thoughts on uocava voting - mit csailpeople.csail.mit.edu/.../rivest-thoughtsonuocavavoting.pdf ·...
TRANSCRIPT
![Page 1: Thoughts on UOCAVA Voting - MIT CSAILpeople.csail.mit.edu/.../Rivest-ThoughtsOnUOCAVAVoting.pdf · 2010-08-08 · Remote voting already has known security problems I Unsupervised](https://reader034.vdocuments.us/reader034/viewer/2022050515/5f9ee872604fac1336291c31/html5/thumbnails/1.jpg)
Thoughts on UOCAVA Voting
Ronald L. Rivest
Viterbi Professor of EECSMIT, Cambridge, MA
UOCAVA Workshop2010-08-06
![Page 2: Thoughts on UOCAVA Voting - MIT CSAILpeople.csail.mit.edu/.../Rivest-ThoughtsOnUOCAVAVoting.pdf · 2010-08-08 · Remote voting already has known security problems I Unsupervised](https://reader034.vdocuments.us/reader034/viewer/2022050515/5f9ee872604fac1336291c31/html5/thumbnails/2.jpg)
Outline
Introduction
Remote voting
Security
Risk assessment
![Page 3: Thoughts on UOCAVA Voting - MIT CSAILpeople.csail.mit.edu/.../Rivest-ThoughtsOnUOCAVAVoting.pdf · 2010-08-08 · Remote voting already has known security problems I Unsupervised](https://reader034.vdocuments.us/reader034/viewer/2022050515/5f9ee872604fac1336291c31/html5/thumbnails/3.jpg)
UOCAVA voters
How should soldiersand overseas citizensbest exercise theirright to vote?
![Page 4: Thoughts on UOCAVA Voting - MIT CSAILpeople.csail.mit.edu/.../Rivest-ThoughtsOnUOCAVAVoting.pdf · 2010-08-08 · Remote voting already has known security problems I Unsupervised](https://reader034.vdocuments.us/reader034/viewer/2022050515/5f9ee872604fac1336291c31/html5/thumbnails/4.jpg)
Remote voting
Remote voting has many flavors:I Ballots sent to voter by: mail | internetI Ballots are: paper | electronic | bothI Voters are: supervised | unsupervisedI Ballot “marked” by: voter | kiosk | voter PCI Ballots returned by: mail | internet | bothI Auditing: none | moderate | comprehensive
“Internet voting”
My recommendation
![Page 5: Thoughts on UOCAVA Voting - MIT CSAILpeople.csail.mit.edu/.../Rivest-ThoughtsOnUOCAVAVoting.pdf · 2010-08-08 · Remote voting already has known security problems I Unsupervised](https://reader034.vdocuments.us/reader034/viewer/2022050515/5f9ee872604fac1336291c31/html5/thumbnails/5.jpg)
Remote voting
Remote voting has many flavors:I Ballots sent to voter by: mail | internetI Ballots are: paper | electronic | bothI Voters are: supervised | unsupervisedI Ballot “marked” by: voter | kiosk | voter PCI Ballots returned by: mail | internet | bothI Auditing: none | moderate | comprehensive
“Internet voting”
My recommendation
![Page 6: Thoughts on UOCAVA Voting - MIT CSAILpeople.csail.mit.edu/.../Rivest-ThoughtsOnUOCAVAVoting.pdf · 2010-08-08 · Remote voting already has known security problems I Unsupervised](https://reader034.vdocuments.us/reader034/viewer/2022050515/5f9ee872604fac1336291c31/html5/thumbnails/6.jpg)
Remote voting
Remote voting has many flavors:I Ballots sent to voter by: mail | internetI Ballots are: paper | electronic | bothI Voters are: supervised | unsupervisedI Ballot “marked” by: voter | kiosk | voter PCI Ballots returned by: mail | internet | bothI Auditing: none | moderate | comprehensive
“Internet voting”
My recommendation
![Page 7: Thoughts on UOCAVA Voting - MIT CSAILpeople.csail.mit.edu/.../Rivest-ThoughtsOnUOCAVAVoting.pdf · 2010-08-08 · Remote voting already has known security problems I Unsupervised](https://reader034.vdocuments.us/reader034/viewer/2022050515/5f9ee872604fac1336291c31/html5/thumbnails/7.jpg)
Short summary of this talk:
I Remote voting is trade-off between franchiseand risk.
I The risks of “internet voting” more thannegate any possible benefits from anincrease in franchise.
