Thursday, December 18, 2008

Cutting Through E-Voting Semantics

The United Kingdom’s government said unequivacobly that UK will not now, nor in the forseeable future, adopt electronic voting. According to today’s story at The Register:

    Michael Wills, a Minister of State at the Ministry of Justice, was asked if the government planned to introduce e-voting before the local and European elections in 2009. He said last week: “The Government do not plan to introduce e-voting for the 2009 European or local elections … The Government have no plans for further e-voting pilots in statutory elections at this stage.”

I did a story about e-voting a few years ago, and found it quite a vexing, exhausting process, because one had to viciously hack through a thicket of semantics to find out what e-voting proponents and e-voting opponents were really arguing about so vociferously.

So I’ll now attempt to save you (and your machete) the effort, and give you the gist of the semantic debate. If you want a much more thorough minutiae-rich account (and you’re a member of the Computer Security Institute) you can read that here.

First off: not all e-voting machines are created equal. “Optical scan” voting machines are technically e-voting machines, but are actually heartily recommended by many people who are often lumped into the category of “e-voting opponents.” What we most often think of as “e-voting machines” are DREs (Direct Recording Electronic machines).

In essence the debate is all about whether or not meaningful audits of the voting machines’ accuracy and integrity can be conducted. Meaningful.

After the polls close, a voting machine spits out a summary report of how many votes were cast for each candidate. There should be a way to verify that a) the machine’s count is accurate (like if 500 voters cast votes for Candidate A, the summary report will actually say that 500 voters cast votes for Candidate A), b) the machine recorded each individual vote accurately, and c) the machine/votes have not been tampered with.

Most e-voting opponents say that the only way to conduct meaningful audits is for the voting system to create a “Voter-Verified Paper Trail” or VVPAT. In a basic DRE system, a voter presses a button (or types in a write-in ballot) to cast their vote, and then the DRE system pops up a little message on the screen saying “You voted for ‘Upstanding Citizen’ for ‘Senate.’ Is that okay?” and then the voter will press either “okay” or “decline.” The voter simply has to trust that when they pressed “Upstanding Citizen” the machine did not record “Evil Mastermind.”

In a DRE-with-VVPAT scenario, the voter doesn’t see the “Is that okay?” thing just on screen. The machine, rather, prints the voter’s votes on a slip of paper, which appears behind a glass window. If the printout has it right, you hit okay, and the slip of paper is then dropped into a secured box.

If for some reason–either because there’s a call for a recount, or because the polling place has been randomly chosen for a manual audit mandated by the state–the votes need to be verified, the human-count of the little slips of paper can be verified against the machine’s count. (And presumably, in the event of an incongruity, the paper count will be considered the official number.)

Here’s where we really get into semantics. Here’s an excerpt I’ve lifted directly from my November 2006 Alert story:

    Some supporters of DREs-without-VVPATs claim–either out of snarkiness or ignorance–that a voter can verify their vote on a regular DRE, because it has an okay/change screen. But this misses the intent of a voter verification mechanism–it is not meant to verify that the voter cast their vote correctly, but that the machine recorded their vote correctly…

    So, technically speaking, a DRE can provide the necessary elements of a recount. The individual votes can be printed from the machine’s internal memory and hand-counted. The DRE even goes one step further, because the votes could also be printed from the removable memory card in case the internal memory was destroyed or corrupted. These devices are encrypted to make them resistant to tampering of stored data.

    However, there is still no way to assure the integrity of any of the data. If some error or fraud happened between the time that a voter cast their vote and the time the vote was stored, then a recount would simply retabulate the same erroneous or fraudulent data.

    Some say a VVPAT (or other form of voter verification) captures the intent of the voter, but once again, this isn’t exactly true. Paper doesn’t magically divine a voter’s will. If it did, there wouldn’t be questions like “Does this dimpled chad indicate a vote for this candidate or that the voter abstained from casting a vote in that race?” “If the voter filled in equally dark circles for two candidates in the same race, which one did they actually want?”

    What a VVPAT does capture is what vote the voter actually cast. If the voter leans on the keyboard, types in “”Aa;KJF” for governor and clicks “OK” it’s their error, not the machine’s, so it’s still a valid vote.

As Avi Rubin, author of Brave New Ballot, told the Associated Press in 2006, “The problem is not that elections have been rigged, necessarily; it’s that you can’t say for sure that they weren’t.”

Sara Peters, senior editor at the Computer Security Institute, is a well-rounded geek-at-large with particular enthusiasm for Web 2.0 security, Web vulnerability disclosure law, virtualization, and cartoons about ninjas.

Designed By Seo Blogger Templates