Sunday 17 December 2006

Interesting new anti-eVoting angle - Privatisation is bad

There's an interesting (though that may be the wrong word) article over on Jason Kitcat's blog at the moment about the "privatisation of democracy".

I can agree with Jason that the practice of refusing to supply US election officials with equipment because they exposed the equipment to scrutiny is wrong (that's just an official doing their duty), but I can't agree with the overall tone of the article. Is Jason saying that private companies (who are motivated by profit, horror!) shouldn't be involved in the electoral process at all? If so I'd like to see a paper election run without the printers to print the ballot cards and Royal Mail to deliver them (both potential weak points security-wise).

We may well have seen too much involvement by the vendors in the UK, but this is most likely down to the fact that we're still at the pilot stage. Believe me, vendors don't want to get into the business of running elections; they're here to do what they do, and almost none want to run elections. They want to supply (eventually) commodity systems to be used by electoral officials. End of story.

And if that list of companies is a fish, Jason, try again. I don't work for any of them. I work for a UK firm that has a strong ethical direction and a belief in doing the right thing for the right cost. Yes, we want to make a profit, but that isn't our only motivation.

And the government doesn't dictate the supplier to Local Authorities; they get to choose from the list.

Jason then has a go at privatisation in general (a completely different discussion). I'm assuming that he agrees it's OK for private businesses to make money from public institutions, since the line-up of clients at his firm Swing Digital seems to be mainly schools (though mostly private schools; who's being elitist now? Seems only the rich can afford online communities).

Electronic voting is the privatisation of our elections. It's not right.

Wow - just wow. Do the vendors own the elections? No. Do they own the officials? No. Do they pay their wages? No. Do they decide who's eligible to vote? No (different to the US, what with the list "cleaning" and all). Do they decide who's eligible to stand? No. Then it's hardly privatisation, is it?

Tuesday 12 December 2006

Pre-encrypted ballots

I'm assuming from the angle that Jason Kitcat came in on this subject that he agrees that pre-encrypted ballots do successfully protect votes on the wire from alteration and inspection? He's not offered any counterclaims in this respect, so I think it's safe to assume he does agree (not that he could ever say so).

I'm not sure which description Jason was reading with regard to the allocation of PCINs / response codes as the following statement is just downright wrong:

Indeed, because the candidate numbers are unique to that voter then voters will worry that their vote will be more easily traceable than before.

BZZZT! Sorry, PCINs are not unique to the voter; they just have to be unique in combination with the voter's credentials and the contest being voted in. I'd be interested to hear how a five-digit number can be made unique in an election with an electorate of 200,000! For Jason to make this assertion demonstrates:

  1. He didn't read the description, or
  2. He gathered only the most superficial understanding of the process.

As to whether or not voters will trust the process of PCIN allocation and response code verification, we'll have to see. I don't know of any pilots that have made use of the pre-encrypted ballot yet, and would be interested to see how any that did went. But that's largely the point of pilots, isn't it? To try things out, find out how they're accepted? I'm sure that any electorate that in general trusts the voting system would be more than capable of trusting a pre-encrypted ballot.

Finally, an attack against the list (actually there would be two, split the secret) would require breaking into two systems, gaining access to the private decryption keys (held on smartcards) and decrypting the relevant data, all of which actually improves the security of your vote. To simply make the sweeping statement:

Instead of changing individual digital ballots, why not attack this list?

assumes we'd just put the list together in clear text. We wouldn't be so dumb: sign the data with the generator's private key and you've got another machine to break into and another private key to retrieve from a physical smart card. And you can add more security on top of that. It's not 100% secure, but then nothing in the entire history of human existence can claim to be 100% secure; certainly a paper ballot isn't either.
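As an added illustration (not the author's or any vendor's code), here is a Python sketch of the two points above: PCINs allocated per (credential, contest) that repeat across voters, and the generator's list protected by a key split across two systems so that one system alone can neither verify nor re-tag it. The 2-of-2 XOR split, the four-digit response code format and the HMAC standing in for the smartcard signature are assumptions of this example.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample contest: placeholder names, not from any real election.
CANDIDATES = ["Alpha Party", "Beta Party", "Gamma Party"]

def allocate_pcins(rng=secrets.SystemRandom()):
    """Give each candidate a random five-digit PCIN for one (credential, contest).
    The same PCIN recurs for other voters; only the triple
    (credential, contest, PCIN) is unique, which is the post's point."""
    pcins = []
    while len(pcins) < len(CANDIDATES):
        code = f"{rng.randrange(100000):05d}"
        if code not in pcins:
            pcins.append(code)
    return dict(zip(CANDIDATES, pcins))

def build_list(credentials, contest, rng=secrets.SystemRandom()):
    """The generator's lookup table: one row per voter for this contest, holding
    the PCIN map and a response code (four digits is an assumed format)."""
    return [{"credential": c, "contest": contest,
             "pcins": allocate_pcins(rng),
             "response": f"{rng.randrange(10000):04d}"} for c in credentials]

def split_secret(key):
    """Two-of-two XOR split: the share held by one system is useless alone."""
    share_a = secrets.token_bytes(len(key))
    share_b = bytes(x ^ y for x, y in zip(key, share_a))
    return share_a, share_b

def join_secret(share_a, share_b):
    return bytes(x ^ y for x, y in zip(share_a, share_b))

def integrity_tag(table, key):
    """HMAC over the canonical JSON of the table; stands in for the signature
    the post describes being made with a smartcard-held private key."""
    blob = json.dumps(table, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()

def list_intact(table, tag, share_a, share_b):
    """Checking needs both shares; any edit to any row changes the tag."""
    key = join_secret(share_a, share_b)
    return hmac.compare_digest(integrity_tag(table, key), tag)
```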

More soon...

Monday 11 December 2006

Source verifiability in eVoting systems

This is the next part of a series of responses to Mr Kitcat's monster post about yours truly.

In defence of the problem found in the GNU.Free codebase I blogged about previously (quick question: why oh why, if you thought electronic voting was a bad idea, would you leave the source for a bad eVoting implementation lying around on the Internet? Maybe so you could point at it and say how clever you were?), Jason wrote:

Anyone has been able to view this code online since 2000, yet this is the first time this problem has been pointed out, which rather shows how few people have the expertise and willingness to audit code.

But then goes on to say:

Well, with the exception of GNU.FREE and the source code leaks in the US, as an ordinary voter you can't see the code.

Why would they want to? Given that it's difficult to audit code, why would the ordinary voter want to see the source code? It's just a jumble of characters, indentation and white space, surely? Unless the developer was downright daft and had included a line in the counting engine such as:

if (ballot.party == "Conservative" && result.winner != "Labor") result.party["Labor"]++;

they wouldn't be able to spot any problems (that's joke code, by the way; I'm not saying Labor would try to throw an election).

The question isn't whether the source is available to the general voting public, which is largely pointless (only the conspiracy theorists have room to argue the toss there), but whether the source is available to accredited auditors whose job it is to ensure that the code operates correctly. If they've seen the code, and can verify that the software is correctly installed on the voting machines, then where's the problem? I suppose you could argue that you don't trust the auditors, in which case multiple audits could be held... if that doesn't hold off the nay-sayers, well, a scrutinised paper ballot isn't going to either (since not everyone can verify all the processes, etc. etc.).

One last thing whilst we're on this subject...

Microsoft have a market capitalisation of $289.80 Billion and have not been able to convincingly resolve the security issues in their software after many years of work.

Nice argument Jason. Because cars crash we shouldn't fly in planes! Shock! Horror! Comparing the production of an operating system that is designed for almost universal use to a single use system is quite frankly ludicrous.

General clarification

I've just realised that I've never defined the scope of my advocacy of eVoting (an oversight on my part). I'd like to make it clear that I'm an advocate of remote eVoting, and currently am not a great fan of electronic voting machines in polling stations.

One of the reasons behind this is the difficulty in assuring and securing such a large number of voting machines.

Plea for help...

Does anyone have, or know where to procure, the command set for a GemPlus GXPPRO R3 STD smartcard? Typically the ISO 7816-4 specification doesn't include useful things like standardised CREATE FILE commands, and without the specifics of the card you're a little boned.

I've tried contacting GemPlus... but so far no dice.

Clue stick - definition

A semi-official definition of clue stick, a.k.a. the clue-by-four, can be found here (includes some citations).

Sunday 10 December 2006

Scratch that...

Looks like JK didn't do the fixing I thought he did... which makes the whole thing even funnier. Kinda smacks of the attitudes of certain US voting equipment manufacturers huh?

Remote eVoting

I think I'll start my responses to Jason Kitcat's monster post about me with the low-hanging fruit, that being the issues of voter coercion and vote selling in remote voting.

Note the use of the phrase remote voting rather than eVoting (I'll get to that at the end).

Jason is correct that the destruction of the initial voter credentials allows the attacker to prevent a second vote from being cast that overrides the corrupted vote. However, it does not prevent the voter from being issued with new credentials and using these to cast a tendered ballot. The length of time that eVoting channels are open will typically allow a voter to be issued with these credentials via the post, but it would also be possible for them to be issued in person at the electoral office of their Local Authority if they wished it. The voter then casts another vote, which overrides the corrupted vote.

Now I need to make an apology: I incorrectly asserted that Jason was opposed to postal voting. Turns out I was wrong! He is opposed to all postal votes. But then I'm also in favour of allowing voters to choose which voting channel they use; this modernisation process is, after all, all about choice for the electorate.

However... could someone please explain how postal voting is free from the problems of voter coercion and vote selling? Surely these problems are present for all forms of remote voting, and confining the discussion of them to just eVoting seems at best selective and at worst downright deceitful. If a magic-bullet solution exists for postal voting then surely it could also be applied to eVoting? If there is a solution and it's not been mentioned, that's even worse, as it implies a deliberate attempt to discredit eVoting when solutions to its problems are available.

I'll be interested to hear the answer to this one.

Next response coming soon, when someone adds an extra 4 hours to the day!

Saturday 9 December 2006

Off-topic: Verizon can't do maths

Nothing to do with voting, but this is just chuffing hilarious. Verizon quoted a customer a rate of 0.02 cents per kilobyte and then charged at a rate of 0.02 dollars per kilobyte. What follows is a quite hilarious series of conversations about how to do maths... more on George's blog.

Friday 8 December 2006

Quote of the day

Seen in a Slashdot sig:

"He who dares not offend cannot be honest"

- Thomas Paine

Do the "Yes Man" dance!

Blimey! Finally had time to read and digest all of Jason Kitcat's post about me. You really know you've arrived on the scene when someone spends all morning writing something that long, huh? (And securing their site against some basic security problems.)

The main points I see from the article are:

  • My confusion over voter trust in electoral processes vs electoral models
  • Voter trust in pre-encrypted ballots
  • Coercion and vote selling in remote voting systems
  • Database tallies
  • Certification of code
  • Authority of opinion
  • Schneier's quote
  • Verifiability (process & source)
  • Backup and disaster recovery
  • Paper system problems

I think that's the lot. I'll try to knock these off one at a time, but work and life in general are very hectic at the moment (what with Christmas and all). If there's anything that anyone thinks I've missed, please leave a comment.

Sunday 3 December 2006

A tiny victory!

Just noticed that the article over on the Open Rights Group wiki concerning eVoting has been changed to remove a reference to pilots being funded by the Local Authorities (I'd appended a note to the effect that it wasn't being funded by the LAs).

Yes, Jason is correct that not all of the cost is being met by DCA funding, but 95% of it is, with the Local Authorities only having to meet marketing costs (the level of which is up to them) and additional staffing costs (which shouldn't be too high, as automation is supposed to reduce staffing; not always the case, I know, but certainly the goal).

I will respond...

I will be getting back to Jason Kitcat's post about me when time permits. I'll probably address a point at a time, as this blog isn't part of my job, and the family and hobbies take up a lot of my time at home.

A brief history

I've been asked about my professional history and qualifications, so here's a quick summary:

Education

11 GCSEs, 3 A Levels, HND in Computing

Professional Experience

Currently employed as a Senior Consultant at a leading UK software house that specialises in secure transactional software (don't ask which; I don't want them dragged into this discussion as yet, these are my opinions, not theirs), where I have worked on:

  • eVoting platform used by schools and youth organisations across the country,
  • Online banking product currently used by one UK bank, being evaluated by several others,
  • Mortgage brokerage system used by a UK high street mortgage provider, which transacts several billion pounds worth of business each year

Before that I worked for redweb Ltd in Poole, Dorset as a Senior Web Developer, where I:
  • Architected, designed and led the development of the EPA project for the now IPS government department
  • Developed a web framework for content and eCommerce sites
  • Architected, designed and developed a bespoke accountancy service allowing small businesses to conduct their accountancy work online

Prior to this I worked as a systems developer / administrator for a couple of SMEs in the south of England.