Main points from talk by Barbara Simons (Cambridge)

Here follow the main points Barbara Simons made at the Cambridge talk last Thursday on Internet voting and the SERVE project:


This should only be a technical issue, not a political one [said BS]. However, there is a willingness on the part of policy-makers to believe what vendors tell them, perhaps owing to policy-makers having little or no understanding of technology. There have been verbal attacks on computer scientists voicing concerns in the US. The issue of voter confidence is going to be a problem.

E-voting is hard
- the question from the public is: "if I can buy a book from Amazon.com, why can't I vote?
- but e-voting is harder than e-commerce: the stakes are exceedingly high, democracy depends on voter confidence, more challenging
- Denial of Service attacks on e-commerce may prevent some sales - with voting, does not invalidate those that do succeed
- interference may be difficult to detect e.g. no bank statement; with e-commerce, failure can be detected
- anonymity of voting (in US) makes it impossible to determine if votes correctly counted
- how to detect failure? - airplanes crash (less of an incentive to make airplanes crash), books are not delivered
- there are more incentives to fix an election than to fix some other types of system

Some solutions sound fine from a comp.sci. perspective, but in the real world, politics intervenes - can't count on provisions for holding election again.

SERVE project
- in US, voting is regulated at state and then county level - a small number signed up for SERVE
- USD22m Department of Defense project for 2004 elections and primaries
- would allow voting by: any military, civilians outside country
- despite declarations, website still up and nothing about it being cancelled on the site

- academics invited to come in, including Barbara's team; also included social scientists who "didn't want to see it killed"
- policy makers wanted to go ahead because of concern over military votes in 2004 election

SERVE - conclusions
- SERVE contains all security vulnerabilities of paperless touchscreen voting machines
- Internet and PC-based systems are vulnerable to many potentially catastrophic well-known cyber attacks
- attacks could be large-scale, launched by anyone from anywhere
- impossible to estimate the probability of successful cyberattack on one election
- major elections are tempting targets

- the people who are running SERVE are well meaning but working with flawed set of premises
- are going ahead with SERVE but on the basis of "votes don't count" they say (so what's the incentive to attack?)
- could appear to work flawlessly but lack of detected attacks does not mean there are none

SERVE system requires voters to have
- Win95 or above, MS Explorer 5.5 or above/Netscape Navigator etc.
- the users are responsible for maintaining security of their computers
- voting allowed from public computers with Internet access

Major security problems with SERVE
- software bugs: election software is supposed to be certified whenever mods made; but there is a disincentive to fix bugs as have to get sys certified, which takes 2 weeks at least (all systems), so won't be done just before the election; hard deadline of election, so not a lot of time (also, they don't do a code review)
- insider attacks - can't address; can be very cleverly hidden, could be v hard to detect (see for eg MS Excel 97, which had hidden flight simulator)
- security vulnerabilities on client side: own computer may be insecure - people are not very good about security on their own machine; security risks of computers not owned by voter; especially an issue for minorities and disadvantaged; employer-owned computers may be monitored
- remote attacks on voter's computer (Denial of Service in many possible varieties)
- viruses and worms: virus checking software only works against previously known viruses; small-scale worm can selectively target small sectors e.g. people who visit a certain candidate's site; could lead to selective disenfranchisement; once a computer is infected, all bets are off

Automated buying and selling
- provide credentials (password etc) to purchaser, who could then vote

Recent Internet election - Michigan Democratic Party's Primary
- Internet voting an option
- took place after SERVE report
- their report focus is all on main server, not on client side because they can't know anything about that
- they say there are no attacks (naive)

Election officials
- tend to like the machines, as get immediate results and can go home
- have an unhealthily close relationship with vendors
- well meaning, but often don't understand tech

The big question
- what will this do to the fabric of American democracy, if the same thing happens again? [as in 2000]
- what is the agenda here? - to replace punch card machines? - Simons is not an advocate of PCMs but often, and especially in poorer areas, they are not properly maintained

Recent Spanish elections
- would the unexpected result have been so easily accepted had the voting system been electronic? Probably not

Forthcoming Indian elections
- equipment manufactured by defence industry/department of defence (?)
- what happens in India will be interesting

Anonymity
Anonymity (in the US have, in UK not) is a good idea - civil rights struggles in the South - many blacks not allowed to vote - concern that local councils could see how they voted. US has a recent history of people killed for trying to vote.

The right way to do e-voting
- use optical scan machines in the polling place; this gives feedback
- with earphones attached (for the blind)
- ideally, scanner and voting machine should be made by separate companies
- in whatever case, there should be a percentage manual recount...but what they do generally is print out what's on the machine!