Internet Voting Security: Wishful Thinking Doesn’t Make It True

[The following is a post written at my invitation by Professor Duncan Buell from the University of South Carolina. Curiously, the poll Professor Buell mentions below is no longer listed in the list of past & present polls on the Courier-Journal site, but is available if you kept the link.]

On Thursday, March 21, in the midst of Kentucky’s deliberation over allowing votes to be cast over the Internet, the daily poll of the Louisville Courier-Journal asked the readers, “Should overseas military personnel be allowed to vote via the Internet?” This happened the day before their editorial rightly argued against Internet voting at this time.

One of the multiple choice answers was “Yes, it can be made just as secure as any balloting system.” This brings up the old adage, “we are all entitled to our own opinions, but we are not entitled to our own facts.” The simple fact is that Internet voting is possible – but it is definitely NOT as secure as some other balloting systems. This is not a matter of opinion, but a matter of fact. Votes cast over the Internet are easily subject to corruption in a number of different ways.

To illustrate this point, two colleagues, both former students, wrote simple software scripts that allowed us to vote multiple times in the paper’s opinion poll. We could have done this with repeated mouse clicks on the website, but the scripts allowed us to do it automatically, and by night’s end we had voted 60,000 times. The poll vendor’s website claims that it blocks repeated voting, but that claim is clearly not entirely true. We did not break in to change the totals. We did not breach the security of the Courier-Journal’s computers. We simply used programs instead of mouse clicks to vote on the poll website itself.

In one case, the script was a bash script that looped a specified number of times and issued a curl command. My colleague’s comment was:

I started by looking at the source code of the website, which is possible with any browser. The poll in question used a HTTP form to submit the result, and only using cookies to prevent duplicate voting. One quick Google search later, I was reading a website about how to submit form data with curl (a linux utility that allows you to send all kinds of HTTP requests from a shell). From there, it was a simple matter of tinkering with the curl command until it submitted the result I wanted, and then looping it to run a large number of times. Curl doesn’t store or use cookies unless you explicitly tell it to, so it avoided the poll’s duplicate voting system entirely.

In the other case, what we had was a simple HTML script to enter data into the web form, and the script was run repeatedly with iMacros in Firefox.

Each of the scripts was done in about 30 minutes start to finish, and then run on four computers at home (2 + 1 + 1 for the three of us). When we started, just after dinner, the vote was 255 for, 90 against, and 146 “I’d have to be convinced”, with a handful of “no opinion” votes. By 10:30pm, we had collectively voted “no” about 9000 times. By Friday morning, we had voted more than 60,000 times and the poll was running 13 to 1 against.

This was a simple online poll that was easily compromised. Internet voting vendor software will be harder to compromise, but this shows that computer security is hard and claims must be proved. Before we entrust critical public functions such as voting to such software, the public deserves a solid demonstration that such claims are truly substantiated, and policy makers need to be schooled in a proper skepticism about computer security. That has not yet happened.

There is an irony in hacking an online poll about whether voting can be hacked. But it points to a much-needed dialogue between policy makers and computer security experts. Elections are too important to be entrusted, without proof, to the marketing hype of an Internet voting company. The nation’s real elections should be decided by the voters in the nation’s jurisdictions, not by whichever entity – foreign or domestic – happens to have the best software bots running on any given biennial Tuesday in November.