Sunday, June 07, 2015
The code that the machine runs must be correct (without significant bugs or errors), which is difficult (and expensive).
Worse, you must be certain that the code you have validated is actually the code it runs for every vote during the election, which is impossible. As in, literally impossible. The problem is, the only way to find out what code the machine is running is to ask it. Because machines are programmed by humans, machines can lie, just like humans.
Here's how it works:
Computer running the validated code1. Computer expert queries the computer about what code it is running
2. Computer says "I am running the validated code"
Computer running hacked code1. Computer is hacked, adding malicious (lying) code to the validated code
2. Computer expert queries the computer about what code it is running
3. The malicious code lies and says "I am running the validated code"
This is not theoretical, this is exactly what a rootkit does.
So if the machine only records votes electronically, you can never be sure if your vote was correctly recorded. (This is not to mention the possibility of alteration during a long electronic chain of transmission to get to the final election results.)
The only way to verify your vote is to get a paper printout, so that you can look at the paper and validate that it shows your vote as cast. But again, remember the computer can lie. You can vote for party A, the computer can record the vote for party B and then print a paper receipt saying you voted for party A.
The only way to actually be certain of the vote count is to count the paper...
which means you just spent millions of dollars replacing a pen.
These are just the core issues, in an ideal system.
In reality, there are many more problems with voting machines. Although some were based on ATMs, ATMs are physically bigger, have a simpler job, have much clearer transactional validation (ask for $100, complain if you don't get $100), and have dedicated maintenance teams. While some voting machines were build by ATM manufacturers (like Diebold), the coding was rushed (at least we assume so, we don't get to see the coding), the machines are only used once a year at most, and the maintenance is done by amateurs who don't have the bank's monetary motivations for maintaining accuracy. In such a situation, voting machines can have many errors including:
* touchscreen misalignment
* coding errors
* introduction of malicious code e.g. via USB
* failure due to poor storage or aging out
* existing software vulnerabilities (particularly since most run Windows) that are uncovered during the lifetime of the machine but never patched, opening them to network or USB attack
Friday, April 17, 2015
Internet voting risks
I have been tweeting many links about Internet voting risks on the account @papervote
but now it is time to put them together in a blog post.
You can also find links in my bookmarks (which are drawn from many of my accounts, not just @papervote) under tag voting_tech_risks (click link for full list).
Also see extensive materials at http://www.verifiedvoting.org/resources/internet-voting/
Statements from Computer Scientist OrganisationsComputer scientists are best positioned to understand the risks related to the use of computers for voting. They have made clear statements against the use of Internet voting at this time.
✭ US Association for Computing Machinery (ACM) - Internet voting
Internet voting adds additional concerns about security, verifiability and auditability to those already known about electronic voting. ...✭ Computer Technologists' Statement on Internet Voting
At the present, paper-based systems provide the best available technology to [preserve the ability to audit and/or recount the votes].
Several serious, potentially insurmountable, technical challenges must be met if elections conducted by transmitting votes over the internet are to be verifiable.
Government Reports / Tech Reports✭ US Office of the Director of National Intelligence - Opening Statement to Worldwide Threat Assessment Hearing (PDF) - February 26, 2015
Remarks from the Honorable James R. Clapper, Director of National Intelligence:
I'll start with cyber threats. Attacks against us are increasing in frequency, scale, sophistication and severity of impact.✭ Foundation for Information Policy Research - Response to The Speaker’s Commission on Digital Democracy (PDF) - September 27, 2014
this technology still has very significant issues with security, privacy, coercion resistance, auditability and comprehensibility, which preclude its use in high-stakes contests where capable and well-resourced actors (political parties, lobby groups and even foreign governments) may have an incentive to manipulate the system✭ Parliament of Australia - Inquiry into... 2013 General Election - Second Interim Report: An assessment of electronic voting options
This excellent report, licensed in the Creative Commons for reuse (CC BY-NC-ND 3.0 Australia) covers many risks related to Internet voting, with very clear language.
Full report (PDF) can be downloaded; individual sections also available.
✭ NISTIR 7770 - Security Considerations for Remote Electronic UOCAVA Voting (PDF) - February 2011
✭ UK Electoral Commission - Key issues and conclusions: May 2007 electoral pilot schemes (PDF; copy from Archive.org) - August 2007
issues with the security and transparency of the solutions
Expert Analysis✭ Independent Report on E-voting in Estonia
Audio and Video✭ Security Analysis of Estonia's Internet Voting System by J. Alex Halderman - published to YouTube Dec 28, 2014
From the Chaos Communication Conference (31c3) in 2014. You can also see the video on their website.
✭ Why electronic voting is a BAD idea - published to YouTube Dec 18, 2014
The above video is a fantastic clear explanation of why electronic voting machines are a security risk and why Internet voting is even worse.
Presented by Tom Scott for Computerphile, filmed by Sean Riley.
✭ Videos from online course Securing Digital Democracy by J. Alex Halderman
✭ SRI International - Podcast (audio) - Internet voting - October 10, 2010
Interviewing Jeremy Epstein.
