David, Paul, Simon, and others on the list,
The issues in voting security are NOT the same as ATM security. The
issue at the base is not financial fraud but voting fraud i.e. the
hijacking of a governmental election in a democracy. I.e. the placing
of a candidate (or passing of an issue) that the people did not vote
for. Who wants to live in that democracy - even if they can SMS and
have their bank accounts secured?
David RRW states below that billions are spent on elections - and this
is right. But the issue is not that these billions may have been
fraudulently taken for someone's (a fraudster or thief's) benefit - but
that the vote is "fixed". I think the comparison of voting and banking
systems *may not* be the best metaphor to use. Imagine if in exit polls
of an ATM machine you were asked your bank balance! In some ways the
"average" citizen values his vote less than his money. In other ways
the vote is *more* valuable to those who would want to fix an election
and to those who would like to promote and protect democracy.
Likewise the comparison of American Idol polls and e.g. Presidential
Election polls - while we may debate whether presidential elections are
beauty contests or not - may also put a spin on the debate that is not
in the best interests of the people who are promoting electronic voting
(us). We need to seriously address the unique security issues of
electronic voting systems - which DRRW did in a ppt "Trusted Logic
Voting Systems" not too long ago posted on the OASIS site. We need to
make metaphoric comparisons carefully and point out the flaws in the
comparisons (SMS though ubiquitous and somewhat trusted by the naive
user is not secure, ATMs do not promote anonymity,...) Let's focus on
a careful reading of the GAO report and posting some positive ways to
promote secure electronic voting.
One debate which I would be interested in mooting on this list is: "Is
secure electronic voting compatible with proprietary software solutions
in the space? How and How not?"
Keep those votes coming in!
David Petraitis
p.s. Off to my wading through 107 turgid pages of GAO prose!!!
David RR Webber (XML) wrote:
Just because the average citizen can grok SMS does not mean it is a
safe and reliable means of accurately running a serious voting
application.
Notice in the USA here they had to re-do an American Idol poll
because someone made a glitch in how SMS votes were routed to the
various counting buckets. This stuff is just too hard to
accurately audit and ensure there has not been any sophisticated
manipulation of the results.
In the USA literally billions of $$$ are on the line in each
Presidential Election - so the stakes are so high - everyone has to be
more than just "used to it" to make sure it is not being compromised by
sophisticated agents.
I've looked at company voting services - they seem the last place
where open standards may sell - they all want closed systems that lock
in their clients. Unless someone like the EU mandates - a la XBRL
- that they have to use EML - they are not going to - is my assess
there!
DW
-------- Original Message --------
Subject: RE: [election-services] GAO report on election system security
From: "Paul Spencer" <paul.spencer@boynings.co.uk>
Date: Mon, October 24, 2005 12:35 pm
To: <sibain@tendotzero.com>, "David RR Webber (XML)" <david@drrw.info>
Cc: <election-services@lists.oasis-open.org>
I think SMS voting is being pushed by politicians in the UK on the basis
that "if millions of 18-24s vote by SMS on Big Brother, they will vote in
parliamentary elections as well if they can use SMS". Making democracy as
interesting(?) as Big Brother doesn't seem to enter the equation, any more
than security.
Simon is absolutely right that those who understand the issues should do the
educating. If we could get e-voting (preferably using EML) adopted in less
controversial areas, the acceptance would increase. This probably means the
private sector and remote voting. There are a limited number of companies in
the UK that manage much of the voting for unions and company AGMs. Perhaps
these are the people (or their customers) we should be convincing. Thinking
aloud though, companies may not want people voting themselves at their AGMs
rather than just appointing the chairman as a proxy with no guidance on how
to use their votes.
Regards
Paul, from an equally wet and windy southern'ish UK
> -----Original Message-----
> From: Simon Bain [mailto:sibain@tendotzero.com]
> Sent: 24 October 2005 15:40
> To: David RR Webber (XML)
> Cc: election-services@lists.oasis-open.org
> Subject: RE: [election-services] GAO report on election system security
>
>
> Hi,
>
> Agreed about the reconciliation. However.
>
> It is still a perceived threat/worry. And as such we should not ignore or
> throw it to one side. Just as we should not let it lead us. What we need
> to do is participate and educate.
