eValg: Lyt til en expert

Første februar, klokken 15, på DTU holder Joe Kiniry tiltrædelsesforedrag med titlen "Saving Democracy from Technology", der er fri adgang.

Abstract:

For the past several decades governments around the world have been endangering their own democracies though the reckless use of computers in elections, or what is colloquially known as e-voting. Politicians, bureaucrats, and the general public have high expectations for e-voting. Unfortunately, voluminous evidence shows that e-voting makes elections more expensive, does not increase voter turnout, and removes public control from democracies. Consequently, virtually the entire computer science community is against the introduction of computers in elections. All hope is not lost though. Computer science does have a role in elections. We can improve the correctness and accuracy of elections—not by putting computers in voting booths, but in other, more subtle and surprising, ways.

Indkaldelse her.

Det lyder som en expert nogen burde lytte til...

phk

Kommentarer (70)
sortSortér kommentarer
  • Ældste først
  • Nyeste først
  • Bedste først
Søren Vind

Jeg kan kun anbefale at komme til forelæsningen. Joe har været med til at rådgive regeringerne i (vist) alle lande han har været ansat i til at undlade at indføre e-valg, og det er vist ikke lykkedes endnu. Det har selvfølgelig ført til alle mulige slags problemer for de regeringer efterfølgende. Jeg vil vædde på at han har nogen sjove/triste historier.

  • 10
  • 1
Helge Svendsen

Alle er vel godt klar over, at det bliver mere end svært at finde en model, der er bedre end den, vi allerede bruger i dag.

Også politikerne på Christiansborg - sådan inderst inde.

Det er slet ikke demokratiet, de handicappede eller optællings fejl, der er grunden til dette projekt.

Det bunder i politisk prestige, en blind tro på at IT pixie dust gør alt bedre og et ønske om at få sig et eftermæle. Så må man jo håbe for Vestager, at det bliver det eftermæle hun ønsker sig.

  • 15
  • 0
Lars Lundin

Det er utvivlsomt den samme. Måske er manden i de forløbne 18 måneder blevet klogere - eller i hvert fald mindre ambitiøs.

I så fald kan han være en god inspiration også til politikere.

  • 4
  • 1
Kim Jensen

Ifølge den anden Version2 artikel om om hr. Kiniry/Demtech's project, så vil han bla. ligge hele valghandlingen krypteret op i skyen, idet han bla. siger "...Men hvis stemmesedlerne er krypteret ordentligt, kan man i teorien godt putte dem op i skyen, for så opretholdes den offentlige sporbarhed..."

Men ifølge Whitfield Diffie, som er en af opfinderne af den asymetriske kryptering der bruges 'overalt' idag, så vil alt kendt kryptering snart kunne brydes af kvante computere, se evt. følgende link og læg mærke til spørgsmålet og svaret 1 time og 14 minuter inde i vidoen: http://www.youtube.com/watch?v=1BJuuUxCaaY

Faktisk kan man allerede købe en 128 qubit kvante computer: http://www.dwavesys.com/en/dw_homepage.html

  • 4
  • 2
Kim Jensen

I holland har de været kloge nok til droppe hans KOA e-valg system:

http://kindsoftware.com/products/opensource/KOA/

http://scholar.google.com/citations?view_op=view_citation&hl=da&user=D8a... (download PDF filen)

http://arstechnica.com/gadgets/2008/05/netherlands-says-nee-to-electroni...

EDIT: Jeg har skrevet til den Hollandske aktivist gruppe som fik stoppet e-valg bla. i Holland (http://wijvertrouwenstemcomputersniet.nl/English) og de er meget behjælpelige med at finde op og ned i det hele, og jeg kan anbefale andre at gøre det samme hvis man har tvivlspørgsmål (Chaos Computer Club http://wahlcomputer.ccc.de/ i tyskland har også stor viden om e-valg).

Efter en del research så viser det sig at KAO systemmet har været brugt til valg i Holland, og Joseph Kiniry har så ifølge sit eget udsagn udviklet KOA2 systemet for at påvise problemer med KOA systemt. Det kan ses mange steder at Joseph kritiserer andre e-valg systemer men samtidig også har visioner for opbygningen af et 'sikkert' e-valg system (jvf. f.eks. denne V2 artikel om emnet: http://www.version2.dk/artikel/itu-ekspert-e-valg-bliver-sikrere-end-pap...). Bla. er han her http://www.washingtonpost.com/wp-dyn/content/article/2007/04/17/AR200704... citeret for at sige at når staterne nu alligevel vil have e-valgt systemer så er det bedst at de så bruger hans system ! Det kan i følgende ses at han er igang med udviklingen af et dansk e-valg system som et 'forsknings projekt' (bemærk f.eks. "...Deployment of the technology in real-world elections:..."): http://www.demtech.dk/attachment/wiki/Research%20projects/planning.org

Personlig vil jeg mene at der aldrig kan laves sikre e-valg systemmer hvilket jeg har argumenteret for mange steder, og derfor mener jeg at man skal være meget på vagt overfor folk som kritiserer e-valg, men dog alligevel arbejder med deres egne e-valg projekter, som de mener er bedre end andres. Og uanset om man arbejder på et universitet eller for en konsulent virksomhed eller andet, så kan der selvfølgelig været ekstremt mange penge er at 'sælge sin sjæl til djævelen' og på en eller måde være involveret e-valg system udvikling, uanset om man er et firma eller ej. Derfor mener jeg at min kritik og skepsis er velbegrundet, også selv om Joseph Kiniry måske viser at være imod e-valg. Og jeg vil opfordrer alle til at holde et vågent øje med alle e-valg udviklere og forskere på området, inden nogen får solgt et eller andet system som værende sikkert.

  • 5
  • 1
Kim Jensen

Det viser sig at manden også har været med til at udvikle et e-valg system i Irland, hvilket de dog også har været kloge nok til at droppe. Hans KOA system bygger åbenbart på Java !!!

http://static.usenix.org/event/evt07/tech/full_papers/kiniry/kiniry_html/

http://en.wikipedia.org/wiki/Electronic_voting_in_Ireland

Det kostede dem dog lige 55 millioner € først:

http://www.irishtimes.com/newspaper/breaking/2012/0629/breaking2.html

  • 5
  • 2
Kim Jensen

@Søren Vind, Nikolaj Hansen, Kristian Sørensen

Prøv lige at forstå det rigtigt: Joe Kiniry er en mand som er imod mange typer af e-valg systemer, men som istedet arbejder på at udvikle et bedre system selv. Holland, Tyskland og Irland har heldigvis være kloge nok til at sige nej til e-valg.

Det er vel de lande som Joe Kiniry taler om i den anden Version2 artikel, og som han siger "har ødelagt det for dem selv" !!!

Helt præcist siger han:

"Danmark er det sidste sted i den vestlige verden, vi kan udføre dette eksperiment, fordi alle andre allerede har ødelagt det for dem selv. Men regeringen her har valgt at tilkalde alle eksperter for at få det gjort rigtigt første gang."

Det må vel betyde at den danske regering åbenbart vil have hans e-valg system som ingen andre vil have !

  • 5
  • 3
Kim Jensen

@Nikolaj Hansen

C++ bliver compileret til maskinkode, det gør Java normalt ikke da Java kører som bytecode i en Java Virtuel Maskine. Det ligger så endnu et lag ind der kan hackes og/eller hvor udviklerne af en e-valg maskine kan skjule en modifikation. Desuden så er KOA systemet et meget netværks baseret remote system (læs evt. de links jeg har vedhæftet tidligere) !

