Prof. Ron Rivest, MIT: Military/Overseas Internet Voting Risks and Rewards

Yesterday, MIT Professor Ronald L. Rivest provided his analysis of Internet voting for military and overseas voters. The talk centered on the balance between risks and rewards of using Internet voting vs. paper ballots for military and overseas voting. You will find many of Ron’s slides entertaining, some a bit technical, yet all serious. The conclusions are straightforward and convincing:

“The risks of “internet voting” more than negate any possible benefits from an increase in franchise.”

Yesterday, MIT Professor Ronald L. Rivest provided his analysis of Internet voting for military and overseas voters in an entertaining and occasionally technical slide presentation at the UOCAVA Workshop on Remote Voting Systems, in Washington, D.C. <View>

Professor Rivest is a security expert, the ‘R’ in RSA Security, and 2002 winner of the Turing Award, the highest honor in computing.  When Ron talks security, everyone including legislators and election officials should listen carefully.

The talk centered on the balance between risks and rewards of using Internet voting vs. paper ballots for military and overseas voting. You will find many of Ron’s slides entertaining, some a bit technical, yet all serious. The conclusions are straightforward and convincing. Some of the highlights are below; view the presentation for the details and graphics:

Evaluation Criteria:

  • Availability and usability
  • Cost
  • Staffing requirements
  • Security and auditability

Rivest points out that paper-based absentee voting and mail-in voting are already risky, and recommends that such voting be limited in order to limit the overall election risk:

  • Unsupervised remote voting vulnerable to vote-selling, bribery, and coercion.
  • Communication with voter, and transmission of ballots, may be unreliable/manipulable.
  • believe remote voting should be allowed:
    • only as needed
    • for at most 5% of voters
  • UOCAVA voting meets these criteria.

The risks to democracy:

If adversary determines election outcome,
all voters are disenfranchised!

We no longer have a democracy in action…

What is “loss” when election is stolen?
Just the 100% loss of franchise?

Let’s add an additional Hall of Shame Factor (HOSF), for stolen elections. (Not only shame, but if elections are (or could be) stolen, voters may get cynical and not vote again!)

Will Adversary attack voting system?

  • Is the Pope Catholic?
  • Will someone pick up $20 left on sidewalk?
  • There is nothing to deter attacker – Adv can attack anonymously over the Internet until he succeeds.
  • Do you know of any computer systems that have never been attacked?
  • Prob(Adv will attack voting system) = 100%

Internet voting has additional security problems

  • Platform insecurity (both client and server)
  • Network insecurity
  • Set of attackers enlarged from:
    • just those who can touch paper ballots, to
    • anyone on the planet with a computer
  • Attacks can be automated, executed on a massive scale, and done so anonymously

Will they succeed?

  • Large institutions (banks, Google) are successfully attacked all the time. They have much better staff and budgets!
  • Bob Morris (NSA) said: “You will always underestimate the effort the enemy will make to break your system.”…

Who has more IT capability – your local election IT staff or the Chinese?…

  • We do not currently have the technology to make internet voting secure (and may never).
  • We can’t make such technology appear by wishful thinking, just trying hard, making analogies with other fields, or running pilots.
  • It is imprudent (irresponsible?) to assume that determined effort by adversaries can’t defeat security objectives of internet voting.

Risk Assessment Conclusion:

  • Based on this risk assessment, we expect Internet voting for UOCAVA voter to disenfranchise many more voters than it would franchise.
  • The apparent gains in franchise for internet voting are misleading and illusory—the apparent gains are more than cancelled by the risks.
  • Argument is robust — conclusion remains the same even if numbers are varied significantly. In addition, there may be a DDOS attack with probability near 100%.

Summary:

  • Remote voting is trade-off between franchise and risk.
  • The risks of “internet voting” more than negate any possible benefits from an increase in franchise.

Faith in Technology: Drilling, Driving, and Voting

“Deep anxiety aroused by the deaths in the water and on the interstates is calmed by the ameliorating belief that technology will save us, and if not now, soon. After all, the promise of technology is in the better life to come.”

