[E-voting] UK shelves plans for e-voting trials
caburt at alphalink.com.au
Sat Sep 10 23:23:25 IST 2005
Thank you for this metered argument. This post is getting pretty long
but I think illustrations help.
>So your assertions that remote voting must be provided and that
>improving turnout is irrelevant simply don't stack up against the
>goal of an election.
Perhaps I don't convey the urgency of my opening idea well enough. The
gov't has to make voting available to all eligible voters. It doesn't
have to be easy, but it has to be possible. If voters can attend a
polling station, they should. If they can't, it's not their fault
voting is impossible, the gov't has to provide other channels. If the
new channels are weaker than attendance voting then we have to try to
estimate the increased side effects and adjust our margin of error
I think your point is that if the voters already have a choice among
channels (so they can attend or postal vote as they please) then we are
making voting easier by offering a choice. If the voters all choose to
vote postal when they could have attended then this is a very bad thing
as the reliability of the electoral outcome is weakened. I agree if
this is your assertion.
>Whether it is worth increasing turnout through making it easier to
>vote even at the cost of reducing the accuracy of the vote is the
>question I'd like to put to a statistician.
I think the likelihood of fraud/error having occurred is measured per
election and the result deemed legitimate if we find the likelihood of
fraud is lower than some threshold. A way to measure REV systems is
parallel testing and voter-verification systems. We then look at
whether parallel votes arrive as expected and whether all voters using
the verification service results in no reports of trouble. How many
parallel tests to run can be defined in advance and scale with the
election. How many people use the verification service will vary with
the election so the sum of the two measures cannot be known in advance
as a fixed level of confidence for that REV channel.
>I think Ita Ryan made some good suggestions about increasing turnout
>by encouraging voters, and those suggestions would seem to improve
>the accuracy of the election as a whole without reducing the
>integrity of the voting channel.
And they should all have been implemented years ago.
>>Allowing REV submission of more than one vote (last vote counts)
>>weakens coercion and selling. A biometric of some sort would also
>>make it hard for me to sell my "REV PIN" for someone else to use.
>Your suggestions on mitigating the problems I mentioned are good, and
>would go some way towards solving some of the problems with DRE.
>However very fundamental problems remain that simply cannot be
>resolved using any of the techniques you have mentioned, or any
>technique I have heard.
>[snip] It is possible for a computer program to display one
>thing to the voter while recording another thing in their name. [snip]
Of course this attack is possible and catastrophic for the voter
affected, if the attack is not detected. An REV user's computer
collects perhaps 4 votes in a family of 4 adult voters. A poll site DRE
collects hundreds of votes. The DRE is a much more attractive target
for a hack. The DRE is kept in storage for years and it runs its voting
software assuming it has been kept safe all that time. A home-voter PC
(now more than ever) runs in a networked, adversarial environment
where we assume various forms of intruder protection are needed, login
access is required and so on.
The much touted theoretical virus that sweeps the country infecting home
PCs before the election is very unlikely to succeed. Here is how it
would have to work in order to succeed with any likelihood at all:
1. some time after the close of withdrawals but before REV polls open
(so, perhaps two weeks) some hackers would have to get to work adjusting
a virus to display the right candidates, or to throw the right votes to
the right candidates on an infected host. It is also likely the REV
package has changed and the virus may need to know how it has changed.
Perhaps they already have viruses in place, but they need to pass the
installed viruses this information.
2. they publish a virus, or they Trojan a candidate website, or they
contact their infected PCs.
3. the infected PC virus needs to act while the voter is voting, on a
very complex stack of windowing software, with other applications, virus
detectors, firewalls etc all running.
4. EVERY SINGLE INSTANCE OF THIS VIRUS NEEDS TO AVOID DETECTION.
Only one vigilant voter (and there are many boffins that like REV) needs
to spot something amiss and the game is up. And lots of other people
will be watching REV too. There are other services out on the Internet
purposefully catching viruses. Symantec, for example, has hundreds of
machines all over the world posing as ordinary unprotected PCs. One
instance of the virus reaching one of these machines gives up the game.
The real risk to REV is denial of service or a virus that disables the
voter's machine. I can't see how this kind of carpet-bomb attack could
in any reliable way cause an election to swing. Denial of Service is a
research area bearing fruit, and viruses that disable PCs are already a
well known nuisance and there is considerable protection against them.
>It is possible for the count program to appear to read the votes,
>count them and produce a result when in fact it is producing a result
>from some other means.
Unlike the home PC, the count system can be strongly audited and
controlled. The counting software can be kept very simple, short etc,
be published, audited, signed etc. A good REV system encrypts votes at
the voter's PC and a private-key utility decrypts them when several
officials provide parts of the private key or parts of a large shared
password. This means the votes are less vulnerable in transit from the
voter to the counting PC. Tools like this decrypting utility or a
counter can be protected by any number of measures currently used in
mission critical systems.
There is a risk votes get untraceably deleted. The way to detect this
(and so disincentivise the practice) is to allow the voters to check
their votes were decrypted intact by mounting a service which attempts
to regenerate a receipt the REV system issues the voter on their PC.
The receipt is made up of some part of the voter's PIN. The receipt
also includes a word the voter makes up at the end of their voting
session. The verification service gets a forward hash of the voter's
part-PIN and made up word from the decrypted vote data. It forward
hashes these to produce the receipt. If the receipt does not match what
was issued locally to the voter at the time of their vote, then the
voter's vote has been damaged, replaced, re-encrypted etc and the voter
(and only the voter) knows this and can complain.
>The worst thing about these two problems is not that they are possible,
>but that they are undetectable and unquantifiable. If you could come
>up with a proof that these problems could affect no more than x% of
>the vote then we could bring the technology back into the picture and
>compare it with the accuracy of other technologies. Maybe it would be
>worth accepting reduced accuracy if it gives increased turnout.
I think it might be measured by some random sampling of home PCs, the
use of PCs to trap "vote viruses" and other checks and balances on the
process. Like any election we can only know at the end of the process
what the likelihood was of fraud. No one can know in advance:
ultimately it boils down to vigilance.
>But until these problems can be either provably eliminated, or at
>least quantified, then the technology is simply not acceptable.
REV pilots are needed to quantify the risks. They can't be shadow polls
or mock elections as the conditions and constraints are not the same.
This is the way forward, we shouldn't just sit and wait for some new
super alien voting science to appear and then roll it out for the masses.
I'm confident new voting channels can be used to enfranchise voters
without disproportionately (or better, significantly) affecting the
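
The receipt check described in the message above, as an added sketch that is not part of the original post or of any real REV system. SHA-256, the length-prefixed field encoding, all function names and the sample PIN fragments and words are assumptions made for illustration.

```python
import hashlib

def _h(label: bytes, *fields: bytes) -> str:
    """SHA-256 over a domain label and length-prefixed fields (assumed encoding)."""
    h = hashlib.sha256(label)
    for f in fields:
        h.update(len(f).to_bytes(4, "big") + f)
    return h.hexdigest()

def voter_tag(part_pin: str, word: str) -> str:
    """First forward hash of part-PIN and made-up word; stored inside the encrypted vote."""
    return _h(b"rev-tag", part_pin.encode(), word.encode())

def receipt_from_tag(tag: str) -> str:
    """Second forward hash; this short value is the receipt the voter keeps."""
    return _h(b"rev-receipt", tag.encode())[:16]

def cast(part_pin: str, word: str, choice: str):
    """Voter's PC: build the vote record and issue the receipt locally."""
    tag = voter_tag(part_pin, word)
    return {"tag": tag, "choice": choice}, receipt_from_tag(tag)

def regenerate_receipts(decrypted_votes):
    """Verification service: recompute receipts from the decrypted vote data only."""
    return {receipt_from_tag(v["tag"]) for v in decrypted_votes}

def check(receipt: str, decrypted_votes) -> bool:
    """True if the voter's receipt can be regenerated from what was decrypted."""
    return receipt in regenerate_receipts(decrypted_votes)

def demo():
    # Constructed sample data: two voters cast, then one record is swapped out.
    v1, r1 = cast("4821", "heron", "A")
    v2, r2 = cast("9377", "quartz", "B")
    forged, _ = cast("0000", "x", "A")   # record the second voter never made
    intact, tampered = [v1, v2], [v1, forged]
    return {
        "voter1_intact": check(r1, intact),
        "voter2_intact": check(r2, intact),
        "voter1_tampered": check(r1, tampered),
        "voter2_tampered": check(r2, tampered),  # only this voter sees a mismatch
    }

if __name__ == "__main__":
    print(demo())
```

In this sketch the receipt shows only that the voter's tag survived decryption; the `choice` field is not covered by it. A short PIN fragment plus a guessable word also gives a tag with little entropy, so a real design would need a stronger secret input.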