4767455
story
Comments: 171 +- News: Is Arizona's Internet Voting System Safe Enough? on Saturday June 06 2009, @02:38PM
Posted
by
timothy
on Saturday June 06 2009, @02:38PM
from the bear-alternatives'-problems-in-mind dept.
from the bear-alternatives'-problems-in-mind dept.
background: url(//a.fsdn.com/sd/topics/topicgovt.gif); width:57px; height:80px;
government
background: url(//a.fsdn.com/sd/topics/topicsecurity.gif); width:59px; height:78px;
security
background: url(//a.fsdn.com/sd/topics/topicus.gif); width:80px; height:61px;
usa
background: url(//a.fsdn.com/sd/topics/topicnews.gif); width:60px; height:66px;
news
JMcCloy writes "Kevin Poulsen, senior editor at Wired News, asks readers 'Is internet voting safe?' and has a poll at the end of the article. So far, 32% responding actually think that internet voting is worth it, risks and all. It is scary how easily people can be persuaded to trust a system that is so vulnerable." The system described, used in Arizona in last year's election process, isn't just checking a box and clicking a button, but Poulsen lays out some scenarios by which it could be subverted.
Related Stories
Technology: Using the Internet To Subvert Democracy 202 comments
Submission: Is Internet Voting Safe? Vote Here by Anonymous Coward
Necessity is a mother.
All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2010 Geeknet, Inc.
Full Results of Poll: ' Is internet voting safe?' (Score:5, Funny)
Yes 32%
No 22%
Ron Paul 46%
Re:Full Results of Poll: ' Is internet voting safe (Score:5, Interesting)
I actually have the opposite view. I think the reason electronic voting is being done so poorly is to prevent allowing a true democracy strip the power from the current 2 party system.
While not simple to get right, a effective convenient secure system would make voting too simple. We could actually have more rounds of votes, and eliminate needing just 2 candidates at the beginning of the election. More issues could be voted on, more laws, quicker correction on corrupt politicans, etc, etc. Those in power have much more interest in preventing trust-able e-voting than not.
Parent
Re: (Score:2)
Which would mean we need this. http://en.wikipedia.org/wiki/Bureau_of_Sabotage [wikipedia.org]
Because the mob can be non-sentient.
No, no, no (Score:5, Insightful)
I am politically active student (Member of the Left Youth of Finland, etc.) in a country that doesn't use two party system and I disagree with all of your points.
I actually have the opposite view. I think the reason electronic voting is being done so poorly is to prevent allowing a true democracy strip the power from the current 2 party system.
Well, I live in a country which has never used electronic voting in electing the parliament. There are currently 14 active political parties in Finland (15 in a few weeks as the Pirate Party recently managed to get enough supporters to register themselves as a party), 8 of which are currently represented in the parliament. (The remaining parties only have representatives at municipal level).
You can't blame the two party system on normal voting being so complicated and electronic voting being the answer or anything. It is political system that has it's merits and flaws but it not only can be but is also very easy to implement even without electronic voting.
While not simple to get right, a effective convenient secure system would make voting too simple. We could actually have more rounds of votes, and eliminate needing just 2 candidates at the beginning of the election.
We have more than two candidates here with still a few rounds of votes. We use this [wikipedia.org] method. Each party has it's own list. Let's say I vote a candidate in the Left Alliance as do 1000 others. The most popular candidate within the left alliance gets 1000 votes, the second most popular within the left alliance gets 500 votes, the third most popular gets 333 votes... After that, candidates from all parties use those numbers to see who gets elected. Again, it has it's flaws but it works quite well.
More issues could be voted on, more laws, quicker correction on corrupt politicans, etc, etc. Those in power have much more interest in preventing trust-able e-voting than not.
Direct democracy is beautiful idea. However... If your problem is that you feel people don't pay enough attention to politics in elections (they don't remember the bad decisions politician have made, etc.) then how do you expect them to pay enough attention that they would have good, well thought out and educated opinion on even more issues?
Also... We aren't talking about electronic voting here. We are talking about internet voting. The kind where violent husband can force his wife to vote for extremist parties because there can not be any precautions to protect from that.
