Response from the NSW Electoral Commission to iVote security allegations
This response concerns allegations made during the NSW 2015 state election regarding the security and integrity of the Commission's iVote® internet voting system by researchers Dr Halderman (University of Michigan – USA) and Dr Teague (University of Melbourne).
On Friday, 20th of March 2015, Drs Teague and Halderman sent a report marked "Confidential report: Please do not distribute" to media outlets and CERT Australia[1]. They did NOT provide the report directly to the NSW Electoral Commission; however, they did provide the "confidential" report to the ABC. The report did NOT state that its content was conditionally confidential or embargoed until remediation was undertaken by the Commission. CERT Australia is a federal government agency and is unable to deal with a state government agency such as the NSW Electoral Commission.
The correct agency for Drs Teague and Halderman to have reported this incident to was in fact the NSW Electoral Commission. Dr Teague had previously sent emails to the Commission's CIO and could have done the same on this occasion. The Commission received the report by Drs Teague and Halderman from staff in the Department of Defence via an email at 3:40pm on Friday. Had the Commission not established an informal arrangement with the Australian Signals Directorate prior to the election, then the report may not have been received by the Commission before close of business Friday. The report provided to the Commission on the Friday was entitled "New South Wales iVote System is Vulnerable to MiTM Vote Stealing Attacks" and resulted in extensive media coverage questioning the security of the iVote® system.
The only significant information contained in the report regarding the security of the iVote system related to the identification of the FREAK[2] vulnerability in the publicly accessible SSL certificate on the Piwik website, which was a website connected to the iVote® system. Drs Teague and Halderman were aware that the related Piwik website was used only to provide statistics regarding the iVote core voting system's operation and was not essential to its main function of receiving votes.
The vulnerability was found by Drs Teague and Halderman using a free internet-based certificate test service, which is a service commonly used by system administrators to test website certificate security. The relatively poor certificate test result found by Drs Teague and Halderman should in itself have been seen as reasonable grounds for them to have advised the Commission that a potential security issue had been identified. In the Commission's view, it was not essential for a proof of concept system to be created just to prove a material threat existed when the identified vulnerability and other unlikely and/or difficult to implement factors were combined.
The Commission understands that the existence of the vulnerability was known by Drs Teague and Halderman soon after voting commenced, at 8am on Monday the 16th of March, and should, under normal responsible disclosure practices[3], have been provided to the Commission at that time. It has been subsequently confirmed from statements made by Dr Halderman at a recent conference that the existence of the FREAK vulnerability was known to him before Wednesday the 18th of March. He further stated that he did not provide this information to the Commission at that time because he did not believe he was [legally] obliged to do so and he also wanted to use that time to prepare a proof of concept system and a report for the media.
The Commission would have thought a more appropriate course of action for Drs Teague and Halderman would have been to advise the Commission when the vulnerability was first identified, then prove their attack hypothesis by developing a proof of concept system or perform other research that they thought appropriate. Then, should they believe the Commission had not taken sufficient action, contact the media and advise them of their concerns. Regrettably, this was not the course of action chosen by Drs Teague and Halderman.
The report provided to the Commission on the Friday resulted in extensive media coverage which questioned the security of the iVote system. The report and subsequent media presentations by Drs Teague and Halderman appeared to be designed to cause a significant reduction in the public's confidence in the iVote system. Also, they typically did not provide a realistic or a quantitative assessment of the risk of a large-scale attack being successfully executed against the iVote® system.
In addition to preparing the report and proof of concept system, Drs Teague and Halderman published a blog, which showed the proof of concept system with a screen which was a facsimile of the iVote system but with an added 'Ned Kelly' icon on the display. Whenever a vote was cast in their proof of concept system the icon would appear suggesting to the voter that their vote had been stolen. This system appeared to be developed to provide a dramatic backdrop to their media presentations.
On the morning of Saturday, 21st of March and prior to the identified certificate vulnerability being remediated, the ABC contacted the Commission and advised they had a copy of the "confidential" report from Drs Teague and Halderman and requested a statement from the Commission regarding the content of the report. The ABC did NOT advise the Commission they were operating under an embargo from Drs Teague and Halderman with respect to the report.
