Jiri’s Notepad

I have attended a talk by Rebecca Mercuri, who seems to be one of the most prominment and cited experts on security of electronic voting. Some notes from the talk follow.

A list of requirements specific to for voting was mentioned including short timeframe for use of the system, long term period between uses, wide distribution, highly computer illiterate users, users with disabilities, computer illiterate operators, voter anonymity (in the US) or semi-anonymity (UK),

On top of that, the United States have an issue of widely different election laws across states, counties and municipalities.

In terms of the threat profile, election are naturally adversarial situation with large stakes involved, and thus motivation and funding of attackers can be considerable.

Dr Mercuri distinguishes three types of e-voting systems - kiosk, web and phone - each of them with sightly different set of risks associated.

During the part when she talked about a number of vulnerabilities that e-voting systems I was dozing off, it read like a list of common security technical and non-technical vulnerabilities. Lack of capability for the systems to be independently verified was the most serious risk she mentioned. This seems particularly to be a an issue in the US where voting is anonymous.

A section on woes of computerised election in the US followed. There seems to be quite narrow market niche ou there for e-voting systems and vendors understanabably want to maintain their position by locking buyers in into exclusive multi-years contract. Something that IBM is rumoured to have been doing 20-30 years ago, I guess.

According to Mercuri, most of these systems are quite awful, not only from security but also from practical viewpoint covering functionality and usability. I would tend to belief this, given the experience I had and what I have heard about systems with large (100k+) numbers of users. Many deployment issues she talked about striked me as quite amateurish.

What seems to be quite important in the light of the current UK e-voting consultation is that the use of these systems did not increase turnout and did not shorten return which they were supposed to do.

Mercuri is convinced that fully e-voting systems are very risky but the systems using a combination of computer systems and paper evidence trail are viable. She presented her own computer&paper “protocol” that seemed quite OK and several others including David Chaum’s one that looked suspiciously similar to the secure anonymous digital cash protocols (and not very practical).

The discussion after the talk was also quite interesting.

It seems that polititians felt in love with e-voting regardless their nationality (US and UK were mentioned, and besides them, there’s at least Australia, Brasil and Belgium), convinced that it does hold solution to problem of low turnout and are not listening to studies that say that remote voting does not produce increased turnout.

It is likely that home voting (web) will increase risks of vote coercion, in this respect dedicated kiosks in public place like supermarkets or post-office seem to be better solution.
Social function.

In wider sense, e-voting will remove social function that election have on citizens and and local politics.

Maintaining current non-anonymous voting system in the UK and simply replicating it using IT seems to be an invasion of privacy because it would enable monitoring of who voted for whom.