>b's weblog

News. Journal. Whatever.


Why evoting is not a good idea and probably never will be

There is an ongoing discussion about how to implement evoting in a sensible way. Therefore, I want to comment on why this can never be a good idea.

Some believe evoting is difficult because it's not tamper-proof. But this isn't the main issue with evoting. You may be surprised that it is a CCC activist pointing this out, but so be it ;-) Counting paper ballots isn't fail-safe either, and is therefore susceptible to manipulation as well. The main problems are:

1) Legitimacy, Security and Trust

One of the essential parts of democracy is the possibility for any voter to fully understand and see through the procedures. This is what creates confidence in the legitimacy of voting results.

In other words: even if evoting could be made tamper-proof, it would still be infeasible for implementing democracy, because nobody, not even the experts, completely understands what is happening while it runs. That last sentence may sound offensive, but I'll give reasons for it. Try to name the expert who completely understands:

  • how current computer hardware functions, down to every single wire, and additionally:

  • how the microcode inside the CPU works, including all details

  • how the operating system kernel in place works, including every single line of code

  • how all the library dependencies and frameworks in use function, in every single line of code

  • how the evoting software is constructed and what exactly each line of its code does

I'm pointing to the very fact that we all know exactly how to print names on pieces of paper, how to put a cross next to one of them, how to collect the pieces of paper in boxes, and how to take them out again and count the crosses. And not only experts know that: all voters know all of it exactly (if they want to), including all details. All of it is not only publicly documented, it is also so simple that anyone is actually capable of understanding the full process completely. And this, too, is where legitimacy comes from.

2) Scalability of attacks on evoting systems

Tampering with many paper ballots requires linearly more effort than tampering with a single ballot. Whoever wants a chance of forging enough to decide the outcome of an election needs access to, and has to invest the effort for forging, thousands or even millions of ballots (depending on the number of voters and on how close the election is), without being caught. However, the risk of the cover being blown does not rise linearly with the number of people taking part in a plot. By the Gaussian sum formula, communication between people scales quadratically.

So we have linear effort, a linear number of necessary attackers, and a disproportionately high risk of trusting the wrong person and losing cover. A couple of corner cases remain (few voters, or an election so close that a very small amount of forgery is enough for the wanted result, etc.), but for the majority of conventionally run elections, either the results are trustworthy or corruption was detected.
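
The scaling argument above for paper ballots, worked through as an added example (not part of the original post). The per-person forging capacity, the per-relationship leak probability and the independence of leaks are assumptions made here for illustration; the post itself only states that effort grows linearly and communication grows by the Gaussian sum.

```python
import math

def conspirators_needed(forged_ballots, ballots_per_person):
    """Linear scaling: people needed to forge a given number of paper ballots."""
    return math.ceil(forged_ballots / ballots_per_person)

def pairwise_channels(n):
    """Gaussian sum 1 + 2 + ... + (n - 1) = n(n - 1)/2 relationships among n people."""
    return n * (n - 1) // 2

def exposure_probability(n, leak_per_channel):
    """Chance that at least one relationship leaks.

    Assumption of this example: every pairwise relationship leaks
    independently with the same probability.
    """
    return 1.0 - (1.0 - leak_per_channel) ** pairwise_channels(n)

def paper_attack_table(forged_counts, ballots_per_person, leak_per_channel):
    """One row per scenario: (forged ballots, people, channels, exposure risk)."""
    rows = []
    for forged in forged_counts:
        n = conspirators_needed(forged, ballots_per_person)
        rows.append((forged, n, pairwise_channels(n),
                     exposure_probability(n, leak_per_channel)))
    return rows

if __name__ == "__main__":
    # Constructed parameters, not measurements: one person can quietly
    # forge 500 ballots, and each relationship leaks with probability 0.1 %.
    print(f"{'forged':>8} {'people':>7} {'channels':>9} {'exposure':>9}")
    for forged, n, channels, risk in paper_attack_table(
            [500, 5_000, 50_000], ballots_per_person=500, leak_per_channel=0.001):
        print(f"{forged:>8} {n:>7} {channels:>9} {risk:>9.1%}")
```

With these constructed numbers, a hundredfold increase in forged ballots needs a hundred people, and the risk of exposure goes from zero to close to certainty.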

If we compare that to evoting, we end up with the problem of

  • computers being manufactured in volume production

  • microcode being copied in large volumes

  • software of all kinds being copied in volumes

Hence it is enough to find a single opportunity for a backdoor in any part of any production process and inject it just once to be able to decisively manipulate any election that is run on the tampered evoting infrastructure. On the other hand, no method at all is known for manipulating all boxes and pieces of paper with one single action in a similar way, such that copying them (paper and boxes come out of volume production, too) would provide the power to manipulate every election ever run with them.

But even if the production processes of computers and software could be completely reliable, attacks that exploit evoting systems will still scale, because all forms of attack can (and will) be automated. With automation, the effort for a single tampered election result not only drops linearly with the number of cases of forgery; because of the market for attack tools, such attacks give anyone who wants to manipulate a cheap way of scalable election forgery. Not only do the costs of such attacks drop to the floor, this also maximizes the number of people who can successfully carry out election forgery, because it provides the needed accessibility.

Welcome to the security nightmare we're calling “IT security” ;-)

I'm explaining these things explicitly because I'm used to the situation that many people do not understand how susceptible to manipulation, and therefore insecure, anything implemented using computers inevitably is, while nearly no one seems to be aware of how incredibly secure elections with pen, paper and ballot box are compared to that.

As said above, this will only be relevant if someone can convince all voters to trust an election result when they do not understand at all how it was produced.

Actually, the legitimacy of democracy is at stake, and therefore its peaceful effect – an effect which is itself an essential part of democracy.