Parent
Re: (Score:2)
Ok, what the hell. The title; "The 'Robinson Method' a really simple way to have trustworthy elections".
Fine. Did you see how long it took to explain? And I thought STV [wikipedia.org] was difficult to explain! Anything that requires 4000+ words to explain is either not simple or badly explained. I suspect in this case it's a little from column a and a little from column b.
Irony is... (Score:3, Insightful)
... an Internet poll about the "safety" of Internet polls.
Especially if you are "persuaded to trust" the results and derive some sort of observation from it.
Re: (Score:2)
http://www.escapistmagazine.com/forums/read/7.109951 [escapistmagazine.com]
I know there's an observation in this one, at least.
Safe or not... (Score:3, Interesting)
I already consider online banking to be at least as secure as ATM transactions, and I see no reason why a properly designed online voting system couldn't be the same.
That being said, the current state of the industry is pathetic. For instance, not too long ago a Diebold machine was exploited by its anti-virus software. If you have anti-virus software running on your electronic voting system you're doing it wrong.
Re:Safe or not... (Score:4, Insightful)
For me, the biggest problem with e-voting isn't the level of security you can achieve, it's the amount of damage someone can do once they're 'in'. Sure there's bits of fraud and error here and there with conventional ballots, but to guarantee a result requires a lot of suspicious activity. Right now even the military, DoD, etc... can't seem to keep hackers out all the time. Imagine what a back door to an election would be worth on the black market.
Parent
bits of fraud and error? (Score:3, Insightful)
You have got to be kidding.
Were you watching Minnesota in the last congressional election?
How many ballots have to be 'found' a week after the election to be more then a 'bit of fraud'?
Amazing how they 'found' just enough ballots for their chosen party to pull out the election.
Nothing matters unless they also fix the registration fraud problem anyway.
If you can 'vote early and often' it doesn't matter how you are voting.
Re:bits of fraud and error? (Score:4, Insightful)
Were you watching Minnesota in the last congressional election?
which is the entire point. You could watch it because physical ballot papers had to be found. If you are right that it was fraudulent, and I have no idea, then the fraudsters put themselves at a much greater risk. The ballot papers they added could have their genetic material or chemical contamination or many other signs of tampering. With an e-voting system there will be nothing to tell you that there was fraud and they won't have to wait until afterwards to know whether they need to "just add a few more fraudulent ballots". They'll add just enough to be safe (e.g. avoid a recount; avoid a suspicious miscount etc.).
Try not to think about what you could do to make a safe voting system. Instead think "how could I manipulate an e-voting system". When you think about it, you'll find lots of ways to do it for fun and profit. I recommend that everybody in the USA with the opportunity starts trying to fix ballots to go to third parties (even if you support the Republicrats or Democans). That will get e-voting off the agenda quicker than you can possibly imagine.
Parent
Re: (Score:3, Insightful)
What you describe is pretty small time, most of the time. Yes when an election is close you can game the system right now, but for most elections, ones where a candidate is ahead by at least a percentage point, fraud on that scale would be too damned obvious.
With internet voting, where a .01% change and a 1% change require the same amount of effort, swinging an election via fraud becomes much easier.
Re: (Score:2)
The source code would have to be open before I would trust it.
Crypto behind e-voting has some similarities with e-cash. Its a really interesting topic.
Open source no pancea (Score:3, Interesting)
Re:Safe or not... (Score:5, Insightful)
I still refuse to believe that eventually we couldn't make Internet voting more secure than paper ballots.
Your physical security is also an issue.
If you go to a polling station then you can be sure no one will force you to cast your vote on his preferred candidate.
But if you vote from your home via the internet then members of the local mafia can stand behind your back while you're voting and they can force you to vote on the politician who pays them.
How could you fix this "security hole" in the internet voting scheme?
Parent
Re: (Score:2, Insightful)
Your physical security is also an issue.
If you go to a polling station then you can be sure no one will force you to cast your vote on his preferred candidate.
But if you vote from your home via the internet then members of the local mafia can stand behind your back while you're voting and they can force you to vote on the politician who pays them.
How could you fix this "security hole" in the internet voting scheme?
