Email contact for this page: ed@gerck.com
with subject prefix [EG]
Copyright © 1997-2004 by E. Gerck. All rights
reserved, free copying and citation allowed with source and author reference.
1. Short-form Biography
2. Papers
3. Statement on Electronic and Internet Voting
Ed Gerck is a recognized leader in Internet security and cryptography. He received his doctorate in physics (Dr.rer.nat.) from the Ludwig-Maximilians-Universitaet and the Max-Planck-Institut fuer Quantenoptik in Munich, Germany, 1983, with maximum thesis grade ("sehr gut"). With a background in lasers and quantum mechanics, he has worked in cryptography since 1987. He has been involved in the development of software since 1972, in languages such as FORTRAN, ALGOL, BASIC, x86/x87 Assembler, Pascal, C, C++, Java, Perl, and PHP for DOS, Windows and Unix platforms. His work has become a reference in laser physics, cryptography, digital certificates and voting.
Dr. Gerck’s work in information security gained worldwide momentum in 1997 when he began to use the Internet to publicly discuss his "bottom-up" approach to the entire subject of trust, PKI and Internet security. Understanding human trust brought him to that great IT question, in 1997: how can I trust a set of bytes? His answer, given first in a short email to the MCG list and immediately published in a book on digital certificates (ISBN 0-20-130980-7), has been useful in the field of information security worldwide. The answer provides a framework for understanding human trust (as expected fulfillment of behavior) and for bridging trust between humans and machines (as qualified information based on factors independent of that information). His work has received extensive worldwide press coverage from New York Times, Le Monde, O Globo, Forbes, CBS, CNN, Business Week, Wired, San Jose Mercury News, Aftonbladet and USA Today. In 1999 Dr. Gerck was a member of the Registry Advisory Board of Network Solutions, Inc. (NSI). Dr. Gerck is also the founder of the Meta-Certificate Group (MCG), chairman of the board of the Internet Voting Technology Alliance (IVTA), founder of NMA, Inc. and founder and CEO of Safevote, Inc.
I have been interested in the design and development of large-scale, secure and reliable Internet-based infrastructure services where users (including their machines, operating systems and software) are not initially trusted to any extent. In other words, to introduce trust as an explicit part of the Internet design, with as few changes as possible, which trust was implicit when the Internet (prior to commercial operation) was based on an honor system for the users and their machines. In particular, I believe that trusting user intervention (even to simply update software) is a very weak assumption. Thus, I am especially interested in solutions that can solve current security and network problems without trusting user intervention. I am currently working on the topics covered in the following papers. If you are interested in one or more of these topics you are welcome to send me your comments. If you want copies of other papers or papers not available online, please send me an email.
VOTING SYSTEM REQUIREMENTS: A voting system requirements proposal evolved during public list discussions at the IVTA in September-November 2000, motivated by a technologically-neutral voting model I suggested to the group (see VOTING MODEL, below). The proposal recognizes the need for strict voting standards, with a set of 16 requirements that are technologically neutral and can be applied to paper, electronic and Internet voting. A main motivation for the proposal was to exceed the current requirements for paper-based ballots in the U.S., and also those used for electronic voting DRE (Direct Recording Electronic) machines. The proposal was presented in several conferences for further input. By invitation, it was also presented at the United Nations conference on e-government in Palermo, Italy, in April 2002. A copy of the latest version of the proposal is available at http://thebell.net/papers/vote-req.pdf
DRE - ELECTRONIC VOTING: On August 2-30, 2001, I presented an invited paper at the WOTE'01 conference in Tomales Bay, California. The conference was about trustworthiness in voting systems. My paper was on the Witness Voting System, a provable, reliable solution for voter-verified electronic voting (DRE), providing integrity and anonymity proofs, that does not use paper ballots. A copy is available in the conference proceedings at http://safevote.com/doc/gerck-witness.pdf
INTERNET VOTING: Published in 2002. Ed Gerck: Private, Secure and Auditable Internet Voting, chapter in "Secure Electronic Voting: Trends and Perspectives, Capabilities and Limitations", Edited by Prof. Dr. Dimitrios Gritzalis, Kluwer Academic Publishers, 2002, ISBN 1-4020-7301-1. See also http://www.wkap.nl/prod/b/1-4020-7301-1?a=1 This document presents a set of voting system requirements that are consistent, can be applied to paper, electronic and network (Internet) voting, and exceed the current requirements for paper-based ballots and electronic voting DRE (Direct Recording Electronic) machines. The requirements are based on the principles of Information Theory and of trust as qualified reliance on information, favoring multiple, independent channels of information over one purportedly "strong" channel. However, adding multiple channels can also decrease reliance if the design principles laid out in these requirements are not followed.
VOTING MODEL: A voting model that is technologically neutral is postulated, allowing voting system requirements to be defined for any technology that is or may become available. The model is based on the principles of Information Theory and of trust (see TRUST, below) as qualified reliance on information, favoring multiple, independent channels of information over one purportedly "strong" channel (e.g., paper ballots). See "The Business of Electronic Voting", panel by Ed Gerck, C. Andrew Neff, Ronald L. Rivest, Aviel D. Rubin, Moti Yung. Financial Cryptography 2001: 243-268. Springer Verlag.
