Pentagon Cancels Internet Voting System

Ben B writes "The Pentagon won't use an Internet voting system for overseas U.S. citizens this fall because of concerns about its security, an official said Thursday. The official, who requested anonymity, said Deputy Defense Secretary Paul Wolfowitz made the decision to scrap the system because Pentagon officials were not certain they could 'assure the legitimacy of votes that would be cast.' Computer security experts who last month reviewed the Secure Electronic Registration and Voting Experiment, or SERVE, had urged the Pentagon to scrap the system, saying it was too vulnerable."

I really have to question

[barenaked]

I question the whole premise of using the internet in the voting process. The flaws are unsolvable because they are fundamental to the architecture of the internet. Using a voting system based upon the internet poses a serious and unacceptable risk for election fraud. It is simply not secure enough for something as serious as the election of a government official. The report recommends that the Serve project be shut down and nothing like it be tried until "both the internet and the world's home computer infrastructure have been fundamentally redesigned, or some other unforeseen security breakthroughs appear." With which I wholeheartedly agree

Re:I really have to question

[El]

Unless you assume that the machine doing the encryption has already been compromised.

Re:I really have to question

[osewa77]

High security can always be layered on top of the 'unreliable' internet as it is; the problem is that the stock software has so many easily exploited loopholes (trojans? keyword capture? windows exploits?) that it would introduce messy, situations, which would not help the current government's bid for the next elections (better safe than sorry?)

Re:I really have to question

[gewalker]

In Florida they had a big fiasco. They tried to fix it by recounting the PAPER ballots repeatedly. This did not make anyone too happy either. George W. won all of the recounts, including ones done by the independent press, but lots of people still argue a fix was on, Bush stole the election, etc. -- Note:, I'm not arguing that Bush did or did not steal the election, or if he would be the first that had if he did -- I'm focusing on the controversy surrounding it to the day.

How in the world would the U.S. react if you could reasonably argue that the system could have been hacked, etc. -- Strikes me that this would be a very chaotic result.

The Internet based system does not and probably cannot have a useful audit trail that is equivalent to the paper ballots.
Foreign nationals are certainly limited in their voting flexibility and I think the Pentagon was trying to incorporate them betting in the voting process. Is there not a reasonable compromise that would meets the needs of voters and voting integrity?

Re:I really have to question

[Carnildo]

I think they should just do away with anonymous ballots.

as if there is any real need for this anymore. i've never understood why people want to still keep this secret.

In Soviet Russia, they shot people who voted against the wishes of the Party.

Re:I really have to question

[sholden]

People vote differently in secret ballots than they do in public ballots. That's a pretty significant reason to keep them.

Secret ballots prevent many problems associated with elections (breaking the legs of those who don't vote how you told them, for example). Of course with non-compulsary voting you can perform similar attacks anyway - prevent a bunch of people who will cast more votes for your opposition than for you from voting at all.

The UK has a system in which votes are tagged with unique identifiers that match a voter to a ballot - but the link is locked away somewhere "safe" and legally can't be accessed except on a court order and are destroyed after a year. That provides most of the benefits of a secret ballot, but still allows the votes to be checked if the election is suspect. See here for a short blurb on the system.

Now whether than system is good or bad is another matter, but it shows you can have some of the benefits of a secret ballot and also the main benefit of a non-secret ballot.

Re:I really have to question

[TyrranzzX]

Use a p2p system, there's no centralized point under control by anyone. Just one secure, open source model that gets implemented and is hard to hack. Plus, with paper ballots, and that kind of a system where the votes are tallied by thousands of voting machines, anyone can check the votes in their area without a problem. Use good encryption, trustable maintainers and goverment certification, and you've got a strong basis for something most techies would trust.

Re:I really have to question

[LnxAddct]

As El so elegantly stated, Unless you assume that the machine doing the encryption has already been compromised.

