Readers may remember a previous rant on the subject of electronic voting. To refresh your memories (that is, to bore you again with details of a subject in which you may not be interested anyway) the flaw of most electronic voting systems is that the voter cannot be sure that their vote has been cast as they intended; it would be trivial to program an electronic voting machine to (say) record a vote for Dubya when the user clicks on `Gore', and there is no way for the voter to tell that this is what is going on. (This risk will be familiar to anyone who has used Microsoft `Word' and saved a document, only to load it up later and discover that half their work has been eaten by the machine.) The solution to this problem is simple but low-tech: the machine prints out a ballot paper, which the voter can inspect; if it has accurately recorded their vote, they place it in the ballot box; if not, they destroy the paper and have another go. If something goes wrong with the electronic count, the ballot boxes can be opened up and the votes counted in the normal way.
If -- as seems sensible, though others may disagree -- the accuracy of the electoral process is of paramount importance, this observation has two important consequences. Firstly, electronic voting can only be used to speed up counting votes; it can never replace the keeping of paper records. Secondly, electronic voting will still require the presence of voters at polling stations, or the use of postal voting forms. The fantasy of a population voting via interactive TV, SMS messages, email or whatever else must remain a fantasy so long as we are interested in maintaining honest and accurate elections.
Therefore it was with some alarm that I read the draft recommendation on standards for electronic voting which has been produced by the Council of Europe's e-voting project. (Thanks to John Pelan for drawing this to my attention.)
It is worth looking through the draft (it is not very long). In some ways it is an encouraging document; it addresses throughout the security and reliability issues to which electronic voting is susceptible. However, the Recommendation falls short of requiring paper `voter-verifiable receipts' (or, in English, ballot papers) to form part of the system, and the working group have assumed that electronic voting systems should permit remote voting:
(4) Unless channels of remote e-voting are universally accessible, they should be only an additional and optional means of voting.
This is bad news. They also allow for electronic voting systems to be built on secret, proprietary software: (emphasis mine)
(24) The components of the e-voting system should be disclosed, at least to the competent electoral authorities, as required for verification and accreditation purposes.
While a voting system cannot meet the accuracy requirement simply by being open to inspection, peer review of the system is the only obvious way to inspire confidence in the system -- which itself is requirement 20 in the Recommendations....
The document also contains some slightly strange language, for instance, (emphasis mine)
(6) Unique identification should be ensured for voters and candidates. User authentication should be identity-based for the voter or candidates.
I'm not sure what `unique identification' and `identity-based' mean, but I hope to god it's not bloody ID cards again.
The document also requires that
The e-voting system must not enable the voter to be in possession of a proof of the content of the vote cast.
The logic of this requirement is that, if you can prove that you voted in a particular way, you could be bribed or threatened into voting in that way.
Now, paper voting systems do not allow this, since the proof that you have voted -- the ballot paper -- must be put in the ballot box for your vote to count. Indeed, if you still have your ballot paper, what you have proven is that you have not voted.
(As an aside, there have been some stories of mobile phone cameras being used to document how voters have cast their votes in elections in Italy, though how seriously this should be taken I don't know, and obviously a photograph of a ballot paper does not constitute proof of a vote in any meaningful sense. The BBC story I link to there says that the Italian authorities ``have announced measures to prevent 3G phones being used in polling stations''; alternatively they could just provide each voter with two ballot papers; the first could be used to record the vote desired by the Mafia, photographed and then destroyed, while the second could be used for the actual vote....)
Ensuring that voters do not leave the polling station with proof of their votes is sometimes used as an argument against voter-verifiable receipts, on the grounds that the receipt (ballot paper) could constitute such proof. This shows a fundamental misunderstanding. In a securely-designed system, if the voter has removed the receipt, then they have not voted, just as in a paper system.
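The print, inspect and deposit procedure from the opening paragraph, together with the receipt property just described, as a toy model added here (it is not part of the original post). The `Machine` class, its `stored_as` and `printed_as` fault hooks and the candidates "A" and "B" are constructed for illustration; the model assumes the electronic record is committed only when the paper goes into the box.

```python
from collections import Counter

class Machine:
    """Toy voter-verified paper ballot model (constructed for illustration)."""
    def __init__(self, stored_as=None, printed_as=None):
        # Hypothetical fault hooks: map the voter's choice to what the
        # machine stores electronically and to what it prints on paper.
        self.stored_as = stored_as or (lambda c: c)
        self.printed_as = printed_as or (lambda c: c)
        self.electronic = Counter()   # the machine's own tally
        self.ballot_box = []          # papers the voters checked and deposited
        self.spoiled = 0              # papers voters rejected and destroyed

    def cast(self, choice, deposit=True, max_tries=3):
        """Return True only if a ballot paper ended up in the box."""
        for _ in range(max_tries):
            paper = self.printed_as(choice)
            if paper != choice:       # voter inspects the paper and rejects it
                self.spoiled += 1
                continue
            if not deposit:           # voter keeps the paper: no vote was cast
                return False
            self.ballot_box.append(paper)
            self.electronic[self.stored_as(choice)] += 1
            return True
        return False                  # voter gives up and reports the machine

def audit(machine):
    """Hand-count the box and compare it with the electronic tally.

    Returns (paper_tally, diff), where diff maps each candidate whose
    counts disagree to (electronic - paper). The paper count is authoritative.
    """
    paper = Counter(machine.ballot_box)
    diff = {c: machine.electronic[c] - paper[c]
            for c in set(paper) | set(machine.electronic)
            if machine.electronic[c] != paper[c]}
    return paper, diff

if __name__ == "__main__":
    votes = ["A"] * 6 + ["B"] * 4     # constructed sample electorate
    rigged = Machine(stored_as=lambda c: "B")   # prints honestly, stores "B"
    for v in votes:
        rigged.cast(v)
    paper, diff = audit(rigged)
    print("electronic:", dict(rigged.electronic))
    print("paper:     ", dict(paper))
    print("mismatch:  ", diff)
```

A machine that misprints is caught by the voter at the polling station (`spoiled` rises and nothing reaches the box); one that prints honestly but stores something else is caught only when the box is opened and counted.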
So, like the Australian system which prompted my previous rant, this one gets 3/10, nice try but could do better.
Now, recommendations from the Council of Europe are not binding on its members, but it is quite likely that the eventual product of their electronic voting activities will be adopted by member states (or form the basis for their own standards). It is therefore worrying that the Recommendations do not include the requirement for paper records which is necessary to make electronic voting systems safe.
It is not clear how we should raise these concerns; there does not seem to be a public consultation procedure relating to the Council of Europe's project. However, the participants in the working group include a number of civil servants from the Office of the Deputy Prime Minister; it therefore seems sensible to start by writing to John Prescott.
Update: I should have linked to this piece in Bruce Schneier's Crypto-Gram:
In 2002, all the Congressional candidates together raised over $500M. As a result, one can conservatively conclude that affecting the balance of power in the House of Representatives is worth at least $100M to the party who would otherwise be losing. So when designing the security behind the software, one must assume an attacker with a $100M budget.
Comments
Posted by Pete Stevens, Thursday, 22 April 2004 12:09:
I've never understood postal voting[1] - with a postal vote it's perfectly possible to prove who you've voted for, but this apparently isn't a problem.
Anyone know why?
[1]Well, I've voted postally so I have at least some form of understanding.
Posted by Robin Grant, Thursday, 22 April 2004 12:58:
Pete - it is a problem
Posted by Chris Lightfoot, Thursday, 22 April 2004 20:06:
The simple answer is that in a British election, proof of who voted how is stored. Ballot papers are individually numbered and referenced against the electoral register. The idea is that, in case of fraud, the records can be opened and investigated (this requires the consent of the courts, but I'm not sure at what level). The ballot is secret only so long as the records remain sealed. So far this has been an OK compromise, I suppose; it at least means that electoral fraud can be investigated. I don't know how much such records have been abused.
Note in the meetings record from the COE working group discussion of preserving voter identity information -- initially they hadn't realised that this would be a requirement if the system were to be deployed in the UK.
Posted by Robin Grant, Thursday, 22 April 2004 12:24:
Chris
Assuming an electronic voting system is open source (and it is generally accepted to be secure and verifiable electronically), why is that any worse for the voter than seeing a paper record go into a ballot box? Paper voting is regularly subject to election fraud in various ways. In fact, in most of the world, I'd assume that physical fraud is more likely than electronic (this seems to be the assumption the Indian Election Commission has made).
You need to trust the electoral process in both instances, to the same degree...
Posted by Pete Stevens, Thursday, 22 April 2004 13:28:
With a paper ballot and trustworthy officials the votes will be recorded correctly.
With an electronic ballot, trustworthy officials, trustworthy hardware, trustworthy software and trustworthy communications are all required.
That's before you get to trustworthy compilers, operating system, chips etc. How do you secure the machine when *by definition* the only person with physical access to the machine at the point of voting is the voter?
Essentially it's extremely difficult to produce a completely trustworthy voting machine, and it's much more difficult to prove it trustworthy to the satisfaction of the majority of voters without appealing to argument by authority. In contrast a paper system is simple to explain and well understood by the majority of voters. The easiest way to confirm the trust of an electronic system, and the only way I can think of that an ordinary voter will understand, is to use it in parallel with a paper ballot system.
Posted by Chris Lightfoot, Friday, 23 April 2004 01:24:
But as Pete says, in the electronic case you need to trust a whole lot of other people too.
It's obviously true that corrupt electoral authorities could alter the result of a paper election (and as you say, this happens all the time); but with electronic voting, the election could be rigged by a third party without the connivance of the electoral authorities, and with no audit trail to show what happened. With a system with no voter-verifiable paper-based records, someone with access to the voting machines could easily modify them to alter the results of the vote, without the knowledge or involvement of the voters or the electoral authorities. Here's how:
Posted by Andrew Duffin, Thursday, 22 April 2004 13:18:
Can anyone explain in words of one syllable, why we need electronic voting systems at all?
Why does it matter if it takes two or three days to get a result?
To what problem is this a solution?
Posted by Chris Lightfoot, Thursday, 22 April 2004 20:57:
The most obvious argument -- and one that's certainly important in (for instance) the United States -- is that as ballots become more complicated, the cost of tallying them by hand becomes forbidding. That's a problem if you're electing (say) a district attorney, a garbage collector, local councillors, a mayor, a state congressman, a senator and a president all at the same time, plus voting in some local referendums too. (A combination like that can easily occur in a US general election.) However, this is not so much of a problem if you're voting for (say) exactly one MP in a first-past-the-post election, and many countries with more complex electoral systems have managed fine with paper-based systems (though sometimes with electronic counting, which is not too much of a problem).
More generally, if you expect to conduct lots of elections, electronic voting would save you lots of money. All the major British parties seem to be suggesting that certain government functions are localised and made democratic, which would certainly mean lots more elections. I don't know what it costs to run a British election, but the cost probably isn't trivial. Multiply that by the number of police authorities, hospitals etc. which are going to be run by elected bodies in a shiny happy New Labour future, and the economies of electronic systems become important.
The other argument -- and this is one which motivates the COE's work and also much British government interest in electronic voting -- is that making voting easier will encourage people to vote, therefore increasing turnout and participation in general. This is much more controversial. Should we listen to people who will only vote if they can do it from their sofa through their television? I'm not sure, but it's a reasonable question.
Comments copyright (c) contributors and available under a Creative Commons License. See also the comments policy.