Online voting is impossible to secure. So why are some governments using it?

If you thought electronic voting machines were insecure, wait 'til you meet online voting.

J.M. Porup, May 3, 2018

Dr. Vanessa Teague is one frustrated cryptographer.

A researcher at the University of Melbourne in Australia, Teague has twice demonstrated massive security flaws in the online voting systems used in state elections in Australia — including one of the largest deployments of online voting ever, the 2015 New South Wales (NSW) state election, with 280,000 votes cast online.

The response? Official complaints about her efforts to university administrators, and a determination by state election officials to keep using online voting, despite ample empirical proof, she says, that these systems are not secure.

While insecure voting machines have received most of the attention since the 2016 U.S. presidential election, states and municipalities continue to use — even enthusiastically adopt — web-based online voting, including 31 states in the U.S., two provinces in Canada, and two states in Australia. Wales in the UK is pushing hard for online voting. The country of Estonia uses online voting for its national elections.

Security researchers point out flaws; election officials get angry and ignore security issues that threaten the integrity of the voting results. Teague's story repeats itself around the world.

Democracy at stake

The purpose of an election is not just to select a winner, but to convince the loser, and their supporters, that they lost. Trust in the voting process is, therefore, an essential element to any voting system. "Voting over the internet is not secure enough to be trusted for government elections," Teague tells CSO. "It's not verifiable."

Unlike electronic voting machines, online voting lets voters cast their ballots on a website with a click of a mouse or tap of a finger. While electronic voting machines could one day be used in conjunction with paper ballots to increase the security of the voting process, web-based online voting is not only insecure, but is impossible to secure, experts warn.

Yet politicians are pushing ahead with plans to offer online voting, despite the clear and present danger online voting poses to the integrity of the democratic process. "Like everything else on the internet, [online voting] is not secure, but the really important point for elections is that you wouldn't even know if the outcome was manipulated or not," Teague says.

Voting officials defend their decisions, arguing that online voting increases voter turnout and makes voting more accessible to voters who are unable to come in person, or who live far from a polling station, for instance soldiers and sailors stationed abroad, or voters who live in rural or regional Australia, or far northern Canada.

However, offering online voting also makes it accessible to every spy, gangster, mercenary, and hacker on the planet. Attackers could easily violate the sanctity of the secret ballot, modify votes, or even make the web application unavailable to certain voters on polling day.

Teague and other researchers have demonstrated such attacks against live election systems.

How to attack online voting

Online voting is more fragile than other online services, like banking, and far easier to attack. The cheapest and easiest way to attack an online voting system is to flood the web application with garbage traffic in a distributed denial of service (DDoS) attack. Any script kiddie with some bitcoin can rent a botnet army of compromised IoT devices and overwhelm the voting server on election day. To prevent such attacks, companies typically use DDoS mitigation services like Cloudflare or Imperva Incapsula.

Such services are suitable for many Silicon Valley-style applications, but are unsuitable for ensuring a free and open democratic election, Teague says. A DDoS mitigation service has to spy on traffic in order to stop DDoS attacks. That means it has to decrypt all traffic between the user and server to determine which traffic is good and which traffic is bad. To do so, it acts as a transport layer security (TLS) proxy and performs a "man-in-the-middle" attack — with permission, of course — against all traffic aimed at the online voting service it's been hired to defend.

TLS is the encryption technology that makes HTTPS (the "green padlock" in a browser) work. Under normal circumstances, it would ensure the confidentiality of traffic end-to-end from the voter to the tally server. For a cloud-based DDoS mitigation service to work, however, the private TLS key for the voting site has to be present on the provider's servers all over the world, and anyone able to hack into one of those servers and steal the TLS key is one giant step closer to changing the vote count.

Teague's team found just this problem in the Western Australia 2017 state election. They discovered the online voting TLS encryption keys on servers in data centers in countries like Japan, Poland and China. Worse, the online voting web application shared that TLS key with "dozens of unrelated websites in countries such as the Philippines, Lithuania, and Argentina," according to their report.

Any sufficiently motivated nation-state attacker could easily compromise one of these servers. Even more concerning, a nation-state could "acquire the credentials necessary to man-in-the-middle a foreign election in the context of an unrelated domestic law enforcement or national security operation," [their emphasis] their report concluded.

The secret ballot has been a cornerstone of democracy since ancient Athens, and essential to preventing vote selling or voter coercion. No one, ever, should know how a voter cast their ballot. The use of a DDoS mitigation provider in an online election may prevent DDoS attacks that take the voting website offline, but it creates a giant target with a big red bull's-eye for any nation-state wanting to spy on voters or change their votes.

"Under what circumstances would you do a recount?" Aleksander Essex, an online voting security researcher at the University of Western Ontario, in Canada, asks. "That's the real question, because you don't have that transparency. With paper ballot voting, you can go back to the paper record, assuming you can follow the chain of custody. With online voting, you don't know."

Without transparency into how the voting process works, and the ability to verify the results, online voting casts a shadow across the legitimacy of elections that include it. Democracy dies in darkness.

