ICTlogy

Notes from the the research seminar Citrizen security in electronic environments. The case of electornic voting, by Jordi Puiggalí, held at the Open University of Catalonia, Barcelona, Spain, on January 28th, 2010.

Citrizen security in electronic environments. The case of electornic voting

Jordi Puiggalí, Scytl

Electronic voting is the natural evolution of the electronic count in elections. Two main kinds:

• Face to face: people still go to polling stations, but vote in polling machines
• Remote voting: you vote from home

Advantages

• Count of votes is faster and exact
• Cost saving in paper and printing (though there are added costs, especially in face to face electronic voting)
• Increase of accessibility for disabled people. Also avoids identifying who was the voter (e.g. there’s only one blind voter in town: the ballot-paper in Braille is theirs)
• Flexibility to include last-minute changes
• Support for multiple languages. This, at its turn, avoids errors and avoids identifying who was the voter (e.g. there’s only one voter in town that speaks arabic: the ballot-paper in arabic is theirs)
• Prevents involuntary errors that can end up in spoiled ballot-papers
• Economies of scale (specific of remote voting)
• Eases citizen participation (specific of remote voting)
• Increases the mobility of the voter, as they can vote from anywhere (specific of remote voting)
• Eases access to the voting process thus increasing participation (specific of remote voting)

Security threats

In traditional polling, the voter has a direct relationship with their vote and the polling station, committee, etc. Electronic voting adds an infrastructure layer that implies that the relationship between voter and vote becomes indirect/mediated. This mediation poses 4 security risks

• The digital nature of the votes means that they can be easily added, erased, manipulated, and the privacy of the voter compromised at large scale;
• The complexity of the systems at use, with the possibility of hardware functioning errors, bugs in the software, etc.;
• Lack of transparency, as the technological infrastructures are more difficult to audit (e.g. how can you tell whether someone cracked the system?);
• The introduction of new actors with privileges in the voting process, like system and platform administrators that can have privileged access to the voting process.

Side note: these threats can be extrapolated to the case of health records and many other cases.

How to address risks?

Physical measures

• Avoid physical access to the protected device
• This cannot be done in remote voting, at least not in the whole process

Organizational measures

• Who has access to what
• They necessarily have to be accompanied by monitoring measures (intensive log recording)
• Intensive monitoring can lead to knowing who’s voting what

Logic measures

• Automatic security measures
• Easier to audit
• Logic measures can, at their turn, be attacked themselves
• Logic measures must not interfere (or even alter) the normal voting process

Security services

• Information privacy: guarantee that no one knows what you did (e.g. your vote)
• Information integrity: guarantee that information is not altered
• Non-repudiation: avoid that you cannot deny having done something that you actually did
• Authentication: ensure that the person that claims to have done something is that person
• Authorization: you can do what you are allowed to do
• Auditability: be able to track the system and assess its performance
• Availability:

One of the big differences between circumventing security in off-line voting and online voting is that scalability of the attack is much higher in online environments. E.g. identity theft in the offline world can be easy to do once, but not several times in the same polling station, but if done once in the online world, it is very likely that it can be done again, and very quickly, ad infinitum.

Electronic voting can identify which votes are valid and which ones not. You need not invalidate the whole polling station, but only the invalid votes.

For a paper I am preparing about Politics 2.0 in Spain — and that has already produced a definition of Politics 2.0 — I had to gather quite a good bunch of literature. There is quite some information about online politics, some about politics 2.0, but very few about Politics 2.0, especially academic literature about Politics 2.0 in Spain, which is scarce. Thus, writing that paper has required some interesting academic juggling.

Below I’ve listed the bibliography that so far I’m using to structure and back my paper. Beyond the bibliography that follows, three events helped much in collecting insights, ideas and find many interesting references. My gratitude to the speakers at these events:

• 5th Internet, Law and Politics Conference: The Pros and Cons of Social Networking Sites
• Citizen Politics: Are the New Media Reshaping Political Engagement?
• 4th Internet, Law and Politics Congress: Towards citizenship 2.0?

