Linked by Thom Holwerda on Thu 2nd Feb 2017 22:48 UTC
Privacy, Security, Encryption

Let's talk about elections! Except not the American ones, but the Dutch elections, coming up in March.

Concerned about the role hackers and false news might have played in the United States election, the Dutch government announced on Wednesday that all ballots in next month's elections would be counted by hand.

We haven't been using electronic voting ever since it was demonstrated the machines were quite easily hackable, but everything higher up in the stack was still electronic - such as counting the paper ballot and tallying up the results from the individual voting districts. The upcoming election will now be entirely done by hand - voting, counting, and tallying, making it that much harder for foreign powers to meddle in our elections.

This switch to full manual voting is taken two days after Sijmen Ruwhof posted a detailed article explaining just how easy it would be to hack our voting process.

Journalists from Dutch TV station RTL contacted me last week and wanted to know whether the Dutch elections could be hacked. They had been tipped off that the current Dutch electoral software used weak cryptography in certain parts of its system (SHA1).

I was stunned and couldn't believe what I had just heard. Are we still relying on computers for our voting process?

Turns out the "security" of the counting machines and software, as well as the practices of everything around it, is absolutely terrible. The article is an endless stream of facepalms - and really shines a light on just how lacklustre the whole electronic part of the process was, and hence provides an interesting look behind the scenes of an election.

Order by: Score:
There is a great sense...
by dionicio on Fri 3rd Feb 2017 01:15 UTC
dionicio
Member since:
2006-07-12

Of accomplishment and confidence, on doing that way. Congratulations.

Reply Score: 4

Facepalm
by Alfman on Fri 3rd Feb 2017 01:34 UTC
Alfman
Member since:
2011-01-28

I immediately realized that this optional final paper audit forms a critical weakness in our current voting system (risk #1 critical). It means that our pencil-and-paper voting is basically security theater in its current implementation. Because when analog voting results are inserted into computers, which subsequently calculate the results, we are still, effectively, using electronic voting.

I was both amazed and frightened by this fact.

Anyone with a certain level of IT-security knowledge will tell you that a computer cannot be trusted. Whatever steps you take to secure a computer, it will always be possible to hack it. And against state-sponsored hackers you have almost zero chance. To put it bluntly: you can’t protect a computer system against experienced and well-funded state-employed hackers.



While I appreciate the research he puts into investigating legitimate procedural issues, he seems unable to grasp why computers aren't the fundamental problem. The problem isn't computers so much as it is putting all eggs in one basket. This risk of tampering applies to both computers as well as humans. The solution isn't to become a Luddite though, the legitimate & secure CS solution is clearly to add redundancy: Don't trust anything to a single machine, vendor, person, etc.

Redundancy allows us to detect tampering, both human and digital, with an arbitrarily high degree of certainty. Heck, at the logical extreme, they could even turn ballot counting into a public event where anyone could bring a video camera and scan the ballots immediately as they enter the official scanners. They could even stream these online if they wanted and the public could tabulate the results with their own software on their own machines. Tampering becomes futile when there are so many targets that would need to be compromised. Any alleged hacking would be easily proved or disproved publicly thanks to the redundancy.

Anyone with a certain level of IT-security knowledge will tell you that while you can fool some computers some of the time, you can't fool all computers all of the time ;)

Edited 2017-02-03 01:43 UTC

Reply Score: 5

RE: Facepalm
by loic on Fri 3rd Feb 2017 08:58 UTC in reply to "Facepalm"
loic Member since:
2012-09-23

The main problem with every single electronic or mechanical voting system is that a random guy/woman in a crowd of voters cannot audit the system. You can make these as secure and as open as you want, as long as the average Joe cannot ensure by himself the voting process is fraudless, it cannot be democracy, it's a technocracy.
Here, in France, I participated several times to manual ballot counting and I have to say that it is simple. Anybody can figure out the system, and it is totally accountable if you got enough citizens participating. Isn't it what democracy is about?

Edited 2017-02-03 08:58 UTC

Reply Score: 3

RE[2]: Facepalm
by Alfman on Fri 3rd Feb 2017 13:54 UTC in reply to "RE: Facepalm"
Alfman Member since:
2011-01-28

loic,

The main problem with every single electronic or mechanical voting system is that a random guy/woman in a crowd of voters cannot audit the system. You can make these as secure and as open as you want, as long as the average Joe cannot ensure by himself the voting process is fraudless, it cannot be democracy, it's a technocracy.


