March 26, 2017

Internet voting-a-go-go

Yes, we know that there’s no such thing as a perfect voting system, but the Estonians are doing their best to get as far away from perfection as possible. According to the latest news reports, Estonia is working up a system to vote from mobile phones. This follows on their earlier web-based Internet voting. What on earth are they thinking?

Let’s review some basics. The Estonian Internet voting scheme builds on the Estonian national ID card, which is a smartcard. You get the appropriate PCMCIA adapter and you can stick it into your laptop. Then, through some kind of browser plug-in, it can authenticate you to the voting server. No card, no voter impersonation. The Estonian system “avoids” the problem of voter bribery / coercion by allowing the voter to cast as many votes as they want, but only the last one actually counts. As I understand it, a voter may also arrive, on election day, at some sort of official polling place and substitute a paper ballot for their prior electronic ballot.

The threats to this were and are obvious. What if some kind of malware/virus/worm contraption infects your web browser and/or host operating system, waits for you to connect to the election server, and then quietly substitutes its own choices for yours? You would never know that the attack occurred and thus would never think to do anything about it. High tech. Very effective. And, of course, somebody can still watch over your shoulder while you vote. At that point, they just need to keep you from voting again. They could accomplish this by simply having you vote at the last minute, under supervision, or they could “borrow” your ID card until it’s too late to vote again. Low tech. Still effective.

But wait, there’s more! The central database must necessarily have your vote recorded alongside your name in order to allow subsequent votes to invalidate earlier votes. That means they’ve almost certainly got the technical means to deanonymize your vote. Do you trust your government to have a database that says exactly for whom you voted? Even if the vote contents are somehow encrypted, the government has all the necessary key material to decrypt it. (And, an aforementioned compromised host platform could be leaking this data, regardless.)

Okay, what about voting by cellular telephone? A modern cell phone is really no different from a modern web browser. An iPhone is running more-or-less the same OS X and Safari browser that’s featured on Apple’s Mac products. Even non-smart-phones tend to have an environment that’s powerful and general-purpose. There’s every reason to believe that these platforms are every bit as vulnerable to software attacks as we see with Windows systems. Just because hackers aren’t necessarily targeting these systems doesn’t mean they couldn’t. Ultimately, that means that the vulnerabilities of the phone system are exactly the same as the web system. No better. No worse.

Of course, crypto can be done in a much more sophisticated fashion. One Internet voting system, Helios, is quite sophisticated in this fashion, doing end-to-end crypto in JavaScript in your browser. With its auditability, Helios gives you the chance to challenge the entire client/server process to prove that it maintained your vote’s integrity. There’s nothing, however, in Helios to prevent an evil browser from leaking how you voted, thus compromising your anonymity. An evil election server could possibly be prevented from compromising your anonymity, depending on how the decryption keys are managed, but all the above privacy concerns still apply.

Yes, of course, Internet and cell-phone voting have lots of appeal. Vote from anywhere! At any time! If Estonia did more sophisticated cryptography, they could at least have a hope at getting some integrity guarantees (which they appear to be lacking, at present). Estonians have absolutely no privacy guarantees and thus insufficient protection from bribery and coercion. And we haven’t even scratched the surface of denial-of-service attacks. In 2007, Estonia suffered a large, coordinated denial-or-service attack, allegedly at the hands of Russian attackers. I’m reasonably confident that they’re every bit as vulnerable to such attacks today, and cell-phone voting would be no less difficult for resourceful attackers to disrupt.

In short, if you care about voter privacy, to defeat bribery and coercion, then you want voters to vote in a traditional polling place. If you care about denial of service, then you want these polling places to be operable even if the power goes out. If you don’t care about any of that, then consider the alternative. Publish in the newspaper a list of every voter and how they voted, for all the world to see, and give those voters a week to submit any corrections they might desire. If you were absolutely trying to maximize election integrity, nothing would beat it. Of course, if you feel that publishing such data in the newspaper could cause people to be too scared to vote their true preferences, then maybe you should pay more attention to voter privacy.

(More on this from Eric Rescorla’s Educated Guesswork.)

Comments

  1. Sami Liedes says:

    What seems even worse to me about this issue is that I have yet to hear any real criticism of this system from any Estonian. I live in a neighboring country (Finland) which tried e-voting (but not on your own computer) a couple of months ago and lost a big chunk of votes. The case is now in the Finnish courts. Even here some politicians used to point to Estonia as an example of a working electronic voting system. If they can do it, why couldn’t we?

    Perhaps it’s just because I don’t follow Estonian media, but I do tend to follow news about technology and rights issues. I’ve read about the Estonian voting system from many mainstream sources, all of them astonishingly quiet about the problems in this approach. It’s almost if nobody in Estonia cared.

