[Cryptography] election security

John Denker jsd at av8n.com
Fri Nov 11 02:49:04 EST 2016

On 11/10/2016 09:42 PM, Tom Mitchell wrote:
> On the risk side most audit systems and electronic voting systems risk loss
> of privacy.

That's true ... and there are other risks besides.
 1) Oregon is essentially 100% vote-by-mail.
 2a) In Arizona some municipal elections are 100% vote-by-mail.
 2b) In other elections, it's optional, but even so, about 75%
 of Arizona ballots were cast by mail in this week's general

This may help put the crypto issues in perspective:  As a
matter of principle, the privacy horse escaped from the barn
a long time ago, because mail-in ballots are vulnerable to all
sorts of coercion, including bribery and extortion.  There's
little evidence of it happening on a large scale, but some
workplace overseer, union boss, ward heeler, or mobster could
demand that you fill out the ballot in his presence ... or
just hand over a blank ballot and a signed but unsealed
signature envelope.

Arizona encourages vote-by-mail, because it's cheaper ...
but I'm not the least bit convinced it's a good idea, because
of the downside risks.

On 11/10/2016 10:31 PM, Bill Frantz wrote:
>> Unless the ballots are dusted for fingerprints, I don't see a way to
>> connect the ballot paper with the voter. But, with the ballot paper,
>> an audit can show that the electronic scanning read and recorded the
>> ballot correctly.

A badly designed ballot-imaging system would make things worse,
permitting /wholesale/ coercion.  Ballot /imaging/ can permit
surreptitious ballot /signing/, which is very bad from an
anti-coercion point of view.

People who worry about corruption at polling places don't know
what they're talking about.  There are significant threats to
the system, but they're at other places and times, not at the
polling place on election day.

At my polling place we had an actual party observer, which
is something that I'd never seen before.  He came looking
for trouble, but soon came to realize that he was an amateur
watching a bunch of professionals.  The poll workers were
skillfully defending the integrity of the election, and there
was nothing the observer could do that would make anything
better or worse.

Even though we were short-handed, we ran 100 voters through
the polling place in the first hour, which is a nifty bit
of choreography.

The part of this that is particularly relevant in this forum
concerns the machines that scan the ballots after the bubbles
have been filled in.  This requires a platform that is resistant
to "tailoring" (in the NSA TAO sense of the word).  Everything
needs to be secured, including the BIOS, N stages of boot loader,
OS, applications, and peripherals.

This is a really hard problem.  It is an "advanced persistent
threat" situation.  One thing we learned from Snowden is that
the "tailors" are very advanced and very persistent.  Also
there are plain old bugs.  Open source is nicer than closed,
but it does /not/ automagically make all bugs shallow.

I reckon there is a role for cut-and-choose at some point:
pick some subset of the machines and tear them down to bare
metal and bare silicon.

I reckon there is also a role for good old-fashioned redundancy.
Count the ballots twice, with two dissimilar systems in tandem.
Arizona already does a bit of this, insofar as they routinely
hand-count 2 percent of the precincts.  I would prefer to see
two redundant machine-counts of everything, followed by a hand-
count of a smallish sample.

The power of this approach was well demonstrated in Humboldt
County in 2008.  Famous story:

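The redundancy scheme above (two independent machine counts of every batch, then a hand count of a small sample), as an added worked example that is not part of the original post. The ballot data, the batch names and the three scanner models (honest_scanner, dropped_batch_scanner, biased_scanner) are constructed here for illustration and are not a description of any real tabulator; the point it shows is that batch-by-batch reconciliation catches a dropped batch or a disagreement between dissimilar systems, while only the hand count catches two systems that have been "tailored" the same way.

```python
from collections import Counter

# Constructed sample data: ballots grouped by batch, the way scanners ingest
# them.  Each entry is the bubble that was filled in; "" is an undervote.
BALLOTS = {
    "batch-01": ["A", "B", "A", "A", "", "B"],
    "batch-02": ["B", "B", "A", "B", "A", "A", "B"],
    "batch-03": ["A", "A", "A", "B"],
}


def honest_scanner(batches):
    """Reference counter: per-batch Counter of marked choices."""
    return {b: Counter(v for v in votes if v) for b, votes in batches.items()}


def dropped_batch_scanner(batches, dropped):
    """Hypothetical faulty counter that silently loses one whole batch."""
    return {b: c for b, c in honest_scanner(batches).items() if b != dropped}


def biased_scanner(batches, shift_from, shift_to, every):
    """Hypothetical tailored counter: within each batch, every Nth vote for
    shift_from is recorded as a vote for shift_to."""
    out = {}
    for b, votes in batches.items():
        c, seen = Counter(), 0
        for v in votes:
            if v == shift_from:
                seen += 1
                if seen % every == 0:
                    v = shift_to
            if v:
                c[v] += 1
        out[b] = c
    return out


def grand_total(per_batch):
    """Sum the per-batch counts into one race total."""
    total = Counter()
    for c in per_batch.values():
        total.update(c)
    return total


def reconcile(system_a, system_b):
    """Compare two independent machine counts batch by batch.
    Returns a list of (batch, reason); empty means the counts agree."""
    problems = []
    for b in sorted(set(system_a) | set(system_b)):
        if b not in system_a or b not in system_b:
            problems.append((b, "present in only one count"))
        elif system_a[b] != system_b[b]:
            problems.append((b, "counts differ: %s vs %s"
                             % (dict(system_a[b]), dict(system_b[b]))))
    return problems


def hand_count_sample(batches, machine, sample):
    """Hand-count the sampled batches from the paper and compare each with
    the machine's per-batch result.  A missing batch also counts as a hit."""
    problems = []
    for b in sample:
        hand = Counter(v for v in batches[b] if v)
        if machine.get(b) != hand:
            problems.append((b, "hand %s vs machine %s"
                             % (dict(hand), dict(machine.get(b, Counter())))))
    return problems


def audit(batches, system_a, system_b, sample):
    """Run both checks: machine-vs-machine, then hand-vs-machine on a sample."""
    return {"reconcile": reconcile(system_a, system_b),
            "hand_count": hand_count_sample(batches, system_a, sample)}


if __name__ == "__main__":
    good = honest_scanner(BALLOTS)
    lossy = dropped_batch_scanner(BALLOTS, "batch-02")
    rigged = biased_scanner(BALLOTS, "A", "B", 3)
    print("honest total ", dict(grand_total(good)))
    print("dropped batch", audit(BALLOTS, good, lossy, ["batch-01"]))
    # Two identically tailored systems agree with each other; only the
    # hand count of the sampled batch exposes them.
    print("same tailoring", audit(BALLOTS, rigged, dict(rigged), ["batch-03"]))
```

The hand-count sample is deliberately checked against per-batch machine results rather than the grand total, so that a discrepancy points at a specific stack of paper that can be recounted in full; sampling 2 percent of batches at random, as the post describes for precincts, only works if the tampered or lost batch has a fair chance of being drawn, which is why the two machine counts should cover everything.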