"Serious security vulnerabilities" for Estonia's online voting system

No country in the world has as much experience with online voting as the tiny country of Estonia. Living in the shadow of its much larger neighbor, Russia, Estonia has been offering online voting in government elections since 2005.

Researchers took a closer look at the country's online voting system, and not only found security issues with the software, but hilarious operational security failures, including an official video of the pre-election process that showed wi-fi passwords posted on the wall, administrators filmed typing in root passwords, and a software build system that was also being used to play PokerStars.

"Estonia's internet voting system has such serious security vulnerabilities that an international team of independent experts recommends that it should be immediately discontinued," researchers concluded. "A state-level attacker, sophisticated criminal, or dishonest insider could defeat both the technological and procedural controls in order to manipulate election outcomes."

Russia attacked Estonia with a massive DDoS attack in 2007 over the country's decision to move a Soviet-era war memorial. According to The Guardian, the main targets of attack were government websites, the political parties, major news organizations, and two of the country's biggest banks.

Nevertheless, Estonia's National Election Committee rejected the security researchers' findings, saying in a statement at the time, "We believe that online balloting allows us to achieve a level of security greater than what is possible with paper ballots."

Australian online voting cover-up

The NSW state election of 2015 was so insecure that one seat in the upper house of the state parliament may have been decided by hacked votes. In response to the scandal, the electoral commission went to great lengths to avoid transparency regarding the security issues Teague and her team reported, and only revealed the true nature of the problem under close questioning in state parliament a year later.

Before the election, the state electoral commission told the Australian Broadcasting Corporation (ABC) that "People's vote is completely secret... It's fully encrypted and safeguarded, it can't be tampered with." Yet it took researchers only a few days to identify fatal flaws in the online voting web application that could have easily been used to spy on and even modify every single vote cast online, and to do so in an undetectable manner.

"This is a complete and total break of the most basic security goals of an online voting system," Teague tells CSO. "No warnings in the browser. It successfully subverted the TLS connection to the third-party [analytics] service. It would have looked completely normal at the electoral commission end. It would have looked exactly the same as a legitimate vote. It was a legitimate vote from an eligible voter. Just not the one the voter intended to cast."

Because the online voting platform, built by Spanish firm Scytl, is not open source, the researchers were unable to test the application prior to the election. They had to wait until the online voting system went live, and then examine the public-facing portions of the system.

Teague and her team reported their findings immediately to the Australian CERT, but by the time the system was fixed, more than 66,000 votes had been cast online — far more than the margin of 3,177 votes that decided one seat in the NSW Legislative Council.

"To our knowledge, this is the first time enough votes to affect a parliamentary seat in a state election have been returned over an internet voting system while it was demonstrably vulnerable to attacks that would allow external vote manipulation," their report concludes.

The NSW electoral commission initially reported after the election that there were no anomalies seen while using the online voting platform, but a year later, under questioning in state parliament, admitted that there were, in fact, significant anomalies reported by voters. More than 600 voters who attempted to verify their votes using a rudimentary telephone-based system were unable to do so — a 10 percent failure rate, enough to call into question the voting result of the state election. "That to me is the bottom line," Teague says. "The really important thing is that we didn't find out the truth at the time."

Regardless, the NSW government is pushing ahead, ignoring the danger signs. "The NSW Electoral Commission (NSWEC) intends providing iVote as a voting channel for the 2019 NSW State General Election," a NSW electoral commission spokesperson told CSO by email.

Far from understanding the danger internet voting poses to free and open democratic elections, the NSW Electoral Commission went so far as to call Teague and her colleague, Alex Halderman of the University of Michigan, "anti-internet voting activists," in their 2015 response to the security research. In fact, earlier this week the NSW government contracted a second time with Scytl, the online voting vendor responsible for the 2015 debacle, according to CSO's sister publication, Computerworld Australia.

Closed source online voting software: a threat to democracy?

Unlike electronic voting machines, which researchers routinely pick up on eBay to reverse engineer, the complete lack of transparency around online voting systems hampers research and harms democracy, experts agree.

No commercial online voting platform makes its source code available for public scrutiny. Onerous non-disclosure agreements (NDAs) typically prevent security researchers from publishing their findings. This is the opposite of how paper-based elections work: Everyone knows and understands how the system works, and can even go watch ballots being counted, if they want to.

One online voting provider, Everyone Counts, touts its "Open Code Advantage," which, they claim, "allows expert inspection and auditing of source code," according to this PDF document served from their Squarespace website.

However, Teague says this claim is marketing nonsense. "It means that you have to sign a punitive NDA, which includes among its terms the requirement that even the fact you've signed an NDA is secret," she tells CSO. "I don't know of anyone with any sense of integrity who has signed it."

Everyone Counts disagrees. "We can appreciate that many researchers would prefer our Open Code Advantage program went further towards making our voting platform open source," Everyone Counts communications and administrative manager Stefanie Histed wrote in an email. "However, the program is designed to allow our clients an opportunity to review our systems (either directly or through designated third parties), and the NDA is written and/or tailored in partnership with these clients."

