Friday, March 8, 2013

Has NIST Lied about Internet Voting Insecurity?



Article 1, section 8, of the US Constitution enumerates the specific powers of Congress.
Among these are: “The Congress shall have power … To regulate Commerce … To coin money … and fix the standard of weights and measures.” The Framers had learned from unhappy experiences under the Articles of Confederation that without uniform standards for money, the new nation’s economy had little chance of thriving. They had also learned that without uniform “weights and measures,” the growth of science and technology, industry, and commerce would be crippled by chaos.

Out of its continuing efforts to exercise these powers responsibly, in 1988 Congress created the National Institute of Standards and Technology (NIST), which is currently a non-regulatory agency within the Department of Commerce.

NIST has such a vital role in the progress of science that it can aptly be understood as the Voice of Science in the USA.

When Congress established the Election Assistance Commission (EAC), in 2002, in a display of foresight, it required NIST to provide the EAC technical support on the research and development of, among other things, “remote access voting, including voting through the Internet.”

Yes, Congress is thinking about Internet voting for all US elections!

So, what did NIST do in response to its mandate from Congress? NIST put its name on a copy of the old 2004 SERVE Security Report by Avi Rubin, David Jefferson, David Wagner, and Barbara Simons.

That Report is where all the scary stories about supposed Internet voting insecurity got started. Like, “a teenage hacker in Iran could change all the votes in a presidential election!”

Great scary story, but where’s the science? Where are the facts?

Internet voting has been tried in public elections nearly 100 times around the world without any security problems. (The 2010 DC hack occurred because it wasn’t built by pros; see DC Hack Fiasco and DC Hack Conspiracy.) Shamefully, NIST has done NO scientific research, but only reproduced a bunch of scary stories, and presented that to Congress.

Common Cause – that saintly source of democratic ideals – has also helped to promote scary stories about Internet voting without any facts or science. (See Common Cause.)

So now there is a careful study of the BAD SCIENCE that has the whole country shaking in its boots whenever somebody says “I hate standing in lines! Why can’t we have voting online?”

The paper is being presented at a panel at the Western Political Science Association this month. It’s ready for the most critical scrutiny a scholar can give it. It shows that the anti-Internet voting extremists have NO intellectual foundation for crying “wolf!”

It’s time for an intelligent, informed, Reason-based debate on Internet voting!
 
Download my paper, in pdf form, for free at


William J. Kelleher, Ph.D.
Political Scientist, author, speaker,
CEO for The Internet Voting Research and Education Fund
Twitter: wjkno1

Author of Internet Voting Now! 

6 comments:

Chris Cates said...

Oh Bill, it never ceases to amaze me how quick you are to make blind assumptions about everything and everyone. Just like your paper, which is filled with inconsistencies, errors and broad assumptions. This paper only serves as further proof that your knowledge of computers, internet, and security is VERY LIMITED. I found your section related to phishing absolutely laughable. If a hacker wants your e-mail address, it will be very easy for them to get. E-mail addresses are stored in countless databases that can easily be penetrated (like LinkedIn (http://tinyurl.com/6qpt7xh) or the US Government (http://tinyurl.com/7j7cr2a)).

I also enjoyed how you downplay the NDP Denial of Service (DoS) attack by making the false claim that it may not have even taken place! This despite NUMEROUS news reports about the DoS attack and NOT ONE report from the internet voting company, Scytl, or the NDP ever denying the attack. You also deliberately left out that Scytl and the NDP were never able to determine who was behind the attacks! No one has ever been identified, caught, and prosecuted! They're still out there waiting for the next election to do it all over again! Your report neglects to mention how legitimate voters couldn't cast their ballots and the only way for Scytl to fix the problem was to cut off all outside access so only those inside the conference center were able to vote! This isn't internet voting any more because they pulled the plug on the internet!! Nor does it talk about how two voters received messages from the voting system saying they already voted, and this was never investigated!

BTW, the NDP leadership election you refer to took place in March 2012, not 2003!

