On electronic voting

2006-10-07


There is some controversy in The Netherlands right now about electronic voting. A group has gotten hold of a voting machine, discovered that the physical and software security therein is very weak, and otherwise established the possibility that determined individuals could significantly impact election results through electronic tinkering.

The advantages of electronic voting are fairly numerous. Firstly, it could be made to happen more quickly. This may advantage the media more than anyone else, but it may as well be listed. Secondly, electronic devices could be made easier to use for people with physical disabilities and the like. Another advantage the system should have is increasing standardization between voting districts. Skullduggery involving dated or problematic machines in districts likely to vote in a certain way has been noted in a number of recent elections. Also, having an electronic record in addition to a paper one could allow for cross-verification in disputed districts. In cases where the results very starkly do not match, it should be possible to repeat the vote, with greater scrutiny.

The answer to the whole issue is exceptionally simple:

  1. You are presented with a screen where you select from among clearly labeled candidates, with an option to write in a name if that is part of your electoral system.
  2. The vote is then registered electronically, by whatever means, and a piece of paper is printed with the person’s choice of candidate, ideally in large bold letters.
  3. For an election involving multiple choices, each is likewise spelled out clearly. For instance, “I vote NO on Proposition X (flags for orphans).”
  4. The voter then checks the slip to make sure it is correct, before dropping it in a ballot box.
  5. These are treated in the standard fashion: locked, tracked, and observed before counting.
  6. The votes are tallied electronically, with a decent proportion (say, 20%) automatically verified by hand.
  7. If there is any serious discrepancy between the paper and electronic votes, all the paper ballots should be counted. The same applies if there is a court-ordered recount on the basis of other allegations of electoral irregularity.
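
The audit in steps 6 and 7, sketched in Python as an added example (not code from the original post). The per-box data layout, the rule that any mismatch in a sampled box counts as a "serious" discrepancy, and all sample data are assumptions constructed for illustration.

```python
import random
from collections import Counter

SAMPLE_FRACTION = 0.20  # the "say, 20%" of step 6

def hand_count(slips):
    """Tally the printed slips taken from one ballot box."""
    return Counter(slips)

def draw_sample(box_ids, rng):
    """Pick the boxes to verify by hand (at least one)."""
    k = max(1, round(len(box_ids) * SAMPLE_FRACTION))
    return sorted(rng.sample(sorted(box_ids), k))

def discrepancy(paper, electronic):
    """Sum of per-candidate count differences between the two records."""
    return sum(((paper - electronic) + (electronic - paper)).values())

def audit(boxes, electronic, sample):
    """Steps 6 and 7: verify the sampled boxes, escalate on any mismatch.

    boxes: {box_id: [slip, ...]}, electronic: {box_id: Counter}.
    Returns (totals, mismatched_box_ids, method_used).
    """
    bad = [b for b in sample
           if discrepancy(hand_count(boxes[b]), electronic[b])]
    if bad:
        # Step 7: a discrepancy means every paper ballot is counted.
        totals = sum((hand_count(s) for s in boxes.values()), Counter())
        return totals, bad, "full hand count"
    return sum(electronic.values(), Counter()), [], "electronic tally"

# Constructed sample data: 10 boxes, 100 slips each, 60 for A and 40 for B.
BOXES = {f"box-{i}": ["A"] * 60 + ["B"] * 40 for i in range(10)}
HONEST = {b: hand_count(s) for b, s in BOXES.items()}
# Constructed tampering: the electronic record of box-3 moves 25 votes A -> B.
TAMPERED = {**HONEST, "box-3": Counter({"A": 35, "B": 65})}

if __name__ == "__main__":
    sample = draw_sample(BOXES, random.Random())
    print("sampled boxes:", sample)
    print(audit(BOXES, TAMPERED, sample))
```

When the sample includes box-3 the mismatch forces a full hand count and the paper result stands; when it misses box-3 the altered electronic total is accepted, so the sample should be drawn unpredictably and only after the electronic totals are fixed.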

Electronic systems have vulnerabilities including hacked polling stations, interception and modification of data in transmission, and server-side attacks where the data is being amalgamated. Paper systems have vulnerabilities relating to physical tampering. Maintaining both systems, as independently as possible, helps to mitigate the risks of each separately and improve the credibility of the process. It is like having both your bank and your credit card company keep separate records of your transactions. If they do not match, you have a good leg to stand on when alleging some kind of wrongdoing.

This system could use relatively simple electronic machines, and may therefore actually cost less in the long run than all-paper balloting. Critically, it would maintain an unambiguous paper trail for the verification of people’s voting intentions. Companies that deny the importance of such a trail are either not thinking seriously about the integrity of the voting process or have self-interested reasons for holding such a position.

[Update: 14 October 2006] The Economist has a leader on electronic voting machines and the US midterm elections. They assert, in part:

The solutions are not hard to find: a wholesale switch to paper ballots and optical scanners; more training for election officials; and open access to machine software. But it is too late for any of that this time—and that is a scandal.

Quite right.


Milan October 8, 2006 at 2:23 am

Not encouraging at all. When I said “Companies that deny the importance of such a trail are either not thinking seriously about the integrity of the voting process or have self interested reasons for holding such a position,” I was basically talking about Diebold.

The Princeton study demonstrates, again, that an independent paper trail is essential.

R.K. October 8, 2006 at 2:13 am

Mark October 8, 2006 at 4:08 pm

Electronic voting, as currently implemented, seems like a pretty negative development to me. Any cost saving is far outweighed by the loss of the transparency.
It’s a pity, because a sensibly implemented electronic voting scheme that incorporates a little cryptography could actually revolutionize voting and make elections much more transparent. There are excellent published schemes that generate an encrypted receipt that allows a voter to verify that their ballot is included in the final count, without revealing how they voted. Wouldn’t it be extremely cool to have a cryptographic proof that your ballot actually influenced the election?

Ron Rivest has an overview of methods here

There’s a description of one scheme here (PDF).

And another (somewhat confusing) scheme that attempts to obtain the same effect without any cryptography.

Failing that, a paper trail is a reasonable if imperfect safety measure.

Milan October 8, 2006 at 4:14 pm

Mark,

I see a paper trail (alongside electronic data) as a superior safety measure to any form of cryptography. As many real life cases have shown, it is rarely the crypto algorithm that gets broken. More often, some unanticipated side channel attack takes place. As such, fancy encryption systems often make security seem more robust than it actually is.

Mark October 9, 2006 at 1:24 am

Milan,

The word “cryptography” is perhaps a bit misleading here. It’s not about encrypting votes, but rather about applying ideas developed in cryptography to voting protocols. So, in the way that a hash (aka digital signature) can prove that a message has not been tampered with and can be verified by anyone, you could generate a kind of “vote hash” with which any voter could verify that the election was carried out correctly.
That is surely superior to a paper trail, because while a paper trail can only be verified by the election officers, and only if the courts system allows a recount, the proposed hash-like system can be verified by any voter.
All systems might be subject to attacks, direct or otherwise, but a stack of paper ballots is hardly the most secure thing in the world. Entire boxes of votes can and regularly do go missing, etc.
So, I think there is a very strong case that a system designed along cryptographic principles would be much superior to a simple paper trail.

Milan October 9, 2006 at 1:31 am

Mark,

Given the choice of one over the other, I would always go for the paper. Sure, it can be tampered with and destroyed, but it is a comprehensible system well understood by everyone. If we can protect $100 bills, we can protect ballots.

That said, a backup system involving cryptographic verification could certainly add to the rigour of the process. If you are wondering about the kind of side channel attacks I am worried about, have a look at this (PDF).

Any crypto based election system must involve trusted people. The mechanisms of certification and verification for those people may well be the weak point, especially in a system with as many overlapping jurisdictions as voting in the US.

Milan October 10, 2006 at 11:04 am

Milan October 25, 2006 at 4:36 pm

Quebec bans electronic voting

Probably a good move. (Direct link)

Anon January 5, 2007 at 9:38 am

A laboratory that has tested most of the nation’s electronic voting systems has been temporarily barred from approving new machines after federal officials found that it was not following its quality-control procedures and could not document that it was conducting all the required tests.

That company is Ciber Inc.

http://www.schneier.com/blog/archives/2007/01/ensuring_the_ac.html

Milan December 25, 2007 at 11:10 pm

From Schneier:

More Voting Machine News

. January 21, 2008 at 6:05 pm

Maryland Scraps Diebold Voting System

By ScuttleMonkey on long-overdue

beadfulthings writes “After eight years and some $65 million, the state of Maryland is taking its first steps to return to an accountable, paper-ballot based voting system. Governor Martin O’Malley has announced an initial outlay of $6.5 million towards the $20 million cost of an optical system which will scan and tally the votes while the paper ballots are retained as a backup. The new (or old) system is expected to be in place by 2010 — or four years before the state finishes paying off the bill for the touch-screen system.”

. December 9, 2008 at 4:25 pm

A really secret ballot

Dec 4th 2008
From The Economist print edition
Security: A variety of schemes to encrypt ballot papers should reassure voters and help to make elections more secure

. August 13, 2009 at 10:27 am

Voting Machine Attacks Proven To Be Practical

“Every time a bunch of academics show vulnerabilities in electronic voting machines, critics complain that the attacks aren’t realistic, that attackers won’t have access to source code, or design documents, or be able to manipulate the hardware, etc. So this time a bunch of computer scientists from UCSD, Michigan, and Princeton offered a rebuttal. They completely own the AVC Advantage using no access to source code or design documents (PDF), and deliver a complete working attack in a plug-in cartridge that could be used by anyone with a few private minutes with the machine. Moreover, they came up with some cool tricks to do this on a machine protected against traditional code injection attacks (the AVC processor will only execute instructions from ROM). The research was presented at this week’s USENIX EVT.”

. November 5, 2009 at 12:32 pm

Maryland Town Tests New Cryptographic Voting System

“In Tuesday’s election voters in Takoma Park, MD used a new cryptographic voting system designed by David Chaum with researchers from several universities including MIT and the University of Maryland. Voters use a special ink to mark their ballots, which reveals three-digit codes which they can later check against a website to verify their vote was tallied. Additionally, anyone can download election data from a Subversion repository and verify the overall accuracy of the results without seeing the actual choices of any individual voter.”

. January 8, 2015 at 5:48 pm
