
RE: Report Finds Risks in Internet Voting by Americans Overseas



You're right on, Neal.  The section of the report they refer to is worth
reading.  It says, ...

1.3 Why security for Internet voting is far more difficult than for
e-Commerce

Many people mistakenly assume that since they can safely conduct commercial
transactions over the Internet, that they also can safely vote over the
Internet. First, they usually underestimate the hazards of online financial
transactions, and are unaware of many of the risks they take even if they
are careful to deal only with "secure" web sites through the SSL protocol.
But they also assume that voting is comparable somehow to an online
financial transaction, whereas in fact security for Internet voting is far
more difficult than security for e-commerce. There are three reasons for
this: the high stakes, the inability to recover from failures, and important
structural differences between the requirements for elections and
e-commerce.

First, high security is essential to elections. Democracy relies on broad
confidence in the integrity of our elections, so the stakes are enormous. We
simply cannot afford to get this wrong. Consequently, voting requires a
higher level of security than e-commerce. Though we know how to build
electronic commerce systems with acceptable security, e-commerce grade
security is not good enough for public elections.

Second, securing Internet voting is structurally different from -- and
fundamentally more challenging than -- securing e-commerce. For instance, it is
not a security failure if your spouse uses your credit card with your
consent; it is routine to delegate the authority to make financial
transactions. But it is a security failure if your spouse can vote on your
behalf, even with your consent; the right to vote is not transferable, and
must not be delegated, sold, traded or given away. Another distinction
between voting and e-commerce is that while a denial of service attack on
e-commerce transactions may mean that business is lost or postponed, it does
not de-legitimize the other transactions that were unaffected. However, in
an election, a denial of service attack can result in irreversible voter
disenfranchisement and, depending on the severity of the attack, the
legitimacy of the entire election might be compromised.

Third, the special anonymity requirements of public elections make it hard
to detect, let alone recover from, security failures of an Internet voting
system, while in e-commerce detection and recovery is much easier because
e-commerce is not anonymous. In a commercial setting, people can detect most
errors and fraud by cross-checking bills, statements, and receipts; and when
a problem is detected, it is possible to recover (at least partially)
through refunds, insurance, tax deductions, or legal action. In contrast,
voting systems must not provide receipts, because they would violate
anonymity and would enable vote buying and vote coercion or intimidation.
Yet, even though a voting system cannot issue receipts indicating how people
voted, it is still vital for the system to be transparent enough that each
voter has confidence that his or her individual vote is properly captured
and counted, and more generally, that everyone else's is also.  There are no
such requirements for e-commerce systems. In general, designing an Internet
voting system that can detect and correct any kind of vote fraud, without
issuing voters receipts for how they voted, and without risking vote privacy
by associating voters with their votes, is a deep and complex security
problem that has no analog in the e-commerce world. For these reasons, the
existence of technology to provide adequate security for Internet commerce
does not imply that Internet voting can be made safe.


------------------------
Al Kolwicz
CAMBER - Citizens for Accurate Mail Ballot Election Results
2867 Tincup Circle    Boulder, CO 80305
303-494-1540
AlKolwicz@xxxxxxxxx 
www.users.qwest.net/~alkolwicz 

-----Original Message-----
From: Neal McBurnett [mailto:neal@xxxxxxxxxxxxxxxxx] 
Sent: Saturday, January 24, 2004 9:40 AM
To: bcv@xxxxxxxxxxx
Subject: Re: Report Finds Risks in Internet Voting by Americans Overseas

I think this quote from the New York Times article at

 http://www.nytimes.com/2004/01/21/technology/23CND-INTE.html

gets to the heart of this matter, and of the DRE issues, and of the
broader issues that we are now working on:

 The dual requirements of authentication and anonymity make voting
 very different from most online purchases, they wrote, and failures
 and fraud are covered by Internet merchants and credit card
 companies. "How do we recover if an election is compromised?" they
 wrote.

All the comparisons to e-commerce and ATM machines etc. are off the
mark because voting has to be anonymous and vote buying must be
prevented.  Voting has a unique set of requirements, and we must
respond with a mind set that does not fall back on flawed analogies.

Neal McBurnett                 http://bcn.boulder.co.us/~neal/
Signed and/or sealed mail encouraged.  GPG/PGP Keyid: 2C9EBA60

On Fri, Jan 23, 2004 at 11:24:52PM -0700, Paul Walmsley wrote:
> On Fri, 23 Jan 2004, Tiger, Paul wrote:
> > Report Finds Risks in Internet Voting by Americans Overseas
> Here's the report itself that the article refers to:
>     http://www.servesecurityreport.org/