E-voting security: looking good on paper?

Voter receipt more 'security blanket' than 'security measure'


A couple of weeks ago, the US League of Women Voters incurred the wrath of touch-screen ballot skeptics by indicating its acceptance of DRE (Direct Recording Electronic) ballot machines with no voter-verifiable paper trail.

On 14 June, following several days of bad press, the League revised its position and adopted a resolution saying that the machines should in fact be capable of printing out a summary of votes cast, as a protective measure against tampering and malfunctions. The decision was received with great praise from DRE skeptics.

Judging by the warm response, one might be tempted to think that the paper receipt is a security measure that will make e-voting safer from manipulation and fraud. Unfortunately, this is not the case, though it is widely believed.

Security illusion

The voter's paper receipt has become the security idée fixe of DRE skeptics, and a shibboleth identifying those who are on the 'right' side of the debate. This is because the paper trail is a concept easily understood and conveniently communicated. It also likely derives much appeal from the fact that it involves an object that one can hold in one's hand and examine, unlike the results of a strictly electronic process.

But it's far more security blanket than security measure. At the moment, there is so much wrong with DRE security that the paper record has become a harmful distraction.

Many things can go awry with a complex system like DRE, and a machine that spits out paper records can be every bit as insecure and prone to tampering as one that doesn't. But the piece of paper creates an illusion of enhanced security, which is why so many people insist on it. People imagine that, so long as the printout matches their recollection of votes cast, it's proof that the DRE machine is recording their votes properly. In fact, it's no such thing. It's proof only that the printer is recording their votes accurately.

There is no logical reason for a voter to assume that the printout in his hand, and the electronic tabulation in the machine, are the same. Numerous types of attack could produce an accurate record of voter choice on paper, yet still tweak the electronic results. And if the two results should differ, there is no way for the voter to know it. The receipt has no immediate diagnostic value. It can only tell a voter whether the data sent to the printer is the same data he recalls entering at the touch screen. The machine could well be rigged for a miscount, only with voter choices printed accurately. This sort of discrepancy would not be discovered until the electronic results are tabulated, by which time the damage will have been done.

Recounting what, exactly?

The only useful purpose of the paper trail would be to enable a recount using a different medium when there is reason to suspect the electronic results. However, for the printouts to be of any value in a recount, voters would have to review them carefully and note any discrepancies before the receipts are collected. Many ballots are long and confusing, so it is hardly guaranteed that even a majority of voters would bother to scrutinize theirs. And there may be numerous false alarms from people who, after confronting myriad races and referendums, forget one or two of the votes they cast and imagine a discrepancy where none exists, creating considerable alarm and delay.

On the other hand, if voters neglect to examine their receipts carefully before submitting them, they're worthless - there's no basis for trusting them more than any other result. A paper recount where perhaps thirty per cent of voters have actually bothered to verify their ballots is hardly the basis for confidence.
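The divergence described above, between what the printer emits and what the machine stores, and the later point that only a post-election comparison of retained paper against the electronic count can expose it, can be made concrete with a small simulation. This is an added example, not code from the article or from any real voting system: the ballot layout, the voter intentions and the "flip one in five" rigging rule are all constructed, and the class and function names are hypothetical.

```python
"""Simulation of a rigged DRE terminal: honest printer, dishonest tally.

Constructed example. The terminal prints every voter's real choices, so
per-voter receipt checks pass, while silently altering a fraction of the
electronic cast-vote records for one race.
"""
from collections import Counter
from dataclasses import dataclass, field

# Constructed ballot layout: two races, two options each.
RACES = {
    "governor": ("Alpha", "Beta"),
    "prop_7": ("Yes", "No"),
}

# Constructed voter intentions: 20 voters, 16 for Beta and 4 for Alpha.
VOTERS = [
    {"governor": "Alpha" if i % 5 == 0 else "Beta",
     "prop_7": "Yes" if i % 2 else "No"}
    for i in range(20)
]


@dataclass
class RiggedDRE:
    """One terminal. The printer path and the storage path are separate,
    which is exactly the gap a receipt check cannot close."""
    rig_race: str = "governor"
    rig_from: str = "Beta"      # the candidate whose votes get stolen
    rig_to: str = "Alpha"       # the candidate who receives them
    rig_every: int = 5          # flip one in five of the targeted votes
    _seen: int = 0
    paper: list = field(default_factory=list)       # what the printer emitted
    electronic: list = field(default_factory=list)  # what memory stores

    def cast(self, choices: dict) -> dict:
        """Take the touch-screen selections, print a receipt, store a record."""
        receipt = dict(choices)   # the printer always gets the real choices
        stored = dict(choices)
        if choices.get(self.rig_race) == self.rig_from:
            self._seen += 1
            if self._seen % self.rig_every == 0:
                stored[self.rig_race] = self.rig_to   # memory gets a flipped vote
        self.paper.append(receipt)
        self.electronic.append(stored)
        return receipt


def voter_verifies(receipt: dict, intended: dict) -> bool:
    """All a voter can do at the terminal: compare the printout to memory."""
    return receipt == intended


def tally(records: list, race: str) -> Counter:
    return Counter(r[race] for r in records)


def audit(paper: list, electronic: list, race: str) -> list:
    """Compare the two media record by record. Only possible after the
    election, and only if the paper is actually retained and recounted."""
    return [i for i, (p, e) in enumerate(zip(paper, electronic))
            if p[race] != e[race]]


def run_election(voters: list = VOTERS, race: str = "governor") -> dict:
    dre = RiggedDRE()
    receipt_mismatches = 0
    for intended in voters:
        if not voter_verifies(dre.cast(intended), intended):
            receipt_mismatches += 1
    return {
        "receipt_mismatches": receipt_mismatches,   # what voters can see
        "paper": tally(dre.paper, race),
        "electronic": tally(dre.electronic, race),
        "audit_mismatches": audit(dre.paper, dre.electronic, race),
    }


if __name__ == "__main__":
    result = run_election()
    print("receipts that failed voter verification:", result["receipt_mismatches"])
    print("paper tally:     ", dict(result["paper"]))
    print("electronic tally:", dict(result["electronic"]))
    print("records where paper and memory disagree:", result["audit_mismatches"])
```

Every voter's receipt passes verification, yet the electronic tally moves three votes from Beta to Alpha; the `audit` step is what catches it, and it needs both the retained paper and a rule that the paper is compared against the electronic record.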

Furthermore, there is no guarantee that the paper record will be the one recounted. Many jurisdictions require that a recount be performed in the same manner as the original election, which, unless the law specifies otherwise, might mean simply reading the machine's memory or storage devices again. If local regulations don't require that the paper printouts be recounted, there is little reason to collect them - except to create an illusion of security.

And if, during a recount, some discrepancy between the electronic and paper results should emerge, the paper record would have to be paramount according to law to be of any use. Otherwise, there will only be confusion. But as we noted, unless voters are scrupulous about reviewing the printouts, there is no logical reason why they ought to be paramount. In fact, they probably should not be.

The hanging chads of Florida

The printout will become a burden on everyone concerned, including voters, because in order to be valid for a recount, the paper receipt would have to be free from marks and corrections. This is necessary to avoid the difficulties with interpreting voter intent that the infamous hanging chads of Florida presented. With paper ballots, observer bias is a significant factor in determining voter intent. When confronting ambiguous results, such as pregnant chads and overvoting, Republican observers tend to conclude that the Republican candidate was chosen, and Democrats tend to believe that a Democrat was chosen. DRE terminals are designed to clarify voter intent, and, in theory, they can do this very well.

However, if the paper receipt is to be used in a recount, it would be necessary for each voter to review it before the next voter would be allowed to use the terminal. Thus, if there are discrepancies, the voter's results could be cleared from the terminal, and they would have another go. This would be necessary so that, in the end, the voter can submit a 'clean' receipt: one free of marks and corrections, to avoid a re-run of the chad debacle. A security protocol would have to be devised to ensure that the disputed receipt is disposed of properly and the voter-approved one substituted, without breaching voter privacy.

Furthermore, if it were possible for one person to clear any result from a DRE terminal, this would be a monumental security hole in itself. Thus it would be necessary for two election supervisors (preferably with different party affiliations) to perform the electronic equivalent of turning the keys needed to launch a nuclear missile, perhaps with different passwords, or with two smart cards, or some means of authentication along those lines.

Imagine the delays caused by careless voters puzzled by their own choices, needing perhaps two, perhaps three, turns at the terminal to get things right. And let's not forget that 'getting things right' in this context means only that the printout matches the voter's own recollection of what they did at the terminal. The paper receipts will add not one shred of security, but they will bring about confusion and delays and Florida-esque disputes.

But what of good e-voting security? Is it even possible? The short answer is yes, and the long answer follows in tomorrow's companion story: E-voting security: getting it right. ®

Thomas C Greene is the author of Computer Security for the Home and Small Office, a comprehensive guide to system hardening, malware protection, online anonymity, encryption, and data hygiene for Windows and Linux.
