Friday, April 17, 2015
Internet voting risks
I have been tweeting many links about Internet voting risks on the account @papervote
but now it is time to put them together in a blog post.
You can also find links in my bookmarks (which are drawn from many of my accounts, not just @papervote) under tag voting_tech_risks (click link for full list).
Also see extensive materials at http://www.verifiedvoting.org/resources/internet-voting/
Statements from Computer Scientist OrganisationsComputer scientists are best positioned to understand the risks related to the use of computers for voting. They have made clear statements against the use of Internet voting at this time.
✭ US Association for Computing Machinery (ACM) - Internet voting
Internet voting adds additional concerns about security, verifiability and auditability to those already known about electronic voting. ...✭ Computer Technologists' Statement on Internet Voting
At the present, paper-based systems provide the best available technology to [preserve the ability to audit and/or recount the votes].
Several serious, potentially insurmountable, technical challenges must be met if elections conducted by transmitting votes over the internet are to be verifiable.
Government Reports / Tech Reports✭ US Office of the Director of National Intelligence - Opening Statement to Worldwide Threat Assessment Hearing (PDF) - February 26, 2015
Remarks from the Honorable James R. Clapper, Director of National Intelligence:
I'll start with cyber threats. Attacks against us are increasing in frequency, scale, sophistication and severity of impact.✭ Foundation for Information Policy Research - Response to The Speaker’s Commission on Digital Democracy (PDF) - September 27, 2014
this technology still has very significant issues with security, privacy, coercion resistance, auditability and comprehensibility, which preclude its use in high-stakes contests where capable and well-resourced actors (political parties, lobby groups and even foreign governments) may have an incentive to manipulate the system✭ Parliament of Australia - Inquiry into... 2013 General Election - Second Interim Report: An assessment of electronic voting options
This excellent report, licensed in the Creative Commons for reuse (CC BY-NC-ND 3.0 Australia) covers many risks related to Internet voting, with very clear language.
Full report (PDF) can be downloaded; individual sections also available.
✭ NISTIR 7770 - Security Considerations for Remote Electronic UOCAVA Voting (PDF) - February 2011
✭ UK Electoral Commission - Key issues and conclusions: May 2007 electoral pilot schemes (PDF; copy from Archive.org) - August 2007
issues with the security and transparency of the solutions
Expert Analysis✭ Independent Report on E-voting in Estonia
Audio and Video✭ Security Analysis of Estonia's Internet Voting System by J. Alex Halderman - published to YouTube Dec 28, 2014
From the Chaos Communication Conference (31c3) in 2014. You can also see the video on their website.
✭ Why electronic voting is a BAD idea - published to YouTube Dec 18, 2014
The above video is a fantastic clear explanation of why electronic voting machines are a security risk and why Internet voting is even worse.
Presented by Tom Scott for Computerphile, filmed by Sean Riley.
✭ Videos from online course Securing Digital Democracy by J. Alex Halderman
✭ SRI International - Podcast (audio) - Internet voting - October 10, 2010
Interviewing Jeremy Epstein.
Articles, Blog Posts, etc.✭ Freedom to Tinker - Decertifying the worst voting machine in the US - by Jeremy Epstein - April 15, 2015
✭ Remarkable Virginia IT Agency Report Details Reasons for WinVote Decertification - by Doug Chapin - April 15, 2015
✭ Sydney Morning Herald - International experts warn of the risks of Australian online voting tools - March 24, 2015
✭ Communications of the ACM - Security Risks, Privacy Issues Too Great for Internet Voting - March 12, 2015
Above article reports on a presentation by computer scientist David Jefferson.
✭ CBC - Internet voting isn't a big draw for younger voters, researcher says - February 11, 2015
Note that Nichole Goodman is a social sciences researcher, not a computer scientist.
✭ Analyst opinion: Don’t take online voting for granted - by Nick Wallace - January 30, 2015
Government should consider alternatives to online voting. ... Preventing fraud is a tall order. ... An additional challenge is preserving the secret ballot...✭ USA Today - Online voting rife with hazards - November 4, 2014
Above article by computer scientist Barbara Simons.
EducationLearn more about the issues.