Chris Cates
Computer Expert, activist, speaker
Website: http://www.countingthevote.ca
Facebook Page: http://www.facebook.com/pages/Counting-The-Vote/327385727376942
Twitter: countingthevote

Anonymous said...

I read your paper. It is an excellent piece of work outlining how scurrilously a minority report has been broadcast so widely by The New York Times.

This single source is reminiscent of the campaign to sell the Iraq War when Judith Miller was the implant at The New York Times to do the dirty work.

The Campaign against Internet Voting has all the same fingerprints over it. Paul Wolfowitz, The New York Times, an insider reporter and its megaphone effect on secondary publications picking up the same story.

The central fallacy is that it is possible to make generalizations of this sort. There is no single thing as Internet Voting. Every implementation is different.

Canceling a project because it might have the possibility of a vulnerability is not the way to develop a project. It is necessary to identify the particular risks so that it is possible to identify the means to counter them. Crucially the critics did not bother to do this.

If the anti-internet voting case had any merit no E-Commerce could exist.

Every implementation is different and most threats can be anticipated and contained.

The key to designing an Electronic Voting System is to use the system-generated evidence to make any error or intrusion evident and detectable, reversible and correctable. MOST VOTING SYSTEMS FAIL TO MEET THIS SIMPLE STANDARD.

How to design a voting system which relies on evidence, transparency and the voter's own ability to verify his or her vote is the more important issue---NOT A PARTICULAR PIECE OF TECHNOLOGY.

Tom said...

Congratulations Admin! Thank you so much for taking the time to share this exciting information.

wjk said...

RE: Chris Cates

1) Suppose cheaters want to steal voting credentials so they can impersonate voters and cast multiple votes. They will need the email addresses of registered voters in the districts where they want to try and influence an election. They would have to obtain this info from the state SOS, which is difficult and unlikely, or buy it.

What Chris is referring to would only yield a generalized list. You wouldn’t know which email address was for a registered voter, or where they were registered to vote.

2) As to FIRST NDP incident – From Wired magazine (2004): “Last January, voting at Canada's New Democratic Party convention in Toronto was interrupted by a denial-of-service attack aimed at shutting down the election. … It took Election.com only 45 minutes to fix the problem.”
http://www.wired.com/politics/security/news/2004/01/62041?currentPage=all

3) As to SECOND NDP incident – Was NDP hit by a DDoS again in 2012?
NDP leadership: Officials mum about source of cyber-attack meant to disrupt online voting “Barbara Simons …called on the NDP to conduct a public review of the fiasco.”
http://www.thestar.com/news/canada/article/1151754--ndp-leadership-officials-mum-about-source-of-cyber-attack-meant-to-disrupt-online-voting

4) “They're still out there waiting for the next election to do it all over again!”
Oops! The “next NDP election” has come and gone w/o incident.

Saskatchewan New Democratic Party Conducts Successful, Audited Election
http://www.businesswire.com/news/home/20130320005602/en/Saskatchewan-Democratic-Party-Conducts-Successful-Audited-Election March 20, 2013

46% of all voters cast ballots online during March 9th election.
The Saskatchewan New Democratic Party … online election was audited by Mintz & Wallace Chartered Accountants LLP. They said, "Our examination revealed a system that ensures accurate results, a rigorous approach to voter and voting system security with documented protocols in place to check the process from start to finish.” Indeed, the “program management also considered unanticipated but possible contingencies and took steps to make sure these were never obstacles to a successful vote."

Americans who have had to stand in line, read this and weep!
The average time for a voter to cast a ballot was 1.5 minutes.

Chuck said...

And how about a secured online system where our senators and congress can vote too? We could have them stay in their own states instead of all gathering in DC where they're a prime target for one big bomb. Also, this would remove them from the gun sights of corporate lobbyists where they are wined and dined en masse. Keep them at home where the voters have better access to them. Could also lower their wages because they live in one place, not two.

William J. Kelleher, Ph.D. said...

Excellent, Chuck!