Estonia Urged To Drop Internet Voting Over Security Fears
wiredmikey (1824622) writes "A team of global IT experts have urged Estonia to drop electronic voting from this month's European elections, saying they had identified major security risks. They also said the system's operational security is lax, transparency measures are insufficient, and the software design is vulnerable to cyber attacks. 'Estonia's Internet voting system blindly trusts the election servers and the voters' computers,' said U.S. computer scientist J. Alex Halderman, a co-author of the report released Tuesday. 'Either of these would be an attractive target for state-level attackers, such as Russia.'"
The source for the voting system is available for anyone to inspect. The Estonian National Electoral Committee released a statement dismissing the researchers' claims: "At this point, we can give only preliminary answers to allegations published in the Guardian, as the researchers have not shared the full results of their work with us. The researchers met with officials from the electoral committee in October 2013, and could have contacted us at any point in the last 6 months to share the initial findings of their research. ... The researchers have not discovered any new attack vectors that had not already been accounted for in the design of our system as a whole. ... It is not feasible to effectively conduct the described attacks to alter the results of the voting. ... The electoral committee has numerous safeguards and failsafe mechanisms to detect attacks against the elections or manipulated results."
Ooh... (Score:4, Funny)
In practice, doesn't that end up being an ass-covering official equivalent to "We're pretty sure that Norton hasn't expired and we probably ran Windows Update pretty recently unless the junior admin was out that day" fairly frequently?
Re: (Score:3)
http://www.zdnet.com/the-poste... [zdnet.com]
So yes, I think their safeguards and failsafes extend beyond Windows Update and Norton. Open sourcing their code reduces the black-box vulnerabilities well beyond that level to begin with.
Re: (Score:2)
And on a different thread somebody was making the claim that nobody has ever posted such a comment.
Re: (Score:2)
Well, I don't know how much you know about European geography and politics, but I am afraid that Estonia is far from being a "Mayor" country, it's rather on the small-ish size, even compared to my country, the Netherlands. Its votes in the EU have a certain weight, but well... they aren't exactly shit, but I wouldn't say they are worth "trillions" of anythings, except for Zimbabwean dollars, maybe.
And regarding the adjective "succesful", well if in your dictionary this means "not totally ruined" you might
Re:bollocks (Score:5, Insightful)
maybe.
but for voting of the parliamentary DO NOT FUCKING USE INTERNET VOTING.
why? technical cheating? actually no. that's just one worry. even if it worked 100% secure the main problem of *being able to sell your vote* remains. that also means your spouse can intimidate you into voting who he/she wants. your employer can intimidate you to vote who they want you to vote for. the local mafia can pay a visit and demand you vote for their candidate.
Re: (Score:2)
> maybe.
> but for voting of the parliamentary DO NOT FUCKING USE INTERNET VOTING.
> why?
NSA..... nuff said.
Re: (Score:2)
> the local mafia can pay a visit and demand you vote for their candidate.
That's just not scalable though. How many people can the mafia personally witness voting and have it affect an election, and keep it under wraps? Measures to prevent those scenarios are non-technical measures.
Re: (Score:2)
In former Soviet countries?
As many as they want. All they need to do is hire additional hands.
Re: (Score:2)
every vote counts.
they can do enough.
but being deprived of your right to vote who you want is enough, even if it just happens for 100 000 or whatever, easily done if they have 1000 enforcers. but that's not really the point, it's enough that their candidate gets more votes than the candidate who wasn't cheating.
and they don't really need that much in estonia. if they got a party/coalition that gets without cheating 100 000 votes and they get 100 000 extra votes through cheating or whatever then they
Re:bollocks (Score:4, Informative)
I once asked this to an Estonian government person at an e-voting presentation in my country. Her answer: "We let you vote many times. Only the last one counts."
That would allow you to vote at the workplace, then go home and vote again.
Of course, you can gather people at the election day, two hours before booths close, and have everybody vote for $foo. Then, throw a party and lock them in (or something like that), and secure the vote is "right".
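The "only the last one counts" rule described in the comment above, written out as a tally. This is an added example, not part of the original comment and not the Estonian system's code; the voter IDs, timestamps, candidates and the two-hour window check are constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data: closing time, voters and choices are made up.
CLOSE = datetime(2030, 1, 6, 20, 0)


def t(hour, minute=0):
    """Helper for building constructed timestamps on the sample election day."""
    return datetime(2030, 1, 6, hour, minute)


# (voter_id, cast_time, choice), in arrival order at the server.
BALLOTS = [
    ("alice", t(9), "foo"),        # cast at the workplace
    ("bob", t(10), "bar"),
    ("erin", t(15), "bar"),
    ("erin", t(11), "foo"),        # older ballot that arrived late
    ("carol", t(12), "bar"),
    ("alice", t(17), "bar"),       # re-vote from home replaces the 09:00 ballot
    ("carol", t(19, 45), "foo"),   # cast 15 minutes before close
    ("dave", t(20, 5), "foo"),     # cast after close
]


def effective_ballots(ballots, close):
    """Return ({voter: (cast_time, choice)}, rejected) keeping the latest valid ballot."""
    latest = {}
    rejected = []
    for seq, (voter, cast, choice) in enumerate(ballots):
        if cast > close:
            rejected.append((voter, cast, choice))
            continue
        # Compare by cast time, not arrival order; arrival order only breaks ties.
        key = (cast, seq)
        if voter not in latest or key > latest[voter][0]:
            latest[voter] = (key, choice)
    effective = {v: (key[0], choice) for v, (key, choice) in latest.items()}
    return effective, rejected


def tally(effective):
    """Count one ballot per voter."""
    return Counter(choice for _, choice in effective.values())


def short_override_window(effective, close, minimum):
    """Voters whose counted ballot left less than `minimum` to cast a replacement."""
    return sorted(v for v, (cast, _) in effective.items() if close - cast < minimum)


if __name__ == "__main__":
    eff, rejected = effective_ballots(BALLOTS, CLOSE)
    print(dict(tally(eff)))
    print("rejected:", [v for v, _, _ in rejected])
    print("late counted ballots:", short_override_window(eff, CLOSE, timedelta(hours=2)))
```

The last function makes the comment's caveat measurable: a ballot cast shortly before close leaves the voter little time to override it, so the share of counted ballots in that window is worth watching.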
How many do you need? (Score:2)
In a small country with 1.3 million inhabitants, a couple tens of thousands of votes can be decisive.
Or: How small the margin for a polemic vote? In Mexico, we have had presidential candidates winning with a (much disputed) 0.55% difference to the second place. How many votes do you need to rig such an election?
Re: (Score:2)
That's easy. Let the user register as many accounts as they want with the electoral commission, with only one actually tied to their voter ID and actually tallied (note: registration should be *not* over the net! Should ideally be in person, with photo ID presented). A second party can thus sit right behind you during the election, watch you log in and cast a vote... and they have no idea if they were watching you actually vote or just register a fake vote on an account not connected with anything.
On the ot
Re: (Score:2)
> with paper voting, the person can (usually) just take a photo of their ballot with their cell phone to prove who they voted for.
Take picture of one ballot and submit another.
Re: (Score:1)
Only your last vote counts. So you can sell your vote as many times as you like. You'll just vote again after that.
Re: (Score:2)
Most states allow voting by mail. Doesn't that present the same problems?
Re: (Score:2)
Some of the same problems. In many cases you can cancel your mail vote by going to a voting booth.
If mail voting was popular, it would need to be made more secure.
Re: (Score:2)
Already solved by not allowing non-voting persons in voting area (not only in voting booth).
Re: (Score:2)
I think being able to explain something to an ordinary person is an unreasonable requirement given the level of intelligence of an ordinary person. I don't think it's desirable to have an election system that does not involve any math.
What percentage of American citizens understand the electoral college?
The results of a proper electronic election are better able to be verified by intelligent people.
With electronic voting, you can store not only the vote totals, but also who voted for what in a way that is
Re: (Score:2)
By your reasoning, mail in ballots are just as problematic as internet voting. People can offer to buy your mail in ballot. Your spouse or employer can intimidate you into signing up for mail voting and vote for you. The mafia can pay you a visit and demand you sign up for mail voting and give the ballot to them.
Re: (Score:2)
But we can't send in the troops to coerce them to vote our way if they do it online!
Er, I mean, the populace can't vote 107% for breaking away from their oppressive government.
Potential for abuse dwarfed by benefits (Score:1)
Hate on e-voting all you want, point out all the ways a malicious person could mess with it, but don't tell me that e-voting is not going to happen. Being able to instantly poll your entire population without having to go through the trouble of setting up polling stations nationwide and get people to those places will transform democracy.
Re:Potential for abuse dwarfed by benefits (Score:5, Insightful)
Re: (Score:2)
E-Voting per se is wrong. There is only one method to make sure that every vote counts, and that is public counting of the vote. Every tabulation of votes in a machine makes a public counting impossible.
That all depends on the implementation. For example: voter logs into secure site and enters vote. Secure site is connected to a card punch. After polls close cards are fed into card reader and counted. Hand counting can still be done.
Re: (Score:2)
That must be why we don't do that in the U.S.
I wonder why my state closed all polling stations (vote by mail only) and made it ILLEGAL to ask for ID when signing up to vote.
They allow registrations with a common address such as the county courthouse saying this is needed by the homeless.
Nice follow up was the change in law to require you to know a voter's name/age/address if you wanted to challenge votes even in districts with more votes than registered voters.
It should not happen (Score:2)
It might still happen, but many among us will still fight for the population to understand the unavoidable security risks in doing so. We have the duty to do so.
Re: (Score:2)
I might be modded down for my opinion on a technology loving website
With all due respect, I think you're mistaken. Slashdot is a website where experts in one area of technology complain about how terrible another area of technology is, and how it's risky and doesn't bring much benefit.
We Slashdotters often really hate technology, but we make exceptions for our own fields.
The level of security required seems unsustainable (Score:2)
The issue is that you only get real security when the people in charge of the security are both well funded and the organization as a whole takes security very seriously.
To my knowledge, the only organizations that really tend to have good security are banks and government intelligence. And in both of these we've seen major security breaches.
I think the attraction of corrupting the voting system simply outweighs the internal pressure to secure the system such that if implemented, a digital voting system wou
Re: (Score:2)
Well... I think something that might help is if they had a two part secret key system. Wherein the identity of any individual vote could only be unlocked by the person that cast it.
Then make it possible for voters to query how their vote was calculated. So if I personally voted for X then I checked the system and it says that my vote was counted as Y then we know there was tampering or at the very least a mistake.
This would make vote altering harder because they wouldn't be able to change the vote tally to
Re: (Score:2)
No one can know what you did in the voting booth without the voter's encryption key. Under the system I laid out, the vote could be counted without the voter's encryption key. However, the votes could not be verified without that key.
The point of the encryption is to create an independent and untouchable tally of the vote.
It would be very impractical to audit the list since it would require every voter personally decrypt their vote and cross check it. But it would be secure. No one besides the person that c
Re: (Score:2)
Your scheme is very similar to what we use in Debian for voting for the project leader [debian.org] (unlike the fully-open tally sheets for voting on issues, not people [debian.org]). However, this scheme is good only where people trust each other, for occasions where you know there will be no vote buying/coercion. Not for a national elected government.
Re: (Score:2)
I don't see the problem with my scheme in regards to trust. Only I can identify which vote is mine. The votes are anonymous. The ID on each vote would at most say where the vote was cast not who cast it. I would know which vote was mine because I would record the ID number of MY ballot at the time of casting the vote. That ballot ID would not be associated with my identity in any way. Further, that ballot's encrypted ballot would only be accessible to me and only if I decrypted it with my password. The point
All nice and dandy, but... (Score:2)
The problem with voter-verifiable systems is that they are very prone to vote coercion or buying. If you can prove your "right way" vote was correctly counted, you can get the cheque. Or avoid the punishment for exercising your free will.
Re: (Score:2)
As I said, that's a reasonable criticism. The alternative appears to be leaving the system so vague that insiders could easily fake votes, inflate voter rolls, or simply miscount the votes.
Again, we've had many districts report in with more people voting than are registered to vote. That isn't possible... unless there is fraud.
You can't be complacent about that and then claim to give a shit about voter intimidation or vote buying. Because at the end of the day creating votes out of thin air is a great deal
Re: (Score:2)
Less than 1 percent of our population has ever really understood the system. What percentage of internet users actually understand the internet?
Probably less than 1 percent.
Your argument that they need to understand it for it to be practical is absurd. People interact with and use things all the time without fully understanding their inner workings.
What is most important is that those inner workings are self consistent with stated goals, transparent, efficient, and sustainable.
The existing system runs contr
Verifiable vote is coercible vote (Score:2)
If you can prove your vote was correctly recorded, then you might be more easily persuaded to sell it — be it that you receive a pay for it, or you receive the service of not getting your bones broken.
A vote once cast is just a piece of paper among many. Nothing should tie it to a voter's identity. A voter should be unable to prove he voted a particular way.
Re: (Score:2)
A voter should be able to prove to *themselves* that they voted in a particular way and it was registered and counted, but not be able to prove it to *others*.
How do you expect that to be feasible? (Score:2)
Say this system is approved. Say you want to buy my vote. You demand proof that I voted the way you wanted me to — If the e-voting platform allows me to confirm my vote was properly counted. So, all you have to do is to promise me to hand over the money if I prove you I did what we agreed. (or you can threaten me with physical violence unless I can prove it to you, same reasoning).
A secure voting system should never allow me to prove what was my vote — But that would make me very suspicious, as
Re: (Score:2)
Like I just said, it should be able to prove it to *you*, but not in a manner you should be able to prove to *others*. Why did you ignore what I wrote and go on and on about a system wherein it would be possible to prove to others?
You have a brain. Information can reside in your brain. You cannot (reasonably) prove to others what information exists in your brain, but you can use that information to validate what you see to yourself. Thus, if there is any piece of information in your brain that you cannot co
Re: (Score:2)
I did read your previous comment, and did reply to it.
Again: I offer you $100 for your vote, if you prove me you voted for my candidate. You go in and vote. You generate this secret code, known only to you. Then, you come to my evil lair, connect via my computer to Teh Interwebz, and type in your secret code. The system verifies you voted for my Master, and I give you your well-earned money.
That should be impossible. But any system where you can prove *to yourself* you voted a certain way opens the door to
Re: (Score:2)
And how do you know it's *actually* my secret code, and not a dummy code showing a vote registered for someone else or not registered at all?
This is simply false. You can prove things to yourself without bei
Re: (Score:2)
You make a good point. This was something that did happen in the US at one point. People were intimidated to vote a given way and bribes were offered for people that voted one way or the other. Typically the bribes were something cheap like free beer or something. The threats were as you said broken bones... or in some cases employers would hang out at the polling station and fire people that voted contrary to his instructions.
So I really do appreciate your point. That said, I would like the confidence to k
At least... (Score:2)
Plus they might be able to make the vote look in favor of remaining away from Russia by simply manipulating the totals after Russia has manipulated them first...
Re: (Score:2)
Seriously, A+. People act as if non-internet voting isn't already plagued with huge problems, many of which a secure net voting system can eliminate. I mean, come on, in the last presidential election Chechnya had 99.59% turnout with 99.82% voting for the "Butcher of Grozny" [nytimes.com], with one precinct in Grozny with turnout over 107%. Think that's legit? Vote corruption in places like Russia is often done at the precinct/district level, levels which are entirely eliminated by net voting. You also reduce the threat
Re: (Score:2)
Even in Chechnya, where bad guys control pretty much all parts of the voting process, it is obvious to an intelligent person that there is fraud.
With electronic voting, the fraud will be much harder to spot.
Re: (Score:2)
And does electronic voting solve any of these problems?
The article points out that Estonian e-elections increase(!) risk of fraud. You just said, that since there can be fraud with conventional elections, it doesn't matter, how elections are done. It just makes no sense. If there are risks of fraud, they should be minimised, not increased.
Re: (Score:2)
That doesn't even remotely resemble what I wrote.
Cat tongue (Score:1)
> Source code is publicly available
I'm going to suggest something: a publicly-accessible read-only port to the ROM where you can put in a USB and pull the entire ROM off automatically. Then people can confirm it matches the official binary, which people can confirm by compiling the source code themselves.
It must be hardware-level and not under control of the processor or ROM so spoofing would require infiltration of the voting machine hardware.
Self Auditing and independent auditing (Score:5, Insightful)
The same with facebook. If suddenly my posts are all encouraging people to help out a Nigerian prince then I've been hacked. I will then be able to take some action.
The reason I mention the above technologies is that I think that we can all assume that our banks, facebook, and our email companies all are very good and work very hard at avoiding being hacked; yet they have all been hacked. Look at Target, they (to use the correct term) were PWNED.
But when I vote online it is fire and forget. I don't know what happened to my vote. There is no physical record for me to point to. I can't check up on my vote after the fact. At least with a paper ballot system I take my physical ballot and I give it to some vaguely trustworthy government person who is closely watched by as many representatives of the various parties as there are parties. Each watching with the interests of their official in mind. So if they see something they don't like then they can call police/election officials/newspapers etc. I like this system. It is not impossible to thwart but close enough.
In my city, Halifax, they added online to the municipal elections and I am truly scared. This should be illegal in 20 different ways. They justify it saying that it cuts costs and increases participation. Basically it didn't cut costs as they had to screw with the system so much, send out so many instructions, and answer so many questions. Plus in the end it basically didn't increase participation. I carefully looked at the votes and luckily none of the online voting was significant enough to have altered an outcome.
But let's say that someone had screwed with the results (as a programmer you can't tell me that it isn't going to be that hard) the only people who are going to cheat are going to be bad people. People who, once they are in, will ensure that only they can continue to cheat. So to me every online voting system is basically waiting for the first set of evil and smart people to come along. That is it. But once it happens, by the altered rules of the voting system, how do I fight the vote? How can it be contested? How can there be a recount?
Now I understand that some voting systems are complicated with many propositions, levels of government, etc being voted on in a single booth. So I have a very simple solution. You press your buttons which then produces a ballot on the screen, you then look at the ballot on the screen and see if you like it. Then you press print. It then produces a ballot that matches the one on the screen and you can compare. Then you say OK and then bring your ballot to the ballot box per normal. Then the computer tallies up the votes and announces a tentative winner. Then the humans can count the votes to see if the computer agrees with the paper ballots. But the key is that the paper ballots have the final say. The computer is only there to help. Then if there is a wild difference between the paper and the computer more interesting auditing mechanisms can come into play.
As a computer programmer I am 100% certain that any online election can easily be rigged. But I am by far not alone. 100% of the time that independent security researchers have gotten their hands on electronic voting systems they have hacked them and usually with ease. So the solution is that these companies don't allow independent auditors but ones of their own choosing and ones that they pay well.
This is a serious problem. Basically online voting is pretty much demanding that some evil person runs our government.
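The paper-has-the-final-say procedure proposed in the comment above, as a reconciliation check between the machine's tentative tally and the hand count. This is an added example, not part of the original comment; the precinct names, counts and the 0.5% tolerance standing in for a "wild difference" are constructed assumptions.

```python
from collections import Counter

# Constructed sample data: per-precinct counts for two made-up candidates.
MACHINE = {
    "P1": {"A": 510, "B": 480},
    "P2": {"A": 300, "B": 310},
    "P3": {"A": 420, "B": 250},
}
PAPER = {
    "P1": {"A": 510, "B": 480},
    "P2": {"A": 299, "B": 311},   # one ballot read differently
    "P3": {"A": 320, "B": 350},   # large disagreement
}


def totals(by_precinct):
    """Sum per-precinct counts into one election-wide tally."""
    return sum((Counter(counts) for counts in by_precinct.values()), Counter())


def winner(tally):
    """Return the leading candidate, or None on an exact tie."""
    ranked = tally.most_common(2)
    if len(ranked) > 1 and ranked[0][1] == ranked[1][1]:
        return None
    return ranked[0][0]


def reconcile(machine, paper, tolerance=0.005):
    """Compare machine and paper counts; the paper count decides the result.

    A precinct is escalated when the ballots in disagreement exceed
    `tolerance` (an assumed threshold) of the paper ballots counted there.
    """
    minor, escalate = [], []
    for precinct in sorted(set(machine) | set(paper)):
        m = Counter(machine.get(precinct, {}))
        p = Counter(paper.get(precinct, {}))
        diff = {c: m[c] - p[c] for c in sorted(set(m) | set(p)) if m[c] != p[c]}
        if not diff:
            continue
        disputed = sum(abs(d) for d in diff.values())
        share = disputed / max(sum(p.values()), 1)
        (escalate if share > tolerance else minor).append((precinct, diff))
    tentative = winner(totals(machine))
    official = winner(totals(paper))   # paper ballots have the final say
    return {
        "tentative_winner": tentative,
        "official_winner": official,
        "outcome_changed": tentative != official,
        "minor": minor,
        "escalate": escalate,
    }


if __name__ == "__main__":
    for key, value in reconcile(MACHINE, PAPER).items():
        print(key, value)
```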
Re: (Score:2)
> ...Online voting is pretty much demanding that some evil person runs our government.
So... status quo?
Re: (Score:2)
But if someone is cheating their way into office then they are planning evil from day one. Also even though big money has bought government they still have to fight over it. But if you had a single rich party cheat someone into office then there won't even be competing inte
E-voting should not, can not (safely) be done (Score:5, Insightful)
Using computers to register, count, transfer, and archive vote tallies is impossible to do without an almost certain effort to alter the vote totals by parties interior to the project (people creating and maintaining the systems and the show runners) and outside the project ("hackers"). Of the two, the insiders are far more likely.
This is not a failure of tech or of implementation. This is a human thing: those disposed to alter election tallies have infinite motivation to find a way to do it. They can either slip in during the coding phase or the implementation phase, or even during the elections. Like rats, they will find a way.
The difference between paper and electronic is basic: paper leaves a physical trail. E-voting can be rigged to leave NO trace. IS rigged to leave no trace. No audit is possible: all audits are predicated that the datasets and code are correct to begin with. If someone slips in backdoors, they can alter vote totals in real time and therefore all recounts will be "accurate". Paper receipts are useless, because what is printed is not necessarily what actually happened. Paper printouts that are reviewed by the voter on site for accuracy and then stored in boxes by the voting agents *can* be a valuable check, for the paper should match the e-count. But why then the extra step of the computer? Just use paper to begin with. Canada does it (I hope still does) and they count elections by hand in three hours, no matter what the size, local or national, because human counting easily scales.
Source code is worthless as a trace. One never knows what the machine is actually doing from microsecond to microsecond; the code executed need not match what you see on the source. This makes coders' heads explode, but it is true. The machine can be programmed to lie. I know this, because I have done it, on orders from my bosses, in the past, to make a bit more money for my company. Cheating is easy and it is undetectable if you are even marginally clever about it. The count can also be altered far from the source tabulating machine and local system, at other levels. Such malignancy will not be accounted for by the counting company; their rep is on the line, they don't believe it is possible and further they don't want to know.
Use e-voting and you will see the powerful grab control, one way or another. Use paper.
Re: (Score:2)
> Use e-voting and you will see the powerful grab control, one way or another. Use paper.
Or if you like, use both.
Using some cryptographic design principles plus paper ballots for marking votes and computers for tallying them, and including some random verification processes to tighten the whole thing, Chaum and Rivest's Scantegrity II [wikipedia.org] system provides an end-to-end verifiable system which allows every voter to verify that their vote was counted correctly, without giving them the ability to prove how they voted to anyone else (an important anti-coercion feature). It also allows anyone to veri
Re: (Score:2)
Indeed.
While there are ways to make electronic voting more secure, the systems as a whole are too complex for one person to audit. The more fancy crypto you add, the fewer people understand the components. The fewer potential auditors you have, the cheaper it is to buy them off / lock them up for political crimes.
It's easy to audit a ballot box. Virtually everyone of average intelligence understands the technology.
Re: (Score:2)
Audits are possible. However the voting machine designers actively reject calls to add auditing by claiming they are unnecessary, and election boards who are ignorant of computing do whatever the manufacturers ask of them.
Only if we do away with secret ballots (Score:2)
Re: (Score:1)
I think the whole idea of assigning the single-use key is that there would be a complete list of keys and votes, so everyone would be able to look at the same document and see if his vote is registered correctly. Of course, there may be bogus keys in that list and of course that would make the whole event not secret anymore (as there would be a database of links between the key and the voter), but at least such system would be a bit more transparent.
If your token would be known to you long before the vote,
We aren't sure what happened (Score:3, Funny)
Even though it's not on the ballot, Estonia overwhelmingly voted to join Russia.
Jealous? (Score:4, Funny)
I think everyone else is just jealous because they have low voter turnout while Estonia's going to get 3000% in their next election.
The only downside is the overwhelming election of Moot to Prime Minister.
NSA will save the day (Score:1)
FUD (Score:2)
Firstly, people here should understand that e-voting as in voting machines and internet voting are completely different and not really comparable.
One of the opposition parties of Estonia is strongly against internet voting, mainly because their voters are not using it a lot and they are able to mobilize their voters well to go voting on paper as opposed to most other parties. For various reasons they are in power at the capital city and the trip of the researchers to go and observe the current voting proces
If you can't get paper ballots correct... (Score:2)
...how do you expect to get a much more complex system correct? Mind you, I'm aware that the problem is not necessarily the system itself, but the transparency of the system. People probably won't like to hear it but I'd suggest that the only way to eliminate fraud is to have votes linked to your ID so that every vote can be verified as A) not having voted multiple times, B) not voting if you don't exist in at least two separate systems e.g. social security and driver's license, and C) not voting outside of
The report is part of a political gambit (Score:2)
Proof of concept not published (Score:1)
Postal ballot (Score:1)