24844
>> Josh Benaloh: Anyway it’s a true pleasure to welcome Barbara Simons to Microsoft. Barbara was for many years a researcher at IBM and Omodim in San Jose and also the President of the Association For
Computer and Machinery, and she has since retired, to a small island community outside of Vancouver, the real Vancouver BC, but –
>> Barbara Simons: Part time.
>> Josh Benaloh: But I put retired in quotes because retired seems to be a euphemism for working harder just on different things.
>> Barbara Simons: And not getting paid.
>> Josh Benaloh: And not getting paid exactly so, yeah I’m not sure about that trade off, I have to be careful of that. But during her later time at IBM and especially more recently she’s been doing a lot of work on elections including co-authoring a book that just came out with Douglas Jones called “Broken
Ballots” and I forget what the subtitle is.
>> Barbara Simons: Will Your Vote Count.
>> Josh Benaloh: Will Your Vote Count, that’s not exactly, okay so good I’m not missing it there, and she’s got a lot of experience in the election realm and mostly things not to do so she’s gonna tell us about that.
>> Barbara Simons: Thanks Josh. So actually we’re only in Canada part time now we’re most of the time in San Francisco.
>> Josh Benaloh: Oh, San Francisco.
>> Barbara Simons: No that’s ok, I just wanted to make that clear because didn’t want somebody accusing me of not being a U.S. resident and talking about U.S. elections. I mean that’s actually a concern.
So what is internet voting? We had to talk about, we have to think about this because there is currently a big push for internet voting and that’s one of the reasons why I wanted to talk about this topic because a lot of election officials and non-election officials think that we should be moving to internet voting for a whole host of reasons.
So one of the things that we like to emphasize is that there are safe, kind of safe things you can do and that includes posting a blank ballot on a website and downloading that blank ballot. So, when people say we want to facilitate voting for overseas voters this is what we recommend. What we do not recommend is sending a voted ballot over the internet or voting at a website even just marking a ballot online and I’m gonna talk a bit more about that later, sending a voter ballot as an email attachment and the reason that I mention this separately is that there are a number of election officials who seem to thing that email is not internet voting. I’ve actually heard of people saying that and I’m not sure where they think email comes from but they claim we don’t do internet voting we just do emails. Phone voting, a lot of phones now are being, are used over the internet although any kind of phone voting is not a good idea and fax voting of any kind for a whole host of reasons.
>> Josh Benaloh: Okay.
>> Barbara Simons: So I’ll put up this pre – I’ll just leave that slide while they come in. Yeah, we were in the garage when it happened.
>> Josh Benaloh: Okay.
>> Barbara Simons: So I just reviewed what’s safe and what’s not safe and I assume you guys all know that anyway.
So electronic voting, well, there is a 50 state report which was just released a couple of weeks ago and I recommended to anyone who is interested in these issues. It came out, it was produced by Verified
Voting Common Cause and Rutker’s Law School and one of the points it makes is that there are 31 states in the United States that allow electronic return of voted ballots, primarily for military and overseas civilians. Only New Jersey of those 31 states requires paper ballot as well and many of the, and in many cases with these remote ballots the paper ballot if it’s downloaded for example if you, they use a ballot marking device or even if they don’t if it’s mailed in or emailed in the election officials will remake the ballots so that they can go into the optical scanners. And as you can imagine there are all kinds of security issues with that process.
Some states, as I say use electronic ballot software, ballot marking software and that software which again would be downloaded from the internet and creates this problem with your communicating with the server, uh may produce a bar code for automatic remaking which again raises security issues because of course the voter can not verify what’s on the bar code. There is a ballot which, with the names so if it’s checked then you don’t have to worry about the bar code that’s to say if an election officials check it. But of course one of the reasons for having the bar code is to minimize the amount of work, anyway remade ballots are not secure.
This is just a map which you probably can’t read but trust me the darker states all have some kind of internet or electronic remote voting and this is from, you can get this on the Verified Voting website.
So why is it unsafe? Well there’s a whole host of reasons that I, we won’t have time to go over all of them today. First of all attacks on the computer managing the election or the server, attacks on the voters computers, denial of service attacks, insider threat, and by the way a lot of people who talk about security, I know that’s not true here, but when you mention insider threat election officials sometimes get indignant and think that we’re accusing them of being criminal which of course we’re not, but you have to be aware of the fact that there are all kinds of insiders in this process. And of course it’s impossible to audit a recount if there’s no paper.
Other issues as I’m sure you know are fake websites, spoofing and phishing, or false flag attacks where you might want to make an attack look like it comes from some other country that you want to get the
U.S. upset with, yeah say Iran, I’m not gonna go into those. But you can image, yes –
>>: [inaudible] a bigger threat which I don’t have any idea who is standing behind me with a Billy Club
[inaudible].
>> Barbara Simons: So you’re talking about coercion and both buying and selling that’s true for all remote voting not just internet voting. Any kind of remote voting someone could be standing behind
you with a Billy Club. So I didn’t mention it because it’s not peculiar to internet voting, it’s true of any remote voting.
>>: What does the U.S. Consulate involved if no one is holding a Bill Club on you at that moment?
>> Barbara Simons: Well yeah that, they don’t have the voting from the U.S. Consulate in these cases, that’s not an option at the moment.
So I want to talk about the DC Hack, so the DC Hack is just a wonderful, it’s one of my favorite stories that Washington DC Board of Elections and Ethics decided they wanted to have internet voting for military and civilians living abroad. For the mid-term election which at that point of course was upcoming and they actually went to a good group of people the Open Source Digital Voting Foundation which has very competent programmers working there. This is, I should say, many levels above most of the stuff that’s produced for voting as people who are involved in the field know quite well. , however because there were some good computer scientists working there the computer scientists demanded that there be a pilot test conducted before the system went live. So that was agreed and the test was announced and delayed, you can just imagine what it’s like when you try to install some software by a deadline. Finally it didn’t begin until September 28, 2010 with real voting scheduled to start two weeks later over the internet. So within a few days the University of Michigan had successfully completely taken over the system and they were very thoughtful, they left a calling card which was 15 seconds after you clicked submit my ballot in the pilot test the University of Michigan fight song came on and it’s actually a great song I’ve listened to it many times it was, yeah, by the way there’s a website you can still go to Alex Halderman’s website and have this experience yourself. Now what’s interesting was that the election officials didn’t know for several hours that their system had been subverted even though the fight song had been thoughtfully left behind and the only way they found out was that one of the people testing the system sent out an email posting saying, “why am I hearing the University of Michigan fight song?”, and then somebody said, “that’s not suppose to happen”. So they finally found out but one of the things that’s discouraging or disturbing about that part is that had this test voter not sent this email they might not have found out for several days and they knew it was a test and they knew they could be broken into. What happens in a real election? I mean, you know this is; all of these things are very disturbing in terms of the implications for a real election.