Allow the user to change his vote until the poll closes. It may not be perfect but the mob has a set limited amount of resources and to make a large enough impact they must move on to other homes.
Is that even a legit concern? That sounds like more of a social problem than a technical issue.
Re: (Score:2)
It's a social problem, yes, but one that historically people who think about voting in a free society have been concerned with. One way to subvert a nominally democratic system is to add social (or physical, or monetary) pressure to vote for or against someone; one way to make that harder is to make the voter unable to prove who they voted for, so they can just say "yeah I voted for you" and nobody can verify whether that's the case or not.
Re: (Score:3, Insightful)
That's a reaction to a symptom, and not a solution. Much more likely is that many controlling spouses will force their partners to vote a certain way. Or would vote for their elderly relatives. And yes, even though thi
Re: (Score:2, Funny)
Vote selling is possible (Score:3, Funny)
Last time I voted, I wasn't strip-searched for cameras.
Here's how Tony the Mobster buys your vote: you'll deliver to him a small video of you in the booth, with the ballot clearly made out as a vote for what he wants, and you exiting the booth putting the vote in the urn. The he won't shoot your kneecaps.
He'll probably even help you with a good enough covert camera if your cell phone will attract too much attention.
Anybody got an idea for how to limit this? Tony is a resourceful man, he can send goons to
Security isn't the question though... (Score:5, Insightful)
But security isn't the question. The problem is that with secure and anonymous electronic voting there is no outside way to verify that the results reported have anything to do with the votes cast. Whoever controls the system can make it report whatever results they want, and there's no way to tell if they are telling the truth or not. If your first thought is "well, make it open source," think again [bell-labs.com].
The difference being that the banks (which run both ATMs and online banking sites) don't also control the money supply. If they did (e.g., if they could just create money the way the government does) we'd have a major problem. No matter how secure the process is, once it subsumes enough levels that you have know way of knowing if it's just reporting made-up numbers, you have a problem.
--MarkusQ
Parent
Re: (Score:2)
Lack of imagination.
For example, consider a commit-or-verify scheme. After you cast a ballot you can either commit the ballot or verify that it was recorded correctly and repeat the process.
Check out VoteBox:
http://www.usenix.org/events/sec08/tech/full_papers/sandler/sandler_html/index.html [usenix.org]
Lack of paranoia (Score:3, Insightful)
Phooey. For any such system you can devise, it would be possible to implement a "mock-up" system that appeared to use your clever safe, secure, and trustworthy system but in fact did not (to see this just consider the fact that any software solution could itself be simulated in software). This simulation could be pr
VoteBox (Score:3, Insightful)
The system you linked to has numerous obvious flaws for internet voting, even after skipping over the fact that it isn't intended for use in an unsupervised environment. For example, a compromised machine could simply delay transmission of a ballot it wished to tamper with until after the user had decided to challenge or cast it. Likewise, the central tabulator could still produce bogus results. And the
Security can be had. (Score:2)
But security isn't the question. The problem is that with secure and anonymous electronic voting there is no outside way to verify that the results reported have anything to do with the votes cast.
Have a look at this: http://en.wikipedia.org/wiki/End-to-end_auditable_voting_systems [wikipedia.org]
What you might be saying (and what I'll claim) isn't that there is no secure way of implementing the currently implemented protocol. It's that it's the wrong protocol, since it's basically "1. Tell the vote-counter what your vote is; 2. trust the vote-counter to report the correct final tally."
There are ways to remove the trust requirement.
Re: (Score:3, Insightful)
Agreed. Specifically, the anonymity "requirement" means that you're left with nothing but trust, because ultimately you'll want to address problems of the form "These N people voted for X yet X only got N-1 votes" a
Internet voting vulnerable at all ends (Score:3, Interesting)
As others have already pointed out, it becomes impossible to verify that our elections officials are acting honestly. Some do; some don't; most have an unfounded trust in their employees/volunteers (to not assist in fraud). This is the big problem.
There are myriad other problems too. What happens if the polls are closed early by to a DDoS attack? How can you guarantee the server won't be hacked? (It happens to banks sometimes.) What about the machines people are voting from? If they're voting from hom
Recipe for pseudo democracy (Score:4, Insightful)
Re:Recipe for pseudo democracy (Score:5, Funny)
Second thing - hookers and blackjack in the white house. On second thought, forget the dictatorship.
