The limits of Democracy w/o Information

Last week Secretary of the State, Denise Merrill, addressed the League of Women Voters of Northeastern Connecticut on a variety of topics. One of the items discussed was the lack of education in civics and its possible link to the lack of participation by younger voters. The two are certainly related, yet we also live in an age when, at least over the last two administrations, the Constitution has been ignored in the name of security – just when those voters have come of age.

Also, I recently read “They Know Everything About You”, which I highly recommend. This week the author, Robert Scheer, was interviewed in a seven-part series at the Real News. Part three is particularly relevant to the subject of Democracy and information available to the voters.

Too Reliable Computers: A threat to life and to democracy!

Most people are aware of the risks of unreliable computers, yet tend to be oblivious to the distinct risk of too reliable computers.  If computers were as unreliable as people, we would not be at risk of excess trust and overconfidence.

One particular anecdote from last night’s Newshour highlights the risks of computers that are too reliable, yet not perfect.  When it comes to medicine (or robotic weapons) too reliable computers can cause harm, including death.  When it comes to elections too reliable computers can kill democracy.

This week the Newshour is covering Artificial Intelligence, a subject first covered in the MacNeil/Lehrer Report in 1985, if I recall correctly. Last night’s segment was “Why We’re Teaching Computers to Diagnose Cancer”.

Here is the critical excerpt:

DR. ROBERT WACHTER: A lot of medicine kind of lives in that middle ground, where it’s really messy. And someone comes in to see me and they have a set of complaints and physical exam findings all that. And it could be — if you look it up in a computer, it could be some weird — it could be the Bubonic plague, but it probably is the flu.

HARI SREENIVASAN: Wachter is also concerned about fatal implications that can result from an over-reliance on computers. In his book, he writes about a teenage patient at his own hospital who barely survived after he was given 39 times the amount of antibiotics he should have received.

DR. ROBERT WACHTER: So, in two different cases, the computers threw up alerts on the computer screen that said, this is an overdose. But the alert for a 39-fold overdose and the alert for a 1 percent overdose looked exactly the same. And the doctors clicked out of it. The pharmacists clicked out of it. Why? Because they get thousands of alerts a day, and they have learned to just pay no attention to the alerts.

Where the people are relegated to being monitors of a computer system that’s right most of the time, the problem is, periodically, the computer system will be wrong. And the question is, are the people still engaged or are they now asleep at the switch because the computers are so good?

There are several related problems all contributing to increase the risk of too reliable computers:

  • High Reliability: Most of the time the computers are more accurate than people, especially when the people are unsure of the diagnosis or remedy.
  • Irrational Trust: The people are told and correctly believe the machine is more reliable than they are, especially when they are unsure or outside their expertise. It’s likely our nature, instilled by evolution, to trust what has proven accurate.  It’s only irrational when the trust exceeds the risk.  People are good at estimating accuracy, but not so good at intuiting the risks of lower probability events. We have biases for irrational fear and irrational trust; both can be costly, yet in different ways.
  • Mesmerization: We get jaded or used to things going a particular way and miss the details that may indicate something is different. Here it is medical staff used to seeing irrelevant or low level warnings, missing the implications of a similar significant risk.  Airline pilots, railroad engineers, drivers, doctors, and dentists among many others are subject to Mesmerization.

Another similar situation is too great a trust in vehicle electronics: either a manufacturer relying on electronics to always apply the brake or accelerator correctly when the pedal is pushed, or people trusting that car computers always work as designed and tested, with no danger of being hacked.

How does this apply by analogy to elections and too reliable voting machines?

It seems that almost everyone trusts electronic voting machines.  We are used, for the most part, to computers working when they seem to work.  When we use a spreadsheet we tend to assume it is working properly.  Yet, beyond the chance of error in the spreadsheet software, we tend to trust the formulas put into spreadsheets by people.  Even though we are flawed individuals, we tend to forget that equally flawed individuals (even ourselves) may have made a simple error in creating formulas, e.g. adding up only some of the numbers, double counting others, or making a “small, harmless” change after testing the spreadsheet.

