Risks Digest: Volume 2: Issue 23
Thursday, 6 Mar 1986
Computerized voting
Peter G. Neumann <Neumann@SRI-CSL.ARPA>Thu 6 Mar 86 17:33:34-PST
This is not a VOTIVE message; I have broken my vow to remain silent while
watching the schemes for voting integrity get wilder and less controllable.
DEVOTED as I am, I can no longer keep silent. My main point here is that as
more complex mechanisms are added to control or audit the integrity of the
voting process, the more vulnerabilities are likely to be introduced, and
the less controllable the whole process is likely to be. Nancy Leveson
makes a similar point in her survey paper on software safety: as complexity
is added to control safety, the more things get out of hand. I am prompted
to drag out my old Albert Einstein quote -- for our newer readers:
Everything should be made as simple as possible, but not simpler.
There is intrinsic complexity in the voting process. A voting scheme with
no controls is easy to misuse. A voting scheme with many controls can also
be misused, but in different ways -- perhaps requiring greater subtlety.
Furthermore, such a computerized system must be used and administered by
ordinary mortals; however, elaborate procedures tend to break down or be
vulnerable. Furthermore, remember that many of the programs controlling
elections are written by just a few software houses. The potential for
Trojan-horsing around is enormous. A gifted system programmer can pull off
all sorts of things. We have already seen cases of data changed on the fly
in computer-counted ballots, even with consistency checks and audit trails
(which themselves can be fudged). One can dream up all sorts of checks and
balances -- formal verification of the algorithms, crypto seals on the
stored code for integrity, encryption schemes to detect added ballots, and
so on, but there are always points of vulnerability.
So, in the discussions here, please let us try to be realistic!
Peter
-----
Computerized voting
Jeff Mogul <mogul@su-shasta.arpa>5 Mar 1986 2307-PST (Wednesday)
From: <T3B%PSUVM.BITNET@WISCVM.WISC.EDU> (Tom Benson)
Subject: Computerized Voting
After the election, a representative random sample of precinct boxes
would be counted by hand, and matched to the electronic tally, just to
audit accuracy.
I'm afraid of the seeming reasonableness of this "solution". If we are
using the audits to look for fraud in ballot-counting, then "who chooses the
`representative random sample'" becomes the interesting question; votes,
unlike decaying nuclei, are not uniformly distributed. People who tend to
vote for candidate X might live in certain precincts (i.e., black people);
might vote at certain times of day (9-to-5 working people); might vote by
absentee ballot (older people). If I had the ability to "cook" a voting
machine, I might just as easily have the opportunity to cook the "random
audit selector".
If we are using the audits to detect failures, rather than fraud, then we
must still check every machine and for all times of day, for the same
reason: to avoid disenfranchising a segment of the electorate, whether
inadvertently or intentionally. Every vote counts: recall the senatorial
race in NH decided by 1 or 2 votes a few years ago, or (closer to where I
now live) the East Palo Alto incorporation election, decided by 13 votes and
still being challenged in the courts.
Another thing: mikemcl@nrl-csr (Mike McLaughlin) suggests
The "receipt" would contain the date, time, machine number, serial
number of the vote, and name the candidates and issues for or
against whom/which I voted. It would NOT list my name.
No, but the poll watcher who saw you vote and wrote down the machine
number and time of day next to your name wouldn't have much trouble
matching the receipt, if you ever returned it.
I'm not saying that non-computerized systems are immune to error;
but be careful that a technology that appears value-neutral (such
as "representative random sampling") isn't ignoring political reality
or creative dishonesty.
-------------------------
Both articles above at:
http://catless.ncl.ac.uk/Risks/2.23.html#subj1.2-------------------------
I realize I'm off on a tangent here--it's not the Constitutional question--but it's fascinating! Scientists back in 1986--20 years ago!--back when the Internet was still the "ARPAnet"!--seeing all the ways that computer voting can become tyranny--including the tyranny of sheer COMPLICATION, and the opportunities that that presents for things to "go wrong."
------------------------
"Everything should be made as simple as possible, but not simpler." --Albert Einstein
"A voting scheme with no controls is easy to misuse. A voting scheme with many controls can also be misused..." --Peter G. Neumann (1986!)
"Remember that many of the programs controlling elections are written by just a few software houses. The potential for Trojan-horsing around is enormous. A gifted system programmer can pull off all sorts of things." --Peter G. Neumann (1986!)
-------------------------
Didn't find the New Yorker article on corporations destroying national governments yet, but DID find this:
Risks Digest: Volume 7: Issue 70
Thursday 3 November 1988
Annals of Democracy -- Counting Votes" in the New Yorker
Daniel B Dobkin <DAN%Irving@VX1.GBA.NYU.EDU>Thu 3 Nov 88 11:18:09-EDT
The current (7 November 88) issue of The New Yorker contains an article by
Ronnie Dugger on "Counting Votes" -- the spreading use of computerized vote
tabulation in jurisdictions around the country. It confirms what we all know,
or should know: the unprecedented potential for fraud, let alone the very real
possibilities for "computer error", make this a giant step backwards for
democracy and universal suffrage.
