Subject: Re: [EL] Fw: David Jefferson responds: Halderman on "Hacking the D.C. Internet Voting Pilot"
From: Candice Hoke
Date: 10/6/2010, 10:12 AM
To: "election-law@mailman.lls.edu" <election-law@mailman.lls.edu>
CC: Jefferson David <d_jefferson@yahoo.com>

As requested, the URL is now available for David Jefferson's discussion of the DC pilot in on-line voting.  

http://blog.verifiedvoting.org/2010/10/06/975#more-975

As a further note: Seems we owe considerable praise and thanks to the DC BOEE election officials and their vendor who sought a public test of the innovative voting system. 

Would also seem that those deeply concerned for honest, accurate, accessible elections that are also fiscally sound
-- need to seek improvements in voting technologies and
-- not condemn those brave enough to invent and try out new systems, so long as
    -- the testing occurs outside the real election context and
    -- provides sufficient independent evaluation of the system to warrant its trust and use in public elections.

But one question remains:  Will our election legal and policy communities accept certain technical limitations imposed by the current Internet's engineering and software, or continue to legislate for demo projects that are on the order of whether placing a wet finger in a live electrical outlet can cause serious burns or death?

The preeminent computer and network security experts have stressed that use of the Internet via personal computers/devices for the return of *voted* ballots is a no-brainer on the level of the wet-finger-in-the-live-outlet example.

The good news:  NSF is funding numerous research projects that are designed to lead to a better Internet(s).  These may eventually permit on-line voting (that includes return of voted ballots) in a secure, accurate, and accessible manner.  But that's not this Internet. 

--Candice Hoke

C|M|Law
CSU
Cleveland, OH  44115
216.798.4643




On 10/6/10 12:14 PM, Jon Roland wrote:
My point was that although it is possible in principle, it would be so inconvenient as to be unworkable for most human beings. We found that in trying to develop a secure operating system, which required users to enter passwords so often that they got careless with the passwords.

One solution is to abandon voting and go to a system of sortition. Then the problem becomes stacking of the selection pool.

The only reliable way anyone has found to solve the public choice problem is to stop making public choices that anyone would want to unduly influence. But anarchy has its downside.

-------- Original Message --------
Subject:     Re: [EL] Halderman on "Hacking the D.C. Internet Voting Pilot"
Date:     Wed, 6 Oct 2010 08:15:50 -0700
From:     David Jefferson <d_jefferson@yahoo.com>
To:     jon.roland@constitution.org
CC:     David Jefferson <d_jefferson@yahoo.com>, Candice Hoke <ch@electionexcellence.org>



Dear Mr. Roland,

Thank you for cc'ing me on your comment to Election Law Blog.  I think the security issues are deeper than you outline here.  Many security experts have studied these problems, and there are no easy answers even in principle.  Even the best-defended systems, owned by organizations with vast security resources, are penetrated, and the penetration goes undetected for long periods of time. Recall the attacks on Google and dozens of other high tech firms earlier this year.  From my position in the national security community at Lawrence Livermore National Laboratory (a nuclear weapons lab) I know of many others.

I consider Internet voting to be a national security threat.  We need to consider our election infrastructure to be a vital national infrastructure that has to be protected from, not exposed to, cyber attack.

I have taken the liberty to comment inline in your message below.

Best wishes,
David

On Oct 6, 2010, at 7:56 AM, Jon Roland wrote:

> It is something of an overstatement to say that an effective defense
> is virtually impossible. It is possible in principle for each voter
> to get a digital key pair and digitally sign his ballot in a way that
> would authenticate him and also insure the ballot does not get
> altered, while maintaining secret ballot standards.


Voters' ballots were transmitted encrypted and were stored encrypted.  They were still compromised totally.  Cryptography is vital, but it just shifts the attack to other weak points.

> The entire voter registration list would have to be digitally
> encrypted to prevent ballot stuffing by fictitious voters.


This was not ballot stuffing; it was replacement of ballots one for one by ballots from the same fake voters as the originals.

> That would only leave the problem of someone looking over the
> shoulders of voters to unduly influence the way they vote, so the
> system would still need to have voters use voting booths where their
> votes could not be observed by others. Such booths could be made
> conveniently available everywhere, or even brought to voters unable
> to get to them otherwise.


This system was designed to allow voters to vote from their private machine, the goal of most Internet voting enthusiasts.  So the vote privacy problem remains, but it is no worse than that for ordinary paper absentee ballots.

> Needless to say, doing all this would be an enormously complex
> process that would be difficult for most voters to grasp.  On the
> other hand, we are probably going to have to do something like that
> for personal identification generally, using not centralized
> identification systems, but a digital notary system based on circles
> of trust. This could lead to a situation in which most people are
> digitally connected, but a substantial part of the public is left
> unconnected, digital "nonpersons".



Thanks again,
David