March 26, 2017

Archives for December 2006

Voting, Secrecy, and Phonecams

Yesterday I wrote about the recent erosion of the secret ballot. One cause is the change in voting technology, especially voting by mail. But even if we don’t change our voting technology at all, changes in other technologies are still eroding the secret ballot.

Phonecams are a good example. You probably carry into the voting booth a silent camera, built into a mobile phone, that can transmit photos around the world within seconds. Many phones can shoot movies, making it even easier to document your vote. Here is an example shot in 2004.

Could such a video be faked? Probably. But if your employer or union boss threatens your job unless you deliver a video of yourself voting “correctly”, will you bet your job that your fake video won’t be detected? I doubt it.

This kind of video recording subverts the purpose of the voting booth. The booth is designed to ensure the secret ballot by protecting voters from being observed while voting. Now a voter can exploit the privacy of the voting booth to create evidence of his vote. It’s not an exact reversal – at least the phonecam attack requires the voter’s participation – but it’s close.

One oft-suggested approach to fighting this problem is to have a way to revise your vote later, or to vote more than once with only one of the votes being real. This approach sounds promising at first, but it seems to cause other problems.

For example, imagine that you can get as many absentee ballots as you want, but only one of them counts and the others will be ignored. Now if somebody sees you complete and mail in a ballot, they can’t tell whether they saw your real vote. But if this is going to work, there must be no way to tell, just by looking at a ballot, whether it is real. The Board of Elections can’t send you an official letter saying which ballot is the real one – if they did, you could show that letter to a third party. (They could send you multiple letters, but that wouldn’t help – how could you tell which letter was the real one?) They can notify you orally, in person, but that makes it harder to get a ballot and lets the clerk at the Board of Elections quietly disenfranchise you by lying about which ballot is real.

(I’m not saying this problem is impossible to solve, only that (a) it’s harder than you might expect, and (b) I don’t know a solution.)

Approaches where you can cancel or revise your vote later have similar problems. There can’t be a “this is my final answer” button, because you could record yourself pushing it. But if there is no way to rule out later revisions to your vote, then you have to worry about somebody else coming along later and changing your vote.

Perhaps the hardest problem in voting system design is how to reconcile the secret ballot with accuracy. Methods that protect secrecy tend to undermine accuracy, and vice versa. Clever design is needed to get enough secrecy and enough accuracy at the same time. Technology seems to be making this tradeoff even nastier.

Erosion of the Secret Ballot

Voting technology has changed greatly in recent years, leading to problems with accuracy and auditability. These are important, but another trend has gotten less attention: the gradual erosion of the secret ballot.

It’s useful to distinguish two separate conceptions of the secret ballot. Let’s define weak secrecy to mean that the voter has the option of keeping his ballot secret, and strong secrecy to mean that the voter is forced to keep his ballot secret. To put it another way, weak secrecy means the ballot is secret if the voter cooperates in maintaining its secrecy; strong secrecy means the ballot is secret even if the voter wants to reveal it.

The difference is important. No system can stop a voter from telling somebody how he voted. But strong secrecy prevents the voter from proving how he voted, whereas weak secrecy does not rule out such a proof. Strong secrecy therefore deters vote buying and coercion, by stopping a vote buyer from confirming that he is getting what he wants – a voter can take the payment, or pretend to knuckle under to the coercion, while still voting however he likes. With weak secrecy, the buyer or coercer can demand proof.

In theory, our electoral system is supposed to provide strong secrecy, as a corrective to an unfortunate history of vote buying and coercion. But in practice, our system provides only weak secrecy.

The main culprit is voting by mail. A mail-in absentee ballot is only weakly secret, the voter can mark and mail the ballot in front of a third party, or the voter can just give the blank ballot to the third party to be filled out. Any voter who wants to reveal his vote can request an absentee ballot. (Some states allow absentee voting only for specific reasons, but in practice people who are willing to sell their votes will also be willing to lie about their justification for absentee voting.)

Strong secrecy seems to require the voter to cast his ballot in a private booth, which can only be guaranteed at an officially run polling place.

The trend toward voting by mail is just one of the forces eroding the secret ballot. Some e-voting technologies fail to provide even weak secrecy, for example by recording ballots in the order they were cast, thereby allowing officials or pollwatchers who record the order of voters’ appearance (as happens in many places) to connect each recorded vote to a voter.

Worse yet, even if a complex voting technology does protect secrecy, this may do little good if voters aren’t confident that the system really protects them. If everybody “knows” that the party boss can tell who votes the wrong way, the value of secrecy will be lost no matter what the technology does. For this reason, the trend toward complex black-box technologies may neutralize the benefits of secrecy.

If secrecy is being eroded, we can respond by trying to restore it, or we can decide instead to give up on secrecy or fall back to weak secrecy. Merely pretending to enforce strong secrecy looks like a recipe for bad policy.

(Thanks to Alex Halderman and Harlan Yu for helpful conversations on this topic.)

Paper Trail Standard Advances

On Tuesday, the Technical Guidelines Development Committee (TGDC), the group drafting the next-generation Federal voting-machine standards, voted unanimously to have the standards require that new voting machines be software-independent, which in practice requires them to have some kind of paper trail.

(Officially, TGDC is drafting “guidelines”, but the states generally require compliance with the guidelines, so they are de facto standards. For brevity, I’ll call them standards.)

The first attempt to pass such a requirement failed on Monday, on a 6-6 vote; but a modified version passed unanimously on Tuesday. The most interesting modification was an exception for existing machines: new machines will have to be software-independent but already existing machines won’t. There’s no scientific or security rationale for treating new and old machines differently, so this is clearly a political compromise designed to lower the cost of compliance by sacrificing some security.

If you believe, as almost all computer scientists do, that paper trails are necessary today for security, you’ll be happy to see the requirement for new machines, but disappointed that existing paperless voting machines will be allowed to persist.

Whether you see the glass as half full or half empty depends on whether you see the quest for paper trails as mainly legal or mainly political, that is, whether you look to courts or legislatures for progress.

In court, the exception for existing machines will be strong, assuming it’s written clearly into the standard. It will be hard to get rid of the old machines by filing lawsuits, or at least the new standards won’t be useful in court. If anything, the new standards may be seen as ratifying the decision to stick with old, insecure machines.

In legislatures, on the other hand, the standard will be an official ratification of the fact that paper trails are preferable. The latest, greatest technology will use paper trails, and paperless designs will look old-fashioned. The exception for old machines will look like a money-saving compromise, and few legislators will want to be seen as risking democracy to save money.

As for me, I see legislatures more than courts, and politics more than lawyering, as driving the trend toward paper trails. Thirty-five states either have a paper trail statewide or require one to be adopted by 2008. The glass is already 70% full, and the new standards will help fill it the rest of the way.