BBV: Defense Dept. Cancels Use of Internet Voting Project

http://www.nytimes.com/2004/02/05/politics/campaign/05CND-VOTE.html?ex=1076648400&en=b56c7d94b88dc6c7&ei=5062&partner=GOOGLE

Citing security concerns, the Department of Defense canceled the use of a $22 million project today that would have allowed Americans overseas to vote over the Internet in this year's elections.

The system, the Secure Electronic Registration and Voting Experiment, or Serve, was developed with financing from the Defense Department.

The decision was announced in a memo from Deputy Secretary of Defense Paul Wolfowitz to David Chu, undersecretary of defense for personnel and readiness.

Paraphrasing the memo, a department of defense spokeswoman said "the department has decided not to use Serve in the November 2004 elections. We made this decision in view of the inability to ensure legitimacy of votes, thereby bringing into doubt the integrity of the election results," the spokeswoman said. The memo also states that efforts will continue to find other ways to cast ballots electronically for Americans overseas, but "the integrity of the election results have to be assured," the spokeswoman said.

****

I'd say that's another victory for the good guys :)

Glad to see they took notice of the critical security report that was released..

Good riddance SERVE.

now if we could only get rid of those damn black box voting machines here in America...

I believe they have probably figured out a way to cook the votes without using the new system. So how much of the 22 million has already been spent? Who's in charge here? Wolfkowitz? If yes, that is very strange. Was it only for the military or anyone who was overseas?

I will never forget 2000 when pundits and hosts on the propaganda shows smirkily and confidently stated that the military vote would go to Bush.

:toast:

:hi:

n/t

Speaking the truth about what a travesty the very idea of Internet voting is. The medium cannot be secured. Voting on PC's. What were they thinking?

Thanks to Simons, Jefferson, Wagner, and Rubin, for speaking the truth and speaking up:


Authors
Dr. David Jefferson
Dr. Aviel D. Rubin
Dr. Barbara Simons
Dr. David Wagner

Executive summary
This report is a review and critique of computer and communication security issues in the SERVE voting system (Secure Electronic Registration and Voting Experiment), an Internet-based voting system being built for the U.S. Department of Defense's FVAP (Federal Voting Assistance Program). The program's web site is http://www.serveusa.gov/. While the system is called an experiment, it is going to be used to count real votes in the upcoming general elections. The authors are members of SPRG (the Security Peer Review Group), a panel of experts in computerized election security that was assembled by FVAP to help evaluate SERVE. Our task was to identify potential vulnerabilities the system might have to various kinds of cyber-attack, to evaluate the degrees of risk they represent to the integrity of an election, and to make recommendations about how to mitigate or eliminate those risks.

The SERVE system is planned for deployment in the 2004 primary and general elections, and will allow the eligible voters first to register to vote in their home districts, and then to vote, entirely electronically via the Internet, from anywhere in the world. Besides being restricted to overseas voters and military personnel, SERVE is currently limited to people who vote in one of 50 counties in the seven states (Arkansas, Florida, Hawaii, North Carolina, South Carolina, Utah, and Washington) that are participating. The program is expected to handle up to 100,000 votes over the course of the year, including both the primaries and the general election. (By comparison, approximately 100 million votes were cast in the 2000 general election.) The eventual goal of SERVE is to support the entire population of eligible overseas citizens plus military and dependents. This population is estimated to number about 6 million, so the 2004 SERVE deployment must be judged as a prototype for a very large possible future system.

Our conclusions are summarized as follows:


DRE (direct recording electronic) voting systems have been widely criticized elsewhere for various deficiencies and security vulnerabilities: that their software is totally closed and proprietary; that the software undergoes insufficient scrutiny during qualification and certification; that they are especially vulnerable to various forms of insider (programmer) attacks; and that DREs have no voter-verified audit trails (paper or otherwise) that could largely circumvent these problems and improve voter confidence. All of these criticisms, which we endorse, apply directly to SERVE as well.

