[personal profile] ciphergoth
The SERVE system might appear to work flawlessly in 2004, with no successful attacks detected. It is as unfortunate as it is inevitable that a seemingly successful voting experiment in a U.S. presidential election involving seven states would be viewed by most people as strong evidence that SERVE is a reliable, robust, and secure voting system. Such an outcome would encourage expansion of the program by FVAP in future elections, or the marketing of the same voting system by vendors to jurisdictions all over the United States, and other countries as well. However, the fact that no successful attack is detected does not mean that none occurred. Many attacks, especially if cleverly hidden, would be extremely difficult to detect, even in cases when they change the outcome of a major election. Furthermore, the lack of a successful attack in 2004 does not mean that successful attacks would be less likely to happen in the future; quite the contrary, future attacks would be more likely, both because there is more time to prepare the attack, and because expanded use of SERVE or similar systems would make the prize more valuable. In other words, a "successful" trial of SERVE in 2004 is the top of a slippery slope toward even more vulnerable systems in the future.
-- conclusion (g) of "A Security Analysis of the Secure Electronic Registration and Voting Experiment (SERVE)", Dr. David Jefferson, Dr. Aviel D. Rubin, Dr. Barbara Simons, Dr. David Wagner (emphasis mine)

Update: BBC News story indicating that for the Department of Defence, doing the impossible is all in a day's work, coverage in SFGate, New York Times, Slashdot.

Date: 2004-01-22 05:24 am (UTC)
From: [identity profile] keirf.livejournal.com
I see. So how should you gain confidence in a voting system?

Date: 2004-01-22 05:53 am (UTC)
From: [identity profile] karmicnull.livejournal.com
"I see. So how should you gain confidence in a voting system?"

What he said. The logical inference seems to be [livejournal.com profile] vampwillow's conclusion that no electronic voting system can ever be deemed to be secure. Is there not a parallel to be cast with Camelot and other lottery operators who have - or at least appear to have - used electronic number-registering systems with impunity for several years now?



Date: 2004-01-22 06:35 am (UTC)
From: [personal profile] babysimon
Two differences:

Camelot issue paper receipts.

Few people would have a problem with identifying themselves to Camelot as a lottery winner.

Date: 2004-01-22 06:42 am (UTC)
From: [identity profile] karmicnull.livejournal.com
I was thinking something along the lines of spamming the system with a large enough number of free entries (multiple votes) that it became significantly likely that you would win something. But as you point out, you'd still have to forge the receipt.

Quoting from the report

Date: 2004-01-22 06:45 am (UTC)
From: [identity profile] ciphergoth.livejournal.com
The report's remarks on the security requirements of e-voting when compared to e-commerce also roughly apply to e-lotteries:
First, high security is essential to elections. Democracy relies on broad confidence in the integrity of our elections, so the stakes are enormous. We simply cannot afford to get this wrong. Consequently, voting requires a higher level of security than e-commerce. Though we know how to build electronic commerce systems with acceptable security, e-commerce grade security is not good enough for public elections.

Second, securing Internet voting is structurally different from and fundamentally more challenging than securing e-commerce. For instance, it is not a security failure if your spouse uses your credit card with your consent; it is routine to delegate the authority to make financial transactions. But it is a security failure if your spouse can vote on your behalf, even with your consent; the right to vote is not transferable, and must not be delegated, sold, traded or given away. Another distinction between voting and e-commerce is that while a denial of service attack on e-commerce transactions may mean that business is lost or postponed, it does not de-legitimize the other transactions that were unaffected. However, in an election, a denial of service attack can result in irreversible voter disenfranchisement and, depending on the severity of the attack, the legitimacy of the entire election might be compromised.

Third, the special anonymity requirements of public elections make it hard to detect, let alone recover from, security failures of an Internet voting system, while in e-commerce detection and recovery is much easier because e-commerce is not anonymous. In a commercial setting, people can detect most errors and fraud by cross-checking bills, statements, and receipts; and when a problem is detected, it is possible to recover (at least partially) through refunds, insurance, tax deductions, or legal action. In contrast, voting systems must not provide receipts, because they would violate anonymity and would enable vote buying and vote coercion or intimidation. Yet, even though a voting system cannot issue receipts indicating how people voted, it is still vital for the system to be transparent enough that each voter has confidence that his or her individual vote is properly captured and counted, and more generally, that everyone else's is also. There are no such requirements for e-commerce systems. In general, designing an Internet voting system that can detect and correct any kind of vote fraud, without issuing voters receipts for how they voted, and without risking vote privacy by associating voters with their votes, is a deep and complex security problem that has no analog in the e-commerce world. For these reasons, the existence of technology to provide adequate security for Internet commerce does not imply that Internet voting can be made safe.

Re: Quoting from the report

Date: 2004-01-22 07:48 am (UTC)
From: [personal profile] vampwillow
"But it is a security failure if your spouse can vote on your behalf, even with your consent"

from reports of colleagues, a common failing of postal voting systems already, with or without consent.

"voting systems must not provide receipts, because they would violate anonymity"

It is a requirement and fact of the current UK system that exactly how each voter cast their ballot can be traced if there is a court order to do so. The fact that a voter voted (either in person or by post) is available on request after election day for a specified period (which ends with the destruction of the paper record).

Re: Quoting from the report

Date: 2004-01-22 08:17 am (UTC)
From: [identity profile] ciphergoth.livejournal.com
For my part I definitely consider the latter to be a failing of the UK voting system. "Spycatcher" reports that lists of Communist voters were drawn up as a matter of course.

I am reminded of...

Date: 2004-01-22 07:52 am (UTC)
From: [personal profile] vampwillow
the difference between faith, belief and knowledge.

The mother *knows* that the child is hers,
the father *believes* that the child is his,
the child has *faith* that they are its parents.

We can have faith in the results produced by an electronic voting system; we may believe that it has displayed the correct result. We can never *know* that it is the true result.

Re: I am reminded of...

Date: 2004-01-22 08:19 am (UTC)
From: [identity profile] ciphergoth.livejournal.com
The fact that we cannot have perfect certainty doesn't mean we should adopt any old crap, though, does it?

Re: I am reminded of...

Date: 2004-01-22 08:31 am (UTC)
From: [personal profile] vampwillow
Absolutely!

Re: I am reminded of...

Date: 2004-01-22 09:08 am (UTC)
From: [identity profile] karmicnull.livejournal.com
Which in turn reminds me of one of the articles Eddie Mair presented on R4 recently.

This comment got a bit big, so I turned it into a post here

Date: 2004-01-22 06:04 am (UTC)
From: [identity profile] ciphergoth.livejournal.com
Statically: you describe how the system would function, and allow the international community of security experts to verify that if the things any citizen can observe go as they should then we can have high confidence that there was no large-scale fraud.

Trials test the workability of a system, but not the security.

Profile

ciphergoth: (Default)
Paul Crowley