>> Josh Benaloh: [inaudible] by the way you quickly mentioned that Alex was here three weeks ago and had a talked about this at the faculty [inaudible] the video is available.
>> Barbara Simons: Oh yeah, it’s really worth it. Yeah, so three days later the digital vote by mail was – do people all know this and should I skip through this? Okay, three days later the digital vote by mail, they called it digital vote by mail instead of internet voting because some of us had managed to give internet voting a bad name so it’s now digital vote by mail is what they use. Any way it was cancelled, the voters could still download blank ballots but they could not return the voted ballots over the
Internet.
But that’s not all, on October 5 th Alex announced that his team had penetrated the system and had gone live, they exploited a shell injection vulnerability, they gave them complete control over the system, they could change already cast and future ballots, they could reveal the voters secret ballots, they installed their calling card and there’s the link which you can get later if you want. Here’s an example of the ballot and as you see they put write-ins every where to make it clear that this was a fake ballot, that they had succeeded in subverting the election. I don’t know if you can see that very well but that’s a
sample reach ballot. So, and then three days later there was a DC hearing that had previously been scheduled where Alex was called to testify and he said that since the beginning of the test his team had control of the network, the default master password for the network had been unchanged and they got the default from the manual so they didn’t have to do a lot of work. They could watch the network operators configure and testing the equipment and they actually brought pictures from the video feed to the hearing. Since the security cameras didn’t have passwords they could watch what the operators were typing including their passwords. They could have reprogrammed the switches to steal votes in a real election.
They also observed attacks coming for Iran and China. Now, Alex thinks they were probably not trying to break into the system but of course we don’t know for sure. What we do know is that these attacks are ongoing and would be happening in a real election as well and who knows what the motivation might be. They defended the network by changing the passwords and adding other, so basically they defended the DC network for the DC people. They also uncovered, and this was just serendipitous I suppose, one of the files used to test the system contained the 937 invitation letters for the people, the real voters who had signed up to vote together with those voters pins. So had they been black hats instead of white hats they could have cast ballots for real voters in the 2010 mid term election and no one would have known. Yes –
>>: Sorry can you clarify, earlier you said they used like this co shell-injection whatever -
>> Barbara Simons: Right.
>>: And maybe this is a newer thing, this is the second exploit or –
>> Barbara Simons: Yes.
>>: So there was a problem with the original like the source itself had an exploit and then they all started to take advantage of these default passwords.
>> Barbara Simons: Which they uncovered in the course of rummaging around the system, right. In fact what I was told by one of the people who worked on this system is that the voter, he’s talked about the vulnerability being introduced by the election officials I don’t know to what extent that’s true. But in any case he was complaining that the election officials made their task worse harder, but I don’t know the details so you know I don’t want to go into that.
So the impact is that DC is no longer using a web based system for their return of voted ballots although they still allow email attachments and fax returns and other states have not learned from the DC hack, other states are still trying to pursue internet voting in some cases.
So I wanted to discuss some of the various vulnerabilities. The first one is the server vulnerabilities and I want to look at corporate and government examples there. So just quoting a few people who you would think the states might pay attention to, the FBI Director Robert Mueller said, “There are only two types of companies, those that have been hacked and those that will be.” And then the former Director of the CIA National, NSA said, “The modern bank robber isn’t speeding up to suburban bank with weapons drawn and notes passed to the teller. He’s on the web taking things of value from you and me.”
So we know that there have been successful attacks on a whole host of corporations, Google, Northrop-
Grumman, Symantec, this is all one attack but hit many companies. The attacks appear to be from a trusted source, uh they exploited a vulnerability to Microsoft Explorer, and the attacker gained complete control over the compromised system, uh including systems used by software developers to build code.
Think about the implications that would have for voting and the Gmail accounts of Chinese human rights workers and I believe that the assumption is that this attack came from China.
Government vulnerabilities, again Mueller said, “The FBI’s computer network has been penetrated and attackers have corrupted data.” The former Director of the National Intelligence said, “In looking at computer systems of consequence in government, Congress, at the Department of Defense, aerospace companies with valuable trade secrets – we’ve not examined one yet that has not been infected by an advanced persistent threat.”
So I’m sure you’ve all heard of Stuxnet virus, uh malware that was initially spread by Windows, uh especial, it was, the software was specialized to attack Siemens Industrial software. It targeted the
Iranian centrifuges that we used, the centrifuges used for uranium enrichment in Iran. It appears to have been developed by the U.S. and Israel and it was very sophisticated.
Uh, there was also an attack you might not know about in Canada where foreign hackers attacked the
Canadian government, the Finance Department, Treasury Board, and Defense Research and
Development were broken into, and highly classified information was obtained in Canada.
So the moral to this story is that election officials and internet voting vendors do not have the resources of the Department of Defense or Google, or many of the other countries and companies that have been successfully attacked. So how do election officials expect to defend themselves? How do these internet vendors expect to defend themselves? They don’t have those resources either, internet voting vendors.
By the way you should jump in at any point if you want to. So malware on the voters computers which again is something I’m sure you are all aware of just recently NIST made, issued this statement that,
Malware on voters’ personal computers poses a serious threat that could compromise the secrecy or integrity of voters’ ballots. And, the United States currently lacks the infrastructure for secure electronic voter authentication. Now, what I’m saying something that you all know but election officials don’t know this. And so it’s important that NIST has made this statement. I mean, the reason I quote these officials is because election officials don’t know what we know.
