E-voting security: looking good on paper?

Voter receipt more 'security blanket' than 'security measure'


A couple of weeks ago, the US League of Women Voters incurred the wrath of touch-screen ballot skeptics by indicating its acceptance of DRE (Direct Recording Electronic) ballot machines with no voter-verifiable paper trail.

On 14 June, following several days of bad press, the League revised its position and adopted a resolution saying that the machines should in fact be capable of printing out a summary of votes cast, as a protective measure against tampering and malfunctions. The decision was received with great praise from DRE skeptics.

Judging by the warm response, one might be tempted to think that the paper receipt is a security measure that will make e-voting safer from manipulation and fraud. Unfortunately, this is not the case, though it is widely believed.

Security illusion

The voter's paper receipt has become the security idée fixe of DRE skeptics, and a shibboleth identifying those who are on the 'right' side of the debate. This is because the paper trail is a concept easily understood and conveniently communicated. It also likely derives much appeal from the fact that it involves an object that one can hold in one's hand and examine, unlike the results of a strictly electronic process.

But it's far more security blanket than security measure. At the moment, there is so much wrong with DRE security that the paper record has become a harmful distraction.

Many things can go awry with a complex system like DRE, and a machine that spits out paper records can be every bit as insecure and prone to tampering as one that doesn't. But the piece of paper creates an illusion of enhanced security, which is why so many people insist on it. People imagine that, so long as the printout matches their recollection of votes cast, it's proof that the DRE machine is recording their votes properly. In fact, it's no such thing. It's proof only that the printer is recording their votes accurately.

There is no logical reason for a voter to assume that the printout in his hand, and the electronic tabulation in the machine, are the same. Numerous types of attack could produce an accurate record of voter choice on paper, yet still tweak the electronic results. And if the two results should differ, there is no way for the voter to know it. The receipt has no immediate diagnostic value. It can only tell a voter whether the data sent to the printer is the same data he recalls entering at the touch screen. The machine could well be rigged for a miscount, only with voter choices printed accurately. This sort of discrepancy would not be discovered until the electronic results are tabulated, by which time the damage will have been done.

Recounting what, exactly?

The only useful purpose of the paper trail would be to enable a recount using a different medium when there is reason to suspect the electronic results. However, for the printouts to be of any value in a recount, voters would have to review them carefully and note any discrepancies before the receipts are collected. Many ballots are long and confusing, so the idea that even a majority of voters would bother to scrutinize theirs is hardly guaranteed. And there may be numerous false alarms from people who, after confronting myriad races and referendums, may well forget one or two of the votes they cast and imagine a discrepancy where none exists, creating considerable alarm and delay.

On the other hand, if voters neglect to examine their receipts carefully before submitting them, they're worthless - there's no basis for trusting them more than any other result. A paper recount where perhaps thirty per cent of voters have actually bothered to verify their ballots is hardly the basis for confidence.
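To make the verification-path argument of the preceding sections concrete, here is an added toy model (not code from the article or from any voting system): a terminal feeds the entered ballot to a printer path and to a tally path independently, so the voter's receipt check covers only the first path, while comparing the paper count against the electronic count is the check that covers the second. The fault function, the ballots and the race name are constructed for the example.

```python
from collections import Counter
from typing import Callable, Dict, List, Tuple

Ballot = Dict[str, str]                  # race -> choice, e.g. {"governor": "A"}
Path = Callable[[int, Ballot], Ballot]   # (voter index, ballot as entered) -> ballot as this component sees it

def faithful(_i: int, ballot: Ballot) -> Ballot:
    """A component that records exactly what the voter entered."""
    return dict(ballot)

def every_third_flipped(i: int, ballot: Ballot) -> Ballot:
    """Constructed fault: every third voter's governor choice is recorded as 'B'."""
    out = dict(ballot)
    if i % 3 == 2:
        out["governor"] = "B"
    return out

def run_election(intents: List[Ballot], printer: Path, tally: Path) -> Tuple[List[Ballot], Counter]:
    """Feed each ballot to the printer path and the tally path independently, as a DRE does."""
    receipts = [printer(i, b) for i, b in enumerate(intents)]
    electronic = Counter((race, c) for i, b in enumerate(intents) for race, c in tally(i, b).items())
    return receipts, electronic

def voter_check_failures(intents: List[Ballot], receipts: List[Ballot]) -> int:
    """The only check a voter can make: does the receipt match what I entered?"""
    return sum(1 for b, r in zip(intents, receipts) if b != r)

def recount_discrepancies(receipts: List[Ballot], electronic: Counter) -> Dict[Tuple[str, str], int]:
    """Paper recount minus electronic tally per (race, choice); only nonzero entries are returned."""
    paper = Counter((race, c) for r in receipts for race, c in r.items())
    return {k: paper[k] - electronic[k] for k in set(paper) | set(electronic) if paper[k] != electronic[k]}

INTENTS = [{"governor": "A"} for _ in range(6)]   # constructed: six voters who all chose A

if __name__ == "__main__":
    # Faithful printer, faulty tally: every receipt passes the voter's check,
    # and only the paper-versus-electronic comparison shows the miscount.
    receipts, electronic = run_election(INTENTS, faithful, every_third_flipped)
    print("voter-detected mismatches:", voter_check_failures(INTENTS, receipts))
    print("recount discrepancies:", recount_discrepancies(receipts, electronic))
    # Faulty printer, faithful tally: the receipt check catches this one at the terminal.
    receipts, electronic = run_election(INTENTS, every_third_flipped, faithful)
    print("voter-detected mismatches:", voter_check_failures(INTENTS, receipts))
```

The second comparison is only meaningful for receipts the voter actually checked; an unverified receipt tells the recount no more than the electronic record does.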

Furthermore, there is no guarantee that the paper record will be the one recounted. Many jurisdictions require that a recount be performed in the same manner as the original election, which, unless the law specifies otherwise, might mean simply reading the machine's memory or storage devices again. If local regulations don't require that the paper printouts be recounted, there is little reason to collect them - except to create an illusion of security.

And if, during a recount, some discrepancy between the electronic and paper results should emerge, the paper record would have to be paramount according to law to be of any use. Otherwise, there will only be confusion. But as we noted, unless voters are scrupulous about reviewing the printouts, there is no logical reason why they ought to be paramount. In fact, they probably should not be.

The hanging chads of Florida

The printout will become a burden on everyone concerned, including voters, because in order to be valid for a recount, the paper receipt would have to be free from marks and corrections. This is necessary to avoid the difficulties with interpreting voter intent that the infamous hanging chads of Florida presented. With paper ballots, observer bias is a significant factor in determining voter intent. When confronting ambiguous results, such as pregnant chads and overvoting, Republican observers tend to conclude that the Republican candidate was chosen, and Democrats tend to believe that a Democrat was chosen. DRE terminals are designed to clarify voter intent, and, in theory, they can do this very well.

However, if the paper receipt is to be used in a recount, it would be necessary for each voter to review it before the next voter would be allowed to use the terminal. Thus, if there are discrepancies, the voter's results could be cleared from the terminal, and they would have another go. This would be necessary so that, in the end, the voter can submit a 'clean' receipt: one free of marks and corrections, to avoid a re-run of the chad debacle. A security protocol would have to be devised to ensure that the disputed receipt is disposed of properly and the voter-approved one substituted, without breaching voter privacy.

Furthermore, if it were possible for one person to clear any result from a DRE terminal, this would be a monumental security hole in itself. Thus it would be necessary for two election supervisors (preferably with different party affiliations) to perform the electronic equivalent of turning the keys needed to launch a nuclear missile, perhaps with different passwords, or with two smart cards, or some means of authentication along those lines.

Imagine the delays caused by careless voters puzzled by their own choices, needing perhaps two, perhaps three, turns at the terminal to get things right. And let's not forget that 'getting things right' in this context means only that the printout matches the voter's own recollection of what they did at the terminal. The paper receipts will add not one shred of security, but they will bring about confusion and delays and Florida-esque disputes.

But what of good e-voting security? Is it even possible? The short answer is yes, and the long answer follows in tomorrow's companion story: E-voting security: getting it right. ®

Thomas C Greene is the author of Computer Security for the Home and Small Office, a comprehensive guide to system hardening, malware protection, online anonymity, encryption, and data hygiene for Windows and Linux.

Related stories

Dutch e-voting software goes open source
E-voting promises US election tragicomedy
California preps e-voting ban bill
Ireland to scrap e-voting plan
California set to reject Diebold e-voting machines
UK not ready for e-voting
Campaign calls for safe e-voting
