Re: snake-oil voting?
Anonymous wrote:

> There is a wide variation in the amount of validation done at polling places. In the local region none of this is done; you are asked to sign, but your signature is not checked. No ID is required, and observers from political parties are not present.

In California, the situation regarding validation is different and improving security-wise, see http://www.ss.ca.gov/elections/elections_q.htm with:

: In late 1995, the Secretary of State was authorized by the Legislature and Governor to begin development of our first-ever statewide voter registration database. By building this cumulative database and eliminating many of the duplicate or erroneous registrations, known as "deadwood", currently on the 58 county's voter rolls, the state and counties can reduce election costs and take another step toward prevention of fraudulent voting. For the first time, county elections officials will be able to maintain their voter registration files with the assistance of other elections offices throughout the state, as well as interfacing with the Department of Motor Vehicles and the Bureau of Vital Statistics. Duplicate registrations can be cancelled, persons who have died can be removed from voter rolls, and cross-county registrations can be updated once the CALVOTER database is in place.

Of relevance here is that cryptographic protocols may have better security support if registration data is reliable and can be verified in more than one channel (eg, using DMV data).

> It seems clear that the system is primarily oriented towards preventing fraud by election officials and those involved in setting up the electronic voting.

I can't see VoteHere providing that, as I explained before -- the system is more towards "One Name, Any Vote" than what it claims to be, as "One Person, One Vote".

There is no way you can verify if a vote with my name was just stuffed into the ballot, for example -- but if everyone would verify and if everyone would have just one name and if everyone would be 100% honest and if everyone would tell all the others what it verified, then it would work ;-) but, then, no protocol is necessary or even possible for the sheer size of msgs involved.

Cheers,
Ed Gerck
Re: snake-oil voting?
> > Did any of you see this http://www.votehere.net/content/Products.asp#InternetVotingSystems that proposes to authenticate the voter by asking for his/her/its SSN#?
>
> It looked like the idea for this part was to prevent double voting, plus make sure that only authorized people could vote. It wasn't necessarily SSN, it could be name/address/date of birth or whatever. Similar to what is done when you go and vote in person.

It's not similar at all. Here in New York, for example, where I used to be an election inspector, the voter list includes your signature, age, sex, and usually (if you gave them when you registered) your height and eye and hair color. Each voter has to sign, and if the signature isn't similar enough or the other items looked wrong, we'd ask for better ID. Each polling place has both Democrat and Republican inspectors; the inspectors for one party have an incentive to challenge dubious voters of the other party. This is a reasonable level of validation given that voters have to show up in person, making mass vote fraud a lot of work to organize. (For absentee ballots, your entry in the book is marked as absentee, so if someone got a fake ballot for you, you'd know when you tried to vote.) The combination of biometric info and personal appearance makes it fairly difficult to vote fraudulently.

The SSN has become a pseudo-secret identifier. That is, the reality is that your SSN is widely available, but many organizations pretend that it's secret and will believe that anyone who presents your SSN is you. Given that the SSN is not secret, the lack of biometric data, and the reality that it's a whole lot easier to fake network transactions than to fake voting in person, this scheme screams "defraud me".

Any security system needs a threat model. I can't figure out what the threat model for this system is other than "whip up something quick and easy".
Regards, John Levine, [EMAIL PROTECTED], Primary Perpetrator of "The Internet for Dummies", Information Superhighwayman wanna-be, http://iecc.com/johnl, Sewer Commissioner Finger for PGP key, f'print = 3A 5B D0 3F D9 A0 6A A4 2D AC 1E 9E A6 36 A3 47
Re: snake-oil voting?
Anonymous wrote:

> Ed Gerck wrote:
>
> > Did any of you see this http://www.votehere.net/content/Products.asp#InternetVotingSystems that proposes to authenticate the voter by asking for his/her/its SSN#?
>
> It looked like the idea for this part was to prevent double voting, plus make sure that only authorized people could vote. It wasn't necessarily SSN, it could be name/address/date of birth or whatever. Similar to what is done when you go and vote in person.

The disconnect here is that it does not make sure that only authorized *people* can vote -- but that an authorized he/she/it can vote. Thus, I find that this is not similar to when I go vote in *person*, when election officials will not allow bots or dogs to vote ;-) Here, anything can get an authorization, not just anyone. And, someone could easily have a directory of "voters" (real or made-up) and automatically proceed to obtain authorization and vote with each one of these "voters". There is nothing to prevent bulk voting commanded by one person.

> There was also this idea of what they earnestly called a VERN, Voter Encrypted Registration Number, which would be distributed in advance to people who were authorized to vote. You'd provide your VERN along with your authenticating info (DOB/SSN/whatever) to prove that you were authorized.

Again, one is misled by the assumption that it would be distributed to people. The VERN voting is similar to what we see in majordomo for example, when a nonce is sent to a *virtual* subscriber and must be mailed back to confirm list subscription, from the same requesting email address -- ie, similar to casting a vote in VoteHere. But, bots can also subscribe using majordomo. So, since the VERN is requested by and provided along with virtual info, there is no verification of the voter's identity even as a person (ie, not a bot) neither when the VERN is sent to the presumed voter nor when the VERN is used.

> Any voting system ultimately relies on real world proof like this.

But, there is no real-world proof here, everything happens entirely in the virtual world.

> The real point of the protocol is to keep people from finding out HOW each person voted, while assuring that the vote count is correct. There has been a lot of work on crypto protocols for secure voting and this appears to be what they have implemented.

I see no protocol, I see a table of names and nonces. Each one can see their name, but no one can verify if two or more names may (wrongly) correspond to one person or, if a nonce listed is the correct one for a name. So, "One Person, One Vote" as declared by VoteHere is more likely "One Name, One Vote". And, what is to prevent populating the table with names/nonces? If absentee ratio is large, there is considerable room to populate the table and still have less than a given number of voters (assuming that the total number of voters is known, which is not true for USENET or in the Internet -- we don't even know how many hosts the Internet has, let alone users, and known host statistics are only relative to in-addr.arpa registration).

> This looks like a good system although it would be nice to see more details. It certainly sounds better than alternatives.

What alternatives do you mean?

> With current Usenet votes everyone gets to see how you voted. With this VoteHere system you could be assured that your vote was correct (because it would match the encryption you sent in),

But, you could not be sure whether any other vote is correct.

> nobody else could see how you voted,

This is not what the site says -- it says: "..decrypted by a simultaneous coordination of election officials and observers, to obtain and/or audit the election results.", which means that such group can decrypt the tally result but does not mean that it cannot decrypt *one* entry from the name/nonce table. Since the table is public, if voting nonces can be decrypted one by one then any vote can be identified.

To avoid this, the encryption method used to create the nonces would have to be one-way with trapdoor for the tally but one-way for any nonce. Let us suppose that this is true. But, since a tally is the sum of two or more nonces, if I have *one* known vote (my own) then I can know any other vote in a sum of two nonces. And, knowing two votes I can know the sum of three votes, and so on. I can continue the process and eventually learn how everyone voted, starting only from my own vote -- even under the assumption that the encryption method used to create the nonces is one-way with trapdoor for the tally but one-way for any nonce.

> and yet you could be sure that the vote total was correct (by running the sum operation on the encrypted data, and verifying that the decryption of this is the claimed sum).

Given the information in the site, I cannot see how you deduced this. But, even if what you say is true and I missed it elsewhere, then the argument above shows that knowing only my
Re: snake-oil voting?
John R. Levine writes, quoting others:

> > > Did any of you see this http://www.votehere.net/content/Products.asp#InternetVotingSystems that proposes to authenticate the voter by asking for his/her/its SSN#?
> >
> > It looked like the idea for this part was to prevent double voting, plus make sure that only authorized people could vote. It wasn't necessarily SSN, it could be name/address/date of birth or whatever. Similar to what is done when you go and vote in person.
>
> It's not similar at all. Here in New York, for example, where I used to be an election inspector, the voter list includes your signature, age, sex, and usually (if you gave them when you registered) your height and eye and hair color. Each voter has to sign, and if the signature isn't similar enough or the other items looked wrong, we'd ask for better ID. Each polling place has both Democrat and Republican inspectors; the inspectors for one party have an incentive to challenge dubious voters of the other party.

There is a wide variation in the amount of validation done at polling places. In the local region none of this is done; you are asked to sign, but your signature is not checked. No ID is required, and observers from political parties are not present.

> The SSN has become a pseudo-secret identifier. That is, the reality is that your SSN is widely available, but many organizations pretend that it's secret and will believe that anyone who presents your SSN is you. Given that the SSN is not secret, the lack of biometric data, and the reality that it's a whole lot easier to fake network transactions than to fake voting in person, this scheme screams "defraud me".

Note that the original scheme did not refer to the SSN as being especially secret. It was used in parallel with date of birth as an example of something which would not be widely known about a person. Obviously date of birth is not particularly secret, but it merely adds an extra amount of security to the protocol.

Here is how they describe the authentication process:

: Each registered voter is sent a VERN (Voter Encrypted Registration Number) to serve as something the voter "is given." The VERN can be sent by email or traditional postal mail. The VERN is often accompanied by a web site address where the voter can log-on to the Internet to vote. Once at the voting web site, the voter enters the VERN and additional pieces of information known only to the voter and election officials (e.g., DOB, SSN#) to serve as something the voter "knows."

The main authentication is this VERN which is sent directly to the registered voters. The additional DOB/SSN adds extra security; it is not the basis for the whole authentication.

> Any security system needs a threat model. I can't figure out what the threat model for this system is other than "whip up something quick and easy".

It seems clear that the system is primarily oriented towards preventing fraud by election officials and those involved in setting up the electronic voting. Historically, this is the greater danger in election fraud. Stuffing the ballot box is much easier if you are the one in charge of delivering the ballots or counting the ballots. If you actually have to get a bunch of people to try to vote under false names it is a huge undertaking and unlikely to be kept secret. Fraud by corrupting officials is much more cost effective and hence more dangerous. In this case, the point of the system is to allow everyone to verify that the counting and recording of the ballots was done honestly. This ensures that the officials and operators of the election are doing their jobs correctly. It therefore addresses the primary form of election fraud.
Re: snake-oil voting? voter authentication
At 11:18 PM 9/23/99 -0700, Ed Gerck wrote:

> > > that proposes to authenticate the voter by asking for his/her/its SSN#?
> >
> > It looked like the idea for this part was to prevent double voting, plus make sure that only authorized people could vote. It
>
> The disconnect here is that it does not make sure that only authorized *people* can vote -- but that an authorized he/she/it can vote. Thus, I find that this is not similar to when I go vote in *person*, when election officials will not allow bots or dogs to vote ;-) Here, anything can get an authorization, not just anyone.

NB: In America, *anyone* with an address who can write [1] *can* in practice vote because there is no authentication of citizenship. Note that *everyone* is not legal to vote ---you must be a citizen, for instance, and not a felon--- but there is *no* authentication done on your citizenship when you register to vote.

With absentee ballots, dogs and cats can and do vote. (It is of course a crime, as is noncitizen voting...) And dead people are well known to keep voting after interment.

This is a regular source of November entertainment in SoCal, where the Republicrats accuse the Demopublicans of encouraging voting by illegal aliens (who tend to vote with them). Some years, the former party posts unofficial guards and "Citizens Only" signs near voting places in the barrios, and gets abuse for it later. Look up the Dornan vs. Sanchez race.

NB: There is no requirement in the US to carry identification unless you're driving a car in public. And there are no laws requiring ID to vote.

My point being, authentication of voters is a *very* tricky political subject, because it has to do with political power allocation. Much like plans to mess with the US census rose very quickly all the way to the supreme court. The census is how US congresscritters are allocated.

(Apologies for civics pedagogy/local anecdotes; I'm assuming there are furriners reading)

[1] Probably illiterate citizens can vote too; the law lets a witnessed "X" be a signature, and these days illiterates would claim ADA applied... certainly blind (and braille-illiterate) citizens vote.
Re: snake-oil voting?
> It seems clear that the system is primarily oriented towards preventing fraud by election officials and those involved in setting up the electronic voting. Historically, this is the greater danger in election fraud. Stuffing the ballot box is much easier if you are the one in charge of delivering the ballots or counting the ballots. If you actually have to get a bunch of people to try to vote under false names it is a huge undertaking and unlikely to be kept secret. Fraud by corrupting officials is much more cost effective and hence more dangerous.

Indeed, but I don't see how this scheme offers any defense against ballot box stuffing. The election officials know the VERN and whatever "private" info the voters are supposed to provide for validation purposes, so it seems to me that it'd be no trouble at all to whip up a few thousand forged e-mails with exactly the right voter info, much easier than scribbling fake signatures into a book.

To make a system like this forgery resistant, you need to collect some sort of token with each vote that's known to the voter but not known to the officials, so in case of doubt about authenticity you can go back to the voter and validate the token. In a world with widely deployed crypto, that would mean public key signatures, but lacking that, a question like "what color shirt are you wearing today?" might do.

Having said all this, I realize that there's a tradeoff between security and usability. Anyone who owns stock in a publicly traded company has probably gotten a proxy form that refers to ADP's proxyvote.com. To vote there, you need only enter a 12 digit number found on the proxy form, or punch it into your phone if voting via their 800 number. That's pretty weak security, but it seems adequate for the purpose, since most corporate elections are uncontested or close to it. I have no idea if they use something more secure when they have an actively contested proxy battle.
Regards, John Levine, [EMAIL PROTECTED], Primary Perpetrator of "The Internet for Dummies", Information Superhighwayman wanna-be, http://iecc.com/johnl, Sewer Commissioner Finger for PGP key, f'print = 3A 5B D0 3F D9 A0 6A A4 2D AC 1E 9E A6 36 A3 47
Re: snake-oil voting?
At 15:20 23/09/1999 , Ed Gerck wrote:

> List:
>
> Did any of you see this http://www.votehere.net/content/Products.asp#InternetVotingSystems that proposes to authenticate the voter by asking for his/her/its SSN#? And, by the contents of ... an email msg sent to him/her/it?

What about the privacy issues here? Is this not collecting a substantial database of Name SSN details? Would this not be the ideal start for a widespread project of identity theft?

(I can't believe people are still using SSNs for this sort of stuff. Have no lessons been learnt? Browse almost any issue of RISKS digest for examples of SSN misuse.)

J

- James Robertson
Step Two Designs Pty Ltd
SGML, XML HTML Consultancy
http://www.steptwo.com.au/
[EMAIL PROTECTED]
"Beyond the Idea"
ACN 081 019 623
Re: snake-oil voting?
> Did any of you see this http://www.votehere.net/content/Products.asp#InternetVotingSystems that proposes to authenticate the voter by asking for his/her/its SSN#?

It looked like the idea for this part was to prevent double voting, plus make sure that only authorized people could vote. It wasn't necessarily SSN, it could be name/address/date of birth or whatever. Similar to what is done when you go and vote in person.

There was also this idea of what they earnestly called a VERN, Voter Encrypted Registration Number, which would be distributed in advance to people who were authorized to vote. You'd provide your VERN along with your authenticating info (DOB/SSN/whatever) to prove that you were authorized.

Any voting system ultimately relies on real world proof like this. Until we have a worldwide secure system of cryptographic credentials for proving membership in various groups (like registered voters) you aren't going to get away from this. In something like Usenet newsgroup votes, you could still use this but you wouldn't use SSN, you'd just use names/emails as you do now. It's not perfectly secure against double voting but it is good enough in most cases.

The real point of the protocol is to keep people from finding out HOW each person voted, while assuring that the vote count is correct. There has been a lot of work on crypto protocols for secure voting and this appears to be what they have implemented. Some systems in the literature involve encrypting votes in a manner such that summing can be done with the encrypted data, without decrypting them. Sounds like something similar is done here.

This looks like a good system although it would be nice to see more details. It certainly sounds better than alternatives. With current Usenet votes everyone gets to see how you voted. With this VoteHere system you could be assured that your vote was correct (because it would match the encryption you sent in), nobody else could see how you voted, and yet you could be sure that the vote total was correct (by running the sum operation on the encrypted data, and verifying that the decryption of this is the claimed sum).

It certainly doesn't look like snake oil, rather an attempt to bring these theoretical crypto protocols into the real world. It's always tough to join theory and practice and so there may be some rough edges at the interface. But it looks like the idea has significant potential. Otherwise we're going to get "just trust us" electronic voting like some areas are using already.
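Two points in this thread lend themselves to a worked example: Anonymous's description of votes "encrypted in a manner such that summing can be done with the encrypted data, without decrypting them" (with the voter able to check that the posted ballot "would match the encryption you sent in"), and Ed Gerck's objection in his earlier reply that if the trustees will decrypt a sum of just two entries and you know your own vote, the other vote follows. The block below is an added illustration, not VoteHere's protocol or code (the site does not say which scheme is used); it uses textbook Paillier as a representative additively homomorphic cipher, with constructed toy primes far too small for real use. The functions `cast`, `verify_receipt`, `tally` and `partial_sum_leak` are names chosen here.

```python
"""Toy additively homomorphic tally (Paillier) illustrating the thread's discussion.
Constructed example; not VoteHere's protocol or code."""
import secrets
from math import gcd

# Constructed toy parameters: two small well-known primes (65537 and 65521).
# A real deployment needs primes of 1024 bits or more; these only keep the arithmetic readable.
P, Q = 65537, 65521


def keygen(p=P, q=Q):
    """Paillier key pair. Public key (n, g); private (trustee) key (lam, mu)."""
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    g = n + 1                                      # standard generator choice
    mu = pow(lam, -1, n)                           # L(g^lam mod n^2) = lam when g = n+1
    return (n, g), (lam, mu)


def random_r(n):
    """Blinding factor r in [1, n) coprime to n."""
    while True:
        r = secrets.randbelow(n - 1) + 1
        if gcd(r, n) == 1:
            return r


def encrypt(pk, m, r=None):
    """Randomised encryption c = g^m * r^n mod n^2. The same vote encrypts
    differently every time, so a published ballot does not reveal its content."""
    n, g = pk
    n2 = n * n
    if r is None:
        r = random_r(n)
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(pk, sk, c):
    """Trustee decryption: m = L(c^lam mod n^2) * mu mod n, with L(x) = (x-1)/n."""
    n, _ = pk
    lam, mu = sk
    x = pow(c, lam, n * n)
    return ((x - 1) // n * mu) % n


def add_encrypted(pk, c1, c2):
    """Homomorphic addition: E(a) * E(b) mod n^2 is an encryption of a + b."""
    n, _ = pk
    return (c1 * c2) % (n * n)


def tally(pk, ballots):
    """Fold all encrypted ballots into one encrypted total; no ballot is decrypted."""
    acc = encrypt(pk, 0)
    for c in ballots:
        acc = add_encrypted(pk, acc, c)
    return acc


def cast(pk, vote):
    """Voter side: encrypt a 0/1 vote and keep the blinding factor as a receipt."""
    r = random_r(pk[0])
    return encrypt(pk, vote, r), r


def verify_receipt(pk, posted_ballot, vote, r):
    """Voter re-derives the ciphertext from (vote, r) and checks the posted ballot matches."""
    return encrypt(pk, vote, r) == posted_ballot


def run_election(votes):
    """Cast every vote, tally homomorphically, and decrypt only the aggregate."""
    pk, sk = keygen()
    ballots, receipts = zip(*(cast(pk, v) for v in votes))
    total = decrypt(pk, sk, tally(pk, list(ballots)))
    return pk, sk, list(ballots), list(receipts), total


def partial_sum_leak(pk, sk, my_ballot, my_vote, other_ballot):
    """The objection raised in the thread: if the trustees will decrypt a sum of
    only two ballots and I know my own vote, the other voter's choice follows.
    The defence is procedural: decrypt nothing smaller than the complete tally."""
    pair_total = decrypt(pk, sk, add_encrypted(pk, my_ballot, other_ballot))
    return pair_total - my_vote


if __name__ == "__main__":
    pk, sk, ballots, receipts, total = run_election([1, 0, 1, 1, 0])
    print("tally:", total)
    print("receipt check for ballot 0:", verify_receipt(pk, ballots[0], 1, receipts[0]))
    print("vote in ballot 1 recovered from a two-ballot decryption:",
          partial_sum_leak(pk, sk, ballots[0], 1, ballots[1]))
```

The homomorphic sum gives the "vote total is correct" property Anonymous describes, and the receipt check gives the "matches the encryption you sent in" property, but `partial_sum_leak` shows that the cipher alone does not protect individual ballots: the guarantee rests on the trustees never decrypting anything smaller than the full tally, which is exactly the policy question Ed Gerck raises about what "coordination of election officials and observers" is allowed to decrypt.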