Pentagon Cancels Internet Voting System

Ben B writes "The Pentagon won't use an Internet voting system for overseas U.S. citizens this fall because of concerns about its security, an official said Thursday. The official, who requested anonymity, said Deputy Defense Secretary Paul Wolfowitz made the decision to scrap the system because Pentagon officials were not certain they could 'assure the legitimacy of votes that would be cast.' Computer security experts who last month reviewed the Secure Electronic Registration and Voting Experiment, or SERVE, had urged the Pentagon to scrap the system, saying it was too vulnerable."

I really have to question

[barenaked]

I question the whole premise of using the internet in the voting process. The flaws are unsolvable because they are fundamental to the architecture of the internet. Using a voting system based upon the internet poses a serious and unacceptable risk for election fraud. It is simply not secure enough for something as serious as the election of a government official. The report recommends that the Serve project be shut down and nothing like it be tried until "both the internet and the world's home computer infrastructure have been fundamentally redesigned, or some other unforeseen security breakthroughs appear." With which I wholeheartedly agree

Re:I really have to question

[Rotten168]

Well, the Pentagon considered the implication that worldwide "hackers" could alter the outcome of the election. And seeing as how popular GWB is worldwide, their decision was wise.

Re:I really have to question

[El]

Unless you assume that the machine doing the encryption has already been compromised.

Re:I really have to question

[osewa77]

High security can always be layered on top of the 'unreliable' internet as it is; the problem is that the stock software has so many easily exploited loopholes (trojans? keyword capture? windows exploits?) that it would introduce messy, situations, which would not help the current government's bid for the next elections (better safe than sorry?)

Re:I really have to question

[gewalker]

In Florida they had a big fiasco. They tried to fix it by recounting the PAPER ballots repeatedly. This did not make anyone too happy either. George W. won all of the recounts, including ones done by the independent press, but lots of people still argue a fix was on, Bush stole the election, etc. -- Note:, I'm not arguing that Bush did or did not steal the election, or if he would be the first that had if he did -- I'm focusing on the controversy surrounding it to the day.

How in the world would the U.S. react if you could reasonably argue that the system could have been hacked, etc. -- Strikes me that this would be a very chaotic result.

The Internet based system does not and probably cannot have a useful audit trail that is equivalent to the paper ballots.
Foreign nationals are certainly limited in their voting flexibility and I think the Pentagon was trying to incorporate them betting in the voting process. Is there not a reasonable compromise that would meets the needs of voters and voting integrity?

Re:I really have to question

[sholden]

People vote differently in secret ballots than they do in public ballots. That's a pretty significant reason to keep them.

Secret ballots prevent many problems associated with elections (breaking the legs of those who don't vote how you told them, for example). Of course with non-compulsary voting you can perform similar attacks anyway - prevent a bunch of people who will cast more votes for your opposition than for you from voting at all.

The UK has a system in which votes are tagged with unique identifiers that match a voter to a ballot - but the link is locked away somewhere "safe" and legally can't be accessed except on a court order and are destroyed after a year. That provides most of the benefits of a secret ballot, but still allows the votes to be checked if the election is suspect. See here for a short blurb on the system.

Now whether than system is good or bad is another matter, but it shows you can have some of the benefits of a secret ballot and also the main benefit of a non-secret ballot.

Re:I really have to question

[MuParadigm]

"...George W. won all of the recounts, including ones done by the independent press..."

Actually, not to get into the argument of whether there was a fix or not, but the independent press tally came up with different winners, depending on how the vote was counted.

Ironically, using the counting method that the Democrats recommended would have resulted in a Bush victory, and using the counting method advocated by the Republicans would have resulted in a Gore victory.

But then the Supreme Court stepped in at the Republicans request, called off the recounts, and gave the victory to Bush. So the proper counting method for the recounts became a moot issue.

Re:I really have to question

[MillionthMonkey]

You can solve all manner of these types of problems using certificates with high encryption strength.

No you can't. People concentrate on encryption strength as if that's everything. It's like the height of a wall. Doubling it doesn't help if people can walk around the wall. The key length is only one of many vulnerabilities in a system. Think of all the computer security breaches you've heard about. How many happened because an attacker succeeded in brute forcing a key? As opposed to, say, using an easily guessed default password? Unless you're using DES, or crappy exportable encryption, brute forced keyspaces are probably not how you will go down.

