Security bug in Australia’s online voting system throws doubt on Britain’s digital election goal

Britain’s hopes of enabling online voting in general elections have faced a dose of reality after a security vulnerability in an Australian system was exposed.

The iVote system was introduced for the New South Wales (NSW) State Election in 2011 for voters who are more than 20 kilometres from a polling station, and has also been used in subsequent state by-elections.

But its use in NSW’s state election this month has faced intense scrutiny after researchers discovered a major security hole that could allow a hacker to read and manipulate votes.

With 66,000 online votes already cast by the time Vanessa Teague and J. Alex Halderman, of the University of Melbourne and University of Michigan respectively, disclosed their revelation, the legitimacy of the entire election has been called into doubt.

One of the servers used to serve the voting website has “very poor security” and is vulnerable to a range of cyber attacks, including the recently discovered FREAK attack, the researchers found.

They reported the vulnerability to CERT Australia on Friday, resulting in the Electoral Commission fixing the flaw the following day.

‘Unfortunately, the system had already been operating insecurely for almost a week, exposing tens of thousands of votes to potential manipulation,’ the researchers wrote. ‘The vulnerability to the FREAK attack illustrates once again why internet voting is hard to do securely.

‘The system has been in development for years, but FREAK was announced only a couple of weeks before the election. Perhaps there wasn’t time to thoroughly retest the iVote system for exposure.’

>See also: John Bercow’s digital commission looks to engage young people in politics with a fully interactive parliament by 2020

Election security researchers wont be surprised by these problems, they added, citing ‘dire security problems’ with internet voting in Estonia and Washington D.C.

In 2010, Halderman and his students hacked into the online voting system of the Washington D.C. Board of Elections and Ethics, which only realised two days later because a musical ‘calling card’ was left behind.

‘Securing internet voting requires solving some of the hardest problems in computer security, and even the smallest mistakes can undermine the integrity of the election result. That’s why most experts agree that internet voting cannot be adequately secured with current technology.’

In Britain, the Speaker’s Commission on Digital Democracy called on parliament in January to embrace digital technology to be more transparent, inclusive and better able to engage the public with democracy.

One of its key targets specified that by 2020, secure online voting should be an option for all voters. This would be complemented by changes in political education in schools, helping to ensure that increasing numbers of young people register to vote and understand the democratic process.

In addition, the report recommended that MPs who are unwell or have childcare responsibilities should have the option to vote electronically away from the Chamber during a division.

Information Age has contacted the Speaker’s Commission on Digital Democracy for comment.

Avatar photo

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...