
Video Link December 27, 2007

Posted by Jeremy Clark in : Misc , add a comment

Check out this video of Ben Adida at Google giving an overview of cryptographic voting and read his afterthoughts.

Having given similar talks on Punchscan, I know how tricky it is to explain the concepts to a lay audience, especially the verification technique (the divide between individually verifying the inclusion of your ballot and collectively verifying the decryption and tallying of all ballots is in need of a good real-world analogy). He does an excellent job.

The content of posts to the Punchscan blog belong to the author and do not necessarily reflect the thoughts, feelings, or opinions of the Punchscan voting project.


Airbags and the VVSG December 26, 2007

Posted by Jeremy Clark in : Economics of Voting , add a comment

I suspect most of the people reading this blog have at least a passing familiarity with the VVSG, but for those who don’t, here is the nutshell version: the VVSG is a set of government guidelines for the security, integrity, usability, etc. of voting technology. States can voluntarily choose to ratify the guidelines, meaning they will only buy new voting technology that is compliant with the requirements. This pushes a significant cost onto the producers of the technology to research and develop compliant technology and then have it certified (to the tune of millions for certification alone).

The VVSG is under revision, and the ITIF recently hosted an open workshop (FOW-VVSG) on the VVSG featuring various experts from the voting community (including Punchscan’s David Chaum and Stefan Popoveniuc).

What I want to do in this post is examine a recurring analogy that got a lot of wear over the discussion portions of the workshop, and was also featured in at least one talk (Rebecca Mercuri @ 7:50 of this MP3). The analogy is a comparison between the costs imposed by the VVSG on the voting machine vendors and the costs imposed on the auto industry by airbag regulation. Like all good analogies, there is a surface point and then a wealth of insights underneath. I am going to riff on three: cost bluffing, identifying the bootleggers, and moral hazard.

Calling the Bluff

The surface point of the analogy is that the auto industry claimed airbag regulation would impose a prohibitive cost on them. Of course, they have an incentive to present pessimistic, highball cost estimates to try to deter the regulation. This is countered by consumer interest groups that present optimistic, lowball figures. For the policy makers, an accurate projection is needed to nail the exact requirements: they don’t want to put automakers in serious peril, but no one likes folding on a bluff either.

An ingenious solution to problems of this sort is illustrated in a similar case of regulation: acid rain scrubbers (as noted by Tim Harford in The Undercover Economist). In the 1970s, the government wanted to clean up the air, and in particular the chemicals pouring out of utility companies’ smokestacks that caused acid rain. The regulator’s proposed solution, mandating that companies fit scrubbers, promised to be quite expensive for the companies, and industry protested that the costs were prohibitive.

In response, the government auctioned off a small set of “get out of scrubbing free” vouchers. The theory is that the utility companies would bid for these vouchers as long as the asking price was cheaper than their expected costs, and stop bidding precisely when it became cheaper to simply go and implement the scrubbers. This gave the government valuable information about the companies’ true cost projections, and in addition the process elegantly allocates the vouchers to the companies most threatened by the imposed costs.

How does this relate to voting? Well, if States were seriously concerned about the imposed costs, they could slowly phase in the VVSG by first offering a small number of vouchers for non-compliant technology and then annually scaling back the number of vouchers. This gives smaller companies a chance to catch up, and gives the government good cost projections.

Bootleggers and Baptists

Bruce Yandle often speaks of an unholy alliance that was once forged between Baptists and bootleggers, both of whom wanted alcohol sales restricted on the Lord’s day: Baptists because they thought they were doing the good Lord’s work, and bootleggers because they would gain monopolistic control of the alcohol market for at least one day a week. Politicians who enacted this regulation could line their pockets with campaign contributions from the bootleggers while paying lip service to morality and devotion.

Russell Roberts abstracts this story to a general regulatory phenomenon: politicians claiming the public interest while covertly advancing private interests. Remember the acid rain scrubbers? The companies that made them lobbied alongside the environmentalists for the regulation, as did certain coal companies whose dirty coal was the ultimate cause of the sulfur dioxide (had the regulation imposed a tax instead, the utility companies could have solved the environmental problem by buying cleaner coal instead of scrubbers). Bootleggers and Baptists… Dirty Coal and Environmentalists.

While the auto industry may have resisted implementing airbags, this wasn’t exactly the case with reductions in automobile pollutants. The American auto industry actually pushed for requiring catalytic converters in cars. A pollution tax, the alternative, would have favoured foreign companies, like Honda, who already had emissions below what would be achieved with a converter. If a converter were required, Honda would have to put one on anyway and bear the same costs. Oh yeah, and guess who held the patent for the catalytic converter? GM.

At one time, tobacco companies were embroiled in a civil dispute over selling a product that increased health care costs. They agreed to a settlement that increased their taxes as compensation. This decrease in profit drove smaller companies out of the market, and Big Tobacco saw their profit margins actually increase due to less competition and their new, monopolistic ability to push increased costs onto the customer.

So what about the VVSG? I haven’t seen the evidence, and I would welcome insight here, but for these same reasons I cannot see any justification for the large voting technology vendors to strongly oppose the VVSG. Any increased development costs and fees can be passed right back to the buyer (who is, ultimately, the taxpayer) in the form of a price increase, and the higher barrier to entry works to keep new vendors from entering the market and driving prices down through competition. The hard question the EAC needs to ask itself is what is more valuable in the long run: fostering innovation through competition, or strong-arming an oligopoly.

Moral Hazard

While the example of requiring airbags seems illustrative of a categorically “good” thing, it ignores the tricky issue of moral hazard. While airbag and (the much better studied) seatbelt legislation decreases the probability of fatality in a car accident, this positive effect can be offset by people driving faster and taking more risks because they feel safer. While the addition of a seatbelt or airbag will certainly not turn us into maniacs, marginal increases in risky behaviour aggregated across an entire population can add up quickly. We might see fewer accidents if car manufacturers mounted a spear on the steering wheel, aimed at the driver’s heart.

While I don’t think moral hazard replicates as nicely in voting, there is a risk that stronger voting standards could lead to less diligent voters, poll workers, and vendors. E2E systems, in particular, struggle with moral hazard because our pitch is almost paradoxical: our systems are most trustworthy when no one trusts them (and thus everyone independently verifies the result).



FOW-VVSG Recap December 10, 2007

Posted by Richard Carback in : Legislation, Voting Policy , add a comment

Last Thursday I went to the First Open Workshop on the VVSG (FOW-VVSG). Audio of all the sessions is posted online, and I encourage anyone interested to check it out. It was a very interesting event, and I wanted to share some thoughts on two of the things that piqued my interest…

Verifiable vs. Verified

There was an interesting discussion of the meaning of the words “Verified” and “Verifiable”. I have always thought verifiable was the proper term, because it is optional whether the voter actually does the verification, and even if they have done so there is still a chance that they did not succeed in verifying the printout; but it really depends on your perspective. Dr. Mercuri pointed out that, legally, when you press the OK button, you are certifying that what was printed is what you accept as the proper recording of your vote. In that sense, it is verified. It is unclear to me what term should be used in the VVSG. If your presentation is such that 1 in 5 voters will not catch a mistake the machine makes on the record, can you really call it verified?

Software Independence

Software Independence, or rather the way it was presented in the proposed VVSG, turned out to be controversial, and I think it came up in discussion on a majority of the panels. Personally, while I think it is fine as a design approach, it was not appropriate to use it the way it was used as part of the standard. In my opinion, it is similar to “build security in”, “default deny”, and “have many levels of security”; you want to do those things, but there is no hard and fast way to check a box saying that someone did them. The way it is defined in the standard, it should be called “Software Prohibition”, not “Software Independence”: it prevents software from acting in any meaningful way, and at the same time the definition is weak in some respects.

Stefan pointed out that SI as defined in the VVSG was flawed on two levels. First, the definition was ambiguous, and second, the IVVR (the device they made up to say things were SI or not) does not meet the weakest definition of SI that he could come up with. His slides say it all, but I will elaborate. The VVSG defines SI as follows:

“…an undetected error or fault in the voting system’s software is not capable of causing an undetectable change in election results.”

The definition of SI is ambiguous because it does not say who can check the election results or when they can be checked. The VVSG is also missing audit mandates, so even if an error might be detectable, there is no guarantee that the software will not undetectably change the result anyway.

His explanation for why IVVR does not meet SI is unclear to me, but I will point out that VVPAT, which is supposedly SI, does not meet the definition. The reason is that not all voters check, or can check (specifically the visually impaired), the paper printout. All the DRE has to do is print the paper incorrectly. The voter, if he checks, thinks he made a mistake, goes back to change his vote, and presses submit again, and the machine prints the correct choices this time. If he doesn’t check, the machine succeeds at undetectably changing the election results. Careful readers might point out that this kind of error can be detected, but my point is that it might not be, or that it might be a deliberate flaw introduced on a per-machine basis on election day. If you did everything needed to detect all instances of this error, you might be doing enough checking that you could catch any errors introduced by the system even without VVPAT. Whether the system is SI in this case depends on procedures: whether you check, what you check, and how often you check for errors. Of course, if you know exactly what the error does, then you could likely prevent changes in election results.
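The misprint-and-reprint attack described above, together with the “1 in 5 voters will not catch a mistake” figure from the Verified vs. Verifiable section, can be made concrete with a small model. The following is an added example written for this page; it is not code from the Punchscan project or from any real voting system. The DRE behaviour, the per-voter check and report probabilities, the constructed electorate and the function names are all assumptions chosen for illustration. What it shows is that the software-independence question really is one of procedure: the chance that a deliberate flip goes unreported is governed less by whether voters look at the printout than by whether a voter who spots the misprint reports it rather than blaming themselves and quietly re-voting.

```python
import random
from dataclasses import dataclass, field


@dataclass
class MaliciousDRE:
    """Hypothetical DRE whose printer flips up to `flips` records from "A" to "B".

    Assumed behaviour (not a real machine): a voter who rejects the printout
    re-votes and is then printed correctly, so a caught flip leaves no trace on
    the paper trail unless the voter actually reports it to a poll worker.
    """
    flips: int
    paper: list = field(default_factory=list)  # what ends up on the paper trail

    def vote(self, intent: str, checks: bool, reports: bool) -> str:
        """Cast one vote. Returns 'ok', 'silent_flip', 're-voted' or 'reported'."""
        if self.flips > 0 and intent == "A":
            self.flips -= 1
            if not checks:
                self.paper.append("B")      # flip lands on paper unnoticed
                return "silent_flip"
            if reports:
                self.paper.append(intent)   # the complaint is the only evidence
                return "reported"
            self.paper.append(intent)       # voter blames self, re-votes, printed correctly
            return "re-voted"
        self.paper.append(intent)
        return "ok"


def undetected_probability(flips: int, check_rate: float, report_rate: float) -> float:
    """Closed form for the model above: a flip is caught only if its voter both
    checks and reports, and voters act independently of one another."""
    return (1.0 - check_rate * report_rate) ** flips


def flips_to_overturn(margin_votes: int) -> int:
    """Each A->B flip closes an A-over-B margin by two votes."""
    return margin_votes // 2 + 1


def simulate_undetected(flips, check_rate, report_rate, voters=200, trials=1000, seed=7):
    """Monte Carlo estimate of undetected_probability on a constructed electorate
    in which each voter intends "A" or "B" with equal probability."""
    rng = random.Random(seed)
    undetected = 0
    for _ in range(trials):
        dre = MaliciousDRE(flips)
        caught = False
        for _ in range(voters):
            intent = "A" if rng.random() < 0.5 else "B"
            outcome = dre.vote(intent, rng.random() < check_rate, rng.random() < report_rate)
            caught = caught or outcome == "reported"
        undetected += not caught
    return undetected / trials


if __name__ == "__main__":
    f = flips_to_overturn(20)  # constructed precinct: A leads by 20 votes
    for check_rate in (0.2, 0.8, 1.0):
        for report_rate in (0.1, 1.0):
            p = undetected_probability(f, check_rate, report_rate)
            est = simulate_undetected(f, check_rate, report_rate)
            print(f"check={check_rate:.1f} report={report_rate:.1f} flips={f} "
                  f"P(undetected)={p:.3f} simulated={est:.3f}")
```

With 80% of voters checking and every one of them reporting, eleven flips survive with probability 0.2^11, which is negligible. If the same 80% check but only one in ten of those who notice reports it (the rest assume they mis-pressed and re-vote), the per-flip catch rate is 0.08 and the same eleven flips escape about 40% of the time. That is the gap between a paper record being verifiable and the election being verified.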

Dr. Yasinsac from SAIT also had some damning things to say. Among them being that anything that uses software can’t use it in a meaningful way and be software independent. He also popped the question “what are the security properties of paper?”, pointing out that the VVSG is asking for design and not performance requirements in this respect.

Later, Jim Dickson pointed out that the IVVR is not accessible to voters with disabilities. Because it requires a “human readable” record, I think anything that is not printed paper cannot be an IVVR, even though the claim was tossed around that it need not be a paper trail. I also don’t think OpScan or VVPAT meet SI requirements, because if you don’t check 100% of the record you can’t find the problems, and there is no requirement for that kind of checking as there is in Scantegrity or Punchscan.

Other

There was much more that went on at the conference than what I’ve talked about here, but unfortunately I don’t have the time to detail it. The OVC, AADP, and EPIC all gave interesting talks that I encourage you to download and check out.

There was no consensus from the workshop. If you could say anything, the consensus was that all “schools of thought” represented at the meeting had problems with the document. The paper-trail people didn’t like it because of gaps in the document and things that it doesn’t address or define (e.g. “What is a ballot?”). The industry didn’t like it because it would make things too expensive (in particular, it requires use of a TPM-like chip that doesn’t exist). Crypto voting AND security people didn’t like it because SI was ambiguously defined. The disabilities folks didn’t like it because paper wasn’t accessible, and they didn’t like the layout of the accessibility requirements.

The NIST folks involved in the creation of the document and the EAC were both represented at the conference. They seemed to be taking the criticism well, and answered lots of questions. Overall, it was much more productive than I thought it would be. I will leave you with a choice quote from Jim Dickson (As best as I can remember it):

“We take people who are an average of 72 years old. We sleep deprive them for 2 days, and then we say ‘Now do the most important thing, be involved in counting the ballots!’. It’s a system that we know doesn’t work.”



VVPAT, “nothing else is secure.” December 5, 2007

Posted by Aleks Essex and Richard Carback in : Uncategorized , 2 comments

Here is an excerpt from the NY Times Freakonomics blog of an interview with Bruce Schneier in which he had this to say:

Q: What is the future of electronic voting?

A: I’ve written a lot about this issue (see here and here as well). Basically, the problem is that the secret ballot means that most of the security tricks we use in things like electronic funds transfers don’t work in voting machines. The only workable solution against hacking the voting machines, or — more commonly — innocent programming errors, is something called a voter-verifiable paper trail. Vote on whatever touch-screen machine you want in whatever way you want. Then, that machine must spit out a printed piece of paper with your vote on it, which you have the option of reviewing for accuracy. The machine collects the votes electronically for a quick tally, and the paper is the actual vote in case of recounts. Nothing else is secure.

Let me repeat that last part: “nothing else is secure.” For an individual made famous by assailing cut-and-dried security assertions, I’m surprised he had that to say. VVPAT is by no means above security criticism. As much as the idea has advanced the discussion on verifiable elections, it is, at its heart, a band-aid security solution. Of all people, I would have expected this author to advocate security design simultaneous with system design, not slapped on top afterwards.

I think sometimes when people live with an idea for long enough, they stop thinking critically about it. But when you’re outside looking in, things jump out at you. The Europeans say, for example, “why do the Americans switch their fork into their knife hand after cutting their food? It makes more sense to have one hand for one utensil.” Well, some things just emerge through time and are not the product of an original design. The Americans abandoned the hand-counted paper ballot in favour of DREs because they were faster, but in doing so made the election outcome vulnerable to fraud and error. VVPAT was added after the fact, yet for it to provide the security of a paper ballot system, you have to do the work of a paper ballot system.

Try to think about this from the perspective of someone who’s never heard the terms DRE or VVPAT. The kind of reaction you get is something like “so you’re giving up paper-based hand counting to switch to an electronic system that you make secure through paper-based hand counting?” Someone told me recently that’s like building a wind turbine to go green, and then powering it with a diesel engine… a self defeating solution.

So are VVPATs the wave of the future? I say yes, if by “wave” you mean the “na na na na, good-bye” variety. The DRE-VVPAT combo is an awkward mismatch of technological epochs. Though it may be enjoying its day in the sun, there is change on the horizon, and Punchscan, Pret-a-Voter and Scantegrity point to this.

More tangibly however I would draw peoples’ attention to the new innovation class outlined in the 2007 draft VVSG, which has opened the door to new possibilities.

As my voting research colleagues meet in Washington D.C. tomorrow for the First Open Workshop on the “Voluntary Voting System Guidelines” to discuss the aspects of certification of new systems under this innovation class, I’m left thinking Schneier’s vision for the future of electronic voting is in the same league as “640 KB of memory should be enough for everybody.”

