SoylentNews is people
SoylentNews
Estonia is the world leader in using online voting for its national elections. Its government has done a great deal to improve the security of the system, which is now used by up to 25% of voters. The country's "I-voting system" is touted by proponents of online voting in the U.S. to claim that secure Internet voting is possible.
It isn't. Early in May an international team of independent security experts accredited by the Estonian government reported severe security vulnerabilities in that country's "I-voting system." Elections, the researchers found, "could be stolen, disrupted, or cast into disrepute."
These results have serious implications for the push to internet voting in other countries, particularly in the U.S.
This discussion has been archived.
No new comments can be posted.
Hack the Vote: The Perils of the Online Ballot Box
|
Log In/Create an Account
| Top
| 22 comments
| Search Discussion
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
In Tulsa, Oklahoma, it is against the law to open a soda bottle without
the supervision of a licensed engineer.
(Score: 2) by mhajicek on Friday May 30 2014, @05:20AM
I think the problems are largely the same whether votes are paper or electronic. The only secure system I can think of would be to log each vote in a central database with a unique vote id number, which is given to the voter like a receipt. Then anyone should be able to check any vote id number for its results, and an individual bearing their receipt would have the power to have their vote corrected if it's been altered. This still leaves open the problem of extra votes, but allows anyone to sample or count votes and allows anyone to ensure their vote was cast correctly.
The spacelike surfaces of time foliations can have a cusp at the surface of discontinuity. - P. Hajicek
(Score: 3, Insightful) by Angry Jesus on Friday May 30 2014, @05:37AM
> allows anyone to ensure their vote was cast correctly.
So, basically get rid of anonymous voting.
(Score: 0) by Anonymous Coward on Friday May 30 2014, @07:09AM
Votes being tied to unique numbers would not require votes to be tied to an individual. The numbers could be randomly generated and never repeated.
(Score: 2) by lx on Friday May 30 2014, @10:44AM
Attention Bitcoin freaks everywhere. Show us how you can use the blockchain to ensure a secure vote.
You know what? That plan is so crazy it might just work.
Votecoin anyone?
(Score: 3, Insightful) by Angry Jesus on Friday May 30 2014, @01:08PM
> Votes being tied to unique numbers would not require votes to be tied to an individual.
Of course they would be tied. Someone pays you or threatens you to make you vote a certain way and requires that you give them your id number so they can verify that you voted as they wanted you to.
(Score: 2) by Geotti on Friday May 30 2014, @05:14PM
Allow for the inclusion of plausible deniability (i.e. give out 10 IDs per person and only you know, which one was actually cast) and this problem is solved.
I disagree with the central database, though (single point of failure/attack). It should be a CRC-checked, verified and vetted distributed system. It seems the bitcoin idea from above has some merit.
(Score: 2) by Angry Jesus on Friday May 30 2014, @06:26PM
> Allow for the inclusion of plausible deniability (i.e. give out 10 IDs per person and
> only you know, which one was actually cast) and this problem is solved.
That's an interesting idea, but I don't think it will scale because of the exponential increase in complexity. Once there are more than 2 different elections on the same ballot, keeping mental track of which ID is "real" is going to move beyond the abilities of the average voter. A mnemonic device like using pictures instead of numbers might bump retention up by a few more races, but I'm guessing that, best case, 5 would still be a limit for a majority of the population.
(Score: 3, Insightful) by Yog-Yogguth on Friday May 30 2014, @08:23AM
And as we all know they would love that since non-anonymous voting is nearly as "good" as no voting when every society in the end runs on an aggregate of social pressures (or much worse). Maybe next the powers that be will decree voting by simple acclamation like some political parties do (particularly so-called labor parties and their myriad of enslaved organizations and unions). I've gotten the impression some cult ideologies made it far enough to achieve specialized styles of clapping, maybe that's still the case in North Korea or Cuba.
There ought to be ways of making it possible for the entire public to validate the entire election process (and not just whatever part they might be helping out with) without connecting specific votes to the individuals who cast them.
I'd have much more confidence in elections if I and everyone else could at least keep constant track of the boxes with votes. Technology ought to be able help with that: as the votes are cast one could constantly publicly surveil the hell out of the boxes they are collected in. But how? What would work? How would one test it and provide working reference implementations? Some kind of open international competition? How would one force working systems onto corrupt politicians with a lot of voters already beaten down into submission, drooling stupidity, or inane Pavlovian and perhaps even hereditary repetition?
