Vote Selling: Harder Than You Would Think
July 4, 2008
Posted by Richard Carback in: Voting Policy, 3 comments
According to one Minnesota voter’s story:
A college student claimed it was all a joke when he put his vote in this fall’s presidential election up for sale on the Web auction site eBay. But prosecutors didn’t see the humor.
Back in 2000 there was a website specifically for selling votes, but that was taken down fairly quickly, too. Surely, a widespread black market off-shore shop might be possible, but succeeding with this sort of thing usually requires a confidential and limited approach.
The vote selling issue has always been interesting to me. Obviously, it should not be possible to make a proof of sale, because that opens the system up to other forms of coercion. However, if you can’t confirm compliance, is there anything to worry about?
My opinion is that these laws should still exist, for two reasons. First, privacy is really hard to guarantee with a voting system, and you can still get lesser forms of “proof” (e.g. cellphone picture of ballot–can be faked but still might be enough). Second, I (weakly) disagree with the major argument that I have heard for vote selling, which is that candidates are buying votes with their positions and promises anyway. Otherwise non-voting voters affect the process for more interested voters. I think that anything that makes a voter change his vote other than the opinion of the candidate is probably wrong.
I am still writing part 3 of the secret ballot series, and I should be finished soon. Have a happy 4th of July!
The content of posts to the Punchscan blog belong to the author and do not necessarily reflect the thoughts, feelings, or opinions of the Punchscan voting project.
Semiprime Time
Posted by Aleks Essex in: Voting Goals, Voting Policy
Computer scientist and election technology analyst Avi Rubin touched on some familiar themes in an interview yesterday:
There are cryptographic techniques that can be used to achieve software independence so that even if there’s a bug in the software, you’ll detect if there’s a problem. But those are not ready for prime time in my opinion.
Though I’m generally more optimistic about this, it’s a fair statement, especially since there hasn’t yet been any definitive event to have changed many minds. The question I put to you, fair reader, is how do we recognize when the time has come? It would seem, as in Rubin’s case, a conservative assessment of the situation would best allow one to avoid taking a premature position on the matter.
I suppose there are only two factors to take into account. One is a stable convergence of the technology with a consistent set of security ideals. However, this by itself may be too abstract to be appreciated by the general public.
Naturally for me as an engineer, the defining characteristic of a technology entering “prime time” is its first successful deployment in the field.
But perhaps we can never say for certain the time has come, only that now is as good a time as any.
Rivest announces Scantegrity collaboration in RSA08 keynote
May 2, 2008
Posted by Aleks Essex and Richard Carback in: Voting Events, Voting Policy
In the cryptographer’s panel discussion last month at RSA 2008, Ron Rivest took the opportunity to relate his recent work in voting and announced his collaboration with David Chaum and the Punchscan team in an upcoming paper presenting Scantegrity II (invisible ink). Rivest goes on to discuss the ongoing EAC VVSG comment period as well as the notion of ‘software independence’ in voting machines.
Watch the video of his discussion of voting HERE beginning at 17′:00″. This video also contains excellent discussion from crypto all-stars Diffie, Hellman and Shamir.
In related news you’ll be able to read about Scantegrity (aka “Scantegrity I”) in the upcoming May/June edition of IEEE Security and Privacy Magazine.
When internet voting ruled the Earth
March 13, 2008
Posted by Aleks Essex and Richard Carback in: Voting Goals, Voting Policy, 3 comments
Thinking about remote voting options such as mail-in and internet voting (by which I mean voting remotely via the internet), a quote from Jurassic Park comes to mind:
“Your scientists were so preoccupied with whether or not they could, they didn’t stop to think if they should.”
This comes back to the question of priorities for a country’s democratic process. Given two seemingly rivalrous options, universal accessibility and universal ballot secrecy, which is the priority?
If, as in Canada’s case, you allow everyone the option of using remote voting then at least in theory you cannot guarantee protection from undue influence. It could therefore be said accessibility is given precedence.
It may be that a plausible middle ground is, as has been suggested, that voters are afforded remote voting as an option only if they can demonstrate an accessibility need. Therefore everyone gets access to the election, and ballot secrecy is still maintained for the majority of voters who are (presumably) able to attend the polling place.
So how do you demonstrate an accessibility need? I suppose you cannot directly. But in Canada many aspects of the voting process rely heavily on the use of statutory declarations to get around various unprovable situations. So the scheme would work like this: you get to vote remotely only if you’re absent or otherwise unable to attend the polling place which you affirm in a statutory declaration made as a pre-condition for remote voting.
