Interesting People mailing list archives

IP: Internet and Electronic Voting


From: Dave Farber <farber () cis upenn edu>
Date: Tue, 12 Dec 2000 20:36:19 -0500



From Peter Neumann

A recurring mantra heard from some entities involved in the development and
promotion of Internet-based voting systems is that they have conducted
"public tests" and thus their systems are secure.  If hackers don't break
into such systems, the tests are declared a success.

This is of course illogical on its face, because it seems unlikely that
people (both U.S. and internationally based) with an interest in subverting
the U.S. election process would care to tip their hands by participating in
what are essentially publicity stunts.  These might attract your average
12-year-old hacker, but not the pros who wait for production systems for
their carefully mounted attacks.

In fact, using such "tests" as any sort of validation technique runs
contrary to long-established computer and engineering verification
practices, and makes a mockery of the rigorous design and testing that is
required of systems that are to be deemed secure through extensive and
methodical processes (e.g., to gain certification under the ISO Common
Criteria or its predecessors TCSEC/ITSEC).  "I left my Porsche out in the
parking lot with the doors unlocked and the key in the ignition and since it
doesn't appear to have been stolen this must be a safe neighborhood," would
be an equally nonsensical statement of supposed validation.  All proposed
voting systems should be subjected to rigorous evaluation, public
inspection, and *open-source code* license agreements.  Some applicable
methodologies do exist, but have not been required.  For example, Level 4
Common Criteria should be a *minimum* standard, although even that is not
enough.

Security is only as strong as its weakest links.  Internet voting (I-voting)
will *always* be limited in its integrity by factors beyond the I-voting
algorithms.  For example, encryption can be an important part of an overall
election system.  However, although we have strong cryptographic algorithms,
we do not have systems with adequate security into which the cryptography
can be embedded.  Furthermore, voter authentication, vote integrity, voter
anonymity, auditability, accountability, recountability, and so on, are all
involved, and many of these requirements operate at cross-purposes with one
another.  The massive vulnerabilities of standard personal-computer
operating systems represent very serious concerns, in terms of hidden
viruses, worms, Trojan horses, and further surprises unknowingly downloaded
by the user with other packages, and waiting to pounce on election day.  One
proposed solution would be to boot a fresh system from external media in
order to vote, but even such an approach does not adequately address these
potential vulnerabilities.

Deficient network protocols and the opportunities for insider fraud and
accidental misuse abound.  In addition to the issues noted above are the
weaknesses that result from inadequate operational environments.  Neither
the client nor the server systems will be adequately secure under
foreseeable technology -- including Internet Service Providers and Web
servers.  For example, proposals such as the use of rotating IP numbers and
multiple systems to try to defend against denial of service attacks can be
rendered impotent by similar attacks on network concentration points.

As always in any election environment, there are many opportunities for
fraud, mischief, and manipulation -- despite ostensible checks and balances.
These problems are exacerbated with electronic and Internet voting, where
the lack of any physical ballots makes such manipulations impossible to
detect and correct -- because there is no meaningful recount capability.
Extraordinary vigilance is necessary, but never sufficient.

In the wake of the recent Presidential election problems, the knee-jerk
reaction of "gee, can't we modernize and solve all this with electronic
and/or Internet voting?" is predictable, but still wrongheaded.  The shining
lure of these "hype-tech" voting schemes is only a technological fool's gold
that will create new problems far more intractable than those they claim to
solve.

Peter Neumann, Rebecca Mercuri, and Lauren Weinstein

-----

Peter Neumann moderates the ACM Risks Forum, Chairs the ACM Committee
   on Computers and Public Policy, and is a cofounder of PFIR --
   People For Internet Responsibility <http://www.pfir.org>.

Rebecca Mercuri is a Professor of Computer Science at Bryn Mawr College.
   She has provided expert testimony on voting systems throughout the past
   decade.  For information on her Penn doctoral thesis and other writings
   on this subject, see http://www.notablesoftware.com .

Lauren Weinstein <lauren () vortex com> and <lauren () pfir org> moderates the
   Privacy Forum <http://www.vortex.com> and is a cofounder of PFIR -- People
   For Internet Responsibility <http://www.pfir.org>, and Member of the ACM
   Committee on Computers and Public Policy.

Information on the Common Criteria is at
   http://csrc.nist.gov/cc
An earlier statement on I-voting is at
   http://www.pfir.org/statements/voting



For archives see: http://www.interesting-people.org/