Why it is hard to verify e-voting

I thought this was a very helpful explanation of the problems associated with e-voting. It is pretty clear that the American system used on 2/11 is several bricks short of a full load. It came up on the Monbiot discussion list.

The context is a discussion of the electronic voting machines in the 2/11 assault on democracy.

Pavlos Papageorgiou responds to this message:

> The only evidence I have seen to say that ballot rigging took place is
> in the exit polls. Exit polls are not reliable indicators. One could
> equally say that every pre election opinion poll of the population
> gave a narrow lead to Bush, and that was exactly the result of the
> election, therefore electronic voting is accurate.

Pavlos Papageorgiou: Maybe. I'm not arguing that there is strong evidence of rigging, but some evidence + lack of verification = legitimacy problem. As the saying goes: "It's not enough for Caesar's wife to be faithful, she must also be seen to be faithful."

> I agree that there must be some way to verify the electronic vote.
> [...] Maybe there could be the possibility to have a voting "account"
> like a bank account. The voter could access their account with a PIN
> number to register their vote. The votes could be counted by an
> independent body with "read only" authority. The voter could also
> recheck their account on a "read only" basis to see that their votes
> are as they were cast. The system could be accessed both via ATM style
> voting machines and via the internet.

Pavlos Papageorgiou: No, no, no! It is not a simple technical issue!

As it happens I'm an expert in a different area of computing from
this one, so I'm not qualified to make any kind of expert statements
about whether or not it is practical to build a verifiable voting
machine. However, I do know enough to know that it's not simple. You
can't take your understanding of a superficially similar area of
computing, such as e-banking, and assume you can apply it to e-voting.
E-voting is a very difficult theoretical problem, and that much is
acknowledged by several experts in computer security and cryptography,
which are the appropriate disciplines.

Some aspects of e-voting and e-banking are indeed similar:

- The system should keep accurate lists of registered users.
- The system should require the user to provide a PIN, or equivalent.
- The system should tally votes accurately and reliably.
- The system should keep voting information confidential.
- The system should be immune to tampering by outsiders.

So far so good. You can hire e-banking experts and expect them to
achieve all of the above. But then there is another set of requirements
that the e-banking people don't know how to solve:

- The system should track votes anonymously.
- The system should be immune to tampering by an insider.
- The system should be verifiable by anyone who doubts its integrity.
- The system should not issue receipts to the voters themselves.

It's a really difficult technical problem, even in principle, to
satisfy all of those requirements together. Any three, it's easy. All
four at once is very hard. For those who are still interested, here's
an explanation of why that is:

- The system should track votes anonymously to prevent any kind of
pressure, retaliation, or recrimination against those who have cast
unpopular votes. That might mean ordinary Republicans, or it might mean
looney supremacists. Either way the currently accepted standard is that
voting is provably anonymous, in other words you can be sure that not
even the election officials know how you voted. Obviously it would be
very easy to write a computer program that tallies votes anonymously,
but it would be equally easy to write one that keeps tabs on who voted
what behind the scenes. I don't see why you should lose the reassurance
of anonymity quietly because voting goes electronic. By contrast, a
bank account is not anonymous, it's just confidential. Leaks happen.

- The system should be immune to tampering by an insider so that people
within the voting machine company cannot compromise the outcome or
anonymity of the election. By "compromise" I don't mean take a working
bona-fide system and break into it. I mean bribe the programmers who
write the vote tallying program to bias the count slightly (all it
takes is typing a little "+1" here or there) or store the voter's name
quietly in a file. When banking records went digital in the 70s, this
sort of insider attack was a huge problem (it hadn't occurred to
management that it was possible) and it was solved by cross-checking
the final sums. In e-voting, there is nothing to verify, so it's like
having millions of transactions flow into some online account with no
audit trail whatsoever (no customer receipts, no goods shipped, no
credit card companies to cross-check) and then at the end of the month
the e-bank gives you your supposed earnings. Do you trust the bank to
give you all your money? Well, maybe you do maybe you don't. It's a
matter of trust. Technology doesn't give you any guarantees.

- The system should be verifiable by anyone who doubts its integrity so
that Doubting Thomases can be convinced that everything has been done
in a way that's good and proper. This is rather important to guarantee
that a Democracy stays fair and democratic and is not overcome by
corruption. Or at least some people feel quite strongly that the burden
of proof lies with the election administrators. The e-voting system may
in fact be totally fair, and the company may impose strict controls to
prevent tampering by its own people, but how do we know that? Believe
the reassurances of the company? I think it should be better than that:
It should be possible to "open the hood" of the machine and allow
anyone with suitable technical qualifications to inspect it and verify
that it is working fairly. That's what the party observers do with the
paper system - they sit there to ensure that no-one plays hat tricks
with the ballot papers. It's possible to inspect a computer and verify
its operation, but to do it properly is quite a complicated task that
involves dismantling the computer, designing it along very limiting
constraints, and other impractical things.

- The system should not issue receipts to the voters themselves so that
voters cannot be subjected to intimidation or vote-buying. This issue
isn't obvious at first. When you first think of how to make a voting
system verifiable, you think "Ah, simple, issue each voter with a
receipt bearing a code number and what they voted, and then conduct the
tallying of votes (identifiable only by code number) publicly. Then
each voter can check their receipt against the public vote lists to be
sure their vote was counted". Great idea. But then the voter's spouse,
parent, pimp, boss, or other intimidating figure can say "You'd better
show me your voting receipt so I can check that you voted X, or
else...". Again it's up to your sensitivities whether you find this a
realistic problem, but anyway the status quo is that exploitable voters
are protected from it. That safety measure should not disappear quietly
just for technical reasons.

So, sorry if this diatribe is of no interest to anyone. I am, in fact,
not a luddite, I'm very much in favour of electronic voting in
principle and a while ago I made my own technical proposals for a
more representative electoral system based on frequent e-voting.
However, I soon had it explained by the real experts that it's
currently something that stretches the state of the art, for subtle
reasons that I probably failed to explain adequately. The challenges
are probably surmountable, and we should have e-voting done right, but
it's not the straightforward banking-like application that the public
is led to believe.


Pavlos Papageorgiou <pavlos.politics@geekhost.org>

To: <monbiot@talk.torchbox.com>
Message-ID: <F13C10A7-38EA-11D9-B1FD-000A95A86222@geekhost.org>
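The receipt-and-public-list scheme the post sketches, as an added Python model (not code from the post or the list): it shows why the verifiability requirement and the no-receipts requirement pull against each other. The public code-to-vote list that lets a voter, or any recounter, check the tally and catch an insider's "+1" is the same list that lets anyone who demands the receipt code read the vote, even when the receipt itself carries no vote. The class and method names are assumptions.

```python
import secrets
from collections import Counter


class NaiveReceiptVoting:
    """Constructed model of the naive scheme: each ballot gets a random code
    number, (code, vote) pairs are published and tallied in the open, and the
    voter keeps only the code as a receipt. Not real election software."""

    def __init__(self):
        self.bulletin = {}          # public list: code -> vote, open to all
        self.reported = Counter()   # the total the tallying program announces

    def cast(self, vote):
        code = secrets.token_hex(4)  # the receipt the voter takes home
        self.bulletin[code] = vote
        self.reported[vote] += 1
        return code

    def verify(self, code, vote):
        """Verifiability: the voter checks their ballot is on the public list."""
        return self.bulletin.get(code) == vote

    def recount(self):
        """Verifiability: anyone can re-tally the public list themselves."""
        return Counter(self.bulletin.values())

    def insider_tampers_total(self, candidate, delta=1):
        """The '+1 here or there' in the reported total; public list untouched."""
        self.reported[candidate] += delta

    def insider_alters_ballot(self, code, new_vote):
        """Insider rewrites a published ballot instead of the total."""
        self.bulletin[code] = new_vote

    def tampering_detected(self):
        """A public recount is the cross-check the reported total must pass."""
        return self.recount() != self.reported

    def coercer_lookup(self, code):
        """No-receipts fails: the same public lookup that lets the voter verify
        tells whoever demands the receipt code how that ballot was cast."""
        return self.bulletin.get(code)


def demo():
    booth = NaiveReceiptVoting()
    alice = booth.cast("X")
    booth.cast("Y")
    booth.cast("Y")
    honest = booth.verify(alice, "X") and not booth.tampering_detected()
    booth.insider_tampers_total("X")   # reported X=2, public list still X=1
    return honest, booth.tampering_detected(), booth.coercer_lookup(alice)
```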

© 2001 R. Lawson This page was last updated on 13.11.04