At the time of the ABC's request for a comment, the Commission understood that publication of a story on the content of the report was imminent and not conditional on remediation of the system.
Realising this, and knowing the potential effect such a story would have on public confidence, particularly if the report's proposed remediation action had not been undertaken, the Commission knew it had no option but to remove the Piwik link to the iVote® system immediately. Therefore the removal of the link was done expeditiously and without the benefit of an independent risk assessment being performed. Then the ABC, without advising the Commission, ran the story that evening on the 7pm TV news and chose to use the proof of concept system developed by Drs Teague and Halderman in the news report. This news story gave a false impression of the iVote® system's operation to the public, during a period when iVote was still taking votes for the State Election.
Subsequent to the removal of the Piwik link, the Commission had an opportunity to review the claims made by Drs Teague and Halderman regarding vulnerabilities in the iVote® system and has taken advice from our information security auditors. The Commission's principal security advisers CSC Cyber Security ANZ advised that Drs Teague and Halderman's claims about the vulnerabilities in the iVote® system were overstated. Advice was also sought from other security organisations and they all came to a similar conclusion.
The proposed FREAK attack requires a high level of technical expertise and a number of pre-conditions to be present and as such is not considered a significant threat to iVote. We have been advised that the likelihood of someone intercepting online votes using this approach is similar to that of a malicious postman replacing a postal vote. It should also be noted that Dr Teague is reported to have said in one interview with the ABC that this type of hack "would be difficult for an attacker to perform".
The Commission has always been aware and has accepted that internet web browsers are vulnerable to attack. The Commission has never claimed that the operation of the iVote system was completely risk free and has deployed an advanced multi-layer security detection framework to ensure election integrity. This includes:
Verification service allowing voters to verify their vote was captured by iVote as cast. This feature may have identified whether the proposed attack had been undertaken during the election.
Audit process to ensure that all votes captured are decrypted correctly and match the votes held in the separately managed verification system.
Verification that the results, for a given candidate, taken through the iVote method align proportionally with results for votes cast through other paper based voting channels.
Continual monitoring during the election for anomalous network and server activity.
Testing and hardening of computers used by the system prior to commencing voting.
Post-election audit of logs.
The Commission is of the view that a large scale attack would be difficult to execute during the system's 12 days of operation, and would be detected through one of the security layers outlined above. Should the attack proposed by Drs Halderman and Teague in the media have actually occurred, the Commission would have reasonably expected that our verification service would have alerted affected voters, who would have contacted the Commission. Some 1.7% of electors who voted using iVote® also used the verification service and none of them identified any anomalies with their vote.
The Commission considers that the only reasonable way of assessing risk associated with the iVote® system is to perform a comparative risk analysis between iVote and traditional voting methods. Our assessment of comparative risks has led to our view that iVote has a similar or lower risk level than the current paper based voting system. Moreover, the benefits of iVote far outweigh the low risk it poses to the election, especially given that iVote only took 6.2% of the votes at the election. The Commission is of the view that iVote should only be used for difficult-to-issue votes. This means that in-district attendance votes should still be issued as paper votes and will continue to be the majority of the votes issued at a general election.
The iVote internet and telephone voting system allows people to vote who, through disability or location, would otherwise find it difficult if not impossible to do so. iVote also future proofs our electoral system against the very high likelihood that postal voting will no longer be available one or two election cycles from now; the rising cost of mail (a recent increase of 40% just occurred) coupled with decreasing service levels will mean postal voting will not be a viable option. The Commission is pleased with the public acceptance of the iVote system. Some 283,669 electors voted using iVote, with 97% reporting, through an independent survey, that they were satisfied or very satisfied with iVote.
It should also be noted that both Drs Teague and Halderman are advisory board members of the US based anti-internet voting lobby group Verified Voting[4]. Verified Voting opposes the use of internet voting for significant elections and has restated this view in its submission to the President's Commission on Election Administration, in which its first recommendation was to "Prohibit return of voted ballots over the Internet". Dr Halderman has supported a statement made in an open letter to President Obama by Verified Voting saying that "Internet voting must not be allowed". Similarly Dr Teague has endorsed the Dagstuhl Accord, which says she "cannot … recommend … online voting systems in elections of significant consequence". The first recommendation of her submission to the Inquiry into the 2015 NSW state election was also to "Discontinue Internet and telephone voting". The Commission's view is that internet voting is not a problem for academic cryptographers to solve, but rather an evolving technology requiring a broad range of technical and electoral skills and engagement with electoral stakeholders.
