I thought this was a very helpful explanation of the problems associated with e-voting. It is pretty clear that the American system used on 2/11 is several bricks short of a full load. It came up on the Monbiot discussion list.

The context is a discussion of the electronic voting machines in the 2/11 assault on democracy.

Pavlos Papageorgiou responds to this message:
> The only evidence I have seen to say that ballot rigging took place is
> in the exit polls. Exit polls are not reliable indicators. One could
> equally say that every pre-election opinion poll of the population
> gave a narrow lead to Bush, and that was exactly the result of the
> election, therefore electronic voting is accurate.
Pavlos Papageorgiou: Maybe. I'm not arguing that there is strong evidence of rigging, but some evidence + lack of verification = legitimacy problem. As the saying goes: "It's not enough for Caesar's wife to be faithful, she must also be seen to be faithful."
> I agree that there must be some way to verify the electronic vote.
> [...] Maybe there could be the possibility to have a voting "account"
> like a bank account. The voter could access their account with a PIN
> number to register their vote. The votes could be counted by an
> independent body with "read only" authority. The voter could also
> recheck their account on a "read only" basis to see that their votes
> are as they were cast. The system could be accessed both via ATM style
> voting machines and via the internet.
Pavlos Papageorgiou: No, no, no! It is not a simple technical issue!

As it happens I'm an expert in a different area of computing from this one, so I'm not qualified to make any kind of expert statements about whether or not it is practical to build a verifiable voting machine. However, I do know enough to know that it's not simple. You can't take your understanding of a superficially similar area of computing, such as e-banking, and assume you can apply it to e-voting. E-voting is a very difficult theoretical problem, and that much is acknowledged by several experts in computer security and cryptography, which are the appropriate disciplines.
Some aspects of e-voting and e-banking are indeed similar:

- The system should keep accurate lists of registered users.
- The system should require the user to provide a PIN, or equivalent.
- The system should tally votes accurately and reliably.
- The system should keep voting information confidential.
- The system should be immune to tampering by outsiders.
So far so good. You can hire e-banking experts and expect them to achieve all of the above. But then there is another set of requirements that the e-banking people don't know how to solve:

- The system should track votes anonymously.
- The system should be immune to tampering by an insider.
- The system should be verifiable by anyone who doubts its integrity.
- The system should not issue receipts to the voters themselves.

It's a really difficult technical problem, even in principle, to satisfy all of those requirements together. Any three, it's easy. All four at once is very hard. For those who are still interested, here's an explanation of why that is:
- The system should track votes anonymously to prevent any kind of pressure, retaliation, or recrimination against those who have cast unpopular votes. That might mean ordinary Republicans, or it might mean loony supremacists. Either way the currently accepted standard is that voting is provably anonymous, in other words you can be sure that not even the election officials know how you voted. Obviously it would be very easy to write a computer program that tallies votes anonymously, but it would be equally easy to write one that keeps tabs on who voted what behind the scenes. I don't see why you should lose the reassurance of anonymity quietly because voting goes electronic. By contrast, a bank account is not anonymous, it's just confidential. Leaks happen.
- The system should be immune to tampering by an insider so that people within the voting machine company cannot compromise the outcome or anonymity of the election. By "compromise" I don't mean take a working bona-fide system and break into it. I mean bribe the programmers who write the vote tallying program to bias the count slightly (all it takes is typing a little "+1" here or there) or store the voter's name quietly in a file. When banking records went digital in the 70s, this sort of insider attack was a huge problem (it hadn't occurred to management that it was possible) and it was solved by cross-checking the final sums. In e-voting, there is nothing to verify, so it's like having millions of transactions flow into some online account with no audit trail whatsoever (no customer receipts, no goods shipped, no credit card companies to cross-check) and then at the end of the month the e-bank gives you your supposed earnings. Do you trust the bank to give you all your money? Well, maybe you do, maybe you don't. It's a matter of trust. Technology doesn't give you any guarantees.
- The system should be verifiable by anyone who doubts its integrity so that Doubting Thomases can be convinced that everything has been done in a way that's good and proper. This is rather important to guarantee that a Democracy stays fair and democratic and is not overcome by corruption. Or at least some people feel quite strongly that the burden of proof lies with the election administrators. The e-voting system may in fact be totally fair, and the company may impose strict controls to prevent tampering by its own people, but how do we know that? Believe the reassurances of the company? I think it should be better than that: It should be possible to "open the hood" of the machine and allow anyone with suitable technical qualifications to inspect it and verify that it is working fairly. That's what the party observers do with the paper system - they sit there to ensure that no-one plays hat tricks with the ballot papers. It's possible to inspect a computer and verify its operation, but to do it properly is quite a complicated task that involves dismantling the computer, designing it along very limiting constraints, and other impractical things.
- The system should not issue receipts to the voters themselves so that voters cannot be subjected to intimidation or vote-buying. This issue isn't obvious at first. When you first think of how to make a voting system verifiable, you think "Ah, simple, issue each voter with a receipt bearing a code number and what they voted, and then conduct the tallying of votes (identifiable only by code number) publicly. Then each voter can check their receipt against the public vote lists to be sure their vote was counted". Great idea. But then the voter's spouse, parent, pimp, boss, or other intimidating figure can say "You'd better show me your voting receipt so I can check that you voted X, or else...". Again it's up to your sensitivities whether you find this a realistic problem, but anyway the status quo is that exploitable voters are protected from it. That safety measure should not disappear quietly just for technical reasons.
So, sorry if this diatribe is of no interest to anyone. I am, in fact, not a luddite, I'm very much in favour of electronic voting in principle and a while ago I made my own technical proposals for a more representative electoral system based on frequent e-voting. However, I soon had it explained by the real experts that it's currently something that stretches the state of the art, for subtle reasons that I probably failed to explain adequately. The challenges are probably surmountable, and we should have e-voting done right, but it's not the straightforward banking-like application that the public is led to believe.
Thanks,
Pavlos Papageorgiou <pavlos.politics@geekhost.org>
To: <monbiot@talk.torchbox.com>
Message-ID: <F13C10A7-38EA-11D9-B1FD-000A95A86222@geekhost.org>
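The tension the post describes between the last two requirements (public verifiability versus no usable receipt) can be shown with a toy simulation. The following is an added example, not code from the post or from any real voting system: it models the "receipt bearing a code number" scheme the post sketches and the "+1 here or there" insider attack on the tally. All names (the candidates, the bulletin-board layout, the voter records) are constructed for illustration; the random receipt codes are generated with the standard library and stand in for whatever identifier such a scheme would print.

```python
"""Toy bulletin-board election: public re-tally catches a biased insider count,
but the very receipt that lets a voter verify their ballot also lets a coercer
verify it. Added illustrative example; not a real voting protocol."""
import secrets
from collections import Counter

# Constructed candidates for the example election.
CANDIDATES = ("Alice", "Bob")


def cast_ballots(votes):
    """Record each (voter, choice) on a public board under a random code.

    The board holds (code, choice) only, so the published list is anonymous
    on its face. The receipt handed back to each voter carries the code and
    the choice, exactly as in the scheme the post describes.
    """
    board, receipts = [], []
    for voter, choice in votes:
        if choice not in CANDIDATES:
            raise ValueError(f"unknown candidate {choice!r}")
        code = secrets.token_hex(4)   # assumed: an opaque per-ballot code
        board.append((code, choice))
        receipts.append((voter, code, choice))
    return board, receipts


def honest_tally(board):
    """Count the published ballots; anyone with the board can do this."""
    return Counter(choice for _, choice in board)


def insider_tally(board, favoured):
    """An insider's count that types a little '+1' for the favoured candidate."""
    tally = honest_tally(board)
    tally[favoured] += 1
    return tally


def verify_tally(board, reported):
    """Public verifiability: re-tally the board and compare with what was announced."""
    return honest_tally(board) == reported


def voter_checks_receipt(board, receipt):
    """The voter looks up their code on the board and confirms the choice shown."""
    _, code, choice = receipt
    return dict(board).get(code) == choice


def coercer_checks(board, receipt, demanded):
    """The coercer needs only the code from the receipt: the public board
    then tells them how that ballot was cast."""
    _, code, _ = receipt
    return dict(board).get(code) == demanded


def run_demo():
    """Constructed election: three ballots, an honest and a biased count,
    one voter's receipt shown to a coercer who demanded a vote for Bob."""
    votes = [("v1", "Alice"), ("v2", "Bob"), ("v3", "Alice")]
    board, receipts = cast_ballots(votes)
    announced = insider_tally(board, "Bob")
    return {
        "honest_count_verifies": verify_tally(board, honest_tally(board)),
        "biased_count_verifies": verify_tally(board, announced),
        "voter_sees_own_vote": voter_checks_receipt(board, receipts[0]),
        "coercer_learns_vote": coercer_checks(board, receipts[1], "Bob"),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point of the simulation is that `verify_tally` and `coercer_checks` draw on the same public information: the code-to-choice mapping that makes the announced count checkable by outsiders is exactly what makes the receipt worth demanding. Dropping the choice from the receipt does not help, since the coercer only needs the code to look it up on the board.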