Internet Voting, Safely
[Note - this is an archived version of the original posting from 05:41 PM EST, Jan 25 2004]
Recently there has been publicity about a report critical of a proposed internet voting experiment. The voting system, called SERVE, was designed to allow overseas military personnel to vote absentee via the internet. The report's authors were four members of the SPRG (Security Peer Review Group), a ten member panel of experts in computerized election security that was called upon to review the SERVE project. The remaining members of the panel have not issued a public report on their opinion of the system.
Generally I agree with the concerns raised by the report. At this point, the security of typical PCs running Windows software is too weak to let them be a foundation for something as important as voting. It is extremely difficult to secure a Windows system to be immune to worms, viruses and other malware, and a voting application would be a significant target for malicious software creators.
At the same time, it is important not to read too much into the published criticisms. Most of the points made are rather specific to the SERVE system itself, and to the nature of the internet and PC security today. But any large-scale implementation of voting will occur only after several years of development and testing. During that time, we can expect continued improvement in technology, and especially in security technology. Many of these improvements are on the drawing boards now, and more will be developed.
As recently as a few years ago, security was largely a non-issue on the net. It is only within the last two or three years that the problems have escalated to the point that major efforts are being made to improve the security situation. As with spam, which has become a major issue only within the past year, it will take time for the net to react, but reactions will come.

It is a worthwhile exercise, then, to look at internet voting in the context of the security improvements that we can expect in the next five to ten years. Are the problems with internet voting, as the report claims, "fundamental in the architecture of the Internet and of the PC hardware and software that is ubiquitous today"? And is it the case that the security problems "cannot all be eliminated for the foreseeable future without some unforeseen radical breakthrough"? While no technology can eliminate "all" problems, I believe that the improved security capabilities that will become available over the next few years could eliminate many of the difficulties with internet-based voting.
One of the most anticipated new security technologies expected to become available is Microsoft's Next Generation Secure Computing Base (NGSCB), aka Palladium. This is an implementation of the Trusted Computing (TC) concept, promoted by the Trusted Computing Group (originally TCPA). In Microsoft's vision, Trusted Computing consists of the following technologies:
Process isolation: Running without being altered or interfered with by other programs or the user himself
Sealed storage: Storing data in encrypted form such that no other program can decrypt it
Secure user I/O: Displaying data and receiving input from the user without it being altered or inspected by other software
Remote attestation: Being able to prove to a remote system precisely what local program is running

Let us examine how these properties can improve the prospects for secure internet voting applications.

First, process isolation will address the most serious problem with internet voting today: the tremendous insecurity and vulnerability of most PCs to software attacks. Since a PC used for voting must be connected to the net, it is inherently exposed to these attacks. Current technologies, including firewalls and anti-virus software, can help but are generally inadequate. Process isolation will allow a voting client program to run without being affected by other, malicious software on the machine. The technology sets aside a special memory region which cannot be touched by other software, where the voting program can load its code and store its data. Even if the user's PC is full of viruses, the voting program will still be able to run untouched.

Sealed storage will add security by allowing the user to store his voting credentials and other sensitive data in such a way that they cannot be stolen by infected software on the computer. Because sealed data can only be unsealed by the program that sealed it, this technology could even allow online voter registration (prior to voting) in which the crucial registration information is kept sealed and inaccessible even to the voter himself. This would prevent sharing credentials even with the cooperation of the voter, eliminating one possible form of vote selling.

Secure user I/O will add a crucial element of security for voting. It will prevent malicious software from pretending to be the voter and submitting votes on his behalf by spoofing input, and it will protect privacy by keeping other software from seeing what is displayed on the screen as the voter makes his choices. This latter feature will close off another avenue for vote selling.

Finally, remote attestation is the most important feature for the voting application. It is what allows the central voting server to verify that each user is running a valid copy of the voting client software, that the client is running on a computer with the TC enhancements, and that the client has not been infected, modified or otherwise tampered with. This provides the "root of trust" for the voting system, the foundation for establishing all of the other security features listed above.

Putting these features together, Trusted Computing provides a secure environment on end-user PCs where voting client software can run. It allows secure distribution of the client software, since any modification to it will be detected during the remote attestation phase. It protects the user's privacy and prevents vote alteration, substitution or spoofing. And it greatly reduces the problems with vote selling.

In addition, these features can address another class of problems described in the report: the use of computers belonging to other owners for voting. In many cases people are expected to vote on computers controlled by employers, local governments or other institutions, because they may not have their own systems or internet connections. The report describes problems with this arrangement, including lack of privacy and even vote alteration, since the owner of the computer has complete control over all that happens on it. One of the most controversial features of Trusted Computing attacks exactly this problem, by allowing the owner to (voluntarily!) give up control over some software on his computer.
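To make the measurement, attestation and sealing properties concrete, here is an added example of my own; it is not code from NGSCB, the Trusted Computing Group or the SERVE project. It assumes a single platform configuration register (PCR), an attestation key shared between the chip and the voting server (an HMAC stand-in for the signing key a real TPM would use, so that the example runs on the standard library alone), a hash-derived stream cipher as the sealing primitive, and constructed client images and credentials. The server computes the PCR value it expects for the approved client, challenges the client with a fresh nonce, and accepts a quote only if it was produced by the chip-held key, echoes that nonce, and reports the expected measurement. The registration credential is sealed under the approved client's measurement, so a trojaned client can neither attest nor recover it.

```python
"""Toy model of measured boot, remote attestation and sealed storage.

Added illustration, not code from NGSCB, the TCG or SERVE. One PCR, an HMAC
stand-in for the chip's signing key, a hash-derived stream cipher for sealing,
and constructed sample images and credentials throughout.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class ToyTPM:
    """One PCR, one attestation key, one chip secret that never leaves the chip."""

    def __init__(self, attestation_key: bytes) -> None:
        self._ak = attestation_key                    # shared with the verifier (assumption)
        self._chip_secret = secrets.token_bytes(32)   # binds sealed blobs to this chip
        self.reset()

    def reset(self) -> None:
        """Power-on: the PCR returns to zero and must be rebuilt by measurement."""
        self.pcr = bytes(32)

    def extend(self, measurement: bytes) -> None:
        """PCR <- H(PCR || measurement). Extends cannot be undone or reordered."""
        self.pcr = sha256(self.pcr + measurement)

    def quote(self, nonce: bytes) -> tuple[bytes, bytes]:
        """Remote attestation: authenticate (PCR, nonce) with the chip-held key."""
        body = self.pcr + nonce
        return body, hmac.new(self._ak, body, "sha256").digest()

    def _seal_key(self) -> bytes:
        # The key depends on the chip AND on the software measured so far.
        return sha256(b"seal|" + self._chip_secret + self.pcr)

    @staticmethod
    def _keystream(key: bytes, length: int) -> bytes:
        blocks = (length + 31) // 32
        return b"".join(sha256(key + i.to_bytes(4, "big")) for i in range(blocks))[:length]

    def seal(self, secret: bytes) -> bytes:
        """Encrypt-then-MAC under a key tied to the current PCR value."""
        key = self._seal_key()
        ct = bytes(a ^ b for a, b in zip(secret, self._keystream(key, len(secret))))
        return ct + hmac.new(key, ct, "sha256").digest()

    def unseal(self, blob: bytes) -> bytes | None:
        """Return the secret only if the same software state is measured now."""
        ct, tag = blob[:-32], blob[-32:]
        key = self._seal_key()
        if not hmac.compare_digest(hmac.new(key, ct, "sha256").digest(), tag):
            return None  # PCR differs from sealing time: different software is running
        return bytes(a ^ b for a, b in zip(ct, self._keystream(key, len(ct))))


# --- voting server side -----------------------------------------------------

APPROVED_CLIENT = b"voting-client-1.0 (constructed image bytes)"


def expected_pcr(images: list[bytes]) -> bytes:
    """Reference PCR the server computes for the approved boot sequence."""
    pcr = bytes(32)
    for image in images:
        pcr = sha256(pcr + sha256(image))
    return pcr


def verify_quote(ak: bytes, nonce: bytes, body: bytes, mac: bytes, expected: bytes) -> bool:
    """Accept only a fresh quote from a known chip whose PCR matches the approved client."""
    if not hmac.compare_digest(hmac.new(ak, body, "sha256").digest(), mac):
        return False  # not produced by the chip-held key
    pcr, echoed_nonce = body[:32], body[32:]
    if not hmac.compare_digest(echoed_nonce, nonce):
        return False  # replay of an old quote
    return hmac.compare_digest(pcr, expected)


def voting_session(client_on_disk: bytes, credential: bytes, ak: bytes) -> tuple[bool, bool]:
    """Register with the approved client, reboot, then vote with whatever client is on disk.

    Returns (attestation accepted by the server, credential recovered from sealed storage).
    """
    tpm = ToyTPM(ak)
    tpm.extend(sha256(APPROVED_CLIENT))       # registration run: approved client measured
    blob = tpm.seal(credential)               # credential sealed to that software state

    tpm.reset()                               # reboot: PCR back to zero
    tpm.extend(sha256(client_on_disk))        # whatever client is now loaded gets measured
    nonce = secrets.token_bytes(16)           # server's freshness challenge
    body, mac = tpm.quote(nonce)
    attested = verify_quote(ak, nonce, body, mac, expected_pcr([APPROVED_CLIENT]))
    recovered = tpm.unseal(blob)
    return attested, recovered == credential


if __name__ == "__main__":
    ak = b"\x01" * 32  # constructed attestation key
    print(voting_session(APPROVED_CLIENT, b"voter-credential-42", ak))    # (True, True)
    print(voting_session(b"trojaned-client", b"voter-credential-42", ak))  # (False, False)
```

The two runs at the bottom show the point of the design: the approved client attests and unseals, while a modified client fails both, with no cooperation needed from the (possibly hostile) owner of the machine. An owner override of the kind discussed below would amount to letting the owner write `pcr` directly, after which `verify_quote` could no longer distinguish the two cases.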
The TC features listed above provide protection not just against remote and local software attacks, but also against interference by the owner of the computer himself. Not even the owner can bypass the process isolation, unseal stored data, hack into the I/O paths, or produce a false attestation about the nature of the software that is running. This will protect voters who use computers owned by other parties and eliminate a large class of attacks listed in the report.

Recently, some observers, most notably the Electronic Frontier Foundation, have proposed that the remote attestation feature should be overridable by the owner. He would, in effect, be able to get his TC system to lie about what software is running. While this might seem to improve the system by giving users more control, it actually eliminates some of the most important security features. In this particular case, for example, it would mean that voting users would no longer have any assurance that the system they were using was running legitimate software; the owner could have loaded it up with spyware or worse. The well-meaning attempts by the EFF to soften the security of TC would actually eliminate an important user protection in this and other applications. The bottom line is that there are cases where it is useful to the owner of a system to be able to publicly renounce the ability to control certain software applications. By proposing to take this ability away from him, the EFF is actually diminishing rather than enhancing the user's available choices.

Mostly we have been focusing here on the voting client software, which will be running on a large number of relatively insecure machines located in homes and businesses. However, the same considerations can be used to improve the security of the server software as well.
Even if the net as a whole cannot be made secure, and legacy software remains vulnerable because of the complexity imposed by retaining compatibility with decades-old software, TC will allow new programs to be created and run in a new, clean environment free from interference by other programs. Voting servers can rely on TC technology to protect their applications from a wide class of attacks.

One final comment concerns the problem of Denial of Service (DoS) attacks. Today it is relatively easy for an attacker to take control of hundreds or even thousands of poorly protected PCs on the net. At his command, these systems can send a flood of requests at some server, overwhelming it and preventing legitimate connections from getting through. These DoS attacks have been a nagging problem on the net for the past few years, and the report worries about the implications if such a shutdown attack occurs during a vote. However, it is likely that within a few years DoS-resistant features will be widely installed within the net. One technique used to make DoS more effective is to have the attacking computers lie about their internet addresses when they send out requests, putting a forged source address on each packet. This makes it harder to trace where the attacks come from and shut them down. An effective countermeasure is known, however: internet providers can refuse to forward packets from their customers that carry source addresses outside the customer's own address range, a practice known as ingress filtering. It does not stop a flood sent from the attacking machines' real addresses, but such a flood can be traced and blocked at its sources. These countermeasures are likely to be widespread within a few years, and the problems with DoS attacks correspondingly diminished.

Summing up, if we take a snapshot of the net today, we see it just beginning to awaken to problems of security which have been festering for years but have now escalated to urgent dimensions. Security professionals are experts on the current state of the art, but focusing too narrowly on present conditions produces only nearsighted prescriptions.
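The ingress filtering countermeasure from the denial-of-service discussion above, as an added example of my own rather than code from the page's author or from any router vendor. It assumes a constructed forwarding table with two customer links and an upstream link, constructed interface names, and a constructed traffic sample, and it generalizes the customer-edge check to the reverse-path test a router actually performs: a packet's source address is looked up as if it were a destination, and in strict mode the packet is forwarded only if that route points back out the interface it arrived on. A loose mode is included because strict checking breaks on multi-homed links where the best path back to a source legitimately differs from the arrival link.

```python
"""Source-address ingress filtering (strict and loose reverse-path checks).

Added illustration, not code from any router vendor or from the page's author.
The forwarding table, interface names and packets are constructed sample data.
"""
from __future__ import annotations

import ipaddress

Net = ipaddress.IPv4Network

# Constructed forwarding table for a small access router: prefix -> next-hop interface.
ROUTES: dict[Net, str] = {
    Net("203.0.113.0/24"): "cust-a",
    Net("198.51.100.0/26"): "cust-b",
    Net("0.0.0.0/0"): "upstream",     # default route
}

# Address blocks that must never appear as a source on the public internet.
BOGONS = [Net(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def best_route(addr: ipaddress.IPv4Address) -> tuple[Net, str] | None:
    """Longest-prefix match, exactly as the forwarding engine does for a destination."""
    matches = [(net, iface) for net, iface in ROUTES.items() if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen) if matches else None


def ingress_decision(src: str, ingress_iface: str, mode: str = "strict") -> str:
    """Return 'forward' or 'drop:<reason>' for a packet with this source on this interface.

    strict: the route back to the source must point out the arrival interface
            (the customer-edge rule: only your own addresses may leave your link).
    loose:  any non-default route to the source suffices; the default route does
            not count as knowing the source, so unrouted space is still rejected.
    """
    addr = ipaddress.IPv4Address(src)
    if any(addr in b for b in BOGONS):
        return "drop:bogon-source"
    match = best_route(addr)
    if match is None:
        return "drop:no-route-to-source"
    net, iface = match
    if mode == "strict":
        return "forward" if iface == ingress_iface else "drop:spoofed-source"
    if mode == "loose":
        return "forward" if net.prefixlen > 0 else "drop:unrouted-source"
    raise ValueError(f"unknown mode {mode!r}")


def filter_packets(packets: list[tuple[str, str]], mode: str = "strict") -> list[str]:
    """Apply the check to (source address, arrival interface) pairs."""
    return [ingress_decision(src, iface, mode) for src, iface in packets]


# Constructed traffic sample: one legitimate customer packet, three spoofing
# attempts and one packet arriving from the upstream.
SAMPLE = [
    ("203.0.113.17", "cust-a"),   # customer A using its own address
    ("198.51.100.9", "cust-a"),   # customer A pretending to be customer B
    ("192.0.2.1", "cust-a"),      # customer A pretending to be a remote host
    ("10.1.2.3", "cust-b"),       # RFC 1918 source: never valid on the internet
    ("192.0.2.1", "upstream"),    # remote host arriving from the upstream, normal
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, filter_packets(SAMPLE)):
        print(pkt, "->", verdict)
```

Run on the sample, the three forged packets are dropped and the two honest ones forwarded. The strict check is what a provider applies on customer links; on the upstream link, where a packet from 203.0.113.17 could legitimately arrive via another provider, strict mode would drop it while loose mode forwards it, which is why the mode is chosen per interface.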
Looking ahead a few years to security enhancements which are already being worked on and implemented, the situation changes drastically. I can see no reason why internet voting will be fundamentally unsafe or undesirable once these new security features are widely available. While internet voting is not something we should rush into, neither should we close our eyes to the inevitability of society continuing to exploit the tremendous information capabilities of the net in new and challenging ways. The security pendulum is swinging, and in a few years the problems which seem so overwhelming today will have solutions that make them tractable and manageable.

Trusted Computing is an important part of the security equation of the future. Any analysis of a security application which fails to consider the impact of TC will be inherently incomplete and soon obsolete. I encourage security professionals to familiarize themselves with Trusted Computing technology and to use this new toolkit as an integral part of their analyses.