Web Balloting? Not Likely With the Doubts It'd Cast

Dave Wilson

November 23, 2000|Dave Wilson

Now that we officially live in a banana republic, lots of people wonder whether the Internet can let us hold elections with something other than paper ballots that can be folded, spindled and mutilated.

Well, yeah, technically you could vote on the Internet today. Ripping off "The Six-Million-Dollar Man," we have the technology--sort of. But it's actually a lot harder than most people think to keep tabs in cyberspace. In fact, most people have no grasp of how fluid identity can be online. But that's all going to change today, folks.

Today, we're going to learn how to forge e-mail. That's right, I'm going to explain, right here in this column, how to appear to be anyone else on the Internet. Because once you understand how to do it, you can be on the lookout for when it's happening to you.

The most common e-mail packages--including products such as Eudora, Microsoft's Outlook and Netscape's Messenger--all require users to insert identifying information about themselves during the initial configuration process. You need to type your name in the box that asks for your name. And you need to type your e-mail address in the box that asks for your e-mail address.

In effect, your e-mail software is asking you who you are.

But the nefarious e-mail user might very well ask, "Gee, whom do I want to be?"

If, for example, you identify yourself as Dave Wilson and list your e-mail address as, that's the way your mail will go out. Please don't try this at home, though. The vast majority of recipients won't be able to tell that the mail has been forged.

Unless, of course, you read this column.

This type of forgery is a standard trick used by spammers. If you reply to spam, you'll probably just reply to some nonexistent e-mail address. Or you could wind up flooding the mailbox of some poor sap whose address has been appropriated by a spammer.

There is a way to spot this nonsense, however. Nearly all standard e-mail software will let you look at something called the e-mail's "headers," essentially a list of the computers that the e-mail has moved through. (If your software won't let you see headers, start using some that will.)

If you get e-mail that seems a bit unusual--such as a job offer from the White House--you'd be well advised to check the headers to see whether the missive originated with government computers or your best friend's Internet service provider.

Because it's so easy to appear to be someone else in cyberspace, don't expect to be voting for president from the computer in your den any time soon.

Security professionals call this an "authentication issue," and there are plenty of ways to get around it. But most schemes rely on such things as digital certificates, which work well with small groups or in specialized populations such as the armed forces. But managing these things--which perform the functional equivalent of the driver's license you show bouncers to get into a bar--gets really, really complicated. At the moment, there's no great way to manage things such as digital certificates for the entire voting population of the United States.

Authentication problems aren't just an issue for future elections. Because anybody can type in an e-mail address, lots of us wind up subscribed to e-mail lists we never asked for. That's because too many scummy Internet companies don't care whether you signed up for the service or not; they just want to claim another subscriber. A well-mannered list or Web site sends an e-mail to your address saying something like: "Hey, somebody told us to send mail to this address; if that's true, reply to this message. If you didn't ask to sign up, then just ignore this, and you'll never hear from us again."

If you're reading this and thinking, "Man, those guys who built the Internet were morons," well, there actually was a reason things turned out like this.

The basic nuts and bolts that make the Internet work were conceived and largely developed in a mainframe computer environment with "dumb" computer terminals. The distributed computer environment most of us use today--with independent computers sitting on our desktops--wasn't part of the early design. Partly as a result of this evolution in technology, it became harder to track people on the Internet.

Now, the obvious answer to this problem is to make it impossible for people to forge e-mail. But that's the wrong answer.

Setting up a system like that virtually guarantees that you'll lose your privacy in cyberspace. Your every movement could be tracked, your every e-mail traced, and you'd be a lot more cautious about what Web pages you visited. Forget about anonymously looking up information about HIV treatments or birth control or, heck, free speech.

In other words, welcome to China.

So the best systems are the ones we've got now. We allow anonymity, accepting the nasty things that anonymity allows such as letter bombs and prank phone calls. But we have parallel systems that offer a high degree of authentication, through the presentation of things such as passports.

We're still building authentication schemes that we can use for an Internet election. In the meantime, don't expect paper ballots to go away any time soon.


Dave Wilson is The Times' personal technology columnist.


* Dave Wilson answers reader questions in Tech Q&A. T7

Los Angeles Times Articles