Ed Gerck, Dr. rer.nat., M. Sc., Electronic Eng.

Email contact for this page: ed@gerck.com with subject prefix [EG]
Copyright © 1997-2007 by E. Gerck. All rights reserved, free copying and citation allowed with source and author reference.


1. Short-form Biography
2. Papers
3. Statement on Electronic and Internet Voting

1. Short-form Biography

Ed Gerck is a recognized leader in Internet security and cryptography. He received his doctorate in physics (Dr.rer.nat.) from the Ludwig-Maximilians-Universitaet and the Max-Planck-Institut fuer Quantenoptik in Munich, Germany, 1983, with maximum thesis grade ("sehr gut"). With a background in lasers and quantum mechanics, he has worked in cryptography since 1987. He has been involved in the development of software since 1972, in languages such as FORTRAN, ALGOL, BASIC, x86/x87 Assembler, Pascal, C, C++, Java, Perl, and PHP, using Windows, Unix, Mac OSX, and DOS platforms. His work has become a reference in laser physics, cryptography, digital certificates and voting.

Dr. Gerck’s work in information security gained worldwide momentum in 1997 when he began to use the Internet to publicly discuss a "bottom-up" approach to the entire subject of trust, PKI and Internet security. Understanding human trust brought him to that great IT question, in 1997: how can I trust a set of bytes? His answer, given first in a short email to the MCG list and immediately published in a book on digital certificates (ISBN 0-20-130980-7), has been useful in the field of information security worldwide. The answer provides a framework for understanding human trust (as expected fulfillment of behavior) and for bridging trust between humans and machines (as qualified information based on factors independent of that information). His work has received extensive worldwide press coverage from New York Times, Le Monde, O Globo, Forbes, CBS, CNN, Business Week, Wired, San Jose Mercury News, Aftonbladet and USA Today. In 1999 Dr. Gerck was a member of the Registry Advisory Board of Network Solutions, Inc. (NSI). Dr. Gerck is also the founder of the Meta-Certificate Group (MCG), chairman of the board of the Internet Voting Technology Alliance (IVTA), founder of NMA, Inc. and founder and CEO of Safevote, Inc.

2. Papers

My main interest is Internet-based services where users (including their machines, operating systems and software) are not initially trusted to any extent. In other words, I want to introduce trust as an explicit part of the Internet design. I believe that convenience [1], even more than ease-of-use, and security, is important to users.

Trust was implicit when the Internet (i.e., ARPANET, prior to commercial operation) was based on an honor system for the users and their machines. In particular, I believe that trusting user intervention (even to simply update software) is a very weak assumption. Thus, I am especially interested in solutions that can solve current security and network problems without trusting user intervention. I am currently working on the topics covered in the following papers. If you are interested in one or more of these topics you are welcome to send me your comments. If you want copies of other papers or papers not available online, please send me an email. Further references at http://gerck.com

VOTING SYSTEM REQUIREMENTS: A voting system requirements proposal evolved during public list discussions at the IVTA in September-November 2000, motivated by a technologically-neutral voting model I suggested to the group (see VOTING MODEL, below). The proposal recognizes the need for strict voting standards, with a set of 16 requirements that are technologically neutral and can be applied to paper, electronic and Internet voting. A main motivation for the proposal was to exceed the current requirements for paper-based ballots in the U.S., and also those used for electronic voting DRE (Direct Recording Electronic) machines. The proposal was presented in several conferences for further input. By invitation, it was also presented at the United Nations conference on e-government in Palermo, Italy, in April 2002. A copy of the latest version of the proposal is available at http://thebell.net/papers/vote-req.pdf

DRE - ELECTRONIC VOTING: On August 2-30, 2001, I presented an invited paper at the WOTE'01 conference in Tomales Bay, California. The conference was about trustworthiness in voting systems. My paper was on the Witness Voting System, a provable, reliable solution for voter-verified electronic voting (DRE), providing integrity and anonymity proofs, that does not use paper ballots. A copy is available in the conference proceedings at http://www.vote.caltech.edu/wote01/pdfs/gerck-witness.pdf

INTERNET VOTING: Published in 2002. Ed Gerck: Private, Secure and Auditable Internet Voting, chapter in "Secure Electronic Voting: Trends and Perspectives, Capabilities and Limitations", Edited by Prof. Dr. Dimitrios Gritzalis, Kluwer Academic Publishers, 2002, ISBN 1-4020-7301-1. See also http://www.wkap.nl/prod/b/1-4020-7301-1?a=1 . This document presents a set of voting system requirements that are consistent, can be applied to paper, electronic and network (Internet) voting, and exceed the current requirements for paper-based ballots and electronic voting DRE (Direct Recording Electronic) machines. The requirements are based on the principles of Information Theory and of trust as qualified reliance on information, favoring multiple, independent channels of information over one purportedly "strong" channel. However, adding multiple channels can also decrease reliance if the design principles laid out in these requirements are not followed.

VOTING MODEL: A voting model that is technologically neutral is postulated, allowing voting system requirements to be defined for any technology that is or may become available. The model is based on the principles of Information Theory and of trust (see TRUST, below) as qualified reliance on information, favoring multiple, independent channels of information over one purportedly "strong" channel (e.g., paper ballots). See "The Business of Electronic Voting", panel by Ed Gerck, C. Andrew Neff, Ronald L. Rivest, Aviel D. Rubin, Moti Yung. Financial Cryptography 2001: 243-268. Springer Verlag.

TRUST: how can I trust a set of bytes? Understanding human trust allowed me to answer this great IT question, in 1997, with a model useful for both human and machine dialogue. Trust is that which is essential to a communication channel, but cannot be transferred using that channel. This answer provides a framework for understanding human trust (as expected fulfillment of behavior) and for bridging trust between humans and machines (as qualified information based on factors independent of that information). The original reference is http://nma.com/mcg-mirror/trustdef.htm . Please google for "gerck trust" to find newer papers, applications and also comments by others. See also "Trust Points" by E. Gerck in "Digital Certificates: Applied Internet Security" by Jalal Feghhi, Jalil Feghhi and Peter Williams, Addison-Wesley, ISBN 0-20-130980-7, pages 194-195, 1998.

X.509, PKI, DIGITAL CERTIFICATES: http://thebell.net/papers/certover.pdf . This revised version was published in part in THE BELL, Vol. 1, No. 3, p. 8, July 2000. The original HTML version has been downloaded more than 1,000,000 times over the last three years. It was first published in the Meta-Certificate Group (MCG) website and was also presented by invitation at the '99 Black Hat Conference in Las Vegas, NV. The original reference is http://nma.com/mcg-mirror/cert.htm

INTERNET MODEL: The original, and current, Internet design is based on an honor system for the end points. The model was that the connection was less trusted than the end points. Access to the end points was granted under an honor system and usage rules were enforceable. Reality showed that the model was upside down for commercial operation. The end points are less trusted than the connection. In fact, even if usage rules are enforceable at some connection points, the end points cannot be controlled. Anyone can connect to the network. There is no honor system. Usage rules are in fact not enforceable; users can hide and change their end points. The solution is to introduce trust as an explicit part of the design, which trust was implicit when the Internet was based on an honor system. Of course, updating the Internet design to fit its current operating conditions is useful not only to stop spam. Social engineering and spoofing attacks also rely on the old honor system where users are trusted. "Trust no one" should be the initial state under the new Internet paradigm. The bottom line is that trust depends on corroboration with multiple channels (see Trust, above) while today we have neither (a) the multiple channels nor (b) the corroboration mechanisms. So, we lack trust because we can't communicate it. Current work includes proposals and tests to combat spam, spoofing, and denial of service, as well as information-theoretic secure authentication integrated with authorization for access control. A reference for the latter is http://nma.com/papers/e2e-security.htm

INFORMATION SECURITY ANALYSIS: Most security products profess to solve broad problems when enterprises really need specific solutions. As an IT consultant, I have performed several analyses of commercial services and products, identifying the specific solutions needed by enterprises. A reference paper is available at http://nma.com/papers/wcs_security.pdf , a case study of NCR, Inc. A summarized discussion is available in "IT Security: Dollar Decisions that Make Sense" at http://www.contingencyplanning.com/PastIssues/mar2003/2.asp

3. Statement on Electronic and Internet Voting

While correctly criticizing current problems in electronic voting, some abhor any kind of voting that is electronic, as if the only possible outcome of such an election would be a "government by magic". But magic, endemic fraud in paper ballots, for 200 years in the U.S., is exactly one of the reasons that is driving me to develop better solutions.

But, what would drive voters to abandon paper voting? Convenience. Paper voting lacks personal comfort, personal use of time. Lack of convenience (not lack of security) will, eventually, play a larger role in killing paper voting.

Regarding voting, our future is pretty obvious. Online voting will be mainstream, and is already here in the public and private sectors. But, to be secure, it should not happen with regular email, e-commerce web sites, or current "trust me" e-voting machines (DRE).

The socially responsible thing to do regarding voting is, thus, to develop online voting so that it is secure and easy to use. It already has the top quality that paper voting and e-voting machines (DRE) cannot have: convenience.

But the real-world voting security problem is very hard. Voting is an open-loop process with an intrinsic "vote gap", such that no one may know for sure what the vote cast actually was -- unless one is willing to sacrifice the privacy of the vote.

Some argue that paper voting schemes generally inhibit large-scale fraud (as distinct from prevent), whereas e-voting schemes can enable it.

To that, we respond that, yes, a sufficiently secure voting system would have to inhibit and prevent large-scale fraud, where "large-scale" is any fraud that could change the outcome of the election. However, paper voting can't do it, and there are many examples of fraud changing the outcome of an election with paper voting. Online voting has a better chance, for reasons that I explain in [2,3]. So, the situation is actually reversed.

With public elections, usually requiring polling and tabulating millions of votes, we have no choice but to move from art to science. Votes need to be verified and voters are certainly one party that can do it. However, you never want to allow the voter to take any kind of "receipt" out of the voting station if that receipt can be used to determine how the voter voted, e.g. by matching a number or pattern on the ballot. No one should be able to prove how the voter voted, not even the voter. Otherwise, you have to worry about vote selling and coercion. I also think that there should be independent representations of the ballot data, witnesses of the ballot as cast by the voter, and that when these witnesses exist, they must all be audited for consistency. This can be done efficiently with a proper random sampling. Further, as it is already legal today in the U.S., voters should be able to cast their ballots at a poll precinct as well as at home, at work, and abroad.

I believe that all of this can be done using paper and/or computers and/or networks of computers, including cases where the network can be the phone network and/or the Internet. Further, I believe that using computers and networks, while there must be great caution and moderation, has the yet unrealized potential to reduce fraud, increase voter diversity, increase voter participation and reduce costs.

For additional comments, please see [1].

REFERENCES:

[1] http://www.gather.com/viewArticle.jsp?articleId=281474976901451
[2] http://safevote.com/doc/VotingSystems_FromArtToScience.pdf
[3] http://www.vote.caltech.edu/wote01/pdfs/gerck-witness.pdf

BACKGROUND: My statement above is based on a technologically-neutral model for voting that applies to paper, electronic and network voting. I derived this model by realizing that Claude Shannon's statement --and solution-- of the "fundamental problem of communication" in information-theory could also be applied to voting. What I call the fundamental problem of voting is that of reproducing at a point called the ballot box exactly a message selected by the voter at another point, the voting station. The message is the ballot cast by the voter at the voting station. The messages have meaning; that is they refer to or are correlated according to some system with certain physical (e.g., people, propositions) or conceptual (e.g., offices) entities. These semantic aspects of voting are irrelevant to the engineering problem. The significant aspect is that the actual message (the ballot cast) is one selected by the voter from a set of possible messages (all the different ballots that can be cast for all possible combinations of vote choices). The system must be designed to operate for each possible selection (including blank votes), while excluding others that are not possible (overvotes, for example). In this information-theoretic model, the ballot cast is the message, the ballot box (at one point) is the receiver and the voter (at another point) is the sender. The message is a priori unknown at the receiver, the ballot box. The model shows that there is a gap between the voter and the ballot box, which gap prevents the voter from really knowing what ballot will be tallied -- this gap occurs in all voting systems where votes are cast privately, even if the ballots are not anonymous (i.e., not anonymous means here that all ballots and all voters are uniquely linkable). The information-theoretic solution, described in my papers, includes noise channels that can delete, change, copy or insert messages (ballots) between the voter and the ballot box, and vice versa. 
The effects of noise (human and machine created) can be reduced to an arbitrarily low level, as close to zero as one desires, by using correction channels between the voter and the ballot box. This result is based on the 10-th Theorem by Claude Shannon in information-theory. These correction channels are what I call "witnesses" in the Witness Voting System (see DRE - Electronic Voting).
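The statement above asks that the independent witnesses of each ballot be audited for consistency with a proper random sampling. The sketch below is an added example, not code from the Witness Voting System or the cited papers: it sizes a sample that catches at least one inconsistent ballot with a chosen confidence and then compares the witnesses on that sample. The record layout, function names and tamper counts are assumptions, and the witness data is constructed.

```python
import random
from math import comb

MISSING = object()  # marks a ballot absent from one witness

def miss_probability(total, bad, sample):
    """Chance that a random sample (no replacement) contains no bad ballot."""
    if sample > total - bad:
        return 0.0
    return comb(total - bad, sample) / comb(total, sample)

def min_sample_size(total, bad, confidence):
    """Smallest sample that hits at least one bad ballot with >= confidence."""
    for n in range(total + 1):
        if 1.0 - miss_probability(total, bad, n) >= confidence:
            return n
    return total  # target unreachable (e.g. bad == 0): audit everything

def audit(witnesses, sample_size, rng):
    """Return the sampled ballot ids on which the witnesses disagree."""
    ids = sorted(set().union(*witnesses))
    sample = rng.sample(ids, min(sample_size, len(ids)))
    return sorted(b for b in sample
                  if len({w.get(b, MISSING) for w in witnesses}) != 1)

def constructed_witnesses(total, bad, rng):
    """Constructed data: three witnesses, the second altered on `bad` ballots."""
    truth = {i: rng.choice(["A", "B", ""]) for i in range(total)}  # "" = blank vote
    witnesses = [dict(truth), dict(truth), dict(truth)]
    tampered = sorted(rng.sample(range(total), bad))
    for k, ballot in enumerate(tampered):
        if k % 2:
            del witnesses[1][ballot]  # noise deletes the record
        else:
            # noise changes the recorded choice
            witnesses[1][ballot] = "A" if truth[ballot] != "A" else "B"
    return witnesses, tampered

if __name__ == "__main__":
    rng = random.Random(2001)  # fixed seed so the run is repeatable
    witnesses, tampered = constructed_witnesses(1000, 20, rng)
    n = min_sample_size(1000, 20, 0.95)
    found = audit(witnesses, n, rng)
    print(f"sampled {n} of 1000 ballots, inconsistent ids found: {found}")
```

A fixed seed keeps this demonstration repeatable; an actual audit needs a sample that nobody who could alter a witness can predict in advance.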


DISCLAIMER: This page does not intend to cover all the details of the technologies reported, or all the variants thereof. Its coverage is limited to provide support and references to the work in progress and to unify references, concepts and terminology. No political or country-oriented criticism is to be construed from this page, which respects all the apparently divergent efforts found today on the subjects treated. Individuals or organizations are cited as part of the fact-finding work needed for this page and their citation constitutes neither a favorable nor an unfavorable recommendation or endorsement. These statements are my own and do not represent the view of any organization or government.
