Wolter Pieters

Provable anonymity

This paper provides a formal framework for the analysis of information hiding properties of anonymous communication protocols in terms of epistemic logic.The key ingredient is our notion of observational equivalence, which is based on the cryptographic structure of messages and relations between otherwise random looking messages. Two runs are considered observationally equivalent if a spy cannot discover any meaningful distinction between them.We illustrate our approach by proving sender anonymity and unlinkability for two anonymizing protocols, Onion Routing and Crowds. Moreover, we consider a version of Onion Routing in which we inject a subtle error and show how our framework is capable of capturing this flaw.

Security Implications of Virtualization: A Literature Study

Server virtualization is a key technology for todays data centers, allowing dedicated hardware to be turned into resources that can be used on demand.However, in spite of its important role, the overall security impact of virtualization is not well understood.To remedy this situation, we have performed a systematic literature review on the security effects of virtualization. Our study shows that, given adequate management, the core virtualization technology has a clear positive effect on availability, but that the effect on confidentiality and integrity is less positive.Virtualized systems tend to lose the properties of location-boundedness, uniqueness and monotonicity.In order to ensure corporate and private data security, we propose to either remove or tightly manage non-essential features such as introspection, rollback and transfer.

RIES - Internet voting in action

RIES stands for Rijnland Internet Election System. It is an online voting system that has been used twice in the fall of 2004 for in total over two million potential voters. In this paper we describe how this system works. Furthermore we describe how the system allowed us to independently verify the outcome of the elections - a key feature of RIES. To conclude the paper we evaluate possible threats to this system and describe some possible points for improvement.

Acceptance of voting technology: between confidence and trust

Social aspects of security of information systems are often discussed in terms of “actual security” and “perceived security”. This may lead to the hypothesis that e-voting is controversial because in paper voting, actual and perceived security coincide, whereas they do not in electronic systems. In this paper, we argue that the distinction between actual and perceived security is problematic from a philosophical perspective, and we develop an alternative approach, based on the notion of trust. We investigate the different meanings of this notion in computer science, and link these to the philosophical work of Luhmann, who distinguishes between familiarity, confidence and trust. This analysis yields several useful distinctions for discussing trust relations with respect to information technology. We apply our framework to electronic voting, and propose some hypotheses that can possibly explain the smooth introduction of electronic voting machines in the Netherlands in the early nineties.

Explanation and trust: what to tell the user in security and AI?

There is a common problem in artificial intelligence (AI) and information security. In AI, an expert system needs to be able to justify and explain a decision to the user. In information security, experts need to be able to explain to the public why a system is secure. In both cases, an important goal of explanation is to acquire or maintain the users’ trust. In this paper, I investigate the relation between explanation and trust in the context of computing science. This analysis draws on literature study and concept analysis, using elements from system theory as well as actor-network theory. I apply the conceptual framework to both AI and information security, and show the benefit of the framework for both fields by means of examples. The main focus is on expert systems (AI) and electronic voting systems (security). Finally, I discuss consequences of the analysis for ethics in terms of (un)informed consent and dissent, and the associated division of responsibilities.

The Precautionary Principle in a World of Digital Dependencies

As organizations become deperimeterized, a new paradigm in software engineering ethics becomes necessary. We can no longer rely on an ethics of consequences, but might instead rely on the precautionary principle, which lets software engineers focus on creating a more extensive moral framework.

Security Policy Alignment: A Formal Approach

Security policy alignment concerns the matching of security policies specified at different levels in socio-technical systems, and delegated to different agents, technical and human. For example, the policy that sales data should not leave an organization is refined into policies on door locks, firewalls and employee behavior, and this refinement should be correct with respect to the original policy. Although alignment of security policies in socio-technical systems has been discussed in the literature, especially in relation to business goals, there has been no formal treatment of this topic so far in terms of consistency and completeness of policies. Wherever formal approaches are used in policy alignment, these are applied to well-defined technical access control scenarios instead. Therefore, we aim at formalizing security policy alignment for complex socio-technical systems in this paper, and our formalization is based on predicates over sequences of actions. We discuss how this formalization provides the foundations for existing and future methods for finding security weaknesses induced by misalignment of policies in socio-technical systems.

Statically checking confidentiality via dynamic labels

This paper presents a new approach for verifying confidentiality for programs, based on abstract interpretation. The framework is formally developed and proved correct in the theorem prover PVS. We use dynamic labeling functions to abstractly interpret a simple programming language via modification of security levels of variables. Our approach is sound and compositional and results in an algorithm for statically checking confidentiality.

Electronic Voting in the Netherlands: From Early Adoption to Early Abolishment

This paper discusses how electronic voting was implemented in practice in the Netherlands, which choices were made and how electronic voting was finally abolished. This history is presented in the context of the requirements of the election process, as well as the technical options that are available to increase the reliability and security of electronic voting.

Temptations of turnout and modernisation: e-voting discourses in the UK and the Netherlands

Purpose – The aim of the research described was to identify reasons for differences between discourses on electronic voting in the UK and The Netherlands, from a qualitative point of view. Design/methodology/approach – From both countries, eight e-voting experts were interviewed on their expectations, risk estimations, cooperation and learning experiences. The design was based on the theory of strategic niche management. A qualitative analysis of the data was performed to refine the main variables and identify connections. Findings – The results show that differences in these variables can partly explain the variations in the embedding of e-voting in the two countries, from a qualitative point of view. Key differences include the goals of introducing e-voting, concerns in relation to verifiability and authenticity, the role of the Electoral Commissions and a focus on learning versus a focus on phased introduction. Research limitations/implications – The current study was limited to two countries. More empirical data can reveal other relevant subvariables, and contribute to a framework that can improve our understanding of the challenges of electronic voting. Originality/value – This study shows the context-dependent character of discussions on information security. It can be informative for actors involved in e-voting in the UK and The Netherlands, and other countries using or considering electronic voting.