Why Anonymous Electronic Voting has Security Issues

[thorfinn]

In Australian Greens MP Adam Bandt's post "Do you think should people be able to enrol to vote online?", a number of people in the post also wanted to actually vote online (or electronically).

My response to that is that electronic voting is currently not possible to secure because of the requirement to preserve anonymity of voting.

With most electoral voting systems today, an essential part of the system is that the vote cannot be linked with the original voter. If votes can be linked to voters, then you open the likelihood that people may not vote honestly, because they can targeted due to the nature of their vote.

The difficulty is that all electronic data is essentially trivially copiable, and an edited version is usually indistinguishable from an original. For example, your computer copies the digital original every single time you look at something online - that's how it gets from the server to your computer so that your computer can even display it to you.

This text you are reading now has been copied in that way lots of times, and you could trivially make more copies of it, edit it however you like, and release a digital text which has been modified, but is in exactly the same format to the original text and nobody can truly verify which one was the real original.

There is only one kind of electronic data that is not editable in that way - that is electronic data which has been securely digitally signed in a non anonymous fashion. That means that if the data is edited, the digital signature will no longer match. For example, digital signatures are used by online banking systems to verify to your web browser that the online website you are talking to is actually the bank you think it is, not someone else pretending to be the bank.

The problem is, digital votes that are secure and verifiable must remain attached to their original digital signature - which fully identifies the voter. Once you detach the digital vote from the digital signature, they can immediately be trivially copied and faked (just like this unsigned digital text you are reading), and cannot be verified using any means.

No matter how much auditing you do on the software and hardware, at any point between the detachment of the digital signature and the final vote count, there is the possibility of trivial and currently impossible to check and verify against digital vote fraud.

Paper votes are physical objects which are much much harder to create copies and fakes of. Once the voter is identified, they can be given a blank voting paper, and the physical vote can then be passed around and verified without having any link to the voter any more.

As regards the original question posed, enrolling to vote online is actually fine, just like Internet banking and similar systems, the point is to be identified to prove that you are you. It could even tie in well to the electoral system at booths - secure identification that ties in with your digital enrolment at the tick off point in order to receive the physical voting papers would actually improve voting security, not decrease it.

In short: Online voter registration, no worries. Online voting, just no.

Comments

[chaos_crafter]

So in essence the problem is not of identity - as you say, we manage the disconnect in a physical environment. The problem is the fact that a digital ballot paper can be readily reproduced.
That to me suggests that we should be looking at the mechanisms that are used to handle that. In the physical form, the ballot paper is signed by the electoral officer to mark it as genuine - that can be reproduced digitally. The person filling in the document then modifies it - that could be done by anyone, but a local physical security is used to make sure that doesn't occur. Again that can be managed in a digital fashion, though I'll admit with some provisos. Finally the document is placed in a nominally secure facility for counting (again, this stage is easily replicated digitally).
In the real world, to interrupt that process means fiddling with the contents of the locked box, or adding false records to it - in the digital environment both of these are more readily prevented.
The other mechanism of attack is to interfere in the physical voting process - pretending to be someone else (you seem happy enough that this can be avoided), taking over the entire voting centre and forcing electoral officials to fill things in the way you want (not so common here, but not unknown elsewhere), or standing over the person voting to make them vote as you wish (This is to my mind one of the worst risks in digital voting.)

It seems to me that much of the digital process is exactly as securable. The issue is security within an application (which we don't trust) vs. security within a polling station (which at least here we can trust)
If we could secure and be sure of the application, then to my mind digital voting is able to be better secured than physical. The real problem is we can't prevent someone forcing others to vote as we wish, if they don't get to vote in an environment where they are safe from observation (and I don't just mean digital snooping)

Mind you, all this assumes you are happy you can secure a communications channel from user to polling app, and you have some mechanis to validate the applications - the equivalent of making sure you don't have armed scrutineers, or someone hiding a box of fake ballots in a corner somewhere.

Certainly, I'm not convinced digital voting is actually meaningfully different from physical, once you get people to turn up in person to vote.

[thorfinn]

The digital process is inherently vastly more difficult to secure than the physical process.

