Hacking the Papal Election

As the College of Cardinals prepares to elect a new pope, security people like me wonder about the process. How does it work, and just how hard would it be to hack the vote?

The rules for papal elections are steeped in tradition. John Paul II last codified them in 1996, and Benedict XVI left the rules largely untouched. The "Universi Dominici Gregis on the Vacancy of the Apostolic See and the Election of the Roman Pontiff" is surprisingly detailed.

Every cardinal younger than 80 is eligible to vote. We expect 117 to be voting. The election takes place in the Sistine Chapel, directed by the church chamberlain. The ballot is entirely paper-based, and all ballot counting is done by hand. Votes are secret, but everything else is open.

First, there's the "pre-scrutiny" phase.

"At least two or three" paper ballots are given to each cardinal, presumably so that a cardinal has extras in case he makes a mistake. Then nine election officials are randomly selected from the cardinals: three "scrutineers" who count the votes; three "revisers" who verify the results of the scrutineers; and three "infirmarii" who collect the votes from those too sick to be in the chapel. Different sets of officials are chosen randomly for each ballot.

Each cardinal, including the nine officials, writes his selection for pope on a rectangular ballot paper "as far as possible in handwriting that cannot be identified as his." He then folds the paper lengthwise and holds it aloft for everyone to see.

When everyone has written his vote, the "scrutiny" phase of the election begins. The cardinals proceed to the altar one by one. On the altar is a large chalice with a paten -- the shallow metal plate used to hold communion wafers during Mass -- resting on top of it. Each cardinal places his folded ballot on the paten. Then he picks up the paten and slides his ballot into the chalice.

If a cardinal cannot walk to the altar, one of the scrutineers -- in full view of everyone -- does this for him.

If any cardinals are too sick to be in the chapel, the scrutineers give the infirmarii a locked empty box with a slot, and the three infirmarii together collect those votes. If a cardinal is too sick to write, he asks one of the infirmarii to do it for him. The box is opened, and the ballots are placed onto the paten and into the chalice, one at a time.

When all the ballots are in the chalice, the first scrutineer shakes it several times to mix them. Then the third scrutineer transfers the ballots, one by one, from one chalice to another, counting them in the process. If the total number of ballots is not correct, the ballots are burned and everyone votes again.

To count the votes, each ballot is opened, and the vote is read by each scrutineer in turn, the third one aloud. Each scrutineer writes the vote on a tally sheet. This is all done in full view of the cardinals.

The total number of votes cast for each person is written on a separate sheet of paper. Ballots with more than one name (overvotes) are void, and I assume the same is true for ballots with no name written on them (undervotes). Illegible or ambiguous ballots are much more likely, and I presume they are discarded as well.

Then there's the "post-scrutiny" phase. The scrutineers tally the votes and determine whether there's a winner. We're not done yet, though.

The revisers verify the entire process: ballots, tallies, everything. And then the ballots are burned. That's where the smoke comes from: white if a pope has been elected, black if not -- the black smoke is created by adding water or a special chemical to the ballots.

Being elected pope requires a two-thirds plus one vote majority. This is where Pope Benedict made a change. Traditionally a two-thirds majority had been required for election. Pope John Paul II changed the rules so that after roughly 12 days of fruitless votes, a simple majority was enough to elect a pope. Benedict reversed this rule.

How hard would this be to hack?

First, the system is entirely manual, making it immune to the sorts of technological attacks that make modern voting systems so risky.

Second, the small group of voters -- all of whom know each other -- makes it impossible for an outsider to affect the voting in any way. The chapel is cleared and locked before voting. No one is going to dress up as a cardinal and sneak into the Sistine Chapel. In short, the voter verification process is about as good as you're ever going to find.

