Categories
voting

Top Secret: How the US tests voting machines

It’s extraordinary just how secret much of the processes surrounding voting in the USA are. Now the lid is beginning to come off with this AP story on Wired News.

Top quote from the ever quotable David Dill:

“Suppose you had a situation where ballots were handed to a private company that counted them behind a closed door and burned the results … Nobody but an idiot would accept a system like that. We’ve got something that is almost as bad with electronic voting.”


E-voting standards catch-up

Wired News have a solid piece on the problems with standardising e-voting once the systems are already in the wild. In fact the article makes a good postscript to the paper I've written on standardisation in e-voting which is due out 'any time now' in Journal of Information, Communication and Ethics in Society.

The IEEE committee the Wired News article discusses is suffering from the same problems the IVTA and OASIS committees before it have had… the appearance of vendor control. Sometimes we don't care if a standard, such as Firewire, is being pushed by vendors. But for something like voting there's a very broad range of stakeholders that need to be engaged. One hopes that an institution like IEEE has strong measures in place to ensure that significant consultation is undertaken. But in fact it took concerted work by the EFF to help set the IEEE on the straight and narrow.


Australian e-voting backtracks

Software Improvements, who developed the original open sourced e-voting system for the Australian Capital Territory have decided to not provide future versions of the software under an open source license.

It seems like Software Improvements have woken up to the global market and don't want others profiting from their work. Once GPL'd is not always GPL'd in the future…


Going postal

The BBC has reported on its site that more postal voting trials are 'possible' according to Local Government minister Nick Raynsford MP. The BBC article is essentially following up responses to a House of Commons report on the pilots.

The snappily titled 'Office of the Deputy Prime Minister: Housing, Planning, Local Government and the Regions Committee' published their seventh report specifically on the matter of all-postal votes. It's a good report which makes excellent recommendations to improve the security of postal ballots. In particular the report recommends the voter registration is tied to the individual and not the household in future. This would allow a pass code to be written onto identity slips and checked electronically during counting.

They also recognise the pressure for postal voting is due to desires to boost turnout. Yet they conclude that 'the Government must not rely on changes in the electoral system to increase voter turnout, they must also ensure engagement of electors in politics.' Good stuff.


E-Voting in The Netherlands

Joe Kiniry from the Nijmegen Institute for Computing and Information Science has put a short paper online about the current status of e-voting in The Netherlands.


Wall Street Journal Europe quote

I got a quote in an e-voting article by the Wall Street Journal Europe this week. For this article I'm quoted as being a political scientist. Odd, I never told the journalist this and it says nothing of the kind on this site. I've been told that maybe I should have been a political scientist but those bits of paper my universities gave me show otherwise. Ah well 🙂

I can't link to the article as it's for subscribers only, but here are the details, it's a nice summary of the European situation:

“In Most of Europe, Electronic Voting Loses Out to Paper Ballots — Pilot Programs and Tests Are Run, but Reliability And Security Are Concerns”
By John Miller – Dow Jones Newswires
26 July 2004
The Wall Street Journal Europe


Indian e-voting goes Stateside

A naive little article shows how the Indians are trying to sell their e-voting system into the United States. But they're disappointed not to have had any buyers after doing some demos. Folks, the purchase process for e-voting machines in the US is long, slow and involves many lunches! Still, one of the Indian manufacturers is quoted as saying that their system is 'tamper-proof', so they've got their marketing right for the US market!


Thomas C Greene on e-voting

The Register recently published two articles by Thomas C Greene examining e-voting security. Unfortunately the pieces are rather flawed. The first, “E-voting security: looking good on paper?” examines paper based voter verifiable audit trails (VVAT). The article doesn’t start well:

The voter’s paper receipt has become the security idee fixe of DRE skeptics, and a shibboleth identifying those who are on the ‘right’ side of the debate.

This is not true in two ways… Firstly, the token used in VVAT, paper or otherwise, is not a receipt! A receipt is something you can take with you to prove a transaction occurred. If VVAT did mean using a receipt then we’d be allowing vote selling. But we don’t mean a receipt, we mean a paper ballot which is left in the polling station. Secondly, paper trails are not an ‘idée fixe’ for e-voting skeptics: both David Dill’s US resolution on VVAT and our European resolution are carefully worded so as not to imply paper. The resolutions support any form of voter verifiable audit trail that meets the requirements set out; it’s just that right now the best example uses paper.

Now that I’ve cleared up those two points let us proceed to some of his other assertions in the first article…

People imagine that, so long as the printout matches their recollection of votes cast, it’s proof that the DRE machine is recording their votes properly. In fact, it’s no such thing. It’s proof only that the printer is recording their votes accurately.

I’ve never ever heard anyone claim that a printout proves that the DRE machine is accurately recording their vote. Greene presents an obvious statement as insight. The whole point of VVAT is that we can never be sure of what the DRE machines are doing with our votes, hence the need for a second channel.

The receipt has no immediate diagnostic value. It can only tell a voter whether the data sent to the printer is the same data he recalls entering at the touch screen. The machine could well be rigged for a miscount, only with voter choices printed accurately. This sort of discrepancy would not be discovered until the electronic results are tabulated, by which time the damage will have been done.

Again a statement of the obvious: of course the machine could show or print one thing to voters while storing another. This is exactly why VVAT is needed and why electronic results cannot be trusted! Yet such arguments, logically correct whilst missing the point, get echoed by people such as VoteHere’s highly competent founder Jim Adler.

The only useful purpose of the paper trail would be to enable a recount using a different medium when there is reason to suspect the electronic results. However, for the printouts to be of any value in a recount, voters would have to review them carefully and note any discrepancies before the receipts are collected.

Similarly, in a blog post Jim Adler refers to his 64 year old mother wondering what happens if she doesn’t check the paper ballot in a VVAT process. In other words he argues that VVAT proves neither the accuracy of machine results nor the accuracy of the paper for a recount, as neither is checked if the voter doesn’t look at the paper. Furthermore, Adler’s mother could testify in court that she didn’t look at the paper, so it can’t be trusted for a recount. But I say people could equally testify that they didn’t check the electronic verification codes proposed by Adler’s company, thereby making the counting of electronic votes invalid.

Of course if all voters did not check their printouts then we could not have much confidence that the paper accurately recorded the voters’ intent. However, as Fergal Daly from Irish Citizens for Trustworthy E-voting writes in a letter to The Register (“Letters: We want our e-voting paper trail”), it would take only a small percentage of voters to check their printout to make the probability of fraud going undetected in an election vanishingly small. Of course some won’t check, but you can bet many will, particularly if it’s made clear that in a recount the paper result is the legally binding one.

Furthermore, there is no guarantee that the paper record will be the one recounted.

This is where legislation needs to be changed. Greene argues that under current legislation recounts would have to be done in the same manner as the original election and that there would be no mandate to hold the paper result over the electronic result. All VVAT campaigners are asking for changes in legislation and electoral procedures to accompany VVAT. In most countries, including the UK, legislative changes will be necessary before any form of e-voting can be used in a general election. Such legislation will need to give the paper trail (if used) primacy, procedures will need to be modified and it must be made clear that there will be a high chance of the VVAT being counted. Thus the paper must be recounted not only when there are doubts over a result or the result is particularly close; a significant random number of constituencies must recount no matter what. This significantly increases the chances of fraud being detected.
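The two detection arguments above (a small fraction of voters checking their printout, and a random sample of constituencies recounting no matter what) can be put in numbers. The following is an added example, not code from the original post; it assumes a simple model in which each voter independently checks the printout with the same probability, and in which a fraud confined to a few constituencies is caught if any one of them is drawn for the mandatory random recount.

```python
"""Detection probabilities for a voter verifiable audit trail (added example).

Model assumptions (constructed for illustration, not from the original post):
- A fraud that alters k paper ballots is caught if at least one affected voter
  checks the printout; each voter checks independently with probability p.
- A fraud confined to m of n constituencies is caught if at least one of those
  m falls into a random recount of r constituencies (hypergeometric sampling).
"""
from math import comb


def prob_ballot_fraud_undetected(altered_ballots: int, check_rate: float) -> float:
    """Probability that none of the voters whose paper was altered notices."""
    if not 0.0 <= check_rate <= 1.0:
        raise ValueError("check_rate must be a probability")
    return (1.0 - check_rate) ** altered_ballots


def prob_recount_misses_fraud(n_constituencies: int, tampered: int, recounted: int) -> float:
    """Probability that a random recount of `recounted` constituencies contains
    none of the `tampered` ones, i.e. the fraud survives the mandatory recount."""
    if tampered > n_constituencies or recounted > n_constituencies:
        raise ValueError("sample sizes exceed the number of constituencies")
    clean = n_constituencies - tampered
    if recounted > clean:
        return 0.0  # cannot fill the sample without hitting a tampered one
    return comb(clean, recounted) / comb(n_constituencies, recounted)


def min_recounts_for_confidence(n_constituencies: int, tampered: int, confidence: float) -> int:
    """Smallest number of randomly chosen constituencies to recount so that a
    fraud touching `tampered` of them is detected with probability >= confidence."""
    for r in range(n_constituencies + 1):
        if 1.0 - prob_recount_misses_fraud(n_constituencies, tampered, r) >= confidence:
            return r
    return n_constituencies


if __name__ == "__main__":
    # Constructed scenario: 100 altered paper ballots, various checking rates.
    print("altered=100  check rate -> P(undetected)")
    for p in (0.01, 0.02, 0.05, 0.10):
        print(f"  {p:4.0%} -> {prob_ballot_fraud_undetected(100, p):.4f}")

    # Constructed scenario: 650 constituencies, fraud in 10 of them.
    print("n=650, tampered=10  recounted -> P(missed)")
    for r in (5, 20, 50, 100):
        print(f"  {r:3d} -> {prob_recount_misses_fraud(650, 10, r):.4f}")
    print("recounts needed for 95% detection:",
          min_recounts_for_confidence(650, 10, 0.95))
```

The first table shows that even a 5% checking rate leaves a 100-ballot manipulation with well under a 1% chance of going unnoticed; the second shows how many randomly chosen constituencies must be recounted before a fraud limited to a handful of them is almost certain to be caught.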

In his second article, “E-voting security: getting it right”, Greene summarised his first piece with the following:

The much-celebrated voter verifiable paper trail is useless as a security measure for Direct Recording Electronic (DRE) election systems, and actually introduces far more problems than it solves.

A strong claim which I don’t believe he actually backs up in the article. Anyway let us proceed to his second piece. He begins by acknowledging the less than satisfactory approaches most e-voting vendors have taken to developing and testing their products. Yet when Greene comes to providing remedies he seems to be rather naive:

Guarding against post-certification tampering [of source code] would be a simple matter. First, as soon as certification is complete, checksums of all software components, compilers included, would be recorded, and then verified later, on election day before the machines are put to use. Any machine with the wrong checksums would be pulled.

There are several issues here but it is by no means ‘a simple matter’. Yes checksums can be generated, but will ordinary voters trust them? Checksums are not infallible and how can voters trust that they are properly verified? There is a significant amount of code on your average DRE… the voting system, the user interface (including audio files, device drivers for sound output & touchscreens) as well as the operating system (which can be a behemoth like Windows 2000). That’s a lot to checksum and keep tabs on. But what happens when there is an update to any one of those components, especially if it’s time critical? Are checksums going to protect the system integrity? No. The reality is that under the pressure of election day most polling workers will ignore a checksum which doesn’t verify.

Credit where credit is due though… Greene is right on the money when he recommends improving the physical security surrounding elections and e-voting hardware. His recommendations in this area are good but costly. Then things get worse again…

It is crucial that there be an independent testing and certification authority, and that it be in possession of all source code, compilers and firmware, to verify that the equipment works properly, and to guard against vendor backdoors and default admin passwords, etc.

While independent testing is crucial we cannot assume, as Greene seems to, that certification always catches holes. As Chris Soghoian and Avi Rubin argue, who tests the testing authorities?

Later on in his article Greene suggests that terminals use ‘cryptographically protected’ hard disks to store votes as a backup for recounts. Not only would using hard disks for vote storage create logistical issues if the main storage is removable flash memory, but it misses the point. A hard disk would not be a second independent channel as VVAT could be. The hard disk would be a copy of the existing electronic channel which would still be counted with the same electronic algorithm. Thus recounts would only differ if a bug or hardware failure prevented the same electronic votes getting to all digital storage media used.

Greene also weighs in on the topic of logging:

Most importantly, all database activity should be logged, and the access logs and system logs should be audited before an election is certified.

The terminals must be capable of extensive access and system logging, and logs must be audited when a machine is suspect or malfunctions

Logs are an important part of catching attacks. They help prevent the worst-case scenario of an undetected successful compromise of a system. But what about voter secrecy? The unique challenge with e-voting, a challenge Greene never acknowledges, is that votes must be secure, accurate and anonymous. This makes electronic voting unlike most other electronic transactions. Thus we cannot just apply the ‘usual’ techniques to e-voting without thought. Detailed logs, useful from a security and audit perspective, may well undermine the secrecy of a ballot and so must be implemented with great care.

Greene mentions an ‘elections database’ in his second article without ever clarifying what this is: the electoral register, the store of cast votes, or something else?

His checklist of 12 things that could be done to secure elections is not too bad. Though again it just doesn’t acknowledge the unique challenges e-voting presents.

Greene’s conclusion is worth repeating in full…

Quality elections don’t come cheap

It isn’t necessary for the vendors to re-design their equipment radically. Indeed, all that’s needed is for the public to demand that they do what they do, only the right way. “Good enough” simply isn’t good enough; the system has got to be right.

Basic security and common sense are all that’s required. The DRE systems offer many real advantages in terms of preventing overvoting, minimizing undervoting, clearly recording voter intent, and offering handicapped access. They can improve the accuracy of election results dramatically, and extend voter franchise, so long as they’re built right, certified right, and secured properly.

At the moment they’re not, but they can be.

Doing it right will not be difficult, though it will be expensive, and the vendors will whine at demands that they make their systems reasonably secure. However, we shouldn’t balk at a system that’s expensive and good, considering what’s at stake here. At the moment, the systems are expensive and lousy, which forms the basis of the vendors’ profits. Under a proper regulatory regime, they will have to earn their money; they will have to work for it. They won’t like it very much, but they’ll get over it in time.

Surely the public deserves to vote on equipment that’s at least as reliable as a video poker machine.

Yes the public deserve to vote on reliable, secure and accurate systems, if such systems must be used. But doing e-voting ‘right’ will be difficult AND expensive.

In his letter to The Register Fergal Daly acknowledges the fact that we campaigners know that DRE+VVAT sucks, but it’s better than DRE alone. Greene attacks DRE+VVAT when we already know it isn’t ideal. Still, most of Greene’s arguments land wide of the mark. Whenever I make a presentation to promote VVAT I conclude by saying “If adding VVAT in the form of a paper trail to an e-voting system sounds expensive and complicated, that’s because it is. But it’s the best way to fix a broken system. Ideally we’ll never get these expensive systems that have few benefits yet many risks. My preferred system is pencil and paper, it works!”


E-Voting in Europe Workshop, Austria

After a few days to re-synchronise I can now report some thoughts on the European Science Foundation’s E-Voting in Europe Workshop held in Bregenz, Austria.

There was an interesting mix of attendees ranging from academics, testing lab employees, civil servants, suppliers and electoral lawyers. The quality and openness of the debate was without a doubt the highest I have experienced at any e-voting event, other attendees commented to similar effect. Nevertheless I would say that the underlying assumption was still that implementation of e-voting is a matter of when and not if. But when for this group was further off (7-10 years) than others, such as the UK government, might hope.

The first day kicked off with Michael Remmert talking about the recently finalised Council of Europe standards on e-voting. I haven’t had a chance to look at the latest draft in detail but I find it interesting to note that they currently recommend Election Markup Language (EML) for encouraging vendor interoperability. I helped to write the first drafts of EML, my experiences forming part of a forthcoming paper. EML has its failings but it’s gratifying to see it still being referred to.

Most of the other presentations were pretty much as expected. Many spoke of e-voting improving turnout with no evidence to back such claims. Nadja Braun, a lawyer from the Federal Chancellery of Switzerland, accepted that in the short term cost savings wouldn’t be found in implementing e-voting. Her sensible presentation was unfortunately marred by a comment in response to a question where she claimed that Switzerland could take higher risks with voting systems because “it wasn’t Eastern Europe.”

Results from several surveys were presented which generally indicated a high level of confidence in the systems used by voters. Anne-Marie Oostveen, in an excellent presentation which won the best paper award, showed how important voter education is. She surveyed users of a system which was supposed to have had a voter verification process. The verification process never made it into the final software, but by this time surveys had already been printed asking about the feature. Even without any voter verifiability, voters reported a very high level of trust in the verification process! I loved this presentation for so many reasons – it was well put together, the results highlighted how we cannot assume voters will instinctively see the risks in e-voting, and it was a finding emerging from an unintended sequence of events. The best of science!

Christopher Soghoian, a PhD student supervised by Avi Rubin at the Johns Hopkins Information Security Institute, also had a great little presentation. Chris and his colleagues asked a group of students to write ‘good’ software for DREs and also compromised software with hidden backdoors. Some backdoors were concealed in whitespace and others in image files – lots of creative approaches were tried. Then… here comes the fun part: each team of students was given three of their DRE programs. They had to find if there were any backdoors or exploits hidden in the code. The students knew that one program was ‘good’, one was ‘bad’ and one unknown.

It was found that those good at making backdoors were often poor at spotting backdoors in code, especially those that were hidden in methods not used by those examining the code. In other words code auditing requires different skills to writing clever code. Chris finished up his presentation with a proposal that security services such as NSA and GCHQ take a role in examining e-voting code. A good idea, I think, as it’s likely that our enemies’ services will be trying to examine our e-voting systems. Finally he mentioned that Avi wants to test how reliable the code certifying labs are by submitting the code of a real DRE system compromised with an exploit inserted by the Johns Hopkins crew. If the lab catches the exploit then so much the better; if not then we begin to worry even more. This is a superb idea: airport security regularly gets tested with government agents trying to smuggle guns or bomb-like apparatus past the security checks. Shouldn’t certification labs also be kept on their toes?

A presentation from Spanish e-voting supplier Scytl was interesting for how underwhelmed many felt once it was over. Scytl have made some very large claims about their system in papers and press coverage. In his presentation their founder Dr Andreu Riera said “The magic thing is that if that server is kept honest then the whole system is honest!” I begin to worry whenever magic is mentioned in the context of technology… There are several potential problems I can see with their system but the most surprising is the poor voter verification. Their system provides an electronic verification code which only proves (if you trust the system and it hasn’t been compromised) that your ballot has been decrypted. Why does a voter care about this? Verification of my vote being accurately recorded and (ideally) counted is what I care about. Verification of vote decryption is a procedural notification… imagine if Amazon would inform you when they had successfully encrypted your credit card details for sending to the bank for processing… I wouldn’t care. I want to know when I’m going to get my book. Scytl would have been much better served if they hadn’t burst into the e-voting community making such huge claims.

Some interesting new legal issues were raised by several speakers. In particular Niels Meißner, Volker Hartmann and Dieter Richter from Physikalisch-Technische Bundesanstalt, Germany raised the problem of “intermediate storage”. This problem is concerned over what the legal status is of a vote between a voter clicking ‘send’ and a server recording the vote. Does the vote count as being cast or is it still technically in the voter’s hand? This is particularly important when considering what happens when an election closes with votes still in transit.

The final day of presentations began with a presentation by Alexandros Xenakis from the International Teledemocracy Centre at the University of Napier. Essentially his presentation regurgitated portions of Electoral Commission reports on the e-voting pilots 2002-2003 conducted in Sheffield and St Albans. When asked why he had omitted the cost of £75 per vote cast that Sheffield incurred in 2003, and costs in general, Xenakis responded that as a Greek citizen he didn’t care how the UK government spent their money! Ok… but still, for those in other countries trying similar experiments costs would be of interest, I imagine.

I’m a big fan of public disclosure. Tell people your interests and let them decide your motivations. So I couldn’t help but raise an issue with Xenakis during his Q&A period. The International Teledemocracy Centre is funded by British Telecom (BT) and in fact all the pilots Xenakis examined were run by BT. I don’t think there’s a conspiracy there but I do know that this BT connection at least got Xenakis access to what were otherwise closed pilot activities. It would be professional to raise these facts and let fellow academics draw their own conclusions. It’s also courteous and sensible as it prevents accusations of impropriety at a later date. Xenakis claimed his paper was a comparative analysis of publicly available documents – not publishing cost figures or the fact that BT was the main supplier seems a little odd. Xenakis didn’t take kindly to my interjections but my day was going to get even more antagonistic…

But first Margaret McGaley gave a fun and clear presentation on the mess that has been e-voting in the Republic of Ireland. It was incredible to hear that her co-author had spent thousands of Euros on freedom of information requests on the e-voting system due to repeated government attempts to block his access. This resulted in Margaret’s supervisor going to appeal, which he invariably won. Freedom of Information should not be costing interested citizens thousands… crazy!

I hadn’t submitted a paper to this workshop as I’d thought I’d be at another conference which didn’t work out in the end. But as the workshop progressed I felt that I could contribute something on the European push for voter verifiability. I asked Robert Krimmer, one of the conference organisers, if I could have ten minutes to speak and he very kindly agreed. Unfortunately the session chair hadn’t been briefed and was ready to run to coffee before Robert managed to rein in the brewing caffeine stampede to let me do my bit. It didn’t start well with everyone wanting their cup of joe, but I pushed onwards with a very short presentation I call “Voter Verifiability: The Elevator Pitch”, which is a micro version of something I presented at the University of Bournemouth to a very positive response.

Perhaps I didn’t judge my crowd so well but I went for it (as I normally do) with lovely Keynote slides, Salling Clicker enabled Bluetooth phone controlling my Powerbook and yours truly walking around the whole conference room. When compared to people stuck behind a podium with 30-odd Powerpoint slides apiece I probably wasn’t fitting in.

Anyways I did my piece, at the end of which the session chair promptly pushed everyone to coffee with no time at all for Q&A. At this point Thomas Buschbaum, from the Federal Ministry for Foreign Affairs, came up to me. He said that I had not been sufficiently subdued or academic. He felt that I had been campaigning and should have been thrown out – I would have been if I was a supplier, he felt. He challenged my credentials and academic standing in a rather abrupt manner. I replied that I did not feel he was addressing me in an appropriate way. I continued, stating that he did not have to agree with me but that listening to the varying viewpoints was key to government gaining legitimacy for introducing a change such as e-voting. He responded saying that just because I couldn’t build a workable e-voting system didn’t mean one wasn’t possible. As I began to respond he lifted his hand in front of my face and blocked me from his view. He would not acknowledge me from that point onwards.

Indeed from that point on, until the workshop ended that afternoon most people seemed to steer clear from me. Some ‘friendlies’ suggested that I could have taken a softer approach and spoken less loudly. I was very much surprised, my presentation had been short and uncontroversial merely summarising the arguments for and against e-voting, highlighting Florida 2000 as an example of where voters’ intentions were not accurately recorded before explaining voter verifiable audit trails and showing the web address for the European campaign for voter verifiable e-voting. I did ask people to support the resolution on voter verifiability, so what? A resolution for e-voting would surely have been accepted with grace.

It was a shame that such an excellent workshop was marred, for me at least, by the events of the final day. But still it was wonderfully organised and an excellent range of people attended the event. Yes, they seem mostly optimistic about e-voting in the long term, but many could also see most of the problems. That’s step one, I just hope that they will give people like me a chance to explain why vendor assurances aren’t enough to say that the key challenges in e-voting have been successfully overcome. That will be step two.

Comments copied from the previous version of my blog:

Never mind. The Minister is a far-right womanoid lifeform of depressing nature, much given to poor imitations of Thatcher, and it’s no surprise that the ogre’s character will filter down to her dwarves. Congrats on pissing off a dull and dishonest little government!
http://yorkshire-ranter.blogspot.com
12:03:21 GMT 15-07-2004 Alex

I cannot understand why this workshop has been marred for you, just because you met one person of the Austrian foreign ministry who is not as diplomatically skilled as one might have assumed. There was only one coffee break left after your lecture, so your perception that most people would have steered clear from you cannot be based on sufficient data ;-), I think.

The form of your presentation has been absolutely adequate to the content. There was no doubt that you were rallying for your resolution. This campaigning was absolutely professionally and adequately done – a perfect show! I agree with you that a pro e-voting resolution campaign would also have fitted perfectly into the workshop. I don’t think that it would have been ok to include a corresponding paper to your lecture into the proceedings volume as the style would not have been similar to that of the other papers. But the lecture you gave was just great and had a very appropriate style.

And nobody but one person assumed that just because you did a very good campaign show and you didn’t try too hard to show off with your academic regalia, that you do not have a perfect academic standing.
07:43:53 GMT 28-07-2004 Peter Wilm

Kind words
Thank you for your kind words Peter, perhaps it seemed worse at the time then it does now 🙂
15:08:07 GMT 28-07-2004 Jason Kitcat


Ron Rivest on e-voting

Reading Ron Rivest's own notes of his talk at the Kennedy School of Government's Digital Voting Symposium reminded me how easy it is for technologists to be seduced by technical solutions.

In his talk he likens the e-voting machines of today to cars built without any roof. Paper trails he likens to an umbrella for owners of such roofless cars when, he argues, owners would be better off waiting for new designs resistant to rain. New car designs in his analogy are like the new ideas for e-voting systems centred on cryptography (as opposed to those that just use crypto to secure communications). Such new systems, as proposed by David Chaum and Andy Neff, are based on some very clever mathematics. This maths theoretically proves elections to be accurate and secure.

Rivest is a technologist and cryptographer and so it's not surprising that he's seduced by these proposed systems. But he forgets human nature… candidates, election agents and voters want to be able to trust votes that they can see and not fancy mathematics or cryptography. This isn't an anti-science perspective… I'm not arguing that voters are ignorant and so we can't use technology. I'm arguing that democracy is precious and complex technical systems create too many opportunities for abuse to be worth it.

In the final analysis Rivest is with the majority who fail to even stop and ask… why do we need electronic voting systems?

Thanks to Ian Brown for pointing me to Ron Rivest's notes.