Articles, Blog Posts, etc.✭ Freedom to Tinker - Decertifying the worst voting machine in the US - by Jeremy Epstein - April 15, 2015
✭ Remarkable Virginia IT Agency Report Details Reasons for WinVote Decertification - by Doug Chapin - April 15, 2015
✭ Sydney Morning Herald - International experts warn of the risks of Australian online voting tools - March 24, 2015
✭ Communications of the ACM - Security Risks, Privacy Issues Too Great for Internet Voting - March 12, 2015
Above article reports on a presentation by computer scientist David Jefferson.
✭ CBC - Internet voting isn't a big draw for younger voters, researcher says - February 11, 2015
Note that Nichole Goodman is a social sciences researcher, not a computer scientist.
✭ Analyst opinion: Don’t take online voting for granted - by Nick Wallace - January 30, 2015
Government should consider alternatives to online voting. ... Preventing fraud is a tall order. ... An additional challenge is preserving the secret ballot...✭ USA Today - Online voting rife with hazards - November 4, 2014
Above article by computer scientist Barbara Simons.
EducationLearn more about the issues.
... more to come
Wednesday, October 19, 2011
City of Markham's Internet voting story at GTEC 2011
Using Digital Technology to Connect with Citizens in the Town of Markham
Given the apparent decrease in voter engagement, Canadian governments are faced with seeking innovative ways to connect with the public. When used strategically, digital technologies are an effective means to engage citizens. Through the use of Internet voting and the implementation of multiple interactive online initiatives, the Town of Markham has become a leader in eDemocracy. In this session attendees will hear from the Mayor of Markham, the visionary behind Markham’s innovative use of digital technologies to engage citizens, as well as the CEO of Delvinia, the firm behind the initiatives and the only organization to collect consumer data on Internet voting in three consecutive elections.
from GTEC 2011 Conference Program at a Glace
Wednesday, September 28, 2011
in which I help the news media
"Our latest DIG report examines the Town of Markham’s experience with Internet voting in the 2003, 2006 and 2010 municipal election"
This is good.
In 2010, with the support of Ryerson University, Delvinia secured an Engage Grant from the Natural Sciences and Engineering Research Council (NSERC) to commission Nicole Goodman, a PhD candidate specializing in Canadian political institutions and alternative voting methods, to provide a scholarly perspective on the data collected following the 2010 election as well as a comparison to the data Delvinia collected in the 2003 and 2006 elections.It is also excellent to see academic research in this field and a rigorous report.
The DIG report is available online at www.delvinia.com/dig. The full research report is available for purchase through Delvinia. Please refer to our order form to obtain a copy of the report.from http://www.delvinia.com/delvinia-releases-dig-report-on-edemocracy-and-citizen-engagement/
So objective fact 1: Delvinia is selling the full report.
In addition to helping the Town raise awareness of Internet voting in the 2003, 2006 and 2010 municipal elections, Delvinia also conducted in-person and online surveys to collect data regarding public attitudes, feelings and beliefs toward Internet voting in each of those elections.from http://www.delvinia.com/should-canadians-have-the-opportunity-to-vote-online/
So objective fact 2: Delvinia was paid by the City of Markham to promote Internet voting in 2003, 2006 and 2010 (the same years in the same city concerning the same topic that the newly-released evoting report covers).
4) The correct way to report this, providing the full context, would be
Delvinia, a company paid by the City of Markham to promote Internet voting in 2003, 2006 and 2010, is now selling a detailed report about Internet voting in Markham. The report concludes Internet voting was a great success.
I am not criticising Delvinia or the report, I am just stating the objective facts of the context of the report.
So I will now help some news reporting organisations.
This is what the Star wrote
Internet voting in advance polls in Markham has helped increase overall voter turnout, engage non-voters to vote and greatly improve overall voter satisfaction, according to a research and public opinion report released Monday.http://www.thestar.com/news/article/1059558
In the report by Delvinia, a digital strategy firm, voter turnout in Markham has increased by 35 per cent since the introduction of Internet voting in 2003, and much of that is attributed to the advent of online voting.
You may note that neither in this extract nor indeed anywhere in the entire article does it mention the context I provided above. The article with context would be
Internet voting in advance polls in Markham has helped increase overall voter turnout, engage non-voters to vote and greatly improve overall voter satisfaction, according to a research and public opinion report released Monday.This is what IT World Canada wrote
In the report by Delvinia, a digital strategy firm, voter turnout in Markham has increased by 35 per cent since the introduction of Internet voting in 2003, and much of that is attributed to the advent of online voting. Delvinia, a company paid by the City of Markham to promote Internet voting in 2003, 2006 and 2010, is now selling a detailed report about Internet voting in Markham.
New data culled from Markham, Ont. voters could make a case for the introduction of Internet voting across all levels of government in Canada, according to a new report from user experience design firm Delviniahttp://www.itworldcanada.com/news/e-voting-gets-almost-unanimous-praise-study-finds/144015
The Toronto-based digital consultancy released the findings of its eDemocracy and Citizen Engagement report on Monday, which focused on the Town of Markham’s recent online voting initiatives. The municipality has offered online voting for its local elections since 2003.