Just ask the RIAA, or anyone else interested in DRM.

A physical object is not trivially replicable, and modifications to that physical object leave traces that can be detected and found.

A piece of digital data is trivially replicable, and is trivially editable in the process, and the editing process generally leaves no identifying marks to indicate that the data has ben edited.

You cannot inspect the workings of a running application - even if you inspect the source code for the entire machine, it is exceedingly trivial to run a different binary code not built from that source. Or even to run binary built from that source, which is then modified on the fly by some trojan software installed elsewhere on the voting machine...

There are a *huge* number of points of possible injection of vulnerabilities on any computing system, starting with the manufacturer of literally any single component of the computing system, up through every single layer of the operating system, on to any piece of software running on the operating system, through to the very devices that transport data between that computer and anywhere else.

It's not practical to audit every level of that for a voting system, and then hand build and cross check and triple verify every installation.

Injecting malware into a physical polling station? That leaves rather heavy physical evidence and witnesses... and funnily enough, elections get looked at very oddly if none of the polling officials live through the day.

[pauamma]

http://cm.bell-labs.com/who/ken/trust.html

[pauamma]

I'm wondering whether a combination of blind signing and protocols similar to the digital cash ones described in Schneier would solve some of the problems.

[thorfinn]

Blind signatures mean that Bob can sign Alice's data without knowing what Alice has written... but Alice has to encrypt that data first. I guess in theory, Alice could then provide the random encryption key to Charlie, who deletes all trace of who it came from, and passes it to Dave, who can later decrypt what Bob has signed in order to reveal the vote.

But that's still damn complicated - and how are you going to get the normal public to actually securely encrypt their digital vote before sending it to Bob to sign, and only send their random encryption key to Charlie?

Also, Charlie and Bob can still conspire to just make up votes - all they have to do is generate their own list of encryption keys, and then Bob can sign whatever votes he likes...

The only way for Alice to validate that the vote was correct was to reveal the original key to Dave... who then knows how Alice voted. :-/

Any time you introduce a cut-out for anonymity, there's a point where you introduce loss of the ability to validate. That's the problem, fundamentally.

[bens_dad]

I agree. As far as I can see any system which allows the returning officer to prove to Dave that he has correctly counted Alice's vote reveals Alice's vote.

بانه

[(Anonymous)]

Thank you for being able to follow my favorite topics on your site and I am very happy. https://banehmarket.com
.

[cdybedahl]

"Impossible" is a big word... It took me less than a minute to come up with the idea of using a trusted intermediary layer (which we have in paper voting today too). You send a signed-by-you vote to the intermediary, which verifies your signature, signs the vote with its own key, securely logs the fact that you have voted and then deletes the vote you sent in. Presto, signed anonymous vote.

Now, I don't for a moment doubt that there are problems with that scenario. But I also don't doubt that if someone who actually knows crypto protocol stuff spent significantly more than a minute thinking about the problem it could be solved. Personally, I think the paper voting system we (as in Sweden) have works rather well and I don't think we should change it without thinking about the problem for several election cycles at least. But declaring that it's impossible to create an electronic system that works at least as well as paper ones... well, you need a much better argument than you're providing here.

[thorfinn]

No good. How do you validate that trusted intermediary is, in fact, trustworthy?

Trusted intermediary can sign as many votes that say "somebody voted this way" as they receive original votes, and nobody can validate that trusted intermediary has, in fact, done the right thing. You've in fact just introduced the man-in-the-middle attack directly.

With a paper vote, you can recount. With the e-vote, it's gone.

I *do* doubt that it is possible - you cannot reconcile the fundamental problem of retention of true anonymity and verifiability and recountability. For a digital object to be truly verifiable, it must be non-anonymously so. As soon as you introduce anonymity, you introduce a layer where verifiability is lost.

Impossible vs "not solved yet"

[thorfinn]

Actually, you know what? I apologise. Impossible is a big word, and I'm going to edit the post accordingly.

I'm still on the side of "there's a fundamental problem here that I don't believe is solvable", but I'm willing to be proven wrong.