Tag cloud of the bibliography

A bibliography on Spanish online politics and Politics 2.0

Notes from the research seminar Deliberative democracy: religion in the public sphere. Deliberative obligations of the democratic citizenry, by Cristina Lafont held at the Open University of Catalonia, Barcelona, Spain, on December 17th, 2009.

Deliberative democracy: religion in the public sphere. Deliberative obligations of the democratic citizenry
Cristina Lafont

Which has to be the role of Religion in the public sphere? Which one actually is? Which should it be?

Specially in a deliberative democracy, the fact that people have religious believes makes even more important exactly knowing what are the challenges for democracy of this issue.

The deliberative democracy is a fragile balance between the right to debate whatever subject under some few but strong coercive rules.

Jürgen Habermas: a process of deliberation has to be able to be justified and without coercion. Public deliberation has to include all information available; equality, symmetry and reciprocity to all contributions, independently of their source; absence of (external) coercion; communicative equality; and participants have to be sincere, critic, have no hidden goals, and be responsible for their own opinions.

But not only procedures have to be acceptable, but also the contents of the debate.

John Rawls tries to provide an answer this last question. Thus, contents have to be dealing with the public good (vs. the private). So, what happens with religion, normally out of the public sphere? According to Rawls, Religion has to be left outside, with some exceptions, e.g. values gathered in modern constitutions, basic justice, etc.

But some incompatibilities arise when some citizens might not accept coercive solutions that come from public values but not accepted in their own set of comprehensive beliefs. Indeed, the rawlsian thought could even exclude persons themselves from the public deliberation. Or ask them to forget about their beliefs when entering a deliberative process. Or give priority to public interests over personal beliefs.

Habermas “solves” this by dividing the agora in two: the informal deliberation, where citizens can bring in all kind of beliefs, and the institutional deliberation (parliaments, etc.) where these personal beliefs should be left aside or be translated into “secular” principles (e.g. the ones gathered in constitutions).

Habermas’s solution also has some problems, like treating secular citizens differently from religious ones, sometimes leaving them aside of this “translation” of their principles, for not being as explicit as the religious ones.

Lafont offers come comments. Instead of trying to translate them into general or public reasons, an interesting approach would be to take seriously religious proposals and assume they can be right. Thus, they should be debated as proposals of general or public reasons proposals. And hence be prepared to accept them or refute them, based on grounded arguments. The debate should, then, be more about the compatibility of specific beliefs with the common and acknowledged beliefs (again, e.g. the Constitution) and not whether these beliefs are right or wrong or better than others.

[a debate follows, too complex and rich to collect here]

Notes from the the 5th Internet, Law and Politics Conference: The Pros and Cons of Social Networking Sites, organized by the Open University of Catalonia, School of Law and Political Science, and held in Barcelona, Spain, on July 6th and 7th, 2009. More notes on this event: idp2009.

Politics Track Gather Up
Daithí Mac Sithigh

Two major questions today: what will we do? how will we stay safe?

Innovation come not by using specific technology or platforms but on the effective uses we put into them.

The safety issue seems not to be approachable by the Law alone, being self-regulation and self-commitment a good share of it, and collaboration and co-operation another good share of it.

In a time of crisis, the international community turns its attention to the Information Society. But this is not about hardware, but about organizational change, institutional change. A major planning has to take place to deal with focal issues like e-commerce, network safety or e-Administration.

We’d do well to learn from sub-national or even local successes in open data initiatives, or data sharing initiatives. And what a different it makes to move from the “e-” Government to the “o-” Government.

And open data might be a necessary step to change not only government but also democracy and politics, to enable citizen participation and engagement.

We’re seeing times where political crisis and financial crisis is accompanied by a demand for transparency, openness, open data, etc. And it looks like broadly demanded political reforms could move towards this direction.

