A few years ago, the District of Columbia adopted one of the most voter-empowering elections codes in the country.
Among the legal processes the new law established was a requirement that all ballots be "voter-verifiable." The voter must have a chance to ensure that the ballot that will be counted as her official vote is marked as she intended. Ignoring this commonsense requirement, the DC Board of Elections and Ethics decided to try internet voting for overseas voters, denying those voters a chance to verify their ballots as required by law, but speeding up the process. They promised that the voting would be secure.
Last week, DC decided to open up their new program to public scrutiny. And, thanks to a few computer scientists from the Univ. of Michigan, the security failures of online voting became too obvious to ignore.
Here was the initial report from Mike DeBonis of the Washington Post:
Last week, the D.C. Board of Elections and Ethics opened a new Internet-based voting system for a weeklong test period, inviting computer experts from all corners to prod its vulnerabilities in the spirit of "give it your best shot." Well, the hackers gave it their best shot -- and midday Friday, the trial period was suspended, with the board citing "usability issues brought to our attention."
Here's one of those issues: After casting a vote, according to test observers, the Web site played "Hail to The Victors" -- the University of Michigan fight song.
"The integrity of the system had been violated," said Paul Stenbjorn, the board's chief technology officer.
Today, however, we learned the situation was far, far worse than originally disclosed, when the University of Michigan professor behind the hack testified as to just what...and who...his team discovered:
[Professor J. Alex] Halderman revealed more at the hearing this morning, including that his team was able to take control of routers and switches in the voting system. That gave them access to, among other things, security cameras in a BOEE server room. (After his testimony, Halderman showed reporters live video from the room, streaming to his iPhone.)
...
Halderman also reported that while he and his students had control of the system, they witnessed hackers from China and Iran prodding those routers and switches. They chose to modify a firewall and change the password to keep the would-be infiltrators out.
Halderman also revealed a more serious security breach: A document containing names and addresses of the more than 900 voters eligible for the Internet voting trial was left on the test server, he testified, along with crucial ID numbers that would have allowed hackers to request and complete ballots.
"This was the biggest shock we've had in a very long time," Halderman said after testifying. "I didn't believe what I was looking at. ... It's sort of the crown jewels of the security for the real election."
Just to recap: the online voting systems were unsecure, the DCBOEE left incredibly sensitive voter information on the server, Chinese and Iranian hackers managed to infiltrate the system (and were only stopped by other infiltrators), and the whole idea violates DC law anyway.
So what was the DCBOEE's response?
...The lesson learned is not to be more timid, but more aggressive about solving the problem in exactly the way that we have chosen. Our task is to continue pursuing a robust, secure digital means for overseas voters to cast their ballot rather than resorting to e-mail or fax.
...
The computer science community needs to understand that this toothpaste is already out of the tube and no volume of warnings can put it back. Voters are currently casting ballots by e-mail and fax. We need to work together to find a better alternative.
As John Cole would say, Hoocoodanode?