Tuesday, July 25, 2023

Scary Stories Fail to Stop Internet Voting (A Moment in American Election History)

In 2004, the Department of Defense (DoD) had an Internet voting system ready for use, in a secure location in Reston, Virginia. A test system had been tried in 2000, and had worked without a hitch.    The new system was called “SERVE,” the Secure Electronic Registration and Voting Experiment.  About 100,000 overseas military personnel and civilians from various counties in seven states volunteered to vote from their remote locations on their own PCs in the November elections.  Congress had authorized the funds in 2002, after extensive hearings concerning the need, the feasibility, and security of the proposed system.  Teams of experts from the business sector, academia, the military, and government agencies federal, state, and local, had collaborated on the project for two years.[1]

The Federal Voting Assistance Program (FVAP), a department within the DoD, had the responsibility for the project.  Just to make sure that no stone was left unturned, FAVP decided to bring in a team of civilian computer security experts, tell them how the system would work, and let them examine the secure server in Virginia.  FVAP officials knew that some of these computer scientists had criticized the very idea of Internet voting because they considered it too vulnerable to attack and manipulation.  Nevertheless, the experts who had built the system, including specialists in secure communications from the military, were confident that these outsiders would marvel at what had been accomplished.

The folks in FAVP, and all the people who had worked on SERVE, were stunned when, after only the second of a planned series of meetings, four of the computer scientists published a report, summarized in the New York Times, condemning the system as “inherently insecure” and calling for a halt to the project.[2]

The four critics were David Jefferson, Barbara Simons, David Wagner, and Avi Rubin.  While the report praised the accomplishment of FVAP and its colleagues on constructing a secure and operable server, it proclaimed that “the very architecture of the Internet” as we now know it is irreparably insecure, and any election based on Internet voting would be vulnerable to such a variety of attacks and manipulations that the public could have no confidence in it. To hold such an election would surely precipitate a crisis of legitimacy for the office-holders and the government.

During the few days following the release of the report, its conclusions were disseminated all over the web.  A widespread public distrust of any kind of electronic voting system had already developed in the US as a result of revelations about the insecurities of Diebold touch screen voting machines, and the irresponsible remarks of that company’s president, Wally O’Dell, promising to deliver Ohio’s electoral votes to Bush in 2004.[3]  After a week of controversy, and in the absence of any defensive response from the stupefied members of the SERVE team, Undersecretary of State Paul Wolfowitz, who was then politicking for the presidency of the World Bank, ordered the project stopped.

Despite its defeat in the US, Internet voting was still considered worth a try by several nations in Europe and some provinces in Canada.  Not only is online voting more convenient for the voter, who may be housebound, or out of the country, but it is far less costly for the election officials to conduct.  The cost of paper for ballots, and printing thousands, even millions, of copies would not be incurred with online voting.  Even more expensive is the cost of labor for poll site workers, renting the polling places, security guards for the collection and transport of ballots, and counting all those ballots by hand.  Then there are the machines, like punch card machines and lever machines, which require year round storage and maintenance.  Printers, ballot scanning machines, and touch screen machines (“DREs”) are at least as costly to store and maintain as the products they have replaced.  With Internet voting, only an initial investment is made for setting up the voting precinct’s secure server, and the rest is done by the voter from home or anywhere else.  Huge cost savings can be had by election administrators over the lifetime of the server, which could be decades.

Indeed, those provinces in Canada and at least eight European nations have been using Internet voting systems, without malfunction or security breeches, throughout the past decade.[4]  To be exact, there was one incident in a Toronto election in which a denial of service attack bogged down the server for about 45 minutes, until the attack was warded off and full service resumed.[5]  But this was using 2003 technology, and security savvy has improved greatly since that time.

Based on the facts of experience, then, one may wonder how wise it was to shelve the SERVE project.  The successes of the Canadian and European trials now cast doubt on the dire warnings of the four alarm bell ringers. Was there anything to their claims, or were they just part of a ploy used to sell newspapers, and get themselves, in Warhol’s famous phrase, “fifteen minutes of fame”?

On the other hand, wasn’t it better to be safe than sorry?  After all, what were the consequences of canceling SERVE?  If these consequences were not significant, then no real harm was done.  Of course, this depends upon what one considers to be “significant harm.”