This is, for instance, how Politics 2.0 evolve from Politicians 2.0 towards Political Spaces 2.0.

Politics 2.0 can be presented as a virtuous circle, where everybody is part of that circle, and where the sense of “small” (as in a small issue) can have a brand new meaning (and not be small or irrelevant at all).

Will, hence, the unconventional ways of doing politics become the conventional or mainstream ones? Do we want that?

What is the right agenda? Does a creative use of public information (initially well intended) have bad consequences?

Next steps?

• W3C Access to Government interest group
• Pulic Services 2.0 declaration
• From “come back tomorrow” to “come back next year”?
• Social networks and social questions

More Information

• IDP2009: Day 2 Report (slides), Daithí Mac Sithigh’s slides of his presentation
• IDP2009: Written Report of Day 2, by Daithí Mac Sithigh
• El twitter del V Congrés d’IDP, Joan-Baptista Gavaldà i Moran’s compilation of all twitts tagged #idp2009

Notes from the the 5th Internet, Law and Politics Conference: The Pros and Cons of Social Networking Sites, organized by the Open University of Catalonia, School of Law and Political Science, and held in Barcelona, Spain, on July 6th and 7th, 2009. More notes on this event: idp2009.

Political participation and Social Networking Sites
Chaired by Ana Sofía Cardenal

Marta Cantijoch, Assistant Professor at the Political Science Department of the Universitat Autonoma de Barcelona, PolNet research group.

The distinction amongst citizens is not only between people that participate and that do not participate, but also in how they participate when they do, distinguishing between conventional or unconventional political participation (Political Action Study, 1979), or representational and extra-representational participation (Teorell, Torcal and Montero, 2007): e.g. go to demonstrations, follow calls to boycott products or actions, etc. The latter group is acting outside institutions, thus his political action is not only about a specific position but forms also matter and are plenty of meaning.

In general, we’re seeing a change of attitude where conventional engagement is decreasing (i.e. less people being partisans in a political party) while unconventional politics are increasing. One of the reasons being dissatisfaction towards performance of representative democracy.

Combination of attitudes:

• Disaffected citizens: dissatisfaction + low involvement = apathy, non, participation
• Critical citizens: dissatisfaction + involvement = unconventional participation
• Institutionalized citizens: satisfaction + involvement = conventional participation

Social networking sites provide both a qualitative and a quantitative change: higher amount of available information combined with a higher diversity of discourses; contacts and exchanges in horizontals processes (citizen to citizen) made possible while the control of communication stays in the users’ hands; interactivity.

Social networking sites also represent an open gate towards unsolicited, though relevant, information that affects your peers, or your weak ties, but that (positively) reshapes one’s own context.

Consequences:

• Tools for citizen empowerment: processes of communication are citizen-initiated (vs. elite directed)
• Reinforcement / promotion of attitudinal change: non-hierarchical communication processes
• Impact on critical citizens but also on institutionalized profiles

Internet use fosters unconventional forms of participation, a hypothesis verified for the Spanish case.

New opportunity for formal institutions to reconnect to the public, to try and bring them back to the representative democracy arena. This will of course require an adaptation to web 2.0 technologies in the exchanges with the citizens: abandoning the top-down logic, certain degree of decentralization, and higher granularity of participation.

Nobody knows more than everyone together
José Antonio Donaire, Member of the Catalan Parliament, Catalan Socialist Party.

Politics 2.0 is not ICT-enhanced politics, or e-Politics. It’s a change of paradigm enabled by a technological change.