Election officials tend to have trust in voting machines. They are told that all types of voting machines or online voting machines are created by very smart people and include certification and “military grade” security.  Yet, we are given no effective proof of those claims and typical officials are not able to judge such proofs. Officials see reports of tests and post-election audits that claim the machines are flawless, increasing their trust in the machines.  Typically if they count ballots by hand and they do not match the machine counts, they count again and usually the machine was accurate.

On the other hand, those that are familiar with election equipment, computers and computer science know:

  • No computer or software can ever be proven error free. In fact, most, even modestly complex, software is very likely to have multiple undetected bugs.
  • It has not happened often, but computers and computer systems have counted incorrectly, including in CA, FL, N.J., D.C., and Connecticut.
  • Without paper ballots and effective post-election audits there is no reason to trust that machines count accurately, or to know how often they do not.
  • Machines are programmed for each election and voting district, so errors can be introduced into the system at any time.
  • Beyond errors, insiders have multiple means of changing election results.  Often a single individual insider can change results alone or with the help or by the intimidation of outsiders.
  • A voting machine can be entirely accurate, yet its results or the total result can be changed independently of the voting machine.  Unless the results are audited end-to-end or in each step of the process, the result cannot be legitimately trusted.

What about Connecticut?

  • We have post-election audits, but they are not conducted in a manner that gives justified confidence.  Errors in machine results have been detected, yet most differences between machine results and manual audits have been accepted as a human counting error without investigation.  This makes common sense since usually when results are checked the human was wrong the first time – common sense that is at least as risky and unjustified as the unjustified trust in medical artificial intelligence directives in the Newshour story above.
  • Connecticut is considering legislating Machine Audits, based on procedures to be approved by the Secretary of the State.  Common sense supports a method demonstrated by UConn and the Secretary of the State’s office and touted in a paper presented at a conference – unjustified common sense.  There is no scientific justification for the method demonstrated, and worse, every reason to believe that it would be subject to unjustified official trust in computers and mesmerization.  Professor Alex Shvartsman of UConn has agreed that the procedure is insufficient to provide public verification.

Fortunately, there is a very effective solution available.  We have proposed a sound method of Machine Assisted Audits based on proven scientific methods.  Using Machine Assisted Audits in an effective manner could result in more accurate, trusted audits at less cost and stress to local election officials. If machine audits become law, we will work to insist that effective, transparent, and publicly verifiable procedures are employed. (Still, we would much prefer a law that mandated sufficient requirements now, that could not be weakened by a future Secretary of the State) <read more in our comments on the bill before the Connecticut General Assembly>

Non-Science: “What you know for sure that just ain’t so.”

“It ain’t what you don’t know that gets you into trouble. It’s what you know for sure that just ain’t so.” – Mark Twain

Non-Science Nonsense is bad enough. But even worse is what we all think is true that is not.  Five examples from just the FBI and our common understanding, as articulated in The Intercept: Five Disturbing Things You Didn’t Know About Forensic “Science”

When it comes to voting, the public, election officials, and legislators believe many false facts, including:

  • Secure/safe Internet voting – no such thing yet proven, and unlikely at least for years
  • Military Level Encryption
    • There is no such official definition
    • The military has been unable to protect its networks and secrets
    • Encryption is not a panacea
  • Email/fax voting is not Internet voting
    • Email uses the Internet
    • Email is hacked all the time, and is available to the NSA, Google, ATT etc.
    • Fax uses the equivalent or the actual Internet
  • Internet banking is safe – banks lose billions each year to Internet fraud
  • Voting is the same as banking – Voting is harder to secure than banking
  • Connecticut’s Post-Election Audits have proven our scanners are always accurate
    • The audits have been conducted in a manner that would not recognize errors
    • Our scanner results have been inaccurate, audits have discovered errors
    • Fraud has been shown to be possible with our scanners at any time
  • Time to stop auditing since the scanners have been proven accurate
    • Audits of Taxes, Business, and Government will always be necessary

We can be sure there are many more that we all believe, or most of us believe.

Elections and Voting Summit Joseph Kiniry: Technical Tradeoffs

Last January I attended the annual Elections and Voting Summit.  I was most interested in a presentation by Joseph Kiniry on Technical Tradeoffs.  It is a relatively brief presentation, with some important deep ideas:  Online voting convenience vs. risks, transparent systems vs. proprietary rights, etc.

