Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

E-voting

  • 26-11-2003 12:33pm
    #1
    Moderators, Society & Culture Moderators Posts: 1,735 Mod ✭✭✭✭


    There is supposed to be a switch from the traditional voting method to electronic voting and there is a debate at the moment about whether there should be a print-out of the vote taken and put into a secret ballot box or not have a print out. Is it feasible to have virtually 100% security of an evoting system, without the back-up of a printed vote?


Comments

  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 93,596 Mod ✭✭✭✭Capt'n Midnight


    star gazer - you've probably seen these already on the politics forums
    http://www.boards.ie/vbulletin/showthread.php?postid=1200702#post1200702

    Some Ideas...
    http://www.boards.ie/vbulletin/showthread.php?postid=1182331#post1182331
    http://www.boards.ie/vbulletin/showthread.php?postid=1223001#post1223001

    The current system of tallymen as witnesses (are they all from political parties?) being able to see everything (litterly) and reporting down to street level makes it difficult to cheat, (apart from very well organised box stuffing) or personation (vote early, vote often) - and that is the level you need to get to - my point about what happens if you keep the receipt still stands as does the one about bleaching or colouring inks...


  • Moderators, Society & Culture Moderators Posts: 1,735 Mod ✭✭✭✭star gazer


    Indeed, but is there a way of ensuring that the computer cannot fail in it's function without the need for a paper back up? No system is going to be 100% perfect, but even a small error in software could collapse the whole system, right? So if there is government impetus to roll out evoting, can they have certainty with solely electronic information?

    capt, does that mean your conclusion is either to go with solely electronic voting or solely paper-based?


  • Moderators, Social & Fun Moderators Posts: 10,501 Mod ✭✭✭✭ecksor


    Originally posted by star gazer
    Indeed, but is there a way of ensuring that the computer cannot fail in it's function without the need for a paper back up?

    Basically no. You can attain high levels of assurance that some software is highly unlikely to fail, but any system can fail due to problems with the hardware, software or its usage. The paper back up isn't an attempt to make sure that it doesn't fail in its function, it is to make sure that there is a check and/or audit trail in place in case of dispute or failure.


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 93,596 Mod ✭✭✭✭Capt'n Midnight


    So far I've seen no evidence that ANY resonable checks are used - 16 bit checksum in the 21st century....

    That is about 5,192,000,000,000,000,000,000,000,000,000,000 times more likely to miss an error than the de facto 128 bit checksums used for basic internet checking....


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 93,596 Mod ✭✭✭✭Capt'n Midnight


    Folks - don't forget that for most of the history of this state all ballot papers were numbered and could have easily been traced back to the individual voters...

    Also recounts could be interesting - at present when surplus votes are transferred, it it quite litterly picking up a pile of votes and distributing them , not sure what techniques are used to ensure they are a representative sample of the overall votes , but during a recount it may not be those same ballot papers transferred - hence recounts can give different results..

    With e-voting you could run these transfers more than once to procduce more than one complete result. The final results would then be averaged. Recounts would involve more itterations until you arrived at a result unlikely to be changed but more passes... You could have seats being decided by less than a vote. :)


  • Advertisement
  • Moderators, Social & Fun Moderators Posts: 10,501 Mod ✭✭✭✭ecksor


    Originally posted by Capt'n Midnight
    So far I've seen no evidence that ANY resonable checks are used - 16 bit checksum in the 21st century....

    That is about 5,192,000,000,000,000,000,000,000,000,000,000 times more likely to miss an error than the de facto 128 bit checksums used for basic internet checking....

    That is the funniest thing I've ever read on boards.ie

    Anyway, what is this 'basic internet checking' that you speak of?


  • Moderators, Society & Culture Moderators Posts: 1,735 Mod ✭✭✭✭star gazer


    The voter verifiable audit trail looks vital to any proposed system. The fact that you get to see the vote, verify it (without getting to touch it) and it goes into a secret ballot box seems to be the only way to go. It is troubling that there isn't much of an uproar about this. techies to the rescue. :)


  • Moderators, Social & Fun Moderators Posts: 10,501 Mod ✭✭✭✭ecksor


    Originally posted by star gazer
    techies to the rescue. :)

    To an extent. The issues here aren't really technical though, they just happen to involve technology.

