Alarm over e-mail bal­lots

Hack­ers could ex­ploit vul­ner­a­bil­i­ties

The Washington Post Sunday - - METRO - BY AARON C. DAVIS

A con­tro­ver­sial change in Mary­land Gov. Martin O’Mal­ley’s oth­er­wise pop­u­lar bill to ex­pand early vot­ing could lead to voter fraud and ex­pose the state’s elec­tions to cy­ber­se­cu­rity threats, ac­cord­ing to a vot­ing group and elec­tion tech­nol­ogy ex­perts.

The pro­vi­sion, sought for more than a year by Mary­land’s State Board of Elec­tions, would al­low any Mary­lan­der to re­ceive a pass­word by e-mail to down­load and mark a bal­lot at home be­fore mail­ing it back to elec­tions of­fi­cials. But the prob­lem, crit­ics warn, is that the e-mail sys­tem lacks ba­sic pro­tec­tions and there would be no sig­na­ture ver­i­fi­ca­tion or other means to en­sure that the per­son for whom the bal­lot is in­tended is ac­tu­ally the per­son who casts it.

Ex­perts have also warned that the pro­posed on­line bal­lot de­liv­ery sys­tem could be hacked on a mas­sive scale be­cause of a sec­ond and re­lated vul­ner­a­bil­ity that still ex­ists with the state’s new on­line voter reg­is­tra­tion sys­tem.

Mary­land res­i­dents can reg­is­ter to vote on­line with a driver’s li­cense num­ber. But in Mary­land, that num­ber is a for­mula of a res­i­dent’s name and birth date that can be found on­line.

Re­becca Wil­son, co-di­rec­tor of the non­profit SAVE Our Votes, tes­ti­fied be­fore state law­mak­ers Thurs­day that any hacker who pays $125 for Mary­land’s pub­licly avail­able data­base of voter records and who is adept at scour­ing Face­book or other so­cial me­dia sites for birthdays could eas­ily as­sume vot­ers’ iden­ti­ties and com­pro­mise a state elec­tion.

“By tak­ing the voter his­tory file, it’s pretty easy to see who votes and who doesn’t. A hacker could tar­get those who don’t vote and re­quest ab­sen­tee bal­lots on the be­half of tens of thou­sands, and there would be no way for the State Board of Elec­tions to de­ter­mine that,” said Wil­son, a chief elec­tions judge in Prince Ge­orge’s County.

Asked by law­mak­ers about such a sce­nario, Ross K. Gold­stein, deputy ad­min­is­tra­tor of the elec­tions board, ac­knowl­edged an on­go­ing vul­ner­a­bil­ity in the state’s new on­line voter reg­is­tra­tion sys­tem be­cause of its re­liance on driver’s li­cense num-


But he said the board was mon­i­tor­ing the sys­tem for sus­pi­cious be­hav­ior and in coming months would be­gin re­quir­ing reg­is­trants to an­swer ad­di­tional ques­tions with per­sonal in­for­ma­tion to con­firm their iden­ti­ties be­fore cre­at­ing or al­ter­ing a voter reg­is­tra­tion file.

Gold­stein dis­missed Wil­son’s broader com­plaint about the move to­ward on­line bal­lot mark­ing, sug­gest­ing that she and other crit­ics want the state to re­turn to pa­per-only bal­lot­ing.

“I be­lieve tech­nol­ogy can solve prob­lems, and there are steps that we def­i­nitely can, and plan to, take to mit­i­gate the risks,” he said.

But Wil­son warned that the state’s pro­posed sys­tem could ex­pose vot­ers’ bal­lot pref­er­ences to on­line in­trud­ers.

In Mary­land, any res­i­dent can choose to vote­ab­sen­tee, and those who choose to re­ceive a bal­lot over the In­ter­net would have the op­tion of mark­ing their pref­er­ences elec­tron­i­cally on their com­puter or print­ing out the bal­lot and mark­ing their se­lec­tions by hand.

Se­lec­tions that vot­ers make on­line would be em­bed­ded in a bar code that would ap­pear once the voter prints the bal­lot. Whether marked by hand or on­line, the bal­lot would still have to be re­turned by mail. But Wil­son warned that on­line snoop­ing soft­ware, such as that used to mon­i­tor em­ploy­ees at the U.S. Food and Drug Ad­min­is­tra­tion, could sur­rep­ti­tiously cap­ture a voter’s se­lec­tions.