  • 3
  • 8
Peter Johan Bruun

Prøv lige at forstå det rigtigt: Joe Kiniry er manden der har været med til, eller hovedmanden bag, udviklingen af de e-valg systemer som bla. Holland og Irland har valgt at droppe. (takket være bla. hacker og aktivist grupper)

Det er nogen meget interessante oplysninger der er kommet frem her, meen: har I læst oplægget til hans foredrag ?

Specielt de sidste linier er opsigtsvækkende:

All hope is not lost though. Computer science does have a role in elections. We can improve the correctness and accuracy of elections—not by putting computers in voting booths, but in other, more subtle and surprising, ways.

  • 6
  • 0
Jens Madsen

Ifølge den anden Version2 artikel om om hr. Kiniry/Demtech's project, så vil han bla. ligge hele valghandlingen krypteret op i skyen, idet han bla. siger "...Men hvis stemmesedlerne er krypteret ordentligt, kan man i teorien godt putte dem op i skyen, for så opretholdes den offentlige sporbarhed..."

Men ifølge Whitfield Diffie, som er en af opfinderne af den asymetriske kryptering der bruges 'overalt' idag, så vil alt kendt kryptering snart kunne brydes af kvante computere, se evt. følgende link og læg mærke til spørgsmålet og svaret 1 time og 14 minuter inde i vidoen: http://www.youtube.com/watch?v=1BJuuUxCaaY

Faktisk kan man allerede købe en 128 qubit kvante computer: http://www.dwavesys.com/en/dw_homepage.html

Han udtaler sig vist kun om den asymetriske kryptering.

  • 0
  • 0
Jens Madsen

@Søren Vind, Nikolaj Hansen, Kristian Sørensen

Prøv lige at forstå det rigtigt: Joe Kiniry er manden der har været med til, eller hovedmanden bag, udviklingen af de e-valg systemer som bla. Holland og Irland har valgt at droppe. (takket være bla. hacker og aktivist grupper)

Det er bla. de lande som Joe Kiniry taler om i den anden Version2 artikel, og som han siger "har ødelagt det for dem selv" !!!

Helt præcist siger han:

"Danmark er det sidste sted i den vestlige verden, vi kan udføre dette eksperiment, fordi alle andre allerede har ødelagt det for dem selv. Men regeringen her har valgt at tilkalde alle eksperter for at få det gjort rigtigt første gang."

Det må vel betyde at den danske regering åbenbart vil have hans e-valg system som ingen andre vil have !

Et e-valgs system. Bygget på Java. Krypteret i skyen... Og computerne tager selv deres beslutninger, på baggrund af kunstig intelligens? Ingen ved, hvilken computer, der har besluttet hvad. Og hvor.

For mig lyder det mest som fed humor, fra en science fiction!

  • 3
  • 1
Helge Svendsen

C++ bliver compileret til maskinkode, det gør Java normalt ikke da Java kører som bytecode i en Java Virtuel Maskine.

Hvad tror du java vm'en gør for at afvikle bytekoden? Bruger sort magi? :-D

Jeg er forresten udvikler indenfor java/c/c++ osv.

Men det er korrekt at bytekoden er et ekstra lag, som man eks kan sammenligne med en HW hypervisor.

Det er fuldstændig underordnet hvis du har et root exploit.

  • 5
  • 0
Kim Jensen

@Jens Madsen

Om hvorvidt symmetrisk kryptering kan brydes af kvante computere, så er svaret vidst noget nær med et 'våbenkapløb' om hvor store kvante computere man kan bygge i forhold til nøgle længden. Grover's algoritmen kørt på en kvante computer antages at være effektiv overfor symmetrisk kryptering, men kan modvirkes ved at tilføje længere nøgler. Desuden har symmetrisk kryptering det store problem at nogen skal besidde krypterings nøglen, og hvem skal det ? (det skal både 'Bob' og 'Alice', derfor opfandt man asymmetrisk kryptering). Det eneste man mener er sikkert imod kvante computere er kvante kryptering. Og det er så udfra hvad der lige p.t. er offentliggjort om emnet, men hvad så med alt det der evt. ikke er offentliggjort ? Og uanset hvad, så ved vi alm. mennesker nok ikke så meget hvad f.eks. militær og stater osv. kan ! Viden er magt og hemmelig viden er endnu mere magt ! Og i forhold til e-valg, så er det jo netop bla. staterne og magthaverne som folket skal beskyttes imod, og tror du f.eks. at NSA fortæller os alt om hvad de ved om f.eks. kryptering ?

Spørgsmålet er så om vi skal satse hele verdensmagten på en hel masse som vi ikke ved meget om med sikkerhed ?

Folk før os har i generationer og i millionvis gået i døden for at kæmpe for frihed og demokrati, og skal det hele så bare satses ved at indføre et e-valg system som muligvis ca. kan være sikkert måske ??? Når en Hitler type først har fået taget magten og landene, så er det for sent ! Så det er nu inden det sker at vi har muligheden for stoppe det ! Og det kan kun gøres ved at sige nej til e-valg, istedet for de her diskusioner om hvorvidt IT er sikkert nok til e-valg eller ej. Vi lever i en tid hvor vi er midt i et gigantisk våbenkapløb og hvor vi hører om hackninger hver dag, og det er typisk hackninger af systemer man kun har adgang til udefra, og skal vi så tro på et system som magthaverne har fuldt og helt adgang til, at det på nogen kan beskytte os imod magthaverne selv ? Folk er simpelhen for dumme hvis de hopper på den !!!

I Holland kunne de fatte at få stoppet e-valg:

http://wijvertrouwenstemcomputersniet.nl/English

Og den tyske Chaos Computer Club kunne fatte det:

http://wahlcomputer.ccc.de/

Hvornår kan Danmark så fatte det ???

  • 7
  • 1
Kim Jensen

@Nikolaj Hansen

Nu snakker vi her om en valg computer, noget hvor folket skal beskyttes imod evt. korrupte teknikere mv., og ikke et system der kun skal forsvares imod en udefrakommende hacker. Læser du hvad jeg skriver, inden du skriver ? Dels, så er KOA systemet et nætværks system. Og desuden så er JVM er et ekstra lag hvor modificeret kode kan gemmes (f.eks. af udvikleren). Jo, det har betydning. Flere lag øger jo ikke ligefrem sikkerheden, du har vel hørt om KISS, ikke rockgruppen, men princippet: Keep It Simple Stupid ! Og hvad er i det hele taget ideen i at lave tråden om til en diskusion om Java kontra C++ ? Og selv hvis han skrev alt i C++, så vil e-valg stadig være en trussel imod vores demokrati ! Selv hvis det blev skrevet i maskinkode vil det være en trussel.

  • 4
  • 8
Casper Thomsen

Trusting Trust hacket skal forhindres uanset hvilken compiler som producerer maskinkoden. Og hardwaren skal være trusted. Og maskinerne som laver hardwaren ... Kan vi så stoppe drømmeriet?

Og kan vi så få vores papirstemmesedler for-sorteret af noget maskineri, så vi kan få en nogenlunde præcis maskin-optælling (som de valginteresserede kan se et live kagediagram over på skærmen) efterfulgt af en håndoptælling (-sortering/-verifikation)? Et system hvor "nok" personer fra et ("forskelligt nok") andet parti har kigget "nok" af bunken igennem med stemmer på et givent parti (eller person) hiver formentlig fejlraten ned på noget negligérbart.

  • 5
  • 2
Kim Jensen

KOA systemet som er blevet brugt i Holland var Java og skulle betjenes via et web interface !

https://www.security.nl/article/15902/1 (brug Google translate)

En anden beskrivelse af systemet kan ses her:

http://www.academia.edu/451187/Formally_Counting_Electronic_Votes_but_St...

