Friday, October 03, 2008
electronic voting means trusting a stranger with your vote
UPDATE: I should check my stats for this blog more often - I see that there is an item specifically about this in the Spark blog
Would you vote over the internet in a Canadian federal election? - Posted by Dan Misener on October 01 
There are some good comments on the blog posting.
I think I conveyed my three major points:
* a key element of the voting system is trust
* a voting machine (or Internet voting) is no different than telling your vote to a stranger
* a computer can lie
Or in other words, electronic voting means that in a system based on trust, you're giving your vote to a stranger who can lie.
There is one thing I regret saying. I said something like "not everyone is a computer scientist or a mathematician, the average Canadian can't comprehend web voting" - my actual intent was something more like "the average Canadian doesn't have the technical training to understand exactly how web voting works and all the associated risks".
I did then wrap up with what I think was a strong point: Internet/web/electronic voting introduces uncertainty and complexity into what should be the most certain and least complex process in our democracy.
If you look at the specific example of the Referendum, which was so incredibly close, imagine what would have happened if the next day people had started saying "I think my computer didn't record my vote correctly". We'd never be able to resolve it; we'd still be arguing about it.
If I were giving this as a prepared presentation (which is more my area of communication strength), rather than as an interview, it would go something like...
Voting is about policies, but also about trust. In yesterday's leaders' debate, we saw five people around a table that most of us will never meet, five strangers. We have to determine, in part, whether we trust them. Similarly, most of us only talk to our MPs for a few minutes when they show up at the door before the election; they are also strangers.
It's quite a remarkable transfer of trust, from millions of people to a few hundred, transferring the authority to declare war and to spend billions of taxpayer dollars.
The process to transfer this trust is voting, which also involves trusting strangers - you probably don't know the poll workers or the scrutineers.
But the good news is that in the physical world, we are really good at reasoning about how to manage the risks of trusting strangers. If a stranger asks for directions on the street, you will probably help them, but if they ask for a $100 loan and your name and address and promise to return the money to you later, you probably won't help them.
Our existing paper-based, human-counted system is based on our understanding of the balancing of motivations and self-interest, along with a clear physical evidence chain. You mark the ballot yourself in secret, you drop it in the box in front of everyone, and you trust that the competing interests of the scrutineers from the different parties will ensure that the open counting of the paper ballots is done properly.
If there's an issue, you can just count the ballots again.
And you know that if something does go wrong, all of those people live in your community and have to deal with the consequences.
You literally could have an elementary school class run a classic Canadian Federal election scenario and they could identify all of the possible risks, because reasoning about physical evidence and human behavior is one of our strengths.
Now imagine instead that when you walk into the polling station, they say to you "for improved efficiency, just tell this stranger how you want to vote, and he will go and handle the rest". So you tell him "I want to vote for the red party" and he goes and marks a ballot in secret and drops it in the ballot box. Now you have to trust that stranger totally. You can ask him, "did you vote for red?" and he can assure you over and over, but you can never actually know, for certain, how he voted on your behalf.
In effect, his report of your vote is now testimony, or even hearsay.
We understand this quite well in our criminal justice system. Physical evidence (e.g. a marked ballot that you can see) has the highest degree of credibility. Testimony much less so, because humans can lie. Hearsay least of all, because humans can really lie a lot about other people.
You go from e.g. seeing an X in a circle on a piece of paper, to having someone say "I definitely marked an X by the red candidate", to someone saying "I think I thought I saw someone mark an X by the red candidate".
So now we just need to replace one step and I think you'll see the problem: replace "tell your vote to a stranger" with "enter your vote on a computer".
How is that like telling a stranger? Well, when you think about it, computers don't program themselves. Every computer program, and even every computer chip, was designed by someone - by a stranger. Actually by many, many strangers. The computer is not some cold objective logic machine, incapable of error; the computer is the embodiment of the human intentions that went into its code and hardware - the computer is a human, in silico.
That means all of the things a person can do, a computer might do - a computer might fail, because of an error, or a computer might behave maliciously, because of malicious intent.
That is to say, the computer can lie. We often don't think about this, because for commercial reasons most people write code intended to behave well and to present information correctly. But there's no reason your code can't say (here as a small Python function instead of pseudocode):
def record_vote(choice, tally):
    if choice == "vote blue":
        tally["blue"] += 1
        return "voted for blue"
    elif choice == "vote red":
        tally["blue"] += 1      # the red vote is quietly counted for blue...
        return "voted for red"  # ...while the voter is told what they expect to see
THE COMPUTER CAN LIE.
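To make the point concrete, here is an added example (mine, not part of the original post) that simulates a small election twice over: once through a lying machine, and once through the paper ballots the same voters dropped in the box. The machine's confirmation screen always agrees with the voter, so asking it "did you vote for red?" reveals nothing, yet its tally and the paper recount disagree. The machine, the electorate and the one-in-three miscount are all constructed for illustration.

```python
# Added example: a vote-recording machine that lies, beside a paper
# ballot box that can be recounted. All names and numbers are constructed.
from collections import Counter


class LyingMachine:
    """Constructed voting machine: the confirmation it shows the voter is
    always reassuring, but the internal tally is not always honest."""

    def __init__(self):
        self.tally = Counter()
        self._red_seen = 0

    def cast(self, choice):
        # What the voter sees: an echo of exactly what they asked for.
        shown = f"voted for {choice}"
        # What the machine records: every third "red" vote is credited to blue.
        if choice == "red":
            self._red_seen += 1
            if self._red_seen % 3 == 0:
                self.tally["blue"] += 1
                return shown
        self.tally[choice] += 1
        return shown


def run_election(intents):
    """Every voter votes on the machine and also marks a paper ballot.
    Returns (confirmations shown, machine tally, hand count of paper)."""
    machine = LyingMachine()
    paper_box = []
    confirmations = []
    for intent in intents:
        confirmations.append(machine.cast(intent))
        paper_box.append(intent)  # physical evidence, marked by the voter
    return confirmations, dict(machine.tally), dict(Counter(paper_box))


def every_confirmation_matches(intents, confirmations):
    """Asking the machine over and over whether it voted as told:
    it says yes every single time, whatever it actually recorded."""
    return all(c == f"voted for {i}" for i, c in zip(intents, confirmations))


# Constructed electorate: 9 voters intend red, 8 intend blue.
SAMPLE_INTENTS = ["red"] * 9 + ["blue"] * 8

if __name__ == "__main__":
    shown, machine_tally, paper_recount = run_election(SAMPLE_INTENTS)
    print("every voter was told what they wanted:",
          every_confirmation_matches(SAMPLE_INTENTS, shown))
    print("machine says:      ", machine_tally)
    print("paper recount says:", paper_recount)
```

With this electorate the paper recount gives red 9, blue 8, while the machine reports red 6, blue 11: a different winner, and every one of the 17 voters was shown a confirmation that matched their intent. Without the paper box there is no second count to run, which is exactly the "we'd still be arguing about it" problem above.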
You can see very real examples of this in the social engineering used by malware: a fake window says "you need to update your antivirus software immediately [ok] [cancel]", and when you press [ok], it actually fills your computer with viruses.
Beyond that, even without malicious intent, the computer can fail in countless ways - bugs in the code, hardware error, network error, power failure, overload from too much network traffic (as happened with the Do Not Call List), and on and on. Whereas a paper voting system can continue without power, and short of burning the paper or killing the people, it has limited ways that it can fail.
And this is an important point: people already attack physical voting systems, at great personal risk (see e.g. Zimbabwe). The reason they take this risk is that the rewards are enormous - wealth beyond any other criminal scheme, power, privilege...
Consider that spammers have already constructed networks of hijacked machines ("botnets") - millions of machines in some cases - just to take advantage of the few thousand or at most few million dollars they can earn by ripping people off. Now just think - if there's Internet voting they can use the exact same technology to control who gets access to BILLIONS OF DOLLARS.
So think about it - you would never vote by telling a stranger your intent and letting them vote for you - why would you vote by telling a strange machine your intent and letting it vote for you?