But again we come back to priorities. In this case there’s a third priority beyond accessibility and secrecy: convenience. So what’s the priority? Should remote voting be about convenience for all voters, or accessibility for special needs voters?
Eesti VOTEariik
March 11, 2008
Posted by Aleks Essex in: Voting Goals, Voting Policy, 3 comments
Voting through the tubes was a topic that came up at the ITIF Future of Voting forum: is internet voting really how we see our future?
According to a Government Computer News article my position is that “the jury is out” on the fundamental acceptability of internet voting and I go on to point out that we should be doing our best to develop secure solutions because with respect to adoption in certain countries “it’s here.” I do not believe these were precise quotes of mine–perhaps taken out of a greater context. So allow me to disagree with “myself.”
Consider Estonia, the first country to offer internet voting. My grandmother–herself Estonian–fled to Canada during WWII to escape the Soviets. Fifty years passed. There were no elections. But when the iron curtain fell, she got to vote in the Estonian national elections–like many there–for the first time in her life. I still remember going with her to a church basement (in small-town Canada) to cast her vote. What would she think about internet voting if she were here today? To be honest, I think she would say, “Estonia’s voting, that’s what I care about.”
But think about it. They’re an internet savvy country, they have a national PKI, and (pursuant to the little history lesson) they have a relatively clean slate in terms of equipment, precedent and procedure (unlike the US). So it really seems they had all the ‘right stuff.’ I admit to even feeling a little 2nd-generation pride that they pulled it off.
But how far does this model extend with respect to other countries? Well, allow me to stick to what I can legitimately editorialize on; my own country. The Canadian federal government has been moving toward internetizing services for several years now. I did my taxes yesterday (that is to say, my wife collected my T4’s from me) and we filed our return online. In ‘06 for the first time we were given the option to complete our census questions online. I actually (at the time) got into a protracted clash with the ministry responsible because they absolutely refused to tell me anything about the security of the software they wanted *ME* to use–but that’s another story altogether.
But with respect to voting, we’re Australian ballot all the way. At least federally and provincially. And what’s more, there seems to be no desire to change. But could we do it? Yes, actually I think so. We have the underlying organizational infrastructure (though no national id smart-cards). The credential-issuing solution would be paper-based and could parallel the existing government e-services. (Except they would likely contract a 3rd party to write the software and then not allow voters to ask how their vote is secured.)
But I see two problems:
- Voting ain’t like taxes or census. Your vote (individually) is not factual information that government is entitled to know.
- The internet voting model doesn’t (or rather hasn’t yet) satisfactorily addressed the issue of vote-buying.
But as Paul DeGregorio pointed out to me, with mail-in voting you can show people how you vote, yet it is an acceptable method, so how is internet voting fundamentally different? I guess I don’t know. But if you spend as much time worrying about voter-privacy as I do, your reaction may be that mail-in voting should not be a valid option for the majority of the voting population.
In 2006, Elections Canada announced that the mail-in option was made available to every voter. Yet in a different document they say “the security of the ballot is paramount, and the system makes it impossible to discover for whom a specific voter has voted … to ensure that no electors are intimidated or bribed into voting in a particular way.” That would seem to be a contradiction.
Is there not a tipping point where, when enough voters use the mail-in option (or by extension the internet option), the outcome of an election itself is malleable by intimidation or bribery?
I think it comes down to this: what is important? If ballot secrecy is important, then perhaps internet voting is not the correct avenue to pursue (unless you’re trying to include this in the design, which turns out to be pretty difficult–so far). If perhaps you think “well, privacy is dead anyway” then the convenience it offers is attractive. We really should set our priorities straight before we talk about internet voting system design.
NPR misses the mark on ITIF “Future of Voting” coverage
March 7, 2008
Posted by Richard Carback and Aleks Essex in: Voting Policy, 2 comments
After the success of the ITIF’s Future of Voting panel, we were surprised by the nature of NPR’s radio coverage. From our perspective the report greatly distorted the tone and focus of the event in an apparent effort to concoct a sense of controversy.
Aspects of the coverage we felt were misleading:
- The title of the report does not reflect the focus. Why would people who oppose paper ballots present a system with…. a paper ballot? The summary of the report is tangential to the event. This event was about new voting research and presented a range of solutions; internet, opscan and DRE based.
