[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Bruce Schneier endorses paper ballots
In his Dec. 15 Crypto-Gram newsletter, Bruce Schneier, one of the most
respected computer security experts, endorsed paper ballots. See
excerpt below.
Lou
** *** ***** ******* *********** *************
Computerized and Electronic Voting
There are dozens of stories about computerized voting machines producing
erroneous results. Votes mysteriously appear or disappear. Votes cast
for one person are credited to another. Here are two from the most
recent election: One candidate in Virginia found that the computerized
election machines failed to register votes for her, and in fact
subtracted a vote for her, in about "one out of a hundred tries." And
in Indiana, 5,352 voters in an district of 19,000 managed to cast
144,000 ballots on a computerized machine.
These problems were only caught because their effects were obvious--and
obviously wrong. Subtle problems remain undetected, and for every
problem we catch--even though their effects often can't be undone--there
are probably dozens that escape our notice.
Computers are fallible and software is unreliable; election machines are
no different than your home computer.
Even more frightening than software mistakes is the potential for fraud.
The companies producing voting machine software use poor
computer-security practices. They leave sensitive code unprotected on
networks. They install patches and updates without proper security
auditing. And they use the law to prohibit public scrutiny of their
practices. When damning memos from Diebold became public, the company
sued to suppress them. Given these shoddy security practices, what
confidence do we have that someone didn't break into the company's
network and modify the voting software?
And because elections happen all at once, there would be no means of
recovery. Imagine if, in the next presidential election, someone hacked
the vote in New York. Would we let New York vote again in a week?
Would we redo the entire national election? Would we tell New York that
their votes didn't count?
Any discussion of computerized voting necessarily leads to Internet
voting. Why not just do away with voting machines entirely, and let
everyone vote remotely?
Online voting schemes have even more potential for failure and abuse.
Internet systems are extremely difficult to secure, as evidenced by the
never-ending stream of computer vulnerabilities and the widespread
effect of Internet worms and viruses. It might be convenient to vote
from your home computer, but it would also open new opportunities for
people to play Hack the Vote.
And any remote voting scheme has its own problems. The voting booth
provides security against coercion. I may be bribed or threatened to
vote a certain way, but when I enter the privacy of the voting booth I
can vote the way I want. Remote voting, whether by mail or by Internet,
removes that security. The person buying my vote can be sure that he's
buying a vote by taking my blank ballot from me and completing it himself.
In the U.S., we believe that allowing absentees to vote is more
important than this added security, and that it is probably a good
trade-off. And people like the convenience. In California, for
example, over 25% vote by mail.
Voting is particularly difficult in the United States for two reasons.
One, we vote on dozens of different things at one time. And two, we
demand final results before going to sleep at night.
What we need are simple voting systems--paper ballots that can be
counted even in a blackout. We need technology to make voting easier,
but it has to be reliable and verifiable.
My suggestion is simple, and it's one echoed by many computer security
researchers. All computerized voting machines need a paper audit trail.
Build any computerized machine you want. Have it work any way you
want. The voter votes on it, and when he's done the machine prints out
a paper receipt, much like an ATM does. The receipt is the voter's real
ballot. He looks it over, and then drops it into a ballot box. The
ballot box contains the official votes, which are used for any recount.
The voting machine has the quick initial tally.
This system isn't perfect, and doesn't address many security issues
surrounding voting. It's still possible to deny individuals the right
to vote, stuff machines and ballot boxes with pre-cast votes, lose
machines and ballot boxes, intimidate voters, etc. Computerized
machines don't make voting completely secure, but machines with paper
audit trails prevent all sorts of new avenues of error and fraud.
CRS Report on Electronic Voting:
<http://www.epic.org/privacy/voting/crsreport.pdf>
Voting resource pages:
<http://www.epic.org/privacy/voting/>
<http://www.eff.org/Activism/E-voting/>
<http://www.verifiedvoting.org/>
<http://electioncentral.blog-city.com/index.cfm>
Bills in U.S. Congress to force auditable balloting:
<http://graham.senate.gov/pr120903.html>
<http://holt.house.gov/issues2.cfm?id=5996>
Virginia story:
<http://www.washingtonpost.com/ac2/wp-dyn?pagename=article&node=&content
Id=A6291-2003Nov5> or <http://tinyurl.com/z9uc>
Indiana story:
<http://www.indystar.com/articles/1/089939-1241-014.html>
Nevada story:
<http://www.lasvegassun.com/sunbin/stories/lv-gov/2003/dec/10/515999082.
html> or <http://tinyurl.com/z9ud>
California Secretary of State statement on e-voting paper trail requirement:
<http://www.ss.ca.gov/executive/press_releases/2003/03_106.pdf>
Maryland story:
<http://www.gazette.net/200350/montgomerycty/state/191617-1.html>
More opinions:
<http://www.pbs.org/cringely/pulpit/pulpit20031204.html>
<http://www.securityfocus.com/columnists/198>
<http://www.sacbee.com/content/opinion/story/7837475p-8778055c.html>
Voter Confidence and Increased Accessibility Act of 2003
<http://www.wired.com/news/print/0,1294,61298,00.html>
<http://www.theorator.com/bills108/hr2239.html>
My older essays on this topic:
<http://www.schneier.com./crypto-gram-0012.html#1>
<http://www.schneier.com./crypto-gram-0102.html#10>