\documentclass{article}
\usepackage{../style}
\usepackage{../langs}

\begin{document}
\fnote{\copyright{} Christian Urban, 2014, 2015, 2016, 2017}

%% second angle of the problem
%Jonathan Zittrain is interested in algorithmic accountability,
%from Facebook's ability to tell that two people are in a
%relationship before they announce it, to their ability to
%engineer an election by prompting one side's supporters.
%They'd be in the soup if they were caught, but they have been
%near the soup a number of times. One internal meeting had the
%question ``What responsibility does FB have to prevent
%President Trump?'' That was repudiated once leaked, but the age
%of innocence is behind us. Back in 2005 Google apologised when
%the hate site ``jew watch news'' appeared in search results for
%``jew''; but the site has morphed from tool to friend.
%Facebook's M and Apple's Siri are the same. This leads
%Jonathan to the idea of ``information fiduciaries'' whereby the
%big firms would have to put user welfare first like doctors or
%lawyers. Should Google tell you to vaccinate your child?
%Already in Europe they suppress hate speech and promote
%counter-narratives. To whom does Uber owe a fiduciary duty --
%the driver or the passenger? And should data scientists join
%divines, medics, lawyers and surveyors as a learned
%profession?

% recent
%http://www.secretballotatrisk.org
%
%Andrew Appel has a good two-part essay on securing elections.
%https://freedom-to-tinker.com/blog/appel/security-against-election-hacking-part-1-software-independence/
%https://freedom-to-tinker.com/blog/appel/security-against-election-hacking-part-2-cyberoffense-is-not-the-best-cyberdefense/

\section*{Handout 2 (E-Voting)}

In security engineering there are many counter-intuitive
phenomena. For example, I am (more or less) happy to use online
banking every day, where if something goes wrong I could
potentially lose a lot of money, but I am staunchly against
using electronic voting (let's call it e-voting for short).

E-voting is an idea that is nowadays often promoted in order
to counter low turnouts in elections\footnote{In my last local
election where I was eligible to vote, only 48\% of the
population cast their ballot. I was, I shamefully admit, one
of the non-voters. (Update) I finally bothered to vote by mail
in the 2017 election.} and generally sounds like a good idea.
Right? Voting from the comfort of your own home, or on your
mobile on the go, what could possibly go wrong? Even the UK's
head of the Electoral Commission, Jenny Watson, argued in 2014
in a Guardian article that the UK should have e-voting. Her
plausible argument is that 76\% of pensioners in the UK vote
(in a general election?), but only 44\% of the under-25s. For
which constituency politicians might therefore make more
favourable (short-term) decisions is clear. So, not yet being a
pensioner, I should be in favour of e-voting, no?

Well, it turns out there are many things that can go wrong
with e-voting, as I will argue in this handout. E-voting in a
``secure way'' seems to be one of the things in computer
science that are still very much unsolved.
It is not on the scale of Turing's halting problem, which has
been proved to be unsolvable in general, but more in the
category of being unsolvable with current technology. This is
not just my opinion, but is shared by many security researchers,
amongst them Alex Halderman, who is a world expert on this
subject and from whose Coursera course on Securing Digital
Democracy I have most of my information and inspiration on this
topic. It is also a controversial topic in many countries:

\begin{itemize}
\item The Netherlands used electronic voting machines between
  1997 and 2006, but ``hacktivists'' found that the machines
  could be hacked to change votes and that they emitted radio
  signals revealing how you voted. E-voting has since been
  abandoned in the Netherlands.

\item Germany conducted pilot studies with e-voting, but a
  lawsuit brought in 2007 reached the highest court, which (in
  2009) rejected e-voting on the grounds that the mechanisms
  behind it are not understandable to the general public.

\item The UK used optical scan voting systems in a few trial
  polls, but to my knowledge does not use any e-voting in
  elections.

\item The US has used mechanical machines since the 1930s, later
  punch cards, and now DREs and optical scan voting machines.
  But there is a lot of evidence that DREs and optical scan
  voting machines are not as secure as they should be. Some
  states experimented with Internet voting, but all experiments
  have been security failures. One exceptional election happened
  just after hurricane Sandy in 2012, when some states allowed
  emergency electronic voting: voters downloaded paper ballots
  and emailed them back to election officials.

\item Estonia has used the Internet for national elections since
  2007. There were earlier pilot studies for voting via the
  Internet in other countries.

\item An Australian parliamentary committee concluded in 2014
  that e-voting is highly vulnerable to hacking and that the
  country will not use it any time soon, because it is still
  not as secret and secure as paper ballots.

\item Norway experimented with Internet voting, but their
  interest fizzled out after some tries. Their idea was to get
  Internet voting ``right''---it is a small, prosperous and
  stable country, which can afford to play with new ways of
  exercising democratic voting rights. Well, e-voting is an
  incredibly difficult problem, even in such favourable
  circumstances, as explained in this video from the Chaos
  Computer Club conference in 2014:

  \begin{center}
  \url{https://www.youtube.com/watch?v=KawZ3m_EeSU}
  \end{center}

\item India has used e-voting devices since at least 2003. They
  use ``keep-it-simple'' machines produced by a government-owned
  company. There was some trouble for an Indian researcher after
  he and an international team of hackers showed that the
  devices are not as secure as the government claimed.

\item South Africa used software for its tallying in the 1994
  elections (when Nelson Mandela was elected) and found that the
  tallying software had been rigged, but they were able to tally
  manually.
\end{itemize}

\noindent If you are interested in the recent state of affairs
of e-voting machinery, I recommend a talk by Jeremy Epstein

\begin{center}
\url{https://www.usenix.org/sites/default/files/conference/protected-files/jets15_slides_epstein.pdf}
\end{center}

\noindent The abstract says:

\begin{quote}\it
``In April 2015, the US Commonwealth of Virginia decertified the
Advanced Voting Solutions (AVS) WinVote voting machine, after
concluding that it was insecure.
This talk presents the
results of Virginia's analysis of the WinVote, and explores
how we got to the point where a voting machine using an
unpatched version of Windows XP from 2004, using hardwired WEP
keys and administrator passwords, could be used for over a
decade in most of Virginia.''
\end{quote}

The reason that e-voting is such a hard problem is that we
have requirements about the voting process that conflict with
each other. The five main requirements for voting in general
are:

\begin{itemize}
\item {\bf Integrity}
  \begin{itemize}
  \item By this we mean that the outcome of the vote matches the
    voters' intent. Note that it does not say that every vote
    should be counted as cast. This might be surprising, but
    even counting paper ballots will always have an error rate:
    people who have looked at ballots for several hours will
    inevitably miscount votes. What should be ensured is that
    the error rate does not change the outcome of the election.
    Of course, if elections continue to be decided on a knife
    edge, we need to strive for rather small error rates.

  \item There might be gigantic sums at stake, and the process
    needs to be defended against attackers willing to spend
    them. If the incentives are great and enough resources are
    available, then it may be feasible to mount a DoS attack
    against the voting server and, by bringing the system to
    its knees, change the outcome of an election. Not to mention
    compromising the complete system with malware and changing
    votes undetectably.
  \end{itemize}

\item {\bf Ballot Secrecy}
  \begin{itemize}
  \item Nobody can find out how you voted. This is to prevent
    voters from being coerced to vote in a certain way (for
    example by relatives, employers etc).

  \item (Stronger) Even if you try, you cannot prove how you
    voted. The reason for this is that you want to prevent not
    only vote coercion, but also vote selling. That this can be
    a problem is shown by the fact that some jokers in the recent
    Scottish referendum tried to make money out of their vote.
  \end{itemize}

\item {\bf Voter Authentication}
  \begin{itemize}
  \item Only authorised voters can vote, and only up to the
    permitted number of votes (to prevent ``vote early, vote
    often'').
  \end{itemize}

\item {\bf Enfranchisement}
  \begin{itemize}
  \item Authorised voters should have the opportunity to vote.
    This can, for example, be a problem if you make
    authorisation dependent on an ID card, say a driving
    licence. Then everybody who does not have a licence cannot
    vote. While this sounds like an innocent requirement, some
    parts of the population, for one reason or another, just do
    not have driving licences. They are now excluded. Also, if
    you insist on paper ballots, you have to make special
    provisions for blind people. Otherwise they too cannot vote.
  \end{itemize}

\item {\bf Availability}
  \begin{itemize}
  \item The voting system should accept all authorised votes and
    produce results in a timely manner. If you move an election
    online, you have to guard against DoS attacks, for example.
  \end{itemize}
\end{itemize}

\noindent While these requirements seem natural, the problem is
that they often clash with each other. For example

\begin{center}
integrity vs.~ballot secrecy\\
authentication vs.~enfranchisement
\end{center}

\noindent If we had ballots with complete voter identification,
then we could improve integrity because we could trace votes
back to the voters. This would be good when verifying the
results or when recounting. But such an identification would
violate ballot secrecy (you could prove to somebody else how you
voted). In contrast, if we remove all identification to ensure
ballot secrecy, then we have to make sure that no ``vote
stuffing'' occurs. Similarly, if we improve authentication by
requiring voters to be present at the polling station with an ID
card, then we exclude absentee voting.

To tackle the problem of e-voting, we should first have a look
into the history of voting and how paper-based ballots evolved.
After all, even good old-fashioned paper ballot voting is not
entirely trivial and not immune to being hacked. We know for
sure that elections were held in Athens as early as 600 BC, but
they might date back to the time of Mesopotamia, and in India
some kind of republics might have existed before Alexander the
Great invaded them. Have a look at Wikipedia about the history of
democracy for more information. These elections were mainly
based on voting by show of hands. While this method of voting
satisfies many of the requirements stipulated above, the main
problem with hand voting is that it does not guarantee ballot
secrecy. As far as I know, the ancient Greeks and Romans did not
perceive this as a problem, but the result was that their
elections favoured rich, famous people who had enough resources
to swing votes. Even using small coloured stones, which were
also used at that time, did not really mitigate the problem with
ballot secrecy. The problem of authorisation was solved by
friends or neighbours vouching for you to prove you were
eligible to vote (there were no ID cards in ancient Greece and
Rome).

Starting with the French Revolution and the US constitution,
people began to value a more egalitarian approach to voting
and electing officials. This was also the time when paper
ballots started to become the prevailing form of casting
votes. While more resistant against voter intimidation, paper
ballots need a number of security mechanisms to avoid fraud.
For example, you need voting booths to be able to fill out the
ballot in secret. Also, transparent ballot boxes are often used
in order to easily detect and prevent vote stuffing (prefilling
the ballot box with false votes).

\begin{center}
\includegraphics[scale=2.5]{../pics/ballotbox.jpg}
\end{center}

\noindent Another security mechanism is to guard the ballot
box against any tampering during the election until counting.
The counting needs to be done by a team, potentially also
involving independent observers.

One interesting attack against completely anonymous paper
ballots is called the \emph{chain vote attack}. It works if the
paper ballots are handed out to each voter at the polling
station. An attacker who has obtained a single blank ballot
fills it in and gives this prefilled ballot to a voter. The
voter casts the prefilled ballot and brings the blank ballot
paper received at the polling station back to the attacker, who
now compensates the voter. The blank ballot can be reused for
the next voter. I leave it to you to ponder why it is important
for this attack that the voter returns the blank ballot to the
attacker.

To sum up, paper ballots have evolved over a long time and no
single best method has emerged for preventing fraud. But the
technology involved is well enough understood to provide good
enough security with paper ballots\ldots{}unless you lived in
Florida around 2000.

\subsection*{E-Voting}

If one is to replace paper ballots by some electronic
mechanism, one should always start from a simple premise taken
from an Australian government white paper about e-voting:

\begin{quote}\it
``Any electronic voting system should provide at least the same
security, privacy and transparency as the system it replaces.''
\end{quote}

\noindent Whenever people argue in favour of e-voting, they seem
to ignore this basic premise.

\bigskip\noindent After the debacle of the Florida presidential
election in 2000, many voting pre\-cincts in the US used
Direct-Recording Electronic voting machines (DREs) or optical
scan machines. One popular model of DRE was sold by a company
called Diebold. In hindsight they were a complete disaster: the
products were inadequate and the company incompetent. Direct
recording meant that there was no paper trail; the votes were
directly recorded on memory cards. Thus the voters had no
visible assurance whether their votes were correctly cast.
Even when a printout is provided, it gives no guarantee about
what is recorded on the memory card.

The machines behind these DREs were ``normal'' Windows
computers, which could be used for anything, for example for
changing votes. Why did nobody at Diebold think of that? I
have no idea. That this could actually be done undetectably was
shown by the determination of ethical hackers like Alex
Halderman. His group thoroughly hacked Diebold's DREs, showing
that election fraud with them is easily possible. They even
managed to write a virus that infected the whole system while
only having access to a single machine.

\begin{figure}[t]
\begin{center}
\begin{tabular}{c}
\includegraphics[scale=0.45]{../pics/dre1.jpg}\;
\includegraphics[scale=0.40]{../pics/dre2.jpg}\smallskip\\
\includegraphics[scale=0.5]{../pics/opticalscan.jpg}
\end{tabular}
\end{center}
\caption{Direct-Recording Electronic voting machines above;
an optical scan machine below.\label{machines}}
\end{figure}

What made matters worse was that Diebold tried to hide their
incompetence and the inferiority of their products by
requiring that election counties must not give the machines up
for independent review. They also kept their source code
secret. This meant Halderman and his group could not obtain a
machine through the official channels, but whoever hoped that
this would stop them was mistaken: they got one anyway. They
then had to reverse engineer the software in order to design an
attack. What all this showed is that a shady security design is
no match for a determined hacker.

Apart from the obvious failings (for example no paper trail),
this story also has another side. While a paper ballot box
needs to be kept secure from the beginning of the election
(when it needs to be ensured that it is empty) until the end of
the day, electronic voting machines need to be kept secure the
whole year. The reason is of course that one cannot see whether
somebody has tampered with the program a computer is running.
Such 24/7 security is costly and often even impossible, because
voting machines need to be distributed---usually the day before
the election---to the polling stations. These are often
schools, where the voting machines are kept unsecured
overnight. The obvious solution of putting seals on the
computers did not work: in the process of getting these DREs
discredited (involving court cases) it was shown that seals can
easily be circumvented. The moral of this story is that election
officials were incentivised with money by the central government
to obtain new voting equipment and in the process fell prey to
pariahs who sold them substandard products. Diebold was not the
only pariah in this area, but one of the more notorious
ones.\footnote{An e-voting researcher recently made a connection
between the VW exhaust scandal and e-voting: his argument is
that it is very hard to test whether a program works correctly
in a hostile environment. The program can often recognise when
it is tested and behave correctly, but in the ``real test'' can
behave maliciously, just like the VW diesel engines.}

Optical scan machines are slightly better from a security point
of view, but by no means good enough. Their main idea is that
the voter fills out a paper ballot, which is then scanned by a
machine. At the very least the paper ballot can serve as a paper
trail in case an election result needs to be recounted. But if
one takes the paper ballots as the version that counts in the
end, thereby using the optical scan machine only as a device to
obtain preliminary results quickly, then why not stick with
paper ballots in the first place?

\bigskip\noindent An interesting solution for e-voting was
designed in India. Essentially they designed a bespoke voting
device, which could not be used for anything else. Having a
bespoke device is a good security engineering decision because
it makes the attack surface much smaller.
If you have a full-fledged computer behind your voting system,
then you can do everything a computer can do\ldots{}and that is
a lot, including a lot of abuse. What was bad about the devices
in India was that these machines did not have the important
paper trail: that means if an election was tampered with, nobody
would find out. Even though their bespoke design gave them a
very small attack surface, ethical hackers were still able to
tamper with them. The moral of India's voting machines is that
even if very good security design decisions are taken, e-voting
is very hard to get right.

\bigskip\noindent This brings us to the case of Estonia, which
held in 2007 the world's first national election in which votes
could be cast over the Internet. Their solution made some good
choices: for example, voter authentication is done via the
Estonian ID card, which contains a chip like the one on credit
cards. They also made most of their source code public for
independent scrutiny---unlike pariah companies like Diebold. Of
course this openness means that people (hackers) will scrutinise
your work and find code such as this snippet:

{\footnotesize\lstinputlisting[language=Python,numbers=none]{../progs/estonia.py}}

\noindent If you want to have a look at their code, it can be
downloaded from their github
repository.\footnote{\url{https://github.com/vvk-ehk/evalimine/}}
Also, their system is designed such that Internet voting takes
place before election day: votes can be changed an unlimited
number of times, and only the last vote is tabulated. You can
even override your Internet vote on polling day by voting in
person. This is an important security mechanism guarding against
vote coercion, which of course is a serious problem if you are
allowed to vote via the Internet.

However, the weak spots in any Internet voting system are the
voters' computers and the central server. Unfortunately, their
system is designed such that they need to trust the integrity of
voters' computers, central server components and also the
election staff.
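The ``last vote counts'' rule above is easy to get wrong in a
tabulation program, so here is a small added example (written
for this handout; it is not code from Estonia's system) that
resolves a voter's ballots the way just described: Internet
ballots outside the advance-voting period are rejected, the
latest accepted Internet ballot replaces earlier ones, and a
paper ballot cast in person on polling day supersedes every
Internet ballot regardless of timestamps. The voter identifiers,
the dates, the advance-voting window and the ballot record
format are made-up assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed advance-voting window (an assumption for this example, not
# the real Estonian schedule): Internet ballots count only inside it.
ADVANCE_OPEN = datetime(2017, 10, 5, 9, 0)
ADVANCE_CLOSE = datetime(2017, 10, 11, 18, 0)


@dataclass(frozen=True)
class Ballot:
    voter_id: str        # assumed to come from ID-card authentication
    cast_at: datetime
    channel: str         # "internet" or "paper"
    choice: str


def resolve(ballots):
    """Map each voter to the single choice that counts.

    Internet ballots outside the advance window are rejected; among a
    voter's accepted Internet ballots the latest wins; a paper ballot
    cast in person supersedes all Internet ballots regardless of
    timestamps, so a coerced voter can always overrule the coercer.
    """
    internet = {}
    paper = {}
    for b in ballots:
        if b.channel == "paper":
            paper[b.voter_id] = b
        elif b.channel == "internet":
            if not ADVANCE_OPEN <= b.cast_at <= ADVANCE_CLOSE:
                continue                      # rejected: outside the period
            prev = internet.get(b.voter_id)
            if prev is None or b.cast_at > prev.cast_at:
                internet[b.voter_id] = b      # later Internet vote replaces earlier
        else:
            raise ValueError(f"unknown channel {b.channel!r}")
    result = {vid: b.choice for vid, b in internet.items()}
    result.update({vid: b.choice for vid, b in paper.items()})  # paper wins
    return result


def tally(ballots):
    """Count the resolved choices."""
    counts = {}
    for choice in resolve(ballots).values():
        counts[choice] = counts.get(choice, 0) + 1
    return counts


def sample_ballots():
    """Constructed sample data, not real election records."""
    return [
        Ballot("A", datetime(2017, 10, 6, 10, 0), "internet", "X"),
        Ballot("A", datetime(2017, 10, 9, 10, 0), "internet", "Y"),   # A changes mind
        Ballot("B", datetime(2017, 10, 7, 10, 0), "internet", "X"),
        Ballot("B", datetime(2017, 10, 15, 11, 0), "paper", "Y"),     # B overrules on polling day
        Ballot("C", datetime(2017, 10, 12, 10, 0), "internet", "X"),  # after the window: rejected
        Ballot("D", datetime(2017, 10, 15, 12, 0), "paper", "X"),
    ]


if __name__ == "__main__":
    print(resolve(sample_ballots()))   # {'A': 'Y', 'B': 'Y', 'D': 'X'}
    print(tally(sample_ballots()))     # {'Y': 2, 'X': 1}
```

Keeping the paper channel authoritative, rather than comparing
timestamps across channels, means the resolution does not depend
on clocks at the polling stations agreeing with the server's
clock, and it is the property that makes re-voting useful against
coercion.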
In 2014, a group of independent observers around Alex Halderman
were able to scrutinise the election process in Estonia. They
found many weaknesses, for example careless handling of software
updates on the servers. They also simulated an election with the
available software and were able to covertly manipulate results
by inserting malware on the voters' computers. Overall, their
recommendation is to abandon Internet voting and to go back to
an entirely paper-based voting process. In the face of
state-sponsored attackers (the NSA, for example), Internet
voting cannot be made secure with current technology. They have
a small video clip with their findings at

\begin{center}
\url{https://estoniaevoting.org}
\end{center}

\noindent This brings us to the question: what could be a viable
electronic voting process in
\underline{\smash{\textbf{\emph{theory}}}} with current
technology? In the literature one can find proposals such as
this one:

\begin{enumerate}
\item Alice prepares and audits some ballots, then casts an
  encrypted ballot, which requires her to authenticate to a
  server.

\item A bulletin board posts Alice's name and her encrypted
  ballot. Anyone, including Alice, can check the bulletin board
  and find her encrypted vote posted. This is to make sure the
  vote was received by the server.

\item When the election closes, all votes are shuffled and the
  system produces a non-interactive proof of a correct
  shuffling---correct in the sense that one cannot determine any
  more who has voted for what. This will require a shuffling
  procedure based on zero-knowledge proofs.

\item After a reasonable complaint period, auditors check the
  shuffling, all shuffled ballots are decrypted, and the system
  provides a decryption proof for each decrypted ballot.
  Again this will need a zero-knowledge-proof-type of method.

\item Perform a tally of the decrypted votes.

\item An auditor can download the entire (shuffled) election
  data and verify the shuffle, the decryptions and the tally.
\end{enumerate}

\noindent As you can see, the whole process is not trivial at
all, and the description above leaves out a number of crucial
details (such as how best to distribute the public keys for
encryption). It even depends on a highly sophisticated technique
called \emph{zero-knowledge proofs}. They essentially allow one
to convince somebody else that one knows a secret without
actually revealing what the secret is. This is a kind of
cryptographic ``magic'', like the Diffie-Hellman protocol, which
can be used to establish a shared secret even if you can only
exchange postcards with your communication partner. We will look
at zero-knowledge proofs in a later lecture in more detail.

The point of theoretical musings like the above is to show that
such an e-voting procedure is far from convenient: it takes much
more time to allow, for example, scrutinising whether the votes
were cast correctly. Very likely it will also not pass the
benchmark of being understandable to Joe Average. This is a
standard, a high court ruled, that needs to be passed in the
German election process, for example.

The overall conclusion is that an e-voting process involving the
Internet cannot be made secure with current technology. Voting
has just too high demands on integrity and ballot secrecy. This
is different from online banking, where the whole process is
designed around authentication. If fraud occurs, you try to
identify who did what (somebody's account was emptied; the money
went somewhere). Even if there might be more gigantic sums at
stake in online banking than in voting, it can be made
reasonably secure and fraud-safe. That does not mean there are
no problems with online banking. But with enough thought, they
can usually be overcome with technology we have currently
available.
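To make the theoretical process listed above concrete, here is an
added toy implementation (example code written for this handout,
not taken from any real voting system or from the literature the
list paraphrases) of steps 1, 2, 4, 5 and 6. It deviates from the
list in one respect: instead of shuffling and then decrypting
individual ballots (step 3), it aggregates the encrypted ballots
homomorphically and decrypts only the total, which is the other
standard approach in the literature and means no shuffle proof is
needed. The one zero-knowledge proof it does need, that the total
was decrypted with the published election key, is a
Chaum-Pedersen proof made non-interactive with the Fiat-Shamir
heuristic. Ballot auditing (step 1) uses the ``reveal the
randomness and re-encrypt'' check. The group parameters are
toy-sized and insecure, the votes are constructed, and key
distribution, voter authentication and threshold trustees are
left out.

```python
import hashlib
import secrets

# Toy group parameters constructed for this example: P = 2Q + 1 is a safe
# prime and G generates the order-Q subgroup of squares mod P. Far too small
# to be secure; a real system uses a 2048-bit prime or an elliptic curve.
P = 2039
Q = 1019
G = 4


def keygen():
    """Election key pair held by the tallying authority."""
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)


def encrypt(pk, vote, r=None):
    """Exponential ElGamal: vote in {0, 1} -> (G^r, G^vote * pk^r).
    The randomness r is returned so the voter can audit the ballot."""
    if vote not in (0, 1):
        raise ValueError("vote must be 0 or 1")
    if r is None:
        r = secrets.randbelow(Q - 1) + 1
    return (pow(G, r, P), pow(G, vote, P) * pow(pk, r, P) % P), r


def audit_ballot(pk, ciphertext, r, claimed_vote):
    """Step 1: the device reveals r; the voter re-encrypts the intended vote
    with it and checks it matches. An audited ballot is discarded, not cast."""
    return encrypt(pk, claimed_vote, r)[0] == ciphertext


def post(board, voter, ciphertext):
    """Step 2: the bulletin board is an append-only list of (name, ballot)."""
    board.append((voter, ciphertext))


def check_receipt(board, voter, ciphertext):
    """Anyone, including the voter, can confirm a ballot was received."""
    return (voter, ciphertext) in board


def combine(board):
    """Homomorphic aggregation in place of the shuffle (step 3): the product
    of all ciphertexts is an encryption of the sum of the votes."""
    a, b = 1, 1
    for _, (c1, c2) in board:
        a, b = a * c1 % P, b * c2 % P
    return a, b


def _challenge(*values):
    """Fiat-Shamir: derive the challenge from a hash of the transcript."""
    digest = hashlib.sha256(",".join(map(str, values)).encode()).digest()
    return int.from_bytes(digest, "big") % Q


def decrypt_with_proof(sk, pk, ciphertext):
    """Step 4: decrypt to G^m and attach a Chaum-Pedersen proof that
    d = c1^sk used the same sk as pk = G^sk, without revealing sk."""
    c1, c2 = ciphertext
    d = pow(c1, sk, P)
    w = secrets.randbelow(Q - 1) + 1
    a1, a2 = pow(G, w, P), pow(c1, w, P)
    e = _challenge(pk, c1, c2, d, a1, a2)
    z = (w + e * sk) % Q
    gm = c2 * pow(d, P - 2, P) % P        # c2 / d == G^m
    return gm, (d, a1, a2, z)


def verify_decryption(pk, ciphertext, gm, proof):
    """Auditor side (step 6): recompute the challenge, check both equations
    and that gm really is c2 / d."""
    c1, c2 = ciphertext
    d, a1, a2, z = proof
    e = _challenge(pk, c1, c2, d, a1, a2)
    return (pow(G, z, P) == a1 * pow(pk, e, P) % P
            and pow(c1, z, P) == a2 * pow(d, e, P) % P
            and gm == c2 * pow(d, P - 2, P) % P)


def count_from(gm, max_votes):
    """Step 5: recover m from G^m by brute force (m is at most #voters)."""
    for m in range(max_votes + 1):
        if pow(G, m, P) == gm:
            return m
    raise ValueError("tally outside the expected range")


def run_election(votes, sk, pk):
    """Whole flow on constructed votes. Returns (board, aggregate, gm, proof,
    count) so that each piece can be checked independently."""
    board = []
    for i, v in enumerate(votes):
        ct, _ = encrypt(pk, v)
        post(board, f"voter{i}", ct)
    aggregate = combine(board)
    gm, proof = decrypt_with_proof(sk, pk, aggregate)
    if not verify_decryption(pk, aggregate, gm, proof):
        raise RuntimeError("decryption proof rejected")
    return board, aggregate, gm, proof, count_from(gm, len(votes))


if __name__ == "__main__":
    secret_key, public_key = keygen()
    print(run_election([1, 0, 1, 1, 0], secret_key, public_key)[-1])  # 3
```

An auditor needs only the published transcript (the board, the
aggregate, the claimed total and the proof) and
\texttt{verify\_decryption}; if the authority announces a
different total, the third check fails, and if it decrypts with a
key other than the published one, the two Chaum-Pedersen
equations fail. Because only the aggregate is ever decrypted, no
individual ballot is revealed, which is why this variant does not
need the shuffle step.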
With e-voting, by contrast, even the best researchers have not
come up with something workable yet.

This conclusion does not imply that some special cases of
Internet voting cannot be made to work securely. Just in a
general election, where the stakes are very high, it does not
work. For example, a good-enough and workable in-lecture online
voting system where students' votes are anonymous and students
cannot tamper with the outcome can, I am sure, be implemented
(see some of my MSc projects).

\subsubsection*{Further Reading}

If you want to know more about e-voting, I recommend the highly
entertaining online course by Alex Halderman at Coursera.

\begin{center}
\url{https://www.coursera.org/course/digitaldemocracy}
\end{center}

\noindent There is also an entertaining TED talk by Barbara
Simons called ``Why can I bank online but not vote online?''

\begin{center}
\url{https://www.youtube.com/watch?v=Wv3VuGZzdK8}
\end{center}

\noindent At the beginning she describes the complete break-in
by Alex Halderman's group into the trial Internet voting system
of Washington D.C. Halderman's amusing paper about this
break-in, including pictures, is at

\begin{center}
\url{https://jhalderm.com/pub/papers/dcvoting-fc12.pdf}
\end{center}

\noindent Another passionate plea not to use electronic voting
is the YouTube video

\begin{center}
\url{https://www.youtube.com/watch?v=w3_0x6oaDmI}
\end{center}

\noindent Two researchers from Galois, Inc., present an
interesting attack against home routers which silently alters
PDF-based voting ballots. This shows that vote submission via an
unencrypted PDF file is highly unsafe.

\begin{center}
\url{http://galois.com/wp-content/uploads/2014/11/technical-hack-a-pdf.pdf}
\end{center}

\end{document}

%unikernels for e-voting

Trust, trustworthiness, and the TCB

The notion of trust is important in security. It is also a
source of confusion, especially if people are sloppy in their
terminology and do not distinguish between trust and
trustworthiness.

Depending on your point of view, trust can be something good and
desirable, or something bad and undesirable. Trust between
parties is good in that it enables easy interaction and good
collaboration between them. However, trust is bad in that trust
in another party means that party can do damage to you if it
turns out not to be trustworthy. For example, if you give
someone your bank card and tell them your PIN code, you trust
them; this can be useful, for instance if you want them to do
some shopping for you, but it is clearly also potentially
dangerous.

Note that if a party is not trustworthy, then it may be so
unintentionally (because it is careless or, in the case of
software, riddled with security vulnerabilities) or
intentionally (because it is downright malicious). When
considering a system that is meant to meet some security
objectives, it is important to consider which parts of that
system are trusted in order to meet that objective. This is
called the Trusted Computing Base, or TCB. Ideally, the TCB
should be as small as possible. The smaller the TCB, the less
likely that it contains security vulnerabilities. (Still, you
should never underestimate people's stupidity, or an attacker's
creativity, in introducing security vulnerabilities into even
the smallest piece of software.) Also, the smaller the TCB, the
less effort it takes to get some confidence that it is
trustworthy, for example, in the case of software, by doing a
code review or by performing some (penetration) testing.

%%% Local Variables:
%%% mode: latex
%%% TeX-master: t
%%% End: