Security Considerations for Remote Electronic Voting over the Internet

Avi Rubin

AT&T Labs – Research

Florham Park, NJ

rubin@research.att.com

http://avirubin.com/

Abstract

This paper discusses the security considerations for remote electronic voting in public elections. In particular, we examine the feasibility of running national federal elections over the Internet. The focus of this paper is on the limitations of the current deployed infrastructure in terms of the security of the hosts and the Internet itself. We conclude that at present, our infrastructure is inadequate for remote Internet voting.

1 Introduction

The right of individuals to vote for our government representatives is at the heart of the democracy that we enjoy. Historically, great effort and care have been taken to ensure that elections are conducted in a fair manner such that the candidate who should win the election based on the vote count actually does. Of equal importance is that public confidence in the election process remain strong. In the past, changes to the election process have proceeded deliberately and judiciously, often entailing lengthy debates over even the minutest of details. These changes are approached so sensitively because a discrepancy in the election system threatens the very principles that make our society free, which in turn affects every aspect of the way we live.

Times are changing. We now live in the Internet era, where decisions cannot be made quickly enough, and there is a perception that anyone who does not jump on the technology bandwagon is going to be left far behind. Businesses are moving online at astonishing speed. The growth of online interaction and presence can be witnessed by the exponential increase in the number of people with home computers and Internet access. There is a prevailing sentiment that any organization that continues in the old ways is obsolete. So, despite the natural inclination to treat our election process as the precious, delicate and fragile process that it is, the question of using the new advances in technology to improve our elections is natural.

The feasibility of remote electronic voting in public elections is currently being studied by the National Science Foundation by request of the President of the United States (see http://www.netvoting.org//). Remote electronic voting refers to an election process whereby people can cast their votes over the Internet, most likely through a web browser, from the comfort of their home, or possibly any other location where they can get Internet access. There are many aspects of elections besides security that bring this type of voting into question. The primary ones are:

coercibility: the danger that outside of a public polling place, a voter could be coerced into voting for a particular candidate.

vote selling: the opportunity for voters to sell their vote.

vote solicitation: the danger that outside of a public polling place, it is much more difficult to control vote solicitation by political parties at the time of voting.

registration: the issue of whether or not to allow online registration, and if so, how to control the level of fraud.

The possibility of widely distributed locations where votes can be cast changes many aspects of our carefully controlled elections as we know them. The relevant issues are of great importance, and could very well influence whether or not such election processes are desirable. However, in this paper, we focus solely on the security considerations as they relate to conducting online public elections. In particular, we look at remote online voting, as opposed to online voter registration, which is a separate, but important and difficult, problem. We also focus solely on public elections, as opposed to private elections, where the threats are not as great, and the environment can be more controlled.

The importance of security in elections cannot be overstated. The future of our country, and the free world for that matter, rests on public confidence that the people have the power to elect their own government. Any process that has the potential to threaten the integrity of the system, or even the perceived integrity of the system, should be treated with the utmost caution and suspicion.

2 The voting platform

The type of remote electronic voting that we discuss in this paper involves regular Internet users with personal computers and standard operating systems and software. For the sake of the discussion, we focus on Intel machines running Microsoft operating systems with Microsoft or Netscape browsers, and voters participating from home, communicating over a TCP/IP network attached to the Internet. While this is a simplification, it is representative of the vast majority of users under consideration. In this discussion, we refer to the voting platform simply as a host.

Threats to hosts can be described as a malicious payload and a delivery mechanism (a malicious payload is software or configuration information designed to do harm). Both of these have advanced in sophistication and automation in the past couple of years. The attacks are more sophisticated in the sense that they can do more damage, are more likely to succeed, and disguise themselves better than before. They are more automated in that more and more toolkits have been developed to enable unsophisticated computer users to launch the attacks.

2.1 Malicious payload

There are literally hundreds of attack programs that we could discuss in this section. One need only visit the web site of any number of security software vendors to see the long lists of exploits that affect hosts to various degrees. The fact of the matter is that on the platforms currently in the most widespread use, once a malicious payload reaches a host, there is virtually no limit to the damage it can cause. With today's hardware and software architectures, a malicious payload on a voting client can actually change the voter's vote, without the voter or anyone else noticing, regardless of the kind of encryption or voter authentication in place. This is because the malicious code can do its damage before the encryption and authentication are applied to the data. The malicious module can then erase itself after doing its damage so that there is no evidence to correct, or even detect, the fraud. To illustrate, we focus the discussion on two particular malicious payloads that each exemplify the level of vulnerability faced by hosts.

The first program we describe, Back Orifice 2000 (BO2K), is packaged and distributed as a legitimate network administration toolkit. In fact, it is very useful as a tool for enhancing security. It is freely available, fully open source, extensible, and stealth (defined below). The package is available at http://www.bo2k.com/. BO2K contains a remote control server that, when installed on a machine, enables a remote administrator (or attacker) to view and control every aspect of that machine, as though the person were actually sitting at the console. This is similar in functionality to a commercial product called PCAnywhere. The main differences are that BO2K is available in full source code form and it runs in stealth mode.

The open source nature of BO2K means that an attacker can modify the code and recompile such that the program can evade detection by security defense software (virus and intrusion detection) that looks for known signatures of programs. A signature is a pattern that identifies a particular known malicious program. The current state of the art in widely deployed systems for detecting malicious code does not go much beyond comparing a program against a list of attack signatures. In fact, most personal computers in people's houses have no detection software on them. BO2K is said to run in stealth mode because it was carefully designed to be very difficult to detect. The program does not appear in the Task Manager list of running processes, and it was designed so that even an experienced administrator would have a difficult time discovering that it was on a computer. The program is difficult to detect even while it is running.

There can be no expectation that an average Internet user participating in an online election from home could have any hope of detecting the existence of BO2K on his computer. At the same time, this program enables an attacker to watch every aspect of the voting procedure, to intercept any action of the user with the potential of modifying it without the user's knowledge, and to further install any other program of the attacker's desire, even ones written by the attacker, on the voting user's machine. The package also monitors every keystroke typed on the machine and has an option to remotely lock the keyboard and mouse. It is difficult, and most likely impossible, to conceive of a web application (or any other) that could prevent an attacker who installs BO2K on a user's machine from being able to view and/or change a user's vote.

The second malicious payload that is worth mentioning is the CIH virus, also known as the Chernobyl virus. There are two reasons why we choose this example over the many other possible ones. The first is that the malicious functionality of this virus is triggered to activate on a particular day. April 26, 1999 was a disastrous day in Asia, where the virus had not been that well known, and thousands of computers were affected. This raises concern because election dates are known far in advance. The second reason for choosing this example is that the damage that it caused was so severe that it often required physically taking the computer to the shop for repair. The code modified the BIOS of the system in such a way that it could not boot. The BIOS is the part of the computer that initializes and manages the relationships and data flow between the system devices, including the hard drive, serial and parallel ports, and the keyboard. A widespread activation of such a virus on the day of an election, or on a day leading up to an election, could potentially disenfranchise many voters, as their hosts would not be usable. This threat is increased by the possibility that the spread of the virus could be orchestrated to target a particular demographic group, thus having a direct effect on the election, and bringing the integrity of the entire process into question.

It does not take a very sophisticated malicious payload to disrupt an election. A simple attack illustrates how easy it is to thwart a web application such as voting. Netscape and Internet Explorer, the two most common browsers, have an option setting that indicates that all web communication should take place via a proxy. A proxy is a program that is interposed between the client and the server. It has the ability to completely control all Internet traffic between the two. Proxies are useful for many Internet applications and for sites that run certain kinds of firewalls. The user sets a proxy by making a change in the preferences menu. The browser then adds a couple of lines to a configuration file. For example, in Netscape, the existence of the following lines in the file

c:\program_files\netscape\prefs.js

delivers all web content to and from the user's machine to a program listening on port 1799 on the machine www.badguy.com.

user_pref("network.proxy.http", "www.badguy.com");
user_pref("network.proxy.http_port", 1799);

If an attacker can add these two lines (substituting his hostname for www.badguy.com) to the preferences file on somebody's machine, he can control every aspect of the web experience of that user. There are also ways of doing this without leaving a trail that leads directly to the attacker. While proxies cannot be used to read information in a secure connection, they can be used to spoof a user into a secure connection with the attacker, instead of the actual voting server, without the user realizing it. The next section explains various ways that an attacker could effect changes on a voter's computer.
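As an added example, not part of the original paper, the following Python script audits a Netscape-style prefs.js for exactly the proxy redirection just described: it parses the user_pref lines and reports any proxy host that an administrator has not allowlisted. The prefs.js content below is constructed, and the non-http proxy keys (ssl, ftp, socks, autoconfig_url) are assumed to follow the same Mozilla-family naming as the network.proxy.http key quoted above.

```python
import re
from typing import Dict, List, Set, Union
from urllib.parse import urlparse

PrefValue = Union[str, int, bool]

# Constructed sample of a prefs.js fragment (not taken from any real machine).
# It carries the two proxy lines quoted in the paper plus unrelated settings.
SAMPLE_PREFS_JS = """
// Netscape User Preferences File (constructed sample)
user_pref("browser.startup.homepage", "http://www.example.org/");
user_pref("network.proxy.http", "www.badguy.com");
user_pref("network.proxy.http_port", 1799);
user_pref("network.cookie.warnAboutCookies", true);
"""

# One preference line: user_pref("key", value); where value is a double-quoted
# string (with backslash escapes), an integer, or a boolean literal.
_PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*'
    r'("(?:[^"\\]|\\.)*"|-?\d+|true|false)\s*\)\s*;'
)

# Proxy keys to inspect. "http" is the one the paper quotes; the others are
# assumed to follow the same Mozilla-family naming convention.
PROXY_SCHEMES = ("http", "ssl", "ftp", "socks")


def parse_prefs(text: str) -> Dict[str, PrefValue]:
    """Parse user_pref lines into a dict; comments and malformed lines are skipped."""
    prefs: Dict[str, PrefValue] = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue
        key, raw = m.group(1), m.group(2)
        if raw.startswith('"'):
            prefs[key] = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        elif raw in ("true", "false"):
            prefs[key] = raw == "true"
        else:
            prefs[key] = int(raw)
    return prefs


def audit_proxy_settings(text: str, allowed_hosts: Set[str]) -> List[dict]:
    """Return one finding per proxy setting that points at a host outside allowed_hosts.

    An empty list means no proxy is configured, or every configured proxy host
    is on the allowlist. Hostnames are compared case-insensitively.
    """
    prefs = parse_prefs(text)
    allowed = {h.lower() for h in allowed_hosts}
    findings: List[dict] = []

    for scheme in PROXY_SCHEMES:
        host = prefs.get(f"network.proxy.{scheme}")
        if not isinstance(host, str) or host == "":
            continue
        if host.lower() in allowed:
            continue
        findings.append({
            "scheme": scheme,
            "host": host,
            "port": prefs.get(f"network.proxy.{scheme}_port"),
            "reason": "proxy host not on allowlist",
        })

    # A proxy auto-config URL redirects traffic just as effectively as a fixed
    # proxy host, so a PAC served from a non-allowlisted host is also reported.
    pac = prefs.get("network.proxy.autoconfig_url")
    if isinstance(pac, str) and pac:
        pac_host = urlparse(pac).hostname or pac
        if pac_host.lower() not in allowed:
            findings.append({
                "scheme": "autoconfig_url",
                "host": pac_host,
                "port": None,
                "reason": "proxy auto-config served from a host not on allowlist",
            })
    return findings


if __name__ == "__main__":
    for f in audit_proxy_settings(SAMPLE_PREFS_JS, {"proxy.corp.example"}):
        print(f"[{f['scheme']}] {f['host']}:{f['port']} - {f['reason']}")
```

On the constructed sample the audit reports the http proxy www.badguy.com on port 1799; the same check applied to a fleet of home or library machines before an election would surface the silent redirection the paper warns about.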

2.2 Delivery mechanism

The previous section gave three examples of what an attacker could do to disrupt an election if the attacker could install code of his choosing on people's computers. This section deals with how this installation could happen.

The first, and most obvious, mechanism is physical installation. Most people do not keep their computers in a carefully controlled, locked environment. Imagine someone who develops an application to attack the voting system, such as the two described above, prepares a floppy disk with the code on it, and then installs it on as many machines as possible. This could be accomplished by breaking into houses, by accessing machines in someone's house when visiting, by installing the program on public machines in the library, etc. The bottom line is that many people can obtain physical access to many other people's computers at some point leading up to an election. Then, malicious code can be delivered that can trigger any action at a later date, enable future access (as in the case of BO2K), or disrupt normal operation at any time. Considering that many of the attack programs that we are seeing these days run in stealth mode, malicious code could be installed such that average computer users cannot detect its presence.

While the physical delivery of malicious code is a serious problem, it is nowhere near as effective as remote automated delivery. By now, most people have heard of the Melissa virus and the I Love You bug. These are the better-known ones, but many such attacks happen all the time. In fact, the most widespread of the e-mail viruses, Happy99, has received very little media attention. Typically, these attacks cause temporary disruption in service, and perform some annoying action. In most of the cases, the attacks spread wider and faster than their creators ever imagined. One thing that all of these attacks have in common is that they install some code on the PCs that are infected. There is a misconception by many people that users must open an attachment in order to activate them. In fact, one virus called Bubbleboy was triggered as soon as a message was previewed in the Outlook mailer, requiring no action on the part of the user. Any one of these e-mail viruses could deliver the attack code described in the previous section.

It is naïve to think that we have seen the worst of the Internet viruses, worms, and bugs. In the last several months, the incidence of new attacks has grown much faster than our ability to cope with them. This is a trend that is likely to continue.

E-mail viruses are not the only way that malicious code can be delivered to hosts. The computers in most people's houses are running operating systems with tens of thousands of lines of code. These systems are known to be full of operational bugs as well as security flaws. On top of these platforms, users are typically running many applications with security problems. These security flaws can be exploited remotely to install malicious code on them. The most common example of such a flaw is a buffer overflow. A buffer overflow occurs when a process assigns more data to a memory location than was expected by the programmer. The consequence is that the attacker can manipulate the computer's memory to cause arbitrary malicious code to run. There are ways to check for and prevent this in a program, and yet buffer overflows are the most common form of security flaw in deployed systems today.

Perhaps the most likely candidate for delivering a widespread attack against an election is an ActiveX control, downloaded automatically and unknowingly from a Web server, which installs a Trojan horse (hidden program) that later interferes with voting. Several documented attacks against Windows systems operated exactly this way. In fact, any application that users are lured into downloading can do the same. This includes browser plug-ins, screen savers, calendars, and any other program that is obtained over the Internet. Another danger is that the application itself may be clean, but the installer might install a dynamically linked library (DLL) or other malicious module, or overwrite operating system modules. The number of ways is legion, and most users are not aware of the dangers when they add software to their computers. As long as there are people out there who download and install software over the Internet onto today's personal computers running today's operating systems, it will be easy for attackers to deliver code that changes their votes to people's computers.

Users who open attachments and download software from the network are not the only ones putting their votes at risk. AOL, for instance, is in a position to control a large fraction of the total votes, because all of their users run AOL's proprietary software. There are dozens of software vendors whose products run on many people's home machines. For example, there are millions of personal computers running Microsoft Office, Adobe Acrobat, RealPlayer, WinZip, Solitaire, and the list goes on. These vendors are in a position to modify any configuration file and install any malicious code on their customers' machines, as are the computer manufacturers and the computer vendors. Even if the company is not interested in subverting an election, all it takes is one rogue programmer who works for any of these companies. Most of the software packages require an installation procedure where the system registry is modified, libraries are installed, and the computer must reboot. During any stage of that process, the installation program has complete control of all of the software on that machine. In current public elections, the polling site undergoes careful scrutiny. Any change to the process is audited carefully, and on election day, representatives from all of the major parties are present to make sure that the integrity of the process is maintained. This is in sharp contrast to holding an election that allows people to cast their votes from a computer full of insecure software that is under the direct control of several dozen software and hardware vendors and run by users who download programs from the Internet, over a network that is known to be vulnerable to total shutdown at any moment.

3 The communications infrastructure

A network connection consists of two endpoints and the communication between them. The previous section dealt with one of the endpoints, the user's host. The other endpoint is the elections server. While it is in no way trivial, the technology exists to provide reasonable protection on the servers. This section deals with the communication between the two endpoints.

Cryptography can be used to protect the communication between the user's browser and the elections server. This technology is mature and can be relied upon to ensure the integrity and confidentiality of the network traffic. This section does not deal with the classic security properties of the communications infrastructure; rather, we look at the availability of the Internet service, as required by remote electronic voting over the Internet.

Most people are aware of the massive distributed denial of service (DDOS) attack that brought down many of the main portals on the Internet in February, 2000. While these attacks brought the vulnerability of the Internet to denial of service attacks to the mainstream public consciousness, the security community has long been aware of this, and in fact, this attack was nothing compared to what a dedicated and determined adversary could do. The February attack consisted of the installation and execution of publicly available attack scripts. Very little skill was required to launch the attack, and minimal skill was required to install the attack.

The way DDOS works is that a program called a daemon is installed on many machines. Any of the delivery mechanisms described above can be used. One other program, called the master, is installed somewhere. These programs are placed anywhere on the Internet, so that there are many unwitting accomplices to the attack, and the real attacker cannot be traced. The system lies dormant until the attacker decides that it is time to strike. At that point, the attacker sends a signal to the master, using a publicly available tool, indicating a target to attack. The master conveys this information to all of the daemons, which simultaneously flood the target with more Internet traffic than it can handle. The effect is that the target machine is completely disabled.

We experimented in the lab with one of the well known DDOS programs called Tribe Flood Network (TFN), and discovered that the attack is so potent that even one daemon attacking a Unix workstation disabled it to the point where it had to be rebooted. The target computer was so overwhelmed that we could not even move the cursor with the mouse.

There are tools that can be easily found by anyone with access to the web that automate the process of installing daemons, masters, and the attack signal. People who attack systems with such tools are known as script kiddies, and represent a growing number of people. In an election, the adversary is more likely to be someone at least as knowledgeable as the writers of the script kiddy tools, and possibly with the resources of a foreign government.

There are many other ways to target a machine and make it unusable, and it is not too difficult to target a particular set of users, given domain name information that can easily be obtained from the online registries such as Register.com and Network Solutions, or directly from the WHOIS database. The list of examples of attacks goes on and on. A simple one is the ping of death, in which a packet can be constructed and split into two fragments. When the target computer assembles the fragments, the result is a message that is too big for the operating system to handle, and the machine crashes. This has been demonstrated in the lab and in the wild, and script kiddy tools exist to launch it.

The danger to Internet voting is that it is possible that during an election, communication on the Internet will stop because attackers cause routers to crash, election servers to get flooded by DDOS, or a large set of hosts, possibly targeted demographically, to cease to function. In some close campaigns, even an untargeted attack that changes the vote by one percentage point could sway the election.

4 Social engineering

Social engineering is the term used to describe attacks that involve fooling people into compromising their security. Talking with election officials, one discovers that one of the issues that they grapple with is the inability of many people to follow simple directions. It is surprising to learn that, for example, when instructed to circle a candidate's name, people will often underline it. While computers would seem to offer the opportunity to provide an interface that is tightly controlled and thus less subject to error, this is counter to the typical experience most users have with computers. For non-computer scientists, computers are often intimidating and unfamiliar. User interfaces are often poor and create confusion, rather than simplifying processes.

A remote voting scheme will have some interface. The actual design of that interface is not the subject of this paper, but it is clear that there will be some interface. For the system to be secure, there must be some way for voters to know that they are communicating with the election server. The infrastructure does exist right now for computer security specialists, who are suspicious that they could be communicating with an imposter, to verify that their browser is communicating with a valid election server. The SSL protocol and server side certificates can be used for this. While this process has its own risks and pitfalls, even if we assume that it is flawless, it is unreasonable to assume that average Internet users who want to vote on their computers can be expected to understand the concept of a server certificate, to verify the authenticity of the certificate, and to check the active ciphersuites to ensure that strong encryption is used. In fact, most users would probably not distinguish between a page from an SSL connection to the legitimate server and a non-SSL page from a malicious server that had the exact same look as the real page.

There are several ways that an attacker could spoof the legitimate voting site. One way would be to send an e-mail message to a user telling that user to click on a link, which would then bring up the fake voting site. The adversary could then collect the user's credentials and, in a sense, steal the vote. An attacker could also set up a connection to the legitimate server and feed the user a fake web page, and act as a man in the middle, transferring information between the user and the web server, with all of the traffic under the attacker's control. This is probably enough to change a user's vote, regardless of how the application is implemented.

A more serious attack is possible by targeting the Internet's Domain Name Service (DNS). The DNS is used to maintain a mapping from IP addresses, which computers use to reference each other (e.g. 135.207.18.199), to domain names, which people use to reference computers (e.g. www.research.att.com). The DNS is known to be vulnerable to attacks, such as cache poisoning, which change the information available to hosts about the IP addresses of computers. The reason that this is serious is that a DNS cache poisoning attack, along with many other known attacks against DNS, could be used to direct a user to the wrong web server when the user types in the name of the election server in the browser. Thus, a user could follow the instructions for voting, and yet receive a page that looked exactly like what it is supposed to look like, but actually is entirely controlled by the adversary. Detailed instructions about checking certificate validity are not likely to be understood or followed by a substantial number of users.

Another problem along these lines is that any computer under the control of an adversary can be made to simulate a valid connection to an election server, without actually connecting to anything. So, for example, a malicious librarian or cyber café operator could set up public computers that appear to accept votes, but actually do nothing with the votes. This could even work if the computers were not connected to the Internet, since no messages need to be sent or received to fool a user into believing that their vote was cast. Setting up such machines in districts known to vote a certain way could influence the outcome of an election.

5 Specialized devices

One potential enabler at our disposal is the existence of tamper-resistant devices, such as smart cards. Cryptographic keys can be generated and stored on these devices, and they can perform computations, such that proper credentials can be exchanged between a client and a voting server. However, there are some limitations to the utility of such devices. The first is that there is not a deployed base of smart card readers on people's personal computers. Any system that involves financial investment on the part of individuals in order to vote is unacceptable. Some people are more limited in their ability to spend, and it is unfair to decrease the likelihood that such people vote. It would, in effect, be a poll tax. This issue is often referred to as the digital divide.

Even if everybody did have smart card readers on their computers, there are security concerns. The smart card does not interact directly with the election server. The communication goes through the computer. Malicious code installed on the computer could misuse the smart card. At the very least, the code could prevent the vote from actually being cast, while fooling the user into believing that it was. At worst, it could change the vote.

Other specialized devices, such as a cell phone with no general-purpose processor, equipped with a smart card, offer more promise of solving the technical security problems. However, they introduce even greater digital divide issues. In addition, the user interface issues, which are fundamental to a fair election, are much more difficult. This is due to the more limited displays and input devices. Finally, while computers offer some hope of improving the accessibility of voting for the disabled, specialized devices are even more limiting in that respect.

6 Is there hope?

Given the current state of insecurity of hosts and the vulnerability of the Internet to manipulation and denial of service attacks, there is no way that a public election of any significance involving remote electronic voting could be carried out securely. So, is there any hope that this will change?

For this to happen, the next generation of personal computers that are widely adopted must have hardware support to enable a trusted path between the user and the election server. There must be no way for malicious code to be able to interfere with the normal operation of applications. Efforts such as the Trusted Computing Platform Alliance (TCPA) (see http://www.trustedpc.org/home/home.htm) must be endorsed. The challenge is great because to enable secure remote electronic voting, the vast majority of computer systems need to have the kind of high assurance aspired to by the TCPA. It is not clear whether or not the majority of PC manufacturers will buy into the concept. The market will decide. While it is unlikely that remote electronic voting will be the driving force for the design of future personal computers, the potential for eliminating the hazards of online electronic commerce could potentially fill that role.

One reason that remote electronic voting presents such a security challenge is that any successful attack would be very high profile, a factor that motivates much of the hacking activity to date. Even scarier is that the most serious attacks would come from someone motivated by the ability to change the outcome without anyone noticing. The adversaries to an election system are not teenagers in garages but foreign governments and powerful interests at home and abroad. Never before have the stakes been so high.

7 Conclusions

A certain amount of fraud exists in the current offline election system. It is tolerated because there is no alternative. The system is localized so that it is very unlikely that a successful fraud could propagate beyond a particular district. Public perception is that the system works, although there may be a few kinks in it here and there. There is no doubt that the introduction of something like remote electronic voting will, and should, come under careful scrutiny, and in fact, the system may be held up to a higher standard. Given the current state of widely deployed computers in people's homes, the vulnerability of the Internet to denial of service attacks, and the unreliability of the Domain Name Service, we believe that the technology does not yet exist to enable remote electronic voting in public elections.

Acknowledgements

We thank all of the participants of the Internet Policy Institute e-voting workshop for a wonderful exchange of ideas. Special thanks go to Lorrie Cranor, Andrew Hume, and David Jefferson for valuable input.