E-voting security: looking good on paper?
Voter receipt more 'security blanket' than 'security measure'
A couple of weeks ago, the US League of Women Voters incurred the wrath of touch-screen ballot skeptics by indicating its acceptance of DRE (Direct Recording Electronic) ballot machines with no voter-verifiable paper trail.
On 14 June, following several days of bad press, the League revised its position and adopted a resolution saying that the machines should in fact be capable of printing out a summary of votes cast, as a protective measure against tampering and malfunctions. The decision was received with great praise from DRE skeptics.
Judging by the warm response, one might be tempted to think that the paper receipt is a security measure that will make e-voting safer from manipulation and fraud. Unfortunately, this is not the case, though it is widely believed.
The voter's paper receipt has become the security idée fixe of DRE skeptics, and a shibboleth identifying those who are on the 'right' side of the debate. This is because the paper trail is a concept easily understood and conveniently communicated. It also likely derives much appeal from the fact that it involves an object that one can hold in one's hand and examine, unlike the results of a strictly electronic process.
But it's far more security blanket than security measure. At the moment, there is so much wrong with DRE security that the paper record has become a harmful distraction.
Many things can go awry with a complex system like DRE, and a machine that spits out paper records can be every bit as insecure and prone to tampering as one that doesn't. But the piece of paper creates an illusion of enhanced security, which is why so many people insist on it. People imagine that, so long as the printout matches their recollection of votes cast, it's proof that the DRE machine is recording their votes properly. In fact, it's no such thing. It's proof only that the printer is recording their votes accurately.
There is no logical reason for a voter to assume that the printout in his hand, and the electronic tabulation in the machine, are the same. Numerous types of attack could produce an accurate record of voter choice on paper, yet still tweak the electronic results. And if the two results should differ, there is no way for the voter to know it. The receipt has no immediate diagnostic value. It can only tell a voter whether the data sent to the printer is the same data he recalls entering at the touch screen. The machine could well be rigged for a miscount, only with voter choices printed accurately. This sort of discrepancy would not be discovered until the electronic results are tabulated, by which time the damage will have been done.
Recounting what, exactly?
The only useful purpose of the paper trail would be to enable a recount using a different medium when there is reason to suspect the electronic results. However, for the printouts to be of any value in a recount, voters would have to review them carefully and note any discrepancies before the receipts are collected. Many ballots are long and confusing, so the idea that even a majority of voters would bother to scrutinize theirs is hardly guaranteed. And there may be numerous false alarms from people who, after confronting myriad races and referendums, may well forget one or two of the votes they cast and imagine a discrepancy where none exists, creating considerable alarm and delay.
On the other hand, if voters neglect to examine their receipts carefully before submitting them, they're worthless - there's no basis for trusting them more than any other result. A paper recount where perhaps thirty per cent of voters have actually bothered to verify their ballots is hardly the basis for confidence.
Furthermore, there is no guarantee that the paper record will be the one recounted. Many jurisdictions require that a recount be performed in the same manner as the original election, which, unless the law specifies otherwise, might mean simply reading the machine's memory or storage devices again. If local regulations don't require that the paper printouts be recounted, there is little reason to collect them - except to create an illusion of security.
And if, during a recount, some discrepancy between the electronic and paper results should emerge, the paper record would have to be paramount according to law to be of any use. Otherwise, there will only be confusion. But as we noted, unless voters are scrupulous about reviewing the printouts, there is no logical reason why they ought to be paramount. In fact, they probably should not be.
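The two points above, that a receipt check only attests to the printer and that a discrepancy surfaces only when paper and electronic tallies are compared at recount time, can be made concrete with a small simulation. The following is an added example, not code from the article or from any voting vendor; the terminal, the hypothetical tally flip and the ballots are all constructed for illustration.

```python
"""Toy model of a DRE terminal with an honest printer and a possibly tampered
electronic tally. Constructed example: the per-voter receipt check always
passes, and only a paper-vs-electronic recount exposes a divergence.
"""
from collections import Counter
from dataclasses import dataclass, field

CANDIDATES = ("A", "B")  # constructed two-candidate race


@dataclass
class DRETerminal:
    """Holds the electronic tally and every receipt the printer produced."""
    tamper: bool = False  # hypothetical: electronic tally misrecords some votes
    electronic: Counter = field(default_factory=Counter)
    paper: list = field(default_factory=list)

    def cast(self, choice: str) -> str:
        """Record one vote; return the receipt handed back to the voter."""
        # The printer faithfully records the voter's actual choice ...
        self.paper.append(choice)
        # ... while the electronic tally may record something else.
        recorded = choice
        if self.tamper and choice == "B":
            recorded = "A"  # hypothetical flip, invisible on the receipt
        self.electronic[recorded] += 1
        return choice


def receipt_matches(receipt: str, recollection: str) -> bool:
    """The only check available to the voter at the terminal."""
    return receipt == recollection


def recount(terminal: DRETerminal) -> dict:
    """Compare the paper tally against the electronic tally per candidate."""
    paper_tally = Counter(terminal.paper)
    discrepancies = {
        c: (paper_tally[c], terminal.electronic[c])
        for c in CANDIDATES
        if paper_tally[c] != terminal.electronic[c]
    }
    return {
        "paper": {c: paper_tally[c] for c in CANDIDATES},
        "electronic": {c: terminal.electronic[c] for c in CANDIDATES},
        "discrepancies": discrepancies,
    }


def run_election(votes, tamper: bool = False, verify_fraction: float = 1.0) -> dict:
    """Cast all votes, have the first verify_fraction of voters read their
    receipt, then perform a paper-vs-electronic recount."""
    terminal = DRETerminal(tamper=tamper)
    checked = int(len(votes) * verify_fraction)
    receipt_failures = 0
    for i, choice in enumerate(votes):
        receipt = terminal.cast(choice)
        if i < checked and not receipt_matches(receipt, choice):
            receipt_failures += 1
    return {
        "voters_who_checked": checked,
        "receipt_failures": receipt_failures,
        "recount": recount(terminal),
    }


if __name__ == "__main__":
    ballots = ["A", "B", "B", "A", "B"]  # constructed sample
    print(run_election(ballots, tamper=True, verify_fraction=0.3))
```

Run with `tamper=True`, every receipt still matches its voter's recollection (`receipt_failures` is 0 however many voters bother to check), yet the recount reports the paper and electronic counts disagreeing for both candidates. `voters_who_checked` is what a partial verification rate leaves you with: the recount's paper total is only as trustworthy as the share of receipts that were actually read.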
The hanging chads of Florida
The printout will become a burden on everyone concerned, including voters, because in order to be valid for a recount, the paper receipt would have to be free from marks and corrections. This is necessary to avoid the difficulties with interpreting voter intent that the infamous hanging chads of Florida presented. With paper ballots, observer bias is a significant factor in determining voter intent. When confronting ambiguous results, such as pregnant chads and overvoting, Republican observers tend to conclude that the Republican candidate was chosen, and Democrats tend to believe that a Democrat was chosen. DRE terminals are designed to clarify voter intent, and, in theory, they can do this very well.
However, if the paper receipt is to be used in a recount, it would be necessary for each voter to review it before the next voter would be allowed to use the terminal. Thus, if there are discrepancies, the voter's results could be cleared from the terminal, and they would have another go. This would be necessary so that, in the end, the voter can submit a 'clean' receipt: one free of marks and corrections, to avoid a re-run of the chad debacle. A security protocol would have to be devised to ensure that the disputed receipt is disposed of properly and the voter-approved one substituted, without breaching voter privacy.
Furthermore, if it were possible for one person to clear any result from a DRE terminal, this would be a monumental security hole in itself. Thus it would be necessary for two election supervisors (preferably with different party affiliations) to perform the electronic equivalent of turning the keys needed to launch a nuclear missile, perhaps with different passwords, or with two smart cards, or some means of authentication along those lines.
Imagine the delays caused by careless voters puzzled by their own choices, needing perhaps two, perhaps three, turns at the terminal to get things right. And let's not forget that 'getting things right' in this context means only that the printout matches the voter's own recollection of what they did at the terminal. The paper receipts will add not one shred of security, but they will bring about confusion and delays and Florida-esque disputes.
But what of good e-voting security? Is it even possible? The short answer is yes, and the long answer follows in tomorrow's companion story: E-voting security: getting it right. ®
Thomas C Greene is the author of Computer Security for the Home and Small Office, a comprehensive guide to system hardening, malware protection, online anonymity, encryption, and data hygiene for Windows and Linux.