Security concerns prompt D.C. to suspend Web-based overseas voting

Test run of open-source Digital Vote by Mail system exposed some serious flaws

Security issues have prompted election officials in the District of Columbia to suspend a service that aimed to allow overseas voters to cast their ballots via the Web in the November elections.

The vulnerabilities in Washington's new Digital Vote by Mail system were discovered during public testing last week by several security researchers.

Details of the flaws were not immediately available. However, one of them, discovered by a researcher at the University of Michigan, was so serious that it allowed the researcher to take complete control of the system hosting the Web application and tweak it so users who voted would hear a rendition of "Hail to the Victors," a University of Michigan fight song, said one observer of the tests.

A statement on the District of Columbia's Board of Elections and Ethics Web site offered no specific details on the issues that were uncovered. It merely noted that the "current iteration of the ballot return feature" did not meet required security and file integrity standards and was therefore being suspended.

Overseas voters will still be able to use the system to download their blank ballots, print them out, mark them and send them back by mail. They also have the option of sending a copy of their marked ballot back to their precinct by e-mail or fax.

Washington's new digital voting system is designed to make it easier for overseas U.S. military personnel and other citizens to vote in elections. The system is one of many that are being implemented around the country in response to the Military and Overseas Voter Empowerment (MOVE) Act of 2009.

One of the provisions under MOVE requires election officials to provide a Web-based application for delivering ballots to overseas voters. The goal is to allow registered voters who are based overseas to log into a Web site, identify themselves using a previously provided PIN and download the ballots for their precincts.

Under MOVE, voters are then allowed to print out the ballots, mark them and send them back by mail. They also have the option of sending a copy of their marked ballot back via e-mail or fax.

A third option allows them to use the Web application to digitally mark their ballot and send it back via the same application; this is the method that has now been suspended by election officials as a result of the security concerns.

Jeremy Epstein, a senior computer scientist at SRI International and one of those who have reviewed the design of the system, said on Tuesday that he is familiar with the testing conducted last week by University of Michigan researchers.

While he would not comment on the specifics of the testing, he said that one of the flaws allowed a researcher to take over the system and modify it so it would play the fight song.

The tests confirmed long-standing concerns about the vulnerability of Web-based voting systems to issues such as denial-of-service attacks, Web redirection attacks and client-side attacks designed to manipulate the manner in which ballots are marked, he said.

Epstein was one of several signatories to a letter sent to a D.C. council member last month expressing concern over the use of the Web system for returning marked ballots. The letter noted concern over the fact that the system had never been tested before, or certified for use by any agency.

David Jefferson, chairman of Verified Voting, and a scientist at the Lawrence Livermore National Laboratory, said that when he was testing the new system last week, he discovered a serious problem when the Web application was accessed via Apple's Safari browser on a Mac OS system. Ballots that are properly downloaded and marked using the built-in PDF viewer in Safari automatically go back to their original blank state when saved and submitted, he said.

"The default configuration of Safari is to use its own internal PDF viewer," Jefferson said. "It will allow you to make changes in the form, but when it saves the form, [the reader] throws all the changes in the form you just filled."

In a real election, it would mean that a voter had cast a blank ballot, most likely without even realizing it, he said.

"Every Macintosh Safari user, except those who had configured their browser to use Adobe Reader, would believe they had voted, [but] what they had submitted would be a blank ballot," Jefferson said.

In this case, Washington election officials should have clearly explained the potential for such issues to alert voters, he added.

Digital Vote by Mail is the first such system in the country based on technology from the Open Source Digital Voting Foundation, a group developing voting systems based on open-source technology.

John Sebes, one of the executive directors of the OSDV Foundation, on Tuesday referred questions related to the security issues to the district's Board of Elections and Ethics.

Paul Stenbjorn, the D.C. election board's chief technology officer, did not immediately respond to a request for comment by Computerworld.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is jvijayan@computerworld.com.
