Britain to Launch Electronic Voting Systems
R. A. Hettinga
rah at shipwright.com
Sun Apr 27 18:49:43 EDT 2003
The New York Times
April 27, 2003
Britain to Launch Electronic Voting Systems
By LEE DEMBART
International Herald Tribune
PARIS, April 27 More than 1.5 million Britons will have a chance to vote Thursday in 17 local elections using electronic voting systems that computer security experts on both sides of the Atlantic say are fraught with danger and an invitation to fraud.
Britain's pilot projects in computer voting which include voting over the Internet are the latest examples of the move to electronic voting by several European countries in the interest of efficiency, speed and ease of voting, which is hoped will increase voter turnout. Although Thursday is election day in Britain, the electronic polls are already open in some of the pilot districts.
Elections by computer have previously been conducted in Sweden, Switzerland and France, as well as in Britain. The Netherlands, Italy, Germany, Estonia and the European Union have announced their intention to allow such voting.
Electronic voting has also been conducted in several states in the United States, spurred at least in part by the fiasco in Florida in the 200 presidential election.
In all electronic elections in Europe and most of the United States so far, security experts say, the systems used were vulnerable to wholesale attack and could have been manipulated in undetectable ways that would have made it impossible to determine that the results of an election had been changed, either by accident or design.
Specifically, the experts say, Internet voting could be crippled by a "denial of service" attack against the computer servers recording the vote, for which there is no known defense, and which could disenfranchise large numbers of voters. In addition, they say, since voters use their own computers, election officials have no control over what software is installed on those machines or what viruses might be lurking in it that could be activated in an election to change votes.
Voting over the Internet, said Avi Rubin of Johns Hopkins University in Baltimore, is "an election that a teenager could circumvent."
Rebecca Mercuri of Bryn Mawr College near Philadelphia, one of the world's leading specialists in electronic voting security, said of the voting systems now being used in Britain: "It's horrifically scary. This is an abomination, and I fear for democracy as a result."
David Jefferson, a senior scientist at the Lawrence Livermore National Laboratory in Livermore, Calif., who headed the technical committee of the California Internet Voting Task Force three years ago, said, "All remote Internet voting from private PC's, no matter how you structure it, is seriously dangerous."
In London, Ian Brown, director of the Foundation for Information Policy Research, an independent organization that studies the interaction between information technology and society, said: "We are worried about the security of electronic voting systems, especially remote ones, where people can vote from home using their PC or a mobile phone, which is the kind of technology the British government has been keen on.
"No matter what the twists and turns of the specific scheme that they use, we don't think that home PC's are a secure enough platform for something as truly vital to democracy as the voting system."
David Dill, a professor of computer science at Stanford University in California, agreed, saying, "These systems are open to wholesale vote fraud."
The basic problem in current electronic voting systems, the security experts say, is the lack of an audit trail that would enable all voters to verify for themselves in real time that their vote was recorded as they intended and was counted as they intended.
In addition, they say, there needs to be a publicly available electronic ballot box that can verify that the announced vote total is an accurate tabulation of all the votes cast. This must all be done in a way that maintains the secrecy of each individual's ballot.
About 500 computer technologists in the United States have signed a resolution put forward by Dr. Dill warning that no electronic voting system should be adopted that does not have these protections. A list of the signers and their affiliations is at verify.stanford.edu/EVOTE/endorsements.html.
None of the voting systems that are being used in Britain or elsewhere meet these requirements, Dr. Dill said, though it is technically possible to have such a system using advanced cryptographic techniques.
Jim Adler, the president of VoteHere, a company in Seattle that has provided the software for six of the local elections now under way in Britain, acknowledged that the security protections did not meet the highest standards. "Governments often make usability-security tradeoffs," he said, "and you can see that in the U.K."
In a separate e-mail, he elaborated: "There is no requirement for voters to be able to verify that their vote was `cast as intended' or for election observers to verify that all ballots were `counted as cast.' The technology exists, but the U.K., so far, has not required it."