TRUST: how can I trust a set of bytes? Understanding human trust allowed me to answer this great IT question, in 1997, with a model useful for both human and machine dialogue. Trust is that which is essential to a communication channel, but cannot be transferred using that channel. This answer provides a framework for understanding human trust (as expected fulfillment of behavior) and for bridging trust between humans and machines (as qualified information based on factors independent of that information). The original reference is http://nma.com/mcg-mirror/trustdef.htm . Please google for "gerck trust" to find newer papers, applications and also comments by others. See also "Trust Points" by E. Gerck in "Digital Certificates: Applied Internet Security" by Jalal Feghhi, Jalil Feghhi and Peter Williams, Addison-Wesley, ISBN 0-20-130980-7, pages 194-195, 1998.
X.509, PKI, DIGITAL CERTIFICATES: http://thebell.net/papers/certover.pdf . This revised version was published in part in THE BELL, Vol. 1, No. 3, p. 8, July 2000. The original HTML version has been downloaded more than 1,000,000 times over the last three years. It was first published in the Meta-Certificate Group (MCG) website and was also presented by invitation at the '99 Black Hat Conference in Las Vegas, NV. The original reference is http://nma.com/mcg-mirror/cert.htm
INTERNET MODEL: The original, and current, Internet design is based on an honor system for the end points, the model being that the connection was less trusted than the end points. Access to the end points was granted under an honor system and usage rules were enforceable. Reality showed that the model was upside down for commercial operation. The end points are less trusted than the connection. In fact, even if usage rules are enforceable at some connection points, the end points cannot be controlled. Anyone can connect to the network. There is no honor system. Usage rules are in fact not enforceable; users can hide and change their end points. The solution is to introduce trust as an explicit part of the design, which trust was implicit when the Internet was based on an honor system. Of course, updating the Internet design to fit its current operating conditions is useful not only to stop spam. Social engineering and spoofing attacks also rely on the old honor system where users are trusted. "Trust no one" should be the initial state under the new Internet paradigm. The bottom line is that trust depends on corroboration with multiple channels (see Trust, above) while today we have neither (a) the multiple channels nor (b) the corroboration mechanisms. So, we lack trust because we can't communicate it. Current work includes proposals and tests to combat spam, spoofing, and denial of service, as well as information-theoretic secure authentication integrated with authorization for access control. A reference for the latter is http://nma.com/papers/e2e-security.htm
INFORMATION SECURITY ANALYSIS: Most security products profess to solve broad problems when enterprises really need specific solutions. As an IT consultant, I have performed several analyses of commercial services and products, identifying the specific solutions needed by enterprises. A reference paper is available at http://nma.com/papers/wcs_security.pdf , a case study of NCR, Inc. A summarized discussion is available in "IT Security: Dollar Decisions that Make Sense" at http://www.contingencyplanning.com/PastIssues/mar2003/2.asp
3. Statement on Electronic and Internet Voting
While correctly criticizing current problems in electronic voting, some abhor any kind of voting that is electronic, as if the only possible outcome of such an election would be a "government by magic". But magic, endemic fraud in paper ballots, for 200 years in the U.S., is exactly one of the reasons that is driving this society to develop better solutions. In the same way that we found a way for using the Internet to file Income Tax Returns, to buy a book, to reliably read stock quotes and trade them, we will find ways to use the Internet to make our vote count, with less hassle, less fraud and less cost than today. With moderation and caution, 101 years ago a contraption heavier than air did fly.
With public elections, usually requiring polling and tabulating millions of votes, we have no choice but to move from art to science. Votes need to be verified and voters are certainly one party that can do it. However, you never want to allow the voter to take any kind of "receipt" out of the voting station if that receipt can be used to determine how the voter voted, e.g. by matching a number or pattern on the ballot. No one should be able to prove how the voter voted, not even the voter. Otherwise, vote selling and coercion cannot be prevented. I also think that there should be independent representations of the ballot data, as witnesses of the ballot as cast by the voter. When these witnesses exist, they must all be audited for consistency. This can be done efficiently with a proper random sampling. Further, as it is already legal today in the U.S., voters should be able to cast their ballots at a poll precinct as well as at home, at work, and abroad.
I believe that all of this can be done using paper and/or computers and/or networks of computers, including cases where the network can be the phone network and/or the Internet. Further, I believe that using computers and networks, while there must be great caution and moderation, has the yet unrealized potential to reduce fraud, increase voter diversity, increase voter participation and reduce costs.
Moreover, election systems need to eliminate all physical connections between production system (the election) and development (the vendor). This is a security lesson from the banking sector. Vendors must not be allowed to operate their machines during an election, as it is routinely done today in the US. This current, bad security practice also contains a potential conflict of interest, as the vendor has an interest in selling a machine that is difficult to operate.
Finally, all aspects of an election need to be secure, auditable and verifiable according to these principles. There's certainly room for progress in voting.