- The report begins with a shot directed at the ITIF for AV “technical difficulties.” How is this newsworthy, really? Maybe the reporter could have interviewed the House Administration Committee room’s AV guy and asked him why he didn’t show up to give us access to the equipment. To the ITIF’s credit, they had a backup screen and projector.
- David Dill is interviewed and purported by NPR as providing the “controversy” component, yet was not present at the event. He hasn’t seen the systems nor did he offer any directed criticism about them.
- His comments seemed to be included out of context. Every system presented had a paper ballot capability.1 One focused on overseas voting, and another on usability issues. Our system is an opscan add-on, improving the type of system that David is known to prefer.
- Arguably these technologies are not “on the horizon.” Each group demoed working prototypes at the event and are working with counties to use these systems in public elections.
Stay tuned for more details about the forum. Tomorrow, we will be posting a longer recap with pictures.
1 - Prime III prefers a “video audit trail” that they use in a special way AND have empirical evidence indicating it is faster to audit. Our understanding is that they have a paper trail option built-in already, but if not there’s nothing preventing it and they do not oppose it.
Event on the hill: The Future of Voting
March 3, 2008
Posted by Aleks Essex in: Voting Policy
The Punchscan team will be in D.C. on Thursday March 6th to present at the ITIF’s Future of Voting forum.
We are pleased to announce we will be unveiling our latest development–Scantegrity II–at this event.
The VVSG Open Forum
January 31, 2008
Posted by Richard Carback in: Voting Policy, 1 comment so far
This week I started disseminating news of my latest project, the VVSG-OF. The idea is to provide a discussion board-like setting for discussing the latest VVSG Draft. The hope is that, through open discussion, a few new ideas might come up that would not otherwise happen in the short times available in conferences on the document.
This is not to be confused with EAC’s own comment tool, which is a convenient, albeit mostly one-way, avenue to express your opinions on the document. When the comment period is over in early March, I will print out all the comments and mail them to the EAC (by me on behalf of each commenter).
If you are at all interested in the voting process and where that will be heading in the coming years, I urge you to take a look!
FOW-VVSG Recap
December 10, 2007
Posted by Richard Carback in: Legislation, Voting Policy
Last Thursday I went to the First Open Workshop on the VVSG (FOW-VVSG). Audio of all the sessions is posted online, and I encourage anyone interested to check it out. It was a very interesting event, and I wanted to share some thoughts I had on two of the things that piqued my interest…
Verifiable vs. Verified
There was an interesting discussion of the meaning of the use of the word “Verified” vs. “Verifiable”. I have always thought verifiable was the proper term because it is optional if the voter actually does the verification and — even if they had done so — there still may be a chance that they did not succeed in verifying the printout, but it really depends on your perspective. Dr. Mercuri pointed out that, legally, when you press the OK button, you are certifying that what was printed is what you accept as the proper recording of your vote. In that sense, it is verified. It is unclear to me what term should be used in the VVSG. If your presentation is such that 1 in 5 voters will not catch a mistake on the record the machine makes, can you really call it verified?
Software Independence
Software Independence, or rather, the way it was presented in the proposed VVSG, turned out to be controversial, and I think it came up in discussion on a majority of the panels. Personally, while I think it is fine as a design approach, it was not appropriate to use the way it was used as part of the standard. In my opinion, it is similar to “build security in”, “default deny”, and “have many levels of security” — you want to do those things, but there’s no hard and fast way to check off in a box that someone did it. The way it is defined in the standard it should be called “Software Prohibition”, and not “Software Independence”. It prevents any software from acting in any meaningful way — and at the same time this definition is weak in some aspects.
Stefan pointed out that SI as defined in the VVSG was flawed on two levels. First, the definition was ambiguous, and second, the IVVR (the device they made up to say things were SI or not) does not meet the weakest definition of SI that he could come up with. His slides say it all, but I will elaborate. The VVSG defines SI as follows:
“…an undetected error or fault in the voting system’s software is not capable of causing an undetectable change in election results.”
The definition of SI is ambiguous because it does not say who can check the election results or when they can be checked. The VVSG is also missing audit mandates, so even if an error might be detectable, there is no guarantee that the software will not undetectably change the result anyway.