So we again have some nice new malware, Flame is interesting. It only collects data but, that can be pretty important and of course the malware itself is so sophisticated, larger than 20MB, I mean 20 times larger than Stuxnet can take screen shots of on-line activity, record audio, etc., etc. You can see what it does. It’s just an example of the kinds of things that are out there. And when you think of the problems that Stuxnet and Flame are addressing they’re much harder than a simple problem of changing your vote, that’s you know much, much easier problem.
And then of course Zeus is my favorite, Zeus the primary goal of Zeus is to steal money from on-line bank accounts but again it could be easily modified. It can mimic financial statements so that the victim doesn’t know that the monies been stolen because the financial statements look the way they’re suppose to look and you basically find out when your check bounces. And we know that over 675,000 pounds was stolen from about 3000 customers of some unnamed UK bank. That as of 2009 3.6 million
PCs in the U.S. have been infected. And there’s a new credit card verification system scam, well it was new when I made this slide, I guess its a little old now that was being used to steal personal identifiable
information. When I was over in the UK about a year or so ago I received a copy of this scam from the
Commerce Bank.
Now I should mention, or maybe I do here, let me see, okay, anyway there’s a picture of the scam and it really looks the way it’s suppose to, I mean this looks like something coming from Visa or MasterCard. I don’t know how well you can see it but the point is that this fooled a lot of people and I was talking about this at Berkley recently, UC Berkley and one of the people asked me well, but then what do you do if you get email from a bank how do you know it’s legitimate? And of course the answer is a bank would never send something like this out because they know about the security issues. If you get something from your bank telling, saying you know we need to know your password or something it’s a scam.
So basically what would happen with Zeus is that the bank would cover the loss. So the reason that most people don’t know about the threat of Zeus and the money being stolen from on-line bank accounts, and the reason I’m willing to do banking on-line is that I know that if the money is stolen the bank will cover it because quietly, because the banks still come out ahead versus the cost of having to hire more tellers and have more buildings and so on. So they come out ahead by covering the loss but they do it quietly because they want people to continue using on-line banking. So as I say Zeus attacked
Charles Schwab, uh and again they did it with fake LinkedIn reminders and so on. And they captured vital personal information so this can also be used for identity theft as well as financial theft. And it is being marketed, you can buy Zeus from the black market, you can get upgrades, you can get specialized software.
It’s been on several interesting websites like when Paul McCartney was doing a tour of the United States it was on his website and people who would go there to his website would get infect, their computers would get infected. The German Wikipedia was infected at one point and it avoids detection by using
SSL to communicate with its handler. And the moral of the story is switching votes on voters’ computers is a relatively easy problem.
Conficker’s a bit older but I really like this one as well because it’s an example of how you can update the, the malware can update itself. You might say well how do you know for the next election who’s gonna to be running. Well you call home for instructions that’s how you know. And, uh, again infected machines can remotely install malicious software without the computer owner’s knowledge once the computer’s been infected. Uh, and one interesting story with Conficker is that in 2009 over 300 imaging machines in hospitals were found to have Conficker on them, even though these are not supposed to be connected to the Internet. And the way it got on there was that the machines would receive updates from the manufacturer via the Internet and they got infected. Now, fortunately nothing happened but you can just imagine the risks of having hospital machines being infected by malware.
You can also worry; you have to worry about back doors hidden election rigging software that allows someone later to insert names. And again sometimes back doors are intentional such as happened with the SonyBMG rootkit which was distributed in 2005 on millions of music CDs to gather information about users surreptitiously. Uh, it was discontinued after it was discovered and there have been lawsuits and the affected CDs have been recalled but this is an example of an intentional back door that had not been known about.
And something that, uh, I mean I suspect almost everything I’m saying to everybody in this room is obvious but it’s not obvious to election officials, it’s not obvious to most people and I think what, the
reason why is that people don’t understand how software works and they don’t understand how complicated it can be. They don’t understand when we say you can’t find all the software bugs why you can’t. And one of the argents I make is that if it were easy to check this voting software and be sure it’s secure and accurate and so on then we wouldn’t have major companies like Microsoft and Apple and you know lots of other companies sending out periodic updates many of which are security fixes. That wouldn’t be necessary, major companies would produce perfect software if they could. The problem is they can’t because it’s too complicated and again to try to explain the complexity the only, the best example I could think of is the U.S. Tax Code and for those of you who are familiar with the U.S. Tax
Code nobody understands it all. And there have been instances of, what you might think of as malware installed into the U.S. Tax Code where some update to the tax, it’s periodically updated and there’ve been cases where updates that look perfectly benign have turned out to benefit a single company in ways that had not been anticipated before the update was made. So it was not understood when the update was made and I think that, well that’s as close as I can come to an example of malware that a non-programmer might understand.
But I think one of the reasons that we have so many problems with technology and I know this is an international issue is that the people who buy the systems, the non-techies just don’t have a grasp of what’s, what software is life and what these systems are like. And so I think what one of our jobs is to try to explain it to them in ways they can understand.
>>: So what your saying that the major [inaudible] here has happened [inaudible] provisions benefiting a –
>> Barbara Simons: Provisions benefiting a single company, yes.
>>: Can you list a story for that?
>> Barbara Simons: Oh, I use to know that it had something to do with ceiling fans, I remember, I have to go back and look it up but some company that manufactured ceiling fans got some special tax break and the way it was written into the code it wasn’t at all obvious who, that is was benefiting anybody in particular. And I could, if you really want to know I could find it and send you an email with that information I just have to do some research.
>>: Thanks.
>> Barbara Simons: I’m really not making that up but your right I should have that in my figurative.
So again the message over and over is if the voter’s computer is infected with an election rigging virus or worm it’s the virus that will be voting not the voter and the voter will never know. And again I think another issue is that the voter thinks well I type it here and it’s on the screen so I know what’s on the screen is what’s being sent out. And again they don’t understand that what, that you can have one thing on the screen and quite something else going out over the Internet and that’s a difficult concept to get across for some reason, at least I find it difficult.