I We should give UOCAVA voters the bestpossible paper ballot system we canmanage!
![Page 8: Thoughts on UOCAVA Voting - MIT CSAILpeople.csail.mit.edu/.../Rivest-ThoughtsOnUOCAVAVoting.pdf · 2010-08-08 · Remote voting already has known security problems I Unsupervised](https://reader034.vdocuments.us/reader034/viewer/2022050515/5f9ee872604fac1336291c31/html5/thumbnails/8.jpg)
Short summary of this talk:
I Remote voting is trade-off between franchiseand risk.
I The risks of “internet voting” more thannegate any possible benefits from anincrease in franchise.
I We should give UOCAVA voters the bestpossible paper ballot system we canmanage!
![Page 9: Thoughts on UOCAVA Voting - MIT CSAILpeople.csail.mit.edu/.../Rivest-ThoughtsOnUOCAVAVoting.pdf · 2010-08-08 · Remote voting already has known security problems I Unsupervised](https://reader034.vdocuments.us/reader034/viewer/2022050515/5f9ee872604fac1336291c31/html5/thumbnails/9.jpg)
Short summary of this talk:
I Remote voting is trade-off between franchiseand risk.
I The risks of “internet voting” more thannegate any possible benefits from anincrease in franchise.
I We should give UOCAVA voters the bestpossible paper ballot system we canmanage!
![Page 10: Thoughts on UOCAVA Voting - MIT CSAILpeople.csail.mit.edu/.../Rivest-ThoughtsOnUOCAVAVoting.pdf · 2010-08-08 · Remote voting already has known security problems I Unsupervised](https://reader034.vdocuments.us/reader034/viewer/2022050515/5f9ee872604fac1336291c31/html5/thumbnails/10.jpg)
Evaluation criteria for remote voting systems
I Availability and usabilityI CostI Staffing requirementsI Security and auditability
![Page 11: Thoughts on UOCAVA Voting - MIT CSAILpeople.csail.mit.edu/.../Rivest-ThoughtsOnUOCAVAVoting.pdf · 2010-08-08 · Remote voting already has known security problems I Unsupervised](https://reader034.vdocuments.us/reader034/viewer/2022050515/5f9ee872604fac1336291c31/html5/thumbnails/11.jpg)
Evaluation criteria for remote voting systems
I Availability and usabilityI CostI Staffing requirementsI Security and auditability
![Page 12: Thoughts on UOCAVA Voting - MIT CSAILpeople.csail.mit.edu/.../Rivest-ThoughtsOnUOCAVAVoting.pdf · 2010-08-08 · Remote voting already has known security problems I Unsupervised](https://reader034.vdocuments.us/reader034/viewer/2022050515/5f9ee872604fac1336291c31/html5/thumbnails/12.jpg)
Remote voting already has known security problems
I Unsupervised remote voting vulnerable tovote-selling, bribery, and coercion.
I Communication with voter, and transmissionof ballots, may be unreliable/manipulable.
I I believe remote voting should be allowed:I only as neededI for at most 5% of voters
I UOCAVA voting meets these criteria.
![Page 13: Thoughts on UOCAVA Voting - MIT CSAILpeople.csail.mit.edu/.../Rivest-ThoughtsOnUOCAVAVoting.pdf · 2010-08-08 · Remote voting already has known security problems I Unsupervised](https://reader034.vdocuments.us/reader034/viewer/2022050515/5f9ee872604fac1336291c31/html5/thumbnails/13.jpg)
Internet voting has additional security problems
I Platform insecurity (both client and server)I Network insecurityI Set of attackers enlarged from:
I just those who can touch paper ballots, toI anyone on the planet with a computer
I Attacks can be automated, executed on amassive scale, and done so anonymously
![Page 14: Thoughts on UOCAVA Voting - MIT CSAILpeople.csail.mit.edu/.../Rivest-ThoughtsOnUOCAVAVoting.pdf · 2010-08-08 · Remote voting already has known security problems I Unsupervised](https://reader034.vdocuments.us/reader034/viewer/2022050515/5f9ee872604fac1336291c31/html5/thumbnails/14.jpg)
Platform insecurity (both client and server)I Modern computer systems only provide
modest security — they are puzzle boxesrather than vaults.
I Once adversary solves the puzzle, he canopen it (and all others like it).
