In the latest Cryptogram newsletter,
December 16, 2000 5:46 PM

In the latest Cryptogram newsletter, security expert Bruce Schneier makes some interesting points about voting, voting machines and computers. The web version of this article won't be up for a few weeks so I have reproduced it here.
posted by lagado (2 comments total)
In the wake of last November's election, pundits have called for more
accurate voting and vote counting. To most people, this obviously means
more technology. But before jumping to conclusions, let's look at the
security and reliability issues surrounding voting technology.

The goal of any voting system is to establish the intent of the voter, and
transfer that intent to the vote counter. Amongst a circle of friends, a
show of hands can easily decide which movie to attend. The vote is open
and everyone can monitor it. But what if Alice wants _Charlie's Angels_
and Bob wants _102 Dalmatians_? Will Alice vote in front of her
friends? Will Bob? What if the circle of friends is two hundred; how long
will it take to count the votes? Will the theater still be showing the
movie? Because the scale changes, our voting methods have to change.

Anonymity requires a secret ballot. Scaling and speed requirements lead to
mechanical and computerized voting systems. The ideal voting technology
would have these five attributes: anonymity, scalability, speed, audit,
and accuracy -- direct mapping from intent to counted vote.

Through the centuries, different technologies have done their best. Stones
and pot shards dropped in Greek vases led to paper ballots dropped in
sealed boxes. Mechanical voting booths and punch cards replaced paper
ballots for faster counting. New computerized voting machines promise even
more efficiency, and Internet voting even more convenience.

But in the rush to improve the first four attributes, accuracy has been
sacrificed. The way I see it, all of these technologies involve
translating the voter's intent in some way; some of them involve multiple
translations. And at each translation step, errors accumulate.

This is an important concept, and one worth restating. Accuracy is not how
well the ballots are counted by, for example, the optical scanner; it's how
well the process translates voter intent into properly counted votes.

Most of Florida's voting irregularities are a direct result of these
translation errors. The Palm Beach system had several translation steps:
voter to ballot to punch card to card reader to vote tabulator to
centralized total. Some voters were confused by the layout of the ballot,
and mistakenly voted for someone else. Others didn't punch their ballots
so that the tabulating machines could read them. Ballots were lost and not
counted. Machines broke down, and they counted ballots
improperly. Subtotals were lost and not counted in the final total.

Certainly Florida's antiquated voting technology is partially to blame, but
newer technology wouldn't magically make the problems go away. It could
even make things worse, by adding more translation layers between the
voters and the vote counters and preventing recounts.

That's my primary concern about computer voting: There is no paper ballot
to fall back on. Computerized voting machines, whether they have keyboard
and screen or a touch screen ATM-like interface, could easily make things
worse. You have to trust the computer to record the votes properly,
tabulate the votes properly, and keep accurate records. You can't go back
to the paper ballots and try to figure out what the voter wanted to
do. And computers are fallible; some of the computer voting machines in
this election failed mysteriously and irrecoverably.

Online voting schemes have even more potential for failure and abuse. We
know we can't protect Internet computers from viruses and worms, and that
all the operating systems are vulnerable to attack. What recourse is there
if the voting system is hacked, or simply gets overloaded and fails? There
would be no means of recovery, no way to do a recount. Imagine if someone
hacked the vote in Florida; redoing the election would be the only possible
solution. A secure Internet voting system is theoretically possible, but
it would be the first secure networked application *ever created* in the
history of computers.

There are other, less serious, problems with online voting. First, the
privacy of the voting booth cannot be imitated online. Second, in any
system where the voter is not present, the ballot must be delivered tagged
in some unique way so that people know it comes from a registered voter who
has not voted before. Remote authentication is something we've not gotten
right yet. (And no, biometrics don't solve this problem.) These problems
also exist in absentee ballots and mail-in elections, and many states have
decided that the increased voter participation is more than worth the
risks. But because online systems have a central point to attack, the
risks are greater.

The ideal voting system would minimize the number of translation steps, and
make those remaining as simple as possible. My suggestion is an ATM-style
computer voting machine, but one that also prints out a paper ballot. The
voter checks the paper ballot for accuracy, and then drops it into a sealed
ballot box. The paper ballots are the "official" votes and can be used for
recounts, and the computer provides a quick initial tally.

Even this system is not as easy to design and implement as it sounds. The
computer would need to be treated like safety- and mission-critical
systems: fault tolerant, redundant, carefully analyzed code. Adding the
printer adds problems; it's yet another part to fail. And these machines
will only be used once a year, making it even harder to get right.

But in theory, this could work. It would rely on computer software, with
all those associated risks, but the paper ballots would provide the ability
to recount by hand if necessary.

Even with a system like this, we need to realize that the risk of errors
and fraud cannot be brought down to zero. Cambridge Professor Roger
Needham once described automation as replacing what works with something
that almost works, but is faster and cheaper. We need to decide what's
more important, and what tradeoffs we're willing to make.

This is *the* Web site on electronic voting. Rebecca Mercuri wrote her PhD
thesis on the topic, and it is well worth reading.

Good balanced essays:

Pro-computer and Internet voting essays:

Problems with New Mexico computerized vote-counting software:

posted by lagado at 5:47 PM on December 16, 2000