So distributed denial of service attacks is another way to attack Internet voting and it prevents people from accessing websites. Obviously a good example for non-techies is when you want to call in a call in show you usually can’t get in because everyone’s calling in and that’s a distributed denial of service attack, not intentional but it is denial of service. It’s typically done with botnets with, that are, consist of zombies. The FBI has said that the Mariposa Botnet may have infected 8,000,000 and 12,000,000
computers internationally. It was use, it stole credit cards data and on-line banking passwords and again many of these, much of this malware has customized versions and voters could be disenfranchised on election day by selectively disenfranchising groups where you know they’re gonna vote for the party you don’t want to win for example.
Estonia is an example of a country that suffered a massive denial of service attack. It was not done during an election but it could have been because they’re very wired there. Speculation is that it originated in Russia because of the Estonian decision to move the Soviet War Memorial. And as I said they had earlier had a national parliamentary election where people were allowed to vote over the
Internet and that could have been seriously disrupted by distributed denial of service attack.
In Canada there were distributed, yes –
>>: Do you know how much malware there is on the military computers overseas?
>> Barbara Simons: I don’t know but I would guess that there’s some there I –
>>: It said there administrator [inaudible] the computers that the military personnel would use for voting.
>> Barbara Simons: Right.
>>: Use just PCs that are, that people walk up to and work on for a little while.
>> Barbara Simons: Well military, well I mean, fortunately we don’t have a widespread Internet voting of the military yet but for example in 2004 there was a project called Serve which was proposing precisely that, uh, to allow military voters to vote over the Internet using their PCs, vote from an
Internet café. The only requirement is they had to use Windows machines and had to be in a certain level but not very, you know, the requirements were not very strong except you couldn’t use a Mac, and
I mean anybody, you could vote from anywhere. So, yes –
>>: [inaudible] was Home Depot importing fans from China?
>> Barbara Simons: Thank you for –
>>: There was a tariff and there was a last minute provision put into eliminate that tariff so it wouldn’t be –
>> Barbara Simons: Would you send me that –
>>: Sure if that’s the one you’re thinking of.
>> Barbara Simons: Yes, yes, so the keyword was ceiling fans?
>>: Yes ceiling fans.
>> Barbara Simons: Yes, Home Depot.
>>: Tax break.
>> Barbara Simons: Tax - [inaudible]
>>: Yes.
>> Barbara Simons: So the new democ, the NDP in Canada is a left wing party which likes to be really inclusive and so they wanted to let everybody get involve, all the party members get involved with their leadership vote and in 2003 they allowed people to vote over the Internet and their voting site was shut down for several hours. Now we don’t know if it was a distributed denial of service attack or if it was the Slammer Worm which was also going around then, and we’ve never found out. The vendor claims to have patched for the Slammer Worm but we don’t know there’s been no independent examination, nothing. And the NDP bless, you know bless them did it again in 2012 I mean it’s like they didn’t learn.
They had a second leadership election over the Internet and they suffered a massive denial of service attack. They were so ill prepared for this and I really find this kind of appalling that they, this was going on during their convention and at the convention people had to vote on terminals that were scattered around the room so people who were physically there couldn’t vote during this attack because there were no paper ballots. And again there’s been no, I mean they, they have acknowledged that they suffered a massive denial of service attack, they had to acknowledge that but there’s been no report issued at least that I’ve seen and I’ve been watching. Yeah –
>>: [inaudible]
>> Barbara Simons: No it’s, I think it’s a different system. Let me see, in fact it may have been everyone counts I’m not sure I’d have to go, it’s in the book, look it up in the book. I think it’s in the book, oh no it may not be, no it’s not in the book because this happened after we were finished writing. I’d have to, but I can get that information for you. Yes –
>>: [inaudible] you were saying how this could be somebody if they were denial service on I don’t know the peoples voting machine or something but if there is sort of a single server where everyone’s voting how does denial service, how can someone use that to get the outcome that they want, other than just causing mayhem which is also bad?
>> Barbara Simons: Well yeah, I mean, uh what the, you’re saying that you can do selective disenfranchisement with voter’s machines but not necessarily with a server, is that what you’re saying?
>>: That’s what I am wondering.
>> Barbara Simons: Well yeah I think that’s true but of course there are other ways of disenfranchising voters.
>>: But is the denial service attack on the server, is there, is there a way that they’re using that to try to get an outcome that they want or is it just to cause problems?
>> Barbara Simons: Well in this case I don’t know what the purpose of was, that allowed service attack was on the NDP in 2012, my guess is that a lot of people never got to vote.
>>: Yeah.
>> Barbara Simons: And it’s possible that influenced the outcome of the race. How it did I don’t know.
So, you know I don’t know what the motivation was.
>>: [inaudible]
>> Barbara Simons: Well of course they may have done those too.
>>: [inaudible]
>> Barbara Simons: I don’t know maybe someone just wanted to show off, I don’t know. Maybe it’s someone who didn’t like the NDP I mean that’s certainly possible that some from another political party candidate did this to make the NDP look foolish. I mean I could see that as a motivation. But they don’t know –
>>: [inaudible]
>>: Ha, ha, ha, ha.
>> Barbara Simons: That would be [inaudible]. But they don’t, you know it’s like it didn’t, there are still throughout Canada there are towns and provinces who are still talking about having Internet voting.
This seems to have just gone over their heads. And one of the things that happen is that, you know I’m telling you all of these things much of which I know I realize you know, but people don’t say they read about Stuxnet and how it attacked the Iranian centrifuges and they don’t say well gee that could happen with Internet voting too. Some how the vendors say what we have is completely secure, trust us it’s okay and they don’t put these things together.
>>: So this is, this is, I’m just [inaudible] why we might still want Internet voting. You know I can see the example of Amazon, you know I use my credit card to buy some thing from Amazon. Visa, Amazon, myself between the three of us you’ve decided this makes sense despite the risks. So is there some basis for, to, some way to think through the Internet voting and still, uh, be some reason you might do it anyway?
