6 November, 2003: Information misadventures

So, Michael Howard has become leader of the Conservative Party, interest rates have gone up by 0.25 points, and the Cabinet has voted in favour of an ID card scheme (but one to be brought in so slowly that maybe nobody will notice; frighteningly enough, this might actually work...).

We haven't had this much bad news in one day in, oh, weeks.

Anyway, an idea which maybe someone wants to kick around:

Somebody should write a simple one-page leaflet about ID cards which explains,

(It might also want to mention

-- but these are subsidiary points.)

The leaflet should be written in the clearest possible language and for a general audience -- that is, it should not assume any knowledge of security engineering or the detailed issues -- and it should use a populist, Daily-Mail-ist tone (e.g. in the language used about `bogus' asylum seekers). It should probably take the position that ID cards are simply not useful, rather than taking any position on civil liberties, which can be conveyed through the design of the leaflet.

It must be sufficiently clear and interesting that it can spread `virally' even among those who would not have thought about the issue before, and persuasive to those who believe the spin about ID cards that is coming out of the government. It should carry URLs of organisations campaigning against ID cards, and also a suggestion that people use faxyourmp.com to contact their Members of Parliament.

It should be illustrated with pictures of, for instance, machine-gun toting French police, lines of people at security checkpoints at airports, CCTV cameras, and other images of the machinery of totalitarianism, but these photos should be reasonably subtle in their message.

Note that because of the intended Daily-Mail-esque tone of the piece, pictures of foreign people doing stupid and offensive things are probably a Good Thing, sadly. However, pictures of second-world-war era German soldiers and other Nazi types would probably make the leaflet look alarmist; pictures of checkpoints in Palestine manned by the IDF will probably convey the wrong message. Pictures of South Africans burning their passes, the Berlin Wall, etc., are probably OK, though.

The thing should be presented as an A4 or A5 PDF file which can be printed anywhere and will survive reproduction on a photocopier, for people to post up in their places of work and wherever else may be appropriate.

-- I don't have time to do this. Hopefully someone else does...?

In other news

This piece in Wired about an electronic voting system developed in Australia has attracted a lot of favourable comment, on the basis that this is one of the first such systems whose code is (a) available and (b) has been independently, publicly audited.

This is slightly troubling. Having publicly available, independently-audited source code is necessary but not sufficient, as a mathematician might say. To be usable, electronic voting systems must be transparently correct in the way that our current pencil-and-paper system is.

At present, when you vote, you know who you've voted for -- you know in whose box you wrote your `X' -- that your ballot paper has been put in a ballot box with all the others (in some countries, ballot boxes are made of clear perspex, adding literal to metaphorical transparency), and the observers at the count can ensure that all the votes in the ballot boxes are counted.

The same level of transparency, of obvious correctness, is impossible with an all-electronic system. Discussing digital signatures in his book Secrets and Lies, Bruce Schneier writes,

Can [a digital signature be trusted]? It doesn't depend on the mathematics; it depends on the circumstances.

The fundamental problem is that you have no idea what the computer is actually doing when you tell it to do something. When you tell the computer to save a document, or encrypt a file, or calculate the sum of a column of numbers, you really have no assurance that the computer did it correctly, or even at all. You're making a leap of faith. Just as it is hard to catch a thieving employee, it's hard to catch a malicious computer program. Actually, it's worse. Think of it as a malicious employee who works alone, with no one watching. All of the monitoring equipment you might install to catch the employee -- hidden cameras, hidden microphones -- are controlled by the malicious employee. All you can do is look at what inputs the employee accepts and what outputs he produces. And even then you can't be sure.

The situation with electronic voting is exactly analogous. You go to the polling booth, and you tell the computer (`voting machine') your vote. Inside the computer anything could happen, and if there's no way for its results to be independently verified and the code inside has been tampered with, you're screwed. No amount of auditing can fix this, because the individual voter obviously cannot audit the software inside the polling booth on election day -- even if she had the time and skill.

The solution to this problem is for the voting machine to produce a `voter-verifiable receipt': a piece of paper which says how you voted, and is stored and can be audited later to check the results of the machine count.

Such a voter-verifiable slip is completely analogous to a ballot paper. It is treated in the same way, and, if the results of the computer count are in doubt, it serves the same function as a ballot paper. The new Australian system lacks this feature: (emphasis mine)

The machine does not include a voter-verifiable receipt, something critics of U.S. systems want added to machines and voting machine makers have resisted.

A voter-verifiable receipt is a printout from the machine, allowing the voter to check the vote before depositing the receipt into a secure ballot box at the polling station. It can be used as a paper audit trail in case of a recount.

Green [the electoral commissioner] said the commission rejected the printout feature to keep expenses down. The system cost $125,000 to develop and implement. The printouts would have increased that cost significantly, primarily to pay for personnel to manage and secure the receipts and make sure voters didn't walk off with them.

This makes no sense. The electronic system is designed to replace a paper system. The electoral authority must already be equipped to handle ballot papers; voter-verifiable receipts should be treated the same way.

Why voters would `walk off with' the receipts is unclear. Presumably they didn't `walk off with' their ballot papers in conventional elections, on the basis that they wanted their votes to be recorded. Why should the new system be any different?

Most peculiar.

Anyway, the take home message here is that electronic voting is a convenience measure only. It cannot replace paper-based systems; it can only be used to save time when counting votes. Any system which purports completely to replace a paper system is not safe and should be rejected.
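To make the argument above concrete, here is a constructed toy in Python (an added illustration, not part of the original post): a machine that lies only in its electronic count is caught when the paper receipts are hand-counted, while one that also lies on the printed receipt is caught by the voter at the booth. Candidate names, the `VotingMachine` class and the sample electorate are all made up for the example.

```python
from collections import Counter

CANDIDATES = ("Alice", "Bob")   # constructed candidates

class VotingMachine:
    """Toy machine. mode is 'honest', 'flip_tally' (lies only in the
    electronic count) or 'flip_both' (lies in the count and on the receipt)."""
    def __init__(self, mode="honest"):
        self.mode = mode
        self.tally = Counter()     # the count nobody can see inside the box
        self.ballot_box = []       # receipts the voters chose to deposit

    def cast(self, intent):
        other = "Bob" if intent == "Alice" else "Alice"
        recorded = intent if self.mode == "honest" else other
        printed = other if self.mode == "flip_both" else intent
        self.tally[recorded] += 1  # whatever the machine decides to store
        return printed             # the voter-verifiable receipt

def run_election(intents, mode):
    """Each voter reads the receipt against her intent before depositing it;
    a mismatch is refused at the booth. Returns (machine, complaints)."""
    machine = VotingMachine(mode)
    complaints = 0
    for intent in intents:
        receipt = machine.cast(intent)
        if receipt != intent:
            complaints += 1        # the voter can see the lie on paper
        else:
            machine.ballot_box.append(receipt)
    return machine, complaints

def audit(machine):
    """Hand-count the receipts and report, per candidate, how far the
    electronic tally departs from the paper trail (empty dict = consistent)."""
    paper = Counter(machine.ballot_box)
    return {c: machine.tally[c] - paper[c]
            for c in CANDIDATES if machine.tally[c] != paper[c]}

VOTES = ["Alice"] * 6 + ["Bob"] * 4   # constructed sample electorate

if __name__ == "__main__":
    for mode in ("honest", "flip_tally", "flip_both"):
        m, complaints = run_election(VOTES, mode)
        print(mode, "complaints:", complaints, "audit:", audit(m))
```

Without the paper trail the `flip_tally` machine is indistinguishable from the honest one: its own tally is the only record, which is the point the post makes.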

Copyright (c) 2003 Chris Lightfoot; available under a Creative Commons License.