiNotar, a Dutch CA.[21] Finally, an attack on the routing infrastructure of the Internet could divert voters to a counterfeit voting site without their noticing the diversion.[27]
Figure 2. Bogus enrollment screen displayed by Zeus; screenshot by Amit Klein of Trusteer.
Denial-of-service attacks. There are many documented instances of Distributed Denial-of-Service (DDoS) attacks. For example, the massive 2007 DDoS attack on Estonia and the attacks on the Republic of Georgia during the 2008 Russo-Georgian war all originated in Russia. Other victims of DDoS attacks include Amazon, eBay, Facebook, Google, Twitter, and Yahoo!. Politically motivated DDoS attacks, like the one on Wikileaks in 2010 and a reprisal by Anonymous against MasterCard, have become relatively common.
A DDoS attack could prevent certain groups from voting or even disrupt an entire election, as probably occurred in a 2003 leadership vote by the New Democratic Party (NDP) in Canada. Internet voting for the NDP election lasted from January 2 until the party convention January 25, 2003. Coincidentally, on January 25, the same day the Slammer worm was attacking large numbers of (unpatched) Windows 2000 servers on the Internet, the NDP voting site was reportedly down or effectively unusable for hours.[3]
Due to the secrecy surrounding the technical aspects of the NDP election, we do not know if the NDP voting site was brought down by a DDoS attack or by the Slammer worm. The vendor, election.com, claimed to have patched the servers against Slammer and maintained that it experienced a denial-of-service attack. Unfortunately, election.com provided neither logs nor other proof that its servers were patched, nor did it permit expert examination of its records. There was no transparency and hence no way for an independent outsider to determine what had happened.
Not having learned from the 2003 attack, the NDP suffered a massive DDoS attack during its March 2012 leadership election. The NDP was so ill prepared that people attending the party conference were unable to vote during the attack, as no back-up paper had been provided. Once again, there was no independent examination or report.
Loss of the secret ballot. All forms of remote voting diminish ballot secrecy and increase the risk of coercion and vote selling simply because they eliminate voting booths. Internet voting decreases secrecy still further. States that allow the return of voted ballots by fax or email attachments have been asking voters to sign statements relinquishing the right to a secret ballot. Mix nets and other cryptographic schemes can mimic the secrecy protections of the double envelopes traditionally used to partially preserve ballot secrecy in postal voting, but they do not protect against client-side attacks.
The threat to eliminate the secret ballot for a class of voters is disturbing for several reasons: First, it renders these voters second-class citizens, deprived of a right other citizens take for granted. Second, there is no need to eliminate the secret ballot for overseas voters, as we discussed earlier. Third, and most important, ballot-secrecy protection is more than an individual right; it is a systemic requirement, essential for fair, honest elections. Without ballot secrecy, voters, especially those in hierarchical organizations, such as the military, may be subject to coercion. An election where some voters can be pressured to vote a particular way is not a free and fair election.
Bribery. Finally, we cannot rule out the threat of old-fashioned bribery. National races in the U.S. cost vast sums—a small fraction of which would be an exceedingly large bribe and more than enough to cover the cost of attacks, such as the one on the 2010 pilot D.C. voting system, as well as others on voters’ computers. Halderman said his team’s attack would have cost less than $50,000 at generous consulting rates.
Other Countries
We have focused on Internet voting in the U.S., but Internet voting has been used in several other countries, including Estonia and Switzerland, neither of which protects against malware on voters’ computers, and Norway in 2011.[c] The Netherlands provided an Internet voting option in its 2006 parliamentary elections, but Internet voting was subsequently banned, largely because of work by a group called “We Don’t Trust Voting Computers.” The U.K. tried Internet voting on a pilot basis in 2007, but the U.K. Electoral Commission recommended against further e-voting pilot projects until a range of issues had been addressed.[40]
[c] Norway uses encryption, but malware on a voter’s computer is still able to change votes, so long as the change is consistent with the partial proof sent to the voter or the voter does not check the partial proof.
