A rule of thumb for assessing electronic voting systems

Electronic voting systems are now getting used more and more, and we are expected to be happy and see this fact as a sign of modernity, devoid of any danger. Supporters of electronic voting say we should trust these devices, because they they have been approved by experts.

But it's a huge error of assessment: in the case of high stakes elections, like the political elections, a voting system is acceptable not when an expert tells you, but when you, the voter, are able to convince the experts that it is safe to use it.

I had the pleasure to meet Barbara Simons last week in California, a great lady that is wholeheartedly committed to make sure unreliable voting machines are not deployed.

She told me that this important argument was not well known in the anglo-saxon world, and encouraged me to share it widely. That's why I'm now posting this translated (and enhanced) version of my 2006 post on the subject.

Old and new continents

A few years ago, it was my petty pleasure to tease my colleagues who teach at prestigious universities in the United States: electronic voting machines were being deployed all around just under their nose. Yes, those big boxes black, expensive and unreliable, that did not allow at all the electors to verify that their vote is well taken into account.

Home, I used to say them, in the old Europe, we had lived the horrors of the war, of totalitarianism, and dictatorships. These memories were still very present in the spirits of the old generations.

We knew all too well why it was fundamental to have transparent ballot boxes, voting booths, and the possibility for any citizen of forming his own belief that his vote will be properly counted and that his choice will remain anonymous: nobody would accept to vote with such opaque instruments... those were gadgets for the "average American", as we love to caricature him here on the old continent, not for us.

From educating the e-citizen...

However, I was not so sure that the memory of the past was strong enough to preserve us on the long term: since electronic voting machines are a juicy business, and their aura of modernity is quite seductive, one should not underestimate the effectiveness of marketers... After all, the internal elections of a major french party had already been held http://www.01net.com/article/197478.html online in 2002!

This is the reason why in 2004 I published an article adressed to my fellow teachers and researchers in Computer Science, to draw their attention on the importance of better "educating" our fellow citizens, so that the new generations can develop the necessary critical sense, and refuse such aberrations by themselves.

In this article, I called for introducing in the K-12 curriculum the fundamental results that are at the heart of Computer Science, and not just the mere mastery of elementary technical skills.

Unfortunately, I had greatly overestimated the capacity of our politicians to resist both the marketing ability of the vendors of these devices, and to their own fascination for everything that is 'new technology' and media friendly: with the bill of November 27, 2003, and the regulation Annex, our Ministry of the Interior had introduced computers to vote in France!

As there was no general election in the wake, this measure passed largely unnoticed, but its discovery has forced us all to change agenda: before worrying about future generations, which remains well obviously my primary goal, it was becoming urgent to educate present generations.

... to the rule of thumb for voting devices ...

Here we come to the main point of this article: I want to contribute a small stone to the main building of knowledge that should be conveyed to our citizens so that they can really understand why voting for political elections using electronic voting machines, or, worse, over the Internet or on a phone, is totally unacceptable today, and must be refused without hesitation.

Don't worry, I won't overwhelm you with theorems, demonstrations, or long technical arguments: they are of course necessary, but many prestigious computer scientists already spent considerable energy to unveil the weaknesses of electronic voting machines (see for example the campaign verifiedvoting.org led by David Dill, Professor at Stanford University, the action of Andrew Appel, Professor at Princeton University, among others); also, the french site ordinaterus-de-vote. org has amassed a huge amount of information on the subject.

What I would like to provide here is a simple rule of thumb: an elementary test accessible to everybody, allowing each of us to check by himself whether a voting mechanism or device may be considered acceptable or not.

Let's start by setting out some of the essential criteria for any political voting system: the stakes are high, given that we do not choose the winner of American Idol, but elected officials to whom we delegate an enormous power for a long time. A long history of fraud, in all countries of the world, and in all times, showed we need to be sure that

  • the voter is free to vote according to his own inner belief: nobody must be able to exert on him any kind of pressure at the time of the vote;
  • the voter can verify for himself that his vote is properly taken into account;
  • any citizen may verify that the votes are counted in accordance with the voting rules (which specifies who can vote, how many times, what vote is valid, etc.);
  • in case of doubt on the results, it is possible to conduct a public audit;

We can of course ask more than that, but we cannot ask less. We will therefore call these properties the "common core" of a voting system.

But that is not all: it is also necessary that each voter be able to form alone a deep conviction that the common core is respected by the system: he cannot delegate to others the care of this audit, as this would amount to delegating to others his own vote.

Now the time has come to present our rule of thumb, that can be cast as follows:

Acceptability test for a voting mechanism

A voting mechanism is "acceptable" if any person authorized to use it (the voter), without any special knowledge, can convince recognized security experts, historians and sociologists of the fact that the voting mechanism meets the essential criteria of a voting system (the "core").

... or the weaker rule of thumb

If you do not immediately have a panel of experts in security willing to spend the afternoon with you for the test, you can still use the next version, a bit weaker, of the rule of thumb

Weak acceptability test for a voting mechanism

A voting mechanism is "almost acceptable" if any person authorized to use it (the voter), without any special knowledge, can convince themselves alone, "without trusting anyone else", of the fact that the voting mechanism will meet the essential criteria of a voting system (the "core").

Without trusting anyone else?

Let's spend a few minutes on an important point: why do we ask that a voter's confidence in the system must not rely on trusting anyone else?