The problem is if I root your computer and thn you register to vote, I simply block your vote from leaving your computer, fabricate my own packets and send them along. you'll never know because voting methods require that they can't be traced back to you. If someone can prove that you voted for a certain candidate then people will start being paid to vote for certain candidates As long as you can't attatch a vote to a person then paying someone to vote for you is fundamentally flawed in that you can't prove anything they did.In an age where hackers store their movies and mp3s on government computers and an age where people will open up any email that says it was specially encoded in a binary format as an attatchment, I don't think its a wise idea for anyone to trust anyone that their vote was legitimate if it was sent through the internet.It doesn't matter if the network is decentralized (the internet is decentralized by the way), if I own your computer then I control what you do with it, simple as that.
Regards,
Steve

Re:I really have to question

[Anonymous+Cowtard]

But then the Supreme Court stepped in at the Republicans request

Yeah... after the Democrats took it to the courts to begin with.

Neither party's hands are clean in the whole fiasco.

Re:I really have to question

[MillionthMonkey]

You can solve all manner of these types of problems using certificates with high encryption strength.

No you can't. People concentrate on encryption strength as if that's everything. It's like the height of a wall. Doubling it doesn't help if people can walk around the wall. The key length is only one of many vulnerabilities in a system. Think of all the computer security breaches you've heard about. How many happened because an attacker succeeded in brute forcing a key? As opposed to, say, using an easily guessed default password? Unless you're using DES, or crappy exportable encryption, brute forced keyspaces are probably not how you will go down.

What you have here is something that is pretending to be a solution to a problem that is pretending to be a solution in search of a problem. There are really two problems here- the one you are addressing (short key length), and a more fundamental one, which is that there is no reason for we the voting public to be hearing the words "Internet" and "voting" in the same sentence at all, nor is there any reason why we should have to assume a collective responsibility for safeguarding our own votes in this election process when we weren't even the ones who had anything to gain from endangering the democratic process in the first place.

Re:I really have to question

[Free_Meson]

But then the Supreme Court stepped in at the Republicans request

Yeah... after the Democrats took it to the courts to begin with.

Neither party's hands are clean in the whole fiasco.

I hope you aren't saying that it was somehow wrong to take that election to court. That's the reason we have courts -- when everything else breaks down, they are the final arbiters of right and wrong. They are the referees that determine which rules are just and how they should be interpreted and enforced. You can't have a truly democratic system without a powerful court because those abused by the tyranny of the majority have no recourse. As for the case of Gore v. Bush, it looks like the court failed. It didn't fail because Bush won (though I would have prefered Gore), it failed because in a situation that needed a conclusive end it rendered the worst possible verdict for the sanctity of democracy in the United States. They said that a recount should happen, but becuase of an artificial deadline ~50 days before the winner would take office and less than a day after the decision, a full recount requiring less than a week would just be too inconvenient to endure. The case should have been about how to count the votes, with the democrats arguing one way and the republicans arguing another. Instead, the republican council argued that there should be no recount at all... As a litigation tactic, this was good -- if you won the first count, argue against any subsequent recounts. As it concerns the country, though, this was a horrible argument, and a less radical court would have seen the importance of deciding the election with a universal standard of fairness rather than doing what it did. The Gore v. Bush decision may have been the single worst supreme court decision since the Dred Scott v. Sanford decision, but at least in Scott the court had a sound legal principle to support its decision.

Anyway, I can't believe you're claiming the democrats should somehow be blamed or tarnished for seeking a recount in an election where equal protection had obviously been violated. The fact that such a request even made it into a court should tell you that the republican party, at least at the time, cared more about being in power than it cared about the democratic nature of the united states or its constitution.

Re:I really have to question

[MuParadigm]

"I hope you aren't saying that it was somehow wrong to take that election to court. That's the reason we have courts -- when everything else breaks down, they are the final arbiters of right and wrong."

Well, there is a Constitutional process documented, yes, right there in the Constitution, that throws the election into the House and Senate in the event of a contested slate of electoral votes from any particular state.

If your going by the Constitution, the recount should have proceeded and, since whichever side lost probably would have taken it to Congress, Congress should have decided.

That, of course, would have ended up a huge political mess, since, as VP, Gore would have had the tie-breaking vote in the Senate, and the Senate was split 50-50 at the time.

There is an argument that letting the Supreme Court decide prevented a greater crisis in Congress, and nationally. But there really was no Constitutional support for it.

