BRUCE SCHNEIER ON ELECTRONIC VOTING

The following articles are from Bruce Schneier's on-line Crypto-Gram newsletters (available at http://www.schneier.com).

********************************************************************************

From December 15, 2000 Crypto-Gram Newsletter (http://www.schneier.com./crypto-gram-0012.html#1)

Voting and Technology

In the wake of last November's election, pundits have called for more accurate voting and vote counting. To most people, this obviously means more technology. But before jumping to conclusions, let's look at the security and reliability issues surrounding voting technology.

The goal of any voting system is to establish the intent of the voter, and transfer that intent to the vote counter. Amongst a circle of friends, a show of hands can easily decide which movie to attend. The vote is open and everyone can monitor it. But what if Alice wants _Charlie's Angels_ and Bob wants _102 Dalmatians_? Will Alice vote in front of her friends? Will Bob? What if the circle of friends is two hundred; how long will it take to count the votes? Will the theater still be showing the movie?

Because the scale changes, our voting methods have to change. Anonymity requires a secret ballot. Scaling and speed requirements lead to mechanical and computerized voting systems. The ideal voting technology would have these five attributes: anonymity, scalability, speed, audit, and accuracy -- direct mapping from intent to counted vote.

Through the centuries, different technologies have done their best. Stones and pot shards dropped in Greek vases led to paper ballots dropped in sealed boxes. Mechanical voting booths and punch cards replaced paper ballots for faster counting. New computerized voting machines promise even more efficiency, and Internet voting even more convenience. But in the rush to improve the first four attributes, accuracy has been sacrificed.
The way I see it, all of these technologies involve translating the voter's intent in some way; some of them involve multiple translations. And at each translation step, errors accumulate.

This is an important concept, and one worth restating. Accuracy is not how well the ballots are counted by, for example, the optical scanner; it's how well the process translates voter intent into properly counted votes.

Most of Florida's voting irregularities are a direct result of these translation errors. The Palm Beach system had several translation steps: voter to ballot to punch card to card reader to vote tabulator to centralized total. Some voters were confused by the layout of the ballot, and mistakenly voted for someone else. Others didn't punch their ballots so that the tabulating machines could read them. Ballots were lost and not counted. Machines broke down, and they counted ballots improperly. Subtotals were lost and not counted in the final total.

Certainly Florida's antiquated voting technology is partially to blame, but newer technology wouldn't magically make the problems go away. It could even make things worse, by adding more translation layers between the voters and the vote counters and preventing recounts.

That's my primary concern about computer voting: There is no paper ballot to fall back on. Computerized voting machines, whether they have keyboard and screen or a touch screen ATM-like interface, could easily make things worse. You have to trust the computer to record the votes properly, tabulate the votes properly, and keep accurate records. You can't go back to the paper ballots and try to figure out what the voter wanted to do. And computers are fallible; some of the computer voting machines in this election failed mysteriously and irrecoverably.

Online voting schemes have even more potential for failure and abuse. We know we can't protect Internet computers from viruses and worms, and that all the operating systems are vulnerable to attack.
What recourse is there if the voting system is hacked, or simply gets overloaded and fails? There would be no means of recovery, no way to do a recount. Imagine if someone hacked the vote in Florida; redoing the election would be the only possible solution. A secure Internet voting system is theoretically possible, but it would be the first secure networked application ever created in the history of computers.

There are other, less serious, problems with online voting. First, the privacy of the voting booth cannot be imitated online. Second, in any system where the voter is not present, the ballot must be delivered tagged in some unique way so that people know it comes from a registered voter who has not voted before. Remote authentication is something we've not gotten right yet. (And no, biometrics don't solve this problem.) These problems also exist in absentee ballots and mail-in elections, and many states have decided that the increased voter participation is more than worth the risks. But because online systems have a central point to attack, the risks are greater.

The ideal voting system would minimize the number of translation steps, and make those remaining as simple as possible. My suggestion is an ATM-style computer voting machine, but one that also prints out a paper ballot. The voter checks the paper ballot for accuracy, and then drops it into a sealed ballot box. The paper ballots are the "official" votes and can be used for recounts, and the computer provides a quick initial tally.

Even this system is not as easy to design and implement as it sounds. The computer would need to be treated like safety- and mission-critical systems: fault tolerant, redundant, carefully analyzed code. Adding the printer adds problems; it's yet another part to fail. And these machines will only be used once a year, making it even harder to get right. But in theory, this could work.
It would rely on computer software, with all those associated risks, but the paper ballots would provide the ability to recount by hand if necessary.

Even with a system like this, we need to realize that the risk of errors and fraud cannot be brought down to zero. Cambridge Professor Roger Needham once described automation as replacing what works with something that almost works, but is faster and cheaper. We need to decide what's more important, and what tradeoffs we're willing to make.

This is *the* Web site on electronic voting.

Rebecca Mercuri wrote her PhD thesis on the topic, and it is well worth reading.

Good balanced essays:

Pro-computer and Internet voting essays:

Problems with New Mexico computerized vote-counting software:

********************************************************************************

From February 15, 2001 Crypto-Gram Newsletter (http://www.schneier.com./crypto-gram-0102.html#10)

Internet Voting vs. Large-Value e-Commerce

One of the odder comments I've heard in the debate on Internet voting is the following: "If we can protect multi-billion-dollar e-commerce transactions on the Internet, certainly we can protect elections" (or words to that effect). I've heard it so often that I feel the need to explain why it isn't true.

There are two important differences between large financial transactions and voting that make the former much more suitable for networked implementation: anonymity and recovery.

In _Secrets and Lies_, I made the point that electronic financial systems based on identity (electronic credit cards, electronic checks, PayPal, etc.) are much more likely to be implemented than electronic cash because the former is much easier to secure. Large financial transactions all have names attached: who gets the money, who loses the money. Votes only have the names of the recipients attached; the whole point of a secret ballot is to remove the name of the voter.
This makes it much harder to protect the system from fraud, much harder to detect fraud if it happens, and much harder to identify the perpetrator and arrest him.

Another difference between large financial transactions and voting is that you can unwind a financial transaction. This is important. If someone manages to steal a billion dollars from a financial system, you can freeze the transaction, try to figure out what happened, and hopefully return the money. If someone manages to hack the vote, there's nothing you can do. This is the lesson from Florida: even in the face of a confusing ballot, manipulation of absentee ballot applications, widespread voter irregularities, and voting technology that disproportionately disenfranchised minorities, there was nothing that could be done. The vote was taken on Election Day, and that's that. Revoting would have been even more unfair, because it is impossible to recreate the conditions at the time of the original vote. Our voting system doesn't allow for the same ability to redo transactions that our financial systems do.

There's another, less important, difference between large financial transactions and voting: in the latter, appearances matter. If someone claims to have stolen a billion dollars and no one seems to have lost it, you can safely ignore his boast. On the other hand, if some political group claims, on election night, to have hacked the vote...what do you do? You can't disprove the claim. You can't redo the vote to make sure it is accurate.

Building a secure Internet-based voting system is a very hard problem, harder than all the other computer security problems we've attempted and failed at. I believe that the risks to democracy are too great to attempt it.

Quotes:

Phil Noble, director of politicsonline.com, said "...if the largest banks in the world transfer billions of dollars every day electronically we can use the same technology to ensure secure voting."
From "Analysis of Internet Voting Protocols," by Andre M. Chernay: "Currently existing software is adequate to protect the integrity of the ballot once the ballot gets into the Internet pipeline. Transactions currently performed over the Internet include e-commerce, the transferring of funds around the world, and the purchasing and selling of stocks. For example, 100 million Americans will go online this year and spend almost $12 billion in online purchases."

This same argument was made on an All Things Considered radio segment "Allow People to Register to Vote Online" on 10 Aug 1999.

"'Vote Integrity on the Internet Is No Different From Billion Dollar Transactions,' Says Chris Kenber, President and CEO of Hifn."

From an article called "About (tele)democracy": "First, we experience voter fraud now and always have lived with it. Today claims about voting irregularities are heard at nearly every election. Second, if there is an incentive to commit electronic fraud, surely money is the prime motivation. Yet, every day, hundreds of billions of dollars move through the banking system with good security. Fraud exists, but it has been policed and prosecuted."

********************************************************************************

From December 15, 2003 Crypto-Gram Newsletter (http://www.schneier.com/crypto-gram-0312.html#9)

Computerized and Electronic Voting

There are dozens of stories about computerized voting machines producing erroneous results. Votes mysteriously appear or disappear. Votes cast for one person are credited to another. Here are two from the most recent election:

One candidate in Virginia found that the computerized election machines failed to register votes for her, and in fact subtracted a vote for her, in about "one out of a hundred tries."

And in Indiana, 5,352 voters in a district of 19,000 managed to cast 144,000 ballots on a computerized machine.

These problems were only caught because their effects were obvious--and obviously wrong.
Subtle problems remain undetected, and for every problem we catch--even though their effects often can't be undone--there are probably dozens that escape our notice. Computers are fallible and software is unreliable; election machines are no different than your home computer.

Even more frightening than software mistakes is the potential for fraud. The companies producing voting machine software use poor computer-security practices. They leave sensitive code unprotected on networks. They install patches and updates without proper security auditing. And they use the law to prohibit public scrutiny of their practices. When damning memos from Diebold became public, the company sued to suppress them.

Given these shoddy security practices, what confidence do we have that someone didn't break into the company's network and modify the voting software? And because elections happen all at once, there would be no means of recovery. Imagine if, in the next presidential election, someone hacked the vote in New York. Would we let New York vote again in a week? Would we redo the entire national election? Would we tell New York that their votes didn't count?

Any discussion of computerized voting necessarily leads to Internet voting. Why not just do away with voting machines entirely, and let everyone vote remotely? Online voting schemes have even more potential for failure and abuse. Internet systems are extremely difficult to secure, as evidenced by the never-ending stream of computer vulnerabilities and the widespread effect of Internet worms and viruses. It might be convenient to vote from your home computer, but it would also open new opportunities for people to play Hack the Vote.

And any remote voting scheme has its own problems. The voting booth provides security against coercion. I may be bribed or threatened to vote a certain way, but when I enter the privacy of the voting booth I can vote the way I want.
Remote voting, whether by mail or by Internet, removes that security. The person buying my vote can be sure that he's buying a vote by taking my blank ballot from me and completing it himself. In the U.S., we believe that allowing absentees to vote is more important than this added security, and that it is probably a good trade-off. And people like the convenience. In California, for example, over 25% vote by mail.

Voting is particularly difficult in the United States for two reasons. One, we vote on dozens of different things at one time. And two, we demand final results before going to sleep at night. What we need are simple voting systems--paper ballots that can be counted even in a blackout. We need technology to make voting easier, but it has to be reliable and verifiable.

My suggestion is simple, and it's one echoed by many computer security researchers. All computerized voting machines need a paper audit trail. Build any computerized machine you want. Have it work any way you want. The voter votes on it, and when he's done the machine prints out a paper receipt, much like an ATM does. The receipt is the voter's real ballot. He looks it over, and then drops it into a ballot box. The ballot box contains the official votes, which are used for any recount. The voting machine has the quick initial tally.

This system isn't perfect, and doesn't address many security issues surrounding voting. It's still possible to deny individuals the right to vote, stuff machines and ballot boxes with pre-cast votes, lose machines and ballot boxes, intimidate voters, etc. Computerized machines don't make voting completely secure, but machines with paper audit trails prevent all sorts of new avenues of error and fraud.

CRS Report on Electronic Voting:

Voting resource pages:

Bills in U.S. Congress to force auditable balloting:

Virginia story:

Indiana story:

Nevada story:

California Secretary of State statement on e-voting paper trail requirement:

Maryland story:

More opinions:

Voter Confidence and Increased Accessibility Act of 2003

My older essays on this topic:
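Added example, not from the Crypto-Gram essays or from Bruce Schneier: a small Python reconciliation check for the paper-audit-trail design recommended in both the December 2000 and December 2003 essays above. It treats the printed, voter-verified paper ballots as the official record, uses the machine's tally only as the quick initial count, and flags the two failure patterns the essays describe: a machine tally that diverges from the paper recount (votes dropped, subtracted or credited to the wrong candidate) and a machine reporting more ballots than voters signed in at the poll book. The PrecinctRecord structure, the function names and every number in the sample data are constructed for illustration and are not real election results.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class PrecinctRecord:
    """Hypothetical per-precinct record (constructed for this example)."""
    name: str
    signed_in_voters: int      # poll-book count of voters who checked in
    machine_tally: dict        # candidate -> votes, as reported by the machine
    paper_ballots: list        # one candidate name per voter-verified paper ballot


def recount_paper(ballots):
    """Hand recount of the paper ballots, the official record."""
    return dict(Counter(ballots))


def reconcile(precinct):
    """Compare the machine's quick tally against the poll book and the paper
    ballots. Returns a list of findings; an empty list means no discrepancy."""
    findings = []
    paper = recount_paper(precinct.paper_ballots)
    machine_total = sum(precinct.machine_tally.values())
    paper_total = len(precinct.paper_ballots)

    # Ballot-volume check: neither the machine nor the ballot box can
    # legitimately hold more ballots than the number of voters who signed in.
    if machine_total > precinct.signed_in_voters:
        findings.append(
            f"machine reports {machine_total} ballots but only "
            f"{precinct.signed_in_voters} voters signed in")
    if paper_total > precinct.signed_in_voters:
        findings.append(
            f"{paper_total} paper ballots but only "
            f"{precinct.signed_in_voters} voters signed in")

    # Per-candidate check: any divergence between the machine tally and the
    # paper recount (votes dropped, subtracted, or credited to the wrong name).
    for cand in sorted(set(precinct.machine_tally) | set(paper)):
        m = precinct.machine_tally.get(cand, 0)
        p = paper.get(cand, 0)
        if m < 0:
            findings.append(f"{cand}: machine tally is negative ({m})")
        if m != p:
            findings.append(f"{cand}: machine {m}, paper {p} (diff {m - p:+d})")
    return findings


def certify(precinct):
    """The paper ballots are the official votes: certify from them, never from
    the machine's tally."""
    return recount_paper(precinct.paper_ballots)


def sample_precincts():
    """Constructed sample data (not real election results)."""
    clean_ballots = ["A"] * 60 + ["B"] * 40
    return [
        # Machine and paper agree.
        PrecinctRecord("P1", 100, {"A": 60, "B": 40}, clean_ballots),
        # Machine silently dropped two votes for A and miscredited one to B.
        PrecinctRecord("P2", 100, {"A": 58, "B": 41}, clean_ballots),
        # Machine reports far more ballots than voters who signed in.
        PrecinctRecord("P3", 100, {"A": 86_400, "B": 57_600}, clean_ballots),
    ]


if __name__ == "__main__":
    for pr in sample_precincts():
        issues = reconcile(pr)
        status = "OK" if not issues else "DISCREPANCY"
        print(f"{pr.name}: {status}; certified from paper: {certify(pr)}")
        for line in issues:
            print("   ", line)
```

The design point is that the machine is never the authority: `certify` reads only the paper, and `reconcile` exists to decide whether the quick tally can be trusted at all. P2 is the quiet case the essays warn about, where the totals are plausible and only a comparison against the paper reveals the loss; P3 is the obvious case, caught by the volume check before any candidate is even examined.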