Perspective On Election Processes by Peter Neumann

Reproduced under the Fair Use exception of 17 USC § 107 for noncommercial, nonprofit, and educational use.


 



 

Index

Florida vote counts

Perspective on election processes

Internet and electronic voting


 

Florida vote counts

Friday, November 10, 2000

The recount in Florida presents another interesting lesson in risks in the election process.

• The recount in Palm Beach County increased the totals for Gore (+751) and Bush (+108).

• An entire precinct had been left uncounted. The ballots had been run through the card reader, but the operator had pressed CLEAR instead of SET. (The recount gave Gore +368, Bush +23.)

• In Deland, Volusia County, a disk glitch caused 16,000 votes to be subtracted from Gore and hundreds added to Bush in the original totals. This was detected when 9,888 votes were noticed for the Socialist Workers Party candidate, and a new disk was created. (The corrected results were Gore 193, Bush 22, Harris 8.)

• The day after the election, an election worker discovered a sack of about 800 ballots in the back of his car that obviously had not been included in the official results.

• Voting cards failed to fit properly in the slots of some voting machines in Osceola County, giving 300 votes to the Libertarian candidate (where only 100 Libertarian voters are registered). Misaligned card machines have long been a source of errors.

• In Pinellas County, election workers were conducting a second recount after the first recount gave Gore more than 400 new votes. Some cards that were thought to have been counted were not.

[Source: Democrats tell of problems at the polls across Florida, The New York Times, November 10, 2000, National Edition, p. A24]

Punched cards are inherently subject to differences on successive recounts. Hanging chad is clearly a problem, and successive mechanical recounts normally change the results each time. Human inspection is typically necessary to resolve conflicts.

Although electronic voting systems reduce the mechanical uncertainty that sometimes makes recounts necessary in punched-card elections, they also introduce different uncertainties in the integrity of the election process, and particularly in the integrity of the computer systems. Certainly, hanging chad problems, paper fatigue, and tampering with punch cards would disappear, and recounts would be unnecessary: votes could be tabulated only as originally entered. But many new problems are also introduced. The opportunities for accidents and fraud are transformed into different categories — such as tampering with software development and operation. And the desire for voter privacy is fundamentally in conflict with any requirements for accountability (e.g., audit trails).

In the Florida case, we still have to wait for the absentee ballots, and any possible further recounts in other states.

Peter G. Neumann


 

Perspective on election processes


Sunday, December 3, 2000

We have long noted in this forum and before that in the ACM Software Engineering Notes (which I created in 1976 and edited for 19 years, until succeeded by Will Tracz — who has carried on the tradition) that there are very serious actual and potential problems in computer-related elections. The [December 4, 2000] issue of The New Yorker begins with The Talk of the Town section by considering the current mess:

But it is not as if we were without warning. The article notes the series of writings of David Burnham in The New York Times in 1985 and Ronnie Dugger's long article in The New Yorker issue dated November 7, 1988. The article notes that Dugger's 1988 article quotes Willis Ware, who has long been a wise observer:

There is probably a Chernobyl or a Three Mile Island waiting to happen in some election, just as a Richter 8 earthquake is waiting to happen in California.

Many people have been asleep at the wheel for too long. See the Election material on my Web site for pointers to some of the collected RISKS-historical material, especially the Illustrative Risks section on Election Problems, a document in which I have long cited Burnham's articles from The NY Times, July 29 and 30, August 4 and 21, and December 18, 1985. (I have already noted the 14% undervote for the Senate race in Florida in 1988.) What we are experiencing now is not a new problem. Unfortunately, it had not previously reached Chernobyl-like proportions or surfaced in a close presidential election. Nevertheless, the process that is currently before us is finally forcing an examination of many of the relevant issues. I hope that some of the more basic deeper issues will not be ignored in trying to resolve the immediate issues. The time has come for a serious reassessment of the entire process.

Apologies for the long gap since the appearance of RISKS-21.12 on November 11, 2000. We have received an enormous amount of e-mail on this topic, although some of it has been superseded by events, and some of it is too politically motivated to include here. There are so many issues at the moment, such as chad slots that have not been cleaned in many years, the causes of dimpled punched cards, absentee ballot irregularities, the desirability of manual recounts in Florida and New Mexico and elsewhere, etc., that we cannot begin to enumerate them here. On the other hand, objectivity would seem to be extremely desirable at this time.

Let me offer just a few suggestions:

• In the UK, Canada, France, Germany, and many other places, ballots for national elections consist of a single piece of paper with one candidate to be selected for one office. This is an extremely reliable process, is counted very quickly in a highly distributed fashion, and seldom challenged. Perhaps in the U.S., elections for the President should be considered a Federal function and conducted by a one-issue paper ballot, with all other election issues run by local jurisdiction in their own way, as is the case at present. Even in such a simple paper ballot, the challenges of avoiding fraud and accidents are significant, but by no means unsolvable. The reliability can indeed be greater than in all of the alternatives.

• If ballots are to be recorded and counted electronically, some sort of nonforgeable, nonalterable, and nonbypassable audit record must exist to make electronic tampering and accidents infeasible. Of course, voter privacy also needs to be honored. No existing electronic systems have anything close to what might be considered adequate, and the election system developers (with proprietary closed-source code) do not seem eager to take the extra miles needed for greater integrity. Claims of integrity are not backed up by standard practice of secure systems (which itself is extraordinarily weak), and no one seems to be applying even the relatively minimal standards of the Generally Accepted System Security Principles or reasonable certification processes.

• Voting by the Internet, even if only from well established polling places, is and will remain extraordinarily risky because of the inherent untrustworthiness of computer systems attached to the Internet and indeed the networking itself. It should not be recommended for use in the foreseeable future.

• Fraud and accidents must be anticipated throughout the election process. Election systems must be designed, implemented, and operated as systems in the large, and the human interfaces (for voters, administrators, maintenance personnel, etc.) must be considered as integral parts of the system. Any system should have live checking for invalid ballots. This existed decades ago in lever machines, and is common in electronic systems. If punched cards survive after 2000, card systems could easily include a single precinct display device that checks for overvoted or otherwise invalid ballots and for undervoted ballots before they are deposited.

• I previously noted the doctoral thesis work of Rebecca Mercuri. She has devoted an entire dissertation to the topic of election system integrity, and particularly the conflicts inherent with process integrity and voter ballot privacy. The thesis takes a broad system approach to voting security/integrity/reliability, and is in fact relevant in a much broader context. Highly recommended. For information, see her Web site. Rebecca also considers a proposal for an auditable paper trail of each electronic ballot that is verified by each voter before leaving and automatically deposited in a tamperproof receptacle. This is still not enough, but is worth considering as one more integrity measure. (For example, voters should not be allowed to photograph that record, because of the requirement that votes must not be salable, for example based on paper evidence of how you voted!)

Many wags have cited the aphorism that perfection is the enemy of the good. In election systems, there will never be perfection. But the existing state of the art is the enemy of sanity, and a rush to all-electronic voting is utter madness — even though it may appeal to advocates of conceptual simplicity. It is by no means an easy path, if all of the desired requirements of the voting process are to be satisfied. And there is an enormous gap between the concept and an implementation that provides any real assurances.

Peter G. Neumann
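
The live check suggested above (a precinct device that flags overvoted, undervoted, or otherwise invalid ballots before they are deposited) can be sketched as follows. This is an added example, not part of the original essay; the ballot style, the candidate names, and the `check_ballot` and `disposition` functions with their return-to-voter policy are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Contest:
    name: str
    candidates: frozenset
    vote_for: int = 1  # maximum number of selections allowed

# Constructed ballot style; contest and candidate names are hypothetical.
BALLOT_STYLE = (
    Contest("President", frozenset({"A", "B", "C"})),
    Contest("Senate", frozenset({"D", "E"})),
    Contest("School Board", frozenset({"F", "G", "H", "I"}), vote_for=2),
)

def check_ballot(selections, style=BALLOT_STYLE):
    """Return (contest, problem) findings for one ballot; an empty list means clean.

    selections maps contest name -> list of marked choices as read from the card.
    """
    findings = []
    known = {c.name for c in style}
    # Marks decoding to a contest that is not on this ballot style,
    # as a misaligned card might produce.
    for name in sorted(set(selections) - known):
        findings.append((name, "invalid"))
    for contest in style:
        marks = set(selections.get(contest.name, []))
        if marks - contest.candidates:
            findings.append((contest.name, "invalid"))
        elif len(marks) > contest.vote_for:
            findings.append((contest.name, "overvote"))
        elif len(marks) < contest.vote_for:
            findings.append((contest.name, "undervote"))
    return findings

def disposition(selections, style=BALLOT_STYLE):
    """Decide what the precinct device does before the ballot is deposited.

    Assumed policy: invalid or overvoted ballots go back to the voter;
    undervotes may be intentional, so the voter is only asked to confirm.
    """
    problems = {p for _, p in check_ballot(selections, style)}
    if problems & {"invalid", "overvote"}:
        return "return to voter"
    if "undervote" in problems:
        return "confirm with voter"
    return "deposit"
```

The check reports only which contest has a problem and keeps no record of the ballot's contents, so it does not add to the tension between auditability and voter privacy.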


 

Internet and electronic voting


Tuesday, December 12, 2000

A recurring mantra heard from some entities involved in the development and promotion of Internet-based voting systems is that they have conducted "public tests" and thus their systems are secure. If hackers don't break into such systems, the tests are declared a success.

This is of course illogical on its face, because it seems unlikely that people (both U.S. and internationally based) with an interest in subverting the U.S. election process would care to tip their hands by participating in what are essentially publicity stunts. These might attract your average 12-year-old hacker, but not the pros who wait for production systems for their carefully mounted attacks.

In fact, using such "tests" as any sort of validation technique runs contrary to long-established computer and engineering verification practices, and makes a mockery of the rigorous design and testing that is required of systems that are to be deemed secure through extensive and methodical processes (e.g., to gain certification under the ISO Common Criteria or its predecessors TCSEC/ITSEC). "I left my Porsche out in the parking lot with the doors unlocked and the key in the ignition and since it doesn't appear to have been stolen this must be a safe neighborhood," would be an equally nonsensical statement of supposed validation. All proposed voting systems should be subjected to rigorous evaluation, public inspection, and open-source code license agreements. Some applicable methodologies do exist, but have not been required. For example, Level 4 Common Criteria should be a minimum standard, although even that is not enough.

Security is only as strong as its weakest links. Internet voting (I-voting) will always be limited in its integrity by factors beyond the I-voting algorithms. For example, encryption can be an important part of an overall election system. However, although we have strong cryptographic algorithms, we do not have systems with adequate security into which the cryptography can be embedded. Furthermore, voter authentication, vote integrity, voter anonymity, auditability, accountability, recountability, and so on, are all involved, and many of these requirements operate at cross-purposes with one another. The massive vulnerabilities of standard personal-computer operating systems represent very serious concerns, in terms of hidden viruses, worms, Trojan horses, and further surprises unknowingly downloaded by the user with other packages, and waiting to pounce on election day. One proposed solution would be to boot a fresh system from external media in order to vote, but even such an approach does not adequately address these potential vulnerabilities.

Deficient network protocols and the opportunities for insider fraud and accidental misuse abound. In addition to the issues noted above are the weaknesses that result from inadequate operational environments. Neither the client nor the server systems will be adequately secure under foreseeable technology — including Internet Service Providers and Web servers. For example, proposals such as the use of rotating IP numbers and multiple systems to try to defend against denial of service attacks can be rendered impotent by similar attacks on network concentration points.

As always in any election environment, there are many opportunities for fraud, mischief, and manipulation — despite ostensible checks and balances. These problems are exacerbated with electronic and Internet voting, where the lack of any physical ballots makes such manipulations impossible to detect and correct — because there is no meaningful recount capability. Extraordinary vigilance is necessary, but never sufficient.

In the wake of the recent Presidential election problems, the knee-jerk reaction of "Gee, can't we modernize and solve all this with electronic and/or Internet voting?" is predictable, but still wrongheaded. The shining lure of these "hype-tech" voting schemes is only a technological fool's gold that will create new problems far more intractable than those they claim to solve.

Peter G. Neumann, Rebecca Mercuri, and Lauren Weinstein


 

Peter Neumann moderates the ACM Risks Forum, Chairs the ACM Committee on Computers and Public Policy, and is a cofounder of PFIR — People For Internet Responsibility.

Rebecca Mercuri is a Professor of Computer Science at Bryn Mawr College. She has provided expert testimony on voting systems throughout the past decade. For information on her Penn doctoral thesis and other writings on this subject, see Notable Software.

Lauren Weinstein moderates the Privacy Forum <http://www.vortex.com/>, is a cofounder of PFIR — People For Internet Responsibility, and is a member of the ACM Committee on Computers and Public Policy.



 

Last modified 6/14/09