Schneier on Security

Now, could anyone remind me why we are so obsessed with security of the process of selection between several candidates which are nominated by some backroom deals and which have no significant differences in their agenda [which can be summarised, pretty much in "give us more money so we can reward our supporters"]?

The security is as weak as its weakest point -- and it is much easier to manipulate candidate nomination process than the vote count; in fact the American democracy already has been truned into a smokescreen allowing ongoing consolidation of power by the political class, outwardly displaying division and competition, but invariantly doing exactly the same things as soon as given power.

This is pretty much similar to worry about strength of crypto protocol when the RNG is broken and yields predictable sequence.

And, yes, this report is merely another part of the smokescreen. "..we are recommending that EAC establish..." - am I the only one who read that as "give us money so we could spend even more on writing papers nobody's going to use?"

> (1) some electronic voting systems did not encrypt cast ballots or system audit logs,
> and it was possible to alter both without being detected;
> (2) it was possible to alter the files that define how a ballot looks and works so that the
> votes for one candidate could be recorded for a different candidate; and
> (3) vendors installed uncertified versions of voting system software at the local level.

Wow, three pretty huge deal-breakers there.

I am particularly interested in how a unit's totals get transferred from the unit to whatever totalizer there is. If this transfer is compromised, then any efforts at securing the voting are wasted. However, this question has never been addressed in any news coverage I've seen.

The transfer is the most obvious place to gaff the election. If all we get is a declaration that a valid transfer took place between the transmitter and the receiver, then all a gaffer has to do is insert an extra device that will receive the valid transfer, replace it with the bogus data, and transmit that through a valid protocol to the receiver, and it's done. Once disconnected, there is no proof there was an insertion.

well, the transfer part is the same weak point as in current paper elections.. how does the local count get to the state election agency or whoever sums them up? Via telephone? As long as the two devices aren't in close proximity and election officials can compare the numbers before and after the transfer, it's prone to be rigged.

There are some safeguards with respect to the transfer. In many jurisdictions, the local totals are separately recorded and publically posted at each precinct on election night. Precinct workers and election observers can check those numbers against precinct by precinct totals published as part of the overall tally.

At least that's one way to make transfer fraud more difficult.

Take away our right to see the source code, and only criminals will see the source code.
In the voting machines, Diebold is using:
(1) WinCE for the OS
(2) A generic VB program to insert data into a
(3) Microsoft Access database
And a simple google search brings:
http://www.evolt.org/article/...
I'm just a 'tard and found out this info. The owner of the software and anybody else given access could have found it easier. Obscurity hides nothing.

How does one get a job at the GAO, anyway? They seem comparatively reliable and honest.

An odd rumor is circulating that the new Secretary of State in California is trying to reverse the previous Secretary of State's decertification of Diebold paperless voting machines:

http://rawstory.com/news/2005/...

For those who have not seen it yet, the Estonian local government councils elections e-voting results at http://www.vvk.ee/engindex.html might be interested. I would say it was quite a success, although the total number of Internet voters was only 1%. The biggest reason why the percentage was not higher is the lack of smartcard readers people have (80% of citizens have already electronic smartcard-based ID cards, but most have not bought smartcard readers for them).

The very fact that I was able to download, inspect and use the very software that was used by Diebold on voting machines in the last election is cause for concern. I was very easily able to alter the parameters and results with a minimum of effort and I am no whiz!

The transfer problem is also major weak point. Tranferred on chips like the small memory cards we all use in cameras, these could easily be exchanged even in full view with a minor skill in prestidigtation (palming one and switching for another), completely avoiding the need to tamper with the machines themselves.

Years ago I proposed a triple redundant encrypted transfer with a paper ballot not touched by the voter (avoids one source of possible tampering), and a voter receipt with a barcode which could easily be compared if there was ever any question.

I have yet to see any system incorporating these basic safeguards to the integrity of the voting system and voter asked for an adopted by any local election commision. At least in California they are now demanding a paper trail.

Isn't time we had a national commision to set minimum voting standards for all states, including who can vote and who cannot? In some states felons who've done their time can vote and in others like Florida they cannot. On a national level this causes distortion as well as other practices such as leaving voters on the rolls even after they've moved (Ohio, 2004).

"The very fact that I was able to download, inspect and use the very software that was used by Diebold on voting machines in the last election is cause for concern. I was very easily able to alter the parameters and results with a minimum of effort and I am no whiz!"

Even worse, the "solution" Diebold wants is for you to not be able to download and inspect the software.

