48 never be solved in general, but more in the category of being |
48 never be solved in general, but more in the category of being |
49 unsolvable with current technology. This is not just my |
49 unsolvable with current technology. This is not just my |
50 opinion, but also shared by many security researchers amongst |
50 opinion, but also shared by many security researchers amongst |
51 them Alex Halderman, who is the world-expert on this subject |
51 them Alex Halderman, who is the world-expert on this subject |
52 and from whose Coursera course on Securing Digital Democracy I |
52 and from whose Coursera course on Securing Digital Democracy I |
53 have most of my information and inspiration. It is also a |
53 have most of my information and inspiration on this topic. It |
54 controversial topic in many countries: |
54 is also a controversial topic in many countries: |
55 |
55 |
56 \begin{itemize} |
56 \begin{itemize} |
57 \item The Netherlands between 1997--2006 had electronic voting |
57 \item The Netherlands between 1997--2006 had electronic voting |
58 machines, but ``hacktivists'' had found they can be |
58 machines, but ``hacktivists'' had found they can be |
59 hacked to change votes and also emitted radio signals |
59 hacked to change votes and also emitted radio signals |
60 revealing how you voted. Now e-voting has been abandoned |
60 revealing how you voted. Now e-voting has been abandoned |
61 in the Netherlands. |
61 in the Netherlands. |
62 |
62 |
63 \item Germany conducted pilot studies with e-voting, but in |
63 \item Germany conducted pilot studies with e-voting, but in |
64 2007 a law suit has reached the highest court and it |
64 2007 a law suit has reached the highest court and it |
65 rejected e-voting on the grounds of not being |
65 rejected e-voting on the grounds of the mechanisms |
66 understandable by the general public. |
66 behind it not being understandable to the general |
|
67 public. |
67 |
68 |
68 \item UK used optical scan voting systems in a few trail |
69 \item UK used optical scan voting systems in a few trail |
69 polls, but to my knowledge does not use any e-voting in |
70 polls, but to my knowledge does not use any e-voting in |
70 elections. |
71 elections. |
71 |
72 |
72 \item The US used mechanical machines since the 1930s, later punch |
73 \item The US used mechanical machines since the 1930s, later |
73 cards, now DREs and optical scan voting machines. But there is a |
74 punch cards, now DREs and optical scan voting machines. |
74 lot of evidence that DREs and optical scan voting machines are not |
75 But there is a lot of evidence that DREs and optical |
75 as secure as they should be. Some states experimented with Internet |
76 scan voting machines are not as secure as they should |
76 voting, but all experiments have been security failures. One |
77 be. Some states experimented with Internet voting, but |
77 exceptional election happened just after hurrican Sandy in 2012 when |
78 all experiments have been security failures. One |
78 some states allowed emergency electronic voting. Voters downloaded |
79 exceptional election happened just after hurrican Sandy |
79 paper ballots and emailed them back to election officials. |
80 in 2012 when some states allowed emergency electronic |
|
81 voting. Voters downloaded paper ballots and emailed them |
|
82 back to election officials. |
80 |
83 |
81 \item Estonia used since 2007 the Internet for national |
84 \item Estonia used since 2007 the Internet for national |
82 elections. There were earlier pilot studies for voting |
85 elections. There were earlier pilot studies for voting |
83 via Internet in other countries. |
86 via Internet in other countries. |
84 |
87 |
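Review bot: two spelling errors survive in both columns of this hunk: `trail polls` in the UK item should read `trial polls`, and `hurrican Sandy` in the US item should read `hurricane Sandy`. While touching the Germany item, `in 2007 a law suit has reached the highest court and it rejected e-voting` mixes tenses; `in 2007 a lawsuit reached the highest court, which rejected e-voting` reads more cleanly.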
99 elections (when Nelson Mandela was elected) and found |
102 elections (when Nelson Mandela was elected) and found |
100 that the tallying software was rigged, but they were |
103 that the tallying software was rigged, but they were |
101 able to tally manually. |
104 able to tally manually. |
102 \end{itemize} |
105 \end{itemize} |
103 |
106 |
|
107 \noindent If you are interested in the recent state of affairs |
|
108 of e-voting machinery, I recommend the talk Jeremy Epstein |
|
109 |
|
110 \begin{center} |
|
111 \url{https://www.usenix.org/sites/default/files/conference/protected-files/jets15_slides_epstein.pdf} |
|
112 \end{center} |
|
113 |
|
114 \noindent The abstract says: |
|
115 |
|
116 \begin{quote}\it |
|
117 In April 2015, the US Commonwealth of Virginia decertified the |
|
118 Advanced Voting Solutions (AVS) WinVote voting machine, after |
|
119 concluding that it was insecure. This talk presents the |
|
120 results of Virginia's analysis of the WinVote, and explores |
|
121 how we got to the point where a voting machine using an |
|
122 unpatched version of Windows XP from 2004, using hardwired WEP |
|
123 keys and administrator passwords, could be used for over a |
|
124 decade in most of Virginia. |
|
125 \end{quote} |
104 |
126 |
105 The reason that e-voting is such a hard problem is that we |
127 The reason that e-voting is such a hard problem is that we |
106 have requirements about the voting process that conflict with |
128 have requirements about the voting process that conflict with |
107 each other. The five main requirements for voting in general |
129 each other. The five main requirements for voting in general |
108 are: |
130 are: |
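Review bot: the newly added sentence introducing the slides is missing a preposition and its end punctuation: `I recommend the talk Jeremy Epstein` should be `I recommend the talk by Jeremy Epstein:` before the `\begin{center}` block. Minor LaTeX point in the quoted abstract: `\begin{quote}\it` uses the old two-letter font switch; `\begin{quote}\itshape` is the LaTeX2e form and gives the same rendering.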
237 also independent observers. |
259 also independent observers. |
238 |
260 |
239 One interesting attack against completely anonymous paper |
261 One interesting attack against completely anonymous paper |
240 ballots is called \emph{chain vote attack}. It works if the |
262 ballots is called \emph{chain vote attack}. It works if the |
241 paper ballots are given out to each voter at the polling |
263 paper ballots are given out to each voter at the polling |
242 station. Then an attacker can give the prefilled ballot to a |
264 station. Then an attacker can give a prefilled ballot to a |
243 voter. The voter uses this prefilled ballot to cast the vote, |
265 voter. The voter uses this prefilled ballot to cast the vote, |
244 and then returns the empty ballot paper back to the attacker who now |
266 and then returns the empty ballot paper back to the attacker who now |
245 compensates the voter. The blank ballot can be reused for the |
267 compensates the voter. The blank ballot can be reused for the |
246 next voter. I let you ponder why it is important for this |
268 next voter. I let you ponder why it is important for this |
247 attack that the voter returns the empty ballot to the |
269 attack that the voter returns the empty ballot to the |
248 attacker. |
270 attacker. |
249 |
271 |
250 To sum up, the point is that paper ballots have evolved over some time |
272 To sum up, the point is that paper ballots have evolved over some time |
251 and no single best method has emerged for preventing fraud. |
273 and no single best method has emerged for preventing fraud. |
252 But the involved technology is well understood in order to |
274 But the involved technology is well understood in order to |
253 provide good enough security with paper ballots. |
275 provide good enough security with paper ballots\ldots{}unless |
|
276 you lived in Florida at around 2000. |
|
277 |
254 |
278 |
255 \subsection*{E-Voting} |
279 \subsection*{E-Voting} |
256 |
280 |
257 If one is to replace paper ballots by some electronic |
281 If one is to replace paper ballots by some electronic |
258 mechanism, one should always start from simple premise taken |
282 mechanism, one should always start from simple premise taken |
259 from an Australian white paper about e-voting: |
283 from an Australian government white paper about e-voting: |
260 |
284 |
261 \begin{quote} \it ``Any electronic voting system should |
285 \begin{quote} \it ``Any electronic voting system should |
262 provide at least the same security, privacy and transparency |
286 provide at least the same security, privacy and transparency |
263 as the system it replaces.'' |
287 as the system it replaces.'' |
264 \end{quote} |
288 \end{quote} |
265 |
289 |
266 \noindent Whenever people argue in favour of e-voting they |
290 \noindent Whenever people argue in favour of e-voting, they |
267 seem to be ignoring this basic premise.\bigskip |
291 seem to be ignoring this basic premise.\bigskip |
268 |
292 |
269 \noindent After the debacle of the Florida presidential |
293 \noindent After the debacle of the Florida presidential |
270 election in 2000, many voting pre\-cincts in the US used |
294 election in 2000, many voting pre\-cincts in the US used |
271 Direct-Recording Electronic voting machines (DREs) or optical |
295 Direct-Recording Electronic voting machines (DREs) or optical |
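Review bot: `start from simple premise` in the E-Voting section is missing an article (`start from a simple premise`), and `I let you ponder` in the chain-vote paragraph should be `I leave you to ponder`. The new ending `good enough security with paper ballots\ldots{}unless you lived in Florida at around 2000` reads better as `\ldots{} unless you lived in Florida around 2000`, and `the involved technology is well understood in order to provide` would be clearer as `the technology involved is well enough understood to provide`.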
303 |
327 |
304 What made matters worse was that Diebold tried to hide their |
328 What made matters worse was that Diebold tried to hide their |
305 incompetence and the inferiority of their products by |
329 incompetence and the inferiority of their products by |
306 requiring that election counties must not give the machines up |
330 requiring that election counties must not give the machines up |
307 for independent review. They also kept their source code |
331 for independent review. They also kept their source code |
308 secret. This meant Halderman and his group had to obtain a |
332 secret. This meant Halderman and his group could not obtain a |
309 machine not through the official channels. They then had to |
333 machine through the official channels, but whoever could hope |
310 reverse engineer the source code in order to design their |
334 that revented them from obtaining a machine? Ok, they got one. |
311 attack. What all this showed is that a shady security design |
335 They then had to reverse engineer the source code in order to |
312 is no match for a determined hacker. |
336 design an attack. What all this showed is that a shady |
|
337 security design is no match for a determined hacker. |
313 |
338 |
314 Apart from the obvious failings (for example no paper trail), |
339 Apart from the obvious failings (for example no paper trail), |
315 this story also told another side. While a paper ballot box |
340 this story also told another side. While a paper ballot box |
316 need to be kept secure from the beginning of the election |
341 need to be kept secure from the beginning of the election |
317 (when it needs to be ensured it is empty) until the end of the |
342 (when it needs to be ensured it is empty) until the end of the |
326 putting seals on computers did not work: in the process of |
351 putting seals on computers did not work: in the process of |
327 getting these DREs discredited (involving court cases) it was |
352 getting these DREs discredited (involving court cases) it was |
328 shown that seals can easily be circumvented. The moral of this |
353 shown that seals can easily be circumvented. The moral of this |
329 story is that election officials were incentivised with money |
354 story is that election officials were incentivised with money |
330 by the central government to obtain new voting equipment and |
355 by the central government to obtain new voting equipment and |
331 in the process fell prey to pariahs which sold them a |
356 in the process fell prey to pariahs which sold them |
332 substandard product. Diebold was not the only pariah in this |
357 substandard products. Diebold was not the only pariah in this |
333 area, but one of the more notorious ones.\footnote{An e-voting |
358 area, but one of the more notorious ones.\footnote{An e-voting |
334 researcher recently made a connection between the VW-exhaust |
359 researcher recently made a connection between the VW-exhaust |
335 scandal and e-voting: His argument is that it is very hard |
360 scandal and e-voting: His argument is that it is very hard |
336 to test whether a program works correctly in a hostile |
361 to test whether a program works correctly in a hostile |
337 environment. The program can often recognise when it is |
362 environment. The program can often recognise when it is |
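Review bot: the rewritten sentence about obtaining a machine has a typo and a garbled question: `but whoever could hope that revented them from obtaining a machine?` should read something like `but who could hope that this would prevent them from obtaining one?` (`revented` is missing its `p`). Two grammar points in the same hunk: `a paper ballot box need to be kept secure` wants `needs`, and `pariahs which sold them substandard products` should be `pariahs who sold`.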
365 that even if very good security design decisions are taken, |
390 that even if very good security design decisions are taken, |
366 e-voting is very hard to get right.\bigskip |
391 e-voting is very hard to get right.\bigskip |
367 |
392 |
368 |
393 |
369 \noindent This brings us to the case of Estonia, which held in |
394 \noindent This brings us to the case of Estonia, which held in |
370 2007 the worlds first general election that used the Internet. |
395 2007 the World's first general election that used the |
371 Again their solution made some good choices: for example voter |
396 Internet. Their solution made some good choices: for example |
372 authentication is done via the Estonian ID card, which |
397 voter authentication is done via the Estonian ID card, which |
373 contains a chip like on credit cards. They also made most of |
398 contains a chip like on credit cards. They also made most of |
374 their source code public for independent scrutiny. Of course |
399 their source code public for independent scrutiny---unlike |
375 this openness means that people (hackers) will look at your |
400 pariah companies like Diebold. Of course this openness means |
376 fingers and find code such as this snippet. |
401 that people (hackers) will look at your fingers and find code |
|
402 such as this snippet: |
377 |
403 |
378 {\footnotesize\lstinputlisting[language=Python,numbers=none] |
404 {\footnotesize\lstinputlisting[language=Python,numbers=none] |
379 {../progs/estonia.py}} |
405 {../progs/estonia.py}} |
380 |
406 |
381 \noindent If you want to have a look at their code it can be |
407 \noindent If you want to have a look at their code, it can be |
382 downloaded from their github |
408 downloaded from their github |
383 repository.\footnote{\url{https://github.com/vvk-ehk/evalimine/}} |
409 repository.\footnote{\url{https://github.com/vvk-ehk/evalimine/}} |
384 Also their system is designed such that Internet voting is |
410 Also their system is designed such that Internet voting is |
385 used before the election: votes can be changed an unlimited |
411 used before the election: votes can be changed an unlimited |
386 amount of times; always the last vote is tabulated. You can |
412 amount of times; always the last vote is tabulated. You can |
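Review bot: `the World's first general election` capitalises a common noun; the old column's `worlds` only needed the apostrophe, so `the world's first`. `people (hackers) will look at your fingers` is a literal rendering of a German idiom; the English equivalent is `look over your shoulder`. `their github repository` should use the project's own spelling, `GitHub`.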
453 ``magic'', like the Hellman-Diffie protocol which can be used |
479 ``magic'', like the Hellman-Diffie protocol which can be used |
454 to establish a secret even if you can only exchange postcards |
480 to establish a secret even if you can only exchange postcards |
455 with your communication partner. We will look at |
481 with your communication partner. We will look at |
456 zero-knowledge-proofs in a later lecture in more detail. |
482 zero-knowledge-proofs in a later lecture in more detail. |
457 |
483 |
458 The point of these theoretical/hot-air musings is to show that |
484 The point of these theoretical/hot-air musings like above is |
459 such an e-voting procedure is far from convenient: it takes |
485 to show that such an e-voting procedure is far from |
460 much more time to allow, for example, scrutinising whether the |
486 convenient: it takes much more time to allow, for example, |
461 votes were cast correctly. Very likely it will also not pass |
487 scrutinising whether the votes were cast correctly. Very |
462 the benchmark of being understandable to Joe Average. This was |
488 likely it will also not pass the benchmark of being |
463 a standard, a high court ruled, that needs to be passed in the |
489 understandable to Joe Average. This was a standard, a high |
464 German election process. |
490 court ruled, that needs to be passed in the German election |
|
491 process, for example. |
465 |
492 |
466 The overall conclusion is that an e-voting process involving |
493 The overall conclusion is that an e-voting process involving |
467 the Internet cannot be made secure with current technology. |
494 the Internet cannot be made secure with current technology. |
468 Voting has just too high demands on integrity and ballot |
495 Voting has just too high demands on integrity and ballot |
469 secrecy. This is different from online banking where the whole |
496 secrecy. This is different from online banking where the whole |
472 somewhere the money went). Even if there might be more |
499 somewhere the money went). Even if there might be more |
473 gigantic sums at stake in online banking than with voting, it |
500 gigantic sums at stake in online banking than with voting, it |
474 can be made reasonably secure and fraud-safe. That does not |
501 can be made reasonably secure and fraud-safe. That does not |
475 mean there are no problems with online banking. But with |
502 mean there are no problems with online banking. But with |
476 enough thought, they can usually be overcome with technology |
503 enough thought, they can usually be overcome with technology |
477 we have currently. This is different with e-voting: even the |
504 we have currently avialable. This is different with e-voting: |
478 best have not come up with something workable yet. |
505 even the best have not come up with something workable yet. |
479 |
506 |
480 |
507 |
481 This conclusion does not imply that some special cases of |
508 This conclusion does not imply that some special cases of |
482 Internet voting cannot be made to work securely. Just in a |
509 Internet voting cannot be made to work securely. Just in a |
483 general election where stakes are very high, it does not work. |
510 general election where stakes are very high, it does not work. |
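Review bot: `avialable` in the new `technology we have currently avialable` should be `available`, and the protocol is conventionally written `Diffie-Hellman`, not `Hellman-Diffie` (both columns). The rewritten opener `these theoretical/hot-air musings like above` doubles up on the pointer; `these theoretical/hot-air musings` alone, or `the musings above`, suffices.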