>
> There is always a concern about the unknown, what we as "informed
> users/developers/" should do is show people that their concerns are
> understandable, but can be proven to be incorrect.
>
> It is an educational job. This is of course easier said than done, and is
> best suited to the actual adoption of electronic voting. As using is by
> far the best method of allaying fears.
>
> On a slightly perverse note I do not think that the general public has
> such fears as in the UK. (So called informed people may, and these may well
> be publicised, but the general public?). People in some areas actually
> want to use text messaging (SMS) to vote... Something that I would never
> do because of the security risks. The reasons I believe that they do not
> perceive risks here is:
>
> 1) They use SMS hourly (minutely in the case of my kids)
> 2) we have television programmes in the UK which ask for votes to be sent
> in by SMS
> 3) It has been around for what seems like ever.
>
> In other words people are now comfortable with the technology.
>
> This is where evoting in whatever guises needs to get to. Once it has been
> used by a critical mass "successfully" then most fears will be allayed.
> Just as they were with:
>
> on line banking
> and
> on line tax returns
>
> All the best from a warm wet and windy eastern'ish UK
>
> Simon
> --
> Simon Bain
> TENdotZERO
> Mobile: 07793 769 846
> Office: 0845 056 3377 - 44 (0) 1234 359090
> Fax: 44 (0) 208 882 9411
>
> <quote who="David RR Webber \(XML\)">
> > Simon, Unfortunately while on the surface they may appear similar -
> > there are key differences. The most obvious is that in banking you are
> > able to ultimately reconcile your monthly activity with your paper
> > transactions, and also have that overall statement. In voting - because
> > of the need for privacy you do not have that ultimate traceability.
> > Notice also that most deployed systems do not have even paper trails. And
> > then there is the issue of transparency. IMHO I believe the GAO is
> > clearly seeing the right things in terms of the significant gaps yet to be
> > fixed here to get to that same level of trust as e-Banking. DW
> >
> >
> > -------- Original Message --------
> > Subject: Re: [election-services] GAO report on election system security
> > From: "Simon Bain"
> > Date: Mon, October 24, 2005 2:23 am
> > To: "David RR Webber (XML)"
> > Cc: election-services@lists.oasis-open.org
> >
> > David hi.
> >
> > Are these not the same fears that users had for online banking?
> >
> > Which although there are headline cases, has proved to be very secure.
> > With the majority of bank accounts in the UK at least now having online
> > access.
> >
> > I think the biggest hurdle for electronic voting is user perception. So
> > training / education would be a large part of any installation. Just as it
> > was when we first had the ballot box, which (although before my time) I
> > believe people were very distrusting of.
> >
> > Cheers
> >
> > Simon
> > --
> > Simon Bain
> > TENdotZERO
> > Mobile: 07793 769 846
> > Office: 0845 056 3377 - 44 (0) 1234 359090
> > Fax: 44 (0) 208 882 9411
> >
> >
> >> The GAO produces 107 page report on security of voting systems
> >> The GAO has released a 107 page on the security of voting systems today.
> >>
> >> What the GAO found -
> >>
> >> "While electronic voting systems hold promise for improving the election
> >> process, numerous entities have raised concerns about their security and
> >> reliability, citing instances of weak security controls, system design
> >> flaws, inadequate system version control, inadequate security testing,
> >> incorrect system configuration, poor security management, and vague or
> >> incomplete voting system standards."
> >>
> >> Examples of Voting System Vulnerabilities and Problems:
> >>
> >> • Cast ballots, ballot definition files, and audit logs could be
> >> modified.
> >> • Supervisor functions were protected with weak or easily guessed
> >> passwords.
> >> • Systems had easily picked locks and power switches that were exposed
> >> and unprotected.
> >> • Local jurisdictions misconfigured their electronic voting systems,
> >> leading to election day problems.
> >> • Voting systems experienced operational failures during elections.
> >> • Vendors installed uncertified electronic voting systems.
> >>
> >> The full 107 report is here.
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe from this mail list, you must leave the OASIS TC that
> >> generates this mail. You may a link to this group and all your TCs in
> >> OASIS at:
> >> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php