Aktiv Demokrati

[MrPerfect72]

A guy I know claims...

"We need a secure voting terminal made from dedicated hardware and dedicated software. Any large operating system such as Linux or Windows is too complex to verify and avoid corruption of voting operations. A fundamental principle of secure systems is that the system must be simple enough to verify as 100% error free.

We need open source software AND open hardware. No custom design chips from any corporation. It must use generic programmable hardware such as FPGA (Field Programmable Gate Array). All key generation, encryption functions, input and output must be self contained in the device creating a trusted and verifiable platform for trusted voting.

All communication in and out of the secure device is packaged within secure envelopes which can be verified and decrypted by a compatible secure system in the central database.

It should also be combined with an open database available for the public but with anonymity provided by a voter-ID generated by the device and known only to the voter and the secure database. "

For the voter, as I understand it, a small "calculator"/"micro computer" with a USB-connection that only communicates with encryption with the voting system.

[Emvie]

Interesting. I guess this is in the far future. The party did not start a hardware factory yet, I guess.

[MrPerfect72]

Sorry I forgot to answer. No, no factory yet, Emvie. I guess the design should be simple enough for any smaller electronic company to build and test. The safety should be built on simplicity, openness and very strong krypto. Do you know anything about electronic design, Emvie? Maybe you could do the the design job for us on your fee time?

I imagine it would be the size of a cell phone with a simple menu system being able to read info sent from the server and confirm with yes/no. The thing should also be able to prioritize between sent posts and increase and decrease budget posts that are sent from the trusted server network. Let's say it should at least be able to store 100 posts per transmission and 100 issues and showing let's say five rows in the display. ...and a USB-connection of course ... and a replaceable rechargeable battery driving the little thing whilst pondering about the issues in the park.

PS. It looks on your picture that you are a woman. We need more women on our front page and in parliament. Want to take a step forward?

[Emvie]

About the invitation:
Oh thanks for inviting me, that is very nice of you, but I am quite busy with my own stuff, but I'll probably join the party more actively when there is a bigger budget and more members join in, but I promise to talk about your movement until then.

About the device:
I wonder how safe the dedicated trusted computer voting device would be compared to comparable banking systems? What would you have to go through to hack it? How would you check it from being hacked?

[MrPerfect72]

Thank you Emvie for talking about the party here and there! It is worth much more than you think to get more members and more votes in the election in Sweden.

It took some time but I have now discussed this matter with some different people and they all seem to agree that the dedicated trusted voting device would be much much safer than any existing safety on the Internet, but only if it is "crude"/simple and open for control by many different people/companies.

They all agree on that it is the Trojan horses ( "Trojan horse wikipedia" ) that is the main problem when voting democratically but if you make an external device you will bypass that problem. The next threat is big corporations putting anti-democratic controlling hardware into computers for s.c. "security reasons" and this device solves both these issues.

According to the people I spoke to, you would be able to put a video camera watching the person typing his/her code and then using the device and vote until the person discovers the deed.

A person might re-program the device if he/she gets hold of it so that it votes faulty and this can only be discovered by an engineer. However, any electric/computer-engineer should be able to check the code.

Cracking the encryption of the sent message will be impossible if it is encrypted hard enough and I think it is possible to get special permission to encrypt very hard for such a device considering its limited purpose.

[pH7.3]

For the voter, as I understand it, a small "calculator"/"micro computer" with a USB-connection that only communicates with encryption with the voting system.

Alright, for argument's sake, let's say that the device brings 100% security to the voting. But having the device using the computer's internet connection to communicate with a voting server allows for one big vulnerability - a trojan could block the traffic (or put garbage in the data stream, but I guess the effect would be the same). It would be better if the device could use an internet connection natively.

[Magnus Gustavsson]

A person might re-program the device if he/she gets hold of it so that it votes faulty and this can only be discovered by an engineer. However, any electric/computer-engineer should be able to check the code

So it is better to just have a software, verifiable by any other internetuser/server.

[MrPerfect72]

"natively"? You mean having a LAN modem inside?

[pH7.3]

Yes. The type of technology doesn't matter, but 3G would be the obvious choice today.

[MrPerfect72]

WLAN vs 3G?
http://www.folketsvilja.se/donald/english.html
I would prefer the lower energy WLAN, but if you are already in a hotspot you might as well connect with USB to a computer in my opinion.

[pH7.3]

Or why not both? Use WLAN when that connection works, otherwise 3G. But you simply cannot compare connecting via a hotspot to USB. Sure, the hotspot host could potentially be sabotaged, but IMHO extremely unlikely compared to personal computer installations. Same thing with accesspoints in our homes. Furthermore, if WLAN fails (which is the only thing that could happen) then the device could switch to 3G. Really, this is a pseudo-problem.

