NSW Electoral Commission answers iVote critics

The NSW Electoral Commission is refusing to shy away from its pro-electronic voting position despite the recent discovery of a flaw in its iVote system just days before the 2015 state election.

Ian Brightwell addresses Sydney CeBIT (Source: CeBIT Australia)

iVote is the online tool used in NSW to allow the blind and vision impaired, disabled and overseas or interstate residents to cast their ballot remotely. It was used by 286,000 voters in the March 2015 poll.

At the CeBIT conference in Sydney today, NSWEC chief information officer and iVote evangelist Ian Brightwell argued the benefits the system offered its users - “people we would otherwise fine if they did not vote” - outweighed the risks.

Brightwell has been speaking out against the findings of a report released just days before the 2015 NSW election which identified third-party code on the iVote server that was vulnerable to the FREAK flaw - a hole in SSL/TLS protocols that could enable man-in-the-middle attacks on iVote users.

“We had a few interested cyber security people who were very keen to make media out of the event, and that’s their choice,” he said of the Melbourne and Michigan researchers that publicised the flaw.

“But we don’t think they came up with anything of substance.”

Brightwell argued that electronic voting was no more imperfect that regular voting - it's just newer.

“The reality is that once you stick that piece of paper in a ballot box or an envelope, you haven’t got a clue what goes on after that,” he said.

“And there are some processes in the back end that aren’t very pretty.”

For example, he revealed, a security guard wandered into the supposedly shut-down Town Hall polling site in the early hours of the morning during the last election, with CCTV showing him strolling past stacks of blank ballot papers.

The only reason the unauthorised entry was noticed, he said, was because the man used a computer to register himself for iVote and the NSWEC team had to solve the mystery of how someone used the system at 3:29 am on a Thursday.

"The human element injects a certain element of inaccuracy into regular voting as well," Brightwell said.

“There is no right answer in manual counting. If I put 2000 ballot papers down, got a handful of you around, and asked you to count them in three teams, I would get three different answers.

“There are comparative risks. We are balancing one risk against the other,” he said of the electronic voting vulnerabilities.

CSC’s Clinton Firth, who was working with the electoral commission before and after the attacks, said even if the two discovered vulnerabilities (FREAK and Bar Mitzvah) were successfully exploited, the fallout would have been minimal.

He argued that the man-in-the-middle attack which could have been enabled would only have allowed attackers to target one voter at a time.

Firth said the number of would-be hackers who attempted to exploit the FREAK bug was “comparatively small” to the attack volumes he sees in the commercial sector.

On March 16, he said, someone attempted an SQL injection attack on iVote just moments after voting, so the agency was able to tie the event straight back to the perpetrator. They traced other attempted incursions back to a series of US universities scanning for vulnerabilities.