[E-voting] Minimum requirement to judge voting "technology"

Michael McMahon michael at hexmedia.com
Tue Sep 28 11:02:59 IST 2004


Sorry, I meant to reply to this ages ago. Here goes now.

Fergal Daly wrote:

> 
> If you don't keep a paper copy of the ballot then you can only detect but
> not correct the result of electronic failure or tampering. This means that
> tampering would result in reruns of parts of the election which in turn
> leads to some groups getting to vote with some extra knowledge of how the
> election is going - which is exactly the problem being discussed in this
> thread.
> 

Right, but ... (climbing on to soap-box) I've come to
the view that we are expecting too much from e-voting systems. IMO it's enough to
be able to detect a problem. To argue otherwise is to say that reliable computers cannot
be built.

Take the old airplane analogy again. I have argued in the past, that computers
aren't ultimately in control of aircraft, pilots are. This isn't always true.
The fact is that there may be a computer in between the pilot and the controls,
and if this computer fails, it's likely that the pilot would lose control of the plane.
In fact, on some (Airbus) planes the computer does not allow the pilot to make
manoeuvres which are beyond the design limits of the plane. This shows that in fact the
computer is ultimately in control of the plane. We trust these computers for two reasons.

1) They have a track record. Fly-by-wire systems have been successfully used for
    many years now, and there is an obvious and indisputable measure of success.

2) Chain of accountability. Everyone involved in designing, building, maintaining and flying
    aircraft knows they are accountable for what they do, with the possibility of legal liability
    if something goes wrong.

If you apply the same criteria to e-voting then the people responsible
(the officials of the DoE, the suppliers etc.) can't just glibly say they tested the system
and regardless of how good or bad the testing was, we have to trust them.
Instead, their asses are really on the line. If they are sure they will be
found out if the system makes a mistake, then they are going to put
*serious* effort into testing it, not just once-off, but
before every election.

So really your question boils down to, how hard would it be to build
an e-voting system which won't fail undetectably in practice?

If a real end-to-end test is done in the days before an election, that will
prove beyond reasonable doubt that the system is working (at that time).
There are still two possible threats to consider.

1. Tampering which takes place during the period between the test & real election.

2. A programmed attack which behaves correctly during the test run, but
    misbehaves during the real election.

Ultimately, both threats are countered by making the supplier of the system
accountable and responsible for its correct functioning.

The risk of physical tampering can be reduced by putting locks
on the voting machines. Only the supplier would have the keys to the locks.

Say the supplier has to provide an indemnity of 100,000 euros for any machine
failure which is not detected until the ballot module is read at the count centre.
[Note, this would mean failure of both the primary and backup ballot modules].
The prospect of having to fork out a lot of money should be enough to concentrate
minds on getting it right. Some kind of open-source model might help with this,
because it would help the supplier to be sure that their software is correct.
Building sufficient levels of redundancy into the ballot modules (which they
allegedly do already) should be sufficient to deal with hardware problems.

Ultimately though, you have to compare the threats with the equivalent in the old system.
Currently, ballot boxes have to be transported around the country between
polling stations and count centres. What if whoever is transporting
a set of ballot boxes decides to destroy them for the hell of it, or someone
hires a gang of thugs to intercept a delivery and do the same? This could
happen and could result in voters having to come back another day to vote again.
The fact that it has never happened (afaik) means that the level of security
is set at an appropriate level (whatever it is). I've never heard anyone make
the argument, that ballot boxes must have an armed escort, because they *could be*
intercepted and destroyed, regardless of what the actual risk is.

> So Chaum's system is secure in the sense that it detects tampering but
> voting requires a higher level of security.
> 
> Chaum's system is clever and does solve a real problem. Is there any reason
> not to combine VVAT and Chaum?
> 

Personally, I don't think it's practical. It makes life too complicated for the
voter. You now have three bits of paper, and three different things to do with them.
Murphy's law would surely result in many people doing the wrong thing.
The big problem would be people putting the receipt instead of the ballot into the ballot box.
If it came to a paper recount, those votes could not be counted.
With Chaum's system (on its own) voters may mistakenly hold on to the wrong part of the
receipt but that is easily corrected, and even if they leave with the wrong receipt
it just means they can't verify their own vote. It doesn't affect the overall
integrity of the process. Their vote will still be counted.

I'm not arguing that there's anything wrong with VVAT. I just think that this
system is better in theory, and even though there are some practical problems
still to be solved, sooner or later IMO, systems like this will replace voter-verified
paper ballots.

Michael.