Tuesday, September 29, 2015

E-voting, New Zealand, something something

Jon Worth posted this link on Facebook and asked e-voting advocates to address the points in it, specifically as it concerns the prospects of e-voting in the EU.
So I did.
So Jon asked me to put them in a separate blog post for easy reference.
So I did.

(As always, I encourage you to read that entire post to understand my replies.)

Myth #1:

"How to verify that an eligible voter cast a vote that arrives at a voting system’s door remains an unsolved problem."

Wrong. Secure digital ID is a reality, and several countries have deployed state-backed PKI systems that identify persons online to a sufficient level of reliability (no lower than comparing the person in front of you to a passport photo). Now, most of the EU doesn't have digital identities deployed yet, but the eIDAS Regulation does stipulate that they ought to eventually. I know where they can buy an e-government-in-a-box, at very reasonable rates.

"They may have sent the correct credentials, but who is to say it was them who was doing the voting, and not some “helpful” malware installed on their computer?"

In the last couple of elections, Estonia has deployed a second-device authentication mechanism. You vote on a computer and get a time-limited QR code that you scan with a phone app; the app then talks to the e-voting servers and shows how your vote has been recorded. Furthermore, while many have tried, nobody has successfully demonstrated a viable in-the-wild attack on the authentication mechanism. As Jon knows, being subjected to such constant tests is how systems become more secure.

"Good luck with that when you have an online voting system, and malware to manipulate votes is discovered on many New Zealanders’ computers a day after the results have been declared."

Fortunately, e-voting allows you to re-do the process after malware has been cleaned out or the software changed to close the attack vector. And, like all critics of e-voting, this author makes the assumption that judges and scrutineers are infallible and incorruptible.

Myth #2: 

"Technology moves so fast that computer systems built today need constant maintenance, monitoring and patching just to keep them operational. In the case of an online voting system, defences against the latest threats and constantly upgrading underlying software and operating systems will make the cost even higher than for the average system. It’s likely the budget for these systems will be in the millions of dollars a year."

Only relevant if you set up a separate designated system for online voting. The eIDAS Regulation requires digital identities to be provided anyway, and the system easily pays for itself in the savings on bureaucracy eliminated by e-government. Never mind the general benefit to the economy of digital identities being widely available.

Myth #3:

"“21 percent of non-voters said they did not vote in the 2011 General Election because they ‘didn’t get round to it, forgot or were not interested’ to vote.”. In a word, disengagement."

Yup, and the way it's been done with us - a long period where e-voting is available, in a very convenient way, before a paper voting day - makes it much easier to get around to it. Plus, don't discount the driving factor of being able to share an "I voted" screenshot to Facebook.

Myth #4:

"What is missing from an online vote is a paper trail — actual paper that can be counted again if a result comes into dispute."

Anyone who has paid attention to, oh, let's say the referendum in Crimea, or recent municipal elections in Russia, can tell you interesting things about the inviolability of paper trails in paper elections.

"With an online system, it’s impossible to trust the results of the count, let alone a recount."

It is possible, though, to build tamper-proof databases and systems with end-to-end encryption. (They exist for specific government purposes; but the overhead means they are uncommon and not visible to most people. Here is an example I found with some very quick google-fu, of a tamper-proof solution in an environment where the receiver does not trust the sender at all and expects them to cheat.)

It is possible to build an IT system that is secure as long as you trust one or two core administrators - same as a paper voting system is only secure as long as you trust the returning officers.

Myth #5:

"What our system can’t do, is verify that our voters clicked on what they thought they did (hint: malware can change web pages), or rely upon showing the voters their choices later (not only did we just break the “secret” part of secret ballot, but our malware is back and changing pages again)."

Well, I described above how that's been solved in practice, although it's true that the functioning of the system would be much more transparent and understandable to most voters if you give up the secrecy of the vote. There are philosophical arguments for it as well, but I doubt they would be broadly convincing.

"Scrutineers are told to watch out for husbands hovering over their wives at polling booths. In an abusive household, the victim has no right of secrecy, making coercion by abusive or judgemental people far easier. Outright vote selling also becomes simple. And in families with voting-age children living at home with their parents and disengaged with the election process, maybe a parent will decide that one extra vote for them won’t hurt?"

Again, has actually been addressed in practice. This is why you get to e-vote repeatedly over a long period, and only the last vote counts; you can vote how your boss/spouse/school bully tells you to, show them that you did, then vote the other way a few hours later.
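The two mechanisms described in this post, re-voting where only the last vote counts and a time-limited second-device check, can be modelled in a few lines. This is an added example, not code from the post or from any real voting system; the class and function names, the plaintext ballots and the timeline are assumptions, and the 30-minute window is the figure the author gives in the comments below.

```python
import secrets

VERIFY_WINDOW_S = 30 * 60  # 30-minute window, the figure the author gives in the comments


class BallotBox:
    """Toy model: ballots are plaintext here; a real system would store them encrypted."""

    def __init__(self):
        self._latest = {}    # voter_id -> (cast_time, choice); needed so a re-vote can supersede
        self._receipts = {}  # one-time code -> (expiry, choice); deliberately holds no voter_id

    def cast(self, voter_id, choice, now):
        """Record a vote and return the one-time code the QR image would carry."""
        previous = self._latest.get(voter_id)
        if previous is None or now >= previous[0]:
            self._latest[voter_id] = (now, choice)  # last vote wins
        code = secrets.token_urlsafe(16)
        self._receipts[code] = (now + VERIFY_WINDOW_S, choice)
        return code

    def verify(self, code, now):
        """Second-device check: the recorded choice, or None if unknown or expired."""
        self._purge(now)
        entry = self._receipts.get(code)
        return entry[1] if entry else None

    def _purge(self, now):
        # Drop every receipt whose window has closed, so old codes reveal nothing.
        expired = [c for c, (expiry, _) in self._receipts.items() if now >= expiry]
        for code in expired:
            del self._receipts[code]

    def tally(self):
        counts = {}
        for _, choice in self._latest.values():
            counts[choice] = counts.get(choice, 0) + 1
        return counts


def coercion_scenario():
    """Constructed timeline: coerced vote, shown to the coercer, replaced hours later."""
    box = BallotBox()
    shown = box.cast("voter-1", "Party A", now=0)
    seen_by_coercer = box.verify(shown, now=5 * 60)
    box.cast("voter-1", "Party B", now=3 * 3600)
    box.cast("voter-2", "Party A", now=4 * 3600)
    return seen_by_coercer, box.verify(shown, now=3 * 3600), box.tally()


if __name__ == "__main__":
    print(coercion_scenario())
```

The receipt table is keyed only by the one-time code, so purging it after the window removes the link a second device could use, while the per-voter table keeps just enough to let a later vote replace an earlier one.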

"It’s too hard for one person to manipulate thousands of votes."

But not too hard for a group of people. And I've talked before in these conversations about how e-voting actually makes it possible to set up independent voting watchdogs that are much more efficient than the Carter Center.

Myth #6:

Er, this is just babble. Not sure how I'm supposed to respond to that. "No, YOU're stupid"?


Unknown said...

Hmm. Not sure I agree with much of your rebuttal. Regardless, your rebuttal fails to address a few uncomfortable facts about online voting:
1. unlike ballot (or even postal) voting, by using the Internet, online voting suddenly allows global attacks on the system (outside of the voting jurisdiction, which makes holding a fraudster accountable very difficult).
2. unlike ballot (or even postal) voting, online voting moves scrutiny from the realm of "any moderately intelligent person" to a small, elite group of very specialised technical people, greatly increasing the likelihood of conflict of interest and bribery, etc.
3. there's no indication that online voting doesn't achieve the one thing that drove its introduction: increasing voter participation. It might, however, erode the trust of voters in jurisdictions where it's adopted. Take for instance, the "online voting poster child" of Estonia. At maximum only 30% of registered voters used their online system despite the fact that probably almost all of them could have done so. To me that strongly suggests a lack of trust in the online system. Worth pointing out that Estonia (and Switzerland, and a few other places) has persisted with online voting despite very strong, well-founded technical recommendations that it cease doing so immediately due to known or likely vulnerabilities in its online voting system.

I think online voting is a fundamentally bad idea, and fully concur with Bruce Schneier who characterised online voting this way: "Building a secure Internet-based voting system is a very hard problem, harder than all the other computer security problems we've attempted and failed at. I believe that the risks to democracy are too great to attempt it."

Unknown said...

And unfortunately, my name didn't appear against the last comment. I'm Dave Lane from New Zealand.

Unknown said...

And a further apology - I only just realised you're based in Estonia. I think it's really unfortunate that your country is persisting with online voting. Dave Lane

antyx said...

Hi Dave,

1) Hmm, as opposed to a bunch of Swiss bankers influencing a paper election in Sierra Leone? Anyway, hackers do get caught and extradited all the time. I even know some personally.

2) For one, "any moderately intelligent person" is not necessarily going to know the intricacies of electoral law or be wary of the tricks of ballot-stuffers; nor are they in any way a defense against other vote manipulation tactics, such as gerrymandering and discriminatory voter ID laws like they have in the US, ostensibly a free democracy. Whereas online voting, with certified receipts and end-to-end encryption, enables the use of any number of independent watchdogs.

For another, any system - ANY system, whether online or offline - is only secure insofar as it is scrutinized. I am all in favor of people demanding close and continuous scrutiny of online voting systems, because that is the only way to keep a system secure. Whereas people residing in established, long-running democracies take the security of offline voting for granted.

Online voting systems can indeed be corrupted, but to corrupt a properly built, maintained and scrutinized one requires a conspiracy not smaller than to corrupt a paper ballot.

3) Several wrong assumptions there. For one, Estonia is a country with very boring politics. We have a populist opposition and a broad multiparty coalition (that actually combines the pro-business libertarians, the family-values nationalists, and the unionist social democrats). There just aren't any significant policy differences between Estonia's major political parties, which is the reason behind overall voter apathy.

For another, we did not introduce online voting to fight voter apathy - we did it because we could. We had secure digital IDs already (and so will all EU member states eventually, under the eIDAS Regulation), and because we have a general drive towards innovation and reduction of government bureaucracy. And obviously people do trust the e-state infrastructure, because they do their banking through it, as well as their taxes, registering change of ownership for cars, etc.

The "technical recommendations" were not well-founded once you looked into them, and we are not in the habit of refusing to innovate because of *likely* vulnerabilities. I think it's really unfortunate that you are.

Unknown said...

Do you have a secret ballot? How? The services you list (banking, taxes, etc.) are no secret. That is a completely different security problem (frankly, I'm surprised you'd bring that up with the implication that it's somehow comparable)... I hope for your sake that Estonia's system isn't exploited by malcontents... of course, you may never know. Anyway, I'll be encouraging NZ to observe your (and Switzerland's) experiences and learn from your mistakes for a few years (or decades) before trying to do "technology for technology's sake"... I find myself thinking that online voting is very prone to the Dunning-Kruger effect.

antyx said...

Yes, we have a secret ballot. This is why the second-device verification system only works for 30 minutes after you cast your vote - after that the record of who cast the vote is deleted. (If you don't believe that it is, my reply is, how do you know there are no pinhole cameras in your voting booths?)

As I said, there are some interesting implications to limiting how secret the ballot can be. If you can check retroactively how your vote was counted, it is possible to set up an independent watchdog that does a sort of exit poll - people would voluntarily integrate with whomever they trust, register how they voted, then the watchdog could compare its records to the official polling records and see if there are any serious discrepancies.
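The watchdog comparison described in the comment above can be run as a simple statistical check. This is an added example, not part of the original thread or of any deployed system: the function names, the vote counts and the significance level are constructed for illustration, and it assumes the watchdog's participants behave like a random sample of voters.

```python
import math


def compare_to_official(official, reported, alpha=0.01):
    """Test each option's self-reported share against its official share.

    official: {option: official vote count}
    reported: {option: number of watchdog participants who reported that option}
    Uses a two-sided z-test per option with a Bonferroni-corrected cutoff.
    """
    total = sum(official.values())
    n = sum(reported.values())
    if total == 0 or n == 0:
        raise ValueError("need at least one official vote and one self-report")
    options = sorted(set(official) | set(reported))
    cutoff = alpha / len(options)  # Bonferroni: several options are tested at once
    rows = []
    for option in options:
        p0 = official.get(option, 0) / total      # share claimed by the official count
        p_hat = reported.get(option, 0) / n       # share among watchdog participants
        se = math.sqrt(p0 * (1 - p0) / n)         # sampling noise expected if p0 is true
        if se == 0:
            # Official share of 0% or 100%: any deviation at all is inconsistent.
            z = 0.0 if p_hat == p0 else math.copysign(math.inf, p_hat - p0)
        else:
            z = (p_hat - p0) / se
        p_value = math.erfc(abs(z) / math.sqrt(2))
        rows.append({"option": option, "official": p0, "reported": p_hat,
                     "z": z, "p": p_value, "flagged": p_value < cutoff})
    return rows


def flagged_options(official, reported, alpha=0.01):
    return [r["option"] for r in compare_to_official(official, reported, alpha) if r["flagged"]]


# Constructed data: 2,000 voters registered their choice with the watchdog.
WATCHDOG = {"A": 1050, "B": 790, "C": 160}
OFFICIAL_CONSISTENT = {"A": 52000, "B": 40000, "C": 8000}
OFFICIAL_SHIFTED = {"A": 57000, "B": 35000, "C": 8000}  # 5 points moved from B to A

if __name__ == "__main__":
    print(flagged_options(OFFICIAL_CONSISTENT, WATCHDOG))
    print(flagged_options(OFFICIAL_SHIFTED, WATCHDOG))
```

Watchdog participants are self-selected, and voters for some parties may be less willing to register, so a flag here is grounds for an investigation rather than proof of tampering.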

Anonymous said...

I think the original paper that criticised the I-voting system was fair and balanced.

As far as I can see everything they worry about has actually been known to happen in the wild.

(I for the record would be happy for I-voting to be used in minor local elections in the UK.)

> Online voting systems can indeed be corrupted, but to corrupt a properly built, maintained and scrutinized one requires a conspiracy not smaller than to corrupt a paper ballot.

I would dispute that. You only need one person (or device) in the build chain for the client binaries or server software. Or one person (or device) in both the telecoms and at one certificate authority.

Things like
exist, but they're of very limited use in a secret ballot system.

> If you don't believe that it is, my reply is, how do you know there are no pinhole cameras in your voting booths?

You need a whole chain of people to install the camera, maintain it, do the data entry, beat people up for voting the wrong way, etc. And in a democratic society all of this is illegal and everyone needs to shut up about it.

(If you're in a country that's prone to political violence and has an e-ID system that is itself reasonably fraud free, outsourcing your election to Estonia might be the least bad option.)

Anonymous said...

And nothing in https://www.ria.ee/e-voting-is-too-secure/ fills me with confidence. (Although I suspect the people actually running the system are more thoughtful.)

antyx said...

Sure, and the operational issues in that paper must be addressed. This is specifically why this kind of public scrutiny is allowed for the online voting process.

Anonymous said...

I suppose you could have every university in Estonia independently create a voting server. But you would also need to do that for almost every part of the system including the client. (And everything that was used to produce the client, which I doubt can do deterministic builds [same source code == same binary].)

And that still wouldn’t deal with things like…


Which, like it or not, are part of the threat model for a national voting system. I’m sure every major country has similar abilities, including both of mine. (I’m picking on the US as they have nice slides :-) I don’t think they’re particularly likely to want to change Estonia’s election results.)

People do bank online, do property transactions online, etc - and their machines might be infected or the servers might be corrupt etc. But those risks are manageable because we close-the-loop outside of the user’s PC and the server they’re using - courts, investigations etc. This cannot be done effectively with secret ballot elections, which is why they terrify people like Dave and me. The nature of the requirements removes every familiar tool we have. We feel lost. It is cold and at night the ice weasels come. And although that fear is factually grounded, it does explain why opposition to only voting is sometimes so shrill. (Although not as shrill as the Estonian RIA’s defence - same fears, different situation.)

Attacks that don’t annoy anyone, don’t break much, have a tiny footprint and are only active for a few days… :-( We just don’t know how to deal with them. We find and convict attackers by following the money and/or boasting. The industry is not capable of finding intrusions that don’t inconvenience people. We only find a tiny minority of the ones that do. State-sponsored attacks usually go undetected for years - or forever if they clean up after themselves.

In the meantime, I suppose it does give the elderly and disabled an easy way to vote - and there’s a social value in including everyone. (Like UK postal voting which is awful, but we let it go on for those reasons.) But supposing an anti-Western/Immigrant/Privatisation/Europe/Men/Short People/Fascist party came in at 67% of the internet vote despite only being expected to get 2 or 3%. 37%? 23%? 9%? Do you use the other voting channels as a base-line? Do you use exit polls? What happens if the paper votes are only a 1/5th of those cast?

(In Sweden our third largest party is one that it is impossible to find anyone who admits to voting for.)

P.S. I think there’s a great deal of mileage in improving verifiability by loosening ballot secrecy. Suppose we want to allow the user to verify their vote, but for the government not to know. In that case we can let people come to the polling station weeks (or years) in advance and draw a single-purpose voter e-ID from a pile. The government knows that the “voter ID” was issued at a certain polling station but not to whom. Every vote can be published (through some sort of anonymised routing) with the signature of the one-off ID. No-one can easily (easily) check who’s voting, but users can check their own. This allows for vote buying and door-to-door intimidation, but nothing systemic. If the voter ID hardware was programmed to self-erase after X days and/or 20 signings. That would be interesting…

antyx said...

"And that still wouldn’t deal with things like…"

There's no way to deal with things like that until they target something that people actually care about. The reason why the NSA has gotten away with it for so long, and why the Snowden revelations have changed almost nothing, is that most people don't feel like end-to-end encryption and physical token authentication is a worthwhile effort to secure their kitten GIFs.

"But those risks are manageable because we close-the-loop outside of the user’s PC and the server they’re using - courts, investigations etc."

Because there is a baseline of trust towards the individual rather than the corporation. Similarly, if there is an independent voting watchdog that shows a significant difference between the self-reported outcome and the official one, that is cause for an investigation outside of the voting loop. Yes, it can be done. And just so that you don't think too highly of the out-of-the-loopness of the paper voting process, the 2000 US presidential elections were decided in the public eye on the actions of a pretty small group of people messing about with paper votes - did not help.

"State-sponsored attacks usually go undetected for years - or forever if they clean up after themselves."

I want you to re-read that sentence again and give it a little bit more thought. (And that's separate from well-known state-sponsored attacks like Stuxnet, and the idea that just because governments don't always brag about suffering attacks doesn't mean they don't detect them.)

"Do you use the other voting channels as a base-line? Do you use exit polls? What happens if the paper votes are only a 1/5th of those cast?"

Described several times before. Independent verification can be set up with online voting much more cheaply, reliably and efficiently than with paper voting.

"(In Sweden our third largest party is one that it is impossible to find anyone who admits to voting for.)"

I've been accused of being an idealistic legislative purist, but I'm gonna be honest here - if you're afraid of people finding out you voted for a particular party, maybe you shouldn't be voting for it.

"Suppose we want to allow the user to verify their vote, but for the government not to know. In that case"

Yes, this is how the Estonian second-device verification system works now. Except instead of a single-use physical token, it's a single-use certificate generated at the moment of voting, and self-deleting after a time.