Food for thought. As states and voters consider Internet for voting, based on faith in vendors that say it works, and ignoring the vast majority of independent technologists and studies that say it is unproven and risky, we point to this cautionary tale: Why Do We Worship at the Altar of Technology? <read>

If there is one true religion in the US, it leads us to worship at the altar of technology. Christian or Jew, Muslim or atheist, we accept the doctrine of this shared faith: that technology provides the main path to improving our lives and that if it occasionally fails, even catastrophically, it will just take another technology to make it all better. It is this doctrine that connects BP’s Deepwater Horizon and Toyota’s sudden acceleration debacles – and the responses to them…

Of course, corporations don’t see this as their first mission, operating as they do on cost containment and profit maximisation, not cutting-edge technology as an end in itself. But their customer base has been convinced that each time they buy a new car, they are buying the future and lucky that the world’s smartest geologists and engineers are helping fuel their experience of it. Never mind that the technology they are largely buying is media and telecom gadgetry

As the article points out, oil and automobiles are linked by more than technology. The analogy to voting also breaks down in another way: when it comes to voting technology, vendor profit maximization is directly linked to the technology.

Our response to BP and Toyota’s failures expose the danger in our faith. Deep anxiety aroused by the deaths in the water and on the interstates is calmed by the ameliorating belief that technology will save us, and if not now, soon. After all, the promise of technology is in the better life to come.

Recall the Help America Vote Act (HAVA) designed to use technology to save us from the alleged problems with punch-cards and lever machines, yet effectively providing us with new expensive voting equipment left vulnerable to the same risks as our previous voting systems, error and fraud.

In fact, like oil and automobiles, the problem with voting is not the technology. The problem is believing that technology itself is the source of the problems, the only necessary component of a solution, and fervent faith that the proposed next technology is the solution.

[We cannot help but point out the related natural human tendency to avoid responsibility. We seldom read that a driver drove off the road, into a house, or a tree.  It seems it was almost always the car that went off the road.]

Court Allows UConn/Dr. Shvartsman Test Of Nassau County, NY Voting Machines

Over the objections of the NY Board of Elections, The Supreme Court of the State of New York Nassau County, ordered the testing of voting machines by the University of Connecticut and Dr. Alex Shvartsman.

Courthouse News Service <read>

A state Supreme Court judge ordered that the New York Board of Elections submit the electronic voting machines it approved for the September primaries to a testing facility in Connecticut. Nassau County and its Republican and Democratic Elections Commissioners claimed that the machine at issue, the ES&S DS-200, malfunctioned in Florida during the 2008 presidential elections.

The Court Order <read>

The petitioners seek to be able to continue using lever as opposed to electronic voting machines.  The petitioners challenge the New York Elections and Modernization Act, the legality of the manner in which the New York State Board of Elections (“NYSBOE”) has implemented it…

The petitioners seek an order expressly authorizing their experts to conduct testing…at their Connecticut facility.

The petitioners claim that the new machines proposed by the state are “gravely flawed and subject to technical malfunction and deliberate distortion and manipulation”

See the end of page 2 and the beginning of page 3 of the court order for the details on the UConn testing order.

Dr. Shvartsman’s testimony <read>

Opinion: Dr. Shvartsman has done excellent work in testing voting machines for the State of Connecticut; Nassau County has made a good choice of testing facilities.  We agree that all computer systems are vulnerable; however, so are lever machines. We like voter-created paper ballots with public counting by optical scanner, followed by strong independent audits. It is about the only reasonable, safe voting system available, with or without the Help America Vote Act (HAVA).

CA Prop 14: Unsafe at any but greed?

Winsted, Connecticut native Ralph Nader tells us why Prop 14 is good for big business and unhealthy for democracy. We place the misguided voter support of Prop 14 on our “list of good sounding ideas for fighting the last election”.

Winsted, Connecticut native Ralph Nader tells why Prop 14 is good for big business and unhealthy for democracy <read>

Big Business interests shamelessly dealt our already depleted democracy a devastating blow by misleading California voters into approving Proposition 14, without their opponents being able to reach the people with rebuttals. This voter initiative provides that the November elections in that state for members of Congress and state elective offices are reserved only for the top two vote-garnering candidates in the June primary.

There are no longer any party primaries per se, only one open primary. Voters can vote for any candidate on the ballot for any office. Presidential candidates are still under the old system.

Since the two major parties are the wealthiest and have the power of incumbency and favored rules, the “top two” as this “deform” is called, will either be a Republican and a Democrat or, in gerrymandered districts, two Republicans or two Democrats.

Goodbye to voter choices for smaller third party and independent candidates on the ballot in November who otherwise would qualify, with adequate signature petitions, for the ballot. Goodbye to new ideas, different agendas, candidates and campaign practices. The two Party tyranny is now entrenched in California to serve the barons of big business who outspent their opponents twenty to one for tv and radio ads and other publicity.