Parent
Re:Recipe for pseudo democracy (Score:5, Insightful)
Parent
Re: (Score:2)
It's all about the candidates. If all of the options are all you then who cares if they use e-voting? It really doesn't matter. All the choices are for your team(s).
That's how I see this debate over e-voting. Until the two party system behind it is fixed it's really not going to matter. Paper ballots can be rigged easily, there is hardly any security. Oh you got a phone bill and a state ID? well that seems legit, step into the ballot booth Mr. Popadopolis.
Re: (Score:2)
paper vote fraud (usually) - O(n)
electronic vote fraud - O(1)
I agree that the two-party false-dichotomy is a bigger problem, but we can't deal with that in a vacuum. Electronic fraud is much easier to perpetrate (particularly when mixed with corruption). Paper fraud without corruption: much harder to do. (It does happen, and needs to be addressed, but it's not nearly as big a worry.)
Re: (Score:2)
"If I ever start a dictatorship, first thing I do, is get everybody voting electronically."
If I ever start a dictatorship, the first thing I do, is abolish voting alltogether and start a massive propaganda campaign. But that's just me.
Internet Voting (Score:4, Insightful)
There is a negative correlation between a knowledge of computer security and the desire to introduce Internet voting. The more you have of the first the less you want the second. If crackers can get into the Pentagon computers and when we find the plans of Marine Helicopter One in a Tehran coffee shop, then we should realize that getting into a domestic voting system to alter the results is trivial.
The voting machines are about the same security level as WEP.
Re: (Score:2)
Let the computers count the votes (Score:2, Insightful)
Starting one day after computers are granted the right to vote.
Until then let's have people do it. If it's not important enough of an issue for some people to take the time to even count the votes, it's not important enough to put to a vote.
Scary? (Score:2, Informative)
So far, 32% responding actually think that internet voting is worth it, risks and all. It is scary how easily people can be persuaded to trust a system that is so vulnerable."
So you're saying that an internet poll (something that's guaranteed to have a bias towards everything internet) has a strong majority of people agreeing that internet voting is not worth it, and the conclusion you reach is that "[it's] scary how easily people can be persuaded to trust a system that is so vulnerable?" The numbers seem to suggest that it actually isn't all that easy to persuade people to trust such a system.
Radical transparency? (Score:2)
With things like 'registered republican' or 'registered democrat' in place, I see no problem with this.. Majority of people that do vote also do not cover their political views anyway, so do we really need anonymous voting ? E-voting or not, this is the only way for voting to be accountable and truly verifiable.
Work in a union shop? (Score:4, Interesting)
You better have voted correctly or you're going to get your legs broken.
Yes we need a secret ballot.
If you are fool enough to trust unions substitute employer, same answer.
Parent
Not much different than mail in ballots (Score:5, Informative)
Whereas "true" Internet voting is a phenomenally bad idea (when implemented in a way that's acceptable to the majority of voters), the Arizona system isn't really Internet voting. It's more "absentee ballots" that use the Internet as the delivery mechanism rather than the normal postal system.
Mail-in ballots are extremely common in Arizona ever since they changed the "absentee balloting" system into a more generic "everybody can use it" system. For instance, I have a ballot automatically mailed to be before every election, no matter how big or small, without me having to do anything but sign up a couple years ago. It's very slick.
The ballot is a normal paper one exactly like those found in the polling place. I fill it out by completing arrows pointing to my choice (easy and not even remotely ambiguous) then put it in a specially coded envelope that I sign and mail in. On the other end, a poll worker opens the envelope, marks that I voted (to prevent multiple votes), saves off my signature, and puts the ballot through the normal recording devices to record my vote. The voter lists in my local polling place have me marked as "mail in" so if I were to drop by on election day, they would accept my ballot but it would only be counted after all other ballots are counted and they can verify that I hadn't already voted.
