Archives for February 2003

Sunday’s Washington Post published an AP article by Joseph B. Verrengia, detailing plans by journal editors to “Excise Material That Could Be Used by Militants to Help Make Biological Weapons.” Many prominent journals will participate, including “Science, Nature, Proceedings of the National Academies of Science, the New England Journal of Medicine and The Lancet. ”

The article is surprisingly slanted, starting with the headline, “Science Journals to Join Fight Against Terrorists,” as if the journals had not already been doing their part by publishing articles that help scientists understand and protect against biological attacks. The downsides of censoring researchers are barely mentioned, except for the very last sentence of the article, which says, “Others worry that security measures could hamper breakthroughs in basic science and engineering.”

Careful reading makes the drawbacks of censorship more obvious. Here is an example from the article of why research might need to be censored:

Indeed, it has never been easier to … hijack aerosol technology meant for convenient spray vaccines to make anthrax spores float through the air.

The implication is that some research on vaccines should be suppressed because of possible misuse. This makes the underlying tradeoff clear – the research we would be censoring is often the same research that we would use to defend ourselves.

In the current climate, it’s not surprising that calls for censorship of research are resurfacing. Apparently we need to have a debate on this topic. What we don’t need are slanted arguments that ignore the very real costs of censorship.

Karl-Friedrich Lenz, in reply to my previous e-voting posting, sings the praises of old-fashioned paper ballots, citing a Glenn Reynolds column.

I agree with Lenz and Reynolds about the virtues of simple paper ballots that ask the voter to draw an X in the box next to their candidate’s name. Paper ballots are easy for the voter to understand, hard to forge in quantity, and easy to re-count if there are doubts about the result. Their security relies on procedures that any poll worker can understand. In short, they are more secure than many of the voting systems we use here in the U.S.

I disagree with Lenz and Reynolds, though, when they say that low-tech paper ballots are our best option. My favorite approach is a hybrid one in which voters use computerized displays to make their selections, and the machine then prints out a paper ballot that the voter verifies and drops into a traditional ballot box.

Such a system has several potential advantages over a paper-only system. First, a computerized system can greatly reduce the number of improperly cast ballots; for example, it can prevent the voter from mistakenly marking two candidates for the same office. Second, the computer can write cryptographically generated bar codes onto each ballot when it is printed, thereby making it much harder to stuff the ballot box with forged ballots later. Third, if desired the computers can provide a quick but unofficial estimate of the vote immediately when the polls close.

Lots of good security engineering is needed to make these advantages real. Used wisely and in moderation, technology can help to make voting processes more accurate and more secure.

Many computer scientists (including me) have endorsed a statement opposing the use of electronic voting machines that don’t provide a voter-verifiable audit trail.

What this means is that the voter should get some concrete indication, other than just a message on a computer screen, that his or her vote has been recorded correctly. There are many ways to do this. For example, a computerized voting system might offer a convenient user interface for selecting candidates, and then print out a paper ballot that the voter can inspect and drop into a ballot box. The paper ballots then provide an auditable record of the votes that were cast.

The alternative strategy, of building a voting machine as a sealed electronic “black box,” is risky. Without an independent check on the workings of the technology, there is no practical way to ensure that the technology is functioning correctly. Misrecording of votes, whether due to malice or to a technological snafu, is too difficult to detect without an auditable record.

Unfortunately, many localities are moving ahead with purchases of the risky voting machines. Computer scientists have mobilized to try to stop this in several places, most recently in the heart of silicon valley, Santa Clara County, California.

It is tempting, in light of the imprecision and rancor we saw in Florida’s 2000 election, to look to technology to make voting processes error-free. If we knew how to make highly trustworthy technology, a closed, high-tech system might be the answer. But we don’t know how to do that – we’re not even close. Some e-voting vendors won’t even let the public know how their technology works, claiming that their design is proprietary and public scrutiny isn’t needed.

All the black box voting systems can provide today is the illusion of certainty, and that’s not enough. Every voting technology will make errors. I would much prefer a system whose errors and drawbacks are out in the open for all to see.

===

If you’re a computer scientist, you can endorse the statement here. Thanks to Stanford professor David Dill for orchestrating this effort.