Mr. Adler, who is in the business of selling electronic voting systems, said: "I applaud the Avi Rubins and Rebecca Mercuris." He said their critiques of current voting systems were correct.
In London, the Office of the Deputy Prime Minister, which runs British elections and oversees them, responded to questions by e-mail.
"There is a range of measures in place to guard against abuse in the e-voting pilots," according to the statement by a spokesman for the Office of the Deputy Prime Minister. The statement said that the votes were encrypted and that the security requirements were "devised in consultation with the government's security experts."
"When a voter casts a vote," the statement said, "they will receive confirmation from the voting channel that the vote has been recorded," adding that the confirmation would be "along the lines of `Thank you your vote has been accepted.' "
But computer security experts said that this was no guarantee that the vote had not been tampered with, either on the machine where it was cast or in transmission to the counting place or in the tabulation itself.
"You know your vote has been counted because you get an `I voted' sticker back," Dr. Dill said. "But that doesn't say it was going to be counted correctly. It doesn't say it's counted as cast or counted as intended. How is it that the voter knows that the vote that went into the electronic ballot box is the vote he intended?"
The Office of the Deputy Prime Minister also said, "All e-voting pilots will be subject to pre-election independent security checks (Qinetiq and Echelon are doing the work) and post-election surveys and evaluation, the results of which will be made available to participating authorities and the public."
But Peter Neumann, principal scientist at the Computer Science Laboratory of SRI International in Menlo Park, Calif., said: "The pre- and post- testing stuff doesn't prove anything at all. I can build a system that will show you that your vote went in correctly and still did not record it correctly.
"What you do is build a shadow system that lurks underneath and that demonstrates that everything is perfect, except that the actual results are coming from the other system. There are a lot of ways that you can skin the cat without any evidence whatsoever."
The Office of the Deputy Prime Minister also pointed to e-voting pilots conducted in Britain in 2000 and 2002 and said that analysis "showed that the arrangements put in place did not enhance the opportunity for fraud or undermine the secrecy and security of the poll."
To which Dr. Rubin of Johns Hopkins responded: "Everything in security is predicated on paranoia. The question is, `Is there an existing vulnerability?' not, `Has it ever been exploited?' "
Several experts noted that if people intended to rig an electronic election, they would not waste their time and effort on a minor local election with little consequence, thereby tipping off the authorities to the vulnerability of their election system. Such people would ignore small, pilot project elections, like those currently under way, in order to increase the authorities' confidence in the system. They would wait until a big election, such as a national one, before attacking.
"If it were a national election in any country, I would consider this to be a national security issue for that country," said Dr. Jefferson of Lawrence Livermore Laboratory.
Dr. Mercuri of Bryn Mawr said, "It's only a matter of time before somebody's going to target one of these elections."
She and others spent a week in London last autumn explaining all of the dangers to cabinet officials and the election authorities, without persuading them to implement stricter controls, according to her and Mr. Brown, the London researcher, who was also at the meeting. (Minutes of the meeting can be found at www.notablesoftware.com/Papers/UKTranscript.html.)
"These are basic underlying computer technology facts," Dr. Mercuri said, "but no one wants to listen to this. They want to operate under, `It's not going to happen to us,' or, `This is just gloom and doom' or `You're a bunch of Luddites.'
"But that's not the case. The virus problems and the auditability problems strike at the underpinnings of major computer science concepts that we have not been able to solve. The people are just shunning this and flying in the face of this."
Mr. Brown recalled: "They just said, `We're convinced it's secure. All we need is that it's at least as secure as the existing system, and paper ballots aren't perfect.' My response to that is, yes, there are opportunities for fraud, but it's on a much smaller scale. You can't invisibly, quietly manipulate the vote across the entire country, which would be possible with an electronic system."
Dr. Rubin said: "You hear the famous line, `Why are we using 18th-century technology to vote in the 21st century?' And the answer is because it works, and 21st-century technology is not well-suited to elections."
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography