Posts tagged e-voting

Page Content

E-voting rears its head. Again.

Over the last few years, I have been involved in issues related to the use of computerization in voting. This has come about because of my concerns about computer security, privacy and reliability, and from my role as chair of the ACM U.S. Public Policy Committee (USACM). USACM has taken a strong position as regards use of computers as voting stations and voting over the internet.

Two recent items address the issue of voting over the Internet.

The first is a study released by NIST about the threats posed by internet voting. This is a well-written document describing problems that would be encountered with any online voting system. Their conclusion is that, for public elections, distribution of blank ballots (on paper) is the only reasonable improvement that we can make with current technology.

The second is a note from my colleague, Yvo Desmedt, one of the senior leaders in information security He has asked that I circulate this to a wider audience:

  IACR (the International Association for Cryptologic Research) has changed its bylaws to allow e-voting over the internet to elect its board members and other purposes. IACR will likely move towards internet e-voting. The IACR Board of Directors subcommittee on internet e-voting has published a list of requirements for such a system at: This is evidently a first step and the question remains whether the system the International Association for Cryptologic Research will choose will be easy to hack or not. So, security experts should follow this development.

The problems that need to be addressed by any voting technology are mostly obvious: impersonation of the voter, impersonation of the voting system, disclosure of the ballot, multiple voting, loss of votes, denial of access, and a number of other issues. The problems are complicated by the requirements of a fair voting system, one of which is that of vote deniability—that the voter is able to deny (or claim) that her/his vote was cast a particular way. This is important to prevent vote buying, or more importantly, retribution against voters who do not cast ballots in a particular way. It isn’t difficult to find stories where voters have been beaten or killed because of how they voted (or were presumed to have intended to vote). Thus, the tried-and-true concept of providing a receipt (ala ATM machines) is not a workable solution.

My intent in making this post isn’t to discuss all the issues behind e-voting—that is well beyond the scope of a single posting, and is covered well many other places. My main goal is to give some wider circulation to Yvo’s statement. However, in light of the recent problem with certificate issuance, it is also worth noting that schemes requiring encryption to secure voting may have hidden vulnerabilities that could lead to compromise and/or failures in the future.   

In the end, it comes down to a tradeoff of risk/reward (as do all security choices): can we accurately quantify the risks with a particular approach, and are we willing to assume them? Do we have appropriate mechanisms to eliminate, mitigate or shift the risks? Are we willing to accept the risks associated with adopting a particular form of e-voting in return for the potential benefit of better access for remote voters? Or are accurate (fair) results all the time more important than complete results?

Note that one objection often raised to USACM as we argue these points is “There is no evidence there has ever been a failure or tampering with a vote.” In addition to being incorrect (there are numerous cases of computer-based voting failures), this misses two key issues:

  • How do you tell if there is tampering if there are no safeguards that definitively disclose such tampering? That you have not detected something does not mean it has not occurred.
  • The past does not predict the future in such a case. That no failure (accidental or otherwise) has occurred does not mean it will not occur in the future. Worse, a string of occurrences without a failure may help cloud a future discovered discrepancy!

In the case of IACR, it is obvious why this group of cryptography professionals would wish to adopt techniques that show confidence in cryptography. However, the example they set could be very damaging for other groups—and populations—if their confidence is misplaced. Given the long history of spectacular failures in cryptography—often going unannounced while being exploited—it is somewhat surprising that the IACR is not more explicit in their statement about the risks of technological failures.


On Opinion, Jihad, and E-voting

[tags]Florida recount, e-voting, voting machines, Yasinsac, scientific bias[/tags]

As many of us were enjoying Thanksgiving with our families, we heard news of the largest single-day casualties of sectarian violence in Iraq. The UN reports a growing number of kidnappings and executions, often with bodies left unidentified.  As a result of the bombings on November 23rd, reprisals included executing people in front of their families, and individuals being doused in kerosene and immolated.