WLAN vs 3G from a health perspective is something else entirely, where I can't say if one is better than the other, let alone if either is good/bad for your health. But it is interesting to note that they say...

"People's Will demand a full stop of further expansion of all wireless microwave-based communication networks."

That wording means it includes WLAN:s too.

[MrPerfect72]

Or why not both? Use WLAN when that connection works, otherwise 3G.

Well at least one reason for choosing to use only ONE technology is obvious. Cost. There is a USB-connection available on most connected computers and it is usually easy to access. If you don't have or like wireless technology then USB to an old computer with a slow modem still works.

Sure, the hotspot host could potentially be sabotaged, but IMHO extremely unlikely compared to personal computer installations.

It seems to be a good argument...to reinstall using Linux Ubuntu. No, it is a very good argument.

Same thing with access points in our homes. Furthermore, if WLAN fails (which is the only thing that could happen) then the device could switch to 3G. Really, this is a pseudo-problem.

Well, I guess most young people today have 3G-phones and gladly presses them to the head. In this case it will be used away from the head and only a very short time while transmitting, but most young people using 3G also have access to computers with USB-connection.
About health: As I understand it, WLAN is similar to 3G. Waves of data on similar frequencies amplified by anyone who likes to amplify. I think it is all about dosage increasing chance of ill effects so I just try to minimize the damage by not staying to close to the senders. Putting a 3G-phone to the head is probably the worst thing you can do or living under powerlines with high voltage. Add smoking, alcohol, stress and bad eating habits and see what you get! Future will tell. http://en.wikipedia.org/wiki/Electromag ... ansmission

[pH7.3]

Well at least one reason for choosing to use only ONE technology is obvious. Cost.

How much would you save on using a single technology? I'd say peanuts.

There is a USB-connection available on most connected computers and it is usually easy to access.

1. Security risk as mentioned before - you can't get around that one.
2. Accessibility - Not every one has a computer. My grandma should be able to vote too, you know.

[MrPerfect72]

Well, for grandma on the countryside WLAN or 3G wont help much either, I guess.

I guess she would prefer a piece of paper with some selected important issues where she can mark her opinion and then maybe send by snail mail or call up by phone and enter her opinion on her voting account.

Are you a salesperson for the operators selling 3G?

[pH7.3]

Well, for grandma on the countryside WLAN or 3G wont help much either, I guess.

You guess wrong.

According to PTS http://www.pts.se in 2005 85% of the population had 3G coverage (in Sweden that is).
In 2007 almost 8.9 million people were covered, which is about 95%.


It might very well be that the majority of grandmas would prefer to continue voting every four years or so - and in person when health permits. Whether or not this is the case doesn't matter for the original argument: USB sucks because trojans can block the device's access. 3G suffices, but a device that also includes WLAN is great. But even the accessibility issue remains. 3G gives people more freedom to use the device, and this ought to be something good. Or are you afraid people will vote too much?

Of course, when you plan on using multiple technologies anyway, the device could just as well have a USB connection included too.

[MrPerfect72]

You guess wrong.

Yes, maybe I am wrong.

According to PTS http://www.pts.se in 2005 85% of the population had 3G coverage (in Sweden that is).
In 2007 almost 8.9 million people were covered, which is about 95%.

Interesting. I guess the party eventually could make a deal with the providers if the people wants that. So how many people are actually using 3G? I guess you could use lower frequency systems as well, couldn't you? They are still supported I guess. I am thinking about GSM and GPRS.

USB sucks because trojans can block the device's access.

Seems to be a very good argument to me.

If people can use their sim-card in the device to connect, then we are close to using a normal cellphone. aren't we? Maybe it should even be a cell phone? A dedicated trusted crude cellphone and voting device?

[MrPerfect72]

re: Voting technology discussion. I will put a bit of time into it but it will be limited ...

I tried registering on your forum but after 2 attempts it blocked me out. I don't think there was a problem either time except maybe reading the CAPCHA code which was quite difficult and error prone.

Briefly ... pH7.3's arguments about security of device appear flawed or at least lack depth of analysis or description.

The foundation of security, the executive auditing mechanism, needs to be extremely simple and open making it verifiable by a large number of engineers. This principle cannot be over-stated, it is paramount. This means that whatever hardware the trusted voting device uses must be very crude, hence the idea of a USB connected device. However one could make a device which contains two sections: 1) a trusted module and 2) some other more complex untrusted sub-system providing flexible communication such as USB, Wifi, 3G, 4G etc.

One principle which must not be broken is this ... the input (keypad) , output (screen) devices must be an integral part of the trusted module. One cannot rely on some sort of untrusted external I/O hardware/software such as provided by a phone manufacturer. Ideally if phones were all fitted with a standard communication port (such as USB ) the trusted voting device could be plugged into them and everything else. But current trends indicate it is unlikely all phone manufactures would provide such a port.

