[Reproduced from Dave Farber's IP distribution,
Date: Tue, 12 Dec 2000 20:36:19 -0500.]
A recurring mantra heard from some entities involved in the development and promotion of Internet-based voting systems is that they have conducted "public tests" and thus their systems are secure. If hackers don't break into such systems, the tests are declared a success.

This is of course illogical on its face, because it seems unlikely that people (both U.S. and internationally based) with an interest in subverting the U.S. election process would care to tip their hands by participating in what are essentially publicity stunts. These might attract your average 12-year-old hacker, but not the pros who wait for production systems for their carefully mounted attacks.
In fact, using such "tests" as any sort of validation technique runs contrary to long-established computer and engineering verification practices, and makes a mockery of the rigorous design and testing that is required of systems that are to be deemed secure through extensive and methodical processes (e.g., to gain certification under the ISO Common Criteria or its predecessors TCSEC/ITSEC). "I left my Porsche out in the parking lot with the doors unlocked and the key in the ignition and since it doesn't appear to have been stolen this must be a safe neighborhood," would be an equally nonsensical statement of supposed validation. All proposed voting systems should be subjected to rigorous evaluation, public inspection, and *open-source code* license agreements. Some applicable methodologies do exist, but have not been required. For example, Level 4 Common Criteria should be a *minimum* standard, although even that is not enough.
Security is only as strong as its weakest links. Internet voting (I-voting) will *always* be limited in its integrity by factors beyond the I-voting algorithms. For example, encryption can be an important part of an overall election system. However, although we have strong cryptographic algorithms, we do not have systems with adequate security into which the cryptography can be embedded. Furthermore, voter authentication, vote integrity, voter anonymity, auditability, accountability, recountability, and so on, are all involved, and many of these requirements operate at cross-purposes with one another. The massive vulnerabilities of standard personal-computer operating systems represent very serious concerns, in terms of hidden viruses, worms, Trojan horses, and further surprises unknowingly downloaded by the user with other packages, and waiting to pounce on election day. One proposed solution would be to boot a fresh system from external media in order to vote, but even such an approach does not adequately address these potential vulnerabilities.
Deficient network protocols and the opportunities for insider fraud and accidental misuse abound. In addition to the issues noted above are the weaknesses that result from inadequate operational environments. Neither the client nor the server systems will be adequately secure under foreseeable technology -- including Internet Service Providers and Web servers. For example, proposals such as the use of rotating IP numbers and multiple systems to try to defend against denial of service attacks can be rendered impotent by similar attacks on network concentration points.
As always in any election environment, there are many opportunities for fraud, mischief, and manipulation -- despite ostensible checks and balances. These problems are exacerbated with electronic and Internet voting, where the lack of any physical ballots makes such manipulations impossible to detect and correct -- because there is no meaningful recount capability. Extraordinary vigilance is necessary, but never sufficient.
In the wake of the recent Presidential election problems, the knee-jerk reaction of "gee, can't we modernize and solve all this with electronic and/or Internet voting?" is predictable, but still wrongheaded. The shining lure of these "hype-tech" voting schemes is only a technological fool's gold that will create new problems far more intractable than those they claim to solve.
Peter Neumann, Rebecca Mercuri, and Lauren Weinstein
-----
Peter Neumann moderates the ACM Risks Forum, Chairs the ACM Committee on Computers and Public Policy, and is a cofounder of PFIR -- People For Internet Responsibility <http://www.pfir.org>.

Rebecca Mercuri is a Professor of Computer Science at Bryn Mawr College. She has provided expert testimony on voting systems throughout the past decade. For information on her Penn doctoral thesis and other writings on this subject, see <http://www.notablesoftware.com>.

Lauren Weinstein <lauren@vortex.com> and <lauren@pfir.org> moderates the Privacy Forum <http://www.vortex.com> and is a cofounder of PFIR -- People For Internet Responsibility <http://www.pfir.org>, and Member of the ACM Committee on Computers and Public Policy.
Information on the Common Criteria is at:
http://csrc.nist.gov/cc
An earlier statement on I-voting is at:
http://www.pfir.org/statements/voting