Flaws in ACT election systems could reveal voters' votes

Accurate timing data about votes, and the order in which they're cast, can be enough to reveal individual voters' secret ballots.

Two newly revealed flaws in the Australian Capital Territory (ACT) electronic voting systems could have allowed voters to be linked to their votes, breaking the core democratic concept of the secret ballot.

The vulnerabilities were disclosed in a detailed technical write-up on Monday by independent security researcher T Wilson-Brown, who originally discovered and confirmed the flaws in early January.

Elections ACT had agreed in March to public disclosure on April 9, but on April 10 it pulled out. Four months later, Wilson-Brown has published them, to allow time for changes to be made before the next ACT election in 2020.

The first vulnerability stems from Elections ACT publishing online the individual, and their preference allocations under the ACT's preferential voting system, for later analysis.

Each record contains a unique sequential identifier, as well as a polling place batch number. A malicious voter could cast a deliberately unusual set of voting preferences, a pattern which would likely be unique, and use that as a marker to find the votes of people who voted around the same time in the same polling place.

This flaw existed during the 2001-2016 elections.

"The vote order data also makes it possible for anyone to discover the first and last votes in a polling place. It may also be possible to discover the first and last votes in each batch at each polling place, if batches rotate on a predictable schedule," Wilson-Brown wrote.

The second vulnerability stems from Elections ACT recording the precise time a voter is checked against the electronic electoral roll, and the precise time each vote is cast.

"If there are a small number of voters in the polling place at any time, these voters can be linked with their votes with a reasonable degree of accuracy. It may also be possible to use vote order and roll mark-off order to link voters to their votes, with decreased accuracy," they wrote.

"Access to this data is restricted to a few Elections ACT staff, and the data is destroyed a few months after the election. But it could be possible for someone to gain unauthorised access to it."

This flaw existed during the 2008-2016 elections.

"There is no evidence that either vulnerability has been used to reveal any votes. However, it may be possible to take advantage of these vulnerabilities without creating any evidence," Wilson-Brown wrote.

These vulnerabilities do not allow votes to be added, modified, or deleted.

Wilson-Brown makes seven recommendations, most of which focus on minimising the amount of data being collected.

"If particular data is not essential for conducting the election, it should not be collected. Data minimisation ensures that no one is capable of linking voters to their votes, even if they have access to all the election data," they wrote.

Wilson-Brown said their motivation for this research was the issue of control.

"If I want to keep my vote secret, then that's my decision. We shouldn't have to trust the person voting next to us, or the electoral commission, to keep our votes private. The system should be designed so votes are private," they told ZDNet.

"I remember voting in the 2016 ACT election. When my name was marked off the electronic roll, I wondered, 'How secure is this? What information are they collecting about me?' Two years later, I still don't know who wrote that software."

Related Coverage

Microsoft's new framework could help policymakers better understand cybersecurity (TechRepublic)

The firm's new Cybersecurity Policy Framework aims to provide building blocks and best practices from organizations around the world.

5 ways machine learning makes life harder for cybersecurity pros (TechRepublic)

While many companies are turning to machine learning tools to fight hackers, they may not be as helpful as they seem thanks to a talent shortage and a lack of transparency.

Hackers can steal data from the enterprise using only a fax number

Fax machines are still widely used by businesses and a communications protocol vulnerability is leaving them exposed to cyberattacks.

Internet security, encrypted messaging and privacy projects win Facebook grants

Facebook grants go to researchers developing answers to Facebook account hijacking, internet outages, and behavior-based biometrics.

AWS error exposed GoDaddy business secrets

Updated: It is believed information belonging to thousands of GoDaddy systems was leaked due to the failure.

GDPR security pack: Policies to protect data and achieve compliance (Tech Pro Research)

One of the key requirements of the newly enacted GDPR is a demonstrated effort to enforce security measures that safeguard customer data. This bundle includes six policies you can customize and implement.