It’s a curious problem: how do you compare two completely unrelated voting systems and say that one is more or less secure than the other? How can you meaningfully compare the security of paper ballots tabulated by optical scan systems with DRE systems (with or without VVPAT attachments)?
There’s a clear disconnect on this issue. It shows up, among other places, in a recent blog post by political scientist Thad Hall:
The point here is that, when we think about paper ballots and absentee voting, we do not typically think about or evaluate them “naked” but within an implementation context, yet we think nothing of evaluating e-voting “naked” and some almost think it “cheating” to think about e-voting security within the context of implementation. However, if we held both systems to the same standard, the people in California probably would not be voting using any voting system; given its long history, it is inconceivable that paper ballots would fail to meet the standards to which e-voting is held, absent evaluating its implementation context.
Hall then goes on to point to his recent book with Mike Alvarez, Electronic Elections, which beats on this particular issue at some length. What that book never offers, however, is a decent comparison between electronic voting and anything else.
I’ve been thinking about this issue for a while: there must be a decent, quantitative way to compare these things. Turns out, we can leverage a foundational technique from computer science theory: complexity analysis. CS theory is all about analyzing the “big-O” complexity of various algorithms. Can we analyze this same complexity for voting systems’ security flaws?
I took a crack at the problem for a forthcoming journal paper. I classified a wide variety of voting systems according to how much effort you need to expend to influence all the votes: effort proportional to the total number of voters, effort proportional to the number of precincts, or constant effort; less effort implies less security. I also broke this down by different kinds of attacks: integrity attacks that try to change votes in a stealthy fashion, confidentiality attacks that try to learn how specific voters cast their votes, and denial-of-service attacks that don’t care about stealth but want to smash parts of the election. This was a fun paper to write, and it nicely responds to Hall and Alvarez’s criticisms. Have a look.
(Joe Hall also responded to Thad Hall’s post.)