Change of paradigm:

• The crisis of the autoritas, in the case of representative democracy, the crisis of parties, where a minority sets the general agenda in contradiction with a supposed representative democracy. The change should be towards deliberative democracy, the collective intelligence, collaborative work. The more people debate on a subject, the lower the margin of error. But not only to decrease errors: the deliberative process is a goal in itself. Deliberative democracy negates the autoritas and brings the wisdom back to the collective.
• Adaptation from politics to policies, from the big politics to the policies of shades and the small details.
• The appearance of complexity, where the same person can have different opinions that not necessarily match the traditional division of left-wing, right-wing or a specific ideology. Multiple identities have to be acknowledged and hence spaces for contact need to be enabled.

How to put this into practice? Different models that can be understood as progressive stages:

• Politicians 2.0: the members of the Parliament, etc. have twitter or Facebook accounts, write on their blogs, etc. This provides transparency, interaction, a first person communication (despite the vertical discourse of the party), proximity. Politicians 2.0 are, nevertheless, a necessary but not sufficient step towards Politics 2.0
• Political means 2.0, that enable participation, the collective intelligence, managing the complex, rewarding or recognising meritocracy. A wiki, for instance, can allow most of these aspects. The network also generates autoritas, but it is a well deserved autoritas. The Catalan Parlament 2.0 could be an example of this.
• Politicized means 2.0, that enable the exchange of ideas, community building and creation of communities, cyberactivism, against particracy. The pros is that people debate seriously, the cons is that they might lead to quasi-parties.
• Political spaces 2.0: gathering spaces, dialogue and exchange, complex identities, against particracy.

A distinction between direct democracy and deliberative democracy. The Net to directly decide can lead to dangerous outcomes or problems as the NIMBY, lobbying or even taking the whole system as a joke (e.g. the Spanish “efecto Chikilicuatre”, where Spaniards chose a stand-up comedy actor to represent Spain at Eurovision).

But politics will be 2.0 or won’t be.

Ricard Espelt, Copons Town Councillor, in charge of Economic Promotion, New Technologies and Communication.

In a small town like Copons, problems are small but real ones, and the traditional solution would be that the citizen would shift the problem towards the city council, which might or might not solve the problem, given their limited resources.

Copons 2.0 aims at bringing the citizen back in the equation.

Problems should be able to be rephrased as alternatives, opportunities, requirements… In any case, a problem should be an excuse for a debate, for an encounter within the town and within citizens themselves.

The Administration is seen as a resource, but its limits are properly framed and known by everyone.

And the citizen is, again, no more a “whiner” but someone who can also contribute with solutions, or contributing to “the” solution.

Social networking sites put all these things together, making possible sharing, deliberation, participation, etc.

Far from corporativism, Copons opted for universal and socialized tools, in the cloud, for free: Wordpress, Facebook, Flickr, etc. and everything licensed with Creative Commons. Notwithstanding, opinions were only accepted if backed with a real digital profile, even if they were popular or widely accepted.

Surprisingly, online administrative processes have been the less popular, being participative tools the most used. The major: There’s no opposition: it is the citizens who are watching us. Working on the net and in such a framework, the administration has to be transparent and the citizens ask for highest degrees of accountability, responsibility, etc.

What happens with the digital divide? Wifi areas and digital literacy workshops were created to help the laggards catch up with the rest. Training is made on a peer-to-peer basis, where initiated volunteers help their neighbours. Now, more people have digital profiles, there’s more broadband penetration, offline debate has been enriched and enhanced by online debate, people self-organize. A good pro: everybody knows who their representatives are and viceversa.

The Copons 2.0 project has been able to deal with quite complex problems, problems that came from a long tail of approaches, that gathered all the relevant agents (known and unknown) affected by the problem, etc. And sometimes, the identified solutions belonged not to the Government sphere, but to a shared set of responsibilities/responsibles. But, as monitoring is constant, solutions are temporal and they quickly enter a process of constant improvement… as in a permanent beta.