You see, the point is, if I need to trust somebody, this makes this somebody a weak link in the chain of trust. It is well known in the security experts community that the term "trusted third party", so often used by marketers to inspire confidence in a system, actually designates an entity that __can betray__ those who trust it (see more details on the Wikipedia article).

So, if a voter needs to trust a third party when assessing the core properties of a system, this simply means that the third party has the power to deceive him.

We all know that a judge needs not only be impartial, he must also look impartial.

Well for voting systems, it's the same: a voting system must not only satisfy the core properties, it must also reliably look like it satisfies them.

Otherwise, an elector can be easily coerced by entities that make him believe that they can overrule the system and discover what he voted, even if they actually cannot.

Paper voting and electronic voting under the weak rule of thumb

It is quite evident that with the transparent ballot boxes, paper ballots and the booths originally used in France, any voter that whishes to do so can, at the price of spending his day at the polling station, check the properties in the test, without any particular knowledge: it just boils down to settling comfortably somewhere near the ballot box at the beginning of the voting operations, check that the (transparent) box is empty, then follow the remainder of the operations, and report any anomaly (this is also what the representatives of the parties are supposed to do, by the way, but wary citizen can also do it). One just needs to clean his glasses, be polite with assessors, and have a little bit of patience.

On the other hand, it is also quite evident (just take the time to think it out a bit), that the electronic voting systems that have been introduced in France and elsewhere do not pass even the weak test: the ballot is transformed into immaterial electronic information, and the voter (call him John) cannot even check by himself that his vote is taken into account, as John loses all traces of it the very moment he presses the button, or touches the screen.

This is very different from what happens when John uses a teller machine: there, to get 20 dollars, he also touches a screen, but he can check immediately that what he gets is 20 dollars, and in the rare case of a mismatch, he can call the bank, and at the end of the day the physical money in the teller machine is recounted, and any difference quickly settled.

John also gets a paper receipt the he can keep: when he checks his monthly statement, if he was charged more than the 20 dollars, he has a proof to present to the bank to get the mistake corrected.

In the case of the vote, though, the requirement of anonymity forbids to publish the list of voters with their choices: John cannot check on any public statement if the vote which is recorded for him is really the one that he had cast.

It is for this reason, since the seminal work of Rebecca Mercuri, all the experts strongly recommend to dismiss all voting machine that do not keep a paper tail: the idea of the paper trail is to provide a tangible and understandable object for a human being witnessing the choice of the voter after its digitalization, and that also allows to recount the votes (not only in case of doubt, but systematically, on a significant sample to check the system). Remark that the requirement of non coercibility forbids to give John any kind of proof of what he voted that he could use to complain in case of a miscount, because the same proof exposes him to the risk of bribery or coercion. So this paper trail must be kept by the machine, and that adds some complexity to the systems.

However, paper trail or not, as soon as there is a machine in the process there is no guarantee that the vote is truly anonymous: at the time when John presses a key or a button on a screen, a lot of things can happen ... the machine can record the exact time of the vote, issue an ultrasonic signal or send a radio message to another room and this even unbeknownst to its vendor .

Conclusion

A political election is of the highest importance, and one cannot allow the slightest trace of doubt hover over it. You may find it unconvenient, but the truth is that you cannot build your confidence in a voting system based on third party expert opinions, no matter how powerful, renowned or trusted these experts may be (yes, me included).

You need to form your own opinion on all this, and the fact that you are not a security expert is not an excuse, on the contrary: the weak rule of thumb set out in this article is sufficient for you to decide to refuse, and rightly so, a large set of systems.

Once we overcome the emergency, we will have time to put in place the strong rule of thumb, and that will uncover many other issues in voting systems, electronic or not. But that one is another story.

Post Scriptum: Free and Open Source Software

Over the past years, I have seen a recent trend that advocates Free and Open Source Software as a solution for building trust in an electronic voting system. Well, I am a long term advocate of Free and Open Source software, and went public on this since 1998, but let me state clearly that I do not subscribe to this point of view.

Advocating the availability of source code as an element of trust for a voting system is just adding another "trusted third party" weak link in the chain of trust. When a voter goes to the booth, he obviously cannot say to the officials there "Hey, you know, I'm not really sure of the software running on this machine... may you please give me the source code? I need to take a couple of weeks reading each line of it to make sure it has no trapdoors, then I'll recompile it and run on the machine before actually casting my vote".

The voter is actually forced to trust a third party for having read the code, and checked that the binary installed on that particular voting machine in that particular moment actually performs exactly as the source code describes. And this is very very tricky to get right, as Ken Thompson's Turing award lecture taught us decades ago.

So, yes, open source electronic voting systems are very useful to help researchers study the subject and collaborate on advancing our knowledge.

But no, open source electronic voting systems do not pass the rule of thumb test any better than closed source ones.

Post Post Scriptum: when the paper trail fails

In fall 2016, in Argentina, professors and researchers from several computer science and engineering departments opposed the introduction of voting ... and succeeded in convincing the elected representatives to refuse it.

Particularly enjoyable is the demonstration performed in the Senate on how to expose the voter's choices by hacking ... the printer that produces the paper trail! This is a brilliant attack I had not seen before, and confirms again that a trust chain is only as strong as the weakest link in it!