![Page 15: Thoughts on UOCAVA Voting - MIT CSAILpeople.csail.mit.edu/.../Rivest-ThoughtsOnUOCAVAVoting.pdf · 2010-08-08 · Remote voting already has known security problems I Unsupervised](https://reader034.vdocuments.us/reader034/viewer/2022050515/5f9ee872604fac1336291c31/html5/thumbnails/15.jpg)
Internet votingWe may view internet voting as voting ona contraption consisting of a collection ofsuch puzzle boxes, all connected byuntraceable wires to every possibleadversary on the planet.
![Page 16: Thoughts on UOCAVA Voting - MIT CSAILpeople.csail.mit.edu/.../Rivest-ThoughtsOnUOCAVAVoting.pdf · 2010-08-08 · Remote voting already has known security problems I Unsupervised](https://reader034.vdocuments.us/reader034/viewer/2022050515/5f9ee872604fac1336291c31/html5/thumbnails/16.jpg)
Internet votingWe may view internet voting as voting ona contraption consisting of a collection ofsuch puzzle boxes, all connected byuntraceable wires to every possibleadversary on the planet.
![Page 17: Thoughts on UOCAVA Voting - MIT CSAILpeople.csail.mit.edu/.../Rivest-ThoughtsOnUOCAVAVoting.pdf · 2010-08-08 · Remote voting already has known security problems I Unsupervised](https://reader034.vdocuments.us/reader034/viewer/2022050515/5f9ee872604fac1336291c31/html5/thumbnails/17.jpg)
Network insecurity
Most serious problem may be DDOS attack,which can make remote internet voting systemsimply unavailable to UOCAVA voters.
![Page 18: Thoughts on UOCAVA Voting - MIT CSAILpeople.csail.mit.edu/.../Rivest-ThoughtsOnUOCAVAVoting.pdf · 2010-08-08 · Remote voting already has known security problems I Unsupervised](https://reader034.vdocuments.us/reader034/viewer/2022050515/5f9ee872604fac1336291c31/html5/thumbnails/18.jpg)
Risk Assessment of internet voting
Let’s just look at most serious risk:adversarial attack changes the election outcome
— a failure of democracy.
![Page 19: Thoughts on UOCAVA Voting - MIT CSAILpeople.csail.mit.edu/.../Rivest-ThoughtsOnUOCAVAVoting.pdf · 2010-08-08 · Remote voting already has known security problems I Unsupervised](https://reader034.vdocuments.us/reader034/viewer/2022050515/5f9ee872604fac1336291c31/html5/thumbnails/19.jpg)
Risk Assessment of internet voting
Let’s just look at most serious risk:adversarial attack changes the election outcome
— a failure of democracy.
![Page 20: Thoughts on UOCAVA Voting - MIT CSAILpeople.csail.mit.edu/.../Rivest-ThoughtsOnUOCAVAVoting.pdf · 2010-08-08 · Remote voting already has known security problems I Unsupervised](https://reader034.vdocuments.us/reader034/viewer/2022050515/5f9ee872604fac1336291c31/html5/thumbnails/20.jpg)
Net benefit – a proposed metric
Net benefit
= benefit – loss
= % new voters given franchise–% voters losing franchise through fraud
(We’ll use expected values here, although youcan’t justify using probabilities on adversarialactions!)
![Page 21: Thoughts on UOCAVA Voting - MIT CSAILpeople.csail.mit.edu/.../Rivest-ThoughtsOnUOCAVAVoting.pdf · 2010-08-08 · Remote voting already has known security problems I Unsupervised](https://reader034.vdocuments.us/reader034/viewer/2022050515/5f9ee872604fac1336291c31/html5/thumbnails/21.jpg)
Net benefit – a proposed metric
Net benefit
= benefit – loss
= % new voters given franchise–% voters losing franchise through fraud
(We’ll use expected values here, although youcan’t justify using probabilities on adversarialactions!)
![Page 22: Thoughts on UOCAVA Voting - MIT CSAILpeople.csail.mit.edu/.../Rivest-ThoughtsOnUOCAVAVoting.pdf · 2010-08-08 · Remote voting already has known security problems I Unsupervised](https://reader034.vdocuments.us/reader034/viewer/2022050515/5f9ee872604fac1336291c31/html5/thumbnails/22.jpg)
Net benefit – a proposed metric
Net benefit
= benefit – loss
= % new voters given franchise–% voters losing franchise through fraud
(We’ll use expected values here, although youcan’t justify using probabilities on adversarialactions!)