Q&A

Franck Dumortier: Where are the limits of conventional and unconventional? How is your digital identity affected by you participation conventionally or unconventionally? (e.g. a demonstration that ends up with you on jail because of some uncontrolled riots)

Ismael Peña-López: the impact of SNS on critical and institutionalized citizens, is it the same one? Is it more “2.0″ in the case of critical/grassroots and more “1.0″ in the case of institutionalized/top-down? José Antonio Donaire: we’ll most probably be seeing Politics 2.0 made up of the 4 stages mentioned below. On the other hand, it not about web 2.0 tools, or web 2.0 tools used the 1.0 or the 2.0 way, but whether there is a deliberative process, however it takes place. Marta Cantijoch: Agreed, it’s not about technology but processes and philosophy, a participatory one, despite whether it is made with web 1.0 or 2.0 applications.

Ismael Peña-López: does Politics 2.0 require a lot more effort/work or can it be mainstreamed in every day’s politics? Ricard Espelt: more than a matter of workload, is a matter of attitude, whether one wants to engage with the citizenry or wants to be pro-active in politics, or just sit on the City Council.

Q: How does participatory politics fit with a party system, closed, not really representative, power centred, top-down managed, etc.? Why should I speak with a politician, interact with them, if they are wired to/by the party? José Antonio Donaire: I’m absolutely for open lists in elections. But, but this radically change the scenario? It might make the individual politician more responsible, but the change of paradigm goes way beyond that. A representative system is efficient, but it does not necessarily require that it is the party/government who decides both the agenda and the results of the agenda setting. There is an urgent need to recover the debate, the collective finding of the truth, the enlightenment.

Albert Batlle: What happens with the profile of satisfied citizen but not active/engaged? Marta Cantijoch: this profile perfectly fits within the Institutionalized group.

Albert Batlle: How do we scale up the Copons 2.0 model? For instance, from the local to the national or the international level. How do we reach consensus there? Ricard Espelt: We have a low sense of the common good and of the community. The problem of scalability is most probably not a matter of size, but of consensus. Big participatory projects do not work not because they are big, but because they are top-down. José Antonio Donaire: Maybe what works is common interest. If Copons 2.0 works it might be because the small town is thematically coherent. We thus can build bigger communities that, notwithstanding, have a common thematic core. And the politician should have channels so that they can practice an active hearing, a way to gather knowledge in which to base their decisions.

Q: (to José Antonio Donaire) Why should a politician want to end up politics? What does it mean ending up conventional politics? How would you then become a Member of Parliament? A: I am aware that representative politics works, but it is a fragile one, and there’s evidence of disaffection and of loss of sense of community. When talking about politics outside politics, this means not without politics, but outside of (or without) conventional politics. The idea is not throwing politicians away, but working with the citizens to set up the agenda, to decide what’s to be decided, etc.

Mònica Vilasau: How do we connect engagement and a call for participation with results? How not to deceive people? Is it easier in smaller places? Are outcomes easier to achieve at smaller scales? José Antonio Donaire: It’s better a citizen association building up a website and imagining what they’d like, than the City Council asking for ideas. A good example could be Las 1001 Ideas.

Ana Sofía Cardenal: For a deliberative democracy, we need a genuine motivation. But there are demagogues that want to manipulate the public arena. What to do with them? José Antonio Donaire: On the Net, reputation is very transparent. In a network of people it is more difficult to be cynical.

More Information

• IDP2009: Political Participation, by Daithí Mac Sithigh
• #IDP_UOC: V Congrés Internet, Dret i Política: Participació política i xarxes socials, by Ricard Espelt
• II Congrés d’Internet, Política i Dret de la UOC (2na part), by Gemma Urgell
• La participación representativa y la extrarepresentativa, by Xavier Peytibí
• Ningú sap mes que tots plegats, by Xavier Peytibí
• Copons 2.0, by Xavier Peytibí
• Nadie sabe más que todos juntos, by Xavier Peytibí
• Usnownc en el V Congreso Internacional IDP de la Uoc: Cara y cruz de las redes sociales, 2a jornada, by Idoia Llano

Notes from the the 5th Internet, Law and Politics Conference: The Pros and Cons of Social Networking Sites, organized by the Open University of Catalonia, School of Law and Political Science, and held in Barcelona, Spain, on July 6th and 7th, 2009. More notes on this event: idp2009.