    People should be thinking about the lack of clear evidence in the event of vote tampering and the loss of the ability to spoil your own vote, for example. The extent of the assessment from a technical point of view that needs to be agreed upon and understood is that the new system is not built in a way that assures us that it will work as expected.


  • Moderators, Society & Culture Moderators Posts: 1,735 Mod ✭✭✭✭star gazer


    originally posted by capt'n Midnight
    With e-voting you could run these transfers more than once to procduce more than one complete result. The final results would then be averaged. Recounts would involve more itterations until you arrived at a result unlikely to be changed but more passes... You could have seats being decided by less than a vote.

    afaics it won't be done by fractions
    http://www.irlgov.ie/debates-03/26Nov/Sect3.htm#18
    martin cullen
    As Members will know, in the case of surpluses, we only take the particular portion of those that were transferred. We are maintaining the traditional system in the election next year. If there is a view that we should go much deeper, legislation will be required to change the situation.
    originally posted by ecksor
    To an extent. The issues here aren't really technical though, they just happen to involve technology.
    agreed, however, it will be technical arguments that will be used to persuade the public it works, people opposing will just be labelled anti-technology and anti-progress. That's why it is important to have the tech argument strong or there will be no argument, just simplified generalised statements.


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 93,596 Mod ✭✭✭✭Capt'n Midnight


    Originally posted by ecksor
    That is the funniest thing I've ever read on boards.ie

    Anyway, what is this 'basic internet checking' that you speak of?

    'basic internet checking' eg: HTTPS or similar - ie anywhere where you would expect privacy and some security, banks , shopping on line, really anything where would not want impersonation or eavesdropping..

    Even IE 6 comes with 128 bit encryption (M$ not being innovators etc.) and you can't get a windows system without this built in (e-voting seems to be windows based and in order to be patched to the max you need IE6..) Encryption and Authentication are much more complex than checksums..

    Downloads generally have an md5 checksum of 128bits
    microsoft are being taken to court for robbing someones implementations of this..

    It's not expensive rocket science eg:

    Fsum 2.5 - a little dos app that does 15 different types of checksums - only 81KB http://www.slavasoft.com/ and it's free ...
    FSUM -r *.* > crc.txt
    will generate a text file with md5 checksums for files
    FSUM -c crc.txt
    will check all those files for changes later on.
    *no it does not use 16 bit checksums...

    Again re the paper trail - I reckon it could be beaten easily by using photobleaching ink (disappears later) and something based on thermal fax paper (the image appears later) so there will need to be safe guards there. Perhaps a device that punches little holes in the paper - By all accounts Mr Bush swears by them.
    Is a pregnant chad a spoiled vote ??


  • Advertisement
  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 93,596 Mod ✭✭✭✭Capt'n Midnight


    The polling machine would print a hash number - a checksum designed to show the results haven't been tampered with..

    http://www.garykessler.net/library/crypto.html
    Look at table 1 it lists the time and effort to crack the code.
    eg: in 1995 it would take a home user 5 hours to crack a 40 bit code. Today's computers run 50 times faster. Also they have enough ram so you could use look up tables rather than number crunch which dramatically speeds up the operation. - 16 bit check sums would be trivial - you could change votes easily and still get the same checksum when they rechecked it again (after the ink has changed coulour etc.)

    http://www.ece.arizona.edu/~medenis/hw2/sem_pro.htm
    . A machine capable of calculating and searching 10 billion MD5 hashes per second would take nearly 58.5 years to have a 50% chance of finding a matching pair of messages. Consequently, MD5 is probably secure enough for most applications.


  • Moderators, Social & Fun Moderators Posts: 10,501 Mod ✭✭✭✭ecksor


    Originally posted by Capt'n Midnight
    'basic internet checking' eg: HTTPS or similar - ie anywhere where you would expect privacy and some security, banks , shopping on line, really anything where would not want impersonation or eavesdropping..

    Which ensures that maliciously creating a collision is very difficult for an attacker to do.

    Your calculation of 2^128 / 2^16 = 2^112 is essentially correct for a random corruption, but you're not looking for protection against a random corruption, you're looking for protection against a malicious collision? So, there may be a simple algorithm for generating a collision.

    However, that doesn't mean that we should advocate the use of cryptographic hash functions for basic sanity checking. In the case of the memory cards in the diebold systems for example, an attacker who is swapping out memory cards and causing a reset is just going to have a different sane state validated by a more expensive algorithm.


