Monday, October 3, 2011

ICEGov 2011 and Internet Voting.

It was a great conference: Tallinn is a very nice city and the organization has been just  perfect. Nice food, worm and cosy rooms, nice sessions and detailed conference information. So what is my post about ? My post is about Internet voting. A special session about internet voting during the last days opened my doubts on the ingenuity of people. Ingenuity often comes from disinformation. Disinformations about hacking, disinformation about security holes and disinformation about what the attacks can do in real life. I am not going to bore you writing about successful past attacks, but I am really interested on what Internet voting is for. 

Internet voting enables people to vote for their favorite candidate directly from home, or from coffee shops or wherever they prefer. The first main issue about "voting by home" is that voters can technically be able to prove what they voted for. This issues triggers the so called "covert channel attacks" where candidates can buy votes by asking proves of them. It's pretty obvious that letting the voting period be one week long does not prevent this kind of attack. Indeed the attacker might force voters to vote in the last day, he might install Malware on the voters computer to control what they voted for or he might gather people in the same room during the last voting "night" and force them to vote for a specific candidate. This scenario is pretty common, just lets try to think about organizations, political movements, religious groups etc. Kiosk election, theoretically, doesn't let you in the position of proving what you voted for. Cameras, cell phones, copy markers and whatever,  are not allowed in the kiosk room. States that enforce this laws put security checks before the poling stations, for example Iran, Iraq, some Africa states are well enforcing this law.


 

Another interesting issue that people that are using Internet voting don't care about is the trust of people platforms. When I asked: "  How do you deal with Malware  on voters computer ? ", Estonian's Internet Voting chief answered me: " We need to trust people !". This is false. Except few rare cases, people wont to install Malware on their own machines. Malware get installed for many different reasons but not because people want to install them on their computer. So it is not about trusting voters, is about trusting Internet, is about trusting the entire world, even enemies that might hire hackers to compromise your elections. A well studied malware can easily change the vote directly on the voter's machine without the voters know it; it can easily try to compromise the election server and it can easily monitor what you voted for. Even more complicated is when a voter uses an Internet caffe. In this scenario the Internet Voting system must trust a "mercenary" machine. Where with the word "mercenary" I mean a machine that has been used by many different people, potentially used by attackers too. In a well implemented kiosk systems (where voters are checked before getting close to the system) this scenario is not possible since the kiosk operative system is controlled and enforced.



Another huge problem about voting from home, even if by using smart-cards or identification tokens is about "family voting". In other words smart-cards, if used in the way many Internet voting systems are doing, can be borrowed to friends, family members and group leaders. A smart card if used "at home" does not identify the voter, it identifies the cardholder (the same problem we had with credit card bearer). The result is that the cardholder can vote for the real voter. In a kiosk system this cannot happen since pol workers identify the real voter and control that his card is with his name on it.




At this point people can think about paper mail systems. They do allows these insecurity levels too. But again, it is not an excuse to say: "they do bad I can do bad as well". What's the point here ? We are talking about democracy, and as we all know, who leads the democracy of a country can have a huge impact to the real life of citizens.

I am not saying that Internet voting is totally wrong and that we should never use it. I do believe that Internet voting is the future, it increases participation, it easy to manage, it is economic and cheaper then a paper system, it is fast and potentially with low errors rate. My point here  is that right now we don't have enough tools to ensure democracy,  if using Internet voting systems. Internet voting is good, even nowadays, but for "secondary" elections not for "primary ones". "Secondary" elections can be a great test cases for Internet voting systems but letting the presidential election to the hands of Internet voting system could be very dangerous.




2 comments:

BattosaiHimura said...

Really nice article. You made me think about all the eGovernment stuff that's going on and I just believe this kind of system is still too vulnerable to hacking attacks and, as you said, even "brute-force tricking". Unfortunately there's no way to provide a service that's 100% safe and clear... Even in the current voting system we know there's always something that goes wrong.
The real challenge is to develop a secure internet voting system but, again, not only computer-side.

Marco Ramilli said...

Thank you BattosaiHimura. Yes, I totally agree with you.