In the comments of my last post, bkwatch reminds me that paper ballots are far from perfect.
I totally agree.
I’m also not against e-voting just on principle. Or against all e-voting. I’m just against insecure electronic voting. Which, based on what I’ve seen, is true of many, if not most, current implementations.
Here’s what I said:
Here’s why I don’t think the risk is overblown. First of all there are only a few manufacturers of voting machines. The problems we see are systemic to those manufacturers and systems. Thus the potential exists for a single attack to potentially work on a massive scale- maybe a number of states. Second, the attacks can be much harder to detect and not require as much collusion as attacks on paper systems. A single technician, programmer, or hacker (for networked systems) can succeed. The normal physical controls we have to reduce election fraud are less effective, or even worthless. There are also availability issues- paper is much more resilient to power outages and system crashes. It’s a lot easier to lose a single memory chip with thousands (or more) votes than a big ballot box with equivalent numbers (which, on occasion, also happens). Thus the scope and scale of the problems is dramatically different. I actually think smart e-voting can improve the electoral process and reduce voter fraud. I’m not against e-voting itself, just many of the current implementations.
Electronic voting can be improved by:
- Requiring independent security lab certification. Not a weak certification like Common Criteria, but something more akin to the testing done on gambling machines.
- A voter verified paper trail- not something a voter takes home, but something they can visually certify and drop in a ballot box before walking out the door.
- Eliminating network connectivity. Except for maybe local networking over physical cabling, but even that might be too risky.
These won’t eliminate fraud, but they’ll reduce it. The potential is even there to build a system more secure than paper.
2 Replies to “E-voting Can be More Secure When Done Right”
All other good suggestions aside, if you can build a voting machine that is tamper proof using principles of multilevel/trusted computing, deny-by-default, open source code, etc, then you do not have to throw out the network reporting aspect. This is where value is added to make the whole thing not a bad idea, because you glean new efficiencies in remote administration and in vote tabulation.
Rich:
You might find this interesting:
http://nationaljournal.com/njcover.htm
Comments:
1. Certification—absolutely
2. Voter paper trail: good for restoring voter confidence in machines. But in reality the reason you want a paper trail is so if you do a recount you have something to do besides running the emachines again. Your proposal (a box where you can drop off your paper trail) is a disaster. First, your proposal of paper trails encourages recounts by reducing the “margin of litigation”. 2) in the event of a recount, how would you know the paper itself has not been compromised in some fashion? 3) how do you ensure that the voter will take his receipt and do something with it? Better paper trail proposals let you keep the paper in the same (secure?) box as the computer, and let the voter read it before voting. I like proposals where there is no paper trail but the voter can go check on his vote later. However, those proposals may violate voter secrecy laws (i.e. are you actually entitled under the law to see your ballot).
3. Network. OK. The real issue here is then how do you move the data from the individual machine to the central tabulator. Many areas already ban networks; they take the data card from the voting machine BY HAND to the central location. In my view, that is just as dangerous. There was one cool case (either in Mexico or in Georgia (Caucasus)) where networks were used for that purpose and the government just went ahead and built a parallel computer network to dupe the results. There is horror story after horror story there (hand delivery of computer cards). Not sure a blanket network ban does anything but keep the e-voter nuts happy.
The real issues:
1) Cost— HAVA act money was not enough; voting machines are on a 20-25 year cycle, local boards don’t have the money to spend for new paper trail machines.
2) Access—we need more options to vote by telephone, mail, internet, whatever. Also mobile locations. Turning a precinct into a secure fortress does not help with that—and this helps to keep turnout low. Incumbents love to hear that—because it protects them. I can get my driver’s license over the internet—why can’t I vote?
3) Monoculture. The reason our system is so bad is that it is so divided. But that is also the strength— you might be able to steal a local or county election, but for the elections that matter (House, Senate, President) it is impossible. Too much work to hack into 3000+ systems.
I’m pushing you on this because I know you have some better suggestions…..