A critical flaw in Switzerland's e-voting system is a microcosm of everything wrong with e-voting, security practice, and auditing firms


#1

Originally published at: https://boingboing.net/2019/03/13/principal-agent-problems.html


#2

Swiss Post contracted with Barcelona firm Scytl to build the system …

It’s spelled Scytl, but it’s pronounced “scuttle”.


#3

Picture of the CEO:


#4

Of course Swiss Post can be trusted to never, ever tamper with an election, but if the new Governor* of the State of Georgia finds out about this, expect him to take a very keen interest in licensing their work.


#5

If you can’t easily explain how the votes are tallied and verified to the average voter, then your system is opaque, undemocratic, and ripe for abuse. FUCK electronic voting.


#6

[image: Italian Job, switching the computer tape]


#8

Stuff like this is why I’m permanently opposed to e-voting. It’s a terrible solution to a non-existent problem.


#9

The first paragraph of the post and the subsequent paragraphs seem to have two different points of view.

From the first paragraph:

e-voting is a terrible idea and the general consensus among security experts who don’t work for e-voting vendors is that it shouldn’t be attempted

Interesting conjecture. Given full compliance with any given set of voting requirements, why would e-voting differ in any way with meat-world voting?

Putting it another way: people game all systems - past, present and future. Which will be the harder to hack in the future world: bits of paper or bits of bytes? The response is “all media are hackable therefore do your best to minimize the alteration of the probable outcome”.

The subsequent paragraphs describe nefarious practices embedded in proprietary code promulgated by a private entity. And it looks like this entity will be eventually hoisted in its own petard.

Here’s the point: let us not conflate electronic voting with bad actors. If, via the Internet, you may receive valid, beneficial and current knowledge then, via the Internet, you should be able to convey your considered, informed and timely vote on any given matter up for a vote. At any time in the future you should be able to review what you voted on and how you voted. And you should be able to verify these either by visiting a cubbyhole in some town hall somewhere or by swiping your phone enough times.


#10

voter a selects vote a’ and “verifies” it:
a -> a’
a <- a’

e-voting machine tallies vote:
a’ -> b

voter reads about (incorrect) total:
b’s won, we a’s lost.

Only computer scientists can verify that the voting machine tallies correctly, and even that is dependent on published source code and careful reading.

In normal paper voting a’s don’t become b’s, and it’s relatively easy to verify that’s the case.


#11

@doctorow, I am in no way criticising your intentions here, but your view of science is that of a total outsider.

Literally nothing of what you wrote in the quoted section is standard in science, nor even widespread.
We are moving towards this as an aim for the future. Which we will probably never achieve, but nevertheless we are slowly moving towards it.

Yes, we do accept scientific research without data, without data processing, without the full analysis (e.g., statistical programming code). Even if published, none of this is usually accessible to everyone. Paywalls and institutional repositories see to that.

What we do is trust the scientific community to ensure scientific quality, e.g. by peer review. The process can be flawed, and certainly we can do better. But it works, mostly!

I do trust science to a great extent, and I know that my post might stir scepticism in the wrong people. That’s where climate change ignorance etc. is coming from, partly, I reckon.

But as someone who knows some parts of science pretty ok-ish, my toenails roll upwards and my teeth ache when I read your take. It hurts. Please. Don’t do that.


#12

I’m not against electronic voting in principle; there’s nothing that renders it fundamentally unsafe given sufficient maturity (which it notably lacks at present); nor are ill-implemented paper systems immune; but it’s important to keep speed and scale in mind:

One of the reasons why people like (or at least grudgingly accept) IT systems is that they can munge data in industrial quantities really fast. Paper, less so.

‘Hacking’ paper is a comparatively slow process that requires getting access to (usually distributed) ballot boxes, tampering with or swapping them individually, disposing of a bunch of undesired ballots and fabricating their…amended…replacements; and so on. Doable; but requires a fairly quiet and comprehensive network of loyalists (or just enough impunity to have the People’s Republic Of Tyranny Interior Ministry squads walk in and swap the ballot boxes).

A vulnerable electronic system, like this one, is vastly more convenient: single instance of privileged access and you can modify everything nice and neatly. Electronic systems just don’t have the same inertia as paper ones.

All that said, the unpleasant thing about securing voting systems is that even formally correct isn’t necessarily good enough: being able to tamper after the fact is obviously bad; but classics like “just don’t stock polling places you don’t want to hear from properly” still work against impeccably airtight processing systems because those can only protect the integrity of the input they are given.


#13

I don’t think that’s true. How are you going to explain something like a zero knowledge proof to the average voter? Not gonna happen.


#14

Difficult, but doable.

What you need is a hit TV show named Zero Knowledge Proof – something like 24 or Person of Interest, but focused on cryptography and its metaphors.

If that don’t learn 'em, I don’t know what will.


#15

The requirement is the reverse of this, and that’s part of where the problem with all electronic voting occurs. Coercion is a real threat the system must defend against. It’s the same reasons cameras are not allowed in the voting booth.

A voter should be able to cast a vote that, at time of capture, is impossible to change, done in secret, with no possible linkage between the voter and the vote value.

An election audit should be able to track from an outcome backwards to all of the cast votes. However, it should NOT be able to track back to the voter.

A paper ballot provides a vote record that cannot be changed, and once cast it is completely independent from the voter. An entire electronic counting process after that is fine. Audits can (and should) be done to prove that source paper ballots match electronic totals.

An electronic only ballot can be changed. There is no way to capture it and guarantee that it’s reported as the same value intended by the voter after it’s cast. An audit trail that tied back to the voter could solve this problem but it would completely break the secret part fundamental to the election process.

This difference is why banking is so easy and electronic voting is so hard. Linking your ATM transaction back to the specific person doing it is fundamental to the banking process.
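A small constructed model of the argument in #10 and #15, added here as an example and not code from the thread or from Swiss Post or Scytl: a voter's own check of their receipt passes even when the counting step maps a' to b, so the only thing that catches the flip is an audit that recounts the retained source ballots (the paper) against the reported totals. Ballots, receipt ids and the tally functions are all constructed.

```python
"""Model of posts #10 and #15: per-voter verification cannot see a tally flip;
recounting unchangeable source records can. Constructed example, not the
thread's or any vendor's code."""
from collections import Counter

# Constructed cast ballots: (receipt_id, choice). The receipt id is a token
# handed to the voter and is deliberately NOT the voter's identity, so the
# record stays unlinkable to the person, as post #15 requires.
CAST_BALLOTS = [("r1", "a"), ("r2", "a"), ("r3", "b"), ("r4", "a"), ("r5", "b")]


def honest_tally(ballots):
    """Count choices as cast."""
    return dict(Counter(choice for _, choice in ballots))


def tampered_tally(ballots, flip_from="a", flip_to="b"):
    """Post #10's machine: counts a' as b at tally time, after capture."""
    return dict(Counter(flip_to if c == flip_from else c for _, c in ballots))


def voter_verifies(ballots, receipt, expected):
    """The voter's own check (a -> a', a <- a'). It looks only at the captured
    value, so it passes regardless of which tally function ran afterwards."""
    return dict(ballots).get(receipt) == expected


def audit(source_ballots, reported_totals):
    """Post #15's audit: recount the source ballots (the paper record that
    cannot be changed once cast) and compare with the reported totals.
    Returns (totals_match, recount) without ever touching voter identity."""
    recount = honest_tally(source_ballots)
    return recount == reported_totals, recount


if __name__ == "__main__":
    reported = tampered_tally(CAST_BALLOTS)
    print("voter r1 sees own vote intact:", voter_verifies(CAST_BALLOTS, "r1", "a"))
    print("reported totals:", reported)
    print("audit against source ballots:", audit(CAST_BALLOTS, reported))
```

The audit is the check the post calls for; if the only retained record were the electronic totals themselves, `audit` would have nothing independent to recount.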


#16

That is a very big “if” that kinda punches holes in the rest of your paragraph…


#17

In which case, FUCK electronic voting. Unless you do it in a way that any concerned party can verify and check (say, paper ballots counted electronically) then scrap that shit. We don’t need a system where only someone from an incredibly small pool of experts can actually verify whether a count is accurate. Fuck that. Fuck it in the ear.


#18

I think that explained the dental dam aesthetic voting machines tend to have…


#19

I remember when US electronic voting systems were new, someone examined the code in machines made by Diebold. They found a line that said “Divide by x”. There was a line of code that would allow anyone who had access to the system to reduce the total number of votes cast for one party or the other to a fraction of what the real vote had been.

I knew right from the start that e-voting would be a national horror and disgrace. The only people who ever wanted it were idiots and thieves. If you are too freaking lazy to go to a polling place you don’t deserve to vote. If you really, truly can’t make it to a polling place on election day and you can’t bother yourself to remember to do early voting, you don’t deserve to vote.