To seal this voter incarceration by the two-party duopoly, Proposition 14 decreed that even write-in votes in November by contrarian citizens could no longer be counted.

We are not from California and cannot vouch for the details leading to the passage of Prop 14 as articulated by Mr. Nader.  However, we can add to his arguments our vision of the dilemma facing the intelligent voter on primary day. Faced with five, ten, or thirty candidates for an office, who do you vote for: your favorite, or one you think might have a chance at being in the top two, one that might be more acceptable than others the polls say have a chance? It is just another, perhaps more complex crap shoot.

Nader goes on to articulate the inaccurate information given to voters about the proposition.  And in a side note points to one of the concerns some candidates have with mail-in voting:

The final vote was 53.7% for and 46.3% against. The pro side advertisements, distorted as they were, reached millions of more voters than did the penurious opposition.

Curiously, if the by-mail voters were taken out of the equation, more voters who went to the polls on election day voted against Prop 14 (52%) than for it (48%). Winger suggests this difference may reflect the fact that election day voters benefited from the fuller public discussion of the Proposition 14, including its negatives, in the two weeks before election day.

We attribute much of the misguided voter support of Prop 14 to its place on our “list of good sounding ideas for fighting the last election”.  That is, the list of ideas that sound like they would have cured a recent disappointing result, yet are in reality just a different set of dice for a future crap shoot, with the baggage of unintended consequences.

Update: Thanks to VotingNews we have this link to an analysis by a mathematics professor who calls Proposition 14 a Primary Jungle: <read>

This seems reasonable, and a “jungle primary” certainly sounds exciting. But in judging an election system, you must ask how well the system will produce a true societal choice. By that measure, the jungle primary has serious drawbacks…

These are not theoretical concerns.

France’s 2002 presidential election used a system similar to the jungle primary. Because there was a large number of left-wing candidates in the initial round of voting, the unpopular incumbent, Jacques Chirac, and the extremely right-wing Jean-Marie Le Pen led in the polls. Each was supported by fewer than one-fifth of the voters, but that was enough to make them the only two candidates in the final round. There was widespread dissatisfaction with these choices, and slogans such as “vote with a clothespin on your nose” appeared.

Every election system has drawbacks. Because the jungle primary system can prevent large portions of voters from having an acceptable choice in a general election and can determine a winner by something other than voters’ decisions, it seems inferior to the system it replaces and to a traditional open primary. Hopefully, California will discard the top-two primary system and consider different and better options.

Who are you going to believe? Scientists or Vendors?

“Enter online voting vendors looking to break into the market on the backs of these two groups. They ride in to save the day with big promises and high-tech solutions. Security becomes little more than sale pitch, like shiny chrome or electronic gadgetry in a new car. ‘You want security – we got security.’…Vendors need to stand in the corner with bankers and oil companies. Just whose elections are these anyway?”

Dan McCrea spells it out on the Huffington Post: Online Voting: All That Glitters Is Not Gold (Unless You’re a Vendor) <read>.  To their credit Huffington Post published McCrea’s article, countering a recent vendor puff piece they ran:

Voting over the internet seems like a cool idea whose time has come. But, it depends on who’s doing the talking.

A computer scientist friend calls it whack-a-mole, the way online voting pitchmen keep popping up to announce they’ve fixed security problems and voting over the internet is now secure. You look at their plans and find they’re as full of holes as ever.

You knock down one story and another pops up. Whack – it’s back. Whack. It’s back again. The latest was here on Huffington Post last week, in Sheila Shayon’s seemingly-harmless puff piece for the online voting vendor, Scytl, “Digital Democracy: Scytl, MySociety Secure Funding.”

Ms. Shayon blithely pitched Scytl’s “secure solutions for electoral modernization” and the news that Scytl had closed on a $9.2m investment, “led by Balderton Capital, one of Europe’s largest venture capital investors.” They estimate the online voting market at $1.5 billion. Rival vendor, Everyone Counts, estimates the market at $16 billion over the next five years.

Calling it safe does not make it safe.  Using the challenges facing those we would like to help vote, does not mean it would actually be a good idea:

But of course vendors say it is secure – and going to be very profitable. Scientists, on the other hand, say it’s not secure – and the very architecture of the internet makes secure online voting almost impossible today.

Another computer scientist friend describes email voting, the most common way to vote on the internet, this way: You’re in a stadium with eighty thousand random people. It’s time to vote. You write your selections on a post card in pencil, don’t use an envelope, and pass your card down your row to be collected.