![Page 23: Thoughts on UOCAVA Voting - MIT CSAILpeople.csail.mit.edu/.../Rivest-ThoughtsOnUOCAVAVoting.pdf · 2010-08-08 · Remote voting already has known security problems I Unsupervised](https://reader034.vdocuments.us/reader034/viewer/2022050515/5f9ee872604fac1336291c31/html5/thumbnails/23.jpg)
Benefit
What is plausible benefit? (Worked example)I Suppose UOCAVA voters are 2% of
registered eligible voters.I Suppose that new technology enables
increase in franchise by 1% .(E.g. suppose increase from 0.5% to 1.5% )(I consider this an optimistic estimate!)
I We’ll estimate (potential) benefit as 1%.
![Page 24: Thoughts on UOCAVA Voting - MIT CSAILpeople.csail.mit.edu/.../Rivest-ThoughtsOnUOCAVAVoting.pdf · 2010-08-08 · Remote voting already has known security problems I Unsupervised](https://reader034.vdocuments.us/reader034/viewer/2022050515/5f9ee872604fac1336291c31/html5/thumbnails/24.jpg)
Loss
Can we estimate % voters we expect to losefranchise through fraud?
Fact:If adversary determines election outcome,all voters are disenfranchised!
We no longer have a democracy in action...
![Page 25: Thoughts on UOCAVA Voting - MIT CSAILpeople.csail.mit.edu/.../Rivest-ThoughtsOnUOCAVAVoting.pdf · 2010-08-08 · Remote voting already has known security problems I Unsupervised](https://reader034.vdocuments.us/reader034/viewer/2022050515/5f9ee872604fac1336291c31/html5/thumbnails/25.jpg)
Loss
Can we estimate % voters we expect to losefranchise through fraud?
Fact:If adversary determines election outcome,all voters are disenfranchised!
We no longer have a democracy in action...
![Page 26: Thoughts on UOCAVA Voting - MIT CSAILpeople.csail.mit.edu/.../Rivest-ThoughtsOnUOCAVAVoting.pdf · 2010-08-08 · Remote voting already has known security problems I Unsupervised](https://reader034.vdocuments.us/reader034/viewer/2022050515/5f9ee872604fac1336291c31/html5/thumbnails/26.jpg)
Hall of Shame Factor
I What is “loss” whenelection is stolen?Just the 100% loss offranchise?
I Let’s add an additionalHall of Shame Factor(HOSF), for stolenelections. (Not onlyshame, but if electionsare (or could be) stolen,voters may get cynicaland not vote again!)
![Page 27: Thoughts on UOCAVA Voting - MIT CSAILpeople.csail.mit.edu/.../Rivest-ThoughtsOnUOCAVAVoting.pdf · 2010-08-08 · Remote voting already has known security problems I Unsupervised](https://reader034.vdocuments.us/reader034/viewer/2022050515/5f9ee872604fac1336291c31/html5/thumbnails/27.jpg)
Loss
I Suppose we let HOSF = 4(something between 1 and 10)
I Then loss for a stolen election is100% ∗ HOSF = 400%.
Expected loss= expected % voters disenfranchised by fraud= Prob(Adv steals election)∗ 100% ∗ HOSF
= 400% ∗ Prob(Adv steals election)
![Page 28: Thoughts on UOCAVA Voting - MIT CSAILpeople.csail.mit.edu/.../Rivest-ThoughtsOnUOCAVAVoting.pdf · 2010-08-08 · Remote voting already has known security problems I Unsupervised](https://reader034.vdocuments.us/reader034/viewer/2022050515/5f9ee872604fac1336291c31/html5/thumbnails/28.jpg)
Prob(Adv steals election)
Prob(Adv steals election) =Prob(election is close enough) ∗Prob(Adv attacks voting system) ∗Prob(attack succeeds)
![Page 29: Thoughts on UOCAVA Voting - MIT CSAILpeople.csail.mit.edu/.../Rivest-ThoughtsOnUOCAVAVoting.pdf · 2010-08-08 · Remote voting already has known security problems I Unsupervised](https://reader034.vdocuments.us/reader034/viewer/2022050515/5f9ee872604fac1336291c31/html5/thumbnails/29.jpg)
How often are elections “close”?I Def: The margin of victory (MOV) is
(winner’s share) - (loser’s share) as % .