So, yes, I am saying it was somehow wrong for that election to end in the Supreme Court. However, I'm not sure that the prescibed Constitutional procedure would have been any better. Taking it to the Supremes *may* have been the least wrong of all possible wrongs.

Re:I really have to question

[Bob+Uhl]

That's the reason we have courts--when everything else breaks down, they are the final arbiters of right and wrong.

No, that's why we have the military--they're the final arbiter when everything else breaks down. Fortunately, it has only once gotten to that point, and hopefully it never will again. The courts are the last peaceful recourse, but there are others available.

Re:I really have to question

[MuParadigm]

Umm, yeah, if that were the case, then Gore would have won hands down. There's no doubt that he won the popular vote in 2K.

But, you know, here in the US, we use an electoral system that grants presidential votes depending on how the majority voted in each given state.

Interestingly enough, the electoral system was developed as a compromise to allow slave states a greater say in choosing the president.

No doubt, you've heard of the 3/5 compromise. The one that declared slaves, in particular black men, as 3/5 of a person for the purposes of calculating census populations for electoral votes?

Yeah, I know it's offensive, and I'm likely to get modded as flamebait for even bringing it up. But the problem is that the whole electoral college system is a holdover from that kind of thinking.

That is to say, that at the time of the writing of the Constitution, Southern states were unlikely to ratify the Constitution because they had far fewer actual voters than the Northern states. The 3/5 compromise was a method used to grant more leverage to the implicity white Southern voters in elections, and the electoral college was a further compromise to maximize that leverage.

So, yes, the historical antecedents that created the current system for choosing a president are completely *fucked*. And, consequently, the electoral college system should have been killed off during reconstruction after the Civil War. Which would have left us with the "One person, one vote" system you have so glibly advocate.

Problem is, that would have been, "One *man*, one vote" at the time, since women weren't granted the right to vote until the 20th Century.

Second problem is, the most populous states clearly outweigh the least in terms of potential voters, simply because they have more people. The Constitution is clearly concerned with balancing the desires of the majority with the needs of the minority. Perhaps "clearly" is a bit of a misnomer there. It's not particular evident in the Constitution itself, unless you read between the lines and add in the Bill of Rights.

But, it *is* evident in the Federalist Papers, which were written to explain the intent of the Constitution, and as propaganda to get state Congresses to ratify it.

Taking into account the motives and ideals expressed within the Constitution, the Bill of Rights, and the Federalist Papers, we're left with the clear idea that the founders did not want a *strict* majority rule. They *preferred* it, but they wanted some leeway for the minority to be heard and respected. This minority includes: small states.

So: How to preserve that voice for small states? Rather than addressing the question at the end of the Civil War, as should have been done, most Congressmem decided that sticking with the electoral college provided the safest way of doing so. It didn't require any changes, and no one was coming up with a better solution. Nor was it evident at the time that a better solution was required.

This is why, even though I live in New York City, the vote of someone living in Wyoming state counts literally *ten* times as much as my vote in a presidential election.

Am I pissed about it? Damn straight I am.

You see, I really do believe that smaller states should have a forum in which their voices can be heard equally with the larger states, and that their votes will count as much. But I think the Senate takes care of that imbalance: 2 votes, 2 Senators for each state, no matter the population.

The electoral college *should* be abandoned. Not because of the "one person, one vote" principal, but because the electoral college has its roots in justifying and accomadating *slavery*, and because the other problem it was designed to address, imbalance in the representation of small states against populous states, is already adequately addressed by equal representation for each state in the Senate.

Why trust internet banking then?

[MrRTFM]

If this 'internet' is so insecure , why are the big corps. trusting it to transfer billions of dollars around.

I must be missing something - this is technically feasible, they are just doing it the wrong way.

Re:Why trust internet banking then?

[Rufus88]

Because they have a way of verifying after the fact that their transactions occurred as they should, in case they suspect fraud. With internet voting, you can't. In fact, regardless of the voting mechanism, it's important that you not be able to verify that your individual vote was recorded properly, because that would imply being able to prove who you voted for, which would permit vote-selling and make people susceptable to vote-extortion.

