Estonia Urged To Drop Internet Voting Over Security Fears

Unknown Lamer posted about 5 months ago | from the still-better-than-a-diebold-machine dept.

Security 116

wiredmikey (1824622) writes "A team of global IT experts have urged Estonia to drop electronic voting from this month's European elections, saying they had identified major security risks. They also said the system's operational security is lax, transparency measures are insufficient, and the software design is vulnerable to cyber attacks. 'Estonia's Internet voting system blindly trusts the election servers and the voters' computers,' said U.S. computer scientist J. Alex Halderman, a co-author of the report released Tuesday. 'Either of these would be an attractive target for state-level attackers, such as Russia.'" The source for the voting system is available for anyone to inspect. The Estonian National Electoral Committee released a statement dismissing the researchers' claims: "At this point, we can give only preliminary answers to allegations published in the Guardian, as the researchers have not shared the full results of their work with us. The researchers met with officials from the electoral committee in October 2013, and could have contacted us at any point in the last 6 months to share the initial findings of their research. ... The researchers have not discovered any new attack vectors that had not already been accounted for in the design of our system as a whole. ... It is not feasible to effectively conduct the described attacks to alter the results of the voting. ... The electoral committee has numerous safeguards and failsafe mechanisms to detect attacks against the elections or manipulated results."


Nazi Estonia (-1, Flamebait)

For a Free Internet (1594621) | about 5 months ago | (#46999099)

Another statelet run by NATONazis.

Ooh... (3, Funny)

fuzzyfuzzyfungus (1223518) | about 5 months ago | (#46999141)

"Numerous safeguards and failsafe mechanisms to detect attacks"

In practice, doesn't that end up being an ass-covering official equivalent to "We're pretty sure that Norton hasn't expired and we probably ran Windows Update pretty recently unless the junior admin was out that day" fairly frequently?

Re:Ooh... (0)

Anonymous Coward | about 5 months ago | (#46999193)

Looking at the git repository linked in the summary, I think the "Numerous safeguards and failsafe mechanisms to detect attacks" is most accurately translated as "Linux is immune to viruses, right?"

Re:Ooh... (0)

Anonymous Coward | about 5 months ago | (#46999851)

Perhaps if you would actually take care to look at the code in the git repository, then you would have less stupid assumptions and more understanding of what "safeguards" and "failsafe" mechanisms are in this case.

Re:Ooh... (2)

hotdiggity (987032) | about 5 months ago | (#47000009)

Estonia has already weathered the brunt of a Russian cyberattack. They are recognized to be world leaders in cybersecurity at the government level, and host the NATO Cooperative Cyber Defence Centre of Excellence.

http://www.zdnet.com/the-poste... [zdnet.com]

So yes, I think their safeguards and failsafes extend beyond Windows Update and Norton. Open sourcing their code reduces the black-box vulnerabilities well beyond that level to begin with.

Re:Ooh... (0)

Anonymous Coward | about 5 months ago | (#47002555)

> So yes, I think their safeguards and failsafes extend beyond Windows Update and Norton. Open sourcing their code reduces the black-box vulnerabilities well beyond that level to begin with.

If you control the voting of a major nation you have access to billions of dollars. Estonia is a NATO ally and successful European Union member - their votes in the EU are probably worth Trillions of dollars alone. This is at the level where it might be worth making a dedicated chip plant just to produce special processors to compromise their voting machines. "failsafes" that "extend beyond Windows Update and Norton" would only be considered sufficient in this situation by a total clown.

There is only one solution to this; someone somewhere has to take a completely obscure anti-corporate anti-major party and anti-evoting grouping and give them 110% of their national vote. Put their candidates and members as write in ballots in every location in your country. The Pirate party would be a good choice.

After that has happened several times, mainstream parties will never again let voting machines be used. Any computer programmer working on voting who is not aiming for this goal is basically working as a traitor to humanity.

Re:Ooh... (1)

kwbauer (1677400) | about 5 months ago | (#47004547)

And on a different thread somebody was making the claim that nobody has ever posted such a comment.

Re:Ooh... (0)

Anonymous Coward | about 5 months ago | (#47001977)

Why yes. And what else could they do? Not merely because of the usual they're officials now with high risks of egg on their faces, but also because Estonia went big with the "digital" --digital voting, chipped identity cards, cyber-interfacing with the government, you name it-- and so they can't really afford for the chickens to come home to roost.

Re:Ooh... (0)

Anonymous Coward | about 5 months ago | (#47002403)

It's called a Cargo Cult. They use all the Hipster crap they can possibly use. Apache, Python, Smart Cards, Asymmetric crypto etc etc.

Of course they do not realize each of these Hipster things add Attack Surface. Pascal or Ada would not be Hipster enough.

Why do you need BEGIN and END if you can have the opportunity to change semantics of your code using wrong Vi tab settings ???

It is entirely possible NSA has broken RSA already, given their history (Enigma was once considered a top-notch cipher). Plus they are only as secure as the display device, which may or may not run lots of viruses.

Frank Gerlach
Gäufelden, Germany

bollocks (0)

Anonymous Coward | about 5 months ago | (#46999179)

We need more internet voting, less centralization and federal governments.

Re:bollocks (5, Insightful)

gl4ss (559668) | about 5 months ago | (#46999247)

maybe.

but for voting of the parliamentary DO NOT FUCKING USE INTERNET VOTING.

why? technical cheating? actually no. that's just one worry. even if it worked 100% secure the main problem of *being able to sell your vote* remains. that also means your spouse can intimidate you into voting who he/she wants. your employer can intimidate you to vote who they want you to vote for. the local mafia can pay a visit and demand you vote for their candidate.

Re:bollocks (1)

Savage-Rabbit (308260) | about 5 months ago | (#46999401)

> maybe.
>
> but for voting of the parliamentary DO NOT FUCKING USE INTERNET VOTING.
>
> why?

NSA..... nuff said.

Re:bollocks (1)

jader3rd (2222716) | about 5 months ago | (#46999427)

> the local mafia can pay a visit and demand you vote for their candidate.

That's just not scalable though. How many people can the mafia personally witness voting and have it affect an election, and keep it under wraps? Measures to prevent those scenarios are non-technical measures.

Re:bollocks (1)

Luckyo (1726890) | about 5 months ago | (#46999741)

In former Soviet countries?

As many as they want. All they need to do is hire additional hands.

Re:bollocks (1)

gl4ss (559668) | about 5 months ago | (#46999871)

every vote counts.
they can do enough.

but being deprived of your right to vote who you want is enough, even if it just happens for 100 000 or whatever, easily done if they have 1000 enforcers. but that's not really the point, it's enough that their candidate gets more votes than the candidate who wasn't cheating.

and they don't really need that much in estonia. if they got a party/coalition that gets without cheating 100 000 votes and they get 100 000 extra votes through cheating or whatever then they'll be the dominant party in estonia - and they don't really need that! all they need is a dominant candidate in the coalition/party and that takes just 30 000 or so votes. buuut what if many groups take these approaches? and women's magazines get to promoting the idea that if women don't get to choose the men's votes then men are not to get sex? and a few big industry employers get the bright idea of giving a bonus if they vote for company candidate *while at work* ? the result being that no candidate playing fair gets through...

Re:bollocks (0)

Anonymous Coward | about 5 months ago | (#47000389)

> That's just not scalable though. How many people can the mafia personally witness voting and have it affect an election, and keep it under wraps? Measures to prevent those scenarios are non-technical measures.

I would say that each person could monitor about 100 voters each if they first give the instruction "If you vote before I show up we will crush your knees."
That is only if they go with the verifiable intimidation.
They can also claim that they have an insider at the ISP and that they can see what you voted for. Sure, it might be a lie but people aren't going to risk their lives over it.

Re:bollocks (3, Informative)

gwolf (26339) | about 5 months ago | (#47002111)

I once asked this to an Estonian government person at an e-voting presentation in my country. Her answer: "We let you vote many times. Only the last one counts."

That would allow you to vote at the workplace, then go home and vote again.

Of course, you can gather people at the election day, two hours before booths close, and have everybody vote for $foo. Then, throw a party and lock them in (or something like that), and secure the vote is "right".

Re:bollocks (0)

Anonymous Coward | about 5 months ago | (#47003175)

Electronic voting lasts several days and ends before the election day. You can still change your electronic vote by using paper ballot voting on the election day.

Sure, someone might somehow obstruct a large number of people to cast their ballot on the election day, but you can imagine the same scenario even when there was no electronic voting in the mix.

How many do you need? (1)

gwolf (26339) | about 5 months ago | (#47002083)

In a small country with 1.3 million inhabitants, a couple tens of thousands of votes can be decisive.

Or: How small the margin for a polemic vote? In Mexico, we have had presidential candidates winning with a (much disputed) 0.55% difference to the second place. How many votes do you need to rig such an election?

Re:bollocks (1)

Rei (128717) | about 5 months ago | (#46999779)

That's easy. Let the user register as many accounts as they want with the electoral commission, with only one actually tied to their voter ID and actually tallied (note: registration should be *not* over the net! Should ideally be in person, with photo ID presented). A second party can thus sit right behind you during the election, watch you log in and cast a vote... and they have no idea if they were watching you actually vote or just register a fake vote on an account not connected with anything.

On the other hand, with paper voting, the person can (usually) just take a photo of their ballot with their cell phone to prove who they voted for.

There's a lot of opposition to internet voting. I get it; it's VERY easy to do wrong. But that doesn't mean it's *inherently* flawed. All types of voting systems have flaws. Most conventional voting systems have literally hundreds of ways they could be rigged, from the pathetically simple to the so-elaborate-only-the-CIA-could-pull-it-off. You'll never get 100% impossible to mess with from any system, internet or not. Internet voting adds its own new potential attack vectors and eliminates a number of ones from conventional voting.

The problem you mentioned, gl4ss, is one of the four main new vectors. The other three are DoS, compromised computers, and compromised software.

Actually, "compromised computers" isn't entirely new, compromised polling machines are a common fear that has on occasion proven true, and more concerningly, it's often impossible to prove whether they were compromised or not. The main solution to this for internet voting is actually every geek's favorite boogieman - Trusted Computing (you know, that set of hardware capabilities that was supposedly going to make it so that PCs can only run Windows and you won't be able to copy MP3s any more ;) ). Basically with TC, you have a chain of trust. Your bios is profiled before it starts up. Your bootloader can be assured that it's running a "safe" unmodified BIOS, your OS can be assured that both the bios and bootloader are safe, and apps can be assured that the bios, and os are safe. And if they're not they can refuse to even decrypt themselves. Your voting software can come on a CD or read-only flash drive with both an app and a Live CD, for people who don't have a TC-compliant OS but do have a TC-compliant bios.

TC isn't perfect, of course. Support isn't universal. It's vulnerable to cold boot attacks - although that requires physical access and there's countermeasures. And defining "safe" or "unmodified" is always going to be a balance between being as expansive as possible but not letting potentially vulnerable systems through the safety net. For people who don't have a valid TC system, the electoral commission could provide a Raspberry Pi or similar for $25-50, setup specifically for voting.

Compromised software is fairly easy to deal with (man in the middle attacks); banks already do this (banks are a good analogy, BTW - why are people so willing to deal with their life savings on the net but terrified of net voting? It all comes down to secure implementations). When the user registers (to reiterate, not over the net), you let them pick confirmation text and/or a confirmation image. When the software starts and you log in, it downloads this info from the electoral commission and prominently displays it before you continue on to actually vote.

With DoS (or non-malicious net failure), there's a lot of things you can do. The simplest is simply to redirect the user to any other form of voting - phone, mail, polling place, at the registrar's office, or whatnot. This can be casting a normal vote there as the non-internet-voters do, or a streamlined version - your computer could print out a pre-filled-out ballot, for example, or supply you with an alphanumeric hashed version of your ballot, optionally timestamped and with your voter ID. In some implementations, a TC-assured timestamp can be made available and the user's vote securely timestamped, allowing it to be submitted after the voting period at any point, up to the point that the official vote tally is certified. ISPs can furthermore inform the electoral commission of outages and the commission can automatically give an extension to any affected parties.

Any voting system should have an audit trail - whether internet voting or otherwise, of course. For example, each voter could have a randomly generated code which they received when they registered, and the registrar could publicly release a list (possibly broken down to the precinct level) matching up codes with votes. A voter can then match their code up with the list to make sure their vote was recorded correctly, and anyone can re-tally the list. If so desired, it could be set up if there are serious allegations of fraud on behalf of the electoral commission, an independent commission could be given access to information connecting voter codes with contact information so that they can interview a statistically-significant sampling. It all comes down to whatever balance is desired between privacy and fraud prevention.

This is just for starters, of course. But the key point is, these aren't insurmountable problems. And while internet voting creates its new attack vectors, it also solves a ton of traditional attack vectors that continually plague elections. Just like people try to steal bank information with phishing and viruses, one would expect interest in hacking elections (though honestly I think there'd be more interest in the former). Yet that hasn't stopped internet banking - and that's totally insecure compared to what we're describing above. Internet voting has the potential to increase turnout, convenience, reduce cost, even facilitate direct democracy or representative direct democracy. I personally think we should pursue it. Slowly, cautiously, and with a HUGE security and code audit process along the way, absolutely. But that's no excuse to never start.

Re:bollocks (0)

Anonymous Coward | about 5 months ago | (#46999869)

Already solved in a different way: you can vote any number of times you want and only the last vote counts.

Taking away person's ID card and preventing them access to computers doesn't scale at all.

Re:bollocks (1)

Tranzistors (1180307) | about 5 months ago | (#47000639)

> with paper voting, the person can (usually) just take a photo of their ballot with their cell phone to prove who they voted for.

Take picture of one ballot and submit another.

Re:bollocks (0)

Anonymous Coward | about 5 months ago | (#47000841)

If the officials are paying attention, you will only be given one ballot.

Re:bollocks (0)

Anonymous Coward | about 5 months ago | (#47001993)

That's not how it works, exactly for that reason (and the fact that you might have made a genuine mistake filling in). Unless your officials haven't understood how voting works, which would be fairly embarrassing.

The mafia thing... (0)

Anonymous Coward | about 5 months ago | (#46999933)

I'm Italian so let me explain how the mafia thing works for real here about elections.

The mafia need only one plain ballot sheet.
1) They sign the "right" party and give the sheet to you.
2) You go voting, use the sheet given by mafia and exit with the plain clean sheet given to you.
3) When you hand back the clear sheet to the mafia, they give you 10€, a thanks (and they know you are a "good guy", so nobody hurts you)
4) Back to point 1

So the mafia is smart enough to handle every kind of vote. There is nothing holding them back if they want something.
I expect biometric authentication to help on this point but I think they will find a workaround for this one too.

Re:bollocks (1)

3h (309321) | about 5 months ago | (#46999969)

Only your last vote counts. So you can sell your vote as many times as you like. You'll just vote again after that.

Re: bollocks (0)

Anonymous Coward | about 5 months ago | (#47002169)

So then what I buy from you is not your vote but your credentials. And if I monitor any other logon with them I kill you and all of your family.

Re:bollocks (1)

cjb658 (1235986) | about 5 months ago | (#47000195)

Most states allow voting by mail. Doesn't that present the same problems?

Re:bollocks (1)

amorsen (7485) | about 5 months ago | (#47003613)

Some of the same problems. In many cases you can cancel your mail vote by going to a voting booth.

If mail voting was popular, it would need to be made more secure.

Re:bollocks (1)

mikael_j (106439) | about 5 months ago | (#47000369)

People can still sell their votes right now. Put your vote in envelope in clear view of person who is paying you, enter voting place with them, they observe you putting the envelope in the ballot box, done.

Re:bollocks (1)

Tranzistors (1180307) | about 5 months ago | (#47000575)

Already solved by not allowing non-voting persons in voting area (not only in voting booth).

Re:bollocks (0)

Anonymous Coward | about 5 months ago | (#47001955)

Much simpler reason.
If I were to claim there was massive fraud and manipulation, can you argue that this was not the case in a way an ordinary person can understand and verify?
If the answer is no (and I guarantee you it is for any internet-based system) you have a voting system that _completely relies_ on almost everyone simply believing it works correctly as its _only_ legitimacy. If your voters go with it that only proves that they are probably very easy to fool if anyone really tried.

Re:bollocks (1)

TsuruchiBrian (2731979) | about 5 months ago | (#47002271)

I think being able to explain something to an ordinary person is an unreasonable requirement given the level of intelligence of an ordinary person. I don't think it's desirable to have an election system that does not involve any math.

What percentage of American citizens understand the electoral college?

The results of a proper electronic election are better able to be verified by intelligent people.

With electronic voting, you can store not only the vote totals, but also who voted for what in a way that is scrambled, and make the results public. This way each person can verify that their vote was counted without allowing others to see how they voted.

Re:bollocks (1)

TsuruchiBrian (2731979) | about 5 months ago | (#47002163)

By your reasoning, mail in ballots are just as problematic as internet voting. People can offer to buy your mail in ballot. Your spouse or employer can intimidate you into signing up for mail voting and vote for you. The mafia can pay you a visit and demand you sign up for mail voting and give the ballot to them.

Re:bollocks (2)

camperdave (969942) | about 5 months ago | (#46999367)

Right! Because internet voting and less centralization is how we get the highest quality stories on Slashdot.

Re:bollocks (1)

TangoMargarine (1617195) | about 5 months ago | (#47001473)

But we can't send in the troops to coerce them to vote our way if they do it online!

Er, I mean, the populace can't vote 107% for breaking away from their oppressive government.

Potential for abuse dwarfed by benefits (1)

Anonymous Coward | about 5 months ago | (#46999183)

Hate on e-voting all you want, point out all the ways a malicious person could mess with it, but don't tell me that e-voting is not going to happen. Being able to instantly poll your entire population without having to go through the trouble of setting up polling stations nationwide and get people to those places will transform democracy.

Re:Potential for abuse dwarfed by benefits (2)

fuzzyfuzzyfungus (1223518) | about 5 months ago | (#46999227)

Installation of blackhats as society's new ruling class would count as a 'transformation' of democracy, I suppose...

Re:Potential for abuse dwarfed by benefits (4, Insightful)

Sique (173459) | about 5 months ago | (#46999233)

E-Voting per se is wrong. There is only one method to make sure that every vote counts, and that is public counting of the vote. Every tabulation of votes in a machine makes a public counting impossible.

Re:Potential for abuse dwarfed by benefits (1)

camperdave (969942) | about 5 months ago | (#46999423)

> E-Voting per se is wrong. There is only one method to make sure that every vote counts, and that is public counting of the vote. Every tabulation of votes in a machine makes a public counting impossible.

That all depends on the implementation. For example: voter logs into secure site and enters vote. Secure site is connected to a card punch. After polls close cards are fed into card reader and counted. Hand counting can still be done.

Re:Potential for abuse dwarfed by benefits (2)

Sique (173459) | about 5 months ago | (#46999767)

No. Doesn't work. We have examples of voting fraud where the election officials swapped ballot-boxes after the vote to manipulate the outcome in different districts. The only way to make sure this doesn't happen is to have all votes collected in front of the public and the ballot-boxes then opened in public and immediately counted.

Nein (0)

Anonymous Coward | about 5 months ago | (#47002027)

what you say is not really true.

Imagine the voting officials generating a hex number of 32 chars length (using a noise diode and an A/D Converter; essentially an OTP) for each voter and each Decision Option.
you go to your local town house and grab one random, unmarked envelope from a Reverse Ballot Box.

The fact you got your envelope is recorded on a paper record.

Envelope contains 100 of said hex numbers.

In the next election, there are 4 options to choose from, so 4 numbers will be consumed.

You will vote using a TOR-like Onion router for your anonymity.

Your vote will be recorded along with potential bogus votes on massive hard drives.

After voting ends, hard drives will be scanned offline against the possible hex numbers by officials. Valid votes will be published on the internet for each voting district.

You can now check whether your vote has been properly tallied. You can also check whether your vote has been abused in case you did not vote.

This protocol seems to be quite bullet-proof against cheating by state-level actors like NSA-GCHQ or GRU. And it is simple enough for everybody to understand and trust.

Dipl.-Ing.(BA) Frank Gerlach
Gäufelden
Germany
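The one-time-code protocol proposed in the comment above, as an added Python sketch that is not part of the original post; its published list that anyone can recount is also the kind of audit trail proposed earlier in the thread. The function names, the layout of codes inside an envelope, and the rule that the first valid code per envelope wins are assumptions, and the OS random generator stands in for the noise diode.

```python
"""Code voting with one-time hex codes: offline scan, publication, voter check."""
import secrets
from collections import Counter

CODE_HEX_CHARS = 32        # "a hex number of 32 chars length"
CODES_PER_ENVELOPE = 100   # "Envelope contains 100 of said hex numbers"


def new_code():
    # Stand-in for the proposed noise diode and A/D converter: the OS CSPRNG.
    return secrets.token_hex(CODE_HEX_CHARS // 2)


def print_envelopes(districts):
    """districts: {name: envelope count} -> (envelopes, district_of).

    Envelopes are unmarked; who collected one is a paper record that this
    sketch does not model.
    """
    envelopes, district_of = [], []
    for district, count in districts.items():
        for _ in range(count):
            envelopes.append([new_code() for _ in range(CODES_PER_ENVELOPE)])
            district_of.append(district)
    return envelopes, district_of


def _slice(envelope, election_no, options):
    # Assumed layout: election k uses the k-th run of len(options) codes,
    # one code per option in ballot order.
    n = len(options)
    if (election_no + 1) * n > len(envelope):
        raise ValueError("envelope has no unused codes left")
    return envelope[election_no * n:(election_no + 1) * n]


def code_table(envelopes, election_no, options):
    """Officials' secret lookup for one election: code -> (envelope, option)."""
    table = {}
    for idx, envelope in enumerate(envelopes):
        for option, code in zip(options, _slice(envelope, election_no, options)):
            table[code] = (idx, option)
    return table


def voter_code(envelope, election_no, options, choice):
    """The single code a voter submits to select `choice`."""
    return _slice(envelope, election_no, options)[options.index(choice)]


def scan(submissions, table, district_of):
    """Offline scan of everything received -> {district: [(code, option)]}."""
    published = {d: [] for d in district_of}
    used = set()
    for raw in submissions:
        code = raw.strip().lower()
        hit = table.get(code)
        if hit is None:
            continue          # bogus submission: matches no issued code
        idx, option = hit
        if idx in used:
            continue          # assumed rule: first valid code per envelope wins
        used.add(idx)
        published[district_of[idx]].append((code, option))
    # Sort so the published order does not reveal arrival order.
    return {d: sorted(rows) for d, rows in published.items()}


def retally(published):
    """Anyone can recount from the published lists."""
    return {d: Counter(o for _, o in rows) for d, rows in published.items()}


def check_envelope(envelope, election_no, options, rows, choice=None):
    """Voter-side check of a district list; choice=None means 'I did not vote'."""
    mine = set(_slice(envelope, election_no, options))
    seen = [(c, o) for c, o in rows if c in mine]
    if choice is None:
        return "abused" if seen else "ok"
    if not seen:
        return "missing"
    expected = (voter_code(envelope, election_no, options, choice), choice)
    return "ok" if seen == [expected] else "altered"


if __name__ == "__main__":
    options = ["A", "B", "C", "D"]
    envelopes, district_of = print_envelopes({"north": 3, "south": 2})
    table = code_table(envelopes, 0, options)
    # Constructed traffic: two real votes, one bogus code, one replay.
    mine = voter_code(envelopes[0], 0, options, "B")
    received = [mine, "0" * 32, voter_code(envelopes[3], 0, options, "D"), mine]
    published = scan(received, table, district_of)
    print(retally(published))
    print(check_envelope(envelopes[0], 0, options, published["north"], "B"))
    print(check_envelope(envelopes[1], 0, options, published["north"]))
```

The published (code, option) pair also works as a receipt a voter can show to a third party, which is the vote-selling problem raised earlier in the thread.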

Re:Potential for abuse dwarfed by benefits (1)

camperdave (969942) | about 5 months ago | (#47004931)

Sounds like the scrutineers were asleep at the switch. All bets are off in any system if there is no verifiable chain of custody.

Re:Potential for abuse dwarfed by benefits (0)

Anonymous Coward | about 5 months ago | (#46999947)

Russia has something to say about that and fair voting. All done on paper.

Re:Potential for abuse dwarfed by benefits (1)

Sique (173459) | about 5 months ago | (#47000001)

If you have the full control over the voting process, every voting is vulnerable. Important thus is the transparency, and transparency means that virtually everyone can watch the voting process.

Re:Potential for abuse dwarfed by benefits (0)

Anonymous Coward | about 5 months ago | (#47000869)

> E-Voting per se is wrong. There is only one method to make sure that every vote counts, and that is public counting of the vote. Every tabulation of votes in a machine makes a public counting impossible.

Humans are a machine, therefore democracy will always be wrong?

Re:Potential for abuse dwarfed by benefits (1)

drainbramage (588291) | about 5 months ago | (#47003557)

That must be why we don't do that in the U.S.
I wonder why my state closed all polling stations (vote by mail only) and made it ILLEGAL to ask for ID when signing up to vote.
They allow registrations with a common address such as the county courthouse saying this is needed by the homeless.
Nice follow up was the change in law to require you to know a voter's name/age/address if you wanted to challenge votes even in districts with more votes than registered voters.

Re:Potential for abuse dwarfed by benefits (-1)

Anonymous Coward | about 5 months ago | (#46999269)

> Hate on e-voting all you want, point out all the ways a malicious person could mess with it, but don't tell me that e-voting is not going to happen. Being able to instantly poll your entire population without having to go through the trouble of setting up polling stations nationwide and get people to those places will transform democracy.

Maybe, but any republican country would be against it as it'd lower the power held by the politicians.

Re:Potential for abuse dwarfed by benefits (0)

Anonymous Coward | about 5 months ago | (#47002167)

The Swiss have direct voting on essentially everything.

Coincidentally, they are one of the few countries around here who don't categorically suck up to the U.S.

Certainly they don't allow foreign armies on their soil like the suckers do.

It should not happen (1)

gwolf (26339) | about 5 months ago | (#47002141)

It might still happen, but many among us will still fight for the population to understand the unavoidable security risks in doing so. We have the duty to do so.

Do not use computers for voting a gvt (0)

Anonymous Coward | about 5 months ago | (#46999191)

I might be modded down for my opinion on a technology loving website, but sometimes the newest and the most recent is not the best.
Computers are a young invention. I think we need to learn a lot about them, until we should use them to choose our leaders. A vote is not something like writing a slashdot post, or writing an email. It determines who will run a country for the next four (or five or whatever) years. When someone breaks into your online banking account, you will most likely notice it, and you perhaps have a chance to get your vote back. When someone breaks into a voting machine, no one will notice it ever, and you never will have any verification your vote has been counted. Yes, I know, there are systems which allow this also for online voting. But they all have their issues.

Re:Do not use computers for voting a gvt (1)

Sarten-X (1102295) | about 5 months ago | (#46999887)

> I might be modded down for my opinion on a technology loving website

With all due respect, I think you're mistaken. Slashdot is a website where experts in one area of technology complain about how terrible another area of technology is, and how it's risky and doesn't bring much benefit.

We Slashdotters often really hate technology, but we make exceptions for our own fields.

The level of security required seems unsustainable (1)

Karmashock (2415832) | about 5 months ago | (#46999209)

The issue is that you only get real security when the people in charge of the security are both well funded and the organization as a whole takes security very seriously.

To my knowledge, the only organizations that really tend to have good security are banks and government intelligence. And in both of these we've seen major security breaches.

I think the attraction of corrupting the voting system simply outweighs the internal pressure to secure the system such that if implemented, a digital voting system would be inherently compromised.

I struggle to think of a solution to this problem that wouldn't be undone by a mixture of inside man corruption, laziness, and external manipulation by powers that want to control the process be they state level or not.

Re:The level of security required seems unsustaina (1)

fuzzyfuzzyfungus (1223518) | about 5 months ago | (#46999373)

It doesn't help that voting is an inherently trickier problem: a lot of the easy and obvious ways of detecting tampering go out the window if you aren't supposed to be watching the behavior of the users in detail. You are also monitoring something that happens infrequently, for relatively high stakes, rather than something (like credit card transactions) that happens all the time, usually for relatively low stakes, which makes statistical detection of anomalies less useful. Cloning a mag-stripe card, or just getting the number, is trivial; but the bank can watch its behavior, freeze it if that behavior changes, and as long as they get it right fast enough and often enough, the cost of the fraud is probably lower than the cost of doing something more architecturally sensible.

I suspect that people would be...less pleased... if they received a call from the government "Your apparent voting patterns have shifted unusually recently, your ballot has been deactivated for security reasons until we complete the verification process...", and since elections are relatively rare, the freeze would almost never be fast enough,

Re:The level of security required seems unsustaina (1)

Karmashock (2415832) | about 5 months ago | (#46999607)

Well... I think something that might help is if they had a two part secret key system. Where in the identity of any individual vote could only be unlocked by the person that cast it.

Then make it possible for voters to query how their vote was calculated. So if I personally voted for X then I checked the system and it says that my vote was counted as Y then we know there was tampering or at the very least a mistake.

This would make vote altering harder because they wouldn't be able to change the vote tally to match the correct encrypted vote.

Very important to this concept is that only the voter can decrypt their encrypted vote.

The vote is cast anonymously after some sort of ID verification to make sure you should even vote in the first place. The anti voter ID stuff appears to be nonsense so far as I can tell... possibly an attempt to protect voter fraud schemes. In any case, you need voter ID to have a secure voting system.

So your ID lets you vote, you vote, you are then prompted for a password to encrypt your vote. The actual encryption scheme should be pretty aggressive. The password should be something that can be unique to that specific vote. Write it down on a piece of paper or something. Then after the votes have been officially declared, you can go back into the system, enter the signature of your vote serial number. Not your personal ID but the ID of that vote which should be anonymous. View what the system labeled it. Then download the file... decrypt it with your password and see if the public record matches the encrypted record.

Obviously this is just out of my ass here. So it could easily be refined by someone with more experience or more thought on the matter.

But a two part system would seem to be less prone to error.

If a significant number of ballots don't match the encrypted version then you might need to invalidate an entire election and start over.

Possible problems with the system are if the system that actually casts the vote is itself compromised. In that way the encrypted vote would be compromised as well. However, the person that cast the vote would still know which way they did vote so they should be able to at least know personally if their vote was tampered with indifferent to whether anyone else believes them.

Another place you could have a security breach is between the system that holds all the individual votes and the system that measures the final tally. If that system were compromised every decrypted vote could say X while the final tally could say anything. This system could be made more secure by making it redundant. Several totally different systems could add up the votes simultaneously and then have the results compared. They should match exactly every single time. If they don't then you know you have a problem... most likely a software bug but this is something where paranoia is warranted.

Re:The level of security required seems unsustaina (1)

fuzzyfuzzyfungus (1223518) | about 5 months ago | (#47000307)

Oh, there are definitely some very interesting voting system designs (mostly cryptographic flavors) out there, though I'm definitely not expert enough to say much of use about them. My point was merely that lots of the really obvious verification systems (the ones that don't need crypto-fu) tend to assume that total or near-total knowledge of the system by trusted insiders is OK, and that there are (mostly) trusted insiders, worst case not-entirely-trusted-but-know-they-are-being-watched-and-we-know-where-they-live insiders.

With voting, total knowledge is almost always explicitly forbidden (even making it possible for 3rd parties to verify what an individual did in the polling booth is generally considered an issue) and insiders are barely trusted to transport sealed ballot boxes, much less refrain from drawing up death-lists based on who voted how. Doesn't make the problem impossible; but does eliminate most of the obvious direct borrows from banking and the like.

Re:The level of security required seems unsustaina (1)

Karmashock (2415832) | about 5 months ago | (#47001285)

No one can know what you did in the voting booth without the voter's encryption key. Under the system I laid out, the vote could be counted without the voter's encryption key. However, the votes could not be verified without that key.

The point of the encryption is to create an independent and untouchable tally of the vote.

It would be very impractical to audit the list since it would require every voter personally decrypt their vote and cross check it. But it would be secure. No one besides the person that cast the vote would be able to tamper with the vote without it being detected.

Re:The level of security required seems unsustaina (0)

Anonymous Coward | about 5 months ago | (#47002079)

And nobody but a small handful of people will be able to understand your voting system, or even be able to distinguish it from a fraudulent or broken one.
Call it what you want, but when you vote in a way that less than 1% even understand if or how it works you don't have a democracy.
If you're really lucky it's a benevolent dictatorship by those 1%.

Re:The level of security required seems unsustaina (1)

gwolf (26339) | about 5 months ago | (#47002515)

Your scheme is very similar to what we use in Debian for voting for the project leader [debian.org] (unlike the fully-open tally sheets for voting on issues, not people [debian.org]). However, this scheme is good only where people trust each other, for occasions where you know there will be no vote buying/coercion. Not for a national elected government.

Re:The level of security required seems unsustaina (1)

Karmashock (2415832) | about 5 months ago | (#47005181)

I don't see the problem with my scheme in regards to trust. Only I can identify which vote is mine. The votes are anonymous. The ID on each vote would at most say where the vote was cast not who cast it. I would know which vote was mine because I would record the ID number of MY ballot at the time of casting the vote. That ballot ID would not be associated with my identity in any way. Further, that ballot's encrypted ballot would only be accessible to me and only if I decrypted it with my password. The point of which would only be to compare the official recording of the ballot with an encrypted file created at the same time which should mirror that ballot.

If A does not match B then you know there is a problem. That is the point.

Auditing all the ballots would require literally everyone that voted to individually decrypt every single ballot personally. Obviously not possible for more than a small sample set. Which the voting public under my scheme would be encouraged to do on their own.

Anyone that found a mismatch would then be encouraged to contact the authorities to begin an investigation.

The above would make some types of vote tampering more complicated. The issue I'm most worried about though is ballot box stuffing. Where some individual or group fills out hundreds or thousands of illegitimate ballots and submits them for counting.

To address this, you need voter ID and you need to have good records of who voted in each election. They compare the list of registered voters to the census bureau/IRS to make sure they actually exist as real people. And then you compare the total number of votes counted with the total number of people that were recorded as voting.

All three records should match.

All people that vote should be real people.

And the number of people that voted should equal the number of votes recorded.

I suspect that if you applied this standard to many elections the numbers would not match. I think many people that are said to vote are not actually real people. Some of them are dead. Some of them are entirely fictitious. Mickey Mouse has been known to vote occasionally. And of course sometimes there are a lot more ballots cast than the number of people that actually voted. The most striking example of this is when the number of people voting exceeds the number of people registered to vote. Which is impossible unless non-registered voters are voting... a non registered voter voting is sort of like a non-registered driver driving. Yes, you have a right to vote while driving is a privilege... but only citizens with no felonies on their record are allowed this right... and they have to be alive and not cartoon characters.

Verifiable vote is coercible vote (1)

gwolf (26339) | about 5 months ago | (#47002193)

If you can prove your vote was correctly recorded, then you might be more easily persuaded to sell it — be it that you receive a pay for it, or you receive the service of not getting your bones broken.

A vote once cast is just a piece of paper among many. Nothing should tie it to a voter's identity. A voter should be unable to prove he voted a particular way.

Re:Verifiable vote is coercible vote (1)

Rei (128717) | about 5 months ago | (#47004027)

A voter should be able to prove to *themselves* that they voted in a particular way and it was registered and counted, but not be able to prove it to *others*.

How do you expect that to be feasible? (1)

gwolf (26339) | about 5 months ago | (#47004181)

Say this system is approved. Say you want to buy my vote. You demand proof that I voted the way you wanted me to — If the e-voting platform allows me to confirm my vote was properly counted. So, all you have to do is to promise me to hand over the money if I prove to you I did what we agreed. (or you can threaten me with physical violence unless I can prove it to you, same reasoning).

A secure voting system should never allow me to prove what was my vote — But that would make me very suspicious, as it could be recording false votes from the beginning, right? Right. The only solution is to have voters deposit papers with their stated vote (and no personal identifying marks!) in a booth, and allow for recounts if needed.

At least... (1)

TWX (665546) | about 5 months ago | (#46999217)

...we know that Russia won't be able to stuff 100,000 paper ballots marked "yes" for a plebiscite into ballot boxes if they keep the current system...

Plus they might be able to make the vote look in favor of remaining away from Russia by simply manipulating the totals after Russia has manipulated them first...

Re:At least... (1)

Rei (128717) | about 5 months ago | (#46999855)

Seriously, A+. People act as if non-internet voting isn't already plagued with huge problems, many of which a secure net voting system can eliminate. I mean, come on, in the last presidential election Chechnya had 99.59% turnout with 99.82% voting for the "Butcher of Grozny" [nytimes.com], with one precinct in Grozny with turnout over 107%. Think that's legit? Vote corruption in places like Russia is often done at the precinct/district level, levels which are entirely eliminated by net voting. You also reduce the threat of violence by not having to show up in person.

Nothing is perfect. But a lot of the stuff against net voting seems to me knee-jerk and based on implementations with half-arsed security audits or no security audit at all, with a complete ignoring of how easy conventional elections often are to manipulate.

Re:At least... (0)

Anonymous Coward | about 5 months ago | (#47002275)

If the Cletocrat International had not fucked up Russia and Saudis not funded terrorism in Chechnya, nothing of this would be existent.

Re:At least... (1)

amorsen (7485) | about 5 months ago | (#47003669)

Even in Chechnya, where bad guys control pretty much all parts of the voting process, it is obvious to an intelligent person that there is fraud.

With electronic voting, the fraud will be much harder to spot.

Re:At least... (1)

Tranzistors (1180307) | about 5 months ago | (#47000761)

And electronic voting solves any of these problems?

The article points out that Estonian e-elections increase(!) risk of fraud. You just said that since there can be fraud with conventional elections, it doesn't matter how elections are done. It just makes no sense. If there are risks of fraud, they should be minimised, not increased.

Re:At least... (1)

Rei (128717) | about 5 months ago | (#47003999)

That doesn't even remotely resemble what I wrote.

Cat tongue (1)

Impy the Impiuos Imp (442658) | about 5 months ago | (#46999231)

> Source code is publicly available

I'm going to suggest something: a publicly-accessible read-only port to the ROM where you can put in a USB and pull the entire ROM off automatically. Then people can confirm it matches the official binary, which people can confirm by compiling the source code themselves.

It must be hardware-level and not under control of the processor or ROM so spoofing would require infiltration of the voting machine hardware.

Slashdotters should favor online voting (0)

Anonymous Coward | about 5 months ago | (#46999279)

The next president of Estonia will surely be Cowboy Neal.

Self Auditing and independent auditing (4, Insightful)

EmperorOfCanada (1332175) | about 5 months ago | (#46999299)

Quite simply it comes down to independent auditing. With my bank account, my email or even my Facebook; I can tell if I have been hacked or if these companies are playing fast and loose. I will look at my bank account and bloop I am $30,000 short. Where did it go? I will then begin an investigation and bring my previous bank statements as backup if needed. Worst case scenario the bank won't cooperate and I will take it to the courts where again my evidence will be brought to bear. Lastly I can switch banks. Quite simply it is because I have feedback as to what is happening.

The same with facebook. If suddenly my posts are all encouraging people to help out a Nigerian prince then I've been hacked. I will then be able to take some action.

The reason I mention the above technologies is that I think that we can all assume that our banks, facebook, and our email companies all are very good and work very hard at avoiding being hacked; yet they have all been hacked. Look at Target, they (to use the correct term) were PWNED.

But when I vote online it is fire and forget. I don't know what happened to my vote. There is no physical record for me to point to. I can't check up on my vote after the fact. At least with a paper ballot system I take my physical ballot and I give it to some vaguely trustworthy government person who is closely watched by as many representatives of the various parties as there are parties. Each watching with the interests of their official in mind. So if they see something they don't like then they can call police/election officials/newspapers etc. I like this system. It is not impossible to thwart but close enough.

In my city, Halifax, they added online to the municipal elections and I am truly scared. This should be illegal in 20 different ways. They justify it saying that it cuts costs and increases participation. Basically it didn't cut costs as they had to screw with the system so much, send out so many instructions, and answer so many questions. Plus in the end it basically didn't increase participation. I carefully looked at the votes and luckily none of the online voting was significant enough to have altered an outcome.

But let's say that someone had screwed with the results (as a programmer you can't tell me that it isn't going to be that hard) the only people who are going to cheat are going to be bad people. People who, once they are in, will ensure that only they can continue to cheat. So to me every online voting system is basically waiting for the first set of evil and smart people to come along. That is it. But once it happens, by the altered rules of the voting system, how do I fight the vote? How can it be contested? How can there be a recount?

Now I understand that some voting systems are complicated with many propositions, levels of government, etc being voted on in a single booth. So I have a very simple solution. You press your buttons which then produces a ballot on the screen, you then look at the ballot on the screen and see if you like it. Then you press print. It then produces a ballot that matches the one on the screen and you can compare. Then you say OK and then bring your ballot to the ballot box per normal. Then the computer tallies up the votes and announces a tentative winner. Then the humans can count the votes to see if the computer agrees with the paper ballots. But the key is that the paper ballots have the final say. The computer is only there to help. Then if there is a wild difference between the paper and the computer more interesting auditing mechanisms can come into play.

As a computer programmer I am 100% certain that any online election can easily be rigged. But I am by far not alone. 100% of the time that independent security researchers have gotten their hands on electronic voting systems they have hacked them and usually with ease. So the solution is that these companies don't allow independent auditors but ones of their own choosing and ones that they pay well.

This is a serious problem. Basically online voting is pretty much demanding that some evil person runs our government.

Re:Self Auditing and independent auditing (1)

BForrester (946915) | about 5 months ago | (#46999611)

...Online voting is pretty much demanding that some evil person runs our government.

So... status quo?

Re:Self Auditing and independent auditing (1)

EmperorOfCanada (1332175) | about 5 months ago | (#47003025)

Actually I think even worse. My guess is that while many people who go into office are ego-maniacal nitwits they aren't evil; they just discover (as they go into or arrive in office) that government is bought and paid for by big money.

But if someone is cheating their way into office then they are planning evil from day one. Also even though big money has bought government they still have to fight over it. But if you had a single rich party cheat someone into office then there won't even be competing interests.

Lastly while there are military related companies that like things like war most companies are just wanting money for themselves. So their purchase of government is somewhat evil (more pollution, less worker's rights) but someone cheating might be truly off the scale evil. A simple example (one of a zillion) is that there are quite a few fundamentalists who would like to bring about the end times so that they can experience the second coming of Christ. Who knows what fruitcake stuff they would get up to when in power. Then in other countries there is a secular majority with a close second of a religious minority. But this minority would love to impose their religious laws on everyone. So they would cheat in order to "do the right thing." which would probably be 1000x worse than a greedy corporation.

Re:Self Auditing and independent auditing (0)

Anonymous Coward | about 5 months ago | (#47000287)

wow fear mongering and straw men, you sure make a great argument. because as it stands the powerful remain in control through the modifying of voter laws anyways, that and the pervasive use of money in campaign finance and the lobbying industry. your argument is pretty much that we shouldn't try and march forward? most of those problems you list will eventually be worked out through use of said systems and if done properly would be rolled out in small scale before being deployed for federal elections..

everyone who argues against e voting seems to forget the flip side of the coin. once a system is functional and in place, more votes can happen, meaning more referendums and more control for the general population. it would be a lot of effort to rig every vote if citizens are voting every day on democratic issues. Instead of complaining about the problems, why don't you (as a programmer) check out their OPEN SOURCE git repository and check out their implementation, and then if there are the problems help out and contribute.

oh and to solve your independent auditing issue, that's simple, post every vote online on a website and no secret ballots, instead use a hash of important individual data markers to create an id number that is individual and unique. that way when you vote, you get your id number and can then independently audit your vote, problem solved. oh and it helps when the code is open source and can already be independently audited.

E-voting should not, can not (safely) be done (5, Insightful)

Catbeller (118204) | about 5 months ago | (#46999303)

Using computers to register, count, transfer, and archive vote tallies is impossible to do without an almost certain effort to alter the vote totals by parties interior to the project (people creating and maintaining the systems and the show runners) and outside the project ("hackers"). Of the two, the insiders are far more likely.

This is not a failure of tech or of implementation. This is a human thing: those disposed to alter election tallies have infinite motivation to find a way to do it. They can either slip in during the coding phase or the implementation phase, or even during the elections. Like rats, they will find a way.

The difference between paper and electronic is basic: paper leaves a physical trail. E-voting can be rigged to leave NO trace. IS rigged to leave no trace. No audit is possible: all audits are predicated that the datasets and code are correct to begin with. If someone slips in backdoors, they can alter vote totals in real time and therefore all recounts will be "accurate". Paper receipts are useless, because what is printed is not necessarily what actually happened. Paper printouts that are reviewed by the voter on site for accuracy and then stored in boxes by the voting agents *can* be a valuable check, for the paper should match the e-count. But why then the extra step of the computer? Just use paper to begin with. Canada does it (I hope still does) and they count elections by hand in three hours, no matter what the size, local or national, because human counting easily scales.

Source code is worthless as a trace. One never knows what the machine is actually doing from microsecond to microsecond; the code executed need not match what you see on the source. This makes coders' heads explode, but it is true. The machine can be programmed to lie. I know this, because I have done it, on orders from my bosses, in the past, to make a bit more money for my company. Cheating is easy and it is undetectable if you are even marginally clever about it. The count can also be altered far from the source tabulating machine and local system, at other levels. Such malignancy will not be accounted for by the counting company; their rep is on the line, they don't believe it is possible and further they don't want to know.

Use e-voting and you will see the powerful grab control, one way or another. Use paper.

Re:E-voting should not, can not (safely) be done (0)

Anonymous Coward | about 5 months ago | (#46999555)

Paper? No way, CIA has invisible ink and whatnot! The only sure thing is CLAY!

I think the only sure thing we could all rely on would be getting back to ostracism. This is the only reliable method of getting rid of anyone who thinks of using computers and internet for anything else than cat pictures and comments.

http://en.wikipedia.org/wiki/Ostracism

Re:E-voting should not, can not (safely) be done (1)

swillden (191260) | about 5 months ago | (#46999575)

Use e-voting and you will see the powerful grab control, one way or another. Use paper.

Or if you like, use both.

Using some cryptographic design principles plus paper ballots for marking votes and computers for tallying them, and including some random verification processes to tighten the whole thing, Chaum and Rivest's Scantegrity II [wikipedia.org] system provides an end-to-end verifiable system which allows every voter to verify that their vote was counted correctly, without giving them the ability to prove how they voted to anyone else (an important anti-coercion feature). It also allows anyone to verify (with arbitrarily high probability) that the votes were tallied correctly.

It's awesome from a voting security/integrity point of view, and also very practical.

It is not, however, possible to do it online. There's simply no way to make that secure while retaining anonymity. And any kind of at-home voting (including mail-in paper ballots) is inherently vulnerable to vote buying and coercion.

Re:E-voting should not, can not (safely) be done (1)

Dr_Barnowl (709838) | about 5 months ago | (#46999731)

Indeed.

While there are ways to make electronic voting more secure, the systems as a whole are too complex for one person to audit. The more fancy crypto you add, the fewer people understand the components. The fewer potential auditors you have, the cheaper it is to buy them off / lock them up for political crimes.

It's easy to audit a ballot box. Virtually everyone of average intelligence understands the technology.

Re:E-voting should not, can not (safely) be done (0)

Anonymous Coward | about 5 months ago | (#47000337)

It's easy to audit a ballot box. Virtually everyone of average intelligence understands the technology.

you sure about that? how many times have they had to recount Florida ballot boxes?

but yes let's stop any kind of technological innovation because people won't be able to understand it.. how about you spend some money on your schools instead of the military industrial complex, maybe then your youth wouldn't be rated on the bottom end of the scale and you would have an education system worth being proud of and the states might go back to leading the world in technological innovation.

Re:E-voting should not, can not (safely) be done (0)

Anonymous Coward | about 5 months ago | (#46999765)

tl;dr - This shit is really, really complicated and there is a lot of tricky crypto involved to make it pretty damn secure and VERY auditable / verifiable. It's way safer than you think, and a hell of a lot better than traditional paper vote-by-mail. Take off your tin-hats - this isn't your typical e-commerce platform.

There are a lot of safeguards in the mix with internet voting systems that are not well publicized. For Example:

Typically with systems like this, there is extensive use of immutable media, like WORM drives and SD cards. Images of system are taken before, during and after and compared to the running live system. Also typical, a third party auditor (Corporate like PwC, or independent NGO like IFES) literally come into the data center and take a snap of the running system, and compare it to a previously audited copy of the code / system to ensure no tampering.

Additionally with the WORM media, you always have an audit trail, this also includes the (encrypted) votes. Recounts are not only possible but typical for auditing purposes. The way votes are stored are generally done in the same way as paper absentee ballots, where they are encrypted in two layers (think envelopes). The first envelope contains the voter UID, the second the voting information itself.

The code that does the tally and counts the votes sits on different, isolated systems relative to the systems that collect the votes (electronic ballot box). Prior to taking the ballots from the ballot box and sending them to the tally machine, they are stripped of identifying information and verifiably shuffled (via a mixnet). So, in short the process looks like this:
1. Voter logs into system (in Estonia's case they use a smart chip for identification). Also in Estonia's case they can cast as many ballots as they want - only the last ballot counts.
2. Ballot is sent to the ballot box systems either via SSL (yes, risky) or via alternative method via a Java applet which is preferable for security, but you lose access to accessibility for voters with disabilities
(crypto below will vary by implementation, but this is typical)
3. Ballot box creates ephemeral symmetrical key specific for this ballot, encrypts ballot and stuffs it into the ballot box
4. Ballot box encrypts ephemeral symmetrical key with asymmetric public key, private key is stored offline
5. Ballot box destroys ephemeral key
(rinse, repeat until voting period ends)
6. Ballot box is downloaded, usually to offline, boot-off-cd laptop or similar, with no hard drive or ethernet card
7. Private asymmetrical key is loaded, used to open the symmetrical key database, anonymize ballots
(several audits are performed at this step to remove / check for duplicates or other fishiness)
8. Anonymous ballots are then taken to another set of systems and shuffled by a verifiable mixnet
9. Ballots are then sent to the tally system where they are tabulated (or in some cases printed, where electronic tally is not feasible, such as preference voting)

There are a few more detailed steps above not outlined, but all of this is well documented for the Norway, Australia, Estonia, Switzerland, Canadian (and yes, even USA) systems.
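The two-envelope flow listed in the comment above (steps 3 to 9), in simplified form, as an added example that is not part of the comment and not code from any real voting system. The voter IDs are constructed, and the cipher and key pair are insecure stand-ins chosen so the block runs on the Python standard library alone; the mixnet is replaced by a plain shuffle.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Stand-in primitives, NOT secure: textbook RSA over two fixed Mersenne primes
# plays the election key pair; a SHA-256 keystream plus HMAC plays the cipher.
P, Q = 2**521 - 1, 2**607 - 1
PUBLIC_KEY = (P * Q, 65537)
PRIVATE_KEY = (P * Q, pow(65537, -1, (P - 1) * (Q - 1)))  # stored offline (step 4)


def _subkeys(key):
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def _xor_stream(enc_key, data):
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(enc_key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key, plaintext):
    enc_key, mac_key = _subkeys(key)
    body = _xor_stream(enc_key, plaintext)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def unseal(key, blob):
    enc_key, mac_key = _subkeys(key)
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        raise ValueError("inner envelope modified or wrong key")
    return _xor_stream(enc_key, body)


class BallotBox:
    """Online collector. It holds only the public key, so it cannot reopen
    envelopes it has sealed. accept() still handles the plaintext choice, as
    step 3 describes: the seal protects stored envelopes, not a collector
    that is already compromised."""

    def __init__(self, public_key):
        self.n, self.e = public_key
        self.envelopes = []

    def accept(self, voter_uid, choice):
        key = secrets.token_bytes(32)                               # step 3
        inner = seal(key, choice.encode())
        wrapped = pow(int.from_bytes(key, "big"), self.e, self.n)   # step 4
        del key                          # step 5 (Python cannot guarantee a wipe)
        self.envelopes.append({"voter_uid": voter_uid,
                               "wrapped_key": wrapped, "inner": inner})


def offline_count(envelopes, private_key):
    """Steps 6 to 9 on the offline machine. Returns (tally, rejected)."""
    n, d = private_key
    latest = {}
    for env in envelopes:        # arrival order: a later ballot replaces an earlier one
        latest[env["voter_uid"]] = env
    # Outer envelope (voter identity) is dropped before anything is opened.
    anonymous = [(env["wrapped_key"], env["inner"]) for env in latest.values()]
    secrets.SystemRandom().shuffle(anonymous)   # stand-in for the verifiable mixnet
    tally, rejected = Counter(), 0
    for wrapped, inner in anonymous:
        try:
            key = pow(wrapped, d, n).to_bytes(32, "big")
            tally[unseal(key, inner).decode()] += 1
        except (ValueError, OverflowError):
            rejected += 1        # surfaced for audit instead of being counted
    return tally, rejected


def demo():
    box = BallotBox(PUBLIC_KEY)
    # Constructed ballots; EE-001 votes twice and only the second one counts.
    for uid, choice in [("EE-001", "A"), ("EE-002", "B"), ("EE-001", "B"), ("EE-003", "A")]:
        box.accept(uid, choice)
    clean = offline_count(box.envelopes, PRIVATE_KEY)
    # Constructed damage to one stored envelope: a single flipped ciphertext bit.
    damaged = [dict(env) for env in box.envelopes]
    blob = damaged[3]["inner"]
    damaged[3]["inner"] = bytes([blob[0] ^ 1]) + blob[1:]
    return clean, offline_count(damaged, PRIVATE_KEY)
```
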

Re:E-voting should not, can not (safely) be done (0)

Anonymous Coward | about 5 months ago | (#47000297)

You still have a centralisation problem: one breach, you lose everything. It is very likely that a PWNer can influence who wins the vote.
With presence voting, even if one office was completely manipulated, you have lost only a few hundred votes. Sometimes this can matter, but most times not.

About immutable media: SD cards are only immutable on a firmware mode, aren't they? Does the ro-switch really cut off the write_data lanes to the flash chips? For immutability, I think that hashes are the only way to ensure this. A computer displays a hash when it writes to an SD card, someone notes it and then signs it. On the reading side just the opposite. But even here you have centralisation. One SD card can hold millions of votes.

Only if we do away with secret ballots (1)

Attila Dimedici (1036002) | about 5 months ago | (#46999375)

Electronic voting can only be secure if everyone knows how everybody else voted. Otherwise there is no way to know if the outcome has been modified at some point in the process.

Re:Only if we do away with secret ballots (2)

jbmartin6 (1232050) | about 5 months ago | (#46999849)

A good point, which hooks into some of the above posts. Is it even possible to have an election that isn't secret ballot? I recall from history that the early elections in England were huge frauds until they instituted secret ballots. There were a lot of abuses such as the local landlord's thugs openly threatening anyone who voted for the wrong candidate. I don't think human nature has changed at all since then, so we would see the same sorts of problems. Maybe we could have a system where voters have to register in person for some sort of ticket or key, and then they could vote anonymously using that key. The public record would just say "key ### voted for John Smith". So any key holder could check on their own vote but no one could track the key back to them.

Re:Only if we do away with secret ballots (1)

Attila Dimedici (1036002) | about 5 months ago | (#47000061)

Your key idea does not work because while you could check who you voted for there would be no way to check that all of the votes were right...and it would not be that hard to have your key logged to who you entered to vote for without actually counting it that way. Without some way to compare how many real life people voted a certain way with the tallies that the computer lists for who voted a certain way there is no way to secure electronic voting. Just look at how hard it is to secure paper ballots where we can keep track of the physical record. Now, transfer that to an electronic record where the only way to keep track of the record is to trust that the system does what someone else tells you it does.

Re:Only if we do away with secret ballots (1)

jbmartin6 (1232050) | about 5 months ago | (#47001327)

True, we have the same weakness in the current system. It is just a lot harder to pull off since physical ballots are widely distributed.

Re:Only if we do away with secret ballots (0)

Anonymous Coward | about 5 months ago | (#47000121)

The key system has the problem that others can force you to give them your key. If you give it to them they can see who you voted for, and then they can punish you if you didn't vote as they have asked you to do. If you don't give them your key, they will punish you too.
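The public-board idea in this sub-thread ("key ### voted for John Smith") and the ballot-ID-plus-password scheme proposed earlier in the discussion, sketched as an added example that is not part of any comment or of any real voting system. It swaps the encrypted file for a password-keyed hash commitment, and the ballot IDs, passwords and function names are constructed for illustration.

```python
import hashlib
import hmac
from collections import Counter


def commitment(ballot_id, password, choice):
    """Value only the password holder can recompute. With a handful of possible
    choices, a weak password would let anyone brute-force the vote from the
    public board, hence the slow key derivation."""
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), ballot_id.encode(), 100_000)
    return hmac.new(key, choice.encode(), hashlib.sha256).hexdigest()


def cast(board, ballot_id, password, choice):
    """Publish the anonymous row; the ballot ID is the voter's receipt."""
    board.append({"ballot_id": ballot_id, "recorded": choice,
                  "commitment": commitment(ballot_id, password, choice)})
    return ballot_id


def voter_check(board, ballot_id, password, intended):
    """Individual verification. Nothing here is bound to the voter as a person:
    whoever is handed the ballot ID and password gets the same answer, which is
    the coercion objection raised in the thread."""
    rows = [row for row in board if row["ballot_id"] == ballot_id]
    if len(rows) != 1:
        return "missing-or-duplicated"
    if not hmac.compare_digest(rows[0]["commitment"],
                               commitment(ballot_id, password, intended)):
        return "commitment-mismatch"
    if rows[0]["recorded"] != intended:
        return "recorded-differently"
    return "ok"


def public_audit(board, announced_tally, voters_checked_in):
    """Checks anyone can run without a password: recount the board and
    reconcile the ballot count against the number of people recorded as voting."""
    findings = []
    if Counter(row["recorded"] for row in board) != Counter(announced_tally):
        findings.append("announced tally differs from board recount")
    if len(board) != voters_checked_in:
        findings.append(f"{len(board)} ballots on board, "
                        f"{voters_checked_in} voters checked in")
    return findings


def detection_probability(altered, check_rate):
    """Chance that at least one of `altered` ballots belongs to a voter who
    checks, assuming each voter checks independently with `check_rate`."""
    return 1 - (1 - check_rate) ** altered


def demo():
    board = []
    voters = {  # constructed sample data
        "B-1001": ("tulip-42", "X"),
        "B-1002": ("harbor-7", "X"),
        "B-1003": ("quartz-19", "Y"),
        "B-1004": ("linen-88", "X"),
    }
    for ballot_id, (password, choice) in voters.items():
        cast(board, ballot_id, password, choice)
    # Constructed tampering: one recorded choice changed, one extra ballot added.
    board[1]["recorded"] = "Y"
    cast(board, "B-9999", "no-such-voter", "Y")
    announced = dict(Counter(row["recorded"] for row in board))  # agrees with the board
    checks = {bid: voter_check(board, bid, pw, choice)
              for bid, (pw, choice) in voters.items()}
    return board, checks, public_audit(board, announced, len(voters))
```

Only the voter whose row was changed sees a problem; the added ballot is invisible to every individual check and shows up only in the count reconciliation.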

We aren't sure what happened (3, Funny)

mwfischer (1919758) | about 5 months ago | (#46999447)

Even though it's not on the ballot, Estonia overwhelmingly voted to join Russia.

pardon? (0)

Anonymous Coward | about 5 months ago | (#47001289)

is this your take on being funny?

Jealous? (3, Funny)

Loki_1929 (550940) | about 5 months ago | (#46999783)

I think everyone else is just jealous because they have low voter turnout while Estonia's going to get 3000% in their next election.

The only downside is the overwhelming election of Moot to Prime Minister.

NSA will save the day (1)

xfizik (3491039) | about 5 months ago | (#46999905)

No worries, Estonia. NSA will make sure Russia will not hack into your internet voting system.

Great job, editors (0)

Anonymous Coward | about 5 months ago | (#46999981)

[...] transparency measures are insufficient. and the software design is vulnerable to cyber attacks 'Estonia's Internet voting system blindly trusts the election servers and the voters' computers,. said U.S. computer scientist J. Alex Halderman [...]

Way to go, Dice. Placing popup ad containers at the bottom of the frame (which sometimes appear empty - but how will I know what useless thing to buy now?!) is evidently of a much higher priority.

FUD (2)

linnumees (1147107) | about 5 months ago | (#47000175)

Firstly, people here should understand that e-voting as in voting machines and internet voting are completely different and not really comparable.

One of the opposition parties of Estonia is strongly against internet voting, mainly because their voters are not using it a lot and they are able to mobilize their voters well to go voting on paper as opposed to most other parties. For various reasons they are in power at the capital city and the trip of the researchers to go and observe the current voting process was paid by the city, so already for that they can't claim that they are totally independent. And, of course, the fact that the whole thing came to light a few days before the elections of the European Parliament was just a coincidence. Thus far they have yet to actually publish the report, which, from what we know thus far, doesn't have any new attack vectors, only the ones that were already considered more-or-less from the very beginning.

Estonia has a smartcard-based ID card that can be used for authentication and digital signatures (two different keys). The latter is legally as good as your handwritten one which means you can build all sorts of services on top of that, elections are just one of them. The vote is encrypted with the public key of the current election, signed with the ID card and sent to a central server. Later, the double votes are removed according to the list of people who voted on the election day (so if you were forced to vote for someone and your ID card taken away, you can just grab your passport and go vote again using the paper-based method), votes are separated from the signed container, moved to a physically different machine, decrypted and counted. Anyone can go and see how all the process is done, it is fully auditable and all the video recordings of the whole process are later uploaded to Youtube. By no means it is so that only some certain people are chosen to make the audit to get favourable results.

Additionally, you can also check that the vote made it into the system and was for the correct candidate [www.vvk.ee] with your smartphone without compromising secrecy, so even if your computer was infected with malware, you can still make sure everything goes correctly.

See the website of the elections committee [www.vvk.ee] for more.
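The flow described in the comment above (encrypt to the election key, sign, remove double votes, strip the signatures, decrypt and count on a separate machine), as an added sketch that is not part of the original comment and not the Estonian system's code. Textbook RSA with toy Mersenne-prime keys stands in for the real encryption and ID-card signatures, the voter names and votes are constructed, and keeping only the last electronic vote per voter is an assumption of the sketch.

```python
import hashlib, secrets
from collections import Counter

E = 65537

def keypair(a, b):
    """Textbook RSA from Mersenne primes 2**a-1, 2**b-1: toy sizes, NOT secure."""
    p, q = 2**a - 1, 2**b - 1
    return (p * q, E), (p * q, pow(E, -1, (p - 1) * (q - 1)))

def digest(ct, n):
    return int.from_bytes(hashlib.sha256(str(ct).encode()).digest(), "big") % n

def cast(choice, election_pub, voter_priv):
    """Voter: inner envelope = encrypted choice, outer envelope = signature."""
    n, e = election_pub
    m = (choice << 64) | secrets.randbits(64)  # random pad so equal votes differ
    ct = pow(m, e, n)
    vn, vd = voter_priv
    return ct, pow(digest(ct, vn), vd, vn)

def collect(submissions, voter_pubs, paper_voters):
    """Collecting server: check signatures, keep each voter's last e-vote,
    drop e-votes of people who voted on paper, pass on ciphertexts only."""
    latest = {}
    for voter, (ct, sig) in submissions:       # arrival order
        n, e = voter_pubs[voter]
        if pow(sig, e, n) == digest(ct, n):
            latest[voter] = ct
    inner = [ct for v, ct in latest.items() if v not in paper_voters]
    secrets.SystemRandom().shuffle(inner)      # break the arrival-order link
    return inner

def tally(inner, election_priv):
    """Counting machine: sees anonymous ciphertexts, never names or signatures."""
    n, d = election_priv
    return Counter(pow(ct, d, n) >> 64 for ct in inner)

def demo():
    epub, epriv = keypair(89, 107)             # constructed election key
    keys = {"alice": keypair(61, 89), "bob": keypair(61, 107),
            "carol": keypair(89, 127)}         # constructed voters
    pubs = {v: pub for v, (pub, _) in keys.items()}
    priv = {v: pr for v, (_, pr) in keys.items()}
    subs = [("alice", cast(1, epub, priv["alice"])),
            ("bob",   cast(1, epub, priv["bob"])),
            ("alice", cast(2, epub, priv["alice"])),  # re-vote replaces first
            ("bob",   cast(2, epub, priv["carol"])),  # wrong key: rejected
            ("carol", cast(1, epub, priv["carol"]))]  # later votes on paper
    return tally(collect(subs, pubs, paper_voters={"carol"}), epriv)
```

The counting step only proves what the ciphertexts it was handed contain; whether `collect` passed on the right ones is exactly the trust question the replies in this thread argue about.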

Re:FUD (0)

Anonymous Coward | about 5 months ago | (#47002221)

> Anyone can go and see how all the process is done

I'd really like to know how you see how the computer decrypts stuff. Do they use relay-based computers? Because otherwise there's no way to know. And don't come with that "but the source code is available" stupidity, I can hardly compile it myself and put it on the election computer.

anyone look at this from the other direction? (0)

Anonymous Coward | about 5 months ago | (#47000445)

Maybe people don't want Estonia to use e-voting because they can't control it as well and are possibly scared of the long time effects of e-voting. Estonia has been e-voting since 2005; why is this becoming an issue 9 years after they began?

If you can't get paper ballots correct... (1)

Loopy (41728) | about 5 months ago | (#47001681)

...how do you expect to get a much more complex system correct? Mind you, I'm aware that the problem is not necessarily the system itself, but the transparency of the system. People probably won't like to hear it but I'd suggest that the only way to eliminate fraud is to have votes linked to your ID so that every vote can be verified as A) not having voted multiple times, B) not voting if you don't exist in at least two separate systems e.g. social security and driver's license, and C) not voting outside of your registered district's area unless it's a national ballot initiative. Further, no more provisional ballots: if you cannot be bothered to register well enough ahead of an election to participate via the normal means, you do not get to vote.

The report is part of a political gambit (1)

Freultwah (739055) | about 5 months ago | (#47003133)

There is really nothing to see here. The report was commissioned by the Estonian Centre Party (ostensibly by the City Council of Tallinn, but they are the same thing) and was strategically scheduled to be published a few days before the European Parliament elections. (The Centre Party has been denouncing e-voting for a long time, mostly because they don't do well at those because of the demographics of their core electorate, and of course their own constant campaigning against it.) The team was handpicked from among well-known e-voting contrarians, so the result was a foregone conclusion. I was only surprised how much demagoguery and outright lies went into it, but then, knowing the Centre Party, I should not have been. Cherry-picking the data, wilfully drawing the wrong conclusions, purposefully deceiving the reader, deliberately ignoring information that disproves what they're out to achieve etc etc. Let's just say that the fact that letting the observers know the SSID and the password of the guests' wireless network segment does not constitute a security breach that would merit annulling all the election results. There were other laughable ‘discoveries’ as well, such as “we took the copy of the system home and logged on as root, we were able to change some stuff in it”. Well, duh. If you're on the clock, you must draw the conclusions that the master demands, and even better if you are predetermined to do that anyway because of your convictions (which indeed were the reason you were hired anyway).

Re:The report is part of a political gambit (1)

Freultwah (739055) | about 5 months ago | (#47003315)

And since I cannot edit my own post, here is the rebuttal of the Estonian National Electoral Committee: http://www.vvk.ee/valimiste-ko... [www.vvk.ee]

just for information (0)

Anonymous Coward | about 5 months ago | (#47004147)

http://www.vvk.ee/valimiste-korraldamine/vvk-uudised/vabariigi-valimiskomisjoni-vastulause-the-guardianis-ilmunud-artiklile/

Meanwhile in Estonia... (0)

Anonymous Coward | about 5 months ago | (#47004717)

Meanwhile in Estonia... Estonians don't give a fuck about "e-voting sucks!" experts.
