IETF Logo Mail Archive

Re: Voting Security (was: The Next Genaration)

Joseph Lorenzo Hall <joe@cdt.org> Sun, 15 September 2019 20:40 UTC

Return-Path: <jhall@cdt.org>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF43712008F for <ietf@ietfa.amsl.com>; Sun, 15 Sep 2019 13:40:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cdt.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EC6BmyjYp6Wx for <ietf@ietfa.amsl.com>; Sun, 15 Sep 2019 13:40:14 -0700 (PDT)
Received: from mail-io1-xd41.google.com (mail-io1-xd41.google.com [IPv6:2607:f8b0:4864:20::d41]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 28CA1120041 for <ietf@ietf.org>; Sun, 15 Sep 2019 13:40:14 -0700 (PDT)
Received: by mail-io1-xd41.google.com with SMTP id m11so74133556ioo.0 for <ietf@ietf.org>; Sun, 15 Sep 2019 13:40:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cdt.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Now4Ydy3dJkH2v2uOiy0GUe3gj0p+Rr5LdiIykCrDEg=; b=mePkU0T4Tey6a3k8Su6rtNnMJ+OIWqdG9NrK1G1JLr1/rPyxs31OY0Q+yyw7cVIKeg 4Kl4nklmGhl3+1/rXKAWQ6hdUYZRZ6GVrBPAZtCHwdVmBnWYICt4k3DfsbJgPzgw7b0g uVIFz0Ntp7Dd3elyfwtP1K8Io81Y66ewIQsEQ=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Now4Ydy3dJkH2v2uOiy0GUe3gj0p+Rr5LdiIykCrDEg=; b=VuDV/DN1KUPKGqKnMGeKuaurIHIdG+nOmsUK1VyPWYJgnJaTwEGSJxGDtO598sA0PP Q0RSjbc44cFeR3ecJM2TtXzT3q5PLFPPKRauiSqShl06mYYyyDNg0+Gx44kHIu54Dm/8 miDjDCcOiBxjt9uG7bKiItxnpDPowVtdtLFzYhdiLz3DZe7MUo0O0dtGhtB4yf27DQAM yki7FWCarqXYATfOUozoI9z9xZgleo0kUEU/IbCvWHV45dTqOwglfxs+G4bIqHM7aLCa GzzTkJc2nfccSc+VG29x4srhWhVTc9dymCZ9k1hn25NEJe1Oidf8eeXmKnFpCIus6B2V hvxg==
X-Gm-Message-State: APjAAAXhEAQ+0EFYzVid/c9xth+b5YlEF5t5PSXopFUkl+wExd8bxbFU sQLFQoVpl1BMKtcTQO4fVY58T4RDUMskUAmnfUnDoQ==
X-Google-Smtp-Source: APXvYqx+umw46Kta9UeYNRRe/qRWDWwnHCQadAK/PPrhnu9cs+uJNM44eenja7FLisgYZaWDUWKsjacNu1pUzHvNQH0=
X-Received: by 2002:a6b:db10:: with SMTP id t16mr13227027ioc.260.1568580013284; Sun, 15 Sep 2019 13:40:13 -0700 (PDT)
MIME-Version: 1.0
References: <CAChr6Sz3j0iLGsB2bGvfitPzCkiTCJYHfmUF5S-8zPYMt1r+3A@mail.gmail.com> <6.2.5.6.2.20190911094010.0c933fa8@elandnews.com> <20190911194723.GC18811@localhost> <6.2.5.6.2.20190911131143.11401cb8@elandnews.com> <CAMm+Lwi2CDBCDUhMG7Z487G-BYVp4rRJ=YG73Z=M=TkZ=jaAbQ@mail.gmail.com> <alpine.DEB.2.21.1909121135080.32554@sleekfreak.ath.cx> <CABcZeBMp7dzvTGnPTk=q79pf5KYiMd0eepEXiyFw=imPNkSfBg@mail.gmail.com> <B7BC79DD-617E-4FFA-A414-76C5C0287C00@hopcount.ca> <alpine.DEB.2.21.1909140303190.32554@sleekfreak.ath.cx> <CABtrr-UQXtjUmEMHxr_eV=jJ-h8YtwtEY60aLe9u_Bb+zAiJdg@mail.gmail.com> <4908F69C-29E8-438C-BCCF-E399EA229C66@gmail.com> <CABtrr-WV4u7Up2Oj1ABj151ZwvVnBHukmy6e9EF2zbgAQwGLeQ@mail.gmail.com>
In-Reply-To: <CABtrr-WV4u7Up2Oj1ABj151ZwvVnBHukmy6e9EF2zbgAQwGLeQ@mail.gmail.com>
From: Joseph Lorenzo Hall <joe@cdt.org>
Date: Sun, 15 Sep 2019 16:40:02 -0400
Message-ID: <CABtrr-Xq4nKHvjxhWGHyTVseuY2DkJxMujAHc1s2ESUfy8SCkw@mail.gmail.com>
Subject: Re: Voting Security (was: The Next Genaration)
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Cc: IETF Discussion Mailing List <ietf@ietf.org>, shogunx@sleekfreak.ath.cx
Content-Type: multipart/alternative; boundary="0000000000007e746505929d7e5e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/p2eWYK6Xz40G8_MGd7NhL-KotzU>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 15 Sep 2019 20:40:18 -0000

