John R. Levine writes, quoting others:
> > >Did any of you see this
> > >http://www.votehere.net/content/Products.asp#InternetVotingSystems
> > >
> > >that proposes to authenticate the voter by asking for his/her/its SSN#? 
> > 
> > It looked like the idea for this part was to prevent double voting,
> > plus make sure that only authorized people could vote.  It wasn't
> > necessarily SSN, it could be name/address/date of birth or whatever.
> > Similar to what is done when you go and vote in person.
>
> It's not similar at all.  Here in New York, for example, where I used to be
> an election inspector, the voter list includes your signature, age, sex, and
> usually (if you gave them when you registered) your height and eye and hair
> color.  Each voter has to sign, and if the signature isn't similar enough or
> the other items looked wrong, we'd ask for better ID.  Each polling place has
> both Democrat and Republican inspectors, the inspectors for one party have an
> incentive to challenge dubious voters of the other party.

There is a wide variation in the amount of validation done at polling
places.  In the local region none of this is done; you are asked to sign,
bug your signature is not checked.  No ID is required, and observers
from political parties are not present.

> The SSN has become a pseudo-secret identifier.  That is, the reality is that
> your SSN is widely available, but many organizations pretend that it's secret
> and will believe that anyone who presents your SSN is you.  Given that the
> SSN is not secret, the lack of biometric data, and the reality that it's a
> whole lot easier to fake network transactions than to fake voting in person,
> this scheme screams "defraud me". 

Note that the original scheme did not refer to the SSN as being especially
secret.  It was used in parallel with date of birth as an example of
something which would not be widely known about a person.  Obviously
date of birth is not particularly secret, but it merely adds an extra
amount of security to the protocol.  Here is how they describe the
authentication process:

: Each registered voter is sent a VERN (Voter Encrypted Registration Number)
: to serve as something the voter "is given." The VERN can be sent by
: email or traditional postal mail. The VERN is often accompanied by a web
: site address where the voter can log-on to the Internet to vote. Once at
: the voting web site, the voter enters the VERN and additional pieces of
: information known only to the voter and election officials (e.g., DOB,
: SSN#) to serve as something the voter "knows."

The main authentication is this VERN which is sent directly to the
registered voters.  The additional DOB/SSN adds extra security, it is
not the basis for the whole authentication.

> Any security system needs a threat model.  I can't figure out what the threat
> model for this system is other than "whip up something quick and easy". 

It seems clear that the system is primarily oriented towards preventing
fraud by election officials and those involved in setting up the
electronic voting.  Historically, this is the greater danger in
election fraud.  Stuffing the ballot box is much easier if you are
the one in charge of delivering the ballots or counting the ballots.
If you actually have to get a bunch of people to try to vote under false
names it is a huge undertaking and unlikely to be kept secret.  Fraud by
corrupting officials is much more cost effective and hence more dangerous.

In this case, the point of the system is to allow everyone to verify that
the counting and recording of the ballots was done honestly.  This ensures
that the officials and operators of the election are doing their jobs
correctly.  It therefore addresses the primary form of election fraud.
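The VERN-plus-DOB/SSN check quoted above, modelled as an added Python example. This is not VoteHere's code and not the author's; the registry layout, the hashing of stored factors, the lockout threshold and the guess-space estimates are assumptions made here for illustration. It shows why the mailed VERN carries the authentication and the DOB/SSN only adds a small margin: a random 128-bit VERN is unguessable, while date of birth and SSN together span well under 50 bits even before allowing for how widely known they are.

```python
"""Added example (not VoteHere's code): a minimal model of the VERN plus
DOB/SSN voter check.  VERNs, voter records and thresholds are constructed
here for illustration."""
import hashlib
import hmac
import math
import secrets

VERN_BYTES = 16          # 128-bit random VERN: the "something the voter is given"
MAX_FAILED_ATTEMPTS = 5  # assumed lockout threshold against online guessing


def _h(value: str) -> str:
    """Hash a factor so the registry never stores VERNs or SSNs in clear."""
    return hashlib.sha256(value.encode()).hexdigest()


class VoterRegistry:
    """Election-side registry: issues VERNs and checks both factors."""

    def __init__(self):
        self._records = {}  # voter_id -> record dict (constructed layout)

    def register(self, voter_id: str, dob: str, ssn: str) -> str:
        """Issue a fresh random VERN for one voter; return it for out-of-band
        delivery (email or post).  Only hashes of the factors are kept."""
        vern = secrets.token_hex(VERN_BYTES)
        self._records[voter_id] = {
            "vern_hash": _h(vern),
            "known_hash": _h(dob + "|" + ssn),  # "something the voter knows"
            "voted": False,
            "failed": 0,
        }
        return vern

    def authenticate(self, voter_id: str, vern: str, dob: str, ssn: str) -> str:
        """Check VERN and DOB/SSN together, enforce one vote per voter and
        lock the record after repeated failures."""
        rec = self._records.get(voter_id)
        if rec is None:
            return "unknown voter"
        if rec["failed"] >= MAX_FAILED_ATTEMPTS:
            return "locked"
        # Constant-time comparisons so timing does not leak which factor failed.
        vern_ok = hmac.compare_digest(rec["vern_hash"], _h(vern))
        known_ok = hmac.compare_digest(rec["known_hash"], _h(dob + "|" + ssn))
        if not (vern_ok and known_ok):
            rec["failed"] += 1
            return "rejected"
        if rec["voted"]:
            return "already voted"   # double-voting prevention
        rec["voted"] = True
        return "accepted"


def factor_entropy_bits() -> dict:
    """Rough guess-space of each factor in bits, assuming a uniform attacker
    guess: VERN is random; DOB is about 100 years of days; SSN is at most
    10^9 values (a generous upper bound, since they are neither secret nor
    uniformly distributed)."""
    return {
        "vern": VERN_BYTES * 8,
        "dob": math.log2(100 * 365.25),
        "ssn": math.log2(10 ** 9),
    }


if __name__ == "__main__":
    registry = VoterRegistry()
    vern = registry.register("voter-1", "1970-01-01", "000-00-0000")  # constructed
    print(registry.authenticate("voter-1", "not-the-vern", "1970-01-01", "000-00-0000"))
    print(registry.authenticate("voter-1", vern, "1970-01-01", "000-00-0000"))
    print(registry.authenticate("voter-1", vern, "1970-01-01", "000-00-0000"))
    print({k: round(v, 1) for k, v in factor_entropy_bits().items()})
```

The registry deliberately keeps the failed-attempt counter across a successful login and refuses a second ballot from the same record, which is the double-voting control the quoted exchange discusses; the entropy figures make the author's point concrete: the VERN is the basis of the authentication, and the DOB/SSN pair adds only an extra margin.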
