It freaks me out that people are so nonchalant about this. Browsers and OSes get cracked on a regular basis: you can't trust the server, you can't trust the client, and you can't trust the pipe in between.
There is no voting algorithm in the world that can be trusted in that environment, full stop.
Seriously, I'd love to hear how I'm wrong. And if not, then how could we possibly consider handing power over our laws, our courts, our armies, to whoever manages to figure out how to exploit this first? It's not like there isn't reams of evidence that people will attempt to rig votes; so if there is a way, eventually someone will succeed.
I have no idea why people are so fixated on electronic voting. Running elections with paper ballots may be costly, but relative to other costs it's very little - it's also probably the single most important service the government provides.
It's not even like voting is particularly taxing in Australia. You go to your local school on a Sunday, wait in line for a while then grab a sausage or a lamington and go home. If that's too inconvenient there are pre-polling stations open for weeks ahead of time.[0]
I think any software that has the potential to influence election outcomes should be provably correct (the whole stack), open source and probably have been out in the wild for years before getting used in a real election.
[0] As far as I'm aware, the AEC actually double-checks electronic results by doing a human recount. When they use electronic voting it's so they can declare a winner sooner.
My point, though, is that it doesn't really matter if the whole stack is open source if the binaries have been compromised, or if the browser/OS it runs on has.
There hasn't been a widely used OS without a remote exploit, in fact it's not even infrequent for the biggies. Once you control the voter's OS, the game is over. So the way I see it, if you have a few 0-day exploits (enough to get into the majority of popular OS versions), a talent for covering your tracks, and a few swing-ridings, you can decide an election.
It's just such an insane risk, and you're absolutely correct: there isn't even much to gain from moving to online voting.
I was including the OS in the stack. Is there any reason why vote-casting or vote-tallying software should be running on a fully-fledged OS? It introduces a massive attack surface in exchange for a benefit that is really only felt at development time (development ease and cost). Write something custom, get it formally validated, audited, etc. and then go through a similar process to ensure the hardware is trustworthy.
Of course that won't happen. The only real reason to move to electronic voting is to save money, but that's rendered moot if you have to invest a huge amount upfront just to get something trustworthy.
Right. Given the number of countries and companies and people that are involved as you move up the chain from transistor to application, how complex even the smallest stack is, and how many opportunities there are for inserting code at every level - the effort it would take to do a full audit, and then to prove that it's uncrackable from external sources - it's not even remotely realistic.
Again, I can't figure out why anyone takes the assertion that electronic voting can be secured seriously.
Ha! I started reading your "how we vote in Australia" and was thinking "don't forget the sausage sizzle"...
I remember going to a talk by an electoral research specialist (Vanessa Teague) at a security conference, who had a very interesting talk on the shortcomings of electronic voting (and was particularly dark on the NSW version). I have a longer synopsis in a previous comment here[1], but I should see if there's a video online somewhere, because I don't do her justice.
Edit: I have no sound on this machine to confirm, but it looks like the interview here is Teague on the same topic (the article text describes the lecture I saw) http://corruptednerds.com/pod/c00008/
> I think any software that has the potential to influence election outcomes should be provably correct (the whole stack), open source and probably have been out in the wild for years before getting used in a real election.
Let's remember that even when paper ballots are used, the counting is done electronically. It's not something people often take time to consider.
When the ballot boxes are emptied, the ballots are scanned with scanners, and the results put into some sort of software to be processed further. This is how it's been done in Norway for many years, and we're only 5 million people here, so I can't imagine other countries doing it any differently.
Norway introduced a new voting system a few years ago, which also included Internet voting, but that has later been put on hold, as it was blocked by political reasons. The entire system was open source (you could read the code, but not allowed to use it), but I don't think it has been released since then, and I'm not sure what the plans were. Fun fact, the settlement algorithm that ranks the candidates is a Postgres stored procedure (http://goo.gl/PPMipF).
There are already a lot of places where there is software that can influence election outcomes, and it's definitely not proved to be correct. Given how trojans have been found everywhere in the recent years, I'd not be surprised if some countries' election software stack has been compromised.
I've been an election helper for years (in Germany). We've counted everything by hand - and more than once.
I believe scanners are in use in other states, however this is vastly better than fully electronic voting as you can still do a hand count when the result is very close or suspicious.
In Germany the constitutional court has set the bar for electronic voting so high that it's virtually impossible.
Also: "– Here we scan the ballots. The technology is moving forward; previously we sat and counted manually by hand. Now there is technology for reading ballots, so that is what we do, says Anita Attersand, project manager and case officer for election matters at Länsstyrelsen i Stockholm (the Stockholm County Administrative Board)." http://sverigesradio.se/sida/artikel.aspx?programid=83&artik...
It's often overlooked how including external Javascript impacts the security of your website (see also the recent Healthcare.gov information leak). It's not just the external sites' TLS configuration you have to worry about, but all their security and privacy practices. Even if piwikpro.com had had a perfect TLS configuration, if an attacker had been able to compromise (or corrupt/coerce) them, the attacker would have been able to execute arbitrary Javascript on NSW's online voting website.
Stripe is the only external Javascript I load on my websites. I trust Stripe a lot more than most, but still I would prefer not to load their Javascript. This policy is frustrating because it means I can't use a lot of cool tools, but I care too much about security and the privacy of my visitors to do otherwise.
An online voting site should not use javascript. Period. It should be bare-bones simplest possible HTML form posting with all validation and logic happening server-side. For one thing it needs to be accessible to disabled voters and the more complex the UI implementation, the less accessible it will be. Also for security peace of mind it should be usable with all scripting and plugins disabled.
A ballot is not a complex UI. A basic HTML form with checkboxes and/or radio buttons is all that's needed.
the site included additional JavaScript from an external server, ivote.piwikpro.com. (Piwik is an analytics tool used to track site visitors.)
What is really disturbing is that this JS is not even tangentially related in any way to the actual voting process. Why does a voting site need to track its visitors at all?!
New South Wales, where this election is being conducted, does actually need a slightly more complex UI: it uses "optional preferential voting", requiring voters to number the candidates in order of preference from 1, stopping at any point after that. (The upper house ballot also has the option of numbering either the group boxes above the line, or the individual candidate boxes below).
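To make the optional preferential ballot format concrete, here is an added example (not code from the thread or from the NSW iVote system) that classifies a ballot as formal or informal and runs a small preferential count with exhaustion. The formality rule, the tie-break by candidate name, and the sample ballots are all assumptions constructed for the example; the real NSW savings provisions are more nuanced.

```python
from collections import Counter

# A ballot is a dict: candidate -> preference number, or None if left blank.
# Assumed formality rule: exactly one "1", and any further preferences form
# an unbroken run 2, 3, ... with no repeats. Anything else (including a
# blank ballot, which is legal to cast) is informal and is not counted.

def ranked_preferences(ballot):
    """Return candidates in preference order, or None if the ballot is informal."""
    marked = {c: n for c, n in ballot.items() if n is not None}
    if not marked:
        return None                                   # blank ballot
    numbers = sorted(marked.values())
    if numbers != list(range(1, len(numbers) + 1)):
        return None                                   # repeated or skipped number
    return [c for c, _ in sorted(marked.items(), key=lambda kv: kv[1])]


def count_opv(ballots, candidates):
    """Optional preferential count: a ballot flows to its highest-ranked
    continuing candidate and exhausts once none of its choices remain.
    Returns (winner, per_round_tallies, informal_count)."""
    formal = [p for p in (ranked_preferences(b) for b in ballots) if p]
    informal = len(ballots) - len(formal)
    remaining = set(candidates)
    rounds = []
    while remaining:
        tally = Counter()
        for prefs in formal:
            for c in prefs:
                if c in remaining:
                    tally[c] += 1
                    break                             # count first live preference only
        live = sum(tally.values())                    # ballots not yet exhausted
        rounds.append(dict(tally))
        if not tally:
            return None, rounds, informal             # everything exhausted
        leader, votes = tally.most_common(1)[0]
        # Absolute majority of live (non-exhausted) ballots wins.
        if votes * 2 > live or len(remaining) == 1:
            return leader, rounds, informal
        # Eliminate the lowest-polling candidate; ties broken by name (assumption).
        lowest = min(remaining, key=lambda c: (tally[c], c))
        remaining.remove(lowest)
    return None, rounds, informal


# Constructed sample ballots (not real data).
SAMPLE_BALLOTS = [
    {"A": 1, "B": 2, "C": None},
    {"A": 1, "B": None, "C": None},
    {"A": None, "B": 1, "C": 2},
    {"A": None, "B": None, "C": 1},
    {"A": None, "B": 2, "C": 1},
    {"A": None, "B": None, "C": None},   # blank: informal
    {"A": 1, "B": 1, "C": None},         # duplicate "1": informal
    {"A": 1, "B": None, "C": 3},         # skipped number: informal
]

if __name__ == "__main__":
    print(count_opv(SAMPLE_BALLOTS, ["A", "B", "C"]))
```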
Of course it does. Following that argument: It isn't illegal to run on the streets, it does not follow you have a legal right to run on the streets? Clearly absurd. The population's rights include all except what is expressly forbidden by the laws, and the government's rights include none except what is expressly enumerated in law.
> It isn't illegal to run on the streets, it does not follow you have a legal right to run on the streets?
It does NOT follow that you have a legal right to run in the streets.
If some entity declared a street to be walking-only, then you could not claim "WAH! I HAVE A RIGHT TO RUN IN STREETS!"
Similarly, if an entity will only allow you to submit votes that are "correct" as per the definition of preferential voting, you can not claim "WAH! I HAVE A RIGHT TO SUBMIT INFORMAL VOTES!"
That means those legal rights exist until the authority decides otherwise. So for now according to the laws the government has passed informal votes are a legal right. It is a quirk of the software it isn't implemented. Imagine a sidewalk paved with a material you can't run on, it's perfectly reasonable to write a complaint to your local council about the quality of the road because everyone deserves to have a space to run, according to existing laws that have not prohibited running.
In Australia you have a legal right to vote informally. Perhaps other countries are different? Here you are legally required to submit a ballot paper but you are not required to fill it out.
What I'm saying is the government does not necessarily have to facilitate your ability to vote informally.
As in, a blind person has a 'right' to vote and vote anonymously, hence the government should have at least one way for them to do this.
But I'm saying it does not follow you have a 'right' to vote informally just because it's legal. It does not follow the government has to give you a way to do this.
If they do, you can do it since it's legal. But if they don't, you can't sue since it's not necessarily a 'right'.
Not necessarily true. Ideally you want things like vote encryption and confirmation code generation to occur in the client, where they can be verified by the voters themselves. Otherwise, who is to say the election server itself is not compromised or outright designed to manipulate results. Of course, this is only useful paired with a voting protocol that allows verifying that your own vote was counted, while obscuring its association with any individual voter. See [1].
This is helpful even if only a tiny fraction of voters do verify it, say by running a browser extension that checksums the downloaded Javascript. Because of birthday paradox like results, if votes are verifiable, and a small percentage of voters properly verify their votes, then the chances that the server can modify the election results significantly (e.g. by shipping malicious javascript to some users) without being caught, are actually fairly small.
p.s. Of course, an issue with this system is that voters voting on a compromised computer might have their votes hijacked anyways (which is true of any remote voting protocol I know), and that verification codes aid in things like vote selling (some solutions exist, using verification code decoys and the like).
Javascript is downloaded by the client and can be verified by the client. I know the server can serve malicious Javascript, but then a client extension can check it. If the server doesn't know which clients are performing verification and which aren't, then it risks being found out.
And yes, that article mentions that it's safer to perform the entire protocol in an extension. But the point of the "verifier extension" is that then you don't need every user to use a modified browser[1], just a threshold number of users. It would be even better if browsers provided decent crypto primitives and more compartmentalized runtimes, of course.
The point of client side processing here can be seen, if you want, as "open sourcing the code that will actually handle my vote" vs "open sourcing some code and promising that it is the code that will handle my vote". Even with the limitations of Javascript security, the former is better than the latter, and the latter is better than closed source in the server, which is the present situation. Arguably a dedicated (phone?) app would be better and dedicated hardware even better[2]. But then you have to deal with rolling that out to tens or hundreds of millions of people.
[1] Chrome extensions are usually also partially compartmentalized Javascript.
A web site poll is not secure enough to be an election, even if its creators do anything perfectly, and a web site poll pretending to be an election does not grant the victor legitimacy.
The fundamental problem is that it leaves no evidence of how people voted except for the testimony of a computer server, which can be hacked. The practical result being that the election can be overturned by a single person inside or outside the country working with a guarantee of secrecy, and it would leave no evidence.
That wouldn't be a hard problem to solve if not for the fact that votes also need to be anonymous. That combination is what makes electronic voting an extremely difficult problem.
> how people voted except for the testimony of a computer server
Well, that's not an accurate claim. There are a number of verifiable voting protocols, e.g., Helios https://vote.heliosvoting.org/. This doesn't mean that online voting is ready for mass adoption, but I think you're too quick to dismiss it.
Should we start using Helios for public-office elections? Maybe US President 2016?
No, you should not. Online elections are appropriate when one does not expect a large attempt at defrauding or coercing voters. For some elections, notably US Federal and State elections, the stakes are too high, and we recommend against capturing votes over the Internet. This has nothing to do with Helios itself: we just don’t trust that people’s home computers are secure enough to withstand significant attacks.
It's conceivable that you can build a formally verified hardware device that handles the actual voting, and you probably also make sure that the software running on this device is all signed and authenticated with your trust rooted in hardware. And you can then secure your connection to the voting servers using this hardware device.
It would be very expensive, and you still can't be sure you don't have bugs, but it would address a lot of the concerns you're raising.
Except, even with something like Helios, it becomes, at best "the testimony of the personal computers of each voter, which are also easily hackable". In the extreme, it gives you a system where Intel can probably decide the result of every election.
Edit: However, see the Estonia example at the bottom of this comment thread. I might be convinced that a combination of technology and procedural safeguards can give us an online voting system at least as "secure" as our deeply flawed but functional online banking/credit system.
IMO the minimal security requirements for online voting must include fully open source code. I don't mean open source licensing, but the entire implementation must be open to public review and audit.
Even with that, I have my doubts. On the other hand, traditional paper ballots are certainly prone to all kinds of fraud, and on balance I'd say an electronic system should be able to do better, if not be perfectly secure.
> and on balance I'd say an electronic system should be able to do better
Based on what evidence?
Paper fraud requires a physical presence, and the scope is limited to what a person or group of people can achieve.
Breaching electronic systems can happen on the server or client (conversations around the latter are noticeably absent from arguments by e-voting proponents). Breaches can be orchestrated from anywhere, including locations with no extradition agreement, and can use botnets to scale infinitely.
Agreed. I have argued for this with other technical people and they still argue the opposite however.
I am in New South Wales and have raised the source issue to all the candidates in my electorate. I usually get blank stares over this point. This worries me deeply, as how can someone who does not understand the implications of what they are doing legislate laws about it?
I would like to see it done better. No idea how but perhaps the taking of a test to prove some level of knowledge before being allowed to vote on any issue.
Sure there are risks to online voting but it's significantly less risky than many of the other pieces of critical infrastructure that rely on the Internet. The risks of online voting can generally be controlled through policy and oversight, in a similar way to non-online elections.
Paper ballots work fine and, in Australia, would require the systematic subversion of hundreds of electoral officials and thousands of mutually-hostile scrutineers to rig a vote.
Meanwhile, no electronic voting system, no matter how clever, is any further than one fuckup or one dirty sysadmin away from being a total fraud.
Democratic legitimacy is an expensive feature, but it is worth every cent.
> no electronic voting system, no matter how clever, is any further than one fuckup or one dirty sysadmin away from being a total fraud.
Not entirely true. The best electronic voting systems require multiple fuckups and/or multiple dirty developers and hardware manufacturers to become a total fraud. Not saying that is safe enough for elections yet, though. But there is no reason why you can't add multiple checks and balances and mutually-hostile guarantors to an electronic voting system.
The biggest problem is that the NSW Electoral Commission is holding secrets (the source code among other things). That's fundamentally at odds with a secure voting system.
If the system is algorithmically secure, there should be no need to rely on the security of the NSWEC, past a set of secret keys.
If the system relies on the security of the NSWEC then it is open to subversion by someone who knows the NSWEC's secrets.
If the system is algorithmically secure, and the NSWEC is still not releasing information, then the NSWEC is simply undermining trust in its own system.
I suspect that part of the problem is that the NSWEC is a bureaucracy, which has to justify its own existence. A secure on-line voting system, with minimal secrets, would largely make the NSWEC redundant on election day. The NSWEC need to accept that its job is to set up a secure system, then on the day relegate itself to a monitoring function on a par with any other interested citizen.
> Not entirely true. The best electronic voting systems require multiple fuckups and/or multiple dirty developers and hardware manufacturers to become a total fraud. Not saying that is safe enough for elections yet, though. But there is no reason why you can't add multiple checks and balances and mutually-hostile guarantors to an electronic voting system.
But any citizen can check each of the paper voting system's steps, and that is definitely not possible for an electronic voting system.
It is possible: provided the system generates the right kind of audit information and voting receipts, and the citizen has a trusted device in which to check the protocol computation. You can use signatures for verification and mix-nets or homomorphic encryption for anonymity. There are plenty of security risks in practical implementations of electronic voting, but I would not say "definitely not possible". Not saying I trust the system being discussed or that I think we should have mass online elections just yet, but this is an area under research and the results look more in the direction of "likely feasible" rather than "likely unfeasible". Which is actually quite important if we are ever going to move towards any form of democracy more direct/gradual than voting every X years for people who vote on the actual decisions.
Note that the paper voting systems are also quite hackable in practice. It is actually pretty hard to track your own vote and make sure it was counted correctly, that the votes in all districts were added correctly and, when you find your vote miscounted, proving fraud is quite hard as well. I should know, I voted in this election: https://en.wikipedia.org/wiki/Mexican_general_election,_2006...
You lost me there but I agree you are right concerning the possibilities of electronic voting systems and its inherent safety and accountability depending on the implementation.
But then I say paper requires less technical skills and is an order of magnitude less expensive than the cost associated with a safe and sane voting system ?
> Note that the paper voting systems are also quite hackable in practice. It is actually pretty hard to track your own vote and make sure it was counted correctly, that the votes in all districts were added correctly and, when you find your vote miscounted, proving fraud is quite hard as well. I should know, I voted in this election: https://en.wikipedia.org/wiki/Mexican_general_election,_2006....
> On August 28, the TEPJF announced the results of the partial recount, subtracting 81,080 votes for Calderón, 76,897 votes for López Obrador, 63,114 for Roberto Madrazo, 5,962 for Patricia Mercado, 2,743 for Roberto Campa, and 7,940 for the remaining candidates. A total of 237,736 votes were annulled out of the approximately 4 million votes recounted. That means around 6% of the recounted votes were annulled.[29][30]
Wow. That is indeed a good example in favour of electronic voting system.
Intuitively: you can add a list of encrypted numbers and then decrypt only the result. Additionally, you can prove that the decryption is correct without revealing the private keys. Decryption keys can be distributed so that no single person can decrypt the votes directly. So, you track your encrypted and signed vote until it goes into the counting process and then you verify the zero-knowledge proofs that tell you the counting was done correctly, but the counting itself doesn't tell anyone anything about individual votes, just the sum of votes for each candidate.
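The sketch above (add encrypted ballots, decrypt only the total, prove the decryption correct, and split the key across trustees) can be shown end to end with exponential ElGamal and a Chaum-Pedersen proof. This is an added example, not code from the thread or from any real voting system; the group parameters are a toy safe prime chosen for readability, not a secure size, and the two-trustee key split is a constructed assumption.

```python
import hashlib
import secrets

# Toy parameters (NOT secure): safe prime P = 2Q + 1; G = 4 generates the
# order-Q subgroup of quadratic residues, so every value below has order Q.
P, Q, G = 2039, 1019, 4

def keygen_shares(n_trustees):
    """Each trustee keeps a private share x_i; the election key is
    h = g^(x_1 + ... + x_n). No single trustee can decrypt alone."""
    shares = [secrets.randbelow(Q - 1) + 1 for _ in range(n_trustees)]
    h = 1
    for x in shares:
        h = h * pow(G, x, P) % P
    return shares, h

def encrypt_vote(h, v):
    """Exponential ElGamal: (g^r, g^v * h^r) with v = 1 for 'yes', 0 otherwise."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), pow(G, v, P) * pow(h, r, P) % P

def add_ciphertexts(cts):
    """Homomorphic tally: the product of ciphertexts encrypts the sum of votes."""
    c1, c2 = 1, 1
    for a, b in cts:
        c1, c2 = c1 * a % P, c2 * b % P
    return c1, c2

def _challenge(*vals):
    """Fiat-Shamir challenge over the proof transcript."""
    data = ",".join(str(v) for v in vals).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def partial_decrypt(x, c1):
    """Trustee publishes d = c1^x plus a Chaum-Pedersen proof that
    log_g(h_i) == log_c1(d), i.e. the same x was used, without revealing x."""
    d, h_i = pow(c1, x, P), pow(G, x, P)
    w = secrets.randbelow(Q - 1) + 1
    a1, a2 = pow(G, w, P), pow(c1, w, P)
    e = _challenge(G, h_i, c1, d, a1, a2)
    z = (w + e * x) % Q
    return d, h_i, (a1, a2, z)

def verify_partial(c1, d, h_i, proof):
    """Anyone can check the proof using only public values."""
    a1, a2, z = proof
    e = _challenge(G, h_i, c1, d, a1, a2)
    return (pow(G, z, P) == a1 * pow(h_i, e, P) % P
            and pow(c1, z, P) == a2 * pow(d, e, P) % P)

def tally(h, cts, partials, max_votes):
    """Verify every trustee's proof, combine the partial decryptions to get
    g^sum, then recover the (small) sum by brute-force discrete log."""
    c1, c2 = add_ciphertexts(cts)
    d, h_check = 1, 1
    for pd, h_i, proof in partials:
        if not verify_partial(c1, pd, h_i, proof):
            raise ValueError("bad decryption proof")
        d, h_check = d * pd % P, h_check * h_i % P
    if h_check != h:
        raise ValueError("trustee key shares do not match election key")
    g_sum = c2 * pow(d, -1, P) % P
    for s in range(max_votes + 1):
        if pow(G, s, P) == g_sum:
            return s
    raise ValueError("tally out of range")

if __name__ == "__main__":
    shares, h = keygen_shares(2)
    cts = [encrypt_vote(h, v) for v in (1, 0, 1, 1, 0)]   # constructed ballots
    c1 = add_ciphertexts(cts)[0]
    partials = [partial_decrypt(x, c1) for x in shares]
    print("yes votes:", tally(h, cts, partials, len(cts)))
```

Individual ciphertexts are never decrypted; a voter who kept a copy of their own ciphertext can confirm it is in the published list and check the proofs themselves.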
> But then I say paper requires less technical skills and is an order of magnitude less expensive than the cost associated with a safe and sane voting system ?
Right now? For national elections every X years? With our current understanding and computing infrastructure? Absolutely! I am not in favor of online voting right now (except perhaps for a limited number of remote votes for nationals outside their countries, possibly with reduced anonymity).
Where secure electronic voting could shine is in direct democracy systems, where you vote on at least some important resolutions directly or where you can revoke an administration's mandate at any time by getting a threshold number of "votes of no confidence" on it. If you have to vote every week, or every month (let alone daily...), then paper voting is unworkable.
> Wow. That is indeed a good example in favour of electronic voting system.
Actually, we have had electronic fraud before as well (in the global counting). So, I doubt electronic voting would fix democracy in Mexico either. At least not by itself. Just pointing out that the system being replaced is not infallible either...
Given that we're generally happy to trust online banking, my feeling is that there is a way to make electronic voting secure enough. Where you want to draw that line is subjective though!
>Given that we're generally happy to trust online banking, my feeling is that there is a way to make electronic voting secure enough. Where you want to draw that line is subjective though!
I don't think this is the right analogy.
* Citizens constantly monitor their bank accounts
* Citizens are *extremely* upset if an error harms them.
* There are procedures for reversing errors.
* There is a legal system for recourse if errors aren't reversed.
If a party wins an election fraudulently, and gains power, we don't have a good, non-traumatic mechanism for correcting that.
Changing $15,000 back to $18,742 is an easy, painless process. Replacing the ruling party is anything but.
Note that the screw up was easily observed and there was a mechanism in place to cope. It was also the first time in approximately 100 years that the recovery mechanism was needed.
Show me one system -- one computer system ever -- with a proved, actual (not projected) MTBF of 100 years.
> Paper ballots work fine and, in Australia, would require the systematic subversion of hundreds of electoral officials and thousands of mutually-hostile scrutineers to rig a vote
An "indicative count" is available on the night of an election, and final results take a few weeks.
A few weeks versus extremely high assurance of a legitimate count is an excellent tradeoff, in my view. Who is hurt by the delay? Nobody. It's already expected and accounted for.
As a profession we love benchmark porn -- latency! throughput! TPS! BPS! -- but optimisation is pointless if you undermine key guarantees. It's pointless to have an instant count if it can't be trusted. And the sheer unwieldiness of a paper ballot drastically amplifies the difficulty of subverting it.
The same way we make sure that non-online votes aren't tampered with.
Audits (of the procedures, devices and people involved in the votes as well as the results) as well as impartial (or mutually hostile) observers as well as a legal framework for declaring the legitimacy of the result with provision for partial or full reruns on the election in cases of doubt.
The security flaws found by that independent review aren't particularly worrying.
Clearly there are improvements that could be made but almost all of the problems that they found were procedural and the ones that were technical amounted to "if I can control the server I can control all the votes" or "if I can control a user's computer I can control their vote", which is not a surprising outcome.
If I control the vote counting depot I also control all the votes, if I coerce a person I also control their votes. We have dealt with these problems for more than a century, we can deal with them in an online context.
There is one way to make online voting secure that hasn't been discussed here: make the votes public. Publish a full list of who voted online and who they voted for. You could then vote online publicly or in person privately.
Why are people OK with this?