Two Faces of Electronic Voting

IEEEmember writes "The Swiss are claiming the world's first binding Internet vote in a national referendum. Voters were given lottery style scratch-off cards that allowed them to vote either by Internet, snail mail or in person. Internet votes can be cast from any computer accessing the elections site securely over the web. Electronic voting has been implemented to combat declining participation in elections. Stories from The Age, swissinfo and CBS available at Google News. The IEEE is calling attention to the current process for establishing standards for electronic voting. Project 1583 - Voting Equipment Standard and Project 1622 - Electronic Data Interchange are being developed by Standards Coordinating Committee 38 rather than being relegated to a single society to ensure the broad range of electronic voting issues can be addressed adequately. These standards are being written for use in the U.S. however some parties have shown an interest in extending them to other countries."

Verification

[sofakingon]

Two Words: Paper Trail.

There must be a verifiable, permanent, physical record in any election to ensure that any and all democratic elections are not tampered with.

Re:Verification

[rhakka]

for now, perhaps.

However people who spout this act like you can't tamper with physical records. You can. Physical records are not secure.

The question is not can elections be secure. They cannot. The question is HOW SECURE can they be, and while we may not be there yet, it is certainly possible down the road that a fully electronic method could be made AS secure as leafs of paper in boxes in someone's basement, IMHO

Paper Trail

[Anonymous Coward]

"When you can walk the rice paper without tearing it, then your steps will not be heard."

--Master Kan [imdb.com]

Re:Verification

[sofakingon]

People do things that they believe are in their best individual iterest.

Online transactions are, for the most part, secure and trustworthy because it is in the best interest of the businesses and financial institutions to provide the best service possible.

What, then, would be in the best interest of the [current] government in regards to electronic voting?

Food for thought.

"Power tends to corrupt, and absolute power corrupts absolutely." -Lord John Acton

this DOESN'T make the front page?!

[Anonymous Coward]

A REAL tech article dealing with REAL tech issues!?

I mean, c'mon it's an IEEE article, how much more does it need?!

Re:Verification

[Jerf]

However people who spout this act like you can't tamper with physical records. You can.

No, people who "spout" this think that it is much harder to systematically tamper with physical records than electronic records, and that this fact shows no signs of becoming less true any time soon.

Moreover, auditable electronic voting combines many of the nice parts of electronic voting with all of the nice parts of physical voting.

I think us "physically auditable voting"-type folks understand what is going on; it is exactly that understanding that has us calling for the hybrid, best-of-both-worlds solution, instead of the "God only knows what happened for sure" world of electronic-only voting.

Electronic vote hacking is NOT the only danger!

[JimMarch(equalccw)]

San Francisco recently had a scandal in which city employees were herded through the absentee voting system and browbeaten by supervisors who watched over their shoulder to make sure they "voted properly".

To solve this problem and numerous others, the idea of private voting at local polling places where this sort of thing can be monitored developed. When done right, polling-place voting leads to the LOWEST level of overall fraud.

Right now, Black Box Voting and other advocacy/reform groups are talking about using absentee voting to create a paper trail when polling places lack them. BUT we know about this issue! Our stance is a condemnation of the worst of the elecronic voting systems, NOT a condemnation of polling place voting.

Internet voting is worse than absentee, for several reasons:

1) A small script could record exactly how you voted, allowing you to sell your vote. Concerns over mechanical voting systems in New York and other urban areas led to an experiment with "paper reciepts" about 70 - 80 years ago and it turned into a vote-buying bonanza for crooked unions. (That's why Voter Verified Paper Trail plans today involve leaving the paper in a secure ballot box at the polling place.)

2) There's still a sizeable non-Internet-connected population out there, esp. at retirement homes and blue-collar unions. "Free Internet Voting Terminals!" at union halls and nursing homes would be a hotbed of "browbeat fraud" similar to the San Francisco case above...in the case of unions, people who didn't vote at the union hall (where the networked PCs are monitored with a remote view application) would be exposed to considerable pressure for not voting "the right way".

