Re: Voting Security (was: The Next Genaration)

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Sun, 15 September 2019 10:20 UTC

Subject: Re: Voting Security (was: The Next Genaration)
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
In-Reply-To: <CABtrr-UQXtjUmEMHxr_eV=jJ-h8YtwtEY60aLe9u_Bb+zAiJdg@mail.gmail.com>
Date: Sun, 15 Sep 2019 06:20:08 -0400
Cc: shogunx@sleekfreak.ath.cx, IETF Discussion Mailing List <ietf@ietf.org>
Message-Id: <4908F69C-29E8-438C-BCCF-E399EA229C66@gmail.com>
References: <CAChr6Sz3j0iLGsB2bGvfitPzCkiTCJYHfmUF5S-8zPYMt1r+3A@mail.gmail.com> <6.2.5.6.2.20190911094010.0c933fa8@elandnews.com> <20190911194723.GC18811@localhost> <6.2.5.6.2.20190911131143.11401cb8@elandnews.com> <CAMm+Lwi2CDBCDUhMG7Z487G-BYVp4rRJ=YG73Z=M=TkZ=jaAbQ@mail.gmail.com> <alpine.DEB.2.21.1909121135080.32554@sleekfreak.ath.cx> <CABcZeBMp7dzvTGnPTk=q79pf5KYiMd0eepEXiyFw=imPNkSfBg@mail.gmail.com> <B7BC79DD-617E-4FFA-A414-76C5C0287C00@hopcount.ca> <alpine.DEB.2.21.1909140303190.32554@sleekfreak.ath.cx> <CABtrr-UQXtjUmEMHxr_eV=jJ-h8YtwtEY60aLe9u_Bb+zAiJdg@mail.gmail.com>
To: Joseph Lorenzo Hall <joe@cdt.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/klKuiAWlNc_meiUux5CnO_hNxxw>


Sent from my mobile device

> On Sep 14, 2019, at 1:19 PM, Joseph Lorenzo Hall <joe@cdt.org> wrote:
> 
> (I've had this argument dozens maybe hundreds of times, not going to do that here.)

Since you cited yourself and EKR as experts that could work on this, where would you like to have the conversation?  A draft perhaps as a starting point as the IETF likes to do things on list, so maybe timing was bad?  A collection of problems with reasoned responses could be useful if this was taken on as work. Or do you have a paper reference with your thoughts/a response?

Best regards,
Kathleen 

> 
>> On Sat, Sep 14, 2019 at 3:28 AM <shogunx@sleekfreak.ath.cx> wrote:
>> > 
>> > This is pretty off-topic for IETF, but might be interesting to people.
>> > 
>> > I certainly agree that software independence
>> > (https://en.wikipedia.org/wiki/Software_independence) is a good
>> > objective for voting systems, and hand-counted paper ballots are one
>> > good way to achieve that.
>> 
>> Hand counted paper ballots are the only way, IMHO.
>> 
>> > However, there are voting environments where
>> > they are problematic. Specifically, because the time to hand-count
>> > ballots scales with both the number of ballots and the number of
>> > contests, in places like California where there a large number of
>> > contests per election it can be difficult to do a complete hand-count
>> > in a reasonable period of time.
>> 
>> This depends on what we consider reasonable.  If it takes a month, it 
>> takes a month, just like the good old days.  The wait is a small price to 
>> pay in order to ensure the correct functioning of this critical component 
>> of democracy, difficult or not.
>> 
>> > 
>> > One good alternative is hand-marked optical scan ballots which are
>> > then verified via a risk limiting audit
>> > (https://en.wikipedia.org/wiki/Risk-limiting_audit). This can provide
>> > a much more efficient count that still has software independence up to
>> > a given risk level \alpha.
>> 
>> I, for one, am not really willing to risk optical scan machines having 
>> hardware backdoors in the processor, as has been demonstrated, or easily 
>> manipulated firmware, particularly in the name of expediency.  Further, 
>> this does nothing to address the vectors of vulnerability that lie in the 
>> central tabulators, or the route the data takes from collection point to 
>> tabulation point. The latter is potentially an IETF matter, and if so, 
>> should be addressed with no less fervor than BGP security.
>> 
>> I would cite Bush v Gore, 2000; specifically -19000 votes for Gore in 
>> Volusia County, FL.  Was the vector the optical scan ballot system, the 
>> tabulation system, or a routing MITM?  Tough to know, although the 
>> localization and sneakernet transport system from balloting to tabulation 
>> in FL generally would rule out a routing problem in this instance.  IIRC, 
>> there was a questionable route involved in the Ohio, 2004 discrepancy, 
>> although this could have been manual routing through tunnels that caused 
>> the issue.  Would publicly hand counted paper ballots have prevented these 
>> attacks, potentially 18 years of war, falling behind on climate 
>> adaptation, and a host of other wrongs?  Quite possibly.  This much, I 
>> know for sure:  without legitimate elections in a democracy, there can be 
>> no legitimate government.
>> 
>> > 
>> > 
>> > The theory and practice of elections and the specific challenges with
>> > on-line voting is a whole ecosystem of its own with conferences, journals
>> > and an active community of academics, vendors and governments discussing a
>> > fairly broad spectrum from information theory, statistics and cryptography
>> > through to operational and platform security, software quality, public
>> > policy and law.
>> > I am no expert in any of this but I happen to have an academic supervisor
>> > who is. If anybody would like an introduction to that world e.g. as an
>> > alternative to trying to reinvent it at the IETF, I'd be happy to make one.
>> > 
>> > 
>> > Joe
>> > 
>> >
>> 
> 
> 
> -- 
> Joseph Lorenzo Hall
> Chief Technologist, Center for Democracy & Technology [https://www..cdt.org]
> 1401 K ST NW STE 200, Washington DC 20005-3497
> e: joe@cdt.org, p: 202.407.8825, pgp: https://josephhall.org/gpg-key
> Fingerprint: 3CA2 8D7B 9F6D DBD3 4B10  1607 5F86 6987 40A9 A871
>
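The risk-limiting audit referred to in the quoted paragraph, worked through as an added example that is not part of this thread or anyone's posted code: a BRAVO-style ballot-polling RLA (the sequential test of Lindeman, Stark and Yates) for one two-candidate contest at risk limit alpha. The reported totals, the paper population and the drawn sample are all constructed for illustration; an audit that does not reach the risk limit escalates to a full hand count, which is what keeps the outcome independent of whatever the scanner software did.

```python
import math
import random

def bravo_audit(reported_winner, reported_loser, drawn_ballots, alpha):
    """BRAVO ballot-polling risk-limiting audit of one two-candidate contest.

    reported_winner, reported_loser: totals the scanner/tabulator reported.
    drawn_ballots: paper ballots drawn at random with replacement, each read
        by hand as 'W' (reported winner), 'L' (reported loser) or 'X' (neither).
    alpha: the risk limit, the largest chance that a wrong reported outcome
        escapes a full hand count.
    Returns (confirmed, ballots_examined); confirmed=False means the sample ran
    out before the risk limit was met, so the contest escalates to a hand count.
    """
    if reported_winner <= reported_loser:
        raise ValueError("reported totals must favour the reported winner")
    if not 0 < alpha < 1:
        raise ValueError("alpha must lie strictly between 0 and 1")
    s_w = reported_winner / (reported_winner + reported_loser)  # reported share
    # Wald SPRT of H0 'true winner share is 1/2' (reported outcome wrong) against
    # H1 'true share is s_w'; log-likelihood ratios are summed so that a long
    # audit cannot overflow the statistic T = exp(log_t).
    log_threshold = math.log(1.0 / alpha)
    log_t = 0.0
    examined = 0
    for ballot in drawn_ballots:
        examined += 1
        if ballot == 'W':
            log_t += math.log(2 * s_w)        # > 0: evidence for the reported outcome
        elif ballot == 'L':
            log_t += math.log(2 * (1 - s_w))  # < 0: evidence against it
        # 'X' ballots are equally likely under both hypotheses and leave T unchanged
        if log_t >= log_threshold:
            return True, examined
    return False, examined

def draw_sample(paper_w, paper_l, paper_x, n, seed=0):
    """Draw n ballots with replacement from a constructed paper population."""
    rng = random.Random(seed)
    population = ['W'] * paper_w + ['L'] * paper_l + ['X'] * paper_x
    return [rng.choice(population) for _ in range(n)]

if __name__ == "__main__":
    # Constructed scenario: scanner reports 5500 to 4500 (55% share), 5% risk limit.
    honest = draw_sample(5500, 4500, 200, 2000)     # paper agrees with the scanner
    print("honest paper:", bravo_audit(5500, 4500, honest, 0.05))
    flipped = draw_sample(4500, 5500, 200, 2000)    # paper contradicts the scanner
    print("flipped paper:", bravo_audit(5500, 4500, flipped, 0.05))
```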