POST #300! Didn’t even notice until after I posted it! This is like a geek version of a car odometer rollover.
After the results of their latest election post-mortem, in an effort to ramp up the amount of participation in our electoral process, Elections Canada wants to set up voting over the internet. Boy howdy will that ever increase participation. Probably get well over 100% turnout, in fact!
We already know how hackable, how easily altered, and how insecure the electronic voting machines have turned out to be in the States. What made them insecure? Well, the number of people who could get physical access to the machines, for one. Connect those machines to the internet and you are handing everyone in the world access to the voting lever. Not to mention that with no paper trail, a recount is just a matter of trusting the people who collected the votes in the first place.
And there’s another problem nobody’s really mentioning here. Those folks that don’t know anything about politics and don’t much care about voting, are still not going to care. So if you see any kind of uptick in the voting, how do you know it isn’t just the equivalent of white noise, or worse, voting for someone on wholly superficial bases? The latter being worse partly because the politicians will inevitably devolve the level of discourse that the politically-awakened already have problems with now, and partly because it means politics will become Canadian Idol instead of Serious Business.
And then there are the dozens of security problems that show up just putting such a scheme on paper. Here’s pretty well the only way I could see to secure such a system. It’s going to be multipart, and it will probably still have vulnerabilities. First, restrict access to the site to Canadian IPs only, and do your best to block proxied and VPN traffic (though this is extraordinarily difficult to do, honestly, and anyone serious will just rent a server or a compromised home PC inside Canada; treat it as a speed bump, not a wall).
Second, send out very long one-time passwords, something like a one-way hash of each person’s social insurance number plus a random salt, in envelopes via registered mail. Any of these envelopes that does not arrive and is not signed for is invalid until it is picked up from a local elections office with ID (which also serves the homeless and people of no fixed address). The server should store only a hash of each mailed password, never the password itself, so that a leaked voter table can’t be used to vote.
Third, since each person’s approximate location is known, and IPs can be geolocated to within a reasonable radius (less reasonable than you’d hope for mobile carriers and big ISPs, which often resolve to the wrong city), any attempt to vote from outside the person’s known area (per the registered mail delivery or the pickup at the elections office) should be deemed invalid. The disadvantage is that people could not vote if they are travelling on election day; however, you generally have to vote in your own riding anyway, so this isn’t a huge problem.
Fourth, harden the damn servers and network that host the site. Get a real expert to build an SELinux-enforced configuration for the web hosts and run the site on Apache under it, with every service the voting application doesn’t need turned off.
Fifth, for the homeless, no-fixed-address, and computerless folks, computers should be provided in the same venues that would normally have the ballot boxes. This will be a huge amount of expense to shoulder for the individual provinces, much larger than supplying paper, pencils and ballot boxes.
Sixth, the source should be open, and it should have a long history of being secure before it is ever used in a real election. Closed source “security by obscurity” won’t cut it: attackers can find vulnerabilities and screw around with the system without anyone knowing the vulnerability was even there. Open source is not a guarantee by itself (plenty of open code has shipped bugs for years), but it is what makes independent audit possible, and with enough eyes on it the bugs get found. Linux has a better record than Windows in no small part because it was built with security in mind and everyone can read the code. It should be penetration-tested by as many security firms as you can get, and bounties should be paid out for every bug successfully found and patched. BIG bounties. And keep raising the bounties until nobody can find any more bugs. Hopefully the “Bad Guys” won’t offer double your current bounty to sell us down the river.
Seventh, all election results must be handed over in database form to the folks who are going to verify them, including the IP address for each vote, the hashed credential it was cast with, and the “known location” from the voter’s registration record. This raises massive privacy concerns, because if you’re clever, or have the cooperation of the ISPs, you could determine exactly who voted for whom. But it’s the only way to ensure the data is legitimate and no ballot-stuffing took place. Because, no, hacking an election isn’t actually the thing most people are afraid of. It’s having the party in power screw everyone over by publishing entirely false totals that can’t be traced back to individual voters whose intended votes could be verified.
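To make steps two, three and seven concrete, here is a toy model of the credential issuance, the vote-validation checks and the verification record they produce. This is an added example, not code from the original post or from Elections Canada. It assumes a few things: the credential is drawn as 256 random bits rather than hashed from the SIN plus a salt (with a random salt the SIN adds nothing, and storing the salt would let anyone holding the table and the SINs recompute credentials), the registry keeps only a hash of each credential, and the IP-to-region table standing in for a geolocation database is constructed, as are the voter id, riding names and the documentation-range IP addresses.

```python
"""Toy model of steps two, three and seven of the post's scheme.

Added example: not the post's own code. All voter data, riding names, IPs
and the geolocation table below are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class VoterRecord:
    voter_id: str            # registration-list id; the SIN is not stored here
    region: str              # riding from the registration database
    credential_hash: bytes   # SHA-256 of the mailed credential, never the credential
    delivery_confirmed: bool = False  # signed for, or picked up with ID
    voted: bool = False


def issue_credential(voter_id, region):
    """Create the credential that goes in the registered-mail envelope.

    Assumption: 256 random bits instead of the post's hash(SIN + salt); the
    registry stores only a hash of it, so a leaked table cannot be used to vote.
    """
    credential = secrets.token_hex(32)
    record = VoterRecord(voter_id, region,
                         hashlib.sha256(credential.encode()).digest())
    return credential, record


# Constructed stand-in for a geolocation database: IP prefix -> riding.
GEO_TABLE = {
    "198.51.100.": "Kitchener Centre",
    "203.0.113.": "Halifax",
}


def geolocate(ip):
    """Return the riding an IP resolves to, or None if unknown or foreign."""
    for prefix, region in GEO_TABLE.items():
        if ip.startswith(prefix):
            return region
    return None


def cast_vote(registry, voter_id, credential, ip, choice, audit_log):
    """Apply the post's checks in order; append a verification row on success.

    Returns a reason code. A production system would log the detailed reason
    and show the voter a generic failure, to avoid acting as an oracle.
    """
    rec = registry.get(voter_id)
    presented = hashlib.sha256(credential.encode()).digest()
    # Constant-time compare: cheap, and removes a timing side channel.
    if rec is None or not hmac.compare_digest(presented, rec.credential_hash):
        return "rejected: bad credential"
    if not rec.delivery_confirmed:
        return "rejected: envelope neither signed for nor picked up"
    if geolocate(ip) != rec.region:
        return "rejected: outside registered region"
    if rec.voted:
        return "rejected: credential already used"
    rec.voted = True
    # Step seven's verification dataset: enough to detect ballot stuffing,
    # and exactly why the post calls it a massive privacy problem.
    audit_log.append({
        "ip": ip,
        "credential_hash": rec.credential_hash.hex(),
        "known_region": rec.region,
        "choice": choice,
    })
    return "accepted"


def run_demo():
    """Walk one constructed voter through the failure modes and the happy path."""
    registry, audit_log = {}, []
    cred, rec = issue_credential("V-0001", "Kitchener Centre")
    registry[rec.voter_id] = rec
    results = []
    results.append(cast_vote(registry, "V-0001", cred, "198.51.100.7", "A", audit_log))
    rec.delivery_confirmed = True  # envelope signed for
    results.append(cast_vote(registry, "V-0001", cred, "203.0.113.9", "A", audit_log))
    results.append(cast_vote(registry, "V-0001", "0" * 64, "198.51.100.7", "A", audit_log))
    results.append(cast_vote(registry, "V-0001", cred, "198.51.100.7", "A", audit_log))
    results.append(cast_vote(registry, "V-0001", cred, "198.51.100.7", "B", audit_log))
    return results, audit_log


if __name__ == "__main__":
    for line in run_demo()[0]:
        print(line)
```

The order of the checks matters: the credential is verified first so that an attacker who only knows a voter id learns nothing about whether that person’s envelope was delivered or whether they have voted. Note that the verification row ties an IP and a region to a choice, which is the privacy trade-off the post is pointing at; hashing the credential does not help once the ISP can say who was behind that IP.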
Overall, the whole thing is a pipe dream. I know their hearts are in the right place, or at least I hope they are. But the problems this brings up both in the logistics of the actual security side, the ability to prove the numbers weren’t tampered with, the money factor, and the complications that such a system will inevitably face, makes the whole thing so onerous as to be ridiculous.
I don’t want to sound cynical, but what’s wrong with the hard-to-cheat paper voting we have right now? It’s secure, it’s easy, it gets counted in one night, and if there’s any doubt, there’s always recounting the bits of paper. Call me old-fashioned, but I don’t want to make it easier for our present, or any future, government to steal power and turn this place into Iran.
Hat tip to Slashdot, including the Diebold image!