IP: Perspective on election processes Risks Digest 21.13

[Dave Farber <farber () cis upenn edu>]

> Date: Sun, 3 Dec 2000 9:59:37 PST
> From: "Peter G. Neumann" <neumann () csl sri com>
> Subject: Perspective on election processes
>
> We have long noted in this forum and before that in the ACM Software
> Engineering Notes (which I created in 1976 and edited for 19 years, until
> succeeded by Will Tracz -- who has carried on the tradition) that there are
> very serious actual and potential problems in computer-related elections.
> The current issue of *The New Yorker* (4 Dec 2000) begins with The Talk of
> the Town section by considering the current mess: ``But it is not as if we
> were without warning.''  The article notes the series of writings of David
> Burnham in *The New York Times* in 1985 and Ronnie Dugger's long article in
> *The New Yorker* issue dated 7 Nov 1988.  The article notes that Dugger's
> 1988 article quotes Willis Ware, who has long been a wise observer:
>
>   There is probably a Chernobyl or a Three Mile Island waiting to happen
>   in some election, just as a Richter 8 earthquake is waiting to happen
>   in California.
>
> Many people have been asleep at the wheel for too long.  See the Election
> material on my Web site
>   http://www.csl.sri.com/neumann
> for pointers to some of the collected RISKS-historical material, especially
> the Illustrative Risks section on Election Problems, a document in which
> I have long cited Burnham's articles from *The NY Times*, 29 and 30 Jul, 4
> and 21 Aug, and 18 Dec 1985.  (I have already noted the 14% undervote for
> the Senate race in Florida in 1988.)  What we are experiencing now is not a
> new problem.  Unfortunately, it had not previously reached Chernobyl-like
> proportions or surfaced in a close presidential election.  Nevertheless, the
> process that is currently before us is finally forcing an examination of
> many of the relevant issues.  I hope that some of the more basic deeper
> issues will not be ignored in trying to resolve the immediate issues.  The
> time has come for a serious reassessment of the entire process.
>
> Apologies for the long gap since the appearance of RISKS-21.12 on 11 Nov
> 2000.  We have received an enormous amount of e-mail on this topic, although
> some of it has been superseded by events, and some of it is too politically
> motivated to include here.  There are so many issues at the moment, such as
> chad slots that have not been cleaned in many years, the causes of dimpled
> punched cards, absentee ballot irregularities, the desirability of manual
> recounts in Florida and New Mexico and elsewhere, etc., that we cannot begin
> to enumerate them here.  On the other hand, objectivity would seem to be
> extremely desirable at this time.
>
> Let me offer just a few suggestions:
>
>  * In the UK, Canada, France, Germany, and many other places, ballots for
>    national elections consist of a single piece of paper with one candidate
>    to be selected for one office.  This is an extremely reliable process, is
>    counted very quickly in a highly distributed fashion, and seldom
>    challenged.  Perhaps in the U.S., elections for the President should be
>    considered a Federal function and conducted by a one-issue paper ballot,
>    with all other election issues run by local jurisdiction in their own
>    way, as is the case at present.  Even in such a simple paper ballot, the
>    challenges of avoiding fraud and accidents are significant, but by no
>    means unsolvable.  The reliability can indeed be greater than in all of
>    the alternatives.
>
>  * If ballots are to be recorded and counted electronically, some sort of
>    nonforgeable, nonalterable, and nonbypassable audit record must exist to
>    make electronic tampering and accidents infeasible.  Of course, voter
>    privacy also needs to be honored.  No existing electronic systems have
>    anything close to what might be considered adequate, and the election
>    system developers (with proprietary closed-source code) do not seem eager
>    to take the extra miles needed for greater integrity.  Claims of
>    integrity are not backed up by standard practice of secure systems
>    (which itself is extraordinarily week), and no one seems to be applying
>    even the relatively minimal standards of the Generally Accepted System
>    Security Principles
>      http://web.mit.edu/security/www/gassp1.html
>    or reasonable certification processes.
>
>  * Voting by the Internet, even if only from well established polling
>    places, is and will remain extraordinarily risky because of the inherent
>    untrustworthiness of computer systems attached to the Internet and
>    indeed the networking itself.  It should not be recommended for use
>    in the foreseeable future.
>
>  * Fraud and accidents must be anticipated throughout the election process.
>    Election systems must be designed, implemented, and operated as systems
>    in the large, and the human interfaces (for voters, administrators,
>    maintenance personnel, etc.) must be considered as integral parts of
>    the system.  Any system should have live checking for invalid ballots.
>    This existed decades ago in lever machines, and is common in electronic
>    systems.  If punched cards survive after 2000, card systems could easily
>    include a single precinct display device that checks for overvoted or
>    otherwise invalid ballots and for undervoted ballots before they are
>    deposited.
>
>  * I previously noted the doctoral thesis work of Rebecca Mercuri.  She has
>    devoted an entire dissertation to the topic of election system integrity,
>    and particularly the conflicts inherent with process integrity and voter
>    ballot privacy.  The thesis takes a broad system approach to voting
>    security/integrity/reliability, and is in fact relevant in a much broader
>    context.  Highly recommended.  For information, see her Web site:
>      http://www.seas.upenn.edu/~mercuri/evote.html
>    Rebecca also considers a proposal for an auditable paper trail of each
>    electronic ballot that is verified by each voter before leaving and
>    automatically deposited in a tamperproof receptacle.  This is still not
>    enough, but is worth considering as one more integrity measure.  (For
>    example, voters should not be allowed to photograph that record, because
>    of the requirement that votes must not be salable, for example based on
>    paper evidence of how you voted!)
>
> Many wags have cited the aphorism that perfection is the enemy of the good.
> In election systems, there will never be perfection.  But the existing state
> of the art is the enemy of sanity, and a rush to all-electronic voting is
> utter madness -- even though it may appeal to advocates of conceptual
> simplicity.  It is by no means an easy path, if all of the desired
> requirements of the voting process are to be satisfied.  And there is an
> enormous gap between the concept and an implementation that provides any
> real assurances.



For archives see: http://www.interesting-people.org/