Electronic vote poses big security risk

bonkey

Originally posted by Fooger
the count in a paper-vote is still a transparent system and therefore has an inherent advantage.

I fail to see the advantage.

As Shinji already pointed out, if you're gonna cheat the system, you do so before the count, not during.

If you honestly believe there is an advantage, then please tell us what it is.

My point being that if the e-voting system is so tamper-proof why NOT use a receipt and cartridge.

Simple - because it is unnecessary. It serves no practical purpose. It introduces risks (such as the afore-mentioned ability to sell your vote, given that you can now prove what way you voted.)

Its the same reason that a paper-based vote doesnt supply you with a carbon copy of your voting paper as a receipt. Its unnecessary, serves no practical purpose, and introduces risks.

The e-vote system would then therefore have to be perfect which I doubt it is.

OK - let me say this one last time because it doesnt seem to be sinking in.

The e-voting system in Ireland is not perfect, not transparent, and not proven to be secure enough for anyone's liking.

This, however, has no bearing on the argument that e-voting can be transparent, proveably secure, and as close to perfect as mankind is capable of.

Like I've already said - corrupt paper-based elections do not mean paper-based systems cannot be dependable. Similarly, badly designed e-voting systems have no bearing on the dependability which is achievable when the design is correct.

Look at it this way....

what if we said...fine...the e-voting system will generate a hard-copy, machine-readable summary of all the votes, which will be handled by counting machines, and made available to the public.

This way the public can verify that the count is accurate.

BUT, I hear you say....how do we know the machine-readable output is correct. Well, quite honestly, you dont. Then again, as Shinji already pointed out, how do you know the boxes being counted accurately represent the votes cast? You dont. In both cases, you have to take someone else's word for it.

Now, I can take this analagy, and show that you can cut out the need for the machine-readable results to be in any format bar electronic. I can show how we can have at least as much faith in an electronic vote collection/storage system as we can have in a paper-based one, and probably more so.

Note I am still NOT talking about the current Irish implementation.

jc

Fooger

At no point did anyone say that there should be a machine-readable printout. As was it would be a receipt or card which would then be put into a ballot box to verify the electronic vote. Any receipt system that does not let the voter see there own receipt would be a flawed system and I also doubt they can prove to someone else how they voted when said receipt is in the ballot box. This has been gone over already. No system can be perfect but with no way to really crosscheck the electronic vote you are just putting a dangerous flaw in the system.

bonkey

Originally posted by Fooger
No system can be perfect but with no way to really crosscheck the electronic vote you are just putting a dangerous flaw in the system.

And exactly how do you perform the equivalent cross-check on a paper-based ballot?

Or, if you dont, why do the same dangers not apply?

jc

aine

whatever about the security risk...is anybody else going to miss the excitement and the atmosphere that defines count centres???
the tallymen's first estimates etc......
I mean does anybody else think that the manner in which Nora Owen lost her seat in the last election was a complete anticlimax to her career in politics??? at least by the old system she would have had some idea that it was coming, but she became Fine Gael's first casualty in such a horrible fashion!!e-voting completely dehumanises the system and makes it into something very clinical!

ironape

this argument comes up everywhere: crypto, electronic money, paper money, email....blaa blaa blaa.

It all boils down to the fact that we are all big hypocrites. On the one hand we complain that a new technonlogy isn't safe/invades our privacy/makes life sterile, yet it is these technologies that, over time, we embrace blindly and wholly.

Valid credit card numbers can be made up from a formula that a ten year old could understand. I certainly wouldn't call that safe. A couple of months ago my sister received a strange credit card bill with transactions somewhere in spain. Now obviously she didn't have to pay these because she bought something five minutes later 1000 miles away so there wasn't much difficulty in convincing the credit card company that it wasn't a valid transaction. Yet, in reality we (credit card holders) are the ones who have to pay for these poor security holes (someone has to). So we use a very poor technology and pay to get shafted by it. Doesn't make sense to me.

Back to the point: The e-voting system has the potential to be as weak as the paper system but it (e-voting) has the advantage of having the potential to be much, much more secure than the paper sysem. So the problem lies not with the idea of e-voting itself but with its implementation (which in my opinion is poor - anyone who adopt a security through obscurity method is copping out in my book).

So: its our own fault

Ape

bonkey

Originally posted by ironape
Valid credit card numbers can be made up from a formula that a ten year old could understand. I certainly wouldn't call that safe.

Now, see, theres more of it. Explain why it isnt safe. GO on. Here...let me help you on your way.....

1) Physical transactions need the card.

