Does the Cal State San Marcos class president election hack mean
that Americans should fear Internet voting? Not if you think critically about
it.
Facts:
Matthew Weaver, 22, pleaded guilty* to wire fraud, access device
fraud, and unauthorized access to a computer. He was sentenced to a year in
prison. His crime was to plug keylogging devices into 19 school computers. The
devices record a computer user's keystrokes without the user's knowledge. Thus he
stole the email passwords of more than 740 students. He used this information
to vote for himself 630 times during the online student elections in March
2012.
Votes had to be cast from campus computers. Network
administrators noticed all the voting activity from one computer. They quickly notified
school police, who nabbed Weaver in the act.
Implications:
This news report has fired up David Jefferson’s flair for
spinning scary stories. He warns ominously, on the Election Law Blog, that “In
a high stakes public election we will not be so lucky [as to catch the crook in
the act].”
“Had this been a public election conducted via Internet
voting, it would have been much more difficult to identify any problem or to
capture the perpetrator, [because] people would vote from their own private
PCs.”
Well, that is scary! But how would the crime be carried out? Consider how many votes a crook would have to control to win a presidential election. In 2012, Obama beat Romney by roughly 4,000,000 votes. As a comment below reminds us, to win a majority of Electoral votes, a hacker using Weaver’s technique would have to control tens of thousands of votes. Obviously, a guy like Weaver couldn’t run around plugging keylogging devices into that many computers to steal log on info. So, how would it be done?
Leaving his readers hanging, Jefferson skips any detailed
discussion of how a crook could steal an online presidential, or other public,
election.
Instead, he creatively imagines that if Weaver had “used one
of his keylogging devices to capture the password of a system administrator”
Weaver could have “then used that password to install keylogger software on
other campus computers to capture the students’ passwords.”
Jefferson omits mentioning how Weaver would gain access to
the administrator’s computer so he could plug in the device. Maybe Weaver could
don a custodian disguise, and plug it in while pretending to clean the office.
Anyway, Weaver would have had to return to the office to
retrieve his device so that he could take it home to download the
password.
Details aside, after Weaver installs his keylogging software
into the school network, he has to hope that nobody checks the network event
logs before the election. The logs would show the activity, and an alert
administrator would remove the software.
Imagination on fire, Jefferson then declares that Weaver
didn’t have to cast votes one at a time; instead, he “could have run a program
to automate the casting of all of those phony votes.” Of course!
But wait, what if the voting website had a challenge/response
authentication mechanism? Weaver’s voting program couldn’t copy words or add
numbers automatically. All his efforts would have been for naught. But let us
imagine that he could get past this little security challenge. The network
administrator would still see the spike in activity coming from one IP address.
That signal could be blocked, and could also be traced back to Weaver.
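The check behind both the actual catch and the spike described above, many different accounts voting from one machine in a short time, sketched as an added example that is not from the original post. The log format, addresses, account names, window and threshold are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample ballot log: "<timestamp> <source address> <voter account>".
SAMPLE = [
    # Shared lab PC: four different students vote over a morning (legitimate).
    "2012-03-15T09:00:00 10.0.4.11 alice",
    "2012-03-15T09:40:00 10.0.4.11 bob",
    "2012-03-15T10:30:00 10.0.4.11 carol",
    "2012-03-15T11:15:00 10.0.4.11 dave",
    # The same account submitting twice counts as one voter, not two.
    "2012-03-15T10:02:30 10.0.4.17 acct01",
] + [
    # Burst: six different accounts from one machine in six minutes.
    f"2012-03-15T10:{m:02d}:00 10.0.4.17 acct{m:02d}" for m in range(6)
]

def parse(line):
    ts, src, voter = line.split()
    return datetime.fromisoformat(ts), src, voter

def flag_sources(lines, window=timedelta(minutes=10), max_voters=3):
    """Map each source that exceeded max_voters distinct accounts inside
    any sliding window to the peak number of accounts seen."""
    recent = defaultdict(deque)  # source -> (timestamp, voter) within window
    peaks = {}
    for ts, src, voter in sorted(map(parse, lines)):
        q = recent[src]
        q.append((ts, voter))
        while ts - q[0][0] > window:  # drop ballots older than the window
            q.popleft()
        distinct = len({v for _, v in q})
        if distinct > max_voters:
            peaks[src] = max(peaks.get(src, 0), distinct)
    return peaks

if __name__ == "__main__":
    for src, n in flag_sources(SAMPLE).items():
        print(f"ALERT {src}: {n} distinct accounts voted within 10 minutes")
```

Widening the window to hours also flags the shared lab PC, so where every ballot comes from shared campus machines the window and threshold have to be tuned against normal traffic.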
Lesson:
Jefferson spins a chilling tale, but it requires his readers to suspend their critical faculties to be effective. Is that what you want to do?
PS
Good news! Obama’s Commission on Election Reform has posted
my recent scholarly paper on Internet Voting!
The paper recounts the history of Internet voting in the
USA, and shows how NIST has misled Congress and the American people about
online voting insecurity. I take the same practical approach there that I did
here in this blog post.
Also, my book, Internet Voting Now, is listed in the
“Research Bibliography” provided to the Commission by Caltech/MIT.
William J. Kelleher, Ph.D.
Political Scientist, author, speaker,
CEO for The Internet Voting Research and Education Fund
Email: Internetvoting@gmail.com
Twitter: wjkno1
Author of Internet Voting Now!
Kindle edition: http://tinyurl.com/IntV-Now
In paper: http://tinyurl.com/IVNow2011
* ABC News -