March 24, 2017

Archives for March 2007

My Supplemental E-Voting Testimony

Today I submitted supplemental written testimony, adding to my previous testimony from last week’s e-voting hearing before the House Administration Committee, Subcommittee on Elections. Today’s supplemental testimony is short, so I’ll just include it here. (The formatted version is available too.)

Thank you for the opportunity to submit this supplemental written testimony.

Some people have suggested that it might be possible to use an electronic verification system instead of the voter-verified paper ballot required by H.R. 811. For example, the verification system might be an electronic recording device developed separately from the voting machine. Congressman Ehlers mentioned this possibility during the hearing.

The idea behind such proposals is to use redundancy as a safeguard against fraud or malfunction, in the hope that a failure in one system will be redeemed by the correct behavior of the other.

Redundancy works best when the redundant systems fail independently. If System A fails whenever System B fails, then using A and B redundantly provides no benefit at all. On the other hand, if A always works perfectly when B fails, then redundancy can eliminate error entirely. Neither of these extreme cases will hold in practice. Instead we expect to see some correlation between failures of A and failures of B. Our goal is to minimize this correlation.

One way to avoid correlated failures is to make the two systems as different as possible. Common sense says that similar systems will tend to fail in similar ways and at similar times – exactly the kind of correlated failures that we want to avoid. Experience bears this out, which is why we generally want redundant systems to be as diverse as possible.

The desire for diversity is a strong argument for keeping a paper record alongside the electronic record of a voter’s ballot. Paper-plus-electronic redundancy offers much better diversity than electronic-plus-electronic redundancy would. Indeed, if we analyze the failure modes of electronic and paper systems, we see that they tend to fail in very different ways. To give just one example, in a well-designed paper ballot system the main risk of tampering is after the election, whereas in a well-designed electronic ballot system the main risk of tampering is before the election. A well-designed electronic-plus-paper system can in principle be more resistant to tampering than any system that uses either electronics or paper alone, because the paper component can resist pre-election tampering and the electronic component can resist post-election tampering.

[Footnote: In a well-designed paper system, the main tampering risk is that somebody will access the ballot box after the election and replace the real paper ballots with fraudulent ones. In a well-designed electronic system, the main tampering risk is that somebody will modify the system’s software before the election. Unfortunately, most if not all of today’s electronic voting systems are not “well-designed” in this sense – they are at significant risk of post-election tampering because they fail to use (or they use improperly) the advanced cryptographic methods that could greatly reduce the risk of post-election tampering.]

Another reason to be suspicious of electronic-plus-electronic redundancy is that claims of redundancy are often made for systems that are not at all independent. For example, most vendors of today’s paperless DRE voting machines claim to keep redundant electronic records of each ballot. In fact, what most of them do is keep two copies, in identical or similar memory chips, located in the same computer and controlled by a single software program. This is clearly inadequate, because the two copies lack diversity and will tend to fail at the same time.

Even assuming that other electronic-plus-electronic redundant systems can be suitably reliable and secure, we would need to trust that the certification process could tell the difference between adequate redundancy and the kind of pseudo-redundancy discussed in the previous paragraph. The certification process has historically had trouble making such judgments. Though there is evidence that the process is improving – and H.R. 811 would improve it further – much improvement is still necessary.

Requiring a paper ballot, on the other hand, is a bright-line rule that is easier to enforce. A bright-line rule will also inspire voter confidence, because compliance will be obvious to every voter.

FreeConference Suit: Neutrality Fight or Regulatory Squabble?

Last week FreeConference, a company that offers “free” teleconferencing services, sued AT&T for blocking access by AT&T/Cingular customers to FreeConference’s services. FreeConference’s complaint says the blocking is anticompetitive and violates the Communications Act.

FreeConference’s service sets up conference calls that connect a group of callers. Users are given an ordinary long-distance phone number to call. When they call the assigned number, they are connected to their conference call. Users pay nothing beyond the cost of the ordinary long-distance call they’re making.

As of last week, AT&T/Cingular started blocking access to FreeConference’s long-distance numbers from AT&T/Cingular mobile phones. Instead of getting connected to their conference calls, AT&T/Cingular users are getting an error message. AT&T/Cingular has reportedly admitted doing this.

At first glance, this looks like an unfair practice, with AT&T trying to shut down a cheaper competitor that is undercutting AT&T’s lucrative conference-call business. This is the kind of thing net neutrality advocates worry about – though strictly speaking this is happening on the phone network, not the Internet.

The full story is a bit more complicated, and it starts with FreeConference’s mysterious ability to provide conference calls for free. These days many companies provide free services, but they all have some way of generating revenue. FreeConference appears to generate revenue by exploiting the structure of telecom regulation.