What you have here is something that is pretending to be a solution to a problem that is pretending to be a solution in search of a problem. There are really two problems here- the one you are addressing (short key length), and a more fundamental one, which is that there is no reason for we the voting public to be hearing the words "Internet" and "voting" in the same sentence at all, nor is there any reason why we should have to assume a collective responsibility for safeguarding our own votes in this election process when we weren't even the ones who had anything to gain from endangering the democratic process in the first place.

Re:I really have to question

[Free_Meson]

But then the Supreme Court stepped in at the Republicans request

Yeah... after the Democrats took it to the courts to begin with.

Neither party's hands are clean in the whole fiasco.

I hope you aren't saying that it was somehow wrong to take that election to court. That's the reason we have courts -- when everything else breaks down, they are the final arbiters of right and wrong. They are the referees that determine which rules are just and how they should be interpreted and enforced. You can't have a truly democratic system without a powerful court because those abused by the tyranny of the majority have no recourse. As for the case of Gore v. Bush, it looks like the court failed. It didn't fail because Bush won (though I would have prefered Gore), it failed because in a situation that needed a conclusive end it rendered the worst possible verdict for the sanctity of democracy in the United States. They said that a recount should happen, but becuase of an artificial deadline ~50 days before the winner would take office and less than a day after the decision, a full recount requiring less than a week would just be too inconvenient to endure. The case should have been about how to count the votes, with the democrats arguing one way and the republicans arguing another. Instead, the republican council argued that there should be no recount at all... As a litigation tactic, this was good -- if you won the first count, argue against any subsequent recounts. As it concerns the country, though, this was a horrible argument, and a less radical court would have seen the importance of deciding the election with a universal standard of fairness rather than doing what it did. The Gore v. Bush decision may have been the single worst supreme court decision since the Dred Scott v. Sanford decision, but at least in Scott the court had a sound legal principle to support its decision.

Anyway, I can't believe you're claiming the democrats should somehow be blamed or tarnished for seeking a recount in an election where equal protection had obviously been violated. The fact that such a request even made it into a court should tell you that the republican party, at least at the time, cared more about being in power than it cared about the democratic nature of the united states or its constitution.

That's nice. Does it finally kill the idea?

[ObviousGuy]

It's bad enough that the internet was going to be used to count votes outside the country. How much worse would it be with all those illegals voting online here inside the U.S. borders?

Why trust internet banking then?

[MrRTFM]

If this 'internet' is so insecure , why are the big corps. trusting it to transfer billions of dollars around.

I must be missing something - this is technically feasible, they are just doing it the wrong way.

Re:Why trust internet banking then?

[Rufus88]

Because they have a way of verifying after the fact that their transactions occurred as they should, in case they suspect fraud. With internet voting, you can't. In fact, regardless of the voting mechanism, it's important that you not be able to verify that your individual vote was recorded properly, because that would imply being able to prove who you voted for, which would permit vote-selling and make people susceptable to vote-extortion.

Re:Why trust internet banking then?

[stratjakt]

Banks are insured. Elections aren't.

Re:Why trust internet banking then?

[zeugma-amp]

Yes. You are missing something. The fundamental problem with internet voting is that it needs to be able to assure three things:

First, that the person voting is eligible to vote. This is not too hard to do. We know how to verify identity, though there are a few issues with this that are not present in a financial relationship.

Second, that the person's vote is anonymous. Anonymous voting is trivially implmented. There is a problem when you combine the above verification requirement with the need to keep a given person's vote secret.

Third, that the election be auditable. THere was yeling and finger-pointing in the last American presidential election. Could you imagine what it would be like if votes just suddenly marterialized out of the ether with no way to audit them?

Combine all three of the above requirements and you have a very tough problem at hand. We don't want to be able to have some political hack analyze the raw vote data and b able to say "Joe Blow voted for candidate X, as this could, for various reasons result in repercussions of one kind or another on Joe, thus allowing others to intimidate his vote.

This is one reason why I really dislike mail-in ballots. Mail ballots allow an agent of Party y to hand an absentee ballot to Joe, make sure he marks for the 'correct' candidate, and then mail it in, assured of the vote rendered. It is a also a sitation custom made for fraud on a massive scale. With in-person voting, party X can pay Joe $5 dollars to vote, but when Joe deposits the ballot in the box, there is no way to guarantee that Joe voted "correctly".