On Sun, Sep 15, 2019 at 16:38 Joseph Lorenzo Hall <joe@cdt.org> wrote:

>
>
> On Sun, Sep 15, 2019 at 06:20 Kathleen Moriarty <
> kathleen.moriarty.ietf@gmail.com> wrote:
>
>>
>>
>> Sent from my mobile device
>>
>> On Sep 14, 2019, at 1:19 PM, Joseph Lorenzo Hall <joe@cdt.org> wrote:
>>
>> (I've had this argument dozens maybe hundreds of times, not going to do
>> that here.)
>>
>>
>> Since you cited yourself and EKR as experts that could work on this,
>> where would you like to have the conversation?  A draft perhaps as a
>> starting point as the IETF likes to do things on list, so maybe timing was
>> bad?  A collection of problems with reasoned responses could be useful if
>> this was taken on as work. Or do you have a paper reference with your
>> thoughts/a response?
>>
>>
> There is a vast literature here. I would be happy to talk more about it
> with anyone interested in a more synchronous medium (I'll be in SIN for
> 106). It doesn't seem to have a lot of relevance to issues at IETF, unless
> I'm missing something.
>
> Until then, here is a bit:
>
> The first chapter of my PhD thesis talks about the necessity of
> mechanization (and now computerization) of elections in the United States,
> good cites there to a handful of books:
> https://josephhall.org/papers/jhall-phd.pdf
>
> Doug Jones and Barbara Simons' book has since come out and it is marvelous
> on this, I recommend the whole thing:
>