  • Registered Users, Registered Users 2 Posts: 370 ✭✭wasabi


    However, that doesn't mean that we should advocate the use of cryptographic hash functions for basic sanity checking. In the case of the memory cards in the diebold systems for example, an attacker who is swapping out memory cards and causing a reset is just going to have a different sane state validated by a more expensive algorithm.

    Be useful if you had an audit log off somewhere else though? A write only one with multiple backups in different places for preference. Then you couldn't either mess with or disappear any votes, but you do have to assume that the voting machine is storing the correct checksum for the vote that it's showing on screen, which is an assumption nobody wants to make I think.

    Anyway we're talking Access databases without even a password here, so checksums are in a whole other league. :ninja:

    And it certainly doesn't beat a VVAT for elegance and simplicity. Why use a hammer...


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 93,596 Mod ✭✭✭✭Capt'n Midnight


    The point was that they were using a 16 bit check sum (any bets it was linear addition rather than CRC16 ) so to beat that you don't need to do ANY calculations.
    For up to 32 bits all you need is a huge lookup table eg: 4GB.
    When you see the check sum from the REAL election, you then look up the "Adjusted" result with the same checksum...

    Agree that there are ways around checksums by swapping cards etc. - but you have to start somewhere - point is the system must be more secure than then current human one - simply because a human isn't looking over your shoulder every step of the way.

    Swapping cards raises another issue - redundancy - at no point should a single hardware failure cause a lost vote. eg: you would have the vote stored in a transaction log on a different machine as well before you commit on the first one - this means that once the person confirms their vote it is now stored in at least two places. Truth be told since most voting stations are schools they REALLY should have broadband already to deliver votes centrally - but that would raise other security options. But you could post zero knowledge proofs of each vote as they happen - this would make it more difficult to "stuff" the ballots...

    Biometrics to prevent personation - very messy especially if it could be traced back to your vote by time...


  • Moderators, Social & Fun Moderators Posts: 10,501 Mod ✭✭✭✭ecksor


    Originally posted by wasabi
    Be useful if you had an audit log off somewhere else though?

    Potentially ...
    you do have to assume that the voting machine is storing the correct checksum for the vote that it's showing on screen, which is an assumption nobody wants to make I think.

    ... but this point hits the nail on the head. People can blow smoke about bit-size of un-named algorithms until the cows come home, but the context of its use has to make sense. I.e, what assumptions are being made.
    And it certainly doesn't beat a VVAT for elegance and simplicity. Why use a hammer...

    Agreed.


  • Closed Accounts Posts: 94 ✭✭boo-boo


    fyi
    there a campaign to get (at a minimum) VVAT used in evoting here - its at
    http://evoting.cs.may.ie/
    if anyones interested


  • Moderators, Society & Culture Moderators Posts: 1,735 Mod ✭✭✭✭star gazer


    There is a presentation by the people in boo boo's link to a Dáil committe tomorrow among others, perhaps there will be a greater understanding of the system eminating from that.
    The assumptions point is a very important one. Assuming where there should be a safegaurd and transparency.


  • Registered Users, Registered Users 2 Posts: 332 ✭✭spod


    It seems the presentation to the oireachtas comittee yesterday went quite well.

    The spokeswomen for the Irish Citizens for Trustworthy E-Voting (see the http://www.evoting.cs.may.ie link), Margret McGaley was interviewd on the Pat Kenny radio show on rte1 this morning.

    http://www.rte.ie/rams/radio/latest/Thu/rte-todaywithpatkenny.smil

    Seemingly it's about 4 minutes into the stream. Haven't had a chance to listen to it myself yet.

    There was also an article in todays Irish Times on the topic.

    http://www.ireland.com/newspaper/ireland/2003/1211/2783620428HM9EVOTING.html
    Call for review of electronic voting plan
    Arthur Beesley, Political Reporter




    The Fianna Fáil chairman of an Oireachtas Committee is to write to the Minister for the Environment, Mr Cullen, expressing concern about the electronic voting system after an academic said voters could not trust the system.

    The Kildare TD, Mr Seán Power, who chairs the Joint Oireachtas Committee on Environment and Local Government, said he would ask Mr Cullen to spend no more money on the system until the Committee had finished examining the plans.

