Interesting People mailing list archives

Report Says Internet Voting System Is Too Insecure to Use (fwd)


From: Dave Farber <dave () farber net>
Date: Thu, 22 Jan 2004 11:40:45 -0500


Delivered-To: dfarber+ () ux13 sp cs cmu edu
Date: Thu, 22 Jan 2004 01:34:25 -0600
From: gep2 () terabites com
Subject: [IP] Report Says Internet Voting System Is Too Insecure to Use (fwd)
To: dave () farber net

> Report Says Internet Voting System Is Too Insecure to Use
January 21, 2004
  By JOHN SCHWARTZ

> A new $22 million system to allow soldiers and other
Americans overseas to vote via the Internet is inherently
insecure and should be abandoned, according to members of a
panel of computer security experts asked by the government
to review the program.

There are several issues here which would have to be addressed in order for this
system to be credible.

1) The system would have to meet suitable standards regarding privacy and
integrity, specifically regarding the registering, communication, and
collection of voter responses, and I believe that it is at least CONCEIVABLE
that suitable technology can resolve those issues (note that I am NOT confident
at this point that the technology envisioned or in place HAS solved those
problems, and apparently this panel of "computer security experts" HAS looked
at the current proposed system in some detail and has come away unimpressed
with it too).

2) The system that processes and tallies the votes once received must be
robust and have a very high confidence level. Apparently this is a flaw in many
of the current vote counting systems that are put in place at the county
election department level... (e.g. where modifications of the elections results
can be done using Microsoft Access or the like, going around whatever limited
controls might be in the "package", and permitting the vote to be falsified with
relative ease).

3) There *must* be auditability of the vote, permitting the recounting of the
votes based on some ABSOLUTELY secure indication of EVERY voter's individual
intent, and which doesn't just get lumped in to a "total count" which is
reported. Generally, a paper ballot or other individual "hard copy" meets this
requirement to at least some degree.  Electronic voting systems which only
report a total offer NO way for officials or judges to verify that the votes
were tallied properly, and virtually no ability to provide for a legally
mandated recount.  The voter MUST be able to see and approve a DURABLE AND
INDIVIDUAL COPY of a ballot that accurately reflects their choices BEFORE they
leave the polling place.  And that ballot MUST be available for purposes of
recounting the vote, should there be a question of the electronic tally.

4) (and THIS point there is **no** technological solution for whatsoever, and
for me this by itself shoots down just about all conceivable "Internet voting"
proposals) there MUST be a way to be confident that the voter is not voting
with a gun (figuratively or even literally) being held to their head. Voters
MUST be able to vote without the possibility of an election official, union
shop steward, parent, child, landlord, boss/employer, welfare case worker,
'assisted living' caregiver, neighborhood ganglord, or other thugs looking over
their shoulder to ensure that they vote "the right way".  [It IS true that this
is a problem with existing absentee or mail-in ballots, but those at this point
represent a very small percentage of the vote and probably not enough to sway
an election. That will NOT be true of Internet voting, where a comparatively
large percentage of the total vote will end up being cast by this admittedly
very attractive voting method.]

5) Internet voting (as much as I would personally love the convenience, with
me being an Internet fan) is inherently prejudicial because it makes it far
easier and more convenient to vote for those with computers and
"better"[/faster/more reliable] Internet connectivity. The virtually guaranteed
result of such a prejudice will be to get a larger turnout for voting from
those folks who have more money to spend on such capabilities, and probably
having the additional result that the (now fewer) people voting at in-person
polling places will be "consolidated" (more than they are already) into a
smaller number of physical polling places, creating confusion ("but I've always
voted at <wherever> before") and increasing the distances that voters
(especially disadvantaged voters, who for example might have to use public
transit to try to get to an inconveniently located polling place) have to
travel in order to vote.

6) It is also inherently prejudicial to provide a system to military personnel
to make it substantially easier for them to vote than the general population,
for the same reason.  The fact is that it should be (to the extent possible)
EQUALLY easy to vote for ALL categories of voter.  This is ESPECIALLY critical
when one can envision that a "different/easier/better" voting system will favor
one group with distinct political agendas (wealthy, military, racial, whatever)
over a different interest group.

