A new report entitled "A Security Analysis of the Secure Electronic Registration and Voting Experiment (SERVE)" has called for the halt of the deployment of SERVE in 2004 until underlying security issues have been resolved. At the heart of the report, written by a group of four security experts from academia and the private sector, are apprehensions about the security threats, the On Demand technology of Internet voting, and the stakes for democracy.
What Is SERVE?
SERVE is a project aimed at providing Uniformed Services members and overseas citizens the ability to register, request an absentee ballot, vote, and check registration status via the Internet throughout the absentee voting process. SERVE is a part of the Federal Voting Assistance Program (FVAP) that was mandated by Congress under the Uniformed and Overseas Citizens Absentee Voting Act (UOCAVA) of 1986 and is currently run by the Department of Defense under Donald H. Rumsfeld.
Although SERVE is billed as an "experiment," it is currently scheduled to be deployed for the 2004 primary and general elections and is expected to handle up to 100,000 votes over the course of the year for the states of Arkansas, Florida, Hawaii, North Carolina, South Carolina, Utah, and Washington. By comparison, in the 2000 presidential election, a total of only 84 votes were cast by a predecessor system called Voting Over the Internet (VOI).
An Experiment Leading to Full Deployment
The eventual goal of SERVE is to support the entire population of eligible overseas citizens plus military personnel and their dependents. This population is estimated to number about six million, so the 2004 SERVE deployment is seen as a prototype for a very large future system.
However, in a year when the President of the United States is building his campaign for re-election upon issues of national security, this new report raises the specter of the infamous Florida re-count, the terrorist attacks of 9/11, the ongoing Internet virus and worm epidemics, and the potential for Denial of Service (DoS) attacks that could significantly impact the validity of this On Demand e-government experiment and election results as a whole. While such a terrible outcome might seem unlikely to some, the authors make a compelling technical case for a complete re-evaluation of the SERVE project.
E-Commerce Versus E-Voting
The basic premise of SERVE is that modern e-commerce security technologies can be modified and enhanced to enable individuals to cast their ballots in an election with the same success that consumers currently experience when purchasing goods over the Internet.
However, in analyzing the registration and voting mechanisms of SERVE in light of the current Internet security technologies available, the authors found a number of significant differences in the scope of the project and a basic lack of oversight in the security technologies employed. According to the authors, "voting requires a higher level of security than e-commerce. Though we know how to build electronic commerce systems with acceptable security, e-commerce grade security is not good enough for public elections." Why? What is the difference?
Voting Is a Non-Transferable Right
According to the authors, securing Internet voting is structurally different from--and fundamentally more challenging than--securing e-commerce. For instance, it is not a security failure if your spouse uses your credit card with your consent. However, it is a security failure if your spouse votes on your behalf, even with your consent; the right to vote is not transferable.
Interruption of Service Nullifies Elections
Threats also weigh more heavily on the outcome of a democratic election. For instance, a DoS attack on e-commerce transactions may mean that business is lost or postponed. However, such an attack on Internet voting would de-legitimize all the transactions that were cast. Yet the results of an election would be irreversible, disenfranchisement would be complete, and the validity of the outcome could never be assured. Such was exactly the point of the Florida recount in 2000.
Democracy Requires Verifiable, Anonymous Voting Results
The authors also point to the very special requirements that voting holds for maintaining the anonymity of the voter. Voting anonymity is one of the hallmarks of a free and open election, and detecting fraud in an electronic system of Internet voting requires a substantially different security scheme than e-commerce. For instance, in a commercial setting, customers can detect errors because their transactions are not anonymous, and the results of their purchases appear on billing statements that can be checked against electronic receipts. The opposite is true in the security requirements for Internet voting: The voter must be assured that his/her results are accurately accounted for in a setting of anonymity so that the vote cast may not be traced back to the voter. It is an issue of trust that strikes at the core of the "one-man/one-vote" compact of a democracy.
A Flawed Architecture in Current Internet Technology?
These differences between e-commerce and e-voting security make the strongest case for a full examination of the SERVE system before the 2004 elections. Yet, according to the authors of the report, who have studied the proprietary system being deployed, grave security risks have yet to be addressed. The 34-page report breaks these threats into logical groups and then examines the potential of these risks under the current SERVE architecture. According to their evaluation, the risks are high, while the technical Internet skill required to create the security threats is relatively low. According to the authors, these threats include the following:
- DoS attacks against SERVE vote-recording servers
- Trojan horse attacks against the voter's personal computer, preventing the casting of the vote or altering the ballot
- On-screen electioneering in which the voter's ballot is hijacked, rerouted, or changed
- Spoofing of the SERVE election site itself, through various easy-to-implement means
- Physical alteration of the voter's personal computer to prevent or change votes
- Untraceable insider attacks against the SERVE vote-recording servers
- Untraceable, automated vote buying or selling across the Internet
- Coercion of voters through electronic Internet surveillance of the voters' ballots
- SERVE server-specific viruses that manufacture, steal, or alter votes
Assessing the Real Threat to Electronic Internet Voting
Electronic Internet voting is the Holy Grail of the On Demand e-democracy movement that is backed by IBM and other industry giants, as well as the open-source movement itself. Today, the future promise of Internet voting is an integral part of how computer software and hardware vendors market to governments and nations. This concern is practical in nature and financial at root. For instance, it's estimated that the recent recall election in California cost the beleaguered state over $63 million during a fiscal crisis in which the budget was already $8 billion in deficit. Elections are expensive, and ad hoc elections are even more so.
On the surface of it, the SERVE system appears to meet many of the goals of the e-democracy movement, providing electronic ballots, ease of implementation, rapid deployment, and quick "on demand" results.
However, when security experts attempt to peer beneath the public face of nearly all of the electronic balloting systems that are being funded by the current U.S. Congress, they're brought up short by the proprietary nature of these products. All are the properties of private corporations, all provide limited access to the underlying code that runs them, and none are known to adhere to overall external international standards that might prevent security flaws, manipulation, or fraud. Those that are based upon Microsoft Windows technology are immediately suspect for similar reasons and for reasons of Microsoft's past track record in securing the Windows platform.
The real underlying fear of the authors of "A Security Analysis of the Secure Electronic Registration and Voting Experiment (SERVE)" is not that this experimental system will fail massively during 2004, but that its potential success using current Internet technologies might lead public officials to believe that it is inherently secure. To these experts, exactly the opposite is true: Even without access to the underlying code running the system, they can easily devise mechanisms that could thwart the intent of the voter. Their formal meetings with officials and technical experts within the SERVE program have not brought remedy to their concerns, and this warning report is the result.
On the one hand, the impact of SERVE in 2004 can be dismissed as merely "an experiment in e-democracy." After all, it will only be counting a mere 100,000 votes across eight states this year.
On the other hand, the fate of the 2000 election ended up in the hands of a much smaller number of voters in Florida, and the final number of uncounted votes is still a matter of hot debate.
The message of the authors of this report is simple: "We can and should do better than this flawed technology." Unless we do, we will all suffer from the security risk from some unknown weapon of mass election.
Thomas M. Stockwell is Editor in Chief of MC Press, LP.