
\noindent Whenever people argue in favour of e-voting they
seem to be ignoring this basic premise.\bigskip

\noindent After the debacle of the Florida presidential
election in 2000, many voting pre\-cincts in the US used
Direct-Recording Electronic voting machines (DREs) or optical
scan machines. One popular model of DREs was sold by a
company called Diebold. In hindsight they were a complete
disaster: the products were inadequate and the company
incompetent. Direct recording meant that there was no paper
the voters had no visible assurance whether the votes were
correctly cast. Even if a printout is provided, it gives no
guarantee about what is recorded on the memory card.

The machines behind these DREs were ``normal'' Windows
computers, which could be used for anything, for example for
changing votes. Why did nobody at Diebold think of that? I
have no idea. But that changing votes undetectably was
eventually shown to be possible is the result of the
determination of ethical hackers like Alex Halderman. His
group thoroughly hacked Diebold's DREs
\caption{Direct-Recording Electronic voting machines above;
an optical scan machine below.\label{machines}}
\end{figure}

What made matters worse was that Diebold tried to hide their
incompetence and the inferiority of their products by
requiring that election counties must not give the machines up
for independent review. They also kept their source code
secret. This meant Halderman and his group had to obtain a
machine through unofficial channels. They then had to
reverse engineer the source code in order to design their
attack. What all this showed is that a shady security design
is no match for a determined hacker.
Apart from the obvious failings (for example no paper trail),
this story also told another side. While a paper ballot box
needs to be kept secure from the beginning of the election
(when it needs to be ensured it is empty) until the end of the
day, electronic voting machines need to be kept secure the
whole year. The reason is of course that one cannot see
whether somebody has tampered with the program a computer is
running. Such 24/7 security is costly and often even
impossible, because voting machines need to be
distributed---usually the day before the election---to the
polling stations. These are often schools where the voting
machines are kept unsecured overnight. The obvious solution of
putting seals on computers did not work: in the process of
getting these DREs discredited (involving court cases) it was
shown that seals can easily be circumvented. The moral of this
story is that election officials were incentivised with money
by the central government to obtain new voting equipment and
in the process fell prey to pariahs who sold them a
substandard product. Diebold was not the only pariah in this
area, but one of the more notorious ones.

Optical scan machines are slightly better from a security
point of view but by no means good enough. Their main idea
is that the voter fills out a paper ballot, which is then
scanned by a machine. At the very least the paper ballot can
\noindent An interesting solution for e-voting was designed in
India. Essentially they designed a bespoke voting device,
which could not be used for anything else. Having a bespoke
device is a good security engineering decision because it
makes the attack surface much smaller. If you have a
full-fledged computer behind your voting system, then you can
do everything a computer can do\ldots{}and that is a lot,
including a lot of abuse. What was bad about the devices in
India was that these machines did not have the important paper
trail: that means if an election was tampered with, nobody
would find out. Even though their bespoke design gave them a
very small attack surface, ethical hackers were still able to
that even if very good security design decisions are taken,
e-voting is very hard to get right.\bigskip


\noindent This brings us to the case of Estonia, which held in
2007 the world's first general election that used the Internet.
Again their solution made some good choices: for example voter
authentication is done via the Estonian ID card, which
contains a chip like on credit cards. They also made most of
their source code public for independent scrutiny. Of course
this openness means that people (hackers) will look over your
shoulder and find code such as this snippet.

{\footnotesize\lstinputlisting[language=Python,numbers=none]
{../progs/estonia.py}}

\noindent If you want to have a look at their code it can be
downloaded from their GitHub
repository.\footnote{\url{https://github.com/vvk-ehk/evalimine/}}
Their system is also designed such that Internet voting takes
place before election day: votes can be changed an unlimited
number of times; always the last vote is tabulated. You can
even change your vote on polling day in person. This is an
important security mechanism guarding against vote coercion,
which of course is an important problem if you are allowed to
vote via the Internet.


\item An auditor can download the entire (shuffled) election
data and verify the shuffle, decryptions and tally.
\end{enumerate}

\noindent As you can see, the whole process is not trivial at
all and leaves out a number of crucial details (such as how to
best distribute public keys for encryption). It even depends
on a highly sophisticated process called
\emph{zero-knowledge-proofs}. They essentially allow one to
convince somebody else that one knows a secret without actually
with your communication partner. We will look at
zero-knowledge-proofs in a later lecture in more detail.
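The zero-knowledge idea above, as an added example that is not part of the lecture: Schnorr's interactive proof of knowledge of a discrete logarithm, the building block of the proofs of correct decryption that an auditor checks in such tallying schemes. The group parameters and the secret are constructed toy values, far too small for real use.

```python
"""Schnorr proof of knowledge of x with y = g^x mod p (added illustration).
The prover convinces the verifier she knows x without revealing it.
Toy group constructed for the demo; real systems use 256-bit+ orders."""
import secrets

# Constructed toy parameters: p = 2q + 1 with p, q prime and g of order q.
P, Q, G = 2039, 1019, 4

def keygen(x):
    """Public value y = g^x mod p for a secret x in [1, q-1]."""
    return pow(G, x, P)

def prover_commit():
    """Move 1: prover picks a fresh random r and sends t = g^r (keeps r)."""
    r = secrets.randbelow(Q - 1) + 1
    return r, pow(G, r, P)

def verifier_challenge():
    """Move 2: verifier sends a random challenge c in [0, q-1]."""
    return secrets.randbelow(Q)

def prover_respond(x, r, c):
    """Move 3: s = r + c*x mod q; the random r masks x, so s reveals nothing."""
    return (r + c * x) % Q

def verify(y, t, c, s):
    """Verifier accepts iff g^s == t * y^c mod p."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P

def run_protocol(x):
    """Run one honest three-move interaction; return the verifier's decision."""
    y = keygen(x)
    r, t = prover_commit()
    c = verifier_challenge()
    s = prover_respond(x, r, c)
    return verify(y, t, c, s)

def simulate(y, c):
    """Zero-knowledge: anyone who knows c *before* committing can build an
    accepting transcript (t, c, s) without x, so transcripts leak nothing
    about x.  Soundness rests on the verifier choosing c only after t."""
    s = secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(y, (-c) % Q, P)) % P
    return t, c, s
```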

The point of these theoretical/hot-air musings is to show that
such an e-voting procedure is far from convenient: it takes
much more time to allow, for example, scrutinising whether the
votes were cast correctly. Very likely it will also not pass
the benchmark of being understandable to Joe Average. This is
a standard that, as a high court ruled, needs to be met in the
German election process.

The overall conclusion is that an e-voting process involving
the Internet cannot be made secure with current technology.
Voting has just too high demands on integrity and ballot
secrecy. This is different from online banking where the whole