Many of us no doubt spent a few moments wondering how it was possible for presumably civilized, well-educated people to have such deep-seated hatred that they would attack someone simply because he or she had a Sunni-like name, or lived in a Shiite neighborhood.  We have wondered the same thing when hearing stories of Tutsi massacres in Rwanda in 1994, of the millions killed by the Khmer Rouge in Cambodia in the 1970s, the “ethnic cleansing” in the former Yugoslavia, and on and on (including the current problems in Darfur).  Of course, the ignorant fear of differences continues to show up in the news, whether it is genocide around the world, or an angry rant by an out-of-control comedian.

So, it comes as an unpleasant surprise to see prejudice based on appearance of legitimate opinion directed against a friend and colleague, and on the pages and WWW site of the NY Times, no less.  On November 24th, an editorial by Paul Krugman described some of the problems with the count of the votes cast in Sarasota, Florida in the most recent elections.  There appears to be a clear instance of some sort of failure, most likely with the electronic voting machines used in the race.  The result is an undervote (no votes cast) of about 18,000 in the race for US House—a race decided by under 400 votes.  The candidates and some voter groups are challenging the election decision through the courts, and the State of Florida is conducting an independent study to determine the causes of what happened.  Mr. Krugman implied that Professor Alec Yasinsac, of Florida State, chosen to lead the independent study, would not provide a valid report because of his apparent support for some Republican candidates for office in recent elections.

I’ve known Alec for nearly a decade.  I have never had any doubt about his integrity as a scientist or as a person.  Those who know Alec and have worked with him generally hold him in high regard (cf. Avi Rubin’s comments).  Alec has built his academic career pursing scientific truths.  He knows all too well that producing a biased report would end that career, as if the idea of providing a cover-up would even cross his mind.  In fact, Alec has reached out to many of us, privately, in the CS/security community, for advice and counsel as he prepares his group at SAIT (and it is a university group—not simply Alec) to do this task.  He’s doing all this for the right reasons—he’s concerned about the accuracy and fairness of electronic voting machines, and he sees this as a chance to rend the veil of secrecy that vendors and state agencies have traditionally drawn around these methods.  As with many of us, he is deeply concerned about the impact on our Republic unless we can regain and keep public confidence in the fairness of our voting technologies.

(Note added 11/27:  I am not implying that criticism by Mr. Krugman is in any senses equivalent to genocide practiced by others.  Instead, I am trying to illustrate that they are both based on the same underlying premise, that of denigrating others because of their beliefs without actually considering them as individuals.  That is the point of similarity, and one that seemed quite clear to me as I considered both news items—Iraq and Krugman’s editorial—at the same time.)

Having Opinions vs. Bias

First of all, it is important to understand that having opinions does not mean that one is unalterably biased, or cannot produce valid results.  In fact, everyone has opinions of some sort, although possibly not on any particular topic.  It may be possible to find people who really have no opinions of any kind about voting equipment as well as who won the elections in question, but those people are likely to be uneducated or poorly motivated to perform an evaluation of the technology.  That would not be a good result.

Why is it wrong for someone to have expressed support for a particular candidate?  That is one of the freedoms we cherish in this country—to have freedom of expression.  Why should anyone be less capable or trustworthy because of what may be an expression of support for a particular candidate, or even a particular political party?  Does that mean that Mr. Krugman and others believe that we can’t get a fair trial if we didn’t support a particular judge?  That we can’t expect equal treatment from a doctor who suspects that we voted for someone she didn’t?  That the police and firefighters we call to our aid shouldn’t help us because of the signs in our front yard supporting someone of a different political party?  Mr. Krugman’s (and others) accusation of bias isn’t conceptually any different than these examples ... or burning the home of someone who happens to go to a different mosque or church. If someone is incapable of carrying out his or her professional duties because of expressions of opinion, then only the most ignorant and apathetic would still be employed.

