January 20, 2019

Archives for April 2008

Shamos on paper trails

In an interview today with CNet, Michael Shamos talks about paper trails.  Shamos is a professor at CMU who has served as a voting system analyst for the Pennsylvania Secretary of State. In this article, a transcript of an interview conducted by Declan McCullagh, he spends a fair bit of time trashing paper trails, and by that, he’s referring to the “toilet paper roll” thermal printer attachments that are sold by the major U.S. voting system vendors.

He’s correct, to a limited extent.  He discusses a “20%” failure rate, which he probably gets from some problems in Ohio.  It’s certainly the case that these things are poorly engineered.  The ostensible reason for the continuous paper roll, as opposed to cutting the sheets individually, is that you’d have better reliability.  However, having the votes recorded in the order they were cast is a clear violation of voter privacy.  A more serious concern with paper trails is that it’s unclear whether voters will bother to double-check them at all.  I’ve pointed Freedom to Tinker readers at Sarah Everett’s PhD thesis before and it’s worth doing it again.  The punchline is that roughly two thirds of the test subjects didn’t notice when our homebrew DRE system was lying on its summary screen.  In fact, they gave our machine exceptionally high marks.  They loved it.

Shamos criticizes the EFF, VerifiedVoting, the League of Women voters, and anybody else he can think of because they advocate for paper trails.  The preferred solution that they generally advocate is hand-marked optical scan ballots.  These appear to have better accuracy, and paper ballots are, inherently, paper trails that give us an unfiltered window into the voters’ original intent.  Don’t interpret Shamos’s criticism of toilet-paper rolls as a criticism of hand-marked paper ballots.

Shamos goes on to make a flip comparison between “ATM technology” and voting systems, saying we could have reliable paper trails if we only spent 10x the cost.  This is a very strange argument.  ATMs are expensive because they have a safe full of cash inside.  It’s important that you can’t steal the cash, even if you’ve got time and tools at your disposal.  Voting systems (at least anywhere I’ll ever be likely to vote) don’t dispense money.  Building a reliable printer doesn’t need to be expensive.

Then Shamos gets into the meat of the argument for paper trails.

I’m not advocating that we blindly trust machines. We have to have a way to make sure the (record is correct). If anything happens to that piece of paper, if it gets substituted or lost, there’s absolutely no way to reconstruct the election. that’s unlike an electronic system, which is if one memory fails you have the other.

The security on ballot boxes is much lower than the security on voting machines themselves. In order to do anything with those pieces of paper, they have to be handled by people. What do you think happens?

If I want to screw up an election, all I have to do is modify five votes. Then we have to do a manual recount (which is vulnerable to tampering and ballot-stuffing).

This is completely false.  Paper records are redundant with the electronic records, and that’s a huge feature.  That means that you can compare them, either statistically in aggregate, or even one-to-one (assuming there are serial numbers, which could cause some privacy concerns, but maybe you can obscure those in barcodes).  It’s certainly the case that missing paper votes can be reconstructed from electronic records.  When you have both, you reconcile.  If there’s ambiguity, then you need to resolve that ambiguity.  You then have a forensic problem.  If all the tamper-evident stickers and locks on the paper ballot box were disturbed, maybe you’re more likely to trust the electronic parts.  If the totals are radically divergent, you can’t tell which is more authentic, and the election is tight, then maybe the proper answer (from a scientific perspective) is to throw your hands up and say that you cannot legitimately state who won the election as a result of fraud.  This is defensible, scientifically, but it could lead to a political crisis.  Nobody ever said election administration was easy.

Doing away with the paper only does away evidence that might help you discover fraud.  Even if you cannot come up with the proper answer, it’s better to at least know you were under attack.

The fundamental difficulty with paper trails is that they’re ridiculously kludgey. The problem is that once you mandate paper trails, it cuts off research. There would be no reason to use anything else because it would be illegal.

Speaking as somebody who does research in electronic voting, I don’t feel that laws mandating paper trails would stop me from studying alternatives.  The 2007 VVSG standards process includes an “innovation class” for how vendors can get funky fresh technologies certified for use.  The trick is to make sure that the innovation class isn’t a loophole that vendors can use for the current crop of insecure equipment.

Does that mean you’re suggesting that we should be voting from insecure home computers even if they’re running Windows 98?
Shamos: I can point you to a mechanism (in a paper by Avi Rubin and Dan Wallach) that would allow secure voting on insecure terminals. The notion that the Internet is just not secure enough to do anything important is just wrong. It’s not insurmountable. The right people aren’t thinking about it because you gotta have a paper trail.

