Monday, 27 November 2006

Just happened upon this site (linky) that makes some arguments against the use of electronic voting, and how it threatens the fundamental nature of democracy (insert special FX noises).

The argument is made that a completely anonymous election can only be assumed to be correct if the electoral processes are open to verification by the electorate. Whilst the generalised process may be open to verification by everyone, it is not practical for every stage of the process to be witnessed by everyone (which is what is required for everyone to have confidence in the correctness of the vote). This then assumes that the majority of the people place trust in those who are witnessing every stage of the election. It also assumes that there is a witness present at all times, at all points in the election. This quite simply is not the case. In the UK there are not individuals present at every stage in the electoral process. Do people accompany the election workers picking up the ballot boxes from the distribution centers, stay at the polling station for the whole time the polls are open, and accompany them back to the counting station with the ballot box? No, they don't. So there are plenty of points at which electoral fraud can be committed that won't be witnessed. All the transparency in the world does you no good if no-one is there to witness it!

Specific counterpoints:

"because computer procedures are not verifiable by humans as we are not equipped for verifying operations occurring within an electronic machine" - the writer of this may not be able to verify the operation of computer procedures but I'm surrounded by 30-odd people that CAN. To be honest this claim is like saying: "Computers, if it's too hard, I can't understand it!". Sure, not everyone can, but enough can. Probably more people than bother to witness a paper ballot anyway.

"Thus, for people who did not program them, computers act just like black boxes and their operations can truly be verified only by knowing the input and comparing the expected output with the actual output (see Reflections on Trusting Trust, by Ken Thompson).
Unfortunately, due to the secrecy of vote, elections have no known input nor any expected output with which to compare electoral results, thus electronic electoral procedures cannot be verified by humans! This applies to electronic elections independently of any technical solution that could ever be implemented." - I don't know if it's because it's Monday, but I'm having trouble parsing this. Is the writer saying that you can't produce a set of data to plug into a system to check it does what it's supposed to? I hope not, since I can pull a set of test data out of thin air, feed it into a system and verify the results against what I expected. We do it all the time, it's called testing! Or is he saying that since the inputs to an election are not knowable before or after the election (ummmmm, yes they are, we captured the inputs; search for pre-encrypted ballots and you can find out how to capture a voter's intention without exposing who they voted for), you can't create an exact set of test inputs? Bzzzt - can't do that in a real election either (I know the counter will be that you don't need to, since the process is verified, see above). And since we did capture the inputs we can retest the election; in fact any decent election system would involve rerunning the count and comparing results to ensure a correct result (just in case a sun-spot disrupts things). And besides, eVoting systems are not "black boxes" to anyone other than the original programmer: there's this thing called "source-code" that when examined makes the system what we call a "white box". Basically - you can see inside the system and verify its operation.

"To accept electronic electoral result ordinary people need to have an absolute faith in the accuracy, honesty and security of the whole electoral apparatus (people, software, hardware and networks)." - How, do tell, is this different to having absolute faith in the accuracy, honesty and security of the whole electoral apparatus for a paper ballot? As was mentioned above, if not everyone is present to witness all the stages in the vote, then they must have faith in those that were present to witness the system! And since we've allowed a chain of trust in a paper ballot why can't we allow it in an electronic ballot?

"In fact let's imagine to have a perfect electronic voting system with all the security, auditing, accountability, meaningful public standards and public evaluations we like. Even in such a very optimistic case in the end all the votes would be stored in anonymous records and this unverifiable data, processed by unverifiable electronic procedures, would decide the (unverifiable) winner of the election." - See above please, it's not unverifiable.

"Ballot paper elections are very robust and have no single point of failure: there is NOT a single place which abnormal functioning could lead to the impossibility to declare the winner. Paper elections can be held despite of black outs and interruptions of computer networks. In fact paper elections have properly worked also when electricity and computer did not even exist!" - See previous post, no eVoting system would have a single point of failure.

I'm sure there's more but I've not got time for it right now. Breaking down these points seems to break the illogical chain put forward on the site, so hopefully this demonstrates just how wrong it is.


Anonymous said...

You write: "there's this thing called "source-code" that when examined makes the system what we call a "white box"".
Ken Thompson writes: "No amount of source-level verification or scrutiny will protect you from using untrusted code". I think that you need to read Reflections on Trusting Trust more closely.