Very recently someone called Daniel Gray has appeared online with a new blog filled with views that are strongly pro electronic voting.
Rather than attempt a rebuttal in the rather limited commenting system Blogger provides, I'm posting in full here. I welcome the opportunity for debate, but I think it would be helpful if Mr Gray was completely open, as I have been, about what his background and affiliations are. It will help us all to be clearer about our biases.
In False Sense of Security Mr Gray points out an error in GNU.FREE, the Internet voting software I originally designed and wrote. He's correct that the code doesn't do what it was intended to do as well as it could have done. Not a surprise as nobody ever claimed the software was perfect!
The issue involves securing the logging process, a key part of the audit trail for any e-voting system. When working on this I found that the more detailed the audit trail, the easier I was making it for someone to infer how a particular person had voted – there's a strong oppositional tension between audit and the secret ballot.
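To make that tension concrete, here is an added illustration (not GNU.FREE code and not a description of its actual log format): two constructed logs, one of voter authentications and one of anonymous ballots, and a check for how many voters the pair of logs exposes; the batch size, the attacker's correlation window and the sample timestamps are all assumptions.

```python
"""Added example: an audit trail that is too detailed erodes ballot secrecy.

Two logs, kept separately so that neither alone names a voter's choice:
  AUTH_LOG   - (voter_id, seconds after poll opened) for each authentication
  BALLOT_LOG - (seconds after poll opened, choice) for each recorded ballot
The ballot log carries no voter identity, yet an auditor holding both
logs can pair them by time.  exposed_voters() is the check a designer
can run against a proposed log format; batch_timestamps() is one
mitigation, and the test below shows that a small batch still leaks.
"""

# Constructed sample data (hypothetical timings, not from any real election).
AUTH_LOG = [("v1", 10), ("v2", 75), ("v3", 140), ("v4", 142)]
BALLOT_LOG = [(12, "A"), (77, "B"), (141, "A"), (144, "B")]


def candidate_ballots(auth_log, ballot_log, window):
    """For each voter, the set of distinct choices on ballots recorded
    within `window` seconds after that voter authenticated."""
    return {
        voter: {choice for t_ballot, choice in ballot_log
                if 0 <= t_ballot - t_auth <= window}
        for voter, t_auth in auth_log
    }


def exposed_voters(auth_log, ballot_log, window):
    """Voters whose choice the two logs reveal unambiguously, i.e. every
    ballot that could plausibly be theirs carries the same choice."""
    linked = candidate_ballots(auth_log, ballot_log, window)
    return sorted(v for v, choices in linked.items() if len(choices) == 1)


def batch_timestamps(ballot_log, batch_seconds):
    """Mitigation: stamp each ballot with the end of the batch in which it
    was committed, so ballots in the same batch are indistinguishable in
    time.  Secrecy then depends on each batch holding a mix of choices."""
    return [((t // batch_seconds + 1) * batch_seconds, c) for t, c in ballot_log]


if __name__ == "__main__":
    print("exact timestamps, 5 s window:", exposed_voters(AUTH_LOG, BALLOT_LOG, 5))
    coarse = batch_timestamps(BALLOT_LOG, 300)
    print("5-minute batches, 300 s window:", exposed_voters(AUTH_LOG, coarse, 300))
```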
Anyone has been able to view this code online since 2000, yet this is the first time this problem has been pointed out, which rather shows how few people have the expertise and willingness to audit code.
But discussing a system which has been discontinued since 2002 is not really the key issue here. Mr Gray strongly disagrees with the arguments being made against electronic voting methods. I'm going to tackle them head-on in this one post.
Mr Gray is conflicted about the role of voter trust. In one comment he writes:
As to the issue of voter trust, voters know that they aren't qualified to understand if something is trustworthy. They'll take the word of someone trustworthy who has inspected and certified the system.
Yet in an earlier post about the Single Transferable Vote system, Mr Gray argues that until the rather involved counting process can be made significantly easier for voters to understand, STV is, in his view, unlikely to be adopted in the UK or trusted by voters.
Which is it? Voters need to understand a voting system themselves to trust it, or not? In my view voting is an important collective societal act which must be open for all to participate, understand and trust.
Mr Gray commented on the Wired News article I had previously noted. It's very interesting that I perceived the article as being pro-evoting whereas Mr Gray saw it as being about the problems with e-voting.
As a protection from client-end problems Mr Gray cites the old CESG e-voting model system from the 2002 CESG e-voting Security Study. I cannot see how voters will trust their vote to entering an apparently random number which is connected, somewhere, to their candidate choice. Indeed, because the candidate numbers are unique to each voter, voters will worry that their vote is more easily traceable than before.
The CESG model will also create a tempting target: the list linking all the candidate numbers to voter identities, which is needed so that votes can be decoded for counting. Instead of changing individual digital ballots, why not attack this list?
I am glad that Mr Gray does see that vote selling and coercion are real risks with remote e-voting. However, allowing multiple votes per voter with only the last vote counting is not the easy solution to this problem. Everyone will know about this feature, so attackers will not just watch someone vote and be happy with it. They will force someone to vote and then remove or destroy their voting credentials to prevent them voting again.
Mr Gray rails against the argument that vote tallies are just a number in a database which can be changed. He can't understand why people use this argument when vote tallies could be better secured. I tried in the comments; let me try again. The reason this argument persists is that, despite supplier guarantees, this hack has been shown to work again and again (e.g. Hacking Democracy).
I'm surprised that Mr Gray thinks that “checking that the certificated code is the code on a system is relatively straight-forward”. Given thousands upon thousands of machines (with polling station e-voting) and tens if not hundreds of servers (for remote e-voting) it is not at all easy to verify, in a way that voters will trust, that every single byte on every bit of hard disk, ROM and flash memory is as was certified. And what if whatever method used can be fooled or if certification does not catch all potential problems?
Microsoft have a market capitalisation of $289.80 Billion and have not been able to convincingly resolve the security issues in their software after many years of work. The UK budget for certifying and checking e-voting will be a fraction of whatever Microsoft has to spend – what chance is there that the checks will even approach comprehensiveness?
Mr Gray has “faith and trust in our ability to pull together such systems.” I don't know who 'we' is in his case, but he assures us that “the very best brains and technology are being put behind this problem”. Judged by whom exactly?
Because I personally haven't written weapons guidance or banking software, Mr Gray doesn't feel that I have the right to participate in the e-voting debate. Well, the Minister responsible, Bridget Prentice, hasn't either – should she step aside also? GNU.FREE may be of poor quality in Mr Gray's opinion (though we don't know his qualifications or affiliations), but he has always been free to contribute improvements to it. Award-winning GNU.FREE was reviewed by a number of people over the years, whose comments were openly integrated into the documentation still available online.
Mr Gray ignored one of my favourite quotes by Bruce Schneier the first time I used it in a comment, which was a shame considering that Bruce Schneier is linked to from his blogroll. But Bruce has a point and he knows far more about security than I ever will:
“Building a secure Internet-based voting system is a very hard problem, harder than all the other computer security problems we've attempted and failed at. I believe that the risks to democracy are too great to attempt it.” (Source)
I asked Mr Gray why we need electronic voting. He wrote:
Verification scales significantly better in an electronic system, could you imagine if all the millions of voters demanded to check that their ballot was counted correctly? How much judicial and local authority time would be eaten by that?
Mr Gray confuses individual and group verifiability. With a truly secret ballot a voter cannot follow their particular vote all the way through the count. But collectively we can follow our ballots, scrutinise the telling process and make sure they are counted accurately.
Mr Gray also has a go at the arguments made by an Italian e-voting campaign website. He disagrees with the statement that “computer procedures are not verifiable by humans as we are not equipped for verifying operations occurring within an electronic machine.”
We cannot see electrons, so we can never directly verify the operations of a computer. What we actually verify is what the computer reports to us. Verification tests are not done during elections but before or after them, so we do not verify the actual election itself if it is electronically voted and/or counted. It is fairly trivial to have a system do one thing during testing and another during a live election. Testing does not prove that a system is without flaws; all it shows is that during the tests the system responded as expected. The system could behave differently during a live election because it is programmed to do so, or because there are conditions and factors which have not been accounted for in the tests.
Mr Gray goes on to argue that e-voting systems aren't black boxes because you can see the source code. Well, with the exception of GNU.FREE and the source code leaks in the US, as an ordinary voter you can't see the code. As I covered in LinuxUser, the UK government appeared to offer open source code but then retracted this saying it was a mistake. So if we can't see the source how on earth can e-voting systems be claimed not to be black boxes?
Mr Gray continues:
People expect, in our technology based society, to be able to vote electronically.
I don't believe this statement to be true; my previous blog post addresses this. McGaley and Gibson's recent paper also shows how a little informed debate changes people's views:
In the absence of controversy, surveys of voter attitudes usually reflect satisfaction and trust […] When concerns are raised by experts and in the media, however, public opinion can change dramatically. For example: in Ireland in 2003 a survey by Amarach Consulting found that a majority of Irish citizens were in favour of the introduction of e-voting. Less than a year later, after controversy over the system had led to the establishment of the Commission on Electronic Voting, a Red C survey found that 58% of respondents felt that “…the [e-voting] proposal should be scrapped until such time as a paper back-up is incorporated into the system…” and “one third of all voters were unconvinced that their choices will be registered properly”. (Source)
David Wilcox's recent video clip of me arguing against e-voting really didn't sit well with Mr Gray. My citing sunspots as a potential risk to e-voting systems was tough for Mr Gray to swallow. Yet the risks they pose are well known; example problems include the Toronto Stock Exchange halting trading for 3 hours. Unsurprisingly Mr Gray wields the idea of backups, but as this ACM column argues, disaster/failure recovery is rather harder than we might sometimes imagine.
Mr Gray then takes two approaches in countering my views. Firstly he points out that there are flaws in the paper ballot system. This is a rather old distraction tactic; I have not once said that our current system is perfect or infallible – there are quite a few improvements I can think of. The difference between paper and electronic votes is that the scale of manipulation possible with electronic votes can be much greater than ever before.
We're talking about e-voting, not paper voting, and in response to several of the risks I raise Mr Gray's answer is to repeat the undefined catch-all phrase 'secure hosting facility'. Any hosting facility has people working there to service the machines, so potentially they could be bribed or influenced. But even if, implausibly, the facility itself is utterly impregnable, these servers need to be accessible to the outside world, so attackers will have an electronic way in. Of course a properly secured hosting facility would be important, but it really doesn't address the fundamental issues with e-voting: secrecy of the vote, auditability and trust.
A clarification is needed as Mr Gray claims I'm opposed to postal votes. I am opposed to blanket all-postal elections. With a well-constructed application process and clear criteria for applicability, I support allowing postal votes on application.
It's important to remember the distributed nature of paper-based elections. Logistically it is very hard to undetectably change a significant number of paper votes in any one place, let alone across the country. Electronic voting procedures offer remote access to voting systems and centralised sweet-spot targets. Indeed, it was when all the votes came together to be electronically tabulated in the Ministry of the Interior that manipulations are alleged to have occurred in the Italian general election.
I'm not the “be all and end all of knowledge in computing” as Mr Gray thinks I see myself. I hope I've never come across that way; I'm just trying to put forward my views and those of many academics, politicians, technologists and citizens.
“Well good luck Mr Kitcat, because neither the Government, the public nor Local Authorities are listening.”
There's nothing like a challenge, eh?