[blah, blah, blah] risk analysis of the voting process, poll
worker security training, and chain of custody controls for
election day operations, [blah] testing equipment,
retaining audit logs, and physically securing voting systems
[blah, blah] security planning and management, risk
management, and procurement.

------------------------

This is all just a nice way of them saying, "We have no
clue about how to 'fix' the system to make it secure, so we're
going to throw out some things that sound technical and call it
good."

The solution is trivially simple; one need only recall the
problem that these systems were originally brought in to solve, and
you'll find the answer: the problems voters in Florida experienced
in using the butterfly ballot, and in performing the recount
afterwards. There was no need to electronically store
the votes. There was no need to transmit the votes to a
central location. There was no need to "make the system more
reliable."

The simple fix is this:

1) The voter uses the tablet to vote (no confusing butterfly ballots).

2) When he is finished voting, he prints out his completed ballot and verifies that it accurately reflects his vote.

3) He then drops the ballot into the voting box.

DONE. The ballots can be quickly scanned and tallied using an
optical reader. In the event of a challenge, the manual recount is
easy because there are no hanging chads to worry about; the vote is
clearly printed upon each and every ballot.

I find it interesting that "EAC sought..substantiation of claims in the reports issued by others." That makes it sound as if they are not attempting to prove that the election process is secure, but merely attempting to avoid someone else proving that it's not secure. That's certainly not a good way to ensure its security.

@ Bryon

I'll one up 'ya:

How about, state by state, county by county, we use already existing and low-cost technology, and perform a reality-show based declaration to vote -- whereby all registered voters stand up, state their name, and who they are voting for, all on "live" "un-edited" and "re-viewable by all" national (satellite) public television?

This could solve lots of problems, including the "I'm afraid to tell people who I'm voting for so I need to stand behind a curtain" - I mean, you'd have to be a real good non-corrupt candidate to run for office and be subjected to this kind of voting procedure, no?

P.S. "non-edited" includes no on-the-fly digital video editing that can be done SO fast that most folks never even notice.

dq.

"How about, state by state, county by county, we use already existing and low-cost technology, and perform a reality-show based declaration to vote -- whereby all registered voters stand up, state their name, and who they are voting for, all on 'live' 'un-edited' and 're-viewable by all' national (satellite) public television?"

Depends if you think a secret ballot is important or not. If you don't, there are all sorts of easy ways to vote securely. It's the secret ballot provision that makes it hard to secure.

@ Bruce

"It's the secret ballot provision that makes it hard to secure."

Hm. Right around 9/11, I was feverishly working on solving every holistic problem I could point to, including this one. While I'm not familiar with the actual "secret ballot provision" (which I will look up), I did boil the solution down to something like this: (it's vague to me now and somewhere buried in my notes which are all in storage)

Tie the voter's ID to their MAC address;
Have the Voting Authority connect to the voter's computer through a VPN;
Do a three-way, four-way, or five-way handshake;
Present the voter his/her options (as well as provide any information on the candidates necessary for those who aren't able to keep up);
Recieve the vote through the VPN

Or something like that. Is this another case where it "sounds good in theory"?

dq.

@ Bruce

re: my post --
"While I'm not familiar with the actual "secret ballot provision" (which I will look up)"

Good Lord. (rolling my eyes at myself). As usual, a quick search provided me enough information around the globe to immediately decide I'm not interested in this particular battle. There are much more interesting/productive ones at this moment in time.

dq.

In India,you don't have to worry about hacking , 'cos it isn't that developed to understand to hack these things or people are less bothered about this...encryption ......

Even if it is done nobody could or can possibly prove it.

This article throwslight onto things ,otherwise,doesn't say how you are going to encrypt the whole data and the intermittent data during transfer...

I would gladly give up secrecy in balloting in return for strong odds in favor of my vote showing in the totals.

Maybe public balloting would fix a lot of things, especially people who vote for someone or something they'd be ashamed to be caught supporting.

"Maybe public balloting would fix a lot of things, especially people who vote for someone or something they'd be ashamed to be caught supporting."

That's another way of saying: with public balloting, people would be more likely to vote what their peers expect rather than what they really believe.

This kind of thing cuts both ways, and I am very leery about giving up a secret ballot.

My problem with the balloting process is that there is an underlying presumption that it is possible to count all of the votes correctly.

It's not.

It doesn't matter what sort of ballots you use, paper or electronic or stone tablet. It doesn't matter what polling strategy you use. It doesn't matter how you count the votes, or how many times you count the votes, or who does the counting. There will always be error. If you're counting a significant number of votes, you're going to have a fudge factor. This isn't rocket science, it's basic human nature.