Really?  A recent paper that I just submitted to a workshop talked about how Internet voting might work, by virtue of having remote precincts set up in places like embassies and consulates, and using dedicated voting machines.  You could send the results home over the Internet.  Voting on dedicated voting machines with an Internet connection might be workable.  Voting on Windows 98 PCs would be an unmitigated disaster.  Botnets control literally millions of computers out there.  What if you’re voting from a botnet-infested computer?  Could the botnet modify your vote?  Why not?  For these sorts of reasons, the authors of the SERVE Report, including Avi Rubin, recommended strongly against voting on generic PCs.  Shamos says that Avi and I would support secure voting on insecure terminals?  Sure.  We’ll probably be beaten by the bioengineers working on flying pigs.

Update: in private email, Shamos states that he was citing our 2003 workshop paper, “Authentication for Remote Voting“.  That paper discusses how to do bidirectional remote authentication, which would certainly be applicable to an Internet-based remote voting system.  That paper, however, offers no technique that could allow for secure voting on insecure home computers.

I say, and the advocates are forced to admit it, that there’s never been any evidence that a DRE machine has been tampered with in an election. They say that doesn’t mean it never happened. I agree with that. But I believe deeply that if people were out there trying to hack elections we would see evidence of failed attempts.

Indeed, there’s no evidence to support a lack of tampering, but that’s meaningless.  A better way to look at this is that the incredibly poor security of modern paperless electronic voting systems makes it cheaper than it ever has been before to manipulate votes.  The cost per vote for electronic manipulation is almost nill, particularly if you allow for viral attacks, where one corrupt DRE can take out the entire tabulation system (a vulnerably shown to apply to Hart InterCivic and Diebold as part of the California Top to Bottom reports from last summer).  Regardless of whether somebody has attempted an attack like this, it’s dirt cheap – cheaper than with paper, because manipulating paper takes more time and more labor.  The economic incentives are clearly in play for electronic election fraud.  The big question is whether it’s more cost effective to manipulate voters through other means (e.g., dubious television advertising, robotic phone calls, etc.).

When a bridge collapses, do we outlaw bridges or do we inspect bridges of similar design? If the design itself is fundamentally flawed, then those bridges are going to have to be taken out of service and rebuilt. If there’s a fix, however, you can add a bracing member.

Excellent point.  DRE systems from all the major vendors have been conclusively shown to be fundamentally flawed in their design.  Even if and when the vendors patch their software, the time delay to push those patches through the certification process guarantees they won’t be ready for November.  Optically scanned paper ballots are available today and they work quite well (despite known security vulnerabilities in the tabulators).  Likewise, junky toilet-paper roll printers are available today, despite known problems with their ability to print and with voter’s ability to catch mistakes.

One last point:

Please don’t use the term “paperless.” It’s a construction of the advocates and it’s false and misleading. They’re not paperless. They just don’t produce a contemporaneous paper that the voter can view.

The word “paperless” is really insidious. The word “less” is meant to imply that they’re thereby missing something. Whoever decided to come up with the term “paperless” deserves a left-handed prize for their imagination. It’s wonderful for them. Paperless.

Yes, “paperless.”  It’s a fine word.  I’ve been using it for years.  It concisely captures the lack of redundancy, the reliance on poorly engineered software, and the risky nature of using paperless DRE voting systems for something as important as a national election.

Paperless electronic voting systems can be made better, using tricks like Benaloh’s challenge mechanism, which can catch a machine, in the act, while it might otherwise be trying to corrupt the vote.  We used a variant on his mechanism in our research prototype (paper to appear this summer at Usenix Security).  Nonetheless, I really like the term “paperless” when hooked to “electronic voting machine” because it creates a burden of proof for the system designer.  You want to go paperless?  Fine.  Prove to us that your system is secure.  Without paper, we’ll assume it’s insecure until proven otherwise.

How can we require ID for voters?

Recently, HR 5036 was shot down in Congress.  That bill was to provide “emergency” money to help election administrators who wished to replace paperless voting systems with optically scanned paper ballots (or to add paper-printing attachments to existing electronic voting systems).  While the bill initially received strong bipartisan support, it was opposed at the last minute by the White House.  To the extent that I understand the political subtext of this, the Republicans wanted to attach a Voter ID requirement to the bill, and that gummed up the works.  (HR 5036 isn’t strictly dead, since it still has strong support, but it was originally fast tracked as a “non-controversial” bill, and it is now unlikely to gain the necessary 2/3 majority.)

I’ve been thinking for a while about this whole voter ID problem, and I have to say that I don’t really see a big problem with requiring that voters present ID so they can vote.  This kind of requirement is used in other countries like Mexico and it seems to work just fine.  The real issue is making sure that all people who might want to vote actually have IDs, which is a real problem for the apparently non-trivial number of current voters who lack normal ID cards (and, who we are led to believe, tend to vote in favor of Democrats).

