diff -r 4ee6812ab436 -r f675aa15b6d0 handouts/ho02.tex --- a/handouts/ho02.tex Wed Oct 01 16:18:51 2014 +0100 +++ b/handouts/ho02.tex Fri Oct 03 06:17:25 2014 +0100 @@ -62,7 +62,7 @@ via Internet in other countries. \item India uses e-voting devices since at least 2003. They - used ``keep-it-simple'' machines produced by a + use ``keep-it-simple'' machines produced by a government owned company. \item South Africa used software for its tallying in the 1993 @@ -97,7 +97,8 @@ available, then maybe it is feasible to mount a DoS attack agains voting server and by bringing the system to its knees, change the outcome of an - election. + election. Not to mention to hack the complete + system with malware and change votes undetectably. \end{itemize} \item {\bf Ballot Secrecy} @@ -106,13 +107,12 @@ that voters can be coerced to vote in a certain way (for example by relatives, employers etc). - \item (Stronger) Even if you try, you cannot prove how you - voted. The reason is that you want to avoid vote - coercion but also vote selling. That this is a problem - is proved by the fact that some jokers in the recent - Scottish referendum tried to make money out of their - vote. - \end{itemize} + \item (Stronger) Even if you try, you cannot prove how + you voted. The reason for this is that you want to + avoid vote coercion, but also vote selling. That + this can be a problem is proved by the fact that + some jokers in the recent Scottish referendum tried + to make money out of their vote. \end{itemize} \item {\bf Voter Authentication} \begin{itemize} 
@@ -125,22 +125,22 @@ \begin{itemize} \item Authorised voters should have the opportunity to vote. This can, for example, be a problem if you make the - authorisation dependent on an ID card, say a - driving license: then everybody who does not have a - license cannot vote. While this sounds an innocent - requirement, in fact some parts of the population - for one reason or the other just do not have - driving licenses. They are now excluded. Also if - you insist on paper ballots you have to have special - provisions for them. - \end{itemize} + authorisation dependent on an ID card, say a driving + license. Then everybody who does not have a license + cannot vote. While this sounds an innocent + requirement, in fact some parts of the population for + one reason or another just do not have driving + licenses. They are now excluded. Also if you insist on + paper ballots you have to have special provisions for + blind people. Otherwise they cannot vote. + \end{itemize} \item {\bf Availability} \begin{itemize} \item The voting system should accept all authorised votes and produce results in a timely manner. If you move an election online, you have to guard agains DoS - attacks. + attacks for example. \end{itemize} \end{itemize} 
@@ -155,24 +155,81 @@ \noindent If we had ballots with complete voter identification, then we can improve integrity because we can trace back the votes to the voters. This would be good when -verifying the results. But such an identification would -violate ballot secrecy (you can prove to somebody else how you -voted). In contrast if we remove all identification for -ensuring ballot secrecy, then we have to ensure that no -``vote-stuffing'' occurs. +verifying the results or recounting. But such an +identification would violate ballot secrecy (you can prove to +somebody else how you voted). In contrast, if we remove all +identification for ensuring ballot secrecy, then we have to +ensure that no ``vote-stuffing'' occurs. Similarly, if we +improve authentication by requiring a to be present at the +polling station with an ID card, then we exclude absentee +voting. -Similarly, if we improve authentication, \ldots +To tackle the problem of e-voting, we should first have a look +into the history of voting and how paper-based ballots +evolved. Because also good-old-fashioned paper ballot voting +is not entirely trivial and immune from being hacked. We know +for sure that elections were held in Athens as early as 600 +BC, but might even date to the time of Mesopotamia and also in +India some kind of ``republics'' might have existed before the +Alexander the Great invaded it. Have a look at Wikipedia about +the history of democracy for more information. These elections +were mainly based on voting by show of hands. While this +method of voting satisfies many of the requirements stipulated +above, the main problem with hand voting is that it does not +guaranty ballot secrecy. As far as I know the old greeks and +romans did not perceive this as a problem, but the result was +that their elections favoured rich, famous people who had +enough resources to swing votes. Even using small coloured +stones did not really mitigate the problem with ballot +secrecy. 
The problem of authorisation was solved by friends or +neighbours vouching for you to prove you are elegible to vote +(there were no ID cards in ancient Greece and Rome). -To tackle the problem of e-voting, we must first have a look -into the history of voting and how paper-based ballots -evolved. We know for sure that elections were held in Athens -as early as 600 BC, but might even date to the time of -Mesopotamia and also in India some kind of ``republics'' might -have existed before the Alexander the Great invaded it. -Have a look at Wikipedia about the history of democracy for -more information. +Starting with the French Revolution and the US constitution, +people started to value a more egalitarian approach to voting +and electing officials. This was also the time where paper +ballots started to become the prevailing form of casting +votes. While more resistant against voter intimidation, paper +ballots need a number of security mechanisms to avoid fraud. +For example you need voting booths to fill out the ballot in +secret. Also transparent ballot boxes are often used in order +to easily detect and prevent vote stuffing (prefilling the +ballot box with false votes). + +\begin{center} +\includegraphics[scale=2.5]{../slides/pics/ballotbox.jpg} +\end{center} +\noindent Another security mechanism is to guard the ballot +box against any tampering during the election until counting. +The counting needs to be done by a team potentially involving +also independent observers. One interesting attack against +completely anonymous paper ballots is called \emph{chain vote +attack}. It works if the paper ballots are given out to each +voter at the polling station. Then an attacker can give the +prefilled ballot to a voter. The voter uses this prefilled +ballot to cast the vote, and then returns the empty ballot +back to the attacker who now compensates the voter. The blank +ballot can be reused for the next voter. 
+The point is that paper ballots have evolved over some time +and no single best method has emerged for preventing fraud. +But the involved technology is well understood in order to +provide good enough security with paper ballots. + +\subsection*{E-Voting} + +If one is to replace paper ballots by some electronic +mechanism, one should always start from simple premise taken +from an Australian white paper about e-voting: + +\begin{quote} \it ``Any electronic voting system should +provide at least the same security, privacy and transparency +as the system it replaces.'' +\end{quote} + +\noindent Whenever people argue in favour of e-voting they +seem to be ignore this basic premise. %\subsubsection*{Questions}
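Review bot: In the India item of the @@ -62,7 +62,7 hunk, changing "used" to "use" fixes the second sentence, but the first still reads "India uses e-voting devices since at least 2003"; with "since" this should be "has used". "government owned" also wants a hyphen when it stands before the noun.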
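Review bot: The sentence added in the @@ -97,7 +97,8 hunk, "Not to mention to hack the complete system with malware and change votes undetectably.", is a fragment, and it describes a different threat from the DoS attack discussed in the item it is appended to. Suggest giving it its own \item as a full sentence, for example "An attacker might also compromise the complete system with malware and change votes undetectably." The unchanged line just above it still has "agains voting server".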
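Review bot: The @@ -106,13 +107,12 hunk removes a "\end{itemize}" line after the "(Stronger)" item and adds none back, whereas the @@ -125,22 +125,22 hunk removes and re-adds its "\end{itemize}" with new indentation; please confirm by compiling that the nested itemize environments still balance before "\item {\bf Voter Authentication}". Separately, the claim about "some jokers in the recent Scottish referendum" is the only evidence given for vote selling and has no reference, so a footnote or citation would help.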
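Review bot: In the Availability item of the @@ -125,22 +125,22 hunk, the edited sentence still has "guard agains DoS" on the unchanged line, and the added "attacks for example." needs a comma; suggest "guard against DoS attacks, for example." In the rewritten authorisation item, "While this sounds an innocent requirement" would read better as "sounds like an innocent requirement".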
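Review bot: In the first added paragraph of the @@ -155,24 +155,81 hunk, "by requiring a to be present at the polling station" is missing its noun (presumably "a voter"). The chain vote paragraph switches between "empty ballot" and "blank ballot" for the same thing and never says outright that the ballot handed back is the unused one issued to the voter at the polling station; using "blank" throughout and stating that step would make the mechanism easier to follow. The new text also needs a spelling pass: "guaranty", "elegible", "old greeks and romans", "before the Alexander the Great", "start from simple premise" and "seem to be ignore".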