Tuesday, January 26, 2010
Internet voting dialogue: brief morning summary
I was most impressed with Tarvi Martens' presentation about the technical details of the Estonian Internet voting system. They have clearly thought very seriously about the various issues involved, have very heavy physical security for the data centre, and allow no remote admin access from outside the data centre. He also emphasized that they had a principle of "no black box systems" in the data centre, so they use Debian, an open source operating system, rather than Windows. The fact that they have a national ID card addresses the key distribution and network encryption issues (the ID card includes an encryption key and a public/private digital signature key pair). They also put ISPs on high alert during the election period and monitor continuously for attacks.
I did ask him about the security of the user's desktop, and his answer was reasonable but, to me, ultimately still unsatisfactory. They are using what I assume are honeypot systems to monitor for emerging trojans that pretend to be some component of the desktop voting system (or presumably the ID card reader driver, etc.). They also have, as the first step of their voting procedure, that the user should ensure their system is scanned for viruses. However, there are multiple issues, including the innumerable vectors for attacking a home system, the fact that most users WON'T secure or scan their systems no matter how often you educate them about the issue, and the possibility of rootkits or other subtle, elusive trojans that might not be picked up by their honeypots.
He did say, which I think is an important contingency measure, that in the event they detect a widespread trojan attack they have the option to simply shut down Internet voting and tell people to vote on paper on their regular voting day (Sunday).
The other thing I heard from multiple speakers is that Internet voting is not having a substantial impact on turnout. What it is doing is making voting more convenient... for people who would have voted anyway.
UPDATE: I have exceeded the status update limit for @papervote (!) - already, just for the first session. I have moved to liveblogging on FriendFeed at http://friendfeed.com/electronic-voting-in-canada
Monday, January 25, 2010
knowing the players
This is simply an analysis of the players from a computer security standpoint. Three main points are examined:
1. What is their academic background in computer security?
2. What are their stated positions about Internet voting or, in the absence of statements, what is their corporation's position on Internet voting?
3. If they are providing Internet voting technology, what information is publicly available about the security analysis for these systems? It is incumbent on all voting technology providers to address all realistic threats to their systems in an open manner. There is no security through obscurity. A failure to do so shows an unseriousness about security.
I also want to make a key point: elections do not hinge on voter perceptions of security and convenience. Elections hinge on ACTUAL security. Asking members of the public whether they think Internet voting is secure enough, whether they are comfortable voting online, or whether it is convenient to vote online does not mean, in any way whatsoever, that the vote is ACTUALLY SECURE.
If citizens perceive a bank as (financially) safe but government regulation actually creates a situation where the bank fails (as has happened repeatedly in the United States), then it is clear that the citizens' perception was meaningless; what mattered was the government's failure to actually deliver an appropriate level of ACTUAL security.
And again, even if the system were actually secure, which is somewhere between highly unlikely and impossible, that still doesn't mean the system meets the necessary requirements for a functioning democracy.
* Michael Alvarez, California Institute of Technology (Caltech)
- Dr. Alvarez is a Professor of Political Science at Caltech and Co-Director of the Caltech/MIT Voting Technology Project. His BA, MA and PhD are in Political Science.
- info from CalTech site
The mission of the Voting Technology Project is, not surprisingly, around technology: "All of this research and policymaking activity seeks to develop better voting technologies, to improve election administration, and to deepen scientific research in these areas."
It is important to remember that US elections are much more complicated than Canadian elections, with many more candidates running for many more positions, in addition to (in many states), multiple complicated ballot initiatives (direct democracy issues to be voted upon).
* Kimberley Kitteringham, Town Clerk, Town of Markham
- reported in media as advocating Internet voting
"We definitely think our early voting turnout was a direct result of the increase participation of people in the online voting process because online voting, from our staff and post-election survey, engages the voter that has been typically apathetic or difficult to reach. It offers a convenient solution for them because they can do it from anywhere in the world," Ms Kitteringham said.
yorkregion.com - Internet gateway to election reforms in Vaughan - September 30, 2009
* Andrew Brouwer, Deputy Town Clerk, Town of Markham
- Bachelor of Environmental Studies, Urban and Regional Planning; Master of Public Administration, Local Government Program (from LinkedIn profile)
* Cathy Mellett, Acting Clerk/Manager, Halifax Regional Municipality
- reported in media as advocating Internet voting
"We had people vote from Sri Lanka, from Korea, from over 50 Canadian cities and 25 American states," said Cathy Mellett, e-voting project manager for the Halifax Regional Municipality.
"That's really been the objective from the very beginning, it's about getting voters accessible and participating in the overall election here in the HRM."
Mellett said there were no serious glitches in the system during the voting period.