... more to come
Wednesday, October 19, 2011
City of Markham's Internet voting story at GTEC 2011
Using Digital Technology to Connect with Citizens in the Town of Markham
Given the apparent decrease in voter engagement, Canadian governments are faced with seeking innovative ways to connect with the public. When used strategically, digital technologies are an effective means to engage citizens. Through the use of Internet voting and the implementation of multiple interactive online initiatives, the Town of Markham has become a leader in eDemocracy. In this session attendees will hear from the Mayor of Markham, the visionary behind Markham’s innovative use of digital technologies to engage citizens, as well as the CEO of Delvinia, the firm behind the initiatives and the only organization to collect consumer data on Internet voting in three consecutive elections.
from GTEC 2011 Conference Program at a Glace
Wednesday, September 28, 2011
in which I help the news media
"Our latest DIG report examines the Town of Markham’s experience with Internet voting in the 2003, 2006 and 2010 municipal election"
This is good.
In 2010, with the support of Ryerson University, Delvinia secured an Engage Grant from the Natural Sciences and Engineering Research Council (NSERC) to commission Nicole Goodman, a PhD candidate specializing in Canadian political institutions and alternative voting methods, to provide a scholarly perspective on the data collected following the 2010 election as well as a comparison to the data Delvinia collected in the 2003 and 2006 elections.It is also excellent to see academic research in this field and a rigorous report.
The DIG report is available online at www.delvinia.com/dig. The full research report is available for purchase through Delvinia. Please refer to our order form to obtain a copy of the report.from http://www.delvinia.com/delvinia-releases-dig-report-on-edemocracy-and-citizen-engagement/
So objective fact 1: Delvinia is selling the full report.
In addition to helping the Town raise awareness of Internet voting in the 2003, 2006 and 2010 municipal elections, Delvinia also conducted in-person and online surveys to collect data regarding public attitudes, feelings and beliefs toward Internet voting in each of those elections.from http://www.delvinia.com/should-canadians-have-the-opportunity-to-vote-online/
So objective fact 2: Delvinia was paid by the City of Markham to promote Internet voting in 2003, 2006 and 2010 (the same years in the same city concerning the same topic that the newly-released evoting report covers).
4) The correct way to report this, providing the full context, would be
Delvinia, a company paid by the City of Markham to promote Internet voting in 2003, 2006 and 2010, is now selling a detailed report about Internet voting in Markham. The report concludes Internet voting was a great success.
I am not criticising Delvinia or the report, I am just stating the objective facts of the context of the report.
So I will now help some news reporting organisations.
This is what the Star wrote
Internet voting in advance polls in Markham has helped increase overall voter turnout, engage non-voters to vote and greatly improve overall voter satisfaction, according to a research and public opinion report released Monday.http://www.thestar.com/news/article/1059558
In the report by Delvinia, a digital strategy firm, voter turnout in Markham has increased by 35 per cent since the introduction of Internet voting in 2003, and much of that is attributed to the advent of online voting.
You may note that neither in this extract nor indeed anywhere in the entire article does it mention the context I provided above. The article with context would be
Internet voting in advance polls in Markham has helped increase overall voter turnout, engage non-voters to vote and greatly improve overall voter satisfaction, according to a research and public opinion report released Monday.This is what IT World Canada wrote
In the report by Delvinia, a digital strategy firm, voter turnout in Markham has increased by 35 per cent since the introduction of Internet voting in 2003, and much of that is attributed to the advent of online voting. Delvinia, a company paid by the City of Markham to promote Internet voting in 2003, 2006 and 2010, is now selling a detailed report about Internet voting in Markham.
New data culled from Markham, Ont. voters could make a case for the introduction of Internet voting across all levels of government in Canada, according to a new report from user experience design firm Delviniahttp://www.itworldcanada.com/news/e-voting-gets-almost-unanimous-praise-study-finds/144015
The Toronto-based digital consultancy released the findings of its eDemocracy and Citizen Engagement report on Monday, which focused on the Town of Markham’s recent online voting initiatives. The municipality has offered online voting for its local elections since 2003.
And here, again, is the article with the actual full context added
New data culled from Markham, Ont. voters could make a case for the introduction of Internet voting across all levels of government in Canada, according to a new report from user experience design firm DelviniaI want to be completely up-front: I am profoundly disappointed that major Canadian news media are not providing the full context of this report. I expect the news media to provide context for ANY press release, announcement, speech, interview or think-tank report. Information without context is no foundation for democracy.