> The system, Secure Electronic Registration and Voting
Experiment, or SERVE, was developed with financing from the
Department of Defense and will first be used in this year's
primaries and general election.

Democracy is one of the most basic and critical processes in our government (at
ALL levels). We saw to our horror how the flawed election process in Florida in
2000 resulted in a hideously "thrown" election that forever changed the history
of our nation and of the world.  (see http://www.defend-democracy.org).

We *must* return ABSOLUTE confidence in the integrity of the voting system in
this country. And, unfortunately, we seem to be headed in EXACTLY the OPPOSITE
direction.  :-((

> The authors of the new report noted that computer security
experts had already voiced increasingly strong warnings
about the reliability of electronic voting systems, but
they said the new voting program, which allows people
overseas to vote from their personal computers over the
Internet, raised the ante on such systems' risks.

Absolutely... and worse, most Americans don't understand why this is such a
serious problem (although it's NOT a difficult concept to grasp, once properly
explained).  The press has largely abdicated their responsibility to put a
spotlight on this problem, and like SO MANY terrible decisions on the part of
our government over the last three years, it seems that they're just going to
slide it through with most of the public being none the wiser.  :-(

Hey, it SOUNDS like a good idea, right?  :-((((

> The system, they wrote, "has numerous other fundamental
security problems that leave it vulnerable to a variety of
well-known cyber attacks, any one of which could be
catastrophic." Any system for voting over the Internet with
common personal computers, they noted, would suffer from
the same risks.

Personally, I believe that MOST of those problems could be resolved (again, I'm
NOT confident that they have been).  I still insist that it is NOT possible to
envision ALL of them being resolved.

> The trojans, viruses and other attacks that complicate
modern life and allow such crimes as online snooping and
identity theft could enable hackers to disrupt or even
alter the course of elections, the report concluded. Such
attacks "could have a devastating effect on public
confidence in elections," the report's authors wrote, and
so "the best course to take is not to field the SERVE
system at all."

Those of us who understand the technology, as well as the social and political
implications of this incredibly ill-considered approach to the election process,
are generally horrified to see this approach continuing inexorably to what is
likely to be widespread adoption, in spite of (or worse, perhaps BECAUSE of!)
the tremendous likelihood of fraud and abuse it offers.  :-((

> A spokesman for the Department of Defense said the critique
overstated the importance of the security risks in online
voting.

Although I haven't read the specific critique in question, my strong suspicion
is that if anything they UNDERSTATED the problem, probably by ignoring the
"voter privacy/anonymity" concern and dealing instead with the technological
issues (as indeed, most of us technical types tend to do).

> "The Department of Defense stands by the SERVE
program," the spokesman, Glenn Flood, said. "We feel it's
right on, at this point, and we're going to use it."

Why does this sound disturbingly like the White House's decision to wage war in
Iraq, despite widespread disapproval both at home and abroad and based largely
on lies and misrepresentations, because "my mind is made up", regardless of what
anybody else thinks?  :-(

> An official of Accenture, the technology services company
that is the main contractor on the project, said the
researchers drew unwarranted conclusions about future plans
for the voting project.

We can only judge the system based on what is being proposed for NOW.  If they
in fact solve the problems (including those I've detailed above) then I might
reconsider my FIRM opposition.  But I don't think that ANY feasible technology
can POSSIBLY solve the privacy issue (short of perhaps allowing "Internet
voting" but having it still take place from public polling places as the law
requires today, under the vigilance of authorized election clerks,
representatives of at least both major parties, and "poll watchers" and all the
other protections currently provided for under the law).  I can't imagine that
any of the current Internet voting approaches requires those protections, or
that it resolves the inherently discriminatory favoring and facilitating the
voting by those wealthier folks owning computers and having Internet
connectivity.

> "We are doing a small, controlled
experiment," said Meg McLauglin, president of Accenture
eDemocracy Services.

