Interesting People mailing list archives
IP: Internet and Electronic Voting
From: Dave Farber <farber () cis upenn edu>
Date: Tue, 12 Dec 2000 20:36:19 -0500
From Peter Neumann

A recurring mantra heard from some entities involved in the development and promotion of Internet-based voting systems is that they have conducted "public tests" and thus their systems are secure. If hackers don't break into such systems, the tests are declared a success. This is of course illogical on its face, because it seems unlikely that people (both U.S. and internationally based) with an interest in subverting the U.S. election process would care to tip their hands by participating in what are essentially publicity stunts. These might attract your average 12-year-old hacker, but not the pros who wait for production systems for their carefully mounted attacks.

In fact, using such "tests" as any sort of validation technique runs contrary to long-established computer and engineering verification practices, and makes a mockery of the rigorous design and testing that is required of systems that are to be deemed secure through extensive and methodical processes (e.g., to gain certification under the ISO Common Criteria or its predecessors TCSEC/ITSEC). "I left my Porsche out in the parking lot with the doors unlocked and the key in the ignition and since it doesn't appear to have been stolen this must be a safe neighborhood," would be an equally nonsensical statement of supposed validation.

All proposed voting systems should be subjected to rigorous evaluation, public inspection, and *open-source code* license agreements. Some applicable methodologies do exist, but have not been required. For example, Level 4 Common Criteria should be a *minimum* standard, although even that is not enough.

Security is only as strong as its weakest links. Internet voting (I-voting) will *always* be limited in its integrity by factors beyond the I-voting algorithms. For example, encryption can be an important part of an overall election system. However, although we have strong cryptographic algorithms, we do not have systems with adequate security into which the cryptography can be embedded. Furthermore, voter authentication, vote integrity, voter anonymity, auditability, accountability, recountability, and so on, are all involved, and many of these requirements operate at cross-purposes with one another.

The massive vulnerabilities of standard personal-computer operating systems represent very serious concerns, in terms of hidden viruses, worms, Trojan horses, and further surprises unknowingly downloaded by the user with other packages, and waiting to pounce on election day. One proposed solution would be to boot a fresh system from external media in order to vote, but even such an approach does not adequately address these potential vulnerabilities. Deficient network protocols and the opportunities for insider fraud and accidental misuse abound.

In addition to the issues noted above are the weaknesses that result from inadequate operational environments. Neither the client nor the server systems will be adequately secure under foreseeable technology -- including Internet Service Providers and Web servers. For example, proposals such as the use of rotating IP numbers and multiple systems to try to defend against denial of service attacks can be rendered impotent by similar attacks on network concentration points.

As always in any election environment, there are many opportunities for fraud, mischief, and manipulation -- despite ostensible checks and balances. These problems are exacerbated with electronic and Internet voting, where the lack of any physical ballots makes such manipulations impossible to detect and correct -- because there is no meaningful recount capability. Extraordinary vigilance is necessary, but never sufficient.

In the wake of the recent Presidential election problems, the knee-jerk reaction of "gee, can't we modernize and solve all this with electronic and/or Internet voting?" is predictable, but still wrongheaded. The shining lure of these "hype-tech" voting schemes is only a technological fool's gold that will create new problems far more intractable than those they claim to solve.

Peter Neumann, Rebecca Mercuri, and Lauren Weinstein

-----

Peter Neumann moderates the ACM Risks Forum, Chairs the ACM Committee on Computers and Public Policy, and is a cofounder of PFIR -- People For Internet Responsibility <http://www.pfir.org>.

Rebecca Mercuri is a Professor of Computer Science at Bryn Mawr College. She has provided expert testimony on voting systems throughout the past decade. For information on her Penn doctoral thesis and other writings on this subject, see http://www.notablesoftware.com .

Lauren Weinstein <lauren () vortex com> and <lauren () pfir org> moderates the Privacy Forum <http://www.vortex.com> and is a cofounder of PFIR -- People For Internet Responsibility <http://www.pfir.org>, and Member of the ACM Committee on Computers and Public Policy.

Information on the Common Criteria is at http://csrc.nist.gov/cc

An earlier statement on I-voting is at http://www.pfir.org/statements/voting

For archives see: http://www.interesting-people.org/