The Toronto-based digital consultancy released the findings of its eDemocracy and Citizen Engagement report on Monday, which focused on the Town of Markham’s recent online voting initiatives. The municipality has offered online voting for its local elections since 2003. Delvinia, a company paid by the City of Markham to promote Internet voting in 2003, 2006 and 2010, is now selling a detailed report about Internet voting in Markham.
UPDATE: I should also mention, in case you think this is a minor nuance on an obscure story buried in the back pages of the paper, that "Online voting changes the game" was the Toronto Star's front-page, above-the-fold, banner full-width headline story for Monday September 26, 2011. In newspaper terms, they declared it the single most important story in the world for September 26, 2011.
Monday, May 02, 2011
May 2, 2011 - Election Day
Wednesday, April 27, 2011
Canadian online voting discussion on The Rutherford Show
You can listen to the show live - click the large "Listen Live" icon at the top of the web page.
Wednesday, April 20, 2011
if I can do X online, then why not voting
Let’s boost participation by allowing online voting
Canada.com - April 15, 2011
And this is a kind of typical "hey our government cybersecurity research lab was hacked" story
Top Federal Lab Hacked in Spear-Phishing Attack
Wired Threat Level - April 20, 2011
Because the answer is, you don't bank online securely. People's online banking is hacked ALL THE TIME. Everyone's systems, including national cybersecurity facilities in the US and Canada, get broken into by determined, sophisticated attackers.
Let me make it clear, I respect Ms. Almeida's question. It is not at all obvious to someone who hasn't stepped through the properties of our current paper-based system one-by-one, and who hasn't analysed the risks of a purely Internet-based system, why online voting shouldn't be as simple as filing your taxes online.
What you CAN do with banking is have their experts follow a forensics trail, undo the unauthorized changes, and return your account to its correct state. As happened to me recently when my credit card number was stolen.
But you CANNOT DO THIS WITH A ONE-TIME, ONE-VOTE, ANONYMOUS ELECTION.
If your vote is reversable 1) it has to be personally identifiable 2) ANYONE with technical knowledge can reverse it.
So that's why you can't vote online. It's not a technical problem. There are no technical barriers to voting online. Amongst many, many other things it's a security problem. Even if you can solve the security problem, you still can't verify what code is running (so open source doesn't help). Even if you could solve the security AND the code verification problems, you still can't stop someone standing over you at home as you vote, and threatening you if you don't vote the correct way (the coercion problem). Or someone can just steal someone's voting credentials and skip the bother of threatening them (the authentication problem).
Hackers will attack your vote, it's just a question of whether they succeed. And the company or individuals writing the code could be malicious, corrupted or threatened. Or the company making the servers. Or the people in the server room. Or actively malicious insiders anywhere along the network chain. Or citizens can be systematically intimidated into voting a certain way. Or the voting credentials of huge numbers of people who don't bother to vote can simply be stolen (e.g. monitoring the mailboxes of students and other young people for convenient mailings with PIN numbers that are unlikely to be used).
Oh, and even if someone miraculously everyone involved in the long chain between you and your vote being recorded on a distant server is trustworthy and not malicious, the software can still have bugs. In fact it's pretty much guaranteed to have bugs. Bugs which may not show up until millions of real users start hammering the real system on election day. So it can still fail spectacularly. Or even worse, fail silently and undetectably, misrecording or losing votes.
But other than that, online voting is a great idea.
PS If you think the TV shows have mastered this problem, I suggest googling so you think you can dance vote hacked or head right to
How the 'Dancing' vote was hacked - MSNBC Cosmic Log - November 19, 2010
Please note: the following reproductions are a copy of the promotional icons that are published by Elections Canada and the reproductions have not been produced in affiliation with, or with the endorsement of Elections Canada.
UPDATE: Removed in accordance with May 2 deletion requirement. ENDUPDATE
In general Elections Canada could use some major website and social media help.
That would move youth turnout a lot more than online voting.
Note to self: Apparently I am to make these icons disappear after May 2, 2011.
* You are hereby granted a limited license to reproduce and display the promotional icons on your website for purposes of providing information to the public about the current general election by offering a link to Elections Canada's web site;
* The rights granted herein are for a limited term ending on May 2, 2011;
* You must reproduce the promotional icons in the format and in the color displayed herein and you may not modify, alter or adapt the promotional icons or any part of them;
* You will acquire no right or interest in the promotional icons or the copyright therein, except for the limited license granted herein; and
* You must indicate to the public that the reproduction is a copy of the promotional icons that are published by Elections Canada and that the reproduction has not been produced in affiliation with, or with the endorsement of Elections Canada.
