Tuesday, September 29, 2015

E-voting, New Zealand, something something

Jon Worth posted this link on Facebook and asked e-voting advocates to address the points in it, specifically as it concerns the prospects of e-voting in the EU.
So I did.
So Jon asked me to put them in a separate blog post for easy reference.
So I did.

(As always, I encourage you to read that entire post to understand my replies.)

Myth 1: 

"How to verify that an eligible voter cast a vote that arrives at a voting system’s door remains an unsolved problem."
Wrong. Secure digital ID is a reality, and several countries have deployed state-backed PKI systems that identify persons online to a sufficient level of reliability (no lower than comparing the person in front of you to a passport photo). Now, most of the EU doesn't have digital identities deployed yet, but the eIDAS Regulation does stipulate that they ought to eventually. I know where they can buy an e-government-in-a-box, at very reasonable rates.

"They may have sent the correct credentials, but who is to say it was them who was doing the voting, and not some “helpful” malware installed on their computer?"

In the last couple of elections, Estonia has deployed a second-device authentication mechanism. You vote on a computer, and get a time-limited QR code that you scan with a phone app, it then talks to the e-voting servers and shows how your vote has been recorded. Furthermore, while many have tried, nobody has successfully demonstrated a viable in-the-wild attack on the authentication mechanism. As Jon knows, being subjected to such constant tests is how systems become more secure.

"Good luck with that when you have an online voting system, and malware to manipulate votes is discovered on many New Zealanders’ computers a day after the results have been declared."

Fortunately, e-voting allows you to re-do the process after malware has been cleaned out or the software changed to close the attack vector. And, like all critics of e-voting, this author makes the assumption that judges and scrutineers are infallible and incorruptible.

Myth #2: 

Technology moves so fast that computer systems built today need constant maintenance, monitoring and patching just to keep them operational. In the case of an online voting system, defences against the latest threats and constantly upgrading underlying software and operating systems will make the cost even higher than for the average system. It’s likely the budget for these systems will be in the millions of dollars a year.
Only relevant if you set up a separate designated system for online voting. The eIDAS Regulation requires digital identities to be provided anyway, and the system easily pays itself in the savings on bureaucracy eliminated by e-government. Nevermind the general benefit to the economy of digital identities being widely available.

Myth #3:

"“21 percent of non-voters said they did not vote in the 2011 General Election because they ‘didn’t get round to it, forgot or were not interested’ to vote.”. In a word, disengagement."

Yup, and the way it's been done with us - a long period where e-voting is available, in a very convenient way, before a paper voting day - makes it much easier to get around to it. Plus, don't discount the driving factor of being able to share an "I voted" screenshot to Facebook.

Myth #4:

"What is missing from an online vote is a paper trail — actual paper that can be counted again if a result comes into dispute."
Anyone who has paid attention to, oh, let's say the referendum in Crimea, or recent municipal elections in Russia, can tell you interesting things about the inviolability of paper trails in paper elections.

"With an online system, it’s impossible to trust the results of the count, let alone a recount."
It is possible, though, to build tamper-proof databases and systems with end-to-end encryption. (They exist for specific government purposes; but the overhead means they are uncommon and not visible to most people. Here is an example I found with some very quick google-fu, of a tamper-proof solution in an environment where the receiver does not trust the sender at all and expects them to cheat.)

It is possible to build an IT system that is secure as long as you trust one or two core administrators - same as a paper voting system is only secure as long as you trust the returning officers.

Myth 5:

"What our system can’t do, is verify that our voters clicked on what they thought they did (hint: malware can change web pages), or rely upon showing the voters their choices later (not only did we just break the “secret” part of secret ballot, but our malware is back and changing pages again)."

Well, I described above how that's been solved in practice, although it's true that the functioning of the system would be much more transparent and understandable to most voters if you give up the secrecy of the vote. There are philosophical arguments for it as well, but I doubt they would be broadly convincing.

"Scrutineers are told to watch out for husbands hovering over their wives at polling booths. In an abusive household, the victim has no right of secrecy, making coercion by abusive or judgemental people far easier. Outright vote selling also becomes simple. And in families with voting-age children living at home with their parents and disengaged with the election process, maybe a parent will decide that one extra vote for them won’t hurt?"

Again, has actually been addressed in practice. This is why you get to e-vote repeatedly over a long period, and only the last vote counts; you can vote how your boss/spouse/school bully tells you to, show them that you did, then vote the other way a few hours later.

"It’s too hard for one person to manipulate thousands of votes."

But not too hard for a group of people. And I've talked before in these conversations about how e-voting actually makes it possible to set up independent voting watchdogs that are much more efficient than the Carter Center.

Myth #6:

Er, this is just babble. Not sure how I'm supposed to respond to that. "No, YOU're stupid"?


| More