Pentagon's Online Voting Program

Avi Rubin
Technical Director, Information Security Institute at Johns Hopkins University
Friday, January 23, 2004; 11:00 AM

A new report says a Pentagon program for Internet voting in this year's presidential election is so insecure that it could undercut the integrity of American democracy and should be stopped immediately.

One of the computer-security specialists who was asked to review the $22 million pilot plan, Avi Rubin, was online Friday, Jan. 23, 2004, at 11 a.m. ET to discuss his findings.

_____In the Post_____
Pentagon's Online Voting Program Deemed Too Risky (The Washington Post, Jan 22, 2004)
_____On the Web_____
SERVE Security Analysis
Johns Hopkins University Information Security Institute

Rubin is an associate professor of computer science and the technical director of the Information Security Institute at Johns Hopkins University.

A transcript follows.

Editor's Note: Washingtonpost.com moderators retain editorial control over Live Online discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions.


washingtonpost.com: Avi, thank you for joining us. Would you briefly outline the scope of your review and your findings?

Avi Rubin: We were invited by the DoD's FVAP to evaluate their absentee voting system for military and overseas civilians. Our conclusions were that the system cannot be secured because they require the use of PCs that can be found anywhere, including cyber cafes and in other public places. Also, we felt that denial of service attacks could potentially make the system unfair if someone wanted to selectively disenfranchise people. We had many other findings, but those are two of the key ones.


washingtonpost.com: FVAP is the Federal Voting Assistance Program


Arlington, Va.: What steps, if any, can be taken to secure the system? How much would it cost? How long would it take?

Avi Rubin: I don't believe that the system can be secured the way it is. We describe an alternative in our paper in appendix C at servesecurityreport.org. The idea there is that you would use kiosk machines in secure locations, such as embassies to receive your local ballot, you would print it out, and then mail it in. It's not perfect, but it's much more secure than what is currently being proposed.

It is definitely too late to do anything for the upcoming election.


Farragut West, D.C.: Dr. Rubin:

I noticed in yesterday's Washington Post article that the president of Accenture eDemocracy Services, the contractor building the system for the Pentagon, refers to the election as an "experiment". Does she not realize that this will be a real election with real consequences, especially if something goes wrong? Is this just another case of large corporations ignoring major security problems in order to keep a contract? Similar security problems seem to be present with electronic voting equipment, which states have already spent millions on (e.g., no paper trail to audit electronic results).

Avi Rubin: I'm glad you pointed this out. In the executive summary of our report, we point out that while they call it an "experiment", the votes will actually count, so this is a real system, and it is incorrect to call it an experiment.


washingtonpost.com: The report is online here.


Outer Banks, N.C.: Many items on the Internet are always under debate pertaining to security, yet banks, NASDAQ, brokerage houses, credit card companies and the like transmit secure transactions - what makes SERVE any different?

Avi Rubin: We have a section in our report titled, "How voting is different from ecommerce". To briefly summarize, in a voting system, you do not keep a record of who voted for whom, whereas in an e-commerce system, you have an audit trail that you can use to settle disputes. That's a huge difference. Also, denial of service attacks against ecommerce result in reduced business, whereas in voting, they result in disenfranchisement.


College Park, Md.: I think that more people would vote if they could just go online and cast their ballot. What are the real security threats to a system like this? Aren't the commercial sites fairly secure, and couldn't there be a way to make the online voting system even more secure?

Avi Rubin: The problem with SERVE is that it was designed to allow people to vote from anywhere. That means that they can go to a cyber cafe in Iran, if such a thing exists, and cast their vote. Who knows what's been done to the software on that machine. The people who designed SERVE were very competent, but they were trying to solve an impossible problem.


Reston, Va.: Do you believe the voting reform law passed in the wake of the 2000 election was flawed in any way? I worry that it may have neglected to include strong language about the security provided by various technologies.

Avi Rubin: I don't think the drafters of HAVA, the Help America Vote Act, quite had an appreciation for how important security was.


Rockville, Md.: I heard a report about this yesterday on NPR and it said that even though issues have been brought up regarding the system's faults/bugs, that the Pentagon was fully committed to still using it. Why do you think that they would not want to fix it to make sure it's 100% accurate?

Avi Rubin: I don't think it's a matter of fixing it. At this point, they need to shut it off. I do not believe that there is an easy fix for SERVE. Our computers and the Internet are not secure enough for voting in real, public elections.


Alexandria, Va.: Regarding electronic voting machines manufactured by Diebold etc.: How would you suggest modifying these devices to better eliminate the chance of fraud?