I Empirically Prob(MOV ≤ x%) = x%.I 2008 Congressional election data:
0 50 1000
50
100
x
Pro
babi
lity
MO
V <
= x
![Page 30: Thoughts on UOCAVA Voting - MIT CSAILpeople.csail.mit.edu/.../Rivest-ThoughtsOnUOCAVAVoting.pdf · 2010-08-08 · Remote voting already has known security problems I Unsupervised](https://reader034.vdocuments.us/reader034/viewer/2022050515/5f9ee872604fac1336291c31/html5/thumbnails/30.jpg)
How often are elections “close”?I Def: The margin of victory (MOV) is
(winner’s share) - (loser’s share) as % .I Empirically Prob(MOV ≤ x%) = x%.I 2008 Congressional election data:
0 50 1000
50
100
x
Pro
babi
lity
MO
V <
= x
![Page 31: Thoughts on UOCAVA Voting - MIT CSAILpeople.csail.mit.edu/.../Rivest-ThoughtsOnUOCAVAVoting.pdf · 2010-08-08 · Remote voting already has known security problems I Unsupervised](https://reader034.vdocuments.us/reader034/viewer/2022050515/5f9ee872604fac1336291c31/html5/thumbnails/31.jpg)
How often are elections “close enough” for fraud?
I Suppose UOCAVA votes are 1.5% of total.I If security were truly terrible, and Adv
controlled all cast UOCAVA votes, then Advcould steal election 1.5% of the time (whenMOV ≤ 1.5%), by casting all UOCAVA votesfor his candidate, who would otherwise lose.
I So, in this example,Prob(election is close enough) = 1.5%
![Page 32: Thoughts on UOCAVA Voting - MIT CSAILpeople.csail.mit.edu/.../Rivest-ThoughtsOnUOCAVAVoting.pdf · 2010-08-08 · Remote voting already has known security problems I Unsupervised](https://reader034.vdocuments.us/reader034/viewer/2022050515/5f9ee872604fac1336291c31/html5/thumbnails/32.jpg)
Will Adversary attack voting system?
I Is the Pope Catholic?I Will someone pick up $20 left on sidewalk?I There is nothing to deter attacker – Adv can
attack anonymously over the Internet until hesucceeds.
I Do you know of any computer systems thathave never been attacked?
I Prob(Adv will attack voting system) = 100%
![Page 33: Thoughts on UOCAVA Voting - MIT CSAILpeople.csail.mit.edu/.../Rivest-ThoughtsOnUOCAVAVoting.pdf · 2010-08-08 · Remote voting already has known security problems I Unsupervised](https://reader034.vdocuments.us/reader034/viewer/2022050515/5f9ee872604fac1336291c31/html5/thumbnails/33.jpg)
Some may say “Adversary won’t attack”
![Page 34: Thoughts on UOCAVA Voting - MIT CSAILpeople.csail.mit.edu/.../Rivest-ThoughtsOnUOCAVAVoting.pdf · 2010-08-08 · Remote voting already has known security problems I Unsupervised](https://reader034.vdocuments.us/reader034/viewer/2022050515/5f9ee872604fac1336291c31/html5/thumbnails/34.jpg)
Will Adv succeed in attack?I Would you even know?I If there are no audits, no one will be the
wiser, and he can continue successful attackmethod in each election.
I Days are past for IIB election management.(IIB = Ignorance Is Bliss)(Also known as WIDKWHM policy.)
![Page 35: Thoughts on UOCAVA Voting - MIT CSAILpeople.csail.mit.edu/.../Rivest-ThoughtsOnUOCAVAVoting.pdf · 2010-08-08 · Remote voting already has known security problems I Unsupervised](https://reader034.vdocuments.us/reader034/viewer/2022050515/5f9ee872604fac1336291c31/html5/thumbnails/35.jpg)
Will Adv succeed in attack?
I Large institutions (banks, Google) aresuccessfully attacked all the time. They havemuch better staff and budgets!
I Bob Morris (NSA) said: “You will alwaysunderestimate the effort the enemy will maketo break your system.”
![Page 36: Thoughts on UOCAVA Voting - MIT CSAILpeople.csail.mit.edu/.../Rivest-ThoughtsOnUOCAVAVoting.pdf · 2010-08-08 · Remote voting already has known security problems I Unsupervised](https://reader034.vdocuments.us/reader034/viewer/2022050515/5f9ee872604fac1336291c31/html5/thumbnails/36.jpg)
A bigger attack than you expected!
