[liberationtech] E-Voting
Rich Kulawiec
rsk at gsp.org
Wed Dec 7 06:24:41 PST 2016
On Fri, Dec 02, 2016 at 02:26:49PM -0500, Andres wrote:
> Rich, the article you link to talks about the risk of one individual voting machine being tampered with.
I think you missed the point Schneier was making. It's NOT about one
individual voting machine, it's about attacker budgets. Look at the
big picture, not the small one he used to illustrate the point.
An attacker with a $100M budget (a conservative estimate in 2004, now
clearly only a fraction of what is available) isn't going to use it to
attack just one voting machine: that'd be a poor return on investment.
A 2016 attacker, who could have a budget an order of magnitude larger,
would likely attack in a systemic, distributed -- and subtle -- fashion.
> When voting online you can use any hardware (PC, Mac, Linux, iPhone
> or Android phone, public or private) to vote and later verify your vote.
That last part ("...later verify your vote") disqualifies the system
from use. This is a well-known problem with election systems (electronic
or otherwise): if you can verify your vote at some later point, then
so can someone else. And if someone else can verify your vote, then
you can be induced (willingly or otherwise) to vote as directed.
And even if that's addressed, there's a massive problem with this approach,
or ANY approach that allows voters to use their own computing systems.
End-user systems are compromised in enormous numbers. This is a well-known
problem that's been discussed at length for much of this century, e.g.:
Vint Cerf: one quarter of all computers part of a botnet
http://arstechnica.com/news.ars/post/20070125-8707.html
When Cerf made that estimate, I thought -- based on my own research and
consultation with others doing similar work -- that it was too high by
perhaps 25% to 50%. With the benefit of hindsight, I think he was right
and I was wrong. Given the passage of time since then, the numbers are
undoubtedly far higher. (Doubly so since nothing truly effective has
been done to reduce them or even slow down the growth rate, and many
things have happened to make the situation much, much worse.) I suspect
that the number of compromised systems is probably ten times what it was
ten years ago and no doubt the mass deployment of IoT devices with horrible
(or no) security will make this even worse. And if various governments
are successful in forcing vendors to build in backdoors, it will get
MUCH worse in a big hurry.
Why does this matter? Because (as I've said ad nauseam) if someone else
can run arbitrary code on your computer, it's not YOUR computer any more.
If your phone is compromised, and you use it to vote, and you later
use that phone to verify that your vote was cast as you think it was,
how do you know that what you're seeing on the screen is correct?
Why couldn't the same malware that redirected your vote from candidate
A to candidate B also show you that you voted for candidate A? (That isn't
a particularly challenging software problem given that the former has
been solved.)
Remember: it's not your phone any more. It's theirs. You may walk
around with it, you may use it, but you don't own it. Not any more.
So why would you expect someone else's phone to behave as you think
or believe or want it to?
Does that malware exist? I don't know. But I do know that if a
sizable enough population starts using their phones to vote, it WILL
exist, because it will become worth someone's effort. (And by the way:
this will require far less than even the small $100M budget from 2004.)
Substitute "tablet" or "laptop" or "smart home IoT device" or "desktop"
or whatever without loss of generality for "phone".
Any voting system which allows voters to use their own computing devices
is fatally flawed and must be dismissed, with prejudice, immediately.
---rsk