Det virker så som om at danske Demtech arbejder videre med udviklingen af et e-valg system:

http://www.demtech.dk/wiki/Electronic%20Voting%20Technology

http://www.demtech.dk/wiki/Research%20staff

  • 4
  • 4
Erik Cederstrand

Hej Kim

Kan vi skrue lidt ned for konspirationsteorierne? DemTech med Joseph Kiniry, Carsten Schürmann m.fl. er mig bekendt de eneste i Danmark, som forsker i eValgs-systemer, og har gjort det siden 2007, mener jeg, hvor jeg som studerende lavede et eValgs-projekt på ITU med Carsten Schürmann som vejleder. Hvis du har læst deres publikationer, så vil du vide, at de arbejder med formel verificering af både softwaren og den samlede optælling, noget som burde gøre enhver datalog våd i trussen. Jeg mener ikke, at man kan klandre dem for at være positive overfor forsøg med eValg, når nu det er deres forskningsfelt - dermed ikke sagt at de automatisk synes eValg er en god idé i sidste ende. Du kan i øvrigt læse deres høringssvar her: http://www.demtech.dk/chrome/site/papers/DemTech_Law_Response.pdf

Jeg er enig i, at eValg er en rigtig dårlig idé, men hvis nogen skal rådgive regeringen, så hellere DemTech end CSC eller Diebold.

  • 10
  • 3
Jan Christensen

Jeg synes der bliver talt vel meget om sikkerheden i det ene sprog frem for det andet og der er helt sikkert en masse vigtige hensyn at tage, men hvis hardwaren ikke er sikker er det lige meget hvor god kode man har skrevet.

Uden at blive alt for konspiratorisk så er faktum at det meste hardware vi bruger produceres i Kina og der har i den seneste tid i pressen været skrevet om flere tilfælde af f.eks. Amerikanske føderale organisationer som har været nødt til at stoppe brugen af kinesisk netværksudstyr pga. mistanker om kompromittering af sikkerheden.

Så hvis vi skal lave et e-valg kunne man stille som krav at hardwaren er produceret i Danmark under overvågning af staten.

Mere om sikker hardware der er til at stole på her: http://www.trustedcomputinggroup.org/

/Jan

  • 6
  • 2
Christian Nobel

Er det ikke fløjtende ligegyldigt om vi taler hardware eller software, for resultatet er det samme:

Vi ender med en black-box som borgerne ikke kan gennemskue funktionen af, og som borgerne dermed er nødt til at have blind tillid til.

Så ligegyldigt hvordan vi end vender og drejer den, så står valget enten mellem at diskutere en masse IT mumbo-jumbu voodoo, og dermed accepteres at transparensen i vort demokrati demonteres, eller indse at der er ting der ikke er grund til at hælde IT sovs ud over.

Og lad os så i stedet få en fornuftig debat om hvordan layoutet af stemmesedlerne kan forbedres, og hvordan vi på værdig vis kan hjælpe de medborgere den kan have et problem i forbindelse med selve valghandlingen.

  • 18
  • 0
Kim Jensen

@Erik Cederstrand

Det jeg siger er ikke konspirations teorier, det er konstateringer og/eller analyser vedr. nogle af de mange trusler som kan være forbundet med at indføre e-valg. Men jeg kan forstå at du lever i en eller anden IT jubel bobel hvor det fugter i trussen og hvor solen altid skinner. Men måske endag du finder at ikke alt som glitter er guld, og så begynder at forholde dig kritisk til tingene istedet for ! Og vedr. Joseph Kiniry, så har han i mange år arbejdet med at udvikle eller 'visionere' om et e-valg system bla. i både Holland og Irland, hvorefter Danmark (vidstnok omkring 2007) er blevet hans næste mål (hvilket han jo også selv siger). Men jeg vil virkelig håbe at du som dansker tænker dig meget grundigt om, inden du deltager i at sætte hele vores demokrati overstyr i vanvids e-valg teknologi, som nok skal blive hacket eller misbrugt enten indefra eller udefra før eller siden ! (det viser snart mange års IT erfaring). Og jeg mener ikke at man kan sige at Demtech eller andre e-valg udviklere er bedre end andre, for hvis regeringen accepterer noget af det, så er det slut med demokratiet !

Og vedr. det link du refererede til, så står der ingen steder at Demtech fraråder e-valg, men der kommes istedet med forslag hvad man bør tage hensyn til ved udviklingen af et e-valg system.

  • 4
  • 10
Helge Svendsen

Nu var det jo dig, der startede den store sprog udredning.

Jeg konstaterede bare, at det faktum at Java er "højniveau", som du siger, ikke gør det specielt mere usikkert end eks C++ som også er højniveau.

Ej heller er det specielt mere besværligt at modificere maskinkode lavet i eks c++ end det er, at modificere bytecode.

Og diskussionen er total urelevant, hvis der er et root exploit. Om det er en korrupt tekniker eller et udefra kommende hack, systemet er netværks enabled som du siger, er også stort set urelevant. Resultatet vil være det samme.

Læser du hvad jeg skriver ? Start med indlæg nr 2 i den her tråd.

  • 5
  • 0
Kim Jensen

@Nikolaj Hansen

Jeg synes at dit første indlæg i denne tråd er en 'smuk tale', såfremt du så også er enig med at ingen form for e-valg kan accepteres i et sandt demokrati.

Vedr. det med Java, så vil jeg foreslå at vi lader det ligge, da det alligevel ikke vil være meget bedre hvis et e-valg system blev skrevet i C/C++, maskinekode, mikrokode, VHDL, eller andet, da vi alligevel ender med at alt hardware kan manipuleres hvis man har penge og magt nok (og dermed den software der eksekveres på hardwaren). Dvs. at et e-valg system altid vil være uden for folkets kontrol, og en sag for eksperter og f.eks. industri der alligevel kan manipulere det hele hvis de har adgang til systemet, og for hardwarens vedkommende vil det være meget tæt på umuligt at bevise at der evt. er manipuleret med den.

  • 4
  • 1
Paw Hermansen

Helt enig.
For mig er det en forudsætning for demokrati at jeg tror på, vi har frie og ærlige valg. Vores nuværende valg-procedure er gennemskuelig og let forståelig hele vejen rundt. Selv de mulige fejlkilder er gennemskuelige og let forståelige.
Selv om den ene eller anden evalgs-procedure vil blive matematisk bevist korrekt og sikker, så tror jeg for det første ikke på at en sådan evalgs-procedure kan laves gennemskuelig og let forståelig, og for det andet vil jeg, selvom jeg er datalog, altid være i tvivl om sikkerheden når hele vejen rundt.

  • 5
  • 0
Kim Jensen

I forhold til Demtech's hørringssvar til folketinget (http://www.demtech.dk/chrome/site/papers/DemTech_Law_Response.pdf), så har jeg bla. andet følgende 2 kritik punkter:

  1. Der står at e-system artefakter skal være under offentlig kontrol, men det vil være absurd at antage at uafhængige eksperter f.eks. skal have adgang til at åbne IC'ere og analysere chip opbygningen (men påkrævet for at kunne garantere sikkerheden, bla. da hardwaren kan have inbygget funktionalitet til at påvirke eksekveringen af den software som eksekveres på den, og bruges til opsnappe og indsætte data ind i den kørende software både før, under, og efter en evt. kryptering som udføres af softwaren). Dels kan en chip idag indeholde milliarder af transistorer oma. Dels så vil en reverse engineering af en chip kræve et meget avanceret mikroskop, hvorved man så igennem et mønster genkendelses system vil kunne lave en reverse engineering, men dette vil være MEGET tidskrævende (og dyrt), og desuden så kan chips idag være 3D strukturer som ikke kan reverse engineeres uden at ødelægge chippen. Dels, så vil man, selv hvis man brugte milliarder på et sådant 'cirkus', ikke kunne vide om det så også er den chip der sidder i IC'en under valghandlingen. Dels, så kan f.eks. printplader indeholde skjult teknologi (f.eks. mikro, nano, eller polymer elektronik systemer), og selv ledere (f.eks. ledninger) kan f.eks. indeholde skjult polymer elektronik eller andet der kan manipulere systemet. Alt ovenstående vil dels kunne blandes med nano teknologi, hvilket vil øge mulighederne for mulige modifikationer væsentligt, og dels evt. også kunne tilsluttes f.eks. RFID lignende antenner skjult som skjulte ledere på chip eller print, og således kunne styres udefra, og f.eks. være lavet som et hook hvor funktioniteten (f.eks. lavet som et FPGA lignende programmerbart system) kan ændres efter behov. Envidere så kan både analog og digital elektronik idag blandes på samme chip, hvilket øger mulighederne for f.eks. at indbygge trådløst kommunikations udstyr osv. osv. osv. Alt ovenstående kan idag laves med kendt teknologi, og desuden vil der sikkert være mange andre modifikations muligheder som jeg ikke lige har tænkt på. Det vil derfor være en 'skruen ude ende process' at verificere systemet, hvilket vil sige at man aldrig vil kunne garantere for sikkerheden i et e-valg system.

  2. Ifølge lovforslaget, så skal der efter IT registreringen, som 'ekstra sikkerhed' maskinelt udskrives en stemme seddel som vælgeren så godkender, og ligger en boks eller lign. Men maskinelt manipulerede stemmesedler kan genudskrives og erstattes med de originale (hvilket beviseligt er sket ved lignende systemer i USA), og selv hvis de indeholder en krypteret ID så kan denne manipuleres af eksperter (som f.eks. har adgang til krypterings nøglerne, eller til kvante og/eller super computere mv.). Dvs. at det vil være bedre og mere sikkert at gøre som man gør idag, nemlig at sætte et 'analogt' kryds på et stykke papir som så evt. derefter kan læses af en maskine, hvorefter stemmesedlen lægges i en boks som idag. Ikke dermed sagt at jeg på nogen måde vil anbefale et sådant system (selv om det vil være meget bedre end det lovforslaget ligger op til), da den manuelle optælling så nok ikke vil blive gjort på selve valgaftenen hvilket væsentligt vil øge risikoen for manupilation af stemmesedlerne. Den model der bruges idag, hvor stemmesedlerne bliver manuelt optælt på valgaftenen af et bredt udsnit af den danske befolkning, giver befolkningen tryghed i forhold til at stemmerne er optælt forsvarligt, og at evt. senere fintællinger ikke afviger væsentligt fra det resultat man er kommet frem til på valgaftenen. Ved ikke længere at sikre at håndafkrydsede stemmesedler bliver optalt på valgaftenen, så fjerner man totalt denne tryghed. Og det er vel ikke planen at der skal afsættes resurser på at stemmesedlerne skal overvåges af et bredt udsnit af befolkningen 24/7 indtil stemmesedlerne bliver manuelt optalte ! I modsat fald, så åbnes der for at stemmesedlerne kan manipuleres efter valghandlingen, hvilket erfaringer fra USA tydeligt viser er et reelt problem. Og et e-valg system hvor vælgeren senere selv kan kontrollere sin stemme vha. af IT (som foreslået af Joseph Kiniry) kan på ingen anses for at være et annonymt valg (bla. pga. af muligheden for at bryde en evt. kryptering med kvante og/eller super computere evt. i udlandet). Konklusionen er derfor at det nuværende system er det eneste som er et sandt demokrati værdigt, og som giver befolkningen både tryghed og anonymitet i forhold til valghandlingen.

  • 4
  • 2
Ulrik Nyman

Glem ikke det vigtigste argument. Selv hvis vi i danmark kunne gøre det helt rigtigt (hvilket jeg ikke tror) så ville vores eksempel få andre til at indføre e-valg.

I mindst et andet land vil e-valg blive brugt til at lave valg fusk!

Vi sætter altså spirende demokratier over styr ved at sætte et dårligt eksempel.

  • 4
  • 0
Erik Cederstrand
  • 5
  • 3
Søren Vind

Du får lige et citat om KOA fra et af dine egne links (som forfatterne har skrevet selv):
"As mentioned previously, this software system is only meant to provide a very high-quality, extensible research platform for computer-based voting -- it is not meant to be used in any governmental elections."
Fra http://static.usenix.org/event/evt07/tech/full_papers/kiniry/kiniry_html/

Og her er om e-valg generelt af Joe Kiniry (i artiklen "Formally Counting Votes But Still Only Trusting Paper", hint-hint):
"In the end, physical (perhaps paper) ballots are the ballots. Digital ballots are only a “shadow” of the physical bal-lot. It is extremely difficult to ensure that digital artifacts are not copied, manipulated, and destroyed—exactly the kinds of manipulations we do not wish ballots to permit."
http://www.academia.edu/451187/Formally_Counting_Electronic_Votes_but_St...

Jeg har meget svært ved at se den ukritiske tilgang til e-valg du påstår. Joe har deltaget i den massive kritik af systemerne i både Irland og Holland, og KOA er et forsøg på at forske i hvordan det kan gøres anderledes. Jeg deler din store skepsis over for e-valg, men lad os lige være saglige her.

  • 5
  • 3
Kim Jensen

@Søren Vind

Hvis du læser Demtech's hørringsforslag til folketinget, så vil du se at Demtech's system i høj grad er planlagt til at blive brugt til virkelige valg. Når Joseph og taler om stemmesedler, så mener han vidst maskinelt udskrevne stemmesedler og ikke håndafkrydsede stemmesedler, hvilket som jeg har forklaret i min kritik på ingen måde kan anses som sikre i forhold manipulation. Og så prøv lige at tage med i dinne betragtninger, at Joseph Kiniry og Demtech vil levere et konkurrerende system til andre systemer, hvilket nok er årsagen til den meget meget 'fine snak' om hvad der er galt med andre systemer osv. Tænk på hvor ekstremt mange penge der i at kunne levere et valgsystem og have magten over det, hvilket vil sige at ingen systemudviklere kan betragtes som uvildige (bla. så vil industrien da betale enorme beløb for få del en af kagen) ! Det er jo nok ikke noget de laver for sikre demokratiet og retfærdigheden, da de jo så vil foreslå at fortsætte med det nuværende system. Hvilket er et system som befolkningen føler tryghed til, men som nogle IT folk, samt den industri der skal levere systemerne, og nogle politekere vil have fjernet, for så i stedet at krænge et e-valg system ned over hovederne på folket !

Edit: Desuden kan det ses bla. i følgende link at KOA er udviklet til den Hollandske regering og at systemt er tiltænkt e-valg (flere link kommer senere):

http://www.washingtonpost.com/wp-dyn/content/article/2007/04/17/AR200704...

https://docs.google.com/viewer?a=v&q=cache:u-LEIdms1yoJ:https://oss.itu....

Følgende dokument beviser helt klart at KOA enten har været tilladt til eller brugt i forbindelse valg i Holland:

http://www.cs.ru.nl/B.Jacobs/TALKS/amast04.pdf

Følgende dokumenter siger helt klart at KOA har været brugt til valg i Holland, samt planlagt til valg i Irland i samarbejde med Joseph Kiniry (desuden så har KOA i Holland været outsourced til konsulent firmaet LogicaCMG som har stået for realiseringen af systemet):

http://www.google.dk/url?sa=t&rct=j&q=LogicaCMG+%22joseph+kiniry%22&sour...

http://www.google.dk/url?sa=t&rct=j&q=%22LogicaCMG%22+%22joseph+kiniry%2...

Læs evt. LogicaCMG dokument vedr. KOA her (brug evt. Google translate):

https://docs.google.com/viewer?a=v&q=cache:JtFZVeM4cL4J:https://oss.itu....