A cardinal can't stuff ballots when he votes. The complicated paten-and-chalice ritual ensures that each cardinal votes once -- his ballot is visible -- and also keeps his hand out of the chalice holding the other votes. Not that they haven't thought about this: The cardinals are in "choir dress" during the voting, which has translucent lace sleeves under a short red cape, making sleight-of-hand tricks much harder. Additionally, the total would be wrong.

The rules anticipate this in another way: "If during the opening of the ballots the scrutineers should discover two ballots folded in such a way that they appear to have been completed by one elector, if these ballots bear the same name, they are counted as one vote; if however they bear two different names, neither vote will be valid; however, in neither of the two cases is the voting session annulled." This surprises me, as if it seems more likely to happen by accident and result in two cardinals' votes not being counted.

Ballots from previous votes are burned, which makes it harder to use one to stuff the ballot box. But there's one wrinkle: "If however a second vote is to take place immediately, the ballots from the first vote will be burned only at the end, together with those from the second vote." I assume that's done so there's only one plume of smoke for the two elections, but it would be more secure to burn each set of ballots before the next round of voting.

The scrutineers are in the best position to modify votes, but it's difficult. The counting is conducted in public, and there are multiple people checking every step. It'd be possible for the first scrutineer, if he were good at sleight of hand, to swap one ballot paper for another before recording it. Or for the third scrutineer to swap ballots during the counting process. Making the ballots large would make these attacks harder. So would controlling the blank ballots better, and only distributing one to each cardinal per vote. Presumably cardinals change their mind more often during the voting process, so distributing extra blank ballots makes sense.

There's so much checking and rechecking that it's just not possible for a scrutineer to misrecord the votes. And since they're chosen randomly for each ballot, the probability of a cabal being selected is extremely low. More interesting would be to try to attack the system of selecting scrutineers, which isn't well-defined in the document. Influencing the selection of scrutineers and revisers seems a necessary first step toward influencing the election.

If there's a weak step, it's the counting of the ballots.

There's no real reason to do a precount, and it gives the scrutineer doing the transfer a chance to swap legitimate ballots with others he previously stuffed up his sleeve. Shaking the chalice to randomize the ballots is smart, but putting the ballots in a wire cage and spinning it around would be more secure -- albeit less reverent.

I would also add some kind of white-glove treatment to prevent a scrutineer from hiding a pencil lead or pen tip under his fingernails. Although the requirement to write out the candidate's name in full provides some resistance against this sort of attack.

Probably the biggest risk is complacency. What might seem beautiful in its tradition and ritual during the first ballot could easily become cumbersome and annoying after the twentieth ballot, and there will be a temptation to cut corners to save time. If the Cardinals do that, the election process becomes more vulnerable.

A 1996 change in the process lets the cardinals go back and forth from the chapel to their dorm rooms, instead of being locked in the chapel the whole time, as was done previously. This makes the process slightly less secure but a lot more comfortable.

Of course, one of the infirmarii could do what he wanted when transcribing the vote of an infirm cardinal. There's no way to prevent that. If the infirm cardinal were concerned about that but not privacy, he could ask all three infirmarii to witness the ballot.

There are also enormous social -- religious, actually -- disincentives to hacking the vote. The election takes place in a chapel and at an altar. The cardinals swear an oath as they are casting their ballot -- further discouragement. The chalice and paten are the implements used to celebrate the Eucharist, the holiest act of the Catholic Church. And the scrutineers are explicitly exhorted not to form any sort of cabal or make any plans to sway the election, under pain of excommunication.

The other major security risk in the process is eavesdropping from the outside world. The election is supposed to be a completely closed process, with nothing communicated to the world except a winner. In today's high-tech world, this is very difficult. The rules explicitly state that the chapel is to be checked for recording and transmission devices "with the help of trustworthy individuals of proven technical ability." That was a lot easier in 2005 than it will be in 2013.

What are the lessons here?

First, open systems conducted within a known group make voting fraud much harder. Every step of the election process is observed by everyone, and everyone knows everyone, which makes it harder for someone to get away with anything.

