paul-almond.com
How to Rig an Internet Election

By Paul Almond, 4 May 2006

Introduction

There is much discussion about using modern communications technology, the Internet in particular, in the electoral process. People could use the Internet to vote at home on their personal computers without having to go out to vote in the traditional way. Security will be a big concern with such an idea. For such a process to be viable it would be essential that people could not compromise it to the advantage or disadvantage of any particular political party or candidate.

This article will describe a weakness in the security of Internet voting processes. Although an electoral process may be well defended against direct electoral attacks it will be much harder to defend it against indirect electoral attacks.

I will explain what I mean by direct and indirect attacks and how an indirect attack could be made: I will be showing how to rig an Internet election.

Direct Electoral Attacks

The concepts of direct and indirect electoral attacks are going to be used in this article in the context of computer based attacks on an electoral process on the Internet, but the terms are more general than this and can be applied to attacks on any electoral process - high technology or otherwise.

Direct attacks are focused narrowly on the electoral process itself. They are in direct opposition to the security that has been built into the electoral process. In a conventional voting system, examples of direct attacks are:

  • interfering with the contents of ballot boxes.
  • bribing officials to count votes wrongly.
  • bribing officials to reject votes as invalid when they should be valid.
  • stealing or forging people's voting cards, or some other identification required to vote, and placing votes on their behalf without their knowledge.
  • arranging for people who are likely to vote the "wrong" way to be missed off the electoral register so that they are unable to vote.
  • arranging for non-existent or dead people to be made eligible to vote and voting on their behalf.

When people can vote on the Internet a direct attack on this part of the electoral process would directly confront the security measures built into the electoral process as hardware or software.

Examples of direct electoral attacks on an Internet voting process are:

  • stealing a password or some other information needed by a person to vote on his/her own computer.
  • compromising special voting software that a person has on his/her computer to change his/her vote without his/her knowledge.
  • hacking into the central computers to change the election results.
  • duplicating some physical device needed by people to vote from their own homes.
  • sending people to a fake website where they think they are voting, but in fact are not. This sort of attack would turn the usual "spoofing" attack on its head.

The central computing systems used by a government to manage such a process are likely to be quite secure. This suggests the obvious strategy of attacking the personal computers used by people to vote in their own homes. Similar sorts of attacks are already made in other contexts; for example, many Internet users are familiar with "phishing" e-mails which attempt to steal their eBay or PayPal details. Keyloggers are also used on the Internet. These are programs covertly placed on a computer to extract such information as passwords. Advocates of cyber democracy have good arguments that such direct electoral attacks can be prevented, but more consideration needs to be given to the idea of indirect electoral attacks, which I will now discuss.

Indirect Electoral Attacks

An indirect electoral attack would not focus narrowly on the electoral process itself. It would rely on altering the general environment in which people make their votes somehow, so as to make it more difficult for certain people to vote, those people being ones who are expected to vote undesirably.

Such an indirect electoral attack, although possibly less effective than a successful direct electoral attack, should be easier to do because, as it avoids focusing directly on the electoral process, it avoids direct confrontation with the security built into the electoral process and avoids having to overcome it.

The idea of an indirect attack is not limited to elections on the Internet. Examples of indirect electoral attacks are:

  • threatening people who are likely to vote the "wrong" way and telling them to stay at home instead of coming out to vote.
  • killing or injuring people who are likely to vote the "wrong" way to prevent them from voting.
  • sabotaging a public transport system on the day of an election if its users tend to be people who will vote against you; for example, if a public transport system is used mainly by poor people while rich people own cars and poor people are likely to vote against you.

In an Internet election an indirect electoral attack would involve computer software that makes it hard for some people to vote. People would be targeted based on information about their political preferences that could be obtained and assessed by a computer program and the obstruction to them voting would also be caused by a computer program - an obvious way of doing this being to deny them the use of the computing system needed to access the Internet and vote.

How to Rig An Election

Let us presume that an election is being held and voters are able to place their votes on the Internet. We do not need to know the technical details of the voting process. Maybe voters have to use a special registration package which is sent to them through the post. Maybe some kind of biometric recognition is used, if technology like this becomes more common in households. Maybe a voter's conventional documents, such as a driving licence, play some part in a registration process. Maybe a special program has to be downloaded to allow a person to vote in various elections. None of this matters with my indirect electoral attack. It may seem strange to be uninterested in the electoral process which we wish to compromise, but that is the whole point and strength of an indirect electoral attack: we are not confronting the electoral process's security directly and none of these details will matter - which also means that none of the specific security measures of such a process will work against the indirect electoral attack.

Step 1: Define the Target

The first step is to define the sort of person that we do not want voting in this election, in terms of his/her voting decisions. This is the target. Most indirect attacks will probably be intended to be to the advantage of a particular political party and so the target will be someone who is going to vote for a different party.

To make this simple: the target is the kind of person who, if this were a conventional election, we might wish to have an "accident" on his/her way to vote. That is pretty much what we are going to do - or at least its cyber equivalent.

Step 2: Profile the Target

Next, we build a profile of the target. We want to know the characteristics of the sort of person whom we want to obstruct from voting.

We need to get characteristics that would allow us to determine if a person has them by looking on his/her computer. The characteristics should also be ones that we can express in a formal way so that we can use an algorithm to automatically decide whether or not someone has them.

Step 3: Make an Algorithm to Identify the Target

We now need to make an algorithm that can determine whether or not a particular person is a target by looking on his/her computer and determining if he/she fits the profile made in the previous step.

A lot can be found out about someone's political views (and therefore likely voting tendencies) by looking on his/her computer. For example:

  • Some newspapers are favoured by people with particular political views. Many newspapers have websites. Has the person been visiting the website of a newspaper whose readership we do not want to vote? We can find out by looking at the history of visited websites on the person's computer.
  • Has the person been visiting any other websites that would tend to be visited by targets?
  • Does the person subscribe to any Internet newsgroups (Usenet groups) that would tend to be read by targets?
  • Has the person been using online bookshops to buy books that would tend to be bought by targets?
  • Has the person sent any emails, or made any newsgroup postings expressing particular negative views of political parties, politicians or policies that would qualify the person as a target? We do not need full scale artificial intelligence to do this. We could simply look for certain keywords occurring in the same sentence, such as the names of particular politicians and various insulting words.
  • Can we find out how much money the person has? Is he/she using some money management program, such as Microsoft Money, which stores his/her account balances? Is it possible to monitor the person's access to online bank accounts? How does money affect the likely voting situation? Are people who will vote undesirably likely to be rich or poor?

This is just a sample of what a computer program could do, on a person's computer, to allow it to make a good guess about his/her political allegiance and how he/she is going to vote. A Bayesian approach could be used for analysing this information.

All of this has one purpose: we want a program that, when run on someone's computer, decides if that person fits the profile of a target - that is to say if we should try to stop that person from voting.

Step 4: Build the Identification Algorithm into a Computer Virus

We now take the target identification algorithm developed in the last step and build it into a computer virus which will propagate itself on the Internet in the way that other computer viruses propagate themselves.

The idea is to get the program onto a lot of people's computers by viral infection.

When the virus is on someone's computer it will determine whether or not that person fits the target profile. If the answer is "yes" then, on or near the date of the election, the virus will perform an indirect attack to obstruct that person from voting on the Internet. This could involve seriously damaging the computer to make it unusable for anything - for example, by wiping its operating system - or it could just be some temporary obstruction that makes the computer unusable for a short time.

After the virus has finished its task it would be ideal if it erased itself, though there will probably be some situations in which this does not work.

It should be noted that a computer virus which has selected a person as a "target" could make a direct electoral attack - such as trying to vote on their behalf. This could also be a serious threat. This article, however, is concerned with indirect electoral attacks.

Step 5: Release the Virus

The final stage is to release the virus before the election. The virus will propagate throughout the Internet, from computer to computer. Every time it gets on someone's computer it will seek to use that computer to infect many other computers. It will also examine the information stored on the computer for evidence of a person's likely voting intention to determine if the computer's user is a "target" - someone whose vote is not wanted - using its identification algorithm. If it identifies the person as a target then it obstructs the person from voting on the internet by making the computer unusable.

The Result

On the day of the election lots of people with particular political views find their computers unusable and so do not place their Internet vote.

Objections

Objection 1: Damaging someone's computer won't stop them voting in an Internet election. They will just go and use another computer - for example, at a friend's house or at a library. Any Internet election in the foreseeable future is also likely to allow people to vote in the conventional way and if they do not have access to a computer they could simply go out to vote.

Answer

Some people would certainly vote, even if they had to use someone else's computer, but if you obstruct enough people from doing something then, even if there are other ways of doing it, some of them will not do it. Some people will not vote because of the extra inconvenience. Some will lack the time to make other arrangements. If one of the alternatives to Internet voting is to go out to vote conventionally then this is only possible if people have not had to commit to Internet voting previously.

The mere fact that interference like this will stop some people voting makes it a serious matter. Saying that it is not is like saying that having people stood outside a polling station to beat people up on the way in is not a problem because some people will manage to fight their way through to vote.

Objection 2: A program cannot reliably determine how someone is going to vote by looking at their computer. Any virus which did this would cause some "collateral damage": it would stop some of your own supporters from voting.

Answer

The sort of action described in this article would be viewed conventionally as unethical. A person willing to do this is unlikely to care about "collateral damage" on ethical grounds. All that will matter is numbers.

If there are only two parties that can be taken seriously and you can stop 10,000 people from voting for your opponents while accidentally stopping 5,000 of your own supporters from voting then this would seem to be a good result and the voting rights of 5,000 of your own supporters are expendable.

While collateral damage is unlikely to cause problems ethically you would have to be careful about its practical implications. Two obvious issues would need to be considered:

Firstly, you should obviously make sure that the profiling is not going to cause more collateral damage to you than it does to your enemies: a virus that cost your opponents 1,000 votes and cost you 2,000 votes would not be helpful.

Secondly, you may need to be careful that the profiling method is not going to damage some of your opponents and do collateral damage to you while giving other opponents an advantage. As an example, you may cause Party A to lose 1,000 votes and your own party to lose 500 votes. This may seem a good result, because you have a net gain of 500 votes, but what if there is another party, Party B, and you only cause that party to lose 50 votes? Party B has benefited from the damage you have done to Party A and yourself! This may be acceptable if Party A is a serious threat to you and Party B does not get many votes, but it could be damaging to your party.

The need to assess the risks in the attack does not make it invalid. Politicians make these kinds of judgements all the time, when they decide whether or not to focus on a particular policy that may have different effects on the voting intentions of different groups of voters. A political scientist would be helpful when designing the algorithm.

Objection 3: Any effect that it has on an election result would be too small to make it worth doing.

Answer

We cannot be sure how big the effects would be. A well designed virus could have a large effect on an election.

Even if the effect, in terms of the percentage of voters affected, is small, this could translate into a large effect on the outcome. If two parties have almost identical numbers of supporters then a small change in the numbers of votes could allow a party to win. If the election involves local representatives being elected in separate states or constituencies, as in the USA and Britain, then the danger from such a virus is increased because there will be local, marginal cases in which a small difference in the number of votes could have an effect on which representative is elected to represent a constituency or state.

Even if the effect were too small to do serious damage in itself, it would still be a threat to the electoral process, because if somebody tried it, it could discredit the result of an election. Someone could try to use a process such as this, without any real expectation of changing the result of an election, purely to discredit the whole process and bring the results into question.

An indirect electoral attack that does not change the result of an election could also contribute to a change in the result of a future election by increasing the proportion of votes that are placed for a political party, causing more voters to take that party seriously and helping it get more votes in future elections - in turn contributing to its future success and so on.
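The arithmetic behind the answers to Objections 2 and 3, as an added example that is not part of the original article: a small model an election official could use to see which contests have margins narrower than a suspected uneven loss of votes. The constituencies, vote counts and loss rates are constructed; the rates follow the 1,000 : 500 : 50 ratio used in Objection 2, with party C standing in for the party that loses 500.

```python
"""Sensitivity of constituency results to an uneven loss of votes.

All figures are constructed for illustration; none come from a real election.
"""
from collections import Counter

# Constructed contests: votes each party would receive with no interference.
CONTESTS = {
    "Northfield": {"A": 21000, "B": 4000, "C": 20900},
    "Eastbridge": {"A": 18000, "B": 17800, "C": 12000},
    "Southport": {"A": 30000, "B": 15000, "C": 5000},
    "Westmoor": {"A": 15000, "B": 15100, "C": 15200},
    "Highvale": {"A": 14000, "B": 26000, "C": 6000},
}

# Assumed fraction of each party's voters who fail to vote. The 20 : 10 : 1
# ratio mirrors the 1,000 / 500 / 50 example in Objection 2.
LOSS_RATE = {"A": 0.02, "C": 0.01, "B": 0.001}


def apply_loss(votes, loss_rate):
    """Return the vote counts left after each party loses its fraction."""
    return {p: v - round(v * loss_rate.get(p, 0.0)) for p, v in votes.items()}


def winner(votes):
    """Party with the most votes (first past the post)."""
    return max(votes, key=votes.get)


def margin_pct(votes):
    """Gap between first and second place as a percentage of votes cast."""
    first, second = sorted(votes.values(), reverse=True)[:2]
    return 100.0 * (first - second) / sum(votes.values())


def assess(contests, loss_rate):
    """Compare each contest's winner with and without the vote loss."""
    report = []
    for name, votes in contests.items():
        report.append({
            "contest": name,
            "margin_pct": round(margin_pct(votes), 2),
            "before": winner(votes),
            "after": winner(apply_loss(votes, loss_rate)),
        })
    return report


def changed_contests(report):
    """Contests whose winner depends on the lost votes."""
    return [r["contest"] for r in report if r["before"] != r["after"]]


def seat_totals(report, key):
    """Seats per party, using the 'before' or 'after' winners."""
    return dict(Counter(r[key] for r in report))


def votes_lost_pct(contests, loss_rate):
    """Share of all votes that go missing, as a percentage."""
    cast = sum(sum(v.values()) for v in contests.values())
    kept = sum(sum(apply_loss(v, loss_rate).values()) for v in contests.values())
    return 100.0 * (cast - kept) / cast


if __name__ == "__main__":
    report = assess(CONTESTS, LOSS_RATE)
    for row in report:
        print(row)
    print("votes lost: %.2f%%" % votes_lost_pct(CONTESTS, LOSS_RATE))
    print("seats before:", seat_totals(report, "before"))
    print("seats after: ", seat_totals(report, "after"))
```

With these figures about 1.1% of votes go missing, yet three of the five seats change hands, and party B, which was barely touched, gains two of them while party C ends with the same number of seats it started with.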

Objection 4: It could actually provoke people into voting and be counterproductive.

Answer

We cannot really be sure that it would be counterproductive. There is a possibility that it could actually work.

Even if it were counterproductive this would not remove the problem. The very fact that it is counterproductive would mean that it is still having an effect. A party may actually try an attack like this against its own supporters to incite anger against its opponents and exploit such a "counterproductive" effect to encourage its own supporters to vote and bring its opponents into disrepute.

Even if the process were counterproductive, it may not stop somebody from trying to use it and my previous point about it bringing the entire electoral process into disrepute is relevant here.

Objection 5: Why are you saying all this? Are you trying to get people to disrupt elections? Do you think this is an amusing game?

Answer

Interference in electoral processes is serious. If, however, the sort of interference that I have described in Internet elections is possible then somebody will do this without needing my help. Weaknesses in systems are almost always exploited and we gain no protection by keeping quiet about them and hoping nobody finds them. Instead, we need to be aware of such weaknesses so that we can decide what needs to be done about them.

Objection 6: The threat of indirect electoral attack that you have described is not a serious threat and it is not worth worrying about. The security processes built into an Internet election could easily stop such a threat.

Answer

The security measures in an electoral process will not work at all. This is an indirect attack and it does not confront any security specific to the electoral process. The only way to defend against an attack like this would be to improve computer security in general - a much more difficult task than simply safeguarding an election.

Objection 7: Anyone trying to do something like this would get caught and the result would be declared invalid.

Answer

They might not get caught. People get away with computer crimes all the time and an attack of this nature could be launched from another country. They might even be clever enough to complete their attack without leaving evidence (though this would be difficult).

Even if the attack is detected it does not follow that whoever did it would get caught. They are unlikely to launch such an attack from their own equipment. It is more likely that they would use Internet cafes and machines that they have hacked for the purpose. If there were many such attacks like this - a likely outcome in the end - then most of the time the perpetrators would never be found due to lack of resources for catching them all and this sort of attack could be considered an ongoing nuisance in elections. The low chance of capture, if the perpetrators are careful, may make it an attractive way of attacking an electoral process.

If an attack is known to have occurred then this could create a disputed election result. This would not be a satisfactory solution. What if these attacks happen every time we have an election? Repetition of the election, until we get lucky and nobody attacks it, is unlikely.

Someone could make this sort of attack knowing that it will be detected, for the very reason of having an excuse to dispute the result of an election.

The result may not be declared invalid. The state may choose to live with this problem, particularly if attacks like this become a regular feature of elections - leading to controversy and disaffection with the electoral process by some voters.

Objection 8: What you describe as "indirect electoral attacks" have always been possible in electoral systems. For example, it has always been possible for people to obstruct rival voters from getting to polling stations. There is nothing special about doing this on the Internet.

Answer

There is a big difference when the Internet is involved and that difference is caused by economy of scale. In the real world the amount of obstruction that you can cause to voters is directly proportional to the resources that you can put into causing the obstruction. When self-replicating computer programs are involved the situation changes totally. A relatively small expenditure could result in the creation of a computer virus which obstructs a very large number of voters.

Indirect electoral attacks are much more likely to be a substantial threat to the electoral process when the Internet is involved. In fact, the payoff to expenditure ratio could be so great that every election might be targeted by many such attacks, some of which are made by politically motivated or mischievous individuals as well as agents operating on behalf of political parties.

Conclusion

This article has argued that any election in which people can vote on the Internet faces the problem of indirect electoral attacks - automated attacks attempting to deny computing and communication in general to particular kinds of voters. A computer virus would be a good way of making such an attack as the virus's self-replication can allow it to infect a large number of computers. On each infected computer the virus would examine the owner's usage history to determine if he/she is likely to vote in an undesirable way and, if so, would attempt to deny him/her the use of a computer.

I may seem to be saying that Internet voting is not viable. I am not going as far as saying that, but we need to consider security issues if we are going to allow people to vote on the Internet. The same issues relate to other means of voting, such as by mobile phone text message which is vulnerable because modern mobile phones can be infected by viruses.

If we avoided problems like this for now by not allowing Internet voting we would only be buying time. As computing becomes more ubiquitous in society people will be increasingly reliant on computers to do anything - whether it is voting on the Internet or going to a place to vote conventionally - and the difference between computing activities and other activities will diminish. As this happens there will be more scope for indirect electoral attacks in any electoral process. Viruses which stop people from voting on the Internet by depriving them of their computer are only one form of indirect electoral attack and possibly one of the first and simplest ones that we will see.

The scope for indirect electoral attacks will also increase as the process that I call Turingisation (or Turingization if we use the spelling that Americans will prefer) occurs. A Turing equivalent system provides a formal language for running general purpose computing programs. Turingisation is the loss of distinction between programs and data as more programs that run on Turing equivalent systems are made able to process their data in ways that allow general purpose computer programs to be encoded in that data.

Turingisation means that more computer programs provide languages. The development of word processor macros is an early stage in Turingisation. It removes some of the distinction between a word processing program and the language used to create it: both of them can be used to run programs. It also removes some of the distinction between a word processing program and the data that it is used to create as the data itself can incorporate computer programs. Nor does this need to stop after one level.

Future threats to elections from indirect electoral attacks will only get worse as the role of the Internet in elections increases, as computers become ubiquitous in society and as Turingisation occurs. In the immediate future a possible defence may be to delay the use of Internet elections, but ultimately the only defence will be to improve computer security generally. I described a possible way of doing this in a previous article [1].

References

[1] Web Reference: Almond, P. (2005). Improving Computer Security. Retrieved 6 July 2005 from http://www.paul-almond.com/ImprovingComputerSecurity.htm.


© Copyright Paul Almond 2003-2006. All Rights Reserved. Email: info@paul-almond.com
This page last modified: Thursday May 4, 2006 1:41