Sunday, April 3, 2011

Internet Voting: Security, Networking, Politics and Some Heat

With social upheavals happening in countries across the Middle East and northern Africa, the media and politicians have been talking a lot about democracy and the rights of individuals to freely express themselves politically. Although we are not in a similar situation here in the US - we are not risking civil war or overturning the government - we do have an issue that provokes heated debate and widely divergent perspectives among computer scientists: Internet voting. The US Constitution guarantees the right to vote for its citizens. Most of us take this right for granted, I suspect, whether we act on it or not. It amazes me when I hear how many people do not vote regularly, given that we can do so safely and without worrying about repercussions, but that is another issue.

For the past several years various groups and organizations have been debating, proposing legislation for, and running pilot projects using the Internet to vote. Why? A big motivator is to increase access. American citizens living overseas (civilian, military, government employees) often want to vote but if they have to rely on the postal services of several countries for ballot requests and return, or if they have to travel great distances to get to an approved polling place it can be a significant burden. State and county agencies in this country wonder if they can improve reliability and efficiency while reducing costs by implementing online voting. Given the current fiscal situation in this country that is a huge motivator. The problems of access, reliability and budgetary pressures just scream for consideration of a computing based solution. Maybe it will work, maybe it won't, but if it is going to happen it is going to be computer scientists who make it so (A Captain Picard reference in case you didn't pick up on it).

There are pros and cons and this is where opinions run hot. Let's take just one example: the need to guarantee the security and privacy of such sensitive data if it is sent over the Internet.

Why is a "guarantee" of correctness on the Internet so difficult? As many of you know, the Internet was originally designed by the US Department of Defense for use by a select number of trusted sites for the purpose of guaranteeing communications in the event of a national emergency such as a nuclear attack. Therefore, redundancy of data was the primary concern, not security of data. If Washington DC was attacked, multiple copies of sensitive data would be accessible in repositories across the country. This legacy lives on today, as the Internet has grown into a global network of diverse systems connected with everything from telephone lines to satellites, connecting state-of-the-art computers and mobile devices to 25-year-old legacy mainframes. As a result, it seems that we can communicate with almost anyone, anywhere, at any time, and because of built-in redundancy, data almost always gets through - unless someone intentionally interferes. And therein lies the problem. There will always be people who try to steal, or at least read and exploit, data that is not "theirs". Although not unique to electronic voting systems, the vulnerabilities of the Internet bring added attention to this old problem. We do *not* want anyone intercepting electronic ballots, or compromising a voting web site. How good is "good enough" when it comes to accountability and reliability?

How are these issues currently being tackled? I'm going to get technical for two paragraphs in order to provide a flavor of what computer scientists are currently doing in the realm of computer security for sensitive data.

The focus of much data security work is at the application and system levels. Onion routing is an interesting technique that supports anonymity across complex networks. As data is passed from an original source to a final destination it passes through many intermediate nodes (which may reach into the hundreds). Data that is "onion routed" has layers of encryption that are successively "peeled off" at each node, assuming the node in question has the correct cryptographic technique and knowledge to do so. Thus many successive security checks take place, and a suspicious event at any node along the path will raise a warning flag. The action then taken is application dependent, and can include halting the process, rerouting the data or some other customized response. Two other well-known network-level security technologies are the strategic placement of firewalls and the use of Virtual Private Networks (VPNs). Various methods of authentication, encryption, verification, digital signatures and hash functions find their way into this work. How well do state-of-the-art data security efforts protect data and provide an audit trail?
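The layered encryption and per-node integrity check described above, as an added illustration in Python that is not code from the original post. The cipher is a deliberately simple stand-in (SHA-256 in counter mode plus an HMAC tag, chosen so the block runs with only the standard library; a real deployment would use an authenticated cipher such as AES-GCM), the route, node names and keys are constructed for the demonstration, and the "halt" response is one of the application-dependent reactions the paragraph lists.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher: SHA-256 in counter mode (stands in for a real AEAD)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one layer; the tag is what lets a node detect tampering."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; raises ValueError on any modification."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("layer integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def build_onion(route, message: bytes) -> bytes:
    """route: [(node_id, key), ...] from first hop to last. Layers are added innermost
    first, so each node's layer wraps only the next hop's id and an opaque inner blob."""
    blob = message
    next_hop = b"DEST"
    for node_id, key in reversed(route):
        blob = seal(key, bytes([len(next_hop)]) + next_hop + blob)
        next_hop = node_id
    return blob


def peel(key: bytes, blob: bytes):
    """One node's view of the onion: the next hop and the still-encrypted remainder."""
    inner = unseal(key, blob)
    n = inner[0]
    return inner[1:1 + n], inner[1 + n:]


def relay(route, onion: bytes):
    """Simulate the path. A failed check at any node raises the flag; here the
    application-dependent response is to halt. Returns (delivered_message, log)."""
    log = []
    blob = onion
    for node_id, key in route:
        try:
            next_hop, blob = peel(key, blob)
        except ValueError:
            log.append((node_id, "TAMPER DETECTED"))
            return None, log
        log.append((node_id, "ok, forward to " + next_hop.decode()))
    return blob, log


if __name__ == "__main__":
    # Constructed route and keys; a real system distributes keys via a directory or key exchange.
    route = [(b"node-a", os.urandom(32)), (b"node-b", os.urandom(32)), (b"node-c", os.urandom(32))]
    onion = build_onion(route, b"constructed sample payload")
    print(relay(route, onion))
    damaged = bytearray(onion)
    damaged[len(onion) // 2] ^= 0x01  # one flipped bit anywhere in the outer layer
    print(relay(route, bytes(damaged)))
```

Each node can strip only its own layer, so it learns the next hop but not the payload or the final destination; and because every layer carries its own integrity tag, a modification made in transit is caught at the very next node rather than at the end of the path.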

Although that question invites a range of answers, computer security experts will generally agree that software alone will never be sufficient to detect or prevent tampering. Hardware-level security checks are also needed. It is common practice in security-intensive systems to include a Tamper Proof Module (TPM). This non-rewritable chip contains check code to search for tampering. First the boot loader is checked, which then checks the operating system, which then checks the application(s) for an integrity breach.
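The boot loader, operating system and application chain of checks described above, as an added illustration in Python that is not code from the original post. The three "images" and their expected measurements are constructed stand-ins, and the running register that records each measurement is an added detail borrowed from how real TPM platform configuration registers work (extend-only, so the final value commits to the whole boot sequence and gives the audit trail the earlier paragraph asks about).

```python
import hashlib
import hmac

# Constructed stand-ins for the three stages; real images would be binaries.
IMAGES = {
    "bootloader": b"constructed bootloader image v1",
    "os": b"constructed operating system image v1",
    "app": b"constructed application image v1",
}
CHAIN = ["bootloader", "os", "app"]  # each stage verifies the next before handing over control


def measure(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# Expected measurements, assumed to live in storage the root of trust can read but not rewrite.
GOLDEN = {name: measure(data) for name, data in IMAGES.items()}


def extend(register: bytes, measurement: bytes) -> bytes:
    """PCR-style extend: the register can only be folded forward, never reset, so its
    final value depends on every measurement taken and the order they were taken in."""
    return hashlib.sha256(register + measurement).digest()


def boot(images, golden=GOLDEN, chain=CHAIN):
    """Walk the chain of trust. Returns (stages_started, failed_stage, register)."""
    register = bytes(32)
    started = []
    for stage in chain:
        m = measure(images[stage])
        register = extend(register, m)  # record what was actually present, trusted or not
        if not hmac.compare_digest(m, golden[stage]):
            return started, stage, register  # halt: nothing downstream gets control
        started.append(stage)
    return started, None, register


def expected_register(golden=GOLDEN, chain=CHAIN) -> bytes:
    """The register value a clean boot must produce; a verifier compares against this."""
    r = bytes(32)
    for stage in chain:
        r = extend(r, golden[stage])
    return r


if __name__ == "__main__":
    print(boot(IMAGES))
    tampered = dict(IMAGES)
    tampered["os"] = IMAGES["os"] + b" (modified)"
    print(boot(tampered))
```

The point the paragraph makes shows up in the second run: once the operating system image fails its check, the application is never measured or started, and the register no longer matches the clean-boot value, so the deviation is visible even to a party that only sees the register afterwards.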

There are high-level issues to be addressed as well, and they are equally important requirements. An Internet voting system for US voters needs flexibility (to accommodate different state requirements), convenience for the user, and training and education of both staff workers and voters. Particularly important is timeliness: the most flexible, friendly, convenient electronic voting system is pointless if the ballot arrives too late to be counted or has to be discarded due to suspicions of fraud.

There are always tricky issues when science and public policy intersect. Computing is particularly complicated because the field is so new, and technology changes so quickly. By the time consensus is reached on a contentious issue, the point may be moot. The technical issues alone for Internet voting are complex, but often come down to one issue: risk assessment. What degree of risk is tolerable in order to achieve a societal right guaranteed by the Constitution? In some cases entrenched opinion comes from holding a philosophical stance about whether or not the Internet can ever be an acceptable medium for any voting, overseas or otherwise. Proponents argue that it is only a matter of time until Internet voting becomes reality, and also that the subject is a matter of morals, so we must address the problem directly. Critics counter that it is not possible with current technology to implement Internet voting at an acceptable level of security and privacy, so the risks of trying it outweigh the potential benefits.

If we can be successful, the payoffs are tangible: morally, ethically, fiscally. If we don't succeed the risks are serious: from disenfranchisement of citizens to interference with our democratic process in the worst case scenario.

What do we do? Move forward (how?), or sit it out and accept the current situation as good enough for now? What do you think?

1 comment:

  1. I want internet voting. I want it so much I'm going to make it one of my goals. I'm going to find a way to help the process along. Being a computer scientist sounds fun. And I'm a Star Trek fan too. My favorite line right now is from one of the episodes with Q in it. He says "they say I spread chaos through the Universe", funny to me. I'm a space painter too.
    Let's make internet voting work in the U.S.
    Got any tips on how I can help that process along? Please advise.
    Love and gratitude