Consequences

To take the measure of the harm done by canceling SERVE, remember that the war in Iraq had begun in March 2003.  By Election Day, in November of 2004, there were roughly 150,000 combat troops in Iraq.[6]  Add to that another 150,000 Americans providing some kind of support to the troops, either logistical or diplomatic, in that war-torn country, and the result is roughly 300,000 eligible US voters.  The war in Afghanistan then was still in its infancy, with about a tenth as many Americans of voting age, or roughly 30,000.[7]  The 100,000 Americans who had volunteered to vote online in the SERVE project included some of these folks in combat zones.

When SERVE was shut down, all the men and women in harm’s way, as well as the other overseas volunteers, lost their opportunity to vote conveniently, and had to vote by mail or not at all.

This lost opportunity is not the only harm the cancellation of SERVE caused.  Nothing on the scale of SERVE has come along for overseas voters since 2004; hence, the frustrations of overseas voters have continued almost unabated for the six years since that project was shut down.  I say “almost” because, as I will discuss below, some remedial steps are now being taken.

Overseas Americans have always had a hard time voting.  From the days when Ben Franklin, John Jay, and Thomas Jefferson were diplomats in Europe, to now, Americans abroad have had to rely on snail mail to vote, if they could.  Many states made no provision for absentee voting until well into the 20th Century.  During WWII the federal government did its best to help GIs to participate in the democracy they were fighting and sometimes dying for.  A law was passed requiring the states to provide absentee ballots for our citizens in uniform.  But a few years later, when the law expired, it was not renewed.

Finally, Congress enacted the Uniformed and Overseas Citizen Voting Act in 1986.  States were supposed to provide absentee ballots to their overseas citizens, upon request, in time for the citizen to vote and return it by mail.  But a shocking number of states have displayed a callous indifference to their citizens abroad, including soldiers during the wars we were fighting.  One study, released in 2009, found that 25 states and the District of Columbia routinely sent out absentee ballots so late that by the time the voters received them it was too late for most of the voted ballots to be returned and counted.[8] Even when absentee ballots could be mailed back in time to be counted, they were often set aside and ignored, or not counted unless the race was so close that they could make a difference.

In 2002, Congress had intended the SERVE project to be the beginning of the end of this abuse and neglect.  If SERVE had been successful in 2004, like the European and Canadian trials have been, then 100,000 overseas Americans would have finally been included in our democratic process.  Beyond that, the opportunity to vote conveniently would probably have been expanded to every overseas American by 2008.  Of course, that didn’t happen.

Returning to SERVE

Since 2004, pressure has been mounting in the states and in Congress to treat our men and women in uniform, and at war, as well as all Americans abroad, with more dignity, and to honor their right to take part in our democratic processes.  As a result, some states began taking the initiative to improve conditions for their overseas citizens.  Arizona, for example, became one of the leaders by offering a website with voter information.  It took requests for absentee ballots via email or fax.  It sent out ballots by fax or email.  A few other states followed, but the ballot still had to be returned by ground mail.  Then some states even began to allow voted ballots to be returned by fax or email attachment.

In October 2009, President Obama signed into law the MOVE Act; that is, the Military and Overseas Voter Empowerment Act.  This law requires the states to, among other things, send out absentee ballots at least 45 days before a federal election (so that they can be returned in time to be counted), and to provide electronic means for requesting and sending out absentee ballots.[9]

Consequently, in 2010, 33 states offered some form of Internet voting to their overseas citizens.  About half of these allowed fax or email return of voted ballots.  In these cases, an absentee ballot can be requested, sent out, voted, and returned all on Election Day.  US troops, and all overseas Americans, certainly deserve such convenience.  However, this method of ballot return is far from ideal.  One shortcoming is that in California, and other states, for a voter to return his or her voted ballot by fax or email attachment, a privacy waiver must be signed.  Somebody in the Secretary of State’s office is going to see that “Private Jones” voted Libertarian or Socialist when the ballot comes in, and the state doesn’t want to get sued for violating the voter’s right to privacy.

A more positive omen, however, is that some states will offer voting at their secure website, just as SERVE would have done in 2004.  For example, in July of this year the website for West Virginia Secretary of State Natalie E. Tennant announced the results of her office’s recent Internet voting trial.  Five county clerks volunteered to offer the option to their overseas voters, including military and civilians. According to the announcement, this pilot program saw an 80 percent ballot return rate. Other methods of absentee voting, such as by mailed-out paper ballots, saw return rates of about 40 percent.  The website also states that “Voter response was so positive, in her report to the state legislature, Tennant asked lawmakers to consider allowing additional counties to participate in the 2010 General Election.”[10]

Much ado has been made over a hacking of Washington DC’s Internet voting server in September of 2010.  But this was during its first trial run, and no actual voting took place.  (For an accurate reporting of the event, see “Does the DC Fiasco Damn Internet Voting?” at http://tinyurl.com/DCin2010 )

The circle back to SERVE will be completed by the DoD in the near future.  Bob Carey, the new Director of FVAP, recently announced that “the decision has been made” to restore something like the old SERVE system, with all the latest updates, of course.[11]  No deadlines have been set, yet, but planning is underway.

