[E-voting] Thomas Greene still doesn't get it.
Colm MacCarthaigh
colm at stdlib.net
Wed Oct 25 08:46:19 IST 2006
On Tue, Oct 24, 2006 at 08:32:08PM -0400, Aengus Lawlor wrote:
> Some of you may remember a long thread triggered by an article on The
> Register by one of its regular columnists, Thomas Greene.
> http://lists.stdlib.net./pipermail/e-voting/2004-July/thread.html#3946
>
> Mr Greene has recently moved to Dublin, and has a new article about Bertie,
> and his stupid auld pencils.
>
> http://www.theregister.co.uk/2006/10/24/irish_elections_in_a_box/
>
> He still doesn't get it. The concept of a democracy based on a secret
> ballot counted in public still eludes him.
I sent him a mail yesterday, and am considering blogging it. Here's
my response:
The important debate surrounding E-voting is not aided by ill-informed and
poorly-researched bluster.
Contrary to what you say, it makes a very great deal of difference
whether or not "one uses electronic gadgets, paper ballots, or a
combination"; there are different and fundamental problems inherent to
each.
According to the Commission on Electronic Voting reports on the
system, the hardware is not acceptable as-is. The CEV itself strained
to point out that many of the modifications needed are minor, but
some are not. Part 8 of the second report outlines 5
recommendations which affect the hardware directly (R5, R6, R7, R9,
R10), and many of the others are likely to also.
It is also important that in part 5.2, the report skirts around the
central issue - a voter verified audit trail - and points out (in
C10) that the system is not subject to any meaningful audit - in the
absence of a voter verified paper audit trail - and that the paper
system is superior in this respect. That too would appear to be a
killer blow, and itself requires hardware changes.
Taken together, I cannot agree with your assertion that the reports
indicate that the hardware is acceptable. Certainly not as-is, at
the very least. Nedap, the machines' manufacturer, pointed out last
July that the necessary modifications would be costly.
An Taoiseach is correct to say that ballot boxes may be attacked
physically. It's possible, for example, to drop in a lit match.
However there are important security differences. A ballot box is
vulnerable to attack only for a short period of time, in a
relatively secure environment with a Garda presence. Additionally,
tampering with ballot boxes is vastly more evident to all
concerned, and the risks are much higher for a tamperer. Voting
machines lie in storage for years at a time and are constantly
vulnerable to attack - at any time from manufacture to use. It is
the height of ignorance to suggest that the situations are in any
respect comparable.
You are wrong to suggest that an electronic system can be secure if
designed right. It fundamentally cannot; people cannot see
electrons, and so it is not open to human-level validation. Any
tampering or mis-recording which occurs electronically simply is not
practicably open to physical inspection; it takes destructive
laboratory analysis to compare and affirm an electronic device
component by component. In the business world this problem is solved
through parallel testing; however, voting is one of the few
applications where this is not possible, as the input (the vote)
must remain a secret and cannot be independently put into a second
system for testing.
Having been involved in the E-voting debate, as an "activist" for 4
years now, I certainly don't agree that the combination of a paper
and an electronic system has been an obsession. In my extensive
experience, internationally and in Ireland, the overwhelming
majority of e-voting campaigners favour a paper-only system. ICTE,
the Irish e-voting activism group is somewhat atypical in supporting
any form of electronic voting at all, and even that support is
limited.
Campaigns for a dual system are generally a pragmatic realisation
that writing off the costs of investments is an enormous political
hurdle and that many do appreciate the benefits of electronic
systems (fewer spoiled votes, aids for the disabled, speedier
returns). It is also very important to realise that a paper-only
count satisfies the VVAT requirement: a paper ballot is a
voter-verified audit trail.
Having hardware validated by an independent agency will do nothing
to boost confidence in any system. It still would not be possible to
detect whether the hardware in use on the day is the hardware that
has been validated. That it would be a waste of time and money
should be self-evident. How could a voter have confidence that the
machine or software has not been switched?
The notion that seals could play a role in assuring that the
hardware has not been modified post-validation is very dangerous.
Chapter 12 of Ross Anderson's excellent book "Security Engineering"
deals with the efficacy of various seals, and it is not promising
(it's available for free online,
http://www.cl.cam.ac.uk/~rja14/Papers/SE-12.pdf).
Even if such seals were perfect, we still have to eliminate the
possibility of fraud within the validation agency (why should I
trust them?) and somehow fix the problems and procedures which led
to the existing seals on the machines being regularly broken and
ignored in the course of the trials (for routine maintenance, or
problems during transport). Also, since the machines have to be opened
to insert the ballot modules, there is still plenty of opportunity
for tampering on the part of elections officials. Although we place
great faith and trust in our officials (who are generally
deserving of it), nevertheless we must defend against any and all
plausible threats.
I'm not certain what new inventive field of cryptography you are
referring to, but there is none that I know of that would somehow
allow me to verify that the software running on a system should be
trustworthy.
What fundamental difference you believe there is between leased
lines and remote IP or modems I don't really know, but my career as
a network engineer and network architect gives me no cause to
consider a leased line particularly trustworthy.
You also throw around the requirement that "There also needs to
be a validated auditing mechanism to show every instance of access
to the machines and the database." What does this even mean? If we
possessed near-omniscient, ever-present auditing procedures we
probably would be able to simply divine voter intent and could
dispense with elections altogether. Now that would be a solution.
In short, hand-wavy solutions du jour are of no use. It isn't even
remotely as simple as laid out in the piece, and the naive, buzz-laden
attempt (validation + cryptography = secure; please treat your readers
with some respect) is a good example of the very confusion in the debate
that you decry.
Electronic voting is a very, very hard problem, and may be intractable.
It's a subtle and technical field of study, and no one has all of the
answers. It involves information theory, sociology, political science
and engineering challenges, and at times it can be very tempting to think
of it merely as a technical problem to be conquered.
But standing back from that, it is easy to see that every hacked-on,
glued-together additional piece of complexity does real damage; it
distances the process from the voter and increases the democratic
deficit. When a voting process starts being characterised by an
ever-escalating tradition of obfuscation and complexity, there is
something wrong with our democracy, and it is certainly less transparent
and less worthy of trust - no matter how complicated you make it.
--
Colm MacCárthaigh Public Key: colm+pgp at stdlib.net