SF ACM Wed. -- Prof. David L. Dill on "The Battle for Accountable Voting Systems"
jimd at starshine.org
Wed Feb 18 18:51:58 PST 2004
On Tue, Feb 17, 2004 at 03:09:30PM -0800, David Wolfskill wrote:
> Some of you may already have seen the blurb, and I'm rather reluctant to
> spam the list (for various reasons), but here's an excerpt for those who
> may not have seen/noted it.
> I believe it's relevant to sysadmins because reliability of the computer
> systems in question lies at (or very close to) the heart of the matter,
> and as sysadmins, we tend to be rather more familiar with such issues
> than most. :-{
Not just reliability but also security! There's always been voting
fraud and manipulation (including gerrymandering, and various forms
of subtle polling place intimidation).
However, computing technology in voting would be an irresistible target
potentially allowing the attacker to swing any vote any way! I will
probably never trust a voting system that could be deployed by our
bureaucracy!
...
> Touch-screen voting machines store records of cast votes in internal memory,
> where the voter cannot check them. Because of our system of secret ballots,
> once the voter leaves the polls there is no way anyone can determine whether
> the vote captured was what the voter intended. Why should voters trust these
> machines?
This particular issue could easily be addressed, in theory. Each voter
should get a private (secret) numerically indexed receipt which uniquely
identifies his or her vote. All ballots, as recorded, should be published
(electronically --- on a website) indexed by these votes. Each voter
can, at any time after they've voted, check their vote and contest any
errors.
Several measures would be taken to preserve their privacy. The receipt
numbers would not publicly identify the polling place (official
electoral board aggregations of the data would be published as they are
now) and a verification request would not be specific --- you'd round a
couple digits off the end of the index number and get a batch of a
hundred ballots in response. You'd then pick yours out of the line-up
and verify it.
Voters would have the option of anonymously registering a complaint
(for cases where it would be unlikely to affect the outcome). That
would allow the electoral officials to do statistical analysis to
uncover some forms of fraud and probably most cases of defective
equipment.
Voters would also have the option of officially contesting the
record of their ballot. In such a case the contents of the ballot
would be removed from the official record (sorry, many copies might be
lying in caches, etc) and a new ballot for them would be recorded.
Measures would be taken to verify the person's ballot receipt, record
that a contest had been filed, but UNDER NO CIRCUMSTANCE record the
index number as part of the complaint. (Basically a form of double
blind procedure --- I can't give the details here as they would
probably be a bit elaborate).
Voters would also have the option of (anonymously) verifying that
their ballot was recorded correctly.
For those choosing not to use a computer (web browser) for verification
(for whatever reason) they could go to any county recorder's office
and view a printed copy. Measures would be taken so they could view
that one copy privately without any opportunity to tamper with it.
The details are not germane to this list --- but the basic idea is
that it adds accountability to the process. I suspect that even as
few as 5 to 10 per cent of the electorate doing the verification
follow-up would thwart most attempts at fraudulent ballot modification.
A 10 to 20 percent target would be ideal. Complaints and contests
would be statistically analyzed (because, privately, the location and
rough time of each record would be stored). Thus if compromises were
localized to given polling places, precincts, or individuals it would
probably show up.
Of course outright modification or censorship of ballots is only one
form of voting fraud. It's the least common. The infamous "graveyard
vote" or "ghost constituency" (insertion of fraudulent ballots for "ghosts"
--- people who are deceased, moved, or completely fictitious people)
is another big problem. That's already addressed by a variety of
techniques that are mostly unaffected by a proper electronic voting
system. (Each ballot is recorded with the location and *approximate*
time of submission --- statistical analysis and the reports and
affidavits of each polling place volunteer provide a cross-check;
so massive insertion of ghost votes would have to somehow jibe with
those cross-check figures. Each voting tablet should have a mylar
spool copy of the receipt tape --- like we have with cash registers.
One copy is printed and spit out to the voter, the other is wound
into a sealed spool! These would be electronically readable by
elections officials after breaking the seal before witnesses, etc)
(Thus the records of each machine could be audited --- but normal
practice would dictate that these be done statistically and that
the association between voter receipt indexes and actual voting machine
(and time) never be published).
I'm not an expert in this field. I haven't even given the problem
any formal analysis or research. These are just the obvious ideas
that come to mind. Undoubtedly they'd need considerable refinement,
adversarial criticism, and probably some significant corrections before
they could be trusted to deployment.
However, I think that accountable systems are possible and I suspect
that the primary mechanism would ultimately be similar to the one I've
described here.
My problems with that idea are:
* It's unlikely to be implemented correctly. There are too many
political and economic factors to push for some sort of
'paperless' system (AHHHRRRGHHH! NOOOOooooo!)
* It's unlikely to get even 5% of the verification rate that I
suspect is the bare minimum to deter significant fraud.
* It would facilitate "vote purchasing." Existing systems prevent
that on any scale since you can purchase my vote but have no
way to confirm that I didn't simply take the money and vote
with my conscience. Prevention of "vote purchasing" is why
you're generally not allowed to have someone in your ballot booth
with you as you vote. (There are exceptions made for the infirm).
(Vote-by-postal mail schemes are also susceptible to this attack).
If I spent some time in analysis of the problem I might also come up
with more problems (and even some enhancements to mitigate them). For
instance, in the case of vote purchasing: as the attacker I could
detect that the people I bribed scammed me --- but I could only contest
one of those in any jurisdiction since the whole system would watch
for contestation fraud! (No individual should ever contest more than
one ballot in the same election). Since the whole transaction is
illegal I have no legal recourse regarding the people who took my
money. I'm just like the loan shark who's been rooked. Going out
and breaking legs is likely to get me arrested on assault. So, the
vote purchasing exposure is a bit limited. Additionally it might be
deemed to be illegal to possess multiple receipts --- like counterfeit
money. I don't know the details.
Anyway, I've thought (informally) about the issue before and have
a wiki page up at:
http://www.starshine.org/sysadmoin/VotingMachineSecurity
... for those who are interested. I've ranted in more detail on the
topic there.
--
Jim Dennis
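As an added illustration (not Jim's code, and not taken from the wiki page he links), here is a toy Python model of the receipt-verification scheme sketched in the message above: ballots published by secret receipt index, batch lookups with the trailing digits rounded off, contests that log the precinct but never the index, and a per-precinct complaint-rate check. The 8-digit receipts, the batch of 100 and the 5% threshold are assumed values chosen for the example.

```python
import secrets
from collections import Counter

BATCH_DIGITS = 2     # round off two trailing digits -> a line-up of up to 100 ballots
RECEIPT_DIGITS = 8   # receipts are 8-digit random indexes (a constructed choice)

class ReceiptLedger:
    """Toy model of the scheme in the post: ballots are published indexed by a
    secret receipt number, the polling place and rough time are kept private,
    and a voter verifies by fetching a batch rather than a single index."""

    def __init__(self):
        self.public = {}    # receipt -> recorded choice (published)
        self.private = {}   # receipt -> (precinct, hour), never published
        self.contests = []  # precinct of each contested ballot; the index is deliberately absent

    def cast(self, choice, precinct, hour):
        receipt = secrets.randbelow(10 ** RECEIPT_DIGITS)
        while receipt in self.public:             # avoid an index collision
            receipt = secrets.randbelow(10 ** RECEIPT_DIGITS)
        self.public[receipt] = choice
        self.private[receipt] = (precinct, hour)
        return receipt                            # the voter's private receipt

    def batch_lookup(self, receipt):
        """Every published ballot sharing the receipt's leading digits; the voter picks theirs out."""
        prefix = receipt // 10 ** BATCH_DIGITS
        return {r: c for r, c in self.public.items() if r // 10 ** BATCH_DIGITS == prefix}

    def verify(self, receipt, expected):
        return self.batch_lookup(receipt).get(receipt) == expected

    def contest(self, receipt, corrected_choice):
        """Remove the disputed record, log only its precinct, and record a fresh ballot."""
        precinct, hour = self.private.pop(receipt)
        del self.public[receipt]
        self.contests.append(precinct)
        return self.cast(corrected_choice, precinct, hour)

    def suspicious_precincts(self, threshold=0.05):
        """Precincts whose contest rate exceeds the threshold: where localized
        tampering or defective equipment would show up in the statistics."""
        cast = Counter(p for p, _ in self.private.values())
        contested = Counter(self.contests)
        return sorted(p for p in cast if contested[p] / cast[p] > threshold)
```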