Far Future
Systems like Helios[15] and Remotegrity[37] use encryption to allow voters to verify that their ballots were accurately received and counted. Unfortunately, cryptography does not protect Internet-based elections against DDoS attacks, spoofing, coercion, design flaws, and many kinds of ordinary software bugs.[8] Recounts on these cryptographic voting systems cannot recover from such threats. While these systems have been used for some small Internet elections, the consensus in the cryptographic community is that they are not ready for use in a major election. Ben Adida, creator of Helios, wrote in 2011: “The one problem I don’t know how to address with Helios is client-side security...We now have documented evidence...that viruses like Stuxnet that corrupt nuclear power plants by spreading from one Windows machine to the other have been built…So if you run a very large-scale election for a president of a G8 country, why wouldn’t we see a similar scenario? Certainly, it’s worth just as much money; it’s worth just as much strategically... All the ability doesn’t change the fact that a client-side corruption in my browser can flip my vote even before it’s encrypted, and if we…must have a lot of voters verify their process, I think we’re going to lose, because most voters don’t quite do that yet.”[1] Note that while Helios can detect DDoS attacks, network attacks, and several other types of attacks mentioned here, it cannot prevent, diagnose, or fix them.
Perhaps eventually a paperless cryptographic Internet voting system will be developed that is sufficiently secure, accurate, usable, and transparent to be used in major elections. Until then, the conclusion of the National Commission on Federal Election Reform, co-chaired by Presidents Gerald R. Ford and Jimmy Carter in 2001, still stands, that Internet voting “is an idea whose time most certainly has not yet come.”[11]
Conclusion
Proposals for conducting voting pilot projects using real elections continue to reappear in the U.S. and elsewhere, apparently independent of warnings from computer-security experts. While the appeal of Internet voting is obvious, the risks are not, at least to many decision makers. Computer professionals have an obligation to explain these risks.
Pilot projects are routinely declared successes, regardless of any problems encountered. However, it is dangerous to draw conclusions from a “successful” Internet voting pilot project. There is little reason to attack a small pilot project, and a malicious player might refrain from attacking a major election until the new technology is entrenched. Having claimed success, independent of proof of the accuracy of the pilot project, Internet-voting vendors and enthusiasts routinely push to extend Internet voting to a broader group of voters, thereby seriously undermining election security. Computer professionals must object to pilot projects that do not plan for an assessment of the integrity of the election and a public reporting of any discrepancies encountered.
Unlike legitimate computer-security experts, malicious attackers are not likely to publicize their attacks, just as credit-card thieves do not openly advertise their thefts. When election officials and policymakers ask for proof that a voting system has been attacked, it is important to keep in mind that detecting well-devised attacks is inherently difficult. The burden of proof that a voting system has not been attacked should fall on those making the claim, not the other way around.
Ultimately, the balance between the integrity of election technology on the one hand and convenience on the other is both a public-policy and a technological issue. Decision makers must be warned of all the risks in order to craft wise policy.
Acknowledgment
We are grateful to the referees who provided us with excellent recommendations.
References
1. Adida, B. Panelist remarks at panel on Internet voting. Electronic Voting Technology Workshop/Workshop on Trustworthy Elections (San Francisco, Aug. 9, 2011); http://www.usenix.org/events/evtwote11/stream/benaloh_panel/index.html
2. Bowden, M. The enemy within. The Atlantic (June 2010); http://www.theatlantic.com/magazine/archive/2010/06/the-enemy-within/8098/
3. CBC News. Computer vandal delays leadership vote (Jan. 25, 2003); http://www.cbc.ca/news/story/2003/01/25/ndp_delay030125.html
4. Claburn, T. Microsoft Finds U.S. Leads In Botnets. InformationWeek (Oct. 14, 2010); http://www.informationweek.com/security/vulnerabilities/microsoft-finds-us-leads-in-botnets/227800051
5. DeGregorio, P. UOCAVA Voting Scoping Strategy. Washington Secretary of State Public Record, Jan. 18, 2009; http://www.votersunite.org/info/WA-PRR-ScopingStrategy.pdf
6. District of Columbia and Halderman, J.A. Thank you to voters (hacked ballot acknowledgment with Michigan fight song); https://jhalderm.com/pub/dc/thanks/
