Re: Voting Security (was: The Next Genaration)
Joseph Lorenzo Hall <joe@cdt.org> Sun, 15 September 2019 20:40 UTC
Return-Path: <jhall@cdt.org>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF43712008F for <ietf@ietfa.amsl.com>; Sun, 15 Sep 2019 13:40:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cdt.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EC6BmyjYp6Wx for <ietf@ietfa.amsl.com>; Sun, 15 Sep 2019 13:40:14 -0700 (PDT)
Received: from mail-io1-xd41.google.com (mail-io1-xd41.google.com [IPv6:2607:f8b0:4864:20::d41]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 28CA1120041 for <ietf@ietf.org>; Sun, 15 Sep 2019 13:40:14 -0700 (PDT)
Received: by mail-io1-xd41.google.com with SMTP id m11so74133556ioo.0 for <ietf@ietf.org>; Sun, 15 Sep 2019 13:40:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cdt.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Now4Ydy3dJkH2v2uOiy0GUe3gj0p+Rr5LdiIykCrDEg=; b=mePkU0T4Tey6a3k8Su6rtNnMJ+OIWqdG9NrK1G1JLr1/rPyxs31OY0Q+yyw7cVIKeg 4Kl4nklmGhl3+1/rXKAWQ6hdUYZRZ6GVrBPAZtCHwdVmBnWYICt4k3DfsbJgPzgw7b0g uVIFz0Ntp7Dd3elyfwtP1K8Io81Y66ewIQsEQ=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Now4Ydy3dJkH2v2uOiy0GUe3gj0p+Rr5LdiIykCrDEg=; b=VuDV/DN1KUPKGqKnMGeKuaurIHIdG+nOmsUK1VyPWYJgnJaTwEGSJxGDtO598sA0PP Q0RSjbc44cFeR3ecJM2TtXzT3q5PLFPPKRauiSqShl06mYYyyDNg0+Gx44kHIu54Dm/8 miDjDCcOiBxjt9uG7bKiItxnpDPowVtdtLFzYhdiLz3DZe7MUo0O0dtGhtB4yf27DQAM yki7FWCarqXYATfOUozoI9z9xZgleo0kUEU/IbCvWHV45dTqOwglfxs+G4bIqHM7aLCa GzzTkJc2nfccSc+VG29x4srhWhVTc9dymCZ9k1hn25NEJe1Oidf8eeXmKnFpCIus6B2V hvxg==
X-Gm-Message-State: APjAAAXhEAQ+0EFYzVid/c9xth+b5YlEF5t5PSXopFUkl+wExd8bxbFU sQLFQoVpl1BMKtcTQO4fVY58T4RDUMskUAmnfUnDoQ==
X-Google-Smtp-Source: APXvYqx+umw46Kta9UeYNRRe/qRWDWwnHCQadAK/PPrhnu9cs+uJNM44eenja7FLisgYZaWDUWKsjacNu1pUzHvNQH0=
X-Received: by 2002:a6b:db10:: with SMTP id t16mr13227027ioc.260.1568580013284; Sun, 15 Sep 2019 13:40:13 -0700 (PDT)
MIME-Version: 1.0
References: <CAChr6Sz3j0iLGsB2bGvfitPzCkiTCJYHfmUF5S-8zPYMt1r+3A@mail.gmail.com> <6.2.5.6.2.20190911094010.0c933fa8@elandnews.com> <20190911194723.GC18811@localhost> <6.2.5.6.2.20190911131143.11401cb8@elandnews.com> <CAMm+Lwi2CDBCDUhMG7Z487G-BYVp4rRJ=YG73Z=M=TkZ=jaAbQ@mail.gmail.com> <alpine.DEB.2.21.1909121135080.32554@sleekfreak.ath.cx> <CABcZeBMp7dzvTGnPTk=q79pf5KYiMd0eepEXiyFw=imPNkSfBg@mail.gmail.com> <B7BC79DD-617E-4FFA-A414-76C5C0287C00@hopcount.ca> <alpine.DEB.2.21.1909140303190.32554@sleekfreak.ath.cx> <CABtrr-UQXtjUmEMHxr_eV=jJ-h8YtwtEY60aLe9u_Bb+zAiJdg@mail.gmail.com> <4908F69C-29E8-438C-BCCF-E399EA229C66@gmail.com> <CABtrr-WV4u7Up2Oj1ABj151ZwvVnBHukmy6e9EF2zbgAQwGLeQ@mail.gmail.com>
In-Reply-To: <CABtrr-WV4u7Up2Oj1ABj151ZwvVnBHukmy6e9EF2zbgAQwGLeQ@mail.gmail.com>
From: Joseph Lorenzo Hall <joe@cdt.org>
Date: Sun, 15 Sep 2019 16:40:02 -0400
Message-ID: <CABtrr-Xq4nKHvjxhWGHyTVseuY2DkJxMujAHc1s2ESUfy8SCkw@mail.gmail.com>
Subject: Re: Voting Security (was: The Next Genaration)
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Cc: IETF Discussion Mailing List <ietf@ietf.org>, shogunx@sleekfreak.ath.cx
Content-Type: multipart/alternative; boundary="0000000000007e746505929d7e5e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/p2eWYK6Xz40G8_MGd7NhL-KotzU>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 15 Sep 2019 20:40:18 -0000
On Sun, Sep 15, 2019 at 16:38 Joseph Lorenzo Hall <joe@cdt.org> wrote: > > > On Sun, Sep 15, 2019 at 06:20 Kathleen Moriarty < > kathleen.moriarty.ietf@gmail.com> wrote: > >> >> >> Sent from my mobile device >> >> On Sep 14, 2019, at 1:19 PM, Joseph Lorenzo Hall <joe@cdt.org> wrote: >> >> (I've had this argument dozens maybe hundreds of times, not going to do >> that here.) >> >> >> Since you cited yourself and EKR as experts that could work on this, >> where would you like to have the conversation? A draft perhaps as a >> starting point as the IETF likes to do things on list, so maybe timing was >> bad? A collection of problems with reasoned responses could be useful if >> this was taken on as work. Or do you have a paper reference with