[Fsfe-ie] perspective on e-voting

Fergal Daly fergal at esatclear.ie
Wed Mar 3 11:49:43 CET 2004


On Wed, Mar 03, 2004 at 03:28:52AM -0000, Niall Douglas wrote:
> > Fair enough. I assumed they'd be more expensive. Still doesn't change
> > the fact that when you look at the circuit board all you can see is a
> > plastic package and that there's no non-destructive way of finding out
> > if you've really, really got a genuine xyz military hardened
> > processor or just something pretending to be one.
> 
> x86 processors are /vastly/ more complex than they need to be because 
> of the legacy requirements. Really they're a RISC CPU nowadays with a 
> translation front-end converting the x86 into RISC ops. However that 
> said, there is a huge scale of economy in x86 chips only ARM could 
> probably come close to - hence me suggesting the Atmel.

Thank you, I know what modern x86s do and why they're cheap, hence my
impression that it would be cheaper than a specialised processor.

Again, it doesn't matter in the slightest whether the chip is hardened or
commodity, cheap or expensive or anything else, it will still be easy to
replace it with a rigged look-alike.

> I think you're thinking too much in how it could be compromised on a 
> technical level whilst ignoring the feedback effects of a compromise. 
> Voting is not like a bank vault where if you break it you win 
> outright - at best, you get four years or so of power. In reality, 
> many factors can play to make your term much shorter and certainly if 
> it emerged that an election was tampered with, any sitting government 
> would have to call another election. The media simply wouldn't permit 
> otherwise.
> 
> If you look at the US 2000 presidential elections which were almost 
> certainly rigged, nevertheless Congress allocated quite a lot of 
> money to replace the voting equipment despite the major spending 
> cutbacks of the Bush administration. Unfortunately that's gone on 
> Diebold voting machines which make the Irish voting machines look 
> fantastic, but it's a good example of the feedback system working.

This current government has a slim majority and they have gutted the Freedom
of Information Act despite public and media outcry. They are probably about
to fundamentally change our voting system despite a completely united
opposition and massive media and public discomfort. Once you have a majority
in the Dail you can do what you like as long as it's constitutional and in 5
years that covers a hell of a lot of bad stuff. There is no "congress" which
will come to the rescue. The closest thing is the Seanad which can only
delay legislation, it cannot stop it.

> > You've gone way outside the requirements for a voting machine here. I
> > agree with you that a practically tamper proof machine is possible,
> > however we are talking about machines which will spend 364 days a year
> > switched off in a warehouse in the back of beyond and then they'll
> > spend a full day in an unfriendly environment being used in private by
> > punters.
> 
> What's important is not that the machines are tamper proof - it's 
> that they're *fairly* tamper proof, enough that people trust them and 
> the process. If they emerge to not be so (and there's plenty of 
> journalists sniffing around here never mind whistleblowers), there 
> will be substantial feedback from the public to improve the system. 
> Which means politicians get to give more wads of cash to their 
> friends and thus everyone is happy.

"Fairly" is not enough. The stakes are very high, high enough that someone
could decide to invest quite a chunk of money into winning. Finding
tampering after the fact is a disaster, it's possible that laws would be
unmade, tax "uncollected" and criminals "unconvicted" and it totally
undermines the credibility of any future system.

There is only 1 improvement needed and it makes tamper proofing, open source
and everything else nice to have but not essential. Add paper. Once you have
paper, it doesn't matter how badly the machines perform whether through
tampering or through other errors the paper will not change. Paper is not
perfect of course but it's a hell of a lot harder to fiddle and the attacks
are well known and well understood by the people who are keeping guard.

Everything else is doing things the hard way.

> > One problem is that it greatly complicates vote storage and
> > anonymity. I can't see it ever being accepted because most people
> > want to know that when they cast their vote it's done and nothing can
> > undo it.
> 
> I did say peer to peer and distributed - therefore there is no 
> central server apart from the trust delegator (which says which 
> phones can vote and which can't). Anonymity is easy to implement in a 
> massively distributed system. And what I really like about such a 
> system is that anyone can ask their mobile what votes were cast for 
> the country and get precisely the same figures as the TV or anyone 
> else gets - obviously if they don't, one can kick up a fuss. My 
> mobile is equal to Bertie's mobile in every way in such a 
> configuration.

I don't see how distributed and peer to peer makes vote revocation and
recasting any easier. If anything it makes it harder because you could have
multiple copies of both your new and your old vote(s) floating around the
system.

The requirements for voting are unusual. In this system you must retain
anonymity without allowing multiple voting which is quite different to
Freenet for example. In the system you favour, you must combine anonymity
with the ability to cancel your old vote and vote again. Also, anonymity and
audit trails do not go well together.

While it may be theoretically possible to design this system correctly, it
would be complex, it would still require that you trust the central server
(which could wrongly deny you your right to vote or could be DOSed) and
most importantly, it would be totally incomprehensible to the vast majority
of voters, including many IT professionals.

F