Tagged voting security

The Real Crisis of US Election Security

With the United States midterm elections coming soon, US election systems are already under attack, via false or misleading stories on social media (disinformation attacks). These systems are also vulnerable to more serious subversion attacks, where digital components are targeted and compromised to alter or manipulate the actual casting of ballots and tabulation of results. How did the US reach this crisis point, where this critical infrastructure is now so vulnerable? Is there any way to remedy this threat to the most fundamental building block of a healthy democracy, a secure and reliable voting system?


Another Laudable Online Voting Architecture Concept But…

Recently, we were asked about a concept authored by a former technology executive at Citrix (yes, those folks) back in 2012 regarding a potential end-to-end secure voting system. But that was actually part of a larger question: whether and to what extent digital security must now live beneath the operating system software layer rather than on top of it. The author’s ideas for an online voting system are laudable and his credentials are credible. His follow-on article last year (2015) is interesting, and more to the point of hardware-level security alluded to in the first article. I offer a couple of comments below, including some points by our CTO on this approach, because it is something baked into ElectOS.

First, we agree that a hardware root of trust is an essential ingredient for any trustworthy computing device running mission-critical software. The author, Ahmed Sallam (now CEO at DeepSAFE Technology), rightly points that out, but we doubt that Citrix has an existing product that can safely run an Internet Voting client. We’d love to be proven wrong on that, but it does not change the fact that the core problem is one of successfully combining many ingredients. This is one of the well-known ingredients.

There is, from my perspective, a well-developed and detailed technical white paper from Apple providing a worked example of a hardware root of trust for its iOS mobile operating system. This hardware-rooted security layer has allowed Apple to develop Apple Pay and their biometric authentication management system (you can see a very good overview video of how it works here; it may require the Safari browser to watch). For those wishing to dive deeper, here are the NIST Draft Guidelines for Hardware Rooted Security in Mobile Devices.

At a deeper level of detail, our CTO (John Sebes) agrees with the technical architecture for the server side, but he believes that for the client side, Ahmed’s approach is a bit of overkill.  As John observes, “If I understand it right, the Sallam model seeks to allow trusted and un-trusted code to run on a device, with a full operating system and all.”

So the client architecture that John and the TrustTheVote Project have been advocating from the beginning starts with a consumer device that has a hardware root of trust and a hypervisor that can validate a boot image as coming from a trustworthy source. John reports that we nearly have that today. And the device has to be able to do both:

  • a normal local boot into a full service mobile device OS to work as a phone browser, etc.; and
  • a boot from an external physical device with the boot image for something else.

One such “something else” will probably be a banking App, but the one we’re interested in is a Voting (ballot casting) App — with a single purpose: it runs only that one App and the SW stack under it, immune to malware, etc.  That’s not even that hard, but there are interesting PKI (Public Key Infrastructure) issues for ensuring that a given voting App is the real {authentic | authorized} voting App, and performing strong authentication of the user-voter, etc.
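The authentic-versus-authorized distinction above can be made concrete. The following is an added example, not code from this post, the TrustTheVote Project or ElectOS: a pinned root key (standing in for the hardware root of trust) vouches for a signer key for one purpose, and the boot image is accepted only if both checks pass. The `SignerCert` structure, the purpose strings, the keys, and the choice of Ed25519 and SHA-256 are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// SignerCert (hypothetical): the root vouches that PubKey signs images for one Purpose.
type SignerCert struct {
	PubKey  ed25519.PublicKey
	Purpose string
	RootSig []byte // root signature over Purpose || 0x00 || PubKey
}

func certBody(c SignerCert) []byte { return append(append([]byte(c.Purpose), 0), c.PubKey...) }

// VerifyBootImage returns nil only for an image that is authentic AND authorized.
func VerifyBootImage(root ed25519.PublicKey, c SignerCert, image, sig []byte, purpose string) error {
	if !ed25519.Verify(root, certBody(c), c.RootSig) {
		return fmt.Errorf("signer not vouched for by root of trust")
	}
	if c.Purpose != purpose {
		return fmt.Errorf("signer not authorized for %q images", purpose)
	}
	if d := sha256.Sum256(image); !ed25519.Verify(c.PubKey, d[:], sig) {
		return fmt.Errorf("image signature invalid")
	}
	return nil
}

func Demo() (ok, tampered, wrongPurpose error) {
	rootPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{1}, 32)) // constructed test keys
	root := rootPriv.Public().(ed25519.PublicKey)
	image := []byte("constructed ballot-casting boot image")
	sign := func(seed byte, purpose string) (SignerCert, []byte) {
		priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{seed}, 32))
		c := SignerCert{PubKey: priv.Public().(ed25519.PublicKey), Purpose: purpose}
		c.RootSig = ed25519.Sign(rootPriv, certBody(c))
		d := sha256.Sum256(image)
		return c, ed25519.Sign(priv, d[:])
	}
	vote, voteSig := sign(2, "voting")
	bank, bankSig := sign(3, "banking")
	return VerifyBootImage(root, vote, image, voteSig, "voting"),
		VerifyBootImage(root, vote, append(image, '!'), voteSig, "voting"),
		VerifyBootImage(root, bank, image, bankSig, "voting")
}
func main() { fmt.Println(Demo()) }
```

The third case is the one a bare signature check misses: the banking signer's image is authentic, since the root really did vouch for that key, yet it is rejected because that key was never authorized to sign voting images.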

Now for the “But…” part of this. Fundamentally, we agree with Ahmed’s vision and concept; however, Citrix will be a potential player in the iVoting technology arena if and only if it is a major player in the mobile computing technology ecosystem. From what we can tell, Citrix is moving in that direction.

So to summarize, at the end of the day,

  1. Do we believe Citrix has a solution for iVoting? No.
  2. Do we believe the author of both articles referenced here, Ahmed Sallam (now since departed from Citrix and CEO of DeepSAFE) has a credible vision and concept for online voting? Yes.
  3. Do we believe that concept is complete in terms of what we understand about the totality of the problem? No.
  4. Will the hardware root of trust (hardware layer security below the operating system), such as the elegant model embodied in iOS and articulated by the NIST Guidelines, be a key ingredient going forward? Yes.
  5. Are we (anyone) there yet for a voting App/system? No.

OSDV Responds to FCC Inquiry about Internet Voting

The Federal Communications Commission (FCC) asked for public comment on the use of the Internet for election-related activities (among other digital democracy related matters).  They recently published the responses, including those from OSDV.  I’ll let Greg highlight the particularly public-policy-related questions and answers, but I wanted to highlight some aspects of our response that differ from some others.

  • Like many respondents, we commented on that slippery phrase “Internet voting”, but focused on a few of the specific issues that apply particularly in the context of overseas and military voters.
  • Also in that context, we addressed some uses of the Internet that could be very beneficial, but are not voting per se.
  • We contrasted other countries’ experiences with elections and the Internet with the rather different conditions here in the U.S.

For more information, of course, I suggest reading our response. In addition, for those particularly interested in Internet voting and security, you can get additional perspectives from the responses of TrustTheVote advisors Candice Hoke and David Jefferson, which are very nicely summarized on the Verified Voting blog.

— EJS