You obviously didn't read what I wrote because I literally proposed a solution where average Joes could ensure the voting process by themselves if they wanted to. Once you have the redundancy, it really doesn't matter if the counters are humans or computers.

Reply Score: 2

RE[3]: Facepalm
by pgeorgi on Sun 5th Feb 2017 21:38 UTC in reply to "RE[2]: Facepalm"
pgeorgi Member since:
2010-02-18

Once you have the redundancy, it really doesn't matter if the counters are humans or computers.


Still, what advantage does it bring to use computers in elections? It provides an additional risk that needs to be accounted for, it provides intransparency that needs to be worked around but doesn't get a more accurate result significantly faster even in the best case.

That has nothing to do with ludditism, just with not looking for a problem for which "voting machines" is the answer.

Reply Score: 2

Hacking ... from inside
by dariapra on Fri 3rd Feb 2017 02:32 UTC
dariapra
Member since:
2012-02-27

Usually the danger of cheating in an election is more likely to come from inside than beyond country borders.

In 1982 Spain, my country, joined NATO. It was a very controversial decision taken by the government. Months later parliamentary elections were held and, as result, there was a new government.

The new government promised that the citizens would be consulted about this issue, and in 1986 a referendum was held. Spaniards were asked if they wanted to leave NATO or continuing as a member. The latter won [1].

Most electoral surveys forecasted that the leave option would be the winner. However, the another option was the winner: 56% of the votes against the 43% gotten by the leave option.

Thus, for many people that result was a big surprise. Some of them (still) claim that the government commited fraud by altering the results at the electronic stage of vote counting.

It is the only election in Spain that I have heard complaints about its regularity.



[1] https://en.wikipedia.org/wiki/Spanish_NATO_membership_referendum,_19...

Edited 2017-02-03 02:33 UTC

Reply Score: 2

Comment by kompak
by kompak on Fri 3rd Feb 2017 04:06 UTC
kompak
Member since:
2011-06-14

Here in Finland all elections have been held with manually counted paper ballots for just that reason. There has been some experiments in electronic voting but they have all failed miserably with votes counted twice and other problems. It seems very unlikely that there will be any electronic voting in the near future and I see that as a very positive thing.

Reply Score: 2

the Australian lesson
by unclefester on Fri 3rd Feb 2017 07:45 UTC
unclefester
Member since:
2007-01-13

In Australia we use paper ballots. They are hand counted by the Australian Electoral Commission under the supervision of scrutineers from the various political parties. The ballots are securely stored for two years after the election in case a recount is needed. A new election for an individual seat or the Senate can be called for numerous reasons including misplaced ballots.

Reply Score: 3

RE: the Australian lesson
by The1stImmortal on Mon 6th Feb 2017 01:31 UTC in reply to "the Australian lesson"
The1stImmortal Member since:
2005-10-20

Given our electoral system is actually a bit complex (especially the senate) it makes sense to use humans.

In the last election I numbered something like 120 candidates, in order of preference, by hand with a pencil. You need humans to sort that out.

Reply Score: 1

Pure gold
by emphyrio on Fri 3rd Feb 2017 09:46 UTC
emphyrio
Member since:
2007-09-11

The reaction of the Dutch electoral council as been pure gold, roughly translated as: "what the heck are we supposed to do now, use calculators?"

Reply Score: 1

Comment by enryfox
by enryfox on Fri 3rd Feb 2017 11:19 UTC
enryfox
Member since:
2012-02-19

For once I'm glad that my country, Italy, never modernise the election process, everything here is still manual with paper, pencil and paper registry. I think that some manufacturer of stationary live only on what is required during the election as nearly every offices bo longer use such antiquated items (wet sponges to flip pages ... )

Hacking an election is not impossible, but it is very expensive.

Reply Score: 2

Is The Alternative Better?
by Brendan on Fri 3rd Feb 2017 11:57 UTC
Brendan
Member since:
2005-11-16

Hi,

Anyone with a certain level of IT-security knowledge will tell you that a computer can't be trusted; and anyone with any common sense knows that humans can't be trusted either.