Your knowledge of the formula is useless here unless you have some serious card-counterfeiting technology. Also, youre limited to constantly spending under the floor limit and praying that youre not in the 1% of people who get hit by random auths at this level, which will involve sending the real cardholder name, expiration date, etc to Visa for verification.

2) Phone-, mail- and internet- based transactions all require the card-holder name, and expiration date of the card.

Again, your formula is useless without carholder-specific information...which, if you were able to obtain it, would make the formula obsolete.

In fact, I'd love to know how this formula isnt safe, given that Visa et al each sent millions developing a system which was specifically designed to be safe even though the formula you speak of would be well known.

Fear of technology is nothing more than fear of change. People are blindly willing to trust systems they know, or that have been around long enough, but will not accept the same flaws in any new system....mostly because such flaws are "too risky".

jc

ironape

I used to work at....a place...(nothin dodgy)that dealt a lot through credit card transactions - probably half (or more) of their business (phone and face-to-face). And they ONLY used the credit card number to validate the transaction. The card numer was checked against the formula - you could type in gobeldygook for the name, address whatever...people often did (eg. I.P.Freely, I.C.Weiner....) and it wouldn't matter, only the number needed to be a possibly valid number. This was not reassuring considering the staff *frequently* stole from them (cash, not credit cards). However, I once witnessed a person making one up "for a laugh" (he did refund it afterwards). Maybe this type of business is the exception rather than the rule, I don't know. But if visa/mastercard allow a business to operate with that kind of relaxed attitude (and software package) then my faith in the security of a credit card is not entirely firm, considering the moral values of the staff working there. Again I'm sure this is a minority case.

Ok, so physically having the card is needed when you're shopping face-to-face but online I would be to differ. Are credit card names checked against numbers online, live ? I don't personally have any experience with this so I don't know. Anyone care to inform us?

Ape

bonkey

Originally posted by ironape
I used to work at....a place...(nothin dodgy)that dealt a lot through credit card transactions - probably half (or more) of their business (phone and face-to-face). And they ONLY used the credit card number to validate the transaction.

I used to work for a Credit Card issuer/receiver.

Your company was in violation of Visa regulations.

Ok, so physically having the card is needed when you're shopping face-to-face but online I would be to differ. Are credit card names checked against numbers online, live ? I don't personally have any experience with this so I don't know. Anyone care to inform us?

Online you require name, card billing address, expiration date, as well as the number. These regs are, if I remember correctly, identical (or almost identical) to mail-order regs.

You may not need the billing address if there arent physical goods being purchased....I cant remember. You do still require the carholder name (as it appears on the card) and the expiration date.

jc

ironape

I have no doubt that the company was violating visa regulations but I would have thought visa would have inspected the equipment or at least the company would have to report to visa what type of equipment they were using. The company started business with the same software package that they use today(as far as I know) so surely visa must have asked them what hardware/software they were going to use when they were setting up their business? So either they lied (improbable) or else visa allowed them to use this package which, by its very nature, is against their regulations.

Maybe they just do so much business they don't care?

It's visa's responsability to make sure companies are using equipment within their specifications. If people are allowed to use hardware/software which do not meet these requirements then thats a big fat security hole. More importantly, companies are allowed write commercial software packages whose basis is visa's transaction systems and sell them? surely visa know about this? So why do they let people do it? its a big security hole.

Ape

bonkey

Originally posted by ironape
I have no doubt that the company was violating visa regulations but I would have thought visa would have inspected the equipment or at least the company would have to report to visa what type of equipment they were using. ...

So why do they let people do it? its a big security hole.

What is most probably happening is that the company has a license to accept face-to-face transactions, which do not require any information about expiration date etc. - these are supposed to be checked manually by the shopkeeper.

They are then using this license to perform other Visa transactions that they are technically not allowed to. However, unless someone actually complains, Visa have no way of knowing that the transactions they receive were not face-to-face, but actually from phone-calls.

This is exactly the point I was driving at. The problems with the existing systems - voting and credit cards - are open to all sorts of abuse, and it is honestly only those who understand the current systems fully who can see their true strengths and weaknesses. Yet those who do not have that knowledge are still willing to accept them because, well, they seem to work. I happen to have a lot of knowledge about credit card systems, including a fair bit about the best ways to defraud them (which Im not willing to discuss, before anyone asks).

New stuff, on the other hand, is bad because the same not-so-fully informed people can see potential flaws (real or imagined) and this makes the new systems unacceptable. The fact that the same flaws may exist in the current system couldnt be important...cause, like I said, the current system works!!

Its flawed logic. If the current system can work with these flaws, then so can a newer system.

