Friday, October 03, 2008
paper voting isn't broken
If it ain't broke don't fix it - May 13, 2008
When officials come away from observing an electronic vote-counting system used in Monday's New Brunswick municipal election, I hope the lesson they take with them is this: Citizens do not need a machine to vote, nor to count those votes. And I hope for the health of our democracy that they will see that the application of technology to replace humans in this area is wholly inappropriate.
Homer vs. the voting machine
electronic voting means trusting a stranger with your vote
UPDATE: I should check my stats for this blog more often - I see that there is an item specifically about this in the Spark blog
Would you vote over the internet in a Canadian federal election? - Posted by Dan Misener on October 01 
There are some good comments on the blog posting.
I think I conveyed my three major points:
* a key element of the voting system is trust
* a voting machine (or Internet voting) is no different than telling your vote to a stranger
* a computer can lie
Or in other words, electronic voting means that in a system based on trust, you're giving your vote to a stranger who can lie.
There is one thing I regret saying: I said something like "not everyone is a computer scientist or a mathematician, the average Canadian can't comprehend web voting" - my actual intent was something more like "the average Canadian doesn't have the technical training to understand exactly how web voting works and all the associated risks".
I did then wrap up with what I think was a strong point: Internet/web/electronic voting introduces uncertainty and complexity into what should be the most certain and least complex process in our democracy.
If you look at the specific example of the Referendum, which was so incredibly close - imagine what would have happened if the next day people had started saying "I think my computer didn't record my vote correctly" - we'd never be able to resolve it - we'd still be arguing about it.
If I was giving this as a prepared presentation (which is more my area of communication strength), rather than as an interview, it would go something like...
Voting is about policies, but also about trust. In yesterday's leaders debate, we saw five people around a table that most of us will never meet, five strangers. We have to determine, in part, whether we trust them. Similarly most of us only talk to our MPs for a few minutes when they show up at the door before the election; they are also strangers.
It's quite a remarkable transfer of trust, from millions of people to a few hundred, transferring the authority to declare war and to spend billions of taxpayer dollars.
The process to transfer this trust is voting, which also involves trusting strangers - you probably don't know the poll workers or the scrutineers.
But the good news is that in the physical world, we are really good at reasoning about how to manage the risks of trusting strangers. If a stranger asks for directions on the street, you will probably help them, but if they ask for a $100 loan and your name and address and promise to return the money to you later, you probably won't help them.
Our existing paper-based, human-counted system is based on our understanding of the balancing of motivations and self-interest, along with a clear physical evidence chain. You mark the ballot yourself in secret, you drop it in the box in front of everyone, and you trust that the competing interests of the scrutineers from the different parties will ensure that the open counting of the paper ballots is done properly.
If there's an issue, you can just count the ballots again.
And you know that if something does go wrong, all of those people live in your community and have to deal with the consequences.
You literally could have an elementary school class run a classic Canadian Federal election scenario and they could identify all of the possible risks, because reasoning about physical evidence and human behavior is one of our strengths.
Now imagine instead that when you walk into the polling station, they say to you "for improved efficiency, just tell this stranger how you want to vote, and he will go and handle the rest". So you tell him "I want to vote for the red party" and he goes and marks a ballot in secret and drops it in the ballot box. Now you have to trust that stranger totally. You can ask him, "did you vote for red?" and he can assure you over and over, but you can never actually know, for certain, how he voted on your behalf.
In effect, his report of your vote is now testimony, or even hearsay.
We understand this quite well in our criminal justice system. Physical evidence (e.g. a marked ballot that you can see) has the highest degree of credibility. Testimony much less so, because humans can lie. Hearsay least of all, because humans can really lie a lot about other people.
You go from e.g. seeing an X in a circle on a piece of paper, to having someone say "I definitely marked an X by the red candidate", to someone saying "I think I thought I saw someone mark an X by the red candidate".
So now we just need to replace one step and I think you'll see the problem: replace "tell your vote to a stranger" with "enter your vote on a computer".
How is that like telling a stranger? Well, when you think about it, computers don't program themselves. Every computer program, and even every computer chip, was designed by someone - by a stranger. Actually by many, many strangers. The computer is not some cold objective logic machine, incapable of error; the computer is the embodiment of the human intentions that went into its code and hardware - the computer is a human, in silico.
That means all of the things a person can do, a computer might do - a computer might fail, because of an error, or a computer might behave maliciously, because of malicious intent.
That is to say, the computer can lie. We often don't think about this, because for commercial reasons most people write code intended to behave well and to present information correctly. But there's no reason your code can't say
if input = "vote blue" then
    record +1 blue vote
    display "voted for blue"
else if input = "vote red" then
    record +1 blue vote
    display "voted for red"
THE COMPUTER CAN LIE.
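To make the pseudocode above concrete, here is an added simulation (not from the original post) of a vote recorder that behaves exactly as described, beside an honest one. It shows that every voter can receive the confirmation they expect while the stored tally is still wrong, and that the only check which catches it is the one the post relies on: counting the physical ballots again, independently of the machine. The ballot list and function names are constructed for this example.

```python
from collections import Counter

def lying_machine(ballots):
    """Mirrors the post's pseudocode: every ballot is recorded for 'blue',
    but the screen shows each voter the message they expect to see."""
    tally = Counter()
    confirmations = []
    for choice in ballots:
        tally["blue"] += 1                       # the lie: always records blue
        confirmations.append(f"voted for {choice}")  # display matches the voter's intent
    return tally, confirmations

def honest_machine(ballots):
    """Records each ballot as cast and confirms it truthfully."""
    return Counter(ballots), [f"voted for {c}" for c in ballots]

def confirmations_look_right(ballots, confirmations):
    """What a voter can check from the screen: did I get the message I expected?"""
    return all(f"voted for {c}" == m for c, m in zip(ballots, confirmations))

def paper_recount(ballots):
    """The post's remedy: count the marked paper ballots again, without the machine.
    This check only exists because a physical ballot exists; a purely electronic
    vote leaves nothing independent to recount."""
    return Counter(ballots)

# Constructed sample electorate: 6 red ballots, 4 blue ballots.
SAMPLE_BALLOTS = ["red"] * 6 + ["blue"] * 4

def audit(machine, ballots):
    """Run a machine over the ballots and report both checks."""
    tally, messages = machine(ballots)
    return {
        "every_voter_saw_expected_message": confirmations_look_right(ballots, messages),
        "machine_tally_matches_recount": tally == paper_recount(ballots),
    }

if __name__ == "__main__":
    for name, machine in (("honest", honest_machine), ("lying", lying_machine)):
        print(name, audit(machine, SAMPLE_BALLOTS))
```

For the lying machine the first check passes and the second fails: nothing a voter sees at the terminal distinguishes the two machines, only the independent recount does.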
You can see very real examples of this in sophisticated virus social engineering - the virus presents a window that says "you need to update your antivirus software immediately [ok] [cancel]" and when you press [ok], it actually fills your computer with viruses.
Beyond that, even without malicious intent, the computer can fail in a million bazillion ways - bugs in the code, hardware error, network error, power failure, overloaded by too much network traffic (as happened with the Do Not Call List), and on and on. Whereas a paper voting system can continue without power, and short of burning the paper or killing the people, it has limited ways that it can fail.
And this is an important point: people already attack physical voting systems, which is very high risk. (See e.g. Zimbabwe.) The reason they take this risk is the rewards are enormous - wealth beyond any other criminal scheme, power, privilege...
Consider that spammers have already constructed networks of hijacked machines ("botnets") - millions of machines in some cases - just to take advantage of the few thousand or at most few million dollars they can earn by ripping people off. Now just think - if there's Internet voting they can use the exact same technology to control who gets access to BILLIONS OF DOLLARS.
So think about it - you would never vote by telling a stranger your intent and letting them vote for you - why would you vote by telling a strange machine your intent and letting it vote for you?
Tuesday, September 30, 2008
Elections Canada and the Very Bad Online Idea
If you want to increase turnout, have a campaign to increase turnout.
Have ballot boxes at workplaces, or make the entire day a holiday.
There are lots and lots of ways to increase turnout.
Supporting Internet voting is asking for catastrophe in many different ways:
* it turns the solemn act of voting, one of the few acts of citizenship, into something no different than adding an item to your Amazon.ca shopping cart
* it means that you're using inherently unsafe, unsecured machines to provide the infrastructure for the most critical process of our democracy
* it means that someone can stand with a gun to my head and force me to vote the way they want while they watch (which, incidentally, also applies to voting by mail)
If you seriously think online voting will engage "the youth", then why not just go all the way and let them vote on their cellphones and call it "Greatest Canadian Idol"? (The sad part is that their cellphones are almost all much more secure than their computers.)
Here's what prompts this latest concern:
Elections Canada hopes it has the answers.
The federal agency has adopted a five-year strategy to boost turnout, with a focus on youth engagement.
Key planks in the plan are to communicate more frequently with voters between elections, via education programs, and to make voting more accessible to all Canadians.
Elections Canada is hoping to adopt online voter registration in two years, a tool already available in some provinces like Alberta.
Perhaps more importantly, the agency hopes to test web voting within five years, beginning with a byelection.
"The general philosophy is to take the ballot box to the voter," says Mayrand, Canada's chief electoral officer.
If the Internet gamble proves successful and security concerns can be addressed, Elections Canada would ask Parliament to amend legislation to include e-voting for general elections.
"Youth are quite familiar with technology. They expect to be able to use it for most of their life activities," Mayrand adds.
Black Mark - Calgary Herald - September 6, 2008
The problem being, voting is not like "most of their life activities".
Voting is not banking, voting is not surfing the net, voting is not listening to music, voting is not texting a friend.
Banking is an example that is often used, or online taxes, but these are completely false examples. The bank knows exactly how much money you have, as does the government, and every transaction has an audit trail and can be reversed.
Voting must not have an audit trail, and cannot be reversed (if you are going to retain a system of private, secret ballots).
Voting, since it provides the transfer of power from the very many to the very few, is a very attractive attack point for malicious actors, and I mean "attack point" quite literally - people die for their vote already today. Can you imagine how much more tempting it would be for all of the negative forces in our society to take advantage of the vast computer networks that already exist for spam and attacks ("botnets") and use them to throw the election, or to write a targeted virus to compromise the election?
That's not even to touch the issues of just running the election assuming everything actually goes right. The Do Not Call List site just went down because of high demand after it was launched. The Tax servers routinely get overloaded when millions of Canadians use the online systems near filing day. That's not a problem, because those transactions are repeatable.
What happens when the election servers go down from heavy demand on election day?
People resubmit their vote? We have the vote again another day?
A human-run, human-counted paper voting system has a very small number of failure modes, all of which anyone who understands the physical world can easily work out (people can steal the ballot boxes, etc.).
Computer-run, computer-counted voting systems have almost unlimited failure modes, which almost no one except computer and network security experts can fathom.
A paper voting system must work during the voting, and during the counting, and then it just disappears.
An electronic voting system requires servers that must be secured both physically and electronically 365 days of the year, every year, in case a vote is called.
The whole idea that you would get any benefits from online voting is patently ridiculous. The only way you can make it appear to work is to ignore all of the security issues, ignore all of the ongoing cost issues, treat it as if it were a banking or other repeatable and auditable transaction, as if voting is something that should somehow be made "efficient", and make a bunch of claims about turnout.
It is a Very Bad Idea.