your >> thoughts/a response? >> >> > There is a vast literature here. I would be happy to talk more about it > with anyone interested in a more synchronous medium (I'll be in SIN for > 106). It doesn't seem to have a lot of relevance to issues at IETF, unless > I'm missing something. > > Until then, here is a bit: > > The first chapter of my PhD thesis talks about the necessity of > mechanization (and now computerization) of elections in the United States, > good cites there to a handful of books: > https://josephhall.org/papers/jhall-phd.pdf > > Doug Jones and Barbara Simons' book has since come out and it is marvelous > on this, I recommend the whole thing: > https://www.press.uchicago.edu/ucp/books/book/distributed/B/bo13383590.html > Here are some good, deep popular articles: > > Ronnie Dugger, "Counting Votes" New Yorker (October 30, 1988), > https://www.newyorker.com/magazine/1988/11/07/counting-votes > > Jill Lapore, "Rock, Paper, Scissors; How we used to vote" New Yorker > (October 6, 2008), > https://www.newyorker.com/magazine/2008/10/13/rock-paper-scissors > > Rebecca Onion, "How did they count all those balls before voting machines" > Slate (November, 8 2016) > https://slate.com/news-and-politics/2016/11/how-did-they-count-ballots-before-voting-machines.html > > > Best regards, >> Kathleen >> >> >> On Sat, Sep 14, 2019 at 3:28 AM <shogunx@sleekfreak.ath.cx> wrote: >> >>> > >>> > This is pretty off-topic for IETF, but might be interesting to people. >>> > >>> > I certainly agree that software independence >>> > (https://en.wikipedia.org/wiki/Software_independence) is a good >>> > objective for voting systems, and hand-counted paper ballots are one >>> > good way to achieve that. >>> >>> Hand counted paper ballots are the only way, IMHO. >>> >>> > However, there are voting environments where >>> > they are problematic. Specifically, because the time to hand-count >>> > ballots scales with both the number of ballots and the number of >>> > contests, in places like California where there a large number of >>> > contests per election it can be difficult to do a complete hand-count >>> > in a reasonable period of time. >>> >>> This depends on what we consider reasonable. If it takes a month, it >>> takes a month, just like the good old days. The wait is a small price >>> to >>> pay in order to ensure the correct functioning of this critical >>> component >>> of democracy, difficult or not. >>> >>> > >>> > One good alternative is hand-marked optical scan ballots which are >>> > then verified via a risk limiting audit >>> > (https://en.wikipedia.org/wiki/Risk-limiting_audit). This can provide >>> > a much more efficient count that still has software independence up to >>> > a given risk level \alpha. >>> >>> I, for one, am not really willing to risk optical scan machines having >>> hardware backdoors in the processor, as has been demonstrated, or easily >>> manipulated firmware, particularly in the name of expediency. Further, >>> this does nothing to address the vectors of vulnerability that lie in >>> the >>> central tabulators, or the route the data takes from collection point to >>> tabulation point. The latter is potentially an IETF matter, and if so, >>> should be addressed with no less fervor than BGP security. >>> >>> I would cite Bush v Gore, 2000; specifially -19000 votes for Gore in >>> Volusia County, FL. Was the vector the optical scan ballot system, the >>> tabulation system, or a routing MITM? Tough to know, although the >>> localization and sneakernet transport system from balloting to >>> tabulation >>> in FL generally would rule out a routing problem in this instance. >>> IIRC, >>> there was a questionable route involved in the Ohio, 2004 discrepancy, >>> although this could have been manual routing through tunnels that caused >>> the issue. Would publicly hand counted paper ballots have prevented >>> these >>> attacks, potentially 18 years of war, falling behind on climate >>> adaptation, and a host of other wrongs? Quite possibly. This much, I >>> know