![Page 37: Thoughts on UOCAVA Voting - MIT CSAILpeople.csail.mit.edu/.../Rivest-ThoughtsOnUOCAVAVoting.pdf · 2010-08-08 · Remote voting already has known security problems I Unsupervised](https://reader034.vdocuments.us/reader034/viewer/2022050515/5f9ee872604fac1336291c31/html5/thumbnails/37.jpg)
Superior force wins the day!Who has more IT capability – your local electionIT staff or the Chinese?
(They lost.)
![Page 38: Thoughts on UOCAVA Voting - MIT CSAILpeople.csail.mit.edu/.../Rivest-ThoughtsOnUOCAVAVoting.pdf · 2010-08-08 · Remote voting already has known security problems I Unsupervised](https://reader034.vdocuments.us/reader034/viewer/2022050515/5f9ee872604fac1336291c31/html5/thumbnails/38.jpg)
Superior force wins the day!Who has more IT capability – your local electionIT staff or the Chinese?
(They lost.)
![Page 39: Thoughts on UOCAVA Voting - MIT CSAILpeople.csail.mit.edu/.../Rivest-ThoughtsOnUOCAVAVoting.pdf · 2010-08-08 · Remote voting already has known security problems I Unsupervised](https://reader034.vdocuments.us/reader034/viewer/2022050515/5f9ee872604fac1336291c31/html5/thumbnails/39.jpg)
Will Adv succeed in attack?
I We do not currently have the technology tomake internet voting secure (and maynever).
I We can’t make such technology appear bywishful thinking, just trying hard, makinganalogies with other fields, or running pilots.
I It is imprudent (irresponsible?) to assumethat determined effort by adversaries can’tdefeat security objectives of internet voting.
Prob(Adv succeeds) = 100%
![Page 40: Thoughts on UOCAVA Voting - MIT CSAILpeople.csail.mit.edu/.../Rivest-ThoughtsOnUOCAVAVoting.pdf · 2010-08-08 · Remote voting already has known security problems I Unsupervised](https://reader034.vdocuments.us/reader034/viewer/2022050515/5f9ee872604fac1336291c31/html5/thumbnails/40.jpg)
Will Adv succeed in attack?
I We do not currently have the technology tomake internet voting secure (and maynever).
I We can’t make such technology appear bywishful thinking, just trying hard, makinganalogies with other fields, or running pilots.
I It is imprudent (irresponsible?) to assumethat determined effort by adversaries can’tdefeat security objectives of internet voting.
Prob(Adv succeeds) = 100%
![Page 41: Thoughts on UOCAVA Voting - MIT CSAILpeople.csail.mit.edu/.../Rivest-ThoughtsOnUOCAVAVoting.pdf · 2010-08-08 · Remote voting already has known security problems I Unsupervised](https://reader034.vdocuments.us/reader034/viewer/2022050515/5f9ee872604fac1336291c31/html5/thumbnails/41.jpg)
Expected loss
Expected loss= 400% ∗ Prob(Adv steals election)= 400% ∗ Prob (election close)
∗ Prob(Adv attacks)∗ Prob(attack succeeds)
= 400% * 1.5% * 100% * 100%= 6%
![Page 42: Thoughts on UOCAVA Voting - MIT CSAILpeople.csail.mit.edu/.../Rivest-ThoughtsOnUOCAVAVoting.pdf · 2010-08-08 · Remote voting already has known security problems I Unsupervised](https://reader034.vdocuments.us/reader034/viewer/2022050515/5f9ee872604fac1336291c31/html5/thumbnails/42.jpg)
What’s the net benefit or loss?
Net benefit= 1% gain
–6% loss
= - 5% net loss
One step forward, six steps backward.
![Page 43: Thoughts on UOCAVA Voting - MIT CSAILpeople.csail.mit.edu/.../Rivest-ThoughtsOnUOCAVAVoting.pdf · 2010-08-08 · Remote voting already has known security problems I Unsupervised](https://reader034.vdocuments.us/reader034/viewer/2022050515/5f9ee872604fac1336291c31/html5/thumbnails/43.jpg)
Risk Assessment Conclusion
I Based on this risk assessment, we expectInternet voting for UOCAVA votersto disenfranchise many more voters than itwould franchise.
I The apparent gains in franchise for internetvoting are misleading and illusory—theapparent gains are more than cancelled bythe risks.
I Argument is robust — conclusion remainsthe same even if numbers are variedsignificantly. In addition, there may be aDDOS attack with probability near 100%.