No doubt it's ONLY large enough to provide the relatively small (and hopefully
distributed enough to make it not so TERRIBLY obvious) push the RNC believes is
going to be necessary to throw the 2004 election, just as their thugs in Florida
(and, less widely understood, here in Texas where the corresponding (and even
greater!) outrage took place in the courts while everyone was busier watching
Florida...) bullied their way to the White House in 2000.

If you're interested in learning more about probably the biggest single reason
why Al Gore isn't presently occupying the White House, and are interested in
seeing and understanding just how Election 2000 was stolen, the following link
is fascinating reading:

http://www.txnd.uscourts.gov/judges/notable2.html#jonesbush

(You can also get there by navigating through:
http://www.txnd.uscourts.gov
then click on "Judges"
select "Notable cases" on the dropdown menu
click on "Jones vs Bush")

The whole thing is pretty much worth reading, although if you get bogged down,
as I recall the documents in the case numbered about 29-34 contain a lot of the
'meat' of what happened there. (Note that the electoral college votes for Texas
were *far* more numerous and important in the end than the relatively smaller
number of electoral college votes involved in Florida).

> The Federal Voting Assistance Program, part of the
Department of Defense, plans to officially introduce the
program in the next few weeks.

> Seven states have signed up
so far to participate: Arkansas, Florida, Hawaii, North
Carolina, South Carolina, Utah and Washington. As many as
100,000 people are expected to use the system this year,
and the total eligible population would be about one million.

> A move to that larger population of voters is far from
certain, Ms. McLauglin said, and the final system could be
very different from the one being used this year. "It will
be up to Congress and the states to determine if this gets
expanded, and how," she said.

<sarcasm>I'm sure that they will deploy it in a way at least as
party-and-agenda-neutral as Tom DeLay's outrageous Republican powergrab that
resulted in the outrageous congressional redistricting fiasco that they've
apparently managed to bulldoze into place here in Texas.</sarcasm>

> "Without doing these experiments, we won't learn more and
we won't learn how to help these folks vote in the future,"
she said.

I wouldn't count on them "helping" voters (a) in a neutral way, and (b) in a way
immune to the fraud and voter pressure I mentioned earlier in this post.

> Trying to vote overseas can be a frustrating ordeal. And
Internet voting makes intuitive sense to Americans who have
grown accustomed to buying books, banking and even finding
mates online.

Oh, no denying that it looks VERY attractive, until you realize and understand
the inherent way it skews the results of the election by favoring one class of
citizen and voter over another. (This is exactly the "dual standards" argument,
ironically enough, that the Supreme Court used in 2000 in blocking the planned
recount of only "some" of the vote in Florida.)

> But the authors of the report adamantly state that what
works for electronic commerce doesn't work for electronic
democracy: "E-commerce grade security is not good enough
for elections," they wrote. The dual requirements of
authentication and anonymity make voting very different
from most online purchases, they wrote, and failures and
fraud are covered by Internet merchants and credit card
companies. "How do we recover if an election is
compromised?" they wrote.

Indeed.  As we've seen all too well, a compromised election can (and did, in
2000) result in absolutely irreparable damage.

> The report states, "We recognize that no security system is
perfect, and it would be irresponsible and naïve to demand
perfection; but we must not allow unacceptable risks of
election fraud to taint our national elections."

I think it's important to understand that "risks" barely begins to cover the
issue;  the proposed system is doubtless OUTRAGEOUSLY flawed and prejudicial,
and probably CANNOT be made neutral and secure.

> They said any new system "should be as secure as current
absentee voting systems and should not introduce any new or
expanded vulnerabilities into the election beyond those
already present."

Again, that is NOT adequate, for the simple reason that the number of votes
which will ultimately be cast by an online voting system (which is probably
inherently unauditable, most likely impossible to adequately and reliably
recount, and subject to pressure being applied to the voters) is likely to be
such a large percentage of all votes cast that it *absolutely* can (and
doubtless WILL) be manipulated by the party in power in order to block any
serious likelihood of losing that power.  The reason why this vulnerability is
less serious today is because absentee/mail-in balloting represents a really VERY
small percentage of ballots cast.