Second, small and simple elections are easier to secure. This kind of process works to elect a pope or a club president, but quickly becomes unwieldy for a large-scale election. The only way manual systems could work for a larger group would be through a pyramid-like mechanism, with small groups reporting their manually obtained results up the chain to more central tabulating authorities.

And third: When an election process is left to develop over the course of a couple of thousand years, you end up with something surprisingly good.

This essay previously appeared on CNN.com, and is an update of an essay I wrote for the previous papal election in 2005.

Posted on February 22, 2013 at 11:12 AM • 52 Comments

Comments

MarkHFebruary 22, 2013 11:29 AM

Just by chance, I saw two days ago the 1968 movie "The Shoes of the Fisherman," which portrays parts of the elaborate ritual of papal election in some detail -- so it was extra interesting for me to read about the rules.

For example, when watching the movie, I wasn't thinking about placing the ballot on the paten as a security measure :)

I certainly agree with Bruce's conclusion -- the thorough security built into the process no doubt stems from many bitter experiences of how tampering can be carried out.

Ross PattersonFebruary 22, 2013 11:49 AM

Shaking the chalice to randomize the ballots is smart, but putting the ballots in a wire cage and spinning it around would be more secure -- albeit less reverent.

Must ... not ... make ... BINGO ... joke.

Mike EFebruary 22, 2013 12:00 PM

I like the idea of attacking the scrutineer selection. It seems to me that the third scrutineer is especially well placed to effect things - couldn't he just fairly easily stuff one ballot in another while counting, forcing the count to be off, and thereby cause endless re-votes until the count is going the way they like? If you can influence the selection of this position, you might have an avenue.

This also reminded me of this HP White Paper analyzing the convoluted procedure for electing the Doge in Venice, and how it could be adapted for server elections.

wumpusFebruary 22, 2013 12:20 PM

The randomly selected roles for each cardinal is probably the strongest part that I can see. It would take a fairly large faction to assume they could get one of their own into the needed slot (scrutineers look best) and then each would have to be trained to pull off the caper. I don't know what it takes to teach stage magic to 70 year old cardinals and get them to do it under pressure, but I think the system is pretty safe.

Oddly enough, my introduction to "movie plot threats" was my old civics teacher saying that if the Mafia kidnapped the families of the electoral college, it would make a great movie.

@Ross Patterson:

And the ghostly figure cried out "A-8" and thus spake:


"do this in remembrance of me."
"I thought we were supposed to do the bread and wine in remembrance of you."
"not all are ready for the deeper mysteries, and they need something for their level. You, Mark, stop writing this down. This is one of the secret teachings"

Then someone shouted "BINGO" and I fled.

- badly remembered from one of the Robert Anton Wilson Illuminati books.

Karl SFebruary 22, 2013 12:58 PM

Where are the paper and pens sourced from, and what scrutiny/protection do they receive? Imagine writing the names in advance on all ballots, in an ink that only becomes visible after exposure to some gas. Then providing pens that write in ink only visible until exposure to that gas. Then, the person performing the initial count exposes each ballot to the gas somehow. Heavier than air gas could be placed in the paten with each ballot, then slid into the container on each ballot deposit.

I'm no chemical engineer, so I can't comment on the feasibility of this proposal.

Carlo GrazianiFebruary 22, 2013 1:47 PM

You left out the method actually used by Pope Benny to get elected in the first place: Run the Congregation on Doctrine and Faith for a quarter-century or so, and stack the College of Cardinals in your favor by turning it into a Politburo of yes-men. Then win the Papacy on the fourth ballot. Much more efficient that way.

IkFebruary 22, 2013 1:53 PM

Not the same kind of method or the same goal, but the easiest 'attack' on the procedure sounds like tainting the ballots/fire materials beforehand so that they always burn black.

ZG February 22, 2013 1:56 PM

The best attack is outside the actual voting system, coercing the voters in various and sundry ways as mentioned above.