Avi Rubin: The code in the Diebold machines was developed very poorly. The easiest way to improve them is to provide a voter verifiable audit trail. I'd like to see touch screen machines that act as ballot printing machines. People would then fill out the paper ballot and feed it to an optical scanner. That way, the ballots could be used in case of a recount.


Baltimore: How similar is the DoD program to the one that was criticized in Maryland?

Avi Rubin: They are very different. I believe the one you are referring to in Maryland is the Diebold electronic voting machine with a touch screen. That is used in traditional polling stations for voting. There are serious security problems with it. However, the DoD program would allow people to vote over the Internet using a web browser like the one you are using to see this interview.


washingtonpost.com: Md. Plans Vote System Fixes After Criticisms (The Washington Post, Sep 25, 2003)


Reston, Va.: Avi, as with any process, there is a risk benefit analysis. I assume that a bedrock concern of yours is that, given the high profile of a presidential election, the incentives are greater for a hacker to try to foil and disrupt the system given the splash it will cause. Are you as concerned about security breaches for elections on the local level? For example, we are holding a preference poll here in Reston (it is not even a binding election), and some in our community have been startled by your published concerns and wonder if by introducing online voting we are compromising the integrity of the process. Indeed, we are using even less sophisticated processes than DOD (we are using passwords mailed to voters; I understand DOD is using digitally encrypted signatures). Shareholder elections use online voting; many venues do. I gather you are not saying that, because there is some risk with online voting (just as there is risk of fraud with mail-in ballots or even walk-in voting), we should not use online voting in any circumstance. I gather it is more, look, this isn't perfectly secure, stakes in a presidential election are high, and risk of hacking increases given the profile of the event, so we should wait until we have even better and more secure technology. Does that argument apply on the local level for obscure elections?

Avi Rubin: Very good question! You need to gauge the level of threat when deciding which system to use. Voting for your local dog catcher is different from voting for President of the United States. Our analysis applied to an election where there would be the highest incentive to disrupt it. I think it is reasonable to use less secure voting systems such as you describe, when the stakes are not as high.


washingtonpost.com: The SERVE program web site is here.


Washington, D.C.: Are you aware of any internet voting systems in place that meet the security requirements you outline?

Avi Rubin: No. I do not believe such a system is possible with today's computers and today's Internet.


Washington, D.C.: Where does the Bush Administration stand on the SERVE system? Are they 'fer it or agin it'?

It seems that we could probably spend more money on devising a better nation-wide system for the citizens here, rather than add one more easily corruptible system to the mix.

Avi Rubin: I have no idea where the Bush administration stands. I have not seen any public statement from them on this issue.


Arlington, Va.: Are there security measures adopted by the financial sector that could help with secure e-voting?

Avi Rubin: Actually, those measures exist in the SERVE system. They use cryptography and passwords and other techniques. However, as I mentioned earlier, the requirements for securing voting are more challenging than those for securing financial transactions.


Fairfax, Va.: Could the Pentagon apply its expertise in cryptography to the problem?

Avi Rubin: Actually, they do use cryptography. Unfortunately, cryptography can do nothing about worms and viruses, which could change the way someone votes, or at the very least fool someone into thinking they have voted.


Ann Arbor, Mich.: Has your organization studied the Michigan Democratic Party's plans for an online primary vote?

Avi Rubin: Hi in Ann Arbor. Go Blue! (I am a University of Michigan alum.) We are just now starting to look closely at Michigan. They are using a different system than SERVE, and the requirements are different, as I do not believe that the caucuses need to be anonymous. However, I believe many of the generic attacks that we describe apply to that system as well.


Ballston, Va.: Re: denial of service - If this happens in ecommerce the consumer simply tries again later (in the rare occurrences that Amazon or Ebay are blocked, it's never more than a few minutes before the attack is detected and thwarted). If a voter were temporarily blocked, wouldn't they be able to try again? Aren't the real victims of disenfranchisement our troops who wait for a paper ballot that has a high probability of never arriving?

Avi Rubin: I believe that we have not yet seen an attack on the scale of what is possible. In February of 2000, all of the major web sites you describe and others were brought down for several hours. They finally traced the attack to a 17 year old Canadian. What could a dedicated country, willing to spend billions of dollars do? I believe much more than that.


Alexandria, Va.: The era of a truly "anonymous" vote is long past. Sophisticated data analysis systems already reveal how Americans are voting at the precinct level. Combining that data with party insiders' knowledge of specific precincts basically reveals who is voting for whom. With that said, perhaps the only way to do Internet voting is to agree that anyone wanting to vote that way has to be willing to participate in an auditable system -- one that would record each person's vote (referencing some sort of unique ID). Thoughts?

