Posted at 10:25 AM ET, 10/30/2010

In D.C.'s Web voting test, the hackers were the good guys

By editors

By Jeremy Epstein, David Jefferson and Barbara Simons

Last month, the District conducted an Internet voting experiment that resulted in a team from the University of Michigan infiltrating election computers so completely that they were able to modify every ballot cast and all election outcomes without ever leaving their offices. They also retrieved the username and password for every eligible overseas voter who had signed up to participate. The team even defended the system against attackers from China and Iran. More than any other event in recent years, this test illustrates the extreme national security danger of Internet voting.

Though the District's Board of Elections and Ethics prudently dropped the plan to use the most dangerous parts of the system in Tuesday's midterms, the board still claims Internet voting is the wave of the future. By contrast, the consensus of the computer security community is that there is no secure Internet voting architecture suitable for public elections. The transmission of voted ballots over the Internet, whether by Web, e-mail or other means, threatens the integrity of the election. Simply fixing the problems identified in the District's test will not prove the system secure. Almost certainly the next test will discover new vulnerabilities yielding a similar disastrous result.

People frequently ask: If we can bank online, why can't we vote online? The answer is that because every banking transaction must be associated with a customer, banks know what their customers are doing, and customers get monthly statements that can be used to detect unauthorized transactions. There is no banking equivalent of the requirement for a secret ballot untraceable to the voter. While banks have huge budgets for mitigating security problems, they still lose substantial sums due to online fraud. In addition, while banks may tolerate the costs of online theft, because they save money overall, elections cannot tolerate a "small" amount of vote theft.

For more than a decade, computer security scientists have been warning of certain core dangers related to Internet voting. The successful Michigan incursion confirmed many of them:

1. Internet voting systems can be attacked from anywhere by any hostile government, criminal syndicate or self-aggrandizing individual. The Michigan team demonstrated this by conducting their attack entirely from Ann Arbor.

2. The attackers can determine the winners of an election. The Michigan attackers changed all the votes, and left no way for officials to restore the originals.

3. Effective defense is virtually impossible. There is an abundance of vulnerabilities in almost any complex software system, and voting systems are no exception. Attackers need only exploit one vulnerability, while defenders must find and defend against them all. And some things were out of bounds in the D.C. experiment; in a real election, criminal or foreign attackers would have additional opportunities for attack.

4. A cyber attack on an election may go completely unnoticed. The wrong people could be elected without anyone noticing. D.C. officials did not detect the Michigan attack for at least a day, even though the attackers thoughtfully played an audio "signature" (the Michigan fight song) after each ballot was cast. By the time officials discovered the attack, it was too late to recover from it.

By dramatically demonstrating the danger of Internet voting, the Michigan team has done our nation an enormous service. They deserve our congratulations and thanks.

The D.C. Board of Elections and Ethics deserves credit as well for choosing to conduct a public test of the system -- the first of its kind anywhere. However, we cannot expect the Michigan team or anyone else to perform pro bono testing repeatedly for each new Internet voting scheme.

Unfortunately, more than 30 other states have not learned from D.C.'s experiment and are allowing Internet voting in this week's elections. None of them has opened its systems to outside scrutiny, and all are simply relying on the assertions of their vendors or IT personnel that the systems are secure. Even companies such as Google, with vast resources and expertise, have been unable to protect themselves from remote penetration attacks from China. There is no reason to believe that states and localities can do better.

The results of the test are abundantly clear. General elections are not for experimentation. Unless and until someone produces a demonstrably secure Internet voting system that the computer security community endorses, government must not take risks that jeopardize our democracy.

Jeremy Epstein is a senior computer scientist with SRI International in Arlington. David Jefferson is a computer scientist at Lawrence Livermore National Laboratory and chairman of Verified Voting. Barbara Simons is a former IBM researcher and former president of the Association for Computing Machinery.



Great piece - Well-stated by scientific experts and important for us all to understand. Two added points:

First, we dishonor those who defend our security and democracy if we are so careless as to provide them the least secure means of voting.

