Sunday, June 29, 2008

The Rejection and Response To It

---------------------------- Original Message ------------
Subject: Re: EVT '08
From: "Marilyn Davis"
Date: Sun, June 29, 2008 11:19 am
To: "David Dill and Tadayoshi Kohno"

Dear EVT '08,

Thank you so much for taking the time to critique my paper.
I was hoping that either it would accepted, or that the
critique would convince me that I'm wrong.

I'm sorry if my lack of knowledge about academia offended
anyone, or my misuse of any technical language. I do
my meaning is always clear.

The big "danger" in Internet Voting is that a reliable
user-controlled identity database and appropriate software
would signify a democratic revolution, one in which the
citizens can overpower corporations and governments to
control pollution, research, and all social programs.

I work in a vacuum because the study of Internet voting is
vacuum. Following the Computer Professionals for Social
Responsibility links: "Voting Technology"->"Internet
only finds: "Right now, no new information". This
is what
they have said since before 2006 when ran
their annual election over the Internet
via email. Having
an Internet election caused a furor in
the organization, and
an attempt to suppress public
knowledge of the
email/Internet election. There were no
accuracy, technology
or privacy problems reported.

It doesn't appear that the reviewers of my paper had
anything factual to say about networks or the DNS. This
a very significant part of the plan; these and that,
whatever evil happens, the voters themselves can see and
repair their votes. This is the new opportunity that the
Internet affords and seems to have been ignored.

The reviewers did make technical complaints that equally
apply to vote-by-mail; they expressed fear that people
themselves are not capable of taking individual
responsibility for their OPIKs; and it seemed to escape
that each individual's degree of privacy is,
her/his own decision.

These new voter responsibilities, i.e., powers, have not
been possible before the Internet.

I believe people are hungry for responsibility and power,
given the state and direction of the earth, and the
of faulty elections which render our votes and
democracy meaningless. Certainly, it is not
academia's job
to hide the existence of the technical
possibilities of this
responsibility and power.

The CAPTCHA, i.e., wiggly character recognition to
if the respondent is human, as explained, is to
successful viruses, as explained. Yes, the
CAPTCHA race is
on. I don't believe reCAPTCHA has been

However, if a CAPTCHA is solved, and a bogus vote entered
via a virus, again, the voter can see this, report it, and
repair it. And, all the other voters can be warned of the
virus and the CAPTHCHA can be changed. Again, the
redundancy of checking, the continued correspondence with
voters, and possibility of fixing, both on-the-fly and
the election, seem to be completely ignored by the

Yes, government-sponsored computer-scientists repeatedly
paint a dismal picture of Internet Voting.

Academics, historically, provide faulty "science" to
the existing power structure: from protecting the
Church by
ignoring the roundness of the earth, to
protecting the
chemical companies by ignoring the dangers
of amalgams,
pheromone-spraying, etc.

It is human nature, not conspiracy, to mimic the status
and to try to please the existing powers. It is the
personal mechanism and is very short-sited, not
taking the
long-term picture into account.

I know that the original government-sponsored study in
"California Internet Voting Task Force", does not
email voting, although they knew that my group
ran the
online version of the Zapatistas' Consulta in
1998. Yet,
originally, (it has been changed) they
discussed retina
scanning, which is frightening to think
about and absolute
nonsense for home voting. The early
version was a very
biased account and the more recent
version only hides the
bias better.

Nowhere, that I can find, are the benefits of networked
voting, email voting, and user-controlled privacy

If there was reasonable academic discussion of these
subjects, being only a teacher and a practical engineer, I
would not have tried to put forward an academic paper.

Thank you again for your time and attention.

Marilyn Davis, Ph.D.