[heliumbreath]

The case of a voter being threatened is an extreme case; vote-buying is something that used to happen quite a bit. Eve, acting as candidate's agent for the Bribery Party, offers modest sums of money to Alice, Bob, and Charlie if they'll vote for her candidate. The current ballot system (at least in Canada) tries to make it impossible for Alice to prove how she voted to anyone else, and thus Eve doesn't know if the vote went to the Honest Party instead and the vote-buying scheme fails.

[thorfinn]

*nod* Good point - vote buying is definitely a more common tactic, at least in western societies. :-)

[greylock]

People are stupid.
I can't help but hope the physical act of voting makes them think.

[thorfinn]

I hope it does too, but the cynic in me says that it doesn't. :-) If it did, we'd have a lot more minor party action.

[reddragdiva]

When I first voted in the UK, my head exploded when I saw that each ballot paper was numbered with the number recorded against my name. I nearly walked out and didn't vote. (I did vote and still do.)

[thorfinn]

Yeah, that would worry the heck out of me too. :-)

[vatine]

I believe that was actually gone, last time I voted in the UK. It made me happy to see a small amount of progress.

[bens_dad]

As reddragdiva says, the premise that voting is anonymous is not valid under the current long standing completely manual physical voting system in the UK.

I think the justification is that if I come in to vote and find that someone has already voted in my name (we don't have to prove our identity, just claim it, when collecting a ballot paper) the imposter's vote can be removed from the count.

However an electronic system would make it easier for someone to find out how an individual voted or generate a list of people who voted a particular way.

[thorfinn]

That is a bit odd, I have to say. I mean, if they don't require you to prove your identity (and in fact the AEC doesn't either, which I find interesting), then they can't tell which of you us the real Spartacus, and therefore which vote should be kept, if any...

[bens_dad]

Presumably if I claim that someone else has stolen my vote I will then be asked to prove my identity. I guess that means that we assume trust most of the time but can back-date verification of trust should anyone object.

If you kill me when I object then no one else can verify that it is my vote, so you get to keep the vote you stole :-(

[thorfinn]

*nodnod* Makes sense. I think that's what I'm talking about with online registration systems that might tie in with second-factor type verification too - if you have the ability to receive live SMS or perhaps even just to bring a recently generated printout of an appropriate QR code containing a dated and signed identifier from the online registration system, you can verify your identity live to the election official, who can then hand you your ballot paper and check you off on the central database as having voted, so nobody else can pretend to be you and vote.

Fallback if none of that works is the identity papers model and then the trust model, so that still works. The digital verification is just an extra layer on top that becomes available if people choose to use it.

Open field of research -- don't write it off so easily.

[(Anonymous)]

There are definitely problems with electronic (or, indeed, online) voting, but the conclusions you draw here are far too simplistic. If you look around you'll find that this is an open research area with a variety of relatively robust and developed solutions. Many of them suffer from various levels of complexity, but your assumption that anonymity and verifiable voting are mutually exclusive is simply not true.

Rather than going into the details, you might want to have a quick look at the Prêt à Voter system (http://www.pretavoter.com/index.php), which is a relatively recent approach that gives some strong properties. (For the details, read the paper: http://www.pretavoter.com/publications/PretaVoter2010.pdf)

There's plenty of other work on verifiable anonymous voting, using Chaumian mixnets; see, for example: http://www.rsa.com/rsalabs/node.asp?id=2062

Spotting the basic problems of electronic voting is fine, and there are certainly no commercial products available now, but your claim of impossibility (and that "no matter how much auditing you do on the software and hardware, at any point between the detachment of the digital signature and the final vote count, there is the possibility of trivial and currently impossible to check and verify against digital vote fraud") is simply untrue.

When looking at a problem like this, it's really worth Googling around a bit to see if anyone has approached the problems first. Electronic voting is a very active, and very interesting, current area of crypto research.

(No offence intended! It's great that people care about this topic. :D)

Re: Open field of research -- don't write it off so easily.

