# Internet Voting in the US

## Abstract

Properly designed and engineered computerized voting systems can facilitate voting and increase the security and reliability of our voting systems. Unfortunately, in their eagerness to have the most modern and best election equipment and to take advantage of almost $4 billion in federal funding, well-meaning election officials were quick to accept accuracy and security claims of computerized voting system vendors. Few questions were asked about crucial issues. How secure, accurate, and reliable are these machines? How easy are they to use, especially by people with disabilities? How could an election audit or recount be conducted? There was little or no consultation with independent technical experts on these questions, and remarkably little scientific research. Standards and regulations were inadequate to nonexistent. The implicit assumption appears to have been that no recount would ever be needed, because the new systems were so completely secure and accurate that there would no longer be any reason to challenge an election result. There is now a widespread perception that Internet voting is the wave of the future and the way to save money while increasing voter participation, especially participation of young people. (I can bank online; why can't I vote online?) Not having learned from previous mistakes and against the advice of essentially all computer security experts, Internet voting is currently being used in several countries and in some U.S. states. There is also strong pressure to adopt Internet voting in the U.S. for members of the military and civilians living abroad. In this talk I examine some of the threats of Internet voting in the hope of encouraging the technical community to oppose Internet voting unless and until these threats can be eliminated.

68 COMMUNICATIONS OF THE ACM | OCTOBER 2012 | VOL. 55 | NO. 10

contributed articles

DOI:10.1145/2347736.2347754

Internet voting is unachievable for the foreseeable future and therefore not inevitable.

BY BARBARA SIMONS AND DOUGLAS W. JONES

The assertion that Internet voting is the wave of the future has become commonplace. We frequently are asked, “If I can bank online, why can’t I vote online?” The question assumes that online banking is safe and secure. However, banks routinely and quietly replenish funds lost to online fraud in order to maintain public confidence.

We are told Internet voting would help citizens living abroad or in the military who currently have difficulty voting. Recent federal legislation to improve the voting process for overseas citizens is a response to that problem. The legislation, which has eliminated most delays, requires states to provide downloadable blank ballots but does not require the insecure return of voted ballots.

Yet another claim is that email voting is safer than Web-based voting, but no email program in widespread use today provides direct support for encrypted email. As a result, attachments are generally sent in the clear, and email ballots are easy to intercept and inspect, violating voters’ right to a secret ballot. Intercepted ballots may be modified or discarded without forwarding. Moreover, the ease with which a From header can be forged means it is relatively simple to produce large numbers of forged ballots. These special risks faced by email ballots are in addition to the general risks posed by all Internet-based voting schemes.[17]

Many advocates also maintain that Internet voting will increase voter participation, save money, and is safe. We find the safety argument surprising in light of frequent government warnings of cybersecurity threats and news of powerful government-developed viruses.
We see little benefit in measures that might improve voter turnout while casting doubt on the integrity of the results.[a]

Almost all the arguments on behalf of Internet voting ignore a critical risk Internet-based voting shares with all computerized voting—wholesale theft. In the days of hand-counted paper ballots, election theft was conducted at the retail level by operatives at polling places and local election offices. By contrast, introduction of computers into the voting process created the threat that elections can be stolen by inserting malware into code on large numbers of machines. The situation is even more dangerous with Internet voting, since both the central servers and the voters’ computers are potentially under attack from everywhere.

Despite the serious threats it poses to election integrity, Internet voting is being used in several countries and U.S. states, and there is increasing public pressure to adopt it elsewhere. We examine some of these threats, in the hope of encouraging the technical community to oppose Internet voting unless and until the threats are eliminated.

[a] Portions of this article are taken from the book Broken Ballots: Will Your Vote Count? by Douglas W. Jones and Barbara Simons, CSLI Publications, Stanford, CA, 2012; http://brokenballots.com

Key insights

- Internet voting is fundamentally insecure.
- Most people do not associate widely publicized computer viruses and worms with Internet voting.
- Internet voting is being pushed in many countries by vendors, election officials, and well-meaning people who do not understand the risks.

## D.C. Pilot Test

Internet voting has generally been deployed without being subjected to public testing prior to use. To the best of our knowledge, the only exception was a “digital vote by mail” pilot project in Washington, D.C. in 2010.
In June of that year, the Open Source Digital Voting Foundation announced that it had been selected by the District of Columbia Board of Elections and Ethics (BOEE) to support a project to allow Internet voting for military and overseas voters, starting with the upcoming September primary. The BOEE had optimistically planned a “public review period” in advance of the primary in which everyone was invited to try to attack the system in a mock election. While the system was not ready for the primary, a public test was eventually scheduled to run from September 28 to October 6, with midterm election voting scheduled to begin October 11 or 12.

The break-in. By October 1 people testing the system reported hearing the University of Michigan fight song following a 15-second pause after they submitted their ballots.[6,44] A Michigan team had taken over the system within 36 hours of the start of the tests by exploiting a shell-injection vulnerability, thereby gaining almost total control over the BOEE server. The attackers remained in control for two business days, until the BOEE halted the test after noon on October 1. An attacker intent on subverting a real election would not leave such an obvious calling card. The delay between the break-in and the shutdown of the system reveals how difficult it is to determine that a break-in has occurred, even when the “culprits” announce themselves with music.

On October 5, Michigan professor Alex Halderman revealed that, in addition to installing the fight song, his team had changed ballots cast prior to their intrusion, had rigged the system to alter subsequently cast ballots, and could violate voters’ secret ballot rights. That day the BOEE restarted the test with the song removed. Testers were told to print out and mail in their ballots, instead of returning them over the Internet. Figure 1 is the hacked ballot, with write-in candidates selected by the Michigan team.

Figure 1. The rigged District of Columbia ballot.

Halderman was the star of an October 8 oversight hearing, where he dropped additional bombshells. From the start, his team had control of the network infrastructure for the pilot project. The team used the default master password from the owner’s manuals, which had not been changed, for the routers and switches, thereby gaining control of the infrastructure and obtaining an alternative way to steal votes in a real election. Control of the network also enabled the team to watch network operators configure and test the equipment. When they discovered that a pair of security cameras in the BOEE data center was connected to the pilot system and unprotected, the team used the cameras to watch the system operators. As proof, Halderman brought some security-camera photos to the hearing. Halderman even discovered a file used to test the system that consisted of copies of all 937 letters sent to real voters. The letters included voter names, IDs, and 16-character PINs for authentication in the real Internet election. While the team could already change voter selections, inclusion of unencrypted PINs in a file used for testing demonstrates that the BOEE did not understand the fundamental principles of computer security. The PINs would have allowed the team or any other intruder to cast ballots for actual voters. Finally, Halderman found evidence of attempted break-ins that appeared to be from China and Iran. Since the attempts involved trying to guess the network logins, the Michigan team changed the previously unchanged defaults (user: admin, password: admin). Whether or not they were intentionally directed at the D.C. voting system, the attempts showed how dangerous the Internet can be, with sophisticated adversaries from around the world constantly trying to break in to systems.

Implications of the attack. The D.C. incursion illustrates how Internet voting can be attacked from anywhere. Most complex software systems have an abundance of vulnerabilities, with attackers needing to exploit just one. Moreover, all attacks except those specifically targeting the designated BOEE election network were out of bounds in the pilot test. Examples of non-allowed attacks included client-side malware; denial-of-service attacks; attacks against ISPs; and DNS, routing, and other network attacks. Attackers in a real election would not have felt bound by such constraints. Once the Michigan team had changed all the votes, it was impossible for D.C. officials to reconstruct the original ballots. In a close race, attackers might control the outcome without risk of detection. It took more than a day for D.C. officials to realize their system had been successfully attacked, despite the musical calling card. By the time officials discovered the attack, it was too late to recover from it.

The BOEE had intended to accept voted ballots over the Internet. If there had been no pilot test or if the Michigan team had not participated, members of the military and civilians living abroad who vote in Washington, D.C. would have been voting over a highly vulnerable system. The BOEE did the right thing (for a municipality determined to deploy Internet voting) by setting up a public test. It also learned an important lesson from the test and ultimately canceled the Internet-ballot-return portion. Voters were instead allowed to download blank ballots from the Web and print and return them by postal mail.

Unfortunately, other states have not been as responsible. In the upcoming 2012 U.S. election, 33 states will allow some kind of Internet voting, including at least one Web-based Internet pilot project, and the return of voted ballots over the Internet through email attachment or fax, without first encouraging independent experts to test their systems.[42]

One of us (Jones) has consulted with several election offices, including the BOEE. He observed it to be above average, in terms of both physical and human resources, suggesting that the mistakes found by the Michigan team were not the result of isolated incompetence, but are typical of the best we can expect under current conditions. Likewise, Halderman has said that the quality of the D.C. source code seemed much better than the closed-source electronic voting systems he has examined. Security is difficult, and even organizations with security expertise have been successfully attacked. Given that elections offices are under-resourced, have many other problems to worry about, lack security expertise, and are highly decentralized, it is completely unrealistic to expect extraordinary security competence from them.

## The Case for Internet Voting

Despite warnings from independent studies and commissions, as well as sensational news stories about hacking and viruses, some widely held misconceptions about Internet voting persist: It saves money and increases voter turnout; Web-based voting is more secure than postal voting or voting by email or fax; because banking and purchasing can be done over the Internet, voting can be done safely over the Internet; and Internet voting is inevitable—the wave of the future. We discuss the first three points in the following sections and the fourth in the sidebar “Internet Voting and E-Commerce Compared.” Regarding the inevitability of Internet voting, some of the most outspoken Internet voting opponents are highly respected computer security experts. Our goal is to convince you that secure Internet voting is unachievable for the foreseeable future and therefore, we sincerely hope, not inevitable.

Saves money. The cost of Internet voting, especially up-front charges, can be steep.
For example, 2009 cost estimates from Internet voting vendor Everyone Counts were so large that a legislative proposal in Washington state to allow Internet voting for military and civilian voters was killed in committee. The estimated costs, obtained by John Gideon of VotersUnite, included proposed up-front costs ranging from $2.5 million to $4.44 million. After that, each county would have been hit with an annual license fee of $20,000–$120,000, plus $2–$7 per overseas voter.[5]

In the March 2011 election in the state of New South Wales, Australia, 46,864 people voted on an Internet voting system called iVotes, also an Everyone Counts product.[33] The development and implementation costs for using iVotes in the election exceeded $3.5 million (Australian dollars), resulting in a cost of about $74 per vote cast. By contrast, the average cost for all forms of voting in the same election was $8 per vote, though the cost per Internet vote would have decreased if amortized over more voters.

Increases turnout. Internet voting does not necessarily increase turnout. Everyone Counts ran an Internet-based election in Swindon, U.K., in 2007 and a local election in Honolulu, HI, in 2009 where votes were cast only by Internet or telephone. The Electoral Commission, established by the U.K. Parliament, determined that Internet voting in Swindon had a negligible effect on turnout; meanwhile, in Honolulu there was an 83% drop in turnout compared to a similar election in 2007.[22,40] We know of no rigorous study of the impact of Internet voting on turnout; conducting such a study would be difficult, since turnout can vary enormously from election to election. But even if Internet voting could increase turnout, the increase would be irrelevant if the election results were at risk of corruption by insecure Internet use.

Web-based voting is more secure. Verifiability and transparency are critical aspects of any election, especially if it involves a secret ballot. It is fundamentally impossible for anyone, even election officials, to directly oversee or observe the tabulation of an Internet-based election, including one that is Web-based. A software bug or an attack could cause an election outcome to be wrong because either the tabulation is incorrect or the voters’ selections were modified. To address such risks, we need to determine after an election that the technology operated correctly and the declared winner actually won.

We can verify the results of a paper-based election by auditing a sample of the cast ballots or, in the extreme, by recounting all of them. Such an audit or recount must involve a secure, observable chain of custody of the ballots, something impossible with current Internet voting technology. Allowing voters to print copies of their ballots for personal use is meaningless, because these copies may not match the electronic versions used in computing the results.

## Military Voting

Members of uniformed services and their families and non-military citizens living overseas are called UOCAVA voters, after the U.S. Uniformed and Overseas Citizens Absentee Voting Act of 1986 (http://www.fvap.gov/reference/laws/uocava.html). They have long complained that absentee ballots are never delivered or their returned voted ballots arrive too late to be counted, concerns used to justify the push for Internet voting at both the state and federal levels. A widely discussed solution is to have the military run its own centralized Internet voting system over its high-security infrastructure. This is a bad idea for at least two reasons: First, it runs counter to the principle of civilian control over the military and creates the potential that the military might control the vote. Second, it is unrealistic and unwise to even consider connecting unsecure Web servers run by local election officials to a military network that is supposed to maintain a high level of security. Some supporters of Internet voting for the military have noted that postal mail ballots are also not secure. While it is true that all forms of remote voting pose security problems, Internet voting can be attacked by anyone from anywhere, something that is not the case for postal ballots. In addition, the Internet can be used for wholesale attacks on large numbers of voters, whereas attacks on postal ballots are inherently confined to a retail scale.

Two projects for UOCAVA voters are noteworthy: SERVE, killed in 2004, and Operation BRAVO, implemented in the 2008 U.S. presidential election:

SERVE. The Secure Electronic Registration and Voting Experiment, or SERVE (www.fvap.gov/resources/media/serve.pdf), was the most ambitious project to date intended for use by UOCAVA voters. The goal of the $22 million project was to allow registration and voting over the Internet in the 2004 primaries and general election. Participation by states and counties within those states was voluntary. Voters could use any Windows computer, either their own or a public computer, like those found in libraries and cybercafés. Voters were responsible for the security of whatever computers they used. The vendor was Accenture.

In 2003, a group of experts called the Security Peer Review Group was assembled by the Federal Voting Assistance Program (FVAP) to evaluate SERVE; FVAP was charged with facilitating voting for all UOCAVA voters. Following two three-day meetings with FVAP and the lead technical staff of SERVE, the four computer scientists who attended both meetings, including one of us (Simons), released a report, the conclusion of which said: “Because the danger of successful, large-scale attacks is so great, we reluctantly recommend shutting down the development of SERVE immediately and not attempting anything like it in the future until both the Internet and the world’s home computer infrastructure have been fundamentally redesigned, or some other unforeseen security breakthroughs appear.”[18]

When the report was issued in early 2004, 50 counties in seven states—Arkansas, Florida, Hawaii, North Carolina, South Carolina, Utah, and Washington—were planning to participate in SERVE. FVAP had estimated the maximum overall vote total would be approximately 100,000, including primaries and the general election. On January 30, 2004 Deputy Secretary of Defense Paul Wolfowitz said the Pentagon “…will not be using the SERVE Internet voting project in view of the inability to assure legitimacy of votes that would be cast using the system, which thereby brings into doubt the integrity of election results.”[43] SERVE was subsequently terminated.

Operation BRAVO. In 2008, Operation BRAVO, or Bring Remote Access to Voters Overseas, provided Internet voting from secure kiosks for residents of Okaloosa County, FL. Unlike previous pilot projects, these kiosks were equipped with printers to create paper voter-choice records of voters’ ballots. Voters could verify the records before leaving the kiosk, after which the records were flown back to Okaloosa County for manual reconciliation with the ballots sent over an Internet-based virtual private network. Small discrepancies in the ballot count were uncovered by law professor Martha Mahoney of the University of Miami, but, as of August 2012, BRAVO had yet to release a formal report explaining the discrepancies.[26] The vendor was Scytl.

The Okaloosa County experiment concerned only a single county. Expanding kiosk-based Internet voting for all service members would be very difficult, since the system would have to deal with tens of thousands of different ballot styles and conflicting state rules governing ballot presentation, requirements that would also add significantly to the cost.

The MOVE Act. Instead of Internet voting, why not allow remote voters to […]ternet, print it, and return the voted ballots by mail? If the blank ballots are available early enough, most voted ballots should arrive in time to be counted. Such a system might not have the pizzazz of Internet voting but would have fewer security issues and almost certainly involve less cost. That is one of the reforms dictated by the 2009 Military and Overseas Voter Empowerment, or MOVE, Act. Written to address the problems of UOCAVA voters, MOVE requires states to make blank ballots available electronically at least 45 days prior to any federal election; UOCAVA voters may also request and receive voter-registration and absentee-ballot applications electronically.

The Military Postal Service Agency analyzed the handling of absentee ballots during the 2010 general election,[29] finding problems with getting postal ballots to members of the military, though paper ballots were generally returned quickly. Many had been […] by service members, and returned by postal mail. The average postal delay for returned ballots was 5.2 days, well ahead of the seven-day limit set by the MOVE Act; 92% of absentee ballots were delivered within seven days of acceptance at overseas Military Post Offices (MPOs). Only 118 out of 23,900 voted ballots, most likely from Afghanistan or Iraq, took 20 or more days to be returned from an MPO. The time to get a voted ballot from a service member to an MPO ranged from two to 20 days. Therefore, if election officials provide 45 days before an election, essentially all members of the military should be able to return their voted paper ballots in time to be counted.

## Risks

Not satisfied with the significant speed-up provided by MOVE, Internet-voting advocates continue to call for the return of voted ballots through the Internet, either as email attachments or as some kind of Web form. Doing either securely would require solving some of the most intractable problems in cybersecurity:

The server. In the 2010 D.C. pilot […]ate students attacked the election server over the Internet. Independent hackers, political operatives, foreign governments, and terrorists could also mount such attacks. Local election officials with little or no expertise in computer security have little hope of defending themselves.

Corporate and government vulnerability. Many corporations and government agencies store sensitive or classified information on their computers, sharing with election officials the goal of defending against attackers who might steal or alter such information. Despite large staffs of security professionals with significant resources, computers in major corporations and government agencies have been attacked successfully. For example, a 2008 survey of approximately 1,000 large organizations worldwide found the average loss per organization from intellectual property cybertheft was about $4.6 million.[19] A December 2009 report from the Computer Security Institute (http://gocsi.com) surveying 443 U.S. companies and government agencies found 64% had reported malware infections during the preceding year.[36] A major China-based Internet attack on Google and many other companies in late 2009 showed that even major corporate sites are vulnerable. The attack targeted Gmail accounts of Chinese human-rights activists and Google’s own intellectual property, including
software-development systems.31 As
many as 34 companies were targeted,
fense contractor Northrop-Grumman,
major security supplier Symantec, and
Yahoo!.41 The attacked companies have
vastly more security expertise and re-
sources than local election ofﬁcials or
today’s relatively small Internet voting
vendors. The attacks used email that
appeared to come from trusted sourc-
es, so victims would be tricked into
clicking on a link or opening an attach-
ment. Then, using a vulnerability in Mi-
crosoft’s Internet Explorer browser, the
malware that took complete control of
the compromised systems.
George Kurtz, executive vice presi-
dent and worldwide chief technology
ofﬁcer of McAfee, an Internet security
company, expressed dismay at the im-
plications: “All I can say is wow. The
world has changed. Everyone’s threat
model now needs to be adapted to
the new reality of these advanced per-
sistent threats. In addition to worry-
criminals trying to siphon off credit
card databases, you have to focus on
protecting all of your core intellectual
property, private nonﬁnancial custom-
er information and anything else of in-
tangible value.”23
Government sites have also been
vulnerable. In a March 2010 address
to the RSA Security Conference, FBI di-
rector Robert S. Mueller said the FBI’s
ed and the attackers had “corrupted
data.”31 Later that year, General Mi-
chael Hayden, former director of both
the CIA and the NSA, said: “The mod-
ern-day bank robber isn’t speeding
up to a suburban bank with weapons
drawn and notes passed to the teller.
He’s on the Web taking things of value
from you and me.”13
Finally, malware that appears to
be government-generated has been
used to obtain critical intelligence,
as in the case of the Flame virus, and,
for targeted attacks, Stuxnet. Both
were widely reported to have been de-
veloped by the governments of Israel
and the U.S., with Stuxnet apparently
created to attack Iran’s nuclear fa-
cilities.32,38 Similar tools could allow a
foreign power to attack or subvert an
Internet election anywhere.
Aldrich Amesb) can do tremendous
damage, even if eventually caught.
The client. Since malware can infect
public or privately owned machines
linked to the Internet without the
owner’s knowledge or permission, cli-
ent-side malware designed to steal an
election poses signiﬁcant risks for bal-
lots cast from voters’ computers. These
risks include credential theft, copying
of the ballot to a third party, and modi-
ﬁcation of the ballot before encryption,
as well as outright prevention of vot-
ing. Machines can be infected in many
ments with malicious macros, browser
plugins, or improper security settings.
Furthermore, millions of comput-
ers are already connected to botnets.
In 2010, the FBI reported the Mariposa
botnet may have infected eight million
to 12 million computers worldwide.9
The virus used to create the botnet
could steal credit-card data and online-
b Ames gave the Soviet Union signiﬁcant U.S.
secrets resulting in the death of a number of
“CIA assets.”
Insider attacks. While many secu-
rity discussions focus on outsider at-
tacks, insider attacks might be even
more dangerous. A risk of any com-
puterized voting, including Internet
voting, is that one or more insiders
(programmers, election officials,
volunteers, or vendors to whom the
election is outsourced) could rig an
election by manipulating election
software. Since computerized voting
is an opportunity for wholesale rig-
ging through software used by large
numbers of voters, the size of the
conspiracy needed to win an election
is greatly reduced, as is the risk of be-
ing caught.
An attacker could add a back door
to the system, with or without the
vendor’s knowledge. In general, no
amount of testing can be relied on to
reveal the presence of a back door. A
thorough code review (not required
by current law) can sometimes do
this, but code reviews cannot reliably
distinguish between an innocent mis-
take and intentional malware. A trust-
ed insider (such as former CIA agent
Secret ballots. Secret ballots are required by law to protect against vote buying
and coercion. Ballot secrecy prohibits anyone from linking voted ballots to the
voters casting them. This precludes the kind of transaction logging routinely used in
e-commerce to allow reconstruction of who did what and when, should a question
arise.
Receipts. Receipts, including unique transaction numbers and complete transaction
descriptions, are routinely issued in e-commerce. These receipts conﬁrm that the
correct orders were placed and may be used as proof of purchase in the event of
disputes. Ballot secrecy prevents issuing any documents to voters that voters could use
to prove how they voted. Documents that do not provide such proof are of limited use in
an audit or recount.
Malfunction and fraud. In the event of an e-commerce failure due to malfunction or
fraud, there is a good chance the situation will be rectiﬁed or that the purchaser can
stop a credit-card payment after noticing the discrepancy. However, if a ballot is not
successfully cast on election day, the voter probably will not know and almost certainly
will not be able to revote.
Vote buying and selling. Unlike commercial activities, vote buying and selling is
illegal. In the 2000 U.S. presidential election between Republican George W. Bush
and Democrat Al Gore, an online system designed to broker Green Party candidate
Ralph Nader and Gore votes was created but forced to shut down by the California
attorney general. There is no evidence that any votes were actually traded. With Internet
voting, voters could sell their voting credentials, perhaps even online, using a Web site
designed to automatically cast their ballots.a
No proposed Internet voting system is able to overcome these hurdles.
a When family members vote on a home computer or citizens vote from a computer in a public
library, multiple voters will share the same IP address; while it is possible to detect multiple votes
from one IP address, it would be problematic to prohibit them.
Internet Voting and
E-Commerce Compared
74 COMMUNICATIONS OF THE ACM | oCTobeR 2012 | VoL. 55 | no. 10
contributed articles
banking passwords, as well as launch a denial-of-service attack; the creator of the virus also sold customized versions with augmented features. A Microsoft report estimated that in the first half of 2010 more than 2.2 million U.S. Windows PCs were in botnets.4

Those wishing to rig elections need not build new botnets. Many botnets used for financial fraud are available for rent. It would not take a large staff to alter existing malware to attack elections, and it would not be out of character for existing malware developers
rigging malware as soon as Internet voting were to enter widespread use.

The sheer number of potential attacks and the difficulty of preventing any of them increase the vulnerability of Internet-based elections. In light of the many successful attacks against governments, major banks, and the
be relatively easy to entrap large numbers of voters who are not technologists. Once a voter’s computer is infected, all bets are off. Malware can make the computer display a ballot image that represents the voter’s intent correctly, even as it sends something entirely different over the Internet. That is, it is the virus that votes, not the voter. The voter never knows, because it is impossible for the voter to see what is actually sent.

Since antivirus software works by checking for known viruses and worms, whenever a new virus appears, the antivirus software must be updated. There can be many days or even weeks between the time the virus is initially distributed and when it is recognized and analyzed. After that, the virus fix must be distributed, and victims must disinfect their machines. Because antivirus software has limited capability for recognizing unknown malware, a new virus or worm may well escape detection for a while. Even if detected, removal can be difficult, as most PC owners
spyware are aware. A 2007 study found that antivirus software has become less effective over time, with recognition of malware by most commercial antivirus software falling from 40%–50% at the beginning of 2007 to 20%–30% by the end of that year.12 Another set of experiments conducted at the University of Michigan showed the number of malware samples detected decreased significantly as the malware became more current; when the malware was only one week old, the detection rate was very low.34 Given the limitations of antivirus software, an effective attack would be to distribute election-stealing malware far in advance of the election. If the malware were to spread silently, it could infect a large number of machines before being detected, if it is detected at all. Moreover, it might be
are modified or even which computers are infected.

The Conficker worm illustrates the risk malware poses to Internet elections. Having rapidly infected from nine million to 15 million machines in 2009, Conficker could “call home” for more instructions, so the unknown creator of Conficker could instruct infected machines to install additional malware remotely without the computer owner’s knowledge.2 The new instructions might target specific candidates and elections shortly before a vote.

While many viruses and worms are planted without the computer owner’s knowledge, users can be duped into
ware. In August 2009 a spam message circulated, saying “If You dont [sic] like Obama come here, you can help to ddos [Distributed Denial of Service] his site with your installs.” CNET News reported that people who clicked on the email link were offered money in exchange for
source of the software is not known, the goal could have been to disrupt sites associated with President Barack Obama, to engage in identity theft, or even to infect machines of Obama opponents, something that could be especially useful if Internet voting were to become an option in the U.S.

Threat example: The Zeus virus. The Zeus virus illustrates how a virus can manipulate what a voter sees and change the voter’s selection. While Zeus has been used mainly to steal money, it would not be difficult to re-

In April 2009, malicious software was discovered in Paul McCartney’s Web site that redirected visitors to an IP address in Amsterdam in order to exploit vulnerabilities on the victims’ machines to install the Zeus virus.16 The infection, planted shortly before McCartney’s New York reunion concert with Ringo Starr, was timed to catch as many victims as possible before discovery.

The German edition of Wikipedia was another source of infection.14 A dangerous piece of malware contained a link to software that would supposedly fix the problem. However, anyone
was estimated by security firm Dam-
million PCs in the U.S. alone.28

Zeus was built to steal money from online financial accounts. When victims would visit their banks’ Web sites, Zeus would copy their credentials and send them to a remote location where they would be used to steal from their accounts. Zeus could even forge financial statements so victims would see no evidence of the theft when checking their online statements.39 Victims typically learned of the theft only when financial transactions failed to clear due to insufficient funds, at which point it was too late to retrieve the money.

The Zeus virus also spoofed verification systems used by Visa and MasterCard when enrolling new users7 (see Figure 2), thereby obtaining sensitive information (such as Social Security numbers, card numbers, and PINs) from unknowing victims who would think they were providing the information to the real bank. This information, sent to the attacker’s computers, would be used to defraud the victims.

Figure 2. Bogus enrollment screen displayed by Zeus; screenshot by Amit Klein of Trusteer.

Yet another attack was reported in August 2010 by Internet security firm M86 Security; the report said that about 3,000 bank customers in the U.K. were victimized by a form of the Zeus virus. The announcement accompanying the report’s release, which did not provide the bank’s name, said the
tected customers were infected by a Trojan—which managed to avoid de-
ware—while browsing the Internet. The Trojan, a Zeus v3, steals the customer’s online banking ID and hijacks their online banking sessions. It then checks the account balance and, if the account balance is bigger than GBP 800 value, it issues a money transfer transaction… From July 5, the cyber criminals have successfully stolen GBP 675,000 (c. USD 1,077,000) and the attack is still progressing.”

On September 29, 2010, the U.K. Police Central e-crime Unit announced the arrest of 19 individuals accused of using Zeus to steal $6 million from thousands of victims over a three-month period.24 To this day, new Zeus attacks continue to be discovered; for example, in October 2010, Computerworld reported that Zeus was attacking Charles Schwab investment accounts,20 with victims’ machines infected by links to malicious sites hidden in bogus LinkedIn reminders. There is even a criminal service that will compile a Zeus binary for a fee.10

Impersonating the election server. Another Internet risk involves Web-site spoofing. Because counterfeit sites can be made to look like legitimate sites, spoofing can fool victims into revealing sensitive personal information. With Internet voting, spoofing can be used to trick voters into thinking they have actually voted when in fact they have not, while also collecting authentication codes and voters’ intended ballots, a violation of the right to a secret ballot.

Phishing involves email messages that appear to be from a legitimate organization, such as a credit-card company. The phony message contains an authentic-looking link that appears to go to a legitimate site but actually goes to a spoofed site. When such email messages and Web sites are well designed, victims end up providing sensitive information, such as credit-card numbers. Phishing is usually used to steal personal information, but can also be used to trick voters into voting on a spoofed Web site. Phishing is a powerful tool for amplifying the power of spoofing, though its effectiveness can be reduced if voters are instructed to always type in the full URL of the voting Web site, instead of just clicking on links.

A counterfeit voting site can conduct a man-in-the-middle attack. In its simplest form, the counterfeit site relies entirely on the real site for content, monitoring and occasionally editing the information flow between the voter and the real election server. This allows the attacker to intercept information, such as passwords and votes, and potentially to alter votes. A more complex counterfeit could simulate a voting session, then use the credentials collected from the voter at a later time to cast a forged ballot. Monitoring the IP addresses from which ballots are cast is not a defense, since multiple voters might share the same IP address for legitimate reasons.

A common way to avoid counterfeit Web sites is to rely on a certificate authority (CA) to authenticate sites. If the browser does not recognize the issuer of a certificate, it will ask if the user still wants to access the site. A user who does not understand the significance of the browser’s question may naïvely ignore it and access a counterfeit site. Even when voters are careful to visit only sites they believe are legitimate, they could still be victimized. First, it is possible to trick many browsers into going to the attacker’s, rather than to the legitimate, site.45 Second, some CAs do not validate the identities of sites they vouch for.35 Third, an attack on the CA can create fake SSL certificates, as happened to DigiNotar, a Dutch CA.21 Finally, an attack on the routing infrastructure of the Internet could divert voters to a counterfeit voting site without their noticing the diversion.27

Denial-of-service attacks. There are many documented instances of Distributed Denial-of-Service (DDoS) attacks. For example, the massive 2007 DDoS attack on Estonia and the attacks on the Republic of Georgia during the 2008 Russo-Georgian war all originated in Russia. Other victims of DDoS attacks include Amazon, eBay, Facebook, Google, Twitter, and Yahoo!. Politically motivated DDoS attacks, like the one on Wikileaks in 2010 and a reprisal by Anonymous against MasterCard, have become relatively common.

A DDoS attack could prevent certain groups from voting or even disrupt an entire election, as probably occurred in a 2003 leadership vote by the New Democratic Party (NDP) in Canada. Internet voting for the NDP election lasted from January 2 until the party convention January 25, 2003. Coincidentally, on January 25, the same day the Slammer worm was attacking large numbers of (unpatched) Windows 2000 servers on the Internet, the NDP voting site was reportedly down or effectively unusable for hours.3

Due to the secrecy surrounding the technical aspects of the NDP election, we do not know if the NDP voting site was brought down by a DDoS attack or by the Slammer worm. The vendor, election.com, claimed to have patched the servers against Slammer and maintained that it experienced a denial-of-service attack. Unfortunately, election.com provided neither logs nor other proof that its servers were patched, nor did it permit expert examination of its records. There was no transparency and hence no way for an independent outsider to determine what had happened.

Not having learned from the 2003 attack, the NDP suffered a massive DDoS attack during its March 2012 leadership election. The NDP was so ill prepared that people attending the party conference were unable to vote during the attack, as no back-up paper had been provided. Once again, there was no independent examination or report.

Loss of the secret ballot. All forms of remote voting diminish ballot secrecy and increase the risk of coercion and vote selling simply because they eliminate voting booths. Internet voting decreases secrecy still further. States that allow the return of voted ballots by fax or email attachments have been asking voters to sign statements relinquishing the right to a secret ballot. Mix nets and other cryptographic schemes can mimic the secrecy protections of the double envelopes traditionally used to partially preserve ballot secrecy in postal voting, but they do not protect against client-side attacks.

The threat to eliminate the secret ballot for a class of voters is disturbing for several reasons: First, it renders these voters second-class citizens, deprived of a right other citizens take for granted. Second, there is no need to eliminate the secret ballot for overseas voters, as we discussed earlier. Third, and most important, ballot-secrecy protection is more than an individual right; it is a systemic requirement, essential for fair, honest elections. Without ballot secrecy, voters, especially those in hierarchical organizations, such as the military, may be subject to coercion. An election where some voters can be pressured to vote a particular way is not a free and fair election.

Bribery. Finally, we cannot rule out the threat of old-fashioned bribery. National races in the U.S. cost vast sums—a small fraction of which would be an exceedingly large bribe and more than enough to cover the cost of attacks, such as the one on the 2010 pilot D.C. voting system, as well as others on voters’ computers. Halderman said his team’s attack would have cost less than $50,000 at generous consulting rates.

Other Countries
We have focused on Internet voting in the U.S., but Internet voting has been used in several other countries, including Estonia and Switzerland, neither of which protects against malware on voters’ computers, and Norway in 2011.c The Netherlands provided an Internet voting option in its 2006 parliamentary elections, but Internet voting was subsequently banned, largely because of work by a group called “We Don’t Trust Voting Computers.” The U.K. tried Internet voting on a pilot basis in 2007, but the U.K. Electoral Commission recommended against further e-voting pilot projects until a range of issues had

c Norway uses encryption, but malware on a voter’s computer is still able to change votes, so long as the change is consistent with the partial proof sent to the voter or the voter does not check the partial proof.

Far Future
Systems like Helios15 and Remotegrity37 use encryption to allow voters to verify that their ballots were accurately received and counted. Unfortunately, cryptography does not protect Internet-based elections against DDoS attacks, spoofing, coercion, design flaws, and many kinds of ordinary software bugs.8 Recounts on these cryptographic voting systems cannot recover from such threats. While these systems have been used for some small Internet elections, the consensus in the cryptographic community is that they are not ready for use in a major election. Ben Adida, creator of Helios, wrote in 2011: “The one problem I don’t know how to address with Helios is client-side security...We now have documented evidence...that viruses like Stuxnet that corrupt nuclear power plants by spreading from one Windows machine to the other have been built…So if you run a very large-scale election for a president of a G8 country, why wouldn’t we see a similar scenario? Certainly, it’s worth just as much money; it’s worth just as much strategically... All the ability doesn’t change the fact that a client-side corruption in my browser can flip my vote even before it’s encrypted, and if we… must have a lot of voters verify their process, I think we’re going to lose, because most voters don’t quite do that yet.”1 Note that while Helios can detect DDoS attacks, network attacks, and several other types of attacks mentioned here, it cannot prevent, diagnose, or fix them.

Perhaps eventually a paperless cryptographic Internet voting system will be developed that is sufficiently secure, accurate, usable, and transparent to be used in major elections. Until then, the conclusion of the National Commission on Federal Election Reform, co-chaired by Presidents Gerald R. Ford and Jimmy Carter in 2001, still stands, that Internet voting “is an idea whose time most certainly has not yet come.”11

Conclusion
Proposals for conducting voting pilot projects using real elections continue to reappear in the U.S. and elsewhere, apparently independent of warnings from computer-security experts. While the appeal of Internet voting is obvious, the risks are not, at least to many decision makers. Computer professionals have an obligation to explain these risks.

Pilot projects are routinely declared successes, regardless of any problems encountered. However, it is dangerous to draw conclusions from a “successful” Internet voting pilot project. There is little reason to attack a small pilot project, and a malicious player might refrain from attacking a major election until the new technology is entrenched. Having claimed success, independent of proof of the accuracy of the pilot project, Internet-voting vendors and enthusiasts routinely push to extend Internet voting to a broader group of voters, thereby seriously undermining election security. Computer professionals must object to pilot projects that do not plan for an assessment of the integrity of the election and a public reporting of any discrepancies encountered.

Unlike legitimate computer-security experts, malicious attackers are not likely to publicize their attacks, just as credit-card thieves do not openly advertise their thefts. When election officials and policymakers ask for proof that a voting system has been attacked, it is important to keep in mind that detecting well-devised attacks is inherently difficult. The burden of proof that a voting system has not been attacked should fall on those making the claim, not the other way around.

Ultimately, the balance between the integrity of election technology on the one hand and convenience on the other is both a public-policy and a technological issue. Decision makers must be warned of all the risks in order to craft wise policy.
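
The limit described in footnote c and in the Far Future section (a check protects only the voters who perform it, and only the part of the ballot it covers), as an added example that is not from the article or from any deployed voting system. The HMAC return codes, the party/candidate ballot layout, and the rule that the proof covers only the party field are assumptions made for this model, not Norway's or Helios's actual protocol.

```python
import hashlib
import hmac
import random

PARTIES = ["Party A", "Party B", "Party C"]   # constructed sample data
CANDIDATES = ["Candidate 1", "Candidate 2"]   # constructed sample data


def return_code(voter_key: bytes, party: str) -> str:
    """Short code derived from the party the server actually recorded."""
    mac = hmac.new(voter_key, party.encode(), hashlib.sha256).hexdigest()
    return mac[:8].upper()


def code_card(voter_key: bytes) -> dict:
    """Card delivered to the voter on paper before the election."""
    return {party: return_code(voter_key, party) for party in PARTIES}


def partial_proof(voter_key: bytes, received_ballot: dict) -> str:
    """Proof the server returns out of band (assumed: not via the voter's PC).

    Assumption for this model: the proof covers only the "party" field,
    so it is a partial proof of what was recorded.
    """
    return return_code(voter_key, received_ballot["party"])


def change_party(ballot: dict) -> dict:
    """A change the partial proof exposes: the covered field differs."""
    i = PARTIES.index(ballot["party"])
    return {**ballot, "party": PARTIES[(i + 1) % len(PARTIES)]}


def change_candidate(ballot: dict) -> dict:
    """A change consistent with the proof: only the uncovered field differs."""
    i = CANDIDATES.index(ballot["candidate"])
    return {**ballot, "candidate": CANDIDATES[(i + 1) % len(CANDIDATES)]}


def cast(voter_key, intended, client_tamper=None, voter_checks=True):
    """One voting session; returns (vote_changed, detected_by_voter)."""
    sent = dict(intended)
    if client_tamper is not None:      # compromised client rewrites the ballot
        sent = client_tamper(sent)
    proof = partial_proof(voter_key, sent)
    changed = sent != intended
    # The voter compares the proof with the card entry for the intended party.
    detected = voter_checks and code_card(voter_key)[intended["party"]] != proof
    return changed, detected


def simulate(n_voters, infected_rate, check_rate, tamper, seed=2012):
    """Return (ballots_changed, changes_detected) for a constructed electorate."""
    rng = random.Random(seed)
    changed_total = detected_total = 0
    for v in range(n_voters):
        key = hashlib.sha256(f"constructed-voter-{v}".encode()).digest()
        intended = {"party": rng.choice(PARTIES),
                    "candidate": rng.choice(CANDIDATES)}
        infected = rng.random() < infected_rate
        checks = rng.random() < check_rate
        changed, detected = cast(key, intended,
                                 tamper if infected else None, checks)
        changed_total += changed
        detected_total += detected
    return changed_total, detected_total


if __name__ == "__main__":
    for label, tamper in (("covered field", change_party),
                          ("uncovered field", change_candidate)):
        for check_rate in (0.0, 0.3, 1.0):
            changed, detected = simulate(1000, 0.10, check_rate, tamper)
            print(f"{label:16s} check_rate={check_rate:.1f} "
                  f"changed={changed} detected={detected}")
```

Detection in this model tells a voter that something went wrong; it does not restore the intended ballot, which matches the article's remark that such systems can detect some attacks but cannot prevent, diagnose, or fix them.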
Acknowledgment
We are grateful to the referees who provided us with excellent recommendations.
References
1. Adida, B. Panelist remarks at panel on Internet voting. Electronic Voting Technology Workshop/Workshop on Trustworthy Elections (San Francisco, Aug. 9, 2011); http://www.usenix.org/events/evtwote11/stream/benaloh_panel/index.html
2. Bowden, M. The enemy within. The Atlantic (June 2010); http://www.theatlantic.com/magazine/archive/2010/06/the-enemy-within/8098/
3. CBC News. Computer vandal delays leadership vote (Jan. 25, 2003); http://www.cbc.ca/news/story/2003/01/25/ndp_delay030125.html
4. Claburn, T. Microsoft Finds U.S. Leads In Botnets. InformationWeek (Oct. 14, 2010); http://www.informationweek.com/security/vulnerabilities/
5. DeGregorio, P. UOCAVA Voting Scoping Strategy. Washington Secretary of State Public Record, Jan. 18, 2009; http://www.votersunite.org/info/WA-PRR-ScopingStrategy.pdf
6. District of Columbia and Halderman, J.A. Thank you to voters (hacked ballot acknowledgment with Michigan fight song); https://jhalderm.com/pub/dc/thanks/
7. Dunn, J.E. Trojan attacks credit cards of 15 U.S. banks. Techworld (July 14, 2010).
8. Estehghari, S. and Desmedt, Y. Exploiting the client vulnerabilities in Internet e-voting systems: Hacking Helios 2.0 as an example. 2010 Electronic Voting Technology Workshop/Workshop on Trustworthy Elections (Washington D.C., Aug. 9, 2010); http://static.usenix.org/events/evtwote10/tech/full_papers/Estehghari.pdf
9. FBI. FBI, Slovenian and Spanish Police Arrest Mariposo Botnet Creator, Operators. Press Release, July 28, 2010; http://www.fbi.gov/news/pressrel/press-releases/fbi-slovenian-and-spanish-police-arrest-maripora-botnet-creator-operators/
10. Fisher, D. New Service helps attackers get Zeus botnet off the ground. Threatpost (Jan. 10, 2011); http://threatpost.com/en_us/blogs/new-service-helps-attackers-get-zeus-botnet-ground-011011
11. Ford, G.R. and Carter, J. To Assure Pride and Confidence in the Electoral Process. National Commission on Federal Election Reform, Aug. 2001; http://fl1.findlaw.com/news.findlaw.com/hdocs/docs/election2000/electionreformrpt0801.pdf
12. The H Security. Antivirus Protection Worse than a Year Ago. Heise Media, U.K., Dec. 20, 2007; http://www.h-online.com/security/news/item/Antivirus-protection-worse-than-a-year-ago-735697.html
13. Hayden, M. Hackers force Internet users to learn self defense. PBS NewsHour (Aug. 11, 2010); http://www.pbs.org/newshour/bb/science/Jul.-dec10/cyber_08-11.html
IT News for Australian Business (Nov. 6, 2006); http://www.itnews.com.au/News/67796,hackers-use-
15. Helios. http://heliosvoting.org/
16. InfoSecurity. McCartney site serves up Zeus malware. InfoSecurity (Apr. 8, 2009); http://www.infosecurity-us.com/view/1178/mccartney-site-serves-up-zeus-malware/
17. Jefferson D. Email voting: A national security threat in government elections. VerifiedVoting blog (June 2011); http:/blog.verifiedvoting.org/2011/06/20/1375
18. Jefferson, D., Rubin, A.B., Simons, B., and Wagner, D. A Security Analysis of the Secure Electronic Registration and Voting Experiment (SERVE), Jan. 20, 2004; http://servesecurityreport.org/
19. Kanan, K., Rees, J., and Spafford, E. Unsecured Economies: Protecting Vital Information. Technical Report. McAfee, Inc., Santa Clara, CA, Feb. 2009; resources.mcafee.com/content/NAUnsecuredEconomiesReport
20. Keizer, G. Zeus botnet gang targets Charles Schwab accounts. Computerworld (Oct. 16, 2010); http://www.computerworld.com/s/article/9191479/Zeus_botnet_gang_targets_Charles_Schwab_accounts
21. Kirk, J. Comodo hacker claims credit for DigiNotar attack. Computerworld (Sept. 2011); http://www.computerworld.com/s/article/9219739/Comodo_hacker_claims_credit_for_DigiNotar_attack
22. KITV. Voting drops 83 percent in all-digital election. Honolulu, May 2009; http://www.kitv.com/politics/19573770/detail.html
23. Kurtz, G. Operation ‘Aurora’ hit Google, others. McAfee Security Insights blog, Jan. 10, 2010; http://blogs.mcafee.com/corporate/cto/operation-aurora-hit-
24. Leyden, J. UK cybercops cuff 19 Zeus banking trojan suspects. The Register (Sept. 29, 2010); www.theregister.co.uk/2010/09/29/zeus_cybercrime_arrests/
25. M86 Security. M86 Security Labs Discovers Customers of Global Financial Institution Hit by Cybercrime. Press Release, London, U.K., Aug. 10, 2010; http://www.marketwire.com/press-release/m86-security-labs-discovers-customers-global-financial-institution-hit-cybercrime-1302266.htm
26. Mahoney, M.R. Comment on Pilot Project Testing and Certification. EAC, Washington, D.C., Apr. 2010; http://www.eac.gov/assets/1/AssetManager/Martha%20Mahoney%20-%20Comment%20on%20Pilot%20Project%20Testing%20and%20Certification.pdf
27. Marsan, C.D. Feds to shore up net security. Network World (Jan. 19, 2009); http://www.pcworld.com/
net_security.html
28. Messmer, E. America’s 10 most wanted botnets. Network World (July 22, 2009); http://www.networkworld.com/news/2009/072209-botnets.html
29. Military Postal Service Agency. 2010 Analysis of the Military Postal System Compliance with the MOVE Act. Washington, D.C., Aug. 2, 2011; www.fvap.gov/resources/media/2010_MPSA_after_action_report.pdf
30. Mills, E. Spam offers to let people use their PC to attack Obama site. CNET (Aug. 18, 2009); http://news.cnet.com/8301-1009_3-10312641-83.html?tag=nl.e757
31. Mueller III, R.S. Prepared Remarks. RSA Security Conference, San Francisco, Mar. 4, 2010; http://www.fbi.gov/news/speeches/tackling-the-cyber-threat
32. Nakashima, E., Miller, G., and Tate, J. U.S., Israel developed computer virus to slow Iranian nuclear efforts, officials say. Washington Post (June 19, 2012); http://www.washingtonpost.com/world/national-security/us-israel-developed-computer-virus-to-slow-iranian-nuclear-efforts-officialssay/2012/06/19/gJQA6xBPoV_story.html?wpisrc=al_national
33. New South Wales Electoral Commission. Report on the Conduct of the NSW State Election 2011; http://www.parliament.nsw.gov.au/Prod/parlment/committee.nsf/0/67f2055c4d085409ca25795a0017cf2c/$FILE/NSW%20EC%27s%20Report%20on%20the%202011%20State%20Election.pdf
34. Oberheide, J., Cooke, E., and Jahanian, F. CloudAV: N-version antivirus in the network cloud. In Proceedings of the 17th USENIX Security Symposium (San Jose, CA, July 28–Aug. 1, 2008), 91–106.
35. Palmer, C. Unqualified Names in SSL Observatory. Electronic Frontier Foundation Deeplinks blog, Apr. 5, 2011; https://www.eff.org/deeplinks/2011/04/unqualified-names-ssl-observatory
36. Peters, S. 14th Annual CSI Computer Crime and Security Survey, Executive Summary. Computer Security Institute, New York, Dec. 2009; http://www.docstoc.com/docs/40697141
37. Remotegrity. 2011; https://demo.remotegrity.org/ http://www.scantegrity.org/wiki/index.php/Remotegrity_Frequently_Asked_Questions
38. Sanger, D.E. Obama order sped up wave of cyberattacks against Iran. New York Times (June 1, 2012); http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html?pagewanted=all
39. Trusteer Inc. Measuring the In-the-Wild Effectiveness of Antivirus Against Zeus. White Paper, Sept. 14, 2009; http://www.techrepublic.com/whitepapers/measuring-the-in-the-wild-effectiveness-of-antivirus-against-zeus/1686945/post
40. U.K. Electoral Commission. Key Issues and Conclusions, May 2007 Electoral Pilot Schemes. London, Aug. 2007; http://www.electoralcommission.org.uk/__data/assets/electoral_commission_pdf_file/0009/16200/ICMElectoralPilotsresearchreport_27285-20161__E__N__S__W__.pdf
41. Vascellaro, J.E. and Solomon, J. Yahoo! was also targeted in hacker attack. Wall Street Journal (Jan. 14, 2010); http://online.wsj.com/article/SB10001424052748703657604575004421409691754.html
42. Verified Voting Foundation. Internet Voting 2012; http://www.verifiedvotingfoundation.org/article.php?list=type&type=27
43. Weiss, T.R. Pentagon drops online votes for armed forces. Computer Weekly (Feb. 6, 2004); http://www.computerweekly.com/news/2240054464/Pentagon-drops-online-votes-for-armed-forces
44. Wolchok, S., Wustrow, E. Isabel, D., and Halderman, J.A. Attacking the Washington, D.C. Internet voting system. In Proceedings of the 16th Conference on Financial Cryptography and Data Security (Bonaire, Feb. 28. 2012); http://fc12.ifca.ai/pre-proceedings/paper_79.pdf
45. Zetter, K. Vulnerabilities allow attacker to impersonate any website. Wired.com (July 29, 2009); http://www.wired.com/threatlevel/2009/07/kaminsky/

Barbara Simons (simons@acm.org) is a retired IBM Research staff member, Board Chair of Verified Voting, and former ACM President.
Douglas W. Jones (jones@cs.uiowa.edu) is an associate professor in the Department of Computer Science of the University of Iowa in Iowa City.
© 2012 ACM 0001-0782/12/10 $15.00
... There is a general lack of trust when it comes to the use of information technology in elections [19], as well as i-voting systems. Citizens and political party's lack of trust in an internet voting technology have also been strengthened by some experts' publications of the risk and vulnerabilities associated with the use of internet voting in a legally binding election [19,20]. But it is also important to note that other countries such as Estonia and Brazil have also been able to adopt an internet voting system in their legally binding elections [21]. ...
... The two main constructs that have been identified in previous studies include trust in technology and trust in an entity [6,22,28,33]. Trust in technology examines the security and risk associated with innovation such as privacy, reliability, integrity, and accuracy [20,34]. Trust in technology has been argued to influence the adoption of various e-government services [20,34]. ...
... Trust in technology examines the security and risk associated with innovation such as privacy, reliability, integrity, and accuracy [20,34]. Trust in technology has been argued to influence the adoption of various e-government services [20,34]. Citizens and other stakeholders are skeptical in the use of e-government services such as an electronic voting system due to the uncertainty and risk associated with the technology [20,35]. ...
Chapter
The role of political parties in elections and factors that influence political parties’ internet voting system adoption has hardly been explored. One of the key barriers to internet voting system adoption is the lack of trust in the technology and election management authority by political parties. The lack of trust has led to the rejection of electronic voting systems adoption by various political parties in different African countries. The main aim of this study is to examine the role political parties play in the electoral process and the factors that can influence political parties’ adoption of i-voting system. Using qualitative research design data were collected from political parties’ executives in the form of interviews. Themes that emerged from the analysis include “Increase Voter Turnout”, “Integrity of Voting Results”, “Trust in EC”, “Trust in Technology”, “Perceive Advantages”, and “Technological Illiteracy”. The implication of the research findings was also discussed in the study as well as the limitation of the research and future studies.
... Over a decade ago, Alvarez and Hall (2004) discussed the future of Internet voting and the use of Internet voting in an Arizona county primary. However, there have been several detractors and failures of Internet voting systems due to technology and human failures resulting in several critics of using Internet voting technology (Davide et al., 2010;Dill and Castro, 2008;Epstein, 2013;Simons and Jones, 2012). One of the criticisms leveled at Internet voting systems is their lack of validation prior to deployment (Simons and Jones, 2012). ...
... However, there have been several detractors and failures of Internet voting systems due to technology and human failures resulting in several critics of using Internet voting technology (Davide et al., 2010;Dill and Castro, 2008;Epstein, 2013;Simons and Jones, 2012). One of the criticisms leveled at Internet voting systems is their lack of validation prior to deployment (Simons and Jones, 2012). For example, a Washington DC project was hacked by University of Michigan researchers in less than 36 h by exploiting several system vulnerabilities (Wolchok et al., 2012). ...
Article
Full-text available
Principles required for secure electronic voting using the Internet are known and published. Although the Internet voting functionalities and technologies are well-defined, none of the existing state-sponsored Internet voting approaches in use incorporate a total Internet-based system approach that includes voter registration, the voting process, and vote counting. The distributed Internet voting architecture concept discussed in this article uses a novel thin client approach to Internet voting. The architecture uses existing technologies and knowledge to create a viable whole system approach to Internet voting. This article describes various aspects and processes necessary to support an integrated approach. The application programming interface software for many of the critical functions was developed in Python and functionality tested. A virtual network, including a cloud-based functionality, was created and used to evaluate the various conceptual aspects of the proposed architecture. This included the concepts associated with programming and accessing smart cards, capturing and saving fingerprint data, structuring virtual private networks using tunneling and Internet Protocol Security, encrypting ballots using asymmetric encryption, using symmetric encryption for secret cookies, thin client interaction, and creating hash functions to be used within a blockchain structure in a Merkle tree architecture. The systems’ primary user targets are individuals remotely located from their home voting precincts and senior citizens who have limited mobility and mostly reside in assisted living facilities. The research supports the contention that a cybersecure Internet voting system that significantly reduces the opportunity for mail-in voter fraud, helps to ensure privacy for the voter, including nonrepudiation, nonattribution, receipt freeness, and vote acknowledgment can be created using existing technology.
... A variation of electronic voting systems is to allow the voting to be conducted online, via online network systems such as the Internet [8] [9] or private networks that are setup by the voting authorities. By utilizing online voting systems, there are many advantages when compared to electronic voting systems and traditional ballot systems. ...
... The system should also be robust enough to prevent unauthorized access to the server and the results of the voting. The security aspects of online voting systems are extremely complex, contain many points of attacks and vulnerability, in which attackers only need to exploit one of the points to change the voting results or potentially invalidate parts or all of the voting [9]. Attacks such as distributed denial of service (DDOS) attacks can disable the election network. ...
Article
Voting is an essential activity in the modern democracy. To facilitate the voting process, there are several attempts on proposing an electronic voting system such that the voting and tallying processes can be done efficiently and the results would be accountable to the public. To date, however, an online electronic voting system has been rarely adopted in practice due to the possibility of having the voting result tampered through vote-rigging or cyber-attacking. In 2009, the blockchain algorithm was proposed by Satoshi Nakamoto. Blockchain is a technique for recording transactions between self-auditing ledgers in an open, distributed, permanent, and verifiable manner. Even though blockchain was originally designed for financial applications, it is possible to apply blockchain to other domains, including in the implementation of an online decentralized-based electronic voting system. In this study, the architecture of a blockchain-based electronic voting system, named BlockVOTE, is proposed. The architecture design and all related formal definitions are given. To validate the proposal, two BlockVOTE prototypes were implemented using two different blockchain application frameworks. The performance analysis of both versions of the prototypes is given. The analysis of both technical and management aspects on the possibility of adopting the proposed decentralized voting system in an actual voting scenario is also given at the end of this study.
... In order to improve transparency, security, and accuracy electronic voting is adopted across the world [1]. Electronic voting is a type of computer-mediated voting that has first been widely used in the United States in 1964 when seven counties shifted to this procedure for the presidential election [2], [3]. ...
... People qualified to vote in the next phase may do so (casting collation). Encrypted and verified voting should be implemented in [49]. The votes must be kept secret, anonymous, and correct, and they cannot be changed or deleted [50,51]. ...
Article
Electronic voting systems must find solutions to various issues with authentication, data privacy and integrity, transparency, and verifiability. On the other hand, Blockchain technology offers an innovative solution to many of these problems. The scalability of Blockchain has arisen as a fundamental barrier to realizing the promise of this technology, especially in electronic voting. This study seeks to highlight the solutions regarding scalable Blockchain-based electronic voting systems and the issues linked with them while also attempting to foresee future developments. A systematic literature review (SLR) was used to complete the task, leading to the selection of 76 articles in the English language from 01.01.2017 to 31.03.2022 from the famous databases. This SLR was conducted to identify well-known proposals, their implementations, verification methods, various cryptographic solutions in previous research to evaluate cost and time. It also identifies performance parameters, the primary advantages and obstacles presented by different systems, and the most common approaches for Blockchain scalability. In addition, it outlines several possible research avenues for developing a scalable electronic voting system based on Blockchain technology. This research helps future research before proposing or developing any solutions to keep in mind all the voting requirements, merits, and demerits of the proposed solutions and provides further guidelines for scalable voting solutions.
... But when it comes to developing African countries, there have been several challenges in the attempt to adopt such technology [8][9][10], which creates a gap in the application of technology in the electoral process. There are different opinions as to the security and reliability of the introduction of an e-voting in elections [7,11]. But in this study, the researcher supports the argument of Wiseman [7]. ...
Article
Since the reports of Russian interference in the 2016 United States General Election, the security of voting processes has received increased attention from both state and federal authorities. The declaration by the US Department of Homeland Security in January 2017 that election systems be classified as the 17th component of critical infrastructure is just the beginning of a need for more secure voting processes. More recently, the COVID-19 pandemic and the 2020 US General Election have placed greater emphasis specifically on mail-based voting processes for electoral systems. The objective of this research is to provide greater insight into potential threats to mail-based voting processes. Upon identifying an attack tree as an initial structure for evaluation, new threats are postulated, and an updated tree is proposed that accounts for more recent activities. Then, using an established assessment framework, the relative likelihood of each mail-based voting process attack scenario is identified. The results facilitate providing election officials and policymakers with greater knowledge of how mail-based voting system vulnerabilities develop as well as specific security measures that may be most beneficial.
Chapter
In recent years, the study of emotion has increased due to the interaction of human with machine as it is helpful to interpret human actions and to improve the relationship among humans and machines for developing the software that can understand the human states and can take action accordingly. This paper focuses on a preliminary study on emotion recognition using various psychological signals. Different researchers investigated various parameters which include facial expression, eye gaze, pupil size variation, eye movements using EEG, and deep learning techniques to extract the emotional features of humans. Diverse researchers have proposed a method for detecting emotions by using different psychological signals and achieved reliable accuracy. After a thorough analysis, it has been observed that the best accuracy achieved on the individual emotion detection was 90%. However, this experiment does not help to classify the specific emotion. To classify the specific emotion, the best accuracy achieved was 79.63%, which is a comparable accuracy.
Chapter
This chapter articulates that scholars write about Human Enhancement Technologies (HET) in two ways. This is not a reflection of a reality in the literature but rather a heuristic designed to contextualize democratic citizenship within contemporary HET discussions. The first way is to write about HET as possible realities far off into the future. The second way is to write about HET that can be realised seemingly as soon as tomorrow. For democratic citizenship, writing in the first case is either utopian or dystopian. It is either the projection of democracy's total triumph or its utter collapse caused by the type of rots that lead to democide. But writing in the second case is stimulating and vibrant. There are, for example, numerous calls for HET-led reforms in the literature. These reforms are needed to help answer the crisis of the citizen's august discontent (the growing and increasingly legitimized political apathy and political abstention observed in, and performed by, the citizenry). The purpose of this chapter is to focus on this second case—this more developed body of literature—and to theorise the interface between democratic citizenship and HET.
Article
Voting has been an accepted means for electing candidates, receiving public approval for referendums and budgets, and for many other tasks where the will of the people, whether a broad population or a select group, can be recorded and measured in a tangible way. Because of advances in technology, together with problems inherent in manual forms of voting, the concepts and issues relating to electronic voting (e-voting) and various other technology-based forms, are being proposed, discussed, and examined. The goal of all such systems is the casting and recording of the votes from eligible voters as they intended to be cast, with adequate security. This security requires that there be no identifiable connection between the voter and the vote that is cast, while providing an audit trail that can be used to validate that every vote was counted and tallied, as cast. The focus of this paper is to examine electronic voting technologies from the perspective of usability in controlled environments. Current research has shown that such systems form the majority of the nascent e-voting technologies, primarily because they have come closest to solving the usability and security issues inherent in technology-based voting systems.
Conference Paper
In 2010, Washington, D.C. developed an Internet voting pilot project that was intended to allow overseas absentee voters to cast their ballots using a website. Prior to deploying the system in the general election, the District held a unique public trial: a mock election during which anyone was invited to test the system or attempt to compromise its security. This paper describes our experience participating in this trial. Within 48 hours of the system going live, we had gained near-complete control of the election server. We successfully changed every vote and revealed almost every secret ballot. Election officials did not detect our intrusion for nearly two business days — and might have remained unaware for far longer had we not deliberately left a prominent clue. This case study — the first (to our knowledge) to analyze the security of a government Internet voting system from the perspective of an attacker in a realistic pre-election deployment — attempts to illuminate the practical challenges of securing online voting as practiced today by a growing number of jurisdictions.
Article
Helios is a web-based open-audit voting system designed using state of the art web technologies and advanced cryptographic techniques to provide integrity of ballots and voter secrecy in an insecure Internet environment. In this paper, we demonstrate a simple attack against Helios 2.0 that takes advantage of the fact that every candidate in Helios can provide a URL referring to his/her candidacy statement. A malicious candidate, who wishes to win a Helios-managed election, uploads a specially crafted PDF file containing a candidacy statement to his/her website. The attack is then triggered against each voter who is using a vulnerable machine. The security of the machine is undermined, e.g., when the voter visits the attacker's webpage. In essence, we exploit Adobe Acrobat/Reader's vulnerabilities to install a malicious browser extension on the voters' machines. Such an extension provides an opportunity for an attacker which may fool the voter (using Social Engineering) into accepting a hacked ballot. Due to our attack Helios 2.0 was upgraded to Helios 3.0. We discuss generalizations and the impact of the latest upgrade of Helios on security. We also discuss defences against this attack, generalizations and the impact of the latest upgrade of Helios on security.
Conference Paper
Antivirus software is one of the most widely used tools for detecting and stopping malicious and unwanted files. However, the long term effectiveness of traditional host-based antivirus is questionable. Antivirus software fails to detect many modern threats and its increasing complexity has resulted in vulnerabilities that are being exploited by malware. This paper advocates a new model for malware detection on end hosts based on providing antivirus as an in-cloud network service. This model enables identification of malicious and unwanted software by multiple, heterogeneous detection engines in parallel, a technique we term 'N-version protection'. This approach provides several important benefits including better detection of malicious software, enhanced forensics capabilities, retrospective detection, and improved deployability and management. To explore this idea we construct and deploy a production quality in-cloud antivirus system called CloudAV. CloudAV includes a lightweight, cross-platform host agent and a network service with ten antivirus engines and two behavioral detection engines. We evaluate the performance, scalability, and efficacy of the system using data from a real-world deployment lasting more than six months and a database of 7220 malware samples covering a one year period. Using this dataset we find that CloudAV provides 35% better detection coverage against recent threats compared to a single antivirus engine and a 98% detection rate across the full dataset. We show that the average length of time to detect new threats by an antivirus engine is 48 days and that retrospective detection can greatly minimize the impact of this delay. Finally, we relate two case studies demonstrating how the forensics capabilities of CloudAV were used by operators during the deployment.