My point was that although it is possible in principle, it would be so
inconvenient as to be unworkable for most human beings. We found this
in trying to develop a secure operating system, which required users to
enter passwords so often that they got careless with the passwords.
One solution is to abandon voting and go to a system of sortition. Then
the problem becomes stacking of the selection pool.
The only reliable way anyone has found to solve the public choice
problem is to stop making public choices that anyone would want to unduly
influence. But anarchy has its downside.
-------- Original Message --------
Subject: Re: [EL] Halderman on "Hacking the D.C. Internet Voting Pilot"
Date: Wed, 6 Oct 2010 08:15:50 -0700
From: David Jefferson <d_jefferson@yahoo.com>
To: jon.roland@constitution.org
CC: David Jefferson <d_jefferson@yahoo.com>, Candice Hoke
<ch@electionexcellence.org>
Dear Mr. Roland,
Thank you for cc'ing me on your comment to Election Law Blog. I think
the security issues are deeper than you outline here. Many security
experts have studied these problems, and there are no easy answers even
in principle. Even the best-defended systems, owned by organizations
with vast security resources, are penetrated, and the penetration goes
undetected for long periods of time. Recall the attacks on Google and
dozens of other high tech firms earlier this year. From my position in
the national security community at Lawrence Livermore National
Laboratory (a nuclear weapons lab) I know of many others.
I consider Internet voting to be a national security threat. We need
to consider our election infrastructure to be a vital national
infrastructure that has to be protected from, not exposed to, cyber
attack.
I have taken the liberty to comment inline in your message below.
Best wishes,
David
On Oct 6, 2010, at 7:56 AM, Jon Roland wrote:
> It is something of an overstatement to say that an effective defense
> is virtually impossible. It is possible in principle for each voter
> to get a digital key pair and digitally sign his ballot in a way that
> would authenticate him and also ensure the ballot does not get
> altered, while maintaining secret ballot standards.
Voters' ballots were transmitted encrypted and were stored encrypted.
They were still compromised totally. Cryptography is vital, but it
just shifts the attack to other weak points.
> The entire voter registration list would have to be digitally
> encrypted to prevent ballot stuffing by fictitious voters.
This was not ballot stuffing; it was replacement of ballots one for one
by ballots from the same fake voters as the originals.
> That would only leave the problem of someone looking over the
> shoulders of voters to unduly influence the way they vote, so the
> system would still need to have voters use voting booths where their
> votes could not be observed by others. Such booths could be made
> conveniently available everywhere, or even brought to voters unable
> to get to them otherwise.
This system was designed to allow voters to vote from their private
machine, the goal of most Internet voting enthusiasts. So the vote
privacy problem remains, but it is no worse than that for ordinary
paper absentee ballots.
> Needless to say, doing all this would be an enormously complex
> process that would be difficult for most voters to grasp. On the
> other hand, we are probably going to have to do something like that
> for personal identification generally, using not centralized
> identification systems, but a digital notary system based on circles
> of trust. This could lead to a situation in which most people are
> digitally connected, but a substantial part of the public is left
> unconnected, digital "nonpersons".
Thanks again,
David
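Editor's note: the two positions above, that a per-voter key pair and a signed ballot would authenticate the voter and prevent alteration, and that cryptography "just shifts the attack to other weak points", can be made concrete in code. The Go program below is an added example written for this page; it is not code from either correspondent, nor from the D.C. pilot system. It models a hypothetical election in which each registered voter holds an Ed25519 key pair and signs a plaintext ballot, and it runs two attacks against the same tally: an attacker who owns the server and swaps every stored ballot one for one (as Jefferson describes), and an attacker who owns the voters' machines. The three voters, their choices, and the field layout are constructed sample data. The model deliberately omits encryption and ballot secrecy, which Roland's sketch requires and which this scheme, as written, does not provide (the ballot carries the voter ID next to the choice).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedBallot is a ballot as stored on the hypothetical election server:
// the voter's registration ID, the plaintext choice, and the voter's
// signature over both. No encryption and no ballot secrecy in this model.
type SignedBallot struct {
	VoterID   string
	Choice    string
	Signature []byte
}

// Registry maps each registered voter ID to the public key enrolled for them.
type Registry map[string]ed25519.PublicKey

// Result of a tally: votes per choice plus the number of ballots whose
// signature did not verify against the registry.
type Result struct {
	Counts   map[string]int
	Rejected int
}

// ballotBytes is the exact byte string that gets signed. Fixed field order
// and a separator the fields cannot contain keep it unambiguous.
func ballotBytes(voterID, choice string) []byte {
	return []byte(voterID + "\x00" + choice)
}

// CastBallot is what the voter's client does: sign the chosen candidate with
// the voter's private key. Whoever controls that machine controls what is signed.
func CastBallot(voterID string, key ed25519.PrivateKey, choice string) SignedBallot {
	return SignedBallot{voterID, choice, ed25519.Sign(key, ballotBytes(voterID, choice))}
}

// Tally verifies every stored ballot against the registry and counts only
// those that verify. One ballot per voter ID is assumed for simplicity.
func Tally(reg Registry, stored []SignedBallot) Result {
	res := Result{Counts: map[string]int{}}
	for _, b := range stored {
		pub, ok := reg[b.VoterID]
		if !ok || !ed25519.Verify(pub, ballotBytes(b.VoterID, b.Choice), b.Signature) {
			res.Rejected++
			continue
		}
		res.Counts[b.Choice]++
	}
	return res
}

// ReplaceOnServer models an attacker who owns the server but not the voters'
// keys: every stored ballot is swapped one for one for a ballot carrying the
// attacker's choice, signed with a key the attacker generated.
func ReplaceOnServer(stored []SignedBallot, attackerKey ed25519.PrivateKey, choice string) []SignedBallot {
	out := make([]SignedBallot, len(stored))
	for i, b := range stored {
		out[i] = CastBallot(b.VoterID, attackerKey, choice)
	}
	return out
}

// RunScenarios builds a three-voter election (constructed sample data) and
// returns the tally for the honest run, for the server-side replacement, and
// for the case where malware on every voter's machine chose for them.
func RunScenarios() (honest, serverAttack, clientAttack Result) {
	reg := Registry{}
	keys := map[string]ed25519.PrivateKey{}
	for _, id := range []string{"v1", "v2", "v3"} {
		pub, priv, _ := ed25519.GenerateKey(rand.Reader)
		reg[id], keys[id] = pub, priv
	}
	_, attacker, _ := ed25519.GenerateKey(rand.Reader)

	stored := []SignedBallot{
		CastBallot("v1", keys["v1"], "Alice"),
		CastBallot("v2", keys["v2"], "Alice"),
		CastBallot("v3", keys["v3"], "Bob"),
	}
	honest = Tally(reg, stored)

	// Attack 1: the server is compromised. The signatures catch the swap,
	// because the attacker cannot sign as v1, v2 or v3.
	serverAttack = Tally(reg, ReplaceOnServer(stored, attacker, "Bob"))

	// Attack 2: the voters' machines are compromised. Each ballot is signed
	// with the correct voter key, so the tally has no way to tell.
	var hijacked []SignedBallot
	for id, key := range keys {
		hijacked = append(hijacked, CastBallot(id, key, "Bob"))
	}
	clientAttack = Tally(reg, hijacked)
	return
}

func main() {
	h, s, c := RunScenarios()
	fmt.Printf("honest:        %v rejected=%d\n", h.Counts, h.Rejected)
	fmt.Printf("server attack: %v rejected=%d\n", s.Counts, s.Rejected)
	fmt.Printf("client attack: %v rejected=%d\n", c.Counts, c.Rejected)
}
```

The first attack is rejected outright: all three replaced ballots fail verification, which is the integrity property Roland's key-pair scheme buys. The second attack is counted as three valid votes for Bob, which is the point Jefferson makes about the attack moving to the voter's own machine, the weak point that signatures cannot cover. Restoring secrecy on top of this (so the tally cannot read "v1 voted Alice") is a separate and harder problem that this example does not attempt.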