It's extremely convenient and has made the difference between voting only in the major elections to voting in all of them (and learning a lot more about local candidates in the process). The drawback is that I have to trust that my vote isn't tied with my name. See, when you are at a polling station, then they record that you voted, but your actual ballot isn't in any way tied to you. With the mail-in process, it's possible that that is still the case (maybe the person/system opening the envelopes isn't the one recording the votes)... but you can't know for sure. For all I know, they may have a database mapping people with who they vote for. Honestly, that doesn't bother me at this point. I am pretty vocal about who I vote for and have even publicly posting my voting lists for the world to see before. I guess I would stop the mail-in only if I had reason to believe that my vote wasn't being counted.
Anyway, that's the mail-in system. The "Internet voting" system is effectively that but for people overseas. That option was never available for me since I'm local. The only difference is that instead of putting their ballot into an envelope and signing that, they instead scan it in and upload it to a server. Everything else is identical.
The article does make a few good points on some ways that that system could be subverted. Yeah, there are definitely a few more attack points... but they seem a little far fetched at this point. The level of effort required to implement any of the attack vectors would only be worth it if done at a bigger scale. That is, if this started being available to ALL AZ residents, then it starts to matter. For now... meh.
Re:Not much different than mail in ballots (Score:5, Insightful)
The flaw of mail-in voting is it's not secret. Your spouse, priest, employer -- name-power-trip-here -- can make sure you are voting "right". Only the booth secures that it is your own private decision.
Parent
The alternative isn't safe, either (Score:2)
The bad thing is work can fource you to vote there (Score:2)
The bad thing is work can force you to vote there way my makeing you vote at work while they see the why that you are voting.
Re: (Score:2)
The problem is TV News (Score:2)
If the US had "proper" laws controlling the press, this might not be a problem. If TV News had a shred of ethics, this might not be a problem. Neither is the case, so we are faced with a very difficult situation.
The TV News is going to announce a winner before everyone goes to bed. In the case of national elections, this pretty much means midnight Eastern time. They have to do this or they lose relevence and people won't bother watching their election coverage. This then directly affects ratings and th
Speaking as a citizen of Arizona (Score:3, Insightful)
Any change, technological or otherwise, that reduces the influence of the idiots in this state can only be a good thing. Sweet merciful Christ, just look at our senators, our representatives... Napolitano is the first governor in decades that didn't end her term in disgrace or prison, and she gets promoted out-of-state. McCain is our sane senator.
Easily secured (Score:2)
Poulsen's avenue of attack is discussed as if it were an intractable problem of Internet voting. Really, Arizona could defeat this attack with a simple addition to the process: require an additional mailed copy of the ballot. Compare the physical copy with the electronic copy. If anyone's differs significantly, you know there's someone trying to rig the election. As an added bonus, you have a trail for the FBI to follow in determining who's going to spend some quality time in a small room.
Re: (Score:3, Interesting)
Good enough isn't good enough here (Score:4, Interesting)
We have to assume that if the Internet is secure enough for us to buy stuff, then it is secure enough for voting.
Not true, for several reasons. There are several additional security constraints on voting. For example, you cannot be allowed to prove how you voted. Therefore, you cannot receive feedback on how you voted. You can't "balance your checkbook", so to speak. They know this and can set the online balance to whatever they choose. That's without hacker involvement. Online purchases are actually much riskier than most people are willing to consider. "Identity theft" has skyrocketed, and compromising online purchases is one way that's done. Sure the transmission may be secure, but either the client or server may be compromised (and are, regularly). Banks have simply decided to live with a particular level of fraud. HTTPS is only a small part in the equation.
From a practical standpoint, only close elections can be stolen anyway.
Again, not true. The public only needs to belive that it was close. That's not too hard, really.
If a close election is stolen, then approximately the same number of persons disagree with the result as if the election were not stolen, so what difference does it really make from the standpoint of quality of outcome?
I see your point from a pragmatic point of view, but I disagree. I don't want to see people with power getting away with abusing us and grabing more power. It's the principle of the thing. Besides, we don't want to encourage corruption. Period.
Parent
Re: (Score:2)
people like me could vote
People like you can vote, you just choose not to.
You probably wouldn't vote if they made it real easy. Its just apathy, there is no cure for that.