Second, the brand new MOVE Act provided many secure, low-tech improvements for military and overseas voters. It makes sense to allow evaluation and assessment of those measures - which will take until after the 2012 election - before looking at additional high-tech and potentially risky measures.

-Dan McCrea, Florida Voters Foundation

Posted by: DanMcCreaPresidentFloridaVotersFoundation | October 30, 2010 12:14 PM

A huge thank you to these computer scientists for this excellent article. As they point out, unlike online bank transactions our public elections cannot tolerate even a small amount of lost or stolen votes. Banks can trace transactions and reimburse customers for losses, but once a vote is lost or stolen the voter who cast it loses his or her voice in that election forever.

Right now, voters in seventeen states (approximately 25% of the US voting population) still face unverifiable, paperless electronic voting machines in their normal polling places. It is a national disgrace that we still have this many votes at such risk in this manner.

Adding unverifiable and even more vulnerable internet voting to the mix is nothing more than a recipe for disaster.

Instead, we must commit to secure voting systems that make it possible to verify accurate vote counting is happening. Every single American voter -- whether military or civilian -- deserves to have his or her vote counted accurately as cast.

Marybeth Kuznik

Posted by: sunnykay | October 30, 2010 3:49 PM

Was the DC Hack a Conspiracy?

A couple of true statements in this article are, “For more than a decade, computer security scientists have been warning of certain core dangers related to Internet voting. ... By dramatically demonstrating the danger of Internet voting, the Michigan team has done our nation an enormous service.”

Simons and Jefferson, especially, are experts in what I call the Halloween method of opposing Internet voting; that is, telling really scary stories about what COULD happen if a system was hacked.(1) After a decade of crying "wolf!" without any actual facts to point to, the alarmists needed something concrete. The DC fiasco seems to be just what the doctor ordered. Now they use the DC hack as if it were proof that ALL Internet voting systems are as easy to hack. How convenient! Never mind the fact that in Europe, Canada, and the US Internet voting trials have all worked well – right now West Virginia and Arizona are having great success with well-built Internet voting systems.

Besides those pesky facts, all the facts have yet to be discovered about the DC incident. The article neglects to mention that the team at Trust the Vote, who built the DC system, have been long-time critics of Internet voting. That raises some yet unanswered questions.

Why did they submit a bid to build an Internet voting system? Why did the DC officials hire them, as opposed to the companies that built the currently successful West Virginia and Arizona systems?

One observer wrote on Slashdot (not me) that the system seems designed to fail.(2) Could that be true? Was the very construction of the system an insider attack? Did the builders plant a back door? What kind of communication did Trust the Vote members have with Halderman, after they got the DC contract? Just how duped and used were the DC officials?

1. For more details on this history see "Scary Stories Fail to Stop Internet Voting"
2. More details and citations at,

William J. Kelleher, Ph.D.
Twitter: wjkno1
FB: William Kelleher

Posted by: wjkellpro | October 30, 2010 3:50 PM

A conspiracy, Doctor Kelleher? When three computer experts state the well-established reasons that Internet voting is dangerous, Kelleher stoops to ad hominem attacks.

Kelleher offers no facts to dispute the rationale of the authors. He should be ignored as an unthinking advocate of Internet voting.

Paul Stokes
United Voters of NM

Posted by: stokescorrales | October 30, 2010 6:54 PM

If ATMs worked like Internet Voting, then:
- You would get no receipt
- You would not get a statement at the end of the month with any details, just a final balance
- The bank would only do single entry bookkeeping, showing only its accounts not customer accounts

Arizona and West Virginia successful? I missed the notice and reports of the public opportunity to hack the system? Perhaps if they subjected their systems to an extensive public test they would have some credibility. Even the test in D.C. 1) was very very short notice and length, much less time than real world hackers would have in a live voting system; 2) did not take into account the possibility of insider attack - the most dangerous requiring the fewest people.

Posted by: LutherWeeks | October 30, 2010 7:18 PM

Facts, Mr. Stokes? Well established? What about Europe, Canada, and the states in the US?

Come on, read the piece in note 1, above. You will see that no science, but only scary stories have been used to oppose Internet voting, and you will also see the injustice that has caused.