Canada's largest province embraces online voting

Despite the red flashing lights and the ah-OOO-gah warning noise coming from electronic voting security researchers, the province of Ontario, home to more than 40 percent of Canada's population, is pushing municipalities to embrace online voting. The province required "municipalities to pass a by-law allowing an online ballot by May 1, 2017 to allow online voting in the 2018 civil election," according to the CBC.

Ontario has more than 400 municipalities. That's 400-odd RFPs, 400-odd contracts, and a patchwork of online voting systems deployed by several different online voting providers. The province of Ontario sets no standards for online voting, security standards or otherwise, and doesn't even know which municipalities are using online voting, and which aren't.

"Municipalities are not required to inform the ministry on what voting methods they will be using," a spokesperson for the Ontario Ministry of Municipal Affairs wrote in an email to CSO. Ontario municipalities have been using online voting since 2003, the ministry noted, and 98 municipalities offered online voting in the 2014 election, based on polling data reported to the province after the election.

Online voting and mass surveillance

As the Snowden documents make clear, governments around the world are engaged in mass surveillance of their own citizens — including the United States, Canada, and Australia. Given the trivial nature of the security flaws academic researchers have demonstrated in online voting systems, the technical barrier to spying on how citizens vote is extremely low. If online voting traffic is accessible, what's to stop it from being swept up in that dragnet surveillance of innocent populations?

Some argue that online voting is acceptable at the municipal level because it is unlikely to attract interference from a foreign power. After all, why would Russia care about who becomes mayor of Hicksville?

"The argument against internet voting fails when you apply the standard to all use cases," Brian Lack, president of online voting provider Simply Voting, wrote in a statement to CSO. "While internet voting should not be used to select the President of the United States, the argument against internet voting fails when you apply the standard of a perfect voting system for all use cases. An Ontario Municipal Election has nowhere near the same threat level as the United States presidential elections. Russia, China, and other state-level actors are not likely to use their advanced cyberweapons to influence the outcome."

The Communications Security Establishment (CSE), Canada's counterpart to the NSA, engages in mass surveillance of all Canadians, the Snowden documents revealed. Indiscriminate spying might well lead to collecting online votes — who is voting, when they're voting, whether they vote, and maybe even who they vote for. Given the secrecy in which CSE operates, and the level of democratic oversight of an agency that Snowden himself said has the "weakest oversight in the Western world," the legal safeguards are flimsy at best.

"There needs to be transparency so that no individual entity is able to exert undue influence on the process in a way that is undetectable," Essex says. "Online voting simply cannot provide that transparency at this time given the limitations of the technology and the infrastructure that exist today."

CSE's counterpart in Australia, the Australian Signals Directorate (ASD), formed an "informal relationship" with the NSW Electoral Commission prior to the 2015 election. CSE and ASD are both part of the Five Eyes alliance of spy agencies, and share many of the same tactics, the Snowden documents make clear.

"The NSW Electoral Commission (NSWEC) works with a range of law enforcement and intelligence agencies in relation to voting system security," a NSW Electoral Commission spokesperson told CSO in a statement. "Due to the nature of these relationships, the NSWEC does not discuss nor disclose further details."

Online voting: Complete absence of standards

Unlike electronic voting machines, which are notoriously insecure but at least have some technical standards set by the U.S. government, no technical standards govern the use or deployment of online voting software.

One of the world's largest online voting providers, Scytl, tells CSO that it would like to see security standards developed. The question should be "about setting-up a framework that will allow the impartial evaluation of online voting systems security," Gwendoline Savoy, Scytl's marketing director, wrote in an email. "This can be achieved by defining the security requirements a government has to comply with in order to implement a secure and transparent online voting system."

There is a reason why no security standards for online voting exist: After $100 million in research and years of effort, NIST, the U.S. cybersecurity standards body tasked with examining the issue, concluded that online voting is impossible to secure. "It is not clear that remote electronic absentee voting systems can offer a comparable level of auditability to polling place systems," NIST concluded in this 2011 report.

"Because of the difficulty of validating and verifying software on remote electronic voting system servers and personal computers, ensuring remote electronic voting systems are auditable largely remains a challenging problem," the report added, "with no current or proposed technologies offering a viable solution."

Without the ability to audit an election for irregularities, for instance to run a recount, online voting makes it impossible to trust the results of any election that uses such technology, and it calls into question past election results. "In the age of online voting, it's not enough to produce the correct result," Essex says. "You have to have trust in the result. You have to have public confidence in the result. And you have to provide a reason for people to have that trust."

For her part, Teague is baffled that the NSW government has failed to understand the significance of her research. "If a live vulnerability in a state election, that we could expose every vote that went through that system," she says, "wasn't enough to cause them to desist, I don't know what level of evidence could possibly be produced that would burst the bubble of the belief that the system is secure, other than a demonstrated total security breach?"