Saturday, August 23, 2014

How Political Scientists Can Test Internet Voting Security



A public policy debate is brewing in the United States concerning whether or not our election technology should include Internet voting. While there are many dimensions to this debate, generally people are asking “if I can bank online and shop online, why can’t I vote online?”

Also, the inconvenience of our 19th Century practice of trekking to polling places to cast a vote is being questioned across the nation. After news reports about long waits in line at polling places during the 2012 election, President Obama said “we’ve got to fix that.”

To study the problem, in March, 2013, President Obama issued an Executive Order convening his Presidential Commission on Election Administration. The Commission was chaired by two Washington lawyers – Robert F. Bauer, a Democrat, and Benjamin L. Ginsberg, a Republican.

I submitted my research paper on Internet voting, and other comments, to the Commission in favor of encouraging states and local jurisdictions to implement online voting trials, especially for overseas military.

The Commission released its Report on election administration in January, 2014. The Report made some recommendations for trying to make polling place voting more efficient and convenient. It also praised the move by several states to implement online voter registration. More than 25 states now have online voter registration.  While recognizing the convenience and efficiency of registering to vote via the Internet, the Commission stated, without evidence or further comment, that “the internet is not yet secure enough for voting” (p 60).

What I find so interesting, even amazing, is that not only does a Presidential Commission on Election Administration simply assume, with no scientific evidence, that the Internet is too insecure for voting, but so do nearly all the key participants in this important public policy problem.  I also find it amazing, and regrettable, that the political science profession in the US is so quiet on the issue of Internet voting security.  Other than my paper, now being presented to the American Political Science Association, I know of no other studies testing the hypothesis of Internet voting insecurity.

Hypothesis Testing
The well known philosopher of science, Karl Popper, has argued that an essential function of any science is that of conjecture and refutation.  Since voting and elections are central to the domain of the political science profession, shouldn’t political scientists be engaged in the effort at least to test, if not refute, the hypothesis of Internet voting insecurity?

It appears to me that out of an excess of deference for computer scientists, political scientists are not using their expertise and methods to make any sort of contribution to this very consequential public policy debate.

Therefore, one of the primary aims of my paper is to show political scientists how they can test the widely accepted, but untested, hypothesis that the Internet is too insecure for voting.  I want political scientists to see that they can use their own methods of study – especially case studies – to test the hypothesis of Internet voting insecurity, and do so independently of whatever claims activist computer scientists assert.

I take two well known approaches to testing the hypothesis of Internet voting insecurity. First, I look carefully at the language used by its proponents to assert and to support it. Second, I examine the actual experience of Internet voting trials, as case studies, to see if these facts support or undermine the validity of the hypothesis.

Assertions that Internet voting cannot be done securely are presented in the form of factual statements. Karl Popper has set the standard for assessing the scientific quality of statements about matters of fact. Statements that purport to be factual, but that cannot be disproven under any circumstances, cannot be considered scientific statements, says Popper, but must be considered folk tales or myths. In other words, to be scientific a statement of fact must be falsifiable, that is, capable of disproof. If it can’t be tested, then it can’t be factual.

One example of an unfalsifiable argument is the ancient admonition, “The End is Nigh.”  This supposedly factual claim has never been disproven. Indeed, one discussion of false Armageddon predictions has it that the first warning on record is found on an Assyrian clay tablet from 2800 BC.

Because this fear mongering Armageddon claim is impervious to both logical criticism and empirical disproof, it creates the illusion of Indubitable Truth for its adherents.  By logic, just because the End has not yet occurred, does not mean it will not occur – and soon. Empirically, it is unfalsifiable because with each failure today the prediction can simply be moved to tomorrow.

In the paper, I discuss numerous unfalsifiable claims made by an avant-garde of activist computer scientists in support of their hypothesis of Internet voting insecurity.  I think it important to note that none of the computer scientists in this avant-garde have any experience building Internet voting systems that were actually used in elections for public office. I should also point out that the computer scientists who have set up such systems are confident that security threats can be adequately protected against.

Self-Erasing Bugs
One of the many unfalsifiable claims made against Internet voting is that malicious code can be installed in a computer that tallies votes, and can change the results of an election, and can then erase itself and never be detected.

If this is true, then the integrity of no election that relies on a computer to count the vote can be trusted. Every such election result could be the product of undetected, self-erasing malicious code.

I argue in the paper that very scary stories, such as this, are part of a strategy activist computer scientists have followed to put themselves in charge of election administration in the United States. I argue further that they have succeeded!

In my view, activist computer scientists have executed a coup d'état over the election administration function of government in this country. Among other things, they have had laws passed in several states requiring what they call a “Voter Verified Paper Audit Trail” for every vote cast. Having a paper record, they say, is the only way to be sure upon audit that the vote tally matches the votes actually cast, and that the count is not the product of undetected, self-erasing malicious code.

This coup d'état includes the conquest of territory that political scientists have traditionally thought to be a core element of their professional field of study. Since this conquest, it seems that political scientists can say nothing about implementing technological reforms in election administration for fear of attracting the public disapproval of activist computer scientists. Indeed, I show how this actually happened in 2004, when political scientists Thad Hall and Michael Alvarez, who favored Internet voting, were completely overruled by just a few very vocal doom predicting anti-Internet voting computer scientists – who also had a lot of help from the New York Times.

In their defense, political scientists can use the Popperian standard that says unfalsifiable claims are mythical and not scientific.  The charge that an election could have been the result of undetected, self-erasing malicious code does seem to be an unfalsifiable claim, and therefore not scientific.  But this argument, by itself, is not likely to assure a frightened public or the legislators who must answer to that public.

In my view, the only effective way to nullify, or falsify, this scary claim is through the use of case studies of actual Internet voting trials.

Case Studies as Tests
If political scientists produced study after study of elections involving online voting in which there were no doubts about the integrity of the results, then the conclusion may be fairly drawn that the integrity of the results can reasonably be trusted.

Case studies can describe the security measures taken in a given election. Then the study can state the results of interviews of key people, and of polling. Key people would include relevant elections experts, elections officials and administrators, the computer scientists involved, journalists, winning and losing candidates, party leaders and political activists, as well as voters. Opinions may vary, and the reasons for those opinions can be included. If the research shows that in the minds of these folks there is confidence in the legitimacy of the vote, then claims of doubt could be seen as just more baseless cries of “wolf.”

If activist computer scientists continue to dogmatically insist that “you can never know for certain whether a disappearing bug changed the outcome,” they can reasonably be dismissed as myth-makers and fear mongers.  Indeed, I have done some preliminary case studies of Internet voting trials for elections to public office.  These include West Virginia in 2010, and Norway in 2011 and 2013.  Here, only the same few activist computer scientists insisted on such notions as there could have been a disappearing bug at work, but the officials, experts, candidates, and public felt confidence in the results.

In Canada, about 50 different cities have conducted Internet voting trials, all without doubts about the legitimacy of the results --  except for anti-Internet voting activists. Case studies of these elections are being done by Canadian political scientist, Nicole Goodman.

My paper also closely examines a report issued by the Elections Division at NIST. Unfortunately, that report merely repeats all the unfalsifiable claims of the activist computer scientists, without any social scientific case studies, or any other kind of science.

Conclusion
In conclusion, political science has the methodology it needs to undo the coup in US election administration and its own ouster from the public policy debate over election technology reform. Our profession only needs to apply these methods and to assert itself.

******************************
William J. Kelleher, Ph.D.
Political Scientist, author, speaker,
CEO for The Internet Voting Research and Education Fund
Twitter: wjkno1

Author of Internet Voting Now! 
Kindle edition: http://tinyurl.com/IntV-Now

6 comments:

Anonymous said...

Check Bauer and Ginsberg's pol parties - I think they are backwards -- Ginsberg is a Repub and Bauer worked for Obama --Ted

William J. Kelleher, Ph.D. said...

You're right! I knew I should have checked that, and not left it to memory!

Krystof Zigorski said...

The problems with internet voting and security are not so much technical issues, but human issues.

The concern, I think, is the deliberate misuse of a massive, consolidated election system to force the results to a desired candidate. The hesitation, then, is not the intrinsic insecurity of the system, but the complexity of the technology (relative to the average citizen's understanding of computer science and engineering), a concern over a design that massively centralizes (nationalizes) voting from the current State/County shared authorities, and a general distrust of people (that is, there is a belief today that voting fraud requires conspiracy, and with Internet voting it requires an enterprising individual).

An example of this distrust stems from the revelation that a certain design of some voting machines allowed the memory card inserted into the machine read, write and execute authority. Of course, unquestionably, a secure design would have had write permissions from the voting machines to the card, read permissions from tabulators to the card, and under no circumstance should anything be executable from the card. This design flaw -- once understood by the public, as it requires educating many Americans about how and why it is a problem -- is so basic as to lead people to speculate that it was intentional.

Finally, there is also a fear of the interference of foreign governments in the election process. We know that once we allow voting to be exposed to the Internet, we would need to take rigorous steps to prevent access from government organizations with means and personnel dedicated to breaching and violating the integrity of that system. Recent revelations illustrate that this is not only commonplace, but that our trading markets and banking systems have been targets of foreign criminal and government exploits and attacks.

I say all of this not to prove that computer systems are by design so insecure that they could not be used for voting, but rather to point out that I think testing the security of these systems would have to address these social and psychological beliefs of the community more than the intrinsic security of the computer systems.

Of course, having said that, I am disinclined to favor such a system because there is a social aspect of democracy and a social aspect of voting that cannot be reproduced with Internet voting. There is an individuating and isolating quality to our advances with information technology that can be, if not paid close attention to, injurious to the social dimensions of neighborhoods and communities (or, at least, so I believe).

However, I do agree that we should test Internet voting and see not only if it is secure, but how it might change voting attitudes, voting behavior, and whether it influences decisions in voting reforms as a tool to improve district, direct, or other forms of vote counting / aggregation. I write this from the state of North Carolina, where I would maintain the current majority in the State General Assembly has gerrymandered the voting districts in a distinctly non-Democratic way. Perhaps Internet voting addresses this challenge to voting districts that followed Warren court rulings on voting, and the following readjustments from the Burger and Roberts courts.

Let's set up a lab and fire up some tests.

William J. Kelleher, Ph.D. said...

Thanks for the comment, Krystof. First, re centralization. I suggest that each of the 3000+ voting jurisdictions in the US implement its own online voting system, at first to supplement paper ballots, and only as the voters demand online voting. These systems should always be UNconnected to each other. Each system can send its totals to the state, and the state report to Congress – as our Const says.
Second, I totally agree that the social and psychological beliefs of the community have to be respected. That is why I call for political scientists to play a role. After several case studies show that there is no reason to doubt the legitimacy of the vote, popular fears will subside.
Third, I don’t see any loss of community w/ online voting. The community discussions can still be held in online forums. People can interact personally at public meetings, just as they do now.
Finally, glad to see that you are willing to experiment w/ it. One of your neighbors has used it – WV 2010, and everyone liked it.

If NC is having gerrymandering problems, take a look at my state, California. It has solved the redistricting problem. The state constitution gives the entire job to an independent Citizens Redistricting Commission (CRC). Its technicians publish their redistricting data for everyone to see on California’s Statewide Database (SWDB). The legislature can't change what the CRC does. If your state gerrymanders, study what CA is doing, and get that implemented!

C Ferguson said...

I am a computer scientist (25 yrs experience), and software developer. I have known the solution to online voting for some time now and have not yet published it. The solution to security is this. Have the government computers be required to publish a Key/Value store in the form of simple XML or even HTML online. The Key represents a person's identity and the value represents who you voted for. Now, here is the trick, to maintain anonymous voting. The Key in the system is a "Hash/Checksum" that is a function of your social security number plus birthday, and several other factors. So everyone in the world can verify the tally (by checking the data) AND also check that YOUR own identity value is mapped to the correct person you voted for. This algorithm is not only fool-proof, but I can prove it is the ONLY foolproof system. So it's impossible to rig this system by the computers, because there is a perfectly auditable trail that is 100% transparent to the public and 100% testable AFTER the election.
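
The published key/value store described in the comment above, as an added example that is not the commenter's code or any election system's: it builds the store, recounts it, lets a voter check their own entry, and shows what a key derived only from SSN and birthday reveals to anyone who already knows those two values, beside a variant that mixes in a random voter-held secret. SHA-256, the `|` separator, all function names, the `secret` variant and the sample ballots are assumptions made for illustration.

```python
import hashlib
import secrets
from collections import Counter


def voter_key(ssn: str, birthday: str, secret: str = "") -> str:
    """Key = SHA-256 over the identity fields, plus an optional voter-held secret."""
    material = "|".join((ssn, birthday, secret)).encode()
    return hashlib.sha256(material).hexdigest()


def publish(ballots, use_secret=False):
    """Build the public store: hashed identity -> candidate voted for."""
    store = {}
    for b in ballots:
        secret = b["secret"] if use_secret else ""
        store[voter_key(b["ssn"], b["birthday"], secret)] = b["vote"]
    return store


def tally(store):
    """Anyone can recount from the published store alone."""
    return dict(Counter(store.values()))


def voter_check(store, ssn, birthday, expected_vote, secret=""):
    """A voter recomputes their own key and confirms the recorded value."""
    return store.get(voter_key(ssn, birthday, secret)) == expected_vote


def third_party_lookup(store, ssn, birthday):
    """Someone who knows only a voter's SSN and birthday (an employer, a
    data broker) recomputes the key without any secret and reads the entry."""
    return store.get(voter_key(ssn, birthday))


# Constructed sample ballots: every value is made up (000-xx SSNs are never issued).
BALLOTS = [
    {"ssn": "000-00-0001", "birthday": "1970-01-01", "vote": "A",
     "secret": secrets.token_hex(16)},
    {"ssn": "000-00-0002", "birthday": "1985-06-15", "vote": "B",
     "secret": secrets.token_hex(16)},
    {"ssn": "000-00-0003", "birthday": "1992-11-30", "vote": "A",
     "secret": secrets.token_hex(16)},
]

PLAIN = publish(BALLOTS)                      # key = hash(SSN | birthday)
SALTED = publish(BALLOTS, use_secret=True)    # key = hash(SSN | birthday | secret)

if __name__ == "__main__":
    print("tally:", tally(PLAIN))
    print("voter 1 self-check:", voter_check(PLAIN, "000-00-0001", "1970-01-01", "A"))
    print("third party, plain keys:", third_party_lookup(PLAIN, "000-00-0001", "1970-01-01"))
    print("third party, salted keys:", third_party_lookup(SALTED, "000-00-0001", "1970-01-01"))
```

In both variants the voter can show their key to someone else, so the published entry also works as a receipt for how they voted.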

Anonymous said...

Your lack of computer knowledge is evident in every post you write on this ridiculous self-promoting biased blog. You dismiss legitimate claims put forth by computer science experts about the use of internet voting as mere fear-mongering when these are actual warnings which the public should pay attention to.

When I take my car to my mechanic and he tells me to fix something because there is a good chance it's going to break, I listen to him because he is an expert. I don't waste my time getting another opinion from the librarian! I would much rather hear from computer scientists about the risks of internet voting because they are the experts! They know what computers can be programmed to do, what their vulnerabilities are, as well as the risks of the internet.

Computer software can be coded to do anything. If someone wants to write a computer program to say 2+2=5, it can be done. Just as if someone wants to write a code to say 51% of votes goes to Candidate A instead of Candidate B, it can be done, and the code can be hidden from scrutinizers. This is FACT, not some unsubstantiated claim.

Banks, governments, and corporations have all been and continue to get hacked into. Vulnerabilities like the Heartbleed and other bugs or viruses make the news all the time. These are FACTS! You really must be a nutcase if you think internet voting has some secret technology which makes them unhackable!!

Companies that make online voting systems don't allow public tests of their systems. They know that if they did allow a public test, that insecurities would be found just as they were found in the Washington D.C. voting trial. These companies don't allow inspection of their source code either.

You keep repeating this mantra that internet voting has been done numerous times around the world without problems, but you are deliberately lying. It's not hard to do a simple Google search to find the serious flaws which have been reported in Estonia's internet voting system, France's internet voting system, Norway's, Kenya's, Malaysia's, Ontario, Canada's voting systems, and the list goes on and on.

The hacks, the flaws, the glitches, they're all out there ready to be tailored and used against internet voting. All the facts and proof are out there. You really must have your head stuck way up something if you really think internet voting won't be corrupted by politicians, foreign interests, or the wealthy. Get your head out of the sand, dude!