Avi Rubin: I am not as cynical as you are. I think that when I vote, nobody should know for whom I am voting, unless I tell them. I do not think we should give up and build systems that compromise anonymity. Voting anonymously is an important part of democracy and protects us against intimidation and vote selling.


Reston, Va.: Your concerns are with unsecure PCs in cyber cafes in Iran (or wherever). I gather you don't have the same sense of heightened concern or sensitivity for use of online voting in local elections for town offices?

Avi Rubin: Again, the level of threat needs to be taken into account. If you are only voting for your local officials, there is less of a threat than if you are voting for President. Still, any public election should be taken seriously, and I think right now Internet voting is far too dangerous.


Washington, D.C.: Didn't Arizona conduct an online primary vote in 2000? Any lessons to be learned from that?

Avi Rubin: That is correct. One of the problems with such experiments is that if nobody attacks the system, people claim that the system is secure. The truth is that in the Arizona primary, the outcome of the national primary was already determined at the time of the voting, so any attacker with any sense would not waste their attack on a meaningless election. One of my biggest fears is that SERVE will go off "without a hitch", where no attack is perceived (even if one happened) and that will pave the way for future expansion of the system.


Rockville, Md.: How far have denial of service attacks come in the past few years? Why aren't today's defenses adequate?

Avi Rubin: One of the biggest problems we have is that today's viruses and worms are depositing zombies (programs that will attack later) all over the Internet. When the signal comes in, hundreds of thousands of machines can be programmed to attack a victim as hard as possible.

The defenses are in the early research phases. There are some products out there that can defend an enterprise against known attacks, but right now, the attackers are way ahead.


Washington, D.C.: How important are the users in this system? Is there any way to guarantee they would take necessary safeguards before participating?

Avi Rubin: Good question. Users are always important to consider when designing a security system. As long as you assume that users want to participate, your task is easier when designing a voting system. But, considering the value of a vote, and the fact that people might want to sell their vote, you have an additional challenge.


Foggy Bottom, D.C.: You suggest printing and optical scan as if that's automatically superior. Perhaps the security issues are simpler to solve but the scanners must be properly calibrated etc. to "ensure" an accurate count. South Carolina elections in 2000 demonstrated the flaws of that system. It would seem the focus should be on researching secure electronic systems...not returning to last century flawed technologies. My question is: aren't the pieces of the puzzle already available? e.g. check-sum protocols, encryption, etc.?

Avi Rubin: I believe that there are advanced cryptographic techniques that can make verifiable voting much better. The problem is that you then have to show up at the polls with a mathematician. The thing I like about paper is that everybody understands it and can relate to a printed ballot.

I agree that optical scans are not perfect. But, it's a lot easier to get an optical scanner right than a full-fledged touch screen voting and tabulating machine. There is much less code. If the code for the optical scanning machine is made public, that's even better. And, a necessary component of the system is to have surprise recounts of the paper ballots, to check that the scanners are working correctly.


Outer Banks, N.C.: Who cares if these (essentially absentee voters) whose votes are always counted last and generally only if a tie is in jeopardy are lost? This is an experiment and as such, it should be viewed as an experiment - don't we have something to gain from experimenting?

Avi Rubin: In a scientific experiment, you have some hypothesis, and you conduct an experiment to validate it or to disprove it. If we run SERVE, and someone succeeds in changing votes, it is possible that this would happen without us ever knowing it. So, what did we learn from the experiment? Also, Florida is participating in SERVE. The number of votes they will receive from the system would have been enough to potentially change the outcome of our last presidential election.


Washington, D.C.: If the world's banking system can trust literally trillions of dollars to be transferred over the Internet, why is it considered impossible to trust the Internet to transmit 100,000 votes?

Avi Rubin: See my earlier answer to this question and the section of our report about how e-commerce is different from voting.


Upper Marlboro, Md.: If they can't keep spam out of our email boxes then how are they going to ensure the security of voting online???

Avi Rubin: Good question.


San Bernardino, Calif.: The threat(s) to internet voting and electronic voting have been wildly exaggerated and undefined in the view of other security and elections experts.

Who specifically do you think poses a threat to these systems and why?

If there is intelligence that specific threats of this type of political terrorism do really exist, why not pursue those posing the threat rather than abandoning proving elections technology?

Avi Rubin: I don't think you have to look too far in our history to see examples of people trying to subvert elections. Look at how much money is spent on political advertising. Imagine the chance to actually change votes directly. I believe foreign governments, other politicians, and terrorist groups pose threats, as well as the lone hacker who wants to get noticed.