The question then becomes how to get IDs for everybody.  One answer is to put election authorities in charge of issuing special voting ID cards.  This works in other countries, but nobody would ever support such a thing in the U.S. because it would be fantastically expensive and the last thing we need is yet another ID card.  The “obvious” solution is to use driver’s licenses or official state IDs (for non-drivers).  But, what if you’ve never had a driver’s license?

As an example, here are Texas’s list of requirements to get a driver’s license.  Notice how they also require you have proof of a social security number?  If you’ve somehow managed to make it through life without getting one, and I imagine many poor people could live without one, then that becomes a significant prerequisite for getting a driver’s license.  And it’s pretty difficult to get a SSN if you’re unemployed and don’t have a driver’s license (see the Social Security Administration’s rules).

One way or another, you’re going to need your birth certificate.  Here’s how you get a copy of one in Texas.  If you don’t have any other form of ID, it’s pretty difficult to get your birth certificate as well.  You’ll either need an immediate relative with an ID to request your birth certificate on your behalf, or you’ll need utility bills in your name.  And if you’re older than 75, the state agency may not be able to help you, and who knows if the county where you were born has kept its older records properly.

It’s easy to see that somebody in this situation is going to find it difficult to navigate the bureaucratic maze.  If the only benefit they get, at the end of the day, is being allowed to vote, it’s pretty hard to justify the time and expense ($25 for the birth certificate, the social security card is free, and $15 plus hours waiting in line for the state ID card).  For potential voters who don’t have a permanent home address, this process seems even less reasonable.

The only way I could imagine a voter ID requirement being workable (i.e., having a neutral effect on partisan elections) is if there was a serious amount of money budgeted to help people without IDs to get them.  That boils down to an army of social workers digging around for historical birth records and whatever else, and that’s not going to be cheap.  However, I’m perfectly willing to accept a mandatory voter ID, as long as enough money is there to get one, for free, for anybody who wants one.  The government is willing to give you a $40 coupon to receive digital signals for an analog TV, as part of next year’s phase-out of analog broadcasts.  Why not help out with getting identification papers as part of phasing in an ID requirement?

[Sidebar: if you’re really concerned about people voting multiple times, the most effective solution has nothing to do with voter ID.  The simple, low-tech answer is to mark voters’ fingers with indelible ink.  It wears off after a while, it’s widely used throughout the world, and there’s no mistaking it for anything else.  I can’t wait for the day when I tune into my nightly newscast and see the anchor giving grief to the sportscaster because his thumb isn’t painted purple.]

May 14-15: Future of News workshop

We’re excited to announce a workshop on “The Future of News“, to be held May 14 and 15 in Princeton. It’s sponsored by the Center for InfoTech Policy at Princeton.

Confirmed speakers include Kevin Anderson, David Blei, Steve Borriss, Dan Gillmor, Matthew Hurst, Markus Prior, David Robinson, Clay Shirky, Paul Starr, and more to come.

The Internet—whose greatest promise is its ability to distribute and manipulate information—is transforming the news media. What’s on offer, how it gets made, and how end users relate to it are all in flux. New tools and services allow people to be better informed and more instantly up to date than ever before, opening the door to an enhanced public life. But the same factors that make these developments possible are also undermining the institutional rationale and economic viability of traditional news outlets, leaving profound uncertainty about how the possibilities will play out.

Our tentative topics for panels are:

  • Data mining, visualization, and interactivity: To what extent will new tools for visualizing and artfully presenting large data sets reduce the need for human intermediaries between facts and news consumers? How can news be presented via simulation and interactive tools? What new kinds of questions can professional journalists ask and answer using digital technologies?
  • Economics of news: How will technology-driven changes in advertising markets reshape the news media landscape? Can traditional, high-cost methods of newsgathering support themselves through other means? To what extent will action-guiding business intelligence and other “private journalism”, designed to create information asymmetries among news consumers, supplant or merge with globally accessible news?
  • The people formerly known as the audience: How effectively can users collectively create and filter the stream of news information? How much of journalism can or will be “devolved” from professionals to networks of amateurs? What new challenges do these collective modes of news production create? Could informal flows of information in online social networks challenge the idea of “news” as we know it?
  • The medium’s new message: What are the effects of changing news consumption on political behavior? What does a public life populated by social media “producers” look like? How will people cope with the new information glut?

Registration: Registration, which is free, carries two benefits: We’ll have a nametag waiting for you when you arrive, and — this is the important part — we’ll feed you lunch on both days. To register, please contact CITP’s program assistant, Laura Cummings-Abdo, at Include your name, affiliation and email address.