Internet Voting Roundup: At the Not-OK Corral

Texas likes to do things big.  But when it comes to Internet voting it is, as they say, “All hat and no cattle”.  As reported in Election Line: Bexar County successfully tests email ballots for military members

Under a bill approved by the Texas Legislature, in 2014 Callanen was allowed to not only email ballots to service members, but she was also able to accept voted ballots via email from military members serving in hostile fire zones.

According to a report from the secretary of state’s office, the pilot program in Bexar was a success even if the numbers were small. In the May 2014 primary the county received three ballots via email and in the November 2014 general election eight ballots were returned via email.

Service members must first sign an affidavit confirming that they are indeed in a hostile fire zone. Then they are assigned a one-time use secure email address, are sent their ballot, allowed to vote it and return it to the county.

Three ballots, eight ballots: a pretty slim test and not much success to fill much of a hat.  We point out that there is not much to a “secure email address” unless those service members use some very, very strong and difficult encryption methods along with the county.  Others wonder how that email address was sent to those service members – was it through some secure email address developed by the service member? Perhaps they could help out Sony, whose email was allegedly hacked by North Korea, with those same emails provided for all to see at Wikileaks. We wonder how much such security cost to develop or purchase – we will learn this a bit later.

“It took a lot of push and shove,” Callanen said “[Because] the presumption was that it was so close to Internet voting. We had to make sure it was absolutely secure.”

That seems to be a pretty common error – that emails are somehow sent without the Internet or somehow do not constitute Internet voting.  Emails use the Internet and if anything are less secure than online voting.  Perhaps because, in addition to compromise in transit, they are easily, and often must be, seen by people – local election officials:

The county has a dedicated computer set up in the tabulation room to receive the ballots. Only three people in the office, all who have also signed sworn affidavits, including Callanen, have access to the computer. Once received, the ballot is remade onto an optical scan ballot, put in a secrecy envelope and treated like any other ballot.

And apparently that “secure email” came at very little cost and effort:

“We did this on a thin dime,” Callanen said. “Sure it takes some time to have the computer people set up the emails, but we’ve gone from mailing thousands of ballots to emailing them.”

We can be sure it works because they did an apparently confidential (secure?) survey that proved how wonderful it was.  They actually claim about a 1400% response rate from the small base of users, supposedly in combat zones:

Following the elections, Callanen surveyed the service members using Survey Monkey to find out how they felt about the process and got back more responses to the survey — 117 — than they did ballots.

“The general response was that it’s wonderful,” Callanen said. “I wish you could see the raw, unedited comments we got.”

Obviously they did not use a secure email to send the survey to the actual users.

Meanwhile, just how secure is Internet/Email voting?  Some good and not so good news from McClatchyDC: As states warm to online voting, experts warn of trouble ahead

The not so good news and some good news:

A Pentagon official sat before a committee of the Washington State Legislature in January and declared that the U.S. military supported a bill that would allow voters in the state to cast election ballots via email or fax without having to certify their identities.

Military liaison Mark San Souci’s brief testimony was stunning because it directly contradicted the Pentagon’s previously stated position on online voting:

It’s against it.

Along with Congress, the Defense Department has heeded warnings over the past decade from cybersecurity experts that no Internet voting system can effectively block hackers from tampering with election results.

And email and fax transmissions are the most vulnerable of all, according to experts, including officials at the National Institute of Standards and Technology, which is part of the Commerce Department.

San Souci declined to comment. A Pentagon spokesman, Lt. Cmdr. Nathan Christensen, said the Defense Department “does not advocate for the electronic transmission of any voted ballot, whether it be by fax, email or via the Internet.”

The Washington state legislation is dead for this year. But the episode provides a window into how the voting industry, with an occasional boost from the Pentagon, is succeeding in selling state and local officials on the new technology, despite predictions of likely security breaches.

It’s also put state lawmakers and election officials at odds with their counterparts in the other Washington: the nation’s capital…

Susannah Goodman, director of a voting integrity project for the citizens’ lobby Common Cause, worries that many state officials lack the technical expertise to avoid being manipulated by the vendors.

