sen-material: handouts/ho02.tex@f675aa15b6d0 (annotated)

156 3b831b9dc616 added some initial handouts Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	1	\documentclass{article}
3b831b9dc616 added some initial handouts Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	2	\usepackage{../style}
3b831b9dc616 added some initial handouts Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	3
3b831b9dc616 added some initial handouts Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	4
3b831b9dc616 added some initial handouts Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	5	\begin{document}
3b831b9dc616 added some initial handouts Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	6
3b831b9dc616 added some initial handouts Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	7	\section*{Handout 2 (E-Voting)}
3b831b9dc616 added some initial handouts Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	8
190 4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	9	In security engineering, there are many counter-intuitive
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	10	phenomena: for example I am happy (more or less) to use online
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	11	banking every day, where if something goes wrong, I can
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	12	potentially lose a lot of money, but I am staunchly against
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	13	using electronic voting (lets call it e-voting for short).
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	14	E-voting is an idea that is nowadays often promoted in order
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	15	to counter low turnouts in elections\footnote{In my last local
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	16	election where I was eligible to vote only 48\% of the
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	17	population have cast their ballot. I was, I shamefully admit,
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	18	one of the non-voters.} and generally sounds like a good idea.
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	19	Right? Voting from the comfort of your own home, or on your
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	20	mobile on the go, what could possibly go wrong? Even the UK's
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	21	head of the Electoral Commission, Jenny Watson, argued in 2014
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	22	in a Guardian article that the UK should have e-voting. Her
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	23	plausible argument is that 76\% of pensioners in the UK vote
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	24	(in a general election?), but only 44\% of the under-25s. For
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	25	which constituency politicians might therefore make more
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	26	favourable (short-term) decisions is clear. So being not yet
156 3b831b9dc616 added some initial handouts Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	27	pensioner, I should be in favour of e-voting, no?
3b831b9dc616 added some initial handouts Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	28
190 4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	29	Well, it turns out there are many things that can go wrong
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	30	with e-voting, as I like to argue in this handout. E-voting in
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	31	a ``secure way'' seems to be one of the things in computer
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	32	science that are still very much unsolved. It is not on the
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	33	scale of Turing's halting problem, which is proved that it can
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	34	never be solved in general, but more in the category of being
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	35	unsolvable with current technology. This is not just my
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	36	opinion, but also shared by many security researchers amogst
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	37	them Alex Halderman, who is the world-expert on this subject
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	38	and from whose course on Securing Digital Democracy I have
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	39	most of my information and inspiration. It is also a
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	40	controversial topic in many countries:
156 3b831b9dc616 added some initial handouts Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	41
3b831b9dc616 added some initial handouts Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	42	\begin{itemize}
3b831b9dc616 added some initial handouts Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	43	\item The Netherlands between 1997--2006 had electronic voting
190 4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	44	machines, but ``hacktivists'' had found they can be
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	45	hacked to change votes and also emitted radio signals
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	46	revealing how you voted.
156 3b831b9dc616 added some initial handouts Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	47
190 4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	48	\item Germany conducted pilot studies with e-voting, but in
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	49	2007 a law suit has reached the highest court and it
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	50	rejected e-voting on the grounds of not being
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	51	understandable by the general public.
156 3b831b9dc616 added some initial handouts Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	52
190 4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	53	\item UK used optical scan voting systems in a few trail
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	54	polls, but to my knowledge does not use any e-voting in
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	55	elections.
156 3b831b9dc616 added some initial handouts Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	56
190 4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	57	\item The US used mechanical machines since the 1930s, later
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	58	punch cards, now DREs and optical scan voting machines.
156 3b831b9dc616 added some initial handouts Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	59
3b831b9dc616 added some initial handouts Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	60	\item Estonia used since 2007 the Internet for national
190 4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	61	elections. There were earlier pilot studies for voting
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	62	via Internet in other countries.
156 3b831b9dc616 added some initial handouts Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	63
190 4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	64	\item India uses e-voting devices since at least 2003. They
191 f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	65	use ``keep-it-simple'' machines produced by a
190 4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	66	government owned company.
156 3b831b9dc616 added some initial handouts Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	67
3b831b9dc616 added some initial handouts Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	68	\item South Africa used software for its tallying in the 1993
190 4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	69	elections (when Nelson Mandela was elected) and found
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	70	that the tallying software was rigged, but they were
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	71	able to tally manually.
