- The paper identifies core vulnerabilities in online voter registration using public PII, exposing risks of impersonation and unauthorized registration changes.
- It reveals serious privacy risks in ballot tracking systems where access to public voter data enables unauthorized viewing of sensitive information.
- The study recommends improved security measures, including unique voter IDs and robust encryption protocols, to mitigate these identified threats.
Security Concerns in Vote-by-Mail Systems
The paper entitled "Security Survey and Analysis of Vote-by-Mail Systems" examines the security posture of electronic systems used in mail-in voting processes, focusing on online voter registration and ballot tracking systems. It highlights significant concerns about adversarial exploitation that could undermine the integrity and privacy of vote-by-mail systems. The robustness of these systems is critical given the increasing reliance on mail-in voting to mitigate public health risks during events such as the COVID-19 pandemic.
Vulnerabilities in Online Voter Registration
Online voter registration (OVR) systems, currently implemented in 39 states and the District of Columbia, aim to simplify the voter registration process. However, these systems are susceptible to various forms of manipulation that could lead to voter disenfranchisement. The paper outlines how adversaries could leverage publicly accessible personally identifiable information (PII) to impersonate voters and alter registrations.
The authors suggest that audits be an integral part of detecting unusual registration activity, accompanied by IP address logging to trace potentially fraudulent activity. The encryption protocols of OVR websites also need improvement: the paper found them vulnerable to attacks such as Zombie POODLE and Logjam, and lacking forward secrecy.
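One way the audit and IP logging recommended above could be put to work, as an added example that is not from the paper: it scans a registration-change log for source IPs that modify many distinct voter records within a short window. The log layout, the window and threshold values, and every sample entry are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log: timestamp, source IP, voter record ID, action.
# The field layout and all values are assumptions made for this example.
SAMPLE_LOG = """\
2020-10-01T09:00:05 198.51.100.7 V1001 address_change
2020-10-01T09:00:40 198.51.100.7 V1002 address_change
2020-10-01T09:01:10 203.0.113.20 V2001 address_change
2020-10-01T09:01:30 198.51.100.7 V1003 party_change
2020-10-01T09:02:15 198.51.100.7 V1004 address_change
2020-10-01T11:30:00 203.0.113.20 V2001 address_change
2020-10-01T14:00:00 192.0.2.44 V3001 address_change
2020-10-01T18:00:00 192.0.2.44 V3002 address_change
"""

def parse(log_text):
    """Yield (timestamp, ip, voter_id, action) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3]
        except ValueError:
            continue

def flag_bulk_changes(log_text, window=timedelta(minutes=10), max_voters=3):
    """Return {ip: peak count of distinct voter records changed within any
    window} for IPs whose peak exceeds max_voters."""
    recent = defaultdict(deque)   # ip -> deque of (timestamp, voter_id)
    peak = defaultdict(int)
    for ts, ip, voter, _action in sorted(parse(log_text)):
        q = recent[ip]
        q.append((ts, voter))
        while q and ts - q[0][0] > window:   # drop events older than the window
            q.popleft()
        # Count distinct records, so repeat edits to one record do not inflate it.
        peak[ip] = max(peak[ip], len({v for _, v in q}))
    return {ip: n for ip, n in peak.items() if n > max_voters}

if __name__ == "__main__":
    for ip, n in flag_bulk_changes(SAMPLE_LOG).items():
        print(f"review {ip}: {n} distinct voter records changed within 10 minutes")
```

A flagged IP is a prompt for manual review rather than proof of fraud, since shared addresses such as libraries or registration drives can legitimately exceed a threshold.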
Risks in Ballot Tracking Systems
Ballot tracking systems like BallotTRACE and BallotTrax, used extensively across numerous states, are essential for providing voters with information about the status of their ballots. However, they pose serious privacy concerns. These systems often authenticate users using publicly available voter record data, enabling unauthorized access to personal voter information and voting history.
Figure 1: BallotTRACE's voter lookup search form.
The paper proposes a solution involving the use of a unique, random 12-digit ID to enhance user authentication and privacy protection for ballot tracking systems. This recommendation aims to tighten access and mitigate potential privacy infringements inherent in existing systems.
The privacy of voter information is paramount, yet ballot tracking systems often rely on third-party services like Twilio and Amazon SES, exposing voter data at multiple points. This dependency chain raises profound privacy concerns, especially considering previous security breaches within these services.
Figure 2: Email received from using one member's phone to sign-up at another member's address. Grayscale images of mail and incoming parcel bundles are shown. Sensitive information redacted.
Figure 3: BallotTRACE's lookup page for the mayor of Denver, CO, that displays partial voting history indicating that the mayor cast a ballot in the 2020 primary elections, accessed using public voter records. Sensitive information is redacted.
The discussion extends to potential attacks such as membership attacks, which exploit aggregate voter statistics to glean insights into voter behavior and could subsequently impact election outcomes.
Conclusion
The evaluation of existing vote-by-mail systems reveals substantial security challenges that must be addressed to protect voters' privacy and maintain the integrity of elections. While these systems provide a necessary alternative to in-person voting, the paper underscores the need for rigorous security enhancements, particularly in online voter registration and ballot tracking mechanisms.
Figure 4: BallotTRACE's notifications page for the mayor of Denver, CO. The system appears to allow any user who accesses a voter information page to update voter notifications. Again, sensitive information is redacted.
The work emphasizes that, despite certain vulnerabilities, vote-by-mail remains a viable option for large-scale implementation, promising improved voter engagement and turnout. Future efforts should focus on refining the electronic support systems so that they uphold democratic voting processes securely and efficiently.