Re:Why trust internet banking then?

[demachina]

Because you dont have to maintain anonymity in those transfers, in fact, exactly the opposite you identify both parties with rigor. In voting you have to verify the identity of the voter with some certainty, but then switch to a mode where the actual vote they cast can not be associated with the specific voter. Very hard to do on the Internet. You also still have to make sure the integrity of this anonymous vote is retained and can be recounted. It is an ideal application for pieces of paper and a box.

In money transfers the books have to balance after the transfer is done and both parties will know what the result should be. In voting you don't know what the result is supposed to be, and the people controlling the system usually have a strong incentive to alter the outcome in there favor, and they will if its possible to do so. If you try to alter the results with a money transfers someone would instantly spot an attempt at theft unless their accounting is crap or someone goes to great lengths to obfuscate the theft.

Pure electronic voting is just a fundementally bad idea for anything where the outcome matters. You always want a voter to use paper, put in a box under the eyes of representatives of the interested parties, and maintain the security of those boxes at all times. We are blessed with all this electronic B.S. only because of the kneejerk reaction to the disaster in Florida and Congress throwing billions of dollars at the problem like they usually do. The end results was a swarm of sharks who wanted to either:

A. Get rich quickl
B. Find new and creative ways to rig elections

Proven machines where you fill in the bubbles on a sheet of paper and run it through an optical scanner would do this job ten times better than any of these all electronic touch screens or online voting or punch cards. Its no accident lots of affluent communities were using this kind of voting machine in 2000 to make sure their votes counted, and places with lots of poor people the establishment wants to disenfrancise tend to have unreliable voting systems like punch cards.

Re:Why trust internet banking then?

[MrRTFM]

Current paper voting could easily be tracked - you go up and get your name ticked off a role, and if they wanted, I'm sure they could hand me a marked ballot paper, or something. It is simply a matter of trust.

With the internet voting system there is that same critical step - after it verifies you and it assigns you that highly encrypted 'pass for one vote', you then trust the system to keep your details private (maybe with a 2nd key that only you know).

It's the same thing - you have to trust the system for *any* type of voting to work.

Re:Can't this be fixed?

[grasshoppa]

Or are they assuming voters are too stupid to do this?

Christ, wouldn't you? Your average user has problems when they get those nasty letters from MAILER-DAEMON, and some ( my mother ) even get offended that they use such a vile name ( deamon ).

So no, we are not ready, technically or socially, for internet voting.

Secret ballots?

[Mieckowski]

If any computer can be used to vote, how are the ballots kept secret? If someone's vote is observed (and they might be pressured into this by husband/wife/friend etc...) I can easily see people avoiding voting for controversial canidates, or somebody who their friends oppose.

Thank G

[shubert1966]

What the heck is with all Internet-this and internet-that. Why don't they just deploy closed LANs pre-configured with nothing more to configure that attaching cables and plugging them in.

There is little to be gained by it anyway. Apathetic and lethargic Americans will still come up with some excuse not to vote.

The money could better be spent berating these pinheads, or funding voter vans, or introducing legislation to take away privelliges from non-voters.

I think most of us feel that online CC transactions are usually safe, but we take the chance because most of the time we don't get burned (save eBay). Our CCs usually have a loss-limit protection of $50.00. My vote is more precious than $50.00.

Besides, if it was Internet-wired some politician would enact some crap legislation for last-minute pop-up adds that looked like OS dialog-boxes, thereby tricking hasty and myopic people into voting for the wrong candidate.

The pentagon counts votes??? You must be kiding.

[Ulbrekt]

I'm from Sweden and the idea to let the armed forces have anything to do with overseeing voting seems both ridiculous and dangerous. Thats how it used to work in Spain, Portugal and Greece (not to mention eastern Europe) not so long ago.

Re:E-voting sucks. What we have today sucks more

[Shut+the+fuck+up!]

Today I have to sign my ballot

You sign the actual ballot? Or a security envelope? In Washington, you sign a security envelope that contains your ballot. Once the signature is verified and the ballot is removed, there is no way to tie the ballot to the person unless the person opening it made some sort of record of it and/or your votes. That of course would require a conspiricy of epic proportions, no?

