156
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
1 |
\documentclass{article}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
2 |
\usepackage{../style}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
3 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
4 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
5 |
\begin{document}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
6 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
7 |
\section*{Handout 2 (E-Voting)}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
8 |
|
185
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
9 |
In security engineering, there are many counter-intuitive phenomena:
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
10 |
for example I am happy (more or less) to use online banking every day,
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
11 |
where if something goes wrong, I can potentially lose a lot of money,
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
12 |
but I am staunchly against using electronic voting (lets call it
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
13 |
e-voting for short). E-voting is an idea that is nowadays often
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
14 |
promoted in order to counter low turnouts in elections\footnote{In my
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
15 |
last local election where I was eligible to vote only 48\% of the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
16 |
population have cast their ballot. I was, I shamefully admit, one of
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
17 |
the non-voters.} and generally sounds like a good idea. Right?
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
18 |
Voting from the comfort of your own home, or on your mobile on the go,
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
19 |
what could possibly go wrong? Even the UK's head of the Electoral
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
20 |
Commission, Jenny Watson, argued in 2014 in a Guardian article that
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
21 |
the UK should have e-voting. Her plausible argument is that 76\% of
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
22 |
pensioners in the UK vote (in a general election?), but only 44\% of
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
23 |
the under-25s. For which constituency politicians might therefore make
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
24 |
more favourable (short-term) decisions is clear. So being not yet
|
156
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
25 |
pensioner, I should be in favour of e-voting, no?
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
26 |
|
185
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
27 |
Well, it turns out there are many things that can go wrong with
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
28 |
e-voting, as I like to argue in this handout. E-voting in a ``secure
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
29 |
way'' seems to be one of the things in computer science that are still
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
30 |
very much unsolved. It is not on the scale of Turing's halting
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
31 |
problem, which is proved that it can never be solved in general, but
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
32 |
more in the category of being unsolvable with current technology. This
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
33 |
is not just my opinion, but also shared by many security researchers
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
34 |
amogst them Alex Halderman, who is the world-expert on this subject
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
35 |
and from whose course on Securing Digital Democracy I have most of my
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
36 |
information and inspiration. It is also a controversial topic in many
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
37 |
countries:
|
156
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
38 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
39 |
\begin{itemize}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
40 |
\item The Netherlands between 1997--2006 had electronic voting
|
185
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
41 |
machines, but ``hacktivists'' had found they can be hacked to change
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
42 |
votes and also emitted radio signals revealing how you voted.
|
156
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
43 |
|
185
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
44 |
\item Germany conducted pilot studies with e-voting, but in 2007 a law
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
45 |
suit has reached the highest court and it rejected e-voting on the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
46 |
grounds of not being understandable by the general public.
|
156
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
47 |
|
185
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
48 |
\item UK used optical scan voting systems in a few trail polls, but to
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
49 |
my knowledge does not use any e-voting in elections.
|
156
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
50 |
|
185
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
51 |
\item The US used mechanical machines since the 1930s, later punch
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
52 |
cards, now DREs and optical scan voting machines.
|
156
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
53 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
54 |
\item Estonia used since 2007 the Internet for national
|
185
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
55 |
elections. There were earlier pilot studies for voting via Internet
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
56 |
in other countries.
|
156
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
57 |
|
185
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
58 |
\item India uses e-voting devices since at least 2003. They used
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
59 |
``keep-it-simple'' machines produced by a government owned company.
|
156
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
60 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
61 |
\item South Africa used software for its tallying in the 1993
|
185
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
62 |
elections (when Nelson Mandela was elected) and found that the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
63 |
tallying software was rigged, but they were able to tally manually.
|
156
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
64 |
\end{itemize}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
65 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
66 |
|
185
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
67 |
The reason that e-voting is such a hard problem is that we have
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
68 |
requirements about the voting process that conflict with each
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
69 |
other. The five main requirements for voting in general are:
|
156
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
70 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
71 |
\begin{itemize}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
72 |
\item {\bf Integrity}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
73 |
\begin{itemize}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
74 |
\item The outcome of the vote matches with the voters'
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
75 |
intend.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
76 |
\item There might be gigantic sums at stake and need to be defended against.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
77 |
\end{itemize}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
78 |
\item {\bf Ballot Secrecy}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
79 |
\begin{itemize}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
80 |
\item Nobody can find out how you voted.
|
185
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
81 |
\item (Stronger) Even if you try, you cannot prove how you
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
82 |
voted. The reason is that you want to avoid vote selling as has
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
83 |
been tried, for example, by a few jokers in the recent
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
84 |
Scottish referendum.
|
156
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
85 |
\end{itemize}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
86 |
\item {\bf Voter Authentication}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
87 |
\begin{itemize}
|
185
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
88 |
\item Only authorised voters can vote up to the permitted number of votes
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
89 |
(in order to avoid the ``vote early, vote often'').
|
156
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
90 |
\end{itemize}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
91 |
\item {\bf Enfranchisement}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
92 |
\begin{itemize}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
93 |
\item Authorised voters should have the opportunity to vote.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
94 |
\end{itemize}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
95 |
\item {\bf Availability}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
96 |
\begin{itemize}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
97 |
\item The voting system should accept all authorised votes and produce results in a timely manner.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
98 |
\end{itemize}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
99 |
\end{itemize}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
100 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
101 |
To tackle the problem of e-voting, we must first have a look
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
102 |
into the history of voting and how paper-based ballots
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
103 |
evolved. We know for sure that elections were held in Athens
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
104 |
as early as 600 BC, but might even date to the time of
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
105 |
Mesopotamia and also in India some kind of ``republics'' might
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
106 |
have existed before the Alexander the Great invaded it.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
107 |
Have a look at Wikipedia about the history of democracy for
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
108 |
more information.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
109 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
110 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
111 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
112 |
\subsubsection*{Questions}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
113 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
114 |
Coming back to the question of why I use online banking, but
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
115 |
prefer not to e-vote.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
116 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
117 |
Why do I use e-polling in lectures?
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
118 |
|
157
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
119 |
Imagine you have a perfectly secure internet voting system, by
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
120 |
which I mean nobody can tamper with or steal votes between
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
121 |
your browser and the central server responsible for vote
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
122 |
tallying. What can still go wrong with such a perfectly secure
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
123 |
voting system, which is prevented in traditional elections
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
124 |
with paper-based ballots?
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
125 |
|
156
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
126 |
\end{document}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
127 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
128 |
%%% Local Variables:
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
129 |
%%% mode: latex
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
130 |
%%% TeX-master: t
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
131 |
%%% End:
|