Appendix A

California Internet Voting Task Force

Technical Committee Recommendations

 

Table of Contents

6  Security in i-voting

The current paper ballot systems set a security standard that we adopt as the baseline for i-voting. They represent certain tradeoffs between voter convenience and protection against fraud that the Legislature and Congress, have deemed appropriate; hence we take it as a guiding for the design principle. We require that elections with i-voting be at least as secure as those without; however, we view our charter as not to make broad recommendations for election security reform, but to offer means to integrate i-voting as smoothly as possible into the current systems.

In any engineered system there are design tradeoffs that reflect necessary compromises between conflicting goals. In i-voting, one key tradeoff is between ease and simplicity of voting on the one hand, and the integrity and privacy of votes on the other. Absentee balloting, for example, is more complicated than voting at the polls, even though it is potentially less secure. The requirement for voters to send a new request for an absentee ballot for each election, and do so with a live signature, and then sign the ballot envelope when mailing it back, are all security procedures that have no analog when voting at the polls, but are the necessary price to be paid for the convenience of remote, early voting afforded by absentee ballots. Likewise, i-voting will have its own security procedures, which will often make voting more complex than other Internet transactions, more complex than voting at the polls, and, when voting from home, school, or office PCs (as opposed to a voting kiosk), more complex than using a paper absentee ballot. The additional complexity is the inevitable price of security and convenience.

Since i-voting systems are assumed here to augment, rather than replace, voting at the polls and voting with paper absentee ballots, this task force has adopted the criterion that the overall security of elections must not be reduced by the addition of i-voting as an option. But in the absence of improvements in security of the current registration and voting systems, a very tight security for Internet voting can do little to increase the overall security of an election. Putting strong locks and guards on one barn door, when there are weak locks and no guards on the other doors, does not increase the overall security of the barn.

As an application of this reasoning, we note that there are some weaknesses in current electoral practice that we do not anticipate will be rectified in I-voting systems. Among them are the potential for vote coercion, or the sale of votes, or potential privacy violations under the current absentee ballot system. Nothing prevents a voter, perhaps under coercion, from allowing another person to watch over his shoulder as he votes and mails the ballot. Nor does anything prevent him or her from pre-signing the ballot envelope, thereby authenticating it, and then selling the envelope and the blank ballot to someone else who then casts the vote (other than the fact that it is illegal). Neither of these problems occurs with voting at the polls. Since these possibilities are already inherent in the current absentee ballot system, we did not adopt the criterion that they must be prevented with i-voting systems.

On the other hand, we did not want to introduce new modes of vote coercion or vote sale, or extend their scope or time window. For example, several security problems could be solved or ameliorated if it were possible for Internet voters to contact the county after voting to verify how they votedóa possible feature that is perfectly feasible technically, but has no analog in paper voting systems. However, that would also allow the coercion or sale of votes not just before the ballot is mailed, but also for as long afterward as the window of verification remains open. We believe that would open the door to widespread abuse, and would reduce the overall security of elections; hence, we recommend instead that there be no way for an Internet voter to verify his or her vote after the fact.

6.1  Security issues specific to i-voting

There are several broad security issues that must be dealt with in any i-voting system that are specific to Internet voting, and may have no analog in conventional voting systems. Here is a short list of them:

The first four of these properties are referred to as "end to end" properties, in that they call for maintaining a security property all along the multi-step path from one end of the communication (the mind of the voter), to the other (storage on the county vote servers or canvassing computers). For example, ballot integrity requires that the contents of a voterís ballot not be changed by malicious software on the computer he or she votes on, nor by any of the routers, computers, or employees of the several private networks along the Internet path to the vote servers, nor by the vote servers themselves, nor by any employees of the contractor that runs the VSDC, nor in transit to from the VSDC to the county canvass computers.

If the voter is voting from a home PC, the most insecure, uncontrolled part of the end-to-end path is inside the computer used by the voter. Any i-voting protocol will transmit the ballot in encrypted form, which guarantees that it cannot be read by any third party, and that it cannot be modified by a third party without detection. Therefore, the riskiest part of the trip that the ballot takes is inside the vote client, before it is encrypted.

6.2  Malicious software

Malicious software is software that is deliberately designed to do harmful things that the user neither wants nor expects, and to either hide the harmful action or perform it so quickly that it cannot be stopped.

Also known as malware or vandalware, it can be introduced on a client machine, and in such a way that the voter is unaware of its presence. Among the things that malicious software can easily do if no preventative measures are taken are (a) change the votes on the electronic ballot without the voterís knowledge, (b) reveal the supposedly secret votes to some outside party, or (c) simply prevent a person from voting, possibly leaving him or her with the impression that the vote was recorded.

Malicious software is usually distributed to home and office computers through a variety of mechanisms known in the security literature as viruses, worms, back doors, trapdoors, logic bombs, Trojan horses, bacteria, rabbits, or liveware. Prof. Eugene Spafford of Purdue University provides an excellent set of definitions and discussions around each of these methods.

