Estonia Urged To Drop Internet Voting Over Security Fears
wiredmikey (1824622) writes "A team of global IT experts have urged Estonia to drop electronic voting from this month's European elections, saying they had identified major security risks. They also said the system's operational security is lax, transparency measures are insufficient, and the software design is vulnerable to cyber attacks. 'Estonia's Internet voting system blindly trusts the election servers and the voters' computers,' said U.S. computer scientist J. Alex Halderman, a co-author of the report released Tuesday. 'Either of these would be an attractive target for state-level attackers, such as Russia.'"
The source for the voting system is available for anyone to inspect. The Estonian National Electoral Committee released a statement dismissing the researchers' claims: "At this point, we can give only preliminary answers to allegations published in the Guardian, as the researchers have not shared the full results of their work with us. The researchers met with officials from the electoral committee in October 2013, and could have contacted us at any point in the last 6 months to share the initial findings of their research. ... The researchers have not discovered any new attack vectors that had not already been accounted for in the design of our system as a whole. ... It is not feasible to effectively conduct the described attacks to alter the results of the voting. ... The electoral committee has numerous safeguards and failsafe mechanisms to detect attacks against the elections or manipulated results."
"Numerous safeguards and failsafe mechanisms to detect attacks"
In practice, doesn't that end up being an ass-covering official equivalent to "We're pretty sure that Norton hasn't expired and we probably ran Windows Update pretty recently unless the junior admin was out that day" fairly frequently?
We need more internet voting, less centralization and federal governments.
Hate on e-voting all you want, point out all the ways a malicious person could mess with it, but don't tell me that e-voting is not going to happen. Being able to instantly poll your entire population without having to go through the trouble of setting up polling stations nationwide and get people to those places will transform democracy.
I might be modded down for my opinion on a technology loving website, but sometimes the newest and the most recent is not the best.
Computers are a young invention. I think we need to learn a lot about them, until we should use them to choose our leaders. A vote is not something like writing a slashdot post, or writing an email. It determines who will run a country for the next four (or five or whatever) years. When someone breaks into your online banking account, you will most likely notice it, and you perhaps have a chance to get your vote back. When someone breaks into a voting machine, no one will notice it ever, and you never will have any verification your vote has been counted. Yes, I know, there are systems which allow this also for online voting. But they all have their issues.
The issue is that you only get real security when the people in charge of the security are both well funded and the organization as a whole takes security very seriously.
To my knowledge, the only organizations that really tend to have good security are banks and government intelligence. And in both of these we've seen major security breaches.
I think the attraction of corrupting the voting system simply outweighs the internal pressure to secure the system such that if implemented, a digital voting system would be inherently compromised.
I struggle to think of a solution to this problem that wouldn't be undone by a mixture of inside man corruption, laziness, and external manipulation by powers that want to control the process be they state level or not.
I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
...we know that Russia won't be able to stuff 100,000 paper ballots marked "yes" for a plebiscite into ballot boxes if they keep the current system...
Plus they might be able to make the vote look in favor of remaining away from Russia by simply manipulating the totals after Russia has manipulated them first...
Do not look into laser with remaining eye.
> Source code is publicly available
I'm going to suggest something: a publicly-accessible read-only port to the ROM where you can put in a USB and pull the entire ROM off automatically. Then people can confirm it matches the official binary, which people can confirm by compiling the source code themselves.
It must be hardware-level and not under control of the processor or ROM so spoofing would require infiltration of the voting machine hardware.
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
The next president of Estonia will surely be Cowboy Neal.
Quite simply it comes down to independent auditing. With my bank account, my email or even my Facebook; I can tell if I have been hacked or if these companies are playing fast and loose. I will look at my bank account and bloop I am $30,000 short. Where did it go? I will then begin an investigation and bring my previous bank statements as backup if needed. Worst case scenario the bank won't cooperate and I will take it to the courts where again my evidence will be brought to bear. Lastly I can switch banks. Quite simply it is because I have feedback as to what is happening.
The same with facebook. If suddenly my posts are all encouraging people to help out a Nigerian prince then I've been hacked. I will then be able to take some action.
The reason I mention the above technologies is that I think that we can all assume that our banks, facebook, and our email companies all are very good and work very hard at avoiding being hacked; yet they have all been hacked. Look at Target, they (to use the correct term) were PWNED.
But when I vote online it is fire and forget. I don't know what happened to my vote. There is no physical record for me to point to. I can't check up on my vote after the fact. At least with a paper ballot system I take my physical ballot and I give it to some vaguely trustworthy government person who is closely watched by as many representatives of the various parties as there are parties. Each watching with the interests of their official in mind. So if they see something they don't like then they can call police/election officials/newspapers etc. I like this system. It is not impossible to thwart but close enough.
In my city, Halifax, they added online to the municipal elections and I am truly scared. This should be illegal in 20 different ways. They justify it saying that it cuts costs and increases participation. Basically it didn't cut costs as they had to screw with the system so much, send out so many instructions, and answer so many questions. Plus in the end it basically didn't increase participation. I carefully looked at the votes and luckily none of the online voting was significant enough to have altered an outcome.
But let's say that someone had screwed with the results (as a programmer you can't tell me that it isn't going to be that hard) the only people who are going to cheat are going to be bad people. People who, once they are in, will ensure that only they can continue to cheat. So to me every online voting system is basically waiting for the first set of evil and smart people to come along. That is it. But once it happens, by the altered rules of the voting system, how do I fight the vote? How can it be contested? How can there be a recount?
Now I understand that some voting systems are complicated with many propositions, levels of government, etc being voted on in a single booth. So I have a very simple solution. You press your buttons which then produces a ballot on the screen, you then look at the ballot on the screen and see if you like it. Then you press print. It then produces a ballot that matches the one on the screen and you can compare. Then you say OK and then bring your ballot to the ballot box per normal. Then the computer tallies up the votes and announces a tentative winner. Then the humans can count the votes to see if the computer agrees with the paper ballots. But the key is that the paper ballots have the final say. The computer is only there to help. Then if there is a wild difference between the paper and the computer more interesting auditing mechanisms can come into play.
As a computer programmer I am 100% certain that any online election can easily be rigged. But I am by far not alone. 100% of the time that independent security researchers have gotten their hands on electronic voting systems they have hacked them and usually with ease. So the solution is that these companies don't allow independent auditors but ones of their own choosing and ones that they pay well.
This is a serious problem. Basically online voting is pretty much demanding that some evil person runs our government.
Using computers to register, count, transfer, and archive vote tallies is impossible to do without an almost certain effort to alter the vote totals by parties interior to the project (people creating and maintaining the systems and the show runners) and outside the project ("hackers"). Of the two, the insiders are far more likely.
This is not a failure of tech or of implementation. This is a human thing: those disposed to alter election tallies have infinite motivation to find a way to do it. They can either slip in during the coding phase or the implementation phase, or even during the elections. Like rats, they will find a way.
The difference between paper and electronic is basic: paper leaves a physical trail. E-voting can be rigged to leave NO trace. IS rigged to leave no trace. No audit is possible: all audits are predicated that the datasets and code are correct to begin with. If someone slips in backdoors, they can alter vote totals in real time and therefore all recounts will be "accurate". Paper receipts are useless, because what is printed is not necessarily what actually happened. Paper printouts that are reviewed by the voter on site for accuracy and then stored in boxes by the voting agents *can* be a valuable check, for the paper should match the e-count. But why then the extra step of the computer? Just use paper to begin with. Canada does it (I hope still does) and they count elections by hand in three hours, no matter what the size, local or national, because human counting easily scales.
Source code is worthless as a trace. One never knows what the machine is actually doing from microsecond to microsecond; the code executed need not match what you see on the source. This makes coders heads explode, but it is true. The machine can be programmed to lie. I know this, because I have done it, on orders from my bosses, in the past, to make a bit more money for my company. Cheating is easy and it is undetectable if you are even marginally clever about it. The count can also be altered far from the source tabulating machine and local system, at other levels. Such malignancy will not be accounted for by the counting company; their rep is on the line, they don't believe it is possible and further they don't want to know.
Use e-voting and you will see the powerful grab control, one way or another. Use paper.
It doesn't help that voting is an inherently trickier problem: a lot of the easy and obvious ways of detecting tampering go out the window if you aren't supposed to be watching the behavior of the users in detail. You are also monitoring something that happens infrequently, for relatively high stakes, rather than something (like credit card transactions) that happens all the time, usually for relatively low stakes, which makes statistical detection of anomalies less useful. Cloning a mag-stripe card, or just getting the number, is trivial; but the bank can watch its behavior, freeze it if that behavior changes, and as long as they get it right fast enough and often enough, the cost of the fraud is probably lower than the cost of doing something more architecturally sensible.
I suspect that people would be...less pleased... if they received a call from the government "Your apparent voting patterns have shifted unusually recently, your ballot has been deactivated for security reasons until we complete the verification process...", and since elections are relatively rare, the freeze would almost never be fast enough.
Electronic voting can only be secure if everyone knows how everybody else voted. Otherwise there is no way to know if the outcome has been modified at some point in the process.
The truth is that all men having power ought to be mistrusted. James Madison
Even though it's not on the ballot, Estonia overwhelmingly voted to join Russia.
Well... I think something that might help is if they had a two-part secret key system, wherein the identity of any individual vote could only be unlocked by the person that cast it.
Then make it possible for voters to query how their vote was calculated. So if I personally voted for X then I checked the system and it says that my vote was counted as Y then we know there was tampering or at the very least a mistake.
This would make vote altering harder because they wouldn't be able to change the vote tally to match the correct encrypted vote.
Very important to this concept is that only the voter can decrypt their encrypted vote.
The vote is cast anonymously after some sort of ID verification to make sure you should even vote in the first place. The anti voter ID stuff appears to be nonsense so far as I can tell... possibly an attempt to protect voter fraud schemes. In any case, you need voter ID to have a secure voting system.
So your ID lets you vote, you vote, you are then prompted for a password to encrypt your vote. The actual encryption scheme should be pretty aggressive. The password should be something that can be unique to that specific vote. Write it down on a piece of paper or something. Then after the votes have been officially declared, you can go back into the system, enter the signature of your vote serial number. Not your personal ID but the ID of that vote which should be anonymous. View what the system labeled it. Then download the file... decrypt it with your password and see if the public record matches the encrypted record.
Obviously this is just out of my ass here. So it could easily be refined by someone with more experience or more thought on the matter.
But a two part system would seem to be less prone to error.
If a significant number of ballots don't match the encrypted version then you might need to invalidate an entire election and start over.
Possible problems with the system are if the system that actually casts the vote is itself compromised. In that way the encrypted vote would be compromised as well. However, the person that cast the vote would still know which way they did vote so they should be able to at least know personally if their vote was tampered with indifferent to whether anyone else believes them.
Another place you could have a security breach is between the system that holds all the individual votes and the system that measures the final tally. If that system were compromised every decrypted vote could say X while the final tally could say anything. This system could be made more secure by making it redundant. Several totally different systems could add up the votes simultaneously and then have the results compared. They should match exactly every single time. If they don't then you know you have a problem... most likely a software bug but this is something where paranoia is warranted.
I think everyone else is just jealous because they have low voter turnout while Estonia's going to get 3000% in their next election.
The only downside is the overwhelming election of Moot to Prime Minister.
-- "Government is the great fiction through which everybody endeavors to live at the expense of everybody else."
No worries, Estonia. NSA will make sure Russia will not hack into your internet voting system.
I'm Italian so let me explain how the mafia thing works for real here with elections.
The mafia need only one plain ballot sheet.
1) They mark the "right" party and give the sheet to you.
2) You go to vote, use the sheet given by the mafia and exit with the plain clean sheet given to you.
3) When you hand back the clean sheet to the mafia, they give you 10€, a thanks (and they know you are a "good guy", so nobody hurts you)
4) Back to point 1
So the mafia is smart enough to handle every kind of vote. There is nothing holding them back if they want something.
I expect biometric authentication to help on this point but I think they will find a workaround for this one too.
Way to go, Dice. Placing popup ad containers at the bottom of the frame (which sometimes appear empty - but how will I know what useless thing to buy now?!) is evidently of a much higher priority.
Firstly, people here should understand that e-voting as in voting machines and internet voting are completely different and not really comparable.
One of the opposition parties of Estonia is strongly against internet voting, mainly because their voters are not using it a lot and they are able to mobilize their voters well to go voting on paper as opposed to most other parties. For various reasons they are in power at the capital city and the trip of the researchers to go and observe the current voting process was paid by the city, so already for that they can't claim that they are totally independent. And, of course, the fact that the whole thing came to light a few days before the elections of the European Parliament was just a coincidence. This far they have yet to actually publish the report, which, from what we know this far, doesn't have any new attack vectors, only the ones that were already considered more-or-less from the very beginning.
Estonia has a smartcard-based ID card that can be used for authentication and digital signatures (two different keys). The latter is legally as good as your handwritten one which means you can build all sorts of services on top of that, elections are just one of them. The vote is encrypted with the public key of the current election, signed with the ID card and sent to a central server. Later, the double votes are removed according to the list of people who voted on the election day (so if you were forced to vote for someone and your ID card taken away, you can just grab your passport and go vote again using the paper-based method), votes are separated from the signed container, moved to a physically different machine, decrypted and counted. Anyone can go and see how all the process is done, it is fully auditable and all the video recordings of the whole process are later uploaded to Youtube. It is by no means the case that only certain people are chosen to do the audit to get favourable results.
Additionally, you can also check that the vote made it into the system and was for the correct candidate with your smartphone without compromising secrecy, so even if your computer was infected with malware, you can still make sure everything goes correctly.
See the website of the elections committee for more.
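The processing pipeline described in the comment above, modelled in runnable form as an added example (this is not the electoral committee's code). It assumes HMAC as a stand-in for the ID-card signature and a hash-derived keystream as a stand-in for encryption under the election's public key; the real system uses asymmetric cryptography, but the order of operations (verify, remove double votes, strip the signed wrapper, decrypt on a separate machine) is what the example shows.

```python
"""Model of the i-voting pipeline: signed container -> double-vote removal ->
anonymised ciphertexts -> separate counting machine. Added example; all keys,
voters and votes below are constructed."""
import hashlib
import hmac

ELECTION_KEY = b"constructed-election-key"  # stand-in for the election key pair
# Constructed voter credentials: voter id -> ID-card signing key (stand-in).
VOTER_KEYS = {"V1": b"k1", "V2": b"k2", "V3": b"k3", "V4": b"k4"}


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def encrypt_vote(candidate: str, nonce: bytes) -> bytes:
    # Stand-in for encryption under the election's public key.
    pt = candidate.encode()
    return nonce + bytes(a ^ b for a, b in zip(pt, _keystream(ELECTION_KEY, nonce, len(pt))))


def decrypt_vote(ct: bytes) -> str:
    nonce, body = ct[:16], ct[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(ELECTION_KEY, nonce, len(body)))).decode()


def cast(voter: str, candidate: str, seq: int) -> dict:
    """Voter side: encrypt with the election key, then sign the ciphertext
    with the ID card (here an HMAC with the voter's stand-in key)."""
    nonce = hashlib.sha256(f"{voter}:{seq}".encode()).digest()[:16]  # constructed nonce
    ct = encrypt_vote(candidate, nonce)
    sig = hmac.new(VOTER_KEYS[voter], ct, hashlib.sha256).hexdigest()
    return {"voter": voter, "seq": seq, "ct": ct.hex(), "sig": sig}


def collect(containers: list, paper_voters: set) -> list:
    """Collection server: drop containers with bad signatures, keep only the
    latest online vote per voter, then drop everyone who also voted on paper
    (the paper vote overrides the online one, as the comment describes)."""
    latest = {}
    for c in containers:
        key = VOTER_KEYS.get(c["voter"])
        if key is None:
            continue
        expected = hmac.new(key, bytes.fromhex(c["ct"]), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, c["sig"]):
            continue  # forged or corrupted container
        if c["voter"] not in latest or c["seq"] > latest[c["voter"]]["seq"]:
            latest[c["voter"]] = c
    return [c for v, c in latest.items() if v not in paper_voters]


def anonymise(containers: list) -> list:
    """Strip the signed wrapper; only ciphertexts go to the counting machine,
    sorted so their order carries no information about who cast which vote."""
    return sorted(bytes.fromhex(c["ct"]) for c in containers)


def count(cts: list) -> dict:
    """Counting machine (physically separate): decrypt and tally. It never
    sees voter identities because the signatures were removed before transfer."""
    tally = {}
    for ct in cts:
        cand = decrypt_vote(ct)
        tally[cand] = tally.get(cand, 0) + 1
    return tally


def run_election():
    # Constructed scenario: V1 re-votes online (latest wins), V2 also votes on
    # paper (paper wins), V4's container carries a bogus signature (rejected).
    containers = [cast("V1", "A", 1), cast("V2", "A", 1), cast("V1", "B", 2), cast("V3", "B", 1)]
    forged = cast("V4", "A", 1)
    forged["sig"] = "00" * 32
    containers.append(forged)
    accepted = collect(containers, paper_voters={"V2"})
    return count(anonymise(accepted)), [c["voter"] for c in accepted]


if __name__ == "__main__":
    print(run_election())  # -> ({'B': 2}, ['V1', 'V3'])
```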
Oh, there are definitely some very interesting voting system designs (mostly cryptographic flavors) out there, though I'm definitely not expert enough to say much of use about them. My point was merely that lots of the really obvious verification systems (the ones that don't need crypto-fu) tend to assume that total or near-total knowledge of the system by trusted insiders is OK, and that there are (mostly) trusted insiders, worst case not-entirely-trusted-but-know-they-are-being-watched-and-we-know-where-they-live insiders.
With voting, total knowledge is almost always explicitly forbidden (even making it possible for 3rd parties to verify what an individual did in the polling booth is generally considered an issue) and insiders are barely trusted to transport sealed ballot boxes, much less refrain from drawing up death-lists based on who voted how. Doesn't make the problem impossible; but does eliminate most of the obvious direct borrows from banking and the like.
Maybe people don't want Estonia to use e-voting because they can't control it as well and are possibly scared of the long-term effects of e-voting. Estonia has been e-voting since 2005; why is this becoming an issue 9 years after they began?
No one can know what you did in the voting booth without the voter's encryption key. Under the system I laid out, the vote could be counted without the voter's encryption key. However, the votes could not be verified without that key.
The point of the encryption is to create an independent and untouchable tally of the vote.
It would be very impractical to audit the list since it would require every voter personally decrypt their vote and cross check it. But it would be secure. No one besides the person that cast the vote would be able to tamper with the vote without it being detected.
is this your take on being funny?
...how do you expect to get a much more complex system correct? Mind you, I'm aware that the problem is not necessarily the system itself, but the transparency of the system. People probably won't like to hear it but I'd suggest that the only way to eliminate fraud is to have votes linked to your ID so that every vote can be verified as A) not having voted multiple times, B) not voting if you don't exist in at least two separate systems e.g. social security and driver's license, and C) not voting outside of your registered district's area unless it's a national ballot initiative. Further, no more provisional ballots: if you cannot be bothered to register well enough ahead of an election to participate via the normal means, you do not get to vote.
what you say is not really true.
Imagine the voting officials generating a 32-character hex number (using a noise diode and an A/D converter; essentially an OTP) for each voter and each decision option.
You go to your local town hall and grab one random, unmarked envelope from a Reverse Ballot Box.
The fact you got your envelope is recorded on a paper record.
Envelope contains 100 of said hex numbers.
In the next election, there are 4 options to choose from, so 4 numbers will be consumed.
You will vote using a TOR-like Onion router for your anonymity.
Your vote will be recorded along with potential bogus votes on massive hard drives.
After voting ends, hard drives will be scanned offline against the possible hex numbers by officials. Valid votes will be published on the internet for each voting district.
You can now check whether your vote has been properly tallied. You can also check whether your vote has been abused in case you did not vote.
This protocol seems to be quite bullet-proof against cheating by state-level actors like NSA-GCHQ or GRU. And it is simple enough for everybody to understand and trust.
Dipl.-Ing.(BA) Frank Gerlach
Gäufelden
Germany
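The one-time-token protocol sketched in the post above, in runnable form as an added example (not the poster's own code). It assumes `secrets.token_hex` in place of the noise-diode generator, a constructed ballot of four options, and that election k consumes positions 4k..4k+3 of every envelope, one token per option. The `check` function is the voter's post-election check the post describes; it is also the receipt that later replies in this thread object to, since anyone holding the envelope can run it.

```python
"""One-time-token voting: officials issue envelopes of random tokens, a voter
submits the token at the position of their chosen option, officials scan the
drives offline against the issued tokens and publish the valid ones. Added
example; all envelopes and submissions below are constructed."""
import secrets

OPTIONS = ["A", "B", "C", "D"]  # constructed: four options, as in the post
N = len(OPTIONS)


def issue_envelopes(n_voters: int, per_envelope: int = 100) -> list:
    """Officials: each envelope holds 100 random 32-hex tokens. The pickup is
    logged on paper elsewhere; the envelope itself is never tied to a name."""
    return [[secrets.token_hex(16) for _ in range(per_envelope)] for _ in range(n_voters)]


def token_table(envelopes: list, election_no: int) -> dict:
    """Officials' offline lookup for one election: token -> option."""
    base = N * election_no
    return {env[base + i]: opt for env in envelopes for i, opt in enumerate(OPTIONS)}


def vote(envelope: list, election_no: int, option: str) -> str:
    """Voter: the token at the chosen option's position is the ballot."""
    return envelope[N * election_no + OPTIONS.index(option)]


def scan(submitted: list, table: dict) -> list:
    """Offline scan of the drives: keep each issued token once, drop bogus
    submissions and replayed duplicates."""
    seen, valid = set(), []
    for tok in submitted:
        if tok in table and tok not in seen:
            seen.add(tok)
            valid.append((tok, table[tok]))
    return valid


def tally(valid: list) -> dict:
    counts = {o: 0 for o in OPTIONS}
    for _, option in valid:
        counts[option] += 1
    return counts


def check(envelope: list, election_no: int, published: list) -> list:
    """Holder of an envelope checks the published list: a voter expects exactly
    their own choice, a non-voter expects nothing (otherwise a token leaked)."""
    base = N * election_no
    mine = {envelope[base + i]: o for i, o in enumerate(OPTIONS)}
    return [opt for tok, opt in published if tok in mine]


def run_scenario():
    envelopes = issue_envelopes(3)
    table = token_table(envelopes, election_no=0)
    submitted = [
        vote(envelopes[0], 0, "B"),
        secrets.token_hex(16),        # bogus: random token never issued
        vote(envelopes[1], 0, "B"),
        vote(envelopes[1], 0, "B"),   # replayed duplicate
        "deadbeef" * 4,               # bogus: attacker-chosen value
    ]
    published = scan(submitted, table)  # what officials put on the web
    return (tally(published),
            check(envelopes[0], 0, published),   # voted B
            check(envelopes[2], 0, published))   # did not vote


if __name__ == "__main__":
    print(run_scenario())  # -> ({'A': 0, 'B': 2, 'C': 0, 'D': 0}, ['B'], [])
```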
And nobody but a small handful of people will be able to understand your voting system, or even be able to distinguish it from a fraudulent or broken one.
Call it what you want, but when you vote in a way that less than 1% even understand if or how it works you don't have a democracy.
If you're really lucky it's a benevolent dictatorship by those 1%.
In a small country with 1.3 million inhabitants, a couple tens of thousands of votes can be decisive.
Or: how small is the margin in a polemic vote? In Mexico, we have had presidential candidates winning with a (much disputed) 0.55% difference to the second place. How many votes do you need to rig such an election?
It might still happen, but many among us will still fight for the population to understand the unavoidable security risks in doing so. We have the duty to do so.
If you can prove your vote was correctly recorded, then you might be more easily persuaded to sell it — be it that you receive a pay for it, or you receive the service of not getting your bones broken.
A vote once cast is just a piece of paper among many. Nothing should tie it to a voter's identity. A voter should be unable to prove he voted a particular way.
Your scheme is very similar to what we use in Debian for voting for the project leader (unlike the fully-open tally sheets for voting on issues, not people). However, this scheme is good only where people trust each other, for occasions where you know there will be no vote buying/coercion. Not for a national elected government.
There is really nothing to see here. The report was commissioned by the Estonian Centre Party (ostensibly by the City Council of Tallinn, but they are the same thing) and was strategically scheduled to be published a few days before the European Parliament elections. (The Centre Party has been denouncing e-voting for a long time, mostly because they don't do well at those because of the demographics of their core electorate, and of course their own constant campaigning against it.) The team was handpicked from among well-known e-voting contrarians, so the result was a foregone conclusion. I was only surprised how much demagoguery and outright lies went into it, but then, knowing the Centre Party, I should not have been. Cherry-picking the data, wilfully drawing the wrong conclusions, purposefully deceiving the reader, deliberately ignoring information that disproves what they're out to achieve etc etc. Let's just say that the fact that letting the observers know the SSID and the password of the guests' wireless network segment does not constitute a security breach that would merit annulling all the election results. There were other laughable "discoveries" as well, such as "we took the copy of the system home and logged on as root, we were able to change some stuff in it". Well, duh. If you're on the clock, you must draw the conclusions that the master demands, and even better if you are predetermined to do that anyway because of your convictions (which indeed were the reason you were hired anyway).
http://www.vvk.ee/valimiste-korraldamine/vvk-uudised/vabariigi-valimiskomisjoni-vastulause-the-guardianis-ilmunud-artiklile/
Say this system is approved. Say you want to buy my vote. You demand proof that I voted the way you wanted me to — If the e-voting platform allows me to confirm my vote was properly counted. So, all you have to do is to promise me to hand over the money if I prove you I did what we agreed. (or you can threaten me with physical violence unless I can prove it to you, same reasoning).
A secure voting system should never allow me to prove what was my vote — But that would make me very suspicious, as it could be recording false votes from the beginning, right? Right. The only solution is to have voters deposit papers with their stated vote (and no personal identifying marks!) in a booth, and allow for recounts if needed.
Meanwhile in Estonia... Estonians don't give a fuck about "e-voting sucks!" experts.
I don't see the problem with my scheme in regards to trust. Only I can identify which vote is mine. The votes are anonymous. The ID on each vote would at most say where the vote was cast not who cast it. I would know which vote was mine because I would record the ID number of MY ballot at the time of casting the vote. That ballot ID would not be associated with my identity in any way. Further, that ballot's encrypted ballot would only be accessible to me and only if I decrypted it with my password. The point of which would only be to compare the official recording of the ballot with an encrypted file created at the same time which should mirror that ballot.
If A does not match B then you know there is a problem. That is the point.
Auditing all the ballots would require literally everyone that voted to individually decrypt every single ballot personally. Obviously not possible for more than a small sample set. Which the voting public under my scheme would be encouraged to do on their own.
Anyone that found a mismatch would then be encouraged to contact the authorities to begin an investigation.
The above would make some types of vote tampering more complicated. The issue I'm most worried about though is ballot box stuffing. Where some individual or group fills out hundreds or thousands of illegitimate ballots and submits them for counting.
To address this, you need voter ID and you need to have good records of who voted in each election. They compare the list of registered voters to the census bureau/IRS to make sure they actually exist as real people. And then you compare the total number of votes counted with the total number of people that were recorded as voting.
All three records should match.
All people that vote should be real people.
And the number of people that voted should equal the number of votes recorded.
I suspect that if you applied this standard to many elections the numbers would not match. I think many people that are said to vote are not actually real people. Some of them are dead. Some of them are entirely fictitious. Mickey Mouse has been known to vote occasionally. And of course sometimes there are a lot more ballots cast than the number of people that actually voted. The most striking example of this is when the number of people voting exceeds the number of people registered to vote. Which is impossible unless non-registered voters are voting... a non-registered voter voting is sort of like a non-registered driver driving. Yes, you have a right to vote while driving is a privilege... but only citizens with no felonies on their record are allowed this right... and they have to be alive and not cartoon characters.
Less than 1 percent of our population has ever really understood the system. What percentage of internet users actually understand the internet?
Probably less than 1 percent.
Your argument that they need to understand it for it to be practical is absurd. People interact with and use things all the time without fully understanding their inner workings.
What is most important is that those inner workings are self consistent with stated goals, transparent, efficient, and sustainable.
The existing system runs contrary in many aspects to the stated goal. It is generally closed off from public scrutiny in that we appoint people to audit it but the actual auditing process is rarely exposed to the public. And our current voting system is so inefficient that it costs tens of millions to billions of dollars every election cycle which makes it impractical for us to have elections with much frequency.
A secure digital system would also be much more efficient which would give voters more opportunities to vote which would also likely make the government more responsive to public opinion.
We could have minor elections all the time. Major city council decisions could be put to a full city vote on a weekly basis. Log in... cast your vote... log out... wait for the election results... query what your vote was recorded as... they should match... the number of people that are real versus those that are registered should match. The number of people that voted should equal the number of ballots recorded.
The problem with voter-verifiable systems is that they are very prone to vote coercion or buying. If you can prove your "right way" vote was correctly counted, you can get the cheque. Or avoid the punishment for exercising your free will.
From the summary the points seem to be in the territory of just conjectures. This is confirmed by this disclaimer in the Downloads page: DOWNLOADS We will be providing partial code for our proof-of-concept attacks after the conclusion of the May 2014 European Parliamentary elections.
You're not living in a democratic society, if you cannot vote with https://en.m.wikipedia.org/wik...
In democracy it's your vote that counts; In "feudalism" it's your count that votes. -Jallberg
Casteism