When you make a long-distance call, you pay your long-distance provider for the call. The long-distance provider is required to pay connection fees to the local phone companies (or mobile companies) at both ends of the call, to offset the cost of connecting the call to the endpoints. This regulatory framework is a legacy of the AT&T breakup and was justified by the desire to have a competitive long-distance market coexist with local phone carriers that were near-monopolies.

FreeConference gets revenue from these connection fees. It has apparently cut a deal with a local phone carrier under which the carrier accepts calls for FreeConference, and FreeConference gets a cut of the carrier’s connection fees from those calls. If the connection fees are large enough – and apparently they are – this can be a win-win deal for FreeConference and the local carrier.

But of course somebody has to pay the fees. When an AT&T/Cingular customer calls FreeConference, AT&T/Cingular has to pay. They can pass on these fees to their customers, but this hardly seems fair. If I were an AT&T/Cingular customer, I wouldn’t be happy about paying more to subsidize the conference calls of other users.

To add another layer of complexity, it turns out that connection fees vary widely from place to place, ranging roughly from one cent to seven cents per minute. FreeConference, predictably, has allied itself with a local carrier that gets a high connection fee. By routing its calls to this local carrier, FreeConference is able to extract more revenue from AT&T/Cingular.

For me, this story illustrates everything that is frustrating about telecom. We start with intricately structured regulation, leading companies to adopt business models shaped by regulation rather than the needs of customers. The result is bewildering to consumers, who end up not knowing which services will work, or having to pay higher prices for mysterious reasons. This leads to a techno-legal battle between companies that would, in an ideal world, be spending their time and effort developing better, cheaper products. And ultimately we end up in court, or creating more regulation.

We know a better end state is possible. But how do we get there from here?

[Clarification (2:20 PM): Added the “To add another layer …” paragraph. Thanks to Nathan Williams for pointing out my initial failure to mention the variation in connection fees.]

Judge Strikes Down COPA

Last week a Federal judge struck down COPA, a law requiring adult websites to use age verification technology. The ruling by Senior Judge Lowell A. Reed Jr. held COPA unconstitutional because it is more restrictive of speech (but no more effective) than the alternative of allowing private parties to use filtering software.

This is the end of a long legal process that started with the passage of COPA in 1999. The ACLU, along with various authors and publishers, immediately filed suit challenging COPA, and Judge Reed struck down the law. The case was appealed up to the Supreme Court, which generally supported Judge Reed’s ruling but remanded the case back to him for further proceedings because enough time had passed that the technological facts might have changed. Judge Reed held another trial last fall, at which I testified. Now he has ruled, again, that COPA is unconstitutional.

The policy issue behind COPA is how to keep kids from seeing harmful-to-minors (HTM) material. Some speech is legally obscene, which means it is so icky that it does not qualify for First Amendment free speech protection. HTM material is not obscene – adults have a legally protected right to read it – but is icky enough that kids don’t have a right to see it. In other words, there is a First Amendment right to transmit HTM material to adults but not to kids.

Congress has tried more than once to pass laws keeping kids away from HTM material online. The first attempt, the Communications Decency Act (CDA), was struck down by the Supreme Court in 1997. When Congress responded by passing COPA in 1999, it used the Court’s CDA ruling as a roadmap in writing the new law, in the hope that doing so would make COPA consistent with free speech.

Unlike the previous CDA ruling, Judge Reed’s new COPA ruling doesn’t seem to give Congress a roadmap for creating a new statute that would pass constitutional muster. COPA required sites publishing HTM material to use age screening technology to try to keep kids out. The judge compared COPA’s approach to an alternative in which individual computer owners had the option of using content filtering software. He found that COPA’s approach was more restrictive of protected speech and less effective in keeping kids away from HTM material. That was enough to make COPA, as a content-based restriction on speech, unconstitutional.

Two things make the judge’s ruling relatively roadmap-free. First, it is based heavily on factual findings that Congress cannot change – things like the relative effectiveness of filtering and the amount of HTM material that originates overseas beyond the effective reach of U.S. law. (Filtering operates on all material, while COPA’s requirements could have been ignored by many overseas sites.) Second, the alternative it offers requires only voluntary private action, not legislation.

Congress has already passed laws requiring schools and libraries to use content filters, as a condition of getting Federal funding and with certain safeguards that are supposed to protect adult access. The courts have upheld such laws. It’s not clear what more Congress can do. Judge Reed’s filtering alternative is less restrictive because it is voluntary, so that computers that aren’t used by kids, or on which parents have other ways of protecting kids against HTM material, can get unfiltered access. An adult who wants to get HTM material will be able to get it.

Doubtless Congress will make noise about this issue in the upcoming election year. Protecting kids from the nasty Internet is too attractive politically to pass up. Expect hearings to be held and bills to be introduced; but the odds that we’ll get a new law that makes much difference seem pretty low.