    With the Government planning to use the €38 million system at polling stations throughout the State in the local and European elections next June, Mr Power said the Committee wanted to hear from officials at Mr Cullen's Department next Thursday.

    He was speaking after a computer scientist from the National University of Ireland at Maynooth, Ms Margaret McGaley, told the committee that the system should modified radically if it was to be used in the elections.

    She said "absolutely not" when when asked whether the system should be used in the elections without being changed, and added that voters must assume that errors were possible.

    Ms McGaley warned that it was possible to programme the machine to check for votes for a particular party and change the vote to another party. Such a system could transfer every fifth vote. She said it was impossible to verify that the system was safe because the Government had refused to publish the "source code" of the computer system for a transparent public audit.

    Ms McGaley, who is working on a PhD on electronic voting, is founder the Irish Citizens for Trustworthy E-Voting, a lobby group which aims to convince the Government that the system as planned "poses a genuine threat to our democracy".

    It was not enough for Mr Cullen or the Government or the Opposition to be satisfied with the system, she said. "The electorate must be satisfied. As it stands the proposed system is not worthy of their trust."

    The greatest problem with the system was that the results could not be independently verified.

    "If the proposed system is not behaving as it should - either by accident or malicious tampering - effects on vote outcomes might never be detected."

    Ms McGaley said the system should be modified so that a paper record should be made of every vote taken. These official records of votes would could also be used for spot-checks or recounts.

    Two computer experts, who are Labour party members, also made a presentation warning of that the Government system was unsafe.

    Mr Robert Cochran said the system was not transparent to voters or to an audit process. The concerns of independent consultants to the Government were "largely ignored" by the Government, he said.

    His colleague, Mr Shane Hogan, said the basic steps to manage the system were not documented in the guide for returning officers during the trial of the system in the general election last year.

    The independent TD, Mr Jackie Healy-Rae, predicted that voters unfamiliar with computers would make mistakes during the rush to vote in the final hour of polling.

    © The Irish Times


  • Registered Users, Registered Users 2 Posts: 332 ✭✭spod


    And, for those who are interested in this sort of thing and not on the e-voting list for whatever reason, here's the statement margret gave wednesday.
    Statement by Ms Margaret McGaley at the Joint Committee on Environment and Local Government on 10 December 2003



    Electronic Voting in Ireland



    Good afternoon. Before I begin, I would like to thank the Chairman and the Committee for inviting me to give a presentation today. I hope that I can address some of the issues of concern to the Committee with regard to electronic voting.



    My name is Margaret McGaley. I am currently working on a PhD on electronic voting at NUI Maynooth - which is where I got my BSc in computer science. My final year project was about electronic voting, and my conclusions let me to set up Irish Citizens for Trustworthy Evoting (evoting is just short for electronic voting, and refers to any voting system which has electronic parts).



    Irish Citizens for Trustworthy Evoting - or ICTE - was set up to convince the Irish Government that evoting in its proposed form poses a genuine threat to our democracy. Many of our members are computer professionals. We are not Luddites, afraid of technology, but concerned citizens who recognise the very real dangers associated with electronic voting. We are not saying that evoting is unworkable, but we are calling for some minimum safety precautions.



    There are several issues I will not have time to cover in my presentation, but I will be happy to answer any questions you have on such issues as the use of formal methods and opening the source code to public scrutiny. These are important issues, but they are secondary to what I will be talking about today.



    Let me first explain the dangers we see in the proposed system, and then I will describe the solution we propose.



    Nedap/Powervote claim that their software is 100% accurate. If their software had been developed to the highest standard possible - for example to the standard generally attained by NASA in their software projects - it would still be expected to contain a minimum of 60 faults. NASA, who's employees' lives depend on the reliability of their software, are among the world's most accurate software developers. Now if NASA (who are rocket scientists) could expect 60 faults in a software project the size of the Nedap/Powervote system, then how many more faults could we expect to find in a system developed by a company who are nowhere near that calibre? My own experience has taught me that no software developer worth their salt would ever dream of claiming 100% accuracy.



    The main problem is that if the proposed system was not behaving as it should - either by accident or because of malicious tampering - effects on vote outcomes might never be detected. This is because results cannot be independently verified.



