A recent article at Time http://www.time.com/time/politics/article/0,8599,2025696,00.html details how an online voting system was hacked. The good news is that it was a public test and not a real election. The bad news is that the attackers were able to obtain real people’s information.
The “hackers”, Professor J. Alex Halderman and some of his graduate students from the University of Michigan, had little trouble compromising the system, and they found that hackers from China and Iran were also trying to infiltrate it.
Currently in the US, the online systems are intended to allow overseas military personnel to vote more easily and effectively. If online voting becomes the norm for all voters, there will be problems. The Internet is not a secure place, and online voting systems just scream for abuse. There are several ways an election could be subverted with online systems, not that it doesn’t happen sometimes anyway. For a few years now governments have been aware that computer hardware made in foreign countries could potentially have built-in back doors. Even hardware built domestically could have built-in back doors. The Nixon administration taught Americans that criminal activity designed to subvert the democratic process is embraced by major political parties. There doesn’t need to be a built-in back door, however; attacks such as clickjacking can alter votes. Another tactic likely to be seen is typosquatting. Elections boards will have to register many domains to prevent typing mistakes from becoming redirected votes. Plain old phishing attacks will also work quite well. An email claiming that there has been a change in online voting procedures to enhance security will almost certainly lead many down the wrong path.
The article quotes Ron Rivest, a computer scientist and cryptography expert at MIT, as saying "We don't have the technology yet to do this in a secure way, and we may not for a decade or more". Rivest may be right. It might take the development of dedicated devices to provide a safe, auditable and reliable way to vote online.
It is interesting to note that Estonia has been using online voting for a few years now, apparently with success. There are some lessons to be learned from how Estonia handles online voting. The Estonian system requires multifactor authentication. Compared to a country like the US, however, the Estonian system operates on a far smaller scale and is probably far less of a target than the US is. While the technical implementations in the Estonian process may be of educational value if online voting is adopted in the US, I am not confident that we can assume the same level of reliability in such a system in the US.
Director of Technical Education
Author ESET Research, ESET