What makes more sense to me than anything else is to admit this and come up with a reasonable way to measure the error margin, then impose the error factor in an election.

The error margin needs to be established by people who have no vested interest in the process of balloting and counting.

If your method of counting is accurate +/- 5%, then the margin of victory must be > 5% (ie, if it's a straight majority to pass, > 55% need to vote yes, if it's a supermajority then >71.666% need to vote yes, etc.)

Suddenly very error-prone methods of counting will be very unlikely to have public support. In the event of a presidental election, if you can't determine an outcome outside of the error margin, neither side gets the electoral votes.

Now some people will say that this is taking away "one person, one vote". But "one person, one vote" isn't true now. Whether or not it had an affect on the outcome of the 2000 election, people in Dade County were robbed of their vote. In a mayoral vote in San Diego people who wrote in one candidate (but then failed to blacken in the oval on the ballot next to the write in candidate) were robbed of their votes. You can argue that either/both was reasonable or unreasonable given the rules of balloting, but the end point is still that the voters had a desire to cast a vote one way, and the vote wasn't counted.

"This is all just a nice way of them saying, "We have no
clue about how to 'fix' the system to make it secure, so we're
going to throw out some things that sound technical and call it
good.""
Yeah, absolutely. This GAO report is as fudgy as could be, and don't expect anything to change because of that. If you want fair and reliable elections, you'll have to stand up for it. A lot of people will have to stand up for it, otherwise your votes will just continue to be rigged.

@Pat Calahan: "If you're counting a significant number of votes, you're going to have a fudge factor. This isn't rocket science, it's basic human nature."
There's a huge difference between a host of human vote counters making some anavoidable but unsystematic errors, and an election technology that makes it possible to systematically manipulate the results. Furthermore, as long as close results can be verified by recounting, the anavoidable error margin (which can be reduced if at least four eyes count each vote) doesn't prevent reliability.

@Bryan: You are apparently not blind or sight impared--if you were that would not seem like a solution at all.

@Pat Calahan & piglet
You have both inadvertenly hit on why many electoral systems demand preliminary and runoff elections (which are party agnostic) instead of our party/caucuss primary system.
It is also worth noting that while the repeated counting of anything will decrease error when those things can be identified individually, any systematic source of error will be the limiting factor (not just things related to people and their lack of disinterest in an election that will affect the way that the place that they live in is run)--but there is no guarantee that repeated recounts under EXACTLY the same conditions will decrease the error rate of counting annonymous items (standard ballots, for example).

The idea of using "digital" systems (may they be mechanical or software-based) is that recounting will not be needed due to the on/off nature of the vote data (assuming the security of such data) itself. This is why people are turning to computers. Those of us in computer security-related (and mathematics-related) fields know why this is folly--but we are by far in the minority.

As for the need of a secret ballot--I have to say that I agree with Bruce. Look at what President Mugabe is doing to the people in his country whom supported the opposition party. No more needs to be said.

Remember, where there is no trust there cannot be true security. Where is the weak link?

@ piglet

> There's a huge difference between a host of human vote counters making some anavoidable
> but unsystematic errors, and an election technology that makes it possible to systematically
> manipulate the results.

Oh, I agree totally. I wasn't trying to give the impression that I thought that voting machines were "okay" because all counting methods are flawed. Voting machines are decidedly less okay (IMO) because both their tallying ability and their auditing ability are integrated into one dingus. This is bad.

> Furthermore, as long as close results can be verified by recounting, the anavoidable
> error margin (which can be reduced if at least four eyes count each vote) doesn't prevent reliability.

My point is that "close" results can't be verified by recounting, because the recounting is going to be inaccurate as well (for some value of "close").

Imagine this as a test: I hand out 100,000 paper ballots to 100,000 people. It doesn't really matter how I tell them to mark them up -> ovals you dark in, holes you punch, whatever. I have everyone "vote" on say 10 different "issues", and turn them in.

Now it's time to count. Some ballots will be smudged, or have hanging chads, or will have end-user errors or some sort (write-in candidate with no corresponding darkened oval, or someone just has voting dyslexia and darkened the wrong oval), or whatever.

Any way you count it (even if you have 100% accuracy on the "countable" votes), you're going to have an inaccurate representation of what those 100,000 people originally wanted. This is what we're trying to reduce, right?

So you have someone analyze the method you use to distribute, cast, collect, and count the ballots and come up with a reasonable fudge factor (this is admittedly hand-wavy, I don't know what the best way is to do this, I just think it's a good idea).