https://www.press.uchicago.edu/ucp/books/book/distributed/B/bo13383590.html


> Here are some good, deep popular articles:
>
> Ronnie Dugger, "Counting Votes" New Yorker (October 30, 1988),
> https://www.newyorker.com/magazine/1988/11/07/counting-votes
>
> Jill Lapore, "Rock, Paper, Scissors; How we used to vote" New Yorker
> (October 6, 2008),
> https://www.newyorker.com/magazine/2008/10/13/rock-paper-scissors
>
> Rebecca Onion, "How did they count all those balls before voting machines"
> Slate (November, 8 2016)
> https://slate.com/news-and-politics/2016/11/how-did-they-count-ballots-before-voting-machines.html
>
>
> Best regards,
>> Kathleen
>>
>>
>> On Sat, Sep 14, 2019 at 3:28 AM <shogunx@sleekfreak.ath.cx> wrote:
>>
>>> >
>>> > This is pretty off-topic for IETF, but might be interesting to people.
>>> >
>>> > I certainly agree that software independence
>>> > (https://en.wikipedia.org/wiki/Software_independence) is a good
>>> > objective for voting systems, and hand-counted paper ballots are one
>>> > good way to achieve that.
>>>
>>> Hand counted paper ballots are the only way, IMHO.
>>>
>>> > However, there are voting environments where
>>> > they are problematic. Specifically, because the time to hand-count
>>> > ballots scales with both the number of ballots and the number of
>>> > contests, in places like California where there a large number of
>>> > contests per election it can be difficult to do a complete hand-count
>>> > in a reasonable period of time.
>>>
>>> This depends on what we consider reasonable.  If it takes a month, it
>>> takes a month, just like the good old days.  The wait is a small price
>>> to
>>> pay in order to ensure the correct functioning of this critical
>>> component
>>> of democracy, difficult or not.
>>>
>>> >
>>> > One good alternative is hand-marked optical scan ballots which are
>>> > then verified via a risk limiting audit
>>> > (https://en.wikipedia.org/wiki/Risk-limiting_audit). This can provide
>>> > a much more efficient count that still has software independence up to
>>> > a given risk level \alpha.
>>>
>>> I, for one, am not really willing to risk optical scan machines having
>>> hardware backdoors in the processor, as has been demonstrated, or easily
>>> manipulated firmware, particularly in the name of expediency.  Further,
>>> this does nothing to address the vectors of vulnerability that lie in
>>> the
>>> central tabulators, or the route the data takes from collection point to
>>> tabulation point. The latter is potentially an IETF matter, and if so,
>>> should be addressed with no less fervor than BGP security.
>>>
>>> I would cite Bush v Gore, 2000; specifially -19000 votes for Gore in
>>> Volusia County, FL.  Was the vector the optical scan ballot system, the
>>> tabulation system, or a routing MITM?  Tough to know, although the
>>> localization and sneakernet transport system from balloting to
>>> tabulation
>>> in FL generally would rule out a routing problem in this instance.
>>> IIRC,
>>> there was a questionable route involved in the Ohio, 2004 discrepancy,
>>> although this could have been manual routing through tunnels that caused
>>> the issue.  Would publicly hand counted paper ballots have prevented
>>> these
>>> attacks, potentially 18 years of war, falling behind on climate
>>> adaptation, and a host of other wrongs?  Quite possibly.  This much, I
>>> know for sure:  without legitimate elections in a democracy, there can
>>> be
>>> no legitimate government.
>>>
>>> >
>>> >
>>> > The theory and practice of elections and the specific challenges with
>>> > on-line voting is a whole ecosystem of its own with conferences,
>>> journals
>>> > and an active community of academics, vendors and governments
>>> discussing a
>>> > fairly broad spectrum from information theory, statistics and
>>> cryptography
>>> > through to operational and platform security, software quality, public
>>> > policy and law.
>>> > I am no expert in any of this but I happen to have an academic
>>> supervisor
>>> > who is. If anybody would like an introduction to that world e.g. as an
>>> > alternative to trying to reinvent it at the IETF, I'd be happy to make
>>> one.
>>> >
>>> >
>>> > Joe
>>> >
>>> >
>>>
>>>
>>
>> --
>>
>> Joseph Lorenzo Hall
>> Chief Technologist, Center for Democracy & Technology [
>> https://www..cdt.org <https://www.cdt.org>]
>>
>>
>> 1401 K ST NW STE 200, Washington DC 20005
>> <https://www.google.com/maps/search/1401+K+ST+NW+STE+200,+Washington+DC+20005?entry=gmail&source=g>
>> -3497
>> e: joe@cdt.org, p: 202.407.8825, pgp: https://josephhall.org/gpg-key
>> Fingerprint: 3CA2 8D7B 9F6D DBD3 4B10  1607 5F86 6987 40A9 A871
>>
>> --
> Joseph Lorenzo Hall
> Chief Technologist, Center for Democracy & Technology [https://www.cdt.org
> ]
> 1401 K ST NW STE 200, Washington DC 20005-3497
> e: joe@cdt.org, p: 202.407.8825, pgp: https://josephhall.org/gpg-key
> Fingerprint: 3CA2 8D7B 9F6D DBD3 4B10  1607 5F86 6987 40A9 A871
>
-- 
Joseph Lorenzo Hall
Chief Technologist, Center for Democracy & Technology [https://www.cdt.org]
1401 K ST NW STE 200, Washington DC 20005-3497
e: joe@cdt.org, p: 202.407.8825, pgp: https://josephhall.org/gpg-key
Fingerprint: 3CA2 8D7B 9F6D DBD3 4B10  1607 5F86 6987 40A9 A871

v2.23.0 | Report a Bug | By Email