> On Tue, May 20, 2008 10:35 pm, David Dill and Tadayoshi
> Kohno wrote:
> Thank you for submitting the paper identified at the end
> of this email to the 2008 USENIX/ACCURATE Electronic
> Voting Technology Workshop. All papers underwent a
> thorough reviewing process. We regret to inform you that
> your paper was not one of those selected.
> Please find attached the reviewers' comments, which we
> hope is useful to you in your continuing research. Once
> again, thank you for submitting your paper to EVT '08,
> and
we hope that you will be able to attend the
> conference in
San Jose.
> Sincerely,
> David Dill and Tadayoshi Kohno
> EVT '08 Program Co-Chairs
> Title: A Specification for Absolutely Accurate and
> Perfectly Private Election Voting Via the Internet
> Authors: Marilyn Davis
> Email:
> Title: A Specification for Absolutely Accurate and
> Perfectly Private Election Voting Via The Internet
> This paper presents a scheme for voting over the Internet,
> with the possibility of canceling one's online vote and
> instead voting in person. Voter identities are kept
> private by pseudonymization with an "OPIK card", a token
> that allows the voter to vote. Voting is performed by
> email with a confirmation mailback including a CAPTCHA.
> The paper does not frame its problem well, nor does it
> frame its contributions within the existing literature at
> all. The solution presented has a significant number of
> weaknesses even if all assumptions are
> accepted. Furthermore, a number of the assumptions are
> dubious. In addition, the compromises made in the design
> are not justified, as much prior work has achieved the
> desired results without compromising the types of attacks
> this work is willing to accept.
> Thus, I recommend rejecting this paper.
> Even assuming all assumptions are correct, there are a
> number of serious design problems:
> 1) What happens when a voter loses her OPIK card? Since
> OPIK cards can be kept for a few years, and since the
> election administrators don't know which OPIK card to
> cancel, does that mean Alice can no longer vote for up to
> a few years? That is significantly problematic. On the
> other hand, if a voter *can* obtain a new OPIK, how does
> one invalidate the old one, since no one knows which it
> is? If we make the assumption that lost cards won't be
> used, then we open up the system to voter abuse: Alice
> can
falsely claim that she has "lost" her OPIK card and
> get a
new one, thus enabling two votes.
> No matter how this issue is addressed, there seems to be
> a
deep problem with the solution, which implies a
> significant design flaw with the OPIK.
> 2) How can election administrators really be prevented
> from knowing which OPIK card a voter takes? Most voting
> offices will not be overwhelmed with voters if voters
> have
weeks to register, which means it is trivial for a
> voting
administrator to look at the list of OPIK cards
> before
Alice registers, and after she registers, and
> deduce which
OPIK card she took. Devising an actually
> secure process
for OPIK card distribution seems quite
> difficult, and
again this appears to be an inherent
> design flaw.

> 3) If OPIKs are linked to email addresses chosen by the
> voter, it's fairly clear that most voters will choose an
> email address that easily identifies them and that
> election officials will thus know who the voter is.
> 4) Email is unencrypted, which means the contents of the
> vote are available to all of the servers on the path to
> email delivery. That's a serious security issue.
> Digging into the assumptions, there are significant
> problems:
> - The idea that a voter will come up with an anonymous,
> unforgeable scribble is hard to believe. Even signatures
> are relatively easily faked (see credit card fraud), and
> the ease of forging goes up if the scribble is not one
> the
voter is used to writing and thus will have to take
> time
in reproducing.
> - Relying on DNS is a very poor assumption, especially
> given the way DNS has been routinely attacked by
> phishers/farmers. The same attacks can be achieved to
> intercept email, and these attacks are particularly
> easily
done when the target (the community computer)
> is
known. The fact that email is unencrypted and
> unauthenticated makes this even worse, since even a
> pristine community computer would be vulnerable to
> network
spoofers and evil routers.
> - why a CAPTCHA? I don't see what this is trying to
> defend
against. A computer can easily man-in-the-middle
> a
CAPTCHA, and since the voter has the OPIK, a program
> on
its own can't initiate a vote. This seems like a
> conceptual misunderstanding of what CAPTCHAs are for.
> - the author is confused about the meaning of retail
> fraud
vs. wholesale fraud. These terms usually refer to
> the
ability to corrupt a single precinct vs. the entire
> election. Voter coercion does not fit into this pattern,
> as it can be done outside the precinct, especially when
> voting is done online.
> The author should be much more precise about the threat
> model. Not everything falls under "retail" or
> "wholesale."
Coercion and integrity protection are
> different issues.