If you have 100,000 votes with a manual four-person recount, your error factor will be very very small. But in 100,000 people, at least *some* are going to be boneheads and mark the ballot wrong or what have you. They may be at fault for screwing up, or there may be a problem with the balloting procedure or whatever, but the fact remains those people are disenfranchised.

My point is that this is unavoidable (at least in a secret ballot) -> some people are always going to be disenfranchised. By its very nature you can't have a good audit trail for a secret ballot, or the ballot isn't secret anymore. There's really nothing you can do to guarantee that everyone's vote is counted accurately (unless you want to go to a multiple-balloting system, but then people won't vote because it's too aggravating a procedure to "vote" for the same things two or three times using different methods).

Forcing the count to pass the error threshold means that you're more likely to get a result that is what the people want. It also means that if someone analyzes a balloting technique and says, "Using this device results in an error margin of 20%", nobody's going to use that device.

@ RvnPhnx

> As for the need of a secret ballot--I have to say that I agree with Bruce. Look at what
> President Mugabe is doing to the people in his country whom supported the opposition
> party. No more needs to be said.

We don't even need to go abroad. Imagine what the McCarthy hearings would have looked like if HUAC could get their hands on voting records, "Mr. Schneier, I have in my hands your voting records from 1936. You voted for a Socialist candidate in the mayoral election in Chicago. And you say you're not a Communist sympathizer?!?!?"

@ myself

> at least *some* are going to be boneheads and mark the ballot wrong or what have you.

Case in point, I'm looking at my midterm in my graduate school class and I darkened one oval completely wrong. I knew the correct answer, and just bubbled in the wrong circle.

"bonehead" is a human state of mind and not an indicator of intelligence :)

Pat, I'm not sure whether you are right but this is a technical question that doesn't interest me much. "But in 100,000 people, at least *some* are going to be boneheads and mark the ballot wrong or what have you." Well, but it's the boneheads' own fault, isn't it? You can't prevent this. The Swiss once voted on whether to close down their nuclear power stations. A close majority voted against, but polls showed afterwards that a considerable number of voters had voted "No" in the belief to vote against nuclear energy - but they should have voted "Yes, we want to close those nuclear plants".

Citizens shouldn't act that stupid, but it happens. One of the Achilles heels of democracy is lack of interest, and of competence, on the part of the citizens. This is not a technical problem and can't be addressed by the choice of voting procedures. The other Achilles heel is the lack of real choice, the power of corporations and media conglomerates and partisan machines. I hold this to be much more serious than the human error factor.

@ piglet

Righto. The interest of the citizens is only amplified by an (in)ability to process sufficient information to make a correct decision.

There are some countries where all the candidates and ballot measures are represented by icons, due to a high rate of illiteracy. You either vote for the chair or the snake -- and you can imagine the implications of the images themselves. I also just read that during the recent California ballot initiative some people recieved propoganda saying "these famous people want you to vote yes" and so that's how they voted. It wasn't until after the election that they discovered they'd been fooled.

Secret balloting is needed (at least in places like Chicago where I live) to make buying votes impractical. Right now you could give me $100 for my vote, but there is no way for me to prove I voted for you. If you make proof easy, vote buying will follow en masse.

"Secret balloting is needed (at least in places like Chicago where I live) to make buying votes impractical. Right now you could give me $100 for my vote, but there is no way for me to prove I voted for you. If you make proof easy, vote buying will follow en masse."

As long as there are mail-in ballots, vote buying is practical. If you give me $100, I can give you my blank signed absantee ballot.

@ piglet

> I'm not sure whether you are right but this is a technical question that doesn't interest me much.

Fair enough. I don't remember all of my undergraduate statistics, but there is considerable research in polling error margins (think Gallup).

Counting without audit is really hard.

> Well, but it's the boneheads' own fault, isn't it?

Sure.

I was just including that as an illustration that the current "infallible one man one vote" theory is... uh... fallible.

I've tried to argue the addition of an error margin with quite a few people and they always seem to think that I'm talking about throwing people's votes away. "On the contrary," I tell them, "I'm trying to make sure that the balloting process results in an accurate picture of the majority."

@ Bruce

Mail-in voting ("It will increase turnout and make things easier on the electorate") exists because (a) people are lazy and (b) somebody somewhere thinks that increasing voter turnout is a worthy goal in and of itself.

It's not, IMO. I'd rather have an accurate tally of the set of people that care about voting than a potentially polluted tally with exactly that sort of ballot stuffing enabled.

We know that mail in ballots are a source of fraud. But because they are tied in with emotional issues (military service, elderly and disabled citizens, etc) you can't get rid of this - to say that these voters don't "care about voting" won't wash with most Americans.