The argument about trojans being able to block data traffic is valid but fails to see the bigger picture ....
1) system security protocols will ensure vote data traffic cannot be altered without detection and also prevents a voter from being tricked into believing his/her vote was posted and counted if it was not. i.e. full end-to-end verfication and confirmation will be provided by the device.
Voters would need to be educated to check both ...
1) the trusted module's self test/audit verification code (which would be widely published, known and trusted) and
2) the vote registration verification/confirmation message which is sent back to the device when posting votes.

If a trojan was present (in the untrusted system) and blocked or corrupted the voting data packets, the vote confirmation message (2 above) would never occur. To avoid human error it might be useful to use a color display which continously displays a big RED "Vote NOT yet counted" message until the confirmation is received,at which time the display would change to a green "Your VOTE on issue xxxx registered as yyyy. Confirmation code zzzz" or whatever. (or perhaps a list of confirmation in the case of a vote on multiple issues in one post). It would be simpler and perhaps useful to limit the voting to a single vote per message. These details need to be worked out in the design requirements process.

If the voter is blocked by an infected untrusted communication pathway (certainly a possibility), the voter will be aware of this and able to plug their voting device into any number of available communication systems until a successful vote is posted. Because such blocking attempts would be futile and inaffective at altering voting behaviour i think we can assume such hacking modes to be unlikely, infrequent and irrelevant.

Before delving ino the specifics of port type, communication technology etc. used by the trusted voting device, we need to look at more relevant security considerations.

Rogue parties will typically attack any security system at it's weakest link. In this case, assuming a proper and well verified technical implementation, the weakest link will likely be in the human processes involved with registering and binding voting devices with eligible voters. Such a process would probably involve some sort of traditional paper based voter register with human auditors. I think this is the most practical (unless everyone is fitted with an RFID device which obviously has other insidious consequences and therefore not acceptable).

A problem is that some humans need to be trusted somewhere in this process. To thwart corruption of the human processes one could implement pretty good safeguards and procedures similar to those used in other high security systems such as banks. A common approach is to require many people together to open locks,. the idea being that it is much less likely that the whole team conspire and collaborate to subvert the system. This is not fool-proof but the technology can assist in the case of voter registration by binding and storing an administator (human) authorisation ID or signature to the device and it's registration data.

Let me explain ....

Let's say a government employee has the job of verifying the ID of a Swedish citizen and registering their voting module with the voting system. There are various ways this process could be corrupted and I think this is probably one of the weakest links in the proposed voting system - along with the process of issuing some sort of citizen ID document or device. As part of the registation process the government employee would need to electronically sign the registration data with another trusted ID device (such could be exactly the same device as the voting module but used slightly differently). This electronic signing would form the backbone of an audit trail which could trace and pinpoint any rogue voter registrations down to specific human individuals, administation functions, dates and times. The audit trail itself cannot prevent corruption but provides full transparancy all the way through the voting system. The risk of detection, exposure and severe punishment for deliberate wrong doing would hopefully be an effective deterent and keep the government processes honest and maintain integrity on the voting system. (Similar auditing processes could be implemented at every level of government to reduce corruption at all levels - but that is a much bigger subject!)

The secure identification of people becomes a necessity in the context of security and auditing of critical processes such as voting and voter registration. The trusted voting module could be made as a generic electronic ID and signing device but having some important differences to an RFID device:

1. an RFID works passively without requiring the consent of the person which it identifies, but a voting/ID device requires the acceptance and action by the human being identified.

# an RFID device links the identification event to a visible human, but a voting device can be used remotely and anonomously (anonomously to humans but with secure identification and secrecy within the voting process and data storage). The voter module could be used anonomously or not as required according to the choice of the person using it. i.e. according to the circumstances the person could submit data with a publicly available ID or not.
# because an RFID doesn't require the authorisation of the ID holder to transmit it's ID data, it doesn't have intrinsic protection against identity theft. With RFID, stealing a chip amounts to sealing an identity (except when bound to a photo passport or whatever) but a voting device identifies the person by something they possess (the device) and something they know (a secret password). This is called two factor authorisation. Biometric readers could also be used to thwart identity theft but not really required.

sorry, I've reached my time limit for today ....

[pH7.3]

Briefly ... pH7.3's arguments about security of device appear flawed or at least lack depth of analysis or description.

Well of course, both my knowledge and time are limited.

. However one could make a device which contains two sections: 1) a trusted module and 2) some other more complex untrusted sub-system providing flexible communication such as USB, Wifi, 3G, 4G etc.

I thought that was obvious. (Maybe not.)

1) system security protocols will ensure vote data traffic cannot be altered without detection

Again, yes obviously.

Voters would need to be educated...

And there you have the problem.