His explanation for why IVVR does not meet SI is unclear to me, but I will point out that VVPAT, which is supposedly SI, does not meet the definition. The reason is because not all voters check, or can check (specifically the visually impaired), the paper printout. All the DRE must do is incorrectly print out the paper. The voter, if he checks, thinks he made a mistake, and goes back to change his vote, then he presses submit again, and the machine prints out the correct choices this time. If he doesn’t check, the machine succeeds at undetectably changing election results. Careful readers might point out that this kind of error can be detected, but my point is that it might not be, or it might be a deliberate flaw that could be introduced on a per machine basis the day of the election. If you did everything you needed to do to detect all instances of this error you might be doing enough checking that even if you didn’t have VVPAT you could catch any errors introduced by the system. Whether the system is SI in this case depends on procedures, that is, if you check and what you check and how often you check to find errors. Of course, if you know exactly what the error does, then you could likely prevent changes in election results.
Dr. Yasinsac from SAIT also had some damning things to say. Among them being that anything that uses software can’t use it in a meaningful way and be software independent. He also popped the question “what are the security properties of paper?”, pointing out that the VVSG is asking for design and not performance requirements in this respect.
Later, Jim Dickson pointed out that the IVVR is not accessible to voters with disabilities. That it requires a “human readable” record I think makes it so that anything that is not printed paper cannot be an IVVR, even though the claim was tossed around that it not necessarily be a paper trail. I also don’t think OpScan or VVPAT meet SI requirements because if you don’t check 100% of the record, you can’t find the problems, and there’s no requirement that you do that kind of checking like there is in Scantegrity or Punchscan.
Other
There was much more that went on at the conference than what I’ve talked about here but unfortunately I don’t have the time to detail them here. The OVC, AADP, and EPIC all gave interesting talks that I encourage you to download and check out.
There was no consensus from the workshop. If you could say anything, the consensus was that all “schools of thought” represented at the meeting had problems with the document. The paper-trail people didn’t like it because of gaps in the document and things that it doesn’t address or define (e.g. “What is a ballot?”). The industry didn’t like it because it would make things too expensive (in particular, it requires use of a TPM-like chip that doesn’t exist). Crypto voting AND security people didn’t like it because SI was ambiguously defined. The disabilities folks didn’t like it because paper wasn’t accessible, and they didn’t like the layout of the accessibility requirements.
The NIST folks involved in the creation of the document and the EAC were both represented at the conference. They seemed to be taking the criticism well, and answered lots of questions. Overall, it was much more productive than I thought it would be. I will leave you with a choice quote from Jim Dickson (As best as I can remember it):
“We take people who are an average of 72 years old. We sleep deprive them for 2 days, and then we say ‘Now do the most important thing, be involved in counting the ballots!’. It’s a system that we know doesn’t work.”
The Importance of Usability
October 17, 2007
Posted by Richard Carback in: Voting Policy, 2 comments
I came across this story from the seminal today. It is the first segment of a multi-part piece interviewing the election reform activist Dan McCrea, and he had some interesting things to say.
He points out the conflicts of interest in Florida in 2000 and Ohio in 2004, talks about how HAVA made things worse, and points out some other interesting things. However, this caught my eye:
While Florida, and to a greater extent Ohio, remain electoral mysteries, election issues in Sarasota, Florida in 2006 seemed to offer election activists the best chance they had yet had of using the legal process to obtain greater transparency in elections.
While I understand that the premise is that seeing the code might reveal something interesting I am not sure how it could ever achieve any level of election transparency. On the other hand I do think that they should have just shown the code. There might have been some unrelated problems in the code, and it would have been a minor problem to fix flaws found in the software compared to the PR disaster of not revealing the code. From what I have seen there is clear evidence that the problem was a ballot design problem, and revealing the code would have put the flawed software idea to rest.
The Herald Tribune did do an analysis for which I am unaware of a good refutation. Michael Shamos also gave a talk at UMBC about the analysis that he and a team performed on the system. While he admitted that there were some flaws none of them could have caused that particular error, and he also indicated that it was a ballot design problem. At WOTE 2007 I had the chance to meet with Ted Selker and he basically said that it was clearly a case of bad ballot design.
What I have not seen, however, are the results of a real-world test of this idea. Ted indicated to me that he was, at least, planning on it, but I’ve not seen or heard about anything since. To me it seems like a highly plausible hypothesis and it would be interesting to see the results of such a test.
If it turns out to be true it would underscore the importance of usability in a voting system — Just because it is on a computer doesn’t mean it is automatically easier to use. There should be some minimal requirements for testing each ballot design before it can be used in an election.
I look forward to reading the next segment of the interview.