Re: [EL] Halderman on "Hacking the D.C. Internet Voting Pilot"

Subject: Re: [EL] Halderman on "Hacking the D.C. Internet Voting Pilot"

From: Jon Roland

Date: 10/6/2010, 9:50 AM

To: Joseph Lorenzo Hall

CC: Jefferson David <d_jefferson@yahoo.com>, election-law <election-law@mailman.lls.edu>

Reply-to:

"jon.roland@constitution.org"

On 10/06/2010 10:47 AM, Joseph Lorenzo Hall wrote:

e should perhaps take this off-list...

Perhaps not yet. There are some geeks on this forum. :-)

however, how do you propose a
voter would get a set of personalized cryptographic credentials that
she could sign her ballot in a way that would not conntect the ballot
to her?

There's a rich literature developing in the use of cryptography in
voting, and the state-of-the-art uses things called "mixnet" shuffling
where a series of trustees shuffle and provide pieces of a larger
decryption key.  I can put you in touch with people like Ben Adida who
know this literature very well.

I am familiar with this literature, and it offers one approach. Another is to give each voter a unique device, like a cell phone, that is only used for voting, and that only that person can use, or portable "voting booths" that can do a biometric verification that the person in the booth is a unique voter, but not tie the ballot to that person's identity. Not very practical.

> The entire voter registration list
> would have to be digitally encrypted to prevent ballot stuffing by
> fictitious voters. That would only leave the problem of someone looking over
> the shoulders of voters to unduly influence the way they vote, so the system
> would still need to have voters use voting booths where their votes could
> not be observed by others. Such booths could be made conveniently available
> everywhere, or even brought to voters unable to get to them otherwise.

I think you're underestimating the risks of client-side
vulnerabilities.  That is, lately many of us on the technical side
have been thinking about the larger problem of "remote voting" (which
technically includes anything that is not traditional polling place
voting).  The models include both supervised and unsupervised (are
their trained pollworkers present) and controlled and uncontrolled
architectures (is the voting machine the user's PC, or some sort of
known and hardened device like a simple, secure voting machine under a
secure chain of custody).  It's these client-side vulnerabilities that
most of us are most worried about (and note that the DC hack did not
attempt to install viruses, etc. on voters' computers... it just
played the Michigan fight song).

I'm not underestimating the vulnerabilities of the tools presently available to voters. We would need a new generation of interfaces between humans and the voting systems, but that would raise more issues of threats to personal liberty.

> Needless to say, doing all this would be an enormously complex process that
> would be difficult for most voters to grasp. On the other hand, we are
> probably going to have to do something like that for personal identification
> generally, using not centralized identification systems, but a digital
> notary system based on circles of trust. This could lead to a situation in
> which most people are digitally connected, but a substantial part of the
> public is left unconnected, digital "nonpersons".

Yes, having ubiquitous (or just mostly available) credentials can help
voting applications and processes quite a bit... but there does need
to be a buffer between *authentication* (verifying that a particular
set of credentials belongs to a particular human) and whatever token,
key, etc. is used to *authorize* the casting of the ballot.

Yes, but it is a problem for which we have to have to develop a workable solution, because it is not just a problem for voting, but for digital interactions generally in our daily lives. Everyone stealing everyone else's identity from microsecond to microsecond is even less workable. Imagine everyone being able to write checks on everyone else's bank accounts or use everyone else's credit cards. And banks think they can solve the problem by demanding SSNs of all their account signatories?

Ultimately we would need quantum-encryption systems entangled with our brains, except that our brains are not static, but are evolving processes. There may ultimately be no way to authenticate humans because we are always changing. If people think the world has become unmanageable, they haven't seen anything yet. The singularity approacheth.

I'll respond to further email on this thread off-list, as I realize
that not many out there are likely technophiles. ::)

You just never know when a geek will pop out of a whack-a-mole system.

-- Jon

----------------------------------------------------------
Constitution Society               http://constitution.org
2900 W Anderson Ln C-200-322              Austin, TX 78757
512/299-5001                   jon.roland@constitution.org
----------------------------------------------------------