Response to an Ill-Informed Post at VoteTrustUSA

June 5th, 2008 by Richard Carback in Misc

A recent post at VoteTrustUSA, entitled Electronic Verification for E-voting: A Dead End for Voter Confidence, contains misleading and false information. While such pieces are commonplace in the blogosphere, this particular piece is notable because it has enough references to seem plausible. The author also references our work, which makes a response inevitable.

In an effort to be brief, I will address the systemic errors in roughly the order they appear and avoid getting into unnecessary analysis and discussion. This is by no means a comprehensive refutation of everything wrong with the post, just the higher level ideas.

Invalid comparison. From the title, we are led to believe that the post will discuss the topic of “electronic verification.” Based on the link to our work and the discussion of cryptographic voting protocols, that term means E2E. However, the topic is inconsistent with the very first sentence of the post:

Paperless electronic voting is in retreat, its popularity done in by disturbing security reviews of current e-voting systems and significant voter concern about the integrity of elections.

This sentence equates the existing paperless DRE voting systems with E2E, but clearly they cannot be the same. E2E, or electronic verification, is a set of methods that guarantee certain properties. In other words, E2E is technology neutral and not specific to paperless DREs.

The idea of comparing and contrasting E2E with a specific technology is flawed. Systems based on E2E methods derive their properties from the underlying protocols and not from the specific hardware. Since the two do not correspond, it is not possible to usefully compare them unless you are comparing a specific implementation that uses such technology, which the article fails to do.

My guess is that the author mistakenly believes that an E2E based system is simply a piece of software put on a DRE. The word “paperless” supports this conclusion, because every proposed E2E based system for poll site voting that I have seen uses paper (or transparency sheets) in some way.

Confusion between use of a cryptographic protocol designed for voting and one for secure key exchange. The “bullet proof system” story referenced is about the use of quantum cryptography. This is not an E2E based system, so the comparison does not apply here either, except for the notion that it could have security problems. This is about as useful as saying “elections can have fraud.”

The effects of security problems are in the details, and E2E based systems show pretty graceful failure in the face of unforeseen flaws. What we have found is that the concepts in E2E are somewhat independent of the cryptographic algorithms used, and some newer E2E systems do not use cryptography at all.

E-commerce misconception. The post states that “it is necessary to compare electronic voting to electronic commerce.” Unfortunately, the post provides a rather narrow view of e-commerce, equating it only with non-anonymous transactions and glossing over many topics like anonymous digital cash. It is also not very clear why such a comparison is necessary or what it proves outside of the problem being difficult.

Improper assertion of the motivation behind Scantegrity. The sixth paragraph cites our work on Scantegrity, which adds E2E security properties to optical scan systems. Unfortunately, it is depicted as a descendant of a paperless system, but this is false, as Punchscan uses a paper ballot. Apparently the author’s definition of paper ballot is not “a piece of paper the voter uses to vote” but “a hand readable piece of paper available after the voter votes.”

Regardless of the definition of paper ballot, the implication is that the paper ballot is necessary for some sort of security property. The reality of the situation is that we really, really care about having secure elections as soon as possible. An add-on is, in my view, the best way to meet that goal because it will work with existing election equipment without modification and allows us to add security properties to systems that are already in use. Certification becomes clear and simple, and a voting system does not have to be created around it. The path to adoption is substantially cleaner and cheaper.

An unintended consequence of this choice is that the people who think paper provides certain security features find it less objectionable. The irony is that Scantegrity is a great example of what E2E can do better than paper, and in that sense it is particularly damning to someone saying that paper must be used, especially if his argument is against the use of E2E. Paper certainly can be useful, but it is more a matter of convenience than security.

Confusion between properties of a method and certification of an implementation. The post asks “Is the certification process for voting equipment up to the challenge of ensuring that electronic verification can secure an election?” Again, E2E is a method, and not a piece of equipment. E2E based systems are created to be secure assuming the public has full knowledge of their inner workings. They can be reviewed by any interested party, and not simply through a closed certification process. E2E methods are also designed to resist equipment failure. Whether a particular E2E method works is something you could verify once. After that you simply verify that the implementation adheres to the prescribed method and addresses the other certification requirements.

Ignorance of E2E requirements on voters. The post states:

Cryptographic verification requires that voters use a code to avoid compromising the secrecy of the ballot, and understanding the mathematics of the coding system would require substantial training on the part of voters.

This is simply false. While the privacy preserving receipt that the voter receives might have a code on it, this is not always the case, and there is no requirement for the voter to understand it. In some cases the E2E parts can be ignored by many of the voters if they are uninterested in using them. There is no training involved beyond pointing out what the receipt is and perhaps how to check it, if the receipt itself does not carry clear directions. Anything more than a poster and maybe a handout would probably be overkill.

The post also seems to ignore the feature that the privacy preserving receipts let each voter check that his or her ballot was actually counted and represented in the final tally. Even if voters understood only how to use this receipt, this is much more feedback than what they currently receive.

The author also fails to understand that it is possible for anyone to take the receipt data and verify that the receipts were correctly counted. This capability is in stark contrast to what we have now, where you have to stay the whole day and watch the counting afterward. Instead, you are limited only by your knowledge. If you couldn’t do it on your own, you could get someone you trust to do it for you. You, by yourself—sitting in your jammies the next morning—could do it for the whole state, or even the whole country, in no time at all. This is a lot different from taking several days off work and having a limited ability to check the goings on of one polling place.
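As an added illustration of the two checks described above (not code from the original post, and not Scantegrity's construction), here is a toy homomorphic-commitment model: each receipt is a commitment that hides the vote, a voter checks that his or her receipt appears on the public board, and anyone can check that the product of all posted receipts opens to the announced tally without any single ballot being revealed. The group parameters, base names and election data are constructed for illustration and are far too small for real use; real systems also require proofs that each ballot is well formed, which this toy omits.

```python
import hashlib
import secrets

# Toy parameters, constructed for illustration only: a Mersenne prime modulus
# and two bases with no known discrete-log relation between them.
P = 2**127 - 1
G = 3
H = int.from_bytes(hashlib.sha256(b"second base").digest(), "big") % P
ORDER = P - 1  # exponents are reduced mod the group order

def commit(vote, r):
    """Pedersen-style commitment to a vote: hides it, and binds the committer to it."""
    return (pow(G, vote, P) * pow(H, r, P)) % P

def cast_ballot(vote):
    """Voter side: returns (receipt, secret randomness). The receipt alone
    reveals nothing about the vote, so it is safe to print and take home."""
    r = secrets.randbelow(ORDER)
    return commit(vote, r), r

def run_election(votes):
    """Authority side: publishes the board of receipts, the tally, and the
    combined randomness that opens the product of all commitments.
    Caveat: a real system must also prove each vote is 0 or 1; this toy does not."""
    board, randomness = [], []
    for v in votes:
        receipt, r = cast_ballot(v)
        board.append(receipt)
        randomness.append(r)
    tally = sum(votes)
    proof = sum(randomness) % ORDER
    return board, tally, proof

def voter_checks_receipt(board, receipt):
    """Individual check: my receipt is on the public board, so my ballot is included."""
    return receipt in board

def anyone_verifies_tally(board, tally, proof):
    """Universal check: the product of every posted receipt must equal a
    commitment to the announced tally. Dropping, adding or altering any
    receipt, or misreporting the tally, makes this fail."""
    product = 1
    for receipt in board:
        product = (product * receipt) % P
    return product == commit(tally, proof)
```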

The end of the article is a quote from Bruce Schneier that doesn’t make a whole lot of sense in the context the author uses it:

Building a secure cryptographic system is easy to do badly, and very difficult to do well. Unfortunately, most people can’t tell the difference.

The use of the quote seems to imply that since it is hard to make cryptographic systems, we should not try. I find the implication absurd—think of all the other things we shouldn’t be doing since they’re hard… Whatever happened to that “can-do” American attitude? JFK once said:

We choose to go to the moon in this decade and do the other things, not because they are easy, but because they are hard, because that goal will serve to organize and measure the best of our energies and skills, because that challenge is one that we are willing to accept, one we are unwilling to postpone, and one which we intend to win, and the others, too.

Voting is a far cry from going to the moon, but it is an important and difficult problem.
