Thomas C Greene on e-voting

The Register recently published two articles by Thomas C Greene examining e-voting security. Unfortunately the pieces are rather flawed. The first, “E-voting security: looking good on paper?” examines paper based voter verifiable audit trails (VVAT). The article doesn’t start well:

The voter’s paper receipt has become the security idee fixe of DRE skeptics, and a shibboleth identifying those who are on the ‘right’ side of the debate.

This is not true in two ways… Firstly, the potentially paper token used in VVAT is not a receipt! A receipt is something you can take with you to prove a transaction occurred. If VVAT did mean using a receipt then we’d be allowing vote selling. But we don’t mean a receipt, we mean a paper ballot which is left in the polling station. Secondly, paper trails are not an ‘idée fixe’ for e-voting skeptics, both David Dill’s US resolution on VVAT and our European resolution are carefully worded to not imply paper. The resolutions support any form of voter verifiable audit trail that meets the requirements set out, it’s just that right now the best example uses paper.

Now that I’ve cleared up those two points let us proceed to some of his other assertions in the first article…

People imagine that, so long as the printout matches their recollection of votes cast, it’s proof that the DRE machine is recording their votes properly. In fact, it’s no such thing. It’s proof only that the printer is recording their votes accurately.

I’ve never ever heard anyone claim that a printout proves that the DRE machine is accurately recording their vote. Greene presents an obvious statement as insight. The whole point of VVAT is that we can never be sure of what the DRE machines are doing with our votes, hence the need for a second channel.

The receipt has no immediate diagnostic value. It can only tell a voter whether the data sent to the printer is the same data he recalls entering at the touch screen. The machine could well be rigged for a miscount, only with voter choices printed accurately. This sort of discrepancy would not be discovered until the electronic results are tabulated, by which time the damage will have been done.

Again statement of the obvious – of course the machine could show/print one thing to voters while store another. This is why VVAT is needed and electronic results cannot be trusted! Yet such arguments, logically correct whilst missing the point, get echoed by people such as VoteHere’s highly competent founder Jim Adler.

The only useful purpose of the paper trail would be to enable a recount using a different medium when there is reason to suspect the electronic results. However, for the printouts to be of any value in a recount, voters would have to review them carefully and note any discrepancies before the receipts are collected.

Similarly in a blog post Jim Adler refers to his 64 year old mother wondering over what happens if she doesn’t check the paper ballot in a VVAT process. In other words he argues that VVAT doesn’t prove the accuracy of machine results or the accuracy of paper for recount as neither is checked if the voter doesn’t look at the paper. Furthermore Adler’s mother could testify in court that she didn’t look at paper so it can’t be trusted for a recount. But I say people could equally testify that they didn’t check electronic verification codes proposed by Adler’s company, thereby making the counting of electronic votes invalid.

Of course if all voters did not check their printouts then we could not have much confidence that the paper accurately recorded the voters’ intent. However, as Fergal Daly from Irish Citizens for Trustworthy E-voting writes in a letter to The Register (“Letters: We want our e-voting paper trail”), it would take only a small percentage of voters to check their printout to make the probability of fraud going undetected in an election vanishingly small. Of course some won’t check, but you can bet many will, particularly if it’s made clear that in a recount the paper result is the legally binding one.

Furthermore, there is no guarantee that the paper record will be the one recounted.

This is where legislation needs to be changed. Greene argues that under current legislation recounts would have to be done in the same manner as the original election and that there would be no mandate to hold the paper result over the electronic result. All VVAT campaigners are asking for changes in legislation and electoral procedures to accompany VVAT. In most countries, including the UK, legislative changes will be necessary before any form of e-voting can be used in a general election. Such legislation will need to give the paper trail (if used) primacy, procedures will need to be modified and it must be made clear that there will be a high chance of the VVAT being counted. Thus not only if there are doubts over a result or the result is particularly close, but a significant random number of constituencies must recount no matter what. This significantly increases the chances of fraud being detected.

In his second article, “E-voting security: getting it right”, Greene summarised his first piece with the following:

The much-celebrated voter verifiable paper trail is useless as a security measure for Direct Recording Electronic (DRE) election systems, and actually introduces far more problems than it solves.

A strong claim which I don’t believe he actually backs up in the article. Anyway let us proceed to his second piece. He begins by acknowledging the less than satisfactory approaches most e-voting vendors have taken to developing and testing their products. Yet when Greene comes to providing remedies he seems to be rather naive:

Guarding against post-certification tampering [of source code] would be a simple matter. First, as soon as certification is complete, checksums of all software components, compilers included, would be recorded, and then verified later, on election day before the machines are put to use. Any machine with the wrong checksums would be pulled.

