Showing posts with label eVoting. Show all posts

Wednesday, 28 November 2007

E-Voting could improve on our 100 year old system

E-Voting systems are, by their very nature, complex systems that involve segregation of processes, advanced cryptography and rigorous development methods, and Jason is correct to point out that administration of such complex systems is a difficult area to address. It is therefore unsurprising that many of the current implementations of e-Voting systems have been, shall we say, lacking in a number of key areas. Academics tend to concentrate on the development of a new idea (for example a cryptographic protocol) rather than attempting to build a complete functional system that can be used correctly by stakeholders ranging from electoral administrators and council workers to the general public.

But this doesn’t mean that such a system can’t be built: simply that it is unlikely to emerge organically from academia or from the Open Source Software community. The only realistic environment that’s going to be able to engage all the stakeholders and create an electronic voting system is the business community, and only then if there is the incentive of a ready market. It wouldn’t be cheap to develop (the cost of a team of 10 developers working for a year would be around £400,000 for salary costs alone), but the cost of developing and implementing e-Voting systems pales in comparison to the costs of other government sponsored initiatives (see the NHS computer systems, ID cards, etc.) and can be further mitigated by leveraging the solutions into non-statutory commercial environments.

In fact, remote voting systems are similar in many ways to already existing sensitive on-line applications (despite Jason’s claims) and many of the lessons learnt in the remote banking sector can be applied to the remote e-Voting sphere. Verifiable auditing that guarantees immutability of audit records, message tracking and double checking, exception reporting, all of these are applicable to the area of electronic voting.

One final thing, which I hear denied so often by people that do know better, and on which the whole debate about e-voting seems to turn: currently voting in the UK is NOT anonymous! Your ballot paper has a number on it, and the number is written down against your name on the electoral roll. This information can only be released under judicial order, but it is entirely possible for your vote to be found after it is cast. We’ve had this system for over 100 years, and it seems to be the elephant in the room for the anti-e-Voting campaigners in the UK. Because of this legal requirement e-Voting systems can be very similar to banking and e-commerce systems, since there is always a final link that can be examined by a judge if severe problems arise.

E-voting, in other words, may be complex to implement and administer, but is technically feasible to develop, and not too dissimilar from already existing, secure commercial systems - and has the potential to duplicate, or even improve on, our existing 100 year old system.


Cross posted from OurKingdom

Monday, 25 June 2007

ORG report

You can't have missed that ORG have released their report on this year's pilots. Unsurprisingly they've declared them a 'threat' to democracy, couldn't have seen that coming could we? A few problems with their reporting method though:

  • The outcome of the report had already been decided, i.e. eVoting bad.
  • Individual reports on pilots are not available, instead we get the edited highlights, i.e. the juicy bad bits, no breakdowns on how each pilot fared. Guess we'll have to wait for the Electoral Commission's report before we get that.
  • Makes recommendations for how to improve the process, whilst slamming the very idea, strange contradiction.
Something occurred to me whilst reading the report though. It's when Jason talks about Opt2Vote using .NET (no not on the client Jason, their solution is ASP.NET it's server side, but let's not let technical accuracy get in the way of a bit of good old MS bashing eh?) and bangs on about how Java is better, and then in a piece about auditing (about how there's no crypto that proves they were audited in the correct order, such as using dodgy hashing techniques). The two are subtle pointers towards... GNU.FREE! This fits with Jason's assertions that the process needs fixing whilst slamming the very idea... get the current round of pilots pulled and get GNU.Free involved.

Having said all that I'd have to agree that a more stringent testing and accreditation regime would be beneficial, perhaps Jason & ORG would like to put in some constructive comment on how this can be achieved? Unlikely.

Sunday, 13 May 2007

And another one turns

Remember the site www.electronic-voting.org that I blogged about a while back? Well there must be something in the water as the author of that site has... guess what? Devised an evoting system!

This makes the 3rd sceptic who's developing / distributing an evoting system, which seems to be a growing trend; attack the existing suppliers with your own product alongside.

Our friend Mr Kitcat has spoken up in defense of Emanuele Lombardi before, I wonder what he'd think of these lovely little lines:

The process for making such software is named ClearSoftware® and it is patented together with ClearVoting®

Since ClearSoftware® is patented, its details are not shown here

So Emanuele has come up with the perfect system for ensuring transparency and trust in a software system, but wouldn't publicly reveal details of it! I need to get me a patent like that.

Sunday, 29 April 2007

Slashdot article

They've picked up a story I was going to post about anyway:

UK Voters Want to Vote Online

Some interesting comments in the story (bear in mind the majority of contributors are from the US, so they tend not to know about the odd bits of UK legislation):

"One of my biggest gripes about elections is how simplified the issues have become, and how difficult it is to understand what each candidate *really* stands for. IF they instituted online voting they could have drop down boxes for each candidate with summaries of opinions and hyperlinks to voting records, speeches... Hell, they could even link in the publicly disclosed lists of contributors. I believe most voters don't have the time or inclination to do this sort of research on their own, but might be more inclined if the info was more easily accessible. A voter could spend all the time they like reading about each candidate and issue on the ballot *while* casting their vote. All it would take is some legislation and a bit of funding to amass the linked materials. Political spin would have a reduced effect on anyone with enough motivation to click a couple of links. Regards."

Saturday, 28 April 2007

I turn, U turn

Jason seems to be turning again. Despite eVoting being incredibly dangerous and a huge threat to democracy he's now posting links to OSS eVoting projects! (Shurely shome mistake?)

The article's very interesting, as it seems to contradict a number of arguments that Jason has raised, namely that of interception, alteration, coercion, receipts, etc.

I'll see if I can sniff out the source of this, could be an interesting read. But all in all a strange link for Jason to be posting... seems he only really dislikes non-OSS eVoting systems. I wonder if he'd be as positive if the source to a commercial system were released for peer-review?

Monday, 16 April 2007

It doesn't matter how many times you repeat it...

... it still doesn't make it true, and Becky Hogge of all people should know this isn't true:

"in an election, your identity cannot be associated with your vote without your privacy being breached"

From a New Statesman article. Go disinformation!

Edit : I see what she's done there. Only mention the link of ballot to voter in the context of eVoting as a way of rubbishing electronic voting... nice work Becky! I would have thought that ORG were all about being open and completely truthful, seems they're not averse to spinning to get their way.

Friday, 30 March 2007

Daftness

Some very silly thinking from Jason :

"Then Ms Prentice tells us that because electors will be able to provide a password of their choice the potential for credentials being stolen or misused will be reduced. Which is rather doubtful in my view. The password picked by the elector has to be sent to the election office, an obvious address for cherry-picking from the post. Furthermore these passwords will need to be entered into the system manually - so they'll be lying around, typed in by who (we don't know) and then stored in a central database ripe for the picking. Human picked passwords are going to be easier to brute-force guess also."

That's absolutely right Jason:

1. It's impossible to collect these details through, say, an electronic registration process (God, he'll scream blue murder about that... guess what? It's better than paper). Therefore no paper interception (maybe a man-in-the-middle, but they still haven't got all the credentials then, they're missing a PIN and possible PCIN / Candidate info in the case of a pre-encrypted ballot) and no manual re-entry (which century are we living in by the way? I forget when I'm reading Jason's blog sometimes).
2. Who in the name of all that's holy stores the secret in plain-text? Hash it at least (try a salt to prevent the GNU.Free mistake of easy brute forcing from the DB)
3. Is the "brute-force guess" meant to be at authentication for remote voting? If so that's impossible to detect... no really it is, I can't think of a single way to spot someone trying... aaaa, bbbb, cccc, etc in code, impossible I tells ya! If only there was something to tell me where authentication requests came from on the Interweb, maybe an address of some kind... nah.

"Next Ms Prentice helpfully tells us that electors will be using identifiers unique to them and that there will be no receipt to show to others how they have voted. But print screen, a photo of the computer screen or even an audio recording of the telephone vote would work as a receipt - there is no protection and receipts are possible. The unique identifiers don't protect from intimidation either - they just limit it to one vote that can be stolen at a time by intimidation."

What, exactly, stops an attacker from forcing me to take a photo of my ballot paper with a camera phone in the booth? Especially if the attacker is in the polling station to ensure I don't get a new ballot paper.

And Jason is well aware that an e-voting system could be configured to allow many votes off one set of credentials with only the last counting, and that it would be possible to issue new credentials to a voter that has been attacked and allow them to cast a new ballot (that can be adjudicated during the counting process).

Start thinking Jason. You're deliberately making issues where there aren't any, these problems CAN be, and will be solved.

Updated : polling station, not booth. Dangit!

Sunday, 18 March 2007

Mr Self Destruct – Deconstructing GNU.Free

Sorry it's been a while, but I've started a fairly heavy development cycle at work, and haven't had the time to post (along with playing EVE). As promised here's the results of a brief analysis I've been doing of the GNU.Free codebase.

Encryption Techniques

A lot of attention has been paid to encryption of the data going from the clients to servers / inter server on this system, but then the backdoor has been left wide open with some crummy encryption on the DB.

The database's encryption uses symmetric algorithms where the key is derived from the following process:

User enters “password” -> generate hash -> generate key

This technique is so simple to crack it's hardly worth talking about (but we will!). Users enter weak passwords, and the use of the isSafe function to limit the enterable characters means an attacker has a well defined character set to work from, and easy ways to detect generation of the correct key (the ER server DB contains a single char flag that has two possible values, nice). So guessing the key to the databases is relatively straight forward.

Then in the ER server we have the usernames / passwords for every possible user, which are stored as hashes... but individually! This means that an attacker merely needs to generate a list of all possible 8 digit values, compare the decrypted values to the list and BINGO! A big long list of credentials to vote with. What should have happened is to hash the credentials together using a hash algorithm with a salt, this would've delayed an attacker by an enormous amount of time.
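As an added example (my own code, not GNU.Free's), here is the construction the two preceding paragraphs argue for, serving both the password-to-database-key derivation and the credential store: a salted, iterated KDF with the username and password bound together, so no two records share a digest and each guess costs thousands of hash computations. Iteration count, salt length and record format are my own choices.

```python
import hashlib
import hmac
import os

# Constructed parameters for this example (not values taken from GNU.Free).
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16
KEY_BYTES = 32


def derive_key(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Password -> key through a salted, iterated KDF instead of a single plain hash.

    For the database case the salt is stored next to the encrypted database, not the
    key: it is not secret, it just makes the derived key unique to this installation
    and forces an attacker to run `iterations` hashes per password guess.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=KEY_BYTES)


def store_credential(username: str, password: str,
                     iterations: int = PBKDF2_ITERATIONS) -> str:
    """Produce a stored record: pbkdf2_sha256$iterations$salt_hex$digest_hex.

    Username and password are hashed together under a per-record random salt, so a
    digest is only meaningful for that one account and cannot be matched against a
    precomputed table of all 8-digit values.
    """
    salt = os.urandom(SALT_BYTES)
    digest = derive_key(f"{username}\x00{password}", salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_credential(username: str, password: str, record: str) -> bool:
    """Re-derive the digest from the stored salt and compare in constant time.
    Malformed records are rejected rather than raising."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False
    candidate = derive_key(f"{username}\x00{password}", salt, iterations)
    return hmac.compare_digest(candidate, expected)


def unsalted_digest(value: str) -> str:
    """The weak construction the post criticises, for comparison: one fixed hash per
    credential, identical for every account that holds the same 8-digit value."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()
```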

The use of this symmetric technique also means it's very easy to conduct a count of votes in the RTServer before the end of polling, you don't even need to crack the key to get totals (you just won't know who the total is for, but you'll be able to see if there is a clear lead). This is a very bad thing. Electoral law requires that no count can be conducted until the end of polling and only then under the authority of a returning officer. Asymmetric encryption should be used here, store the counter's public key on the server, stick the private key on a secure device (such as a smart card), encrypt with the public key, decrypt with the private. Not exactly quantum physics is it?

Also alteration of data in the count DB is trivial if you've broken the key. No record is kept in a separate system of the vote (nor in the much heralded, yet ultimately foolhardy SecureAppender), such that there is nothing to check these values against. If you've broken the key, pick your winner!

Coding

There's some badly coded methods that look impressive in size, but could be boiled down to something much more elegant very easily. Take the oft repeated (naughty, naughty, refactor early, refactor often) isSafe function, 90 lines that can easily be condensed into 10 lines (no switch statement should be that size ever!)

I ran the various packages through PMD (a static analysis tool similar to FXCop, although it does include a Copy'n'Paste detector similar to Simian as well) and got the following violation counts:

ERServer – 419
Free – 631
Free.DBPool – 97
Free.util – 131
FreeClient – 271
FreeInstall – 360
PollManager – 212

I've not had a chance to review all the violations, but it would be fair to say at least 50% should be addressed.

Now onto commenting, the following line comes from the comments on the PMProtocol class in PollManager:

The source code is extremely readable and best explains the full functionality.

What follows is a class with one method that's 170 lines long... this is not readable code! Readable code is concise and broken into procedural chunks. See also the process method on the ServerProtocol class in the Free package... 220+ lines in that one.

Exception Handling

Handling of exceptions is extremely inconsistent and often exceptions are caught and then not handled at all (see the SecureAppender class for an appalling example of this, if an audit message fails to be written the whole operation should fail, end of story). No specific Exception classes exist within the system, so all exceptions thrown by the system are of type Exception (naughty, naughty). Also the details of exceptions are not completely recorded, at best all you're going to get is the exception message without any useful diagnostic data such as the stack trace (because all you need to trace a bug is the message surely?)

Networking

Rolling your own networking systems is dangerous and should not be attempted by amateurs. GNU.Free makes liberal use of TCP sockets but implements no real management of them. Once a socket is open you're free to stuff as much (or as little) data down the pipe as you like, and there's no timeout management, so simply open lots of sockets, stuff 1Mb of data down it and hold it open. Watch as the heap space for the app disappears in a matter of minutes. Can anyone say Denial of Service attack?
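As an added example (my own code, not GNU.Free's), here is the socket management the paragraph says is missing: a per-connection read timeout, a declared-length cap checked before any buffer is allocated, and a hard cap on simultaneous connections. The length-prefixed framing and the limit values are my own assumptions; `simulate_peer()` is a test hook that feeds bytes through an in-process socket pair.

```python
import socket
import threading

# Constructed limits for this example; tune them to the real message sizes.
MAX_MESSAGE_BYTES = 4096      # refuse anything larger before allocating it
READ_TIMEOUT_SECONDS = 2.0    # a peer that stalls mid-message loses its socket
MAX_CONNECTIONS = 32          # hard cap on sockets serviced at once


def _read_exact(conn: socket.socket, n: int) -> bytes:
    """Read exactly n bytes. Cannot loop forever on a silent peer, because
    handle_peer() has put a timeout on the socket."""
    buf = bytearray()
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before the message was complete")
        buf.extend(chunk)
    return bytes(buf)


def handle_peer(conn: socket.socket, max_bytes: int = MAX_MESSAGE_BYTES,
                timeout: float = READ_TIMEOUT_SECONDS):
    """Read one framed message: 4-byte big-endian length, then the body.

    Returns ("ok", body) or ("rejected", reason). On rejection the socket is
    closed, so an oversized or stalled client cannot hold heap or a slot open.
    """
    conn.settimeout(timeout)
    try:
        length = int.from_bytes(_read_exact(conn, 4), "big")
        if length > max_bytes:
            # Checked before allocation: the 1 MB-per-socket trick never gets buffered.
            raise ValueError(f"declared length {length} exceeds {max_bytes}")
        return ("ok", _read_exact(conn, length))
    except socket.timeout:
        conn.close()
        return ("rejected", "peer stalled past read timeout")
    except (ValueError, OSError) as exc:
        conn.close()
        return ("rejected", str(exc))


def serve(listener: socket.socket, on_message) -> None:
    """Accept loop with a bounded number of in-flight connections. When the cap
    is reached the loop stops accepting, so excess clients queue in the kernel
    backlog instead of each costing the application a thread and a buffer."""
    slots = threading.BoundedSemaphore(MAX_CONNECTIONS)
    while True:
        conn, _addr = listener.accept()
        slots.acquire()

        def worker(c=conn):
            try:
                status, payload = handle_peer(c)
                if status == "ok":
                    on_message(payload)
                    c.close()
            finally:
                slots.release()

        threading.Thread(target=worker, daemon=True).start()


def simulate_peer(raw: bytes, **limits):
    """Test hook: send raw bytes from an in-process peer and run handle_peer()
    on the other end of the socket pair."""
    peer, server_side = socket.socketpair()
    try:
        peer.sendall(raw)
        return handle_peer(server_side, **limits)
    finally:
        peer.close()
        server_side.close()
```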

Missing Processes

There's very little verification within GNU.Free of the data that's in any of the databases, there's a utility to check the hashes of log files (and those are virtually impossible to forge aren't they?), but that's about it. Nothing to check the rate of failed authentications from a source address, for example. Coding the core application is only about 30% of the job, everything else is process around it, if you don't bother with that then you've not solved the problem.
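The failed-authentication check this paragraph (and the earlier "aaaa, bbbb, cccc" post) says is absent, as an added example rather than anything from GNU.Free: a sliding-window monitor keyed on source address that alerts both on raw failure volume and on one source cycling through many distinct identifiers, which a per-account lockout would not notice. The log format and the sample lines are constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed log format for this example (not GNU.Free's real logging):
#   2007-03-30T10:15:01Z AUTH src=198.51.100.7 user=48213377 result=FAIL
LINE_RE = re.compile(
    r"^(?P<ts>\S+) AUTH src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


def parse_auth_line(line: str):
    """Return (timestamp, source, user, succeeded) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["src"], m["user"], m["result"] == "OK"


class FailureRateMonitor:
    """Per-source sliding window of failed authentications.

    Alerts when a source exceeds `max_failures` inside `window`, or when it has
    tried more than `max_distinct_users` different identifiers in that window.
    """

    def __init__(self, window=timedelta(minutes=5), max_failures=5, max_distinct_users=3):
        self.window = window
        self.max_failures = max_failures
        self.max_distinct_users = max_distinct_users
        self._failures = defaultdict(deque)   # src -> deque of (ts, user)

    def record(self, ts, src, user, ok):
        if ok:
            return None
        q = self._failures[src]
        q.append((ts, user))
        while q and ts - q[0][0] > self.window:   # drop entries outside the window
            q.popleft()
        if len(q) > self.max_failures:
            return f"{src}: {len(q)} failed logins in {self.window}"
        distinct = {u for _, u in q}
        if len(distinct) > self.max_distinct_users:
            return f"{src}: {len(distinct)} distinct identifiers tried in {self.window}"
        return None


def scan(lines):
    """Run every parseable line through one monitor and collect the alerts."""
    monitor = FailureRateMonitor()
    alerts = []
    for line in lines:
        parsed = parse_auth_line(line)
        if parsed is None:
            continue
        alert = monitor.record(*parsed)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample: one voter mistyping twice, then one source sweeping identifiers.
SAMPLE_LOG = [
    "2007-03-30T10:15:01Z AUTH src=203.0.113.5 user=48213377 result=FAIL",
    "2007-03-30T10:15:09Z AUTH src=203.0.113.5 user=48213377 result=FAIL",
    "2007-03-30T10:15:20Z AUTH src=203.0.113.5 user=48213377 result=OK",
    "this line is not an auth record and is skipped",
    "2007-03-30T10:16:00Z AUTH src=198.51.100.7 user=11111111 result=FAIL",
    "2007-03-30T10:16:01Z AUTH src=198.51.100.7 user=22222222 result=FAIL",
    "2007-03-30T10:16:02Z AUTH src=198.51.100.7 user=33333333 result=FAIL",
    "2007-03-30T10:16:03Z AUTH src=198.51.100.7 user=44444444 result=FAIL",
    "2007-03-30T10:16:04Z AUTH src=198.51.100.7 user=55555555 result=FAIL",
    "2007-03-30T10:16:05Z AUTH src=198.51.100.7 user=66666666 result=FAIL",
    "2007-03-30T10:30:00Z AUTH src=198.51.100.7 user=77777777 result=FAIL",  # window expired
]
```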

Keys are stored in the CODE! Do I really have to say how bad this is? No attempt has been made to provide a mechanism for loading keys from different locations at runtime, the cheapest, easiest, and least secure option has been chosen instead (how, exactly, do you publish the source of your system, when that source contains the secrets for secure operation of the system?)

In Conclusion

The webpages for GNU.Free state:

This was (and still is as far as we know) the only Free Software Internet Voting package designed for legally binding elections and not little web-based polls.

I don't know which country they were planning to use this little puppy in, but in the UK... no chance. You'd need a significant amount of reworking to get this even remotely close to being a viable solution, and at that point it would probably be better to start again from scratch... with real developers... oh and a real architect... real development processes... source control... maybe some ongoing analysis.... design documents (apparently there are some, but I've not seen them, if someone could point me to them I'd be grateful)... clear requirements.... and a basic knowledge of cryptography would be handy.

Updated : Corrected a scary number of typos. Posted it a little too quickly and didn't proof read it first.

Saturday, 3 March 2007

Links on Blindside Wiki

Have a look at that eVoting article on the Blindside Wiki... some interesting links to Open Source eVoting projects. Also note that the majority of changes have been made by Glyn (ORG)... are ORG silently advocating OSS as a solution for eVoting in the UK? I hope not, as their eVoting campaign pages clearly state they oppose any electronic voting solutions.

Still it would explain why GNU.Free (despite its huge flaws, lack of legal requirements, general bad coding) is still available. Although the amount of work it would take to get it suitable for use in an election means Jason could earn some huge consultancy fees (you'd have to re-write from scratch... oh and design it this time... around some requirements. How goes the reading of the SOR by the way?)

Friday, 2 March 2007

Blindside

Interesting article over the El Reg about the setting up of Blindside that includes this choice quote:

The big question: can you do real information gathering on a publicly accessible wiki without finding it filled with "the awkward squad"?

Too late.

Thursday, 1 March 2007

GNU.Free, TCP and port scanning

I've been diving into the GNU.Free code recently in the evening (it's fun in a perverse way), thought I'd share this gorgeous little tidbit from one of the server classes:

/* SECURITY NOTE: VERY IMPORTANT! */
// constant to store value being used as FREE port number
// For security reasons I recommend this is changed every election
private static final int freePort = 1111;

That's right Jason, switch the port numbers between elections, no-one will ever be able to figure that one out (if only there was some kind of software that could quickly scan a host for open ports, nah!) Who says OSS is free from security by obscurity coding?

Bait and switch on eVoting

If you've read Sir Graham's recent speech at the AEA you'll know he expressed serious concerns around the process of voter registration. He has called for the introduction of a number of measures around registration to strengthen the system and help prevent fraud... whether it be on paper ballots, postal ballots or eBallots (did I just make that one up?). And his concerns lead him to ask that this year's pilots be suspended until such time as the registration process can be strengthened (as is his right).

Does this mean he is condemning eVoting? NO! I've read over his speech a number of times and I'd like to know where his specific concerns over eVoting were in the speech. As to the recent Commons debate you'll also notice that the majority of concerns raised were again about the registration process... not eVoting! (there was one comment about findings from FIPR, a sister-ish organisation of ORG)

So why is Jason continually pointing at this as a damning condemnation of the very idea of electronic voting? Maybe because there's very little else to talk about? He seems to be widening his remit from merely commenting on eVoting to all of the electoral modernisation process... is he really trying to take on the DCA and Electoral Commission on all these issues? I'm not sure where his experience in postal voting or registration comes from, but having said that his credentials in eVoting are hardly the most luminous (still waiting Jason, why is GNU.Free still available?).

Wednesday, 28 February 2007

Request for clarification from ORG

I've got a request for the good people at ORG. Could you clarify the scope of your objections to eVoting in the UK?

Are you opposed to :

  1. Any eVoting system
  2. Any eVoting system that doesn't include VVPAT
  3. Any eVoting system that isn't OSS / doesn't include VVPAT
  4. Any eVoting system that is commercial, but has a code release policy
There's some confusion I think in the ORG ranks on this. I've read different articles from different people calling for different things.

New views on the GNU.Free issue

I managed to have some good discussions yesterday about the issue of hating eVoting and distributing an eVoting system.

I know my previous idea was complex so a number of new ideas were put forward:

  • Jason has no idea of the contradiction inherent in saying eVoting is a danger to democracy and then distributing an eVoting system
  • Jason builds his credibility in the eVoting sphere upon GNU.Free (and therefore can't take it down, I really hope it's this one, as I've been pulling GNU.Free to pieces recently, it's very poor, very poor indeed)

I'm sure there was another one, but can't think of it now. Maybe I'll post it later if it comes back to me.

AEA Brighton 2007

I spent yesterday afternoon at the AEA conference in Brighton, very strange experience as there was a clutch of people waiting for me, ready to shake my hand and be my friend! Turns out I've become something of a darling within eVoting circles, without really trying.

Apparently Jason was there (on Monday, along with two "helpers", Ania and Becky) pretending to be a "student", although he didn't stick around for long... wonder why? I don't think he got anything out of his fishing expedition as there's been nothing posted about the conference (apart from his twisted interpretation of Sir Graham's speech).

Sunday, 25 February 2007

GNU.Free availability

I know I've asked this question many times before : "Why if Jason Kitcat is so set against eVoting is the source for GNU.Free still available on his website?".

I've had problems resolving these two, surely if you're set against something you're not going to attempt to provide a mechanism for doing it.

I asked Jason about this (for about the fourth time) on his site and received a response basically saying he'd already answered here. I'm afraid I don't agree, and I'm sure any sane reader would agree, that page advocates eVoting within a certain context (i.e. free and open software), which is a direct contradiction to his and ORG's stance that all eVoting is a "bad thing". Nowhere on that page does it say that eVoting should never be used, which is his general opinion.

So what's the story? It seems that Mr Kitcat is fighting against all forms of eVoting in an attempt to stop commercial organisations from being involved. Why? So that a free and open implementation can be pushed... guess what's (in his mind) the top candidate? GNU.Free of course! Please bear in mind this is just my thinking on the subject, I've got no concrete evidence to support this, just my conclusions from Jason's arguments.

I wonder how the good people at ORG would feel knowing that they're possibly being used to kill commercial eVoting to promote one person's agenda (and product)?

As I've said these are just my thoughts and are not presented as fact, if anyone else has a different interpretation of what may be going on please comment. I'd love to have a different view on this.

Wednesday, 21 February 2007

Old Slashdot discussion

From November last year, surprisingly (given all the problems the Americans have had with their suppliers) the tone is quite upbeat. The answers provided by Hugh Thompson indicate his willingness to accept eVoting within the framework of... good auditing and well defined security procedures! Just like I was advocating. We really need to get together.

Linky

Tuesday, 20 February 2007

Estonian elections

Looks like the Estonians are gearing up for their next online parliamentary election.

Good luck guys.

Wednesday, 14 February 2007

Brett Kimberlin

Just came across this article on the Time magazine website about a very strange individual who seems to be at the root of some of the anti-eVoting movement in the US. I'll let you draw your own conclusions...

Tuesday, 13 February 2007

Still there

The source for GNU.Free is still available at the j-dom.org site (linky). I'm still unclear as to why this tremendous threat to democracy is still available online, particularly since the author now feels that eVoting is the worst thing to happen to the world since the A-bomb, why hasn't it been removed? To prove his programming credentials? In the vain hope that someone, somewhere will pick up and finish what he couldn't? Who knows. We can only hope that common sense will prevail and this blot upon the coding landscape be removed, won't someone please think of the children?