![Page 44: Thoughts on UOCAVA Voting - MIT CSAILpeople.csail.mit.edu/.../Rivest-ThoughtsOnUOCAVAVoting.pdf · 2010-08-08 · Remote voting already has known security problems I Unsupervised](https://reader034.vdocuments.us/reader034/viewer/2022050515/5f9ee872604fac1336291c31/html5/thumbnails/44.jpg)
Helios
I Best internet votingsystem I know: “Helios”by Ben Adida (formerPhD student of mine).
I Ben says firmly,“A government election issomething you don’t wantto do over the Internet.”
![Page 45: Thoughts on UOCAVA Voting - MIT CSAILpeople.csail.mit.edu/.../Rivest-ThoughtsOnUOCAVAVoting.pdf · 2010-08-08 · Remote voting already has known security problems I Unsupervised](https://reader034.vdocuments.us/reader034/viewer/2022050515/5f9ee872604fac1336291c31/html5/thumbnails/45.jpg)
Helios
I Best internet votingsystem I know: “Helios”by Ben Adida (formerPhD student of mine).
I Ben says firmly,“A government election issomething you don’t wantto do over the Internet.”
![Page 46: Thoughts on UOCAVA Voting - MIT CSAILpeople.csail.mit.edu/.../Rivest-ThoughtsOnUOCAVAVoting.pdf · 2010-08-08 · Remote voting already has known security problems I Unsupervised](https://reader034.vdocuments.us/reader034/viewer/2022050515/5f9ee872604fac1336291c31/html5/thumbnails/46.jpg)
Summary
Internet votingis like
drunk driving
(Just too risky!)
![Page 47: Thoughts on UOCAVA Voting - MIT CSAILpeople.csail.mit.edu/.../Rivest-ThoughtsOnUOCAVAVoting.pdf · 2010-08-08 · Remote voting already has known security problems I Unsupervised](https://reader034.vdocuments.us/reader034/viewer/2022050515/5f9ee872604fac1336291c31/html5/thumbnails/47.jpg)
Summary
Internet voting
is likedrunk driving
(Just too risky!)
![Page 48: Thoughts on UOCAVA Voting - MIT CSAILpeople.csail.mit.edu/.../Rivest-ThoughtsOnUOCAVAVoting.pdf · 2010-08-08 · Remote voting already has known security problems I Unsupervised](https://reader034.vdocuments.us/reader034/viewer/2022050515/5f9ee872604fac1336291c31/html5/thumbnails/48.jpg)
Summary
Internet votingis like
drunk driving
(Just too risky!)
![Page 49: Thoughts on UOCAVA Voting - MIT CSAILpeople.csail.mit.edu/.../Rivest-ThoughtsOnUOCAVAVoting.pdf · 2010-08-08 · Remote voting already has known security problems I Unsupervised](https://reader034.vdocuments.us/reader034/viewer/2022050515/5f9ee872604fac1336291c31/html5/thumbnails/49.jpg)
Summary
Internet votingis like
drunk driving
(Just too risky!)
![Page 50: Thoughts on UOCAVA Voting - MIT CSAILpeople.csail.mit.edu/.../Rivest-ThoughtsOnUOCAVAVoting.pdf · 2010-08-08 · Remote voting already has known security problems I Unsupervised](https://reader034.vdocuments.us/reader034/viewer/2022050515/5f9ee872604fac1336291c31/html5/thumbnails/50.jpg)
Summary
Internet votingis like
drunk driving
(Just too risky!)
![Page 51: Thoughts on UOCAVA Voting - MIT CSAILpeople.csail.mit.edu/.../Rivest-ThoughtsOnUOCAVAVoting.pdf · 2010-08-08 · Remote voting already has known security problems I Unsupervised](https://reader034.vdocuments.us/reader034/viewer/2022050515/5f9ee872604fac1336291c31/html5/thumbnails/51.jpg)
Technology abuse
I Some folks may have had just a bit too muchto drink at the“technology bar”...(Technology can be intoxicating!)
I “What are best practices for internet voting?”to me sounds like“Pleash jush help me inshert the key in thelock, (hic), and I’ll be on my way...”
I The goal should be responsible use oftechnology!
I Friends don’t let friends drive drunk!
![Page 52: Thoughts on UOCAVA Voting - MIT CSAILpeople.csail.mit.edu/.../Rivest-ThoughtsOnUOCAVAVoting.pdf · 2010-08-08 · Remote voting already has known security problems I Unsupervised](https://reader034.vdocuments.us/reader034/viewer/2022050515/5f9ee872604fac1336291c31/html5/thumbnails/52.jpg)
Technology abuse
I Some folks may have had just a bit too muchto drink at the“technology bar”...(Technology can be intoxicating!)