[thorfinn]

I can already see an anonymity vulnerability with Prêt à Voter - how do you guarantee that the ballot printouts have not been snooped at any point between their generation and the voter receiving the ballot? Whatever generates the ballot is supposed to delete the information - but digital information is trivially easy to copy and also actually resistant to deletion. Anything stored on a disk at any point is relatively trivial to retrieve using well known tools.

Even printers these days generally retain what they've printed - most of them have a disk in them to spool the item before printing it.

Yes, that system gives you verifiability, but it doesn't guarantee anonymity. It makes it less likely you'll have your anonymity violated - but it doesn't at all guarantee it, because you can't trust the printer to have actually deleted the ballot papers.

The Mixnets sound pretty good, but I do still see issues with anonymity before you even get to the mixnet on the voter end of things... Some piece of software has to encrypt the ballots and not snoop or modify them in the process. If you assume that voters are using some vendor software, rather than software they wrote themselves, then the ballot generating software can trivially modify the ballot before even sending it to the Mixnet...

I do see a lot of people approaching the problem - but what I also see is that you have a huge potential for issues, especially when you have to assume that any point where any electronic device is involved in the process is potentially completely untrustworthy. Someone else has already linked to Ken Thompson's trusting trust article, and nothing has changed at all about the issues in that space. You essentially cannot validate an entire computing system end to end.

As I admitted above in comments when called on it though, it may be possible - this post is no mathematical proof of impossibility. :-)

ETA: But - the basic problem I see *is* a logical conflict:

To preserve anonymity, the only person who should have knowledge of how an individual voter voted is the voter themselves.

Therefore, the only person who can validate that a specific vote is included and correct is the voter themselves.

In order for the individual voter to be able to validate that their vote was included *and* that the vote was included correctly, they must be able to determine after the election that their specific ballot was counted and what the content of the ballot was.

If the individual voter can do that, then their vote is no longer anonymous. (Even though it may be counted anonymously, which is what the Chaumian mixnet allows.)

[jeshyr]

OTOH for the purposes of "we should give an OPTION for electronic voting which MAY be taken up by somebody who finds physical at-poll-station voting difficult for any reason" the non-anonymity factor may not be a big problem (please excuse my RFCish capitalisation of keywords here).

Assuming that the vast majority (as now) will still vote at the polling place in the regular physical way, and that there's still an OPTION to use the anonymous-as-now postal vote (they double-bag these with the outer sealed envelope only being identifiable and the vote in the inner - with a presumably-trusted man in the middle), having the OPTION to use a non-anonymous electronic vote could be a real boon for remote, disabled, overseas, etc. peoples.

I think this is especially relevant for those whose disabilities prevent them from voting in an independent way anyway. Requiring physical help to fill in a ballot paper renders you non-anonymous in a very immediate way to somebody who's usually a person you depend on every day (and who therefore has both explicit and implicit power over you) whereas a signed digital ballot renders you non-anonymous to a probably-unknown polling official who probably has no immediate power over you or wish to make your life difficult because you didn't vote the way they wanted. Remembering that most blind people and a large number of quadriplegic and other-disabled people fit into these categories, it's a non-trivial category of voters who should be given a chance. And assuming you're implementing it for these people anyway, it would be stupid not to allow other voters the OPTION to make use of it.

r

[thorfinn]

I think the problem is that having a non-anonymous vote does potentially undermine the voting system.

Having non-anonymous votes open the possibilities of both:
1. Vote buying
2. Vote coercion

The difficulty is really that digital voting *is* more convenient - there's no doubt about it. The question is whether we are willing to sacrifice convenience for voting system integrity.

I think there's certainly a very good argument to be had that exceptions can (and should) be made from anonymity in the cases where the physical act of voting is already going to be non-anonymous (because the person in question requires physical aid to do it). As you say, it's not going to be an anonymous vote anyway, so you might as well at least defer the anonymity over to someone who's not directly connected to the voter.

But I think that opening that to everyone - that opens you to the potential of actual widespread vote buying.

Most of the electronic voting systems don't even seem to be trying to do anything along those lines though - they try to preserve anonymity , and I've yet to see a system that does so without compromising verifiability.

[jeshyr]

I had not thought of that. Damm.

There's always a catch, isn't there.