Subscription Center
June 19, 2012
| 
12
Professors Steve Schneider and Alan Woodward are at the Department of Computing in the University of Surrey, UK. Alan writes extensively in the wider press trying to explain cyber security to those who have little or no computing experience. Steve is an investigator currently working on an initiative entitled “Trustworthy Voting Systems”, funded by the UK Engineering and Physical Sciences Research Council . Both specialise in security where Steve has built an international reputation in the analysis and verification of protocols, and Alan has become well known for his work in analysing the cyber threat, and forensics. Alan continues to spend part of his time outside of the University advising organisations, including governments, on cyber security. Follow on Twitter @ProfWoodward.
With the Presidential elections looming up, some have been asking why the United States is not making more of electronic voting. It’s being adopted in many other countries around the world, with India, Brazil, Estonia, Norway and Switzerland as notable examples. However, the United States has several examples in recent years where it has backed out of electronic voting that it had already implemented.
For example, in 2010, a trial system for remote voting over the Internet in Washington DC (known as the “Digital vote by mail”) was shown to be vulnerable, when it was penetrated by a research team from the University of Michigan, demonstrating how a real attack could render any results unsound, without detection. The attack was documented in a recent paper by researchers from the University of Michigan.
So who is right?
First, it’s important to differentiate between the types of e-voting. To some it means using controlled kiosks in polling stations which collect the votes locally. For others it means those kiosks sending the votes to some central collection system. To others, e-voting is about being able to vote remotely, typically over the Internet. In all cases, the key element of e-voting is that the vote is captured and processed electronically. This has several perceived benefits:
Given that we already do online banking and shopping, and even remotely vote for popular TV shows, what’s so different about electing our politicians through electronic voting?
It comes down to two principles which are peculiar to these types of elections:
The key difference between this and, say, online banking rests on the fact that we can check bank statements and retain records of transactions, which lets us catch any errors and unauthorised transactions. We can’t do this for voting systems because of the need for ballot secrecy, so we have to trust the voting system instead. This is like running your bank account without getting statements or receipts, and trusting the bank to keep track of your balance accurately.
The Holy Grail for electronic voting is “verifiability” which provides the highest level of trust by publishing the election data in a way that can be checked independently. Finding a way to do this is a challenge, but some systems have been proposed which make use of cryptography to secure votes while preventing them from being changed, whilst allowing vote processing to be done in an open and verifiable way.
Scantegrity were the first to run a municipal election in this way, at Takoma Park in November 2009 (and again in 2011), which was independently audited and resulted in no serious objections. Similarly, Helios has run several verifiable elections over the Internet, the largest being for the election of the Recteur (Principal) of the Catholic University of Louvain in Belgium.
Another voter-verifiable system is Prêt à Voter, originally proposed by Peter Ryan of the University of Luxembourg, and which is currently being implemented by the University of Surrey. In Prêt à Voter, “verification” comprises publishing each step in the election process, from the point where the vote is first cast right through to the final tally. It’s just like paper based elections where observers can see votes physically placed in the ballot boxes and watch that they are not tampered with throughout the collection and counting process.
Prêt à Voter makes use of cryptographic techniques to preserve the secrecy of the ballot. It secures the information so that it cannot be tampered with, nor can the person who cast the vote claim it wasn’t them that made a specific vote. All of this is done in such a way that voters can track their vote without providing a casual observer with the linkage between individuals and a specific vote. The processing steps come with mathematical proofs that the votes have been processed, decrypted and tallied correctly.
It’s clear that successful e-voting systems work on the principle of “assume voters will trust but allow them to verify if they wish”. As more e-voting is implemented using this this principle it will become something demanded by voters, as it is not just an automated version of the current manual systems, but something that offers truly verifiable democracy. In an era when people are jaded about the political process, that must surely be a good thing.
About the Author: Professors Steve Schneider and Alan Woodward are at the Department of Computing in the University of Surrey, UK. Alan writes extensively in the wider press trying to explain cyber security to those who have little or no computing experience. Steve is an investigator currently working on an initiative entitled “Trustworthy Voting Systems”, funded by the UK Engineering and Physical Sciences Research Council . Both specialise in security where Steve has built an international reputation in the analysis and verification of protocols, and Alan has become well known for his work in analysing the cyber threat, and forensics. Alan continues to spend part of his time outside of the University advising organisations, including governments, on cyber security. Follow on Twitter @ProfWoodward.
12 Comments
Add a Comment
You must sign in or register as a ScientificAmerican.com member to submit a comment.
Click one of the buttons below to register using an existing Social Account.
The Cognitive Science of Star Trek
It's not about predators, it's about journal quality
Dear Guardian: You've Been Played
Anti-Psychiatry Prejudice? A response to Dr. Lieberman
Scour: Why Most Bridges Fail
Northern Elephant Seals: Increasing Population, Decreasing Biodiversity
See what we're tweeting about
marisfessenden Women have always fought. Read this. (Also includes awesome art) HT @roseveleth http://t.co/x4g846BpBB via @skepchicks
FlyingTrilobite Rob Ford didn't smoke crack. He said so. It's all over. (Please let it be over. I miss the jokes about the army digging us out of snow.) FlyingTrilobite A hearty thank you to all my non-Toronto friends for not dropping me like a hot potato for all the angry Rob Ford tweets and RT this week.
YES! Send me a free issue of Scientific American with no obligation to continue the subscription. If I like it, I will be billed for the one-year subscription.