I “What are best practices for internet voting?”
to me sounds like“Pleash jush help me inshert the key in thelock, (hic), and I’ll be on my way...”
I The goal should be responsible use oftechnology!
I Friends don’t let friends drive drunk!
![Page 53: Thoughts on UOCAVA Voting - MIT CSAILpeople.csail.mit.edu/.../Rivest-ThoughtsOnUOCAVAVoting.pdf · 2010-08-08 · Remote voting already has known security problems I Unsupervised](https://reader034.vdocuments.us/reader034/viewer/2022050515/5f9ee872604fac1336291c31/html5/thumbnails/53.jpg)
Technology abuse
I Some folks may have had just a bit too muchto drink at the“technology bar”...(Technology can be intoxicating!)
I “What are best practices for internet voting?”to me sounds like“Pleash jush help me inshert the key in thelock, (hic), and I’ll be on my way...”
I The goal should be responsible use oftechnology!
I Friends don’t let friends drive drunk!
![Page 54: Thoughts on UOCAVA Voting - MIT CSAILpeople.csail.mit.edu/.../Rivest-ThoughtsOnUOCAVAVoting.pdf · 2010-08-08 · Remote voting already has known security problems I Unsupervised](https://reader034.vdocuments.us/reader034/viewer/2022050515/5f9ee872604fac1336291c31/html5/thumbnails/54.jpg)
Technology abuse
I Some folks may have had just a bit too muchto drink at the“technology bar”...(Technology can be intoxicating!)
I “What are best practices for internet voting?”to me sounds like“Pleash jush help me inshert the key in thelock, (hic), and I’ll be on my way...”
I The goal should be responsible use oftechnology!
I Friends don’t let friends drive drunk!
![Page 55: Thoughts on UOCAVA Voting - MIT CSAILpeople.csail.mit.edu/.../Rivest-ThoughtsOnUOCAVAVoting.pdf · 2010-08-08 · Remote voting already has known security problems I Unsupervised](https://reader034.vdocuments.us/reader034/viewer/2022050515/5f9ee872604fac1336291c31/html5/thumbnails/55.jpg)
Technology abuse
I Some folks may have had just a bit too muchto drink at the“technology bar”...(Technology can be intoxicating!)
I “What are best practices for internet voting?”to me sounds like“Pleash jush help me inshert the key in thelock, (hic), and I’ll be on my way...”
I The goal should be responsible use oftechnology!
I Friends don’t let friends drive drunk!
![Page 56: Thoughts on UOCAVA Voting - MIT CSAILpeople.csail.mit.edu/.../Rivest-ThoughtsOnUOCAVAVoting.pdf · 2010-08-08 · Remote voting already has known security problems I Unsupervised](https://reader034.vdocuments.us/reader034/viewer/2022050515/5f9ee872604fac1336291c31/html5/thumbnails/56.jpg)
![Page 57: Thoughts on UOCAVA Voting - MIT CSAILpeople.csail.mit.edu/.../Rivest-ThoughtsOnUOCAVAVoting.pdf · 2010-08-08 · Remote voting already has known security problems I Unsupervised](https://reader034.vdocuments.us/reader034/viewer/2022050515/5f9ee872604fac1336291c31/html5/thumbnails/57.jpg)
![Page 58: Thoughts on UOCAVA Voting - MIT CSAILpeople.csail.mit.edu/.../Rivest-ThoughtsOnUOCAVAVoting.pdf · 2010-08-08 · Remote voting already has known security problems I Unsupervised](https://reader034.vdocuments.us/reader034/viewer/2022050515/5f9ee872604fac1336291c31/html5/thumbnails/58.jpg)
The End
![Page 59: Thoughts on UOCAVA Voting - MIT CSAILpeople.csail.mit.edu/.../Rivest-ThoughtsOnUOCAVAVoting.pdf · 2010-08-08 · Remote voting already has known security problems I Unsupervised](https://reader034.vdocuments.us/reader034/viewer/2022050515/5f9ee872604fac1336291c31/html5/thumbnails/59.jpg)
What about “end-to-end” internet voting?
An “end-to-end” voting system providesadditional auditing capabilities for voters andothers to detect when the election has “goneawry.”Without paper ballots, an E2E voting systemdoesn’t provide much in the way of a recoverymechanism to determine and restore the correctelection outcome once a problem is detected.