> One of the authors of the report, David Wagner, an
assistant professor in the Computer Science Division at the
University of California at Berkeley, said, "The bottom
line is we feel the solution can't be a system that
introduces greater risks just to gain convenience."

And it MUST be vote-neutral, which I don't believe it can POSSIBLY be.

> Although some of the possible attacks may sound far-fetched
or arcane, the security experts said that each of them had
already been seen in some form out on the Internet.

I don't think that it requires "arcane" or "far-fetched" arguments at all
(although it's worthwhile to keep those in mind, too). Again, one has to wonder
if they're pointing at those just to make it look unlikely, whereas the REAL
vulnerabilities are much less arcane or farfetched.

> "We're not making up any theoretical concepts," said Aviel
D. Rubin, an author of the report and the technical
director of the Information Security Institute at Johns
Hopkins University. "These are all things that occur in the
wild that we see all the time."

> Computers on the Internet have become ever more vulnerable
to malicious software that takes over the machines'
functions to monitor the users' activities, scan them for
private information or press them into service to launch
attacks on other computers, to send spam or advertise
Internet pornography sites online. "And we're going to use
these as voting booths?" Mr. Rubin asked. "It just doesn't
make any sense."

> A major American election would be an irresistible target
for hackers, and the ability of computers to automate tasks
means that many attacks could be carried out on a large
scale, the report said.

Indeed, and it's certainly the case that a whole variety of little cyberfrauds
can swing a "close" election, and for a whole lot less money than the $300-500
million that's likely to be spent this year on the Presidential election
campaigns.  That makes it a "good investment" for those with strong partisan
positions.

(And of course, NOBODY is in a more privileged position to carry out these
frauds than those VERY partisan folks who run the electronic voting equipment
and software companies, and who call the related software "trade secret" and
refuse to allow it to be audited and verified by other tech-savvy computer
professionals... although they are HARDLY the only ones who would be involved in
the attacks on "free and fair" elections when/if these terribly unwise
election/voting choices are made.).

> The authors said the Federal Voting Assistance Program,
which runs SERVE, and Accenture, the main contractor,
should not be faulted for their work, which they found
innovative and conscientious. Secure Internet voting, the
panel concluded, is an "essentially impossible task."

I would agree with the panel. Accenture is being asked to do something which is
probably INHERENTLY impossible to do in a way which is vote-neutral and which is
immune to unacceptable pressures which WILL be exerted on voters.

> In fact, the panel said, "there really is no good way to
build such a voting system without a radical change in
overall architecture of the Internet and the PC, or some
unforeseen security breakthrough. The SERVE project is thus
too far ahead of its time, and should wait until there is a
much improved security infrastructure to build upon."

I don't see the ULTIMATE problem as being that of the Internet infrastructure.
Even if THAT problem were resolved (and, I believe, it could be) there are
further serious (and I believe UNSOLVABLE) problems which remain.

> The risks inherent in SERVE are likely to cripple any
system for Internet-based voting, said Barbara Simons, a
technology consultant and coauthor of the report. "It's not
just a SERVE thing," she said.

> Such concerns are not new. They have formed the basis of
several recent studies of Internet voting. A report in 2001
by the Internet Policy Institute, financed by the National
Science Foundation, concluded that "remote Internet voting
systems pose significant risk to the integrity of the
voting process and should not be fielded for use in public
elections until substantial technical and social science
issues are addressed."

Has ANYBODY reputable and intelligent concluded otherwise, after being made
aware of the VERY real concerns involved (including the ones I've listed above)?

> David Jefferson, an author of the new report and a computer
scientist at Lawrence Livermore National Laboratory in
Northern California, also worked on a 2000 report for the
California secretary of state that reached similar
conclusions. "Nothing fundamental has changed," he said,
since that report was written.

> "Nothing we've seen makes us think that this can be made
secure," Mr. Jefferson said.

