[E-voting] UK shelves plans for e-voting trials

Craig Burton caburt at alphalink.com.au
Sat Sep 10 23:23:25 IST 2005


Thank you for this metered argument.  This post is getting pretty long 
but I think illustrations help.

>So your assertions that remote voting must be provided and that 
improving turnout is irrelevant simply don't stack up against the 
goal of an election.

Perhaps I don't convey the urgency of my opening idea well enough.  The 
gov't has to make voting available to all eligible voters.  It doesn't 
have to be easy, but it has to be possible.  If voters can attend a 
polling station, they should.  If they can't, it's not their fault 
voting is impossible, the gov't has to provide other channels.  If the 
new channels are weaker than attendance voting then we have to try to 
estimate the increased side effects and adjust our margin of error 

I think your point is that if the voters already have a choice among 
channels ( so they can attend or postal vote as they please) then we are 
making voting easier by offering a choice.  If the voters all choose to 
vote postal when they could have attended then this is a very bad thing 
as the reliability of the electoral outcome is weakened.  I agree if 
this is your assertion. 


>Whether it is worth increasing turnout through making it easier to 
>vote even at the cost of reducing the accuracy of the vote is the 
>question I'd like to put to a statistician.
I think the likelihood of fraud/error having occurred is measured per 
election and the result deemed legitimate if we find the likelihood of 
fraud is lower than some threshold.  A way to measure REV systems is 
parallel testing and voter-verification systems.  We then look at 
whether parallel votes arrive as expected and whether all voters using 
the verification service results in no reports of trouble.  How many 
parallel tests to run can be defined in advance and scale with the 
election.  How many people use the verification service will vary with 
the election so the sum of the two measures cannot be known in advance 
as a fixed level of confidence for that REV channel.

>I think Ita Ryan made some good suggestions about increasing turnout 
>by encouraging voters, and those suggestions would seem to improve 
>the accuracy of the election as a whole without reducing the 
>integrity of the voting channel.
And they should all have been implemented years ago.

>>Allowing REV submission of more than one vote (last vote counts)
>>weakens coercion and selling.  A biometric of some sort would also
>>make it hard for me to sell my "REV PIN" for someone else to use.
>Your suggestions on mitigating the problems I mentioned are good, and 
>would go some way towards solving some of the problems with DRE.
>However very fundamental problems remain that simply cannot be 
>resolved using any of the techniques you have mentioned, or any 
>technique I have heard.
>Two examples:
>[snip] It is possible for a computer program to display one 
>thing to the voter while recording another thing in their name. [snip]
Of course this attack is possible and catastrophic for the voter 
affected, if the attack is not detected.  An REV user's computer 
collects perhaps 4 votes in a family of 4 adult voters.  A poll site DRE 
collects hundreds of votes.  The DRE is a much more attractive target 
for a hack.  The DRE is kept in storage for years and it runs its voting 
software assuming it has been kept safe all that time.  A home-voter PC 
is (now more than ever) runs in a networked, adversarial environment 
where we assume various forms of intruder protection are needed, login 
access is required and so on.
The much touted theoretical virus that sweeps the country infecting home 
PCs before the election is very unlikely to succeed.  Here is how it 
would have to work in order to succeed with any likelihood at all:

1. some time after the close of withdrawals but before REV polls open 
(so, perhaps two weeks) some hackers would have to get to work adjusting 
a virus to display the right candidates, or to throw the right votes to 
the right candidates on an infected host.  It is also likely the REV 
package has changed and the virus may need to know how it has changed.  
Perhaps they already have viruses in place, but they need to pass the 
installed viruses this information.
2. they publish a virus, or they Trojan a candidate website, or they 
contact their infected PCs.
3. the infected PC virus needs to act while the voter is voting, on a 
very complex stack of windowing software, with other applications, virus 
detectors, firewalls etc all running.

Only one vigilant voter (and there are many boffins that like REV) needs 
to spot something amiss and the game is up.  And lots of other people 
will be watching REV too.   There are other services out on the Internet 
purposefully catching viruses.  Symantec, for example, has hundreds of 
machines all over the world posing as ordinary unprotected PCs.  One 
instance of the virus reaching one of these machines gives up the game.

The real risk to REV is denial of service or a virus that disables the 
voter's machine.  I can't see how this kind of carpet-bomb attack could 
in any reliable way cause an election to swing.  Denial of Service is a 
research area bearing fruit, and viruses that disable PCs are already a 
well known nuisance and there is considerable protection against them.

 >It is possible for the count program to appear to read the votes, 
count them and produce a result when in fact it is producing a result 
from some other means.

Unlike the home PC, the count system can be strongly audited and 
controlled.  The counting software can be kept very simple, short etc, 
be published, audited, signed etc.  A good REV system encrypts votes at 
the voter's PC and a private-key utility decrypts them when several 
officials provide parts of the private key or parts of a large shared 
password.   This means the votes are less vulnerable in transit from the 
voter to the counting PC.  Tools like this decrypting utility or a 
counter can be protected by any number of measures currently used in 
mission critical systems.

There is a risk votes get untraceable deleted.  The way to detect this 
(and so disincentivise the practice) is to allow the voters to check 
their votes were decrypted intact by mounting a service which attempts 
to regenerate a receipt the REV system issues the voter on their PC.  
The receipt is made up of some part of the voter's PIN.  The receipt 
also includes a word the voter makes up at the end of their voting 
session.  The verification service gets a forward hash of the voter's 
part-PIN and made up word from the decrypted vote data.  It forward 
hashes these to produce the receipt.  If the receipt does not match what 
was issued locally to the voter at the time of their vote, then the 
voter's vote has been damaged, replaced, re-encrypted etc and the voter 
(and only the voter) knows this and can complain.

The worst thing about these to problems is not that they are possible, 
but that they are undetectable and unquantifiable. If you could come 
up with a proof that these problems could affect no more than x% of 
the vote then we could bring the technology back into the picture and 
compare it with the accuracy of other technologies. Maybe it would be 
worth accepting reduced accuracy if it gives increased turnout.

I think it might be measured by some random sampling of home PCs, the 
use of PC's to trap "vote viruses" and other checks and balances on the 
process.  Like any election we can only know at the end of the process 
what the likelihood was of fraud.  No one can know in advance : 
ultimately is boils down to vigilance.

>But until these problems can be either provably eliminated, or at 
>least quantified, then the technology is simply not acceptable.
REV pilots are needed to quantify the risks.  They can't be shadow polls 
or mock elections as the conditions and constraints are not the same.   
This is the way forward, we shouldn't just sit and wait for some new 
super alien voting science to appear and then roll it out for the masses.

I'm confident new voting channels can be used to enfranchise voters 
without disproportionately (or better, significantly) affecting the 
election outcome.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.stdlib.net/pipermail/e-voting/attachments/20050911/e1215bbd/attachment.htm

More information about the E-voting mailing list