Verified Voting members and supporters have been involved in direct action against the implementation of internet voting systems since 2004[5], when the US Department of Defence SERVE project was cancelled after a security review was conducted and unauthorised negative statements were made to the media by some of the review committee members. The conduct of Drs Teague and Halderman with respect to the 2015 NSW State election and, in particular, their disclosure conduct is consistent with past practices of US based anti-internet voting activists. Dr Halderman has also undertaken activism against electronic voting systems over many years in other countries. Dr Teague was instrumental in bringing Dr Halderman to Australia for the 2015 NSW State election.
The Commission takes the security of all its systems, including iVote, very seriously. The Commission welcomes the public's interest in the iVote system and would like to encourage open, unbiased and informed debate regarding the use of internet voting. Furthermore the Commission acknowledges Drs Halderman and Teague's technical skills in the area of internet security. However, some of the statements they have made appear to fall outside their core areas of research. In particular they recommended in "The Conversation" that electors "stick with an old-fashioned paper ballot". The Commission is not aware of any research done by Drs Halderman and Teague which assesses the comparative risks of internet voting against paper voting for NSW elections. We therefore believe this statement is more likely a strongly held personal view rather than a product of peer reviewed and evidence based research, either conducted by them or other reputable researchers.
It is the view of the Commission that Drs Halderman and Teague are anti-internet voting activists. In particular Dr Halderman is well known for his dramatisation of security issues principally for the purpose of discrediting electronic voting systems and in particular internet voting systems. Dr Halderman led a team of foreign activists to Estonia in 2014. Estonia was one of the first countries to use internet voting. This expedition's objective appeared to be focused on disrupting the Estonian election, rather than assisting the Estonian authorities. As in NSW, the Estonian National Electoral Committee was not fully advised of a report related to their system until after Dr Halderman and his team had held a press conference, two days prior to the election's start of online voting.
The Commission was disappointed that Drs Teague and Halderman did not share their security concerns with the Commission when they first became known to them and that Drs Teague and Halderman typically do not disclose to the public their affiliation with the US based anti-internet voting lobby group Verified Voting when making media statements on this subject.
The Commission believes that the appropriate time and place to engage in a discussion about the future direction of iVote in NSW is at the Joint Standing Committee on Electoral Matters, which is currently conducting a review of the 2015 election, including any issues around iVote. We invite them both to make submissions to this Committee and, if invited, to give verbal evidence. We look forward to their contributions.
Published: 22/10/15
[1] CERT Australia is part of the Federal Attorney-General's Department.
[2] FREAK SSL/TLS Vulnerability. Original release date: March 06, 2015. FREAK (Factoring Attack on RSA-EXPORT Keys, CVE-2015-0204) is a weakness in some implementations of SSL/TLS that may allow an attacker to decrypt secure communications between vulnerable clients and servers.
[3] Normal responsible disclosure practices are defined in Australia by section 4.12.2 of the Australian Code for the Responsible Conduct of Research, which in part says: "researchers should … promptly inform those directly impacted … before informing the popular media".
[4] Verified Voting has engaged professional lobbyists over the past 4 years to the value of $120,000 USD to lobby against internet voting and related uses of technology for electoral matters federally in the USA. This information is provided by the US Congress Clerk of the House of Representatives.
[5] US Deputy Secretary of Defence, Paul Wolfowitz, cancelled the Secure Electronic Registration and Voting Experiment (SERVE) in 2004. The project was cancelled after 4 of the 10 SERVE Security Peer Review Group members (http://www.servesecurityreport.org/) prepared a dissenting report and sent it to the New York Times prior to the main report's submission to the Department of Defence. The 4 dissenting report authors are currently either Directors of Verified Voting or were/are strong supporters.