Weak_Bus8157 t1_itqlj99 wrote

Do you have any national election system besides the US that might be worth your special consideration?

7

TheOfficialACM OP t1_itr167q wrote

U.S. elections are quite unusual relative to most other countries. Of particular note, we're often asked to vote on a huge number of contests. My ballot in Houston, Texas has, I think, 93 contests or propositions on it. This means that we require automation in order to get timely and accurate results. And therefore we must have computers around, but we need processes like risk-limiting audits (the topic of this post!) to mitigate against the risks of malware or tampering with the computers.

Several countries are currently experimenting with Internet voting (Estonia, Switzerland, Canada, and more). This creates a variety of new risks that are harder to mitigate. What do you do to prevent malware on a voter's computer from tampering with their vote? What do you do to protect the servers against denial of service attacks? For contrast, consider that a paper ballot, whether marked by hand or by machine, once it gets into a ballot box, is beyond the reach of even the most sophisticated Internet attacker. There's nothing a foreign nation-state adversary can do over the Internet to modify ink on paper!

Of course, the real world is never quite so simple. I had the chance once to speak with Swiss officials about this, and they pointed out how 40% of Swiss nationals are physically outside the borders of Switzerland at any given time. And they might vote five times per year. Perhaps unsurprisingly, there's a strong demand for Internet voting, and an ongoing challenge to see if they can mitigate against those risks.

16

Natanael_L t1_itsim44 wrote

As a cryptography nerd, I think electronic remote voting for national elections is terrifying. Even the best possible technical solutions can be attacked with trivial workarounds if the users' devices can be compromised, or even substituted. Supply chain security for the hardware involved, handling issuing/registering keypairs and handling lost keypairs, etc. Coercion, targeted denial of service, etc.

Even without the actual election system being hacked, the processes around it can still be compromised. State of the art cryptography doesn't help when the keys are stolen and the inputs were replaced.

3