[EM] Is Helios online voting secure?

Jameson Quinn jameson.quinn at gmail.com
Thu Feb 23 03:36:23 PST 2012


2012/2/23 Jameson Quinn <jameson.quinn at gmail.com>

>
>
> 2012/2/22 Kathy Dopp <kathy.dopp at gmail.com>
>
>> Below is a quote from Ben Adida, creator of Helios.
>>
>>    We now have documented evidence ...that viruses like Stuxnet that
>> corrupt nuclear power plants by spreading from one Windows machine to
>> the other have been built. And so if you run a very large scale
>> election for a president of a G8 country, why wouldn’t we see a
>> similar scenario? Certainly, it’s worth just as much money; it’s worth
>> just as much strategically. . . . All the verifiability doesn’t change
>> the fact that a client side corruption in my browser can flip my vote
>> even before it’s encrypted, and if we . . . must have a lot of voters
>> verify their process, I think we’re going to lose, because most voters
>> don’t quite do that yet.
>>
>> - Adida, Ben. 2011. Panelist remarks – Internet voting panel.
>> EVT/WOTE’11, the Electronic Voting Tech. Workshop / Workshop on
>> Trustworthy Elections. Aug. 9, 2011. URL
>> http://www.usenix.org/events/evtwote11/stream/benaloh_panel/index.html.
>>
>> The above quote on Helios was sent to me from Barbara Simons,
>> coauthor, with another computer scientist, Doug Jones, of an upcoming
>> very well-researched and well-written book: "Broken Ballots: Will Your
>> Vote Count?"  The book will be published by April 15th approx.
>>
>>
>>
> Yes, I said that: "It is insecure against trojans on the voter's machine
> at the time of the initial vote, ... not something I'd trust for public
> elections...."
>
> This actually is not an insurmountable difficulty. There are two ways you
> could face it:
>
> 1. Still using the voter's home machine, you could combine the
> cryptography with captchas: the voter would have to match a picture next to
> the candidate with a list of pictures in different order in order to
> rate/rank that candidate. However, this is inconvenient, and to make it
> secure you would need time limits. It also does nothing to address the
> digital divide. This latter issue, not security, is the reason I find this
> solution unacceptable for political elections.
>
> 2. You could use secure machines, booted from CD with no hard drive, at
> polling stations.
>

Of course, if you're using polling stations anyway, you should be printing
hand-marked or at least voter-verified paper ballots and giving
cryptographically-verifiable receipts. That is to say, even if you can
build a context where Helios is 100% secure (less than one flaw expected in
the age of the known universe), there is no good reason not to add other
reasons for people to trust the result. The goal of an election is not just
to BE secure, but to APPEAR secure, even to people who don't understand or
trust mathematical and computational security measures.

Jameson


> But yes, I explicitly stated that Helios as-is is NOT secure enough to use
> for a high-stakes election with more than around 10K voters.
>
> Jameson
>