  2. “But wait, there’s more! The central database must necessarily have your vote recorded alongside your name in order to allow subsequent votes to invalidate earlier votes. That means they’ve almost certainly got the technical means to deanonymize your vote. Do you trust your government to have a database that says exactly for whom you voted? ”

    I’m not a PKS expert, but couldn’t the voting system use a one-way hash (using, perhaps, the voter’s private key and the voting system’s public key, plus a pin chosen at the time the vote is cast) to securely (as in not reversably) identify the vote-caster yet still allow for vote substitution? There would still have to be some way to disllow multiple vote “hashes” per voter, though…

    • I’m not an expert either, but hashing or even cryptography isn’t much of a solution. Only a very small amount of data, how one voted, is actually secret in any significant way and the amount of total data is also fairly small. The first fact makes known-plaintext attacks very effective and the second one effects fast calculations.
      IDS may help there, but an election in which you end up blocking people from voting isn’t very useful.
      And one still needs to be able to count all the encrypted votes, so an unknown PIN isn’t very useful either.

  3. After digging around for more information on how voting is processed in Estonia, I do not think there is enough information on which to make a judgment. Every system has (or should have) checks and balances. What do the folks use in Estonia? Dunno.

    Dan, you attempted to put voting risks on a quantitative basis earlier (a good thing). Here you are not paying enough attention to likely probabilities. Subverting one vote is not meaningful. To have a meaningful effect you have to subvert a lot of votes, and makes some attacks unprofitable or risky.

    This deserves a more careful run-through, with more knowledge of the exact process. They may have a lower risk of subversion than processes commonly used in the US. Would be kind’a embarrassing to find you criticized a process better than ours.

  4. I’m basing my judgements on what I’ve been able to learn so far. My analysis of two different attacks fits nicely into my earlier framework. The hacked browsers/hacked phones/evil election administration attack is what I’d call a O(1) attack, both for anonymity and integrity. Constant effort, huge payout. The shoulder surfing / phone borrowing attack is an O(N) attack. The burden is really on the Estonians to prove otherwise.

    Probabilities have nothing to do with it. My paper went into great detail as to why I feel that there’s no meaningful way to quantify the probability of an election attack occurring. Either it’s easy or it’s hard, period.

  5. For the system to allow a person’s vote to be replaced, there must be a means by which that particular person’s candidate selections can be determined.

    Using paper ballots, it would be possible to allow people who vote absentee to change their votes and yet retain secrecy; have the physical absentee ballots sent to the polling place. If someone who had voted absentee wants to register a different vote, the election officials would hand the person the sealed envelope in which they had mailed their ballot. The person could inspect it for tampering in front of the officials, and/or request that it be destroyed so he could get a new ballot. Once polls close, all the sealed envelopes would be opened and the contents co-mingled, with members of both parties present to ensure that nobody was observing things they shouldn’t.

    For that general approach to work, however, it must be possible for trustworthy people to ensure that the information about which identify which voter cast which ballot is destroyed before anyone can covertly capture it. When handling paper ballots, that could be done by giving election officials equipment to open envelopes and extract the contents without anyone having to look at them. If it’s impossible to read the ballot while it’s in the sealed envelope, and impossible to tell where it came from immediately after it’s removed, confidentiality will be ensured.

    Unfortunately, maintaining the confidentiality of digital data is a much harder problem. While paper elections can be made secure if anyone is trustworthy, digital elections can only be secure if certain key people are trustworthy. A much more difficult assurance.

  6. Yuliy Pisetsky says:

    I’ve looked at This PDF from the Estonian National Electoral Committee, and the risk of the central system knowing who you voted for seems to be mitigated by keeping the votes encrypted until Election Night, when they’re moved to a physically separate system that has the private key to decrypt them.

    That said, there is a way to fix this to prevent the government from having all of the pieces (private key and voter-signed votes): Allow for multiple tabulating organizations. These could be NGOs, the electoral committee, or any other large, credible organizations. Ideally there would be enough of these that any voter would trust at least one of these. The voter would then grab the public key of that organization, and encrypt their vote with that public key. Then the vote-splitting phase (taking the encrypted votes and the voter signatures associated with them and breaking them apart into voter lists and vote lists, and cancelling duplicates) would compile separate lists of encrypted votes for each of the trusted tabulators, then send those lists to the tabulators, who each produce a count of votes for candidates.

    Ideally at least one of these organizations will be an international organization which can be trusted to be free from government influence.

    The voter will then be able to verify with the election commission that they voted electronically (Note that this DOES leak the tabulator that the voter chose to the government, but that’s it).

    The electoral commission can verify that vote totals from each tabulator match the number of votes designating that tabulator.

    One potential weakness of this system is that you now have the results of the election in the hands of a multitude of tabulators. This can be remedied by having the voter select two distinct tabulators. This will allow the system to detect a single corrupt tabulator, as vote totals from the other tabulators will not match up. (Having the tabulators communicate information about pairwise results with each other using a public key system will prevent information from leaking; each tabulator just reports a MATCH or MISMATCH for each of the other tabulators).