But in addition, because SERVE is an Internet- and PC-based system, it has numerous other fundamental security problems that leave it vulnerable to a variety of well-known cyber attacks (insider attacks, denial of service attacks, spoofing, automated vote buying, viral attacks on voter PCs, etc.), any one of which could be catastrophic.

Such attacks could occur on a large scale, and could be launched by anyone from a disaffected lone individual to a well-financed enemy agency outside the reach of U.S. law. These attacks could result in large-scale, selective voter disenfranchisement, and/or privacy violation, and/or vote buying and selling, and/or vote switching even to the extent of reversing the outcome of many elections at once, including the presidential election. With care in the design, some of the attacks could succeed and yet go completely undetected. Even if detected and neutralized, such attacks could have a devastating effect on public confidence in elections.

It is impossible to estimate the probability of a successful cyber-attack (or multiple successful attacks) on any one election. But we show that the attacks we are most concerned about are quite easy to perpetrate. In some cases there are kits readily available on the Internet that could be modified or used directly for attacking an election. And we must consider the obvious fact that a U.S. general election offers one of the most tempting targets for cyber-attack in the history of the Internet, whether the attacker's motive is overtly political or simply self-aggrandizement.

The vulnerabilities we describe cannot be fixed by design changes or bug fixes to SERVE. These vulnerabilities are fundamental in the architecture of the Internet and of the PC hardware and software that is ubiquitous today. They cannot all be eliminated for the foreseeable future without some unforeseen radical breakthrough. It is quite possible that they will not be eliminated without a wholesale redesign and replacement of much of the hardware and software security systems that are part of, or connected to, today's Internet.

We have examined numerous variations on SERVE in an attempt to recommend an alternative Internet-based voting system that might deliver somewhat less voter convenience in exchange for fewer or milder security vulnerabilities. However, all such variations suffer from the same kinds of fundamental vulnerabilities that SERVE does; regrettably, we cannot recommend any of them. We do suggest a kiosk architecture as a starting point for designing an alternative voting system with similar aims to SERVE, but which does not rely on the Internet or on unsecured PC software (Appendix C).

The SERVE system might appear to work flawlessly in 2004, with no successful attacks detected. It is as unfortunate as it is inevitable that a seemingly successful voting experiment in a U.S. presidential election involving seven states would be viewed by most people as strong evidence that SERVE is a reliable, robust, and secure voting system. Such an outcome would encourage expansion of the program by FVAP in future elections, or the marketing of the same voting system by vendors to jurisdictions all over the United States, and other countries as well. However, the fact that no successful attack is detected does not mean that none occurred. Many attacks, especially if cleverly hidden, would be extremely difficult to detect, even in cases when they change the outcome of a major election. Furthermore, the lack of a successful attack in 2004 does not mean that successful attacks would be less likely to happen in the future; quite the contrary, future attacks would be more likely, both because there is more time to prepare the attack, and because expanded use of SERVE or similar systems would make the prize more valuable. In other words, a "successful" trial of SERVE in 2004 is the top of a slippery slope toward even more vulnerable systems in the future. (The existence of SERVE has already been cited as justification for Internet voting in the Michigan Democratic caucuses.)

Like the proponents of SERVE, we believe that there should be better support for voting for our military overseas. Still, we regret that we are forced to conclude that the best course is not to field the SERVE system at all. Because the danger of successful, large-scale attacks is so great, we reluctantly recommend shutting down the development of SERVE immediately and not attempting anything like it in the future until both the Internet and the world's home computer infrastructure have been fundamentally redesigned, or some other unforeseen security breakthroughs appear. We want to make clear that in recommending that SERVE be shut down, we mean no criticism of the FVAP, or of Accenture, or any of its personnel or subcontractors. They have been completely aware all along of the security problems we describe here, and we have been impressed with the engineering sophistication and skill they have devoted to attempts to ameliorate or eliminate them. We do not believe that a differently constituted project could do any better job than the current team. The real barrier to success is not a lack of vision, skill, resources, or dedication; it is the fact that, given the current Internet and PC security technology, and the goal of a secure, all-electronic remote voting system, the FVAP has taken on an essentially impossible task. There really is no good way to build such a voting system without a radical change in overall architecture of the Internet and the PC, or some unforeseen security breakthrough. The SERVE project is thus too far ahead of its time, and should wait until there is a much improved security infrastructure to build upon.

