Tuesday, January 26, 2010
Internet voting dialogue: brief morning summary
I was most impressed with Tarvi Martens' presentation about the technical details of the Estonian Internet voting system. They have clearly thought very seriously about the various issues involved, and have very, very heavy physical security for the data centre, and no remote admin access outside the data centre. He also emphasized they had a principle of "no black box systems" in the data centre, so they use Debian, an open source operating system, rather than Windows. The fact they have a national ID card addresses the key distribution and network encryption issues (because the ID card includes an encryption key, a public/private digital signature key). They also put ISPs on high alert during the election period and monitor continuously for attacks.
I did ask him about the security of the user's desktop, and his answer was reasonable but, to me, ultimately still unsatisfactory. They are using what I assume are honeypot systems to monitor for emerging trojans that pretend to be some component of the desktop voting system (or presumably the ecard reader driver, etc.). They also have as the first step of their voting procedure that the user should ensure their system is scanned for viruses. However, there are multiple issues, including the innumerable vectors for home system attack, the fact that most users WON'T secure or scan their systems no matter how often you educate them about the issue, and the possibility of rootkits or other subtle, elusive trojans that might not be picked up by their honeypots.
He did say, which I think is an important contingency measure, that in the event they did detect a widespread trojan attack, they have the possibility to simply shut down Internet voting and tell people to vote on paper on their regular voting day (Sunday).
The other thing I heard from multiple speakers is that Internet voting is not having substantial impact on turnout. What it is doing is making it more convenient... for people who would have already voted.
Their system was audited by a paid auditor only. The audit results were not publicly released. Why?
Parties sent no observers.
Split public key with parts given to separate people, then all the parts are given to one guy for some reason. They didn't mention that in their slides? ;-)
And the secret ballot? They don't need it because no person in their right mind would buy or sell votes...
When you talk about "engagement", of course Estonia would be a role model, because of a big increase in turnout in the last elections. But think of the questions that really matter and you will see a not-so-pretty picture.