    As a voter, what proof do I have that the vote displayed on the voting machine is the one stored? What proof do I have that it is counted correctly? I have to trust that the hardware and software are storing and counting my vote correctly. That means that instead of trusting Gardaí and election officials as we do in the all-paper system, we must trust individual software engineers.



    Furthermore, any succesful tampering with the all-paper system affects one constituency, once, whereas a successful attack on the electronic system could affect every constituency every time the system was used.



    The simple solution is to provide tangible evidence to each voter that their vote is recorded correctly. I propose that any evoting system used in Ireland must provide a Voter Verified Audit Trail; that is, every voter sees their vote on a piece of paper go into a ballot box. These papers would be the official record of votes cast and would act as a safeguard. Errors in the electronic system would then be detectable, because results could be independently verified. Recounts would be done using the paper ballots. A system of spot-checks would also be introduced whereby constituencies would be chosen at random and the paper ballots counted to confirm the electronic results. The handout I have provided contains a clear explanation of voter verified audit trails. (The handout included http://www.free-project.org/resolution/explain.html)



    Now I'd like to dispel 3 myths about voter verified audit trails.



    Myth 1) They endanger the secrecy of the ballot.



    Untrue! There would be no connection between vote and voter - just as there is no connection between vote and voter in the all-paper system.



    Myth 2) Recounts based on the paper ballots would give different results to the electronic count.



    Untrue! Just as recounts in the all-paper system make the same transfers as were made in the original count, recounts based on the paper ballots would make the same transfers as were made in the electronic count.



    Myth 3) The proposed system provides an adequate audit trail.



    The so-called "audit trail" provided by the Nedap/Powervote system serves no useful purpose, and certainly does not mitigate the need for a voter verified audit trail. It is a print-out of the votes records, but provides no assurance that the votes recorded are the votes cast.



    The Nedap/Powervote sysetm is not safe as it is. If we must have electronic voting in this country, then we have two main options - replace Nedap/Powervote with a cheaper system using scanners, or alter the Nedap/Powervote system to include a voter verified audit trail.



    The first of these options - a new system based on scanning - would look very similar to the all-paper system from the voter's point of view. At the count centre, votes would be scanned and counted electronically.



    The second option - altering the Nedap/Powervote system - would involve the addition of a printer to each voting machine. When the vote was cast, the ballot paper would be printed. The voter confirms that the printed ballot is correct, and it is deposited into a normal ballot box. With the addition of printed ballots, at least the potential exists to find any faults in the electronic system.



    The minister has repeatedly stated that he is satisfied that the Nedap/Powervote system can be trusted. Well, when it comes to the electoral process, it is not enough that the minister or the government or even the opposition be satisfied. Above all, the electorate must trust the electoral process. As it stands the proposed system is no worthy of their trust.



    Thank you for your time.





    Glossary of Terms



    Computer Science -

    the branch of knowledge that deals with the construction, operation, programming, and applications of computers (Oxford English Dictionary)



    Evoting of Electronic Voting system -

    a voting system which involves electronic components, for example in the counting or vote collection processes.



    Fault -

    an error in software which may lead to undesired behaviour, for example data corruption or system crash.



    Formal Methods -

    a set of rigorous mathematical methods of software development, which can greatly reduce the number of faults in a software system.



    Hardware -

    the physical components of a computer.



    Software -

    the programs and other operating information used by a computer.



    Software engineering -

    the professional development, production, and management of software.



    Source Code -

    human readable instructions, written by software engineers, which describe the actions to be undertaken by a computer.



  • Closed Accounts Posts: 94 ✭✭boo-boo


    theres an excellent report (Report on IES counting software) written by Joe McCarthy, a computing professional with extensive election count experience. A pretty forensic analysis of the publicly available information - its at
    http://evoting.cs.may.ie/reading.shtml

    - its very well written too.

    available in txt & doc format -
    I'd recommend giving it a look.


  • Advertisement
  • Moderators, Society & Culture Moderators Posts: 1,735 Mod ✭✭✭✭star gazer


    E-Voting
    -a new activism forum to discuss this topic as a whole.

    There doesn't seem to be any credence put on the weight of the technical arguments that are put up, especially to that environment committee.
    originally posted by ecksor
    To an extent. The issues here aren't really technical though, they just happen to involve technology.
    You proved right, it did help not having concerns about evoting undermined in technical arguments at the committee but when push came to shove, technical logic went out the window and political reality was master of the day.


Advertisement