http://www.mercurynews.com/mld/mercurynews/news/7885748.htm

California Secretary of State Kevin Shelley on Thursday announced measures to improve election security in the wake of a report describing how votes can be easily manipulated by hacking into an electronic voting system used across California.

One in four California voters, including those in Alameda County, are expected to cast ballots in next month's presidential primary on electronic voting systems made by Diebold Election Systems.

SNIP

The report, which was prepared by Raba Technologies for the Maryland legislature, comes on the heels of an audit of California Diebold systems conducted by Shelley's office in December. That study found Diebold had installed unapproved software in 17 California counties in violation of state law. ``Clearly, Diebold needs to get its house in order or it will not be allowed to continue to do business in California,'' said Shelley spokesman Doug Stone.

SNIP...

Shelley is not asking for changes to Diebold's software, but he called on the company to turn over its software code so it could be evaluated by independent experts chosen by the state. Shelley also is requiring random state testing of all electronic voting systems on election day to ensure ballots are accurately recorded.

As an additional safeguard, Shelley is ordering counties to post election results from each touch-screen machine at each precinct after the polls close and to disconnect the machines from the Internet. Voting-equipment companies must prepare a voting security plan for review by the state.

But the action that needs to happen is decertifying Diebold. They've broken the law, state regulations, and no one can find any measure of security in the system.

Doesn't California have a three strikes law?

I hope Shelley is laying the groundwork to boot Diebold out.

Then, take a look at the county officials who are crying about losing their auditless voting machines, especially the ones who purchased the machines in violation of state law. Our voting machines have to be accountable and so do election officials. They had no business signing contracts for machines that did not meet state law.

California has one of the highest rates of turnover for ex county and state officials entering the voting industry. Sounds like a 60 Minute piece to me. Vendors aren't buying expertise- they are buying influence. Some of that influence comes from people high up, like ex Secretaries of State. Those individuals have a great deal of influence on the county officials in each state. Some even have "training" programs for election officials. Those programs, while valuable for some things, have also provided a closed avenue for vendor propaganda. Then the vendors ply them at conferences and association meetings, refusing to let the other side be heard, as was the case when they threw Mercuri out of an IACREOT meeting.

Who's influencing the Secretaries of State? The vendors and vendor controlled or employed entities, like the ITAA. Remember the secret meeting between the ITAA and the vendors? Right on schedule comes Harris Miller's op ed in USA today. The purpose- to change public "perception." I.E., another dog and pony show, marketing hype and PR to sell a product dangerous to democracy.

The chain of this vendor-controlled self-regulation will go all the way up to the FEC, who allowed it to happen. When you dig up the 1990 voting machine standards, the ones that Mercuri has pointed out don't even meet the minimal industry requirements of computing systems, the ones most of todays systems are certified under, you will find the names of state officials who helped "craft" the regualtions. (Of course, there's the fact that our certification process is a joke, passing machines that don't even meet the trite standards)

Two names stand out for me because they come from my state: Ralph Munro (CEO of VoteHere) and protge Sam Reed, current Washington Secretary of State and a big proponent of Internet voting, coincidentally. These individuals are also apparently responsible for county election clerks saying that HAVA bans the use of paper. Washington auditors are still referring to the long-debunked R. Doug Lewis article against voter verified paper ballots.

SERVE and touch screens are the tip of the iceberg. We already know that the optical scan programs have been compromised, too.

It's time to clean house.

what do they have up their sleve to replace it? VoteHere?

I am glad for this victory...but just what do they have planned?

if allowed to vote fairly, the military is no lock for * this time around.

will be interesting to see what sleaze they have on backup...