Schneier on Security
A blog covering security and security technology.
« Mail-in Ballot Attack |
| Clever Virus Attack »
October 31, 2004
Getting Out the Vote: Why is it so hard to run an honest election?
Four years after the Florida debacle of 2000 and two years after Congress passed the Help America Vote Act, voting problems are again in the news: confusing ballots, malfunctioning voting machines, problems over who's registered and who isn't. All this brings up a basic question: Why is it so hard to run an election?
A fundamental requirement for a democratic election is a secret ballot, and that's the first reason. Computers regularly handle multimillion-dollar financial transactions, but much of their security comes from the ability to audit the transactions after the fact and correct problems that arise. Much of what they do can be done the next day if the system is down. Neither of these solutions works for elections.
American elections are particularly difficult because they're so complicated. One ballot might have 50 different things to vote on, all but one different in each state and many different in each district. It's much easier to hold national elections in India, where everyone casts a single vote, than in the United States. Additionally, American election systems need to be able to handle 100 million voters in a single day -- an immense undertaking in the best of circumstances.
Speed is another factor. Americans demand election results before they go to sleep; we won't stand for waiting more than two weeks before knowing who won, as happened in India and Afghanistan this year.
To make matters worse, voting systems are used infrequently, at most a few times a year. Systems that are used every day improve because people familiarize themselves with them, discover mistakes and figure out improvements. It seems as if we all have to relearn how to vote every time we do it.
It should be no surprise that there are problems with voting. What's surprising is that there aren't more problems. So how to make the system work better?
-- Simplicity: This is the key to making voting better. Registration should be as simple as possible. The voting process should be as simple as possible. Ballot designs should be simple, and they should be tested. The computer industry understands the science of user-interface -- that knowledge should be applied to ballot design.
-- Uniformity: Simplicity leads to uniformity. The United States doesn't have one set of voting rules or one voting system. It has 51 different sets of voting rules -- one for every state and the District of Columbia -- and even more systems. The more systems are standardized around the country, the more we can learn from each other's mistakes.
-- Verifiability: Computerized voting machines might have a simple user interface, but complexity hides behind the screen and keyboard. To avoid even more problems, these machines should have a voter-verifiable paper ballot. This isn't a receipt; it's not something you take home with you. It's a paper "ballot" with your votes -- one that you verify for accuracy and then put in a ballot box. The machine provides quick tallies, but the paper is the basis for any recounts.
-- Transparency: All computer code used in voting machines should be public. This allows interested parties to examine the code and point out errors, resulting in continually improving security. Any voting-machine company that claims its code must remain secret for security reasons is lying. Security in computer systems comes from transparency -- open systems that pass public scrutiny -- and not secrecy.
But those are all solutions for the future. If you're a voter this year, your options are fewer. My advice is to vote carefully. Read the instructions carefully, and ask questions if you are confused. Follow the instructions carefully, checking every step as you go. Remember that it might be impossible to correct a problem once you've finished voting. In many states -- including California -- you can request a paper ballot if you have any worries about the voting machine.
And be sure to vote. This year, thousands of people are watching and waiting at the polls to help voters make sure their vote counts.
This essay originally appeared in the San Francisco Chronicle.
Also read Avi Rubin's op-ed on the subject.
Posted on October 31, 2004 at 9:13 AM
• 20 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Also, if you live in an "interesting" area (or even if you don't) expect trouble. When you go to vote, take ID, preferrably two forms of photo ID. This is especially true if you're a new voter; you're in the class that will be getting the most challenges. If there are problems, the ACLU has a hotline at 1-877-523-2792. MoveOn PAC also has a number of lines to call to report irregularities; they have an "election protection card" with local phone numbers (warning -- link is to a PDF file).
We definately need reforms. An election system, remember, has to convince the sorest loser that the election was fair. The most obvious is to have the Commissioner of Elections be a nonpartisan post. There also need to be strict guidelines on voter registration, voter intimidation, spreading of vote- related disinformation, etc. -- and those laws must have teeth and they must be enforced.
The point of all the alarmism and all the worry about various forms of fraud is to "turn the lights on" in an area that has the reputation of being complex, boring, and a sewer of corruption. To anybody trying to steal the election, we're saying "you are being watched!"
"Security in computer systems comes from transparency -- open systems that pass public scrutiny -- and not secrecy."
While normally I agree with this blanket statement, I think you have to be practical about the economics of the situation.
Security of open-source systems relies on having it eyeballed, not just by anybody, but by security experts. Simply making the software open-source doesn't guarantee that, but you can increase the chances of it happening. For example, an open-source crypto library will get a good deal of review as it is interesting to security reviewers, but the keyword highlighting code in office may not get the same scrutiny.