  • 2
  • 2
Joseph Kiniry

Thanks very much to Poul-Henning and Version2 for publicizing my talk! I encourage all interested readers to come and hear what I have to say, what the live online broadcast, or watch the recorded lecture afterwards.

To correct a few statements made by readers here:

  • I am a Scientist/Activist that has always fought against the introduction of computers in elections. It has been, in part due to my activism and my group's research, that The Netherlands and Ireland have banned computers in elections. See the aforementioned "Formally Counting Votes (But Still Only Trusting Paper") paper for the backstory.

  • The KOA system is not out development, as stated plainly on our website. It was developed by contractors for the Dutch government and we were the ones that hacked their system, performed a security analysis of it, criticized it, and eventually convinced them to give up the whole endeavor and then Open Source the system. We then took that system, which was incomplete and just "thrown over the wall", and analyzed it for correctness and security problems. Thus, the KOA system on my website is a critical evaluation of how not to do remote voting, and we only maintain it as a research vehicle for others.

I have never tried to sell any system to any government or company, so the above misrepresentation about such is simply a complete fiction. Everything we do is completely Open Source and is Free. Just read the top-level page of any of our evoting verification experiments to learn more.

  • The verified tally software that we have developed for the Netherlands, Ireland, and Denmark's electoral schemes are done to show how that kind of software---"stuff that counts"---must be developed if you are going to use it for national elections. We are trying to embarrass governments and commercial firms that product evoting software, since the stuff they do produce, which we analyze and criticize, in general, is horrifically bad.

While the Open Source tally system developed for the Dutch was used in one EU election, we then advocated that they shouldn't use even our verified software. I.e., Even if you develop something to the highest quality standards, you should still not use it, but instead run your elections as you have always done.

Thus none of my software has even been improperly used, rejected, or banned by others---it has been rejected by me as a political argument about elections, not a technological one about software correctness or security.

Finally, in general, if governments are going to march forward and try out election software of any kind, despite our advice to the contrary (as witnessed in DemTech's feedback covered in Version2 a few weeks ago), then it is our job as experts and public employees to try to help them to do the Right Thing and not be swayed by politics, vendors, or conspiracy theorists. Thus, if the Danish government is going to move forward with supervised voting with computers, it is my duty to help them do so in the best possible way, despite the fact that I do not think it is the right decision.

Come to my talk to learn more.

  • 18
  • 1
Kim Jensen

@Joseph Kiniry

You cannot both say that you are against IT for voting and at the same time develop an IT system to be used for voting. To me it is obvious that you want your system to be used instead of the other systems. And of course there is a of lot money in developing e-voting machines. We are not stupid! If you really were an activist fighting for democracy then you would agree to ban all sorts of e-voting machines as there are no such things as secure e-voting machines. Almost all IT experts and electronics engineers who are not themselves developing e-voting machines agrees on that.

  • 2
  • 9
Casper Kvan Clausen

Thus, if the Danish government is going to move forward with supervised voting with computers, it is my duty to help them do so in the best possible way, despite the fact that I do not think it is the right decision.


This is where I believe you are wrong, perhaps dangerously so. Anything other than unequivocal rejection will be taken advantage of by politicians and bureaucrats. Quotes will be taken out of context, and they will create a narrative where experts support the endeavor.

I remain convinced the best bet is to withhold any and all assistance, and hope that any implementation which does materialize is a horrific failure (ideally of career ending proportions).

  • 3
  • 0
Flemming Madsen

Hi Joseph

Thank you for commenting here. Always easier when we can talk directly to the parties involved.

Couple of questions:
1) You say that you were involved in hacking the Dutch systems. Was that what we see in this video: https://www.youtube.com/watch?v=sSsyYKgwnVk ?
Rop Gonggrijp is the speaker.

2)Will the DTU lecture be streamed or recorded? I can not attend :o(

3)What do you say to the people (like me and Kim Jensen) who believe that we should not help the government with creating a eVoting system, because then they can say "look, IT people created this and therefore it is safe to use"?

  • 3
  • 0
Erik Cederstrand

3)What do you say to the people (like me and Kim Jensen) who believe that we should not help the government with creating a eVoting system, because then they can say "look, IT people created this and therefore it is safe to use"?

What about "If the government going to disregard everyone's advice and proceed anyhow, then they should at least use this free, open-source, formally verified system instead of the one supplied by Diebold"?

But since you (or at least Kim) are saying something similar to your own quote ("look, IT people created this and therefore they should be tarred and feathered"), then maybe you can help. Would facts and arguments work? If not, then all hope is lost anyhow :-)

  • 0
  • 2
Kim Jensen

@Erik Cederstrand

But the fact is that Demtech according to the document you have linked to previously is recommending to shift to e-voting (and Joseph Kiniry works for Demtech). They do in no way recommend the government to stay away from e-voting. As the Chaos Computer Club and many other experts have stated many times, then there are no such things as secure e-voting machines. Please wake up from your dream before you destroy democracy! And just the fact that Joseph Kiniry is recommending some sort of e-voting system to be used shows that he is speaking with two tongues (as he is not saying that we should ban all sorts of e-voting systems no matter what but instead he has his own e-voting system that he is recommending).

  • 2
  • 6
Erik Cederstrand

But the fact is that Demtech according to the document you have linked to previously is recommending to shift to e-voting

Just because you say it's a fact doesn't necessarily mean it is. Where's that recommendation? Quotes? I see a long list of warnings on losing public control, previously failed experiments abroad, suggestions for amendments to the legislation to make sure any possible, future system is at least as secure as paper-voting, plus lots of requirements for a possible experiment. But no recommendation that it's actually a good idea in the end.

there are no such things as secure e-voting machines.

That's a bold statement. A machine that simply prints out a paper ballot to be counted manually can be perfectly secure. It also doesn't provide much value.

  • 2
  • 3
Kim Jensen

@Erik Cederstrand

It is in no way a bold statement to say that e-voting systems can never be secure (unless you define bold as clear, definite, and bright). As you can read here http://www.version2.dk/blog/evalg-lyt-til-en-expert-49983#comment-226586 then there are a lot of reasons why there are no such things as secure e-voting machines.

If you think otherwise then in my opinion (and many others) you are supporting the destroyment of democracy.

  • 3
  • 4
Peter Johan Bruun

Dear Mr. Kiniry

First of all: congratulations to your new title as a professor. Hopefully I will be able to follow your inaugural speech, either in real life or via the webcast.

I have given your longer statement above thumbs up, because you have stated clearly that your approach is that of a professional towards the subject. This gives credibilty and makes people listen.

However I find your statements final phrase a downside, and feel the need to clarify my thoughts on that:

Finally, in general, if governments are going to march forward and try out election software of any kind, despite our advice to the contrary (as witnessed in DemTech's feedback covered in Version2 a few weeks ago), then it is our job as experts and public employees to try to help them to do the Right Thing and not be swayed by politics, vendors, or conspiracy theorists. Thus, if the Danish government is going to move forward with supervised voting with computers, it is my duty to help them do so in the best possible way, despite the fact that I do not think it is the right decision.

In an IT company I worked for, we had a saying: "<put in company name>, we will do (almost) anything for money :) ". The statement never wen't public, though, however that statement is very true when it comes down to simple money and business operations.

But, in this case we are on the other side of the line for that statement: In relation to e-voting, using that statement, the situation will develop into a matter of selling the soul to the devil. Should we help in implementing electronic voting we will help in prostituting our democracy for something that holds no equal value. In fact democracy is one of the rare things that you can not give a price tag, alongside with trust and other moral feelings.

In my view, with the debate on e-voting, our profession has reached a border which priests and doctors had reached before us: we are now in the area where ethical standards no longer can be ignored as an issue.