>> Barbara Simons: Well I, I buy things over, from Amazon too but it’s not the same thing as voting because when you buy a book as you say Amazon knows who you are, it knows what you’re buying, you know if your book arrives or not. With your vote it’s supposed to be secret. You don’t want the election officials to know how your voting, you don’t know if your vote arrived correctly, and there’s know way to correct if it doesn’t get there. With a book Amazon can send you another book but if you’re vote is lost there’s nothing you can do.
So a lot of people have made this assumption I can bank over the Internet or I can buy a book from
Amazon over the Internet, why can’t I vote over the Internet? And the part they don’t put to together is that voting is a harder problem and one of the main reasons it’s a harder problem is that you have a secret ballot. Some people have said well lets get rid of the secret ballot. I personally think that would be a disaster for a whole host of reasons which we can discuss if you want but I –
>>: Is there, what would be the reason [inaudible] –
>> Barbara Simons: In favor –
>>: [inaudible]
>> Barbara Simons: Well election officials think people, we’ve hear many times this will get young people to vote you know cause voting, shopping, also young people cause they are so you know Internet suave. If we have Internet voting they’ll all vote; we can get more people voting, it will be cheaper which isn’t necessarily true by the way. And so these are notions that people have that are not necessarily grounded in any kind of realistic testing. And of course it’s very difficult to test anything over the Internet with voting elections because every election is different, different people come out to vote, and just because you get more people voting in one election and fewer in another doesn’t mean that that’s because of technology or the lack of technology. You just can’t compare them they’re not the same. But again there are these myths that are out there and of course there encouraged by the vendors. But there’s no substantial scientific evidence to my knowledge that supports them.
>>: [inaudible]
>> Barbara Simons: What?
>>: The military push to –
>> Barbara Simons: Oh yeah, well there’s, yeah, there’s been a big push by a branch of the military uh to have Internet voting for military and civilians living abroad, hopefully that might be changing, we hope. They’ve been pushing Internet voting since 2000 and the Serve Project that I mentioned was being pushed by this agency of the military called MVAP Federal Voting Assistance Program and, uh, they just seem to be staffed by, with people who think Internet voting is great. So that makes our task harder but that may be changing.
Insider Threat – Am I on? So, again it’s difficult to discuss with the election officials but the fact of the matter is there are many different insiders such as people who write the software, uh, anyone who has access to the main software or even to computers. We’ve seen examples where computers have been infected by using, Ed Felton had an example where he showed how to infect computers using a, just using the card that goes into, uh, to set up the ballots and to collect the votes. , so basically anyone who has access can potentially, potentially rig an election. And, again as examples of insiders, Jerome Kerviel lost almost $7 billion in unauthorized transactions, and of course we have CIA Agent Adrich Ames who was very high level but who was a trader. And so we know that there can be insider threats when money is stolen or books are stolen or what have you, secrets, or secrets passed that can be eventually uncovered. But how do you prove an elections been stolen? When there’s no documentation. Yeah, you have a question?
>>: How is this new for Internet voting this seems like the same problem [inaudible] or anything?
>> Barbara Simons: Well the problem is not being able to prove that an election was stolen is the case whenever there is no paper, I mean certainly with these paperless touch screens machines I agree -
>>: I mean the entire insider threat, I mean the –
>> Barbara Simons: Well no because if you have a machine, a system that can be audited or recounted, if you have for example, well, I should put it, let me put it, if you’ve got corrupted election officials I
think it’s almost impossible to have a completely secure election if people are really corrupted, if they are determined, maybe your system would work I don’t know. But in general it’s impossible if you’ve got corrupted insiders. One thing with Internet voting versus other kinds of voting is that your attacks, these attacks can come from anywhere of course and that’s a big difference. Now that doesn’t necessarily change the insider threat but in general.
>>: Sure, I just meant with respect to insider threats it seems like it just is that I mean the people who made the scan-con machines could have whatever –
>> Barbara Simons: You’re right –
>>: [inaudible]
>> Barbara Simons: You’re right –
>>: [inaudible]
>> Barbara Simons: You’re right it is. So insider threat is a problem with most voting systems but certainly when there’s nothing that can be audited. So the argent that we are all making is that we need accountability. We know the computer software can be buggy or might contain malicious code or a whole list of other things can happen. Open source and I should probably say public source because you clearly don’t want people changing the software, so public source is, is I think a good thing as opposed to secret software but it’s not adequate because as we all know public source can also be subverted and of course the system used in DC was open source or public source and that was hacked. And, again because the votes are secrets basically in general I can’t verify that my vote was accurately received and counted over the Internet.
So I just thought I’d mention Estonia because Estonia is a very wired country and it’s frequently brought up as an example of how Internet voting works cause they’ve been doing Internet voting there for quite some time. And the number of people participating has increased with each election so at the last election of 2011 24% of the votes were cast over the Internet. , I was actually invited to Estonia last year by the mayor of Taling who is the head of the Center Party. The Center Party which was the second, came in second in the 2011 election believes that the election was rigged. They believe that because they didn’t do as well on the Internet part, portion of the election as they did on the non-Internet portion. Now maybe it was rigged, maybe it wasn’t rigged, I mean it might be the Center Party consisted of a lot of Russians who are living in Estonia or former Russians, a lot of older people they’re probably less likely to vote over the Internet, or they may be less likely to vote over the Internet.
So, it’s quite possible that this differential can be explained legitimately or maybe not, or maybe it’s some of both, maybe there was this difference and there was some rigging, we don’t know. And that’s the problem is that we don’t know that the Center Party can not prove that the election was rigged and the party that won can not prove that it was not rigged, because it’s impossible to conduct a post election recount or audit to prove that everything was done properly. Furthermore, what I learned when I was there was that the project manager could update the software with no oversight and, you know, so I’m saying we need to bring in outside experts and they said sure bring in outside experts that’s fine but they’re gonna have to sign a non-disclosure agreement before they can view the code. And the outside experts who were willing to do this were unwilling to sign an NDA because they wanted to be able to speak openly if they uncovered some problem. So there’s been no independent view of the
code. But I just want to mention the fact that this soft, that the manager could access the software with no oversight is a glaring security hole, glaring. And I’m not accusing him of anything I mean I think he’s, he’s probably a really decent guy and trying to do the right thing but this should never be allowed independent of who it is.
