227 provide at least the same security, privacy and transparency |
227 provide at least the same security, privacy and transparency |
228 as the system it replaces.'' |
228 as the system it replaces.'' |
229 \end{quote} |
229 \end{quote} |
230 |
230 |
231 \noindent Whenever people argue in favour of e-voting they |
231 \noindent Whenever people argue in favour of e-voting they |
232 seem to be ignore this basic premise. |
232 seem to be ignore this basic premise.\bigskip |
|
233 |
|
234 \noindent After the debacle of the Florida presidential |
|
235 election in 2000, many counties used Direct-Recording |
|
236 Electronic voting machines (DREs) or optical scan machines. |
|
237 One popular model of DRE was sold by the company called |
|
238 Diebold. In hindsight they were a complete disaster: the |
|
239 products were inferior and the company incompetent. Direct |
|
240 recording meant that there was no paper trail, the votes were |
|
241 directly recorded on memory cards. Thus the voters had no |
|
242 visible assurance whether the votes were correctly cast. The |
|
243 machines behind these DREs were ``normal'' windows computers, |
|
244 which could be used for anything, for example for changing |
|
245 votes. Why did nobody at Diebold think of that? That this was |
|
246 eventually done undetectably is the result of the |
|
247 determination of ethical hackers like Alex Halderman. His |
|
248 group thoroughly hacked them showing that election fraud is |
|
249 easily possible. They managed to write a virus that infected |
|
250 the whole system by having only access to a single machine. |
|
251 |
|
252 What made matters worse was that Diebold tried to hide their |
|
253 incompetency and inferiority of their products, by requiring |
|
254 that election counties must not give the machines up for |
|
255 independent review. They also kept their source secret. |
|
256 This meant Halderman and his group had to obatain a machine |
|
257 not in the official channels. Then they had to reverse |
|
258 engineer the source code in order to design their attack. |
|
259 What this all showed is that a shady security design is no |
|
260 match to a determined hacker. |
|
261 |
|
262 Apart from the obvious failings (for example no papertrail), |
|
263 this story also told another side. While a paper ballot box |
|
264 need to be kept secure from the beginning of the election |
|
265 (when it needs to be ensured it is empty) until the end of the |
|
266 day, electronic voting machines need to be kept secure the |
|
267 whole year. The reason is of course one cannot see whether |
|
268 somebody has tampered with the program a computer is running. |
|
269 Such a 24/7 security costly and often even even impossible, |
|
270 because voting machines need to be distributed usually the day |
|
271 before to the polling station. These are often schools where |
|
272 the voting machines are kept unsecured overnight. The obvious |
|
273 solution of putting seals on computers also does not work: in |
|
274 the process of getting these DREs discredited (involving court |
|
275 cases) it was shown that seals can easily be circumvented. The |
|
276 moral of this story is that election officials were |
|
277 incentivised with money by the central government to obtain |
|
278 new voting equipment and in the process fell prey to pariahs |
|
279 which sold them a substandard product. Diebold was not the |
|
280 only pariah in this project, but one of the more notorious |
|
281 one. |
|
282 |
|
283 Optical scan machines are slightly better from a security |
|
284 point of view but by no means good enough. Their main idea |
|
285 is that the voter fills out a paper ballot, which is then |
|
286 scanned by a machine. At the very least the paper ballot can |
|
287 serve as a paper trail in cases an election result needs to |
|
288 be recounted. But if one takes the paper ballots as the |
|
289 version that counts in the end, thereby using the optical |
|
290 scan machine only as a device to obtain quickly preliminary |
|
291 results, then why not sticking with paper ballots in the |
|
292 first place?\bigskip |
|
293 |
|
294 \noindent An interesting solution for e-voting was designed in |
|
295 India. Essentially they designed a bespoke voting device, |
|
296 which could not be used for anything else. Having a bespoke |
|
297 device is a good security engineering decision because it |
|
298 makes the attack surface smaller. If you have a fullfledged |
|
299 computer behind your system, then you can do everything a |
|
300 computer can do\ldots{}that is a lot, including a lot of |
|
301 abuse. What was bad that these machines did not have the |
|
302 important paper trail: that means if an election was tampered |
|
303 with, nobody would find out. Even if they had by their bespoke |
|
304 design a very small attack surface, ethical hackers were still |
|
305 able to tamper with them. The moral with Indian's voting |
|
306 machines is that even if very good security design decisions |
|
307 are taken, e-voting is very hard to get right.\bigskip |
|
308 |
|
309 |
|
310 \noindent This brings us to the case of Estonia, which held in |
|
311 2007 the worlds first general election that used Internet. |
|
312 Again their solution made some good choices: |
233 |
313 |
234 %\subsubsection*{Questions} |
314 %\subsubsection*{Questions} |
235 |
315 |
236 %Coming back to the question of why I use online banking, but |
316 %Coming back to the question of why I use online banking, but |
237 %prefer not to e-vote. |
317 %prefer not to e-vote. |
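Review bot: the last new paragraph of this hunk ends on a colon, `Again their solution made some good choices:`, and nothing follows before the commented-out `%\subsubsection*{Questions}` block, so the reader never learns what Estonia's good choices were; either the enumeration belongs in this commit or the sentence should close with a full stop. The sentence `That this was eventually done undetectably is the result of the determination of ethical hackers like Alex Halderman` also reads as if the hackers altered votes in a real election, whereas the following sentences describe a demonstration; consider `That this could be done undetectably was eventually shown by ethical hackers like Alex Halderman`. Several typos in the added text will otherwise reach the handout as-is: `seem to be ignore` (ignoring), `obatain` (obtain), `papertrail` (paper trail, as spelled two paragraphs earlier), `a paper ballot box need to be kept` (needs), `Such a 24/7 security costly and often even even impossible` (missing "is", doubled "even"), `fullfledged` (full-fledged), `What was bad that these machines` (missing "was"), `Indian's voting machines` (India's), `the worlds first general election that used Internet` (world's, the Internet) and `why not sticking with` (why not stick with).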