There are several issues here but it is by no means ‘a simple matter’. Yes checksums can be generated, but will ordinary voters trust them? Checksums are not infallible and how can voters trust that they are properly verified? There is a significant amount of code on your average DRE… the voting system, the user interface (including audio files, device drivers for sound output & touchscreens) as well as the operating system (which can be a behemoth like Windows 2000). That’s a lot to checksum and keep tabs on. But what happens when there is an update to any one of those components, especially if it’s time critical? Are checksums going to protect the system integrity? No. The reality is that under the pressure of election day most polling workers will ignore a checksum which doesn’t verify.

Credit where credit us due though… Greene is right on the money when he recommends improving the physical security surrounding elections and e-voting hardware. His recommendations in this area are good but costly. Then things get worse again…

It is crucial that there be an independent testing and certification authority, and that it be in possession of all source code, compilers and firmware, to verify that the equipment works properly, and to guard against vendor backdoors and default admin passwords, etc.

While independent testing is crucial we cannot assume, as Greene seems to, that cerification always catches holes. As Chris Soghoian and Avi Rubin argue, who tests the testing authorities?

Later on in his article Greene suggests that terminals use ‘cryptographically protected’ hard disks to store votes as a backup for recounts. Not only would using hard disks for vote storage create logistical issues if the main storage is removable flash memory, but it misses the point. A hard disk would not be a second independent channel as VVAT could be. The hard disk would be a copy of the existing electronic channel which would still be counted with the same electronic algorithm. Thus recounts would only differ if a bug or hardware failure prevented the same electronic votes getting to all digital storage media used.

Greene also weighs in on the topic of logging:

Most importantly, all database activity should be logged, and the access logs and system logs should be audited before an election is certified.

The terminals must be capable of extensive access and system logging, and logs must be audited when a machine is suspect or malfunctions

Logs are an important part of catching attacks. They help prevent the worse case scenario of an undetected successful compromise of a system. But what about voter secrecy? The unique challenge with e-voting, a challenge Greene never acknowledges, is that votes must be secure, accurate and anonymous. This makes electronic voting unlike most other electronic transactions. Thus we cannot just apply the ‘usual’ techniques to e-voting without thought. Detailed logs, useful from a security and audit perspective, may well undermine the secrecy of a ballot and so must be implemented with great care.

Greene mentions an ‘elections database’in his second article without ever clarifying what this is, the electoral register, the place storing cast votes or what?

His checklist of 12 things that could be done to secure elections is not too bad. Though again it just doesn’t acknowledge the unique challenges e-voting presents.

Greene’s conclusion is worth repeating in full…

Quality elections don’t come cheap

It isn’t necessary for the vendors to re-design their equipment radically. Indeed, all that’s needed is for the public to demand that they do what they do, only the right way. “Good enough” simply isn’t good enough; the system has got to be right.

Basic security and common sense are all that’s required. The DRE systems offer many real advantages in terms of preventing overvoting, minimizing undervoting, clearly recording voter intent, and offering handicapped access. They can improve the accuracy of election results dramatically, and extend voter franchise, so long as they’re built right, certified right, and secured properly.

At the moment they’re not, but they can be.

Doing it right will not be difficult, though it will be expensive, and the vendors will whine at demands that they make their systems reasonably secure. However, we shouldn’t balk at a system that’s expensive and good, considering what’s at stake here. At the moment, the systems are expensive and lousy, which forms the basis of the vendors’ profits. Under a proper regulatory regime, they will have to earn their money; they will have to work for it. They won’t like it very much, but they’ll get over it in time.

Surely the public deserves to vote on equipment that’s at least as reliable as a video poker machine.

Yes the public deserve to vote on reliable, secure and accurate systems, if such systems must be used. But doing e-voting ‘right’ will be difficult AND expensive.

In his letter to The Register Fergal Daly, acknowledges the fact that us campaigners know that DRE+VVAT sucks, but it’s better than DRE. Greene attacks DRE+VVAT when we know it isn’t ideal. Still most of Greene’s arguments land wide of the mark. Whenever I make a presentation to promote VVAT I conclude by saying “If adding VVAT in the form of a paper trail to an e-voting system sounds expensive and complicated, that’s because it is. But it’s the best way to fix a broken system. Ideally we’ll never get these expensive systems that have few benefits yet many risks. My preferred system is pencil and paper, it works!”