So in summary, ballots must, you must be able to audit and recount. Ballots done over the Internet are unreliable and therefore a recount is meaningless. So we have to have paper ballots and mandatory audits where you randomly select ballots afterwards to be recounted and again this is just not directly related to Internet voting but what most of us are looking for is what we call risk limiting audits where by using statistical methods you can reduce the number of ballots that have to be looked at in order to convince yourself that the election results were correct. I mean, we don’t think that you have to get the precise exact numbers that everybody got. What we really should be concerned about is that the correct people were the winners, so as opposed to that they got, you know you don’t want; you don’t need it down to the least significant digit or anything like that. You just want to make sure the correct people won and so again closeness of the election is a factor and you just keep on with this audit until you, you’re able to convince yourself that the right people won, oh and that’s in the book.
So, we don’t need to stop there that’s basically it.
[applause]
So I hope there’s some questions. I hope there’s some questions or comments.
>>: [inaudible] so I read the book from OSC which says that they complained because they considered that it was a inherently manipulatable because [inaudible] so the end of the reports says by the way they tried to bring it to the Supreme Court of Estonia but it was thrown out because it was [inaudible] and they declared that they were going to take it to the European Board of Justice. Let me just expand and tell me more about what the dispute was and what happened.
>> Barbara Simons: Well, actually I think the initial complaint was brought by a graduate student in
Estonia who’s not a computer science, I think he’s a historian or some, yeah, and he looked at this and said wow this is insecure, well I have to say you know he’s obviously done some, he’s messed with computers you know he knew something about what he was doing and he wrote a complaint and again it, and I believe it was rejected and they, I don’t remember, I actually have this written up so I don’t know if the details were that they felt that it was irrelevant or but whatever but at some point time became and issue and they said its past time that you can complain and they threw it out.
>>: [inaudible]
>> Barbara Simons: H –
>>: [inaudible] demonstrate that there had been any problem perhaps.
>> Barbara Simons: That may be. I mean I can actually –
>>: [inaudible] vulnerability –
>> Barbara Simons: I can double check and tell you I mean I had, I just don’t have it at my fingertips.
But basically, it was; I think it was not taken seriously, quite frankly and I think the people running the
country don’t want to acknowledge that there could have been a problem in the election. And again I think this is; this is not unique to Estonia I think we see this all over where election officials don’t want people raising questions about election outcomes, uh for several reasons. First of all they don’t want to be challenged but also they’re afraid that this will make voters not trust the democracy or the leadership and it might discourage people from voting. I mean one of the things that we constantly get told is because you’re raising these issues people won’t go to vote because they think their vote won’t count.
>>: [inaudible]
>> Barbara Simons: Yes, and frankly that’s a concern of mine because I don’t want to discourage people from voting and what I would generally say is yes we’ve got these problems but if you want to make sure your vote won’t count don’t vote. You know, if you want to have your vote to count you must go vote. So, , but that is an issue and my guess is that after all the people running Estonia are the people that won the election so they don’t have a whole lot of motivation to cast doubt on the election.
>>: [inaudible] among the supporters of the Center Party that –
>> Barbara Simons: Election was rigged.
>>: Election was rigged.
>> Barbara Simons: I don’t know because you know I don’t speak Estonian, ha-ha, and the people I talked to felt that but they were the leaders, plus the student, well I mean the student wasn’t saying he thought it was rigged what he was saying was that it is fundamentally insecure and it might have been rigged but he was not making that accusation it was the leadership of the party who were saying that.
Yeah –
>>: I want to get back to his question so in the current, in the current voting system we accept some amount of risk like when I, like here in Washington now we have to vote by mail –
>> Barbara Simons: Which is a terrible idea.
>>: I agree, so I have to believe that the mailman isn’t throwing my ballot away cause he knows what area of Seattle I come from, I have to trust that the Scantron machine that scans it does everything actively that they didn’t pre-stuff it with some ballots, there’s a lot of trusts going on.
>>: There’s some minor things, you can check on-line to see whether, King County claims to have received your ballot so that [inaudible] –
>>: Oh, okay, so I can get around the mailman problem. Okay, so there’s a variety of things so it seems but the reason why I still feel for myself confident, relatively confident partially because I haven’t thought of it as much but this is because the damage that anyone person can do seems a little bit more limited and I’m wondering if that’s one of the big differences with Internet voting is that what one person or organization can do is magnified?
>> Barbara Simons: Oh, absolutely, well basically with the introduction of computers that’s also the case. Once you get computers in if you can get malware into the, like the computers that are counting the ballots –
>>: Right.
>> Barbara Simons: That magnifies the potential as well and, but by the way I think what you should be doing is trying to change the system in Washington State cause it’s, there are lots of security issues with, with just vote by mail.
>>: [inaudible] to the coercion question I was wondering this also because I thought originally the whole point of the voting system was to not allow coercion and as soon as you allow mail in votes you allow coercion, right?
>> Barbara Simons: That’s right.
>>: So it seems kind of odd, I mean –
>> Barbara Simons: I think it’s terrible.
>>: That’s a problem in general, right, anywhere the mail, and it’s not just cause it’s only mail and it’s as soon as you allow mail in at all coercion –
>> Barbara Simons: As soon as it’s remote, I mean the beauty of polling place voting at least the way it use to be is you’d go in and that you could draw a curtain, now I guess with computers these days they don’t necessarily have curtains anymore. But, you know ideally you should be able to go in some place, draw a curtain and vote where nobody can see what you’re doing.
>>: Not just [inaudible] you had to or they would –
>> Barbara Simons: Was the lever machines but not everybody had lever machines, yeah.
>>: But, they probably also would require only one person at a booth at a time –
>> Barbara Simons: Oh of course.
>>: [inaudible] so I mean –
>> Barbara Simons: Unless, except in the case of people with disabilities they would sometime – but that was an issue too, yeah.
>>: So Mexico recently had an election where they do classic, what you might consider classic voting where you go into a voting booth, people claim that election was rigged too –
>> Barbara Simons: Uh huh.
