It's November 15. A full week has passed since the national elections, and we still aren't certain who'll be the next US president. Why? Discrepancy and trust: Two issues at the roots of security—and our national election process, it now seems. Could a more computerized election process help avoid a similar scenario in the future? Probably not. I base that comment on two sources: a recent survey conducted by Cybersource and a conversation I had with a leading computer security vendor.
On November 6, Cybersource, an e-commerce transaction company, released the results of its second annual Fraud 2000 survey, conducted among some of the world's largest online retailers. Eighty-three percent of responding merchants consider fraud a very serious concern. That figure is up from 75 percent in 1999. Respondents also indicated that 4 percent of their total transactions were fraudulent. Although 4 percent doesn't seem like a lot when it comes to money, 4 percent is everything when it comes to elections, as this latest controversy over Florida ballots shows.
It's reasonable to assume that if 83 percent of the world's largest e-merchants consider electronic fraud to be a major concern, that concern would directly cross over to any computerized election process. But apparently some voters see things differently. Washington State ran trials during the November 7 elections using a proprietary Internet-based technology to conduct a shadow election. Voters were asked at polling centers if they'd like to try the technology to cast nonbinding votes. According to Washington's Thurston County Auditor Sam S. Reed, after the tests, 91.5 percent of the trial voters said they'd use online voting if it were offered, and a whopping 93 percent said they felt comfortable with the security of the online voting results! This leaves me thinking those Washington voters are incredibly naïve—after all, the system they used during the trial is admittedly proprietary, so voters aren't privileged to know its inner workings. How can people possibly trust such mission-critical technology when it hasn't been publicly scrutinized? It just doesn't make sense to me.
Could less proprietary and more accepted public key infrastructure (PKI) technology help secure such a fully electronic voting process? I asked Rob Clyde, vice president of security at Axent Technologies (a prominent vendor of security solutions), his opinion on that question. Clyde said that although his company could make a bundle of money selling PKI solutions to voting precincts around the nation, the technology isn't ready for that type of prime-time use. Clyde also said that PKI could help raise the bar against fraud and help mitigate many problems (e.g., a recount process, guaranteeing a person votes only once, or guaranteeing deceased people's credentials aren't used to cast votes), but the technology is still a relatively new, unproven solution that can't solve all the existing problems at this time.
Electronic elections alone won't solve our voting problems. No matter how we approach computerizing and securing a national election system, one huge problem always remains: anonymity. The citizens of this nation are guaranteed an anonymous vote. And although that guarantee helps thwart any potential retaliation against voters, it leaves us exactly where we left off: facing the issue of trust. And that's a very tough issue indeed.
So it seems that Americans still have the same two mutually exclusive choices that we've always had: trust whatever system is adopted and accept any inherent discrepancies, or give up our anonymity in exchange for guaranteed accuracy. Would you trust and use Internet-based voting? Should such technology be subject to public scrutiny? Be sure to visit our home page and take our latest poll. I'll post the results in a future edition of this newsletter.
Before I sign off, I'd like to introduce our new security product review columnist, Shawn Porter. Each month Shawn offers a hands-on review of a new security-related product in his Ultimate Security Toolkit column on our home page. This week, Shawn reviews Hewlett-Packard's (HP's) Praesidium WebEnforcer. Be sure to read the review. Until next time, have a great week!