Share
Email
Print
Evoking has not been adopted by Switzerland. It is tested, for some votations, in some cantons. The risk/benefit ratio is not clear for e majority of the citizens. The main “remote” voting system is snail mail for most of the voters and stillhas plenty of advantages.
Link to thisVoting a month or so before results are posted might give time to receive a verifying statement and rectify any discrepancies.
Link to thisMathematicians should be employed in designing any e-voting system. And ‘Applied Cryptography’ by Bruce Schneier must be a handbook for system designer.
Link to thisI think the political parties know that once e-voting comes on line with encrypted security, finger prints identifications, and user passwords (your voter registration number) and systems that can keep track of the voters (name, address and such) just like a secure bank can with your transactions, political parties know that they no longer can ‘stuff the ballet box’ or toss out a ballot because they say they cannot read the pencil marks or buy a judge off to declare them the winner, there may be more honest politicians coming into elections and more honest people wanting to cast their vote. Pay Pal bank can already do that with their banking system and there is no reason you cannot do the same thing with a voting booth. The best thing about electronic voting, the vote can be counted as soon as it is cast and the voter can see who that vote was cast for, and if there is a conflict, the voter can recall their ballet and a booth helper can help them recall their vote and then cast it for whomever they want. If the ballot makes the same mistake again, the ballot can be renewed and the voter can start over, and you can cast your vote from where ever you are in the world.
Link to thisVoting should be at least as hard as buying a beer. If someone cannot be bothered to get out and vote the old fashioned way, who cares what their vote might have been?
But if we are going to do this, then I want to be in charge of the servers and software. Oh, and the virus writing people the Obama admin outed in the Stuxnet virus case. I want to be in charge of them too.
I fell a landslide coming! And once again it is going my way.
Link to this@ JamesDavis – It sounds like you don’t remember the 2004 US presidential election, when the president of Diebold – who manufactures e-voting machines – promised to ‘deliver’ Ohio to George Bush.
Link to thisOne other key element not discussed is the need for national IDs (including biometrics) which guarantees voter eligibility (and likely access to government benefits generally).
The e-voter technology will be viewed as easy compared to the need for a national ID system.
Link to this“Trust But Verify” – You must mean there are those who are not to be trusted; this is exactly the point of photo ID at the polls, or “chop” (thumbprint) on a touch-screen, or video voting on the net, etc.
Link to this@LarryW I feel that is the crux of the problem, Americans don’t want a secure ID for themselves. They fear it will allow “them” to track them and what not (even though their current info is so freely dispersed all over by themselves and the companies that exploit it). Fear of new technology really. The argument of “all the data will be centralized” is silly since the Government already collects all the data centrally via taxes and other means. A secure citizen ID would make many things much easier, more secure and more cost effective.
Link to thisAs Doug Jones and I show in our book “Broken Ballots: Will Your Vote Count?”, Internet voting is far too dangerous to be used in any major election. Schneider and Woodward appear to argue that cryptographically based systems can be safely used for Internet voting and that such systems can offer “truly verifiable democracy”. One of the examples they cite of such a system is Helios. Yet, Ben Adida, the developer of Helios, has publicly stated: “All the verifiability doesn’t change the fact that a client side corruption in my browser can flip my vote even before it’s encrypted.” Adida further observed that powerful viruses like Stuxnet illustrate that critical Internet-based elections would be vulnerable to attack.
The authors also mention the all too common argument: “Given that we already do online banking and shopping, and even remotely vote for popular TV shows, what’s so different about electing our politicians through electronic voting?” But they then neglect to educate the reader about how millions of dollars are stolen annually from online bank accounts. The banks quietly cover the losses, since online banking still saves them the costs of paying for additional teller windows and tellers.
The authors also ignore many other threats to Internet voting, including massive denial of service attacks and the inability to conduct a recount, should the announced results be questioned.
Encryption-based voting schemes may be fine to use for relatively unimportant elections. But they should not be deployed for any major U.S. elections. As Ron Rivest, the “R” in RSA has observed, “Coming up with ‘best practices for Internet voting’ is like coming up with ‘best practices for drunk driving.’ You don’t really want to go there.”
Barbara Simons
Link to thisGood-on-yer to the authors for saying “This is like running your bank account without getting statements or receipts, and trusting the bank to keep track of your balance accurately.” However, to fully understand how e-banking is not a good model for voting, there are two follow-on points:
1) With e-banking there are real financial losses from real unauthorized transactions, and there is a responsible party (the bank) for reversing them.
2) In voting, there is no one like the bank who can take responsibility for reversing an unauthorized transaction;
once your secret ballot has been cast (by you or anyone else) and counted (as intended by you or not) you cannot reverse your votes.
Achieving both ballot secrecy and fraud prevention is a big job even for in person voting on paper ballots. Doing both with Internet voting from home computers, in elections run by US counties’ election officials, obeying all election law and regulation in force today … a nearly insurmountable task.
– John Sebes
Link to thisOpen Source Digital Voting
http://osdv.org
http://trustthevote.org
With this is of technology, we cannot deny that casting of votes can be possibly done thru the internet. It may sound impossible to some voters but online voting has make its toll for a more easy election. Although this process has been carefully studied, there are also some people who are not convinced about the accuracy of it. There are also some secrecy issues where the vote and the identity of the voter may be jeopardize. This online voting shoudl be resolved properly, giving the people the trust and confidence in order to give the country a clean and honest election.
SurveyAndBallotSystems.com
Link to this