Risk
10/27/2008
07:17 PM
Sara Peters
Sara Peters
Commentary
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Cutting Through E-Voting Debate Semantics

The United Kingdom's government said unequivocably that the U.K. will not now, nor in the foreseeable future, adopt electronic voting.

The United Kingdom's government said unequivocably that the U.K. will not now, nor in the foreseeable future, adopt electronic voting.According to today's story at The Register:

    Michael Wills, a Minister of State at the Ministry of Justice, was asked if the government planned to introduce e-voting before the local and European elections in 2009. He said last week: "The Government do not plan to introduce e-voting for the 2009 European or local elections ... The Government have no plans for further e-voting pilots in statutory elections at this stage."

I did a story about e-voting a few years ago, and found it quite a vexing, exhausting process, because one had to viciously hack through a thicket of semantics to find out what e-voting proponents and e-voting opponents were really arguing about so vociferously.

So I'll now attempt to save you (and your machete) the effort, and give you the gist of the semantic debate. If you want a much more thorough, minutiae-rich account (and you're a member of the Computer Security Institute), you can read that here.

First off: not all e-voting machines are created equal. "Optical scan" voting machines are technically e-voting machines, but are actually heartily recommended by many people who are often lumped into the category of "e-voting opponents." What we most often think of as "e-voting machines" are DREs (Direct Recording Electronic machines). In essence the debate is all about whether or not meaningful audits of the voting machines' accuracy and integrity can be conducted. Meaningful.

After the polls close, a voting machine spits out a summary report of how many votes were cast for each candidate. There should be a way to verify that a) the machine's count is accurate (like if 500 voters cast votes for Candidate A, the summary report will actually say that 500 voters cast votes for Candidate A), b) the machine recorded each individual vote accurately, and c) the machine/votes have not been tampered with.

Most e-voting opponents say that the only way to conduct meaningful audits is for the voting system to create a "Voter-Verified Paper Trail," or VVPAT. In a basic DRE system, a voter presses a button (or types in a write-in ballot) to cast their vote, and then the DRE system pops up a little message on the screen saying, "You voted for 'Upstanding Citizen' for 'Senate.' Is that OK?" and then the voter will press either "OK" or "decline." The voter simply has to trust that when they pressed "Upstanding Citizen" the machine did not record "Evil Mastermind."

In a DRE-with-VVPAT scenario, the voter doesn't see the "Is that OK?" thing just on screen. The machine, rather, prints the voter's votes on a slip of paper, which appears behind a glass window. If the printout has it right, you hit OK, and the slip of paper is then dropped into a secured box.

If for some reason -- either because there's a call for a recount, or because the polling place has been randomly chosen for a manual audit mandated by the state -- the votes need to be verified, the human count of the little slips of paper can be verified against the machine's count. (And presumably, in the event of an incongruity, the paper count will be considered the official number.)

Here's where we really get into semantics. Here's an excerpt I've lifted directly from my November 2006 Alert story:

    Some supporters of DREs-without-VVPATs claim -- either out of snarkiness or ignorance -- that a voter can verify their vote on a regular DRE, because it has an OK/change screen. But this misses the intent of a voter verification mechanism -- it is not meant to verify that the voter cast their vote correctly, but that the machine recorded their vote correctly...

    So, technically speaking, a DRE can provide the necessary elements of a recount. The individual votes can be printed from the machine's internal memory and hand-counted. The DRE even goes one step further, because the votes could also be printed from the removable memory card in case the internal memory was destroyed or corrupted. These devices are encrypted to make them resistant to tampering of stored data.

    However, there is still no way to assure the integrity of any of the data. If some error or fraud happened between the time that a voter cast their vote and the time the vote was stored, then a recount would simply retabulate the same erroneous or fraudulent data.

    Some say a VVPAT (or other form of voter verification) captures the intent of the voter, but, once again, this isn't exactly true. Paper doesn't magically divine a voter's will. If it did, there wouldn't be questions like "Does this dimpled chad indicate a vote for this candidate or that the voter abstained from casting a vote in that race?" "If the voter filled in equally dark circles for two candidates in the same race, which one did they actually want?"

    What a VVPAT does capture is what vote the voter actually cast. If the voter leans on the keyboard, types in ""Aa;KJF" for governor and clicks "OK," it's their error, not the machine's, so it's still a valid vote.

There's a lot more to be said on this topic, but in general it's about transparency and citizens having trust in the system.

As Avi Rubin, author of Brave New Ballot, told the Associated Press in 2006, "The problem is not that elections have been rigged, necessarily; it's that you can't say for sure that they weren't."

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3352
Published: 2014-08-30
Cisco Intelligent Automation for Cloud (aka Cisco Cloud Portal) 2008.3_SP9 and earlier does not properly consider whether a session is a problematic NULL session, which allows remote attackers to obtain sensitive information via crafted packets, related to an "iFrame vulnerability," aka Bug ID CSCuh...

CVE-2014-3908
Published: 2014-08-30
The Amazon.com Kindle application before 4.5.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2010-5110
Published: 2014-08-29
DCTStream.cc in Poppler before 0.13.3 allows remote attackers to cause a denial of service (crash) via a crafted PDF file.

CVE-2012-1503
Published: 2014-08-29
Cross-site scripting (XSS) vulnerability in Six Apart (formerly Six Apart KK) Movable Type (MT) Pro 5.13 allows remote attackers to inject arbitrary web script or HTML via the comment section.

CVE-2013-5467
Published: 2014-08-29
Monitoring Agent for UNIX Logs 6.2.0 through FP03, 6.2.1 through FP04, 6.2.2 through FP09, and 6.2.3 through FP04 and Monitoring Server (ms) and Shared Libraries (ax) 6.2.0 through FP03, 6.2.1 through FP04, 6.2.2 through FP08, 6.2.3 through FP01, and 6.3.0 through FP01 in IBM Tivoli Monitoring (ITM)...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.