On Wed, Oct 6, 2010 at 10:56 AM, Jon Roland <jon.roland@constitution.org> wrote:
> It is something of an overstatement to say that an effective defense is
> virtually impossible. It is possible in principle for each voter to get a
> digital key pair and digitally sign his ballot in a way that would
> authenticate him and also insure the ballot does not get altered, while
> maintaining secret ballot standards.
We should perhaps take this off-list... however, how do you propose a
voter would get a set of personalized cryptographic credentials that
she could sign her ballot in a way that would not connect the ballot
to her?
There's a rich literature developing in the use of cryptography in
voting, and the state-of-the-art uses things called "mixnet" shuffling
where a series of trustees shuffle and provide pieces of a larger
decryption key. I can put you in touch with people like Ben Adida who
know this literature very well.
> The entire voter registration list
> would have to be digitally encrypted to prevent ballot stuffing by
> fictitious voters. That would only leave the problem of someone looking over
> the shoulders of voters to unduly influence the way they vote, so the system
> would still need to have voters use voting booths where their votes could
> not be observed by others. Such booths could be made conveniently available
> everywhere, or even brought to voters unable to get to them otherwise.
I think you're underestimating the risks of client-side
vulnerabilities. That is, lately many of us on the technical side
have been thinking about the larger problem of "remote voting" (which
technically includes anything that is not traditional polling place
voting). The models include both supervised and unsupervised (are
there trained pollworkers present) and controlled and uncontrolled
architectures (is the voting machine the user's PC, or some sort of
known and hardened device like a simple, secure voting machine under a
secure chain of custody). It's these client-side vulnerabilities that
most of us are most worried about (and note that the DC hack did not
attempt to install viruses, etc. on voters' computers... it just
played the Michigan fight song).
> Needless to say, doing all this would be an enormously complex process that
> would be difficult for most voters to grasp. On the other hand, we are
> probably going to have to do something like that for personal identification
> generally, using not centralized identification systems, but a digital
> notary system based on circles of trust. This could lead to a situation in
> which most people are digitally connected, but a substantial part of the
> public is left unconnected, digital "nonpersons".
Yes, having ubiquitous (or just mostly available) credentials can help
voting applications and processes quite a bit... but there does need
to be a buffer between *authentication* (verifying that a particular
set of credentials belongs to a particular human) and whatever token,
key, etc. is used to *authorize* the casting of the ballot.
I'll respond to further email on this thread off-list, as I realize
that not many out there are likely technophiles. ::)
best, Joe
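An added illustration of the mixnet idea Joe sketches above (my own toy code, not from this thread or from any real voting system): each trustee holds one piece of the decryption key, each in turn re-randomises and shuffles the batch of encrypted ballots so the output order cannot be matched back to the voters, and decryption requires every trustee's piece. The group parameters, trustee count and vote list are constructed and far too small for real use; real systems also add zero-knowledge proofs that each mix preserved the ballots, which this sketch omits.

```python
import random

# Constructed toy parameters (far too small for real use): p = 2q+1, q prime, g of order q.
P, Q, G = 1019, 509, 4

def keygen(rng, n_trustees):
    """Each trustee keeps one share x_i; the election key is g^(x_1 + ... + x_n)."""
    shares = [rng.randrange(1, Q) for _ in range(n_trustees)]
    return shares, pow(G, sum(shares) % Q, P)

def encrypt(rng, pub, candidate):
    """Exponential ElGamal: ballot = (g^r, g^candidate * pub^r)."""
    r = rng.randrange(1, Q)
    return pow(G, r, P), pow(G, candidate, P) * pow(pub, r, P) % P

def mix(rng, pub, ballots):
    """One trustee's mix: re-randomise every ciphertext, then shuffle the order."""
    out = []
    for a, b in ballots:
        s = rng.randrange(1, Q)  # fresh randomness; the plaintext is unchanged
        out.append((a * pow(G, s, P) % P, b * pow(pub, s, P) % P))
    rng.shuffle(out)
    return out

def partial_decrypt(share, ct):
    return pow(ct[0], share, P)  # a^x_i: one trustee's piece, useless on its own

def combine(ct, partials, n_candidates):
    """Divide b by the product of all partial decryptions, then recover the index."""
    denom = 1
    for d in partials:
        denom = denom * d % P
    m = ct[1] * pow(denom, P - 2, P) % P  # Fermat inverse, since P is prime
    for c in range(n_candidates):
        if pow(G, c, P) == m:
            return c
    raise ValueError("ciphertext does not encode a candidate")

def tally(seed, votes, n_trustees, n_candidates):
    """Cast, pass the batch through every trustee's mix, then jointly decrypt."""
    rng = random.Random(seed)
    shares, pub = keygen(rng, n_trustees)
    cast = [encrypt(rng, pub, v) for v in votes]  # still in voter order
    mixed = cast
    for _ in range(n_trustees):
        mixed = mix(rng, pub, mixed)
    counts = [0] * n_candidates
    for ct in mixed:
        counts[combine(ct, [partial_decrypt(x, ct) for x in shares], n_candidates)] += 1
    return counts, cast, mixed
```

`tally(7, [0, 1, 1, 2, 1], 3, 3)` returns the per-candidate counts `[1, 3, 1]` along with the ballots in cast order and in mixed order, which no longer correspond position by position.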
_______________________________________________
election-law mailing list
election-law@mailman.lls.edu
http://mailman.lls.edu/mailman/listinfo/election-law