E-voting security: looking good on paper?

Voter receipt more 'security blanket' than 'security measure'

A couple of weeks ago, the US League of Women Voters incurred the wrath of touch-screen ballot skeptics by indicating its acceptance of DRE (Direct Recording Electronic) ballot machines with no voter-verifiable paper trail.

On 14 June, following several days of bad press, the League revised its position and adopted a resolution saying that the machines should in fact be capable of printing out a summary of votes cast, as a protective measure against tampering and malfunctions. The decision was received with great praise from DRE skeptics.

Judging by the warm response, one might be tempted to think that the paper receipt is a security measure that will make e-voting safer from manipulation and fraud. Unfortunately, this is not the case, though it is widely believed.

Security illusion

The voter's paper receipt has become the security idée fixe of DRE skeptics, and a shibboleth identifying those who are on the 'right' side of the debate. This is because the paper trail is a concept easily understood and conveniently communicated. It also likely derives much appeal from the fact that it involves an object that one can hold in one's hand and examine, unlike the results of a strictly electronic process.

But it's far more security blanket than security measure. At the moment, there is so much wrong with DRE security that the paper record has become a harmful distraction.

Many things can go awry with a complex system like DRE, and a machine that spits out paper records can be every bit as insecure and prone to tampering as one that doesn't. But the piece of paper creates an illusion of enhanced security, which is why so many people insist on it. People imagine that, so long as the printout matches their recollection of votes cast, it's proof that the DRE machine is recording their votes properly. In fact, it's no such thing. It's proof only that the printer is recording their votes accurately.

There is no logical reason for a voter to assume that the printout in his hand, and the electronic tabulation in the machine, are the same. Numerous types of attack could produce an accurate record of voter choice on paper, yet still tweak the electronic results. And if the two results should differ, there is no way for the voter to know it. The receipt has no immediate diagnostic value. It can only tell a voter whether the data sent to the printer is the same data he recalls entering at the touch screen. The machine could well be rigged for a miscount, only with voter choices printed accurately. This sort of discrepancy would not be discovered until the electronic results are tabulated, by which time the damage will have been done.

Recounting what, exactly?

The only useful purpose of the paper trail would be to enable a recount using a different medium when there is reason to suspect the electronic results. However, for the printouts to be of any value in a recount, voters would have to review them carefully and note any discrepancies before the receipts are collected. Many ballots are long and confusing, so it is hardly guaranteed that even a majority of voters would bother to scrutinize theirs. And there may be numerous false alarms from people who, after confronting myriad races and referendums, may well forget one or two of the votes they cast and imagine a discrepancy where none exists, creating considerable alarm and delay.

On the other hand, if voters neglect to examine their receipts carefully before submitting them, they're worthless - there's no basis for trusting them more than any other result. A paper recount where perhaps thirty per cent of voters have actually bothered to verify their ballots is hardly the basis for confidence.

Furthermore, there is no guarantee that the paper record will be the one recounted. Many jurisdictions require that a recount be performed in the same manner as the original election, which, unless otherwise specified by law, might mean simply reading the machine's memory or storage devices again. If local regulations don't require that the paper printouts be recounted, there is little reason to collect them - except to create an illusion of security.

And if, during a recount, some discrepancy between the electronic and paper results should emerge, the paper record would have to be paramount according to law to be of any use. Otherwise, there will only be confusion. But as we noted, unless voters are scrupulous about reviewing the printouts, there is no logical reason why they ought to be paramount. In fact, they probably should not be.

The hanging chads of Florida

The printout will become a burden on everyone concerned, including voters, because in order to be valid for a recount, the paper receipt would have to be free from marks and corrections. This is necessary to avoid the difficulties with interpreting voter intent that the infamous hanging chads of Florida presented. With paper ballots, observer bias is a significant factor in determining voter intent. When confronting ambiguous results, such as pregnant chads and overvoting, Republican observers tend to conclude that the Republican candidate was chosen, and Democrats tend to believe that a Democrat was chosen. DRE terminals are designed to clarify voter intent, and, in theory, they can do this very well.

However, if the paper receipt is to be used in a recount, it would be necessary for each voter to review it before the next voter would be allowed to use the terminal. Thus, if there are discrepancies, the voter's results could be cleared from the terminal, and they would have another go. This would be necessary so that, in the end, the voter can submit a 'clean' receipt: one free of marks and corrections, to avoid a re-run of the chad debacle. A security protocol would have to be devised to ensure that the disputed receipt is disposed of properly and the voter-approved one substituted, without breaching voter privacy.

Furthermore, if it were possible for one person to clear any result from a DRE terminal, this would be a monumental security hole in itself. Thus it would be necessary for two election supervisors (preferably with different party affiliations) to perform the electronic equivalent of turning the keys needed to launch a nuclear missile, perhaps with different passwords, or with two smart cards, or some means of authentication along those lines.

Imagine the delays caused by careless voters puzzled by their own choices, needing perhaps two, perhaps three, turns at the terminal to get things right. And let's not forget that 'getting things right' in this context means only that the printout matches the voter's own recollection of what they did at the terminal. The paper receipts will add not one shred of security, but they will bring about confusion and delays and Florida-esque disputes.

But what of good e-voting security? Is it even possible? The short answer is yes, and the long answer follows in tomorrow's companion story: E-voting security: getting it right. ®

Thomas C Greene is the author of Computer Security for the Home and Small Office, a comprehensive guide to system hardening, malware protection, online anonymity, encryption, and data hygiene for Windows and Linux.
