On Sun, Jul 18, 1999 at 10:22:24AM -0400, Ben Edelman wrote:
> Joop wrote:
>
> > I still believe that dishonesty of the voters is not the central problem
> > and that web based voting can easily be audited after an election in case
> > the results are challenged.
>
> I'm no expert on membership -- was only peripherally involved in Berkman's
> Representation in Cyberspace Study (see
> <http://cyber.law.harvard.edu/icann/rcs>) and the work of the MAC. But, in
> my mind, "fraud" can occur at any of several levels of the process. It
> could occur with fraudulent registrations -- me registering Benjamin A.
> Edelman, Benjamin B. Edelman, and so on. It could occur with non-fraudulent
> but still "not representative" messages -- like if I signed up as members of
> ICANN everyone I knew (or all the employees of my corporation) and had them
> all vote for me. And it could occur if I simply hacked into the voting
> tabulation system, added a lot of seemingly-legitimate members who voted the
> way I wanted them to vote, and covered my tracks.
>
> Preventing the first seems tricky to me, especially since, for privacy
> reasons, ICANN is understandably hesitant to require identification like a
> photocopy of a driver's license, and in any case there's no international
> standard for identifying documents of that sort. But an outside auditing
> firm -- the kind of thing I understand KPMG to be able to do, for a fee --
> could potentially watch for that sort of problem and let the world know if
> they see what they suspect to be "fraud." Same with the second kind of
> fraud, I suppose, though I'll admit that it'll be harder to know this kind
> of fraud if we are unlucky enough to see it.

Personally, I find the second kind of fraud the most worrisome. In
my opinion we see warning signs every day, and it will be an
immediate, serious problem, because it is very difficult to detect,
and, even worse, is difficult to even define, as it gets to the very
heart of what is meant by "representative". If a whole bunch of
like-minded people join an organization, and vote as a block, there
isn't any clear-cut way to distinguish where fraud steps in. If they
all work for the same corporation, their membership fees are paid by
that corp, they exhibit no knowledge or apparent interest in the
issues, but only show up to vote, then we suspect fraud. But what
could we do about it? And of course, most of those conditions could
be easily concealed.

Other kinds of organizations could be essentially invisible -- a
religious group, for example, or a government, could field a large
number of voters with no obvious connection.

The MAC concluded that the only real guard against such capture is a
very large membership, but it's not clear that ICANN will *ever* have
a really large membership. And besides, a large uninformed
membership ignorant of technical, legal, or other constraints could
do a lot of damage innocently.

> The third kind of fraud is perhaps the most worrisome of all -- if it were
> possible, it would seem to be the "easiest" way to rig an election, and the
> way most certain to have the desired result from the defrauder's
> perspective. But, in my experience with software development, it seems like
> something we should be able to prevent, primarily through careful review of
> the code and infrastructure that make up the online voting system. I'm
> thinking of a sort of peer review -- a group of talented programmers,
> security experts, professionals who do exactly this kind of thing all the
> time -- who would examine the system, perhaps try to hack in (anyone see the
> movie _Sneakers_?), and report their findings. This would of course require
> the permission of the author and administrator of the software, which makes
> me ask...
>
> Joop, would you be willing to submit your code for peer review? By a small
> group of professionals, or by the entire community? I can understand good
> reasons why you might not be -- despite the growing respect given by the
> programmer community to open source, there are those, including myself I'll
> admit, who have our doubts. But I can easily imagine a credible argument
> being made for why any voting software used by ICANN has to be open, at the
> least, to a select panel of software security experts, and perhaps to the
> world at large.
>
> Thoughts from others?

Peer review of the code doesn't do the job at all, unfortunately.
How do you know that the reviewed code is in fact the code being
used? How do you know that Joop doesn't go in and manually change the
logs and the results? Or an employee of his?

A review of the system could build *some* confidence that a hacker
couldn't break in and change things. That is actually pretty far
down on my list of concerns, though.

The basic problem is this: barring complex and totally unrealistic
cryptographic protocols, there is no way to do a secret ballot
election without a Trusted Third Party. How do you find a TTP for
the highly contentious international arena we are playing in?

Ideally the TTP should *actually* be trusted, and neutral to all
concerned, but this is very tricky. There was, for example, some
discussion of the American Arbitration Association managing the
election, and we were assured that the AAA is highly respected etc.
But the fact remains that the AAA is an unknown to most of the human
race, and hence, on the face of it, not trusted. In some circles,
the word "American" automatically makes it suspect.

To summarize a potentially lengthy argument, international secret
ballots over the Internet are, IMO, quite problematic.

[An obvious counter-example is the share-holder elections that are
being held via email these days. However, there are substantive
differences: shareholder elections involve a very large voting
population, the issues are not important to most shareholders, and
the large shareholders who care and are decisive votes, probably
don't use the Internet for voting.]

However, if you drop the secret ballot requirement, and go to the
Internet equivalent of open roll call voting, such as is used in
Congress or other deliberative bodies (and that people demand of
ICANN), these problems are greatly reduced, and some are effectively
eliminated.

--
Kent Crispin "Do good, and you'll be
[EMAIL PROTECTED] lonesome." -- Mark Twain
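
Added example, not part of the original message: a sketch of how an open roll call lets anyone audit the operator's result without a trusted third party. It assumes the operator publishes every (member, choice) entry alongside a public membership roll; the function name, field names and sample data are constructed for illustration.

```python
from collections import Counter

# Constructed sample data (hypothetical members and choices).
MEMBERS = {"alice", "bob", "carol", "dave"}            # public membership roll
OWN_VOTES = {"alice": "yes", "bob": "no",              # what each member says
             "carol": "no", "dave": "no"}              # they actually cast
PUBLISHED = [("alice", "yes"), ("bob", "yes"), ("carol", "no"),
             ("erin", "yes"), ("alice", "yes")]        # operator's roll call
ANNOUNCED = {"yes": 4, "no": 1}                        # operator's result


def audit_roll_call(published, announced, members, own_votes):
    """Check a published roll call against public data and voters' own records."""
    findings = {"duplicate": [], "not_a_member": [], "altered": []}
    seen = {}
    for member, choice in published:
        if member in seen:                      # same name counted twice
            findings["duplicate"].append(member)
            continue
        seen[member] = choice
        if member not in members:               # padded entry
            findings["not_a_member"].append(member)
        elif own_votes.get(member, choice) != choice:
            findings["altered"].append(member)  # voter disputes the record
    # Members who voted but were left off the published roll.
    findings["dropped"] = [m for m in own_votes if m not in seen]
    # Anyone can redo the arithmetic on the published entries.
    recount = Counter(seen.values())
    options = set(recount) | set(announced)
    findings["tally_mismatch"] = any(
        recount[o] != announced.get(o, 0) for o in options)
    for key in ("duplicate", "not_a_member", "altered", "dropped"):
        findings[key].sort()
    return findings


if __name__ == "__main__":
    for check, result in audit_roll_call(
            PUBLISHED, ANNOUNCED, MEMBERS, OWN_VOTES).items():
        print(f"{check}: {result}")
```

Fraudulent registrations and bloc voting, the first two kinds of fraud in the thread, pass this audit unchanged, because those entries are listed members whose votes are recorded as cast.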