21 April, 2004: Suffering a technological calamity

[ Home page | Web log ]

Readers may remember a previous rant on the subject of electronic voting. To refresh your memories (that is, to bore you again with details of a subject in which you may not be interested anyway) the flaw of most electronic voting systems is that the voter cannot be sure that their vote has been cast as they intended; it would be trivial to program an electronic voting machine to (say) record a vote for Dubya when the user clicks on `Gore', and there is no way for the voter to tell that this is what is going on. (This risk will be familiar to anyone who has used Microsoft `Word' and saved a document, only to load it up later and discover that half their work has been eaten by the machine.) The solution to this problem is simple but low-tech: the machine prints out a ballot paper, which the voter can inspect; if it has accurately recorded their vote, they place it in the ballot box; if not, they destroy the paper and have another go. If something goes wrong with the electronic count, the ballot boxes can be opened up and the votes counted in the normal way.

If -- as seems sensible, though others may disagree -- the accuracy of the electoral process is of paramount importance, this observation has two important consequences. Firstly, electronic voting can only be used to speed up counting votes; it can never replace the keeping of paper records. Secondly, electronic voting will still require the presence of voters at polling stations, or the use of postal voting forms. The fantasy of a population voting via interactive TV, SMS messages, email or whatever else must remain a fantasy so long as we are interested in maintaining honest and accurate elections.

Therefore it was with some alarm that I read the draft recommendation on standards for electronic voting which has been produced by the Council of Europe's e-voting project. (Thanks to John Pelan for drawing this to my attention.)

It is worth looking through the draft (it is not very long). In some ways it is an encouraging document; it addresses throughout the security and reliability issues to which electronic voting is susceptible. However, the Recommendation falls short of requiring paper `voter-verifiable receipts' (or, in English, ballot papers) to form part of the system, and the working group have assumed that electronic voting systems should permit remote voting:

(4) Unless channels of remote e-voting are universally accessible, they should be only an additional and optional means of voting.

This is bad news. They also allow for electronic voting systems to be built on secret, proprietary software: (emphasis mine)

(24) The components of the e-voting system should be disclosed, at least to the competent electoral authorities, as required for verification and accreditation purposes.

While a voting system cannot meet the accuracy requirement simply by being open to inspection, peer review of the system is the only obvious way to inspire confidence in the system -- which itself is requirement 20 in the Recommendations....

The document also contains some slightly strange language, for instance, (emphasis mine)

(6) Unique identification should be ensured for voters and candidates. User authentication should be identity-based for the voter or candidates.

I'm not sure what `unique identification' and `identity-based' mean, but I hope to god it's not bloody ID cards again.

The document also requires that

The e-voting system must not enable the voter to be in possession of a proof of the content of the vote cast.

The logic of this requirement is that, if you can prove that you voted in a particular way, you could be bribed or threatened into voting in that way.

Now, paper voting systems do not allow this, since the proof that you have voted -- the ballot paper -- must be put in the ballot box for your vote to count. Indeed, if you still have your ballot paper, what you have proven is that you have not voted.

(As an aside, there have been some stories of mobile phone cameras being used to document how voters have cast their votes in elections in Italy, though how seriously this should be taken I don't know, and obviously a photograph of a ballot paper does not constitute proof of a vote in any meaningful sense. The BBC story I link to there says that the Italian authorities ``have announced measures to prevent 3G phones being used in polling stations''; alternatively they could just provide each voter with two ballot papers; the first could be used to record the vote desired by the Mafia, photographed and then destroyed, while the second could be used for the actual vote....)

Ensuring that voters do not leave the polling station with proof of their votes is sometimes used as an argument against voter-verifiable receipts, on the grounds that the receipt (ballot paper) could constitute such proof. This shows a fundamental misunderstanding. In a securely-designed system, if the voter has removed the receipt, then they have not voted, just as in a paper system.

So, like the Australian system which prompted my previous rant, this one gets 3/10, nice try but could do better.

Now, recommendations from the Council of Europe are not binding on its members, but it is quite likely that the eventual product of their electronic voting activities will be adopted by member states (or form the basis for their own standards). It is therefore worrying that the Recommendations do not include the requirement for paper records which is necessary to make electronic voting systems safe.

It is not clear how we should raise these concerns; there does not seem to be a public consultation procedure relating to the Council of Europe's project. However, the participants in the working group include a number of civil servants from the Office of the Deputy Prime Minister; it therefore seems sensible to start by writing to John Prescott.

(Update: I should have linked to this piece in Bruce Schneier's Crypto-Gram:

In 2002, all the Congressional candidates together raised over $500M. As a result, one can conservatively conclude that affecting the balance of power in the House of Representatives is worth at least $100M to the party who would otherwise be losing. So when designing the security behind the software, one must assume an attacker with a $100M budget.

-- any comments from the cost/benefit enthusiasts?)

Copyright (c) 2004 Chris Lightfoot; available under a Creative Commons License.