How many people need to be involved in manually counting votes? How many of these people have the opportunity to change votes before/while counting them? It's not like erasers capable of rubbing out lead/graphite pencil marks don't exist.

- Brendan

Reply Score: 2

RE: Is The Alternative Better?
by Thom_Holwerda on Fri 3rd Feb 2017 12:14 UTC in reply to "Is The Alternative Better?"
Thom_Holwerda Member since:
2005-06-29

Hi,

Anyone with a certain level of IT-security knowledge will tell you that a computer can't be trusted; and anyone with any common sense knows that humans can't be trusted either.

How many people need to be involved in manually counting votes? How many of these people have the opportunity to change votes before/while counting them? It's not like erasers capable of rubbing out lead/graphite pencil marks don't exist.

- Brendan


In a proper democracy, the counting process is 100% accessible to the public. However, with computer counting, it's pretty much impossible to check if the computer is counting properly and hasn't been tampered with (you need some very specific knowledge as well ass access to the hard- and software). With regular counting, though, it's easy to keep an eye on the counters.

Reply Score: 2

RE[2]: Is The Alternative Better?
by dionicio on Tue 7th Feb 2017 15:03 UTC in reply to "RE: Is The Alternative Better?"
dionicio Member since:
2006-07-12

A prerequisite of accountability is openness. A lot of the stack is deliberately kept from participating on the open movement.

Reply Score: 2

dionicio Member since:
2006-07-12

This issue is so huge [at financial interests] that easier would be to create a separate, new stack, just for this kind of computing endeavors.[Ah, and yes, you'll need calculators -for the arithmetically challenged].

Reply Score: 2

RE[2]: Is The Alternative Better?
by dionicio on Tue 7th Feb 2017 15:10 UTC in reply to "RE: Is The Alternative Better?"
dionicio Member since:
2006-07-12

Democracy is expensive. [Time wise, fortunately]. Participation and Diversity at the full work-flow helps a lot to its cleanliness.

Reply Score: 2

Comment by Trenien
by Trenien on Fri 3rd Feb 2017 13:45 UTC
Trenien
Member since:
2007-10-11

Well, in France, ballot is exclusively paper and the counting is done publicly with anyone willing able to watch the process. Ballots are then stored (although I'm not sure for how long).

Whether the next tallying levels are done by hand or computer is irrelevant: the results are published in the next day papers at every level, down to every single polling place. Any tampering would immediately be obvious.

Edited 2017-02-03 13:46 UTC

Reply Score: 2

RE: Comment by Trenien
by Alfman on Fri 3rd Feb 2017 14:46 UTC in reply to "Comment by Trenien"
Alfman Member since:
2011-01-28

Trenien,

Well, in France, ballot is exclusively paper and the counting is done publicly with anyone willing able to watch the process. Ballots are then stored (although I'm not sure for how long).

Whether the next tallying levels are done by hand or computer is irrelevant: the results are published in the next day papers at every level, down to every single polling place. Any tampering would immediately be obvious.


Exactly, computers aren't a problem, humans can commit fraud (and errors) too. The solution is to add redundancy so that we don't rely on too few points of failure that can be tampered with. Once you have redundancy, the fraud is made obvious.

This protest of computers is misguided, instead the protest should be over the lack of redundancy and public oversight.

Reply Score: 3

RE[2]: Comment by Trenien
by ml2mst on Sat 4th Feb 2017 01:02 UTC in reply to "RE: Comment by Trenien"
ml2mst Member since:
2005-08-27

Exactly, computers aren't a problem, humans can commit fraud (and errors) too. The solution is to add redundancy so that we don't rely on too few points of failure that can be tampered with. Once you have redundancy, the fraud is made obvious.

This protest of computers is misguided, instead the protest should be over the lack of redundancy and public oversight.


+1 (Insightful)

I have a bad feeling about this. The reason is more sinister IMO.

The Dutch government and MSM is scared to death the Party For Freedom (Geert Wilders) will win the elections. So they´ll have to "fix" it, one way or the other.

You should have seen the sheer hysteria in Dutch MSM after the victory of President Trump. :-D

Reply Score: 2

RE[3]: Comment by Trenien
by dariapra on Sun 5th Feb 2017 03:17 UTC in reply to "RE[2]: Comment by Trenien"
dariapra Member since:
2012-02-27

+1

In 1986 Spanish citizens were asked about continuing as member of the NATO or leaving. The Spanish government faced a lot of pressure, given the geo-strategic importance of the country. On the other hand, most electoral surveys forecasted the leave option as the winner. Finally the continue option won, Spain did not leave NATO, and some claimed that there was a fraud in vote counting.