MarkHFebruary 22, 2013 2:36 PM

@Ross Patterson:

Already been done ... back in 1978, in the election of John Paul (that guy from Poland), there was TV news coverage with a camera high up in the chapel where the vote is taken (a first for television, I guess).

It was awesomely dull -- the ancient cardinals, mostly sitting like statues, with perhaps a few small groups in conversation (I don't recall there being any microphone). After my brother and I beheld this spectacle for a couple of minutes, he provided a soundtrack by yelling "BINGO!"

DavidTCFebruary 22, 2013 2:42 PM

Discarding any paper ballots folded together if different, or having it as one vote if the same, is not that odd. IIRC, it's exactly the same rule as prescribed in Roberts' Rules of Order. In fact, I might go track down my copy of that and compare the two processes, because a lot of it sounds familiar.

It does actually seem like it would be easiest to just know how many people voted and work off that. If you don't get _exactly_ the right amount of papers in total, revote.

CaptainBananasFebruary 22, 2013 3:06 PM

"There are also enormous social -- religious, actually -- disincentives to hacking the vote."

That statement is contradicted not only by historical record, but inductively when you look at the evolution of the system's security protocol. If the social disincentives were truly "enormous," this article's descriptive section would be much shorter.

BilateralropeFebruary 22, 2013 3:13 PM

>Not the same kind of method or the same goal, but the easiest 'attack' on the procedure sounds like tainting the ballots/fire materials beforehand so that they always burn black.

Tainting the ballots so they always burn black does seem like an easy step. However it also seems like a pointless step when the color of the smoke is only there to tell the outside world that the election is done.

Also, the instant they cardinals start burning the final ballots, they will see the smoke being the wrong color so they will know something has gone wrong.

I can only see that attack doing two things:
- Trapping the cardinals inside. But only if they have no way to open the doors from inside or communicate with the outside world. But they are communicating via smoke, should the smoke come out at the wrong time, or not come out when it should, someone will open the door to ask why.
- Convincing the cardinals that god disapproves of their current selection. Difficult if you are trying to get someone specific elected as you'd have to somehow get untainted ballots in when they vote for your guy. It's only good as a general attack to hurt them.

John PentaFebruary 22, 2013 3:29 PM

The other major security risk in the process is eavesdropping from the outside world. The election is supposed to be a completely closed process, with nothing communicated to the world except a winner. In today's high-tech world, this is very difficult. The rules explicitly state that the chapel is to be checked for recording and transmission devices "with the help of trustworthy individuals of proven technical ability." That was a lot easier in 2005 than it will be in 2013.

Actually? Maybe not so hard. Reasons:

1. Everybody involved with the process is Catholic. (Naturally.) Everybody who might possibly be in a position to do that is threatened with automatic excommunication should they do anything like that. A fairly significant socio-religious disincentive, especially when many of the personnel (including, I suspect, the sweepers for surveillance devices) live in Vatican-provided quarters (The Holy See owns several apartment buildings for clerical and lay employees - all Vatican territory and all monitored closely), and if they lose the job, they lose those quarters. Adds at least something of an economic disincentive, too, as housing in Rome is extremely expensive.

2. The counter-surveillance teams have essentially unlimited time to do the job between when the sede vacante ("vacant see") begins and when the conclave begins, and after the conclave begins, the task becomes much simpler indeed.

3. Besides the Cardinals, there are actually very few people who are allowed access to the conclave. My math says maybe 20 to 30 people.

lance hassanFebruary 22, 2013 4:52 PM

@ZG...given the rumored reasons for the retirement this might already be in motion...

DerpmasterFebruary 22, 2013 5:19 PM

I've always assumed that the next pope is pre agreed upon, and the election is a big sham with all cardinals voting for the same guy. I just don't see them leaving the position of running the entire worldwide church and it's billions, if not trillions in land value and non taxable income up to random democracy. Not like you can vote out the pope later if he doesn't work out.