-----------

Note that these issues are present EVEN IF THE SYSTEM IS TECHNOLOGICALLY PERFECT(!), written in Open Source with strong crypto by /.ers.

Upshot: Internet Voting cannot be made to work right, due to "human hacking" even if "computer hacking" is somehow made impossible (which is pretty damn doubtful).

Jim March
Member, Board of Directors, Black Box Voting (www.blackboxvoting.org)

Internet Voting - No thanks

[salesgeek]

In 2002 I helped a relative run for office in a county in east-central indiana. What I learned there is that any system that you don't have to show up and identify yourself before you vote is very easy to defraud. That's why internet voting is scary. It's also why absentee ballots are scary.

Parties would look for nursing homes, hospitals and homebound senior citizens and help people there get absentee ballots. Sounds great until step two: Operatives would then come back and help them fill in the absentee ballots. Amazing how many straight ticket R or D ballots came in. In this particular year, the D's won the foot race to get more ballots.

Re:Verification

[swillden]

However people who spout this act like you can't tamper with physical records. You can. Physical records are not secure.

Yes, they are.

Not because there's anything about them that's inherently more secure, but because we know how to secure physical objects. After all, we've been doing it for tens of thousands of years.

Physical records have the advantages that they are visible to the naked eye, cannot easily be modified en masse (except destructively), and take up space. This means that even non-technical people can *watch* them through each stage of the process, able to see that they do not leave the location under observation and that they are not modified while there. Given enough watchers including some "disinterested" election officials and security guards and some representatives of the candidates, vote-changing on any significant scale is basically impossible. And the nature of the process ensures that as the votes are collected the more votes there are in one place the more people are around watching.

I design and construct secure computing systems for a living, and I'm a big fan of cryptography and the nifty things that you can do with it. However, one of the things that a few years in this business pounds into your head (even if it's as thick as mine) is that electronic security is always much, much harder to achieve than you'd expect and in fact it's nearly impossible except in the most stringently-controlled circumstances.

I'm not claiming that secure electronic voting is impossible, but it sure as hell isn't easy, and we *don't* know how to do it yet.

IMO, the real challenge with creating a secure electronic voting system isn't figuring out how to secure it, because we should just accept that that's impossible. Technology can't do it no matter how sophisticated, and any electronic system is inherently "opaque" to observers (unlike paper). The challenge, then, is to figure out how to build a system that is both fully auditable *and* fully anonymous. Those requirements are nearly contradictory, but not quite.

By fully auditable I mean it must be possible to verify the authenticity of every vote counted, tracing it back to the polling station it came from and verifying that it was cast by a legitimately-registered voter. Further, it must also be possible to verify that no votes get lost. Selectively discarding a small random selection of ballots from particular districts would be a beautiful way of electronically gerrymandering an election. By fully anonymous I mean it should be impossible to identify any ballot with a particular voter, even with the voter's full cooperation. (Note that any Internet voting approach fails this requirement, as do mail-in votes. You need a voting booth for anonymity.

Does that mean that only "perfect" security is "good enough" security? No. Security can often be far less than perfect, but still do the job. The problem here is that the value of rigging an election is so high, the security also has to be extremely high. There are two obvious ways of achieving "good enough" security in a scenario like this: Perfect security (yeah, right), and compartmentalized security. The latter means that although the cost/difficulty of breaking the security is within reach of the attacker, the benefit of doing so is too small because it affects such a small part of the election. In other words, the security system needs to be structured such that attacks on it are not scalable and not efficient.

But the whole point of electronic voting systems is scalability and efficiency. Compartmentalizing the security while retaining the overall scalability and efficiency is not easy. The typical way to do it is to use a consistent overall infrastructure but to break the system into non-interoperable chunks through key diversity, but that creates a key management nightmare that in turn requires a key management system which becomes an exploitable weakness.

Secure, efficient and cost-effectiv