Obviously the longer the source is out in the public domain the higher the chance that it will be reviewed in a meaningful way, after all I'm sure even Bruce Almighty has to find something to do on a rainy Friday afternoon.
But to release the source for voting software today? With so little time to go? That would surely throw the balance in favour of an attacker as the motive of attack, wether malicious or financial, is likely to be far stronger than a volunteer's incentive to ensure a fair election.
I can easily imagine that both sides of the race would have the code profesionally and confidentially reviewed but would only raise issues and disclose flaws in the event that the result was not in their favour, claiming the election void.
Admittedly in the case of the US election, finding the flaws and getting the resulting 15 minutes of fame may be enough to balance the equation, but in lower profile software I would not be so sure.
Imagine that your bank writes to you to say they are open-sourcing their internet banking application. I would close my account immediately as the first people to review the code and find holes will be those with the most incentive. I have no incentive to review the entire application as I can protect my money more effectively by moving it to a different bank. Of course, in a few years time if the open-source bank survived I might consider moving it back again...
... perhaps we should all be voting at our local ATMs? This election year Absentee Voting is the way to go. An important factor with voting is accountablity. Software assists the world in creating a paperless office, unfortunately without paper artifacts accountability (the way we are used to it) goes out the window. Not only does external fraud (as it currently stands) need to be monitored but with software voting internal fraud will also have to be kept in check. This adds layers of checks and balances to something that is supposed to be simple. No one trusts anyone and why should they?
Four More Years!
funny enough, voting over here in Germany works like a charm. I am sure it has a lot to do with the fact that for some things it just makes more sense to do it manually. Over here, people mark the paper ballot with a large X in the appropriate circle and that's it. The ballot is put into a ballot box and afterwards, people count them by hand. Nevertheless, at most four hours after closing of the elections the counts so far are very very close to the final result.
Of course, as you say, it helps a lot if you have only one ballot per electable item. It helps, too, if you have a standardized voting process and a standardized ballot.
I've never understood the US obsession with technology by all means. I simply see no sense in using computer technology to conduct voting. I didn't understand the need for the former voting machines, either.
One thing you pass over briefly but don't explain is why computer voting systems don't/can't give you a receipt to take away with you that documents the way you voted. At first glance, this seems like it would be a reasonable way to give voters confidence in the tabulation process.
The reason is that such receipts can be used as the basis for vote-buying schemes.
If there's no way for you yourself to prove to anyone how you voted, then this particular abuse of the voting process is impossible. However, it also puts yet another constraint on the whole mechanism.
Randall, that's why (as Bruce said) your "receipt" should be a ballot that you put in the box after checking to make sure it's right. You don't get to take it home but you do get to eyeball it for accuracy before turning it in. That way you can be sure that your votes were counted correctly by the machine, but you can't engage in vote buying schemes.
Although it seems like vote buying of old worked just fine without receipts or anything of the sort, just by knowing that a large enough percentage of the people that you buy will vote for your that the few that don't really won't make a difference.
Here in Australia we use the traditional paper ballot. Usually we know the overall result within 4 to 6 hours.
Given the problems that the high-tech systems have caused in America, maybe it is time to consider the boring but reliable paper ballot.
Being in Italy, I can just agree with Axel Eble above: in the Old World we just have a simpler method for voting and some things are just done better manually. The American way of casting a ballot just left me amazed and confused. I recently wrote about it in my blog http://giuliomotta.com/blog/post.cgi?id=218
I take small issue with:
"The computer industry understands the science of user-interface -- that knowledge should be applied to ballot design."
The folks that really understand communication through 2D visual presentation are graphic designers. This knowledge is independant of platform - good graphic design is as relevant to web pages as it is to printed train timetables, as important to a street sign as a ballot. The computer industry is a johnny-come-lately to the idea that good graphic design is more than just eye-candy, it is effective communication. I have strong suspicions that a graphic designer had nothing to do with Florida's horrendous butterfly ballot design, and everything to do with Google's elegant interface.
The Australian Capital Territory publishes the code for its electronic voting system. Australian elections typically involve a ballot for each house and we do use STV which is the most complex voting system on the planet. It goes on paper and the results are usually known within 2 hours of the polls closing.
I think your real problem is the lack of a neutral, professional election administration and the multiplicity of rules and practices that vary by state and county. An Australian can walk into any electoral office, polling booth or diplomatic mission and cast a provisional ballot. It gets mailed to your district, checked, and counted.
Voting should be that simple.
Japan uses paper ballots for voting as other countries mentioned above, but counting is increasingly mechanized by OCR. Japanese voters vote either by putting a circle on the list of candidates, or writing names of candidates/parties on their ballots, depending on the type of election. The use of OCR is widespread for the first type of election, while the use for the second type is now increasing.
