Security Survey and Analysis of Vote-by-Mail Systems
Jenny Blessing (jbless@mit.edu), Julian Gomez (jrgomez@mit.edu), McCoy Patiño (mccoyp@mit.edu), Tran Nguyen (kiretran@mit.edu)

arXiv:2005.08427v2 [cs.CY] 5 Sep 2020

Abstract

Voting by mail has been gaining traction for decades in the United States and has emerged as the preferred voting method during the COVID-19 pandemic [6, 55]. In this paper, we examine the security of electronic systems used in the process of voting by mail, including online voter registration and online ballot tracking systems. The goals of these systems, to facilitate voter registration and increase public confidence in elections, are laudable. They indisputably provide a critical public good. It is for these reasons that understanding the security and privacy posture of the mail-in voting process is paramount.

We find that online voter registration systems in some states have vulnerabilities that allow adversaries to alter or effectively prevent a voter's registration. We additionally find that ballot tracking systems raise serious privacy questions surrounding ease of access to voter data. While the vulnerabilities discussed here are unlikely to enable an adversary to modify votes, several could have the effect of disenfranchising voters and reducing voter confidence in U.S. elections infrastructure, thereby undermining the very purpose of these systems.

1 Introduction

In an era where COVID-19 has necessitated social distancing and an elimination of large gatherings, the logistics of political elections in the United States are a natural cause for concern. On the one hand, it is important that our democratic processes proceed as normal and elections continue to take place; on the other, in-person voting at centralized locations poses a potential health threat to citizens and threatens to suppress voter turnout.

This leaves two possibilities for remote voting: Internet voting or voting by mail. Voting over the Internet has repeatedly been shown to be dangerously insecure by security researchers, leaving large-scale mail-based voting as the only viable remote option [26, 28, 36]. Voting by mail allows citizens to exercise their right to vote from the safety of quarantine.

There are currently five states—Colorado, Oregon, Washington, Hawaii, and Utah—that conduct elections almost entirely by mail, and an additional six provide a permanent mail ballot option [11]. While only a handful of states currently vote primarily by mail, U.S. Senators Amy Klobuchar and Ron Wyden introduced a bill in March
2020 that would “guarantee every voter a secure mail-in paper ballot” [15, 11].

To reassure voters that their mailed ballot is on its way or that their returned ballot was counted, states that make heavy use of voting by mail have widely adopted online ballot tracking systems [11]. These systems generally allow a voter to track the status and location of his or her ballot at any point and receive notifications by email or SMS.

The novelty of these tracking systems is such that none of them have yet been publicly evaluated from a technical perspective. In this paper, we hope to bridge this gap and provide an evaluation useful for private citizens concerned about their privacy as well as for election administrators interested in ensuring the integrity of their elections. The ongoing pandemic serves as a reminder that the security of remote systems that support the voting process, such as online voter registration systems and ballot tracking systems, is equally as important as the security of in-person vote-casting systems.

1.1 Existing Ballot Tracking Systems

While only five states conduct elections entirely by mail, all states allow absentee balloting pending an acceptable excuse, and so ballot tracking systems are used across several states and counties. There are three ballot tracking systems currently in common use: Ballot Scout, BallotTRACE, and BallotTrax. By our count, around 15 states have counties that use at least one of these three tracking websites.

Two of these three systems, BallotTRACE and BallotTrax, were originally developed in Colorado's Denver County, which has been the vanguard of voting by mail. Each of these systems uses USPS Intelligent Mail barcodes (IMb) to track a ballot from when it is mailed from a centralized election facility to when the completed ballot is received by local voting officials. The services and tracking capabilities offered by all three systems are effectively the same. As an example, the web interface of BallotTRACE is shown in Figure 1.

Ballot Scout. Ballot Scout is a web application developed by Democracy Works, a nonpartisan, non-profit organization that provides tools for voters and support to election officials [53].

BallotTRACE. BallotTRACE is a web application developed by the Denver Elections Division in 2009 in partnership with a local software company, i3logix [8]. It was the first of the three systems.

BallotTrax. BallotTrax is available as a web application and as an iOS mobile application. It is a spin-off of BallotTRACE, marketed more widely by i3logix. It is run as a for-profit service [47].

2 Online Voter Registration

2.1 Current State of OVR

A voter must first submit a voter registration form in all states but North Dakota in order to mail in a ballot. This is traditionally done in person or by mail, but starting with Arizona in 2004, voter registration has increasingly moved online. As of February 3, 2020, 39 states and the District of Columbia allow online voter registration (OVR) in
some form. Cost savings associated with OVR are often cited by election officials as a significant reason for the shift, but other perks include task automation and greater convenience for voters [44, 49]. Verifying identities with personally identifying information (PII) over the internet and protecting this information, however, requires some careful consideration.

Figure 1: BallotTRACE's voter lookup search form.

In many aspects, OVR mirrors mail-in registration. Voters enter their name, date of birth, and some PII that only the voter is presumed to know. It is most common for states to require only a driver's license/permit or state ID number for this PII [43]. This is cause for concern when an individual's name and date of birth are used to generate these numbers, as is the case in 11 states [35]. Maryland is one of these states, but allows voters to register using only this ID number—the last four digits of a voter's Social Security number (SSN) are only required if they do not have a state ID [9]. This clearly presents a potential avenue for voter impersonation.

Many states require additional PII to make their systems more secure. This usually means requiring a voter's SSN or its last four digits, but some states opt for an audit code or ID issuance date instead. Unfortunately, none of this PII is entirely secure.

2.2 Security Concerns

Sweeney et al. evaluated how voter identity theft could be carried out through OVR. They found that much of the data required for malicious registration is publicly available or can be obtained via data brokers and the dark web. They found that 1% of nationwide registrations could be targeted with data costing only $10,081
to $24,926 in total, depending on the source [41]. Disenfranchising 1% of voters could feasibly affect the outcome of national elections if targeted correctly.

The authors acknowledge that the security risks with online registration are not particularly new, but that the digital process makes it easier to carry out such attacks on a larger scale. In order to prevent large-scale identity theft attacks through automation, the National Conference of State Legislatures (NCSL) recommends using CAPTCHA on registration websites [21]. CAPTCHA provides some defense against automated registration, but the researchers point out that this defense is being weakened by the advancement of machine vision algorithms. Programs developed by Google, academic researchers, and other companies can bypass a variety of CAPTCHAs and reCAPTCHAs with 90+% accuracy, making them only a “nominal deterrent” [41].

It would appear, then, that securing voter registration requires more than securing just registration forms and websites. This is highlighted by a reported incident during the 2016 presidential primary election in Riverside County, California. District Attorney Michael Hestrin ordered an investigation when 20 formal complaints were received on election day, with voters claiming that they were turned away from the polls due to changes in their party registration that they had not made. The investigation found that registrations were altered through California's registration website, but no IP addresses were collected and no audits, if any were performed, revealed suspicious activity [41, 29].

2.3 Security Recommendations

Audits should be routinely performed on voter registration records in order to detect an unusual volume of activity, as the NCSL recommends [21]. We also recommend recording the IP addresses used when making registration changes so investigations can make headway if they are necessary. Providing confirmation of registration changes by any available means of contact could also alert voters to suspicious activity. For instance, an example confirmation would be to send a notice to a voter's old and new addresses when address changes are made online [40].

When transferring data through online registration forms, sensitive PII should be end-to-end encrypted to minimize the risk of adversaries capturing this data and using it to modify registrations. The National Institute of Standards and Technology (NIST) has specified best security practices when handling election materials, including registration data. NIST recommends that states use TLS 1.0 or above to encrypt transmitted registration data [38]. We would update this recommendation to suggest using TLS 1.2 or above, given that most browser support for 1.0 and 1.1 will be dropped soon due to security vulnerabilities in each.

2.4 OVR Encryption Evaluation

We used an online server testing tool provided by Qualys, Inc. to evaluate the encryption protocol security of the OVR websites provided by each state and the District of Columbia [20]. With the exception of Alaska's website, each website received a “B” rating or higher from the tool. Alaska's website received an “F”
for its vulnerability to Zombie POODLE attacks, which allow some plaintext recovery and reordering of encrypted blocks [10].

Two states' websites—Florida's and Pennsylvania's—demonstrate a vulnerability in their use of Diffie-Hellman key exchange that allows a man-in-the-middle attack known as “Logjam”. This Logjam attack allows an adversary to read and modify data passed over the connection [2].

Five states' websites—Iowa's, Kentucky's, Nebraska's, New York's, and Pennsylvania's—don't use forward secrecy. Without forward secrecy, an adversary who discovers a server's private key can use it to decrypt any and all past messages sent over the channel [19].

Unfortunately, 14 websites support TLS 1.0 and 20 support TLS 1.1. One website—West Virginia's—also provides undesirable support for SSL 3. The good news is that all websites support TLS 1.2, and 10 even provide support for TLS 1.3.

3 USPS Services

The United States Postal Service (USPS) is the infrastructural backbone that provides chain of custody service for ballots and related election mail. It has two main services utilizing the Intelligent Mail barcode (IMb): Informed Delivery (ID) and Informed Visibility - Mail Tracking & Reporting (IV-MTR). Informed Delivery is the older and original initiative by the Postal Service to improve transportation transparency, while Informed Visibility is a service and corresponding API provided to business owners. Both attempt to provide end-to-end tracking, with a few differences in implementation.

Should Informed Delivery be compromised, its utility in performing wholesale fraud is, at best, negligible. We primarily assess ID and IV-MTR as a model to inform us on the availability and accessibility of ballot-tracking services, as well as their accuracy and confidentiality measures. Security weaknesses in IV-MTR pose a slightly larger threat, but do not point to dire security dilemmas in using vote-by-mail. As imperative as the USPS is to scaling up vote-by-mail, we feel it worthy to discuss past security oversights in these systems and what has been addressed since [11]. Security concerns regarding the Intelligent Mail barcode will be discussed in §4.3, Barcode Security; this section will focus on the ID and IV-MTR services explicitly provided by USPS.

3.1 Informed Delivery

Informed Delivery was originally piloted in 2014 for a few select zip codes, and as of 2017 provides customers in most major zip codes with the ability to determine where their mail is in shipment. Information provided through Informed Delivery includes location information based on scans of the parcel's barcode at each transfer point, and a grayscale image of the front of the parcel. The need to scan each individual parcel results in poor real-time performance, with users of Informed Delivery noting that the delivery estimates are often not reliable, or mail updates coming in much later than expected. Performance optimizations were made to address these issues, making Informed Visibility a more performant “real-time tracker” by not requiring finer-granularity barcode tracking. The official site for accessing Informed Visibility states it “leverages intelligence to create logical and assumed handling events to provide expanded visibility”, or makes reasonable assumptions regarding a parcel's location based on the movements of its expected carrier, with any additional confirmation provided by scanning the parcel itself [31, 33].

Prior to early 2019, USPS Informed Delivery did not rigorously authenticate identity before allowing users to access the tracking service. Account creation used a knowledge-based authentication (KBA) scheme of approximately 4 multiple-choice questions based on information from credit bureaus. This security scheme was woefully lacking and led to a prolific string of stalking, credit card fraud, and identity theft cases in 2017-2018 [16]. USPS hesitated for nearly two years to implement proposed security schemes, including utilizing its own postage service, to mitigate the widespread attacks [17]. USPS strongly urged users to proactively make accounts with strong passwords to counter the fraudsters, and closing fraudulent accounts required users to send sensitive security question information to customer support through email [16].

As of early 2019, we find that much of the earlier concerns have largely been addressed after several iterative failures in addressing the weak security. Accessing Informed Delivery no longer relies solely on KBA; services associated with Informed Delivery are now decoupled from general account privileges and require an extra one-time two-factor authentication to access them. Per the January 2020 USPS Informed Delivery sign-up guide, Informed Delivery is not available for businesses, while personal use requires a valid address or P.O. box in an eligible location [32]. Eligible locations allow three possible avenues for registering for Informed Delivery.

Two of the avenues are given online, with the third in fine print. Upon attempting to view tracking information, a user is prompted with the two main signup options after account creation: a one-time code sent to a phone via SMS, or a request for a code to be mailed to the registered address. The more convenient method utilizes mobile account information from carriers including AT&T, T-Mobile, Verizon, U.S. Cellular, and other branded wireless operators within the United States. USPS account profile information must match the address, name, and number on file with the carrier before a one-time passcode is sent [25]. For this modality of verification, an attack would require the account password, as well as a phone number associated with the correct address. There are no limits or checks placed on changing Account Profile information after logging in, but a temporary lockout is placed on attempting to verify by phone after 3 changes in a day. Once an account has been verified, changing the profile nullifies the prior verification and re-authentication must be done.

From testing with a toy account, information is simply checked against the service/billing name and address associated with the phone number for authentication. A motivated attacker could likely change their address through their service provider, as we did using a volunteer's Google Fi account to switch addresses and sign up for one of our parents' residences. A screenshot of a recent Informed Delivery email from the email account associated with this toy account is shown in Figure 2. The grayscale
image has been partially censored to hide sensitive information for the purposes of this report and is unaltered in the email. The email service is an opt-out feature of Informed Delivery.

The second option presented is to request an invitation code to be sent to the specified address by mail. For those unable to do either, USPS also states in fine print that they can authorize accounts by walk-in at participating locations with proper identification [30].

To briefly cover accessibility with ID, apartment addresses within eligible zip codes are frequently ineligible for Informed Delivery sign-up. The third authentication option, of allowing users to authenticate their identities at select postal service locations, is likely not viable for certain zip codes, and is entirely unavailable at the time of this writing. Vote-by-mail access has been a concern for populations without a permanent address or P.O. box. Voter registration and access to tracking or registration services that require permanent addresses or a particular locality have seen poor registration and disproportionately poorer turnout rates among minority populations [46]. North Dakota, a prominent and controversial example of voting inaccessibility, agreed to a court order to ease registration restrictions on the basis of address after nearly four years of litigation and only a week prior to the writing of this section [24].

3.2 Informed Visibility

Whereas security issues for Informed Delivery generally stem from user authentication, Informed Visibility - Mail Tracking & Reporting's security concerns stem from its API. The ballot tracking applications we examined do not explicitly state whether they use IV-MTR's API to inform their mail-status updates and announcements, so we cover the main points of concern with IV-MTR itself.

IV-MTR returns multiple file formats, from PKG to JSON, containing parcel location information. Although we were unable to access the current API documentation, an older copy of the API [30] and a partially retracted 2018 security audit of IV-MTR imply numerous security and encryption weaknesses and system misconfigurations on each of the 13 IV servers, among other concerns [12, 30]. Later the same year, news stories reported that the API accepted wildcard search parameters for nearly every method and did not authenticate a query's viewing permissions before returning relevant data [18].

Poignantly, a report querying “for readers who volunteered to help with this research” was able to gain access to “multiple accounts when those users had more than one user signed up at the same physical address” [18]. The security audit occurred only a few weeks before the news broke, and the allowance of unverified wildcard search queries is a non-trivial oversight. Assuming these vulnerabilities have been patched, the information a ballot tracking app has access to through these APIs is not clear; whether the app stores non-election-related parcel information is also of concern.

A scan of the 2019 copy of the IV-MTR documentation published after the security patch shows that although the connection is still only secured with TLS 1.0, the authentication protocol now requests user information in search
queries, and authentication tokens time out after 15 minutes [31].

Figure 2: Email received from using one member's phone to sign up at another member's address. Grayscale images of mail and incoming parcel bundles are shown. Sensitive information redacted.

4 Ballot Tracking Systems

4.1 Tracking System Authentication

All three major ballot tracking systems—Ballot Scout, BallotTRACE, and BallotTrax—have online web applications that allow a voter to view their ballot tracking status [52, 4, 3]. These lookup systems, however, authenticate users using only voter record data that is publicly available in many states, enabling users other than the voter in question to view the voter's ballot status and, perhaps of greater concern, voting history.

States that make voter files public have historically done so to allow public scrutiny to prevent voter fraud, but political campaigns have also benefited greatly from the availability of voter databases [34, 27]. Others have quickly capitalized on this data. In 2018, two mobile applications, VoteWithMe and OutVote, were released. These services used information from government records to allow consumers to see which of their friends and family voted in recent elections by matching the smartphone's contacts to voter files [34], with the effective end goal of using social pressure to get people to vote. While these apps have lost popularity since the November 2018 election, ballot tracking websites provide very similar information and have renewed this conversation. For example, California's version of BallotTrax advertises on its homepage that, when using its system, “tracking your ballot...has never been easier” [52]. Unfortunately, this ease comes with a security tradeoff. BallotTrax asks voters for their first name, last name, date of birth, and ZIP code in order to view tracking information, all data contained in California's voter database, which has been made publicly available under freedom of information requests [52].

Sites such as VoterRecords.com have taken voter databases from several states and collected the information under one centralized website, allowing any user to search for a voter's record using only their name, to view all voters registered in a particular district, and various other combinations. According to its website, VoterRecords.com is “sourced from official government public records that were released under FOIA and public record laws” [50].

Although this site has collected the records of just 16 out of 50 states, numerous other states have their voter databases separately available online. New York, for example, is not included in VoterRecords.com, but in 2019 the New York City Board of Elections uploaded voter enrollment data for 4.6 million voters to its website [51]. While it appears that this particular database has since been removed, the state allows anyone to request the full voter list, and private citizens have made a handful of New York voter lookup tools available online [23].

BallotTRACE, developed by i3logix in Denver, Colorado, operates similarly to BallotTrax. Figure 1 displays the lookup form used by BallotTRACE and shows that the system allows voter lookup based only on first name, last name, ZIP code, and birth year [4]. To demonstrate the feasibility of arbitrary voter lookup, we chose to look up the voter information of the Mayor of Denver, Michael Hancock, as an example. Using voter record data from VoterRecords.com, we were able to access the mayor's ballot tracking status account page, and further view the voting history for the 2020 primary, as shown in Figure 3 [4].

Figure 3: BallotTRACE's lookup page for the mayor of Denver, CO, that displays partial voting history indicating that the mayor cast a ballot in the 2020 primary elections, accessed using public voter records. Sensitive information is redacted.

We were further able to access the Notification Preferences page, as shown in Figure 4, and seemingly could have modified or unsubscribed
from notification updates. Even without making any modifications to contact information, an adversary could view a voter's email address or partial phone number, as demonstrated.

Figure 4: BallotTRACE's notifications page for the mayor of Denver, CO. The system appears to allow any user who accesses a voter information page to update voter notifications. Again, sensitive information is redacted.

The problem is fundamentally one of insufficient authentication. The system cannot guarantee with any measure of confidence that the user looking up a particular voter's information is truly the voter if the only information required to look up a voter is publicly available.

Our proposed solution is to recommend the use of a 12-digit unique, randomized ID that is assigned to a particular ballot envelope. The concept is similar to the United States 2020 Census's use of 12-digit Census IDs, which are included in the materials mailed to residents [1]. A state or county can provide a voter with this unique ID as part of their paper-based or online absentee ballot request. For states such as California that are planning on automatically sending all voters mail-in ballots, this ID could be included with the ballot to enable voters to track its return to their local election facility [7]. Voters could use this randomly assigned ID along with typical identifying information, such as first name and last name, to authenticate themselves to the ballot tracking system.

4.2 Web Lookup Form Security

Like online voter registration systems, the various ballot tracking web applications all necessarily contain HTML or AngularJS forms in which voters can enter their information. This input is then used as the basis for subsequent SQL queries to the election facility's ballot tracking database [52, 4, 3]. Given this proximity to an important elections database, properly securing these forms is critical.

For a broad overview of the configuration of each platform's TLS/SSL web server, we used Qualys' public SSL Server Test scanning tool, which evaluates a website on the basis of its certificate, protocol support, key exchange, and cipher strength [20].

BallotTRACE. BallotTRACE's certificate signature algorithm uses SHA256 with RSA-4096. It only supports TLS 1.2 and above and is therefore secure against attacks affecting older versions of SSL/TLS like DROWN or POODLE [20].

BallotTrax. California's BallotTrax system uses a signature algorithm with SHA256 and RSA with a 2048-bit key. However, the server supports TLS 1.1, a legacy version of TLS which has been shown to be insecure [20]. Chrome is planning on deprecating support for TLS 1.0 and 1.1 in 2020, citing flaws in MD5 and SHA-1, both used by these older versions of TLS. Apple, Microsoft, and Mozilla announced similar plans [5].

Ballot Scout. Ballot Scout's signature algorithm also uses SHA256 and RSA with a 2048-bit key. Ballot Scout supports protocols TLS 1.2 and 1.3 and prevents downgrade and other common attacks [20].

Overall, BallotTRACE's and Ballot Scout's server configurations provide basic levels of security, although BallotTrax's configuration is flawed due to its support of a legacy version of TLS. Scanning all three sites for SQL injection vulnerabilities using Pentest-Tools' SQL Injection Scanner in addition to manual input testing revealed no SQL injection vulnerabilities [37]. While there are no automated scanners capable of detecting all possible vulnerabilities, these results are a promising indicator of solid security practices.

4.3 Barcode Security

As previously mentioned when discussing USPS services, mail-in ballot tracking is enabled through the use of Intelligent Mail barcodes (IMbs), developed by the United States Postal Service. Mailed ballots are contained in an outer envelope with a 65-bar Intelligent Mail barcode, the technical specifications of which are publicly available [13]. When a completed ballot is mailed back, a machine at a central elections facility scans the barcode and updates the ballot tracking information accordingly.

A barcode is fundamentally an input to a system. As such, barcodes represent a potential vulnerability. While an effective security policy naturally distrusts system inputs and assumes the possibility of a malicious adversary, barcode scanners have not historically adopted this attitude of distrust. A 2008 talk at DEFCON demonstrated the feasibility of multiple barcode-driven attacks, including barcode-driven buffer overflow, SQL injection, and cross-site scripting attacks, and specifically mentioned Intelligent Mail barcodes as an example [42]. QR codes were also shown in 2012 to be capable of exploiting vulnerabilities in the reader software or operating system, such as SQL injections [14]. Since then, the capabilities and motivations of malicious adversaries have only increased, but there has been no evidence that barcode security has seen a commensurate increase in attention.

A barcode, then, is actually an attack vector into a system. A maliciously
crafted barcode is capable of launching common security attacks. In the ballot tracking process, the concern is that an adversary could create a malicious barcode and mail back an envelope with this barcode instead of a genuine Intelligent Mail barcode. This adversarial barcode would then be scanned at an elections facility, conceivably causing damage to election databases tracking which ballots have been returned—and, far more consequentially, who has already voted in the election. To mitigate potential consequences of a malicious barcode, then, the application that takes in scanner data should validate and sanitize all inputs, whether in text or barcode form.

5 Information Privacy

In order to properly deliver results of ballot tracking to a voter, ballot tracking services often require the submission of personal data. In order to deliver updates on a voter's ballot, Ballot Scout requires the submission of a voter's name, address, year of birth, and email address or phone number. Ballot Scout notes in their privacy policy that they “do not disclose any of your personal information unless required by law” [54].

While in many states voter information is public, the amount of data varies between states and the means by which to obtain the information are different as well [39]. This is where a crucial distinction lies. It might be very possible to obtain voter information in many states, but there is often a process by which one must request a list of voter information. As a result, there is a paper trail that could pin responsibility. While that does not directly protect privacy in and of itself, the fact that any malicious act as a result of this information request could be traced back to the requester is a deterrent. When methods are introduced by which to obtain this information in an anonymous way via hacking, the privacy of the voting public is put at greater risk.

The schema and means by which the information is stored are not publicly available, as these ballot tracking services are mostly powered by private corporations. Presumably, this is intended to ensure the confidentiality of proprietary designs. However, this does pose the privacy concern of aggregate voter statistics. As it would be necessary to track one's ballot, the ballot tracking services are made aware of distinct voter actions. These actions include, but are not limited to: whether or not the individual has voted, at what time they voted, and where they chose to deposit their ballot. While the contents of the ballot might remain secure, the behaviors of voters may not.

Similar to Ballot Scout, many tracking services explicitly state that they will not give away your personal information. However, there are no such lines in the privacy policies describing the usage or sale of aggregate statistics obtained by tracking the voters' ballots [54].

This brings up the issue of differential privacy: the aggregate statistics must be able to describe patterns of groups within the dataset while withholding personally identifiable information, in this case the actions of the individual. If the company were to sell aggregate information that could isolate individuals, it becomes much easier for political entities to interfere with the mail-in voting process. Such data becomes vulnerable to an attack such as a membership attack, in which the attacker can determine whether or not a specific individual falls within a subset of the data. For example, an adversary would be able to determine, via membership attack, a set of individuals that do not vote by mail. In a state where vote by mail is the only option, contextual information such as this example becomes very powerful in determining the behavior of voters. Similarly, since party affiliation is publicly known, with the voter actions known of a subset of individuals, the following scenario could occur: time or location data for mail-in ballots are released or sold to Party A. Party A, via membership attack, isolates and learns that Party B voters tend to deposit their ballots at a certain time or location more frequently. As a result, Party A tampers with deposit boxes in that location for only those specific times to achieve a maximal impact with minimal effort.

The problem of privacy becomes compounded when the security of said information is subjected to multiple weak points. Ballot tracking services are not powered entirely by the technology of the given corporation. As a result they are not solely responsible for all of the potential security breaches. Trackers require the usage of third-party tools in order to deliver their end product. In the case of Ballot Scout, to deliver its tracking services it enlists the following services: Twilio, Amazon SES, and SmartyStreets [54]. Each of these distinct services gains access to different pieces of a voter's personal information. These services similarly rely on other third-party services. As a result, a chain of dependencies is created in which a voter's personal data is exposed at multiple different points.

Twilio, for example, had a breach in 2018 from one of its providers, Voxox, that resulted in SMS message details being leaked [45]. Since Twilio is used to power voter notifications, a hack on any part of this pipeline could result in the adversary being aware of where the ballot is due to these notifications. The adversary could similarly obtain authentication codes to register ballot tracking properly. It seems imperative that there must be accountability for the pipeline of providers that have access to voters' personal information. Otherwise, the public must be adequately educated on the reach that their personal information has when being provided to a ballot tracking service such as Ballot Scout.

6 Conclusion

Vote-by-mail has received increased scrutiny during the COVID-19 pandemic, with widespread implementation seen as a necessity given social distancing restrictions. States that have implemented no-excuse, state-wide vote-by-mail have seen vast successes and higher voter turnout, highlighting its efficacy as an alternative to traditional on-site ballot casting.

Security concerns and lack of transparency with the chain of custody are often cited as the primary reason for sticking to traditional voting methods. Voters want to ascertain their ballots are actually counted, and for good reason, as on-site voting machines already have numerous security vulnerabilities [22]. Attempts to rectify this have produced numerous web and mobile applications, including Ballot Scout, BallotTRACE, and BallotTrax, that provide users with an interface to view “end-to-
end mail tracking information” [33]. Un- grateful for the volunteers local to states fortunately, any technological augmen- using these ballot tracking systems for tation to a paper-based voting scheme is assisting us in our evaluation, and the itself a potential security vulnerability. volunteer that allowed us to sign up for Informed Delivery using their home ad- In performing security analyses on these dress. applications and other relevant sites, we have reaffirmed that although there ex- ist concerns–including the use of weak References user authentication and online voter reg- istration site schemes–none present vul- nerabilities that can be exploited on a [1] United States Census 2020. url: large scale to directly influence an elec- https : / / my2020census . gov / tion. The example fraudulent account login. we temporarily created for USPS, for in- [2] David Adrian, Karthikeyan Bhar- stance, requires an attacker to leave an gavan, Zakir Durumeric, Pierrick information trail with their respective Gaudry, Matthew Green, J. Alex phone carrier, and is not scalable. Al- Halderman, Nadia Heninger, though ballot tracking systems pose con- Drew Springall, Emmanuel cerning privacy questions, it would be Thomé, Luke Valenta, Benjamin difficult for an adversary to use them to VanderSloot, Eric Wustrow, perpetrate voter fraud on a large scale. Santiago Zanella-Béguelin, and Paul Zimmermann. “Imperfect Our findings entirely support the no- Forward Secrecy: How Diffie- tion that vote-by-mail is an ideal scheme Hellman Fails in Practice”. In: for wide-spread implementation, despite Proceedings of the 22nd ACM its flaws related to tracking. Vote-by- SIGSAC Conference on Computer mail offers a robust paper-trail and has and Communications Security, been shown to increase voter turnout 2015. and engagement [48]. The electronic [3] Ballot Scout Lookup Widget. systems supporting remote voter regis- Democracy Works. url: https : tration and voting, however, will need / / www . 
democracy . works / significant security improvements before ballot- scout- lookup- widget- we can truly trust them to uphold the sample. integrity of our democratic processes. [4] BallotTRACE:Tracking, Report- ing And Communication Engine. City and County of Denver. url: 7 Acknowledgements https : / / ballottrace . org / home. We want to express our appreciation to [5] David Benjamin. Modernizing the 6.857 staff for their dedication to in- Transport Security. Google Se- struction and support in what will in- curity Blog. 2018. url: https : variably be a semester to remember. / / security . googleblog . com / 2018 / 10 / modernizing - We would like to especially thank Ron transport-security.html. Rivest for his helpful discussions, guid- ance, and encouragement. We are also 14
[6] The New York Times Editorial Board. The 2020 Election Won't Look Like Any We've Seen Before. The New York Times. url: https://www.nytimes.com/2020/03/21/opinion/sunday/coronavirus-vote-mail.html?referringSource=articleShare.
[7] Nick Corasaniti and Jennifer Medina. California to Mail All Voters Ballots for November Election. The New York Times. 2020. url: https://www.nytimes.com/2020/05/08/us/politics/california-mail-vote-november-election.html.
[8] Denver Elections Division. 2010 Professional Practices Program: Ballot TRACE. url: https://www.electioncenter.org/publications/2010%5C%20PPP/Denver_Election%5C%20Paper%5C%20Submittal_Ballot%5C%20Trace_2010.pdf.
[9] Maryland State Board of Elections. Voter Registration. 2020. url: https://elections.maryland.gov/voter_registration/index.html.
[10] Kelly Jackson Higgins. New Zombie 'POODLE' Attack Bred from TLS Flaw. 2019. url: https://www.darkreading.com/vulnerabilities---threats/new-zombie-poodle-attack-bred-from-tls-flaw/d/d-id/1333815?_mc=sm_iwfs_editor_kellysheridan.
[11] National Vote at Home Institute. Vote at Home Scale Plan. 2020. url: https://www.voteathome.org/wp-content/uploads/2020/03/VAHScale_StrategyPlan.pdf.
[12] Office of Inspector General. Informed Visibility Vulnerability Assessment. United States Postal Service. 2018. url: https://www.uspsoig.gov/sites/default/files/document-library-files/2018/IT-AR-19-001.pdf.
[13] Intelligent Mail Barcode Technical Resource Guide. United States Postal Service. 2009. url: https://postalpro.usps.com/node/221.
[14] Peter Kieseberg, Sebastian Schrittwieser, Manuel Leithner, Martin Mulazzani, Edgar Weippl, Lindsay Munroe, and Mayank Sinha. Malicious Pixels Using QR Codes as Attack Vector. Trustworthy Ubiquitous Computing, pp. 21-28. 2012. url: https://link.springer.com/chapter/10.2991/978-94-91216-71-8_2.
[15] Amy Klobuchar and Ron Wyden. Here's how to guarantee coronavirus won't disrupt our elections. Washington Post. url: https://www.washingtonpost.com/opinions/2020/03/16/heres-how-guarantee-coronavirus-wont-disrupt-our-elections/.
[16] Brian Krebs. US Secret Service Warns ID Thieves are Abusing USPS's Mail Scanning Service. 2018. url: https://krebsonsecurity.com/2018/11/u-s-secret-service-warns-id-thieves-are-abusing-uspss-mail-scanning-service/.
[17] Brian Krebs. USPS 'Informed Delivery' Is Stalker's Dream. 2017. url: https://krebsonsecurity.com/2017/10/usps-informed-delivery-is-stalkers-dream/.
[18] Brian Krebs. USPS Site Exposed Data on 60 Million Users. 2018. url: https://krebsonsecurity.com/2018/11/usps-site-exposed-data-on-60-million-users/.
[19] SSL Labs. SSL and TLS Deployment Best Practices. 2020. url: https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices.
[20] SSL Labs. SSL Server Test. Qualys, Inc. 2020. url: https://www.ssllabs.com/ssltest/.
[21] Dylan Lynch. Securing Voter Registration Systems. National Conference of State Legislatures. 2018. url: https://www.ncsl.org/research/elections-and-campaigns/securing-voter-registration-systems.aspx.
[22] Andrea Cordova McCadney, Elizabeth Howard, and Lawrence Norden. Voting Machine Security: Where We Stand Six Months Before the New Hampshire Primary. 2019. url: https://www.brennancenter.org/our-work/analysis-opinion/voting-machine-security-where-we-stand-six-months-new-hampshire-primary.
[23] Stephen P. Morse. Searching the New York State Voter Records in One Step (2002-2019). url: https://stevemorse.org/nysvoters/nysvoters.html.
[24] NARF. North Dakota Agrees to Court-ordered Relief Easing Voter ID Laws for Native Americans on Reservations. 2020. url: https://www.narf.org/nd-voting-rights/.
[25] Online Mobile Phone Verification. url: https://ips.usps.com/IPSWeb/verification_user_information.xhtml.
[26] Sunoo Park, Michael Specter, Neha Narula, and Ronald L. Rivest. Going from Bad to Worse: From Internet Voting to Blockchain Voting. 2020. url: https://people.csail.mit.edu/rivest/pubs/PSNR20.pdf.
[27] Aki Peritz. Registered to vote? Your state may be posting personal information about you online. The Washington Post. 2019. url: https://www.washingtonpost.com/outlook/2019/04/09/registered-vote-your-state-is-posting-personal-information-about-you-online/.
[28] National Academies of Science, Engineering, and Medicine. "Securing the Vote: Protecting American Democracy". In: The National Academies Press, Sept. 2018.
[29] John Sepulvado. DA: Hackers Penetrated Voter Registrations in 2016 Through State's Election Site. 2017. url: https://www.kqed.org/news/11579541/hackers-penetrated-voter-registrations-in-2016-through-states-election-site.
[30] United States Postal Service. 2018 Informed Delivery API. 2018. url: https://krebsonsecurity.com/wp-content/uploads/2018/11/USPS-ID-API.txt.
[31] United States Postal Service. 2019 Informed Delivery API Documentation. 2019. url: https://mailomg.files.wordpress.com/2019/08/iv-mtr-api-developer-toolkit_v2.5.pdf.
[32] United States Postal Service. How to Sign Up for Informed Delivery. 2020. url: https://www.usps.com/c360/images/informed_delivery/Informed%5C%20Delivery%5C%20Sign%5C%20Up%5C%20Guide%5C%20Jan%5C%202020.pdf.
[33] United States Postal Service. Informed Visibility Mail Tracking & Reporting. 2020. url: https://iv.usps.com/#/landing.
[34] Natasha Singer. Did You Vote? Now Your Friends May Know (and Nag You). The New York Times. 2018. url: https://www.nytimes.com/2018/11/04/us/politics/apps-public-voting-record.html.
[35] Alan De Smet. Unique ID. 2013. url: http://www.highprogrammer.com/cgi-bin/uniqueid/dl_md.
[36] Michael A. Specter, James Koppel, and Daniel Weitzner. "The Ballot is Busted Before the Blockchain: A Security Analysis of Voatz, the First Internet Voting Application Used in U.S. Federal Elections". In: Proceedings of the 29th USENIX Security Symposium, 2020.
[37] SQL Injection Scanner. Pentest-Tools.com. url: https://pentest-tools.com/website-vulnerability-scanning/sql-injection-scanner-online#.
[38] National Institute of Standards and Technology. Security Best Practices for the Electronic Transmission of Election Materials for UOCAVA Voters. U.S. Department of Commerce. 2011. url: https://www.nist.gov/system/files/documents/itl/vote/nistir7711-Sept2011.pdf.
[39] National Conference of State Legislatures. Access To and Use of Registration Voter Lists. url: https://www.ncsl.org/research/elections-and-campaigns/access-to-and-use-of-voter-registration-lists.aspx.
[40] National Conference of State Legislatures. Interview with J. Alex Halderman on Cybersecurity for Online Voter Registration. 2013. url: https://www.ncsl.org/research/elections-and-campaigns/itnerview-j-alex-halderman-online-registration.aspx.
[41] Latanya Sweeney, Ji Su Yoo, and Jinyan Zang. Voter Identity Theft: Submitting Changes to Voter Registrations Online to Disrupt Elections. Technology Science. 2017. url: https://techscience.org/a/2017090601.
[42] Toying with Barcodes. DEFCON. 2011. url: https://www.youtube.com/watch?v=qT_gwl1drhc.
[43] The Pew Charitable Trusts. Online Voter Registration: Trends in development and implementation. 2015. url: http://www.pewtrusts.org/~/media/Assets/2015/05/OVR_2015_brief.pdf?la=en.
[44] The Pew Charitable Trusts. Understanding Online Voter Registration. 2013. url: https://www.pewtrusts.org/~/media/legacy/uploadedfiles/pcs_assets/2013/UnderstandingOnlineVoterRegistrationpdf.pdf.
[45] Twilio. Twilio response to Voxox data breach. url: https://www.twilio.com/blog/twilio-response-to-voxox.
[46] American Civil Liberties Union. The Case for Restoring and Updating the Voting Rights Act: A Report of the American Civil Liberties Union. url: https://www.aclu.org/report/aclu-report-voting-rights-act.
[47] Talib Visram. Track your ballot like a package: How technology will smooth the way for November's mail-in ballot surge. Fast Company. url: https://www.fastcompany.com/90501588/track-your-ballot-like-a-package-how-technology-will-smooth-the-way-for-novembers-mail-in-ballot-surge.
[48] Vote at Home Policy and Research Guide. National Vote at Home Institute (NVAHI). 2020. url: https://www.voteathome.org/wp-content/uploads/2019/03/VAH-Policy-and-Research-Guide.pdf.
[49] Rock the Vote. 2018 Annual Report. 2018. url: https://www.rockthevote.org/wp-content/uploads/Rock-the-Vote-2018-Annual-Report.pdf.
[50] Voter Registration Records. VoterRecords.com. url: https://voterrecords.com/.
[51] Vivian Wang. Public Records: Personal Information on New York City Voters is Now Available for All to See. The New York Times. 2019. url: https://www.nytimes.com/2019/04/26/nyregion/voter-registration-nyc-online.html.
[52] Where's My Ballot? BallotTrax. url: https://california.ballottrax.net/voter/.
[53] Democracy Works. Democracy Works. url: https://www.democracy.works/.
[54] Democracy Works. Ballot Scout Privacy Policy. url: https://www.democracy.works/ballot-scout-privacy-policy-terms-of-service.
[55] Kim Zetter. US government plans to urge states to resist 'high-risk' internet voting. The Guardian. May 2020. url: https://www.theguardian.com/us-news/2020/may/08/us-government-internet-voting-department-of-homeland-security.
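The end of Section 4 recommends that the application ingesting scanner data validate and sanitize every input, barcode or text, before it touches the election database. The following Python example is an editorial addition, not code from the paper or from any ballot tracking vendor. It applies the structural rules of the Intelligent Mail barcode digit string as recalled from the USPS Technical Resource Guide cited as [13] (20 tracking digits plus a routing code of 0, 5, 9 or 11 digits; second digit of the barcode identifier 0-4; a mailer ID that starts with 9 is 9 digits long, otherwise 6), then looks the ballot up with a parameterised query. The in-memory sqlite table, the sample ballots and the sample barcodes are all constructed for the example; verify the field rules against the current USPS guide before relying on them.

```python
import re
import sqlite3
from dataclasses import dataclass

# IMb digit-string rules as recalled from the USPS guide [13] (assumption; verify):
# 20 tracking digits followed by a routing code of 0, 5, 9 or 11 digits.
IMB_LENGTHS = {20, 25, 29, 31}
IMB_DIGITS = re.compile(r"\A[0-9]{20,31}\Z")  # \Z rejects a trailing newline


@dataclass(frozen=True)
class ImbFields:
    barcode_id: str
    service_type: str
    mailer_id: str
    serial: str
    routing: str


def parse_imb(payload) -> ImbFields:
    """Strictly validate a decoded barcode string and split it into its fields.

    Anything that is not a well-formed IMb digit string raises ValueError, so free
    text, SQL fragments or control characters from a crafted barcode never reach
    the database layer."""
    if not isinstance(payload, str) or IMB_DIGITS.fullmatch(payload) is None:
        raise ValueError("IMb payload must be 20-31 ASCII digits")
    if len(payload) not in IMB_LENGTHS:
        raise ValueError("IMb routing code must be 0, 5, 9 or 11 digits")
    if payload[1] not in "01234":
        raise ValueError("second digit of the barcode identifier must be 0-4")
    tracking, routing = payload[:20], payload[20:]
    # A mailer ID beginning with 9 is 9 digits (6-digit serial); otherwise it is
    # 6 digits (9-digit serial).
    mailer_len = 9 if tracking[5] == "9" else 6
    return ImbFields(
        barcode_id=tracking[0:2],
        service_type=tracking[2:5],
        mailer_id=tracking[5:5 + mailer_len],
        serial=tracking[5 + mailer_len:20],
        routing=routing,
    )


def is_valid_imb(payload) -> bool:
    """Convenience predicate around parse_imb for callers that only need a verdict."""
    try:
        parse_imb(payload)
        return True
    except ValueError:
        return False


def open_demo_db() -> sqlite3.Connection:
    """In-memory stand-in for a ballot-return table, loaded with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE ballots (mailer_id TEXT, serial TEXT, voter_id TEXT, "
        "returned INTEGER NOT NULL DEFAULT 0)"
    )
    conn.executemany(
        "INSERT INTO ballots (mailer_id, serial, voter_id) VALUES (?, ?, ?)",
        [("123456", "000000001", "V-001"), ("123456", "000000002", "V-002")],
    )
    return conn


def ingest_scan(conn: sqlite3.Connection, scanned) -> str:
    """Mark the ballot identified by a scanned IMb as returned.

    Returns 'rejected' for malformed input (the envelope should be quarantined
    for manual review), 'updated' when exactly one outstanding ballot matched, and
    'no_match' for a well-formed barcode that is unknown or already returned.
    Validation happens first and the query is parameterised, so the scanner
    payload is never interpolated into SQL."""
    try:
        fields = parse_imb(scanned)
    except ValueError:
        return "rejected"
    cur = conn.execute(
        "UPDATE ballots SET returned = 1 "
        "WHERE mailer_id = ? AND serial = ? AND returned = 0",
        (fields.mailer_id, fields.serial),
    )
    conn.commit()
    return "updated" if cur.rowcount == 1 else "no_match"


def returned_count(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM ballots WHERE returned = 1").fetchone()[0]
```

The two defences are independent: the whitelist parser stops anything that is not a barcode-shaped string at the door, and the parameterised query means that even a future relaxation of the parser cannot turn scanner data into SQL. Rejected scans are worth logging with the raw payload, since a burst of malformed barcodes from one batch of envelopes is exactly the signal an elections office would want to see.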
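Section 5 argues that aggregate ballot-tracking statistics must describe groups without isolating individuals, and describes the membership attack that exact aggregates enable. The following Python example is an editorial addition, not code from the paper or from any tracking service, and uses a constructed list of ten deposit events (voter, public party affiliation, drop box, hour). It shows in working code why two exact releases that differ by one record give away that record's (box, hour) cell, and how a Laplace-noised, epsilon-differentially private histogram with suppression of sparse cells degrades that inference towards chance. The epsilon values and the cell domain are example choices, not parameters from the paper.

```python
import random
from collections import Counter
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed ballot-tracking events, not real data:
# (voter id, registered party, drop box used, hour of deposit).
EVENTS: List[Tuple[str, str, str, str]] = [
    ("v01", "A", "box-1", "08"), ("v02", "A", "box-1", "08"),
    ("v03", "A", "box-1", "08"), ("v04", "A", "box-1", "08"),
    ("v05", "B", "box-2", "18"), ("v06", "B", "box-2", "18"),
    ("v07", "B", "box-2", "18"), ("v08", "B", "box-2", "18"),
    ("v09", "B", "box-2", "18"), ("v10", "A", "box-2", "12"),
]

Cell = Tuple[str, str]  # (drop box, hour)


def exact_counts(events: Iterable[Tuple[str, str, str, str]]) -> Counter:
    """Exact histogram of deposits per (box, hour) cell."""
    return Counter((box, hour) for _, _, box, hour in events)


def differencing_leak(events, voter: str) -> Dict[Cell, int]:
    """Two exact releases that differ by one voter's record reveal that voter's cell.

    An aggregate interface that answers both 'all voters' and 'all voters except X'
    with exact numbers leaks X's behaviour no matter how large the dataset is."""
    full = exact_counts(events)
    minus_one = exact_counts(e for e in events if e[0] != voter)
    return {c: full[c] - minus_one[c] for c in full if full[c] != minus_one[c]}


def laplace(scale: float, rng: random.Random) -> float:
    """Laplace(0, scale) sample, drawn as the difference of two exponentials."""
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)


def dp_release(events, domain: Iterable[Cell], epsilon: float, k_min: int,
               rng: random.Random) -> Dict[Cell, int]:
    """epsilon-differentially private (box, hour) histogram over a public cell domain.

    Adding or removing one voter changes exactly one cell by one (sensitivity 1),
    so Laplace(1/epsilon) noise on every cell in the domain gives epsilon-DP.
    Cells are suppressed on their NOISY value (post-processing, which preserves
    DP), never on the true count, which would leak which cells are sparse."""
    counts = exact_counts(events)
    release: Dict[Cell, int] = {}
    for cell in domain:
        value = max(0, round(counts[cell] + laplace(1.0 / epsilon, rng)))
        if value >= k_min:
            release[cell] = value
    return release


def infer_cell(full: Dict[Cell, int], minus_one: Dict[Cell, int]) -> Cell:
    """What a differencing adversary would guess: the cell whose count fell most."""
    cells = set(full) | set(minus_one)
    return max(sorted(cells), key=lambda c: full.get(c, 0) - minus_one.get(c, 0))


def attack_success_rate(events, voter: str, epsilon: Optional[float],
                        trials: int, seed: int = 0) -> float:
    """Fraction of trials in which differencing recovers the voter's true cell.

    epsilon=None means exact releases (the attack always succeeds); a small
    epsilon means strong noise and the guess degrades towards chance."""
    rng = random.Random(seed)
    true_cell = next((b, h) for v, _, b, h in events if v == voter)
    others = [e for e in events if e[0] != voter]
    domain: Set[Cell] = set(exact_counts(events))
    hits = 0
    for _ in range(trials):
        if epsilon is None:
            full, minus = dict(exact_counts(events)), dict(exact_counts(others))
        else:
            full = dp_release(events, domain, epsilon, 0, rng)
            minus = dp_release(others, domain, epsilon, 0, rng)
        hits += infer_cell(full, minus) == true_cell
    return hits / trials
```

Two design points matter for a tracker that wants to publish statistics at all. First, the release must cover a fixed, public domain of cells (every box and hour), because omitting empty cells is itself an exact statistic. Second, suppression thresholds such as k_min must be applied to the noisy counts; dropping cells on their true count reintroduces exactly the small-cell leak the paper warns about. The value of epsilon is a policy decision, and the example's attack_success_rate is a cheap way to show a privacy reviewer what a candidate epsilon buys.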