Wil­son and other lo­cal elec­tions of­fi­cials also warned of un­told new costs and po­ten­tial de­lays in count­ing the new bal­lots, be­cause elec­tion work­ers would still have to re­print each bal­lot on a type of pa­per that can be read by elec­tronic vote coun­ters. Each bal­lot would also have be ver­i­fied by hand for se­cu­rity rea­sons.

Gold­stein noted that the sys­tem is be­ing used suc­cess­fully to

“How we han­dle this cy­ber stuff right now is hard to leg­is­late. We would like to see it a lit­tle tighter.”

Del. Sheila E. Hix­son (D-Mont­gomery), who said she sup­ports the bill to ex­pand early vot­ing but is con­cerned about the on­line por­tion

de­liver bal­lots on­line to Mary­land’s small per­cent­age of mil­i­tary on ac­tive de­ploy­ment and vot­ers overseas.

The Na­tional Fed­er­a­tion of the Blind, United Se­niors of Mary­land and the Mary­land Dis­abil­ity Law Cen­ter were among sev­eral groups tes­ti­fy­ing force­fully in sup­port of the on­line sys­tem.

“It is im­per­a­tive that the leg­is­la­ture mod­ify the ab­sen­tee bal­lot process so that it can truly be ac­cessed and uti­lized by all Mary­land vot­ers,” said Alyssa R. Fieo, the law cen­ter’s le­gal ad­vo­cacy di­rec­tor. By vot­ing at home, she said, on­line bal­lot­ing will al­low those with dis­abil­i­ties “to vote pri­vately and in­de­pen­dently and in the man­ner in which they have cho­sen.”

How­ever, Del. Don Dwyer (RAnne Arun­del) ques­tioned how, with­out sig­na­ture ver­i­fi­ca­tion or other means, the state could be so sure that a bal­lot was not filled out by a rel­a­tive or some­one else. Un­like some states that have gone en­tirely to mail-in bal­lot- ing, Mary­land does not ver­ify sig­na­tures on any ab­sen­tee bal­lots. In Novem­ber, 5 per­cent of vot­ers cast ab­sen­tee bal­lots; 16 per­cent voted early at polling places.

The bulk of the bill by O’Mal­ley (D) is aimed at elim­i­nat­ing long lines that have plagued vot­ers in the two statewide elec­tions since Mary­land be­gan early vot­ing.

His bill would in­crease the num­ber of days for early vot­ing, the num­ber of early vot­ing sites and for the first time, al­low res­i­dents to reg­is­ter on the same day they cast a bal­lot.

House Ways and Means Chair­woman Sheila E. Hix­son (DMont­gomery) said she was in strong sup­port of the bill but con­cerned about the on­line por­tion.

“How we han­dle this cy­ber stuff right now is hard to leg­is­late,” she said. “We would like to see it a lit­tle tighter.”

Last fall, Alex Halderman, David Jef­fer­son and Bar­bara Si­mons, re­searchers at the Univer­sity of Michi­gan and the Lawrence Liver­more Na­tional Lab­o­ra­tory and a former pres­i­dent of the As­so­ci­a­tion for Com­put­ing Ma­chin­ery, re­spec­tively, wrote to Mary­land elec­tions of­fi­cials urg­ing them to take im­me­di­ate steps to bet­ter pro­tect the state’s on­line voter reg­is­tra­tion sys­tem.

The three sent a fol­low-up let­ter Wed­nes­day, say­ing they were con­cerned that Mary­land’s sys­tem re­mained “up and run­ning and open to large-scale, au­to­mated reg­is­tra­tion fraud.”

“Mary­land’s elec­tions would be even more at risk if this vul­ner­a­ble voter reg­is­tra­tion sys­tem were cou­pled with on-line de­liv­ery of bal­lots,” they wrote, “es­pe­cially since Mary­land does not com­pare ab­sen­tee bal­lot sig­na­tures to the sig­na­tures of record.”

Newspapers in English

Newspapers from USA

© PressReader. All rights reserved.