NIST finds security problems with overseas e-voting
Efforts to allow members of the U.S. military and other overseas voters cast ballots by e-mail or on the Internet face serious security problems, according to a new U.S. government report.
Even though voting by standard mail has its own problems, the report, from the U.S. National Institute of Standards and Technology (NIST), says that electronic transmission of completed ballots, also including telephone and fax, "present significant challenges to the integrity of the election."
The U.S. Department of Defense experimented with Internet voting in 2003, but dropped a pilot program the next year after security concerns surfaced. A handful of states have experimented with Internet voting, including Florida and Alabama in 2008, prompted by concerns about military mail ballots not being delivered in time to be counted.
The Help America Vote Act of 2002 (HAVA) requires the U.S. Election Assistance Commission (EAC) to study methods of overseas voting, and the NIST report is part of that effort. "IT security is an important aspect of this issue, so EAC asked NIST to conduct a study that would explore the security threats associated with potential electronic technologies for overseas voting, and identify possible ways of mitigating the threats," said Nelson Hastings, co-author of the report.
The NIST report says it's relatively safe to transmit unfilled ballots by fax or e-mail or put them on the Web, but sending filled-in ballots by those methods present problems with security or privacy.
Voting by telephone would require PINs, and PINs can be lost or stolen, the report says. In addition, telephone calls can be tapped, especially VoIP (voice over Internet Protocol) calls, the report says.
Fax transmissions can be relatively secure, but faxed ballots may be left unattended "for several hours," the report says. "Fax machines would likely be left in a room at the election office receiving faxes throughout the day," the report says. "This gives would-be attackers time to view sensitive personal information or destroy valid registration forms."
E-mail can be intercepted or blocked, the report adds. "E-mail does not provide any guarantee that the intended recipient will receive the message," the report says. "An attack on DNS [Domain Name System] servers could route e-mails to an attacking party. This would not only result in voter disenfranchisement, but also the loss of sensitive voter information."
While there are no reports of such an attack being successful, a recent vulnerability was discovered in DNS servers that could have been used to create such an attack, the report says.
There are also a number of less sophisticated attacks that could disrupt e-mail voting, the report says. "A denial-of-service attack could flood election officials with a massive number of fraudulent e-mails," the report says.
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
On Twitter now
NIST
Powered by Twitter
Esther Schindler
If the comments are ugly, the code is ugly
claird
SVG a graphics format for 21st century
pasmith
Take Chrome OS for a test spin
Sandra Henry-Stocker
Solaris Tip: Have Your Files Changed Since Installation?
jfruh
Android fragments vs. the iPhone monolith
mikelgan
What Gizmodo missed about the Pro WX Wireless USB disk drive
Where Google Chrome security fails: the password
I heard mention that the Chrome OS will have some sort of encryption available a la bitlocker. If it's possible to encrypt personal data using another password or key, then it may have potential for very secure data.... And Ubuntu has an 'encrypt home directory' option, perhaps google should follow suit.
- Dann
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
