[E-voting] Commission on Electronic Voting
aecolley at spamcop.net
Thu Mar 11 19:04:19 GMT 2004
On Thu, Mar 11, 2004 at 11:48:46AM +0000, Cian wrote:
> I figure we should get a nice, professional submission in as soon as possible.
> We have a tonne of information to put in it, though - what do people think we
> should prioritise?
I'll quickly blurt out the thoughts I've jotted down on this, just to
make sure each point is thought about, not as a serious draft:
(Outline of the submission)

Introduction - task and setting.

    The Commission's task is similar to that of the Supreme Court
    on an Article 26 reference. The proposed system is to be
    evaluated and approved or rejected in a vacuum and on a limited
    timescale. At least the Commission is explicitly allowed to
    hear evidence! The proposed system has a fundamental design flaw
    which, despite widespread credible documentation, has been neither
    recognised by the DoEHLG nor accepted by the vendor.

Threat - tampering scenarios.

    The most low-level chapter, in which the technical problem
    itself is discussed:

    - VM reprogramming (by manufacturer, by insider, by intruder)
    - VM hardware redesign (by same attackers)
    - Rewriting module in PRU
    - RO mistakenly sealing machine without impractically-full inspection
    - Only two seals - no independent sealing by opposition candidates

Implementation - lack of mechanism to prevent threats.

    This includes analysis of the requirements of elections and
    the capabilities of computers, including the theoretical
    limits making secure DRE impossible, pointing to the necessity
    for a VVPB.

Engineering - faulty analysis and consequent defective design and test.

    Requirements analysis failure to identify voter verification.
    Quote vendor from JCELG 2003-12-18 giving insight into analogues
    (e.g. ballot record for ballot paper) which formed basis of
    specification. Explain how failure to capture requirements
    leading to customer rejection is common in industry (need
    examples). Show how Nedap experience typical. Condemn vendor's
    claimed "audit trail" and question mindset of its designer.

Project management - faulty planning failing to uncover engineering defect.

    Evaluation based on amateurly designing whole process, then
    dividing it into six nonoverlapping parts, each for a different
    consultant. Focus on lack of expertise in system integration,
    and consequent neglect of need to validate whole system. Also
    point to extant research and published statements on e-voting
    security from ACM, Mercuri et al., and ask why no attempt was
    made to validate vendor's claims by looking for such opposing

Cited evaluations - each one analyzed w.r.t. security.

Project planning - failing to consult.

    Inception of e-voting project in DoEHLG still a bit mysterious.
    No consultation with public involved, which might have brought
    problems to public prominence much earlier. Must wonder why
    no evaluation on such a fundamental change considered necessary.
    (FoI documents may be enlightening here.)

Responsibility - failing to take objections seriously once raised.

    A very serious matter (possibly outside the commission's remit)
    is the way in which DoEHLG handled valid criticisms of the
    system. Early dismissals as idle Luddism are understandable
    and perhaps forgivable; later rejections of well-founded
    research with material misrepresentations both as to the
    features of the system and the details of the research are
    not, and indicate bad faith (IMHO).

Initiative - improper process of selecting vendor and evaluation strategy.

    The tech was chosen before the Bill was introduced, the money
    was spent before the contract was signed, and the process of
    evaluating the equipment was chosen in a way which happened not
    to examine the faulty aspects of the system's design. Does it
    appear that the vendor was chosen first and that everything else
    was chosen to suit the vendor?

Legislative - insufficient airing of Bill, confusion with other matters.

    Although the problems with the system were identified on the
    first day of debate on the Electoral (Amendment) Bill, 2000,
    they went unheeded by the bulk of the Oireachtas, concerned as
    they were with the other weighty and controversial matters
    collected into the omnibus Bill. Insufficient care was taken
    in scrutinising the Bill before passing it (which was, in the
    end, by guillotine in both Houses).

Constitutional - shift of burden of proof from officials to objectors.

    The secrecy of the ballot is constitutionally required, and so
    is the integrity of the ballot. The secrecy requirement must
    be satisfied not on the balance of probabilities, but to the
    satisfaction of any reasonable voter (must get the exact
    wording from the judgement). The integrity requirement is
    similarly critical and needs similar protection. The proposed
    system shifts the burden of proof (of ballot integrity) onto
    the voter or candidate who feels aggrieved, without allowing
    for any meaningful investigation that could establish such proof.
GPG 0x43D3AD19 17D2 CA6E A18E 1177 A361 C14C 29DB BA4B 43D3 AD19
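The "Implementation" and "Engineering" chapters above argue that a DRE's own audit trail cannot establish ballot integrity and that a voter-verified paper ballot (VVPB) can. The following toy model, added here as an illustration and not part of the post or of any vendor's system, shows why: the recorder classes, the constructed vote list and the fault injected into TamperedRecorder are all hypothetical.

```python
# Toy model of a DRE voting machine: the machine's "audit trail" is derived
# from the same internal state as the ballot store, so an internal audit can
# only confirm the machine agrees with itself. An independent record that the
# voter checked (a VVPB) is what allows a discrepancy to be detected.
from collections import Counter


class HonestRecorder:
    """Stores each ballot as cast and logs it to the internal audit trail."""

    def __init__(self):
        self.ballots = []   # what the machine will count
        self.log = []       # the vendor-style "audit trail", written by the machine

    def store(self, choice):
        self.ballots.append(choice)
        self.log.append(choice)   # log and store come from the same state

    def record(self, choice):
        self.store(choice)


class TamperedRecorder(HonestRecorder):
    """Constructed fault for the model: every third ballot is stored as 'A'."""

    def record(self, choice):
        stored = "A" if len(self.ballots) % 3 == 2 else choice
        self.store(stored)        # log is written from the altered value too


def internal_audit(rec):
    """The check a machine-only audit trail can offer: log vs. ballot store."""
    return Counter(rec.log) == Counter(rec.ballots)


def vvpb_audit(rec, paper):
    """Compare the machine count with the paper record the voters verified."""
    return Counter(rec.ballots) == Counter(paper)


def run_election(recorder_cls, intended):
    """Cast `intended` votes; each voter also checks a paper slip of their choice.
    Returns (internal_audit_passed, vvpb_audit_passed)."""
    rec = recorder_cls()
    paper = []
    for choice in intended:
        rec.record(choice)
        paper.append(choice)      # voter verifies the slip shows their choice
    return internal_audit(rec), vvpb_audit(rec, paper)


SAMPLE_VOTES = ["B", "C", "B", "A", "B", "B", "C", "B", "B"]   # constructed input
```

With SAMPLE_VOTES, run_election(HonestRecorder, ...) gives (True, True) while run_election(TamperedRecorder, ...) gives (True, False): the internal audit passes on the tampered machine because it checks nothing independent of the machine.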