Have you not already done so, I would therefore urge you to give the following question your deepest thoughts: Whom do you serve, governments or your profession? With the title as a professor, combined with your knowledge, this will not be an easy question.

None the less that is what you are opting for - you have my deepest respect for taking on that challenge :o)

Best Regards

Peter Johan Bruun

  • 2
  • 0
Erik Cederstrand

It is in no way a bold statement to say that e-voting systems can never be secure (unless you define bold as clear, definite, and bright).

You forgot to reply to my following sentence: "A machine that simply prints out a paper ballot to be counted manually can be perfectly secure" to which I can add the implicit "just as secure as today". Which means it is vulnerable to e.g. ballot stuffing, corrupt officials and all the other weaknesses you mention in your previous post, and which also apply to the pen-and-paper system we have today. Despite your claims, I'm still not advocating e-voting and still think we shouldn't implement it. But as long as you keep making such undifferentiated statements, I'm going to play the Devil's advocate :-)

If you think otherwise then in my opinion (and many others) you are supporting the destroyment of democracy.

And I also kill kittens in my spare time. You should try it, it's fun.

  • 4
  • 2
Joseph Kiniry

Hi Joseph

Thank you for commenting here. Always easier when we can talk directly to the parties involved.

Couple of questions:
1) You say that you were involved in hacking the Dutch systems. Was that what we see in this video: https://www.youtube.com/watch?v=sSsyYKgwnVk ?
Rop Gonggrijp is the speaker.

2)Will the DTU lecture be streamed or recorded? I can not attend :o(

3)What do you say to the people (like me and Kim Jensen) who believe that we should not help the government with creating a eVoting system, because then they can say "look, IT people created this and therefore it is safe to use"?

Hi Flemming,

Thanks for your question.

1) Rop is a friend and likely to be a member of DemTech's Scientific Advisory Panel in the future. Currently our "technical" member is J. Alex Halderman.

Rop and his colleagues work on hacking the Nedap machines took place a couple of years after my research group's work on defeating the proposed remote voting system "KOA". He was uninvolved in that effort; it was only pro bono work I did with two colleagues at Radboud University Nijmegen. The aforementioned paper describes what we did and what we could do under the constraints we were under (i.e., we could not modify election data, even during the testing, as it would violate national law and potentially get me kicked out of the country).

2) The DTU talk will be streamed for up to 60 viewers and will be recorded and available henceforth.

3) The decision about whether or not I should do something was really difficult one for me that I made back in 2003.

On the one hand, I completely understand the thinking behind saying "this is a bad idea and I refuse to participate".

On the other hand, as we have witnessed for fifteen years now, someone is going to build systems, and those systems are, in general, simply stated, terrible. They witness horrid software engineering and they are proprietary and closed-source. So if a system is going to get built for how one might digitize a part of the election process, then I think that it is a good idea that a team that is internationally-recognized experts in rigorous software engineering, formal verification of safety- and mission-critical systems, and information security is exactly the right people to experiment and advise governments.

Note that the systems we have built in the past are not full-blown evoting systems. I have completely stayed away from kiosk-based voting systems and focused entirely on counting votes correctly. Please do not give me credit to problems I have not tried to solve!

Another nice data point is that, while I can build verified, Open Source demonstration election subsystems (like tallying), I can continue to advise governments that it is a Bad Idea to charge down the patch of digital elections. I think history shows that this can work. After all, my team has built demonstration verified software for election subsystems while performed security analyses on existing commercial systems purchased by governments and while being an expert advisor to the government in a transparent fashion and those governments (Holland and Ireland) have consequently decided to do the right thing and shut down their evoting experiments and ban evoting by law. Come to my talk to hear more about this.

Many of my colleagues do take the position that you should only criticize and not propose any alternatives. Many researchers only propose theoretical systems, new cryptographic schemes, etc. but avoid writing any software or building any systems, either because they do not have the skills or think it is bad idea to make such systems available at all. Of those that do build systems (e.g., systems like Punchscan, Scantegrity, Helios, Prime III, Prêt-à-Voter, Wroclaw's work, ourselves and others), only my group makes guarantees about the correctness and security of our systems. Everyone else says "we make no promise that our system does anything right at all".

Finally, to help discount any conspiracy theorists out their wrt DemTech, everything that our project does is in the public view. All of our software, papers, and communications are transparent and open. Any member of the public can join, look around, look at the minutes for every meeting we have, and even ask for a snapshot of all of my DemTech email messages, and the messages of every member of DemTech.

  • 3
  • 0
Joseph Kiniry

@Kim Jensen

You'll note that no where do I or DemTech suggest that evoting should be used for national elections. Instead, we ask whether or not this makes sense at all by posing a hypothesis.

The point of a scientific project is to propose a hypothesis and then objectively, rationally, test that hypothesis and accept or refute it. DemTech's hypothesis in a nutshell is that "It is possible to modernize the Danish electoral process without loosing the trust of the voters." A completely acceptable outcome of DemTech is to say, "No, it is not possible to modernize the Danish electoral process using computing technology." I'm cool with that, and I might even have an opinion about where I think the analysis will lead, but as a scientist, I'm going to look at the evidence, not speculative subjective fiction.

If you listen to my talk next week you'll learn about my personal perspective on the topic, rather than the position of the DemTech project as a whole. DemTech represents for voice of over a dozen researchers, many of which are not computer scientists, but instead ethnographers, political scientists, experts in democracy and elections, anthopologists, etc. Only a few of us are computer scientists and logicians.

  • 4
  • 0
Kim Jensen

@Erik Cederstrand

So why are you not reading what I have written instead of toying around. A ballot written out by a machine and verified by the voter will probably not get counted by real people at the election night. And no matter what then a machine written ballot can then be manipulated afterwards. Experiences from the USA shows that manipulations of machine written ballots have been done by the government or others who wished to manipulate the election. And don't tell me about cryptography as it can be broken with quantum and/or super computers. And we don't even now how big quantum and super computers there really are as it might be for example military secrets (and if symmetric cryptography is used then someone needs to know the key(s) and who should be trusted with such power?).

Do you really understand how powerful it is to be able to manipulate an election an then what people with power and big money are able to do to e-voting machines or machine written ballots/votes. If experts have access to advanced equipment then it can all be manipulated on the chip and hardware level and since chips today can contain billions of transistors then it will be almost impossible to detect (if not completely impossible). And with the forthcoming 3D chip technology and nano technology then it will be even worse in the future. So there are no ways that the people will be able to verify e-voting machines. Therefore say 100% no to e-voting before it is to late.

And also I have explained very clearly in my previous post why handwritten votes counted on the election night is the only way to maintain a real democracy (try reading it again, and if it doesn't help then try once more. Maybe you will end up getting it or maybe you just don't care)

  • 3
  • 5
Kim Jensen

@Joseph Kiniry

The problem is that even if it might be possible to convince the voters that e-voting is secure, then the fact is that e-voting machines can always be manipulated by someone with money and power, and therefore e-voting should never be trusted. That's all I have to say about it. And I see no in between as either you work for real democracy and then will be against all e-voting systems or you somehow support e-voting and thereby support the fall of democracy. And as a scientist then you should rather be telling the truth that electronics and computers can always be manipulated and should never be trusted for e-voting because you cannot both have anonymity and security (and there is no way to trust encryption these days with quantum and super computers).