7. Dunn, J.E. Trojan attacks credit cards of 15 U.S. banks. Techworld (July 14, 2010).
8. Estehghari, S. and Desmedt, Y. Exploiting the client vulnerabilities in Internet e-voting systems: Hacking Helios 2.0 as an example. 2010 Electronic Voting Technology Workshop/Workshop on Trustworthy Elections (Washington D.C., Aug. 9, 2010); http://static.usenix.org/events/evtwote10/tech/full_papers/Estehghari.pdf
9. FBI. FBI, Slovenian and Spanish Police Arrest Mariposo Botnet Creator, Operators. Press Release, July 28, 2010; http://www.fbi.gov/news/pressrel/press-releases/fbi-slovenian-and-spanish-police-arrest-maripora-botnet-creator-operators/
10. Fisher, D. New Service helps attackers get Zeus botnet off the ground. Threatpost (Jan. 10, 2011); http://threatpost.com/en_us/blogs/new-service-helps-attackers-get-zeus-botnet-ground-011011
11. Ford, G.R. and Carter, J. To Assure Pride and Confidence in the Electoral Process. National Commission on Federal Election Reform, Aug. 2001; http://fl1.findlaw.com/news.findlaw.com/hdocs/docs/election2000/electionreformrpt0801.pdf
12. The H Security. Antivirus Protection Worse than a Year Ago. Heise Media, U.K., Dec. 20, 2007; http://www.h-online.com/security/news/item/Antivirus-protection-worse-than-a-year-ago-735697.html
13. Hayden, M. Hackers force Internet users to learn self defense. PBS NewsHour (Aug. 11, 2010); http://www.pbs.org/newshour/bb/science/Jul.-dec10/cyber_08-11.html
14. Head, W. Hackers use Wikipedia to spread malware. IT News for Australian Business (Nov. 6, 2006); http://www.itnews.com.au/News/67796,hackers-use-wikipedia-to-spread-malware.aspx
15. Helios. http://heliosvoting.org/
16. InfoSecurity. McCartney site serves up Zeus malware. InfoSecurity (Apr. 8, 2009); http://www.infosecurity-us.com/view/1178/mccartney-site-serves-up-zeus-malware/
17. Jefferson, D. Email voting: A national security threat in government elections. VerifiedVoting blog (June 2011); http://blog.verifiedvoting.org/2011/06/20/1375
18. Jefferson, D., Rubin, A.B., Simons, B., and Wagner, D. A Security Analysis of the Secure Electronic Registration and Voting Experiment (SERVE), Jan. 20, 2004; http://servesecurityreport.org/
19. Kanan, K., Rees, J., and Spafford, E. Unsecured Economies: Protecting Vital Information. Technical Report. McAfee, Inc., Santa Clara, CA, Feb. 2009; resources.mcafee.com/content/NAUnsecuredEconomiesReport
20. Keizer, G. Zeus botnet gang targets Charles Schwab accounts. Computerworld (Oct. 16, 2010); http://www.computerworld.com/s/article/9191479/Zeus_botnet_gang_targets_Charles_Schwab_accounts
21. Kirk, J. Comodo hacker claims credit for DigiNotar attack. Computerworld (Sept. 2011); http://www.computerworld.com/s/article/9219739/Comodo_hacker_claims_credit_for_DigiNotar_attack
