
Voting and Information Security

In this post I will present my thoughts on voting from the point of view of information security. First of all, the topic is aimed at IT specialists who want a coherent picture, in terms they understand, of what fair voting is. What is described applies to electing a moderator, to a jury vote when awarding prizes, to referendums, to presidential "races", and so on. In such reasoning it would be more correct to use the word "vote" everywhere, but for brevity and to avoid repetition I will sometimes write "elections".
Below we will look at elections from an IT point of view, highlight the basic principles, goals and stages, and also talk about the vulnerabilities of voting systems and the attacks on them.
In other words, an election will be treated as a game with certain rules and roles. We will also consider a certain system (a complex of software, hardware and organizational measures) for conducting this game, and consider how to protect it from cheaters.
Note that the article is not about politics. Those who wish to discuss something political in the context of this article are strongly encouraged to do so not in the comments but somewhere else.

Principles


  1. Goal balance

    Almost always, complex projects have several goals and many requirements, and almost always they conflict with each other.
    Ideally we should achieve all the goals. But it is not always possible to deliver 100% on every item. In such cases one must not go to extremes; instead, analyze the situation, understand what matters more, and consciously lower the bar on one of the criteria, making an appropriate public statement about it.

  2. Falsifiability (verifiability)

    The system must be built so that an error in its operation can be proven, if such an error occurred. If this is not the case (that is, whatever happens, the organizers will declare the vote a success), then this is no longer an election but a religious cult with constantly supplemented commandments. In other words, when announcing the results the organizers should play a purely formal role: by the time voting ends, everyone should be able to determine unequivocally, from all the available data, whether the election took place and what its result is.
  3. Presumption of “guilt”

    When designing or operating a voting system, one must adhere to the scientific method: instead of continuously confirming that the vote was organized successfully, proceed from the opposite assumption and continuously test the hypotheses that "something went wrong". That is, each hypothesis that "something went wrong" is considered true until the opposite is proved. Refuting such hypotheses one after another (the most "dangerous" ones first) is precisely what the organizers are engaged in.

  4. Transparency, openness and publicity

    I do not think many words are needed here. Let me just say that, in a sense, this principle is laziness: it is hard for one person or a small group (the organizers) to check everything. So instead, publish all the data and let people test the hypotheses they consider the most "dangerous". Enough information should be published to verify any stage of the election, but in general the secrecy of the vote must be respected, and there may also be restrictions related to the protection of personal data.

  5. "Think like a criminal"

    This principle means that when designing, modifying and operating the system you need to constantly ask yourself: "What can go wrong here?", "Can I change the voting results so that no one learns of my interference?", "Do I (or anyone) have the opportunity to add or remove a candidate without a formal procedure?", and so on.

  6. Continuous Vulnerability Removal

    A complete analogy with bug tracking. Of course, if a vulnerability is found it must be fixed, like any bug. Enough time must be allocated to the checks themselves, to the search for bugs, without rushing to "ship the release". Each complaint about the system (bug report) must be registered (saved) and considered. A decision must be made on it, including an assessment of the impact of the found vulnerability on the course of the current vote. If the vulnerability requires changes to the system, these changes should be planned. All of this refers not only to the software but to the full complex, which may include, say, training courses for the operators who enter data into the system.
    All complaints, together with the decisions taken on them, are as important a part of the final report as the voting results.


All these principles are closely related to each other. Abandoning one of them makes the rest meaningless.

Roles


  1. The organizers

    The Organizers are those who administer the system. They can and should improve it, and only they have this right. They announce the start of the election campaign, make sure that everything happens within the announced rules, and publish the results and reports. In theory the role of the Organizers can be fully automated; in practice, in large polls, it is partially automated.
    Automation is not a cure for deception in voting. On the contrary, machines can lie far better than people: they can display, print and publish perfectly consistent data while ignoring some of the rules and playing entirely on the side of some interested party, including taking commands from it over the Internet or a radio module. Even if the source code of the system is published, it is impossible to prove that exactly this code was run on an arbitrarily chosen machine, and it is almost impossible to prove the absence of hardware implants.

  2. Nominated

    These are those who can become a Candidate.

  3. Nominating

    Those who have the right to nominate Candidates. These can be some representatives of a jury, the Nominees themselves (if they are people), or an automatic procedure.

  4. Candidates (applicants)

    Accordingly, those who received a nomination. One or several of them will be chosen. In some cases information about who exactly the Candidates are is not published (sometimes until the results are determined, sometimes never): only their achievements, the number of lines of code attributed to them by blame, income, characteristics or parameters (delete as appropriate) are available.

  5. Eligible to vote

    All citizens of a country or a city may have the right to vote. Organizers, Nominators and Candidates may or may not be among the many users with this role.

  6. Voters

    Voters are users of the voting system who decide to exercise this right. This is not about the act of voting itself, but about consenting in principle to become a Voter, that is, to study the Candidates' profiles and, if one of them is found worthy, give them one's vote (or votes). Often this agreement in principle is neither recorded nor required, that is, all Voters = all those Eligible to vote.
    A Voter may have one vote, several, or even a fractional number of votes. One can even devise "elections" where some Voters have a positive number of votes and others a negative one.

  7. Voted

    These are Voters who have cast their vote. As a rule, after that they can no longer vote in the current vote.

  8. The watchers

    In principle this role may not be required. That is the case if any stage can be watched by anyone at all (sometimes this is the most correct approach). A separate role in the system may be required if Observers are given additional rights, such as access to the lists of those Eligible to vote. Another option is when the Observers (or some of them) are professional auditors who have a veto over the voting results and are accountable for misuse of that right.


When it comes to roles, the tasks of authentication and authorization naturally arise: the system must take care not to let in anyone it should not, and not to let anyone do anything beyond their role.
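The following is an added example, not code from the original article, of what "not letting anyone do anything extra" looks like in practice: a permission table keyed by role and stage, with everything not in the table denied, forward-only stage transitions, and denied attempts written to the same audit log as successful actions so the analysis stage can see them. The role names are the article's; the stage names are a subset of those in the Stages section below; the permission table, the data model and the actors in `demo()` are assumptions made for this illustration.

```python
"""Stage-gated, role-based authorization for a small voting system.

Added example, not code from the original article. Role and stage names follow
the article; the permission table, data model and sample actors are assumptions.
"""
from dataclasses import dataclass, field

# Stages in the order they occur (a subset of the article's list).
STAGES = ("registration", "nomination", "collection", "counting", "announced")

# (role, action) -> stages in which that role may perform that action.
# Anything absent from this table is denied: nobody gets to do anything extra.
PERMISSIONS = {
    ("organizer", "open_stage"): STAGES,
    ("organizer", "read_roll"):  STAGES,
    ("nominator", "nominate"):   ("nomination",),
    ("voter",     "cast_vote"):  ("collection",),
    ("observer",  "read_roll"):  ("collection", "counting", "announced"),
}


class Denied(Exception):
    """Raised for any action the caller may not perform at the current stage."""


@dataclass
class Election:
    roles: dict                                   # user -> set of role names
    stage: str = STAGES[0]
    candidates: set = field(default_factory=set)  # announced Candidates
    votes: dict = field(default_factory=dict)     # voter -> choice (the Voted)
    log: list = field(default_factory=list)       # append-only audit trail

    def _log(self, user, action, outcome):
        self.log.append((self.stage, user, action, outcome))

    def _deny(self, user, action, reason):
        # Denied attempts are logged too: they are the anomalies and complaints
        # that the analysis stage needs to see.
        self._log(user, action, "denied: " + reason)
        raise Denied(f"{user} {action}: {reason}")

    def _authorize(self, user, action):
        held = self.roles.get(user, set())
        if not any(self.stage in PERMISSIONS.get((r, action), ()) for r in held):
            self._deny(user, action, f"no right to {action} during {self.stage}")

    def open_stage(self, user, stage):
        self._authorize(user, "open_stage")
        # Stages only move forward, one step at a time: vote collection cannot be
        # quietly reopened once counting has started.
        if stage not in STAGES or STAGES.index(stage) != STAGES.index(self.stage) + 1:
            self._deny(user, "open_stage", f"cannot move from {self.stage} to {stage}")
        self._log(user, "open_stage", "ok")
        self.stage = stage

    def nominate(self, user, candidate):
        self._authorize(user, "nominate")
        self._log(user, "nominate", "ok")
        self.candidates.add(candidate)

    def cast_vote(self, user, choice):
        self._authorize(user, "cast_vote")
        if choice not in self.candidates:
            self._deny(user, "cast_vote", f"{choice!r} is not an announced Candidate")
        if user in self.votes:  # a Voter who has already Voted cannot vote again
            self._deny(user, "cast_vote", "already voted")
        self._log(user, "cast_vote", "ok")
        self.votes[user] = choice

    def read_roll(self, user):
        self._authorize(user, "read_roll")
        self._log(user, "read_roll", "ok")
        return sorted(u for u, rs in self.roles.items() if "voter" in rs)


def attempt(fn, *args):
    """Run an action; True if it was allowed, False if the system denied it."""
    try:
        fn(*args)
        return True
    except Denied:
        return False


def demo():
    """Walk constructed actors through the stages; returns the final Election."""
    e = Election(roles={"org": {"organizer"}, "nom": {"nominator"},
                        "obs": {"observer"}, "alice": {"voter"}, "bob": {"voter"}})
    e.open_stage("org", "nomination")
    e.nominate("nom", "X")
    e.nominate("nom", "Y")
    e.open_stage("org", "collection")
    e.cast_vote("alice", "X")
    e.cast_vote("bob", "Y")
    attempt(e.cast_vote, "alice", "X")   # second vote: denied
    attempt(e.nominate, "nom", "Z")      # nomination during collection: denied
    attempt(e.read_roll, "bob")          # a plain Voter has no such right: denied
    e.open_stage("org", "counting")
    return e


if __name__ == "__main__":
    for record in demo().log:
        print(record)
```

The point of routing every action through one table is that the question "can anyone do anything extra?" becomes a review of a few lines rather than of the whole code base, and the log of denials is evidence for the final report rather than something that silently disappears.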

Goals


  1. Elections must take place

    This may seem too obvious, but this goal cannot be left out. Otherwise it is possible to "tighten the screws" so much in pursuit of the other goals that holding the election becomes simply impossible.

  2. The Nominators should form the intention to nominate Candidates.

    Organizers must:
    • notify all Nominators about the upcoming election;
    • explain to the Nominators their rights;
    • present all Nominees to the Nominators (not necessarily every Nominee to every Nominator);
    • provide the Nominators with the possibility of independent, objective judgment without outside pressure.

  3. Those eligible to vote should form an intention to vote.

    Organizers must:
    • inform all those Eligible to vote about the upcoming election;
    • explain to the potential Voters their rights;
    • provide the (potential) Voters with the possibility of independent, objective judgment without outside pressure (both about whether to become a Voter and about which Candidate to vote for).

  4. Every wishing voter must vote

    In other words, the intention to vote must "turn" into a registered vote. (And nothing else should "turn" into a vote!) This applies to absolutely all Voters, even if they are in space, cannot walk, cannot see, or are ill.

  5. The secret of voting must be ensured.

    This goal is not always present, and sometimes it is present only partially.
    There are two kinds of voting secrecy: strong and weak. Weak secrecy leaves the Voter the option of proving, if he wishes, how he voted. Strong secrecy does not allow this.

  6. Voices must be correctly counted.

    This means that the system must recognize each vote correctly and take it into account.

  7. The correct results should be announced.

    Despite the open data and the independent verification by Observers, most of those interested in the current election will get the results from the Organizers. Therefore it is very important that the final report fully reflects the results. Such a report should contain both short answers (who won, how much money was spent, how reliable the results are) and more detailed data (how many votes each Candidate received, what exactly the money was spent on, where the money came from, which goals were achieved, how many attacks were repelled, whether the control ratios converged, which errors were found and how they were handled).

  8. The cost of organizing elections must be in the budget.

    These are harsh realities. Budgets are always limited, while pedantry and high reliability are very expensive. A good way to reduce costs is cooperation with other Organizers and the use of jointly developed systems.
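The distinction between weak and strong secrecy in goal 5 above becomes concrete once the vote is recorded as a hash commitment on a public bulletin board. The following is an added example, not code from the original article or any real voting system: with a weak-secrecy receipt the Voter holds the nonce and can open the commitment to anyone, which is exactly what a vote buyer or coercer (the "Pressure" item later on) needs; with a strong-secrecy receipt the Voter can still find his entry on the board but cannot show which choice it encodes. The commitment layout (SHA-256 over nonce and choice), the two receipt formats, the candidate list and the voter ids are assumptions for the illustration.

```python
"""Weak vs strong secrecy of the vote, made concrete with a hash commitment.

Added example, not code from the original article. The commitment layout,
the receipt formats and the sample voters are assumptions; not a full scheme.
"""
import hashlib
import secrets

CANDIDATES = ("A", "B", "C")  # constructed sample


def commit(choice, nonce):
    """Bulletin-board entry for one ballot: hides the choice while the nonce is secret."""
    return hashlib.sha256(nonce + b"|" + choice.encode()).hexdigest()


def cast(choice, weak):
    """Record a ballot; returns (board entry, receipt handed to the Voter).
    Weak secrecy: the receipt carries the nonce, so the Voter can open the commitment.
    Strong secrecy: the Voter gets only the entry, enough to find it on the board
    but not enough to show anyone which choice it encodes."""
    nonce = secrets.token_bytes(16)
    entry = commit(choice, nonce)
    return entry, (entry, nonce if weak else None)


def proves_choice(receipt, claimed, board):
    """The check a vote buyer or coercer would run: does this receipt prove the claim?"""
    entry, nonce = receipt
    if entry not in board or nonce is None:
        return False
    return commit(claimed, nonce) == entry


def brute_force(entry, candidates, guessable_nonces):
    """If the nonce is guessable (say, derived from the voter id), even the strong
    receipt leaks the vote: just try every (nonce, choice) pair against the entry."""
    for nonce in guessable_nonces:
        for choice in candidates:
            if commit(choice, nonce) == entry:
                return choice
    return None


if __name__ == "__main__":
    board = set()
    e_weak, r_weak = cast("B", weak=True)
    e_strong, r_strong = cast("B", weak=False)
    board.update({e_weak, e_strong})
    print("weak receipt proves B:  ", proves_choice(r_weak, "B", board))    # True
    print("strong receipt proves B:", proves_choice(r_strong, "B", board))  # False
    # A system that "saves cost" by using the voter id as the nonce (constructed).
    leaky = commit("C", b"voter-0042")
    guesses = [b"voter-%04d" % i for i in range(100)]
    print("guessable nonce leaks:  ", brute_force(leaky, CANDIDATES, guesses))  # C
```

The last case is the caveat a practitioner should take from this: strong secrecy is not a property of the receipt format alone. The moment the nonce is predictable, anyone with the board and a candidate list can recover every vote offline, so the "secrecy" goal is lost without any detectable interference.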


Stages


  1. Situation analysis and system update

    At this stage the Organizers must understand whether they can hold the vote with the current version of the system, that is, whether the goals will be achieved. It is possible that the system requires revision, and then this revision should happen before the registration stage.

  2. Preliminary agitation

    The Organizers announce the dates and time of the vote and what or whom it concerns. They publish the rules (the clarified principles, goals and stages) and reports (what has changed since the last vote). They spread information about the roles and their rights and take measures to protect those rights.

  3. Registration

    First the Organizers themselves register, then the Nominators and Voters, then the Nominees.

  4. Nomination

    The Nominators nominate Candidates. This stage can be combined with the registration stage.

  5. Candidate Announcement

    The Organizers announce the list of Candidates to all participants, provide the main official, reliable information about these Candidates, and publish a preliminary report.

  6. Agitation

    This is the stage that is hardest to formalize (and therefore the most frequently and successfully attacked).
    In the simplest case, campaigning can be purely virtual, that is, it happens only in the heads (or the working memory) of the Voters, using the official information.
    But more often than not this is not enough for objective judgment and fair voting. In that case the Organizers still try to formalize the campaigning process: the easiest way is to control the resources used by the Candidates or their representatives for campaigning. Initially the resources may belong to anyone: Organizers, Voters, Candidates, their representatives. Candidate representatives may even be people who have no role in the system at all. The distribution of resources does not have to be even: some Candidate may get more and some less, if the Organizers consider (and can prove) that such a distribution makes the campaign fairer. The main thing is that all of this is reflected in the final report.

  7. Gathering votes

    The most visible stage of any vote. The collection of votes can be classified by two criteria:

    • In person and remote

      In the case of in-person voting, the Voter casts a vote while present in a designated voting territory. The contrast is remote (absentee) voting, including via the Internet and by mail.

    • With and without evidence

      In the case of voting without evidence, the Voter's vote immediately increments some counter, and, for example, a recount is then impossible. In the case of voting with evidence, after the Voter has expressed his will some evidence of it remains in his hands and/or with the Organizers.
      Such evidence must be well protected. However, one should not forget about all the other goals, including the secrecy of the vote and the optimal cost.


    A specific vote may use one or more methods of collecting votes. Emergency measures such as early voting may also be applied. Naturally, the relevant statistics should be included in the report.

  8. Counting votes

    Votes can be counted manually after the collection of votes and/or automatically, including during the collection. As noted above, in general machines cannot be trusted. On the other hand, manual counting is always more expensive, and people often make mistakes. So a good compromise at this stage is extremely important.

  9. Analysis

    At this stage the main checks of the collected data and the analysis of logs take place. People who were engaged in direct observation should now have time to think and write down their observations. At the end of the stage the final report is compiled.

  10. Announcement of results

    The final report is published, voting is considered completed.

  11. System improvement

    During the vote, and especially during the analysis stage, many confirmed vulnerabilities may have accumulated. At this stage, which gradually turns into stage 1, the Organizers change the system to protect against the relevant attacks. Some temporary solutions can become permanent, some are rejected in favor of more general ones, and so on.
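The counting and analysis stages above, combined with the "presumption of guilt" principle, amount to a concrete procedure: list the hypotheses that "something went wrong", and refute each one from the evidence (the ballot-issue log, the cast ballots, the roll, the machine's announced tally). The following is an added example, not code from the original article, that runs that procedure over constructed records; the record formats, the hypothesis list and the sample data (one Voter issued two ballots, one cast ballot that was never issued) are assumptions for the illustration. The one thing it shows that the prose does not is why the report needs control ratios and not just totals: the machine's announced tally here agrees perfectly with an independent recount, and only the issuance control ratio exposes the stuffed ballot.

```python
"""Analysis stage: test each 'something went wrong' hypothesis against the evidence.

Added example, not code from the original article. The record formats and
the sample data are constructed for this illustration.
"""
from collections import Counter

# Constructed sample: five eligible voters, one precinct, two candidates.
SAMPLE_ROLL = ["v1", "v2", "v3", "v4", "v5"]
SAMPLE_ISSUED = [("v1", "b1"), ("v2", "b2"), ("v3", "b3"), ("v3", "b4")]  # v3 got two
SAMPLE_CAST = [("b1", "A"), ("b2", "B"), ("b3", "A"), ("b4", "A"), ("b9", "A")]  # b9 never issued
SAMPLE_UNRETURNED = 0               # ballots issued but never put in the box
SAMPLE_CANDIDATES = ("A", "B")
SAMPLE_REPORTED = {"A": 4, "B": 1}  # what the counting machine announced


def recount(cast, candidates):
    """Independent recount from the cast ballots themselves (the evidence).
    A choice that is not on the candidate list is an invalid ballot, not an error."""
    counts = {c: 0 for c in candidates}
    invalid = 0
    for _ballot_id, choice in cast:
        if choice in counts:
            counts[choice] += 1
        else:
            invalid += 1
    return counts, invalid


def audit(roll, issued, cast, unreturned, candidates, reported):
    """Each key is a hypothesis that something went wrong, assumed true until the
    data refutes it; the value is the evidence found (an empty list = refuted)."""
    roll = set(roll)
    per_voter = Counter(voter for voter, _ in issued)
    issued_ids = {ballot for _, ballot in issued}
    cast_ids = Counter(ballot for ballot, _ in cast)
    counts, _invalid = recount(cast, candidates)
    n_cast = sum(cast_ids.values())
    return {
        "voter issued more than one ballot":
            sorted(v for v, n in per_voter.items() if n > 1),
        "ballot issued to someone not on the roll":
            sorted(v for v in per_voter if v not in roll),
        "cast ballot was never issued":
            sorted(b for b in cast_ids if b not in issued_ids),
        "same ballot cast more than once":
            sorted(b for b, n in cast_ids.items() if n > 1),
        # Control ratio: every issued ballot is either in the box or accounted for.
        "issued != cast + unreturned":
            [] if len(issued) == n_cast + unreturned
            else [(len(issued), n_cast, unreturned)],
        # The announced figures must match an independent recount of the evidence.
        "reported tally differs from recount":
            sorted(c for c in candidates if reported.get(c) != counts[c]),
    }


def sample_audit():
    """Audit of the constructed sample; returns the evidence per hypothesis."""
    return audit(SAMPLE_ROLL, SAMPLE_ISSUED, SAMPLE_CAST, SAMPLE_UNRETURNED,
                 SAMPLE_CANDIDATES, SAMPLE_REPORTED)


if __name__ == "__main__":
    for hypothesis, evidence in sample_audit().items():
        status = "CONFIRMED" if evidence else "refuted "
        print(f"{status}  {hypothesis}: {evidence}")
```

Every hypothesis that could not be refuted goes into the final report together with the decision taken on it, exactly as the "Continuous Vulnerability Removal" principle asks; a hypothesis that is refuted is still worth listing, because the list of what was checked is what makes the report falsifiable.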


Human factor


People are not machines. We do not always act logically, we skip important text in small print, we are afraid, and our judgments are easily influenced. If the Voters, Organizers or Observers are people, then the human factor should be minimized when organizing the election.

  1. Usability

    A poorly designed ballot, official Organizers' website or campaign material can lead to mass Voter errors. More generally, if there were no human psychology, no fear of expressing one's position openly, there would be no such thing as the secrecy of the vote.

  2. Pressure

    Even if the protection of voting secrecy is impeccable, a threatened Voter may not come to the polls, or may come and vote against his will. The situation with remote voting is particularly difficult.

  3. Propaganda

    A large amount of one-sided information in the media is guaranteed to affect Voters' opinions, making them less objective.

  4. Data perception

    It is difficult for a person to draw correct conclusions if the source information arrives too quickly or if two or more sources broadcast something simultaneously. Therefore, in manual operations such as counting votes, the sequence of actions and regularity are important (parallelism and haste are inadmissible if they can lead to something that someone does not understand).

  5. Laziness

    The Organizers sometimes make mistakes not because they have an interest in the outcome but quite the opposite: quite possibly they are simply too lazy to be meticulous and check everything. If organizing the election is ordinary (and even overtime) work for a person, all he wants is to get rid of it quickly and go home.


Attacker targets


Of course, we do not know the attacker's true motives, but we can assume that his actions are aimed at disrupting our goals, that is:

  1. Disruption of the elections themselves

    Each of the remaining goals has a matching target. The attacker may aim to prevent the Nominators from forming an intention to nominate or the eligible from forming an intention to vote, to stop willing Voters from voting, to break the secrecy of the vote, to corrupt the count, to get false results announced, or to push the cost of the election beyond its budget.



The attacks that serve these targets can in turn be classified along several independent axes: by cost (cheap or expensive), by attribution (anonymous or traceable to the attacker), by detectability (whether the interference leaves evidence), by reversibility (whether the damage can be undone, for example by a recount), by scope (one precinct or the whole vote) and by origin (an insider who holds a role in the system or an outsider).

Obviously, cheap anonymous undetectable irreversible global attacks from the inside represent the greatest danger.


Phew. That was a lot. Of course, it is impossible to list all the possible events, and surely many of the terms, classifications and examples I used here are unsuccessful. But in general I hope I conveyed the idea, and that everyone who read the article can now look differently at such a seemingly simple and far-from-IT thing as voting.

Source: https://habr.com/ru/post/214023/

