# HG changeset patch # User Christian Urban # Date 1412176731 -3600 # Node ID 4ee6812ab436882f32d27968f3dfde12b3744f8e # Parent 9961bbb8c8af9b4fd9d2552b9f8340ebb6672332 updated diff -r 9961bbb8c8af -r 4ee6812ab436 handouts/ho02.pdf Binary file handouts/ho02.pdf has changed diff -r 9961bbb8c8af -r 4ee6812ab436 handouts/ho02.tex --- a/handouts/ho02.tex Tue Sep 30 12:44:16 2014 +0100 +++ b/handouts/ho02.tex Wed Oct 01 16:18:51 2014 +0100 
@@ -6,98 +6,163 @@ \section*{Handout 2 (E-Voting)} -In security engineering, there are many counter-intuitive phenomena: -for example I am happy (more or less) to use online banking every day, -where if something goes wrong, I can potentially lose a lot of money, -but I am staunchly against using electronic voting (lets call it -e-voting for short). E-voting is an idea that is nowadays often -promoted in order to counter low turnouts in elections\footnote{In my - last local election where I was eligible to vote only 48\% of the - population have cast their ballot. I was, I shamefully admit, one of - the non-voters.} and generally sounds like a good idea. Right? -Voting from the comfort of your own home, or on your mobile on the go, -what could possibly go wrong? Even the UK's head of the Electoral -Commission, Jenny Watson, argued in 2014 in a Guardian article that -the UK should have e-voting. Her plausible argument is that 76\% of -pensioners in the UK vote (in a general election?), but only 44\% of -the under-25s. For which constituency politicians might therefore make -more favourable (short-term) decisions is clear. So being not yet +In security engineering, there are many counter-intuitive +phenomena: for example I am happy (more or less) to use online +banking every day, where if something goes wrong, I can +potentially lose a lot of money, but I am staunchly against +using electronic voting (lets call it e-voting for short). +E-voting is an idea that is nowadays often promoted in order +to counter low turnouts in elections\footnote{In my last local +election where I was eligible to vote only 48\% of the +population have cast their ballot. I was, I shamefully admit, +one of the non-voters.} and generally sounds like a good idea. +Right? Voting from the comfort of your own home, or on your +mobile on the go, what could possibly go wrong? 
Even the UK's +head of the Electoral Commission, Jenny Watson, argued in 2014 +in a Guardian article that the UK should have e-voting. Her +plausible argument is that 76\% of pensioners in the UK vote +(in a general election?), but only 44\% of the under-25s. For +which constituency politicians might therefore make more +favourable (short-term) decisions is clear. So being not yet pensioner, I should be in favour of e-voting, no? -Well, it turns out there are many things that can go wrong with -e-voting, as I like to argue in this handout. E-voting in a ``secure -way'' seems to be one of the things in computer science that are still -very much unsolved. It is not on the scale of Turing's halting -problem, which is proved that it can never be solved in general, but -more in the category of being unsolvable with current technology. This -is not just my opinion, but also shared by many security researchers -amogst them Alex Halderman, who is the world-expert on this subject -and from whose course on Securing Digital Democracy I have most of my -information and inspiration. It is also a controversial topic in many -countries: +Well, it turns out there are many things that can go wrong +with e-voting, as I like to argue in this handout. E-voting in +a ``secure way'' seems to be one of the things in computer +science that are still very much unsolved. It is not on the +scale of Turing's halting problem, which is proved that it can +never be solved in general, but more in the category of being +unsolvable with current technology. This is not just my +opinion, but also shared by many security researchers amogst +them Alex Halderman, who is the world-expert on this subject +and from whose course on Securing Digital Democracy I have +most of my information and inspiration. 
It is also a +controversial topic in many countries: \begin{itemize} \item The Netherlands between 1997--2006 had electronic voting - machines, but ``hacktivists'' had found they can be hacked to change - votes and also emitted radio signals revealing how you voted. + machines, but ``hacktivists'' had found they can be + hacked to change votes and also emitted radio signals + revealing how you voted. -\item Germany conducted pilot studies with e-voting, but in 2007 a law - suit has reached the highest court and it rejected e-voting on the - grounds of not being understandable by the general public. +\item Germany conducted pilot studies with e-voting, but in + 2007 a law suit has reached the highest court and it + rejected e-voting on the grounds of not being + understandable by the general public. -\item UK used optical scan voting systems in a few trail polls, but to - my knowledge does not use any e-voting in elections. +\item UK used optical scan voting systems in a few trail + polls, but to my knowledge does not use any e-voting in + elections. -\item The US used mechanical machines since the 1930s, later punch - cards, now DREs and optical scan voting machines. +\item The US used mechanical machines since the 1930s, later + punch cards, now DREs and optical scan voting machines. \item Estonia used since 2007 the Internet for national - elections. There were earlier pilot studies for voting via Internet - in other countries. + elections. There were earlier pilot studies for voting + via Internet in other countries. -\item India uses e-voting devices since at least 2003. They used - ``keep-it-simple'' machines produced by a government owned company. +\item India uses e-voting devices since at least 2003. They + used ``keep-it-simple'' machines produced by a + government owned company. 
\item South Africa used software for its tallying in the 1993 - elections (when Nelson Mandela was elected) and found that the - tallying software was rigged, but they were able to tally manually. + elections (when Nelson Mandela was elected) and found + that the tallying software was rigged, but they were + able to tally manually. \end{itemize} -The reason that e-voting is such a hard problem is that we have -requirements about the voting process that conflict with each -other. The five main requirements for voting in general are: +The reason that e-voting is such a hard problem is that we +have requirements about the voting process that conflict with +each other. The five main requirements for voting in general +are: \begin{itemize} \item {\bf Integrity} \begin{itemize} - \item The outcome of the vote matches with the voters' - intend. - \item There might be gigantic sums at stake and need to be defended against. + \item By this we mean that the outcome of the vote matches + with the voters' intend. Note that it does not say + that every vote should be counted as cast. This might + be surprising, but even counting paper ballots will + always have an error rate: people after several hours + looking at ballots will inevitably miscount votes. But + what should be ensured is that the error rate does not + change the outcome of the election. Of course if + elections continue to be on knives edges we need to + ensure that we have a rather small error rate. + + \item There might be gigantic sums at stake and need to be + defended against. The problem with this is that if + the incentives are great and enough resources are + available, then maybe it is feasible to mount a DoS + attack agains voting server and by bringing the + system to its knees, change the outcome of an + election. \end{itemize} + \item {\bf Ballot Secrecy} \begin{itemize} - \item Nobody can find out how you voted. + \item Nobody can find out how you voted. 
This is to avoid + that voters can be coerced to vote in a certain way + (for example by relatives, employers etc). + \item (Stronger) Even if you try, you cannot prove how you - voted. The reason is that you want to avoid vote selling as has - been tried, for example, by a few jokers in the recent - Scottish referendum. + voted. The reason is that you want to avoid vote + coercion but also vote selling. That this is a problem + is proved by the fact that some jokers in the recent + Scottish referendum tried to make money out of their + vote. \end{itemize} + \item {\bf Voter Authentication} \begin{itemize} - \item Only authorised voters can vote up to the permitted number of votes - (in order to avoid the ``vote early, vote often''). + \item Only authorised voters can vote up to the permitted + number of votes (in order to avoid the ``vote early, + vote often''). \end{itemize} + \item {\bf Enfranchisement} \begin{itemize} \item Authorised voters should have the opportunity to vote. + This can, for example, be a problem if you make the + authorisation dependent on an ID card, say a + driving license: then everybody who does not have a + license cannot vote. While this sounds an innocent + requirement, in fact some parts of the population + for one reason or the other just do not have + driving licenses. They are now excluded. Also if + you insist on paper ballots you have to have special + provisions for them. \end{itemize} + \item {\bf Availability} \begin{itemize} - \item The voting system should accept all authorised votes and produce results in a timely manner. - \end{itemize} + \item The voting system should accept all authorised votes + and produce results in a timely manner. If you move + an election online, you have to guard agains DoS + attacks. + \end{itemize} \end{itemize} +\noindent While these requirements seem natural, the problem +is that they often clash with each other. 
For example + +\begin{center} +integrity vs.~ballot secrecy\\ +authentication vs.~enfranchisement +\end{center} + +\noindent If we had ballots with complete voter +identification, then we can improve integrity because we can +trace back the votes to the voters. This would be good when +verifying the results. But such an identification would +violate ballot secrecy (you can prove to somebody else how you +voted). In contrast if we remove all identification for +ensuring ballot secrecy, then we have to ensure that no +``vote-stuffing'' occurs. + +Similarly, if we improve authentication, \ldots + To tackle the problem of e-voting, we must first have a look into the history of voting and how paper-based ballots evolved. We know for sure that elections were held in Athens
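Review bot: in the expanded Integrity bullet, the sentence "maybe it is feasible to mount a DoS attack agains voting server and by bringing the system to its knees, change the outcome of an election" files a denial-of-service attack under integrity, while the same hunk lists DoS again under Availability ("you have to guard agains DoS attacks"); either move the DoS sentence to the Availability bullet or reword it so that the integrity point is the one the "gigantic sums at stake" actually motivate, namely buying or altering votes, with DoS only as a way of suppressing part of the electorate. The new closing paragraph also stops at "Similarly, if we improve authentication, \ldots", so the authentication vs.~enfranchisement clash announced in the \begin{center} block is never worked through, although the driving-licence argument already added to the Enfranchisement bullet would complete it in one or two sentences. Minor spelling in the added lines: "agains" (twice), "amogst", "intend" (intent), "trail polls" (trial polls), "law suit" (lawsuit), "knives edges" (a knife edge).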