Meanwhile: "Dandruff? Caries? Menstrual pain? Putin is guilty!" And by looking at Moscow, we do not pay attention to our own cheaters.

Reply Score: 1

RE[3]: Comment by Trenien
by dionicio on Tue 7th Feb 2017 15:26 UTC in reply to "RE[2]: Comment by Trenien"
dionicio Member since:
2006-07-12

[Lawfully] Forcing a presence as far as possible at all the work-flow would significantly reduce tampering. If Electoral Laws and Regulations missing decent minimals, then People should vote against hegemonic party[es], just for that reason.

Reply Score: 2

Fraud with paper ballots is also a problem
by cropr on Sun 5th Feb 2017 19:30 UTC
cropr
Member since:
2006-02-14

For the record. I was the project manager of one of the suppliers of the Belgian electronic voting system in 1994 and of a similar system in the Netherlands in 1996. I am no longer involved in any voting system currently in use.

Before my company at that time developed a electronic voting system we evaluated manual paper voting processes. A voting system consists of 3 parts: a preparation where the list of candidates are created, the voting by the population and the collection of the votes making the result. In order to have a secure voting system all 3 parts must be secure and must be coordinated into a streamlined process.

The Dutch system described in the article fails miserably in the collection part. For me this is absolutely no surprise. In 1997 the Dutch authorities were during the approval process to my astonishment only interested in the voting process, but not in the preparation or the collection phase. As such, our local commercial partner who sold our voting system to the cities decided to use its own, less secure collection system.

The preparation and collection system we developed in 1994, was using a redundant floppy system. The floppy contained the OS (Ms-DOS), the program and the data, which was encrypted using triple DES. This setup was chosen to make it immune to viruses or any software that was available on a computer hard disk. Was this system hackable? Of course, but it required a coordinated effort by a lot of people, who had both the physical access and the technical knowledge. Tampering with a good designed voting system is quite a challenge, but if the tampering succeeds, the impact can be huge.

This is a major difference with voting with pencil and paper. Here, it is quite easy for a single person (e.g. the president of the election booth) to tamper a few votes, but a few votes are almost never decisive. If you don't believe that it is easy to tamper, I give you some statistics about paper voting in trusted countries: in about 5% of the polling stations there is a mismatch between the number of empty ballots before the start versus the number of empty ballots + votes made after the voting. In one out of 200 voting stations the difference is > 1.

The new system used in Belgium is quite good. The electronic voting booth prints a ballot with a QR code and a human readable vote on an empty ballot. For quick counting the QR is used. For every polling station, the correlation of the QR code and the human readable print is checked for some samples of the votes. If there would be difference, all human readable votes are counted (until now this never happened).

Reply Score: 2

dionicio Member since:
2006-07-12

Haha. Also Unisys at some moment of his History was so unwise as to touch-down this base.

Reply Score: 2

dionicio Member since:
2006-07-12

Haha. You're right. Keeping uncertainty so far downstream not usual. By election time all arrangements and negotiations done.

Reply Score: 2

dionicio Member since:
2006-07-12

Misplaced. Commenting on The1stImmortal argument of late minute tampering.

Reply Score: 2

Fraud is always a problem
by JLF65 on Sun 5th Feb 2017 21:53 UTC
JLF65
Member since:
2005-07-06

No matter how the ballot is handled (paper, electronic, hand counted, whatever), you're ALWAYS going to have fraud. From bosses forcing employees to vote his way, to the "dead" voting, to paying the homeless to vote, to busing in people to the polls, fraud is flourishing, and very little can or will be done about it.

Reply Score: 2

Comment by The1stImmortal
by The1stImmortal on Mon 6th Feb 2017 01:33 UTC
The1stImmortal
Member since:
2005-10-20

making it that much harder for foreign powers to meddle in our elections.


Which foreign powers would you suspect would be attempting to meddle in your ballot counting process?
As far as I'm aware, that's not been an actual alleged issue in any recent election in the developed world...

Reply Score: 1