I have consulted with government officials in both the Clinton and Bush administrations.  I am not registered with any political party, and I have never voted a straight party ticket in any election during the 32 years I’ve been voting.  Does that mean I have no opinion?  Hardly—I’ve had an opinion about every candidate I voted for, and usually I had a definite opinion about those I didn’t vote for.  But having an opinion is very different from allowing bias to color one’s professional conduct, for me or for anyone else working in information assurance.  As you can infer, I find it personally offensive to impugn someone’s professional honesty simply because of exercise of freedom of expression.
Bias is when one is unable or unwilling to consider all the alternatives when formulating a theory, and when experiments to validate or refute that theory are arbitrarily manipulated and selectively disclosed.  If that were to happen in this study of the Florida voting machines, then it would require that all the study participants collaborate in that deception.  Furthermore, it would require that the presentation of the results be done in a way that obfuscates the deception.  Given the professional and personal credentials of some of the people involved, this seems extraordinarily unlikely—and they know how closely their report will be scrutinized.  Instead, it is likely that this effort will provide us all with additional ammunition in our efforts to get more reliable voting technology.  I know Alec is seeking as much transparency and peer review as he can get for this effort—and those are the methods by which all of science is judged for accuracy.  True bias would more likely to be present if the study was conducted by the vendor of the systems in question, or funded and conducted by staff of one of the campaigns.  The SAIT personnel making up the study team are neither of these.

Alec has a Constitutional right to vote for—and support—whomever he wishes. There is no reason he should stifle what he believes so long as he keeps it separate from his professional efforts, as he as done to date:  His academic career has underscored his integrity and ability as a scientist.  His prior 20 years as a decorated Marine officer attest to his patriotism and self-sacrifice. He is a concerned professional, a talented scholar, a resident of Florida, a veteran who has sworn a solemn oath to uphold and protect the US Constitution against all enemies foreign and domestic, and someone who votes. Alec is very qualified to lead this examination for the citizens of the state of Florida.  We should all be thankful to have someone with his qualifications taking the lead.

As a closing thought on this topic, let me question whether Mr. Krugman and others would be equally vocal if the person chosen as the lead scientist for this effort was supportive of candidates aligned with the Democratic Party, or the Green Party, or the LIbertarians?  Or is it possible that these people’s own biases—believing that apparent supporters of Republicans (or perhaps only Florida Republicans) are intrinsically untrustworthy—are producing clearly questionable conclusions?

A Comment about Paper

I have seen reference to a comment (that I can no longer find for a link) that another reason Alec is unsuitable for this review task is because he believes that paperless voting machines can be used in a fair vote.  I have no idea if Alec has stated this or believes precisely this.  However, anyone applying rigorous logic would have to agree that it IS possible to have a fair vote using paperless voting machines.  It IS also possible to corrupt a vote using paper ballots.  However, what is possible is not necessarily something that is feasible to apply on a national scale on a recurring basis.

Key to voting technology is to minimize error and the potential of fraud while also meeting other constraints such as ensuring voter confidence, allowing independent voting access for the disabled, supporting transparency, and doing all this with reasonably affordable, fault-tolerant procedures that can be carried out by average citizens.

The majority of scientists and technologists who have looked at the problem, and who understand all the constraints, view a combination of some computing technology coupled with voter-verified paper audit trails (VVPAT) as a reasonable approach to satisfying all the variables.  A totally paperless approach would be too costly (because the extraordinary engineering required for assurance), and would be unlikely to be believed as fair by the overwhelming majority of voters (because cryptographic methods are too difficult for the lay person to understand).  Meanwhile, a completely paper-based system is prone to errors in counting, spoiled ballots from voters who don’t understand or who make mistakes, and not independently accessible to all disabled voters.  As with any engineering problem, there is no perfect solution.  Instead, we need to fully understand the risks and tradeoffs, and seek to optimize the solution given the constraints.

Closing Thoughts

The ACM has adopted a position that endorses the use of VVPAT or equivalent technologies, and has been actively involved in voting machine technology issues for many years.  As chair of the USACM, ACM’s US Public Policy committee, that doesn’t make me biased, but it definitely means I have a basis for having professional opinions.

Let’s all seek the truth with open minds,  and strive to see each other as fellow citizens with valid opinions rather than as enemies whose ideology makes them targets for vilification.  It is our diversity and tolerance that make us strong, and we should celebrate that rather than use it as an excuse to attack others.

Good luck, Alec.

[posted with ecto]