Being "paranoid" I have zero confidence in the voting system in my country (and negative confidence about the elections in neighboring countries here in western Europe), even though it's manual and even though it recently gave a change in government at home and political upsets abroad, it's too obscure at a distance and too limited close up. Even the OSCE is becoming a politicized joke these days due to Ukraine, the OSCE monitoring measures are not good enough and have to be deeply flawed when "half of two thirds" of a country are not at all participating in the vote (and that's without considering the turn-out) and it still isn't a problem for the OSCE. That kind of stuff is as ridiculous as Baghdad Bob yet there's no outcry because every power involved cares less about the vote than about forcing the winner to take some shred of responsibility; defendable as a piece of international realpolitik but making fools out of the voters.
Of course I'm setting the bar way too high when people already get away with open political violence and intimidation, and removing the ballot papers for specific political parties. These are examples from multiple "first world" western "democratic" countries, not Pakistan, Egypt, or Syria. Where cast votes end up scattered on the freeway or the dump or voting urns/boxes vanish until the counting is done with feeble excuses of them being sent as normal postage. These are all examples from the western world and in particular Sweden which has become a stinking shithole par excellence as far as these things go (and surveillance as well, glad I don't live there and the US has recently promised not to take action if the Russians liberate them --although that was just an open public attempt at trying to force them into NATO).
Rawr! This world is chock full of shit and stupidity and I have trouble learning not to care #end rant
Bite harder Ouroboros, bite! tails.boum.org/ linux USB CD secure desktop IRC *crypt tor (not endorsements (XKeyScore))
(Score: 2) by Magic Oddball on Saturday May 31 2014, @11:56AM
"I'd have much more confidence in elections if I and everyone else could at least keep constant track of the boxes with votes. Technology ought to be able help with that: as the votes are cast one could constantly publicly surveil the hell out of the boxes they are collected in. But how?"
We don't need technology for that -- in California, at least, oversight is rigorous enough (speaking as someone that has volunteered behind-the-scenes for 12 years) that the incidence of voter fraud is negligible. Here is the setup we have:
6:00AM - Team (assigned at random by headquarters) arrives. We set up the equipment, which requires breaking a thick plastic zip-strip lock for anything security-related, documenting the numbers in two places and putting the locks into a plastic bag to be turned in at the end of the day.
7AM - At all voting precincts, the person in charge shows the voters waiting in line that the metal voting box is empty, then pulls out the maroon zip-strip and locks the metal box closed, so the only opening is the slit for ballots. The box is then placed in full view of the check-in table (where 3+ of us sit at all times).
Each voter steps up to the check-in table. We make sure they're assigned to us and aren't listed as a mail-in voter, then have them print and sign their name in the official register & logbook. The person is then handed a set of multiple-choice card ballots & secrecy envelope; when they've voted, they return and they or we place it into the metal box.
If the voter *isn't* one of ours, we give them a phone number to find out where they're supposed to be. If they can't easily get there, we process them as a Provisional Voter: they sign into a special sheet, and must seal their completed ballot into an envelope with their name/street/etc. before putting it in the metal box, so it isn't counted with all other votes. Up at headquarters the next day, the provisional ballots are all sorted to be sure there's only one under each name, that the name wasn't also used to vote normally, and the signatures/info are electronically compared to what the person is registered under. If there's a problem, they manually double-check, and reject the ballot if appropriate.
During the day, we update a reference list every 15 minutes that shows the street address, name and political affiliation of each voter, and put it on display for volunteers from the political parties, journalists, or bored citizens (anyone can also hang out watching everything). We also check to be sure that our two reference indexes (one ordered by name & one by street) have the same ID numbers checked off, that the ID also matches the line numbers in the name register and sign-in sheet -- if anyone tried to sneak a name or whatever in (or more realistically, if one of us goofed) the problem becomes obvious in a hurry!
At 8pm, we process any voters in line or just arriving, then close & lock the doors ASAP. We put equipment away, which means putting (and recording numbers of) new locks on security items. We cut the lock on the metal voting box. We make sure we have the same number of provisional ballots as people signed into the Provisional Roster, put the roster & ballots into a clear bag, write the number down on the outside, and seal that.
We then dump all of the normal ballots onto the working table, pull them from their secrecy envelopes, and start stacking them into groups of 10 with the corner-cut in the same direction. We triple-check, jot the number down, and make sure it matches the number of voters on our regular sign-in roster, name index, etc. We then place them into a special box, put the lid on, lock it with a giant seal (adhesive all the way around, no way to remove it) and have 3 volunteers sign & witness each other's signatures.