6.2.1  Scope of the malicious software problem

Malicious software is probably the most difficult technical problem involved in i-voting. While we will describe the problem is some depth to indicate its seriousness, it is important to keep in mind that there are solutions, some of which we will describe in a later section.

Todayís PC operating systems are designed as open software systems, so that users routinely change their functionality by adding device drivers, DLLs, extensions, control panels, patches, upgrades, and other code modules acquired from any number of places. Usually such code is added to the operating system as a side-effect of deliberately installing application software or system upgrades, although operating system changes can also be caused by viruses. In any case users are frequently unaware that the operating system has been changed, and certainly have no way of certifying the safety of the changes.

Browsers are even more open and more casually modified through the addition of such code modules as plug-ins, Active-X controls, JavaScript scripts, and Java applets. In many cases programs are downloaded without the userís knowledge as an invisible side-effect of merely visiting a web page, and yet they have full power to modify the software base and behavior of the computer arbitrarily.

This easy extensibility of the operating system and browser are extremely valuable for the general flexibility and adaptability of PC software. It is part of what allows such astonishingly fast evolution of PC technology. But the background danger is that any of these kinds of software extensions can harbor a malicious program, for example a "Trojan Horse", i.e. a program that surreptitiously does something other than it is advertised to do, usually harmful in some way to the userís files. Since a typical home PC has numerous operating system and browser extensions from a wide variety of places, and since there is not, and cannot be, a general test for whether these extensions carry malicious code, the home PC is an extremely dangerous platform from which to perform transactions that must be secure.

If voting were permitted from PCs with standard web browsers running over a standard operating system with no further security measures, then it would be very easy for a rogue programmer to write a malicious program in the form of an ActiveX control or plug-in or virus, then lure thousands of users to download that code, possibly unknowingly, and have that rogue program either spy on the userís voting, or even change the userís votes without the voterís knowledge, and regardless of any other features of the i-voting protocol.

A special case of the problem arises with computers connected to local area networks (LANs), or connected to the Internet through certain technologies such as cable modem connections in which the last link of the coaxial cable is, in effect, a local area network connecting many households in the neighborhood. Unless the software on a computer is very carefully configured, it is extremely easy for a person on one computer to install software, including malicious code or remote control software, on another computer on the same LAN. In the case of computers connected to certain cable Internet access systems, this would include computers owned by strangers in other nearby households, whose owners are very unlikely to know this is possible.

It is essential that any i-voting system offer some kind of guarantee that it is immune from the sort of malicious code attack that could affect the outcome of an election. It is not sufficient to argue that such an attack is unlikely, or even very unlikely. An election would be an extremely tempting target for any motivated person, from a lone hacker to a political partisan to a foreign government. Such an attack would be a political and public relations disaster; or worse, if undetected, compromise the results of the election. We must presume therefore, that if a malicious code attack is possible, it will happen sooner or later. Even before it happens, security experts will surely criticize publicly any election system having such a vulnerability, and the public would likely lose confidence in such a system.

It is important to understand that the problem of malicious code on PC platforms (including Macs and other computers) cannot be fully solved simply by adding more software, because it is a fundamental fact of the theory of computation that there can be no general test to detect whether or not a PC is harboring malicious software. Commercial virus detection software can detect and neutralize known viruses and other malicious programs that have already come to the attention of the security experts. But they can do very little about unknown malicious programs, such as those that might be quietly lying in wait for a specific event (e.g. voting) and that then take invisible action (e.g. changing a vote).

There are ways around the malicious code problem, but they all require security measures beyond ordinary use of the current PC platform and browser. It may involve a new operating system with a security architecture built in from the ground floor. It may rely on some device, communication, or human process that occurs outside the PC, and would therefore be immune to manipulation by a malicious PC programóperhaps telephone communication, or paper communication via the postal service, or a closed, uninfectable security device that plugs into PC via the serial or USB port. Or it may involve some special-purpose appliance, useful only for voting, that is software-closed and communicates with the Internet directly, bypassing PCs altogether. But i-voting mediated solely through standard PCs with the standard software available now or in the next couple of years is not recommended.

6.2.2  Internet voting systems designed to thwart malicious software

As indicated, there are ways to design i-voting systems that detect, avoid, or ameliorate the problem of malicious code. Most of them have in common one crucial point: that all cryptographic operations, and all manipulation of unencrypted vote data, take place in a software context that cannot be affected by malicious code.

Here we enumerate some of the possible approaches to the problem of malicious software; this list is not exhaustive, and other approaches might be created and certified.

  1. Clean operating system and voting application: Prior to voting, the voterís machine could be booted from a CD-ROM (or similar media) containing a "clean" operating system, with no extensions that might harbor malicious code. Combined with sophisticated scans for an infected BIOS (or equivalent on other computers), this step could virtually eliminate the possibility of malicious software during voting. This is presumably the approach that would be used for county-controlled voting machines; but such a CD-ROM could also be distributed for home voting via the postal service in response to a voterís request for i-voting authorization.

