Is Security the Problem for E-Voting?
John Sebes
One of the most vexing frequent issues in e-voting debates is the idea of security vulnerabilities. I don’t think that security is *the* problem with actual e-voting systems, but I do think that in-security concerns are a significant problem with the way many people think about how we do e-voting.
There are many voices in the debate on insecure voting systems, but taking exception to the debate itself is one voice I think is noteworthy: Michael Shamos. For a recent, brief look into his views, see a recent C|net interview "Shamos: Why e-voting paper trails are a bad idea."
In addition to the question "Is paper the solution?" the interview touches on the question "Is security the problem?" You can read for yourself why Shamos says "no" to both, but I wanted to add a (hopefully) simple pair of observations.
1. (In)security is not a fundamental techical issue for voting systems; it is a derived or secondary issue. It’s derived from (as I think Shamos would agree) the fact that some voting systems are poorly engineered and have demonstrated unreliability. Starting there, sure you can assume plenty of potential security vulnerabilities, and easily find a few.
2. Security concerns arise from awareness of flakey voting systems; that awareness (for most people) arises from press coverage, blogging, etc. about incidents of voting machine mishehavior. The concerns get magnified with more coverage of potential security problems with the flakey machines. These concerns are a relevant issue for voting systems. Trust in the election process is critical, and it’s undermined by these concerns, and by the incidents and coverage that drive them.
As Shamos points out, we know that purely paper based systems can be easily subverted. Adding computing to the election system is going to help only if the technology can be trusted at least as well, or better, than pure paper systems. The current market approach has failed there. Adding paper trails to the computers might help with some people’s concerns over transparency — making an important contribution to trust — but it won’t make the existing computers more worthy of public trust, nor will it alleviate security concerns over the use of of those current systems that appear to be unreliable.
So, electronic ballots or paper ballots, electronic systems with or without paper trail, we still need to develop trustworthy election technology. So, I better get back to work!
EJS
Developing a trustworthy election technology is half the battle – the other half is doing so in such a way that you can persuade the general public that it is secure.
You are absolutely correct that a top-down “patch the vulnerabilities” approach will not result in a trustworthy system. What is needed is a design approach that focuses on the threat environment, the security objectives that counter the identified threats, and the functional and assurance requirements that will be used to implement those objectives.
Thanks, Scott, for your comment to John’s post; we were swamped today so apologies for it taking a silly stupid 9 hours to approve your comment post. This would be a perfect time to invite you to join our community so we can grant you instant posting. This is particularly true here because I found your comment to be spot on.
Perception is 90% of one’s reality on a bad day. Who said that? But its true. And to your point about design approach, I may be making a fool of myself, but you either have had access to internal documents our CTO and a couple of tech staff are working, or have actually spoken with John (for which I am foolishly unaware).
Point is, much discussion is raging about approach, and in particular [a] focus on threat environment {real, perceived, potential, actual}, [b] the objectives to counter, and [c] requirements. Of these issues, requirements gathering will be a significant and critical undertaking.
Let me say something more about that. We’ve said all along (I’ll dig up a reference here at some point) that the success of this project is predicated on the participation of the public. We’ve asserted that anyone who is eligible to vote can help. But to be specific about "help" we intend to recruit as many state elections officials and administrators as we can — ideally every single member of NASED if possible.
These stakeholders have had a bum rap to date wherein we’ve heard stories of vendors promising them active participation in design reviews to pre-release access and promises to incorporate feedback into design revisions. Seldom (apparently) has any of this really happened. In this case, the OSDV Foundation believes participation of these stakeholders is essential to the outcome. However, it doesn’t stop there. These stakeholders, while the most conversant about their particular requirements and usage experience, they are not necessarily domain experts about digital data security, privacy controls, or the details of software, hardware or systems design. People — perhaps such as yourself — become an equally imperative participant in requirements gathering, design, RFC processes, peer-reviews, and the like.
That awkward segue brings me to you, Scott. Certainly individuals like yourself are imperative you the success of this project. So we certainly hope we can engage your creativity and common sense and others like you. So, your ball.
Cheers
GAM|out