22. KITV. Voting drops 83 percent in all-digital election. Honolulu, May 2009; http://www.kitv.com/politics/19573770/detail.html
23. Kurtz, G. Operation ‘Aurora’ hit Google, others. McAfee Security Insights blog, Jan. 10, 2010; http://blogs.mcafee.com/corporate/cto/operation-aurora-hit-google-others
24. Leyden, J. UK cybercops cuff 19 Zeus banking trojan suspects. The Register (Sept. 29, 2010); www.theregister.co.uk/2010/09/29/zeus_cybercrime_arrests/
25. M86 Security. M86 Security Labs Discovers Customers of Global Financial Institution Hit by Cybercrime. Press Release, London, U.K., Aug. 10, 2010; http://www.marketwire.com/press-release/m86-security-labs-discovers-customers-global-financial-institution-hit-cybercrime-1302266.htm
26. Mahoney, M.R. Comment on Pilot Project Testing and Certification. EAC, Washington, D.C., Apr. 2010; http://www.eac.gov/assets/1/AssetManager/Martha%20Mahoney%20-%20Comment%20on%20Pilot%20Project%20Testing%20and%20Certification.pdf
27. Marsan, C.D. Feds to shore up net security. Network World (Jan. 19, 2009); http://www.pcworld.com/businesscenter/article/157909/feds_to_shore_up_net_security.html
28. Messmer, E. America’s 10 most wanted botnets. Network World (July 22, 2009); http://www.networkworld.com/news/2009/072209-botnets.html
29. Military Postal Service Agency. 2010 Analysis of the Military Postal System Compliance with the MOVE Act. Washington, D.C., Aug. 2, 2011; www.fvap.gov/resources/media/2010_MPSA_after_action_report.pdf
30. Mills, E. Spam offers to let people use their PC to attack Obama site. CNET (Aug. 18, 2009); http://news.cnet.com/8301-1009_3-10312641-83.html?tag=nl.e757
31. Mueller III, R.S. Prepared Remarks. RSA Security Conference, San Francisco, Mar. 4, 2010; http://www.fbi.gov/news/speeches/tackling-the-cyber-threat
32. Nakashima, E., Miller, G., and Tate, J. U.S., Israel developed computer virus to slow Iranian nuclear efforts, officials say. Washington Post (June 19, 2012); http://www.washingtonpost.com/world/national-security/us-israel-developed-computer-virus-to-slow-iranian-nuclear-efforts-officialssay/2012/06/19/gJQA6xBPoV_story.html?wpisrc=al_national
33. New South Wales Electoral Commission. Report on the Conduct of the NSW State Election 2011; http://www.parliament.nsw.gov.au/Prod/parlment/committee.nsf/0/67f2055c4d085409ca25795a0017cf2c/$FILE/NSW%20EC%27s%20Report%20on%20the%202011%20State%20Election.pdf
34. Oberheide, J., Cooke, E., and Jahanian, F. CloudAV: N-version antivirus in the network cloud. In Proceedings of the 17th USENIX Security Symposium (San Jose, CA, July 28–Aug. 1, 2008), 91–106.
