Friday, February 8, 2008

Secure and Easy Internet Voting

Giampiero E. G. Beroggi, "Secure and Easy Internet Voting," IEEE Computer, Volume 41, Number 2, February 2008.

This is one of those articles that inadvertently provides examples of why computerized voting is a bad idea. It starts in the second paragraph, where Beroggi says "One reason for the delay in implementing more technologically sophisticated voting methods is the computer science community's almost unanimous wariness of Internet-based elections." Rather than addressing this wariness, he goes on to list putative advantages of e-voting, and then opens the third paragraph with "Fortunately, in light of these strong advantages, more countries are beginning to consider e-voting...." He has listed advantages and dismissed the computing community's reservations by simply not mentioning them.

Is electronic voting really scarier than other methods? I think so. Any of a number of people can trot out problems with any voting technology, including paper. But I have yet to see an e-voting advocate address either of the following two problems, except to say that computer security professionals are too obsessed with unlikely events. Of course, many popular, oft-successful attacks initially seemed unlikely, especially to non-security people. This is what scares me when I hear political scientists say it's safe, or usability experts say that if we address the usability issues, e-voting will be fine. Addressing usability issues only improves the accuracy of unhacked machines. Anyhow, the two issues:
  1. The class break. With e-voting, there's the possibility that a small group of people could modify a large number of geographically disparate machines.
  2. The technological sophistication needed to understand the hacks. Boards of Elections and state assemblies don't have the ability to intelligently discuss attacks against e-voting, let alone detect them.
The author of this article dismisses these problems by simply not mentioning them directly. His attitude appears to be that computer scientists have issues, but we can ignore them.

There are at least two troubling aspects to the author's section entitled "Security." First is the repeated claim that the system uses SSL and 1024-bit encryption. If he's talking about RSA keys, this is a bit light: a 1024-bit RSA modulus gives roughly 80 bits of security, and NIST's key-management guidance (SP 800-57) already called for moving to 2048-bit keys after 2010. If he's talking about the symmetric algorithm, well, I doubt he is; no common symmetric cipher takes a 1024-bit key. So, for all we know, they're just using DES or something like that.

Then there's the statement that "The literature on e-voting emphasizes the danger of making source code available as a way to build trust in the system, since attackers with such access could modify voting and auditing records." I'll have to read his reference, but I don't see how a single 3-page CACM article equates to "the literature." Note also that reading the source does not by itself let anyone modify voting or auditing records; that takes write access to the deployed system, which keeping the source secret does nothing to prevent. Keeping the source code secret does, as the author suggests, reduce trust. Shouldn't voting be an open process? Shouldn't citizens be able to judge the quality of the voting system? As it is now in the US, the answer is no: corporations' proprietary "rights" trump voter confidence. And should voting systems rely upon security by obscurity? If so, then the first disgruntled employee to leave the manufacturer or a certifying body or whatnot can spill the beans, and then we'll all wish it had been open and enough people had cared to find the bug that Beroggi advocates covering up.
