Global wireless e-voting is a terrible idea

After Hurricane Sandy in 2012, election officials in some parts of America decided that they would allow e-voting from home as a relief measure. You downloaded a ballot, you filled it out and you emailed or faxed it back to them. And yes, some people still fax. This was a terrible idea, and here’s why.

Physical voting is centuries old. During that time, virtually every conceivable method of fraud has been tried and since defended against. Because of this, attacks on physical voting do not scale well. It takes so much effort, so many people, and it only takes one person to leak your conspiracy and it all falls apart.

Electronic voting, though? You can attack with one person. It may require the same effort to change one vote as it does to change a million. And it can be done without even setting foot in the country whose elections you are trying to rig.
There are two key parts of an election: anonymity and trust.

First of all, anonymity. You can’t let anyone pay, bribe or threaten to change any votes. If you put an identifying mark on your paper ballot, if you sign it, if you write your name on it, if you do anything that could in theory be used to check how you voted, your vote is thrown out and ignored, just so no one can be forced or bribed to vote a certain way.

And yet, because you marked your ballot and you put it in a sealed box, and that box was only unsealed when it was surrounded by everyone with a stake in the election, you know that your vote is still counted even though you will never see it again. That’s the second key: trust.

You never, ever trust any one person. Ideally, you don’t trust any two or three. People can be bribed, threatened or incompetent. I mean, hell, people have been all these things. But like I said: the more physical votes you want to change, the more people it takes and the less possible your attack becomes. Everyone can see what’s happening and keep an eye on each other, especially if they don’t trust the other side.

So let’s talk about voting machines.

Problem 1: Software and Hardware Audit

In theory, you could have open source software that everyone has checked and is happy with and that has been used for years.
In theory. Remember that you only actually do a full-scale test of this software every couple of years, when there is actually an election; but let’s say, theoretically, that it can be done. How do you make sure that this software is what is actually loaded on the voting machine in front of you on Election Day?

And I know that immediately someone will comment about checksums or crypto. Which is great, except now you have to rely on the software that checks this hash. Or, more likely, the one person who checks it for you. You just moved the problem.

And if you think “I could verify it,” then turn your brain the other way and think “how could I break it?”, because there are trillions of dollars – that’s not an exaggeration – riding on the result of big elections, and that’s an incredible motivation. If you are coming up with fancy ways to get around it … believe me, so are many other people. It may be an angry techie, but it can be an entire political party, or the huge corporations that want a party to win, or entire nation states that want a party to win.
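
The checksum point above, as an added illustration that is not part of the original talk: a digest is only as trustworthy as whatever computes it. The `Machine` classes, `audit` function and firmware bytes are constructed for this example and model no real voting system.

```python
import hashlib
import hmac

# Constructed sample data: the image everyone reviewed, and its published digest.
PUBLISHED_IMAGE = b"ballot-counter v1.0: tally each vote as cast"
PUBLISHED_DIGEST = hashlib.sha256(PUBLISHED_IMAGE).hexdigest()


class Machine:
    """Hypothetical voting machine that can report a hash of its own software."""

    def __init__(self, image: bytes):
        self._image = image

    def self_reported_digest(self) -> str:
        # Honest software hashes what is actually installed.
        return hashlib.sha256(self._image).hexdigest()

    def dump_storage(self) -> bytes:
        # Stands in for reading the storage with separate hardware (assumption).
        return self._image


class ModifiedMachine(Machine):
    """Runs a different image whose self-check is part of that image."""

    def self_reported_digest(self) -> str:
        # The checker runs on the thing being checked, so it can answer anything.
        return PUBLISHED_DIGEST


def audit(machine: Machine) -> dict:
    """Compare both verification routes against the published digest."""
    independent = hashlib.sha256(machine.dump_storage()).hexdigest()
    return {
        "self_check_passes": hmac.compare_digest(
            machine.self_reported_digest(), PUBLISHED_DIGEST),
        "independent_check_passes": hmac.compare_digest(
            independent, PUBLISHED_DIGEST),
    }


if __name__ == "__main__":
    print("honest  :", audit(Machine(PUBLISHED_IMAGE)))
    print("modified:", audit(ModifiedMachine(b"constructed modified image")))
```

The independent route catches the mismatch only by moving the trust to whoever runs the storage reader and the hashing tool, which is the "you just moved the problem" point.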
And all of that assumes you even have permission to verify the software that is running, which you never do, because connecting unknown USB sticks to a voting machine is a bad idea. Not that this has stopped people from plugging unknown USB sticks into a voting machine. It has literally happened. Let us remember that these machines must be left in a room with the voter and no one else in order for them to cast their vote anonymously. Oh, by the way, the machines are often programmed by inserting a USB stick into each of them in turn, so if you compromise the first, jackpot.

In practice, you do not have open source software; you have proprietary, unaudited software that you just have to rely on. This is the real world, by the way: there are some elections running on this. And do you remember what I said? This is an election. You have no trust.

And maybe you think you could have an audit trail, you could have a paper backup that the machine prints while you vote. In that case, congratulations, you just invented the world’s most expensive pencil.

One of the reasons the UK gives people pencils for voting, by the way, is because we are afraid that pens might be changed by any voter to contain disappearing ink. Erasing pencil votes? That takes time, and if you can do it, you can just throw them away. Disappearing ink? It may be an urban legend, but it can actually be a plausible attack vector. This is the level of paranoia we need to work at here.