156 3b831b9dc616 added some initial handouts Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	72	\end{itemize}
3b831b9dc616 added some initial handouts Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	73
3b831b9dc616 added some initial handouts Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	74
190 4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	75	The reason that e-voting is such a hard problem is that we
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	76	have requirements about the voting process that conflict with
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	77	each other. The five main requirements for voting in general
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	78	are:
156 3b831b9dc616 added some initial handouts Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	79
3b831b9dc616 added some initial handouts Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	80	\begin{itemize}
3b831b9dc616 added some initial handouts Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	81	\item {\bf Integrity}
3b831b9dc616 added some initial handouts Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	82	\begin{itemize}
190 4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	83	\item By this we mean that the outcome of the vote matches
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	84	with the voters' intend. Note that it does not say
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	85	that every vote should be counted as cast. This might
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	86	be surprising, but even counting paper ballots will
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	87	always have an error rate: people after several hours
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	88	looking at ballots will inevitably miscount votes. But
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	89	what should be ensured is that the error rate does not
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	90	change the outcome of the election. Of course if
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	91	elections continue to be on knives edges we need to
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	92	ensure that we have a rather small error rate.
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	93
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	94	\item There might be gigantic sums at stake and need to be
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	95	defended against. The problem with this is that if
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	96	the incentives are great and enough resources are
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	97	available, then maybe it is feasible to mount a DoS
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	98	attack agains voting server and by bringing the
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	99	system to its knees, change the outcome of an
191 f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	100	election. Not to mention to hack the complete
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	101	system with malware and change votes undetectably.
156 3b831b9dc616 added some initial handouts Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	102	\end{itemize}
190 4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	103
156 3b831b9dc616 added some initial handouts Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	104	\item {\bf Ballot Secrecy}
3b831b9dc616 added some initial handouts Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	105	\begin{itemize}
190 4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	106	\item Nobody can find out how you voted. This is to avoid
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	107	that voters can be coerced to vote in a certain way
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	108	(for example by relatives, employers etc).
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	109
191 f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	110	\item (Stronger) Even if you try, you cannot prove how
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	111	you voted. The reason for this is that you want to
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	112	avoid vote coercion, but also vote selling. That
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	113	this can be a problem is proved by the fact that
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	114	some jokers in the recent Scottish referendum tried
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	115	to make money out of their vote. \end{itemize}
190 4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	116
156 3b831b9dc616 added some initial handouts Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	117	\item {\bf Voter Authentication}
3b831b9dc616 added some initial handouts Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	118	\begin{itemize}
190 4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	119	\item Only authorised voters can vote up to the permitted
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	120	number of votes (in order to avoid the ``vote early,
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	121	vote often'').
156 3b831b9dc616 added some initial handouts Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	122	\end{itemize}
190 4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	123
156 3b831b9dc616 added some initial handouts Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	124	\item {\bf Enfranchisement}
3b831b9dc616 added some initial handouts Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	125	\begin{itemize}
3b831b9dc616 added some initial handouts Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	126	\item Authorised voters should have the opportunity to vote.
190 4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	127	This can, for example, be a problem if you make the
191 f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	128	authorisation dependent on an ID card, say a driving
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	129	license. Then everybody who does not have a license
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	130	cannot vote. While this sounds an innocent
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	131	requirement, in fact some parts of the population for
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	132	one reason or another just do not have driving
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	133	licenses. They are now excluded. Also if you insist on
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	134	paper ballots you have to have special provisions for
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	135	blind people. Otherwise they cannot vote.
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	136	\end{itemize}
190 4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	137
156 3b831b9dc616 added some initial handouts Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	138	\item {\bf Availability}
3b831b9dc616 added some initial handouts Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	139	\begin{itemize}
190 4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	140	\item The voting system should accept all authorised votes
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	141	and produce results in a timely manner. If you move
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	142	an election online, you have to guard agains DoS
191 f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	143	attacks for example.
190 4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	144	\end{itemize}
156 3b831b9dc616 added some initial handouts Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	145	\end{itemize}
3b831b9dc616 added some initial handouts Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	146
190 4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	147	\noindent While these requirements seem natural, the problem
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	148	is that they often clash with each other. For example
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	149
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	150	\begin{center}
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	151	integrity vs.~ballot secrecy\\
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	152	authentication vs.~enfranchisement
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	153	\end{center}
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	154
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	155	\noindent If we had ballots with complete voter
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	156	identification, then we can improve integrity because we can
4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	157	trace back the votes to the voters. This would be good when
191 f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	158	verifying the results or recounting. But such an
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	159	identification would violate ballot secrecy (you can prove to
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	160	somebody else how you voted). In contrast, if we remove all
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	161	identification for ensuring ballot secrecy, then we have to
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	162	ensure that no ``vote-stuffing'' occurs. Similarly, if we
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	163	improve authentication by requiring a to be present at the
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	164	polling station with an ID card, then we exclude absentee
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	165	voting.
