--- a/handouts/ho02.tex Tue Sep 30 12:44:16 2014 +0100
+++ b/handouts/ho02.tex Wed Oct 01 16:18:51 2014 +0100
@@ -6,98 +6,163 @@
\section*{Handout 2 (E-Voting)}
-In security engineering, there are many counter-intuitive phenomena:
-for example I am happy (more or less) to use online banking every day,
-where if something goes wrong, I can potentially lose a lot of money,
-but I am staunchly against using electronic voting (lets call it
-e-voting for short). E-voting is an idea that is nowadays often
-promoted in order to counter low turnouts in elections\footnote{In my
- last local election where I was eligible to vote only 48\% of the
- population have cast their ballot. I was, I shamefully admit, one of
- the non-voters.} and generally sounds like a good idea. Right?
-Voting from the comfort of your own home, or on your mobile on the go,
-what could possibly go wrong? Even the UK's head of the Electoral
-Commission, Jenny Watson, argued in 2014 in a Guardian article that
-the UK should have e-voting. Her plausible argument is that 76\% of
-pensioners in the UK vote (in a general election?), but only 44\% of
-the under-25s. For which constituency politicians might therefore make
-more favourable (short-term) decisions is clear. So being not yet
+In security engineering, there are many counter-intuitive
+phenomena: for example I am happy (more or less) to use online
+banking every day, where if something goes wrong, I can
+potentially lose a lot of money, but I am staunchly against
+using electronic voting (lets call it e-voting for short).
+E-voting is an idea that is nowadays often promoted in order
+to counter low turnouts in elections\footnote{In my last local
+election where I was eligible to vote only 48\% of the
+population have cast their ballot. I was, I shamefully admit,
+one of the non-voters.} and generally sounds like a good idea.
+Right? Voting from the comfort of your own home, or on your
+mobile on the go, what could possibly go wrong? Even the UK's
+head of the Electoral Commission, Jenny Watson, argued in 2014
+in a Guardian article that the UK should have e-voting. Her
+plausible argument is that 76\% of pensioners in the UK vote
+(in a general election?), but only 44\% of the under-25s. For
+which constituency politicians might therefore make more
+favourable (short-term) decisions is clear. So being not yet
pensioner, I should be in favour of e-voting, no?
-Well, it turns out there are many things that can go wrong with
-e-voting, as I like to argue in this handout. E-voting in a ``secure
-way'' seems to be one of the things in computer science that are still
-very much unsolved. It is not on the scale of Turing's halting
-problem, which is proved that it can never be solved in general, but
-more in the category of being unsolvable with current technology. This
-is not just my opinion, but also shared by many security researchers
-amogst them Alex Halderman, who is the world-expert on this subject
-and from whose course on Securing Digital Democracy I have most of my
-information and inspiration. It is also a controversial topic in many
-countries:
+Well, it turns out there are many things that can go wrong
+with e-voting, as I like to argue in this handout. E-voting in
+a ``secure way'' seems to be one of the things in computer
+science that are still very much unsolved. It is not on the
+scale of Turing's halting problem, which is proved that it can
+never be solved in general, but more in the category of being
+unsolvable with current technology. This is not just my
+opinion, but also shared by many security researchers amogst
+them Alex Halderman, who is the world-expert on this subject
+and from whose course on Securing Digital Democracy I have
+most of my information and inspiration. It is also a
+controversial topic in many countries:
\begin{itemize}
\item The Netherlands between 1997--2006 had electronic voting
- machines, but ``hacktivists'' had found they can be hacked to change
- votes and also emitted radio signals revealing how you voted.
+ machines, but ``hacktivists'' had found they can be
+ hacked to change votes and also emitted radio signals
+ revealing how you voted.
-\item Germany conducted pilot studies with e-voting, but in 2007 a law
- suit has reached the highest court and it rejected e-voting on the
- grounds of not being understandable by the general public.
+\item Germany conducted pilot studies with e-voting, but in
+ 2007 a law suit has reached the highest court and it
+ rejected e-voting on the grounds of not being
+ understandable by the general public.
-\item UK used optical scan voting systems in a few trail polls, but to
- my knowledge does not use any e-voting in elections.
+\item UK used optical scan voting systems in a few trail
+ polls, but to my knowledge does not use any e-voting in
+ elections.
-\item The US used mechanical machines since the 1930s, later punch
- cards, now DREs and optical scan voting machines.
+\item The US used mechanical machines since the 1930s, later
+ punch cards, now DREs and optical scan voting machines.
\item Estonia used since 2007 the Internet for national
- elections. There were earlier pilot studies for voting via Internet
- in other countries.
+ elections. There were earlier pilot studies for voting
+ via Internet in other countries.
-\item India uses e-voting devices since at least 2003. They used
- ``keep-it-simple'' machines produced by a government owned company.
+\item India uses e-voting devices since at least 2003. They
+ used ``keep-it-simple'' machines produced by a
+ government owned company.
\item South Africa used software for its tallying in the 1993
- elections (when Nelson Mandela was elected) and found that the
- tallying software was rigged, but they were able to tally manually.
+ elections (when Nelson Mandela was elected) and found
+ that the tallying software was rigged, but they were
+ able to tally manually.
\end{itemize}
-The reason that e-voting is such a hard problem is that we have
-requirements about the voting process that conflict with each
-other. The five main requirements for voting in general are:
+The reason that e-voting is such a hard problem is that we
+have requirements about the voting process that conflict with
+each other. The five main requirements for voting in general
+are:
\begin{itemize}
\item {\bf Integrity}
\begin{itemize}
- \item The outcome of the vote matches with the voters'
- intend.
- \item There might be gigantic sums at stake and need to be defended against.
+ \item By this we mean that the outcome of the vote matches
+ with the voters' intend. Note that it does not say
+ that every vote should be counted as cast. This might
+ be surprising, but even counting paper ballots will
+ always have an error rate: people after several hours
+ looking at ballots will inevitably miscount votes. But
+ what should be ensured is that the error rate does not
+ change the outcome of the election. Of course if
+ elections continue to be on knives edges we need to
+ ensure that we have a rather small error rate.
+
+ \item There might be gigantic sums at stake and need to be
+ defended against. The problem with this is that if
+ the incentives are great and enough resources are
+ available, then maybe it is feasible to mount a DoS
+ attack agains voting server and by bringing the
+ system to its knees, change the outcome of an
+ election.
\end{itemize}
+
\item {\bf Ballot Secrecy}
\begin{itemize}
- \item Nobody can find out how you voted.
+ \item Nobody can find out how you voted. This is to avoid
+ that voters can be coerced to vote in a certain way
+ (for example by relatives, employers etc).
+
\item (Stronger) Even if you try, you cannot prove how you
- voted. The reason is that you want to avoid vote selling as has
- been tried, for example, by a few jokers in the recent
- Scottish referendum.
+ voted. The reason is that you want to avoid vote
+ coercion but also vote selling. That this is a problem
+ is proved by the fact that some jokers in the recent
+ Scottish referendum tried to make money out of their
+ vote.
\end{itemize}
+
\item {\bf Voter Authentication}
\begin{itemize}
- \item Only authorised voters can vote up to the permitted number of votes
- (in order to avoid the ``vote early, vote often'').
+ \item Only authorised voters can vote up to the permitted
+ number of votes (in order to avoid the ``vote early,
+ vote often'').
\end{itemize}
+
\item {\bf Enfranchisement}
\begin{itemize}
\item Authorised voters should have the opportunity to vote.
+ This can, for example, be a problem if you make the
+ authorisation dependent on an ID card, say a
+ driving license: then everybody who does not have a
+ license cannot vote. While this sounds an innocent
+ requirement, in fact some parts of the population
+ for one reason or the other just do not have
+ driving licenses. They are now excluded. Also if
+ you insist on paper ballots you have to have special
+ provisions for them.
\end{itemize}
+
\item {\bf Availability}
\begin{itemize}
- \item The voting system should accept all authorised votes and produce results in a timely manner.
- \end{itemize}
+ \item The voting system should accept all authorised votes
+ and produce results in a timely manner. If you move
+ an election online, you have to guard agains DoS
+ attacks.
+ \end{itemize}
\end{itemize}
+\noindent While these requirements seem natural, the problem
+is that they often clash with each other. For example
+
+\begin{center}
+integrity vs.~ballot secrecy\\
+authentication vs.~enfranchisement
+\end{center}
+
+\noindent If we had ballots with complete voter
+identification, then we can improve integrity because we can
+trace back the votes to the voters. This would be good when
+verifying the results. But such an identification would
+violate ballot secrecy (you can prove to somebody else how you
+voted). In contrast if we remove all identification for
+ensuring ballot secrecy, then we have to ensure that no
+``vote-stuffing'' occurs.
+
+Similarly, if we improve authentication, \ldots
+
To tackle the problem of e-voting, we must first have a look
into the history of voting and how paper-based ballots
evolved. We know for sure that elections were held in Athens
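Review bot: the DoS point appears twice in this hunk and the two placements contradict each other: the second Integrity bullet ("maybe it is feasible to mount a DoS attack agains voting server and by bringing the system to its knees, change the outcome of an election") treats denial of service as an integrity failure, while the Availability bullet ("If you move an election online, you have to guard agains DoS attacks") files it under availability. Suggest keeping DoS under Availability only, and rewording the Integrity bullet so it says what the "gigantic sums at stake" actually threaten there, namely that a well-resourced attacker has an incentive to alter counted votes rather than to take the server down (a DoS changes turnout, not the tally). The new closing paragraph "Similarly, if we improve authentication, \ldots" is an unfinished stub; either complete the authentication vs. enfranchisement case (the driving-licence example a few lines up already gives the material) or drop the paragraph before committing. While the text is being rewrapped, several spellings carried over from the old lines could be fixed in the same change: "lets" (let's), "amogst" (amongst), "trail polls" (trial polls), "law suit" (lawsuit), "voters' intend" (intent), "knives edges" (knife's edge), "agains" (against, twice), and "government owned" (government-owned).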