KephasFebruary 22, 2013 5:35 PM

To the secular world voter fraud does appear to be a big concern, and it is very various reasons in the Church. However, the faithful also believe that God plays the key role in the selection of the next Pope and will protect the Office of Bishop of Rome from destroying the Church ("The gates of Hell will not prevail [against the Church].")

The Catholic Church is the longest running human formal *institution*...ever. Man, by himself has shown his inability to create such an institution and have it not fail (no longer exist) for reasons of corruption outside of the Church. Only the Catholic Church can claim such a long standing existence.

For this reason the faithful see God at work keeping His promise to the Church, and have no reason to worry lest their faith in God has weakened.

Again though, there are many reasons to secure the vote to keep the sin of suspicion and scandal minimized.

jimFebruary 22, 2013 6:14 PM

@KTC: yes, as Bruce himself points out in the final paragraph.

@Michael Brady: unfortunately, John Paul II abolished election by acclamation, and Benedict XVI didn't reinstate it. I do think, though, that Bruce should offer his services as a "trustworthy individual of proven technical ability". Since he surely is, and it would benefit all concerned.

mitch wrightFebruary 22, 2013 7:34 PM

While not a direct influence, the first scrutineer, could, with slight of hand and an extra ballot make the count off invalidating the vote. He could do so until the candidate he wants looks to be the clear winner.

BearFebruary 22, 2013 8:05 PM

Well... I don't want to give away anything in advance, but when you hear that the new pontiff is Pope Ursus the First, remember you heard it here.

Expect a doctrinal shift emphasizing the miraculous transformation of water into wine.

Lots of wine.

gFebruary 22, 2013 8:14 PM

"Presumably cardinals change their mind more often during the voting process, so distributing extra blank ballots makes sense."

Extra blank ballots could be an attempt to prevent vote buying or coercion. If you have only one ballot blank then it's easier for the buyer / coercer to force you vote for the desired candidate. If you have multiple ballot blanks then it's easier for you to show one ballot to the buyer / coercer and place a different ballot in the box.

MagicFebruary 22, 2013 8:15 PM


I would attack:

- the ballot box itself, unless it were totally transparent.

I'm betting the boxes aren't under very good security before the election, or during manufacturing, and any cardinal probably has access to it. Even better if they are special 'ceremonial' boxes they use for every election, then you can get at them and switch them yourself after taking months or years to develop your attack box. A malicious cardinal, or scrutineer (or both) could adjust the box in some way to trap the real ballots, and dump the stuffed ballots. Plant say 5-10 stuffed ballots in the fake wall of the box, then the bottom of the box opens and is on a timer or senses that ballots have been dropped somehow then closes the fake bottom, drops the stuffed ballots and proceeds with normal election. Or design it to be activated by remote.

- the scrutineer position by using common card tricks and slight of hand as you unfold the votes to switch them with stuffed ballots. After checking the choir dress, it would be easy to use for smuggling in ballots. I bet the scrutineers are pat down and searched but nobody touches the cardinals. A cardinal could pass off the fake ballots to the scrutineer(s) he's in cahoots with to rig the election after they are security checked and using slight of hand pass the rigged folded ballots afterwards. Then the scrutineer swaps real ballots for fake one's, using literally magic 101 card tricks you can buy online where magicians teach you to open up folded cards or envelopes and switch them with your card or whatever before exposing them to the crowd and voila zomg it's different. Since magicians usually do this in front of a group of people, in public, who are all watching their hands closely and still fool them don't see how ballots would be any different in a room full of cardinals watching, unless they were gigantic ballots.

- the ballot box paper or ballots. Find where they are kept before hand, and swap them with your own prop ballots, so you can somehow unfold them to your own choice using slight of hand and hide the original vote. Maybe you can somehow peel back the top paper layer into a thin roll while flattening out the ballot, revealing your stuffed vote. These kinds of props already exist.