190 4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	166
191 f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	167	To tackle the problem of e-voting, we should first have a look
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	168	into the history of voting and how paper-based ballots
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	169	evolved. Because also good-old-fashioned paper ballot voting
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	170	is not entirely trivial and immune from being hacked. We know
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	171	for sure that elections were held in Athens as early as 600
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	172	BC, but might even date to the time of Mesopotamia and also in
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	173	India some kind of ``republics'' might have existed before the
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	174	Alexander the Great invaded it. Have a look at Wikipedia about
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	175	the history of democracy for more information. These elections
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	176	were mainly based on voting by show of hands. While this
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	177	method of voting satisfies many of the requirements stipulated
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	178	above, the main problem with hand voting is that it does not
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	179	guaranty ballot secrecy. As far as I know the old greeks and
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	180	romans did not perceive this as a problem, but the result was
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	181	that their elections favoured rich, famous people who had
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	182	enough resources to swing votes. Even using small coloured
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	183	stones did not really mitigate the problem with ballot
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	184	secrecy. The problem of authorisation was solved by friends or
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	185	neighbours vouching for you to prove you are elegible to vote
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	186	(there were no ID cards in ancient Greece and Rome).
190 4ee6812ab436 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 188 diff changeset	187
191 f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	188	Starting with the French Revolution and the US constitution,
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	189	people started to value a more egalitarian approach to voting
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	190	and electing officials. This was also the time where paper
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	191	ballots started to become the prevailing form of casting
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	192	votes. While more resistant against voter intimidation, paper
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	193	ballots need a number of security mechanisms to avoid fraud.
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	194	For example you need voting booths to fill out the ballot in
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	195	secret. Also transparent ballot boxes are often used in order
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	196	to easily detect and prevent vote stuffing (prefilling the
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	197	ballot box with false votes).
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	198
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	199	\begin{center}
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	200	\includegraphics[scale=2.5]{../slides/pics/ballotbox.jpg}
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	201	\end{center}
156 3b831b9dc616 added some initial handouts Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	202
191 f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	203	\noindent Another security mechanism is to guard the ballot
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	204	box against any tampering during the election until counting.
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	205	The counting needs to be done by a team potentially involving
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	206	also independent observers. One interesting attack against
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	207	completely anonymous paper ballots is called \emph{chain vote
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	208	attack}. It works if the paper ballots are given out to each
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	209	voter at the polling station. Then an attacker can give the
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	210	prefilled ballot to a voter. The voter uses this prefilled
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	211	ballot to cast the vote, and then returns the empty ballot
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	212	back to the attacker who now compensates the voter. The blank
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	213	ballot can be reused for the next voter.
156 3b831b9dc616 added some initial handouts Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	214
191 f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	215	The point is that paper ballots have evolved over some time
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	216	and no single best method has emerged for preventing fraud.
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	217	But the involved technology is well understood in order to
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	218	provide good enough security with paper ballots.
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	219
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	220	\subsection*{E-Voting}
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	221
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	222	If one is to replace paper ballots by some electronic
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	223	mechanism, one should always start from simple premise taken
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	224	from an Australian white paper about e-voting:
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	225
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	226	\begin{quote} \it ``Any electronic voting system should
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	227	provide at least the same security, privacy and transparency
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	228	as the system it replaces.''
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	229	\end{quote}
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	230
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	231	\noindent Whenever people argue in favour of e-voting they
f675aa15b6d0 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 190 diff changeset	232	seem to be ignore this basic premise.
156 3b831b9dc616 added some initial handouts Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	233
188 2555552d2c05 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 185 diff changeset	234	%\subsubsection*{Questions}
156 3b831b9dc616 added some initial handouts Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	235
188 2555552d2c05 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 185 diff changeset	236	%Coming back to the question of why I use online banking, but
2555552d2c05 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 185 diff changeset	237	%prefer not to e-vote.
156 3b831b9dc616 added some initial handouts Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	238
188 2555552d2c05 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 185 diff changeset	239	%Why do I use e-polling in lectures?
156 3b831b9dc616 added some initial handouts Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	240
188 2555552d2c05 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 185 diff changeset	241	%Imagine you have a perfectly secure internet voting system, by
2555552d2c05 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 185 diff changeset	242	%which I mean nobody can tamper with or steal votes between
2555552d2c05 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 185 diff changeset	243	%your browser and the central server responsible for vote
2555552d2c05 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 185 diff changeset	244	%tallying. What can still go wrong with such a perfectly secure
2555552d2c05 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 185 diff changeset	245	%voting system, which is prevented in traditional elections
2555552d2c05 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 185 diff changeset	246	%with paper-based ballots?
157 3a8fff66d62b updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 156 diff changeset	247
156 3b831b9dc616 added some initial handouts Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	248	\end{document}
3b831b9dc616 added some initial handouts Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	249
3b831b9dc616 added some initial handouts Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	250	%%% Local Variables:
3b831b9dc616 added some initial handouts Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	251	%%% mode: latex
3b831b9dc616 added some initial handouts Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	252	%%% TeX-master: t
3b831b9dc616 added some initial handouts Christian Urban <christian dot urban at kcl dot ac dot uk> parents: diff changeset	253	%%% End:

author	Christian Urban <christian dot urban at kcl dot ac dot uk>
	Fri, 03 Oct 2014 06:17:25 +0100
changeset 191	f675aa15b6d0
parent 190	4ee6812ab436
child 192	2cb42412f3fd
permissions	-rw-r--r--