Edit: To the above then someone might argue that it might be possible to protect an e-voting system with post-quantum cryptology, but according to all books I have read about post-quantum cryptology, then it is a new and unproved science and it cannot be guarantied that post-quantum cryptosystems such as MKPC, lattice-based cryptography, or cryptographic hash functions are secure as there already exist a lot of attack vectors that might be used to break them as for example using the rank attack, the invariant subspace attack, the differential attack, the extension field structure attack, the low degree inverse attack, Gröbner method based attack, amd Zhuang-Zi algorithm based attack, Grover's algorithm, Sor's algorithm, and many others. And with the monomorphic cryptosystems I have seen proposed for e-voting then anonymity cannot be guarantied (because of hacking from the hardware level (or the near hardware level) in the e-voting system, or by other sorts of hacking afterwards etc. and also the people will have no way to verify that the overall result of the election has not been manipulated, and also completely homomorphic encryption is a very new science and it is currently unknown whether or not it can broken with large quantum and/or super computers).

  • 2
  • 0
Erik Cederstrand

A ballot written out by a machine and verified by the voter will probably not get counted by real people at the election night. And no matter what then a machine written ballot can then be manipulated afterwards. Experiences from the USA shows that manipulations of machine written ballots has been done by the government or others who wished to manipulate the election.

A ballot written with a pen and verified by the voter will probably not get counted by real people at the election night. And no matter what then a hand written ballot can then be manipulated afterwards. Experiences from the USSR shows that manipulations of hand written ballots has been done by the government or others who wished to manipulate the election.

I'm finished here. Over and out.

  • 1
  • 3
Kim Jensen

A ballot written with a pen and verified by the voter will probably not get counted by real people at the election night. And no matter what then a hand written ballot can then be manipulated afterwards. Experiences from the USSR shows that manipulations of hand written ballots has been done by the government or others who wished to manipulate the election.

Your statement makes no sense! Denmark is not the USSR and today all ballots/votes gets counted on the election night by real people.

  • 3
  • 3
Peter Johan Bruun

Jeg ved ikke helt hvor jeg skal stille spørgsmålet. Det er stillet to gange på Simon Kollerups Facebook profil, jeg har forgæves søgt på folketingets hjemmeside....spørgsmålet er stillet her på sitet også i forskellge sammenhænge.

Det er rigtigt skønt med en professor indsættelse der handler om hvorfor eValg ikke er demokratiets kop te....men:

HVOR OG HVORNÅR KOMMER DEN HØRING SIMON KOLLERUP FRA SOCIALDEMOKRATIET HAR LOVET OS FØR JUL ????

Pyyyyh, det lettede :O))) god dag til alle.

mvh. peter bruun

  • 6
  • 0
Mads Vanggaard

easy easy now Kim, don't have a heart attack. Anything can be manipulated, it is only a matter of effort, time and money. So a scientific study is not about up-front rejecting different forms for computer involvement and then criticising anyone that doesn't accept your conclusion as of such. In this case it could be attempting to prove the hypothesis that risk of manipulation is bigger for computer involvement scenarios compared to the pen-paper scenario. If you live by how it must be then we might as well live in the 14th century

  • 3
  • 3
Kim Jensen

@Mads Vanggaard

But for me as a member of the danish population then it is not interesting to know if the danish people can be manipulated into believing that e-voting is secure or not (for that is what the Demtech hypothesis is about isn't it!). For as you say yourself then of course e-voting will never be secure. And also Demtech and Joseph Kiniry are not just 'philosophers' as they are actually developing e-voting machines to be tried next year in a REAL election (which can easily be seen from Kiniry's plans here: http://www.demtech.dk/attachment/wiki/Research%20projects/planning.org). Notice the word "prototype" and the sentence "Deployment of the technology in real-world elections, e.g. municipal elections or parliamentary elections." Then Demtech can say that it is all just research but I will then say that we can use the tax payers money a lot better than to develop e-voting systems that we already know will never be secure. And in my opinion then it would be a lot better if Demtech just says the same as "IT-Politisk Forening" who says that e-voting is far to risky and recommends the government to drop it, instead of telling the government what security measures to include in an e-voting system etc. As I see it then if they don't say no then they sort of say yes!

Interesting science for the people would be if it is possible to prove that an e-voting machine can be built that in no way can be manipulated? But since there are no ways to prove that not any group of atoms in an e-voting system have been manipulated then such a study will turn out to be a conclusion that it is not possible to build such a system (and that is all we need to know). But maybe sometimes in the future then with quantum technology it might be possible to make a system where we can measure if any group of atoms have been manipulated, but then lets reconsider e-voting then! And since the execution of software can be manipulated from the hardware level (or the near hardware level), then to prove that a voting system is secure then you either have to prove that the hardware level (or the near hardware level) cannot be manipulated, or that manipulation of the hardware level (or the near hardware level) will not influence the calculations of the software and/or the execution of the software and that the hardware (or the near hardware level) cannot be used to extract important information from the executing software (such as for example encryption and decryption keys). And with the technology we have today then we are no ways near to be able to build such a system.

And about whether or not an e-voting system is more or less secure than votes counted by real people on the election night as we now do here in Denmark. Then with the system we now have where people with different political views sits together in large groups and count the votes, then it is obvious that the system we have now is A LOT more secure. Because with e-voting machines then a few people or a single person will be able to manipulate many or all of the votes. And because there is extremely much power in the act of being able to manipulate an election on a large scale, then we should in no way open for that possibility and in my opinion then the country should not try to build e-voting machines at all because as you say yourself then of course e-voting machines can be manipulated. And why build e-voting machines at all that are not meant to be used!

And about me getting a heart attack then don't worry as I am in good health and have a strong heart. But thanks for your concern. :-)

  • 4
  • 1
Peter Johan Bruun

easy easy now Kim, don't have a heart attack. Anything can be manipulated, it is only a matter of effort, time and money. So a scientific study is not about up-front rejecting different forms for computer involvement and then criticising anyone that doesn't accept your conclusion as of such. In this case it could be attempting to prove the hypothesis that risk of manipulation is bigger for computer involvement scenarios compared to the pen-paper scenario. If you live by how it must be then we might as well live in the 14th century

Mads, your historic knowledge does not hold any promise for the future.

With your current position as a leader combined with your understanding of this matter, you will now be assisting in a degrade of democracy. Your statements leaves me with worry, that you will not linger until we have reached a ruling system much like the ones we had in the 14th century.

The only hope I have, is that once we have reached that point, we can start all over again, having a new "age of enlightenment", accompanied with a "french revolution", resulting in truly democratic elections - using paper and pencils !

Hopefully this can be carried out, this time, in less than 6 centuries :o))

/Peter

  • 3
  • 0
Mads Vanggaard

:) I wrote 'anything' because I really mean anything - your pen-paper solution as well, it only takes enough effort, time and money to do it. The point I am making, is that it is a perfect research study to evaluate and compare the risk of manipulations with a pen-paper, weight based (I personally would prefer) or different approaches where computers or printers are involved. You might come up with a conclusion that supports your view, most likely, but you still need the scientific approach as I guess we are not debating religion?

  • 2
  • 1
Kim Jensen

"It's not that they can't see the solution. They can't see the problem." - G.K. Chesterton

And you are right that e-voting should not be treated as a religion and whether or not it is possible to get people believing in it. Instead it should be treated as something where it must be proved beyond any doubt that the system cannot be manipulated in any way. And that must include proofing that the software cannot be manipulated from the hardware level (or the near hardware level). That's the right question to ask.

And to find that answer then another important question to ask is if anyone can write open source e-voting software that for testing can be run on a FPGA board with a softcore CPU running Linux (running Linux because FPGA boards that can run MS Windows are to expensive for private hackers), and then if it is possible to manipulate the function of the software by altering the FPGA (or to read the encryption and/or decryption keys or read/write other important data). But still in a way so that the system appears to work properly. Then if all hackers in the world will have to give up and admit that they cannot manipulate the function of the software, then and only then is it secure. That is real science and security and not religion, psychology, or philosophy!

The reason that the above test is important is that people with power and money and access to advanced equipment will be able to manipulate/redesign and/or exchange the IC chips etc. in an e-voting system.