It might work. You could have a great election. Your vote might count just as you marked your card. But confidence pretty much sucks – for a pile of obvious reasons, from innocent mishap to conspiratorial fraud to foreign-based cyber war.

Playing on public emotion, vendors have picked two special needs groups to “help” by designing online voting schemes for them. The first group is military and overseas voters, referred to as UOCAVA voters because they fall under special provisions of the federal Uniformed and Overseas Citizens Absentee Voting Act. The second group is voters with disabilities.

McCrea completes the case by referencing Scientists with objections and no money to make:

Who agrees online voting is not secure? Pretty much everyone who isn’t trying to make money on it:

Congress:..
The National Institute of Standards and Technology (NIST)…
Computer Technologists’ Statement on Internet Voting…
The Government Accountability Office (GAO)…
A comment on the May 2007 DoD report on Voting Technologies for UOCAVA Citizens, by several renowned computer scientists…

Will Gov Patrick assign MA votes to states with touch screens and voter suppression?

Perhaps Governor Patrick will consider the arguments of Democrats like Connecticut Secretary of the State Susan Bysiewicz, who opposes the Agreement, and Minnesota Secretary of State Mark Ritchie, who objects because of the difficulty in counting the popular vote. We are not in principle against a national popular vote, but as a prerequisite we would require sufficient uniform national voting franchise and integrity laws, enforceable and enforced.

Recently both houses of the Massachusetts Legislature passed the National Popular Vote Agreement/Compact.  StateLine.org story: Anti-Electoral College pact could expand <read>  The StateLine article and their earlier one attempted to present arguments from both sides, however, missing are the most important arguments against the NPV, especially via the Compact as we have covered in our Case Against “The National Popular Vote“:

  • The franchise is not uniform from state to state
  • We cannot trust reported results
  • Reported popular vote totals are a fiction
  • The Agreement is likely to result in Presidential Elections being decided by the Supreme Court

The franchise is not uniform from state to state

Internet Voting Called Unfair, Not Observable, and Not Transparent

“Voting methods that utilize web-based technologies and telephone-based balloting do not allow the necessary levels of observability and transparency that exist within the current election process.”

While states prepare to risk military and overseas votes on Internet, email and FAX, the National Association of Manufacturers calls it unsafe for union elections.  Their concern is union members being intimidated in remote, unobserved locations. They are  correct.  Intimidation or the selling of votes is just one of the risks of Internet voting.  <read>

Recently the National Labor Relations Board (NLRB) published a request for information regarding industry solutions for procuring and implementing “secure electronic voting services for both remote and on-site elections.” The National Association of Manufacturers (NAM) is concerned with the Board’s intention to pursue the use of electronic systems to allow union representation elections to take place off-site and outside the supervision of the NLRB. The NAM firmly believes the current practice of NLRB-supervised elections that take place on employees’ worksites protects the integrity of the union election process and safeguards employees from intimidation and coercion from third parties…

Voting methods that utilize web-based technologies and telephone-based balloting do not allow the necessary levels of observability and transparency that exist within the current election process. Currently, union organizers are entitled to receive employees’ personal contact information from employers for the purposes of union organizing efforts. Introducing methods of remote-access elections combined with this access to information exposes workers to potential unwanted intimidation and harassment…

Such changes to the election process would be a drastic deviation from current practice and run counter to the principles of fairness and balance inherent in our labor laws. We strongly urge the Board to maintain the integrity of the current NLRB-supervised union representation process and refrain from introducing new technologies that remove the necessary protections currently afforded to employees.

New York: Leveling the playing field for mail-in voting?

We suggest that anyone concerned with the disenfranchisement from New York’s ill programmed voting machines should also be concerned and warn the public of the even greater risks they take when they mail in their votes.

There has been quite a stir in New York about the setup of their new optical scan voting systems.  It may disenfranchise voters by not adequately warning them about overvotes.  Here is one story from DNA Manhattan Local news: New Voting Machines Spur Concerns About Confusion and Fraud <read>

Questions about the confusing nature of New York’s new voting machines are at the heart of a lawsuit filed Monday.

The Brennan Center for Justice at New York University Law School, which filed the lawsuit about the new machines, says the new machines could confuse voters and thousands of ballots could be thrown out as a result.

That’s where the green button issue comes in. If a voter accidentally “over-votes” — meaning to mark more than one candidate for a particular office — the new machines give voters the option to press green to cast their vote, or red to get their ballot back.