for sure: without legitimate elections in a democracy, there can >>> be >>> no legitimate government. >>> >>> > >>> > >>> > The theory and practice of elections and the specific challenges with >>> > on-line voting is a whole ecosystem of its own with conferences, >>> journals >>> > and an active community of academics, vendors and governments >>> discussing a >>> > fairly broad spectrum from information theory, statistics and >>> cryptography >>> > through to operational and platform security, software quality, public >>> > policy and law. >>> > I am no expert in any of this but I happen to have an academic >>> supervisor >>> > who is. If anybody would like an introduction to that world e.g. as an >>> > alternative to trying to reinvent it at the IETF, I'd be happy to make >>> one. >>> > >>> > >>> > Joe >>> > >>> > >>> >>> >> >> -- >> >> Joseph Lorenzo Hall >> Chief Technologist, Center for Democracy & Technology [ >> https://www..cdt.org <https://www.cdt.org>] >> >> >> 1401 K ST NW STE 200, Washington DC 20005 >> <https://www.google.com/maps/search/1401+K+ST+NW+STE+200,+Washington+DC+20005?entry=gmail&source=g> >> -3497 >> e: joe@cdt.org, p: 202.407.8825, pgp: https://josephhall.org/gpg-key >> Fingerprint: 3CA2 8D7B 9F6D DBD3 4B10 1607 5F86 6987 40A9 A871 >> >> -- > Joseph Lorenzo Hall > Chief Technologist, Center for Democracy & Technology [https://www.cdt.org > ] > 1401 K ST NW STE 200, Washington DC 20005-3497 > e: joe@cdt.org, p: 202.407.8825, pgp: https://josephhall.org/gpg-key > Fingerprint: 3CA2 8D7B 9F6D DBD3 4B10 1607 5F86 6987 40A9 A871 > -- Joseph Lorenzo Hall Chief Technologist, Center for Democracy & Technology [https://www.cdt.org] 1401 K ST NW STE 200, Washington DC 20005-3497 e: joe@cdt.org, p: 202.407.8825, pgp: https://josephhall.org/gpg-key Fingerprint: 3CA2 8D7B 9F6D DBD3 4B10 1607 5F86 6987 40A9 A871
- The Next Generation Rob Sayre
- Re: The Next Generation Dan Harkins
- Re: The Next Generation Keith Moore
- Re: The Next Generation Rob Sayre
- Re: The Next Generation Kyle Rose
- Re: The Next Generation Melinda Shore
- Re: The Next Generation Keith Moore
- Re: The Next Generation Jared Mauch
- Re: The Next Generation Dan Harkins
- Re: The Next Generation Rob Sayre
- Re: The Next Generation John C Klensin
- Re: The Next Generation Michael StJohns
- Re: The Next Generation Alissa Cooper
- Re: The Next Generation Kyle Rose
- Re: The Next Generation Rob Sayre
- Re: The Next Generation lloyd.wood@yahoo.co.uk
- Re: The Next Generation Keith Moore
- Re: The Next Generation Leif Johansson
- Re: The Next Generation George Michaelson
- Re: The Next Generation Masataka Ohta
- Re: The Next Generation Keith Moore
- RE: The Next Generation Michel Py
- Re: The Next Generation Kathleen Moriarty
- Re: The Next Generation Keith Moore
- Re: The Next Generation John C Klensin
- Re: The Next Generation Keith Moore
- Re: The Next Generation John C Klensin
- Re: The Next Generation S Moonesamy
- Re: The Next Generation Nico Williams
- Re: The Next Generation Warren Kumari
- Re: The Next Generation Rob Sayre
- Re: The Next Generation S Moonesamy
- Re: The Next Generation Phillip Hallam-Baker
- Re: The Next Generation shogunx
- Voting Security (was: The Next Genaration) Eric Rescorla
- Re: Voting Security (was: The Next Genaration) Joe Abley
- Re: The Next Generation Phillip Hallam-Baker
- Re: Voting Security (was: The Next Genaration) Joseph Lorenzo Hall
- Re: Voting Security (was: The Next Genaration) shogunx
- Re: Voting Security (was: The Next Genaration) Joseph Lorenzo Hall
- Re: Voting Security (was: The Next Genaration) Kathleen Moriarty
- Re: Voting Security (was: The Next Genaration) Joseph Lorenzo Hall
- Re: Voting Security (was: The Next Genaration) Joseph Lorenzo Hall
- Re: Voting Security (was: The Next Genaration) Salz, Rich
- Re: Voting Security Keith Moore
- Re: Voting Security shogunx
- Re: Voting Security (was: The Next Genaration) Eric Rescorla
- Re: Voting Security Phillip Hallam-Baker
- Re: Voting Security shogunx
- Re: Voting Security Vittorio Bertola