- the cardinals through social engineering. Meet with each one privately and lie to their face that you will implement their wishes if they make you pope, then after winning do it, or don't do it. What can they do, nothing you're the pope for life and there's the true flaw in the system.

VanceFebruary 23, 2013 12:44 AM

@DavidTC

Not exactly the same procedure as Robert's Rules: "If in unfolding the ballots it is found that two or more filled-out ballots are folded together, they are recorded as illegal votes - that is, each set of ballots folded together is reported as one illegal vote on each question, and is not credited. On the other hand, a blank ballot folded in with one that is properly filled out is ignored, but it does not cause rejection of the ballot with which it was folded." Robert's Rules of Order Newly Revised, 10th edition, p. 401.

Vatican RagFebruary 23, 2013 3:33 AM

Or the Church could become irrelevant, and then it wouldn't matter.

"The election takes place in a chapel and at an altar. The cardinals swear an oath as they are casting their ballot..."

Yes, no one ordained by the Catholic Church has ever violated his oath of office, certainly not in a chapel or at an altar. Nor has any higher authority ever covered up any such violation.


@ Kephas:

The history of humanity suggests that this longevity indicates that the Catholic Church has been the most brutal institution of mankind, and for the longest time. The history of the Church proves this to be true, from murders resulting from the Arian Controversy (cf. Gibbon's classic on the fall of the Roman Empire) to the Spanish Inquisition, etc., ad nauseam.

EricaFebruary 23, 2013 6:31 AM

Bribes, sexual favors, even cardinals have a price.

If you can't game the system, own the electorate.

Ollie JonesFebruary 23, 2013 3:52 PM

I have participated in two similarly run elections of bishops. In my case these were synodical (district) Lutheran bishops in the USA. Our electors are delegates to a synod assembly. We don't use chalices or patens, and we're clearly a lot less diligent with the tracking of blank ballots than our brothers who elect the Bishop of Rome. And we don't burn any paper, we recycle it after each count is certified.

We do write our choice's full name on a slip of paper and fold it the way Bruce described. We do have two of teams of counters, who are, like the electors themselves, partly clergy people and partly lay delegates elected by congregations. Ballots that are illegible, or ambiguous are called "spoiled."

The ballots are secret. Assembly delegates are just that: they're not representatives. They're elected not to do the bidding of their congregations, but follow their consciences and the Holy Spirit.

What keeps these elections from being stolen? Trust, honesty, and transparency. Anybody may observe the counters. Bruce is right that there are powerful social and religious incentives to maintaining the integrity of the process.The idea that somebody might try to steal a synodical election is a little amusing.

And, honestly, the material stakes are just a bit lower than they are when choosing the next Bishop of Rome.

joequantFebruary 24, 2013 1:20 AM

I think the biggest deterrent against hacking the ballot boxes is that the people involved happen to believe that God will make them suffer eternal damnation and hell fire if they do it.

If you have enough cardinals that *don't* believe that they will suffer eternal damnation by stuffing ballot boxes then the Catholic church has more to worry about than ballot boxes (and I think there were periods in Catholic history when this was the situation.)


Henry Corrigan-GibbsFebruary 24, 2013 11:44 AM

You mention in the post that the handling of folded ballots (e..g, one ballot folded inside another) surprises you:


The rules anticipate this in another way: "If during the opening of the ballots the scrutineers should discover two ballots folded in such a way that they appear to have been completed by one elector, if these ballots bear the same name, they are counted as one vote; if however they bear two different names, neither vote will be valid; however, in neither of the two cases is the voting session annulled." This surprises me, as if it seems more likely to happen by accident and result in two cardinals' votes not being counted.

