Globeandmail.com
Oct. 27, 2014
By Adrian Morrow
It took just one typo in one line of code to elect a malevolent computer program mayor of Washington, D.C.
In the fall of 2010, the District staged a mock election to test out a new online voting system, and invited hackers to check its security. A team from the University of Michigan took them up on the offer. They quickly found a flaw in the code and broke in.
They changed every vote. Master Control Program, the self-aware software that attempts to take over the world in the film Tron, was a runaway write-in candidate for mayor. Skynet, the system that runs a robot army in the Terminator franchise, was elected to Congress. And Bender, the hard-drinking android in the cartoon Futurama, became a member of the school board.
Incredibly, it took D.C. officials two days to realize they had been hacked.
The use of Internet voting is exploding. Nearly 100 Ontario municipalities are using it in Monday’s election - including one that will even ditch paper ballots entirely. Proponents contend it is not only more convenient, but more equitable, giving people who cannot get to physical polling stations the same opportunity to vote as everyone else.
But the expansion of e-voting has also caused consternation for some security researchers and municipal officials.
They worry that entrusting this pillar of democracy to computers is too great a risk, given the potential for software problems - or hackers determined to put beer-swilling robots on the school board.
To those who run e-voting systems, the rise of the machines is all but inevitable.
“It’s getting easier and easier for people to get online and the natural extension is: What are all the things we can do?” said Dean Smith, founder of Halifax’s Intelivote Systems. “Security issues notwithstanding, people are demanding more. You could have security stories come out every day and people would still rely on and trust technology.”
His company is part of a growing cottage industry. Founded in 2003, it ran eight contests in its first round of Ontario municipal elections. Now, it is running 48. Toronto’s Dominion Voting, started in 2002, also supplies electronic vote tabulators for paper ballots, and handles between 1,000 and 1,500 elections every year.
Barcelona-based Scytl, which entered the Canadian market in 2011, will run 22 Ontario municipal elections. Nebraska-based Election Systems and Software also has branch offices in Ontario and British Columbia.
One early adopter was Markham, a suburb of 300,000 that sprawls north of Toronto, which embraced online voting in 2003.
“It has been a very positive step towards helping voters with disabilities actually cast a ballot independently,” city clerk Kimberley Kitteringham said. “And it’s greener: We’re not asking people to get into cars and drive to a voting place.”
To keep security tight, the city hires a third-party IT firm to check the system’s code before each election and report vulnerabilities to the city.
As a last line of defence, Markham only offers online voting during the advance voting period. If ever the system broke down, they could mitigate the damage by shutting and redirecting people to physical polls.
Ajax, another Toronto-area municipality, is not building in such a safety net.
In this vote, the town is going all-electronic. Electors can vote via computer or smartphone, or by telephone. They can also attend polling stations and vote on a laptop connected to the voting website. The security includes a PIN mailed to voters, a CAPTCHA challenge (which requires users to type out the letters shown in an image) and an outside IT expert monitoring the system. The town has never used online voting before, but is confident enough in its proliferation elsewhere to jump into the deep end.
“It’s been used dozens and dozens of times successfully in other municipalities,” said Nicole Wellsbury, the town’s manager of legislative services. “It seems extremely unlikely to me this system could be hacked.”
Other jurisdictions are more wary.
Edmonton tested an e-voting system in 2012 with a mock election. But after some voters successfully registered to vote multiple times, city council got cold feet.
“If you actually open the door for hacking or security concerns or potential fraud, then you defeat the whole purpose of democracy,” then-councillor Kim Krushell told CBC. Other councillors countered that, during a real election, the security would be tighter. In the end, the city scrapped the system.
Ahead of Halifax’s 2012 election, security researcher Kevin McArthur scanned its Internet voting system for vulnerabilities. He said he uncovered security gaps that would allow a hacker to change votes without it showing on the system logs, by intercepting data between users’ computers and the server.
He took his concerns to the Cyber Incident Response Centre at Public Safety Canada. They were worried enough to warn both the Halifax government and the software provider, Scytl.
A Halifax spokeswoman confirmed the city looked into the potential problems, but she would not say what it did to fix them. In a statement, Scytl said the company “addressed the problems in written correspondence to CCIRC, by outlining the security capabilities of our existing technology.” It added it has safety measures in place to deal with the types of vulnerabilities Mr. McArthur says he found. Public Safety Canada would not say if it was satisfied with the response.
Despite these concerns, those who run e-voting are adamant about its security.
“If you break into a system - which has never been done - it would trigger an alarm with an elected official,” said Dominion Voting CEO John Poulos. “Even if it was possible, there would be a full trace on it.”
Such categorical statements make critics bristle.
They contend that, for all the safeguards companies and governments have in place, they cannot possibly cover every contingency. Mr. McArthur points to stories of governments hacking each others’ intelligence networks: If spy agencies can’t solve such problems, what hope do local governments have? “Frankly, for a municipality or province to think they can take on these threats, well, it’s just the height of arrogance,” he said.
The Michigan geeks who hacked D.C.’s system reached a similar conclusion.
“It may some day be possible to build a secure method for submitting ballots over the Internet, but in the meantime, such systems should be presumed to be vulnerable based on the limitations of today’s security technology,” wrote J. Alex Halderman, the professor who led the hacking team, on his blog.
He also argued it is possible to break into a system without election staff knowing it - raising the troubling possibility hackers have infiltrated online voting systems before but were simply never detected.
Take the D.C. case. The intrusion by Prof. Halderman’s team was so stealthy, officials did not discover it by monitoring the servers. They only realized something was amiss because the hackers deliberately left a calling card: They programmed the university’s fight song to play whenever someone cast a ballot.
And the programming flaw that allowed such a total hack of the D.C. system?
It was a mistake so infinitesimal, even an eagle-eyed coder could have missed it. A programmer was supposed to put double quotation marks in one line of code, but typed single ones instead.