CBC News - 10% of HRM voters cast e-ballots - October 7, 2008
* John McKinstry, Sales Manager, Dominion Voting Systems
- a company that has literally trademarked the word democracy: "Dominion Democracy™ is our comprehensive yet flexible voting suite, designed to uphold the principles and ideals of the electoral process."
- message is shaped entirely around turnout
Voter turnouts continue to fall even in the face of aggressive communications campaigns at all levels of government. One way to improve turnouts is to give the voters more voting choice; choices that reflect changing technologies. Chief among these alternative choices is remote voting. In taking voting to the voter, you remove one of the barriers to turnout.
Taking the voting booth to the voter
- according to a Google search (site:www.dominionvoting.com security), the entire site has exactly two mentions of security
Everything before and after the ballot is hosted on computer servers. There may not even be paper ballots, as is the case with Internet voting.
Dominion can host your elections on our secure servers to ensure the integrity of your election. We pride ourselves on the security and permanency of our server system.
Hosting your election
In summary: your election, hosted on a private company's servers. How do you know they are secure? Because they pride themselves on security.
2. There is a single instance of the word "security" in their document Democracy Suite EMS Edition 2007 (PDF)
To address the sensitivity of the election process from a security standpoint, the system provides role-based authentication and authorization, while all data transactions are protected for greater confidentiality and data integrity.
While it is good that the system uses authorisation to limit access, and "protection" for data transactions (whatever that means), this assumes that a) the authentication credentials have not been compromised, and b) the network transmission is a particularly vulnerable and interesting place to attack.
Just on the second point: HTTPS encryption of web transactions is essentially like using an armored car to transport money between two completely insecure endpoints, say between a house with no locks on its doors and a bank vault with no lock or security system. Attackers target system weaknesses. Since the Democracy Suite uses Windows computers, isn't an attacker more likely to attack the servers themselves using known Windows vulnerabilities than to try to intercept the data in transit? The document does not address these issues. You have to secure Internet voting systems END-TO-END, from the keystroke on the desktop to the calculated results on the data centre servers. This is impossible to do with anything approaching a high level of security (a high level of risk mitigation) for an election threat model.
* Alexander Trechsel, European University Institute, Florence
- Professor of Political Science and the first full-time holder of the Swiss Chair in Federalism and Democracy at the European University Institute (EUI) in Florence, Italy.
- info from EUI site
- PhD in Political Science (from LinkedIn profile)
* Tarvi Martens, Development Director, Certification Centre, Estonia
- MSc IT, Tallinna Tehnikaülikool (from LinkedIn profile)
- Program Manager for Internet Voting at Estonian National Electoral Committee (currently)
- Development Director at SK (currently)
- SK describes its business as the "provision of different certificates to physical persons and organisations. Currently, the largest project handled by SK involves issuing authentication and digital signature certificates to Estonian ID cards." - http://www.sk.ee/pages.php/0203
That is, SK is a private company in the business of providing certification technology.
* Urs Gasser, Harvard University
- Dr. Urs Gasser is the Berkman Center for Internet & Society's Executive Director.
- graduate of the University of St. Gallen (S.J.D. 2001, J.D. 1997) and Harvard Law School (LL.M. 2003) (Note: these are all law degrees)
- info from Berkman Center site
* Tom Hawthorn, The Electoral Commission
Remote electronic voting via the internet and telephone was once the future of British elections. But trials held in the 2003 local elections found it made little difference to turn-out and raised concerns about security, privacy and transparency.
Tom Hawthorn, electoral modernisation manager for the Electoral Commission, says that remote e-voting is unlikely this decade, although he believes the idea may return. "In the short- to medium-term, there's things about the existing voting system - voting stations and postal ballots - which can be improved," he says.
guardian.co.uk - Voting searches for the x-factor - Nov 23, 2005
- his 2006 presentation "What voters expect from a voting system" indicates a high degree of concern about "my vote being private" and "my vote being safe from fraud and abuse" (in terms of percentages these are the top two concerns expressed)
* Adam Froman, President, Delvinia Interactive
- corporation that promotes Internet voting
- "Internet voting made a positive impact on the election results." from blurb on page for their report "Understanding the Digital Voter Experience"
* Dean Smith, President, Intelivote Systems Inc.
- corporation that provides Internet voting
- eight results for site search on "security" (site:www.intelivote.com security)
* Jason Gallagher, Open Source Software Developer
- I don't actually know who this is. The most likely match appears to be: "Lead Open Source Software Developer for McMaster University, Dept. of Family Medicine" (from PCHRI 2006 participants)
* Peter Wolf, International Institute for Democracy and Electoral Assistance (IDEA), Stockholm
- MSc, Graz University of Technology (from IDEA site)
I welcome corrections and clarifications and I will update this posting if more information becomes available.