> In attempting to play down the critique of the system, Mr.
Flood of the Defense Department called it a "minority
report,"

It's a "minority" report because the press has largely ignored the issue up to
now.  (Even though the problems are NOT AT ALL limited to esoteric technical
stuff which is somehow "beyond" ordinary public understanding).

> ...since it involved only 4 of the 10 outside experts
asked to review the system. But Mr. Rubin, the report
co-author, noted that the four authors were the only
members of the group who attended both of the three-day
briefings about the system.

I don't believe that ANYBODY made aware of the shortcomings of such a system (at
least not as currently envisioned) could possibly conclude otherwise.

> There is no majority report, since the other six experts
have not taken a public stance on the project.

I wonder if that's because they fear for the implications to their jobs or
something?  Or are they in turn subject to political pressure?

> Ms. McLauglin of Accenture said that the company had
contacted the other six members of the outside advisory
group and that five of the six said they would not
recommend shutting down the program.

That's NOT the same as saying that they believe it can lead to a non-prejudicial
and robust, secure system which ought to be implemented and used for real-world
elections.

> One of the other outside reviewers, Ted Selker, a professor
at the Massachusetts Institute of Technology, disagreed
with the report, saying it reflected the professional
paranoia of security researchers. "That's their job," he
said.

There's an old saying... "It's not that am I being paranoid... but AM I BEING
PARANOID ENOUGH!!?" Again, I think that anybody who is NOT concerned about this
issue (and alarmed by it) simply hasn't been paying enough attention.

> Mr. Selker, an expert in the ways people use technology,
said security is a less pressing concern than mistakes in
registration databases, poor ballot design and inadequate
polling place procedures. "Every single election machine
I've seen - including the lever machine, including punch
card machines, including paper ballots - has
vulnerabilities," he said.

Yes, but SOFTWARE-based vote tallying systems (and particularly in the absence
of a hard-copy, voter-verified permanently marked ballot that can be recounted
if necessary, and with the voting done SECRETLY!! in a pressure-free
environment) are BREATHTAKINGLY vulnerable to fraud and manipulation in a way
that can be difficult or even IMPOSSIBLE to undo after the fact. The intention
to proceed with these systems despite such OBVIOUS and INCONTROVERTIBLE problems
leads one to the inescapable question of WHY are these problems being ignored?
Clearly, the answer is because it SUITS those in the position to make the
decision, and because they feel they can push the system through regardless,
while the public is looking somewhere else.

And that's a terribly scary thing.

> A security expert and critic of technologically advanced
voting systems who had seen an early draft of the study
applauded the group's work. "What I saw convinced me that
no one should ever vote on that system," said David Dill, a
professor of computer science at Stanford University who
has become active in voting technology issues. "I
understand the problems that people overseas have voting,
especially if they are in the military, and I believe we
have to make it a lot easier for them," he said. "But SERVE
is the wrong solution."

Is the complete study available online somewhere?  It WOULD be interesting to
have a look at it... I'd like to see if they covered all of my objections above
(my suspicion is that they covered a lot of the more technical objections, and
probably forgot about some of the other issues I mentioned...)

> http://www.nytimes.com/2004/01/21/technology/23CND-INTE.html?ex=1075722669&ei=1&en=24c5f9b25e1f0130

What's more... if all these experts who have (even just!) looked at this report
are SO concerned.... WHY are we seemingly forging ahead to implement such a
vulnerable, unwise, and *clearly* fraud-prone system? And JUST in time for the
(likely to be close and bitterly divided, as the 2000 one was) 2004 Presidential
election?

The unavoidable answer is as obvious as it is frightening.  :-((

Gordon Peterson                  http://personal.terabites.com/
1977-2002  Twenty-fifth anniversary year of Local Area Networking!
Support the Anti-SPAM Amendment!  Join at http://www.cauce.org/
12/19/98: Partisan Republicans scornfully ignore the voters they "represent".
12/09/00: the date the Republican Party took down democracy in America.

Archives at: http://www.interesting-people.org/archives/interesting-people/

