thought this was a very helpful explanation of the problems associated
with e-voting. It is pretty clear that the American system used
on 2/11 is several bricks short of a full load. It came up on the
Monbiot discussion list.
The context is a discussion of the electronic
voting machines in the 2/11 assault on democracy.
Pavlos Papageorgiou responds to this message:
> The only evidence I have seen to say
> that ballot rigging took place is
> in the exit polls. Exit polls are not reliable indicators.
> equally say that every pre election opinion poll of the population
> gave a narrow lead to Bush, and that was exactly the result
> election, therefore electronic voting is accurate.
Pavlos Papageorgiou: Maybe. I'm not arguing
that there is strong evidence of rigging, but some evidence +
lack of verification = legitimacy problem. As the saying goes:
"It's not enough for Caesar's wife to be faithful, she
must also be seen to be faithful"
> I agree that there must be some way to verify the electronic vote.
> [...] Maybe there could be the possibility to have a voting
> like a bank account. The voter could access their account with a PIN
> number to register their vote. The votes could be counted
> independent body with "read only" authority. The voter could also
> recheck their account on a "read only" basis to see that their votes
> are as they were cast. The system could be accessed both via ATM style
> voting machines and via the internet.
Pavlos Papageorgiou: No, no, no! It is
not a simple technical issue!
As it happens I'm an expert in a different area
of computing from
this one, so I'm not qualified to make any kind of expert statements
about whether or not it is practical to build a verifiable voting
machine. However, I do know enough to know that it's not simple.
can't take your understanding of a superficially similar area
computing, such as e-banking, and assume you can apply it to e-voting.
E-voting is a very difficult theoretical problem, and that much
acknowledged by several experts in computer security and cryptography,
which are the appropriate disciplines.
Some aspects of e-voting and e-banking are indeed
- The system should keep accurate lists of registered
- The system should require the user to provide a PIN, or equivalent.
- The system should tally votes accurately and reliably.
- The system should keep voting information confidential.
- The system should be immune to tampering by outsiders.
So far so good. You can hire e-banking experts
and expect them to
achieve all of the above. But then there is another set of requirements
that the e-banking people don't know how to solve:
- The system should track votes anonymously.
- The system should be immune to tampering by an insider.
- The system should be verifiable by anyone who doubts its integrity.
- The system should not issue receipts to the voters themselves.
It's a really difficult technical problem, even
in principle, to
satisfy all of those requirements together. Any three, it's easy.
four at once is very hard. For those who are still interested,
an explanation of why that is:
- The system should track votes anonymously to
prevent any kind of
pressure, retaliation, or recrimination against those who have
unpopular votes. That might mean ordinary Republicans, or it might
looney supremacists. Either way the currently accepted standard
voting is provably anonymous, in other words you can be sure that
even the election officials know how you voted. Obviously it would
very easy to write a computer program that tallies votes anonymously,
but it would be equally easy to write one that keeps tabs on who
what behind the scenes. I don't see why you should lose the reassurance
of anonymity quietly because voting goes electronic. By contrast,
bank account is not anonymous, it's just confidential. Leaks happen.
- The system should be immune to tampering by
an insider so that people
within the voting machine company cannot compromise the outcome
anonymity of the election. By "compromise" I don't mean
take a working
bona-fide system and break into it. I mean bribe the programmers
write the vote tallying program to bias the count slightly (all
takes is typing a little "+1" here or there) or store
the voter's name
quietly in a file. When banking records went digital in the 70s,
sort of insider attack was a huge problem (it hadn't occurred
management that it was possible) and it was solved by cross-checking
the final sums. In e-voting, there is nothing to verify, so it's
having millions of transactions flow into some online account
audit trail whatsoever (no customer receipts, no goods shipped,
credit card companies to cross-check) and then at the end of the
the e-bank gives you your supposed earnings. Do you trust the
give you all your money? Well, maybe you do maybe you don't. It's
matter of trust. Technology doesn't give you any guarantees.
- The system should be verifiable by anyone who
doubts its integrity so
that Doubting Thomases can be convinced that everything has been
in a way that's good and proper. This is rather important to guarantee
that a Democracy stays fair and democratic and is not overcome
corruption. Or at least some people feel quite strongly that the
of proof lies with the election administrators. The e-voting system
in fact be totally fair, and the company may impose strict controls
prevent tampering by its own people, but how do we know that?
the reassurances of the company? I think it should be better than
It should be possible to "open the hood" of the machine
anyone with suitable technical qualifications to inspect it and
that it is working fairly. That's what the party observers do
paper system - they sit there to ensure that no-one plays hat
with the ballot papers. It's possible to inspect a computer and
its operation, but to do it properly is quite a complicated task
involves dismantling the computer, designing it along very limiting
constraints, and other impractical things.
- The system should not issue receipts to the
voters themselves so that
voters cannot be subjected to intimidation or vote-buying. This
isn't obvious at first. When you first think of how to make a
system verifiable, you think "Ah, simple, issue each voter
receipt bearing a code number and what they voted, and then conduct
tallying of votes (identifiable only by code number) publicly.
each voter can check their receipt against the public vote lists
sure their vote was counted". Great idea. But then the voter's
parent, pimp, boss, or other intimidating figure can say "You'd
show me your voting receipt so I can check that you voted X, or
else...". Again it's up to your sensitivities whether you
find this a
realistic problem, but anyway the status quo is that exploitable
are protected from it. That safety measure should not disappear
just for technical reasons.
So, sorry if this diatribe is of no interest to
anyone. I am, in fact,
not a luddite, I'm very much in favour of electronic voting in
principle and a while ago I've made my own technical proposals
more representative electoral system based on frequent e-voting.
However, I soon had it explained by the real experts that it's
currently something that stretches the state of the art, for subtle
reasons that I probably failed to explain adequately. The challenges
are probably surmountable, and we should have e-voting done right,
it's not the straightforward banking-like application that the
is led to believe.
Pavlos Papageorgiou <email@example.com>
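
The receipt scheme described in the message above (a code number per voter, a public vote list, tallying anyone can repeat), shown as an added example that is not part of the original message. The function names and the sample ballots are constructed for illustration.

```python
import secrets
from collections import Counter

def cast(board, choice):
    """Post a vote on the public list under a random code; return the receipt."""
    code = secrets.token_hex(8)      # code number, not tied to the voter's name
    board[code] = choice
    return (code, choice)            # the receipt the voter walks away with

def recount(board):
    """Anyone can recompute the totals from the public list."""
    return Counter(board.values())

def insider_announce(board, favoured):
    """Insider's tally program: the 'little +1' bias from the message."""
    totals = recount(board)
    totals[favoured] += 1
    return totals

def voter_check(board, receipt):
    """A voter confirms their vote is listed exactly as cast."""
    code, choice = receipt
    return board.get(code) == choice

def coercer_check(board, receipt, demanded):
    """Someone shown the receipt gets the same proof the voter has."""
    code, choice = receipt
    return board.get(code) == choice == demanded

def demo():
    board = {}
    ballots = ["X", "Y", "Y", "X", "Y"]          # constructed sample ballots
    receipts = [cast(board, b) for b in ballots]
    announced = insider_announce(board, "X")
    padded_count_caught = announced != recount(board)
    honest = dict(recount(board))
    board[receipts[1][0]] = "X"                  # insider flips one stored vote
    flip_caught_by = [i for i, r in enumerate(receipts) if not voter_check(board, r)]
    board[receipts[1][0]] = "Y"                  # restore the list
    proof_for_coercer = [coercer_check(board, r, "X") for r in receipts]
    return honest, padded_count_caught, flip_caught_by, proof_for_coercer

if __name__ == "__main__":
    print(demo())
```

The receipt that lets voter 1 catch the flipped vote is the same object that lets a third party confirm voters 0 and 3 chose X, which is the conflict between the last two requirements in the list.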