[These were both posted today on Dave Farber's mailing
list. I think Peter makes a lot of good points. While
the system that Ed talks about shows promise, I don't
think there has been enough substantial review of this
system to conclude that it indeed solves all the problems
he claims. As I have said before, just because you
issue an invitation to hackers to hack your system
and nobody succeeds, that's still not proof that your system
is secure. This is not to say that there are necessarily
problems with the Safevote system, but it is certainly
too early to conclude that there are no problems with it. --LFC]
>Date: Sun, 3 Dec 2000 9:59:37 PST
>From: "Peter G. Neumann" <neumann@...>
>Subject: Perspective on election processes
>
>We have long noted in this forum and before that in the ACM Software
>Engineering Notes (which I created in 1976 and edited for 19 years, until
>succeeded by Will Tracz -- who has carried on the tradition) that there are
>very serious actual and potential problems in computer-related elections.
>The current issue of *The New Yorker* (4 Dec 2000) begins with The Talk of
>the Town section by considering the current mess: ``But it is not as if we
>were without warning.'' The article notes the series of writings of David
>Burnham in *The New York Times* in 1985 and Ronnie Dugger's long article in
>*The New Yorker* issue dated 7 Nov 1988. The article notes that Dugger's
>1988 article quotes Willis Ware, who has long been a wise observer:
>
> There is probably a Chernobyl or a Three Mile Island waiting to happen
> in some election, just as a Richter 8 earthquake is waiting to happen
> in California.
>
>Many people have been asleep at the wheel for too long. See the Election
>material on my Web site
> http://www.csl.sri.com/neumann
>for pointers to some of the collected RISKS-historical material, especially
>the Illustrative Risks section on Election Problems, a document in which
>I have long cited Burnham's articles from *The NY Times*, 29 and 30 Jul, 4
>and 21 Aug, and 18 Dec 1985. (I have already noted the 14% undervote for
>the Senate race in Florida in 1988.) What we are experiencing now is not a
>new problem. Unfortunately, it had not previously reached Chernobyl-like
>proportions or surfaced in a close presidential election. Nevertheless, the
>process that is currently before us is finally forcing an examination of
>many of the relevant issues. I hope that some of the more basic deeper
>issues will not be ignored in trying to resolve the immediate issues. The
>time has come for a serious reassessment of the entire process.
>
>Apologies for the long gap since the appearance of RISKS-21.12 on 11 Nov
>2000. We have received an enormous amount of e-mail on this topic, although
>some of it has been superseded by events, and some of it is too politically
>motivated to include here. There are so many issues at the moment, such as
>chad slots that have not been cleaned in many years, the causes of dimpled
>punched cards, absentee ballot irregularities, the desirability of manual
>recounts in Florida and New Mexico and elsewhere, etc., that we cannot begin
>to enumerate them here. On the other hand, objectivity would seem to be
>extremely desirable at this time.
>
>Let me offer just a few suggestions:
>
> * In the UK, Canada, France, Germany, and many other places, ballots for
> national elections consist of a single piece of paper with one candidate
> to be selected for one office. This is an extremely reliable process, is
> counted very quickly in a highly distributed fashion, and seldom
> challenged. Perhaps in the U.S., elections for the President should be
> considered a Federal function and conducted by a one-issue paper ballot,
> with all other election issues run by local jurisdiction in their own
> way, as is the case at present. Even in such a simple paper ballot, the
> challenges of avoiding fraud and accidents are significant, but by no
> means unsolvable. The reliability can indeed be greater than in all of
> the alternatives.
>
> * If ballots are to be recorded and counted electronically, some sort of
> nonforgeable, nonalterable, and nonbypassable audit record must exist to
> make electronic tampering and accidents infeasible. Of course, voter
> privacy also needs to be honored. No existing electronic systems have
> anything close to what might be considered adequate, and the election
> system developers (with proprietary closed-source code) do not seem eager
> to take the extra miles needed for greater integrity. Claims of
> integrity are not backed up by standard practice of secure systems
> (which itself is extraordinarily weak), and no one seems to be applying
> even the relatively minimal standards of the Generally Accepted System
> Security Principles
> http://web.mit.edu/security/www/gassp1.html
> or reasonable certification processes.
>
> * Voting by the Internet, even if only from well established polling
> places, is and will remain extraordinarily risky because of the inherent
> untrustworthiness of computer systems attached to the Internet and
> indeed the networking itself. It should not be recommended for use
> in the foreseeable future.
>
> * Fraud and accidents must be anticipated throughout the election process.
> Election systems must be designed, implemented, and operated as systems
> in the large, and the human interfaces (for voters, administrators,
> maintenance personnel, etc.) must be considered as integral parts of
> the system. Any system should have live checking for invalid ballots.
> This existed decades ago in lever machines, and is common in electronic
> systems. If punched cards survive after 2000, card systems could easily
> include a single precinct display device that checks for overvoted or
> otherwise invalid ballots and for undervoted ballots before they are
> deposited.
>
> * I previously noted the doctoral thesis work of Rebecca Mercuri. She has
> devoted an entire dissertation to the topic of election system integrity,
> and particularly the conflicts inherent with process integrity and voter
> ballot privacy. The thesis takes a broad system approach to voting
> security/integrity/reliability, and is in fact relevant in a much broader
> context. Highly recommended. For information, see her Web site:
> http://www.seas.upenn.edu/~mercuri/evote.html
> Rebecca also considers a proposal for an auditable paper trail of each
> electronic ballot that is verified by each voter before leaving and
> automatically deposited in a tamperproof receptacle. This is still not
> enough, but is worth considering as one more integrity measure. (For
> example, voters should not be allowed to photograph that record, because
> of the requirement that votes must not be salable, for example based on
> paper evidence of how you voted!)
>
>Many wags have cited the aphorism that perfection is the enemy of the good.
>In election systems, there will never be perfection. But the existing state
>of the art is the enemy of sanity, and a rush to all-electronic voting is
>utter madness -- even though it may appeal to advocates of conceptual
>simplicity. It is by no means an easy path, if all of the desired
>requirements of the voting process are to be satisfied. And there is an
>enormous gap between the concept and an implementation that provides any
>real assurances.
>
>Date: Sun, 10 Dec 2000 10:19:54 -0800
>From: Ed Gerck <egerck@...>
>
>Dave Farber wrote:
>
> > >Date: Sun, 3 Dec 2000 9:59:37 PST
> > >From: "Peter G. Neumann" <neumann@...>
> > >Subject: Perspective on election processes
> > >
> > ....
> > > * Voting by the Internet, even if only from well established polling
> > > places, is and will remain extraordinarily risky because of the inherent
> > > untrustworthiness of computer systems attached to the Internet and
> > > indeed the networking itself. It should not be recommended for use
> > > in the foreseeable future.
> > >
>
>The concern is justified but Peter ignores that there is a hacker-proof way
>to make an Internet-connected computer as secure as a non-connected one.
>The method was made public in its details and fire tested in a week-long
>24-hour-a-day open attack test -- as reported in USA Today, Wired, and
>in http://www.safevote.com/tech.htm
>
>As long as the endpoints fully control the cryptographic key agreement and
>node addressing schemes used, the "Internet as a transfer medium" is extremely
>reliable in accurately delivering opaque blobs of encrypted and certified data,
>while Denial-of-Service (DoS) attacks can be forestalled by using the stealth,
>moving target technology described in http://www.safevote.com/tech.htm.
>
>Indeed, the Internet can support reliable and secure transactions, and does so
>regularly, as long as all endpoints of the transactions are under the control
>of a single authority even if multiple keys are used. People are generally
>unaware of this quality because it is not the "standard mode of operation"
>employed by the public in web browsing or sending an email.
>
>Further features of the security design are described in The Bell of November
>at www.thebell.net, with design principles and limits in the website at
>http://www.safevote.com/aboutus.htm, and are exemplified in the demo at the
>website at http://www.safevote.com/demo2000/index.html, besides clarifications
>at http://www.safevote.com/contracosta/index.html#Report and
>http://www.safevote.com/tech.htm
>
>Cheers,
>
>Ed Gerck
For archives see: http://www.interesting-people.org/
=====================================================================
This message was distributed through the e-lection mailing list.
For info and archives see http://www.research.att.com/~lorrie/voting/
=====================================================================
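Neumann's suggestion above of a precinct device that checks each ballot for overvotes, other invalid marks, and undervotes before it is deposited, worked through as an added example. This is illustration code written for this page, not anything from the posts, from RISKS, or from Safevote. The contest layout, the vote-for-N limits and the four sample ballots are constructed; the accept/warn/reject actions are an assumed precinct policy (an overvote or a stray mark gets the voter a replacement ballot, an undervote gets a confirmation prompt), and the check is generalised to multi-seat contests rather than only the single-winner office the text mentions.

```python
"""Precinct-level ballot check of the kind suggested in the post above.

Before a ballot is deposited, flag every contest that is overvoted (more
marks than the contest allows), undervoted (fewer marks than allowed,
including none), or marked for a choice that does not exist on the ballot.

Added example, not code from the original posts. Contest definitions,
sample ballots and the accept/warn/reject policy are constructed.
"""

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Contest:
    """One contest on the ballot: the valid choice ids and how many may be marked."""
    name: str
    choices: frozenset
    vote_for: int = 1  # "vote for N"; 1 for a single-winner office


@dataclass
class CheckResult:
    overvoted: list = field(default_factory=list)      # (contest, marks seen, marks allowed)
    undervoted: list = field(default_factory=list)     # (contest, marks seen, marks allowed)
    unknown_marks: list = field(default_factory=list)  # (contest, sorted unknown ids)

    @property
    def action(self) -> str:
        """What the precinct device does before the ballot is deposited (assumed policy).

        'reject' : an overvote or a mark for a nonexistent choice means the
                   ballot cannot be counted as marked; offer a replacement.
        'warn'   : every contest is readable but at least one is undervoted;
                   ask the voter to confirm that leaving it blank was intended.
        'accept' : every contest carries exactly the allowed number of marks.
        """
        if self.overvoted or self.unknown_marks:
            return "reject"
        if self.undervoted:
            return "warn"
        return "accept"


def check_ballot(contests, marks) -> CheckResult:
    """Validate one ballot.

    contests: iterable of Contest describing the ballot layout.
    marks:    mapping contest name -> iterable of marked choice ids; a contest
              absent from the mapping is treated as left blank.
    """
    result = CheckResult()
    for contest in contests:
        marked = set(marks.get(contest.name, ()))
        unknown = marked - contest.choices
        if unknown:
            result.unknown_marks.append((contest.name, sorted(unknown)))
        # Only recognised marks count against the limit; an unknown mark
        # already makes the ballot unreadable on its own.
        n = len(marked & contest.choices)
        if n > contest.vote_for:
            result.overvoted.append((contest.name, n, contest.vote_for))
        elif n < contest.vote_for:
            result.undervoted.append((contest.name, n, contest.vote_for))
    return result


# Constructed sample layout: a single-winner office and a vote-for-two board seat.
SAMPLE_CONTESTS = (
    Contest("President", frozenset({"P1", "P2", "P3"}), vote_for=1),
    Contest("School Board", frozenset({"B1", "B2", "B3", "B4"}), vote_for=2),
)

# Constructed sample ballots, as the precinct reader would report the marks.
SAMPLE_BALLOTS = {
    "clean": {"President": {"P2"}, "School Board": {"B1", "B3"}},
    "overvote": {"President": {"P1", "P2"}, "School Board": {"B1", "B3"}},
    "undervote": {"President": set(), "School Board": {"B4"}},
    "stray_mark": {"President": {"P9"}, "School Board": {"B1", "B2"}},
}


def check_sample(name: str) -> CheckResult:
    """Run the check on one of the constructed sample ballots."""
    return check_ballot(SAMPLE_CONTESTS, SAMPLE_BALLOTS[name])


if __name__ == "__main__":
    for name in SAMPLE_BALLOTS:
        r = check_sample(name)
        print(f"{name:>10}: {r.action:6} over={r.overvoted} "
              f"under={r.undervoted} unknown={r.unknown_marks}")
```

Run directly, it classifies the four sample ballots. The undervote warning is deliberately non-blocking, since leaving a contest blank is a legitimate choice; only marks that make the ballot uncountable as cast lead to a rejection, and in either case the voter learns of the problem while the ballot is still in hand rather than after the count.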