There is some controversy in The Netherlands right now about electronic voting. A group has gotten hold of a voting machine, discovered that the physical and software security therein is very weak, and otherwise established the possibility that determined individuals could significantly impact election results through electronic tinkering.
The advantages of electronic voting are fairly numerous. Firstly, it could be made to happen more quickly. This may advantage the media more than anyone else, but it may as well be listed. Secondly, electronic devices could be made easier to use for people with physical disabilities and the like. Another advantage the system should have is increasing standardization between voting districts. Skullduggery involving dated or problematic machines in districts likely to vote in a certain way has been noted in a number of recent elections. Also, having an electronic record in addition to a paper one could allow for cross-verification in disputed districts. In cases where the results very starkly do not match, it should be possible to repeat the vote, with greater scrutiny.
The answer to the whole issue is exceptionally simple:
- You are presented with a screen where you select from among clearly labeled candidates, with an option to write in a name if that is part of your electoral system.
- The vote is then registered electronically, by whatever means, and a piece of paper is printed with the person’s choice of candidate, ideally in large bold letters.
- For an election involving multiple choices, each is likewise spelled out clearly. For instance, “I vote NO on Proposition X (flags for orphans).”
- The voter then checks the slip to make sure it is correct, before dropping it in a ballot box.
- These are treated in the standard fashion: locked, tracked, and observed before counting.
- The votes are tallied electronically, with a decent proportion (say, 20%) automatically verified by hand.
- If there is any serious discrepancy between the paper and electronic votes, all the paper ballots should be counted. The same applies if there is a court-ordered recount on the basis of other allegations of electoral irregularity.
Electronic systems have vulnerabilities including hacked polling stations, interception and modification of transmissions, and server-side attacks where the data is being amalgamated. Paper systems have vulnerabilities relating to physical tampering. Maintaining both systems, as independently as possible, helps to mitigate the risks of each separately and improve the credibility of the process. It is like having both your bank and your credit card company keep separate records of your transactions. If they do not match, you have a good leg to stand on when alleging some kind of wrongdoing.
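The tallying steps in the list above (hand-verify a sample, then escalate to a full paper count on a serious discrepancy) can be sketched as follows. This is an added example, not part of the original post; it assumes the sample is drawn per ballot box, and the `tolerance` threshold, box names and vote counts are constructed for illustration. It goes slightly beyond the list by also computing how likely a sample of a given size is to include a tampered box.

```python
import math
import secrets
from collections import Counter

def detection_probability(total_boxes, tampered_boxes, sampled_boxes):
    """Chance that a random sample contains at least one tampered box."""
    clean = math.comb(total_boxes - tampered_boxes, sampled_boxes)
    return 1 - clean / math.comb(total_boxes, sampled_boxes)

def audit(paper, electronic, fraction=0.20, tolerance=0, rng=None):
    """Hand-check a random sample of ballot boxes against the machine record.

    paper:      {box_id: [choice, ...]}  slips the voters checked and dropped in
    electronic: {box_id: {choice: n}}    per-box totals registered by the machine
    tolerance:  largest per-box difference not treated as serious (assumption)
    Returns (outcome, mismatched_box_ids, tally).
    """
    rng = rng or secrets.SystemRandom()  # the sample must be unpredictable in advance
    size = max(1, math.ceil(len(paper) * fraction))
    mismatched = []
    for box_id in rng.sample(sorted(paper), size):
        by_hand = Counter(paper[box_id])
        by_machine = Counter(electronic.get(box_id, {}))
        choices = by_hand.keys() | by_machine.keys()
        diff = sum(abs(by_hand[c] - by_machine[c]) for c in choices)
        if diff > tolerance:
            mismatched.append(box_id)
    if mismatched:
        # Serious discrepancy: every paper ballot is counted by hand.
        tally = sum((Counter(slips) for slips in paper.values()), Counter())
        return "full_hand_count", sorted(mismatched), tally
    tally = sum((Counter(t) for t in electronic.values()), Counter())
    return "electronic_confirmed", [], tally

# Constructed sample data: 10 boxes, each holding 60 YES and 40 NO slips.
PAPER = {f"box-{i:02d}": ["YES"] * 60 + ["NO"] * 40 for i in range(10)}
HONEST = {box: dict(Counter(slips)) for box, slips in PAPER.items()}
# Constructed tampering: the machine record for one box flips 15 votes.
TAMPERED = dict(HONEST, **{"box-03": {"YES": 45, "NO": 55}})

if __name__ == "__main__":
    print(audit(PAPER, HONEST))
    print(audit(PAPER, TAMPERED, fraction=1.0))
    print(round(detection_probability(10, 1, 2), 2))
```

With ten boxes and a single tampered record, a two-box (20%) sample includes the bad box only 20% of the time, so the sample size and the escalation rule matter as much as the paper itself.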
This system could use relatively simple electronic machines, and may therefore actually cost less in the long run than all-paper balloting. Critically, it would maintain an unambiguous paper trail for the verification of people’s voting intentions. Companies that deny the importance of such a trail are either not thinking seriously about the integrity of the voting process or have self-interested reasons for holding such a position.
[Update: 14 October 2006] The Economist has a leader on electronic voting machines and the US midterm elections. They assert, in part:
The solutions are not hard to find: a wholesale switch to paper ballots and optical scanners; more training for election officials; and open access to machine software. But it is too late for any of that this time—and that is a scandal.
Quite right.
Not encouraging at all. When I said “Companies that deny the importance of such a trail are either not thinking seriously about the integrity of the voting process or have self-interested reasons for holding such a position,” I was basically talking about Diebold.
The Princeton study demonstrates, again, that an independent paper trail is essential.
Security Analysis of the Diebold AccuVote-TS Voting Machine
Not encouraging.
Electronic voting, as currently implemented, seems like a pretty negative development to me. Any cost saving is far outweighed by the loss of the transparency.
It’s a pity, because a sensibly implemented electronic voting scheme that incorporates a little cryptography could actually revolutionize voting and make elections much more transparent. There are excellent published schemes that generate an encrypted receipt that allows a voter to verify that their ballot is included in the final count, without revealing how they voted. Wouldn’t it be extremely cool to have a cryptographic proof that your ballot actually influenced the election?
Ron Rivest has an overview of methods here
There’s a description of one scheme here (PDF).
And another (somewhat confusing) scheme that attempts to obtain the same effect without any cryptography.
Failing that, a paper trail is a reasonable if imperfect safety measure.
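A simplified illustration of the receipt idea in the comment above, added here and not taken from the comment or from any of the linked schemes: each ballot yields a hash commitment as its receipt, the election publishes a Merkle root over all receipts, and any voter can check that theirs is included. The construction, function names and sample choices are assumptions, and it demonstrates only the inclusion check, not a proof that the tally is correct.

```python
import hashlib
import secrets

def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def make_receipt(choice: str):
    """Return (receipt, nonce). The random nonce hides the choice in the hash.

    Caveat of this toy: a voter who reveals the nonce can prove how they
    voted, which the published schemes are designed to prevent.
    """
    nonce = secrets.token_bytes(16)
    return H(nonce, choice.encode()), nonce

def build_levels(receipts):
    """All levels of a Merkle tree over the published receipts, leaves first."""
    level = [H(b"\x00", r) for r in receipts]          # 0x00 marks a leaf
    levels = [level]
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]                # pad odd levels
        level = [H(b"\x01", level[i], level[i + 1])    # 0x01 marks an inner node
                 for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def inclusion_proof(levels, index):
    """Sibling hashes from leaf to root for the receipt at `index`."""
    proof = []
    for level in levels[:-1]:
        sibling = index ^ 1
        node = level[sibling] if sibling < len(level) else level[index]
        proof.append((node, index % 2))                # 1: our node is the right child
        index //= 2
    return proof

def verify(receipt, proof, root):
    """Recompute the root from a receipt and its proof; needs no vote contents."""
    node = H(b"\x00", receipt)
    for sibling, is_right in proof:
        node = H(b"\x01", sibling, node) if is_right else H(b"\x01", node, sibling)
    return node == root

if __name__ == "__main__":
    # Constructed sample: five ballots, receipts published in casting order.
    receipts = [make_receipt(c)[0] for c in ["YES", "NO", "YES", "NO", "YES"]]
    levels = build_levels(receipts)
    print(verify(receipts[2], inclusion_proof(levels, 2), levels[-1][0]))
```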
Mark,
I see a paper trail (alongside electronic data) is a superior safety measure to any form of cryptography. As many real life cases have shown, it is rarely the crypto algorithm that gets broken. More often, some unanticipated side channel attack takes place. As such, fancy encryption systems often make security seem more robust than it actually is.
Milan,
The word “cryptography” is perhaps a bit misleading here. It’s not about encrypting votes, but rather about applying ideas developed in cryptography to voting protocols. So, in the way that a hash (aka digital signature) can prove that a message has not been tampered with and can be verified by anyone, you could generate a kind of “vote hash” with which any voter could verify that the election was carried out correctly.
That is surely superior to a paper trail, because while a paper trail can only be verified by the election officers, and only if the courts system allows a recount, the proposed hash-like system can be verified by any voter.
All systems might be subject to attacks, direct or otherwise, but a stack of paper ballots is hardly the most secure thing in the world. Entire boxes of votes can and regularly do go missing, etc.
So, I think there is a very strong case that a system designed along cryptographic principles would be much superior to a simple paper trail.
Mark,
Given the choice of one over the other, I would always go for the paper. Sure, it can be tampered with and destroyed, but it is a comprehensible system well understood by everyone. If we can protect $100 bills, we can protect ballots.
That said, a backup system involving cryptographic verification could certainly add to the rigour of the process. If you are wondering about the kind of side channel attacks I am worried about, have a look at this (PDF).
Any crypto based election system must involve trusted people. The mechanisms of certification and verification for those people may well be the weak point, especially in a system with as many overlapping jurisdictions as voting in the US.
Video testimony of vote machine whistleblower
Direct YouTube link
Quebec bans electronic voting
Probably a good move. (Direct link)
A laboratory that has tested most of the nation’s electronic voting systems has been temporarily barred from approving new machines after federal officials found that it was not following its quality-control procedures and could not document that it was conducting all the required tests.
That company is Ciber Inc.
http://www.schneier.com/blog/archives/2007/01/ensuring_the_ac.html
From Schneier:
More Voting Machine News
Maryland Scraps Diebold Voting System
By ScuttleMonkey on long-overdue
beadfulthings writes “After eight years and some $65 million, the state of Maryland is taking its first steps to return to an accountable, paper-ballot based voting system. Governor Martin O’Malley has announced an initial outlay of $6.5 million towards the $20 million cost of an optical system which will scan and tally the votes while the paper ballots are retained as a backup. The new (or old) system is expected to be in place by 2010 — or four years before the state finishes paying off the bill for the touch-screen system.”
A really secret ballot
Dec 4th 2008
From The Economist print edition
Security: A variety of schemes to encrypt ballot papers should reassure voters and help to make elections more secure
Voting Machine Attacks Proven To Be Practical
“Every time a bunch of academics show vulnerabilities in electronic voting machines, critics complain that the attacks aren’t realistic, that attackers won’t have access to source code, or design documents, or be able to manipulate the hardware, etc. So this time a bunch of computer scientists from UCSD, Michigan, and Princeton offered a rebuttal. They completely own the AVC Advantage using no access to source code or design documents (PDF), and deliver a complete working attack in a plug-in cartridge that could be used by anyone with a few private minutes with the machine. Moreover, they came up with some cool tricks to do this on a machine protected against traditional code injection attacks (the AVC processor will only execute instructions from ROM). The research was presented at this week’s USENIX EVT.”
Maryland Town Tests New Cryptographic Voting System
“In Tuesday’s election voters in Takoma Park, MD used a new cryptographic voting system designed by David Chaum with researchers from several universities including MIT and the University of Maryland. Voters use a special ink to mark their ballots, which reveals three-digit codes which they can later check against a website to verify their vote was tallied. Additionally, anyone can download election data from a Subversion repository and verify the overall accuracy of the results without seeing the actual choices of any individual voter.”
Why Electronic Voting is a BAD Idea – Computerphile
XKCD on the untrustworthiness of voting software
Voting machines are terrible in every way: the companies that make them lie like crazy about their security, insist on insecure designs, and produce machines that are so insecure that it’s easier to hack a voting machine than it is to use it to vote.
https://www.schneier.com/blog/archives/2018/11/buying_used_vot.html