Old Security Worries

But, one may ask, what about all those dire warnings that once brought down the SERVE project?  Have Congress, the president, the Department of Defense, the military, and all those state officials gone nuts?  Think about the warnings those four computer scientists proclaimed in 2004.

For example, David Wagner has said, “One of the problems with Internet voting is that it exposes the potential for a single individual anywhere in the world, perhaps not even on US soil and not subject to US law, to attack elections and change votes en masse. Internet voting systems also tend to be subject to worms, viruses, and phishing attacks.” (Italics added)  He also warned that, “SERVE is susceptible to large-scale election fraud that could … go completely undetected.”[12]

In the same vein, Barbara Simons warned the nation that Internet voting “is a threat to our democracy … The bottom line is we could have our president selected by [hackers in] Iran…”[13]

Wired Magazine interviewed David Jefferson about his views on SERVE, and drew attention to his concerns over a possible slippery slope.  The article stated, “If the experiment experiences no detectable attack, Jefferson fears it could mislead organizers to conclude falsely that the system is secure and ready for expansion.  ‘Just because there wasn't an attack that you detected doesn't mean there won't be one or that there wasn't one that you didn't detect,’ he said.”[14]

Now, these are scary stories.  Think of it, a hacker in Iran could swing a presidential election in the US, and go completely undetected.  Because the hacking went undetected, we would naively expand Internet voting so that all US elections could be controlled by hostile foreign governments, and we’d never know it. That’s scary!

Indeed, as late as last year David Jefferson implored the FCC not to allow even trials of Internet voting.  Using the very same scary stories from the 2004 report, he again warned of the hidden dangers awaiting such reckless experiments, and the slippery slope such trials can create.

He pled in the most earnest of terms that, although he has been a computer security expert for nearly a half century, his own mind gets “boggled” when he thinks of all the ways that Internet voting can go wrong.[15]  (One can understand how such an expert’s mind can become boggled; all those scary stories overload his flight response, and he wants to run from his own imagination!)

Today, however, the old trick bag isn’t as effective as it used to be.  Jefferson et al have cried “wolf!” once too often.  Calmer minds have been applying scientific skepticism to those scary stories.  Science, of course, asks questions and demands facts and test-based probabilities in the answers.  Thus, government officials have asked, “With all the mind boggling things that allegedly can go wrong with Internet voting, why haven’t any of them actually occurred in trials?”

The four critics have answers to this question.  First, as Wagner says, “If I was a bad guy who knew a way to hack the election, I wouldn't attack a small-scale pilot and tip my hand; I'd wait for the voting system to be used on a large scale in an important election and then attack.”[16]  In other words, the Evil Ones are skipping the small fry in Europe and Canada, and they are lying in wait for the United States to expand online voting and fall into their trap.  So, that is why there haven’t been any problems with those Internet voting trials – the bad guys just haven’t been motivated yet.  But once the US goes national with Internet voting, watch out!  Not only that hacker in Iran, but the Russian Mafia and the government of China will get into the action.  We could end up with some wild eyed Ayatollah or grey-capped Commissar in the White House, and Commander-in-Chief of our armed forces!  How scary is that?

As if that is not scary enough, Jefferson would remind us of what all four agree, that is, that an Evil One could just change or add enough votes to swing a close election, and do so without ever being detected!  Indeed, we cannot even know whether this has already been done in Europe or Canada.

But that alarming assertion incurs an epistemological problem.  If we cannot know the truth or falsity of a proposition – such as whether an election has been hacked – then the proposition is not a matter of scientific knowledge, but only mythical speculation.

The Rise of Reason

Fortunately, Reason is coming back to the debate over Internet voting, and Reason is beginning to prevail over Fear.  What might be conceivable in the airy theoretical speculations of academic computer science, hasn’t happened in the actual practice of online voting.  Why?  The security experts who construct online voting systems, as well as law enforcement experts, are just as clever as the hackers.  Indeed, one reason we know there are hackers is because they get caught by the authorities.

