FROM RISKS 31.97:

Date: Tue, 9 Jun 2020 10:29:39 PDT
From: "Peter G. Neumann" <neumann@CSL.SRI.COM>
Subject: Democracy Live Internet voting: unsurprisingly insecure, and
 surprisingly insecure (Specter and Halderman, with Andrew Appel's
 comments via PGN)

A new report by Michael Specter (MIT) and Alex Halderman (U. of Michigan)
<https://internetpolicy.mit.edu/wp-content/uploads/2020/06/OmniBallot.pdf>
demonstrates that the OmniBallot Internet voting system from Democracy Live
<https://democracylive.com/> is fatally insecure. That by itself is not
surprising, as *no known technology* could make it secure. What is
surprising is all the /unexpected/ insecurities that Democracy Live crammed
into OmniBallot -- and the way that Democracy Live skims so much of the
voter's private information.

https://freedom-to-tinker.com/2020/06/08/democracy-live-internet-voting-unsurprisingly-insecure-and-surprisingly-insecure/

Andrew Appel <appel@princeton.edu> has posted an extremely relevant article
in Freedom-to-Tinker: https://freedom-to-tinker.com/author/appel/

 The OmniBallot Internet voting system from Democracy Live finds surprising
 new ways to be insecure, in addition to the usual (severe, fatal)
 insecurities common to all Internet voting systems.

 There's a very clear scientific consensus that ``the Internet should not
 be used for the return of marked ballots'' because ``no known technology
 guarantees the secrecy, security, and verifiability of a marked ballot
 transmitted over the Internet.''  That's from the National Academies 2018
 consensus study report <https://doi.org/10.17226/25120>, consistent with
 the May 2020 recommendations from the U.S. EAC/NIST/FBI/CISA.
 <http://s3.amazonaws.com/ftt-uploads/wp-content/uploads/2020/06/07210015/Final_-Risk_Management_for_Electronic-Ballot_05082020-1.pdf>

 [Please read the entire paper and Andrew's commentary.  They are very
 revealing, and devastating for those persons who believe that Internet
 voting can be made secure.  Every known attempt seems to have been easily
 defeated: Washington DC 2010, Estonia 2014, Australia 2015, Scytl in
 Switzerland 2019, Voatz in West Virginia 2020, OmniBallot now.  Insiders
 at any of four private companies (Democracy Live, Google, Amazon,
 Cloudflare), or any hackers who manage to hack into these companies, can
 steal votes: Democracy Live doesn't run its own servers.  PGN-excerpted]

FROM the US Government Accountability Office:

Facial Recognition Technology: 
Privacy and Accuracy Issues Related to Commercial Uses
GAO-20-522: Published: Jul 13, 2020. Publicly Released: Aug 11, 2020.
https://www.gao.gov/products/GAO-20-522?utm_campaign=usgao_email&utm_content=topic_scienceandtech&utm_medium=email&utm_source=govdelivery

Facial Recognition:
CBP and TSA are Taking Steps to Implement Programs, but CBP Should Address Privacy and System Performance Issues
GAO-20-568: Published: Sep 2, 2020. Publicly Released: Sep 2, 2020.

Dott. Diego Latella - Senior Researcher CNR-ISTI, Via Moruzzi 1, 56124 Pisa, Italy (http://www.isti.cnr.it)
FM&&T Lab. (http://fmt.isti.cnr.it)
http://www.isti.cnr.it/People/D.Latella - ph: +390506212982, mob: +39 348 8283101, fax: +390506212040
===================
The quest for a war-free world has a basic purpose: survival. But if in the process we learn how to achieve it by love rather than by fear, by kindness rather than compulsion; if in the process we learn how to combine the essential with the enjoyable, the expedient with the benevolent, the practical with the beautiful, this will be an extra incentive to embark on this great task.
Above all, remember your humanity.
-- Sir Joseph Rotblat