November 20, 2017

My Supplemental E-Voting Testimony

Today I submitted supplemental written testimony, adding to my previous testimony from last week’s e-voting hearing before the House Administration Committee, Subcommittee on Elections. Today’s supplemental testimony is short, so I’ll just include it here. (The formatted version is available too.)

Thank you for the opportunity to submit this supplemental written testimony.

Some people have suggested that it might be possible to use an electronic verification system instead of the voter-verified paper ballot required by H.R. 811. For example, the verification system might be an electronic recording device developed separately from the voting machine. Congressman Ehlers mentioned this possibility during the hearing.

The idea behind such proposals is to use redundancy as a safeguard against fraud or malfunction, in the hope that a failure in one system will be redeemed by the correct behavior of the other.

Redundancy works best when the redundant systems fail independently. If System A fails whenever System B fails, then using A and B redundantly provides no benefit at all. On the other hand, if A always works perfectly when B fails, then redundancy can eliminate error entirely. Neither of these extreme cases will hold in practice. Instead we expect to see some correlation between failures of A and failures of B. Our goal is to minimize this correlation.

One way to avoid correlated failures is to make the two systems as different as possible. Common sense says that similar systems will tend to fail in similar ways and at similar times – exactly the kind of correlated failures that we want to avoid. Experience bears this out, which is why we generally want redundant systems to be as diverse as possible.

The desire for diversity is a strong argument for keeping a paper record alongside the electronic record of a voter’s ballot. Paper-plus-electronic redundancy offers much better diversity than electronic-plus-electronic redundancy would. Indeed, if we analyze the failure modes of electronic and paper systems, we see that they tend to fail in very different ways. To give just one example, in a well-designed paper ballot system the main risk of tampering is after the election, whereas in a well-designed electronic ballot system the main risk of tampering is before the election. A well-designed electronic-plus-paper system can in principle be more resistant to tampering than any system that uses either electronics or paper alone, because the paper component can resist pre-election tampering and the electronic component can resist post-election tampering.

[Footnote: In a well-designed paper system, the main tampering risk is that somebody will access the ballot box after the election and replace the real paper ballots with fraudulent ones. In a well-designed electronic system, the main tampering risk is that somebody will modify the system’s software before the election. Unfortunately, most if not all of today’s electronic voting systems are not “well-designed” in this sense – they are at significant risk of post-election tampering because they fail to use (or they use improperly) the advanced cryptographic methods that could greatly reduce the risk of post-election tampering.]

Another reason to be suspicious of electronic-plus-electronic redundancy is that claims of redundancy are often made for systems that are not at all independent. For example, most vendors of today’s paperless DRE voting machines claim to keep redundant electronic records of each ballot. In fact, what most of them do is keep two copies, in identical or similar memory chips, located in the same computer and controlled by a single software program. This is clearly inadequate, because the two copies lack diversity and will tend to fail at the same time.
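To make the correlated-failure argument of the testimony concrete, here is an added example (not part of the testimony) that computes the probability that both redundant records of a ballot are wrong, given each record's failure rate and a correlation coefficient between the two failure events. The per-ballot failure rates and correlations are constructed assumptions, chosen to compare the two-identical-chips design described above with a paper-plus-electronic design.

```python
import math


def joint_failure_probability(p_a: float, p_b: float, rho: float) -> float:
    """Probability that BOTH redundant records of a ballot are wrong.

    p_a, p_b : marginal failure probability of each record (per ballot).
    rho      : phi coefficient between the two failure events:
               0 = independent, 1 = always fail together, -1 = never fail together.
    The testimony's extremes: rho=1 means redundancy adds nothing,
    rho=-1 means the joint failure is eliminated entirely.
    """
    for p in (p_a, p_b):
        if not 0.0 <= p <= 1.0:
            raise ValueError("probabilities must lie in [0, 1]")
    if not -1.0 <= rho <= 1.0:
        raise ValueError("rho must lie in [-1, 1]")
    cov = rho * math.sqrt(p_a * (1.0 - p_a) * p_b * (1.0 - p_b))
    joint = p_a * p_b + cov
    # A requested rho may be infeasible for these marginals; clamp to the
    # Frechet bounds so the result is always a valid probability.
    lower = max(0.0, p_a + p_b - 1.0)
    upper = min(p_a, p_b)
    return min(max(joint, lower), upper)


def expected_unrecoverable_ballots(n_ballots: int, p_a: float, p_b: float, rho: float) -> float:
    """Expected number of ballots for which neither record can be trusted."""
    return n_ballots * joint_failure_probability(p_a, p_b, rho)


# Constructed (assumed) per-ballot failure rates and correlations, for illustration only.
DESIGNS = {
    # Two copies in similar chips, same computer, same program: near-total correlation.
    "two identical memory chips": (0.01, 0.01, 0.95),
    # Paper and electronic records tend to fail in different ways: low correlation.
    "paper plus electronic": (0.01, 0.01, 0.05),
}

if __name__ == "__main__":
    for name, (p_a, p_b, rho) in DESIGNS.items():
        both = joint_failure_probability(p_a, p_b, rho)
        per_million = expected_unrecoverable_ballots(1_000_000, p_a, p_b, rho)
        print(f"{name:28s} P(both fail) = {both:.6f}  unrecoverable per 1M ballots = {per_million:.0f}")
```

With the assumed rates, the identical-chip design loses about sixteen times as many ballots to joint failure as the diverse design, even though each individual record is equally reliable in both.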

Even assuming that other electronic-plus-electronic redundant systems can be suitably reliable and secure, we would need to trust that the certification process could tell the difference between adequate redundancy and the kind of pseudo-redundancy discussed in the previous paragraph. The certification process has historically had trouble making such judgments. Though there is evidence that the process is improving – and H.R. 811 would improve it further – much improvement is still necessary.

Requiring a paper ballot, on the other hand, is a bright-line rule that is easier to enforce. A bright-line rule will also inspire voter confidence, because compliance will be obvious to every voter.

Comments

  1. David Jefferson says:

    This is the clearest, simplest explanation of these points I have seen to date. I hope this post is widely read. Excellent.

  2. There’s still a fundamental ingredient missing from all this — voters need a system that THEY can understand and thus seen to be fair. 99% of voters do not understand cryptography and never will. The only thing well understood about software is how unreliable it is. When it does mess up you get no warning and no one can explain why it happened. One black-box, two black-boxes or a wall of black-boxes — you might as well paint goggle-eyes on the side of a toaster, put a flashing police light on the top and sell it as an electronic scrutineer.

    Please think about appropriate technology, not about cool technology. Paper ballots — filled in with a pen by a human, counted by humans and plenty of independent human scrutineers.

  3. Tel: I disagree. Millions of people use cryptography every day to make purchases online without understanding the math and I’m sure most care more about their wallets than voting security.

    These systems should be evaluated on their actual security benefits, not simply benefits a layman can understand. And, even if the precise details cannot be explained, the general principles certainly can be.

  4. Ed-

    I wrote about the e-voting problems over two years ago, following the problems and issues in the 2004 Presidential elections. I updated the article back in February, following the announcement of Florida’s switch to e-voting machines with a paper audit trail. You can read my post on this subject at:

    I hope you find it of interest.

    Dan

  5. Ed-

    I wrote about the e-voting problems over two years ago, following the problems and issues in the 2004 Presidential elections. I updated the article back in February, following the announcement of Florida’s switch to e-voting machines with a paper audit trail. You can read my post on this subject at: LINK

    I hope you find it of interest.

    Dan

  6. Bill Zeller, you forgot one little thing. The Constitution does not mandate transparency of validating credit card transactions, but it does mandate transparency of the electoral processes. Maybe you have a wee problem there.