“I’ve seen the vendors characterize their products as being secure when the most prominent cybersecurity experts in the country will tell you they’re not,” she said. “The state legislators and the election officials are only hearing from one side. . . . That’s putting our democracy at risk.”

For example, election officials in Washington’s Pierce and King counties, which include the Tacoma and Seattle metro areas, offer voters the option of faxing or emailing ballots. They said the process was not online voting – even though emails travel over the Internet.

We always tend to side with science and the best independent expert analysis, and tend to be skeptical of vendors seeking profit and officials looking for the easy way to look good.

S.B. 1051: Too much, too little, too risky

Last week the Government Administration and Elections Committee passed a modified version of S.B. 1051, hailed by the Secretary of the State and ROVAC (Registrars Of Voters Association of Connecticut) as a ‘bipartisan’ compromise.

Yet, all the compromising seems to be the agreement of election officials on a bill that would make registrars’ jobs easier while adding largely undefined and unchecked powers for the current and future Secretaries of the State.

Two members of the Republican minority voted against the bill primarily because it would give the Secretary sole authority to decide to temporarily remove registrars from office for any complaint filed by the Secretary or failing to maintain certification. We agree it goes too far in that provision.  It should and does provide a more objective means for permanently removing registrars.  We fail to see where a provision for the Secretary to temporarily remove registrars would have solved the recent problems noticed in the heat of election days. If that were the only weak and risky provision we might be able to live with the bill and some of its helpful provisions.

We are all in favor of effective training, certification, and fair procedures for removing registrars from office.  The bill has what we suspect will turn out to be relatively weak certification requirements and an alternate procedure for removal by charges from the state’s attorney and any superior court judge.  Even that seems to be a bit weak, requiring only a single judge to rule on removing an elected official from office. Consider:

  • There is an ‘advisory’ committee to create certification.  In the existing law, never implemented, the committee was not advisory.  Now the current or future Secretary of the State approves the certification program.
  • The committee consists of six members, five appointed by the Secretary.
  • Decertifying a registrar does take concurrence of a majority of the committee.
  • Strengthening the existing law, sitting registrars must be certified within two years of taking office, except that, perhaps unintended, the law requires registrars who are appointed to fill the remainder of two-year terms to complete certification by the end of the term.
  • We can hope that the actual certification, examination, and continuing education result in relevant, meaningful requirements.

We support professionalization.  Certification in election matters is only part of that.  Additional skills, education, and experience also play a part. We are skeptical that, without increased compensation, many highly skilled, organized, and experienced individuals will be attracted to the jobs in small towns.  We wonder how much certification would have prevented the problems seen in recent years in Hartford, West Hartford, and Bridgeport. We support professionalization through regionalization.  That might be the result of another bill passed by the committee, S.B. 1083.

There are other risky, insufficiently defined provisions in the bill associated with closing of the polls and reporting results:

  • One requires quicker reporting of partial results “Once completed, the vote totals produced by the tabulator shall be prepared for transmission to the Secretary of the State”.
  • This is ambiguous.  Yet, according to the Secretary’s testimony on the bill, it seems that the intention is to transmit the results from optical scanners to the central GEMS system for automated calculation of results.
  • To connect our optical scanners to the GEMS requires reversing longstanding security policy implemented by the Bysiewicz administration to keep the scanners sealed from communication that risks infecting the scanners with fraudulent code.
  • We add that the GEMS system is no gem.  It figured prominently in the reporting errors discovered in the Humboldt Project.  We also recall Bev Harris demonstrating to Howard Dean how easy it would be for him to change election results on the GEMS, undetected.
  • Maybe it will turn out OK.  Once again, we are left to hope that in the end, this Secretary and all future secretaries work to maintain security of the scanners, memory cards, and their programming.

Further, the bill gives officials 48 hours after the election to report the rest of the results: hand counted ballots, write-in ballots, and for checkers to sign the pollbooks.