And here, again, is the article with the actual full context added
New data culled from Markham, Ont. voters could make a case for the introduction of Internet voting across all levels of government in Canada, according to a new report from user experience design firm DelviniaI want to be completely up-front: I am profoundly disappointed that major Canadian news media are not providing the full context of this report. I expect the news media to provide context for ANY press release, announcement, speech, interview or think-tank report. Information without context is no foundation for democracy.
The Toronto-based digital consultancy released the findings of its eDemocracy and Citizen Engagement report on Monday, which focused on the Town of Markham’s recent online voting initiatives. The municipality has offered online voting for its local elections since 2003. Delvinia, a company paid by the City of Markham to promote Internet voting in 2003, 2006 and 2010, is now selling a detailed report about Internet voting in Markham.
UPDATE: I should also mention, in case you think this is a minor nuance on an obscure story buried in the back pages of the paper, that "Online voting changes the game" was the Toronto Star's front-page, above-the-fold, banner full-width headline story for Monday September 26, 2011. In newspaper terms, they declared it the single most important story in the world for September 26, 2011.
Monday, May 02, 2011
May 2, 2011 - Election Day
Wednesday, April 27, 2011
Canadian online voting discussion on The Rutherford Show
You can listen to the show live - click the large "Listen Live" icon at the top of the web page.
Wednesday, April 20, 2011
if I can do X online, then why not voting
Let’s boost participation by allowing online voting
Canada.com - April 15, 2011
And this is a kind of typical "hey our government cybersecurity research lab was hacked" story
Top Federal Lab Hacked in Spear-Phishing Attack
Wired Threat Level - April 20, 2011
Because the answer is, you don't bank online securely. People's online banking is hacked ALL THE TIME. Everyone's systems, including national cybersecurity facilities in the US and Canada, get broken into by determined, sophisticated attackers.
Let me make it clear, I respect Ms. Almeida's question. It is not at all obvious to someone who hasn't stepped through the properties of our current paper-based system one-by-one, and who hasn't analysed the risks of a purely Internet-based system, why online voting shouldn't be as simple as filing your taxes online.
What you CAN do with banking is have their experts follow a forensics trail, undo the unauthorized changes, and return your account to its correct state. As happened to me recently when my credit card number was stolen.
But you CANNOT DO THIS WITH A ONE-TIME, ONE-VOTE, ANONYMOUS ELECTION.
If your vote is reversable 1) it has to be personally identifiable 2) ANYONE with technical knowledge can reverse it.
So that's why you can't vote online. It's not a technical problem. There are no technical barriers to voting online. Amongst many, many other things it's a security problem. Even if you can solve the security problem, you still can't verify what code is running (so open source doesn't help). Even if you could solve the security AND the code verification problems, you still can't stop someone standing over you at home as you vote, and threatening you if you don't vote the correct way (the coercion problem). Or someone can just steal someone's voting credentials and skip the bother of threatening them (the authentication problem).
Hackers will attack your vote, it's just a question of whether they succeed. And the company or individuals writing the code could be malicious, corrupted or threatened. Or the company making the servers. Or the people in the server room. Or actively malicious insiders anywhere along the network chain. Or citizens can be systematically intimidated into voting a certain way. Or the voting credentials of huge numbers of people who don't bother to vote can simply be stolen (e.g. monitoring the mailboxes of students and other young people for convenient mailings with PIN numbers that are unlikely to be used).
Oh, and even if someone miraculously everyone involved in the long chain between you and your vote being recorded on a distant server is trustworthy and not malicious, the software can still have bugs. In fact it's pretty much guaranteed to have bugs. Bugs which may not show up until millions of real users start hammering the real system on election day. So it can still fail spectacularly. Or even worse, fail silently and undetectably, misrecording or losing votes.
But other than that, online voting is a great idea.
PS If you think the TV shows have mastered this problem, I suggest googling so you think you can dance vote hacked or head right to
How the 'Dancing' vote was hacked - MSNBC Cosmic Log - November 19, 2010
Please note: the following reproductions are a copy of the promotional icons that are published by Elections Canada and the reproductions have not been produced in affiliation with, or with the endorsement of Elections Canada.
UPDATE: Removed in accordance with May 2 deletion requirement. ENDUPDATE
In general Elections Canada could use some major website and social media help.
That would move youth turnout a lot more than online voting.
Note to self: Apparently I am to make these icons disappear after May 2, 2011.
* You are hereby granted a limited license to reproduce and display the promotional icons on your website for purposes of providing information to the public about the current general election by offering a link to Elections Canada's web site;
* The rights granted herein are for a limited term ending on May 2, 2011;
* You must reproduce the promotional icons in the format and in the color displayed herein and you may not modify, alter or adapt the promotional icons or any part of them;
* You will acquire no right or interest in the promotional icons or the copyright therein, except for the limited license granted herein; and
* You must indicate to the public that the reproduction is a copy of the promotional icons that are published by Elections Canada and that the reproduction has not been produced in affiliation with, or with the endorsement of Elections Canada.
Labels: elections canada