A little more than 24 hours after online ballots started pouring into the Washington, D.C., Board of Elections and Ethics in late September, it became apparent that something was amiss. Washington's newly elected U.S. Representative went by the name of Colossus. A villainous computer from science-fiction lore captured the city-council chairmanship. And 15 seconds after voters cast their ballots, they were serenaded by the University of Michigan fight song. The system had been hacked.
Fortunately the vote was merely a test, and the disruption was designed to be instructive. For the first time, Washington planned to allow overseas and military voters to submit their ballots over the Internet during next month's elections. To gauge its security and iron out the kinks, officials invited hackers to take a whack at breaching the system's defenses. That task turned out to be far too easy. "It just took one open door," says J. Alex Halderman, the University of Michigan computer scientist who led the assault. Within three hours, Halderman and two graduate students located a flaw in the system's "brittle" security design. After waiting a day for votes to stream in, the trio hijacked the server changing ballots, broadcasting the maize and blue's fight song, seizing control of the security cameras in the board's offices and unearthing a folder containing the personal information of the more than 900 overseas voters who were to receive online ballots next month. It took 36 hours for officials to notice they had indeed been hacked.
Halderman says the exercise was meant to educate election officials about the dangers of online voting. "The question is not whether these systems can be broken into," he says. "It's whether anyone wants to."
They won't have to wait long to find out the answer. During next month's midterm elections, 33 states will allow a few million military and overseas voters to return their ballots online. Yet few, if any, states have taken the time to test their networks. While it may be tempting to jettison long lines, hanging chads and finicky voting machines for the ease of the Web, experts warn that Internet voting invites disaster. "We don't have the technology yet to do this in a secure way, and we may not for a decade or more," says Ron Rivest, a computer scientist and cryptography expert at MIT. The worst-case scenario? "You may find elections that end up with a totally unclear result," Rivest says. "You may find the entire system taken over and trashed."
Analysts say that online voting is a bad idea born out of good intentions. Overseas voters have a tendency to be disenfranchised by distance: a 2009 analysis by the Pew Center on the States determined 16 states did not provide members of the military, their spouses and citizens living abroad enough time to vote. To remedy the problem, last year Congress passed the Military and Overseas Voter Empowerment Act, which requires states to distribute ballots at least 45 days before an election. Still, it's not hard to see why online ballot returns would seem appealing. "The challenge has been explaining the security risk to people who desperately want to improve the plight of overseas voters," says Pamela Smith, president of the Verified Voting Foundation.
Chastened by the exercise, Washington is canceling plans to let voters return ballots digitally. But some states are undeterred by the red flags. "The system we have is totally different. You can't compare apples and oranges," says West Virginia Secretary of State Natalie Tennant. Mountain State voters in eight counties will be able to cast ballots online next month, using a complex, privately designed system that includes a secure website, passwords and encryption codes. The process varies from state to state. In Arizona, authorized voters will be e-mailed a ballot, which they will be able to print, fill out and then upload and return. County officials will verify each voter's name, address and signature, just as they will do for mail-in ballots. "I guess an e-mail could theoretically be intercepted, but generally speaking, we're confident," says Matthew Benson, a spokesman for Arizona's secretary of state. Massachusetts voters will have the luxury of returning ballots over e-mail.
But election-transparency advocates argue that none of these methods are secure. Despite the desire to ensure overseas votes get counted, they say, online voting remains far too vulnerable to mischief. "We've been working to build enfranchisement and increase the ballot count for years. If we thought this was the answer, we'd be doing it. But it's being built on quicksand right now," says Susan Dzieduszycka-Suinat, CEO of the Overseas Vote Foundation. "Our ballots are precious cargo ... [The Internet] is the last thing on earth designed to handle private info that should not be tampered with. It's like writing a contract in pencil."
The Washington incident illuminated those risks. "The good news," says Verified Voting's Smith, "is there was a public test that enabled white-hat hackers to demonstrate there are various ways to breach the system." The bad news is that while the Michigan team left a mischievous calling card to alert officials to their prank, malevolent intruders won't be inclined to advertise their dirty work. As it turned out, Halderman and his team weren't the only hackers to try to penetrate the Washington system. While inside, they noticed computers with IP addresses in China and Iran, among others, trying to gain access to the network. (The Michigan team changed the system's password to prevent them from doing so.) "This is a fact of life on the Internet today," Halderman says. "There are bad guys out there probing for weaknesses, trying to break into any computer they can find."