Interesting People mailing list archives
IP: Perspective on election processes Risks Digest 21.13
From: Dave Farber <farber () cis upenn edu>
Date: Sat, 09 Dec 2000 13:31:57 -0800
Date: Sun, 3 Dec 2000 9:59:37 PST
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Perspective on election processes

We have long noted in this forum and before that in the ACM Software Engineering Notes (which I created in 1976 and edited for 19 years, until succeeded by Will Tracz -- who has carried on the tradition) that there are very serious actual and potential problems in computer-related elections.

The current issue of *The New Yorker* (4 Dec 2000) begins with The Talk of the Town section by considering the current mess: ``But it is not as if we were without warning.'' The article notes the series of writings of David Burnham in *The New York Times* in 1985 and Ronnie Dugger's long article in *The New Yorker* issue dated 7 Nov 1988. The article notes that Dugger's 1988 article quotes Willis Ware, who has long been a wise observer:

    There is probably a Chernobyl or a Three Mile Island waiting to happen in some election, just as a Richter 8 earthquake is waiting to happen in California.

Many people have been asleep at the wheel for too long. See the Election material on my Web site http://www.csl.sri.com/neumann for pointers to some of the collected RISKS-historical material, especially the Illustrative Risks section on Election Problems, a document in which I have long cited Burnham's articles from *The NY Times*, 29 and 30 Jul, 4 and 21 Aug, and 18 Dec 1985. (I have already noted the 14% undervote for the Senate race in Florida in 1988.)

What we are experiencing now is not a new problem. Unfortunately, it had not previously reached Chernobyl-like proportions or surfaced in a close presidential election. Nevertheless, the process that is currently before us is finally forcing an examination of many of the relevant issues. I hope that some of the more basic deeper issues will not be ignored in trying to resolve the immediate issues. The time has come for a serious reassessment of the entire process.

Apologies for the long gap since the appearance of RISKS-21.12 on 11 Nov 2000. We have received an enormous amount of e-mail on this topic, although some of it has been superseded by events, and some of it is too politically motivated to include here. There are so many issues at the moment, such as chad slots that have not been cleaned in many years, the causes of dimpled punched cards, absentee ballot irregularities, the desirability of manual recounts in Florida and New Mexico and elsewhere, etc., that we cannot begin to enumerate them here. On the other hand, objectivity would seem to be extremely desirable at this time. Let me offer just a few suggestions:

* In the UK, Canada, France, Germany, and many other places, ballots for national elections consist of a single piece of paper with one candidate to be selected for one office. This is an extremely reliable process, is counted very quickly in a highly distributed fashion, and seldom challenged. Perhaps in the U.S., elections for the President should be considered a Federal function and conducted by a one-issue paper ballot, with all other election issues run by local jurisdiction in their own way, as is the case at present. Even in such a simple paper ballot, the challenges of avoiding fraud and accidents are significant, but by no means unsolvable. The reliability can indeed be greater than in all of the alternatives.

* If ballots are to be recorded and counted electronically, some sort of nonforgeable, nonalterable, and nonbypassable audit record must exist to make electronic tampering and accidents infeasible. Of course, voter privacy also needs to be honored. No existing electronic systems have anything close to what might be considered adequate, and the election system developers (with proprietary closed-source code) do not seem eager to take the extra miles needed for greater integrity. Claims of integrity are not backed up by standard practice of secure systems (which itself is extraordinarily weak), and no one seems to be applying even the relatively minimal standards of the Generally Accepted System Security Principles http://web.mit.edu/security/www/gassp1.html or reasonable certification processes.

* Voting by the Internet, even if only from well established polling places, is and will remain extraordinarily risky because of the inherent untrustworthiness of computer systems attached to the Internet and indeed the networking itself. It should not be recommended for use in the foreseeable future.

* Fraud and accidents must be anticipated throughout the election process. Election systems must be designed, implemented, and operated as systems in the large, and the human interfaces (for voters, administrators, maintenance personnel, etc.) must be considered as integral parts of the system. Any system should have live checking for invalid ballots. This existed decades ago in lever machines, and is common in electronic systems. If punched cards survive after 2000, card systems could easily include a single precinct display device that checks for overvoted or otherwise invalid ballots and for undervoted ballots before they are deposited.

* I previously noted the doctoral thesis work of Rebecca Mercuri. She has devoted an entire dissertation to the topic of election system integrity, and particularly the conflicts inherent with process integrity and voter ballot privacy. The thesis takes a broad system approach to voting security/integrity/reliability, and is in fact relevant in a much broader context. Highly recommended. For information, see her Web site: http://www.seas.upenn.edu/~mercuri/evote.html Rebecca also considers a proposal for an auditable paper trail of each electronic ballot that is verified by each voter before leaving and automatically deposited in a tamperproof receptacle. This is still not enough, but is worth considering as one more integrity measure. (For example, voters should not be allowed to photograph that record, because of the requirement that votes must not be salable, for example based on paper evidence of how you voted!)

Many wags have cited the aphorism that perfection is the enemy of the good. In election systems, there will never be perfection. But the existing state of the art is the enemy of sanity, and a rush to all-electronic voting is utter madness -- even though it may appeal to advocates of conceptual simplicity. It is by no means an easy path, if all of the desired requirements of the voting process are to be satisfied. And there is an enormous gap between the concept and an implementation that provides any real assurances.

For archives see: http://www.interesting-people.org/