>>: Cause although no one was coercing you one of the parties was uh giving you $50 if you when you went into the voting booth you took a picture with your phone, with your phone of your ballot and then when you came out they would give you $50, just a counter example for that, that particular issue. My question in general is there’s lots of things wrong with electronic voting how do we know if electronic voting is fundamentally less safe than traditional voting?
>> Barbara Simons: Well it depends on what you mean by electronic voting so, I mean but there, you know, to me electronic voting means there’s a computer involved but maybe that’s not what you have in mind, you mean Internet?
>>: Internet voting, yeah.
>> Barbara Simons: Internet, why, okay, so the question is why is Internet voting less safe? Because it could be rigged, basically you can rig an election, anyone from anywhere can rig the election. In Mexico if they did what you’re saying somebody had to be there passing out the money, there was the risk of being caught. Now maybe things are so corrupt in Mexico that no one worried very much about that I don’t know. Again, if things, if the system is fundamentally corrupt it’s really hard to think of a kind of voting that would defeat that.
>>: [inaudible] verifiable systems can prevent denial service if they can tell you even if there’s been an insider attack you will know –
>> Barbara Simons: You mean with paper, yeah, but, but the coercion or I mean if you’ve got, I mean it’s a very hard problem and so your saying the verifiable could prevent insider attacks?
>>: Yes, absolutely. They can’t prevent insiders from destroying the data –
>> Barbara Simons: Exactly –
>>: Not, not completing the election but you can tell whether the election was completed correctly or not [inaudible] –
>> Barbara Simons: Well I think it depends on what system you’re using. Now again the system that you’re working on maybe that’s true but in general for most systems you could for example lose paper ballots or do ballot box stuffing. I mean there are, there are issues that, I mean it’s a hard problem to get it right when you’ve got insider corruption it’s a very hard problem. So what we are focusing on is trying to come up with ways of doing things that, such that if everything works right it should be, I mean you have back up its correct and minimizing the risks. So if you’ve got corrupt insiders that’s a really hard problem but in most cases hopefully you don’t but there could still be major risks if you use the wrong kinds of technology or if you use technology wrongly. So we’re trying to eliminate unnecessary risks. There are some risks that are very hard to eliminate for any system, does that make sense?
>>: It does I’m just, I’m just sort of trying to think at a high level whether it’s really, I mean to some extent it’s easier to study risks of computer systems but it’s easily replicable and we can, we can write papers about how these things can be hacked, we can have 20 slides about terrifying the hilarious things that happened on previous attempts where as if I tried to publish a paper about well it turns out you know I had this guy come into the lab and he had his, and I wanted him to vote some way and I had the
Billy Club out and it turns out he changed his vote when I held up my Billy Club, right –
>> Barbara Simons: Uh huh.
>>: That sort of paper doesn’t really get published right because it’s, I don’t know it’s less, it’s much harder to do that type of research so it’s much harder to do the type of research on traditional voting systems than it is on electronic so we have sort of less evidence that, that type of voting is risky.
>> Barbara Simons: Well, you know in terms of the example you gave and maybe that’s not being fair to you but in terms of that example what you’re talking about is trying to impact individual voters and so that’s kind of like a retail sort of fraud. And I think a big difference is once you introduce computers into the process you can have wholesale fraud. You can have much more; you can have much more widespread fraud. I mean we can still, people can still be bribed there’s nothing you can do about that.
You may have problems with verification although I agree the cell phones are a nice way to check and that’s a problem. How do you prevent that, that’s something we, we actually talked about talking about at the meeting, we didn’t the conference we were just at. But you know you could at least have a law which says this kind of behavior is illegal and if you catch any evidence that this is going on you can prosecute someone. So there’s some risk and if someone has to be physically near by in order to pay the person off that person is running the risk of being arrested. Where as if you’re off in Romania or who knows where rigging American election over the Internet that’s very low risk.
>>: [inaudible] politically the, one of the political parties which has, uh, which has large numbers and has large amount of resources?
>> Barbara Simons: It could be. There could be lots of adversaries, I mean there, certainly as far as the
U.S. election is concerned I imagine, I mean I certainly can, there are many interested parties right, one is clearly the political parties and when you look at how much money is being spent in this upcoming election which is really terrible, horrifying you know a teeny fraction of that would be a very handsome amount of money to pay as a bribe to someone. And if you, if that someone had access to software that controls machines or Internet voting you know anything involving computers that impact a large number of people that could change the outcome, and quite frankly it’s something I worry about.
>>: So, uh, using Internet voting will cause some probability of the wrong person winning because there’s undetected fraud.
>> Barbara Simons: Right –
>>: Not using it will cause some probability of the wrong person winning because young people, other people confined to their homes, to vote, and what percentage of disenfranchised [inaudible] young people [inaudible] does it affect the ballots?
>> Barbara Simons: Well, it’s not clear that the Internet would necessarily cause –
>>: [inaudible] what percentage would convince you that –
>> Barbara Simons: I don’t know how you quantify it because how do you quantify stolen elections?
How do you determine-
>>: [inaudible] I want to compare stolen elections to stolen election. I want to –
>> Barbara Simons: Well, no this is –
>>: [inaudible] compare the wrong person with it.
>> Barbara Simons: With somebody not voting isn’t the same thing as stealing an election. They’re different now you’re saying the outcome might be the same, is that what you’re saying?
>>: Yeah I just mean the wrong person wins, the person who is a plurality of the –
>> Barbara Simons: Well I know you’re getting into a lot of, into sort of, I mean –
>>: I know, I’m just trying to figure out a way –
>> Barbara Simons: Personally I think the fact that we don’t have universal suffrage in this country is appalling. If we had universal suffrage the outcome of a lot of elections in the past 20 or 30 years would have changed. I mean just the fact and this is not relative to my talk but something I learned about in writing the book when I did the chapter on voter registration the whole history of felon disenfranchisement is shocking. I mean felon disenfranchisement was invented in the south after the civil war to keep the former slaves from voting and it’s still used to keep pretty much the same population from voting, and sometimes it’s blatant. And if you look at the percentage of people who have been disenfranchised simply by felon disenfranchisement it’s huge compared to the closest of elections we’ve had recently.
