07:17 PM
Sara Peters
Sara Peters
Connect Directly

Cutting Through E-Voting Debate Semantics

The United Kingdom's government said unequivocably that the U.K. will not now, nor in the foreseeable future, adopt electronic voting.

The United Kingdom's government said unequivocably that the U.K. will not now, nor in the foreseeable future, adopt electronic voting.According to today's story at The Register:

    Michael Wills, a Minister of State at the Ministry of Justice, was asked if the government planned to introduce e-voting before the local and European elections in 2009. He said last week: "The Government do not plan to introduce e-voting for the 2009 European or local elections ... The Government have no plans for further e-voting pilots in statutory elections at this stage."

I did a story about e-voting a few years ago, and found it quite a vexing, exhausting process, because one had to viciously hack through a thicket of semantics to find out what e-voting proponents and e-voting opponents were really arguing about so vociferously.

So I'll now attempt to save you (and your machete) the effort, and give you the gist of the semantic debate. If you want a much more thorough, minutiae-rich account (and you're a member of the Computer Security Institute), you can read that here.

First off: not all e-voting machines are created equal. "Optical scan" voting machines are technically e-voting machines, but are actually heartily recommended by many people who are often lumped into the category of "e-voting opponents." What we most often think of as "e-voting machines" are DREs (Direct Recording Electronic machines). In essence the debate is all about whether or not meaningful audits of the voting machines' accuracy and integrity can be conducted. Meaningful.

After the polls close, a voting machine spits out a summary report of how many votes were cast for each candidate. There should be a way to verify that a) the machine's count is accurate (like if 500 voters cast votes for Candidate A, the summary report will actually say that 500 voters cast votes for Candidate A), b) the machine recorded each individual vote accurately, and c) the machine/votes have not been tampered with.

Most e-voting opponents say that the only way to conduct meaningful audits is for the voting system to create a "Voter-Verified Paper Trail," or VVPAT. In a basic DRE system, a voter presses a button (or types in a write-in ballot) to cast their vote, and then the DRE system pops up a little message on the screen saying, "You voted for 'Upstanding Citizen' for 'Senate.' Is that OK?" and then the voter will press either "OK" or "decline." The voter simply has to trust that when they pressed "Upstanding Citizen" the machine did not record "Evil Mastermind."

In a DRE-with-VVPAT scenario, the voter doesn't see the "Is that OK?" thing just on screen. The machine, rather, prints the voter's votes on a slip of paper, which appears behind a glass window. If the printout has it right, you hit OK, and the slip of paper is then dropped into a secured box.

If for some reason -- either because there's a call for a recount, or because the polling place has been randomly chosen for a manual audit mandated by the state -- the votes need to be verified, the human count of the little slips of paper can be verified against the machine's count. (And presumably, in the event of an incongruity, the paper count will be considered the official number.)

Here's where we really get into semantics. Here's an excerpt I've lifted directly from my November 2006 Alert story:

    Some supporters of DREs-without-VVPATs claim -- either out of snarkiness or ignorance -- that a voter can verify their vote on a regular DRE, because it has an OK/change screen. But this misses the intent of a voter verification mechanism -- it is not meant to verify that the voter cast their vote correctly, but that the machine recorded their vote correctly...

    So, technically speaking, a DRE can provide the necessary elements of a recount. The individual votes can be printed from the machine's internal memory and hand-counted. The DRE even goes one step further, because the votes could also be printed from the removable memory card in case the internal memory was destroyed or corrupted. These devices are encrypted to make them resistant to tampering of stored data.

    However, there is still no way to assure the integrity of any of the data. If some error or fraud happened between the time that a voter cast their vote and the time the vote was stored, then a recount would simply retabulate the same erroneous or fraudulent data.

    Some say a VVPAT (or other form of voter verification) captures the intent of the voter, but, once again, this isn't exactly true. Paper doesn't magically divine a voter's will. If it did, there wouldn't be questions like "Does this dimpled chad indicate a vote for this candidate or that the voter abstained from casting a vote in that race?" "If the voter filled in equally dark circles for two candidates in the same race, which one did they actually want?"

    What a VVPAT does capture is what vote the voter actually cast. If the voter leans on the keyboard, types in ""Aa;KJF" for governor and clicks "OK," it's their error, not the machine's, so it's still a valid vote.

There's a lot more to be said on this topic, but in general it's about transparency and citizens having trust in the system.

As Avi Rubin, author of Brave New Ballot, told the Associated Press in 2006, "The problem is not that elections have been rigged, necessarily; it's that you can't say for sure that they weren't."

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Current Issue
Five Emerging Security Threats - And What You Can Learn From Them
At Black Hat USA, researchers unveiled some nasty vulnerabilities. Is your organization ready?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
According to industry estimates, about a million new IT security jobs will be created in the next two years but there aren't enough skilled professionals to fill them. On top of that, there isn't necessarily a clear path to a career in security. Dark Reading Executive Editor Kelly Jackson Higgins hosts guests Carson Sweet, co-founder and CTO of CloudPassage, which published a shocking study of the security gap in top US undergrad computer science programs, and Rodney Petersen, head of NIST's new National Initiative for Cybersecurity Education.