I understand now that I have been sloppy in my commenting!

[MrPerfect72]

Re: Trusted Voting Module - a couple of mistakes/typos, plus some more ..
last paragraph ...

With RFID, stealing a chip amounts to stealing an identity (except when bound to a passport, photo or whatever) but a voting device identifies the person by something they possess (the device) and something they know (a secret password). This is called two factor authentication. Biometrics (e.g. thumb reader) could also be added, giving 3 factor authentication, to thwart identity theft but probably not necessary or desirable. Unreliable biometric readers could cause voting problems.

An important outcome for any such voting system is that it wins the trust of the people. For the system to gain wide acceptance any mishap must be avoided. Even small anomolies could be used by direct democracy opponents for spreading distrust in DD. It is therefore advisable to implement such a voting system in a trial mode a long time before using it for anything like national voting. It could be used in small scale DD for a long as it takes for interested people to understand the principles, become familiar with it's operation, refine it as needed, and develop trust in the system.

In addition to developing the concepts for a trusted electronic voting system, I would also like to propose a system of DD which uses a form of proxy voting as we previously discussed.

According to the people I spoke to, you would be able to put a video camera watching the person typing his/her code and then using the device and vote until the person discovers the deed.

A 3 factor authentication (requiring a voter's body part such as thumb) would avoid this possibility. But I think voter education and diligence (care taken while entering passwords) would be sufficient security. Significantly altering election results by this method is totally impractical and thus highly unlikely.

A person might re-program the device if he/she gets hold of it so that it votes faulty and this can only be discovered by an engineer. However, any electric/computer-engineer should be able to check the code.

It would be extremely difficult for large numbers of rogue versions of voting modules to be produced without detection and this fact alone should be a strong deterrent against such activity. Anyone caught doing it or attempting to do it would hopefully face severe penalties.

How would rogue modules be detected?

An important part of the device is it's self integrity check function. Admittedly this is quite tricky to implement in a trusted and tamper-proof way. There could be some dummy voting servers which are used to test the integrity of your device. You could do some trial votes with those servers and verify that your votes were recorded as intended, indicating the device is working as expected. The voting communication protocol would be designed to make it virtually impossible for a hacked version of a device to appear to work properly on the test server but incorrectly on the real voting server. But this requirement needs some serious security analysis and design work!

Better still is for everyone to be encouraged to verify their actual vote was registered as intended by looking up their vote on the public server. Actually this vote confirmation function is mainly designed to build confidence in the system rather than catch out rogue modules.

Here is how it might work ...

Each voter can look up and confirm their vote using 2 unpredictable and secret codes:

1) the secret vote confirmation code (VCC) which their voting module displayed in their vote confirmation message.
together with
2) a shared secret chosen by the user (a password entered into the voting device prior to voting) for accessing the vote confirmation data.

The VCC would be stored in your voting module memory for retrieval as required. However the password could not be read but only entered or reset.

Server hackers would not be able to trick voters into believing their vote was registered correctly while subverting the system because they could not reliably predict what vote confirmation data to send to the user each time. Although the user's computer for this operation is untrusted and therefore not reliable, any such hacking scenario would be quickly detected by sufficient voters for alarm bells to start ringing rendering such hacking attempts ineffective and futile.

Also ... auditing and monitoring systems could be implemented which automatically post dummy votes and verify that those votes appear as posted. But this would over complicate things somewhat and perhaps introduce a loophole. More thought required on this.

Or more simply ... hackers wouldn't try this because it would be easily and quickly detected and this rendered futile. However it is feasible that hackers would do this if only to create mistrust in the voting system. Perhaps server redundancy and diversity would be used to reduce this effect and make it less attractive for server hackers.

Designers also need to consider denial-of-service (DOS) attacks against both vote posting servers and vote confirmation servers. Constant server monitoring and clever rapid response mechanisms would need to be in place to avoid significant voter frustration by DOS attacks.

Intrusion detection and honeypots could also be used to make it more risky for hackers and to provide triggers for self-healing and server recovery strategies.

A full implementation for reliable large scale voting would require expert security analysis, advanced network security engineering, auditing and monitoring, etc. But compared to the cost of traditional style elections, the engineering required for a reliable DD voting system should be easily affordable for national or state governments.

Cracking the encryption of the sent message will be impossible if it is encrypted hard enough and I think it is possible to get special permission to encrypt very hard for such a device considering its limited purpose.

Strong encryption technology is now freely available and not an issue at all.

[MrPerfect72]

So. As I understand We should mainly focus on a module with display and some buttons and a USB contact?

And I guess the providers of communication and companies can focus on the other part if they see it as profitable and if people see a need for it?

Any unemployed electric engineers out there who want to have a fun time playing around with the first sketches of the electronics for the device or should we just wait until we have more money?