In Theory And Practice, Why Internet-Based Voting Is a Bad Idea
A few countries, like Estonia, have gone for internet-based voting in national elections in a big way, and many others (like Ireland and Canada) have experimented with it. For Americans, with a presidential election approaching later this year, it's a timely issue: already, some states have come to allow at least certain forms of voting by internet. Proponents say online elections have compelling upsides, chief among them ease of participation. People who might not otherwise vote — in particular military personnel stationed abroad, but many others besides — are more and more reached by internet access. Online voting offers a way to keep the electoral process open to them. With online voting, too, there's no worry about conventional absentee ballots being lost or delayed in the postal system, either before reaching the voter or on the way back to be counted. The downsides, though, are daunting. According to RSA panelists David Jefferson and J. Alex Halderman, in fact, they're overwhelming. Speaking Thursday afternoon, the two laid out their case against e-voting.
(Read more for more, and look for a video interview with Halderman soon).
Jefferson and Halderman have impressive credentials as analysts and critics of internet voting. Jefferson, a computer scientist at Lawrence Livermore National Laboratory, is chairman of the board of the Verified Voting Foundation, an NGO focused on promoting election integrity, and coauthor of a report that spurred the Department of Defense to withdraw for further consideration its then-plan for online voting, called SERVE, in 2004. Halderman takes a different, hands-on approach, demonstrating (along with his grad students at the University of Michigan) just how polling-station election machines and online voting systems can be compromised. "I've probably hacked into and otherwise found vulnerabilities in more polling places than anyone else," he says.
Jefferson and Halderman are careful to define the key element of elections they're trying to expose as unfixably broken: namely, the delivery of completed ballots over the internet, whether that means a web app, email or some other conduit, without a voter-verified paper audit trail. Some kinds of election technology can move from the voting booth to the online world with less risk to the integrity of the election itself — for instance, distribution of blank ballots, or even online voter registration. "This isn't about keeping score of primaries, or gathering information about candidates, but actually voting," said Jefferson. The risk of hacked elections isn't just the possibility of political rivals trying to out-do each other, he said; ultimately, vulnerable election systems compromise national security and ballot secrecy. Even a few hundred votes may suffice to swing a House or Senate race, and that can have cascading consequences for control of elected bodies themselves. "Wherever there's a concentration of votes sufficient to swing a major election, there's a national security concern."
Why assume that election systems can be manipulated? And since paper ballots are not immune to questionable or downright fraudulent counts, why call out the electronic version in particular? In part, he says, because the structure of an electronic voting system is inherently complex, and because it's difficult if not impossible to roll back results if a compromise is suspected. Unlike paper ballots (and in the absence of a paper audit trail backing an electronic voting system), online vote gathering offers no good way to re-count. Jefferson laid out four major and overlapping areas of likely attacks on internet voting systems, any one of which could taint the results of an election.
First, individual voting jurisdictions are vulnerable to attack. (In the U.S., for federal elections, that essentially means counties, totaling more than 7000.) Even in local races, there can be billions of dollars at stake in high-population counties like Cook County or L.A. County. Vendors, both their networks and their source code, are also at risk. Assuming that even best efforts can keep the source code behind the handful of election-system vendors safe is a sucker's bet, Jefferson says. Even large companies with enormous security resources have been hacked, with source code a prime target, as happened to Google and 25 other firms in 2010 in a breach attributed to Chinese operatives. "Who knows if those [online voting software] vendors have already been penetrated? You wouldn't have any idea," said Jefferson.
Even if both local voting authorities and e-voting software vendors were themselves able to deflect all attacks, voters using an online voting system on their home or office PCs would still be at the mercy of the weakest link of the chain — the security of the machines available to them. Targeted malware could be used to present a different set of on-screen options to a voter than it actually sends back to the election counters. Because one of the protections of a secret ballot is to make available to voters proof that they voted but not how they voted, individuals who intended to select candidate A would have no reason to know their vote was cast for candidate B instead. Malware could also simply vote without user interaction. It may not be election related, but a large fraction of PCs are already infected with some kind of malware, showing how big a problem this could be.
Finally, pure network attacks (or even errors) could disrupt the integrity of an election; exactly that kind of attack brought much of Estonia's online traffic to a halt in May 2007; lucky for Estonians that was not during an election, because Estonia is one of the few countries that has fully adopted online voting. Perhaps more chilling is the brief re-routing in April 2010 of 15 percent of the world's internet traffic through China.
Insecurity on the internet is itself a long-standing problem, so why the fuss? Unlike financial crime, such as credit card fraud, election fraud is hard to detect, and even harder to correct for, in large part because ballot secrecy is key to fair elections.
Voting is different. "Superficially, you'd think the transactions are very similar [to financial transactions], but underneath, all the issues are completely different. The privacy requirements are completely different, for example," says Jefferson. To prevent coerced voting, or simple vote selling, "You're allowed to tell anyone how you voted all you want, but you're not allowed to have proof of how you voted." Rolling back results to investigate suspected breaches is impossible, Jefferson says, without exposing the actual votes of individuals, at the very least to election officials.
Investigating financial crime online is the opposite; there, figuring out exactly who did what and when is the whole point, and the evidence is easy to find: if banking credentials are stolen, he said, "some account will go to zero." But in the case of elections, it's more likely that "the wrong people take office, and life goes on, and it's just never discovered."
And while no election fraud has yet been attributed to it, the trend is growing to institute the version of online voting that Jefferson calls "the worst idea ever" — voting by email. 33 states have modded their voting systems to accept in some cases PDFs of scanned ballots through ordinary e-mail to be entered by election workers. The numbers may be small (typically, this form of voting is limited to overseas voters, and in some cases voters are asked to acknowledge that their vote cannot be kept secret), but this allowance means that "e-mail voting is very widespread in the United States."
While Jefferson works through Verified Voting to influence policy makers to lay out the case against online voting, J. Alex Halderman, in his role as an assistant professor at the University of Michigan, turns theory into reality: he and his students break election systems (devices as well as software) in the U.S. and abroad to show just how easily a malicious attacker could do the same. He offered as an example of several of the ways electronic voting can fail his successful attack on an internet voting plan (see this earlier Slashdot story) that was to have been implemented in 2010 in the District of Columbia. The District had, with Federal grant money, designed an online voting system and already put it nearly into production, and had mailed PINs and voter ID numbers to voters in anticipation.
To D.C.'s credit, Halderman says, the election officials at least asked first for advice from security experts around the country, and invited them to test it in advance of using the system in an actual election, though mere days before the system was to have gone live. "It's not every day you're invited to hack into government computers without the threat of jail hanging over your head," says Halderman, who was attracted to the challenge of investigating the system itself, as well as curiosity about how the D.C. officials would respond to a system compromise.
Though Halderman says the Ruby on Rails-based system was written in "generally clean code," his team discovered a shell injection vulnerability which gave them access to the D.C. system (see his full paper as a PDF for the details), and immediately set about playing.
Web apps tend to be brittle, says Halderman, and D.C.'s was no exception. "App frameworks are written in ways that allow small mistakes to have big consequences," especially when vulnerabilities are often widely disseminated soon after discovery, and not always by white hat hackers like him.
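To make the "small mistakes, big consequences" point concrete, here is an added Ruby example of the shell injection bug class. It is not code from the D.C. system or from Halderman's paper. The file name, the `echo` stand-in for an external tool, and all function names are assumptions made for illustration.

```ruby
require "open3"

# Constructed sample input: a user-supplied file name carrying shell syntax.
HOSTILE_NAME = "ballot.pdf; echo INJECTED"

# Vulnerable pattern: a single interpolated string is handed to /bin/sh, so
# metacharacters inside `name` are interpreted by the shell. `echo` stands in
# for whatever external tool an application would call (assumption).
def process_unsafe(name)
  out, _status = Open3.capture2("echo processing #{name}")
  out.lines.map(&:chomp)
end

# Hardened pattern: program and arguments are passed as separate strings, so
# no shell is started and `name` reaches the program as one literal argument.
def process_safe(name)
  out, _status = Open3.capture2("echo", "processing", name)
  out.lines.map(&:chomp)
end

# Defence in depth: accept only names that match a strict allowlist.
SAFE_NAME = /\A[A-Za-z0-9_-]{1,64}\.pdf\z/

def valid_name?(name)
  SAFE_NAME.match?(name)
end

# Validate first, then call the tool without a shell.
def process_checked(name)
  raise ArgumentError, "rejected file name" unless valid_name?(name)
  process_safe(name)
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe: #{process_unsafe(HOSTILE_NAME).inspect}"
  puts "safe:   #{process_safe(HOSTILE_NAME).inspect}"
  puts "valid?  #{valid_name?(HOSTILE_NAME)}"
end
```

The only difference between the two calls is whether the arguments are joined into one string before execution; in the unsafe form the second output line comes from a command the caller never intended to run.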
"The first thing we did was steal all the important stuff," he says — credentials, keys, and more. Simply snooping on the data wasn't enough to fully demonstrate the problems in the system, though; the team replaced the information on all of the ballots as well, replacing the actual candidates with ones of their choice, offering up options like HAL 9000, and Bender for school board, and forced client machines to play the University of Michigan's fight song, before erasing the logs that would have allowed their intrusion to be properly analyzed by the system's administrators.
Their attack also led them to gain full access to a terminal server on the same network, and after they'd hacked into this ("using the default password from the owner's manual," Halderman notes) they noticed there was evidence in the logs of other attacks. In particular, some of the attacks appeared to originate in Iran and in China. While Halderman doubts these represent an attack specifically on the D.C. voting system, the evidence of such attacks is "an illustration of how vulnerable things are."
Halderman acknowledges that voting in person, especially by electronic means, is far from foolproof, but he joins Jefferson in saying that online voting is categorically worse, and suggests that everyone who takes an interest in security or the mechanics of democratic elections raise the issues of privacy and security. His conclusion and advice for election officials in the U.S.: Voting online is a bad idea, and it simply can't be fixed in the foreseeable future. All the security problems of e-voting machines at polling stations apply directly to internet voting, too, which means that anyone on Earth can attack an online election.
"If my vote is insecure, everyone else who lives under that same government is harmed by that."
ugh... blackroll
Mark Anthony Collins
Ugh. Only slightly less disgusting than goatse.
It is pretty obvious that electronic voting requires both anonymity (to remove fear of retributions) and accountability (to remove fraud).
About the only way to do that is to issue each person a pass-phrase-coupled pair of electronic "vote cards" that is non-identifying. It would require the presence of both cards and the pass-phrase to vote. If you lost one card, you can use the other (plus the pass phrase) to invalidate the lost card (and any recently cast votes.) If you lost both cards, you are SOL. No vote for you.
So, you just can't have a reliable electronic voting system.
Punchscan and other E2E methods. I guess too complicated is the drawback.
Any concerns using machines just to speed up counting of the votes?
NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
or Russian or Lower Slobbovian or Crown Prince of Liberia seeking assistance in returning 500$million from us banks.
or a basement dweller scripting 170,456 votes for write-in U. B. Silly for mayor of Podunk, Kansas.
if this is supposed to be a new economy, how come they still want my old fashioned money?
You can't have both privacy and accountability over the Internet. You need accountability to ensure that votes are counted correctly and that nobody votes more than once. You need privacy because people have to be able to feel safe voting against individuals or groups who have the means to assert unlawful control over a particular jurisdiction. I can't see how you could ensure both privacy and accountability through purely electronic means.
Simple example: I could easily commit fraud by submitting a vote for my wife if I knew she hadn't voted yet. Complex example: I could hack the voter database with ten minutes until the polls close... find out everybody who hadn't already voted... and use a botnet to cast their votes a particular way. Slightly less Complex example: I could use a botnet to cast everybody's vote a particular way within the first 17 seconds of the polls opening -- Election Over... Landslide Victory for Kodos!
Voting is already easy, just check some boxes on the form they mail you and stick it back in the mail box. If you can't handle that, perhaps you shouldn't be voting?
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
Over the last few decades, American states have tried one thing after another to "make voting easier" in an attempt to increase participation (and, usually, to sway elections by increasing the number of voters aligned with one major party or the other). Two of the most significant have been the passage of "motor voter" laws (you can register to vote when you get or renew your driver's license) and "vote by mail". However none of these have really worked. People (like me) who are inclined to vote will do so, whether by mail or by traveling to an assigned polling place. The majority of American voters, though, simply don't seem engaged in the process.
I'd be all for e-voting with the right technology (secure and economical), but it's just about convenience for me. But I'll vote in any case - I have no illusions it'd increase participation.
#DeleteChrome
1. Identify areas where [opposing party] voters are likely to outnumber [supported party] voters.
2. DDoS routers / MITM block voting site for those areas.
3. Power.
No, I didn't miss a step.
It's better to vote for what you want and not get it than to vote for what you don't want and get it.
- E. Debs
Who will witness the voting? It's totally hidden. Somebody could open free sex massage saloon especially for voters of his favourite player...
There's total scam possible. Starting from especial viruses made like for Iran, and ending with hookers for "free"...
That's nonsense.
Nobody can witness that elections are really democratic.
The problem is not with online voting itself, but with the current unsecure implementations. We simply don't have a working online election system yet. As in all fields, progress in cryptography requires time and hard work, but in my opinion with enough determination we can solve all problems in 5 years. Before that, online voting is lunacy. After it has been made secure, I will be all for it.
As noted in the introduction, the easier it is to vote (internet, mail, motor-voter registration, etc.), the more people vote who wouldn't otherwise have voted. This is the best reason there is for not making voting easier, for it is these marginally-motivated people who are the least informed and the most ill-informed.
There are no downsides to voting online. There is no one that would try to tamper with the online voting without making it obvious it is a fraud. I mean Russia would have an interest in it, but they have better chance of buying off the main parties to actually putting their candidates in power.
People's home computers are an awfully weak link in the chain. TFA mentions it, but I think it bears repeating: an embarrassing number of US home computers are infected with some sort of malware. I've read estimates as high as 60% of all computers.
I won't trust most strange computers enough to log into my Gmail account (even using two-factor authentication), unless they live under the control of either me or a very short list of other people I know and trust to keep a clean system. So obviously there's not a chance in hell I'd trust those malware lockers with the keys to our government.
Why?
it's so easy to game I'm surprised somebody even suggested it. Seriously, besides all the botnets and hacks and other obvious things... what prevents goons to start selling parts of "their territory" to candidates, and then set up a voting place at some location, making sure everybody votes "the right one" at gunpoint?
It's as if politicians in america were trying to use technology to make fraud easier by the day.
I'm unsure about the "as if"
It's not hackers; it's the people making the voting systems that are in the best place to fix them.
tl;dr
Just look at what is currently taking place in Canada, and the issues during the 'hanging chads' incidents in the US... is electronic voting any worse than what we have?
I suspect that a combination of electronic and paper might be a solution, e.g.
You get a pincode, do your vote, but when you are done voting you have to print out an electronic confirmation that gets mailed back to validate the election if a recount is needed...
Maybe the Americans just need to simplify their elections a bit... in our federal elections I generally mark one x on one ballot... provincial elections, same, municipal elections, I often have to fill in THREE items... holy cats!
2.) The problem is not stopping cheating, but detecting it.
3) Which clearly illustrates the problem with using internet voting.
The most interesting thing about internet/computer technology is the huge decrease in the number of humans necessary to do work. An executive with good word skills doesn't need a secretary pool.
Similarly the real problem with internet/computer based voting is that now a small group of hackers can cause MAJOR election fraud with a far smaller number of conspirators. The traces are much harder to find, or worse, to prove.
It is not the ease of cheating that is the problem, but instead the difficulty of detecting it.
excitingthingstodo.blogspot.com
Bad idea because it will allow Anonymous votes?
The difficulties of coding a secure voting system are no more difficult than those of coding a secure debit or credit card payment transaction, and subject to EXACTLY the same risks.
The bigger issue is that every single electronic voting platform I've heard of to date has been a closed-source solution, uninspected, unverified, and unaudited. With a proper open source solution that could be inspected and vetted by the hundreds of thousands of programmers out there who'd be interested in finding flaws, I've no doubt a proper solution could be implemented.
It would beat the heck out of the robocall scandal currently plaguing Canada. Making calls to misdirect voters to non-existent polling stations would be futile if people were voting from home.
As to the issue of verifying identity, when you apply for unemployment insurance, your ID is checked online and a card sent to your last registered snail-mail address with the security code needed for initial systems access. I'd think a similar system would be adequate for online voting registration.
The bigger problem is that voters would be pretty much guaranteed to forget their passwords between elections, and that would be a huge problem with the process.
I do not fail; I succeed at finding out what does not work.
Electing requires anonymity.
Voting directly on issues, however, can be done publicly. Then everything is verifiable, because you can see if your vote is registered properly.
All practical methods for voting are vulnerable to fraud. Some methods, like paper ballots, provide better resistance to systemic fraud, others provide better resistance to small-scale fraud. Systemic fraud is the greater risk, by a huge margin. Vote by mail is vulnerable to manipulation on a household level, but is very hard to systemically defraud. For example, a household tyrant might steal the vote of other household members and intimidate them into silence, but this same villain would have a hard time stealing the votes of neighboring households. With electronic voting, whoever hires the best hackers can steal the election.
I've done most of my voting in the US State of Oregon. In Oregon all voting is done by mail. All registered voters receive a ballot with an anonymity envelope. You fill out the ballot, put your ballot in the anonymity envelope, put that in the envelope with your name on it, sign the outer ballot, and send it off in the mail. All the paper ballots are there for future physical counting, and you can check whether your vote was received. There is no election day voting, except to drop your last-minute ballot off at the Post Office before polls close. Voting is done by mail days or weeks in advance. Vote-by-mail is a secure, effective, and practical voting method, and is virtually immune to the sorts of systemic fraud that plague electronic voting.
I encourage other Slashdot readers to support vote by mail in their locale.
Well, what they do in Sweden for voting is still old-school paper ballots... in fact, to a former North American it is almost a bit scary as the political parties are allowed to hang around the polling stations handing out polling slips... yes, you use a specific polling slip for the party you want to vote for, and the well-organized and well-funded parties will sometimes send out the voting slips ahead of time! What they also have in Sweden is a national ID system - everyone has an ID number that is used for everything - taxes, healthcare, picking up packages from the post office - everything! And tied to that system are the major bank systems, many of which use a Bank-ID token which you load on your computer to allow online tax submissions, health insurance claims, parental leave (hello 480 days paid leave!), etc. The online part of the ID validation is based on either a single-use scratch bankcard or a keypad that you insert your bankcard into, which you enter a validation code, your PIN, and then it returns a validation code. So, my guess is that switching to e-voting in Sweden would be a breeze, and the security would definitely be strong. Now that I think about it, no idea really why there is no e-voting here yet - heck, you can file your taxes by SMS here!
sig? what sig? i didn't see any sig...
In my view an important property of any ballot is that the great majority of people must be able to understand the whole process. That's the only way for people to have confidence that there's a reasonable chance of detecting and preventing rigging. It also rules out pretty well any form of electronic voting. Internet security involves very serious maths that very few people can handle.
Around here we still write numbers in squares on pieces of paper and drop them in the ballot box. It works. The cost is tiny compared to the cost of government. I just can't see the advantages of more automation being worth the risk.
People might think it weird that an IT guy would have this luddite view but I think, on the contrary, I'm better placed than most to know what could go wrong.
Unlike paper ballots (and in the absence of a paper audit trail backing an electronic voting system), online vote gathering offers no good way to re-count.
What? Push a button, and the recount is done. You could also distribute the votes to multiple data centers to be independently counted by different software, to reduce the possibility of tampering.
In the US it got decided that handicapped people should be able to vote. This meant that 99% of the existing systems in place could no longer be used. How do you have a blind person vote without assistance? How about someone that has lost the use of their arms? Then there are the issues of having to have ballots in the language of the voter's choice. This is the sort of thing that has gotten us where we are today with electronic voting machines.
I think the "right" answer is to tell the handicapped that they need to have a "voter" that they bring in to help them or they just don't get to participate. Because that is a lot simpler than all of the other solutions and impacts the fewest number of votes. Same thing with folks that insist they must have a ballot in Urdu - the answer there is English is the official language and no government documents need be in any other.
The other problem is "subjective voting strategies" like the hanging chads. Clearly, this was proven not to be working and worse, more and more chads got punched out the more the cards were handled. Meaning a perfectly valid ballot (card) was invalidated because another punch was made simply by handling it too much. This clearly needed to go.
Arizona uses paper ballots which are electronically scanned. Handy for the polling place but not so good for blind people and those with serious vision problems. The "bad ballot" problem where someone makes too many or too few (or too light) marks is handled immediately because the ballots are scanned when you hand them to the attendant. But it doesn't satisfy the requirements for allowing nearly all handicapped voters to participate. Nor does it solve language problems - Arizona is pretty simple where they need to print only about 25 different language ballots to meet all of the citizens' needs. But imagine a place like LA or New York with hundreds of different languages mandated by the state to be supported. Every election brings new protests that ballots are not in the "right" languages.
Electronic machines that make paper ballots might be the only way that works, but there is no getting away from the electronic machines. They are the only way to deal with the language problems and the handicapped problems. So we aren't getting rid of electronic voting, ever. We just might make it a lot more complicated though.
I certainly agree that Internet voting is so insecure as to be an absurd idea.
It's a fine idea until 1337 Polibot wins by a margin of 4 billion votes in a write-in campaign and the referendum on dictatorial powers passes. Then the first act of the administration requires us to do our taxes in binary and funds a "Kill all humans" campaign. What? A glitch you say? We can't change it. It's democracy. It's sacred. Kill all humans.
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
Earlier today Bender was elected head of the DC school board. Now he'll set his sights on President of the United States of America! http://yro.slashdot.org/story/12/03/02/1547206/voting-system-test-hack-elects-futuramas-bender-to-school-board
I prefer to vote projects than parties. The political/judicial/exec system is a huge Ponzi scheme, where the taxpayer has to pay and the politicians and friends collect the monies.
I agree that this is a hard problem and that there are many exposed 'weak links.'
But I don't think it is insolvable.
If someone were to offer $1 million to the best proposed solution, and a handful of $100,000 runner up prizes, the zillion smart people who read /. and are underemployed would come up with some great solutions.
There are some tricks that can be borrowed from current election checking. For example, look carefully at all of the user statistics -- compare to prior elections, registration stats, time of day, IP addresses, user PK certificates, comparison to other, "similar," voting domains, etc. This type of non-privacy-invading audit is good at identifying problems down to about 1% - 3% of the voting population. A hacker, trying something for the first time, has a good chance of getting located this way.
Another trick is sample audits -- a bit like "exit polls," where a fraction of voters are asked how they voted. This can be viewed as privacy invasion, but it happens all the time, now, so there is really no policy change. Again, this can find anomalies down to about 3%.
Another trick is post-election audits of PK certificates. Better late than never.
Another tool is to carefully monitor internet traffic to look for anomalies, particularly DOS attempts.
Another tool is to provide "hardened" computers that voters can use, at places similar to today's polling locations -- senior centers, gov't offices. These machines have had some type of security audit. And yes -- this approach has its own risks, I know. I would suggest mixing this approach with user's own computers.
I know people want to use web browsers, but I would not do that. Voters have to download a totally dedicated app (see open source, below), and each app has PK signature.
Another trick is give some users hardware keys, like paypal and RSA use. Even if only 1% of voters have a hardware key this provides a very high degree of polling information and that can spot fraud down to a small fraction of a percent.
And finally, all software should be open source. Period. As pointed out repeatedly, relying on secrecy is pretty much a guarantee of breach.
I am not offering a solution here. I am merely pointing out that there are methods and tools that can be used as a starting point for a real solution.
Don't say a problem is insolvable until you have tried seriously to solve it.
And finally, no voting system is 100.000% perfect. Get over it. For example, no system prevents buying votes. No system prevents voters from lying. Build the best system you can.
I will create a sig when innovation restarts in the U.S.
Of course this doesn't apply to everyone, but if someone is too lazy to vote the old way, I'm not so sure we should want their vote counted anyway.
Not that I'm particularly eager to put our elections in the hands of the post office, but before we consider an internet voting system, we need a postal voting system. Many states (including New York) do not allow postal voting unless you can prove you can get to your polling place (if you're out of the state/country). There's a good reason for this, and it's been brought up before: it's not a secret ballot. In theory, your employer can force you to fill out your ballot in front of them.
On the other hand, California allows postal voting. If it works in California, it should work in NY and across the country. Postal voting would make voting about as inconvenient as Netflix.
Online voting has a lot more problems. I can see some pretty insidious botnets getting into the business of faking votes, possibly by just masking the input and display to the voting site. Electoral fraud could become a huge business for individuals, corporations and foreign governments.
Intercepting mailed ballots at least should require a lot more resources, and be much easier to detect.
The right to protest the State is more sacred than the State.
It's really not that complicated. If you file taxes you can vote. Change the election schedule to fall in line with taxes. Those who pay the taxes should be the ones determining who is elected.
... that means that we're not going to see DialIdol [dialidol.com] modified for many upcoming elections. Too bad. I was looking forward to hearing Obama singing "Another One Bites The Dust".
They can take my LifeAlert pendant when they pry it from my cold dead fingers.
... major issues like media control by corporations. Voting in the states has gotten so bad because of the likes of news organizations like fox news. As long as corporations control the media voting doesn't mean a lot because most voters are horribly misinformed.
1. Voting servers in massively distributed cloud (avoids likelihood of DDOS or particular routers affecting outcome.) Perhaps even a peer-to-peer cloud. Of course the actual data would be encrypted, fragmented, fragments re-encrypted, and redundantly distributed. With a peer-to-peer cloud storing fragments of ballots at random, ddos'ing affects all ballots from everywhere equally.
2. Election made 1 month long. Try keeping up your DDOS attack undetected all month long.
Where are we going and why are we in a handbasket?
I just want to further point out some features in our e-voting system:
1) Voting is done with secure smart card (which is mandatory for all citizens). So no e-mail based system or anything like that. The card has been in use for 10 years and no one (to my knowledge at least) has proved it to be faulty or insecure. And the smart card reader costs about 6€ and is available from every bank office.
2) Buying votes or forcing to vote is avoided through re-voting process - you can recast your ballot infinitely during e-voting and you can also vote traditionally at voting centres, voiding your previously cast ballots.
3) Votes are stored in a storage server during voting, and not until the counting process are they transferred to the counting server (which has no physical connection to the outer world). Beforehand, all voters' information is removed from ballots. Voters' choices are encrypted with a key (and the private key is stored in a tamperproof secure machine), so ballots are not readable in the storage server. This should prevent "fixing" the results, as it is impossible to know to whom the votes are given.
4) The counting process is based on trust (as is traditional voting). Furthermore, there are independent observers and protocols. At least I believe that the whole process is honest (I also don't observe voting centres, as I also trust the people working there).
Of course, even with all these measures (and more) in place, there is a possibility that some ballots have been tampered with, but comparing it with the pros it gives (mostly allowing citizens abroad to vote), I personally don't find it very disturbing. There was one proof-of-concept attack on the user computer, but detection systems discovered it quite quickly and one faulty ballot, but statistically it is quite insignificant.
The system design is quite open (although I haven't looked for English version of these documents), but the software is closed and released to public just in time so no one would have the possibility to reverse-engineer the program during the short time frame.
There's a running joke with World of Warcraft accounts, where a reasonably sophisticated group of mostly Chinese hackers constantly tries to log in as you. There's been phishing emails (please fill out this survey / you've won a free in-game whatever / your account is in danger of being disabled if you don't confirm you are you), there's phishing whispers in game (player to player direct communication), there's phishing shouts in trade chat (a channel visible to a very large percent of a server at any given time). They post bogus links on forums. Once you follow a link, it's all about exploiting your browser or just fooling you to typing stuff in. You can have an 'authenticator', one of those pseudo-random d00ders that gives you a number, so that stops you from being vulnerable to direct keylogging, unless there is an active agent waiting for that very moment (which has ALSO happened).
This is for WOW GOLD. Imagine what it will be like if it is for THE FATE OF NATIONS.
In addition to all the crap listed above, the amount of manipulation a logged in hacker has to do to gain anything out of your WoW account is actually substantial. It is not substantial to have a tiny thing listed that changes your vote from Bob to Alice, while still telling you that you voted for Bob. Whatever you add to work around this is also trivial to get around for your hacker. Do you send a confirmation email? He sends a fake one, after redirecting yours. Whatever you come up with, there's a way around it, because YOUR CLIENT IS HACKED and THAT WILL HAPPEN. WoW players are at least reasonably nerdy, but in my guild I've seen a masters in EE get hacked (he trusted a binary, don't say you never have), and I've seen a very consistently clever man with get hacked (he doesn't know how exactly, but it's probably when he accessed from a hotel or something). Let me be brief: the dumbest American gets a damned vote, and it is HIS RIGHT that it get cast correctly, and he- or his army of other mouth breathers that access his machine, such as his also dumb wife and kids, will definitely click on whatever rabbit with the pancakes to ensure his machine is thoroughly 0wzzrd months ahead of time, and he'll think he voted for Bob, and he'll cast a vote for Alice, and then democracy breaks even more than it already is.
If they give you online voting, your vote is literally meaningless.
And this is before all the voter fraud that gets EASIER but happens already.
And this isn't the Demopublicans or the Republicrats ensuring their tool gets in office, this could be foreign interests taking over.
Online voting is the worst thing for Democracy, worse even than a dictator covered in blood with heads on spikes.
You will never know if someone made a copy of your vote before it was anonymized, either on the client or server side. You will never know if someone altered your vote in flight, either at the client or server side. Unlike a visible process you have to trust an invisible process. Instead of compromising thousands of voting locations you can mass compromise the system. Any government could trivially disregard all your pretty rules of how it's "supposed to" work and you'd never know it.
Pretty much all your attempts at verifying results will fail because the more reason you have to fear the outcome, the less honest people will be. That in itself is a huge bias, people will be much less willing to admit voting for controversial parties. Any attempt to verify against a control group of paper voters or RSA key voters fails to take into account that it's a bias in itself, I expect the people to vote online to vote differently than those that don't. Likewise with RSA keys. Even a 1% swing is huge if you can make it in a winner takes-it-all system, if you'd flipped Florida then Bush would never be president. How about a little prod and pull now in the primaries? Even worse in representative systems where you can tweak small parties above or below the minimum limit most countries have.
I think it's a really, really bad idea but people are constantly trying to push it. What I fear is that the most "democratic" countries will do it, because here the threat level is extremely low. Then all the shady regimes with all their shady machines and shady policies will do it too and say "hey, we're just like you". It's an invitation to do even more election fraud than they do today, without all the evidence.
Live today, because you never know what tomorrow brings
Have tried to build online voting systems and have concluded that without quantum technology it is not possible (and highly unlikely even with it).
What amazes me is that people are believing that it is.
The paper ballot has a significant set of advantages. The most important being the "air gap" between the voter's hand and the ballot box, and the fact that scrutineers can observe the count from beyond another air gap. You don't have to "trust" anyone, because with enough observational access, you can prove legitimacy and any rorting will only be relatively negligible (an important if rather pragmatic point).
In the digital domain there will always be someone saying "trust me", and that is always going to be the Achilles heel of online voting. Whether it's the programmer, the returning officer, the person who sets the database security, the guy who has access to tap the main network where the system is housed... just so many points of failure that cannot be audited. Even the auditor can be compromised which makes a mockery of saying that it is safe because it is audited.
In paper ballots, the scrutineers are typically from opposing sides, and this tension along with being able to observe but not touch (second air gap) is crucially why the analogue paper ballot is superior.
Sorry to spoil any digital utopian viewpoints but really it is not possible because of the analogue digital divide. The other example being online piracy where record companies and film production houses continue to believe they can prevent someone from recording a speaker, or filming a monitor.
In short, analogue trumps digital because our senses are analogue. And until we get little digital chips in our head that bridge the analogue/digital divide completely... it always will.
Because counting pieces of paper is oh so reliable and efficient!
With internet voting, you can either have transparency (what you retards are calling anonymity) or you can give up transparency to enable validation. /. accounts, calling me troll, and all that shit. Well now you fuckers can actually see the fascists destroying the Constitution and all your rights along with your savings/retirement/investments in the monetary system. Now you can see your jobs going up in vapor, only to be replaced by a police state and unconstitutional DHS. Just remember, this is only ONE part of our elections problems you fuckers couldn't swallow was a problem, now some of you get it, but there's more parts to this problem.
Now you fuckers can eat the fruits of your apathy and hatred to what I warned you against for years now. Destroying many of my
1. Corporate owned media steering all issues and candidates.
2. Electoral College bypassing/end run of popular vote
Next stop? False flag, WW3, FEMA CAMPS, and then Agenda 21
How should we be voting, pray tell?
No electronics are to be used in the tabulation or in transferring the results.
Paper Ballots hand counted 100% public oversight until the totals are tabulated, NOT COPS, AND NOT THE OFFICIALS.
The process must be transparent. Which means nobody knows how You voted, and nobody can identify Your fucking ballot.
Want to argue about ID fine. I don't give a shit anymore. Show your ID to the poll book (Which also can't be electronic!!)
The Corporate owned media problem. Where everything is a left right paradigm. Presidential FCC appointee, and the FCC are what allow this.
Today we have got bigger problems than this internet voting crap. Better wake the fuck up before the banksters make it DANGEROUS to walk to the voting polls.
Anyone else thinking of Loud Howard's "Chug and Vote" party from the animated series of Dilbert?
No-one mentions this, and it always annoys me. Aside from the software failings, there's an obvious systematic one caused by internet voting at home.
Elections should be secret to avoid the sale or compulsion of votes. So you go to a secured place and vote in a booth so that no-one can tell how you voted (and try not to think too hard about those tracking numbers on your slips, but hey). You cannot leave an identifying mark on your ballot - sign a ballot, for instance, and it is invalid and not counted.
Vote at home, or postally, or by proxy, and secrecy is lost. You can sell your proxy to someone. You can have someone watch you while you vote. This may not matter to you, but hypothetically (and there have been cases of this) if you live in a less-than-free country your employer or your commanding officer might check your ballot to ensure you voted patriotically.
*This* should be sufficient reason to insist on voting at a controlled location. If you worry about people being simply too idle to vote - or prevented from attending - then you should go the way of Belgium or Australia, where you must turn out and vote on pain of being fined, even if you then choose to spoil your ballot. But you should never neglect the principle of secrecy in the name of expediency.
Let's assume we create the perfect, impossible to hack and manipulate voting machine, completely open, auditable and whatnot to address all those issues. Still one thing remains: It requires special skill to audit the process.
Today, it's fairly easy to debunk someone calling fraud. Here's the paper ballots, count your heart out. Count again and again, it takes a fairly low skill level to do that. You need to be able to identify the intent of the voter (i.e. play "where is the X") and you need to be able to count. Even reading and writing is not a required skill. I'm fairly confident the average 3 year old could accomplish that feat, at least to some degree. And if all he does is make ticks and then compare the amount of ticks made.
To audit a voting machine, you need a fairly specialized and quite high level of skill. This cannot be done by your average 3 year old, hell, it cannot be done by the average adult. A tiny, insignificant portion of the population is able to do that. You'd have to trust those people if they say that the voting machine isn't cheating.
But why should you?
I fear a loss of trust in the democratic process. Even ignoring conspiracy theories where all the security experts are out to bring down humanity by collectively manipulating the machines and keeping it under wraps, it is not possible anymore to eliminate without a doubt any allegations of rigging elections.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
It has been mentioned before but create something like Bitcoin. Most of the problems with Bitcoin are when people have their unencrypted wallet stolen. This would not be as much of a problem because the ballot which could be a form of virtual e-money would not be issued until the day of the vote so there would be no wallet. The voter could then send the ballot to the address of which candidate they would like to vote for over the p2p voting network. Votes could be counted within a short amount of time by watching the transactions that are sent to the candidate's public address which would make voting fraud or changing the vote harder. Voters could pick up the ballot/bar code/qr code at a voting office and then vote at home, over a phone, library or at the polling station, etc. You would not need to wait around once you have a ballot. The voting software could create a pseudo-anonymous address that would be hard to track who the voter was but it would also allow the voter to verify that their vote still went to the correct candidate by viewing the p2p voting log.
I would NEVER be in favor of online voting. It's too easy to hack the system, no matter how much security you put in place. Yes, paper ballots can be forged, but, there is a PAPER TRAIL. I do not like the argument that "it allows for greater participation" because it makes it easier to vote. Listen Jack...voting is a precious RIGHT. Get up off your lazy bum a** and vote.
The most important aspect of an election is voter trust in the system. People only go along with democracy/voting as long as they think it represents the will of the people. If you think it's rigged then you'll assume most of the people are against it so you may as well join/lead the majority in a rebellion. If you trust the system then you will assume that most people support it so you'll believe an armed rebellion would fail so you'll work on lobbying the people instead.
You said election
It is not that difficult to create a reliable electronic online voting system.
From the client side, all that is required is an application that runs from a bootable CD. Online voting does not mean voting using the regular Windows setup the user uses for gaming, email and browsing. A bootable CD may contain a totally locked down open source operating system (Linux, for example), and a single application that comes up as long as the system boots, without giving any other option to the user except the voting-related options.
From the server side, all that is required is dedicated servers with locked down operating systems that only run the voting software and receive/send data only on specific ports. The server PCs could also work with bootable CDs, ensuring no interference from other software.
The communication between the client and the server would be encrypted using public key cryptography. The user will have to submit the server's public key to the client application before the voting procedure starts, and then the client application can start an SSL connection, ensuring that the communication with the server is legit. Then the user will submit his vote and get back a unique reference number that corresponds to his vote. This unique reference number can then be used to verify the vote, using the client application on the bootable CD.
you can discuss how to get anonymity, how to prevent double votes, how to identify who sits there voting.
but you cannot detect, if someone stands behind the voter, who paid him to vote for a specific party, checking if he's really voting like this.
Every time there's a news item about Internet voting Estonia is mentioned but no details provided. So I'll try to explain how we vote via SMS and Internet without being complete idiots. Here it goes:
We have paper ballot voting and Internet voting. We don't have electronic voting (ATM like machines).
To vote at a ballot station you must present a valid ID and be registered at that station as voter. If all checks out, your name is crossed off the list and you vote using a double envelope system for anonymity. Election day is always a Sunday afaik.
In Estonia, _every_ citizen has a unique ID number assigned to them. A non-citizen can have one too. The number is not secret. Some find this scary, I think that makes life easier for everybody.
The preferred ID is the national ID card. It's a smart card that contains two x509 certificate key pairs. One is used for authentication, the second for signing. I'll refer to them as PIN1 and PIN2. Access to the private operations is restricted with two PIN codes, the user can change them. Of course you can't extract the private key using only software. So when you sign a hash of a document or whole document (your vote for example) that operation is performed on the smart card.
The ID card is compulsory, though no one has been fined for not having one. IIRC no such fine exists. And if you're paranoid, you can always microwave the circuits. If you don't trust the microwave manufacturer use a drill. Using electronic ID is not compulsory.
The ID card is issued to non citizens too. They can vote in local elections (but not state government or EU parliament) if they are a permanent resident.
I should mention that the PIN2 digital signature is equivalent to a signature on paper, that's written into law. That's the legal basis for voting using certificates.
To vote on the Internet you download the voting application (windows, linux and osx are supported, 64bit too).
You start the application and log in (PIN1). You are presented with options only applicable to you. Choose, confirm and then sign your vote (PIN2).
Yes, if your PC is hacked and the hacker redraws the screen to trick you into voting for another candidate you will be cheated. And there's a chance no one will know.
There's also mobile ID. It's another pair of certificates that is stored on a SIM card of your phone. It uses the SIM Application Toolkit. It's very convenient to use. When logging on somewhere a dialog pops up on my phone where I can enter my PIN1, same for signing. It's pretty much the same as a smartcard only the phone is the pinpad and communications go through SMS. Of course all communications are encrypted. You might remember a news item about Estonia voting via SMS. Not what you thought eh?
However you can vote as many times as you want using your ID card and mID but only the last vote counts. Second, you can always go vote the old fashioned way on election day and the paper ballot overrides your Internet vote. Electronic voting is usually on for 4 or so days half a week before election day. Point being, the double envelope system is used in Internet voting as well (using cryptography of course). Votes are counted at the end of the election day.
The ID card and mID especially are awesome. Mostly they are used for banking and all kinds of different services in the private sector. As every citizen has a unique ID and the certificate provides your real name it's very simple to use for the service provider.
In Estonia I can create a new company on the Internet in 5 minutes, no kidding. Declaring taxes took me about one minute this year, that's including the login process. A few days later 122€ arrived on my bank account (returned income tax from donations and training courses, all were already listed without me doing anything). Most communications with the government can be done via In
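The re-voting and double-envelope rules described in the two Estonia comments above (only the last electronic ballot counts, a paper ballot overrides it, identities are removed before counting), sketched as an added example that is not part of any comment and is not the Estonian system's code. The record fields, function names and ballots are constructed, and `seal`/`unseal` are a standard-library stand-in for the public-key encryption the comments mention.

```python
import hashlib
import secrets
from collections import Counter
from dataclasses import dataclass

# Assumption: a shared demo secret stands in for the election key pair. The
# comments describe encryption to a public key whose private half stays on an
# offline machine; this stand-in is NOT secure and exists so the demo runs.
ELECTION_KEY = b"constructed-demo-key"


def seal(choice: str, key: bytes = ELECTION_KEY) -> bytes:
    """Inner envelope: randomized, so equal choices give different bytes."""
    data = choice.encode().ljust(32, b"\0")
    if len(data) > 32:
        raise ValueError("choice too long for this demo")
    nonce = secrets.token_bytes(16)
    pad = hashlib.sha256(key + nonce).digest()
    return nonce + bytes(a ^ b for a, b in zip(data, pad))


def unseal(sealed: bytes, key: bytes = ELECTION_KEY) -> str:
    """Counting side only: open an inner envelope."""
    nonce, body = sealed[:16], sealed[16:]
    pad = hashlib.sha256(key + nonce).digest()
    return bytes(a ^ b for a, b in zip(body, pad)).rstrip(b"\0").decode()


@dataclass(frozen=True)
class StoredBallot:
    voter_id: str         # outer envelope: identity from the signing certificate
    cast_at: int          # constructed integer clock
    signature_ok: bool    # outcome of verifying the voter's signature
    sealed_choice: bytes  # inner envelope, opaque to the storage server


def prepare_for_counting(stored, paper_voters):
    """Storage side: apply the re-vote rules, then strip identities."""
    latest, rejected = {}, 0
    for ballot in stored:
        if not ballot.signature_ok:
            rejected += 1
            continue
        kept = latest.get(ballot.voter_id)
        if kept is None or ballot.cast_at > kept.cast_at:
            latest[ballot.voter_id] = ballot   # only the last e-vote survives
    superseded = len(stored) - rejected - len(latest)
    cancelled = [v for v in latest if v in paper_voters]
    for voter in cancelled:
        del latest[voter]   # a paper ballot overrides the electronic one
    anonymous = [b.sealed_choice for b in latest.values()]
    secrets.SystemRandom().shuffle(anonymous)   # break arrival-order linkage
    report = {
        "rejected_signature": rejected,
        "superseded_by_revote": superseded,
        "cancelled_by_paper": len(cancelled),
        "forwarded": len(anonymous),
    }
    return anonymous, report


def count(anonymous, key: bytes = ELECTION_KEY) -> Counter:
    """Offline counting side: sees sealed choices only, never voter IDs."""
    return Counter(unseal(sealed, key) for sealed in anonymous)


def demo():
    # Constructed ballots: V1 re-votes, V2 also votes on paper, V4's signature fails.
    stored = [
        StoredBallot("V1", 10, True, seal("Alice")),
        StoredBallot("V2", 12, True, seal("Alice")),
        StoredBallot("V3", 15, True, seal("Bob")),
        StoredBallot("V4", 16, False, seal("Alice")),
        StoredBallot("V5", 18, True, seal("Alice")),
        StoredBallot("V1", 20, True, seal("Bob")),
    ]
    anonymous, report = prepare_for_counting(stored, paper_voters={"V2"})
    return count(anonymous), report


if __name__ == "__main__":
    tally, report = demo()
    print(dict(tally), report)
```

The report counts are what an observer can check without opening any envelope. Nothing in this sketch detects a choice that was altered on the voter's own machine before it was sealed, the case the comment itself raises.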
It is axiomatic, the less people know about information security the more they want to believe in voting.
In a country like Norway for example it would be possible for people to use their government tax website or banking login system to log in and people would trust if the government said "There is absolutely no identifying information between your vote and you. All we track is whether or not you voted at all". Sure there'd be people who didn't trust them, but the vast majority would.
:)
Also Norwegians are generally not shy at all about who they're voting for. It's not like people here are worried that their votes would be held against them. If anything many people are pretty proud and open about who they vote for. So, it wouldn't matter to most people if it were tracked so long as the information wasn't then sent to a telemarketing firm.
In America, it's amazing since over 80% of the people there are more than happy to run around telling everyone who they voted for and yet, they don't want the government to know. Of course, the only two useful government databases in the U.S. are the social security database and the IRS database so any voter tracking can be used to say "Well, those old people or those poor people never vote for me, so screw them, if I need money for a war, I'll just take it from them". Besides, thanks to the well known "covert nature" of many government organizations like DHS, CIA, NSA etc... in the U.S. people wouldn't trust the government with their votes anyway. I've known people to wear latex gloves when voting to make sure their fingerprints couldn't be lifted from different buttons in the voting booth.
I'm glad I left
Internet Voting in Estonia
Also a paper discussing the security of such an approach (includes comparison with SERVE; PDF)
Military personnel should not be permitted to vote in the first place, since they demonstrated sufficiently that they are too stupid, by joining the murdering thugs, led by the Washington Nazis.
A voting system called "Civitas" at least tries to address the named difficulties. It could appear as cautious if government officials did alike.
http://www.cs.cornell.edu/projects/civitas/
I'm astonished and disappointed how many of these comments are along the lines of "no way, because of hackers".
yes, online voting would be exposed to online attempts to subvert, but it's absurd to claim that this is a fatal flaw. what are you guys, technophobes? using RoR as an analogy is just asinine, since RoR is a huge framework intended to ease programming effort. if you want a secure site, you won't start with something that's vastly general, and assume it can be made secure, but rather first minimize your attack surface.
online voting is just one way we need to improve the whole electoral process. having polling stations online is another, since even if a vote is cast in person, using paper, we still need a realtime mechanism to prevent multiple voting under the same ID. paper trails are great. crypto receipts are great. to what degree can we trust votes cast from insecure terminals? depends on the process: for instance, suppose I can register my vote at any time up to the deadline, and can check to make sure my vote is still the same as when I first cast it. or suppose casting an online vote results in a verification by a second mechanism (phone, probably). none of this is hard, though it does need careful forethought and vetting.
transparency requires use of open source. I hope we're past the point where people claim that source code inspectability is a security risk...