There seems some issues on the reliability of OCR for handwritten characters, but I do not aware of a major controversy caused by OCR.
One advantage of OCR is that paper ballots are available after counting, so if there is a doubt, we can simply recount by hand.
It's fun to read the "old world" comments. No offense, but it seems that when American experts talk about problems, they always assume that their problems are universal. It seems they never ever care to look at how other nations might handle the same thing, and to check out whether there are already workable solutions. Sure, Americans don't like to take lessons in democracy (they "invented" it, I know)... Sure, Americans have a lot of different things to vote on that are even different in each state, but that's true for Switzerland, too, and they manage very well (they, too, claim to have invented democracy; they don't vote for President but for about everything else). The population size shouldn't really make a difference; to count more votes, you need more counters. Where's the problem?
You only talk about technical problems without mentioning the real, political issues. Most democratic countries have elections run and overseen by independant authorities and not by the very politicians who seek election. And if the US presidential election were a real national (one citizen, one vote) rather than state by state election, voting rules would have to be uniform.
This doesn't really belong here but the blog reminds me of the September cryptogram when Bruce wrote more or less that internet banking cannot be made secure effectively and practically ("But issuing hardware to millions of electronic banking customers is prohibitively expensive, both in initial cost and in customer support. And customers hate these systems. (...) Unsolved, this type of security problem can change the way people interact with the Internet. It'll prove that the naysayers were right all along, that the Internet isn't safe for electronic commerce."). But there is a simple and effective mechanism that dramatically increases security and beats password phishing attacks. Transaction codes (TANs) are used by many banks in Europe and probably elsewhere, but surprisingly not in North America.
This is really disappointing: "It's much easier to hold national elections in India, where everyone casts a single vote". Dear Bruce, India is a federal union where each state has its own government elected, just as in the USA, and, by the way, in Mexico, Brazil, Germany, Austria and many more countries. The US isn't the only place with a "complicated" political system, thank you very much Mr Yankee ;-) I think there is hardly one democratic country in the world where only a single entity is elected.
"It should be no surprise that there are problems with voting. What's surprising is that there aren't more problems." No, what's really surprising is that one of the richest nations and one of the oldest democratic has so many problems with voting.
One final remark: conventional wisdom seems to be that yesterday's election results are credible because they were not close. This isn't exactly true as there is simply no way to know whether results reported by machines without paper trail are correct or not. I'm not suggesting that anything irregular has happened but it is simply beyond me how anybody can confide the fate of the nation to machines instead of insisting that every ballot be counted by at least four eyes. As always, the best security is human control and interaction.
You're missing the one overriding factor.
Politicians don't want simple, standard, veriable, transparent systems.
People have to demand these things, or they will never happen.
"Transparency: All computer code used in voting machines should be public. "
I don't understand this obsession with making the source code public - making the code public is just a PR gimmick if I can't be sure that the code I read (or trusted some geek to read for me) is actually the code that's running on election day. It's not as if they give each voter the opportunity to download the source themselves, compile it themselves, and then run it on their own hardware.
While I have no problem with the contention that, in theory, many eyeballs might spot potential problems in the source code, I'm not convinced that it would make a big difference in practice, and I am concerned that it acts as a distraction from the real issue - auditability. I'm sure that there will be some jurisdictions where officials will use the availability of public source code to argue that paper trails aren't needed any more, because they've already conceded to the source code to the "anti-evoting" crowd.
I just checked the November Cryptogram newsletter and found that Bruce has reprinted the same mistakes he had made in his blog, although they already had been corrected by his readers. Particularly this one is highly embarassing:
"It's much easier to hold national elections in India, where everyone casts a single vote, than in the United States." Which is plain wrong and looks a lot like Yankee attitude. Even those simple-minded Indians are able to cast votes but only because they have a much simpler system than the USA. India is a federal union, like the United States and dozens of other countries. But neither India nor Brazil seem to have the problems for which the US now have become famous. Please, Americans, stop to blame the laws of nature for your particular voting problems. You are responsable for that mess, nobody else.
India used electronic voting machines for the first time in this year's general elections and the results were known the evening of the day that polls closed all over the country. Voting was actually staggered over a period of almost a month simply because of the huge logistical problems in dealing with a country with around 600 million voters. But once the the last vote was cast and counting began, broad trends were available within an hour or so and final results (except for a few seats) were known by the evening.
The EVMs were extremely low tech. They were built to work in all sorts of conditions (they could run on car batteries in case of power cuts for example).
Before the EVMs, counting used to take upto a week. Not anymore. And there was no controversy at all over the use of EVMs. everyone accepted the result.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.