
\begin{document}

\section*{Handout 2 (E-Voting)}

In security engineering, there are many counter-intuitive
phenomena: for example I am happy (more or less) to use online
banking every day, where if something goes wrong, I can
potentially lose a lot of money, but I am staunchly against
using electronic voting (let's call it e-voting for short).
E-voting is an idea that is nowadays often promoted in order
to counter low turnouts in elections\footnote{In my last local
election where I was eligible to vote, only 48\% of the
population cast their ballot. I was, I shamefully admit,
one of the non-voters.} and generally sounds like a good idea.
Right? Voting from the comfort of your own home, or on your
mobile on the go, what could possibly go wrong? Even the UK's
head of the Electoral Commission, Jenny Watson, argued in 2014
in a Guardian article that the UK should have e-voting. Her
plausible argument is that 76\% of pensioners in the UK vote
(in a general election?), but only 44\% of the under-25s. For
which constituency politicians might therefore make more
favourable (short-term) decisions is clear. So, not yet being a
pensioner, I should be in favour of e-voting, no?

Well, it turns out there are many things that can go wrong
with e-voting, as I like to argue in this handout. E-voting in
a ``secure way'' seems to be one of the things in computer
science that are still very much unsolved. It is not on the
scale of Turing's halting problem, which is proved to be
unsolvable in general, but more in the category of being
unsolvable with current technology. This is not just my
opinion, but is also shared by many security researchers, amongst
them Alex Halderman, who is the world expert on this subject
and from whose course on Securing Digital Democracy I have
most of my information and inspiration. It is also a
controversial topic in many countries:

\begin{itemize}
\item The Netherlands between 1997--2006 had electronic voting
      machines, but ``hacktivists'' found they could be
      hacked to change votes and also emitted radio signals
      revealing how you voted.

\item Germany conducted pilot studies with e-voting, but in
      2007 a lawsuit reached the highest court, which
      rejected e-voting on the grounds of not being
      understandable by the general public.

\item The UK used optical scan voting systems in a few trial
      polls, but to my knowledge does not use any e-voting in
      elections.

\item The US has used mechanical machines since the 1930s, later
      punch cards, now DREs and optical scan voting machines.

\item Estonia has used the Internet for national elections
      since 2007. There were earlier pilot studies for voting
      via Internet in other countries.

\item India has used e-voting devices since at least 2003. They
      use ``keep-it-simple'' machines produced by a
      government-owned company.

\item South Africa used software for its tallying in the 1993
      elections (when Nelson Mandela was elected) and found
      that the tallying software was rigged, but they were
      able to tally manually.
\end{itemize}


The reason that e-voting is such a hard problem is that we
have requirements about the voting process that conflict with
each other. The five main requirements for voting in general
are:

\begin{itemize}
\item {\bf Integrity}
\begin{itemize}
\item By this we mean that the outcome of the vote matches
      the voters' intent. Note that it does not say
      that every vote should be counted as cast. This might
      be surprising, but even counting paper ballots will
      always have an error rate: people who have spent several
      hours looking at ballots will inevitably miscount votes. But
      what should be ensured is that the error rate does not
      change the outcome of the election. Of course, if
      elections continue to be on knife edges, we need to
      ensure that we have a rather small error rate.

\item There might be gigantic sums at stake, which need to be
      defended against. The problem with this is that if
      the incentives are great and enough resources are
      available, then maybe it is feasible to mount a DoS
      attack against the voting server and, by bringing the
      system to its knees, change the outcome of an
      election.
\end{itemize}

\item {\bf Ballot Secrecy}
\begin{itemize}
\item Nobody can find out how you voted. This is to prevent
      voters from being coerced to vote in a certain way
      (for example by relatives, employers etc).

\item (Stronger) Even if you try, you cannot prove how you
      voted. The reason is that you want to avoid vote
      coercion but also vote selling. That this is a problem
      is proved by the fact that some jokers in the recent
      Scottish referendum tried to make money out of their
      vote.
\end{itemize}

\item {\bf Voter Authentication}
\begin{itemize}
\item Only authorised voters can vote, up to the permitted
      number of votes (in order to avoid ``vote early,
      vote often'').
\end{itemize}

\item {\bf Enfranchisement}
\begin{itemize}
\item Authorised voters should have the opportunity to vote.
      This can, for example, be a problem if you make the
      authorisation dependent on an ID card, say a
      driving license: then everybody who does not have a
      license cannot vote. While this sounds like an innocent
      requirement, in fact some parts of the population,
      for one reason or the other, just do not have
      driving licenses. They are now excluded. Also, if
      you insist on paper ballots, you have to have special
      provisions for them.
\end{itemize}

\item {\bf Availability}
\begin{itemize}
\item The voting system should accept all authorised votes
      and produce results in a timely manner. If you move
      an election online, you have to guard against DoS
      attacks.
\end{itemize}
\end{itemize}

\noindent While these requirements seem natural, the problem
is that they often clash with each other. For example

\begin{center}
integrity vs.~ballot secrecy\\
authentication vs.~enfranchisement
\end{center}

\noindent If we had ballots with complete voter
identification, then we could improve integrity because we could
trace back the votes to the voters. This would be good when
verifying the results. But such an identification would
violate ballot secrecy (you could prove to somebody else how you
voted). In contrast, if we remove all identification to
ensure ballot secrecy, then we have to ensure that no
``vote-stuffing'' occurs.

Similarly, if we improve authentication, \ldots
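As an added illustration, not part of the handout, of how a polling station reconciles voter authentication with ballot secrecy, and of the integrity point that a miscount rate only matters relative to the margin: a Python model with a register that refuses ``vote early, vote often'', an anonymous ballot box, and a worst-case bound on the tolerable error rate. All class and function names and the sample electoral roll are constructed for this example.

```python
"""Polling-station model: the register enforces authentication (who may vote,
how often); the ballot box holds choices only, unlinkable to any voter."""
from collections import Counter
import random

class Register:
    """Electoral roll: voter id -> number of votes still permitted."""
    def __init__(self, allowance):
        self._left = dict(allowance)

    def check_in(self, voter_id):
        """Consume one permitted vote; False if none left or not on roll."""
        if self._left.get(voter_id, 0) <= 0:
            return False  # "vote early, vote often" is refused here
        self._left[voter_id] -= 1
        return True

class BallotBox:
    """Holds ballots with no voter identity attached."""
    def __init__(self):
        self._ballots = []

    def cast(self, choice):
        self._ballots.append(choice)

    def tally(self):
        # Shuffle so cast order cannot be matched against the register's
        # check-in order to re-identify ballots.
        random.shuffle(self._ballots)
        return Counter(self._ballots)

def vote(register, box, voter_id, choice):
    """The desk checks the voter; only then does an anonymous ballot go in."""
    if not register.check_in(voter_id):
        return False
    box.cast(choice)
    return True

def max_tolerable_error_rate(tally):
    """Largest per-ballot miscount rate that cannot flip the winner, assuming
    every miscount moves a ballot from winner to runner-up (margin -2 each)."""
    (_, first), (_, second) = tally.most_common(2)
    return (first - second) / (2 * sum(tally.values()))

def demo():
    """Constructed sample: three voters on the roll; v1 tries twice, v9 is not enrolled."""
    reg, box = Register({"v1": 1, "v2": 1, "v3": 1}), BallotBox()
    attempts = [("v1", "A"), ("v2", "A"), ("v3", "B"), ("v1", "B"), ("v9", "A")]
    accepted = [vote(reg, box, v, c) for v, c in attempts]
    return accepted, box.tally()
```

With a 2--1 result over three ballots, the bound is one miscount in six: on such a knife edge even a single counting error could change the outcome.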

To tackle the problem of e-voting, we must first have a look
into the history of voting and how paper-based ballots
evolved. We know for sure that elections were held in Athens
as early as 600 BC, but might even date to the time of