Pentagon??!

[k98sven]

Can anyone explain to me why the friggin' Pentagon is involved in this?

How is this a defense issue and not something which should be handled by the Federal Election Commision?

Hackers and terrorists? Come on! Fixing the poor-quality voting machines in certain US states would have more significance than those of us foreign residents who actually bother to vote.

(And yes, I'm one.. and absentee-voting is a real bureaucratic hassle.. this sucks.)

Interested in putting together a panel in NYC

[Sam+Nitzberg]

There are going to be more stories and issues related to Internet voting - here, in the US, and abroad, ranging from small club functions being voted on, through governmental matters from local - to - larger levels...

My concern is that any system be appropriately thought out, formally and precisely defined, using rigidly designed systems (not necessarily off-the-shelf), made to precisely and verifiably conduct voting tansactions, without being able to disclose, leak, or bleed any information that is not supposed to escape the system.

The Johns Hopkins study is an excellent reference and resource on the issues that have to be addressed.

I am personally interested in setting up a panel in New York in Mid-July (not much - just about an hour), but at an interesting venue. I am not offering funding, but there could be some visibility.

I would welcome hearing from anyone who is doing interesting work in this area - in the US or overseas, that would be interested in participating on such a panel, to include related topics on technology-and-democracy.

Sam Nitzberg
sam@iamsam.com
http://www.iamsam.com

Re:Electronic Voting? Easy

[stratjakt]

bank of americas entire ATM network was comprimized by SQL slammer.

Ever notice those stickers on banks saying "Insured by FDIC"? Ever see on on your ballot?

Banks can plan for a potential hack, elections are more of a one shot deal.

Internet does have a limited use

[PineHall]

I believe that the internet could be used to send the results from overseas military voting places. It would have to be encrypted and verifiable that no tapering took place, and there would be paper audit trail at the voting site that could be sent later. This would get the results in quicker.

Re:Can't this be fixed?

[El]

Yes, but then you know which ISP to complain to (or which server to DoS), don't you? Also, that identical copy is going to get added to Spam filters pretty quickly; spammers now try to send DIFFERENT emails to every recipient to get around spam filters. And, if the URL in invalid (e.g. because the server has been shut down due to complaints) then your email reader can discard the header for you, and you never have to even know it was there.

Re:E-voting sucks. What we have today sucks more

[demachina]

This is NOT a viable approach nor is it anonymous. If you give each person a receipt and a number associating them with their vote, then someone who is either buying votes or intimidating voters can demand to see your receipt and verify how you voted.

Nice try but its not acceptable.

Re:E-voting sucks. What we have today sucks more

[xenocytekron]

Whats to stop people who voted for, say, a third party candidate like the green party to say their vote was "mistaken" if a republican candidate wins, so said perso could change their vote to the democratic party? Besides that, a very interesting idea.

Re:Good call

[ChaoticLimbs]

If the democrats held all three branches of government they would logically be receiving the lion's share of lobbyists' money.

More likely...

[MintSlice]

While the Pentagon claims it "won't use an Internet voting system for overseas U.S. citizens this fall because of concerns about its security", its more like they don't want US citizen's who haven't been brain-washed by the US media expressing their informed opinions in the voting both.

Who knows what someone who has been exposed to non-US media might think about any given topic? There's no way any right thinking politician would try to guess the voting habits of the well informed. ;-]

Why don't they use the PKI Keys on DOD ID cards

[quan74]

I presume that the pentagon was researching this to allow soldiers, DOD civilians, and contractors who are overseas to vote. All US soldiers, DOD Civilians, and DOD Contractors now have an ID card that contains a smart chip with a PKI key on it. You're telling me that the Pentagon could not come up with a secure, anonymous, yet auditable method of voting using that?? What a shame. I guess the DOD needs more geeks, or maybe just some geeks with real skills and not an MBA.

Not the voter anonymity problem

[Gorimek]

One fundamental flaw with Internet voting is that there is no way to verify that the voter does not have a gun held to his head while voting, or is subject to some other pressure.

Only by having the voter go in alone in a booth to vote out of sight of everyone else can that be assured.