One of the papers we write all of this onto goes into that box, while a carbon-copy is torn off and placed in an envelope. The person in charge and one other volunteer then drive the supplies to the election center. A *different* volunteer must seal the envelope and mail it to the election center within 48 hours.
I'm overlooking some of the redundancies (dropping off a mail-in ballot is handled the same way as a provisional but with different paperwork, etc.), but you get the picture: layer after layer of security paired with transparency. In fact, every few elections my own vote-in ballot is rejected because the way I sign one or two of the letters in my name has changed, so I have to turn in a new signature for the future -- it's a pain, but as I've reminded a few voters, it means the system's actually working.
(Score: 2) by Geezer on Friday May 30 2014, @09:22AM
Data is data. All data can be manipulated. Whether this makes E-voting more or less secure than the traditional stuffed ballot box is open to debate, but there is not, and can never, ever, be a guaranteed secure system of electronic voting. Why? Because even with "impartial" 3rd-party validation of proprietary software and auditing of results, the so-called impartial 3rd parties will still have human failings and interests, either ideological or monetary (maybe both). All code is written and QA'd by humans. 'nuff said.
(Score: 1, Informative) by Anonymous Coward on Friday May 30 2014, @01:06PM
Electronic signatures can prevent data manipulation (especially since with electronic voting, it suffices if the votes are secure until any dispute has been settled; or at worst until the end of the legislation period).
The challenge is to combine electronic signatures with anonymity on one hand, and the prevention of double-voting or ballot stuffing on the other hand. Anonymity requires that your identity cannot be associated with your vote, while prevention of double-voting/ballot stuffing requires that you actually identify yourself when voting.
(Score: 1, Insightful) by Anonymous Coward on Friday May 30 2014, @12:38PM
No, they are vastly different. The biggest difference is in risk to adversaries in modifying the results of a campaign. With paper ballots you must be physically present to do something (risky), and it's expensive to modify enough physical paper to sway a result (costly). With electronic votes you can modify results from 12,000 miles away (not risky) and only need to change a single bit value to swap a result (not very costly, based on these and many other findings of e-voting systems).
(Score: 0) by Anonymous Coward on Friday May 30 2014, @05:32AM
Do what you're told because you're told, jackboot in the face when you cross the line. Voting is a game, choice is an illusion. It works because we say so, fuck you if you disagree!
(Score: 2) by bob_super on Friday May 30 2014, @04:12PM
You forgot the important part:
Even with half the population having negative net worth, keep them believing that they have a lot to lose by rebelling against the system. Did we mention you'll get raped by big bubba if we put you in jail?
(Score: 3, Interesting) by Anonymous Coward on Friday May 30 2014, @07:26AM
I'm posting from Estonia and the so called "security experts" were friends of the Russian backed opposition party. Other IT experts put out a money price for any security vulnerabilities that can be shown. Nobody has submitted any detail or provided any proof that security vulnerabilities exist. Only vague articles that claim, that the election are not secure, without any proof. The people who made those claims have no knowledge of IT and have been shown to be closely connected with the opposition party, who uses the "unsecured voting" slogan to catch votes for themselves. Unbelievable to me, that western media is spreading, what is basically Russian sponsored propaganda against a EU country.
The same system that is used for electronic voting (national ID-card based), is used for logging into every bank in the country. There has not been any vulnerability reported, as the banks would have quite a lot of trouble in that case. Every contract/document in the country is acceptable with an electronic signature, backed by the same system. Every document for interaction with the state, can be sent via email, signed by the same system. Most companies prefer to keep electronic records with digital signatures, sill the same system, still no problems.
For details - you put your ID-card into a card reader (reader inside the keyboard or separate reader connected to USB) and when you want to log in (and verify its you) you use one pin code and when you want to sign a document or pay for something (or vote), you use another pin code. A third code is available to change both in a utility program. It's very hard to copy someones identity - you need to steal the physical card (that is equivalent to the national passport) and pins.
As for voting one can check online if his electronic vote is still the same (or change ones vote) until the voting ends. So if someone would want you to vote for somebody person, you can vote, collect the bribe, and then go vote for the person you like, by changing your vote later. :)
(Score: 2) by Yog-Yogguth on Friday May 30 2014, @09:07AM
Yes because Russians /sarcasm.