Cases in point: Ten years ago, in the olden days of security technology, Gary McKinnon, who was an unemployed computer programmer on the dole in England, hacked into some US military files.  As a result of his cleverness, he is now wanted by the authorities in the US.  For the past eight years he has been paying his lawyers to fight his extradition to the US, where a costly trial, and likely fines and prison time, await him.  During this unhappy experience, he even developed a sudden case of Asperger’s Syndrome (useful to appeal for pity, no doubt).[17]

Hackers beware! One former “Botnet King,” John Schiefer, was so clever that he could control thousands of PCs, and use them to send-out millions of spam emails with the click of a mouse.  He thought he could out-smart the law, but he is now serving a four year sentence in federal prison.[18]

The real reasons why Internet voting trials around the world have been successful are plain to see.  The security technology is effective, and so is law enforcement.  Where Internet voting has been tried, the rational hacker calculates, when tempted, that lawyer’s fees, fines, and time in prison aren’t worth changing a few votes in one election.  Those would-be hackers who have been foolish enough to try to hack online voting systems have failed because the security technology in place beats them.  Computer memories show when unauthorized intrusions have been attempted; thus proving that the security programs have worked.  The past successes of Internet voting are a reliable harbinger of the way it will proceed in the future.

Conclusion

Every government official knows that no voting system is going to work perfectly, someone is going to try to cheat the game, or some technical hitch could occur somewhere.  Nevertheless, the risks can be protected against, so that they are quite minimal, as the experience in Canada shows.  E-banking and e-commerce wouldn’t exist if half the scary stories told by a few alarmists were true.  When it comes to protecting profits, for example, security technology is able to stay ahead of the hackers – otherwise the banks would not still be in business.  The kind of security technology used in e-commerce can be, and has been, transferred to online voting. 

Of course, as we all know, hacking does happen.  But when hacking does occur in e-commerce, a careful examination of the facts in the case generally turns up some human error or wrongdoing, rather than a failure of the security technology.

For example, 60 Minutes had a piece on a woman who went online only to witness her bank account being drained right before her eyes.[19]  Turns out she didn’t have security software in her PC, and her son was downloading pirated music, which let the hackers into her computer.

Google’s bad experience in China was their own fault, too.  Lured into China by greed, they conspired with the Chinese government to limit the freedom of speech online.  They allowed government agents to block access to websites that either favored democracy or freedom of religion.  These agents made regular reports to their government about what they had learned of, among other things, Google’s email security codes.  With that information the government reverse engineered those codes.

Duh!  What were they expecting?  When you play with fire, you get burned.

Fortunately, local election officials in the United States are unlikely to give Chinese agents, or Russian Mafioso, much less Iranian mullahs, access to the secure servers in their state’s counties.  If all goes well with this year’s online voting trials, domestic trials are sure to begin.  Yes folks, Internet voting is coming to the USA!

PS

Written in 2011, this post was lost for a while. It is now being posted again (for the record). Now that Blockchain technology raises Internet security to new levels, maybe the optimism of this post can be renewed.


William J. Kelleher, Ph.D.

InternetVoting@gmail.com

Also blog at,

The Political Science Interpretivist

https://interpretat.blogspot.com/

 

 



[1] Electronic Elections, R. Michael Alvarez, Thad Hall. Princeton University Press, 2008

See pages 77-85, also 68-72 and 98.

[2] http://www.nytimes.com/2004/01/21/technology/23CND-INTE.html, and http://www.servesecurityreport.org/.  Avi Rubin claims credit in this autobiography for having made the deal to give the New York Times an exclusive on their report.  Brave New Ballot, Avi Rubin.  Morgan Road Books, NY, 2006, page 171. 

[3] ''I am committed to helping Ohio deliver its electoral votes to the president next year,'' wrote the president of Diebold.

http://www.nytimes.com/2003/11/09/business/machine-politics-in-the-digital-age.html?sec=technology

[4] Hall and Alvarez, ibid.  There have dozens of trials in the UK and across Europe since 2002, for “a total of eight nations.”  Page 76  “In these trials, there had not been any documented security problems, … the experiences were problem-free.”  Page 71f.

[5] “It took Election.com only 45 minutes to fix the problem…”

 http://www.wired.com/politics/security/news/2004/01/62041?currentPage=all

[11] csrc.nist.gov/groups/ST/UOCAVA/2010/Presentations/CAREY_FVAP_Presentation_to_NIST-EAC-FVAP.pdf, at page 12. 


No comments: