Another new Internet Voting system, another major vulnerability to massive election fraud discovered along with it. This time in Australia, as reported by ABC:
The iVote system allows people to lodge their votes for Saturday’s state election online, instead of visiting a physical polling station.
It aims to make voting easier for the disabled or for people who live long distances from polling booths.
However computer security researchers said they found a critical issue and alerted the NSW Electoral Commission on Friday afternoon.
The commission said the problem was fixed over the weekend and it expected 200,000 people would use the system in the lead up to the election.
Well. If the people who run it said it was fixed, why worry? (Just because they also said it was secure in the first place? Silly you.)
“Just because they’ve patched this particular bug that they’ve been specifically notified of does not mean that they’ve fixed the fundamental questions around the security and verifiability of the system,” said University of Melbourne’s Vanessa Teague, who discovered the security vulnerability. “If anything the existence of this one particular bug serves to bolster the argument that these kinds of bugs are probably inevitable in these kinds of systems”…
She said the attack could allow another person to either read, or even manipulate a vote, before it was sent to the electoral commission’s servers.
“The analogue would be pulling someone’s postal vote envelope out of the post, pulling out their vote and finding out how they intended to vote and then putting a different ballot in instead,” Ms Teague said.
“The point of course with the electronic equivalent is that an attacker wouldn’t necessarily need to be in New South Wales to do this and they could potentially do this in an automated way to a very, very large number of votes.”
Ms Teague said the voter would be unaware their vote had been changed.
The Chief Information Officer with the NSW Electoral Commission offered this unfortunate quote to the ABC: “We are confident however that the system is yielding the outcome that we actually initially set out to yield,” before adding: “and that is that the verification process is not telling us any faults are in the system.”
The ABC also notes that “The computer code of the iVote platform is not open source and is not available broadly for security experts to review.”
Other than that, sounds like a fantastic idea!
We’ve written about so many Internet Voting disasters over the years, along with scientifically supported reasons why it can never be done safely or verifiably, that we’ll just summarize by sharing this quote from our 2013 article about L.A. County’s plans for a new voting system which, while set to be 100% unverifiable after an election, as currently planned, at least does not include Internet Voting, according to our interview at the time with Los Angeles County Registrar-Recorder/County Clerk Dean Logan:
One need only look back to Washington D.C.’s disastrous experiment in Internet Voting, which almost went live in 2010 for overseas and military voters. The plans to use the system were scrapped at the last minute after it was hacked and completely taken over by “white hat hackers” (University of Michigan computer students and their professor), who had gained such total command of the system in mere hours that they were not only able to change every vote already cast on it during a mock election, but inserted a script into the system to change all future votes invisibly as well. They even modified all of the system’s main passwords to thwart similar attempts to hack the system that they discovered to be ongoing by computers from both Iran and China.
There have been many other disasters in Internet Voting — from a 2012 online Canadian election attacked by some 10,000 computers, to a 2012 CA State University student body election that was hacked by one of the candidates in order to gain control of an annual salary and the student government’s $300,000 budget, to this year’s embarrassment by the Academy of Motion Picture Arts and Sciences which attempted to use Internet Voting for the first time this year, to disturbing and questionable effect.
The non-partisan election integrity group, VerifiedVoting.org posted a “Statement on the Dangers of Internet Voting in Public Elections,” signed by nearly a dozen top computer science and security experts with backgrounds in electronic voting systems. The letter explains that “Cyber security experts at the National Institute of Standards and Technology and the Department of Homeland Security have warned that current Internet voting technologies should not be deployed in public elections,” as they “cannot be properly protected and may be subject to undetectable alteration.”
(Snail mail support to “Brad Friedman, 7095 Hollywood Blvd., #594 Los Angeles, CA 90028” always welcome too!)
|
Thanks for covering this important story. The iVote Internet voting system was developed in partnership with Scytl, a Spanish company that has been successfully promoting its Internet voting system all over the world, including in the U.S., as completely secure against tampering and completely protecting ballot secrecy.
I’m surprised the personal privacy wanks aren’t all over this. If, as is widely suspected, the CIA has planted bugs in the root systems of most computers, any computer-related voting should be laughed at without a second thought, especially through networked systems.
Hey, Brad, in light of how simple it is to make money off such vulnerable systems as you’ve demonstrated endlessly, and as knowledgeable you are about these systems, maybe you should consider starting a computerized voting system yourself. The ironies will get a lot of attention and sales and then you can sell the company and not worry about raising money from your readers.
Michael G –
Along those lines, you may enjoy this piece of ours from 2009: CIA Warning: ‘E-Voting Not Secure’ – U.S. EAC Finally Releases Complete Transcript of Cybersecurity Expert’s Stunning Remarks
I like that last part! But, other than that, I couldn’t do it. Sure, I could make money selling crack, and I think it should be legal to sell crack, even if I think selling (and/or using) crack is a bad idea. So, even if I could make money at it…well, you get the idea. 🙂
(Though, I should add, if crack were legal to sell, I think I would prefer to sell that over an e-voting system!)