Nation, from time to time it may become necessary to have someone else cover issues on this blog as their expertise dictates. Certainly, in the case of online voting, it's a much better idea to have someone who understands the technology involved give their opinion than it is to have an Enlightened Savage who can just BARELY handle HTML try to tell you what is and isn't possible on the cutting edge of technology.
Today, we're going to hear from former candidate for the Parliament of Canada Mr. Kirk Schmidt. His text begins... now.
Let's face it. I am a computer geek, having received a math degree from Waterloo and having programmed computers since grade 5. I am a web developer, a database guru, and an all-around good IT analyst. I love politics, and I feel that politics is an exceptionally important facet in our lives. Shouldn't I be the first to line up for the idea of e-voting?
Elections Canada has announced its intentions. They want to push for legislation in the fall, and have electronic voting available by 2013.
And yet, when you look at the survey of candidates from the 2008 election, a startling number jumps out. 75% are in favour of being able to register online to vote. 46% are in favour of electronic voting (48% are against). I was one of those who responded in favour of online registration, but not online voting.
But why, Kirk? Why deprive people of the chance to vote at their workplace? Their home? Overseas? From outer space? Inside the groupthink bubble?
Well, I'll tell you.
Let's first lay out what is important for an election here.
1) Votes should be verifiable. I should have a way to ensure that when I clicked for Candidate A, the vote was recorded for Candidate A.
2) Votes are actually counted. There must be a way to ensure that the vote was actually used in the official counts (it was not lost, deleted, changed, etc.).
3) A voter can only vote once.
4) A voter's choice cannot be reverse engineered from the ballot.
5) A vote cannot be "listened to".
6) A vote is secure from tampering.
No, these are not redundant. I know what you're thinking. A verifiable vote means the vote is secure, doesn't it? No, not necessarily, because the whole question is what end we're looking from. From the users' end, it could look like the vote is verified, but it actually was tampered with. Yes, welcome to the wonderful world of computer security. These goals are all related to each other, but are written specifically with certain attacks on the system in mind. Follow along as I go through the "what could go wrong" scenarios.
Now, this DOES NOT MEAN that electronic voting is impossible. This is more of an "I'm going to scare the crap out of you and hope that we build a system that looks at all of this." I am not against electronic voting so much as fearful of its implementation and the possible problems.
Welcome to what's inside my head. Don't say I didn't warn you.
DoS
It used to be an acronym for Disk Operating System, but now DoS is used mostly in reference to a Denial-of-Service. Ever been to a website where you cannot access it because of load? That's what this is. Perhaps you remember having trouble finding out where you had to go vote because everyone else was checking at the same time... but let's not discuss server-load needs during an election. Oh, wait.
DoSes can happen for one of two reasons: natural load, or attacks. We won't talk too much about DoS and DDoS (Distributed Denial of Service) attacks, but just keep in mind that there can be some groups out there who want to prevent you from voting, and so it's conceivable that this could happen. Interestingly enough, a friend of mine has a Ph.D. thesis where one section looks at Denial of Service resilience. http://www.douglas.stebila.ca/research/papers/Ste09/
Meanwhile, natural load would basically be what happens during an election. I think we could reasonably expect that most of the voting-online users will attempt before work, when they arrive at work, lunchtime, just before leaving work, just after getting home, and just before close of polls. In fact, I would say the likelihood is that the biggest load will be within the last hour of polls closing.
The problem here, of course, is that a denial of service at this point may very well prevent people from voting altogether. While encountering it early in the day might just give you the resolve to get to the poll, what happens if you log in half an hour before close, and the system is down? Ten minutes before? Are you getting to the polls? Are you even going to try, or are you going to give up? I'm sure the people who ensure that they vote every election would make every effort, but keep in mind that Elections Canada is attempting this to try to help voter turnout problems. Are the people who don't normally go to the polls going to try to get on the system again, much less try to get to the polls at the last minute? I doubt it.
What we tend to see in the fundraising world is that if the system is awfully slow or down, people often will simply not donate. I would suspect the same is true here. If people attempt to vote online, and it's not working, you may have lost the chance. This is the inherent risk.
The other risk here is that people who *DO* vote and choose to do it online could also be alienated this way.
Voter Verifiable Ballot
First off, read "Brave New Ballot" by Dr. Aviel Rubin. That would be the professor whose students cracked the Diebold voting machines in the United States. Think paper ballots aren't important? Think again.
Voter Verifiable Ballot (which I will hereinafter abbreviate as VVB) is important from an auditing perspective. If we all submit our vote to a random machine half-way across the country, how do we know that what we voted for is what was counted? In the US, with the electronic machines, a VVB would be a paper printout of your ballot (of course, you're still assuming that the paper ballot is reading correctly what will be counted, and not giving you the answer "you wanted" rather than what it actually stored, but I digress).
Here's the wrench in the VVB. The system needs to be able to provide you the value of how you voted, WITHOUT providing the system with a way of reverse-engineering the vote to find out who voted what.
Some people may see that as unimportant, but our system has a lot of rules to ensure that you cannot be identified as having voted a particular way. Did you know that if you write your name or anything else that can identify you on the ballot, the ballot must be removed?
Now, there are ways you can do this. For example, you could make a database entry where you have a cryptographic key, whereby another key that you have will combine to give you how you voted. It's actually pretty cool. But now the user has to have their key at all times, and one must not be able to run all keys against all vote results in order to determine who voted for what. There's some mathemagics involved - it's possible, but it's going to be complicated explaining that to the voter. Isn't electronic voting supposed to make things easier?
Anyway, I will touch upon this a bit later as well.
One Vote per Voter
One needs to be able to mark when a person votes. Anyone who has done database work knows that this is actually rather easy. But as part of this procedure, we need to make sure that only one link exists between the keys of voters and the keys of votes. This is more on the systems end, but it's about ensuring that the number of votes in table "Votes" is the same as the number of people in table "Voters" where hasVoted is true.
So what happens when the numbers are off? Each ballot, as I mentioned, needs a link to the voters, but not in a way that the voters' individual votes can be reverse-engineered. The way we would do this would be to create some sort of link that allows us to verify that each vote is valid. Again, this would likely involve some sort of cryptographic hash (a hash, in layman's terms, is a fixed-length, random-looking string of characters that is generated from something else. For example, when you enter a password into a website, it tends to be turned into a hash, and the site compares the hash of the password you entered with the hash of the password you created when you first signed up. That way a website administrator can't say, "ES uses the password KirkIsAwesome on our site, so let's try it on his bank account.") that is designed to ensure that a hash of (voter key + a vote key) = valid hash. It's mathemagical!
Marking vote as counted
Ideally, once votes are counted, the system should mark each "vote" as "counted". Then, when you log in and look up the key of the vote you cast, it will tell you that it was counted. Again, when you add your key to it, it then tells you how you voted. People at EC would have to be able to check random values for you (phone up from a payphone, tell them "LXV0034YHG" and they say "HYFGFDHHH"; then you do some sort of fun thing on your end with your other key, "KIRKISGREAT", and it gives you an answer of "Kirk Schmidt", as in who you voted for).
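As an added toy illustration of the two-key idea in the last few sections and of the Votes/Voters consistency check (my own code, not the post's scheme or anything Elections Canada has published): the Votes table carries no voter column, the voter keeps a secret the server never stores, and because the receipt is a modular pad over the candidate index, running every possible secret against a receipt yields every candidate. Candidate names, table layout and receipt format are constructed; a real system would use proper cryptography rather than this arithmetic.

```python
import secrets
import string

CANDIDATES = ["Candidate A", "Candidate B", "Kirk Schmidt"]  # constructed ballot
N = len(CANDIDATES)


def new_voter_secret() -> int:
    """Secret the voter keeps (the post's 'KIRKISGREAT'); the server never stores it."""
    return secrets.randbelow(N)


def _receipt_id() -> str:
    """Random, non-sequential id for a vote row (the post's 'LXV0034YHG')."""
    alphabet = string.ascii_uppercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(10))


class ElectionServer:
    """Two tables, as in the post: Voters (hasVoted) and Votes (no voter column)."""

    def __init__(self):
        self.voters = {}  # voter_id -> has_voted
        self.votes = {}   # receipt_id -> {"choice": idx, "receipt": int, "counted": bool}

    def register(self, voter_id: str) -> None:
        self.voters[voter_id] = False

    def cast(self, voter_id: str, choice: str, voter_secret: int) -> str:
        """One vote per voter: refuse if hasVoted is already set."""
        if self.voters.get(voter_id) is None:
            raise ValueError("not on the voters list")
        if self.voters[voter_id]:
            raise ValueError("already voted")
        idx = CANDIDATES.index(choice)
        rid = _receipt_id()
        # Receipt value = (choice + secret) mod N: every possible secret maps it
        # to *some* valid candidate, so the stored receipt alone says nothing.
        self.votes[rid] = {"choice": idx, "receipt": (idx + voter_secret) % N, "counted": False}
        self.voters[voter_id] = True  # the only fact recorded about the person
        return rid

    def count(self) -> dict:
        """Official count; flags each row as counted so the voter can check later."""
        tally = {c: 0 for c in CANDIDATES}
        for row in self.votes.values():
            tally[CANDIDATES[row["choice"]]] += 1
            row["counted"] = True
        return tally

    def lookup(self, receipt_id: str) -> tuple:
        """What EC reads back over the phone: the receipt value and the counted flag."""
        row = self.votes[receipt_id]
        return row["receipt"], row["counted"]

    def consistent(self) -> bool:
        """The post's integrity check: rows in Votes == voters with hasVoted true."""
        return len(self.votes) == sum(self.voters.values())


def verify_own_vote(server: ElectionServer, receipt_id: str, voter_secret: int) -> tuple:
    """Voter combines the returned value with their own secret to recover their choice."""
    value, counted = server.lookup(receipt_id)
    return CANDIDATES[(value - voter_secret) % N], counted


def decode_with_every_secret(receipt_value: int) -> set:
    """Trying all secrets against one receipt yields every candidate: no information."""
    return {CANDIDATES[(receipt_value - k) % N] for k in range(N)}
```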
Man in the Middle
Ok, back to doom and gloom.
You and I know that Elections Canada's website is elections.ca. Maybe the vote site is vote.elections.ca. But what if someone registers thisisaspoof.com and sets up the subdomain of vote.elections.ca.thisisaspoof.com. And, they get a valid security certificate, so it looks like a secure site. Except, unfortunately, they play the man in the middle. That is, they take your input, send it to Elections Canada on your behalf (aw, how nice), receive the values back from EC, and because they know everything about the keys you have, they change the keys so that they vote the way they want, and you still think you voted the way you attempted to.
Welcome to the wonderful world of security certificates and spoofs.
Oh, we won't all be fooled by them. But you can bet that it's being considered.
Recently at the Black Hat conference (what is this? Umm... move along...), hacker Moxie Marlinspike presented how one actually gets around SSL encryption. If you're a techie, read it. If you're not, know that for the most part, as long as you go to sites that you know and trust and specifically type the name of the site into your browser rather than googling it, you're fine. However, it shows how one can actually get around secure websites and act as a go-between, getting whatever they want in the process.
This is why I say that the vote being secure from tampering and the vote being verifiable are actually two different things. One can verify the ballot, but that does not mean the verification itself has not been tampered with.
Systems Security
All of this is based on the idea that systems on both the Elections Canada end and the user end have not been compromised. This should go without saying, but one has to understand that even the compromising of one's own home system is enough to allow for the "wrong vote" to occur. Again, if you think of the man-in-the-middle approach, imagine how bad it would be if it was your own computer system providing you the wrong results. At least with a spoofed website you might be able to realize it and get out, or bring it up to Elections Canada. If your own system is compromised, you might never know.
Furthermore, remember that unless we see an open database schema, we do not know exactly what EC is storing. Let's say, for example, the primary key on the vote end was an auto-number (essentially, the first vote was #1, the second was #2, etc.). And then, what happens if the voter table timestamps your vote? Now, on a system like this, there will be multiple votes in the same millisecond. But there will also be times where there are not. (Also, remember we're separated into ridings, and then polls - what are the odds you vote at the same time as your neighbour to the millisecond?)
So, one sorts the timestamp on the votes ascending, divides it by riding and poll. Then sorts the primary key on the vote table ascending, separating it by the people on the ballot as per the riding one is in. Or by poll if that's stored. Huh. Well, screw the mathemagics, I'm just going to the database admin to find out who voted for what.
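An added simulation on constructed data (not Elections Canada's schema) that turns the "sort both tables" observation above into a schema audit: with an auto-number vote id beside a millisecond timestamp on the voter row, ordering alone re-links every voter to their ballot; with random vote ids and only an hour bucket stored, the same ordering attributes votes no better than chance. Voter ids, arrival times and candidate names are all made up here.

```python
import random
import uuid

CHOICES = ["Candidate A", "Candidate B", "Candidate C"]  # constructed ballot


def simulate(n_voters: int, leaky: bool, seed: int = 1):
    """Build a Voters table and a Votes table for one poll.

    Returns (voters, votes, truth) where truth maps voter_id -> the vote row id
    that really belongs to that voter (known only because we built the data)."""
    rng = random.Random(seed)
    voters, votes, truth = [], [], {}
    t = 0
    for i in range(n_voters):
        t += rng.randint(1, 5000)          # milliseconds between arrivals
        voter_id = f"V{i:04d}"
        choice = rng.choice(CHOICES)
        if leaky:
            vote_id = len(votes) + 1       # auto-number primary key
            stamp = t                      # millisecond timestamp on the voter row
        else:
            vote_id = str(uuid.UUID(int=rng.getrandbits(128)))  # random id
            stamp = t // 3_600_000         # hour bucket only
        voters.append({"voter_id": voter_id, "has_voted": True, "voted_at": stamp})
        votes.append({"vote_id": vote_id, "choice": choice})
        truth[voter_id] = vote_id
    rng.shuffle(votes)  # physical row order carries nothing; only the columns do
    return voters, votes, truth


def attribute_by_order(voters, votes) -> dict:
    """The post's step: sort voters by time, votes by id, and line them up."""
    by_time = sorted(voters, key=lambda r: r["voted_at"])   # stable sort
    by_id = sorted(votes, key=lambda r: r["vote_id"])
    return {v["voter_id"]: w["vote_id"] for v, w in zip(by_time, by_id)}


def relinked_fraction(n_voters: int, leaky: bool, seed: int = 1) -> float:
    """Share of voters whose ballot the ordering trick attributes correctly."""
    voters, votes, truth = simulate(n_voters, leaky, seed)
    guess = attribute_by_order(voters, votes)
    hits = sum(guess[v] == truth[v] for v in truth)
    return hits / n_voters
```

With the leaky schema the fraction is exactly 1.0; with random ids and coarse timestamps it sits near 1/n, the level of blind guessing.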
Paper or Peripherals?
One of the security decisions that needs to be looked at is what happens when people attempt to vote with both methods. One would assume they will have electronic voting stations at the polls to use the database's own locks to prevent it. Or, maybe they can just look up on the database whether you have voted or not...
Assuming no denial of service. Oh, hey, we've gone full circle.
Essentially, those of us entirely fearful of what could happen are likely going to have to rely on the system anyway... Or, they're going to have to be able to cancel the online vote if one goes and votes in person, too... without identifying who voted what.
I sound like a broken record. I'm actually laughing right now as I write this. You probably think I'm a paranoid freak. You're probably right. Anyway...
Declined/Spoiled/Nonconfidence Ballots
How will Elections Canada handle non-confidence ballots? You know, where you grab your ballot and put it in the box without marking it. Yes, you can do this. I have. And I checked with EC first that it would, indeed, be a valid vote cast for nobody.
So, will we be able to not click a radio button and click submit? Or will there be a none-of-the-above option?
Something to think about.
But I do online banking or my taxes all the time
I'm sure you've been paying attention, but let's say you missed some of my points. The difference between banking online or doing your taxes is that, at all times, the bank or CRA knows who is logged into its system, and provides you information based on knowing that.
The sheer complexity in an online voting system is trying to maintain voter verifiable ballots and a transparent voting system without compromising your right to anonymity at the ballot box. So at any given time, the system needs to know who you are, without knowing who you are. It needs to be able to tell that you've voted, but not be able to tell you how you've voted, but have the ability to give you something that you can use to tell you have voted.
In the End
Look. There's a way that this can be implemented well. It can be implemented to minimize possible attacks, made robust to handle load, made cryptographically possible to verify your vote without having to give away how you voted. Yes, this is all possible.
This isn't some simple login/logoff and vote in between system that any web developer with half a brain can create. This involves cryptography on a level that you probably don't even want someone with a Bachelor's of Mathematics degree to be working on (although I would, if asked... and paid well). This is democracy, and we can't afford to screw it up.
Imagine, if you will, the implications of not implementing this properly. If Elections Canada is considering implementing this for the sole purpose of increasing voter turnout, imagine the dangers involved in screwing this up. We have one of the most secure voting systems in the world. It's archaic and environmentally unfriendly, yes, but the one thing that very few people cite as a reason for not voting is a lack of confidence in the electoral system itself (confidence in politicians is another thing). Imagine if that were to be compromised.
That's all I ask. That before we give this carte-blanche approval, we know what we're getting into.
10 comments:
Enlightened Savage is really Kirk Schmidt and trying to prove he is not by pretending Kirk wrote that guest blog for him.
Only, Enlightened Savage really has a split personality and doesn't know he is Kirk Schmidt because when he is Kirk Schmidt he can't remember that he is Enlightened Savage.
I'm on to you!!!
Should this come to pass, I can see the Harperites pulling a Florida George Bush to ensure Harper gets his majority.
Kirk, this is an excellent post, and thanks to the Enlightened Savage for hosting it.
I'm not sure I believe that the inability to vote online is the major cause of turnout declines, but in any event it would be terrible if something conceived of as a solution to this problem, if not properly implemented, wound up undermining confidence in the whole process.
The Chief Electoral Officer's proposed timeline, unless considerable work has been done on the methodology already, does seem optimistic I fear.
I think to add this as an option and secure it, even if they know my identity as well as how I voted, would be fine, especially if the information could only be accessed by the chief electoral office.
I am sure many people do not care who knows how they vote and this may cure some of the voter apathy. They already have all of my info in the system, give me a pin# and I would submit electronically.
Thanks everyone for your comments.
@Alberta_Altruist: As much as I believe there are a number of people who agree with you, there are going to be many who are not.
The other problem comes in when someone in the CEO does breach security. Good security experts never play the game of, "it's never been a problem before," or, "it likely won't be a problem." For good reason.
Not that I ever expect it to happen, but what would happen if political parties got this information and used it to achieve their means. I am ever thankful that we live in a place where we can vote freely and without fear, but allowing someone (anyone) to have access to who-voted-for-whom is a door opening. Again, I wouldn't expect it to happen, but I also cannot condone a course of action that would make this information available.
Again, there are cryptographic schemes and papers that address this. The problem is with every other piece of computer security around it. That security includes the social engineering around it.
Here's a good read on some social engineering work:
http://tinyurl.com/klos9o
Imagine what were to happen if something similar were to happen where the voting DB is stored.
--
In other news, I was reading some of the abstracts for the next Black Hat conference - there's things there from using voltmeters and power line leakage to sniff keystrokes (scary!), to using binary SMS (text messages) to take root control of someone's iPhone.
Frankly, these security experts are on the leading edge of breaking systems. We could put our democracy in a lot of risk by not taking the necessary time to build this properly.
And then when we look at the cost to do that, one has to wonder whether it was better to put that money into more polling stations, alternate ways to get votes, etc.
As a self-admitted techno-luddite, I am one who is wholeheartedly in favour of online registration, but not voting. I would urge that registration not be limited to online. There remains a large portion of the population that avoids putting personal information into/onto the Interweb (with due respect to Brent Butt) or, for one reason or another, does not have regular access to it. Voting should remain the domain of a verifiable, tangible method, meaning get off your fat behinds, trudge down to the local school, church, community hall and mark your "X".
Oh yeah, and I'm an old time campaigner who, in this age of so many mediums of communication, can't figure or fathom those who can't take the time to make themselves aware of the issues, the policies of the candidates (or better still, let the candidates know what yours are!) and make a selection.
The issue of voting online is one I have been giving a lot of thought to over the past year. Given that more and more of the logistics of our daily lives is moving online voting would seem to be a logical step. That said the issues it raises are unique, and I think this post does an excellent job of laying them out.
For myself I enjoy the ritual of voting in the company of my fellow citizens, and it may be that this is also the simplest way to maintain the (relative) security of the process.
It is likely that online voting will only draw in those already inclined to vote, like advanced polls, and the record number of votes we hear they receive every election - while turnout keeps going down.
Most worrisome to me is what happens in the home on a family computer, when the privilege of anonymity is not guaranteed.
The polling booth is one of the few places left - I hope - where you are truly alone and can mark or not mark your ballot any way you like. The booth is a protected space; from family/partner scrutiny, social pressure, etc. Home computers or whatever else we may use are not.
Online voting is not the answer to the challenges in our democracy. People need to be interested and informed to care enough to vote, and have faith that their participation is worth their time.
As well, most elections, like BC's recently passed, have several days of voting to make it more convenient to those 'too busy' on election day. BC had 5 days of voting immediately preceding EDay of May 12th.
Cheers to a fellow UWaterloo Math/Comp.Sci. grad.
Picking up on Taylor Gunn's comment, one of my bigger fears outside of the technology questions has to do with physical privacy.
The ballot box system ensures that we can vote without people wanting to "supervise" the way we mark our ballots.
If people are allowed to vote remotely, without being observed (from a distance) by Elections Canada staff, there is substantial potential for abuse.
It doesn't take much imagination to see various organizations or individuals offering to "help" people vote correctly. This "help" could include pressure to cast votes in a particular way -- pressure that could either be overt or subtle.
And with someone you perceive to have power over you standing over your shoulder, would your vote be as free?
While I agree with the above comments about "supervision" of ballot, this likely raises a very large question - what about special ballots?
When I worked as a campaign manager in 2004 (Provincial), I was asked by the RO to deliver special ballots to individuals at their homes, and return it upon completion (sealed, of course). While I ensured that I was not anywhere close to them voting, there's nothing to say that another member of the household could not be there.
This could be the case for anyone whose mobility is highly reduced, or other disabled individuals. In this case, one could essentially "vote for another."
---
The supervision aspect also brings up, not just what happens at home, but what happens at the workplace. In situations where techs have the ability to RDP into one's computer remotely, essentially, one could *watch* another one voting without even being physically present.