Ottawa: Is there any fear that a push toward e-voting, could worsen the disparity between technology haves and have-nots? Initially there may be a lot of redundancy, but will we see a time where the technologically unsavvy are left out in the democratic cold?

Avi Rubin: What you are referring to is the question of a "digital divide". It's a very good question, and one that I'm not qualified to answer. I've looked at the security issues, since that's my area of expertise. The social scientists are studying the digital divide issue, and that is an excellent question to pose to them.


Leesburg, Va.: Avi, do you see any similar areas of life in which people are trying to embrace technology without grasping its risks?

Avi Rubin: Yes, in fact, I have set up a site dedicated to exposing technology risks. The site is http://abusabletech.org/ and you can read of some of the risks there. Technology risks and people's misuse of technology is something that I have focused on a lot in the last several years. I also suggest that if you are interested in this topic, that you check out Peter Neumann's Risks column, which you can find with Google.


Baton Rouge, La.: Isn't there a fundamental difference between internet voting and self-contained electronic precinct voting? It is fairly obvious that the web is not "securable". However, electronic voting in a precinct seems the best option. And, we know that there are secure technologies for electronically transferring the data packets.

Avi Rubin: Yes, there is a fundamental difference between Internet voting and electronic precinct voting. I believe that Internet voting is strictly worse. However, I don't think we should minimize the risks of electronic precinct voting. Anytime large, complex software is part of a system, it becomes very difficult to analyze and to understand the risks involved. One thing many people do not appreciate is how easy it is to disguise bogus and malicious code in a software package. The insider threat to an election system is all too real.


Outer Banks, N.C.: In your answer to my last question, you state there is the possibility someone could change votes without the system knowing about it. But I thought using digital cryptography employs the use of things like Smartcards, or even Biometrics; therefore, if only I hold the card or digital imprint, how is someone going to change my vote. If they open my encrypted algorithm, that will leave an imprint and can't that be traced to disqualify the ballot? If they get on my system, they still can't vote unless I sign on with my card - isn't that correct?

Avi Rubin: Imagine that someone sets up a bogus web site that looks and feels like the SERVE site. Now, you go there to vote. If you vote the way the attacker likes, you are redirected to the real SERVE site. If you vote a different way, you are thanked, and the connection is dropped, or you are given an error message. No cryptography or biometrics can defend against this. Similarly, if someone replaces the browser on a machine with something that looks like a browser, but is actually a vote capturing program, users could be fooled. The way you describe the system is not exactly accurate. I recommend that you read our report.


Olney, Md.: Following up on the San Bernardino question: Isn't it true that there has never been a perfectly secure voting system? (paper is subject to chain voting and misinterpretation, etc.) Isn't this really a question of which security tradeoffs are most reasonable in today's environment?

Avi Rubin: That's exactly right. One of the things we want to avoid, when moving towards high tech voting is to open ourselves up to attacks that are more scalable and that could influence more votes. When something is automated the impact it can have is much greater.


Washington, D.C.: I have to take issue with you on the voter verified paper trail. The machines already print out a receipt at the request of an election official. Further, if the paper trail receipts were required, they would be illegal. Currently, there is no standard for such machinery and not even a telephone number to call about it. How can modification be espoused when the machinery is clearly illegal! It's irresponsible and a violation of the deadlines set forth in HAVA for our electoral voting systems to be modernized by 1/1/2006. Comments?

Avi Rubin: The paper that they print out now on request may not represent how the voter voted. The voter verifiable paper is necessary to ensure that the voter can have confidence that their vote was recorded properly. I'm not advocating receipts that people would take away from the polls. Rather, paper that people would then deposit in a scanner or in a box at the poll site.


Washington, D.C.: Someone once sent me an email claiming that an upset winner for a Congressional seat was an executive of the company that ran the election system. I disregarded the letter as a crank conspiracy theorist. Later, I read how this indeed was a surprise election upset and indeed the elected person was such an executive. Now, perhaps the election was legitimate and it just looks suspicious. Yet, this leads to the question the letter writer posed to us: could those who control the system manipulate the system to elect who they wish?

Avi Rubin: This is a big problem. Of course, those who build the system can have the machines do whatever they want. One of the problems with systems that do not have voter verification is that there is no way to answer the hard questions when there is a dispute in an election.


washingtonpost.com: Avi, thanks for joining us. Visit washingtonpost.com for continuing coverage of the issue, as well as links to other resources listed at the top of this page.


© 2004 Washingtonpost.Newsweek Interactive