35. Palmer, C. Unqualified Names in SSL Observatory. Electronic Frontier Foundation Deeplinks blog, Apr. 5, 2011; https://www.eff.org/deeplinks/2011/04/unqualified-names-ssl-observatory
36. Peters, S. 14th Annual CSI Computer Crime and Security Survey, Executive Summary. Computer Security Institute, New York, Dec. 2009; http://www.docstoc.com/docs/40697141
37. Remotegrity. 2011; https://demo.remotegrity.org/; http://www.scantegrity.org/wiki/index.php/Remotegrity_Frequently_Asked_Questions
38. Sanger, D.E. Obama order sped up wave of cyberattacks against Iran. New York Times (June 1, 2012); http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html?pagewanted=all
39. Trusteer Inc. Measuring the In-the-Wild Effectiveness of Antivirus Against Zeus. White Paper, Sept. 14, 2009; http://www.techrepublic.com/whitepapers/measuring-the-in-the-wild-effectiveness-of-antivirus-against-zeus/1686945/post
40. U.K. Electoral Commission. Key Issues and Conclusions, May 2007 Electoral Pilot Schemes. London, Aug. 2007; http://www.electoralcommission.org.uk/__data/assets/electoral_commission_pdf_file/0009/16200/ICMElectoralPilotsresearchreport_27285-20161__E__N__S__W__.pdf
41. Vascellaro, J.E. and Solomon, J. Yahoo! was also targeted in hacker attack. Wall Street Journal (Jan. 14, 2010); http://online.wsj.com/article/SB10001424052748703657604575004421409691754.html
42. Verified Voting Foundation. Internet Voting 2012; http://www.verifiedvotingfoundation.org/article.php?list=type&type=27
43. Weiss, T.R. Pentagon drops online votes for armed forces. Computer Weekly (Feb. 6, 2004); http://www.computerweekly.com/news/2240054464/Pentagon-drops-online-votes-for-armed-forces
44. Wolchok, S., Wustrow, E., Isabel, D., and Halderman, J.A. Attacking the Washington, D.C. Internet voting system. In Proceedings of the 16th Conference on Financial Cryptography and Data Security (Bonaire, Feb. 28, 2012); http://fc12.ifca.ai/pre-proceedings/paper_79.pdf
45. Zetter, K. Vulnerabilities allow attacker to impersonate any website. Wired.com (July 29, 2009); http://www.wired.com/threatlevel/2009/07/kaminsky/
Barbara Simons (simons@acm.org) is a retired IBM Research staff member, Board Chair of Verified Voting, and former ACM President.
Douglas W. Jones (jones@cs.uiowa.edu) is an associate professor in the Department of Computer Science of the University of Iowa in Iowa City.
© 2012 ACM 0001-0782/12/10 $15.00
... There is a general lack of trust when it comes to the use of information technology in elections [19], as well as i-voting systems. Citizens and political party's lack of trust in an internet voting technology have also been strengthened by some experts' publications of the risk and vulnerabilities associated with the use of internet voting in a legally binding election [19,20]. But it is also important to note that other countries such as Estonia and Brazil have also been able to adopt an internet voting system in their legally binding elections [21]. ...
... The two main constructs that have been identified in previous studies include trust in technology and trust in an entity [6,22,28,33]. Trust in technology examines the security and risk associated with innovation such as privacy, reliability, integrity, and accuracy [20,34]. Trust in technology has been argued to influence the adoption of various e-government services [20,34]. ...
... Trust in technology examines the security and risk associated with innovation such as privacy, reliability, integrity, and accuracy [20,34]. Trust in technology has been argued to influence the adoption of various e-government services [20,34]. Citizens and other stakeholders are skeptical in the use of e-government services such as an electronic voting system due to the uncertainty and risk associated with the technology [20,35]. ...
Chapter
The role of political parties in elections and factors that influence political parties’ internet voting system adoption has hardly been explored. One of the key barriers to internet voting system adoption is the lack of trust in the technology and election management authority by political parties. The lack of trust has led to the rejection of electronic voting systems adoption by various political parties in different African countries. The main aim of this study is to examine the role political parties play in the electoral process and the factors that can influence political parties’ adoption of i-voting system. Using qualitative research design data were collected from political parties’ executives in the form of interviews. Themes that emerged from the analysis include “Increase Voter Turnout”, “Integrity of Voting Results”, “Trust in EC”, “Trust in Technology”, “Perceive Advantages”, and “Technological Illiteracy”. The implication of the research findings was also discussed in the study as well as the limitation of the research and future studies.
... Over a decade ago, Alvarez and Hall (2004) discussed the future of Internet voting and the use of Internet voting in an Arizona county primary. However, there have been several detractors and failures of Internet voting systems due to technology and human failures resulting in several critics of using Internet voting technology (Davide et al., 2010;Dill and Castro, 2008;Epstein, 2013;Simons and Jones, 2012). One of the criticisms leveled at Internet voting systems is their lack of validation prior to deployment (Simons and Jones, 2012). ...