Now, there some bright fellows have proposed cryptographic protocols that solve the problems mentioned above. Unfortunately, you are dealing with an electorate too stupid to figure out how to punch holes in a ballot reliably. The Protocols for secure, anonymous internet voting are far too complex to ever be used in the real world.

From a non-expert perspective

[The+I+Shing]

I'm not a security expert, but voting on the internet strikes me as being about as secure as locking up your bicycle with twist-ties.

I'm glad they've dropped this idea.

Re:Can't this be fixed?

Couldn't they just require every voter to encrypt and sign their vote with a unique PGP key?

OMG! You solved the problem! And in one sentence too! Could you tackle spam next? Thanks.

This issue doesn't apper to be closed after all

[Flexagon]

This more complete article has a quote that suggests this issue really isn't closed after all:

Wolfowitz's memo, written to David Chu, under secretary of defense for personnel and readiness, allows the Pentagon to continue work already in progress to look into "other technical applications for voting on the Internet or electronically," the defense official said.

"The door is still open to other methods. It's just that the SERVE we have decided not to use," he said.

Admit it

[ObviousGuy]

Aren't you just the tiniest bit curious to see how cool a Sharpton presidency would be?

Just imagine all the quotes he'll leave for posterior.

Big problem

[Mieckowski]

The projects home page states that it "will let eligible U.S. citizens vote from any Windows-based computer with Internet access" WHAT? Making it harder for linux users to vote? (and as a result having less of them represented) Supporting Microsoft?

I don't see how this got so far already.

E-voting sucks. What we have today sucks more

[fnord123]

I look forward to the day that electronic voting comes in as long as it provides a some means of of doing verification, because I do not trust my goverment (that includes both the Demopublicans and the Republicrats) enough to trust their vote counting today even without electronic voting coming into it.

Today I drop my ballot in the mailbox (I live in a mail-in ballot state) and just have to trust everything is on the up and up from there.

What I would like instead is to have every voter to get a receipt when they vote, that uniquely identifies their precinct and vote, and shows a unique number for that vote/voter combo. Something like:

Vote #: 54353654354 Precinct: 58 Voted for: Mickey Mouse (or whoever)

Then I'd like those all those numbers published somewhere after every election so that anybody can download it. Note that my vote is still anonymous, nobody knows who vote 54353654354 is because of the nature of one way functions.

Any voter could go look at the published list to see that their vote was counted correctly. If it was counted incorrectly (I.e. the count showed my vote to be for Dopey instead of Mickey Mouse), then I could step forward with my biometric data to prove it. If enough people step forward, the election was clearly bogus and needs to be redone.

Any voter could download the entire list and count the votes for themselves, at least minimizing the chances of large #s of votes appearing out of thin air in any particular precinct, and making counting of votes very clear and open to all to verify.

Is it foolproof? Nope, but it is a lot more transparent process than we have today, where I have no visibility whatsoever into my vote being counted, what the real totals where, etc.

S.E.R.V.E

[skzbass]

SERVE another acronym brount to us by the people who concocted such obcenities as: US VISIT and US PATRIOT ACT. Who is this wonderful group you ask? why the Federal Acronym Reasearch Team (who mysteriously doesn't go by their acronym)

Secret ballots?

[Mieckowski]

If any computer can be used to vote, how are the ballots kept secret? If someone's vote is observed (and they might be pressured into this by husband/wife/friend etc...) I can easily see people avoiding voting for controversial canidates, or somebody who their friends oppose.

Re:Can't this be fixed?

[El]

Actually, I do have a partial solution to spam, but in involves changing the email protocol to require the SENDER to store the email, rather than the receiver. The current protocol was devised in uucp days, when it was common to store-and-forward email over several dial-up hops to it's destination. These days, everybody that has an email server also has a web server. If you sent only a URL and (optional) encryption/access key via the old protcol, then retrieved the rest of the message from the URL, this would elimate spoofing and put more of the burden on the sender and less on the receiver. It would also be more efficient -- currently, if I send the exact same message to 100 people, it uses up 100 times the size of the message in disk space on the receiver's servers. But if was stored on the sender's server, it could use the same copy for everybody! Yes, there is some additional overhead to track whether specific addressees have downloaded the message and determine when to delete it, but I think with some work it could be turned into a useful system -- certainly an improvement over the current system.

