Paul Crowley ([personal profile] ciphergoth) wrote 2004-01-22 12:10 pm

The abolition of democracy in the US

The SERVE system might appear to work flawlessly in 2004, with no successful attacks detected. It is as unfortunate as it is inevitable that a seemingly successful voting experiment in a U.S. presidential election involving seven states would be viewed by most people as strong evidence that SERVE is a reliable, robust, and secure voting system. Such an outcome would encourage expansion of the program by FVAP in future elections, or the marketing of the same voting system by vendors to jurisdictions all over the United States, and other countries as well. However, the fact that no successful attack is detected does not mean that none occurred. Many attacks, especially if cleverly hidden, would be extremely difficult to detect, even in cases when they change the outcome of a major election. Furthermore, the lack of a successful attack in 2004 does not mean that successful attacks would be less likely to happen in the future; quite the contrary, future attacks would be more likely, both because there is more time to prepare the attack, and because expanded use of SERVE or similar systems would make the prize more valuable. In other words, a "successful" trial of SERVE in 2004 is the top of a slippery slope toward even more vulnerable systems in the future.
-- conclusion (g) of "A Security Analysis of the Secure Electronic Registration and Voting Experiment (SERVE)", Dr. David Jefferson, Dr. Aviel D. Rubin, Dr. Barbara Simons, Dr. David Wagner (emphasis mine)

Update: BBC News story indicating that for the Department of Defence, doing the impossible is all in a day's work, coverage in SFGate, New York Times, Slashdot.

[identity profile] valkyriekaren.livejournal.com 2004-01-22 04:32 am (UTC)
Well duh! Nobody serious is going to attack it while they know it's just being trialed and won't make much of a difference; they'll wait until it's up and running in a large number of states, then hit it with everything they've got.

[identity profile] keirf.livejournal.com 2004-01-22 04:55 am (UTC)
Doesn't the above apply to any system?

[identity profile] ciphergoth.livejournal.com 2004-01-22 05:14 am (UTC)
If a safe fails to protect your money, you're going to find out about it. If large-scale fraud changes the result of an election, you won't necessarily know. So a trial doesn't help you gain confidence in a voting system, but it may appear to if no fraud comes to light.

[identity profile] keirf.livejournal.com 2004-01-22 05:24 am (UTC)
I see. So how should you gain confidence in a voting system?

[identity profile] karmicnull.livejournal.com 2004-01-22 05:53 am (UTC)
"I see. So how should you gain confidence in a voting system?"

What he said. The logical inference seems to be [livejournal.com profile] vampwillow's conclusion that no electronic voting system can ever be deemed to be secure. Is there not a parallel to be cast with Camelot and other lottery operators who have - or at least appear to have - used electronic number-registering systems with impunity for several years now?

[personal profile] babysimon 2004-01-22 06:35 am (UTC)
Two differences:

Camelot issue paper receipts.

Few people would have a problem with identifying themselves to Camelot as a lottery winner.

[identity profile] karmicnull.livejournal.com 2004-01-22 06:42 am (UTC)
I was thinking something along the lines of spamming the system with a large enough number of free entries (multiple votes) that it became significantly likely that you would win something. But as you point out, you'd still have to forge the receipt.

Quoting from the report

[identity profile] ciphergoth.livejournal.com 2004-01-22 06:45 am (UTC)
The report's remarks on the security requirements of e-voting when compared to e-commerce also roughly apply to e-lotteries:
First, high security is essential to elections. Democracy relies on broad confidence in the integrity of our elections, so the stakes are enormous. We simply cannot afford to get this wrong. Consequently, voting requires a higher level of security than e-commerce. Though we know how to build electronic commerce systems with acceptable security, e-commerce grade security is not good enough for public elections.

Second, securing Internet voting is structurally different from and fundamentally more challenging than securing e-commerce. For instance, it is not a security failure if your spouse uses your credit card with your consent; it is routine to delegate the authority to make financial transactions. But it is a security failure if your spouse can vote on your behalf, even with your consent; the right to vote is not transferable, and must not be delegated, sold, traded or given away. Another distinction between voting and e-commerce is that while a denial of service attack on e-commerce transactions may mean that business is lost or postponed, it does not de-legitimize the other transactions that were unaffected. However, in an election, a denial of service attack can result in irreversible voter disenfranchisement and, depending on the severity of the attack, the legitimacy of the entire election might be compromised.

Third, the special anonymity requirements of public elections make it hard to detect, let alone recover from, security failures of an Internet voting system, while in e-commerce detection and recovery is much easier because e-commerce is not anonymous. In a commercial setting, people can detect most errors and fraud by cross-checking bills, statements, and receipts; and when a problem is detected, it is possible to recover (at least partially) through refunds, insurance, tax deductions, or legal action. In contrast, voting systems must not provide receipts, because they would violate anonymity and would enable vote buying and vote coercion or intimidation. Yet, even though a voting system cannot issue receipts indicating how people voted, it is still vital for the system to be transparent enough that each voter has confidence that his or her individual vote is properly captured and counted, and more generally, that everyone else's is also. There are no such requirements for e-commerce systems. In general, designing an Internet voting system that can detect and correct any kind of vote fraud, without issuing voters receipts for how they voted, and without risking vote privacy by associating voters with their votes, is a deep and complex security problem that has no analog in the e-commerce world. For these reasons, the existence of technology to provide adequate security for Internet commerce does not imply that Internet voting can be made safe.

Re: Quoting from the report

[personal profile] vampwillow 2004-01-22 07:48 am (UTC)
"But it is a security failure if your spouse can vote on your behalf, even with your consent"

from reports of colleagues, a common failing of postal voting systems already, with or without consent.

"voting systems must not provide receipts, because they would violate anonymity"

It is a requirement and fact of the current UK system that exactly how each voter cast their ballot can be traced if there is a court order to do so. The fact that a voter voted (either in person or by post) is available on request after election day for a specified period (which ends with the destruction of the paper record).

Re: Quoting from the report

[identity profile] ciphergoth.livejournal.com 2004-01-22 08:17 am (UTC)
For my part I definitely consider that latter to be a failing of the UK voting system. "Spycatcher" reports that lists of Communist voters were drawn up as a matter of course.

I am reminded of...

[personal profile] vampwillow 2004-01-22 07:52 am (UTC)
the difference between faith, belief and knowledge.

The mother *knows* that the child is hers,
the father *believes* that the child is his,
the child has *faith* that they are its parents.

We can have faith in the results produced by an electronic voting system; we may believe that it has displayed the correct result. We can never *know* that it is the true result.

Re: I am reminded of...

[identity profile] ciphergoth.livejournal.com 2004-01-22 08:19 am (UTC)
The fact that we cannot have perfect certainty doesn't mean we should adopt any old crap, though, does it?

Re: I am reminded of...

[personal profile] vampwillow 2004-01-22 08:31 am (UTC)
Absolutely!

Re: I am reminded of...

[identity profile] karmicnull.livejournal.com 2004-01-22 09:08 am (UTC)
Which in turn reminds me of one of the articles Eddie Mair presented on R4 recently.

This comment got a bit big, so I turned it into a post here

[identity profile] ciphergoth.livejournal.com 2004-01-22 06:04 am (UTC)
Statically: you describe how the system would function, and allow the international community of security experts to verify that if the things any citizen can observe go as they should then we can have high confidence that there was no large-scale fraud.

Trials test the workability of a system, but not the security.

[personal profile] vampwillow 2004-01-22 05:40 am (UTC)
imnsho, but a "successful" attack is, by the very definition of the word, one that is not detected or traced, even after the event. Plus, of course, you cannot prove a negative.

Square of paper, pencil, booth, ballot box.

Feel free to count electronically; just retain the audit trail that comes from physical contemporaneous marked records.

now going to follow link and read full article...

[identity profile] giolla.livejournal.com 2004-01-22 06:03 am (UTC)
"Square of paper, pencil, booth, ballot box."
Vote early, vote often, vote the graveyard.

[identity profile] drdoug.livejournal.com 2004-01-22 07:09 am (UTC)
Ah, the old "no known problems != known to be free of problems" chestnut. Clearly SERVE and the DoD haven't read enough science fiction.
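An added illustration, not part of the original post or any comment in this thread, of two points made above: that a trial in which nothing is detected is weak evidence of anything when attacks would not be detected anyway, and that retaining the physical marked records lets an electronic count be checked. The Python below uses Bayes' rule to show how little a "no fraud detected" outcome moves the probability of tampering when the detection probability is near zero, and then computes (exactly, and by simulation) the probability that a random comparison of paper records against the electronic records catches a small number of altered entries. The ballot count, the number of altered records, the sample size and the prior are constructed values chosen for illustration, not figures from SERVE or any real election.

```python
import random
from fractions import Fraction
from math import comb

# Constructed scenario (illustrative, not from any real election): 10,000
# ballots, of which an attacker has silently altered 100 electronic records.
N_BALLOTS = 10_000
N_ALTERED = 100
SAMPLE_SIZE = 500   # paper records drawn at random and compared one-for-one
PRIOR = 0.10        # constructed prior that the trial was attacked at all


def detection_probability(n_ballots, n_altered, sample_size):
    """Exact probability that a uniformly random sample of paper records,
    compared against the corresponding electronic records, contains at least
    one altered record.  This is the hypergeometric tail
    1 - C(n - k, s) / C(n, s); with no paper trail (sample_size == 0) it is 0."""
    if sample_size == 0 or n_altered == 0:
        return 0.0
    if sample_size > n_ballots - n_altered:
        return 1.0  # sample is larger than the untouched population
    p_miss = Fraction(comb(n_ballots - n_altered, sample_size),
                      comb(n_ballots, sample_size))
    return 1.0 - float(p_miss)


def posterior_tampering_probability(prior, detection_prob):
    """Bayes' rule for P(tampered | nothing was detected).  When the detection
    probability is 0, a clean-looking trial carries no evidence at all and the
    posterior equals the prior."""
    p_clean_given_tampered = 1.0 - detection_prob
    numerator = prior * p_clean_given_tampered
    return numerator / (numerator + (1.0 - prior))


def simulate_audit(n_ballots, n_altered, sample_size, seed=1):
    """One simulated comparison audit.  The paper records are ground truth;
    the electronic copy has n_altered entries flipped; the auditor compares a
    random sample of the two.  Returns True if any mismatch is found."""
    rng = random.Random(seed)
    paper = [rng.choice("AB") for _ in range(n_ballots)]
    electronic = list(paper)
    for i in rng.sample(range(n_ballots), n_altered):
        electronic[i] = "B" if electronic[i] == "A" else "A"
    for i in rng.sample(range(n_ballots), sample_size):
        if paper[i] != electronic[i]:
            return True
    return False


def main():
    no_paper = detection_probability(N_BALLOTS, N_ALTERED, 0)
    with_paper = detection_probability(N_BALLOTS, N_ALTERED, SAMPLE_SIZE)
    print(f"detection probability, no paper trail:   {no_paper:.4f}")
    print(f"detection probability, {SAMPLE_SIZE}-record audit: {with_paper:.4f}")
    print(f"P(tampered | clean trial), no paper trail:   "
          f"{posterior_tampering_probability(PRIOR, no_paper):.4f}")
    print(f"P(tampered | clean trial), with paper audit: "
          f"{posterior_tampering_probability(PRIOR, with_paper):.4f}")
    print(f"simulated audit caught tampering: "
          f"{simulate_audit(N_BALLOTS, N_ALTERED, SAMPLE_SIZE)}")


if __name__ == "__main__":
    main()
```

With these constructed numbers the 500-record comparison audit detects the 100 altered records with probability above 0.99, so a clean audit drives the posterior from 10% down to well under 0.2%; with no independent record to compare against, the "clean" trial leaves the 10% prior exactly where it was. The detection figure depends only on the sample size and the number of altered records, which is why a paper trail plus a modest random sample is a much stronger check than the electronic system's own report of a trouble-free trial.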

can't we all just pretend it works?

[identity profile] webcowgirl.livejournal.com 2004-01-22 11:35 am (UTC)
Yes the vote over the internet thing is crap. The security is pathetic. I work in the industry, I should know, our standards are horrible and not something I want to have used to determine the outcome of important races.

It seems typical to me that this is being pushed by the Pentagon, because the Bush squad is going all out to make sure the kind of voters they want to see are represented (in this case assuming soldiers would vote Republican). I wonder if there is some kind of cabal working on this in a state of high secrecy (controlled by Grand Moff Cheney, I'd imagine)? The Republicans were also the ones pushing for all ballot counting devices to become electronic, which sent tons of money to the companies designing them ... and gives the Republicans special knowledge to cook the books? I can't imagine how the so-called paper trail (the voters get a record of how they voted?) would ever be useful in the forms I've heard described.

But subtle changes can also be done in a very low tech, yet effective, fashion. The Florida Republican Secretary of State purged many legal voters' names from the polls because they were similar to those of convicted felons (and the black vote is considered to be Democratic). How could these people possibly challenge their removal from the voting lists effectively the day of the election? "Sorry, check back tomorrow." The success that this tiny change had in the outcome of a national election must surely have energized the Rs, for now we see they've gone to mid-census gerrymandering to encourage that more Republicans are elected to Congress. It's truly incredible, and as a citizen my only hope is that the courts will clean things up ... but their pace is too slow and they're not doing a good job. I'm so frustrated. It's an ugly time to live here.

Re: can't we all just pretend it works?

[identity profile] ciphergoth.livejournal.com 2004-01-22 04:09 pm (UTC)
What part of the industry do you work in? Specifically electronic voting? It's all pretty worrying - I don't think I'm being entirely alarmist with my article title...

yanking my chain from across a continent and an ocean

[identity profile] webcowgirl.livejournal.com 2004-01-22 04:56 pm (UTC)
Alas, your title is too, too accurate. It's so embarrassing that the process of having our voting (and other civil) rights raped to nothingness in front of us is so incredibly visible to the rest of the world. The only thing more embarrassing is listening to my fellow sheep-like citizens making statements like, "Why do I need to worry about the government tapping my phone lines? It's not like I have anything to hide." And they are of course pretending that everything is just fine, because that makes it easy for them to lead television-centered lives and worry about losing weight and whether or not Michael Jackson is going to go to jail. Seriously ... that is the American electorate, most of whom don't vote anyway.

I don't like to be specific about where I work in LJ as I consider it a too transparent forum (although I violated this dictum before I got this job - not thinking it would come through - proof of which can be found in earlier months).

I live in Seattle. I do software quality assurance, mostly for internet companies, never for The Borg. I could be much better at my job, as is made abundantly clear by a lot of the stuff I read through your journal. One of the big voting companies is in the locale, but I don't work there, although this is a damn small community (at least in QA) and I know folks almost everywhere. Just trying to make sure stuff is secure at my own company is plenty of work, although it's not what I'm specifically tasked with. Amusingly enough, I'm doing this work with the peculiar skills granted by years of studying political philosophy - giving me no talent at SQL server administration but plenty at getting a head of steam over the state of the real world.

If you want any more specifics, feel free to contact me off-LJ. And apologies for the horrible grammar and spelling errors in my original response - as a QA person I'm ashamed to see so many in just one post.