Policies for a safer Internet
Chaired by Agustí Cerrillo

Óscar Martínez de la Torrre, Spanish Ministry of Industry, Tourism and Trade.

The Plan Avanza [the Spanish plan to foster the Information Society] had an important part in raising awareness on the risks of the Internet, but also on providing confidence to newcomers.

The Spanish Law for the Access to Electronic Public Services also included strong measures to provide these services with high levels of confidence, e.g. so that people felt equally secure e-invoicing as invoicing.

The Spanish government has issued several other initiatives to promote confidence and security on the Internet as accompanying measures to major stratetegies like the promotion of Internet in the classroom, G2B and B2B projects, etc.

One of the drawbacks that we usually find in security measures is that humans are the weakest link: technology can be prepared to face difficult challenges or strong security attacks, but humans — because of ignorance, lack of digital literacy or just because they forget to — quite often perform actions in most insecure ways.

Robustness of infrastructures, collaboration platforms or emergent IT models are strategic issues to develop safer Internet strategies at the telecoms level.

The ITU has developed a set of procedures on Internet security available at http://www.itu.int/ITU-D/cyb/cybersecurity/.

Catalonia National Information Security Plan
Nacho Alamillo, Director General Astrea La Infopista Jurídica S.L.

Surprisingly, there are few attacks in comparison to how poorly prepared are the Administrations, firms and citizens in matters of Internet security. And one of the problems of cybercrime is not only cybercrime itself, but that it is normally tied to other illegal actions such as laundry money, (forced) prostitution, etc.

Reasons why people and institutions are poorly protected: lack of awareness, bad code/software, speed of technological changes (e.g. anti-virus being obsolete in 10′), lack of resources (e.g. small towns with -500 inhabitants but holding their data).

Main drivers of safer Internet policies: Privacity, e-Administration and secure infrastructures.

Strategic goals of the Catalonia National Information Security Plan:

• Establishment of a nation-wide safety strategy: research, awareness, collaboration within Administrations, fostering existing initiatives, etc.
• Backing the protection of critical infrastructures, especially those obsolete (“old is easier to attack”): electronic communications, electronic systems for industry control (SCADA), priority lines, etc.
• Fostering of a business network that provides secure IT: industrial policy to promote secure IT, creation of a private sector that provides social benefits, community based on free software.
• Increasing confidence in the Information Society: fight against cybercrime, help lines to risk-prone collectives

Q&A

Ramon Codina: IPv6, which is known to be more secure, is going to be implemented in the short run at the Spanish level? Óscar Martínez: There are already “islands” that have implemented this protocol, but interoperability with other protocols is still a barrier. On the other hand, and as usual, the chain is as strong as its weaker link, which means that the implementation of the IPv6 should be made at the international level or, at least, at a European level. And this is still a far horizon.

Ismael Peña-López: After a first wave to put up content and handbooks and guidelines about security on a push-strategies basis, are we seeing a shift towards pull-strategies? Nacho Alamillo: We are trying to embed security procedures in each and every daily procedure in education, retail selling, etc. so that it becomes invisible and “normal” in everyone’s life. Óscar Martínez: We are trying too to create self-learning content instead of top-down training plans, so to give answers to people when they have the questions, and not the other way round. On the other hand, we’d rather focus on toolkits (again, answering specific questions) rather than generic handbooks, more how-to’s or what for’s instead of theoretical approaches.

Marc Tarrés: What’s the state of standards? Are they converging towards consensus? Nacho Alamillo: So far, there’s many of them and this poses a real coordination problem, though many efforts are being put in this subject.

More information

• IDP2009: A Safe Internet, by Daithí Mac Sithigh