... However, there have been several detractors and failures of Internet voting systems due to technology and human failures resulting in several critics of using Internet voting technology (Davide et al., 2010;Dill and Castro, 2008;Epstein, 2013;Simons and Jones, 2012). One of the criticisms leveled at Internet voting systems is their lack of validation prior to deployment (Simons and Jones, 2012). For example, a Washington DC project was hacked by University of Michigan researchers in less than 36 h by exploiting several system vulnerabilities (Wolchok et al., 2012). ...
Article
Full-text available
Principles required for secure electronic voting using the Internet are known and published. Although the Internet voting functionalities and technologies are well-defined, none of the existing state-sponsored Internet voting approaches in use incorporate a total Internet-based system approach that includes voter registration, the voting process, and vote counting. The distributed Internet voting architecture concept discussed in this article uses a novel thin client approach to Internet voting. The architecture uses existing technologies and knowledge to create a viable whole system approach to Internet voting. This article describes various aspects and processes necessary to support an integrated approach. The application programming interface software for many of the critical functions was developed in Python and functionality tested. A virtual network, including a cloud-based functionality, was created and used to evaluate the various conceptual aspects of the proposed architecture. This included the concepts associated with programming and accessing smart cards, capturing and saving fingerprint data, structuring virtual private networks using tunneling and Internet Protocol Security, encrypting ballots using asymmetric encryption, using symmetric encryption for secret cookies, thin client interaction, and creating hash functions to be used within a blockchain structure in a Merkle tree architecture. The systems’ primary user targets are individuals remotely located from their home voting precincts and senior citizens who have limited mobility and mostly reside in assisted living facilities. The research supports the contention that a cybersecure Internet voting system that significantly reduces the opportunity for mail-in voter fraud, helps to ensure privacy for the voter, including nonrepudiation, nonattribution, receipt freeness, and vote acknowledgment can be created using existing technology.
... A variation of electronic voting systems is to allow the voting to be conducted online, via online network systems such as the Internet [8] [9] or private networks that are setup by the voting authorities. By utilizing online voting systems, there are many advantages when compared to electronic voting systems and traditional ballot systems. ...
... The system should also be robust enough to prevent unauthorized access to the server and the results of the voting. The security aspects of online voting systems are extremely complex, contain many points of attacks and vulnerability, in which attackers only need to exploit one of the points to change the voting results or potentially invalidate parts or all of the voting [9]. Attacks such as distributed denial of service (DDOS) attacks can disable the election network. ...
Article
Voting is an essential activity in the modern democracy. To facilitate the voting process, there are several attempts on proposing an electronic voting system such that, the voting and tallying processes can be done efficiently and the results would be accountable to the public. To date, however, an online electronic voting system has been rarely adopted in practice due to the possibility of having the voting result tampered through vote-rigging or cyber-attacking. In 2009, the blockchain algorithm was proposed by Satoshi Nakamoto. Blockchain is a technique for recording transactions between self-auditing ledgers in an open, distributed, permanent, and verifiable manner. Even though blockchain was originally designed for financial applications, it is possible to apply blockchain to other domains, including in the implementation of an online decentralized-based electronic voting system. In this study, the architecture of a blockchain-based electronic voting system, named BlockVOTE, is proposed. The architecture design and all related formal definitions are given. To validate the proposal, two BlockVOTE prototypes were implemented using two different blockchain application frameworks. The performance analysis of both versions of the prototypes are given. The analysis of both technical and management aspects on the possibility of adopting the proposed decentralized voting system in an actual voting scenario is also given at the end of this study.
... In order to improve transparency, security, and accuracy electronic voting is adopted across the world [1]. Electronic voting is a type of computer-mediated voting that has first been widely used in the United States in 1964 when seven counties shifted to this procedure for the presidential election [2], [3]. ...
... People qualified to vote in the next phase may do so (casting collation). Encrypted and verified voting should be implemented in [49]. The votes must be kept secret, anonymous, and correct, and they cannot be changed or deleted [50,51]. ...
