2. Vanity slide
• Still a developer
• http://blog.bozho.net
• http://techblog.bozho.net
• http://twitter.com/bozhobg
• E-government adviser to the deputy prime
minister of Bulgaria
4. Complicated task
• uncontrolled environment
• single vote AND vote secrecy
• coercion prevention
• verifiability
• independent observers
• results should not be replaceable
• defence against attacks and viruses
5. Before technology
A fundamental question:
• Is it required that every voter understands
the whole voting process?
• Does every voter understand fully the
current process?
7. Who would develop it?
• companies with e-voting expertise
• Cybernetica AS (Estonia)
• Scytl (Switzerland, France, Norway)
• ...
• it’s “how” that’s important
8. How
• open source from day 1
• peer-reviewed
• audited
• with pilots
• in-person at first
• 7 days before paper election day
9. Wait, wait...
There are unanswered questions.
There are problems to be solved.
There is a lot of noise...
10. Invalid arguments “for”
• if e-banking works, then e-voting should
also work
• breaches and fraud
• different task
• if anyone can hack voting, why doesn’t he
hack banks instead?
• why not both?
11. Invalid arguments “for”
• “what can happen”
• everything
• we have many good software specialists
• the task is complicated and niche
• it will solve the problems of our democracy
• no, it won’t (but it can help)
12. Invalid arguments “against”
• someone will buy your IP
• it’s a devil’s creation
• it must be 100% secure
• paper voting is not 100% secure
• someone can change something
• there is no guarantee for ballot secrecy
• there is no guarantee for one voter-one vote
13. Invalid arguments “against”
• “It’s not being used in big countries”
• “Germany banned it”
• “The Estonian system doesn’t work”
• mainly OpSec problems
• client malware
• Press-conference a week prior to the elections
saying “it doesn’t work”?
• “It will be developed by incompetent people”
14. Questions
• vote secrecy and one voter = one vote
• verifiability of the validity of the result
• access for observers
• coercion prevention
• usability
15. Vote secrecy
• double-envelope method
• identity is separated from the vote before counting
• votes are encrypted with the public key of the
counting server
• anonymized votes are sent to the counting server
on a CD
• the private key is activated by multiple owners
16. Vote secrecy
• blind signature
• e.g. carbon paper envelope with your name used
for blind stamping
• confirms the vote without knowledge of it
• requires trust in the client software
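The carbon-paper analogy in working form, as an added toy example that is not the deck's or any real system's code: the voter blinds a digest of the ballot, the eligibility authority signs the blinded value (it learns only that an eligible voter asked once), and the voter removes the blinding to obtain an ordinary RSA signature on the real digest. The key, the primes, the voter roll and the ballot bytes are all constructed here; textbook RSA with 14-bit primes and a bare hash is for illustration only, and a deployable scheme needs the padding and key sizes of, for example, the RSA blind signature scheme in RFC 9474. Note where the trust sits: blinding happens on the voter's device, so malware there sees the ballot before it is blinded, which is the "requires trust in the client software" caveat above.

```python
"""Blind signature as an added toy example (not the deck's or any real
system's code): the eligibility authority signs the voter's ballot digest
without learning it, like a stamp pressed through a carbon-paper envelope
onto the sheet inside. Textbook RSA with constructed small primes."""
import hashlib
import secrets
from math import gcd

# Constructed toy authority key: two small primes, far too small for real use.
_P, _Q = 10007, 10009
N = _P * _Q
E = 65537
D = pow(E, -1, (_P - 1) * (_Q - 1))


def ballot_digest(ballot: bytes) -> int:
    """Hash the ballot into Z_N (toy stand-in for a full-domain hash)."""
    return int.from_bytes(hashlib.sha256(ballot).digest(), "big") % N


# --- Voter side ---------------------------------------------------------------
def blind(m: int):
    """Return (blinded message, blinding factor r); r never leaves the voter."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return m * pow(r, E, N) % N, r


def unblind(blinded_sig: int, r: int) -> int:
    """(m * r^E)^D * r^-1 == m^D: the ordinary signature on the real digest."""
    return blinded_sig * pow(r, -1, N) % N


# --- Authority side: sees only the blinded value -------------------------------
AUTHORITY_LOG = []  # what the authority actually observed, for the check below


def authority_sign(voter_id: str, blinded: int, roll: set, issued: set) -> int:
    """Sign once per eligible voter; the signed value is opaque to the authority."""
    if voter_id not in roll or voter_id in issued:
        raise PermissionError("not eligible or signature already issued")
    issued.add(voter_id)
    AUTHORITY_LOG.append((voter_id, blinded))
    return pow(blinded, D, N)


# --- Anyone: verify the unblinded signature against the public key ------------
def verify(m: int, sig: int) -> bool:
    return pow(sig, E, N) == m


def cast_vote(voter_id: str, ballot: bytes, roll: set, issued: set):
    """Full round trip; returns (digest, signature, authority_saw_digest)."""
    m = ballot_digest(ballot)
    blinded, r = blind(m)
    sig = unblind(authority_sign(voter_id, blinded, roll, issued), r)
    authority_saw_digest = any(b == m for _, b in AUTHORITY_LOG)
    return m, sig, authority_saw_digest
```

The signature later travels with the anonymized ballot: the counting side checks `verify(digest, sig)` to know an eligible voter authorized it, while the authority's log holds only blinded values it cannot match to any ballot.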
17. Vote secrecy
• Mixnets
• layers of decryption
• receiver doesn’t know who the sender is
• Tor-like
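The layered-decryption idea above, as an added toy example that is not the deck's or any real system's code. Each ballot is ElGamal-encrypted under the product of the mix nodes' public keys, so one ciphertext carries a layer for every node; each node removes only its own layer, re-randomizes what remains and shuffles the batch before passing it on, and the last node sees plaintext votes it cannot relate to senders. The group is generated inside the block (constructed, not a standard one) and the votes are constructed small integers. The `rerandomize` flag is there to show the failure mode a practitioner should know: peeling and shuffling without fresh randomness leaves the first ciphertext component unchanged, so an observer can line outputs up with inputs.

```python
"""Mixnet as an added toy example (not the deck's or any real system's code).
Every ballot is ElGamal-encrypted under the product of the mix nodes'
public keys, so the ciphertext carries one decryption layer per node. Each
node peels its layer, re-randomizes what is left and shuffles; the last
node outputs plaintext votes unlinkable to the inputs."""
import random


def is_prime(n):
    """Deterministic Miller-Rabin: these fixed bases are exact for n < 3.3e24."""
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime(bits):
    """Smallest safe prime P = 2Q + 1 with Q >= 2**(bits-1); G = 4 has order Q."""
    q = (1 << (bits - 1)) | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4


P, Q, G = safe_prime(64)  # constructed group: quick to search, far too small for real use


def keygen(rng):
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)


def onion_encrypt(vote, node_pubs, rng):
    """One ciphertext masked by every node's key: the layers of decryption."""
    joint = 1
    for y in node_pubs:
        joint = joint * y % P
    r = rng.randrange(1, Q)
    return pow(G, r, P), pow(G, vote, P) * pow(joint, r, P) % P


def mix_node(batch, priv, remaining_pubs, rng, rerandomize=True):
    """Peel this node's layer, re-randomize under the remaining keys, shuffle."""
    joint_rest = 1
    for y in remaining_pubs:
        joint_rest = joint_rest * y % P
    out = []
    for c1, c2 in batch:
        c2 = c2 * pow(pow(c1, priv, P), -1, P) % P  # remove this node's layer only
        if rerandomize:
            s = rng.randrange(1, Q)                 # fresh randomness breaks the c1 link
            c1, c2 = c1 * pow(G, s, P) % P, c2 * pow(joint_rest, s, P) % P
        out.append((c1, c2))
    rng.shuffle(out)
    return out


def decode(c2, max_candidates=64):
    """After the last node c2 == G**vote; a bounded search recovers the vote."""
    return next(v for v in range(max_candidates) if pow(G, v, P) == c2)


def run_mixnet(votes, n_nodes=3, seed=None, rerandomize=True):
    """Returns (votes in output order, whether any output is linkable to an
    input through an unchanged c1 component)."""
    rng = random.Random(seed)
    keys = [keygen(rng) for _ in range(n_nodes)]
    pubs = [y for _, y in keys]
    inputs = [onion_encrypt(v, pubs, rng) for v in votes]
    batch = inputs
    for i, (priv, _) in enumerate(keys):
        batch = mix_node(batch, priv, pubs[i + 1:], rng, rerandomize)
    input_c1s = {c1 for c1, _ in inputs}
    linked = any(c1 in input_c1s for c1, _ in batch)
    return [decode(c2) for _, c2 in batch], linked
```

What a real deployment adds on top of this skeleton is a proof from each node that its output is a permutation of its input (a verifiable shuffle), since otherwise a node can silently drop or substitute ballots while still producing a valid-looking batch.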
18. Revoting
• e-voting before the paper voting
• manual removal of the e-vote
• automatically guarantees 1 man = 1 vote
• with double envelope
• the unanonymized (encrypted) ballot is replaced
• with blind signature and mixnet
• using a receipt code?
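The double-envelope flow of slide 15 together with the re-voting rule of slide 18, as one added toy example that is not the deck's or any real system's code. The inner envelope is the vote encrypted to the counting key; the outer envelope is the voter's signature over that ciphertext. The collecting server checks the roll and the signature, keeps only the latest valid envelope per voter (so a re-vote replaces the earlier unanonymized ballot), then strips identities. The counting key is split among three trustees with Shamir sharing and any two of them decrypt without ever putting the key back together, which is the "private key activated by multiple owners" point. The group parameters, the voter roll and the cast votes are constructed; the group is tiny and for illustration only.

```python
"""Double envelope with threshold counting as an added toy example (not the
deck's or any real system's code). Inner envelope: ElGamal encryption of the
vote to the counting key. Outer envelope: the voter's Schnorr signature over
that ciphertext. Latest valid envelope per voter wins; identities are dropped
before any trustee touches a ballot."""
import hashlib
import random

P, Q, G = 1019, 509, 4  # constructed toy safe-prime group: P = 2Q + 1, G of order Q


def H(*parts):
    return int.from_bytes(hashlib.sha256("|".join(map(str, parts)).encode()).digest(), "big") % Q


def keygen():
    x = random.randrange(1, Q)
    return x, pow(G, x, P)


# --- Shamir sharing of the counting key over Z_Q -------------------------------
def share(secret, n, t):
    """n shares of which any t reconstruct: f(0) = secret, degree t - 1."""
    coeffs = [secret] + [random.randrange(Q) for _ in range(t - 1)]
    return {i: sum(c * pow(i, k, Q) for k, c in enumerate(coeffs)) % Q for i in range(1, n + 1)}


def lagrange_at_zero(ids):
    lams = {}
    for i in ids:
        num = den = 1
        for j in ids:
            if j != i:
                num = num * (-j) % Q
                den = den * (i - j) % Q
        lams[i] = num * pow(den, -1, Q) % Q
    return lams


# --- Inner envelope: exponential ElGamal with threshold decryption -------------
def encrypt(pub, vote):
    r = random.randrange(1, Q)
    return pow(G, r, P), pow(G, vote, P) * pow(pub, r, P) % P


def partial_decrypt(c1, key_share):
    return pow(c1, key_share, P)  # each trustee contributes c1**x_i, not x_i itself


def combine(c2, partials):
    """prod(d_i ** lambda_i) == c1**x, so the key is never reconstructed."""
    lams = lagrange_at_zero(list(partials))
    c1_x = 1
    for i, d in partials.items():
        c1_x = c1_x * pow(d, lams[i], P) % P
    m = c2 * pow(c1_x, -1, P) % P
    return next(v for v in range(Q) if pow(G, v, P) == m)  # small dlog: toy only


# --- Outer envelope: Schnorr signature binding the voter to the ciphertext ----
def sign(priv, pub, msg):
    k = random.randrange(1, Q)
    R = pow(G, k, P)
    return R, (k + priv * H(R, pub, msg)) % Q


def verify(pub, msg, sig):
    R, s = sig
    return pow(G, s, P) == R * pow(pub, H(R, pub, msg), P) % P


def run_election(cast, n_trustees=3, threshold=2):
    """cast: ordered (voter_id, candidate) pairs; a voter listed twice re-voted.
    Returns (tally by candidate, number of ballots counted)."""
    count_priv, count_pub = keygen()
    trustee_shares = share(count_priv, n_trustees, threshold)
    del count_priv  # the whole key is never used again
    roll = {vid: keygen() for vid, _ in cast}  # constructed electoral roll
    envelopes = []
    for vid, vote in cast:
        priv, pub = roll[vid]
        inner = encrypt(count_pub, vote)
        envelopes.append((vid, inner, sign(priv, pub, inner)))
    # Collecting server: roll check, signature check, latest envelope replaces earlier.
    latest = {}
    for vid, inner, sig in envelopes:
        if vid in roll and verify(roll[vid][1], inner, sig):
            latest[vid] = inner
    anonymized = list(latest.values())  # identities dropped before counting
    quorum = list(trustee_shares)[-threshold:]  # any `threshold` trustees suffice
    tally = {}
    for c1, c2 in anonymized:
        partials = {i: partial_decrypt(c1, trustee_shares[i]) for i in quorum}
        v = combine(c2, partials)
        tally[v] = tally.get(v, 0) + 1
    return tally, len(anonymized)
```

The order of operations is the security property: signatures are checked and dropped while ballots are still encrypted, and decryption happens only on the anonymized batch, so no single party ever holds both an identity and a plaintext vote.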
19. Verifiability
• E2E verifiable
• “stored as cast”, “counted as stored”
• receipt, incl. a mobile phone
• checking the vote for a limited period of time (risks
the secrecy)
• checking if receipt codes are matching
20. Validity of the result
• individual checks
• independent counting
• public bulletin board
• public ledger (blockchain, votecoin?)
• push to registered observers?
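A minimal public bulletin board for the checks of slides 19 and 20, as an added example that is not the deck's or any real system's code. Anonymized ballot records go onto an append-only hash chain; each voter receives a receipt code derived from the stored ballot and can confirm it is on the board ("stored as cast"); registered observers receive every entry as it is appended and can recompute the chain themselves, so an in-place replacement on the server's copy is caught even when the server reports a tidy-looking board. The ballot strings are constructed opaque stand-ins for ciphertexts. Caveat, matching the deck's note on checking the vote for a limited period: the receipt ties a person to one stored record, so if stored ballots are ever decrypted individually rather than through a mix or a homomorphic tally, that link becomes a secrecy leak.

```python
"""Public bulletin board as an added example (not the deck's or any real
system's code): an append-only hash chain of anonymized ballot records,
receipt codes for voters, and a pushed mirror for observers."""
import hashlib


def _h(*parts: bytes) -> str:
    return hashlib.sha256(b"\x00".join(parts)).hexdigest()


def receipt_code(ballot_hex: str) -> str:
    """Short code shown on the voter's screen or phone; derived only from the ballot."""
    return hashlib.sha256(bytes.fromhex(ballot_hex)).hexdigest()[:8].upper()


class BulletinBoard:
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []    # dicts: {"seq", "ballot", "prev", "hash"}
        self.observers = []  # callables receiving a copy of every appended entry

    def head(self) -> str:
        return self.entries[-1]["hash"] if self.entries else self.GENESIS

    def append(self, ballot_hex: str) -> str:
        """Append an anonymized ballot; returns the receipt code for the voter."""
        entry = {"seq": len(self.entries), "ballot": ballot_hex, "prev": self.head()}
        entry["hash"] = _h(str(entry["seq"]).encode(), bytes.fromhex(ballot_hex), entry["prev"].encode())
        self.entries.append(entry)
        for push in self.observers:
            push(dict(entry))
        return receipt_code(ballot_hex)


def verify_chain(entries) -> bool:
    """Anyone holding the published entries can recompute the chain."""
    prev = BulletinBoard.GENESIS
    for seq, e in enumerate(entries):
        expected = _h(str(seq).encode(), bytes.fromhex(e["ballot"]), prev.encode())
        if e["seq"] != seq or e["prev"] != prev or e["hash"] != expected:
            return False
        prev = e["hash"]
    return True


def stored_as_cast(entries, receipt: str) -> bool:
    """Voter-side check: is the ballot behind my receipt on the board?"""
    return any(receipt_code(e["ballot"]) == receipt for e in entries)


def demo():
    """Constructed run: three ballots, an observer mirror, then an in-place swap
    on the server's copy. Returns (chain ok before, chain ok after,
    receipt found on server copy, receipt found on observer copy)."""
    board = BulletinBoard()
    mirror = []
    board.observers.append(mirror.append)
    ballots = ["aa01", "bb02", "cc03"]  # constructed opaque ciphertext stand-ins
    receipts = [board.append(b) for b in ballots]
    ok_before = verify_chain(board.entries) and board.head() == mirror[-1]["hash"]
    board.entries[1]["ballot"] = "dd04"  # insider replaces one stored ballot
    ok_after = verify_chain(board.entries)
    return (ok_before, ok_after,
            stored_as_cast(board.entries, receipts[1]),
            stored_as_cast(mirror, receipts[1]))
```

A hash chain only makes replacement detectable; it does not prevent it, which is why the observers' copies and the voters' receipt checks are needed alongside it, and why the deck pairs this with independent counting of the same published records.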
22. Coercion prevention
• panic/tamper PIN
• PIN written backwards :)
• hard to implement
• webcam with face recognition
• partial guarantee that nobody else is in front of the
monitor
• cooldown period
• against multiple voting from a single machine
23. Usability
• if paper voting is removed from polling
stations as well
• touch-screen is very intuitive
• everyone can use it, even uneducated voters
• UX-tests
27. DDoS attacks
• DDoS prevention:
• preparedness and adequate procedures
• tier 1 providers, telecoms
• blocking of command & control servers
• scrubbing centers
• cutting external traffic
28. Network attacks
• packet analysis => dropping the vote
• solutions:
• retry
• detectable (no receipt/confirmation sent)
• Tor / mixnets
• paper voting if e-voting doesn’t work for you
29. OpSec
• operational security
• passwords
• DMZ
• HSM
• intrusion detection, netflow analysis
• audit trail
• main criticism against Estonia
• verifiability of results exposes intrusions
30. Insider attacks
• OpSec, audit trail
• verifiable using “virtual paper trail” (e.g.
blockchain)
• Security agencies should catch it
31. 0-day vulnerabilities
• ...well, crap
• general procedures for cancelling or postponing
elections
• if intrusions are detectable => patch
32. General procedures
• annulling online results
• notification of online voters
• postponing the election
(not as hard and expensive as they are in
paper voting)
33. Paper voting?
• some of the problems above are valid for
paper voting as well
• results of paper voting are ultimately
aggregated on a computer
• with checks and paper trail
• …but what if it doesn’t match?
34. We must be paranoid
• everything can go wrong
• viruses are real
• state-level attacks are real
• manipulation attempts are real
• “it just works” doesn’t work
• “election security is national security”
35. The way forward?
• not all problems are addressed 100%
• there is no 100% secure solution
• we are looking for a solution that doesn’t
allow large-scale manipulations
• looks like such a solution is possible
• need for more R&D
• dynamic/direct democracy
• we are obligated to do it, sooner or later