September 3, 2004

Experts question integrity of proposed military e-voting scheme

Author: Jay Lyman

Last February, a team of security experts was assembled by the U.S. government to
examine the Secure Electronic Registration and Voting Experiment (SERVE)
system for military personnel and other citizens stationed outside the United States. The team's conclusions, unfortunately, were
that the system was wide open in terms of vulnerability
and totally closed in terms of code, calling the mostly-Accenture software
of the system into question.

The SERVE program got served and is now a
footnote in history, but little more than three months before the next major
U.S. election, Missouri Secretary of State Matt Blunt has proposed a
somewhat similar, Internet-based system for front-line military personnel to
vote. That has the same voting experts concerned about who will vote,
how they will vote, and how the integrity of the ballots will be ensured for those most
deserving of a vote.

Blunt last week proposed an Internet-based, email, and fax voting option
for Missourians serving in designated combat locations overseas. Under the
plan, absentee ballots will be scanned and emailed to the U.S. Department of
Defense, which will then fax the ballots to the military voter's local
election official.

Blunt's office said the ballots will be transmitted over secure military lines
and faxed directly to Missouri's local election officials. (The same office has
blamed a state Democratic Party lawsuit for delaying certification of the Aug. 3
primary results and the printing and delivery of local ballots for the November
election.) Blunt, a former Navy officer who served in Afghanistan in 2001
and is now Missouri's top election official, said the faxed and emailed option
is not required by law, and military voters may still mail their absentee
ballots if they choose.

In a press release,
Blunt urged local election officials to work diligently to respond to
absentee ballot requests, particularly for military personnel stationed
overseas. The Secretary of State's office said the plan came about after its
June announcement that it would allow voters in combat locations to fax
their ballots directly to their local election officials if they elected to
do so. Blunt's office learned from Missouri National Guard Combat Engineer
Jim Avery that few units overseas had access to fax machines. Most did,
however, have access to computer equipment that could scan a paper ballot
and allow email delivery back to the States.

"Simplifying the voting process for these heroes is the least we can do
in honor of the sacrifices they are making in defense of our freedoms,"
Blunt said.

However, in addition to the typical accusations that the plan is a Republican Party
play to secure more military votes, there are significant technical and
logistical questions being raised by electronic voting experts, some of whom
think the proposed voting option may be even more insecure than SERVE.

Special convenience or credibility stretch?

No one doubts that military personnel should have the chance to cast
their ballots and have them counted, but the conditions at the time of voting,
the lack of privacy, the convoluted procedure for actually delivering the votes,
and the short time left before election officials are called to action have
experts worried that the combat-zone votes could be compromised.

Barbara Simons -- past president of the Association for Computing
Machinery, founder and co-chair of the U.S. Public Policy Committee of ACM,
and co-author of the SERVE report that highlighted insecurities in the DOD
e-voting experiment -- said Missouri's plan may be even more dangerous than
SERVE.

"My initial reaction is that it's probably more insecure than SERVE,
though we are still trying to learn the details," Simons said in an email.
"At a minimum I find it pretty shocking that soldiers are being told that
they need to relinquish the secret ballot in order to use the system. Not
only does the lack of secrecy raise the specter of possible election fraud
(lose the 'wrong' votes, or even perhaps modify them), but in addition, one
cannot discount the possibility of coercion of soldiers by their military
superiors."

Simons, who has been critical
of the U.S. e-voting infrastructure and its leading vendors, said the lack of a
verifiable paper record, closed code and procedures, and pressure to
upgrade voting technology had converged to hamper true American democracy,
adding that the Missouri proposal seems to perpetuate the problem.

"It feels as if we are in a constant struggle to try to make the United
States live up to the promise of democracy," Simons said. "At a minimum, we
shouldn't be moving to systems that make election fraud easier than it had
been."

Late and close cause concern

David Wagner, an assistant professor of computer science at the
University of California-Berkeley and another SERVE report co-author, said
it was premature to conclude whether the system poses a
significant risk of fraud or tampering. However, Wagner did say the Missouri
move represents a departure from a "sensible and well thought out" Federal
Voting Assistance Program (FVAP) initiative to ensure, mostly via military
and postal mail service, that all military absentee ballots are received.

Wagner said he was surprised to see such a plan put forth so close to the
time of the election.

"It seems pretty risky to me," he said. "On one hand, we're talking about
a pretty small scale [for the Missouri voting program]. On the other hand,
there are predictions that this could be a very close race."

Lots of questions

Another e-voting expert, who spoke on the condition of anonymity, had many questions -- but no answers -- about the Missouri e-voting venture.
The questions and comments, which center on the
need for openness and transparency among other requirements for trustworthy
voting, were as follows:

1) Where is the document describing the precise procedures to be used at
every stage of the process: procurement of blank ballot, scanning of filled-out ballot, emailing of filled-out ballot, converting from email to fax,
handling of fax ballots at the counties? This has to be a public document --
is it? Can we have a copy?

2) What software is involved in this process? Is there any custom
software anywhere? Who wrote it? Who owns it? Can we have a copy of the
source?

3) To use this system, Missouri and the Pentagon acknowledge that
voters have to give up the right to vote privacy. We are not
sure why, however. Is it because the votes will be transmitted by email
in the clear, i.e. unencrypted? Is it because the email will be
printed and hand faxed by "pollworkers" at the Pentagon, who have to look at
the email to figure out what county to fax it to? Is it because the
election officials manning the fax back in Missouri have to read
it to check off the name of the voter who just voted (to prevent
double voting) and to check the signature? All three? We have no
other voting system anywhere in the United States that requires a
voter to give up the secrecy of his ballot in a general election.

4) Are the ballots emailed from private PCs or from some kind
of military controlled "secure" PC? Private PCs are vulnerable to
a hundred kinds of malicious code attacks. How does anyone know
that malicious code in the PC does not alter the vote before sending
it by email?

5) What prevents denial of service attacks on the email
infrastructure or fax infrastructure used for this election?

6) The ballot with the hand signature is scanned (with what
resolution?), then emailed, printed, scanned again for faxing,
and then printed again at the county. Is the voter's signature, after
four stages of degradation, still clean enough for doing a signature
check to authenticate the voter? How do we know that someone did not
just paste the signature of a voter onto the bottom of a ballot, with
the evidence of the pasting washed away by repeated scanning and
re-printing?

7) Most crucial: When the email is converted to fax, presumably
by humans printing the email and walking it over to ordinary fax
machines (we still do not know for sure that it is not done by software),
what is to prevent those humans from selectively "losing" some
ballots for candidates they do not like, either by throwing the
ballot away, or by faxing it to the wrong county? What is to
prevent them from altering the ballot before faxing it, either
adding a vote for an unvoted race, or spoiling the ballot, or
even altering a vote with white-out and a pen (the evidence of
which would be completely washed out by the faxing process)?

8) Who are the people doing the email-to-fax translation?
Military personnel? Missouri state election officials? Missouri county
election officials? Trained citizen volunteers? Are there observers at this
site where email messages are converted to fax? Where is this site anyway?
Can any Missouri citizen watch this process?

9) What audit trails will be kept of this entire process? Are
the original email files going to be saved? Will logs be
kept of the faxes sent? Are logs kept by the counties of
incoming faxed ballots? Will those logs at the receiving end of the
faxes be compared to those of the sending end? Will those in turn be
compared to the logs of the incoming email server? Are those logs
public documents? Since the voter's privacy is compromised anyway,
these comparisons should certainly be made.

10) Since the privacy of the ballot is compromised anyway, the
most certain way to assure the voter that his vote reached his county
election officials is for them to send back a copy to the voter
(by mail or email) -- that would provide an end-to-end check. Are
they doing that? That would at least provide these absentee voters some
compensation for their loss of privacy that ordinary absentee
voters whose votes are supposed to be private cannot get: actual
receipts proving their votes arrived.

11) Only certain overseas military are eligible to vote using
this system. Which specific regions, and how were they
selected? How do we know they were not selected with some bias
in mind?

12) How many votes are expected? (My estimate: substantially
under 3,000.)

13) What protections are there against "command influence" as
the voters fill out their ballots, scan them, and email them
from the combat zone?

14) Whose idea was this? The Secretary of State of Missouri, or
the Federal Voting Assistance Program in the DoD?
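Questions 7 and 9 above come down to a chain-of-custody check: does every ballot that entered the email server leave the fax desk, go to the right county, and get logged there? The script below is an added example of that reconciliation, written for this article; it is not code from Missouri, the DoD or the article's author. It assumes something the plan as described does not guarantee: that the inbound mail server stamps each ballot email with a tracking id and the operator copies that id onto the fax cover sheet, so one id can be followed through all three logs. The log lines and county names are constructed.

```python
# Reconciling the three hops of an email-to-fax ballot pipeline.
# Added example, not code from the article, Missouri or the DoD. Assumption:
# the inbound mail server assigns each ballot email a tracking id (T-0001, ...)
# and the operator copies that id onto the fax cover sheet, so one id spans
# all three logs. Every log line below is constructed for the example.
import re
from typing import Dict, List

# Hop 1: DoD inbound mail server log (constructed).
EMAIL_LOG = """\
2004-10-20T14:02:11Z id=T-0001 from=pfc.a@unit.example county=Boone
2004-10-20T14:05:40Z id=T-0002 from=sgt.b@unit.example county=Greene
2004-10-20T14:07:03Z id=T-0003 from=cpl.c@unit.example county=Boone
2004-10-20T14:09:55Z id=T-0004 from=spc.d@unit.example county=Jackson
"""

# Hop 2: fax-out log kept at the email-to-fax desk (constructed).
# T-0003 is never faxed; T-0004 is faxed to the wrong county.
FAX_SENT_LOG = """\
2004-10-20T15:10:00Z id=T-0001 faxed_to=Boone pages=2
2004-10-20T15:12:30Z id=T-0002 faxed_to=Greene pages=2
2004-10-20T15:15:00Z id=T-0004 faxed_to=Boone pages=2
"""

# Hop 3: inbound fax logs kept by each county (constructed).
# T-0002 never arrives in Greene; T-0099 arrives there with no matching email.
COUNTY_LOGS = {
    "Boone": "2004-10-20T15:11:02Z id=T-0001 pages=2\n"
             "2004-10-20T15:16:10Z id=T-0004 pages=2\n",
    "Greene": "2004-10-20T15:40:00Z id=T-0099 pages=2\n",
    "Jackson": "",
}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")


def parse_log(text: str) -> Dict[str, Dict[str, str]]:
    """Map tracking id -> fields for one 'ts key=value ...' log; count repeats."""
    records: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        fields = dict(tok.split("=", 1) for tok in m.group("kv").split() if "=" in tok)
        tid = fields.get("id")
        if tid is None:
            continue
        if tid in records:  # same id logged twice at one hop: flag, do not overwrite
            records[tid]["repeats"] = str(int(records[tid]["repeats"]) + 1)
        else:
            fields.update(ts=m.group("ts"), repeats="1")
            records[tid] = fields
    return records


def reconcile(email_log: str, fax_log: str,
              county_logs: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every tracking id by how far it verifiably got."""
    emailed = parse_log(email_log)
    faxed = parse_log(fax_log)
    received: Dict[str, List[str]] = {}
    for county, text in county_logs.items():
        for tid in parse_log(text):
            received.setdefault(tid, []).append(county)

    findings: Dict[str, List[str]] = {k: [] for k in (
        "ok", "not_faxed", "misrouted", "not_received", "unexpected", "duplicate")}
    for tid, rec in sorted(emailed.items()):
        intended = rec.get("county")
        sent_to = faxed.get(tid, {}).get("faxed_to")
        if tid not in faxed:
            findings["not_faxed"].append(tid)            # lost at the conversion desk
        elif sent_to != intended:
            findings["misrouted"].append(f"{tid}:{intended}->{sent_to}")
        elif intended not in received.get(tid, []):
            findings["not_received"].append(tid)         # faxed, never logged by county
        else:
            findings["ok"].append(tid)
    findings["unexpected"] = sorted(t for t in received if t not in emailed)
    findings["duplicate"] = sorted(
        t for t in set(faxed) | set(received)
        if faxed.get(t, {}).get("repeats", "1") != "1" or len(received.get(t, [])) > 1)
    return findings


if __name__ == "__main__":
    for status, ids in reconcile(EMAIL_LOG, FAX_SENT_LOG, COUNTY_LOGS).items():
        print(f"{status:13s} {', '.join(ids) or '-'}")
```

On the constructed logs this reports T-0001 as the only clean delivery, T-0003 as never faxed, T-0004 as misrouted from Jackson to Boone, T-0002 as faxed but never received, and T-0099 as a fax no county should have. Two caveats a practitioner would add: the check is only as honest as the logs, which in this plan are kept by the same people who do the conversion, and it says nothing about the content of a ballot, so the white-out scenario in question 7 is invisible to it.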

Blunt's office referred questions about the voting option to the DoD,
which is still working on the system and procedure with the Missouri
Secretary of State's office, an official said.

The DoD did not respond for comment.
