-
Bugs in our Pockets: The Risks of Client-Side Scanning
Authors:
Hal Abelson,
Ross Anderson,
Steven M. Bellovin,
Josh Benaloh,
Matt Blaze,
Jon Callas,
Whitfield Diffie,
Susan Landau,
Peter G. Neumann,
Ronald L. Rivest,
Jeffrey I. Schiller,
Bruce Schneier,
Vanessa Teague,
Carmela Troncoso
Abstract:
Our increasing reliance on digital technology for personal, economic, and government affairs has made it essential to secure the communications and devices of private citizens, businesses, and governments. This has led to pervasive use of cryptography across society. Despite its evident advantages, law enforcement and national security agencies have argued that the spread of cryptography has hinde…
▽ More
Our increasing reliance on digital technology for personal, economic, and government affairs has made it essential to secure the communications and devices of private citizens, businesses, and governments. This has led to pervasive use of cryptography across society. Despite its evident advantages, law enforcement and national security agencies have argued that the spread of cryptography has hindered access to evidence and intelligence. Some in industry and government now advocate a new technology to access targeted data: client-side scanning (CSS). Instead of weakening encryption or providing law enforcement with backdoor keys to decrypt communications, CSS would enable on-device analysis of data in the clear. If targeted information were detected, its existence and, potentially, its source, would be revealed to the agencies; otherwise, little or no information would leave the client device. Its proponents claim that CSS is a solution to the encryption versus public safety debate: it offers privacy -- in the sense of unimpeded end-to-end encryption -- and the ability to successfully investigate serious crime. In this report, we argue that CSS neither guarantees efficacious crime prevention nor prevents surveillance. Indeed, the effect is the opposite. CSS by its nature creates serious security and privacy risks for all society while the assistance it can provide for law enforcement is at best problematic. There are multiple ways in which client-side scanning can fail, can be evaded, and can be abused.
△ Less
Submitted 14 October, 2021;
originally announced October 2021.
-
Public Evidence from Secret Ballots
Authors:
Matthew Bernhard,
Josh Benaloh,
J. Alex Halderman,
Ronald L. Rivest,
Peter Y. A. Ryan,
Philip B. Stark,
Vanessa Teague,
Poorvi L. Vora,
Dan S. Wallach
Abstract:
Elections seem simple---aren't they just counting? But they have a unique, challenging combination of security and privacy requirements. The stakes are high; the context is adversarial; the electorate needs to be convinced that the results are correct; and the secrecy of the ballot must be ensured. And they have practical constraints: time is of the essence, and voting systems need to be affordabl…
▽ More
Elections seem simple---aren't they just counting? But they have a unique, challenging combination of security and privacy requirements. The stakes are high; the context is adversarial; the electorate needs to be convinced that the results are correct; and the secrecy of the ballot must be ensured. And they have practical constraints: time is of the essence, and voting systems need to be affordable and maintainable, and usable by voters, election officials, and pollworkers. It is thus not surprising that voting is a rich research area spanning theory, applied cryptography, practical systems analysis, usable security, and statistics. Election integrity involves two key concepts: convincing evidence that outcomes are correct and privacy, which amounts to convincing assurance that there is no evidence about how any given person voted. These are obviously in tension. We examine how current systems walk this tightrope.
△ Less
Submitted 4 August, 2017; v1 submitted 26 July, 2017;
originally announced July 2017.
-
End-to-end verifiability
Authors:
Josh Benaloh,
Ronald Rivest,
Peter Y. A. Ryan,
Philip Stark,
Vanessa Teague,
Poorvi Vora
Abstract:
This pamphlet describes end-to-end election verifiability (E2E-V) for a nontechnical audience: election officials, public policymakers, and anyone else interested in secure, transparent, evidence-based electronic elections.
