Slashdot Mirror


Electronic Voting's Fundamental Flaws

phil reed writes "Given the latest fiasco in Florida's continuing attempts to implement a decent voting system, I thought it would be appropriate to alert Slashdot readers to the work of Dr. Rebecca Mercuri. She's been studying voting systems for many years, and has developed well-considered positions on what makes a good electronic voting system (and what makes a bad one). Her comments on the Florida 2002 election can be found in the current Risks Digest. And, if you think that creating a computer-based voting system is easy, she provides a suggested list of questions that should be answered by any developer." Mercuri's statement in Risks is well worth reading. With all due respect, she is wrong in some respects: it is possible to create a fully-verified electronic system. Start with completely open code and thoroughly examined hardware, create an audited system for installing the code on the hardware, and make it tamper-evident so that you know the same code is still there when the machine reaches the voting booths. Bootable, hologrammed, serial-numbered CD-ROMs with individual private keys would do the trick. Mercuri is thinking in terms of vendors selling proprietary "solutions", where she's absolutely right: there's no way to verify that what people punch in is what is actually recorded.

11 of 345 comments

  1. Humans involved by kryonD · · Score: 4, Insightful

    Unfortunately, as long as there are humans involved, corruption will always be there. From the guys paid to write the software, to the DB admins, to our friends at M$ who will undoubtedly provide a security-lacking OS to run the system on, voting will always be called into question when it gets as close as it did between Gore and Bush.

    --
    I've dirtied my hands writing poetry, for the sake of seduction; that is, for the sake of a useful cause. --Dostoevsky
  2. With All due respect... by synx · · Score: 5, Insightful

    Michael, I think you don't quite know what you're talking about. First you say a recognized expert is kinda right, but lo and behold, if only we had open source, that would be the end of our woes.

    You have to remember that most open source software doesn't provide any degree of assurance other than "it's been used by a lot of people". This really isn't an option for vertically integrated solutions such as digital voting. Just how many hobbyists are going to "hack on" the GNU Vote system?

    The track record on contribution by the general public to OSS projects is pretty poor. Look at Mozilla, emacs, linux kernel, etc. Most of the significant contribution has been done by a relatively small number of persons. While lots of useful bug reports and patches have been submitted, I think for electronic voting we need a bit more than "lots of people have submitted bug patches."

    What she is talking about here is engineered assurance. OSS is a source code policy, not an engineering style.

  3. Security not *that* important by Skyshadow · · Score: 5, Insightful
    I think there's too much emphasis on preventing fraud, as if voting fraud is somehow a new phenomenon unique to electronic voting. While security is naturally important, I think it's equally vital to have a reliable, easy-to-audit and hard-to-break system.

    With that in mind, I think the best system is still a card system (specifically the "complete the arrow" system). It won't crash, it's recountable as many times as you need (no chads shaking loose in the counting machine) and it's so easy that even the retarded old people living in certain Florida counties can figure it out.

    The best part is that it uses no complex parts (which, according to Murphy's Law, are prone to failure on election day). Just a paper and pen -- beat that. Add a reasonable amount of physical security (deputies at each location, plus maybe a representative from each major party to observe) and you're good to go.

    This is one of those situations where overthinking and overengineering comes back to bite you.

    --
    Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
    1. Re:Security not *that* important by swillden · · Score: 4, Insightful

      With that in mind, I think the best system is still a card system (specifically the "complete the arrow" system). It won't crash, it's recountable as many times as you need (no chads shaking loose in the counting machine) and it's so easy that even the retarded old people living in certain Florida counties can figure it out.

      Hear, hear. Paper and ink has huge advantages when it comes to ballots. Everyone can see exactly who they voted for, the votes can be recounted at will and, maybe most importantly, we know how to secure and audit the management of lockboxes of paper votes. Been doing it for a long time.

      The one downside of hand-marked paper ballots is that they're hard to count electronically. If electronic counting is important, I think a hybrid system is the way to go: use a nice, easy-to-use touch screen to make your selections and then have a printer mark your votes on the paper ballot in both human and machine-readable formats. Then, at tally time, you can rapidly and accurately generate a file containing all of the numbered ballots (grouped by voting district) and the votes cast. This file can then be published and anyone who wants to can tally up the votes for themselves.

      Further, you can take a random sample of the paper ballots and manually verify that the human-readable portion, the computer-readable portion and the tally file's summary of this ballot are all in perfect agreement. A relatively small sample can provide an extremely high level of confidence that the system is functioning correctly.

      With this kind of method, there is no question about the correctness of the software, whether open or closed, because if it prints the wrong selections on the human-readable portion, the voter will catch it. If it prints the wrong selections in the computer-only portion or if the counting system makes errors, the random verification will catch it. If there are errors, you can always fall back on purely manual counting.

      Electronic ballot-counting does have some advantages over manual counting: it's cheaper, faster, apolitical and the notion of a published "tally file" makes it more open and more widely verifiable.

      But, given a choice between a purely paper-based system and a purely electronic system, I'll take paper. And I'll take just about anything over those punched cards.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
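The hybrid scheme described in the comment above (ballots printed in both human- and machine-readable form, a published tally file of numbered ballots grouped by district, and a random sample of paper ballots checked against both) as an added Python example; this is not code from the thread, and the tally file format, ballot ids and the one misprinted barcode are constructed assumptions. `miss_probability` is the hypergeometric chance that a random sample misses every altered ballot, which is what backs the claim that a small sample gives high confidence.

```python
from math import prod
# Constructed tally file (not from the thread): one numbered ballot per line,
# grouped by district, with the machine-readable selections as counted.
TALLY_FILE = """district,ballot,selections
D01,000001,PRES=Smith;SEN=Jones
D01,000002,PRES=Lee;SEN=Jones
D01,000003,PRES=Smith;SEN=Kim
D02,000004,PRES=Smith;SEN=Kim
D02,000005,PRES=Smith;SEN=Jones"""

def _ballot(pres, sen, bar_pres=None):
    """Constructed paper ballot: text the voter checked vs barcode the counter read."""
    return {"human": {"PRES": pres, "SEN": sen},
            "machine": {"PRES": bar_pres or pres, "SEN": sen}}

# Ballots pulled from the lockbox; 000004's barcode disagrees with its text.
PAPER_BALLOTS = {
    "000001": _ballot("Smith", "Jones"),
    "000002": _ballot("Lee", "Jones"),
    "000003": _ballot("Smith", "Kim"),
    "000004": _ballot("Lee", "Kim", bar_pres="Smith"),
    "000005": _ballot("Smith", "Jones"),
}

def parse_tally(text):
    """Parse the published tally file into {ballot: {district, votes}}."""
    records = {}
    for line in text.splitlines()[1:]:
        district, ballot, sel = line.split(",", 2)
        votes = dict(pair.split("=", 1) for pair in sel.split(";"))
        records[ballot] = {"district": district, "votes": votes}
    return records

def totals(records):
    """Recompute per-race totals from the file, as any reader of it can."""
    counts = {}
    for rec in records.values():
        for race, cand in rec["votes"].items():
            race_counts = counts.setdefault(race, {})
            race_counts[cand] = race_counts.get(cand, 0) + 1
    return counts

def audit(records, paper, sample_ids):
    """Ids of sampled ballots whose text, barcode and tally entry disagree."""
    return [b for b in sample_ids if not (
        paper[b]["human"] == paper[b]["machine"] == records[b]["votes"])]

def miss_probability(total, tampered, sample):
    """P(sample of `sample` ballots, no replacement, misses all `tampered` bad ones)."""
    return prod((total - tampered - i) / (total - i) for i in range(sample))
```

Any disagreement found by `audit` is the signal to fall back to a manual count, as the comment proposes; `miss_probability(1000, 10, 300)` shows that a 30% sample already leaves under a 5% chance of missing a 1% alteration.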
  4. suggested list by Sebastopol · · Score: 5, Insightful

    I think her suggested list applies to a lot more than voting. She deserves a lot of credit, because work like hers is the dirty work no one ever wants to do... real nuts-and-bolts stuff that takes lots of thought.

    I love it -- Take that all you kiddies who say "duh, how hard could it be? I could do it in perl in an afternoon, i'm so huge!" huge you are! ;)

    --
    https://www.accountkiller.com/removal-requested
  5. Re:Ya know.. by sdavid · · Score: 4, Insightful

    We only really know how bad the Florida system was because the election was a statistical tie, leading to the recounts and a very close look at the process. I'd suspect that many states have very similar problems, for example Maryland in the current primary, and we simply aren't as aware of them.

  6. Electronic voting completely open? by rsteele19 · · Score: 5, Insightful
    Michael's position that it is possible to create a fully verifiable electronic system seems to have one fundamental flaw: It is impossible to discern with certainty the processes that are occurring inside the machine.

    Consider a computer supplier that is co-opted by an unscrupulous political party. They create some sort of hardware mod that allows the contents of memory to be arbitrarily modified. Perhaps it can be controlled wirelessly. Suddenly bootable serial-numbered CD-ROMs aren't a solution.

    The advantage to the pencil-and-paper system is that to my knowledge, nobody has developed paper that can cause a mark on its surface to be erased and another mark drawn while the paper is in the ballot box. People can watch the ballot go into the box, they can watch it come out, and be sure that nothing has occurred to change the vote thereupon. When the vote is nothing but electrons inside a machine, this is much more difficult.

    --

    This sig is umop apisdn.

    1. Re:Electronic voting completely open? by wfrp01 · · Score: 4, Insightful

      And I'd add, another aspect of discerning with certainty what's happening within the machine is that everyone has to understand it. Theoretically provable to a handful of mathematicians and computer gurus doesn't cut it. Your grandma has to believe that the system is trustworthy. She has to comprehend how the system works. Counting holes punched in a piece of paper makes sense to people. Locking the paper up to prevent tampering, and having multiple independent auditing authorities in place makes sense to people. Cryptography does not.

      Use computers to rapidly tally the votes, sure. But why use computers to do the actual voting? What's the point? What is gained? You can count the votes in real time rather than taking minutes or hours. So what? Sometimes simple is good.

      --

      --Lawrence Lessig for Congress!
  7. My Brazilian experience by mangu · · Score: 5, Interesting
    I was in charge of a voting section in Brazil in 1998, when electronic voting was used in the whole country. I think security is an important matter, and source code for the whole system should be available to all parties. Auditing is a major concern in a totally electronic system. When I was in charge of that ballot, it recorded votes on a flash card, but I suppose that could be tampered with, since the system was closed source (the OS was based on MS-DOS, although the application source code was available to political parties).

    As an improvement to that, in this year's elections in Brazil a new system will be tried where the ballot prints the vote on a paper which will be shown to the voter through a transparent window, but will not be otherwise accessible before it's cut loose and drops into a sealed canvas bag. Votes will be counted electronically as before, but the canvas bag will provide a way of auditing the whole ballot, if needed.

  8. Huh? by autopr0n · · Score: 4, Insightful

    Bootable, hologrammed, serial-numbered CD-ROMs with individual private keys would do the trick.

    Um, how exactly? (the most obvious question is why you need a hologram, or a CD-ROM for that matter)

    Of course, since you didn't even provide a process to knock down, just some techno babble it would be impossible to tell you exactly why you're wrong.

    --
    autopr0n is like, down and stuff.
  9. Open Code Doesn't Guarantee Integrity by ArdentCritic · · Score: 5, Insightful

    As it turns out, open code and "thoroughly examined hardware" do not a secure system make. The problem is that the code has to get compiled, and it has to run on an operating system, and that has to run on a computer. Even if the code and hardware (if one can examine the microcode) appear to be entirely pristine, Ken Thompson explained in his classic 1984 essay "Reflections on Trusting Trust" (available online, do a Google search) that the compiler that compiled all of that code can be rigged such that malicious code can be concealed. For example: Since the dates of US National Elections are fixed to infinity (they are always the 1st Tuesday in November) and since many voting systems (as well as computer systems) rely on real-time clocks, it is certainly plausible to create a hardware trap that only goes off on election day. And that trap doesn't have to be in the voting system either; there are tallying devices, reporting software, and so on. It's a nightmare.

    The only sane solution is to rely on a voter-verified physical audit trail that can be READ BY HUMANS in case of the necessity for a recount. There are a lot of ways this can be performed (including one by David Chaum that allows the voter to verify that their ballot actually was entered into the final tallies), and true improvements in voting systems will only occur when this is recognized and the "trust us" mentality (including one that says we should trust the people who will supposedly verify all the open code) is abandoned. Please read the extensive writings on Rebecca's website www.notablesoftware.com/evote.html as well as Peter Neumann's for more information on the subject.

    And for those of you who are convinced, PLEASE encourage all communities who happened to purchase fully-electronic voting systems to have them retrofitted with printers BEFORE the November general election. Brazil is doing just that, right now, with 3% of the 400,000 voting machines they purchased back in 2000 (more may follow).