Problems with the iVote Internet Voting System

The Computing Research and Education Association of Australasia (CORE) is an association of university departments of computer science in Australia and New Zealand. This submission has been authorised by the President of CORE. The authors are both Computer Science and Engineering researchers whose main interest is in electronic voting and security. We have previously made submissions to parliamentary inquiries examining the problems with e-voting and IT systems used in Australian elections. At present we are collaborating with the Victorian Electoral Commission on its e-voting system. In the 2011 State Election the NSWEC ran one of the world's most ambitious Internet voting projects with a system called iVote, provided by US vendor Everyone Counts. The main purpose was to enable vision impaired voters to vote without human assistance, but the project was extended to any voter who was outside NSW on election day. This excellent opportunity to use technology to improve the voting experience for voters with disabilities is an important part of modern electoral reform. However, widespread Internet voting is extremely difficult to secure and scrutinise. Many security experts believe that it cannot be trusted for public elections [IAVOSS07; VV08]. In this submission we explain the problems with iVote and identify measures that need to be taken to ensure that future Internet voting systems provide stronger protection of voter rights. We aim to maintain the quality and trustworthiness of NSW elections, and ensure that Internet voting is offered only when it does not reduce vote security, vote secrecy or voter independence. The iVote system had significant security vulnerabilities and reliability failures, one of which is known to have misrecorded votes. The system also experienced failures in authenticating eligible voters. Although the system protected votes in transit across the Internet, there is not enough publicly available information to establish whether vote privacy and anonymity were adequately protected at the Electoral Commission. iVote also had reduced safeguards against general IT security vulnerabilities because the part of the system intended to detect external hacking was " not implemented as per design " [PWC11a]. Although there are well-known measures to mitigate many of these problems, the iVote system does not contain such countermeasures in the design. Moreover it is evident that poor practice was employed in implementing iVote, which resulted in defects (and likely vulnerabilities) being introduced but not being identified until too late. The audit and evaluation processes were given inadequate time and …