This work is part of the Overseas Vote Foundation's End-to-End Verifiable Internet Voting: Specification and Feasibility Assessment Study (E2E VIV Project), funded by the Dem…
▽ More
This pamphlet describes end-to-end election verifiability (E2E-V) for a nontechnical audience: election officials, public policymakers, and anyone else interested in secure, transparent, evidence-based electronic elections.
This work is part of the Overseas Vote Foundation's End-to-End Verifiable Internet Voting: Specification and Feasibility Assessment Study (E2E VIV Project), funded by the Democracy Fund.
△ Less
Submitted 14 April, 2015;
originally announced April 2015.
-
STAR-Vote: A Secure, Transparent, Auditable, and Reliable Voting System
Authors:
Josh Benaloh,
Mike Byrne,
Philip Kortum,
Neal McBurnett,
Olivier Pereira,
Philip B. Stark,
Dan S. Wallach
Abstract:
In her 2011 EVT/WOTE keynote, Travis County, Texas County Clerk Dana DeBeauvoir described the qualities she wanted in her ideal election system to replace their existing DREs. In response, in April of 2012, the authors, working with DeBeauvoir and her staff, jointly architected STAR-Vote, a voting system with a DRE-style human interface and a "belt and suspenders" approach to verifiability. It pro…
▽ More
In her 2011 EVT/WOTE keynote, Travis County, Texas County Clerk Dana DeBeauvoir described the qualities she wanted in her ideal election system to replace their existing DREs. In response, in April of 2012, the authors, working with DeBeauvoir and her staff, jointly architected STAR-Vote, a voting system with a DRE-style human interface and a "belt and suspenders" approach to verifiability. It provides both a paper trail and end-to-end cryptography using COTS hardware. It is designed to support both ballot-level risk-limiting audits, and auditing by individual voters and observers. The human interface and process flow is based on modern usability research. This paper describes the STAR-Vote architecture, which could well be the next-generation voting system for Travis County and perhaps elsewhere.
△ Less
Submitted 8 November, 2012;
originally announced November 2012.
-
SOBA: Secrecy-preserving Observable Ballot-level Audit
Authors:
Josh Benaloh,
Douglas Jones,
Eric Lazarus,
Mark Lindeman,
Philip B. Stark
Abstract:
SOBA is an approach to election verification that provides observers with justifiably high confidence that the reported results of an election are consistent with an audit trail ("ballots"), which can be paper or electronic. SOBA combines three ideas: (1) publishing cast vote records (CVRs) separately for each contest, so that anyone can verify that each reported contest outcome is correct, if the…
▽ More
SOBA is an approach to election verification that provides observers with justifiably high confidence that the reported results of an election are consistent with an audit trail ("ballots"), which can be paper or electronic. SOBA combines three ideas: (1) publishing cast vote records (CVRs) separately for each contest, so that anyone can verify that each reported contest outcome is correct, if the CVRs reflect voters' intentions with sufficient accuracy; (2) shrouding a map** between ballots and the CVRs for those ballots to prevent the loss of privacy that could occur otherwise; (3) assessing the accuracy with which the CVRs reflect voters' intentions for a collection of contests while simultaneously assessing the integrity of the shrouded map** between ballots and CVRs by comparing randomly selected ballots to the CVRs that purport to represent them. Step (1) is related to work by the Humboldt County Election Transparency Project, but publishing CVRs separately for individual contests rather than images of entire ballots preserves privacy. Step (2) requires a cryptographic commitment from elections officials. Observers participate in step (3), which relies on the "super-simple simultaneous single-ballot risk-limiting audit." Step (3) is designed to reveal relatively few ballots if the shrouded map** is proper and the CVRs accurately reflect voter intent. But if the reported outcomes of the contests differ from the outcomes that a full hand count would show, step (3) is guaranteed to have a large chance of requiring all the ballots to be counted by hand, thereby limiting the risk that an incorrect outcome will become official and final.
△ Less
Submitted 2 July, 2011; v1 submitted 29 May, 2011;
originally announced May 2011.