Labels: elections canada
Thursday, April 07, 2011
computers never make mistakes
Like say a former computer programmer.
Who counts the vote on a stand-alone computer. In her office.
And discovers over 7500 extra votes due to a spreadsheet copy error.
Is this kind of farce how you want to run elections?
Waukesha County Clerk Kathy Nickolaus' decision to go it alone in how she collects and maintains election results has some county officials raising a red flag about the integrity of the system.
Nickolaus said she decided to take the election data collection and storage system off the county's computer network - and keep it on stand-alone personal computers accessible only in her office - for security reasons.
"What it gave me was good security of the elections from start to finish, without the ability of someone unauthorized to be involved," she said.
Nonetheless, Director of Administration Norman A. Cummings said because Nickolaus has kept them out of the loop, the county's information technology specialists have not been able to verify Nickolaus' claim that the system is secure from failure.
In March, Nickolaus said, she moved the data off that server and into her own stand-alone system. She has a backup on a second computer, she said. In addition, she said, as she programs for elections, she does frequent backups during the day.
Nickolaus said she was a programmer for 15 years before becoming county clerk. And she said her staff knows how to operate the system, so "if I get hit by a bus, this election is going to run just fine."
from August 13, 2010 Journal Sentinel - Officials dispute reliability of Waukesha County clerk's election data system
and what happened in 2011?
David Prosser gained 7,582 votes in Waukesha County, after a major counting error of Brookfield results was detected, County Clerk Kathy Nickolaus announced in a stunning development this afternoon.
Nickolaus says the reason for the big change is that data transmitted from the City of Brookfield was imported but that she failed to save those results to the database. Brookfield cast 14,315 votes on April 5 -- 10,859 of those votes went to Prosser and 3,456 went to JoAnne Kloppenburg.
"The purpose of the canvass is to catch these kind of mistakes," Nickolaus said. She called it human error that is "common in this process." "I apologize," Nickolaus said.
April 7, 2011 - Journal Sentinel - Prosser's huge gain comes after Waukesha County flub is caught
Now let us imagine this story told this way:
* for security purposes, the elections official has boxes containing all the votes, in her private office
* oh and she's an expert in creating ballots
* oh and she just discovered another box of ballots over there in the corner
Do you think any elections observer in the world would buy this?
But it's all done with computers, so I guess it's impossible there could be anything suspicious.
Human nature doesn't change.
And humans program computers.
And humans create the security for computers.
Computer security does not exist in the abstract. Computers do not defend themselves or program themselves. But somehow people think it is a realm beyond human emotion and failings. In the end it's systems created by humans, used by humans, that have to resist threats from humans.
This is what happens when you vote over the Internet:
* Someone with some credentials they got somewhere votes. Hopefully it's you, with your rightful credentials. But it could be anyone who gained valid credentials, anywhere in the world.
* These credentials are used to vote. This involves your computer, full of hundreds of competing programs created by fallible humans, interacting with a website created by humans, over a network built managed and run by humans.
* The vote... or at least a vote, lands on a server... somewhere, a server running thousands of pieces of human-created software. A server installed, controlled, and managed by humans.
So the good news is, as long as you can absolutely trust every one of the thousands of people involved in that chain, and all of the one billion people on the Internet can't outsmart their security, then your vote is fine.
And the above is all if it's done WELL, not if it's some bogus "the counting computer is in my back closet" ridiculously compromised chain of custody.
Or alternatively, you could set things up so local people from competing political parties are watching one another, mark the votes on paper, watch the ballot box containing the votes, and count all the votes in public. In minutes (for a Canadian election).
So your choice is:
1. If you trust everyone who has ever created or maintained any device or software in the chain from your keyboard to the vote-counting server, and everyone with access to the server room, and everyone else in the world who is on the Internet, then Internet voting is a great choice.
2. If you trust people from your neighbourhood who have the very human motivation of competing interests, with a process that is visible to you end-to-end, and immediate local consequences if fraud is found, then you might want to vote on paper instead.
We are very very good at understanding voting risk scenarios in the physical world. We are very very bad at understanding risk in the digital world.
Where would you rather have your voting taking place?
Labels: electronic voting