> - The author implies that it will be tedious to coerce a
> lot of voters, which is untrue: selling votes is trivial
> when the entire voting process can be done online by
> sending your credentials to a coercer. Significant
> evidence exists to show that coercion was rampant before
> the secret ballot was introduced in the late 1800s. There
> is also evidence from Chile in the 1950s that introducing
> the secret ballot radically changed the political
> landscape. The author provides no evidence, only an
> opinion, that coercion is "prohibitively expensive,"
> when
many experts agree it would not be so expensive to
> coerce
enough votes to swing an election.
> - the author is confused about the term "encryption," in
> Appendix D, where the term is used where "cryptography"
> is
probably the intention. The three bullets respectively
> concern authentication, integrity protection, and
> confidentiality. Encryption is only about
> confidentiality.

> - the trade-off between coercion and verification is a
> false one. Much work, specifically in the area of
> open-audit voting and universal verifiability has shown
> how both can be achieved. The author is certainly free to
> dislike those approaches and document the reasons for the
> dislike, but the claim that the trade-off is necessary is
> factually incorrect.
> - there is zero framing of the problem within the
> existing
literature. How does this compare to blind-
> signature based
online voting, e.g. the FOO protocol?
> What about
pre-voting (Rivest), which seems to have some
> important
similarities regarding canceling one's online
> vote?

> - the discussion of network topology and protocols is
> very
haphazard and references no existing work in robust
> network design.
> - bold claims are made without any evidence or even a
> proof sketch. For example: "Internet voting in an open
> vote, open source network offers unprecedented
> opportunity
for election security". How so, when most
> experts believe
Internet voting is highly insecure?
> =======================================================================
> This paper describes a remote voting system which offers
> a
physical analogy to the well-known blind signature
> approach. While it's quite clear that the author has
> put
a lot of time and careful thought into this design,
> it
seems to offer nothing that can't be achieved via
> simpler
and less expensive means while introducing
> additional
assumptions and vulnerabilities.
> The primary drawback of the blind signature approach is
> that it enables election administrators to substitute
> votes of their own choosing for any voters who do not
> cast
votes. Although this threat is briefly discussed
> (appendix c.1.2.2), the mitigations suggested are far
> from
> The entire issue of remote voting is quite controversial,
> and the author creates a false dichotomy by suggesting
> that there is a trade-off between an open-auditing
> approach and an approach that prevents retail coercion.
> While it is very difficult and probably impractical to
> prevent retail coersion in a remote voting system, it is
> certainly possible to have both open-auditability and
> protection from coercion in poll-station voting systems.
> In comparing retail and wholesale fraud, the author makes
> the incredible claim that "... retail fraud is much less
> likely to happen, ..." This is absurd as some retail
> fraud is virtually certain to happen in any election that
> admits more than a small number of remote votes.
> Coercion
is a real problem in elections, and the attempt
> to dismiss
it so easily is misguided. One can certainly
> argue that
the consequences of wholesale fraud are more
> severe, but
to claim that it is more likely than retail
> fraud is
> Claims made about the use of CAPTCHAs are also naive.
> The
idea that needing to recognize a small amount of
> obscured
text will provide security ignores the facts
> that it is
inexpensive for humans to perform these tasks
> and that
machines have generally become quite good at
> this without
> human intervention. Indeed, the entire
> notion of
wholesale attacks that could be inflicted by
> the use of
viruses or exploitation of other
> software/hardware
vulnerabilities seems to be given
> minimal treatment.

> The author should be commended for the care, thought,
> and
effort put into this work, but it is a mistake to
> work in
a vacuum. As is clear from both the text and
> the meager
list of references, the author is not well-
> versed in
related literature on this subject. Any
> credible work on
this subject needs to include a
> thorough comparison to
related work and demonstrate
> clear benefits to all such
related work. This simply
> hasn't benn done here.