Thursday, 26 March 2015

Response to Mr Jefferson's comments on my blog via Linkedin


Thank you Mr Jefferson for your comments.

As I said, I was in two minds about the timing of Ms Teague’s and Mr Halderman’s report.

I am not a person who advocates for 100% internet voting in parliamentary elections, but I do advocate for it to be implemented for use by those who would otherwise not be able to cast a secret or independent vote, or not be able to cast a vote at all due to the remoteness of their location.

However I do believe that in time internet voting will be demanded by our technology savvy youth and I also believe at that point in time internet voting will be developed to a level where the security, transparency and independent scrutiny will be agreeable to all.

In the meantime, healthy dialogue such as this is an important part of the tensions that are needed to reach a suitable and safe outcome as it provides the ongoing pressure for providers, academics, critics and electoral administrators to continuously improve the processes.

Indeed I am sure that the NSW state election shall give all of the above cause to think about their future implementations.

However, I am still of the view that the timing and wide circulation of Ms Teague’s and Mr Halderman’s report was poor form and lacked judgement.

Following my blog, I was subsequently amazed to find from the NSWEC press release that where I had assumed that Teague and Halderman would have advised the NSWEC of their findings, incredibly, they had not.  Instead they had advised CERT Australia and local media outlets.  It seems that the release of the report was also timed for a series of seminars that Teague and Halderman were presenting.   So this is why I sense that perhaps although Teague and Halderman may be working for altruistic purposes, a path of greater integrity and in the greater public interest, would have been to advise the NSWEC directly so that together they could apply the solution and discuss a way forward that would not have caused so much anxiousness in the cohort of voters as described above.

As for the seriousness of the potential vulnerability: as I understand it, not one voter has reported that their vote has been recorded wrongly through the verification process.

To address the vulnerability issue: Teague and Halderman say it is due to the FREAK flaw via Piwik.

In order to exploit this flaw:-

1. The attacker has to be able to intercept the traffic.

2. The SSL could be downgraded via FREAK attack, but would still need to be broken.

3. The client’s browser would also have to be vulnerable.

4. The encryption would then have to be broken and each vote changed.

This third point is most important. 

Because the FREAK attack was identified in March 2015, most browsers have been patched or are at different patch levels. You can test if your browser is vulnerable to FREAK by using this tool: FREAK Client Test Tool. I doubt very much if there would be many browsers left unpatched.

Most importantly this type of attack is on the client and not the iVote server.

Your argument Mr Jefferson is "..It allows the attacker to poison the NSWEC server with malicious Javascript that is in turn served to every voter thereafter.. "

Your argument is simply wrong.

I am advised that FREAK vulnerabilities in pen testing are regarded as low risk. I now quote from https://www.entrust.com/is-your-ssl-server-vulnerable-to-a-freak-attack/

….How bad is the FREAK vulnerability? Ivan Ristić states the following, “In practice, I don’t think this is a terribly big issue, but only because you have to have many “ducks in a row”: 1) find a vulnerable server that offers export cipher suites; 2) it should reuse a key for a long time; 3) break key; 4) find vulnerable client; 5) attack via MITM (easy to do on a local network or wifi; not so easy otherwise).” …..
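The first condition in the quote above, a server that offers export cipher suites, is something an operator can check from their own traffic. The following is an added example, not part of the original post or of any iVote code: it parses the ServerHello of a captured TLS handshake and flags any host that agreed to an RSA export-grade suite. It assumes the ServerHello fits in a single TLS record; the host names and byte strings are constructed placeholders.

```python
# RSA export-grade suites (IANA TLS cipher suite code points).
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}


def selected_suite(record: bytes) -> int:
    """Return the cipher suite code point chosen in a TLS ServerHello record."""
    # Record header: type(1) version(2) length(2); handshake: type(1) length(3).
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a ServerHello handshake record")
    hs_len = int.from_bytes(record[6:9], "big")
    hello = record[9:9 + hs_len]
    # Body: version(2) random(32) session_id_len(1) session_id suite(2) compression(1).
    if len(hello) != hs_len or hs_len < 38:
        raise ValueError("truncated ServerHello")
    off = 35 + hello[34]  # skip the variable-length session id
    if hs_len < off + 3:
        raise ValueError("truncated ServerHello")
    return int.from_bytes(hello[off:off + 2], "big")


def audit(records: dict) -> dict:
    """Map each host whose ServerHello selected an RSA export suite to its name."""
    findings = {}
    for host, record in records.items():
        suite = selected_suite(record)
        if suite in RSA_EXPORT_SUITES:
            findings[host] = RSA_EXPORT_SUITES[suite]
    return findings


def build_server_hello(suite: int) -> bytes:
    """Build a minimal constructed ServerHello (zero random, empty session id)."""
    hello = b"\x03\x01" + bytes(32) + b"\x00" + suite.to_bytes(2, "big") + b"\x00"
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


# Constructed sample captures; the host names are placeholders.
SAMPLE = {
    "vote.example": build_server_hello(0x002F),       # TLS_RSA_WITH_AES_128_CBC_SHA
    "analytics.example": build_server_hello(0x0003),  # export-grade
}
```

Any host returned by `audit` should have its export suites disabled in the server's TLS configuration.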

I am not a rabid supporter of electronic voting, nor am I a rabid naysayer of electronic voting.  I believe electronic voting has its place in the current electoral climate.

A few years ago I conducted a 3-day electronic voting workshop which brought together academics from Australia and the UK and electoral administrators from Australia and New Zealand. One of the goals of the workshop was to give each of these groups a greater understanding of each other’s needs. Networks were formed and a greater appreciation of each other’s roles was understood. Ms Teague attended this workshop. So I am disappointed that in light of her awareness as to the processes of elections, their conduct and review that she has chosen to go public with a low risk vulnerability before contacting the electoral administrators – at the very least, to show a professional courtesy.

Monday, 23 March 2015

When Is It Ok To Undermine A Parliamentary Election?


 

After 25 years working in electoral administration with a large part of that focusing on and delivering electronic voting, I am in two minds about the latest press release from Vanessa Teague pointing out a “system hack that would be difficult to perform” with regard to the NSW Electoral Commission’s iVote internet and phone electronic voting system.

The first principle of electoral administration is that processes should be open and transparent.  Our paper systems in Australia are very open and transparent.  They are conducted in a public place, the counting in the polling place is observed by scrutineers and subsequent rechecks are all open to observation.   Even postal voting has strict guidelines so that during scrutiny the identity of the voter is not revealed. 

Electronic voting has many people who are for and against it.  However the benefits to different sections of the community in a compulsory voting environment are a driving force to its implementation.

In particular, electronic voting benefits voters with a disability who would not otherwise be able to cast their vote secretly or independently.  Electoral administrators are quite rightly being forced to provide for this cohort from the pressure of representative peak bodies and sometimes from litigation.

Many of the electoral commissions in Australia have trialled or fully implemented a form of electronic voting, but mostly these have been in kiosk format. The Australian Electoral Commission did trial a remote voting system for selected areas of our overseas defence force in 2007 (AEC), but even this was not a full internet version as it was conducted on the defence restricted network, giving an extra layer of protection to the outside world of hackers.

So in Australia the NSW Electoral Commission was the first to implement internet and telephone voting in the public domain in 2011 in a general parliamentary election. It was also used successfully in all subsequent by-elections.    At this point I should declare that I was one of the project team in the 2011 implementation and also in the 2007 AEC federal implementation.

As an electoral administrator we are very accountable.  We are required to implement the electoral legislation, ensure the franchise of every voter and provide integrity to all processes.  Following each election there is always a review of our practices by a parliamentary “electoral matters committee”.   These committees are where all matters are reviewed.   Voters, peer groups, pressure groups, political parties, and academics can all make submissions as to how to improve the electoral process.   It is why the Australian systems are often seen as the best in the world.   Vanessa Teague has made many representations to these parliamentary committees regarding her wariness of internet and sometimes kiosk electronic voting, so she is aware of how elections in Australia are formally reviewed.

When reading arguments against electronic voting, it is usually along the lines that instead of one paper vote being tampered with, or one ballot box being stuffed, that instead a whole database of votes can be changed. But it appears that this is not the hack that Ms Teague found in the NSW system. Her quote is…..

"The analogy would be pulling someone's postal vote envelope out of the post, pulling out their vote and finding out how they intended to vote and then putting a different ballot in instead," Ms Teague said.

So this finding was not a flaw that could change a whole database of votes. 

The Chief Information Officer of NSWEC Mr Ian Brightwell said……

“It’s easy enough to [test the attack] if you sit in a local area network and direct yourself to an internal proxy, but in practical terms to intercept the traffic en masse you’d have to somehow sit in between that particular server and the client’s voting,” he said.

So in this case you would have to actually sit in between the server and the client “when they are voting” to be able to hack their vote.

Ms Teague’s press release also says that they alerted the NSWEC when they found the flaw and waited until it was fixed before publicly talking about it.

So this is where I am in two minds.  As an electoral administrator I need to know if there is an issue in the conduct of my election in order to keep the integrity of the election.  

I am sure that the NSWEC were grateful for the information from Ms Teague.

But to then go public and undermine the confidence of the whole electronic voting system, and potentially the outcome of the election seems to me to be an unnecessary act when Ms Teague could have presented this information in the fullness of time to the NSW electoral matters parliamentary committee as she has often done previously.

Electronic voting is a method of voting that is necessary at this point in time for our special needs groups, but in time it will be more necessary in a paper frugal society, and indeed it will be demanded by our mobile device equipped population. 

The tensions brought about by the people who are for and against electronic voting are good and healthy and will allow for greater security and robustness of future electronic voting systems. However we must reflect on the timing of the release of our arguments inside an active election period.