However, the machine doesn’t explain that over-votes aren’t counted, so if you press green, your vote will be tossed, Brennan Center lawyers say.

They say the confusing choices could be fixed easily if the voting machines were reprogrammed.

In the meantime, voting rights advocates are educating people to go against their natural inclination and choose red if they over-vote, said Susan Lerner, executive director of Common Cause New York, which co-hosted Monday’s demonstration of the new machines with Westsiders for Public Participation.

We fully agree with the concerns raised, yet we point out that every form of mail-in voting, including absentee voting and no-excuse absentee voting, has the same problem, only worse.  With mail-in voting the voter has no green button, no red button, no notice, no chance whatsoever to be warned of overvoting – just one of the ways that mail-in voters are unknowingly disenfranchised.

Update: 08/22/2010 New York Times weighs in on scanners and overvotes <read>

Unsafe at any cost – Internet voting

High tech solutions to military and overseas voting seem like the equivalent of a star wars sledgehammer to hit a small nail.

Update: Rescorla adds a post explaining why pilots are of questionable value <read>

As I mentioned earlier, the DC BOEE Internet ballot return project is just the latest in a series of pilots and attempted Internet voting pilots. Superficially, this sounds like a good idea: there’s debate about whether Internet voting is a good idea, so it’s only natural that we’d try it out and see how it works. Unfortunately, this isn’t likely to tell us anything very useful; while we have extremely strong theoretical reasons for believing that Internet voting is insecure, those reasons don’t indicate that every single election is going to fail.

********

Based on the MOVE Act, many states and jurisdictions are experimenting with various forms of email, fax, and Internet voting. Washington, D.C. for example is setting up a pilot program.  Eric Rescorla comments on the D.C. pilot at Educated Guesswork <read>

UOCAVA voters are often in remote locations with poor mail access, so traditional Vote By Mail doesn’t work very well, making it an apparently attractive use case for technological fixes. That’s why there have been (at least) two previous efforts to apply Internet voting technology to UOCAVA voters…

Rescorla covers various attacks: Attacks on the Server, Software Attacks on the End-User Client, and Attacks on the End-User. He concludes:

As far as I can tell, a system of this type offers significantly worse security properties than in-person voting (whether opscan or DRE), since it has all the security flaws of both plus a much larger attack surface area. [Note that the intermediate opscan step offers only marginal security benefit because it’s based on electronic records which are untrustworthy.] It also offers inferior security properties to traditional vote by mail. The primary benefit is reducing voter latency, but clearly that comes at substantial risk.

We would add that most technical solutions assume that service members who have poor mail service would have internet service along with access to equipment like printers, scanners and faxes.

Some “solutions” provide a higher level of security using kiosks, eliminating the risks of end-user equipment – imagine the cost and challenges in purchasing, installing, maintaining and securing kiosks around the world in ways that would make them more convenient than express mail.  To paraphrase a statement that has been in the news lately: High tech solutions to  military and overseas voting seem like the equivalent of a star wars sledgehammer to hit a small nail.

Connecticut makes a good MOVE

Along with Secretary Bysiewicz, we applaud the Legislature’s prudent choice to avoid risky Internet, fax, and email voting schemes.

In its special session, the Connecticut Legislature passed a bill (p. 47) to provide faster absentee ballots and more convenient procedures for military and overseas voters, in compliance with the Federal Military and Overseas Voter Empowerment (MOVE) Act.

We have been critical of the MOVE Act for one of its provisions but not its intent.  The MOVE Act included a provision for piloting Internet, fax, and email return of ballots which is risky to the very democracy our soldiers are dedicated to preserving.  As we said last November:

While we support our troops and their commitment to democracy, we do not support the MOVE Act in its current form.  We object to one provision of the Act passed by the Senate, passed by the House, and signed by the President.  Like the Help America Vote Act (HAVA), the MOVE Act is well intended, aimed at solving a real problem, yet has unintended consequences.

The problem of military and overseas voting has several good solutions that have been used in some states and localities and have been effective.  The MOVE Act incorporates many of those good solutions.  Yet, it also authorizes pilots of electronic submission of actual votes electronically.  As of this time there is no known proven method for the security and secrecy of electronic submission of ballots, no proven method of auditing such votes, and the bill contains no mandate for the evaluation of pilots for security and secrecy.

Worse, many states are jumping on that bandwagon with risky and often expensive, unproven solutions claiming that the MOVE Act requires such.

See: <All posts related to the MOVE Act>