Article
Electronic voting systems must find solutions to various issues with authentication, data privacy and integrity, transparency, and verifiability. On the other hand, Blockchain technology offers an innovative solution to many of these problems. The scalability of Blockchain has arisen as a fundamental barrier to realizing the promise of this technology, especially in electronic voting. This study seeks to highlight the solutions regarding scalable Blockchain-based electronic voting systems and the issues linked with them while also attempting to foresee future developments. A systematic literature review (SLR) was used to complete the task, leading to the selection of 76 articles in the English language from 01.01.2017 to 31.03.2022 from the famous databases. This SLR was conducted to identify well-known proposals, their implementations, verification methods, various cryptographic solutions in previous research to evaluate cost and time. It also identifies performance parameters, the primary advantages and obstacles presented by different systems, and the most common approaches for Blockchain scalability. In addition, it outlines several possible research avenues for developing a scalable electronic voting system based on Blockchain technology. This research helps future research before proposing or developing any solutions to keep in mind all the voting requirements, merits, and demerits of the proposed solutions and provides further guidelines for scalable voting solutions.
... But when it comes to developing African countries, there have been several challenges in the attempt to adopt such technology [8][9][10], which creates a gap in the application of technology in the electoral process. There are different opinions as to the security and reliability of the introduction of an e-voting in elections [7,11]. But in this study, the researcher supports the argument of Wiseman [7]. ...
Article
Since the reports of Russian interference in the 2016 United States General Election, the security of voting processes has received increased attention from both state and federal authorities. The declaration by the US Department of Homeland Security in January 2017 that election systems be classified as the 17th component of critical infrastructure is just the beginning of a need for more secure voting processes. More recently, the COVID-19 pandemic and the 2020 US General Election have placed greater emphasis specifically on mail-based voting processes for electoral systems. The objective of this research is to provide greater insight into potential threats to mail-based voting processes. Upon identifying an attack tree as an initial structure for evaluation, new threats are postulated, and an updated tree is proposed that accounts for more recent activities. Then, using an established assessment framework, the relative likelihood of each mail-based voting process attack scenario is identified. The results facilitate providing election officials and policymakers with greater knowledge of how mail-based voting system vulnerabilities develop as well as specific security measures that may be most beneficial.
Chapter
In recent years, the study of emotion has increased due to the interaction of human with machine as it is helpful to interpret human actions and to improve the relationship among humans and machines for developing the software that can understand the human states and can take action accordingly. This paper focuses on a preliminary study on emotion recognition using various psychological signals. Different researchers investigated various parameters which include facial expression, eye gaze, pupil size variation, eye movements using EEG, and deep learning techniques to extract the emotional features of humans. Diverse researchers have proposed a method for detecting emotions by using different psychological signals and achieved reliable accuracy. After a thorough analysis, it has been observed that the best accuracy achieved on the individual emotion detection was 90%. However, this experiment does not help to classify the specific emotion. To classify the specific emotion, the best accuracy achieved was 79.63%, which is a comparable accuracy.
Chapter
This chapter articulates that scholars write about Human Enhancement Technologies (HET) in two ways. This is not a reflection of a reality in the literature but rather a heuristic designed to contextualize democratic citizenship within contemporary HET discussions. The first way is to write about HET as possible realities far off into the future. The second way is to write about HET that can be realised seemingly as soon as tomorrow. For democratic citizenship, writing in the first case is either utopian or dystopian. It is either the projection of democracy's total triumph or its utter collapse caused by the type of rots that lead to democide. But writing in the second case is stimulating and vibrant. There are, for example, numerous calls for HET-led reforms in the literature. These reforms are needed to help answer the crisis of the citizen's august discontent (the growing and increasingly legitimized political apathy and political abstention observed in, and performed by, the citizenry). The purpose of this chapter is to focus on this second case—this more developed body of literature—and to theorise the interface between democratic citizenship and HET.
