Slashdot Mirror


Electronic Voting: The Other Side of the Story

_randy_64 writes "We've all read about the perils of online voting. But in an article in MIT's Tech Review, noted technologist Simson Garfinkel looks at the other side of the story and comes away thinking that e-voting might not be so bad, if done properly. He mentions several ways that traditional ballot voting is just as 'hackable' as the electronic version."

16 of 192 comments

  1. Why not use digital cash-like protocols? by astrashe · · Score: 5, Interesting

    I don't understand why a cryptographic protocol using a blind signature can't be used to make an auditable voting system.

    To me it seems like it could be a special case of the digital cash problem that guys like David Chaum worked on. You give everyone a single vote that they can cast -- a blob of data with a blinded digital signature. Then you let them spend them (vote) however they want.

    You could even let candidates set up their own sites to collect their own votes. So someone could give Dean or Bush their vote, and then Dean or Bush could turn them in to the election commission. It wouldn't be necessary to do that -- a central site makes more sense -- but wouldn't it be secure enough to let the candidates collect their own votes, with a realtime online election commission protecting against double voting?

    If DigiCash is secure (and although it's been dead for a long time, I think it was considered secure), it seems like this should be secure.

    The article is right when it points out that we have a lot of election fraud now -- it ought to be possible to improve things substantially.

    1. Re:Why not use digital cash-like protocols? by Mr. Darl McBride · · Score: 5, Insightful

      I think you've hit the nail on the head. The problem is that the new election systems are trying to mimic the old systems. Votes are accumulated and summed locally, and nothing but a number is sent upstream.

      This model should be put to rest and replaced by something more secure, and more tuned to the technology we have today that wasn't available thousands of years ago when paper ballots were first put to use.

      If the vote is trackable through the system today, but only by the originating party, then fraud would be rapidly exposed. If the voter's ballot is a key countersigned by the party receiving the vote upon voting, then anonymity is protected, and all votes are provable in both directions.

    2. Re:Why not use digital cash-like protocols? by Moridineas · · Score: 4, Insightful

      I think you've just pointed out the best reason NOT to go for online voting. Surely you're familiar with the voting corruption of Old America--the political machines and the buying of immigrants' (and others') votes. Do you have any idea how much corrupt people would LOVE a situation where you could buy someone's vote and there would be no way to prove this? Something like you advocate would usher in an unprecedented era of vote selling and corruption.

      I'm all for technology when it helps, but my opinion is if you won't expend the effort to send in an absentee ballot (which itself is open to problems) or, god forbid, drive to a local polling place (where they SHOULD check IDs) and place your vote in person, I'd personally rather you didn't vote :)

      Personally the ballots I like best are those recently adopted in my state--there is a candidate's name, and an arrow drawn like:

      President (PICK ONE)
      == ===> George Bush
      == ===> Al Gore

      and you use a sturdy black marker to fill in the arrow. Very easy, very hard to mess up.

      I wouldn't MIND 100% computer voting, but there absolutely has to be a paper trail. Think what would have happened in the Florida election--Gore would have lost by a couple hundred votes, there would have been a huge fuss, and then what? We never would have been able to go back and see that Bush indeed did have the higher number of votes. This is a problem.

    3. Re:Why not use digital cash-like protocols? by Minna Kirai · · Score: 4, Insightful

      Eh? How, exactly, is it easier to print big fonts on a screen than a piece of paper? I think the cost of paper varies less strongly with size than, say CRT and LCD technology.

      There's a graphical trick an electronic screen can do called "scrolling". A single piece of equipment can show data in a series, not just one predetermined thing. One LCD screen, 640x400 pixels, can display 100s of candidates in succession- and in huge fonts (if the voter wishes).

      To do that on paper would be expensive not just to print them all, but more importantly because it makes counting the votes that much harder. There's more paper to store, and collating from a stapled packet is much harder than just reading individual cards.

      WTF? And computers are less buggy than paper?!?! Help me.

      Ok. For data over a certain size, individual sheets of paper are more error-prone than computer files. As you saw in the Florida election, just having the votes in hand doesn't mean you know what the total is. For nations the size of the US, counting votes can be a monthlong procedure- and that's with a significant chance of error on each one (better form design can reduce it greatly- no butterfly+chad). The inability to count & recount quickly is itself a kind of bugginess.

      Many of the ways that a paper vote can be hacked are just allegations- but that's the problem. Because huge stacks of paper are so unwieldy to analyze, we can't be sure how many disputed votes might've really made a difference.

      Another paper problem is its fragility- a single saboteur could destroy 10000s of paper votes by fire, but digital votes can be distributed to multiple remote sites immediately as they're cast. Historically, what happens if some ballots are "lost"? Do the authorities redo the whole election? Not on your life.

      This, the last paragraph, is the only one worth reading, and interestingly it contradicts some of the earlier statements with which I took issue

      The whole point of the article was to support electronic voting. It just laid out the typical objections first- but the subtitle of the page clearly telegraphed what the conclusion would be. How the last paragraph contradicts (or even addresses) much else in the article escapes me.

      PS. I generally do not approve of this guy's reportage.

    4. Re:Why not use digital cash-like protocols? by Hettinga · · Score: 4, Insightful

      I don't understand why a cryptographic protocol using a blind signature can't be used to make an auditable voting system.

      It's real simple.

      The paradox of internet voting is that you can't vote on the net without being able to sell your vote.

      That's because blind signatures -- certainly the most secure, and probably the cheapest way to do things, especially since the patent expires in a year -- create bearer financial instruments.

      Can you say, "equity", boys and girls? I knew you could... :-)

      In other words, blind signatures, right out of the box, create a secure anonymous vote, but it is, by definition, a vote you can buy or sell. In bearer form. For the most part, anonymously. For cash, in bearer form. That is, anonymous cash. :-).

      In fact, without a mondo-draconian is-a-person, gimmie-a-sperm-sample biometric identity scheme (say, voting in meatspace like we do now), you can't vote on the net. The paradox again.

      For us anarcho-capitalists, buying and selling votes is a feature, not a bug. It's even a god-given right. But for you *statists*, on the other hand, that's a problem, yes? ;-).

      Seriously. At the 2001 Financial Cryptography conference in (where else? :-)) Grand Cayman, there was this panel session where various famous, and mostly liberal, academic cryptographers were beside themselves, in front of an audience of people mostly of the same mind -- pissed off and liberal, not famous -- about how to do a cryptographic voting protocol in light of Bush "stealing" the election in Florida.

      They started this panel at 10-ish, and one "yeah, what he said" led to another, and they fulminated all the way through lunch before they finally took questions from the floor.

      I was first in line. :-). I noted that not once in the entire three hours had they talked about financial voting (equity, remember?) at the world's only financial cryptography conference. If, say, the conference was your idea, or something, it might even make you want to terminate the academic discount, or something... :-).

      One of the reasons that this got up my nose is, as you might have guessed by my .sig, below, I define cryptography into two kinds. (There are two kinds of people, those who think in dichotomies, and -- well, you get the idea...) The first kind of cryptography is political cryptography. That is, these days, at least, cryptography used for and against nation states, since empires mostly don't exist, feudal ones, anyway. Political cryptography is the stuff involved in, say, your "rights" (see, "rights" below), online.

      All the rest, for lack of a better term, is financial cryptography. I mean, sooner or later it all boils down to money, right? I'd even shoehorn Schneier's "your kid sister" in here too, just to be ornery, except that sibling rivalry is politics, if there ever was any.

      And, I would say, even after USElection2K -- and 9/11, especially after 9/11, where the stock market was almost taken out, if they'd waited an hour or two for a few hundred million shares in un-cleared and un-settled trades to build up, because *that* would have caused more pure hell and hardship than even 3000 deaths could cause-- financial cryptography is *still* the only cryptography that matters.

      Finally, that paradox, that the only secure vote on the net is voting a share of mostly anonymous digital bearer equity in exchange for mostly anonymous cash is probably proof of my political/financial crypto dichotomy if there ever was one. Why? Because it points, some day, to efficient, competitive markets for force and the collapse of force monopoly, which is the very foundation of what the average statist would call "government". All cops and soldiers become rent-a-cops, in other words, reporting to their shareholders and customers like everyone else in the economy.

      Secure voting, indeed. Efficient markets are the most secure, anonymous votes there are.

      "When the hares made speeches in the assembly and demanded that all should have equality, the lions replied, 'Where are your claws and teeth?'" -- attributed to Antisthenes in Aristotle, 'Politics', 3.7.2

      --
      ---------- Financial Crypto is the Only Crypto That Matters
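
The scheme astrashe proposes at the top of this thread, and the bearer property Hettinga describes in the reply above, shown as an added example (not code from any poster or from DigiCash). It uses textbook RSA blind signatures with a constructed toy key; `Commission`, `obtain_token` and `demo` are hypothetical names.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy key (two Mersenne primes): far too small for real use.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # commission's private exponent


def digest(token: bytes) -> int:
    """Hash a ballot token into Z_N (no padding scheme: textbook RSA)."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % N


class Commission:
    def __init__(self, roll):
        self.unissued = set(roll)  # eligible voters not yet given a token
        self.spent = set()         # tokens already counted
        self.tally = {}
        self.seen = []             # blinded values: all the signer ever sees

    def sign_blinded(self, voter_id, blinded):
        if voter_id not in self.unissued:
            raise PermissionError("not eligible or token already issued")
        self.unissued.remove(voter_id)
        self.seen.append(blinded)
        return pow(blinded, D, N)

    def cast(self, token, sig, choice):
        # No identity is checked here: whoever holds (token, sig) can vote.
        if pow(sig, E, N) != digest(token):
            return "rejected: bad signature"
        if token in self.spent:
            return "rejected: double vote"
        self.spent.add(token)
        self.tally[choice] = self.tally.get(choice, 0) + 1
        return "accepted"


def obtain_token(commission, voter_id):
    """Voter side: blind a random token, get it signed, unblind."""
    token = secrets.token_bytes(16)
    r = secrets.randbelow(N - 2) + 2
    while gcd(r, N) != 1:
        r = secrets.randbelow(N - 2) + 2
    blinded = digest(token) * pow(r, E, N) % N
    blind_sig = commission.sign_blinded(voter_id, blinded)
    return token, blind_sig * pow(r, -1, N) % N


def demo():
    c = Commission({"alice", "bob"})
    tok_a, sig_a = obtain_token(c, "alice")
    out = {"first": c.cast(tok_a, sig_a, "X")}
    out["replay"] = c.cast(tok_a, sig_a, "Y")
    out["forged"] = c.cast(b"made-up token", sig_a, "Y")
    try:
        obtain_token(c, "alice")
        out["second_issue"] = "issued"
    except PermissionError:
        out["second_issue"] = "refused"
    # Bearer property: Bob's token is valid in anyone's hands.
    tok_b, sig_b = obtain_token(c, "bob")
    out["transferred"] = c.cast(tok_b, sig_b, "Y")
    # The signer's records never contain the value that is later cast.
    out["linkable"] = digest(tok_a) in c.seen or digest(tok_b) in c.seen
    out["tally"] = c.tally
    return out
```

The commission can stop double issue and double spending, but nothing in `cast` ties the token to the person it was issued to, and the choice itself is not covered by the signature.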

  2. Paper ballot problems by Mr. Darl McBride · · Score: 5, Insightful

    It's not something that gets widely publicized, but it's pretty much the rule that paper elections have their problems -- S. Garfinkel could have spoken a bit more about this. Political analysts like to quote that for any election within 10% of a tie, it's a coin toss as to who really won.

    Not to beat a dead horse, but this was very much the issue with the 2000 presidential election. When it became clear that Florida needed to be counted more carefully, it was discovered that boxes of ballots had been damaged, left in insecure locations, lost, or in one case even stolen. The large delays weren't on account of time needed to actually recount, but to establish how to compensate for the above, and for the fact that many boxes were discovered to never have been counted in the first place!

    Election engineers constantly vow to correct these problems, but for 200 years, we've been having the same problems over and over. At times it almost seems like some parties simply don't want the problems solved!

    1. Re:Paper ballot problems by plalonde2 · · Score: 4, Insightful

      The key to paper ballot accuracy is *local* counting. Here in Canada, ballots are counted at the polling station at the close of voting, by a multi-partisan committee - I believe each candidate is allowed to provide someone for each station.

      That helps in a number of ways:

      1. There are relatively few votes at a polling station to count - several thousand, max.

      2. There are *many* eyes supervising a *short* counting session, allowing counters and verifiers to remain focused.

      In any system where the ballots (in boxes or not) are moved before counting (which I understand is common in the US) fraud is much easier: ballot boxes can disappear or be replaced in transit, centralized counting requires much longer attention spans, non-partisan counters are almost certainly not, and so on.

      Regarding electronic voting, sure, use a machine, but make the machine generate a voter-verifiable paper ballot. Insist that ballots be counted at the polling station *immediately* at the close of the polls, confirming the electronic result.

      Anything else and I'm not sure your votes mean anything.

  3. The need for open source by SargeZT · · Score: 4, Insightful

    Nevertheless, most computer professionals are opposed to the DRE machines. One reason is that there is fundamentally no way to audit them: If 600 people vote at a DRE on Election Day and the machine says that 310 voted for the Democratic candidate, who is to say that the number 310 is true? Perhaps only 280 voted Democratic, but the machine was programmed to randomly flip 5 percent of the Republican votes to Democrat before recording them on the computer's hard drive. To make this sort of programmatic tampering harder to detect, perhaps the program was devised so that the flipping would only happen on the first Tuesday in November. On other days--presumably the days when election officials tested the voting machine--no vote flipping would take place. To make it even harder to detect, perhaps the flipping occurs only when the machine discerns that the vote is close; this would avoid the embarrassment of having polls predict one outcome, and having the machines tally another.

    This only shows the need for open-source software in the government. If the source for the voting machines was available to all programmers world-wide, then there would not be this concern! If you used closed source software, then who knows what backdoors the programmers could put in?

    --
    And why did you staple the trout to the RAM?

  4. False Choice! VerifiedVoting needs physical record by ClarkEvans · · Score: 4, Insightful

    The article starts out with a False Choice logical fallacy. The reporter asserts early on that we either have touch screens or paper -- to create tension and purport to show "another side" of the argument. But it is really a misrepresentation of the facts. The Verified Voting people went way out of their way to make sure that they weren't against paper ballots. What VerifiedVoting is For is a PHYSICAL verification of electronic voting.

  5. Redundancy, anyone? by Empiric · · Score: 4, Interesting

    He mentions several ways that traditional ballot voting is just as 'hackable' as the electronic version.

    Though, naturally, the distinction between manual ballot stuffing and computer ballot-stuffing (and the like) has similar differences as between bank robbery and embezzlement... the former usually leaves a lot more physical signature and is usually more easily traceable as to the "who's" and "how's".

    update nationalvotes set candidatechosen = "Bush" where name like "%e%" ... could be hard to detect or trace, if there was a security lapse.

    As an idea, how about having in effect two buttons for a given candidate, each of which hooks up to a completely different network run by a different company, then comparing the results between the two? It seems like this could go a long way to verifying accuracy and providing a traceback method for voting fraud.

    Just a thought.

    --
    ~ Whence do you come, slayer of men, or where are you going, conqueror of space?

  6. Author of the article has a good reputation... by beacher · · Score: 4, Informative

    Just did a basic search on Simson Garfinkel; I didn't know who he was... He's a writer for O'Reilly and has penned/contributed to some of their books: "Practical Unix & Internet Security, 3rd Edition", "Web Security, Privacy & Commerce, 2nd Edition", "Database Nation (Paperback)"... damn, he's been writing Unix security books since '91...

  7. voting customs make voting insecure by commrade · · Score: 5, Interesting

    The mechanism of voting must be ethically secure from all forms of fraud. Currently, there is no standard voting mechanism. Paper voting machines, long the standard, are cumbersome and inefficient. Electronic voting mechanisms are prone to fraud from outside interests or from internal corruption.

    To solve the problem of voting fraud at a mechanical level, many would seek to improve the mechanism. These voting machines are, at their core, computers. From touchscreens to punchcards to beans in a hat, voting machines are all computational devices. There are limits to the security/infallibility of any secret voting machine. The mechanism can be tampered with at too many levels. Any mechanism installed to monitor another anti-fraud mechanism could be tampered with as well.

    The only solution that comes to mind is public voting. Public voting would be the case that you let your vote be associated with you. No more voting anonymously. This may seem like a great loss of freedom, but consider the increased power it gives the public. Votes could be counted and recounted by several independent parties after and during the vote. Being responsible and accountable for the vote that you make might seem like a liability, but it may be a small price to pay for equal and accurate representation.

  8. Psych vs Reality by Erick the Red · · Score: 4, Insightful

    While both systems have their flaws, I suspect that more people will try to exploit the e-voting system than the current physical system. Currently, you either have to be present at the voting station, or in contact with a box of ballots to mess with the results. With the internet, there's less evidence to leave behind, and you can scam the system from the comfort of your home (or a public comp if you want less of a trail).

    --

    DO NOT WRITE IN THIS SPACE

    ok

  9. Missing the point? by carsont · · Score: 4, Insightful

    The article points out many problems with the traditional voting system, but few of them would be eliminated by the adoption of electronic voting machines. No matter what sort of device is used to record the votes, corrupt officials can still disenfranchise or intimidate voters, poll workers can still be ignorant, and so on.

    Just because the current system is broken doesn't mean it's okay to go ahead and adopt one that will introduce even more vulnerabilities. Setting up roadblocks is one thing, arbitrarily altering votes remotely with no audit trail is another.

    I don't think it's necessarily impossible for a sufficiently secure electronic voting machine to be built, but the Diebold system sure ain't it; such a dangerously insecure system deserves nothing less than the stiff opposition Garfinkel pokes fun at.

    --

    Ubi dubium, ibi libertas.

  10. Hackable... by PRickard · · Score: 4, Insightful

    Are the old paper ballot systems easy to commit fraud with? Certainly. Any group of people who supervise a traditional voting station could conspire to fudge some voting results. At one precinct. One vote at a time.

    Electronic voting systems allow massive tampering across multiple precincts - from thousands of miles away. And you can't narrow the suspects down to two or three people who supervised voting in one precinct - anyone with a modem and technical know-how can be a suspect when electronic voting goes sour.

    --

    == Paul Rickard, Editor of The Microsoft Boycott Campaign ====

  11. There is a reason we have 3 branches of government by StillNeedMoreCoffee · · Score: 5, Insightful

    Our forefathers didn't trust each other. They knew that opposing interests and herd behavior were dangerous things and devised a three part government that allowed things to go slowly enough and within sight of all (for the most part) as checks and balances to losing our freedoms (current government take note).

    One of the most successful business technologies in the past few centuries, that made business possible, was the creation of double entry bookkeeping, with its built in checks and balances. But even that is not enough; companies are audited by independent auditors (well, usually independent; see what happens when they are not).

    Without these transparencies of process and independent oversight we would have many more Savings and Loan scandals, or Enrons or WorldComs. Even with those in place, greedy people will be constantly trying and finding ways around those controls.

    So let's have a non-transparent centralized computer tally of votes. Let's require that citizens understand and/or have the electronic technology to vote. We don't need to maintain our freedoms that badly, do we?

    Today they announced another round of hackable exploits to Microsoft Office software. Also, today Taiwan is being attacked digitally from China.

    Electronic technology itself isn't the answer. Encryption does not protect against attack, it only slows it down. Case in point, I have heard it said that the DES standard was adjusted to be fewer bits so only the large NSA computers could crack it. The government is nervous about any technology that prevents them the ability to spy on information or individuals. So then only the holders of the most computer resources could crack your vote. Do you trust who is in control of policy there now? Or more importantly, do you trust who is going to be in control of those resources in the future? That is the fundamental pessimism that was built into our three branches of government for good reason. Any solution to the voting problem, and we do have a serious voting problem as exhibited by the last presidential election, needs to include transparent checks and balances, needs to be simple and non-technological for the voter, and needs to have the eyes of many people of differing views watching the process like a hawk. Our very future is at stake and we can't let it be controlled out of sight or hackable, by anyone.