    The application program used for browsing, presumably distributed on the same CD-ROM, would also have to be "clean". Current commercial browsers are not suitable for voting because they are particularly vulnerable to malicious software. A special-purpose web browser that does not accept extensions such as plug-ins, applets, controls, or scripts, and that is dedicated solely to voting, would be far more resistant to infection than todayís commercial browsers, and its integrity could be conclusively verified with a cryptographic hash or digital signature.

  2. Special security PC hardware: A special, software-closed security device might be developed to be attached to the voterís computer, e.g. through a USB port. Its purpose would be to display the ballot to the user, accept the voterís choices as input, and perform the cryptographic operations. In effect the voting is done on the security device, and the PC it is attached to is used only as a conduit to the Internet. Since the device is software-closed, meaning its software cannot be changed, it is not subject to infection by malicious code.
  3. Closed, secure devices: It is possible that special, software-closed, Internet-capable devices, such as network computers (NCs) or hand-held, wireless descendants of todayís cell phone and electronic organizers, may be developed for commerce and may be secure enough for voting as well.
  4. Secure PC operating systems: Future commercial PC operating systems may be designed for greater security than todayís systems. For example, they may be composed of digitally-signed modules, allowing secure applications to exclude, as untrusted, modules of dubious origin (i.e. potentially malicious programs). Such an operating system would enable practical, secure home and workplace voting.
  5. Code sheets: Voters could be mailed code sheets that map their vote choices to entry codes on their ballot. While voting, the voter uses the code sheet to know what to type in order to vote for a particular candidate. In effect, the voter does the vote encryption, and since any malicious software on the PC would have no access to the code sheet, it would not be able to change a voterís intentions without invalidating the ballot.
  6. Test ballots: Special test ballots can be sent from vote clients and checked by software at the county. The number, location, timing, and contents of the test ballots should be known by the county, but they should be otherwise indistinguishable from real ballots, so that any malicious code that destroys or changes real ballots will affect the test ballots as well. Analysis of the test ballots will enable any malicious code attacks to be detected, the locations of infected machines to be determined, the approximate time of the attack to be estimated, and the total number of votes affected to be bounded.

    Note that this technique does not prevent malicious code attacks; it only detects them after the fact. Hence it must be combined with one of the previous preventative techniques. Still, it is a very powerful technique because it can also be used to detect any systematic cause of lost ballots, not just malicious code attacks, and because it provides a quantitative measure of the size of any problem it detects.

  7. Obscurity/complexity: One final approach, while not sufficient for real security, nonetheless raises the cost to potential attackers. Digital ballot formats and voting software may be kept secret prior to the election and possibly randomly changed during the election, or made complex in other ways. In order to successfully carry out an attack and escape detection, malicious software authors must have a great deal of information about the internal format of the ballot and voting software. If these details are not available in advance, and/or if that information is complex, the potential authors of attack software may not have enough time to develop and distribute it during the election window.

6.2.3 Security for i-voting vs. security for electronic commerce

A commonly-asked voting security question is this: If the PC is widely used for secure electronic commerce over the Internet, and people buy everything from books to stocks online, then what is so problematic about online voting? Arenít the authentication, integrity, privacy, and malicious code concerns similar for the consumer and the voter?

The simple answer is "No". Security issues in i-voting are more difficult than for electronic commerce because of one fundamental difference: in electronic commerce, financial transactions are performed online, but there is a separate offline process for checking them and for correcting any errors detected, whereas such is not, and cannot be, the case for voting. Therefore, the fundamental security emphasis in voting must be up-front prevention of fraud and error, with no reliance on any possibility of after-the-fact correction, a much more stringent requirement than is generally necessary today for financial transactions.

Online financial transactions today are usually followed later by account statements delivered on paper from the credit card company or merchant. The consumer should, and usually does, check those statements, at least superficially, and can contact the merchant or credit company if there is an error. Errors can often be corrected by an eventual refund to the consumer; but if not, current U.S. law limits the consumerís liability in most cases for fraudulent transactions to $50. Substantial errors are almost always caught, and small errors, if not caught, do only minimal damage to the consumer. Financial fraud is not uncommon; but credit card companies have enormous staffs that specialize in reducing its incidence and lowering its cost; they write off the remainder as a cost of doing business.

But with i-voting, the situation is completely different. There is no way for anyone to check after the fact how anyone voted. In fact, it is important that a voter not even be able to verify that his or her own vote was recorded correctly, for that could open the door to vote coercion and vote selling, and it could also lead to a large number of almost certainly false claims that the vote reported after the fact was not what the voter thought he or she originally cast.

Without a way to check on a vote, it is difficult to detect vote fraud committed through the use of stolen authentication information or through malicious software on the voterís machine, and it is impossible to correct even if it is detected. Hence, we have no choice but to go to great lengths to prevent electronic vote fraud in the first place.