Article
Voting has been an accepted means for electing candidates, receiving public approval for referendums and budgets, and for many other tasks where the will of the people, whether a broad population or a select group, can be recorded and measured in a tangible way. Because of advances in technology, together with problems inherent in manual forms of voting, the concepts and issues relating to electronic voting (e-voting) and various other technology-based forms, are being proposed, discussed, and examined. The goal of all such systems is the casting and recording of the votes from eligible voters as they intended to be cast, with adequate security. This security requires that there be no identifiable connection between the voter and the vote that is cast, while providing an audit trail that can be used to validate that every vote was counted and tallied, as cast. The focus of this paper is to examine electronic voting technologies from the perspective of usability in controlled environments. Current research has shown that such systems form the majority of the nascent e-voting technologies, primarily because they have come closest to solving the usability and security issues inherent in technology-based voting systems.
Conference Paper
In 2010, Washington, D.C. developed an Internet voting pilot project that was intended to allow overseas absentee voters to cast their ballots using a website. Prior to deploying the system in the general election, the District held a unique public trial: a mock election during which anyone was invited to test the system or attempt to compromise its security. This paper describes our experience participating in this trial. Within 48 hours of the system going live, we had gained near-complete control of the election server. We successfully changed every vote and revealed almost every secret ballot. Election officials did not detect our intrusion for nearly two business days — and might have remained unaware for far longer had we not deliberately left a prominent clue. This case study — the first (to our knowledge) to analyze the security of a government Internet voting system from the perspective of an attacker in a realistic pre-election deployment — attempts to illuminate the practical challenges of securing online voting as practiced today by a growing number of jurisdictions.
Article
Helios is a web-based open-audit voting system designed using state of the art web technologies and advanced cryptographic techniques to provide integrity of ballots and voter secrecy in an insecure Internet environment. In this paper, we demonstrate a simple attack against Helios 2.0 that takes advantage of the fact that every candidate in Helios can provide a URL referring to his/her candidacy statement. A malicious candidate, who wishes to win a Helios-managed election, uploads a specially crafted PDF file containing a candidacy statement to his/her website. The attack is then triggered against each voter who is using a vulnerable machine. The security of the machine is undermined, e.g., when the voter visits the attacker's webpage. In essence, we exploit Adobe Acrobat/Reader's vulnerabilities to install a malicious browser extension on the voters' machines. Such an extension provides an opportunity for an attacker which may fool the voter (using Social Engineering) into accepting a hacked ballot. Due to our attack Helios 2.0 was upgraded to Helios 3.0. We discuss generalizations and the impact of the latest upgrade of Helios on security. We also discuss defences against this attack, generalizations and the impact of the latest upgrade of Helios on security.
Conference Paper
Antivirus software is one of the most widely used tools for detecting and stopping malicious and unwanted files. However, the long term effectiveness of traditional host-based antivirus is questionable. Antivirus software fails to detect many modern threats and its increasing complexity has resulted in vulnerabilities that are being exploited by malware. This paper advocates a new model for malware detection on end hosts based on providing antivirus as an in-cloud network service. This model enables identification of malicious and unwanted software by multiple, heterogeneous detection engines in parallel, a technique we term 'N-version protection'. This approach provides several important benefits including better detection of malicious software, enhanced forensics capabilities, retrospective detection, and improved deployability and management. To explore this idea we construct and deploy a production quality in-cloud antivirus system called CloudAV. CloudAV includes a lightweight, cross-platform host agent and a network service with ten antivirus engines and two behavioral detection engines. We evaluate the performance, scalability, and efficacy of the system using data from a real-world deployment lasting more than six months and a database of 7220 malware samples covering a one year period. Using this dataset we find that CloudAV provides 35% better detection coverage against recent threats compared to a single antivirus engine and a 98% detection rate across the full dataset. We show that the average length of time to detect new threats by an antivirus engine is 48 days and that retrospective detection can greatly minimize the impact of this delay. Finally, we relate two case studies demonstrating how the forensics capabilities of CloudAV were used by operators during the deployment.