DC BOEE Lessons Learned from Digital Vote by Mail Hacking

by Paul Stenbjorn,
Director Information Services

On Friday, October 1, 2010, the District of Columbia’s Board of Elections and Ethics learned that its Digital Vote by Mail public examination software had developed an affinity for the maize and blue of the University of Michigan. Since no staff of the BOEE or our development partners, the Open Source Digital Vote Foundation, had attended the school, we reached the logical conclusion. Our public test had been hacked.

Which you would think would have been an objectively bad thing for the BOEE. You’d think wrong.

In August of 2010, the National Institute for Standards and Technology (NIST) conducted a Uniformed and Overseas Citizens Absentee Voting Act (UOCAVA) workshop in which the academic computer science community issued a rebuke of all intermixing of votes and the internet. Election administrators were warned, in stark language, not to venture into the deep dark digital woods where perils lurked that were unstoppable and unavoidable.

We in the election community were seeking guidance in the development of next generation election systems which would provide military and overseas voters a simplified method of receiving and returning their ballots. We know the challenges of postal mail delivery, especially to deployed men and women in uniform, and wanted to engage the best technical minds in the country in developing a framework for digital ballot delivery and return. At the UOCAVA workshop little progress was made in developing best practices, risk models, or frameworks for collaboration, so the BOEE decided to work independently with its partner organization to deploy the first in the nation, open source, online ballot delivery and return system. We vowed to publish the source code and offer a public examination period in which users would be given unfettered access to the system to determine its strength or weakness, assess its usability, and generally kick the tires.

Fast forward to the last week in September: after delays in launching the public examination period (a hotly contested election on September 14 kept BOEE staff otherwise engaged), we launched the application and invited all comers to test and prod our system. Our goal was simple: determine if the application as developed passed muster, and if not, determine better mechanisms for security, transport and usability for future releases. The BOEE may have been the sponsor of this project, but our mission was to make this open source package freely available to all election officials. We understood the risks of making this package available for testing. But someone had to do it.

When Alex Halderman and his students successfully hacked the system, we learned many valuable lessons about the security issues with the file upload mechanisms used in this software. More importantly, however, we achieved a collaborative engagement with the computer science community that was working with elections officials in the early stages of developing a better model for future deployment. This was our goal at the NIST workshop, and we look forward to continuing this collaboration.

We will continue this project and hope this interaction will serve as a model for future releases. We will stand up new revisions and invite the computer science community not only to attempt to hack the system, but to come develop it with us. Imagine what would be possible if the best minds in the country collaborated on developing robust, open source election software.

In response to the hacking of the Digital Vote by Mail public examination software, David Jefferson of Verified Voting stated:

“Let there be no mistake about it: this is a major achievement, and supports in every detail the warnings that the security community have been giving about Internet voting for over a decade now. After this there can be no doubt that the burden of proof in the argument over the security of Internet voting systems has definitely shifted to those who claim that the systems can be made secure.”

With all due respect to Mr. Jefferson, the lesson learned is not to be more timid, but more aggressive about solving the problem in exactly the way that we have chosen. Our task is to continue pursuing a robust, secure digital means for overseas voters to cast their ballot rather than resorting to e-mail or fax. As Thomas Edison famously said, “Nearly every man who develops an idea works at it up to the point where it looks impossible, and then gets discouraged. That's not the place to become discouraged.”

The burden of proof will always rest with the election officials to ensure integrity and transparency of all voting systems, but the computer science community has a heavy burden as well. The computer science community needs to understand that this toothpaste is already out of the tube and no volume of warnings can put it back. Voters are currently casting ballots by e-mail and fax. We need to work together to find a better alternative.

Even more, voters expect that there will be a day when online voting will be as simple as paying bills or paying taxes. While there will always be citizens who choose to file their taxes on paper and there will always be voters who wish to visit their local polling place on Election Day, election officials know that voters expect, one day, to cast their ballot from their laptop.

The BOEE’s Digital Vote by Mail application is an open source software package. We released not only the software, but also the design rationale documentation and networking schematics. We gave the hackers the keys to the store. This is critical to enhancing the integrity of election systems. Had the BOEE deployed a commercial digital ballot return system, we might not have been able to discover comparable shortcomings until actual votes were involved. Furthermore, commercial software would not provide the transparency that is so critical to public trust and future technology development. This is a core value of the D.C. Board of Elections and Ethics, and the successful hacking of the Digital Vote by Mail system proved that we were right to deploy and test an open source election system.

While the BOEE would prefer to have a system that withstood all scrutiny and testing, we are achieving exactly what we set out to do. We are heartened by the knowledge that the digital ballot delivery system we are deploying will allow overseas and military voters to receive ballots nearly instantaneously. We are also encouraged that the partnerships we have begun to develop through this initiative will continue to build and lead to better voting systems for all voters. The University of Michigan students and faculty deserve credit for accepting this responsibility in constructive hacking; however, we all know that this does not represent the end of digital ballot transport, but a step toward a solution that will be less partisan in its Big 10 affiliations.