  • We are all for giving officials time to get things right, especially in situations like Bridgeport in 2010 where there are huge numbers of unexpected ballots to count by hand.  We wish the media could hold off the pressure for “results, any results”.
  • Yet, these changes seem to lack any security and transparency requirements.  If counting is stopped to continue later, we need convincing, sufficient, enforceable, and enforced security for ballots and checkin lists. We need formal requirements for notification of the public of when counting will resume.
  • When it comes to checkin lists, we see no point in not having checkers total and sign the lists at the polling place on election night, except if they are using electronic pollbooks and the lists are not printed until later by someone else. In that case we see no good reason to have them sign printed paper lists that they have not created, from a system they do not understand, and have not held in custody.  Perhaps they or the polling place moderator should have a form to record the number of voters the machine reports as having checked in – signed and submitted on election night.

Finally, we come to electronic auditing.  The bill has this provision near the end:

Notwithstanding any provision of title 9 of the general statutes, the Secretary of the State, in consultation and coordination with The University of Connecticut, may authorize the use of electronic equipment for the purpose of conducting any audit required pursuant to section-320f of the general statutes, as amended by this act, for any primary or general election held on or after January 1, 2016, provided (1) the Secretary of the State prescribes specifications for (A) the testing, set-up and operation of such equipment, and (B) the training of election officials in the use of such equipment; and (2) the Secretary of the State and The University of Connecticut agree that such equipment is sufficient in quantity to accommodate the total number of audits to be conducted. Nothing in this section shall preclude any candidate or elector from seeking additional remedies pursuant to chapter 149 of the general statutes as a result of any information revealed by such process.

As readers of CTVotersCount know, we have long been supporters of machine assisted auditing.  We are here left to hope that the Secretary and UConn do the right thing i.e. support a method of auditing that is transparent and meets the requirements of evidence based elections, such that the public can verify the results of the audit without depending on officials.  How is that possible? It has been outlined by three leading experts in the field of election auditing and prototyped in CA and CO.

In fact, we provided a bill which included a provision for safe machine assisted auditing this year, S.B. 1041. Even though that bill received wide support and no opposition in testimony, it did not move forward.

If S.B. 1051 moves forward in its current form we are left to hope that the Secretary and UConn will use its provisions to provide safe verifiable auditing.  Yet we are left with the concern that they might not, and that some future Secretary and some future UConn scientist or UConn leader might collude to disregard science to provide some all but useless, untrustworthy version of electronic “black-box” auditing.

Bill to study regionalization of elections moves forward

Last week the Government Administration and Elections Committee (GAE) passed a modified version of S.B. 1083 out of committee. It would empower a task force to study regionalization of election administration. Earlier we testified in favor of the bill, pointing to the possible benefits of such a task force.

No bill is perfect and all are subject to modification before passage by the General Assembly.  In this case we would be pleased if the bill passed in its current form.  However, we believe that the time frame for the task force completion before the next legislative session is too constraining.  We suggest it be extended for a year.

UK Considers risky online voting…Safe enough for democracy?

Guardian article, apparently titled by an editor who trusts MPs’ opinions more than scientists and experience: Why electronic voting isn’t secure – but may be safe enough

Safe enough, not for democracy. The link to the article says it better: “Why Electronic Voting is NOT SECURE”.

From the Article:

The UK has run trials for local elections before – in 2002, 2003 and 2007 – and Estonia famously became the first to offer online voting for its general election for parliament in 2007.

However, Meg Hillier, Labour MP and member of the digital commission that wrote the 2020 report, admitted that the team was “not set up to investigate in detail the issues of security and the mechanisms for delivering that,” hoping that the Electoral Commission “and others will take that on”…

The MPs debating that report all accepted that e-voting security was a concern, but believe the challenges are outweighed by the benefits.

Campaign group WebRoots Democracy laid out the argument for online votes in its own report, claiming two thirds of respondents to a survey would be more likely to vote if they could do so online, and that’s particularly true for younger voters.

Plus, the report claimed online voting would cut the cost per vote by a third to £2.59 and reduce the number of accidentally spoiled ballots.

Those same promises have been made before, each time the UK has previously trialled the idea. In 2002, five city councils let voters cast a ballot by home internet, text message and “kiosk”; in 2003, that was expanded to 14 councils.

Turnout increased by an average 4.9 points, but varied widely, with South Tyneside leaping by 20 percentage points and Vale Royal sliding by two points.