Your system sounds a lot like the test system they've attempted where I live not all that far away from you. It's laughable and over here it was the usual suspects that pushed for it (both the two main parties have totalitarian tendencies, one of them has been more or less in power and with a disproportionate amount of influence for the last sixty years and loved whoring itself out to both the CIA and KGB so it's not much of a surprise. The other party is constantly tempting itself into emulating such successful hoarding of power instead of being ethical). The electronic voting system is so naive as to almost become cute and it was already custom made to be fuckable, no wonder fascists and psychopaths all over the world are ecstatic. No, it's not secure and anyone can make the claim and prove it. I can make the claim, Martians can make the claim, Uranusians can make the claim: you have to prove it is secure, not that it is insecure. Read that a few more times, think about what it says, what it means.
Can you really claim the voting system is anonymous? That whoever piggybacks the voter as they sit in front of a computer in some unknown location and cast their vote doesn't know the facts you've presented and doesn't demand being given everything? The voters will get back their physical card after the vote is done, the people holding a gun to your head or sending you a hooker are very considerate and caring people and if you vote right before the tally you'll only be without your stuff for a day or two at most. Isn't that nice :)
Whoops the concept of fair elections flies right out of the window and it's never coming back. Why? Because you didn't love it sufficiently.
Please don't blame everything true on the Russians, yes I hate communism too and you were wronged as a nation but despite all of that and despite most Russians being nice and likable people they actually don't deserve your unintentional praise. Same (the gist of it) goes for the Chinese.
Bite harder Ouroboros, bite! tails.boum.org/ linux USB CD secure desktop IRC *crypt tor (not endorsements (XKeyScore))
(Score: 0) by Anonymous Coward on Friday May 30 2014, @12:34PM
I share your concern that these experts were not objective. However rather than attack the messengers or their financial backers, why not attack their methodologies? Just because an evil person says 1+1=2 does not make it untrue merely because they're evil.
Yes, they have. That's what this article is about, although the editors didn't provide any useful links. Have you read the technical report? It lists very specific attacks they were successful in using.4 /05/IVotingReport.pdf [estoniaevoting.org]
https://estoniaevoting.org/wp-content/uploads/201
What evidence do you have that banks would actually report a vulnerability? If they did, why do you think they would have a lot of trouble? Why do you think they're not dealing with this trouble on a daily, ongoing basis, and simply not making it public? In my country certain banks are blessed by the government and nothing they do will harm them, while other banks are punished severely. I don't know what it's like in Estonia, only relaying my own experiences elsewhere.
It is not a logical conclusion that because a flawed system is used everywhere there must not be any problems. I also question whether any problems would become public knowledge. I've worked for companies that had massive security issues, yet they were never made public, even though they served the public.
(Score: 2) by Angry Jesus on Friday May 30 2014, @01:24PM
> I'm posting from Estonia and the so called "security experts" were friends of the Russian backed opposition party.
That's an interesting ad-hominem. It does not appear to be true. According to the Guardian the researchers were a team from the university of michigan in the US and a guy from Finland. [theguardian.com]
By the way, that article includes videos of them compromising both voting PCs and voting servers in the lab. It is super boring to watch.
(Score: 2) by Angry Jesus on Friday May 30 2014, @01:32PM
As a follow-up here is the site of the researchers dedicated to the problems with the estonian system.
https://estoniaevoting.org/ [estoniaevoting.org]
The FAQ even addresses the ad-hominem:
Aren't your team aligned to the Centre Party or some other political interests in Estonia?
No. This is not the case. Our research work and current visit to Estonia has been done without the funding or involvement from anyone in Estonia -- no political parties and no other organisations. We have no desire to support or favour any political party in Estonia, we are simply offering the results of our research into a unique system which has gained international interest.
(Score: -1, Flamebait) by Anonymous Coward on Friday May 30 2014, @05:42PM
Fuck you, you neo-nazi, racist scumbag. Why don't you go and continue to praise Hitler, your savior, with monuments to Waffen-SS? Piece of shit, history forgetting bigot.
(Score: 1, Informative) by Anonymous Coward on Friday May 30 2014, @12:20PM
Come on editors, this summary provided no real info, only an indirect link from a data-less blurb to a paywalled site! Here's the actual info:
https://estoniaevoting.org/ [estoniaevoting.org]
(Score: 2) by Angry Jesus on Friday May 30 2014, @04:30PM
It wasn't paywalled for me, but then again I use self-destructing cookies [mozilla.org] and spoof my http-referrer [mozilla.org] as google.com which makes me invisible to many paywalls.
I submitted the "blurb" because the VerifiedVoting site has been at the forefront of e-voting analysis and criticism for over a decade and is an important resource on the general topic. This story isn't so much about the specifics of estonia's system but the general topic of the push for insecure evoting systems in the US.