Good call

[spun]

Not everyone in the US government is a nimrod or a thief. There are plenty of shady goings on, but no over-arching nefarious conspiracies. Certainly, it looks bad when most electronic voting companies donate to Republicans, get contracts from same, and then leave holes in their software, but I think the conspiracy ends at graft and cronyism, not deliberate vote fraud. The companies donate to the Republicans knowing they will get lucrative contracts. The security issues are a seperate problem.

Electronic voting at polling places could be implemented securely, but it would be VERY difficult to make a secure voting system that meets all of our (US) requirements and runs over the Internet.

Interested in putting together a panel in NYC

[Sam+Nitzberg]

There are going to be more stories and issues related to Internet voting - here, in the US, and abroad, ranging from small club functions being voted on, through governmental matters from local - to - larger levels...

My concern is that any system be appropriately thought out, formally and precisely defined, using rigidly designed systems (not necessarily off-the-shelf), made to precisely and verifiably conduct voting tansactions, without being able to disclose, leak, or bleed any information that is not supposed to escape the system.

The Johns Hopkins study is an excellent reference and resource on the issues that have to be addressed.

I am personally interested in setting up a panel in New York in Mid-July (not much - just about an hour), but at an interesting venue. I am not offering funding, but there could be some visibility.

I would welcome hearing from anyone who is doing interesting work in this area - in the US or overseas, that would be interested in participating on such a panel, to include related topics on technology-and-democracy.

Sam Nitzberg
sam@iamsam.com
http://www.iamsam.com

Re:The pentagon counts votes??? You must be kiding

[caudron]

the idea to let the armed forces have anything to do with overseeing voting seems both ridiculous and dangerous.

The Pentagon has an interest in this because these votes are the overseas ballots for the men and women of the U.S. Armed Forces. The Pentagon's job is to make sure there is a reasonable way for their people to get a say in the government back home. They are not involved in the vote tally itself. This is just the Pentagon saying that this method is not acceptable to them. A legitimate and sane response, given the known security risks.

Run the numbers on why it needs to be anonymous

[foniksonik]

Back in the day people were ignorant and there were far fewer voters to persuade in order to determing an election by a) buying votes or b) forcibly compelling them.

In the present day there are millions of voters and we have very good methods of criminal science and investigation to deter lawbreakers. (Now this may not be relevant to regional elections as the number of voters as well as imperative to dissuade criminal activities are lessened.)

SO if someone did want to buy off an election how much would they have to spend to get even 2% of the vote? The CIA factboook says there are a little over 290 million people in the USA, around 60% of whom are of voting age... minus inelligibles, lets say 45% just to be safe, that's a little over 130 million people, lets say that 10% actually vote.. 13 million. 2% of that is 260,000 people for a presidential election. I don't know anyone who'd sell their vote for $10 but just for the hell of it... that would cost 2.6 million dollars to buy 2% of current voters. Now if you brought in all the non-voting but elligibles... the chances are greater that more people would sell their votes but the percent of total voters would change accordingly, meaning that the more voters there are, the less an individual vote counts, so it would take even more money to buy 2%.

Granted that 2.6 million isn't a lot compared to how much the candidates or their parties spend already... but it is illegal, so they would have to somehow pay off that number of people for that large sum of money AND hide it all from the government, the people, the media, etc.

This assumes that people would be willing to commit fraud a federal crime for $10 and risk going to federal prison for any number of years (I don't know the penalties).

As far as extortion goes, extortion is a crime. How many lackeys are really willing to put pressure on people for this? Knowing that they personally can't possibly convince enough people to make a difference.

The question is... do we really need an anonymous vote in the present day? SO what if your friend give you a hard time, you probably already tell them who you voted for anyways and already suffer the ridicule or whatever. We have anti-descrimination laws already on the books that could be extended to cover this as far as your job or any other official relationship is concerned.

Why not have your vote tied to you? The biggest drawback I can see is that you'll open yourself up to election related spam and direct mail campaigns every 4 years.

I'd like to hear about other real concerns and why we still need anonmous voting. bring it.

Not the voter anonymity problem

[Gorimek]

One fundamental flaw with Internet voting is that there is no way to verify that the voter does not have a gun held to his head while voting, or is subject to some other pressure.

Only by having the voter go in alone in a booth to vote out of sight of everyone else can that be assured.