Hacking the Papal Election

As the College of Cardinals prepares to elect a new pope, people like me wonder about the election process. How does it work, and just how hard is it to hack the vote?

Of course I'm not advocating voter fraud in the papal election. Nor am I insinuating that a cardinal might perpetrate fraud. But people who work in security can't look at a system without trying to figure out how to break it; it's an occupational hazard.

The rules for papal elections are steeped in tradition, and were last codified on 22 Feb 1996: "Universi Dominici Gregis on the Vacancy of the Apostolic See and the Election of the Roman Pontiff." The document is well-thought-out, and filled with details.

The election takes place in the Sistine Chapel, directed by the Church Chamberlain. The ballot is entirely paper-based, and all ballot counting is done by hand. Votes are secret, but everything else is done in public.

First there's the "pre-scrutiny" phase. "At least two or three" paper ballots are given to each cardinal (115 will be voting), presumably so that a cardinal has extras in case he makes a mistake. Then nine election officials are randomly selected: three "Scrutineers" who count the votes, three "Revisers," who verify the results of the Scrutineers, and three "Infirmarii" who collect the votes from those too sick to be in the room. (These officials are chosen randomly for each ballot.)

Each cardinal writes his selection for Pope on a rectangular ballot paper "as far as possible in handwriting that cannot be identified as his." He then folds the paper lengthwise and holds it aloft for everyone to see.

When everyone is done voting, the "scrutiny" phase of the election begins. The cardinals proceed to the altar one by one. On the altar is a large chalice with a paten (the shallow metal plate used to hold communion wafers during mass) resting on top of it. Each cardinal places his folded ballot on the paten. Then he picks up the paten and slides his ballot into the chalice.

If a cardinal cannot walk to the altar, one of the Scrutineers -- in full view of everyone -- does this for him. If any cardinals are too sick to be in the chapel, the Scrutineers give the Infirmarii a locked empty box with a slot, and the three Infirmarii together collect those votes. (If a cardinal is too sick to write, he asks one of the Infirmarii to do it for him.) The box is opened and the ballots are placed onto the paten and into the chalice, one at a time.

When all the ballots are in the chalice, the first Scrutineer shakes it several times in order to mix them. Then the third Scrutineer transfers the ballots, one by one, from one chalice to another, counting them in the process. If the total number of ballots is not correct, the ballots are burned and everyone votes again.

To count the votes, each ballot is opened and the vote is read by each Scrutineer in turn, the third one aloud. Each Scrutineer writes the vote on a tally sheet. This is all done in full view of the cardinals. The total number of votes cast for each person is written on a separate sheet of paper.

Then there's the "post-scrutiny" phase. The Scrutineers tally the votes and determine if there's a winner. Then the Revisers verify the entire process: ballots, tallies, everything. And then the ballots are burned. (That's where the smoke comes from: white if a Pope has been elected, black if not.)

How hard is this to hack? The first observation is that the system is entirely manual, making it immune to the sorts of technological attacks that make modern voting systems so risky. The second observation is that the small group of voters -- all of whom know each other -- makes it impossible for an outsider to affect the voting in any way. The chapel is cleared and locked before voting. No one is going to dress up as a cardinal and sneak into the Sistine Chapel. In effect, the voter verification process is about as perfect as you're ever going to find.

Eavesdropping on the process is certainly possible, although the rules explicitly state that the chapel is to be checked for recording and transmission devices "with the help of trustworthy individuals of proven technical ability." I read that the Vatican is worried about laser microphones, as there are windows near the chapel's roof.

That leaves us with insider attacks. Can a cardinal influence the election? Certainly the Scrutineers could potentially modify votes, but it's difficult. The counting is conducted in public, and there are multiple people checking every step. It's possible for the first Scrutineer, if he's good at sleight of hand, to swap one ballot paper for another before recording it. Or for the third Scrutineer to swap ballots during the counting process.

A cardinal can't stuff ballots when he votes. The complicated paten-and-chalice ritual ensures that each cardinal votes once -- his ballot is visible -- and also keeps his hand out of the chalice holding the other votes.

Making the ballots large would make these attacks harder. So would controlling the blank ballots better, and only distributing one to each cardinal per vote. Presumably cardinals change their mind more often during the voting process, so distributing extra blank ballots makes sense.

Ballots from previous votes are burned, which makes it harder to use one to stuff the ballot box. But there's one wrinkle: "If however a second vote is to take place immediately, the ballots from the first vote will be burned only at the end, together with those from the second vote." I assume that's done so there's only one plume of smoke for the two elections, but it would be more secure to burn each set of ballots before the next round of voting.

And lastly, the cardinals are in "choir dress" during the voting, which has translucent lace sleeves under a short red cape; much harder for sleight-of-hand tricks.

It's possible for one Scrutineer to misrecord the votes, but with three Scrutineers, the discrepancy would be quickly detected. I presume a recount would take place, and the correct tally would be verified. Two or three Scrutineers in cahoots with each other could do more mischief, but since the Scrutineers are chosen randomly, the probability of a cabal being selected is very low. And then the Revisers check everything.
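As an added illustration (not part of the original essay), the calculation below puts numbers on that claim. It assumes officials are drawn uniformly at random and without replacement from the 115 electors, and that a miscount goes unnoticed only if colluders hold a majority of both the Scrutineers and the Revisers; the function names and that majority threshold are assumptions of this example.

```python
from fractions import Fraction
from math import comb

ELECTORS = 115      # voting cardinals, per the article
PANEL = 3           # Scrutineers and Revisers are panels of three


def ways(n, k):
    """Binomial coefficient that is 0 (not an error) for impossible draws."""
    return comb(n, k) if 0 <= k <= n else 0


def p_at_least(colluders, seats, need, population=ELECTORS):
    """P(at least `need` of `seats` uniformly drawn officials are colluders)."""
    hits = sum(ways(colluders, k) * ways(population - colluders, seats - k)
               for k in range(need, seats + 1))
    return Fraction(hits, comb(population, seats))


def p_control(colluders, need_s=2, need_r=2, population=ELECTORS):
    """P(colluders fill >= need_s Scrutineer and >= need_r Reviser seats).

    Assumption: Scrutineers are drawn first, then Revisers from the
    remaining electors, so nobody holds two offices.
    """
    honest = population - colluders
    denom = comb(population, PANEL) * comb(population - PANEL, PANEL)
    total = 0
    for i in range(need_s, PANEL + 1):          # colluding Scrutineers
        ways_s = ways(colluders, i) * ways(honest, PANEL - i)
        for j in range(need_r, PANEL + 1):      # colluding Revisers
            ways_r = (ways(colluders - i, j)
                      * ways(honest - (PANEL - i), PANEL - j))
            total += ways_s * ways_r
    return Fraction(total, denom)


if __name__ == "__main__":
    print("cabal  P(>=2 Scrutineers)  P(>=2 Scrutineers and >=2 Revisers)")
    for c in (3, 5, 10, 20, 40):
        print(f"{c:5d}  {float(p_at_least(c, PANEL, 2)):18.5f}  "
              f"{float(p_control(c)):35.7f}")
```

With a cabal of 10 among the 115 electors, the chance of holding at least two Scrutineer seats is 51/2599, about 2%, before the Revisers' check is taken into account.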

More interesting is to try and attack the system of selecting Scrutineers, which isn't well-defined in the document. Influencing the selection of Scrutineers and Revisers seems a necessary first step towards influencing the election.

Ballots with more than one name (overvotes) are void, and I assume the same is true for ballots with no name written on them (undervotes). Illegible or ambiguous ballots are much more likely, and I presume they are discarded. The rules do have a provision for multiple ballots by the same cardinal: "If during the opening of the ballots the Scrutineers should discover two ballots folded in such a way that they appear to have been completed by one elector, if these ballots bear the same name they are counted as one vote; if however they bear two different names, neither vote will be valid; however, in neither of the two cases is the voting session annulled." This surprises me, although I suppose it has happened by accident.

If there's a weak step, it's the counting of the ballots. There's no real reason to do a pre-count, and it gives the Scrutineer doing the transfer a chance to swap legitimate ballots with others he previously stuffed up his sleeve. I like the idea of randomizing the ballots, but putting the ballots in a wire cage and spinning it around would accomplish the same thing more securely, albeit with less reverence.

And if I were improving the process, I would add some kind of white-glove treatment to prevent a Scrutineer from hiding a pencil lead or pen tip under his fingernails. Although the requirement to write out the candidate's name in full gives more resistance against this sort of attack.

The recent change in the process that lets the cardinals go back and forth from the chapel into their dorm rooms -- instead of being locked in the chapel the whole time as was done previously -- makes the process slightly less secure. But I'm sure it makes it a lot more comfortable.

Lastly, there's the potential for one of the Infirmarii to do what he wants when transcribing the vote of an infirm cardinal, but there's no way to prevent that. If the cardinal is concerned, he could ask all three Infirmarii to witness the ballot.

There are also enormous social -- religious, actually -- disincentives to hacking the vote. The election takes place in a chapel, and at an altar. They also swear an oath as they are casting their ballot -- further discouragement. And the Scrutineers are explicitly exhorted not to form any sort of cabal or make any plans to sway the election under pain of excommunication: "The Cardinal electors shall further abstain from any form of pact, agreement, promise or other commitment of any kind which could oblige them to give or deny their vote to a person or persons."

I'm sure there are negotiations and deals and influencing -- cardinals are mortal men, after all, and such things are part of how humans come to agreement.

What are the lessons here? First, open systems conducted within a known group make voting fraud much harder. Every step of the election process is observed by everyone, and everyone knows everyone, which makes it harder for someone to get away with anything. Second, small and simple elections are easier to secure. This kind of process works to elect a Pope or a club president, but quickly becomes unwieldy for a large-scale election. The only way manual systems work is through a pyramid-like scheme, with small groups reporting their manually obtained results up the chain to more central tabulating authorities.

And a third and final lesson: when an election process is left to develop over the course of a couple thousand years, you end up with something surprisingly good.

Rules for a papal election

There's a picture of choir dress on this page

Edited to add: The stack of used ballots is pierced with a needle and thread and tied together, which 1) marks them as used, and 2) makes them harder to reuse.

Posted on April 14, 2005 at 9:59 AM • 33 Comments

Comments

Tim • April 14, 2005 11:01 AM

"Ballots with more than one name (overvotes) are void, and I assume the same is true for ballots [...] with two names on it (overvotes)."

Huh?

Tim • April 14, 2005 11:06 AM

I wonder if it would be possible to imitate one of the cardinals, especially one of the ones who is perhaps near death? You'd need some good make-up, but its effectiveness could be increased by perhaps the need to wear an oxygen mask to help obscure your face...

DavidG • April 14, 2005 11:35 AM

The counted ballots, after all scrutiny, are pierced by a needle and threaded together into a single pile of votes.

The chance of getting a ballot off the thread without causing even more immediately obvious physical damage is very slight.

Not a perfect voting system, but better than most.

Clive Robinson • April 14, 2005 11:44 AM

Although not perfect, it does sound much more like a sensible voting system than the one currently in place in the UK (which is wide open to postal fraud, and members of the armed forces have been effectively barred from voting by a mistake made by the Ministry of Defence...)

The question is how do you scale up a good voting system to be viable when several million people have to vote at the same time.

Andy • April 14, 2005 12:03 PM

Impersonate a cardinal? They know each other. And "Cardinals who celebrate their eightieth birthday before the day when the Apostolic See becomes vacant do not take part in the election"

Chris Hammond-Thrasher • April 14, 2005 12:10 PM

I do not want to put words into Bruce's mouth, but my reading of this post in light of numerous earlier postings in this blog, is that it is easier to hack the US presidential election than the papal election. That thought makes me smile.

Israel Torres • April 14, 2005 12:39 PM

The greatest papal hack is the antipope.

"Antipope: A pope whose election is not considered legal, and who claims the office in opposition to the pope who has been rightfully chosen. Many of these men are little known and count few people as followers. For instance, a handful of antipopes have challenged John Paul II’s papacy, but none seriously. However, the challenge of an antipope in the late 1300s led to the Great Western Schism, during which the Catholic Church was split for four decades."
ref: http://www.greeleytrib.com/article/20050403/NEWS/...

Israel Torres

alessandro bianchini • April 14, 2005 4:42 PM

laser eavesdropping won't change the outcome anyway ;)

don't worry, the vatican knows what it's doing and it's got the best TLAs working with them. If they were _really_ worried about being hacked they could do it in their antiatomic bunker....

Consensus building through iterative votations -- not a bad idea, isn't it?

salutes from the mothership

giovanni hermanin de reichenfeld • April 14, 2005 4:45 PM

ON THE OTHER HAND, hacking regional elections in italy is soooooooo easy......... eheh

(long story)

Tim • April 14, 2005 5:01 PM

Here's a question: how is it determined whether there's a winner? I.e., does a candidate need the absolute majority of the votes, or just the relative majority, or...?

keyed • April 14, 2005 5:18 PM

oh and by the way, the Cardinals have been asking any interested parties to interfere and influence the election by praying to the holy spirit ... so feel free to hack in neuronically :)

Anonymous • April 14, 2005 5:22 PM

Tim, you need 2/3rds of the votes for the first 33 "rounds". After that I believe only the two most voted "candidates" are on the ballot, at which point you only need 50% + 1

I'm Italian, but I'm praying for a foreigner... even though...

ale • April 14, 2005 5:36 PM

by the way, if they'd asked me how to defeat the laser eavesdropping I would have had them buy a bunch of olympia soundbugs.... but I think they just went for very heavy curtains, at least that's what they told the press.

Michael Giagnocavo • April 14, 2005 11:31 PM

Well, technological hacks won't work today since our technology is not sufficiently advanced. I imagine that some day, the ballot paper itself could be hacked.

I wonder what a potential attacker's budget would be?

Holy See! • April 14, 2005 11:47 PM

Wish they had handled the Florida election in Bush v. Gore. Of course, some might suggest they did.

Fazal Majid • April 15, 2005 12:38 AM

The process is vulnerable to other forms of attack. Like Alexander VI Borgia's tactic of wholesale bribery and assassination of opponents...

1 • April 15, 2005 8:12 AM

...not to mention cardinal reputation soiling with made up sexual allegations and economic settlements....

Jon Solworth • April 15, 2005 8:56 AM

Bruce writes "Nor am I insinuating that a cardinal might perpetuate fraud."

Bruce may not be insinuating it, but the elaborate rules would not be necessary if the cardinals (and others) were truly trusted. It appears infallibility only enters in after one becomes pope.

Bruce wrote about the integrity of the voting mechanism. There is another mechanism which also is traditional in such votes, and that is the secrecy of the vote. And since if a vote is not secret, coercion can be used to influence votes, this too is a property that must be analyzed in the voting procedure.

Anonymous • April 15, 2005 4:12 PM

> The only way manual systems work is through a pyramid-like scheme, with small groups reporting their manually obtained results up the chain to more central tabulating authorities.

Like happens in Canadian elections. The other advantage our elections have in simplicity over American elections is that we are only voting for one position ... which makes everything so much easier.

piglet • April 15, 2005 5:15 PM

You can bet that such an elaborate voting system wouldn't be in place if there hadn't been, over the centuries, attempts to manipulate. Voting isn't a new invention, and neither is election fraud. Of course, as Fazal mentioned, bribery, assassination and other proven methods have also been employed.

Davi Ottenheimer • April 17, 2005 9:53 PM

@piglet
Yes, but you don't need to manipulate the voting system when you fundamentally (or fundamentalistly) alter the voting itself. "Faith-based" voting schemes are a very simple and effective means to seize power, as they mobilize extremists. They demonize opponents and quietly install key people into positions where they can claim "broad-based" support for an agenda. It worked for Bush:
http://www.prospect.org/web/...
http://www.alternet.org/story/18259
http://www.tennessean.com/local/archives/05/01/...
http://www.seattleweekly.com/features/0449/...

It's also worked beautifully in Kansas, where a well organized ultra-fanatic conservative Christian network (also known as the Topeka Taliban) has completely obliterated the opposition by characterizing them as devil worshipers and sinners. When Kansans vote, they are up against the radical factions who follow the instructions of a "faith leader". This is just an example of how voter control, through faith manipulation, obviates the need to hack the voting system.

Eduardo Diaz • April 18, 2005 3:03 AM

In the "The Accursed Kings" book series, by Maurice Druon, a Hack is described, and the origin of the "Conclave".
Great lecture.

Michael • April 18, 2005 4:18 PM

Ahh, but who supplies the pens and paper?

I could imagine a hack that involves filling the pens with ink that's temporarily visible but fades between insertion in the box and the counting. The ceremony is elaborate enough that enough time passes to allow this hack. Since empty ballots don't invalidate the vote, this would be sufficient to wipe out some of the votes and affect the outcome.

Even if empty ballots invalidated the vote, you could prepare the paper with the desired outcome written in ink that's temporarily invisible, and perhaps becomes visible only with a trigger such as vigorous shaking or the folding of the paper. Then the prepared answers could appear just as the actual votes disappear. Voila, a hacked papal election.

Also, how is the container that receives the votes secured? I could imagine filling it beforehand with prepared votes (a false bottom perhaps) so that the randomization step exchanges the votes cast with votes prepared ahead of time.

another_bruce • April 19, 2005 3:14 AM

you would need to turn several cardinals. Vito Corleone would have done it by either kidnapping somebody close to them or obtaining evidence of sexual indiscretion, i would be more interested in post-hypnotic suggestions possibly augmented with drugs. you only need several because presumably the desired papal candidate already has a bloc of legitimate supporters. the air gap between the sistine chapel interior and the outside world could be made to work in your favor, because the undecided cardinals are actually more suggestible than the average man on the street, alert for signs from the "holy ghost", which the turned cardinals would supply, nothing as overt as a holographic jesus projected for a second next to the desired pope, a faint shimmering radiance would be enough, because catholicism is halfway to psychosis anyway, you just need to take them by the hand and lead them one or two more steps. do i look good in this halo?

Jeff Caruso • April 24, 2005 8:42 PM

Jon Solworth writes:

> There is another mechanism which also is traditional in such votes, and that is the secrecy of the vote.

They thought of that, too. In paragraph 65 of Universi Dominici Gregis:

"... (2) the completion of the ballot must be done in secret by each Cardinal elector, who will write down legibly, as far as possible in handwriting that cannot be identified as his, the name of the person he chooses, taking care not to write other names as well, since this would make the ballot null; he will then fold the ballot twice; ..."

J.J. Bustamante • April 22, 2006 1:00 AM

This is a little inaccurate. For the Conclave of 2005, a Paten and Chalice weren't used. Instead, they used an urn that was specially designed by Archbishop Piero Marini, the Papal Liturgical emcee.

Also, the author could have mentioned that the ballots are all sewn together with a needle and red thread so that the ballot can't accidentally be counted more than once.

J.J. Bustamante • April 22, 2006 1:01 AM

In response to Mr Solworth's posting on 15 April 2005, you are right, these rules aren't actually necessary. But, they are in place not because of distrust for the Cardinals, but because human events often take a weird course. Odd things happen. And history has shown us how some bad people from past times tried to influence the election to go their way. So, even though the Cardinals all know each other, and there are mutual trusting friendships in the Sistine Chapel, for the sake of the faithful we just really have to make sure that no one can steal the election. Trust is there, but we just need to make all of these obsessive regulations to protect the Church. That's all.

But again, you are right -- all of this is unnecessary. Today's College of Cardinals is full of holy and good men, and it's been that way for centuries now. But we just take all of these precautions just in case.

Plus there's one more incentive for having all of these regulations. See, outsiders might allege that the ballots were forged. These outsiders would then claim that the election was invalid. It could potentially cause a huge disaster. That's what the Western Schism was all about.

This can still happen today, and these allegations have happened as recently as the papacy of John XXIII, forty years ago. The allegations of course are totally insane, and thankfully only a handful of people actually believe that, but we need to have the procedures in place so we have justification to show why there cannot be fraud.

So, you can see, it's really what's best for all.

The Catholic Church is 2000 years old. We've seen virtually every possible scenario throughout that time. We learnt from the past that we need to be prepared for the future. The Conclave procedures are nothing more and nothing less than tactful preparation to keep problems away.
