[Politech] Report critiques federal government's Internet voting scheme [priv]

6 Jul 2018

      -------- Original Message --------
Subject:     the new Internet voting scheme
Date:     Wed, 25 Oct 2006 10:26:53 -0700
From:     Barbara Simons <simons@acm.org>
To:     Declan McCullagh
CC:     info@servesecurityreport.org

Dear Declan,

PLEASE CIRCULATE:

My colleagues David Jefferson, Avi Rubin, David Wagner and I have just
released a short paper about the government's IVAS system that involves
absentee voting using email and fax and ballot distribution over the
Internet. See

http://servesecurityreport.org/ivas.pdf

We wanted to bring this to your attention because we believe this
system poses significant risks, as described in this excerpt from our
article:

In summary, we see three main risks:

1. Tool One exposes soldiers to risks of identity theft.  Sending
personally identifiable information via unencrypted email is considered
poor practice.  No bank would ask their customers to send SSNs over
unencrypted email, yet Tool One does exactly that.  This problem is
exacerbated by potential phishing attacks.

2. Returning voted ballots by email or fax creates an opportunity for
hackers, foreign governments, or other parties to tamper with those
ballots while they are in transit.  FVAP's system does not include any
meaningful protection against the risk of ballot modification.

3. Ballots returned by email or fax may be handled by the DoD in some
cases.  Those overseas voters using the system sign a waiver of their
right to a secret ballot.  However, it is one thing for a voter's
ballot to be sent directly to their local election official; it is
another for a soldier's ballot to be sent to and handled by the DoD b
who is, after all, the soldier's employer.

Regards,
Barbara Simons

_______________________________________________
Politech mailing list
Archived at http://www.politechbot.com/
Moderated by Declan McCullagh (http://www.mccullagh.org/)

----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820            http://www.ativel.com
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE

[demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]