If folded ballots annulled the vote, any cardinal could unilaterally and anonymously disrupt the vote forever. A cardinal could simply submit a folded ballot in every round of voting, which would force a new round of voting. A cardinal could repeat this process many times, thereby stalling the voting process indefinitely. I imagine that it is for this reason that the cardinals do not annul the vote when they find folded ballots.

A quick fix to the folded ballot problem would be to weigh every ballot (to make sure it's not a pair of folded ballots) before it's put in the chalice.

Peter A.February 25, 2013 3:43 AM

@magic:

There's no box it's a ceremonial chalice that's normally used during the Eucharist. Look up some photos. I don't see any way to contrive a fake one that will have some double bottom or side, that wouldn't be immediately evident by looking into it, especially if the chalice was previously seen or even handled personally many times before by many of the cardinals present.

Also there's simple no place in the structure to trap the true ballots within, especially since they are small pieces of folded paper simply free-falling into the chalice by gravity. Drop some folded pieces of paper into a bowl or cup and see how much volume they occupy.

JFebruary 25, 2013 4:22 AM

There's another avenue of attack that I haven't seen anyone mention yet.

They claim the doors to the chapel are closed and locked after a 'clearing'. Presumably, after 1500 years, they're pretty good at chasing down the hiding places therein, but getting in afterwards is an attack vector (especially when the people who get in are carrying firearms...)

J.

ChrisJFebruary 25, 2013 9:42 AM

I thought that they use the needle and thread to pierce each ballot as it is counted...

M WelinderFebruary 25, 2013 10:54 AM

I can think of a technical attack, just on the edge of being feasible.

If you can control the paper somehow to make the writing disappear at will, you have an attack vector. A trigger chemical could be supplied on one of the ballots making the disappearance happen in the ballot box.

SDGFebruary 25, 2013 12:14 PM

Carlo Graziani:

1. The CDF doesn't appoint Cardinals. The pope does.

2. Not only did Ratzinger never want to be pope, he didn't even want to be Prefect of the CDF. He submitted his resignation at least four times, but JP2 kept rejecting it.

Tony H.February 25, 2013 3:55 PM

"This kind of process works to elect a pope or a club president, but quickly becomes unwieldy for a large-scale election. The only way manual systems could work for a larger group would be through a pyramid-like mechanism, with small groups reporting their manually obtained results up the chain to more central tabulating authorities."

Which is pretty much exactly the way national and regional/local elections work today in many countries e.g. Canada, the UK, etc. In most elections, we are voting for exactly one position from a list of perhaps ten candidates. The US has problems because of the large number of positions/propositions on a typical ballot.

Of course we don't burn the ballots until all possibilities of a recount are exhausted...

Blaise PascalFebruary 25, 2013 5:10 PM

A cabal of 40 Cardinals could steal a papal election. It would take some time, perhaps, but it could be done.

Say 40 Cardinals (out of the expected 117) wanted to elect Cardinal Bob as Pope. They would proceed as follows:

1. Always vote for Cardinal Bob, on every balloting. Because all 40 are voting for Cardinal Bob, no other candidate can get the 2/3 vote necessary to win. (this does not violate their oath, since they are voting for whom they think is best, anyway)

2. Wait until all the Scrutineers and Revisers are chosen from the cabal. This may take a while, since it should happen on average once a year or so (two selections/day for 365 days is 730 selections, and there's a 1/729 chance all six will be from the cabal).

3. Once all the scrutineers and revisers are from the cabal, the scrutineers proceed as follows: Upon the first time a candidates name is found on a ballot, record that candidates name on all three scrutineers lists, as well as announce that candidates name. Upon all subsequent appearances of a candidates name on a ballot, record and announce Cardinal Bob.

At the end of this step, all three scrutineers' lists will be identical, and the lists made by any witnessing elector will match. All electors will also have heard their choice announced, and cannot declare fraud based on his candidate being missing.

4. The cabal Revisers examine the ballots and the scrutineers notes, verifying that the Scrutineers have followed the procedure in step 3 and not the normal, legal, procedure.

