On Saturday 18 December 2010 11:26 PM, Eugen Leitl wrote:
> No, electronic voting is dead for fundamental reasons. It doesn't matter
> how secure or insecure the architecture is. Read what Schneier has to
> say about it. He's usually right on the money.

I've almost never found myself disagreeing with Schneier, so I googled his
views on e-voting.  The most relevant (general, not country specific)
article I could find was this:
http://www.schneier.com/blog/archives/2004/11/the_problem_wit.html

Most of the problems discussed are very design-dependent.  The e-voting
machines used in India, for instance, aren't touch-screen based.
Favouring particular candidates in advance (at the factory stage) is
difficult because the order of the candidates isn't pre-determined, and
there is no certainty which EVM will end up where.  Malicious changes in
the software can affect thousands, true, but the corrupt politician
wouldn't know in advance whether the insider she's contacted will do
something that favours her or not—there is simply no way of telling.

>> 2. The problems with EVMs should not be evaluated on their own, but
>> compared to those with paper ballots.  This might not be very important
> 
> Paper is self-documenting. It creates its own documentation trail.

A paper-based audit trail can be combined with electronic voting.

> Paper is offline, so it can't be scrambled. Paper is distributed
> over multiple independent physically securable compartments.

They might be multiple and independent compartments, but they aren't secure.

> People understand sealed urns, counting, locks, guards.

People beat up guards, stuff ballot boxes.

> Paper can be trusted to be fully inspectable to uninstrumented humans. 

Yes, but how useful is that if there isn't much to inspect?

> Paper can be counted independently by mutually distrusting observers. 

The voting process can be observed (and is) by mutually distrusting
observers even with e-voting. The seals are inspected by mutually
distrusting observers.  The difference is that counting isn't involved
and the process is much faster.

> Paper is physical, and is subject to the usual safety protocols. 

Which have been demonstrated to be failures.  Most of the cracks
demonstrated in http://indiaevm.org/evm_tr2010-jul29.pdf are either not
specific to e-voting (and are worse with paper ballots), or are close to
impossible to realistically carry out as they require physical access to
the inner workings of the machine *after* the commencement of voting.
Only one of the attacks was (if I recall correctly) even remotely
possible. (Disclaimer: I read the report in April, not the apparently
revised version of July 2010.  So I don't know whether they've come up
with new attacks.)

> People understand protocols and processes for physical objects.

And hundreds of millions have successfully voted with EVMs in India.

> It is possible to combine electronic and paper-based methods,
> to combine the advantages (e.g. by allowing voter receipts which 
> cannot be used as proof to third parties, but can be used to
> validate a fishy result after the fact). No such option for
> electrons.

Not quite clear about this point.  Could you elaborate on it?

>> in "developed" countries (though the infamous Hanging Chads of Florida
> 
> Paper isn't fool-proof. However, hanging chads is one of the cases
> where the problem is discovered by inspection and is understood by
> anyone. Many established paper-based methods are easy, and fool-proof.
> Don't fix what isn't broken.

Show me a system that is fool-proof and I will show you a fool who can
outwit that system.

>> could be used to argue against that), but in many developed countries
>> where problems like ballot-stuffing, booth-capturing, etc., are rampant,
> 
> You cannot fix systemic problems with hardware. You need to get
> as many people from the opposition monitoring the collection, counting
> and reporting up the chain. 

Booth-capturing happens by all parties.  However, because of the limits
to the number of votes that can be cast per minute on an EVM, the
benefits of booth-capturing are diminished vastly.  Thus, in this case,
a little bit of technology helps vastly.  The alternative proposals I've
heard (from people like Arun Mehta who believe paper ballots are better
and distrust EVMs) involve (what I believe are) extremely complicated
processes.

[snip]
> make the ballot boxes out of transparent plastic, without a lid so can
> only be cut open. I would have long-distance video of the ballots going
> into the box, and along the slit through which the ballots enter I would
> have an array of LEDs facing an array of photodiodes, feeding
> information to a chip that time stamps it. Nobody would be able to fake
> the long-distance video and the information the chip provides in a
> manner that agrees. 
[/snip]

>> the cracks against EVMs *might* (depending on the design of the EVM) be
> 
> How do you even know an attack has occurred? People don't understand
> cryptographic protocols, and attacks against such, which are completely
> transparent to nonexperts. It is not obvious to a nonexpert who
> is an expert and not, so why not eliminate that problem right
> from the start.

I support an open audit of the software.  Security by obscurity is no
answer.  And then additional processes need to be introduced.  Not to
ensure that attacks can't occur.  Nothing can ensure that.  But to
ensure that 0) a very simple machine is used; 1) silent attacks (at the
factory stage, etc.) are meaningless (by introducing variables that
can't be known that far in advance); 2) corrupt officials at any one
level (whether at the top, or the bottom) in the hierarchy can't
independently influence the performance of the machine; 3) there are
machine-level safeguards (limits on votes per minute, etc.) which can be
physically checked easily enough by independent/multi-party observers;
4) redundant verifiability is built in (paper trail), just in case.

>> more difficult to carry out than against paper ballots.
> 
> The more I know about computers, the less I trust computers.
> Don't allow electronic voting machines, if you don't want your
> votes to be stolen, even without anyone being the wiser. 
> 
> Just don't.

I am highly distrustful of EVMs in the US, Germany, Netherlands, as they
have well-demonstrated failures.  I find the paper on the failures of
the Indian EVMs to be very weak.  Ed Felten, Bruce Schneier, etc., who
featured it, don't analyse it in detail.  My conclusion is that the
Indian EVMs are much better designed than other EVMs and are better
suited to Indian elections than paper ballots.

