Senator Online (SOL) is a newly registered political party under the Commonwealth Electoral Act. While AusCERT has no objection to the registration of the party in itself, AusCERT has concerns about some of the claims being made by the party in relation to the security and integrity of the online voting system which the party candidates say they will rely upon to determine how to vote on bills that are passed to the Senate.

There are a number of security concerns with the technology and mechanisms that the SOL plans to use for online voting which makes the SOL voting system vulnerable to manipulation by unscrupulous persons. Hence, the SOL voting system cannot be relied upon to accurately record the votes or views of legitimate eligible SOL voters exclusively. Potentially, SOL senators may vote in accordance with a manipulated voting system, rather than in response to the will of a majority of eligible Australian voters who cast a vote through the SOL web site.

The claims made by SOL

The party claims that it will use Internet based online voting, via the SOL web site, to enable eligible voters registered with the AEC to cast one vote per person per issue.

SOL will ensure that each person on the Australian Electoral roll has only one vote. The poll member registration process will check the persons full name, address and date of birth against the Australian Electoral roll. If the details match, that person will receive a user ID and password which the user will confirm on-line to activate their membership. The process will restrict people signing on as others and ensure that each person on the Australian Electoral roll has only one poll membership and therefore only one vote on each bill or issue.

It also states that:

Website security will be paramount, together with poll members' details, the integrity of the information available, and the voting process.

The threat

Technology mechanisms

• usernames and passwords are not a secure or reliable form of authentication. They can be easily captured and reused by attackers seeking to impersonate the legitimate owners of those credentials. Hence it is possible for attackers to improperly cast votes on behalf of SOL registered voters.

  The capture and reuse of usernames and passwords are a common occurrence and a feature of phishing and online ID theft trojan attacks designed to steal money out of the bank accounts inter alia. Even some forms of two-factor authentication are potentially vulnerable to capture and use by an attacker.

  In the case of online ID theft trojan attacks, attackers capture a broad range of single factor credentials - not just for bank accounts - but also for usernames and passwords typed into the keyboard, accessed via mouse clicks on screen images and captured from 'protected store' when users save passwords to their computers.

  Given that these types of attacks commonly occur in Australia, the likelihood of SOL issued usernames and passwords being captured is moderate to high.

  Alternatively, there are other forms of trojans in common use which wait for the legitimate registered user to log on and then perform a transaction on behalf of the legitimate user in the background without their knowledge or consent. Hence, it is conceivable that attackers could develop a trojan which performs a particular vote on behalf of the legitimate user in the background - while providing an interface to the user which is designed to deceive them that their vote was accepted when it was not.

• It is doubtful that SOL would have knowledge of the volume and behaviour of trojans that target Australian internet users on a daily basis which seek to compromise their computers in the manner described above. As such it is difficult to conceive SOL would have the knowledge or expertise and financial resources to develop an online voting system that addresses these specific threats and vulnerabilities.

  Even with appropriate knowledge, skill and resources, there are still significant limitations to the viability of this type of voting system as it relies substantially on the security of the remote computer host casting the vote.

  While achieving a secure and trustworthy Internet online voting systems is not insurmountable, these solutions are only for government or the most well-resourced of organisations - not a newly formed political party seeking to find candidates, let alone voter interest.

Administrative processes

• Depending on how rigorous SOL is in its registration process, it may be possible for unscrupulous persons to register multiple AEC voter identities with SOL by using the personal information of multiple different and legitimate registered AEC voters. For example, we all know the personal information of friends, family and others and indeed the Australian electoral roll is publicly available to anyone. Hence it is conceivable an individual could register multiple times with the SOL, using different and legitimate AEC voter identities.

  According to SOL, the "poll member registration process will check the persons full name, address and date of birth against the Australian Electoral roll. If the details match, that person will receive a user ID and password which the user will confirm on-line to activate their membership." The question remains, how will SOL verify that the identity claimed does indeed belong to the individual claimed before providing a SOL registration? Or will SOL simply see if such a person exists on the Australian Electoral Roll and hence allow the registration to proceed, which can be done trivially online via the AEC web site. If the SOL is - as it claims to be - very much an 'online' presence then without other forms of identification presented in person (such as birth certificates, passport, drivers licence etc), there really is no way to verify that each of the registered SOL identities correspond to only one AEC registered voter.

Independent assurance

• In establishing the online voting system that will influence the outcome of the Australian democratic parliamentary processes, there has been no independent evaluation of the system to ensure that the system is capable of reliably ensuring that only one valid and legitimate vote will be recorded per eligible person per bill and is not vulnerable to subversion.

  While some may argue that no independent verification of a voter's identity is done before each person is allowed to vote at an AEC polling booth- which is correct - the reality is that Internet online voting systems lend themselves to widespread vote manipulation in a covert manner, without the collusion of other parties, whereas in-person, paper based systems do not.

The impact

Nonetheless, it is conceivable that once the SOL online voting mechanism is made available to the Australian public - and indeed to the world - since the SOL online voting is open to manipulation by non Australian citizens as well (given that the Internet is a globally accessible tool), it is quite possible some individuals or indeed foreign nation states may potentially seek to influence the outcome of the Australian democratic process by seeking to influence the SOL senators within the Senate on particular issues of national or international significance.

Moreover, very few people anticipated that the current widespread cybercrime threat would escalate or become as widespread as it has in such a short time when the various online policies and systems were being designed and established. Now that these systems exist and are vulnerable to exploitation, they are being attacked. The same can be said for an online voting system - if you create it, you give the opportunity for a variety of interests in Australia and around the world to exploit its weaknesses where such weaknesses exist.

In Australia with its strong two party system, we know that at times the independent senators or senators from minor political parties can hold the balance of power in the Senate and hence in this situation, it is possible to manipulate the voting outcome of the SOL by manipulating the online voting system and effect the outcome of whether a bill is passed or not.

Most Australians will be aware of the impact the Senate can have on a democratically elected government, when in 1975, the Senate blocked monetary supply to the Government (which held a majority in the House of Representatives). As a consequence of the Senate's vote, the Prime Minister was sacked by the Governor-General and an election was called. Hence it is conceivable that the ability to influence the voting behaviour of two or even one Senator, by manipulating an insecurely designed online voting system, could have major ramifications for the democratic process and outcomes within Australia.

Fortunately, Australia has not adopted widespread electronic voting as other parts of the world have (except for a few cases on a smaller scale). There has been significant research done showing serious weaknesses in the design of a number of e-voting systems in use. Of course, the worst of these systems allow votes to be cast from "voters" from any remote computer of unknown trustworthiness which means that it is conceivable to influence who is elected to government itself by controlling these computers remotely.

Summary of concerns

• it will be possible for an individual to vote more than once on any given topic by adopting the identities of multiple legitimate AEC voters;

• it will be possible for an attacker to hijack the vote of multiple legitimately registered SOL voters through trojan malware (under the control of an attacker) as described above;

• it will be possible for non-eligible persons to vote one or more times on particular issues by either of the two previous methods.

There are a unique set of properties that need to be addressed to maintain the confidence and the integrity of democratic processes and outcomes when using e-voting systems. But when these issues are not adequately addressed and e-voting systems fail or are perceived to be fallible, then democracy itself is undermined.

Kathryn Kerr