When Alaska voters go to the polls tomorrow to help decide whether the U.S. Senate will remain in Democratic control, thousands will do so electronically, using Alaska’s first-in-the-nation internet voting system. And according to internet security experts, including the former top cybersecurity official for the Department of Homeland Security, that system is a security nightmare that threatens to put control of the U.S. Congress in the hands of foreign or domestic hackers.
Any registered Alaska voter can obtain an electronic ballot, mark it on their computers using a web-based interface, save the ballot as a PDF, and return it to their county elections department through what the state calls “a dedicated secure data center behind a layer of redundant firewalls under constant physical and application monitoring to ensure the security of the system, voter privacy, and election integrity.”
That sounds great, but even the state acknowledges in an online disclaimer that things could go awry, warning that “when returning the ballot through the secure online voting solution, your are voluntarily waving [sic] your right to a secret ballot and are assuming the risk that a faulty transmission may occur.”
That disclaimer is a pre-emptive admission of failure, says Bruce McConnell, who served until 2013 as the top cybersecurity officer for DHS. “They admit that they are not taking responsibility for the validity of the system,” McConnell told The Intercept. “They’re saying, ‘Your vote may be counted correctly, incorrectly, or may not be counted at all, and we are not taking any responsibility for that.’ That kind of disclaimer would be unacceptable if you saw it on the wall of a polling place.”
In 2012, Alaska became the first state to permit internet balloting for all voters, and no problems were reported during the system’s first deployment. But there weren’t any high-profile races then, and Alaska wasn’t an electoral factor in the presidential race. This year, the state has two nail-biters: the Senate race between incumbent Democratic incumbent Mark Begich and Republican challenger Dan Sullivan, and the gubernatorial contest between GOP incumbent Gov. Sean Parnell and independent Bill Walker. The Begich-Sullivan contest is particularly noteworthy, since it could be the deciding factor in the GOP attempt to retake the Senate. Right now, Nate Silver’s FiveThirtyEight is giving Sullivan a narrow two-point edge, but polling in Alaska is notoriously difficult—which means that any online tampering might be hard to detect because there’s little reliable data on what election outcome to expect.
“The way we’ve done it, no one will ever know the ballot got changed.”
Add to that the fact that cybercrime experts from across the nation say the system, created by a Spanish-based company called Scytl, can potentially be duped from anywhere in the world. Malware that already resides on many personal computers could be activated to alter votes, PDFs could be altered as they travel from the voter’s computer to that of the elections department, servers could be hacked, and insiders could change vote tallies — all without anyone ever knowing.
Computer scientists have already done some of these things in controlled laboratory experiments, in some cases attacking the same systems that Scytl has deployed in other jurisdictions around the world. In fact just this week Joseph Kiniry, a principal investigator at Galois, an international cybersecurity firm, asked his team to figure out ways to alter locked, supposedly un-editable PDFs remotely without detection. It took them, he said, a day.
“It’s a scary threat because the way we’ve done it, no one will ever know the ballot got changed,” Kiniry said. “The ballot isn’t changed on the voter’s computer. We haven’t done anything to attack the election department’s computers. We just changed the ballot while it goes over the internet.”
Alaska Elections Director Gail Fenumiai (pictured at top) did not respond to Kiniry’s claims. But she did tell The Intercept that as recently as last week, about 1,800 voters had requested electronic ballots. In 2012, she said, about 5,300 people requested electronic ballots, but she declined to provide a breakdown of how many returned them online. Voters can also return them via mail or fax.
Scytl spokeswoman Maureen Szlemp insisted their systems are no less secure than traditional paper ballots: “Any voting channel, traditional or electronic, presents some level of security risks. The security of a voting channel will depend on the processes put in place to help mitigate these risks. Online voting can be as secure as—or in many cases, more secure—than traditional paper-based voting provided that adequate security measures are adopted.In the case of online voting, conventional security measures such as firewalls or SSL communications are necessary but not sufficient to guarantee the security requirements of online voting. In addition to these basic security measures, it is also necessary to implement additional layers of specialized security technology to address the specific risks posed by online voting and guarantee critical security requirements such as voter privacy, vote integrity, and voter-verifiability.”
McConnell finds it astonishing that anybody could believe that, given the almost daily accounts of massive multinational corporations and sensitive government agencies being hacked. If companies like Scytl have solved the problem of cyber attacks, he said, “wouldn’t they want to sell that technology to every major financial institution in that country rather than local county election officers?”
Ed Felten, the director of Princeton University’s Center for Information Technology Policy, Kiniry, McConnell, and University of Michigan Professor Alex Halderman are among the more prominent voices urging against the implementation of online voting. Earlier this year, Halderman’s students proved that the e-voting system in Estonia—considered the most secure in the world—can be hacked. Kiniry’s work demonstrating serious vulnerabilities in small-scale trials of Norway’s online voting system is one reason the country scrapped the project last year.
McConnell is also concerned that, even if the actual votes cast were secure, someone could deluge the system with additional fake ballots, spoiling the election because nobody would be able to figure out which votes were genuine. While Scytl and other vendors insist paper balloting is also vulnerable, those votes can be audited and recounted, unlike votes sent through the internet.
Alaska isn’t alone: About half of the states currently allow electronic return of ballots for active duty military or overseas voters, mostly via traditional, unencrypted e-mail, according to the National Conference of State Legislatures. Just this week, a Rutgers University study described the emergency e-mail balloting procedure instituted in New Jersey in 2012 for displaced voters after Hurricane Sandy as a disaster, with thousands of ballots not counted or counted improperly.
Kiniry said folks like him are hamstrung because they cannot legally or ethically hack into live elections to prove their vulnerabilities. He said he has heard from members of the cyber-activist group Anonymous who have expressed concerns of their own about the danger to democracy posed by such systems.
“We’re going to have a perfect storm one of these days, and it could very well be this mid-term election,” he said “All it takes is a half-dozen members of Anonymous who want to make a point about digital elections to completely embarrass vendors and policy makers. Donald Duck will be elected.”
Photo: Rick Bowmer/AP