Thursday, January 21, 2010
Ottawa Jan 26, 2010 Elections Canada event on Internet voting
Very worrying.
NOTE: The registration deadline was JANUARY 21, 2010. Here's the (somewhat difficult to find) registration link: http://www.zoomerang.com/Survey/WEB229ZQUQUZMT
The Canada-Europe Transatlantic Dialogue (Strategic Knowledge Cluster)
Internet Voting: What Can Canada Learn?
This workshop brings together practitioners and scholars to explore issues involved in the development of Internet voting. Speakers include experts from various jurisdictions where Internet voting has been used, and prominent researchers who have studied models of Internet voting. Speakers will detail the development of Internet voting in Canada at the municipal level by examining the cases of Markham, Peterborough and Halifax, and in Europe nationally and sub-nationally by exploring the experiences of Estonia, Switzerland and the United Kingdom. The workshop will consider rationales for the implementation of Internet voting, various features and models of its application, advantages and disadvantages, public acceptance, effects on accessibility and voter turnout, and security issues. Experts will share advice regarding technical considerations such as cost, legal requirements, software and security.
UPDATE 2010-01-25: I just realised I forgot to include a link to the event itself. Here is the Elections Canada link - Elections Canada: Media: Special Events and Conferences: Internet Voting and the Carleton link - Canada-Europe Transatlantic Dialogue (CETD) Events: Internet Voting. ENDUPDATE
Look at the issues they're examining:
* cost
* legal requirements
* software
* security
Let's revisit what I have called the "Democracy Requirements" for voting:
* preserving the secret ballot
* retaining the right to an uncoerced vote
* the integrity and accuracy of the vote count (all votes gathered and correctly counted)
* the simplicity of the system (can voters understand how the entire voting system works?)
Do you see the problem? They're talking about voting, but as usual, they're talking about it as if it were any other government "service" that is "delivered", rather than the single foundational element of our democratic society. This is what they always do: focus on the technology rather than the actual requirements for the integrity of the vote.
I can guarantee what the Internet voting presenters will discuss is three main things: convenience, turnout, and security. They will make a bunch of abstract claims about encryption and secure networks that will sound good but that, if you are an actual computer security expert, are actually nonsense.
You CANNOT, as in impossible:
* use technological security to ensure perfect end-to-end chain of custody for Internet voting
* construct a system in which the ballot is actually secret and anonymous
While it is true that there are theoretical computer constructs that can accomplish this, they run on theoretical computers over theoretical networks to theoretical servers. They do not run on Windows 7 computers on an ISP Internet connection to a bunch of servers in an actual datacentre.
Just think of the thousands, probably millions of phishing attempts every day, and the large number of these attempts that are successful. Just think of the recent security attacks on Google. Just think of the endless litany of lost passwords, lost user accounts, compromised commercial organisations. The home computer and the public Internet are together one of the LEAST SECURE possible places I can imagine to hold an election.
Just off the top of my head I can list numerous possible compromises:
* if the password is sent in the physical mail, requiring at most some publicly discoverable extra piece of information (e.g. the user's birthdate), then I can attack the password distribution, in the same way that people steal credit cards and identities
* if it's not sent by mail, how do you solve the huge problem of secure key distribution to 30 million people? (secure key distribution is one of the single hardest problems in computer security)
* If your machine is already on a botnet, and millions of compromised machines already are, I have basically unlimited freedom to alter and compromise the election. I can watch your keystrokes and record who you voted for. I can watch your keystrokes and then, behind the scenes, CHANGE who you voted for. I can decide I don't like the parties running and use my botnet to attack the election servers (if you say "well, the datacentre can just block the attack" - yes, but the attackers are CITIZEN COMPUTERS)
* I can skip the end user and compromise the physical security of the data centre. And/or I can insert code into the servers that counts whatever votes for whatever candidates I want.
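To make the endpoint point concrete, here is an added toy model (not part of the original post and not any real voting system) of what a well-behaved election server can and cannot check. The names `ElectionServer`, `seal` and `run_demo` are hypothetical, and a per-voter HMAC key stands in for "encryption and secure networks".

```python
import hashlib
import hmac
import secrets

CANDIDATES = ("A", "B")  # constructed ballot options


def seal(key, choice):
    """What the voting client does: MAC whatever choice it was handed."""
    return hmac.new(key, choice.encode(), hashlib.sha256).digest()


class ElectionServer:
    """Toy server: authenticates ballots, enforces one vote per credential."""

    def __init__(self):
        self.keys = {}      # voter_id -> per-voter secret (the credential)
        self.voted = set()  # credentials already used
        self.tally = {c: 0 for c in CANDIDATES}  # stored without voter_id

    def enroll(self, voter_id):
        self.keys[voter_id] = secrets.token_bytes(32)
        return self.keys[voter_id]

    def submit(self, voter_id, choice, tag):
        key = self.keys.get(voter_id)
        if key is None or choice not in CANDIDATES:
            return "rejected: unknown voter or choice"
        if not hmac.compare_digest(seal(key, choice), tag):
            return "rejected: bad MAC"
        if voter_id in self.voted:
            return "rejected: already voted"
        self.voted.add(voter_id)
        self.tally[choice] += 1
        return "accepted"


def run_demo():
    server = ElectionServer()
    k1, k2 = server.enroll("voter-1"), server.enroll("voter-2")
    results = {}
    # Honest endpoint: intent "A" is sealed and sent unchanged.
    results["honest"] = server.submit("voter-1", "A", seal(k1, "A"))
    # Changed on the network after sealing: the MAC no longer matches.
    results["in_transit"] = server.submit("voter-2", "B", seal(k2, "A"))
    # Replay of voter-1's valid ballot: caught by the one-vote rule.
    results["replay"] = server.submit("voter-1", "A", seal(k1, "A"))
    # Voter-2 intended "A" but the endpoint sealed "B": every check passes.
    results["endpoint"] = server.submit("voter-2", "B", seal(k2, "B"))
    return results, server.tally
```

The last ballot is accepted and counted for "B" because every server-side check measures the ballot the client sealed, not what the voter intended, and the tally holds nothing that could later tell the two apart.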
Even if the security is done well, there are insurmountable issues.
But even worse, the security is almost never done well. Because it is about cost, it often goes to the lowest bidder. Do you seriously want your entire election run by some private company that was the lowest bidder? Or consultants for Elections Canada that gave the best price? What "best price" means is, as was shown repeatedly for Diebold, the elections technology provider takes off-the-shelf technology (how could they not, and still provide the lowest cost), hacks together some amateurish backend with a somewhat pretty frontend, and then serves that up as a secure elections solution, leaving NOT ONLY all the security issues with e.g. running on Windows, but introducing ADDITIONAL security issues with code that is almost always woefully insecure, badly designed, and not available for review by outside computer security experts.
And even if, by some miracle, none of these things happens, OK, we run an election.
It ends like the 1995 Quebec Referendum, 50.58% "No" to 49.42% "Yes" (note: elections are razor close ALL THE TIME).
So you say, all settled then, 50.58% "No".
And I say: PROVE the computers, the Internet, and the data centre were not compromised. PROVE the votes were not coerced. PROVE that it was actually Canadians voting, once, and not stolen accounts anywhere in the world voting multiple times.
You cannot prove this. Goodbye decisive elections. Hello endless battles.
Do you think this is abstract? There was ALREADY a fiasco with electronic voting machines in Quebec, which as terrible as they are, are at least in observable physical space. It was so bad, they had to investigate it, and:
On October 24, 2006 the Chief Electoral Officer of Quebec released a report (in French only) "Report on the Evaluation of New Methods of Voting" (Rapport d'évaluation des nouveaux mécanismes de votation). In a press release, three root causes of problems with electronic voting machines in the 2005 municipal elections were identified:
* an imprecise legislative and administrative framework
* absence of technical specifications, norms and standards
* poor management of voting systems (especially lack of security measures)
He recommended that the current moratorium on the use of these systems be maintained, and left it up to the provincial legislature to decide whether or not to use electronic voting in future.
Labels: canada, elections canada, internet voting
Comments:
Hey!
If you go to the conference, I've got some material for you.
OSCE report on i-voting in Estonia in 2007:
http://www.osce.org/odihr-elections/23132.html
OSCE is a very serious international organization in Europe. You can use their findings if they try to present Estonia as a model or rule you out as a fringe activist.
I doubt Switzerland is a member of OSCE but you can find some information on what they are using here:
http://www.geneve.ch/evoting/english/welcome.asp
Greetings from Europe :-)
Thanks. Very useful links. I do plan to go to the conference and do live tweets followed by one or more summary blog posts.
About UK:
Open Rights Group's May 2007 Election Report
(alternative link)
About French Internet voting pilots:
2006 (one report is in English) and 2009
Something to emphasize: since the beginnings of internet voting (about 10 years ago), turnout has been expected to increase. This has never really happened.
For example, in Switzerland: "Eight votes have taken place since the voting application was first used in 2003, with the number of potential users rising from about a thousand to nearly 90,000. After an initial surge due to the appeal of novelty, the Internet voting rate seems to be stagnating at around 9%"