E-voting: Hacking newspapers vs. hacking elections
Posted by Bob Jonkman on February 5th, 2013
Jeremy Epstein
Jeremy Epstein from the technology blog Freedom to Tinker provided expert testimony to a Virginia state Senate Committee Hearing on a bill to allow military voters to cast their votes via the Internet, and has written an article comparing Hacking newspapers vs. hacking elections:
The past few days have revealed that the New York Times, Wall Street Journal, and Washington Post have all been hacked by Chinese government-affiliated organizations, for the purpose of spying on reporters. The Washington Post says that the attacks were detected over a year ago, and had been going on for at least a year before that. Commercial security products like anti-virus did not detect the malware, which isn’t surprising to anyone who is familiar with signature-based schemes. The attacks on major newspapers were significant enough that Krebs on Security quotes Gunnar Petersen saying it would be “more surprising would be a major newspaper outlet that wasn’t hacked by the Chinese”. (This in turn reminded me of the Nixon enemies list, where being omitted from the list was a sign that one was unimportant, and “Newsman Daniel Schorr and [actor] Paul Newman stated, separately, that inclusion on the list was their greatest accomplishment.”.)
So what does this have to do with voting? The NY Times story appeared on Jan 30. On Jan 29, I testified to the Virginia Senate Committee on Privileges and Elections hearing in opposition to SB 830 and 874. These two bills would require the Virginia State Board of Elections to allow military voters to cast their votes via the Internet. (The Patron (sponsor) of 874 said that it was not internet voting, but rather returning the ballot via electronic format, which is to say by email or web site. I fail to see the a meaningful difference between that an internet voting.)
In my testimony, I explained that internet voting is harder than almost any other kind of activity on the internet including banking – and that the only reason we can do banking and other activity online is because of cross-checks and the willingness to accept a level of fraud that’s not possible with voting.
In response to my testimony, representatives of the State Board of Elections were asked by the senators whether they were confident that the system was secure. The SBE representative assured the senators that the system was secure. Unfortunately I was not permitted to respond to that assertion, and the SBE wasn’t challenged why they believe that they can provide the necessary protection.
I continue to be amazed that elected officials can read constant articles about hacking, and yet readily accept the assurances that there will be no problems with internet voting. If the SBE is so good at stopping attacks, perhaps they should supplement their paltry budget by providing security for banks, Federal government agencies like DOD, and the nation’s leading newspapers!
In reply to my request for permission to republish his article, Jeremy Epstein wrote:
[…] There’s been a number of ill-considered internet voting experiments in Canada, unfortunately. Probably the worst was in Edmonton AB, where there was a “mock election” to select a favorite jelly bean color. Based on that experiment, which disallowed any effort to break the system, the city concluded that the system was secure. I don’t understand how they came to that conclusion – or even to the much simpler conclusion that the apparent winner of the jelly bean contest was actually the selection of the majority of the voters. The only conclusion that I could reasonably draw is that people like internet voting – which we already knew. What we don’t know is how it can be done securely, and that experiment did nothing to further our understanding.
Updated 5 February 2013 to clarify that Jeremy Epstein testified at the Virginia state senate hearing, not a federal one.
Hacking newspapers vs. hacking elections by Jeremy Epstein from the Freedom to Tinker blog is republished with permission of the author.