And then after have performed the above test then it is needed to do a similar testing to all of the hardware.

The above test is important for elections with e-voting machines as we need the highest possible level of security because that one person or a small group of persons would be able to manipulate many or all of the votes. It cannot be compared with the paper and pen/pencil solution as today in Denmark there are far to many people with different political views involved in manually counting of the votes. And that protect against manipulation on a large scale (with the way we do it in Denmark), and therefore it will not affect the election very much if some of the vote counters get away with counting some of the votes incorrectly (and also it would be extremely unlikely that anyone would get away with cheating at the counting tables). And also with manual counting then we normally also do a recount of all the votes afterwards which make the current system very secure because then the same vote will probably get counted by two different persons. So we can conclude that manual counting protects against large scale manipulation of the votes. Therefore in a ideal situation where the e-voting system is doing what it is expected to then e-voting is more precise than manual counting, but as soon as someone manipulate and gain control over the e-voting system then the whole election can be manipulated (as seen for example in the USA). And therefore it makes no sense to compare how precise e-voting is compared with manual counting as you have two completely different degrees of how efficient a manipulation would be on the whole election.

Therefore the only important question is if e-voting can be proved beyond any doubt that it cannot be manipulated in any way. We do not need the same degree of prove with manual counting.

  • 2
  • 2
Flemming Madsen

People against eVoting are not saying that pen and paper voting is perfect. You can do vote fraud in normal elections, we have seen that in Russia, Iraq and so on. But it takes a lot of people and if you try to do it hidden, the conspiracy becomes hard to hide.

However, this is not the case with eVoting. Here one person could possible sabotage or steal the election single-handedly. This is the advantage of computers, you can do something in a big scale that would require lots of people before.

So if we go ahead with eVoting, we are setting ourselves up for vote fraud in a industrial level. That will be a "No thanks" from me.

  • 5
  • 0
Mads Vanggaard

by the love of God - Kim, you conclude based on your point of view, not on some well tested hypothesis. You are not open op for this test even. How can you believe your point of view is the ultimate truth and then to refuse any comparison of it? You draw up the only alternative as to be some complex software based on some highly complex operating system running on some extreemly complex CPU architecture. Why would any software company that has to write the system supporting a UI and some sort of memory (be that in RAM, paper, external server's database, or any other form)? that would be like using Java Swing for UI...

Anyway, +1 to Joseph Kiniry for taking the debate one step up from the gutter

  • 2
  • 4
Hans Schou

You can do vote fraud in normal elections, we have seen that in Russia, Iraq and so on.


I Danmark havde vi for få år siden et kommunalvalg i Ringsted, hvor en kvindelig politiker talte nogle blanke stemmer op, og så satte kryds ud for sig selv - med kuglepen (det skal være en blyant). Det blev naturligvis opdaget, og hun blev straffet. Så det forekommer altså også i Danmark.

  • 0
  • 0
Kim Jensen

@Mads Vanggaard

I talk about the only important thing and that is whether or not a voting machine (or voting system) can be manipulated, and as long as the software can be manipulated from the hardware (or the near hardware level) then it is not secure. That's the only important thing to discuss. And anything else is just manipulation of the people no matter how fancy words used for it!

  • 3
  • 2
Flemming Madsen

Anyway, +1 to Joseph Kiniry for taking the debate one step up from the gutter

Mads, I need this comment clarified. Do you mean to say that Joseph Kiniry is the only one who is debating out of the gutter?

I also applaud Joseph for participating in an actual debate (instead of doing as politicians who only want to hear themselves talk), but I do feel that many of us here try to bring valid arguments to the discussion.

I know that Kim Jensen often bring very complicated scenarios into the discussion, but that is one of the main arguments; that computers are complicated, even more so for the normal user, and I am still waiting for a person to present me with a eVoting system that is so simple that I can explain it to my mother.

As for going ahead with the test of a eVoting system. Why would we want that?
If we (IT people against eVoting) can shoot down almost every argument for a eVoting system, why do we need to use Denmark as a testing facility for eVoting?
What is it that you can only do in real life, that you can not explain to me in text? Will I suddenly become convinced of the greatness of eVoting when I standing in front of the touch-screen?

  • 3
  • 0
Peter Johan Bruun

by the love of God - Kim, you conclude based on your point of view, not on some well tested hypothesis. You are not open op for this test even. How can you believe your point of view is the ultimate truth and then to refuse any comparison of it? You draw up the only alternative as to be some complex software based on some highly complex operating system running on some extreemly complex CPU architecture. Why would any software company that has to write the system supporting a UI and some sort of memory (be that in RAM, paper, external server's database, or any other form)? that would be like using Java Swing for UI...

Anyway, +1 to Joseph Kiniry for taking the debate one step up from the gutter

I think I will drag you into the scientific arena: One can not go on forever debating something that has been proven long ago....in mathematics the agronym QED often is used at the bottom of the proof of a postulate. It is used because it makes your scientific life soo much easier. It appears to me that the phrase QED could have been used numerous numerous times in this debate, and yet you still tend to cling to the hope that maybe you can downgrade somebody that is against eVoting in this debate. Having the thrill of conspiracy theories I start wondering what your motives are !

And referring to your last statement in the quote above: does that mean that if Mr. Kiniry theoretically and practically, proves that eVoting can never be safe and secret at the same time, then we will not have this debate again with you as a participant ?

  • 2
  • 0
Mads Vanggaard

I talk about the only important thing and that is whether or not a voting machine (or voting system) can be manipulated, and as long as the software can be manipulated from the hardware (or the near hardware level) then it is not secure. That's the only important thing to discuss. And anything else is just manipulation of the people no matter how fancy words used for it!

The only important thing to discuss is the matters that leads to a system that is secure enough that the effort required to manipulate in large scale is too huge to make it viable, cheap to operate and that produces the required result as quick as needed. To conclude what the system must be without a scientific approach to risk evaluation or similar that is just preaching to the version2 choir.

Anyway Kim, I know we will not agree about whether research in this area can bring us forward or not, but even if I personally am not in favour of eValg then I look forward to some more research in this area.

  • 0
  • 2
Attila Sukosd

I think some people are missing the point with the research.

If all you do is criticize without proof, but the government still wants to go through with it, they will.

Except the millions of kr. tax money won't be going towards constructive research into the field of e-voting, but instead billions of kr. to either existing, crappy solutions or some new vendor locked-in, proprietary solutions that are no better. Your choice.

Please note that I am not saying that I am either pro or contra e-voting, just my personal preference on what my taxes are being spent on if (or when) we go down this road.

  • 0
  • 0
Jesper Lund

Here is the recording:

Thanks Joe. Are there any plans for making this available in a more open format than Adobe connect? With Firefox and Chromium on my Linux system there were constant audio dropouts, and I only managed to hear/see this great presentation because I switched to IE 8 in a VM'ed WinXP.

Back to e-voting..

One thing from the presentation that really struck me (and surprised me a bit) was the comments about certification standards (in essence that none exist). The Danish government seems to think that all problems can be solved by requiring from vendors that their systems are properly certified. But if things are as bad as you point out with respect to certification, this doesn't really solve anything, except perhaps give politicians an excuse when the Danish supreme court, one day, has to decide the outcome of an election because the system malfunctioned, and hundreds of millions of taxpayer money have been wasted.

The hearing responses point to numerous problems with e-voting in other countries, and even by the government's own account of other countries' experiences with e-voting (that they finally produced when presenting L 132) there are far more failures than successes. Yet the Danish government argues that this is because the other countries used direct voting systems without paper trail and that their systems weren't properly certified. No they probably weren't, but they couldn't be.

  • 0
  • 0
Log ind eller Opret konto for at kommentere