See - and I bet you all thought I was gone hopelessly off topic

jc

PH01

I'm not really concerned about the security element of electronic voting though i do think that if we got a paper receipt that would be posted into a ballot box would be a good idea just in case something happens to all that electonic stuff.

But what I'll miss is the excitement of count day. I took part in the tallies on count day last May and call me 'sad' but it was a fantastic experience. You got to see how the vote was going and who it was going to and where it came from. You found out really early who would be likely to be crying into their beer that night and who'd be swimming in champagne. I was there for the whole day and had then to be dragged from the place.
And the TV, radio and internet coverage is only brilliant. Nothing matches it.

With the electonic voting and results the witness element is taken away. When the polls close there will be two hours of counting and the results published. All over by midnight.
Not very exciting

ironape

why accept a system, existing or new, that has flaws?

I guess we're all just sheep in the end.



baaa.

MrPudding

Originally posted by PH01
I'm not really concerned about the security element of electronic voting though i do think that if we got a paper receipt that would be posted into a ballot box would be a good idea just in case something happens to all that electonic stuff.

What do you do if something happens to the paper stuff. Electronic media is not automatically super easy to destroy, damage or wipe, much the same as the paper used in ballots is not indestructabe. What exactly is it that makes electronic media easier to damage or destroy?

Again, I have not seen the specs but I would hope that that data storage media was well shielded and protected. If it is the case that it is not that has to change. If the engineers put there minds to it I'm sure they could do it.

I understand that people want it to be 100% secure and safe but I don't think that that would be possible. What would, IMO, be possible is a system that is more secure, more accurate, faster and more transparent than the current system.

Earthhorse

If there's really a concern about no cross check then when not have two separate pieces of software doing the tally. The applications could be programmed separately, one could be open source the other not. When the button's pressed a message is sent to both.

Once all votes are cast both programmes do their tally, one sends its result to the blue panel the other to the green panel. If the numbers don't match then the system's been compromised, neh?

ironape

but theres no point in having two programs doing the same thing when you can have one well written, secure one that will do the job properly. The program itself could have redundancies (ie. store the data twice, or three times in encrypted databases on seperate hardware). The machine could digitally sign the database or individual vote for that matter - then each vote would be individually verifiable, assuming the voting machine is physically secure.

Ape

seaghdhas

Would incorporating both methods into one be more trusted to everyone? Maybe a button can be pressed to remove all ambiguity, which would then punch a hole in one tape or another, which could then be counted by machine at speed with a possible manual counting method to back it up. A tape could be as anomymous as any other from the same polling station.

bonkey

Originally posted by ironape
but theres no point in having two programs doing the same thing when you can have one well written, secure one that will do the job properly.

Sure. Thats why Airbus put three seperately coded systems into their fly-by-wire aircraft, which compare answers, looking for unanimity or at least a majority decision.

Like I said at the outset...if this design method is safe enough to trust your life in an airplane with, it should damn well be safe enough to trust your vote with.

jc

Earthhorse

ironape, to reiterate what Bonkey's just said my point was about cross checking rather than data integrity.

seaghdas, your suggestion for me would remove a lot of the benefits of having the system at all. A manual tally will almost certainly produce a different result, particularly in large constituencies, due to human error. The benefits of having the system computerised are increased speed, accuracy and reduced cost. Your proposal would negate these affects.

seaghdhas

Isn't the issue largely to do with trusting a computerised counting system? Holes punched on one long tape for each ballot machine could be counted by machine, basically by reading the position of the holes on the allotted portion of the tape. These could be set up to be counted manually if there was a question about the result. It's a different answer to voting entirely electronically witha slip being printed which would then be counted if necessary since the process of counting electronically and manually is covered by a single physical entry, much like the manual system that exists already.

bonkey

Originally posted by seaghdhas
Isn't the issue largely to do with trusting a computerised counting system?

Only for people who refuse to accept the fact that computerised counting systems can be made 100% reliable....especially when you use multiple independantly coded systems each of which is taking th e same inputs, so you can compare the outputs.

Holes punched on one long tape for each ballot machine could be counted by machine, basically by reading the position of the holes on the allotted portion of the tape.

Sure...and you can replace tape with CD-ROM and burn the bits, or with a HD and store the bits electronically. There is no need to use paper. Besides, with paper, you are still open to the "chad fiasco" of the Florida count - what if the paper only gets partially punched?

For any problem you can imagine with computers (other than hardware failure) there is an analagous problem in a manual or hybrid system, but people refuse to accept that they are actually analagous.

Hardware failure, incidentally, can be worked around.

jc