[E-voting] Thomas Greene still doesn't get it.

Colm MacCarthaigh colm at stdlib.net
Wed Oct 25 08:46:19 IST 2006


On Tue, Oct 24, 2006 at 08:32:08PM -0400, Aengus Lawlor wrote:
> Some of you may remember a long thread triggered by an article on The 
> Register by one of its regular columnists, Thomas Greene.
> http://lists.stdlib.net./pipermail/e-voting/2004-July/thread.html#3946
> 
> Mr Greene has recently moved to Dublin, and has a new article about Bertie, 
> and his stupid auld pencils.
> 
> http://www.theregister.co.uk/2006/10/24/irish_elections_in_a_box/
> 
> He still doesn't get it. The concept of a democracy based on a secret 
> ballot counted in public still eludes him.

I sent him a mail yesterday, and am considering blogging it. Here's
my response:

The important debate surrounding E-voting is not aided by ill-informed and
poorly-researched bluster.

Contrary to what you say, it makes a very great deal of difference
whether or not "one uses electronic gadgets, paper ballots, or a
combination"; there are different and fundamental problems inherent to
each.

    According to the Commission on Electronic Voting reports on the
    system the hardware is not acceptable as-is. The CEV itself strained
    to point out that many of the modifications needed are minor, but
    some are not.  Part 8 of the second report outlines 5
    recommendations which affect the hardware directly (R5, R6, R7, R9,
    R10) and many of the others are likely to also. 

    It is also important that in part 5.2, the report skirts around the
    central issue - a voter verified audit trail - and points out (in
    C10) that the system is not subject to any meaningful audit - in the
    absence of a voter verified paper audit trail - and that the paper
    system is superior in this respect. That too would appear to be a
    killer blow, and itself requires hardware changes.

    Taken together, I can not agree with your assertion that the reports
    indicate that the hardware is acceptable. Certainly not as-is, at
    the very least. Nedap, the machines' manufacturers, pointed out last
    July that the necessary modifications would be costly.

    An Taoiseach is correct to say that ballot boxes may be attacked
    physically. It's possible, for example, to drop in a lit match.
    However there are important security differences. A ballot box is
    vulnerable to attack only for a short period of time, in a
    relatively secure environment with a Garda presence. Additionally,
    tampering with ballot boxes is vastly more evident to all
    concerned, and the risks are much higher for a tamperer. Voting
    machines lie in storage for years at a time and are constantly
    vulnerable to attack - at any time from manufacture to use. It is
    the height of ignorance to suggest that the situations are in any
    respect comparable.

    You are wrong to suggest that an electronic system can be secure if
    designed right. It fundamentally cannot; people cannot see
    electrons, and so it is not open to human-level validation. Any
    tampering or mis-recording which occurs electronically simply is not
    practicably open to physical inspection; it takes destructive
    laboratory analysis to compare and affirm an electronic device
    component by component. In the business world this problem is solved
    through parallel testing; however, voting is one of the few
    applications where this is not possible, as the input (the vote)
    must remain a secret and cannot be independently put into a second
    system for testing.

    Having been involved in the E-voting debate, as an "activist" for 4
    years now, I certainly don't agree that the combination of a paper
    and an electronic system has been an obsession. In my extensive
    experience, internationally and in Ireland, the overwhelming
    majority of e-voting campaigners favour a paper-only system. ICTE,
    the Irish e-voting activism group, is somewhat atypical in supporting
    any form of electronic voting at all, and even that support is
    limited.

    Campaigns for a dual system are generally a pragmatic realisation
    that writing off the costs of investments is an enormous political
    hurdle and that many do appreciate the benefits of electronic
    systems (less vote spoliation, aids for the disabled, speedier
    returns). It is also very important to realise that a paper-only
    count satisfies the VVAT requirement: a paper ballot is a
    voter-verified audit-trail.

    Having hardware validated by an independent agency will do nothing
    to boost confidence in any system. It still would not be possible to
    detect whether the hardware in use on the day is the hardware that
    has been validated. That it would be a waste of time and money
    should be self-evident. How could a voter have confidence that the
    machine or software has not been switched?

    The notion that seals could play a role in assuring that the
    hardware has not been modified post-validation is very dangerous.
    Chapter 12 of Ross Anderson's excellent book "Security Engineering"
    deals with the various efficacies of seals, and it is not promising
    (it's available for free online,
    http://www.cl.cam.ac.uk/~rja14/Papers/SE-12.pdf).

    Even if such seals were perfect, we still have to eliminate the
    possibility of fraud within the validation agency (why should I
    trust them?) and somehow fix the problems and procedures which led
    to the existing seals on the machines being regularly broken and
    ignored in the course of the trials (for routine maintenance, or
    problems during transport). Also, since the machines have to be opened
    to insert the ballot modules, there is still plenty of opportunity
    for tampering on the part of elections officials. Although we place
    great faith and trust in our officials (who are generally
    deserving of it), nevertheless we must defend against any and all
    plausible threats.

    I'm not certain what new inventive field of cryptography you are
    referring to, but there is none that I know of that would somehow
    allow me to verify that the software running on a system should be
    trustworthy.

    What fundamental difference you believe there is between leased
    lines and remote IP or modems I don't really know, but my career as
    a network engineer and network architect gives me no cause to
    consider a leased line particularly trustworthy.

    You also throw around the requirement that "There also needs to
    be a validated auditing mechanism to show every instance of access
    to the machines and the database." What does this even mean? If we
    possessed near-omniscient ever-present auditing procedures we
    probably would be able to simply divine voter intent and could
    dispense with elections altogether. Now that would be a solution.

In short, hand-wavy solutions-du-jour are of no use. It isn't even
remotely as simple as laid out in the piece, and the naive, buzz-laden
attempt (validation + cryptography = secure; please treat your readers
with some respect) is a good example of the very confusion in the debate
that you decry.

Electronic voting is a very very hard problem, and may be intractable.
It's a subtle and technical field of study, and no one has all of the
answers. It involves information theory, sociology, political science
and engineering challenges, and at times it can be very tempting to think
of it merely as a technical problem to be conquered.

But standing back from that it is easy to see that every hacked-on
glued-together additional piece of complexity does real damage; it
distances the process from the voter and increases the democratic
deficit. When a voting process starts being characterised by an
ever-escalating tradition of obfuscation and complexity, there is
something wrong with our democracy, and it is certainly less transparent
and less worthy of trust - no matter how complicated you make it.

-- 
Colm MacCárthaigh                        Public Key: colm+pgp at stdlib.net