It's not true either. There are legitimate reasons for not being able to vote personally on election day. Mail-in ballots are a security vulnerability but I would think it rather difficult to exploit systematically. In Florida 2000, they decided to breach the rules and count late ballots. The problem was not mail-in ballots but the fact that the responsible authorities were not impartial - actually the worst thing that can happen in an election, and still the biggest vulnerability of the US election system. In 2004, as in 2000, Bush was declared winner by a republican secretary of state and pro-Bush campaigner, a state of affairs which is otherwise only known from one-party-regimes. Heck, how come nobody is talking about that?

I have voted absentee in the past. While it is possible to exploit the system most of the exploits I've heard about had a lot more to do with FAKE ABSENTEE BALLOTS than vote/ballot buying. Also, it is federally illegal to prevent citizens from voting just because circumstances that are not completely under their control prevent them from being within an appropriate distance of an authorized voting location for their district (being in another country getting shot at for minimum wage comes to mind) on election day.
It does, however annoy me that permanent residents of other countries (Israel in particular--not to pick on them, but this is the case) often retain their USA citizenship (and vote in our elections) HAVING NO INTENT WHATSOEVER TO RETURN to the USA as a permanent resident. I think that honestly there should be a requirement to actually reside in the USA for a minimal portion of an election year to be elegible to vote IF you are also a citizen of another country--or that you demonstrate an intent to return (punishable under perjury statutes) for a certian minimal period of time during the term of the shortest appointed political official that you vote for. (I recall that once upon a time such a restriction did exist in a much more draconian form.)

"In 2004, as in 2000, Bush was declared winner by a republican secretary of state and pro-Bush campaigner, a state of affairs which is otherwise only known from one-party-regimes. Heck, how come nobody is talking about that?"

Well, actually the Bush campaign appealed the Florida Supreme Court's ruling that favored Gore and an official recount was stopped by the conservative Federal Supreme Court on a 7-2 decision, and a 5-4 decision said that no new recount would be allowed. Most disturbing, perhaps, is that the Supreme Court even admitted that the block on recounts should not be used as precedent:

http://straylight.law.cornell.edu/supct/html/...

"Our consideration is limited to the present circumstances, for the problem of equal protection in election processes generally presents many complexities. The question before the Court is not whether local entities, in the exercise of their expertise, may develop different systems for implementing elections. Instead, we are presented with a situation where a state court with the power to assure uniformity has ordered a statewide recount with minimal procedural safeguards. When a court orders a statewide remedy, there must be at least some assurance that the rudimentary requirements of equal treatment and fundamental fairness are satisfied."

I'm no lawyer, but every time I read this it says to me "ok, the election results are questionable and probably unfairly influenced, but without ideal conditions for a recount we can not allow the results to be validated".

What makes the results from a system with unknown but potentially severe integrity issues more valid than a recount with oversight and known issues?

Davi, my point is that the rules were interpreted (and even made on the spot) by partisan politicians, not by an independent election board. The people in charge of the Florida election were the brother of the candidate (the governor) and his campaign chair (the secretary of state). It was them who ordered the counties to stop the recounts, and they were in charge of certifying the results and declaring the winner. If this happened, say, in Zimbabwe, nobody would call it a fair election.

@ Piglet

> There are legitimate reasons for not being able to vote personally on election day.

I agree. However, it seems like these legitimate reasons can be lumped into several classes and dealt with on a class basis, instead of enabling a blanket solution of mail in voting.

Obviously people deployed in the military should be allowed their vote. People on diplomatic assignment should be allowed their vote. (Neither of these classes require a mail-in ballot, since polling places "in the field" can be arranged).

Someone who chooses to go on vacation to Fiji during the week surrounding election day, not so much.

>As long as there are mail-in ballots, vote buying is practical. If you give me $100, I can give you my blank signed absentee ballot.

When I was in college in California I voted absentee in Illinois. I received the ballots and instructions by mail. I had to take them to a Notary Public. There was one in the college administraction building. The Notary read the instructions, which told her to first inspect all the ballots to confirm that they were blank. At the time, I didn't undertand the reason for that. Now I do. Then I marked the ballots, keeping their faces toward me and away from her, and sealed them into envelope A (which did not identify me). Then she notarized a document I signed, and we put that document and envelope A into envelope B. (I no longer recall how we mailed envelope B.)
I would say that the procedure we followed was about as receipt-free as it could have been, and gave a reasonable expectation of voter privacy.
I haven't voted absentee since then, but I understand that the practice has become more lax.

--Mike Amling