We want our e-voting paper trail
El Reg is 'beyond obtuse'
Letter Reader Fergal Daly is one of many who were deeply disappointed by our recent items on electronic voting and security, here and here, claiming that proper election auditing can be done without paper, so long as the right protocols are developed, and the right systems of regulation and outside supervision are established. Many of you, however, believe that computers can never be trusted (a bias that we find understandable, considering the ubiquity of Microsoft Windows in our daily computing lives). ®
Thomas Greene's articles used to annoy me, so I stopped reading them a long time ago. However, as an active campaigner against bad voting technology (I'm a member of Irish Citizens for Trustworthy Evoting), I felt obliged to read his critique of VVAT (Voter Verified Audit Trail).
He characterises VVAT as simply bolting a printer onto existing DRE machines with no other modification to the machines, the law, or electoral procedure.
Either he has done no research at all or this is a cynical attempt to squeeze two articles out of deliberate misunderstanding. VVAT covers a large range of systems from DRE plus print to old fashioned paper and pen voting (the ballot itself being voter verified and auditable).
Round one of Greene vs The Straw Man mainly consists of non-points:
"If local regulations don't require that the paper printouts be recounted, there is little reason to collect them."
This is beyond obtuse. Obviously those campaigning for VVAT want suitable legislation to accompany it.
"A machine that spits out paper records can be every bit as insecure and prone to tampering as one that doesn't."
The important point here is the ability to detect malfunctions and tampering. The paper says what the paper says and the paper will not change even if your electronically recorded vote is fiddled later on. So now you have an audit trail which allows you detect this fiddling and also to correct it. If the machine prints the wrong thing on paper then you've found a bug or a hacked machine, in which case the machine should be replaced. If all machines contain the the same bug then you have to call off the election. A daunting prospect, but it's better to find the bug early and take remedial action ASAP than to find it afterwards - or not find it at all.
"And there may be numerous false alarms from people who, after confronting myriad races and referendums, may well forget one or two of the votes they cast and imagine a discrepancy where none exists, creating considerable alarm and delay."
The votes are on the computer. There is no reason why the system cannot allow the voter to scroll back and forward through his choices. If the voter is not capable of comparing the video/audio version with the printed/braille record then he should probably not be voting!
"A paper recount where perhaps thirty per cent of voters have actually bothered to verify their ballots is hardly the basis for confidence."
Actually, if thirty per cent of voters check then the chances of successfully interfering with the election are minuscule. If you want to try to swing 100 votes out 10,000 then the chances that you won't tamper with a "checker"'s vote are less than 1 in a billion, billion. Even if only 1 in 200 people check their ballots there'd still be a greater than 99% chance of problems being discovered.
To avoid detection you'd have to distribute the 100 rigged votes among the 7000 who do not check. Assuming the computer cannot tell in advance who will check, the chances of it avoiding all the checking voters are 7000/10000 * 6999/9999 * 6998/9998* ... * 6901/9901 = .00000000000000026.
(Thanks for the arithmetic, but we meant 'hardly the basis for confidence in staging a reliable re-count,' not 'hardly the basis for confidence in detecting a snafu.' - Ed.)
Voting systems that use DRE suck. Mr Greene rightly points out that adding VVAT to a system that sucks gives you a system that still sucks. This is not a revelation to those campaigning for VVAT. We know that DRE+VVAT sucks but it sucks considerably less than DRE on its own. It may cause logistical problems but at least it is possible to trust the results of a well designed DRE+VVAT system.
Many people are campaigning for DRE+VVAT simply because the DRE systems have already been bought and adding VVAT is seen as an easier goal than scrapping the DRE systems entirely and replacing them with something better.
In round two Mr Greene takes on the task of securing DRE. I must admit that after the first section I stopped reading and just scrolled down to try find something interesting. Nothing caught my eye - not because Mr Greene has no new ideas (maybe he has), but because he is trying to solve the wrong problem.
The task of securing DRE is doomed to failure. Take for example an attack involving a trojanned version of the count software loaded onto a custom chip. It looks like a standard EEPROM, it gives the correct checksums, it even contains the correct program but it also contains a hacked copy of the program. One hour into the election, when it receives the signal (via the RFID tag hidden in the chip package), the trojanned code is swapped in and proceeds to steal votes. At the end of the day, the original code is swapped into view again. The only way to detect this beforehand is to break open the chips that make up your machine. Of course you now have to replace those broken chips with new untested chips. It's also possible to detect after the election but by then you have no way of knowing what the real votes were.
The attack above would be expensive, maybe a couple of hundred thousand dollars, but compared to the money that goes into American politics, it's peanuts.
Rather than securing the unsecurable, there is a much simpler solution. The problem Mr Greene tries to solve arises because DRE puts the computer entirely in control of our votes without any human supervision (adding adequate human supervision is not an option if you want secrecy). There's no good reason to do this, and it's not done in other critical systems.
Computers work best when helping humans to achieve their goal. Computers help pilots to fly their plane but pilots have the final say; computers help technicians to keep nuclear reactors running but the technicians have the final say; similarly for bankers, railway signallers and (sometimes) Patriot missile technicians.
If the computer is never in control then it's not a target for attack and so securing it becomes a non-issue.
We should get computers to help voters prepare a pristine ballot paper (whether it's by printing out their selections or by scanning their written ballot to ensure that it is valid). If the computer prints out the wrong vote, no harm is done, just get it to print another (you may have to return to the officer to get a new ballot paper, just as if you'd messed up your vote by hand). At the other end, you get computers to help the counters to count the votes.
A nicer system would allow you to fill out your paper by hand, then you insert it in the checker which reads your ballot. It then displays on the screen what it thinks your ballot says. If you're happy then put your ballot in the box. If you're not happy, just get a new ballot paper and start again. A machine like that would cost about $100 rather than the thousands spent on DRE machines, so you could have lots of them, which would solve the queuing problems that e-voting has caused in some places.
The same machines can be used by the counting staff and as long as a reasonable level of manual checking is done, they can be trusted. If there's a problem a full manual recount is still an option.
Simple, cheap, secure, quick, auditable, fool-proof. This is VVAT done right. A system like this is use in Tallahassee. It's mentioned here.
I'm not sure how they count the votes at the other end but I'd imagine it's something similar to what I've described above.
Please, Mr Greene, do a bit of research before writing your next article, and please, Team Register, in future, hold Mr Greene to the same high standards as your other writers.