Tuesday, July 13, 2010

THE AUDIT PROBLEM FOR INTERNET VOTING AND DEMOCRACY

Unlike business transactions, the name of the voter cannot be linked to the vote, if voting is to be secret. So, auditing votes cannot be done in the same way that business auditing can be done. The voter can never be asked "is this your vote?" But there are ways to provide assurances that the vote count was done right. For example, if the number of ballots equals the number of voters, then one aspect of accuracy is shown.

No one can know for sure if votes have been changed within the number cast, but there are ways to monitor that. For example, each module in the secure Internet voting server can be tested to be sure its operating code is exactly as specified for the work the module is to do. This can be done both before and after an election. In addition, computer scientist Ed Gerck has shown that "electronic witnesses" can be put on each module in the process to monitor the operation of the module. If the module does something off course, the witness can record the event, or set off an alarm to get the attention of a human operator. This can be done for every step, from authenticating the voter to counting the votes.

Political parties can install their own electronic witnesses on the government’s secure server. If those witnesses do not report any missteps, then the integrity of the election would seem to be fully verified.

There are some informal ways of auditing an election based on Internet voting. One informal audit procedure would be that if people who follow elections closely are satisfied that the results are within the realm of reasonableness, then the process was very likely done right.

Of course, there would be no exit polls for Internet voting. But scientific samples of voters could be taken by phone. This could be another informal test of an election’s integrity. But there are problems with polling voters that makes it only a suggestive tool, and not definitive. When people are asked how they voted, there is a higher likelihood of misreporting than with ordinary opinion surveys.

Ultimately, any vote that is too large for a hand count will require some trust in the people who count the vote. The term “verified” contains a large element of psychology. There are folks so possessed by fear that unless they can see all the hands raised in a room, they will not trust the results of an election. For them, even paper ballots are no security blanket. At the worst extreme would be people who disbelieved the report from the hand count in the next room, but only accepted the hand count he or she could make.

Larger scale democracies must have some element of trust in the integrity of people one does not know personally, if they are to succeed.

5 comments:

Anonymous said...

As a former computer programmer, your statements are simply uninformed. That the tally of votes match means nothing. I would of course program the count to match.

That the vote seems to be running approved code means nothing. I have ways to hide my code that you know nothing about.

You think you can prevent hacking? A friend runs IT for a bank and they deal with hacking attempts so sophisticated it would boggle the mind. And that's from amateurs. The professionals get in and out all the time, undetected.

And you cannot audit an Internet vote unless you give up something. If each voter got a ballot number, they could then check their ballot number online to see if it matched their vote. But that paves the way for matching a voter to a vote, and opens the door for vote buying and selling.

Any legitimate computer security expert will be honest and tell you the only secure system is one that is off.

The reason conservatives like Internet voting and liberals don't is that liberals tend to be more educated and understand the issues.

William J. Kelleher, Ph.D. said...

Hi Anonymous!

Thanks for your comments. In the following, you will be “A,” and I’ll be “B” (for Bill).

A) “I have ways to hide my code that you know nothing about.”

B) Am I supposed to take the word of an anonymous writer as the Ultimate Truth? Gerck’s electronic witnesses, and other tests (e.g. “hash tests”), can find any “hidden” code.

A) “The professionals get in and out [of your friend’s bank] all the time, undetected.”

B) Here’s another laughable scary story that can’t pass the commonsense test. First, if they can get in and out “undetected,” then how do you know they were there? Second, if getting in is so easy: a) how does that bank stay in business; and, b) how does your friend keep that job?

A) “… the only secure system is one that is off.”

B) Scary stories about Internet voting rely heavily on the standard of perfection. Every voting system will have imperfections. So, scary stories can claim some truth by embellishing actual imperfections and turning them in to reasons for not going ahead. Yes, it is true that the perfectly secure system is the one that’s off, but so what?

By that standard, we would all stay in bed all day, or maybe stay under the bed all day!

A) “Any legitimate computer security expert will be honest and tell you …”

B) Of course, none of the scores of computer security experts around the world who work on Internet voting systems are “legitimate,” because “legitimate” means agreeing with you.

Finally, those “liberals” who would accept your statements as gospel (and there are some) may be more gullible than those “conservatives” who would examine your claims with a dose of healthy skepticism. Education is no guarantee of independent thinking.

BTW the “ballot number” has been proposed as another way of giving voter’s a sense of security. They vote, and then get a number without their name on it from the second module. Later, they check back on the website to see if their number shows up on a list of counted votes. This could be used as a redundant auditing tool.

But I don’t support using it, for two reasons. One is that it is a borderline deception of the voter. A well done system isn’t going to be more accurate and reliable because of that extra function, so why put it in the process? Secondly, studies of VVPAT use show that most voters do not check the paper ballot for accuracy, but leave the voting booth right after voting. Having voters come back online after the vote tally to search for a long number on a long list is more work, and probably even fewer voters would bother.

wjk

RealRepresentation said...

Just wanted to point out that Gerck was mainly talking about mechanisms for increasing the security of precinct-based electronic voting, not internet voting (pg 33 of "The Witness Voting System", date not on paper): "The Witness-Voting System can also be applied to existing electronic voting machines (e.g., DRE), including “black box” voting machines (with closed-source software), to verify their accuracy and reliability before, after, and during an election. Paper based voting systems, including optical scan ballots, may also benefit by using the Witness-Voting System as a verification enhancement and in providing multiple correction channels."

Gerck's WVS relies on independently-installed 'witness' hardware, which is impractical for use in highly distributed situations such as internet voting - how do you install a witness device in each voter's household?

William J. Kelleher, Ph.D. said...

Thanks for that clarification, Real! Gerck's WVS is well worth a close look. Its an excellent way for opposing political parties to check each other in an election based on Internet voting.

But there is a problem w/ the assumption in your last paragraph. The WVS isn't put on the PC or cell phone of the voters -- its put on the government secure servers! The servers host the voting website, check registration, present the ballots, and store and count the votes. Each of these modules can have electronic witnesses placed on them by competing parties. That way, the government is checked, and each of the parties is checked. Its a great invention!

William J. Kelleher, Ph.D.
Internetvoting@gmail.com
Blog: http://tinyurl.com/IV4All
Face Book: http://tinyurl.com/BillonFB
Twitter: wjkno1
Internet Voting Explained on
YouTube: http://www.youtube.com/user/WJKPhD

VoteBoat said...

You say "scientific samples of voters could be taken by phone" but giving a phone number is not required when registering to vote. And it's unwise, unless you like campaign calls at election time! And how would "scientists" "sample" military voters?