As a thinking person, you are surely disturbed by injustice, aren't you?

Posted by: wjkellpro | October 30, 2010 7:24 PM

Thank you for printing this important information from three renowned computer scientists.

Internet voting is, as the essay makes clear, a completely different and much harder security challenge than internet banking.

Our votes need to remain anonymous, yet we need to have confidence that our votes have been counted properly.

The best way to make this happen is with paper ballots, a secure chain of custody for those ballots, and strong citizens' rights so that citizens can satisfy ourselves that our ballots are counted accurately and reliably.

In our love of convenience, let's not endanger our democracy. Internet voting has the potential to be a modern-day Trojan Horse, exposing the single most critical part of our democracy to potentially invisible tampering by its enemies. Let's not invite it in.

Mitch Trachtenberg
Humboldt County Election Transparency Project

Posted by: mjtrac | October 30, 2010 7:25 PM

It is important to notice that the Ph.D. here supporting Internet voting, Kelleher, is a political scientist, not a computer scientist.

The validity of most prior work of political scientists studying voting behavior is based on the unsupported (unsupportable in the case of Internet and e-voting) assumption that U.S. election results are accurate. Thus, many American Politics scholars studying voting behavior oppose questioning the normative assumptions that the validity of their work depends upon.

Many U.S. election officials and voting vendors have managed to conflate the concept of the right to an anonymous ballot with a special right for themselves to count ballots secretly in a way that is wide-open to insider (or in the case of Internet voting wide-open to any hacker) tampering.

Posted by: kathydopp | November 1, 2010 11:19 AM

Lions and Tigers and Bears, Oh My!

I've been hearing warnings of potential electronic voting fraud for the past 5 years. For all I know it may have already occurred though how am I to know?

Might I suggest that our Chicken Littles gather their testicular fortitude and lay their collective egg on the line. Do a 'Life of David Gale' spin and actually hack a real vote. Choose a race where one candidate is polled to win by a substantial margin and flip the results. Wait a day and then make your actions known to an amazed and flummoxed public. That should put the nail in the electronic ballot box once and for all.

The smallest of actions is superior to the greatest of groaning.

Posted by: piratejackrabbit | November 1, 2010 11:36 AM

Piratejackrabbit, that's an interesting challenge. But most of us who you say are Chicken Littles are law-abiding citizens who want to make things better. Hacking a real election, even for a good purpose, is a felony. While I have no doubt that it would succeed, I'm not committing crimes, and I'm not going to encourage anyone else to do so either.

Even if the attacker revealed the hack, and even if the state decided not to prosecute, and the public believed it - what then? In most states there's no way to have a "do over", so the flipped election might well stand. And as a citizen, I don't want the responsibility of deciding the election results, even if it's for a good cause.

Posted by: JeremyInFairfax | November 1, 2010 2:43 PM


Hence my referral to testicular fortitude.

Posted by: piratejackrabbit | November 1, 2010 4:10 PM

Military-grade Internet reliability and security?

Here's a new story that appeared three days ago in the Chicago Tribune: "Pentagon cites hardware glitch in ICBM outage", a-na-missiles-20101027,0,1080872.story

This paragraph is of particular interest:

"But officials said that once it became clear the issue was technical, the military's level of concern dropped. 'This was not insignificant, but at the same time it was not catastrophic,' said one Pentagon official briefed on the incident."

Here are some of the insights imbedded in this paragraph.

1. The Military is concerned about glitches. [Corollary: Glitches in military communication systems are not impossible.]

2. Some glitches in Military systems are "not-insignificant."

3. The Military is concerned about "technical" glitches. [Corollary: Technical-- hardware/software--glitches are not impossible.]

4. The Military is more concerned when glitches are not technical. [Corollary: Either a) their programmers are not competent enough to avoid all non-technical glitches, or b) their programmers are intentionally setting up the systems for failure, or c) avoiding all non-technical glitches is not currently feasible. ]

Perhaps the Military should get rid of their computer programmers and hire the ones currently working for international banking firms.

Posted by: lipscombrjl | November 4, 2010 12:03 PM

The comments to this entry are closed.


© 2011 The Washington Post Company