Following the 2003 elections, a report by the BBC showed e-voting “failed to make much of an impact”. Voters were given a ballot number and a PIN, but there were issues with technology – in St Albans, PCs in polling booths had connectivity issues and had to be abandoned for paper ballots…

All of the potential benefits are moot if we can’t trust the result, but so far there haven’t been any attacks against e-voting systems – or at least none we’re aware of.

As a report into e-voting in Switzerland from Harvard’s cyber law department pointed out, the digital option has remained poorly used by the electorate.

“It is reasonable to assume, however, that the systems will be exposed to higher numbers of attempted attacks and manipulation as the use of e-voting becomes more widespread,” the report noted.

If the government does press forward with e-voting trials, as it appears set to do, it needs to get some experts in, Anderson said – and there’s one Green politician who knows the issue inside and out.

Despite spending years developing GNU.FREE, a free online voting system, Jason Kitcat – leader of Brighton and Hove City Council – isn’t a fan of e-voting (nor is his party).

“Through working on this I came to the conclusion, now shared by most computer scientists, that e-voting cannot be delivered securely and reliably with current technology. So I stopped developing the system but continued to campaign on and research the issues,” he said…

“When I and colleagues have monitored trials we have always observed serious flaws in the security and reliability of the systems used,” he said. “Yes, we have found problems every single time, and we have documented these at great length in peer-reviewed articles.”

Kitcat argued there are three requirements for robust political elections: security, anonymity and verifiability. “Meeting those three requirements is a very difficult problem quite unlike other transactions,” he said….

“Online banking suffers problems but refunds are possible after checking your bank statement. You can’t ‘refund’ a vote and ‘vote statements’ can’t be provided to check your vote was correctly recorded as that would enable vote selling and coercion.”

All that paper in standard ballots may seem old fashioned, but it leaves a trail that votes cast from PCs and phones don’t, agreed other experts. “There’s a fundamental conflict between verification and keeping votes anonymous,” said Jim Killock, executive director of the Open Rights Group. “Paper ballots do this very neatly but computers find this hard because they leave audit trails.”

Voting away from polls raises the spectre of vote manipulation, explained Ross Anderson, a computer security professor at the University of Cambridge.

“When you move from voting in person to voting at home (whether by post, by phone or over the internet) it vastly expands the scope for vote buying and coercion, and we’ve seen this rising steadily in the UK since the 2001 election where postal votes first became a right,” he said. “All the parties have been caught hustling up the vote in various ways.”…

“Internet voting is frankly scary,” he said. “When security experts looked at the Estonia election, they were shocked at how easy it was to defraud the system and steal votes … We shouldn’t gamble with democracy.”

Lack of transparency is another major security issue – especially if the data collection, analysis and storage happens in IT systems that aren’t fully transparent or are difficult to understand.

New South Wales wails: Researchers find flaws in Internet voting system

New South Wales, Australia is holding an election with a significant number of online votes.  Researchers point out several concerns:

  • Votes could have been easily changed with nobody the wiser.
  • The touted user verification has its own flaws.
  • The system was taken down to fix (correct) the ballot.
  • The source code is not disclosed, so there is no means to assess its vulnerabilities.

Read the summary report and the researchers’ reply to the response and criticisms from New South Wales officials <read>

As the summary concludes, this is not the first time flaws and risks have been exposed in Internet voting schemes:

The vulnerability to the FREAK attack [name for the particular attack mechanism demonstrated] illustrates once again why Internet Voting is hard to do securely. The system has been in development for years, but FREAK was announced only a couple of weeks before the election. Perhaps there wasn’t time to thoroughly retest the iVote system for exposure. We can bet that there are one or more major HTTPS vulnerabilities waiting to be discovered (and perhaps already known to sophisticated attackers). Verification is a vital safeguard against such unknown problems, but at best it detects problems rather than preventing them.

To election security researchers, these problems aren’t surprising. We’ve already seen dire security problems with Internet voting in Estonia and Washington, D.C. Securing Internet voting requires solving some of the hardest problems in computer security, and even the smallest mistakes can undermine the integrity of the election result. That’s why most experts agree that Internet voting cannot be adequately secured with current technology.