5. Once the Revisors confirm the election of Cardinal Bob as Pope, the ballots and all notes are burned, so no evidence remains to gainsay the election.

Of course, once could claim that once one has 40 backers willing to wait a year for you to get elected, it's hardly stealing the election anymore.

Richard BraakmanFebruary 26, 2013 3:24 AM

@g:

"Extra blank ballots could be an attempt to prevent vote buying or coercion."

That's an excellent point, and it also explains one thing that was puzzling me: why "two or three" blank ballots? Why is the exact amount not specified? The vagueness here is another defense against coercion. If the coercer demands to see three ballots all filled in for the desired candidate, the cardinal can say "sorry, I only got two".

This does assume that the number of ballots is somehow randomized per cardinal.

XxBodyThiefxXMarch 1, 2013 2:35 PM

Why bother rigging the vote part of the Papal election, when there's lobbying already in the backstage...? Or would it be too damning to think that such low, base behavior could NOT happen in the Vatican, during a Papal Conclave...? Why bother rigging a VERY elaborate election, when you can rig the VOTERS instead...?

EsamMarch 1, 2013 3:20 PM

The process seems quite secure. As mentioned in the article, the biggest security measure is the small number of cardinals.

I wonder if a similar article can be written analyzing the vote for the Egyptian Orthodox Pope. They basically narrow down the choice to three candidates, and then a blindfolded child picks a name. It seems like that would be much easier to hack.

JackMarch 3, 2013 6:52 PM

Another important aspect not mentioned is "who runs the voting". The entire Papal transition is run by the Vatican's civil engineering/groundskeepers/etc. organization on the presumption that they are a neutral party.

R.C.March 10, 2013 8:18 PM

One very strong disincentive for a man to try to dishonestly arrange for his own election to the Papacy through ballot fraud or something similar -- presumably with the purpose of changing the teachings of the Church in a direction more to his own liking -- is the sheer reality of what that office is and does, and the limitations God puts on it.

People don't often seem to follow the logic of Papal infallibility. The idea is that God will arrange it so that the Pope will never, when teaching ex cathedra on a matter of faith and morals to be held by everyone throughout the Church universal, teach a falsehood.

(A pretty limited guarantee, actually: The bare minimum required to make Magisterial teaching reliable over centuries.)

Anyway, "God will arrange it so that...." Arrange how?

Well, it seems pretty clear that if prompting from the Holy Spirit is insufficient, and a Pope is on the verge of teaching an error ex cathedra, God will simply arrange that he doesn't live long enough to do it.

Yes, that's right folks: Arrange a corrupt election, get yourself a seat on the chair of St. Peter, get ready to proclaim the innovation in teaching for which you engineered the whole thing, and BAM, get an interview with St. Peter himself.

RigMarch 13, 2013 4:49 PM

Who knowns whether Jean-Louis Tauran named the elected cardinal ? He could have named any cardinal, and the cardinals would have likely backed down that name for sake of church cohesion.

A cardinal with only relative majority could have forced his way by releasing white smoke (with an accomplice driving a small special drone) before end of next vote. The cardinal would have then likely settled to the decision of covering up, naming that cardinal, instead of deceiving the public with incredible excuses.

RichMarch 15, 2013 9:06 AM

Rather than hacking the vote, how about leaking the votes? Could the smoke signal be pulsed to encode an Id/and count for each cardinal, without being obvious? -- "smoke steganography"

JR BatsonMarch 17, 2013 4:53 PM

A physical attack on the chapel would be a suicide move. The Swiss Guard are ranked among the world's elite forces, and are heavily armed and well-trained to respond to such an attempt. Not to mention the sheer number of Italian local and state law enforcement personnel present. Add in the huge crowds of worshippers and you would be dead before you got to the doors.

How large an army would you need and how many would you be prepared to lose?

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..