A number of the "experts" interviewed admitted that the potential for fraud --
or outright stealing the election -- exists, but brushed it off with a
perfunctory, "I don't know of any cases yet where that has happened." To my
mind, that is exactly the point: the fact that you don't know about it can just
as easily be cited to indicate that it HAS happened; after all, you aren't
SUPPOSED to know about it.
Other highlights of the article include interviews with Michael Shamos,
formerly of UniLogic (now Scribe Systems); and Peter Neumann, of SRI
International, the moderator of the RISKS digest.
http://catless.ncl.ac.uk/Risks/7.70.html#subj6.1------------------------
Peter G. Neumann replies to the above, and doesn't seem to take such a dim view of e-voting as Ronnie Dugger did, and mentions some recommendations that COULD make e-voting more secure in the FUTURE--"(e.g., complete enchipment, no software
, privacy, integrity, separation of duties, extensive redundancy and cross checking, reproducibility of results, physical and electronic isolation, procedural controls, ...)."
I don't know about "complete enchipment," but every one of these others have been violated, or never implemented.
However, Neumann (who runs the Risks Digest site) later wrote the following--in 2002:
With respect to those of you who voted last week using an all-electronic
voting machine, is there any meaningful assurance that the vote you cast
was correctly recorded -- that is, any assurance that there were no
misconfigured systems, accidents, internal fraud, etc.? For almost all of
the existing electronic systems (with the exception of one that actually
incorporates the Mercuri Mechanism -- namely, Avante), the answer is an
UNEQUIVOCAL NO. This is an untenable situation if you believe in election
integrity, IRRESPECTIVE of your party affiliations. PGN
Risks Digest: Volume 22: Issue 38
Weds 13 November 2002Volume 22: Issue 38
http://catless.ncl.ac.uk/Risks/22.38.html#subj11.1
------------------------------
The Risks Digest archives on electronic voting show increasingly alarm over the years, from 1986 to the present, with the increasing failures of the electronic voting machines and ever more suspicious results. It includes wide-ranging articles, comments and info on this subject, mostly from experts--including items such as Ireland's rejection of electronic voting, and some comments on paper systems such as in Sweden (no glitches, no "breakdowns" of machines, no long lines, no ambiguity in the results, no fuss, no bother, no experts needed, no professionals at all involved, all volunteer citizens, all in total open view of anybody who wants to watch). (Sigh.) This resource is, as I said, a gold mine--for background on the insecurity of electronic voting, for case studies, and even for law citations. I found one for international law, as follows:
E-voting and international law
"Lucas B. Kruijswijk" <L.B.Kruijswijk@inter.NL.net>Mon, 3 Dec 2001 00:18:25 +0100
Risks Digest: Volume 21: Issue 81
Friday 7 December 2001
http://catless.ncl.ac.uk/Risks/21.81.html#subj11.1
First of all, there is article 21.3 of the Universal Declaration of Human
Rights:
"The will of the people shall be the basis of the authority of government;
this shall be expressed in periodic and genuine elections which shall be
by universal and equal suffrage and shall be held by secret vote or by
equivalent free voting procedures."
But more precise and more important is article 25.b of the International
Covenant on Civil and Political Rights:
"To vote and to be elected at genuine periodic elections which shall be by
universal and equal suffrage and shall be held by secret ballot,
guaranteeing the free expression of the will of the electors."
(snip)
The Human Rights Committee made comments on this article. The Committee is
allowed to make such comments under article 40 of the same Covenant. If a
State did also sign the first optional protocols, then individuals (and they
are admissible in this case) can ask the Committee for a judgment when
domestic remedies are exhausted. So, the Committee is the highest court.
On paragraph 20 of the comments, the Committee says:
"States should take measures to guarantee the requirement of the secrecy
of the vote during elections including absentee voting, where such a
system exists."
----
The writer, Lucas B. Kruijswijk, is writing about a Dutch proposal in '01 for "Voting Pillars" (randomly placed outdoors around cities), so his citations of international law have to do with the secret ballot and how to protect voters from undue influence of others. But these citations may be usable (or may point to other citations) for a tiered legal argument starting with the largest jurisdictions (and highest authority?)--the Universal Declaration of Human Rights, and International Covenant on Civil and Political Rights.
Since our government recently exempted itself from the Geneva Conventions (and never joined the World Court), I'm not sure of technical legalities, but as moral authority and accepted principles of democracy, all over the world, these sources might be good ones. And, who knows, maybe this matter will end up before an international body?