>>: So you’re saying that a better solution to the, to the Internet voting would be universal software and I agree that would be a better way to solve the problem.
>> Barbara Simons: Well I think it would be it’s so better in many ways. Yeah, yeah I –
>>: Like Australia, I assume you’re –
>> Barbara Simons: No I’m not saying it should be mandatory because that has its, I don’t know how I feel about that.
>>: Oh I thought you were talking about mandatory as well as universal.
>> Barbara Simons: No, universal is not the same thing as mandatory, right. We don’t have universal suffrage in this country.
>>: Right, right but I thought you were talking about one way you could get rid of the effect of disenfranchisement of the lack of Internet voting is mandatory, is by making voting mandatory –
>> Barbara Simons: I think that they are ways short of mandatory where you can make it much easier for people to vote. I mean the fact that it is done on a week day. I mean there are all kinds of steps that can be taken that could facilitate voting, early voting, again there’s security issues with early voting, you know I don’t know why, we know it’s done on a Tuesday because of history about when this country use to be farming country and then you know they didn’t want to have it interfering with the market day and stuff like that.
I mean there are things that are done in the United States today which are like seventeenth or eighteenth century stuff. And one is, maybe nineteenth century, the way we run our elections. If you look at just how the elections are run and the lack of national standards and requirements and the things that happen from state to state, and locality to locality it’s really shocking.
And people aren’t talking about it but the, you know our democracy is not built on a very strong structure right now because of the way we run elections. So you know I think it’s a whole host of things.
Internet voting, you know there’s this move amongst some people to try to get the newest and shiniest and brightest thing to say, we’ve got the best stuff you know, we’re really ahead of the game, you know see how advanced we are and Internet voting is one such example. And yet we know that Internet voting is a terrible idea. We’ve got to get that message out. So that’s really why I talk about it but all these other issues are really important. I mean as a computer scientist I can’t really talk extensively about voter disenfranchisement because that’s not my realm and because it’s become so highly politicized.
What I can talk about is voter registration databases which is a technical issue and where people are again, again ignoring the technology. I mean there was, can I talk about, one of the things that actually
David Dill who is the founder of Verified Voting found out a couple of weeks ago was that in Washington
State a nice way to disenfranchise someone is as it turns out you can over the Internet and by looking at the voter registration information obtain enough personally identified information about a voter to go to a website and change that voter’s address without the voter’s knowledge or consent.
The state currently does not do one of the obvious things that we recommended in our study which was done back in 2006; this is an ACM study to send out a post card or something to someone to the old address when the address has been changed to make sure that there was no fraud. So this does not happen in Washington state right now hopefully that’s gonna change before the election, hopefully. But meanwhile you can do, again its retail but you can do retail fraud by simply having peoples ballots sent to the wrong address. And they won’t know because no ones telling them. I mean that’s the level of detail where things get, I mean you know how can they do this you’d say but –
>>: [inaudible] maybe a more specific answer to your question, I don’t remember if you were at the
[inaudible] a year ago but Bob Carey just left as the director of the Federal Government Assistance
Program. He was enormously concerned about the level of participation of military voters being much lower than the public at large and looking for, asking almost exactly the question that you were asked about, well we’re not getting the right results back that how do you quantify the differences and he asked for specific quantification of risks due to Internet voting from major researchers, Ron Ravesk and
David Wagner were both explicitly asked to come talk about quantifying the risks and they both came and they tried very hard to do as careful analysis as possible and gave some back to back talks where independently they basically said the risk is [inaudible]. We can’t put any [inaudible].
>> Barbara Simons: Yep those are good talks too, yep. But I mean there are varieties of ways in which one can mess up an election to wholesale and retail I just gave you a retail one here but Internet voting is wholesale.
>>: [inaudible] define all things.
>>: There is, I just had one come in earlier that said why would somebody use a denial service attack
[inaudible] I was thinking that it probably is possible to turn an election with a denial service attack if you time it to be when a particular sector of the electrets that you don’t want to vote.
>> Barbara Simons: You’re absolutely right I should have thought of that.
>>: Okay
>> Barbara Simons: Yep, that’s a good response.
>>: About this thing about Washington database which I can talk to you more about if you want. But
Washington is a relatively blue state. Washington minus King County is a pretty red state. It would be easy to do a denial of service to King County voters to have a major affect on the states outcome. The voter roles which are publicly open say exactly who you are what county you live in and all the information you need to [inaudible].
>> Barbara Simons: And with computers maybe it can be made more wholesale.
>>: It can be done from overseas outside of the nearest jurisdiction.
>> Barbara Simons: So you had one –
>>: Okay so my difficult question and feel free to wait till the cameras are off to answer if you’d rather but I, this is a theoretical question because everything you said about Internet voting I agree with completely. But I’m trying to get at is it absolutely fundamental or is there any possibility that there’s any kind of wide spread network that looks something like the Internet perhaps [inaudible] detected a century from now could allow voting that is as secure as postal voting, vote by mail, other [inaudible]?
>> Barbara Simons: Well obviously it is not such a hard question to answer because as a scientist I can’t say it’s impossible unless there’s an impossibility proof and I haven’t seen one. So obviously I can’t say it’s impossible and as you say the standard should be as secure as remote voting, any kind of remote voting; vote by mail being the canonical example. I know, you know they’ll put their attempts being made to do that and maybe one will succeed. I suspect it’s something that will be needed is similar to what I believe its Finland is it that’s doing it where they have another channel for verifying, I think its
Finland, its one of those countries –
>> Josh Benaloh: Norway.
>> Barbara Simons: Norway, thank you where they have another channel for verifying your vote where you basically can call back on your cell phone. I mean, because you can’t be sure that what you see on your Internet is correct, on your computer is correct. So my guess is if anything does work and by the way they don’t claim to be completely secure either but at least they’re aware of the issue. So I think, I think anything that would work would require another channel of communication independent of the channel that you used to communicate your vote on. That’s just a conjecture I think there maybe a theorem there I’d like to think there might be.
>> Josh Benaloh: Well thank you very much Barbara.
[applause]