April 17, 2014

Internet Voting in Union Elections?

The U.S. Department of Labor (DOL) recently asked for public comment on a fascinating issue: what kind of guidelines should they give unions that want to use “electronic voting” to elect their officers? (Curiously, they defined electronic voting broadly to include computerized (DRE) voting systems, vote-by-phone systems and internet voting systems.)

As a technology policy researcher with the NSF ACCURATE e-voting center, I figured we should have good advice for DOL.

(If you need a quick primer on security issues in e-voting, GMU’s Jerry Brito has just posted an episode of his Surprisingly Free podcast where he and I work through a number of basic issues in e-voting and security. I’d suggest you check out Jerry’s podcast regularly as he gets great guests (like a podcast with CITP’s own Tim Lee) and really digs deep into the issues while keeping it at an understandable level.)

The DOL issued a Request for Information (PDF) that asked a series of questions, beginning with the very basic, “Should we issue e-voting guidelines at all?” The questions go on to ask about the necessity of voter-verified paper audit trails (VVPATs), observability, meaningful recounts, ballot secrecy, preventing flawed and/or malicious software, logging, insider threats, voter intimidation, phishing, spoofing, denial-of-service and recovering from malfunctions.

Whew. The DOL clearly wanted a “brain dump” from computer security and the voting technology communities!

It turns out that labor elections and government elections aren’t as different as I originally thought. The controlling statute for union elections (the LMRDA) and caselaw* that has developed over the years require strict ballot secrecy–such that any technology that could link a voter and their ballot is not allowed–both during voting and in any post-election process. The one major difference is that there isn’t a body of election law and regulation on top of which unions and the DOL can run their elections; for example, election laws frequently disallow campaigning or photography within a certain distance of an official polling place while that would be hard to prohibit in union elections.

After a considerable amount of wrangling and writing, ACCURATE submitted a comment (find it here, in PDF). The essential points we make are pretty straightforward: 1) don’t allow internet voting from unsupervised, uncontrolled computing devices for any election that requires high integrity; and, 2) only elections that use voter-verified paper records (VVPRs) subject to an audit process that uses those records to audit the reported election outcome can avoid the various types of threats that DOL is concerned with. The idea is simple: VVPRs are independent of the software and hardware of the voting system, so it doesn’t matter how bad those aspects are as long as there is a robust parallel process that can check the result. Of course, VVPRs are no panacea: they must be carefully stored, secured and transported, and ACCURATE’s HCI researchers have shown that it’s very hard to get voters to consistently check them for accuracy. However, those problems are much more tractable than, say, removing all the malware and spyware from hundreds of thousands of voter PCs and mobile devices.

I must say I was a bit surprised to see the other sets of comments submitted, mostly by voting system vendors and union organizations, but also the Electronic Privacy Information Center (EPIC). ACCURATE and EPIC seem to be lone voices in this process “porting” what we’ve learned about the difficulties of running secure civic elections to the labor sphere. Many of the unions talked about how they must have forms of electronic, phone and internet voting as their constituencies are spread far and wide, can’t make it to polling places and are concerned with environmental impacts of paper and more traditional voting methods. Of course, we would counter that accommodations can be made for most of these concerns and still not fundamentally undermine the integrity of union elections.

Both unions and vendors used an unfortunate rhetorical tactic when talking about security properties of these systems: “We’ve run x hundreds of elections using this kind of technology and have never had a problem/no one has ever complained about fraud.” Unfortunately, that’s not how security works. As with adversarial processes like financial audits, security isn’t something where you can predict future performance from past results. That is, the SEC doesn’t say to companies that their past 10 years of financials have been in order, so take a few years off. No, security requires careful design, affirmative effort and active auditing to assure that a system does not violate the properties it claims.

There’s a lot more in our comment, and I’d be more than happy to respond to comments if you have questions.

* Check out the “Court Cases” section of the Federal Register notice linked to above.

Comments

  1. Bryan Feir says:

    The issue of ‘can’t make it to polling places’ is a significant one; take, for example, a transit union in a large city, where drivers can be in any of several districts, and don’t necessarily go anywhere near the downtown core. You can put a polling station in every garage, but even that doesn’t always work, as sometimes drivers will switch off out on the city’s edge because that’s where they live.

    Unions don’t have the ability to requisition buildings such as schools to use for polling stations, the way governments do.

    Of course, this can also be used for political purposes… one transit union election here several years back had a split in the union membership, with the maintenance workers downtown wanting a strike and the drivers scattered across the city not wanting one. And the union brass, in defiance of decades of previous handling of votes, decided to have one polling place in the downtown maintenance bay and none in the rest of the city, disenfranchising half the drivers.

  2. rp says:

    may even have single units that extend across several states or the whole country. In those cases, voting by mail (which doesn’t address many of the threats DOL claims to be concerned about either) may take weeks or even months (if the issue in the election has to be sent out separately from ballots). The result of that is to make it effectively impossible for such unions to take action on certain kinds of issues, even if the desires of the membership are thoroughly known informally.

  3. Anonymous says:

    may even have single units that extend across several states or the whole country. In those cases, voting by mail (which doesn’t address many of the threats DOL claims to be concerned about either) may take weeks or even months (if the issue in the election has to be sent out separately from ballots). The result of that is to make it effectively impossible for such unions to take action on certain kinds of issues, even if the desires of the membership are thoroughly known informally.

  4. joehall says:

    Hi!

    I guess the question that the DOL and unions have to ask themselves is whether or not they can trade off convenience of voting methods with properties like security, reliability, privacy, etc. That is, are they satisfied with fundamentally vulnerable election methods and systems as long as voting is more accessible (not just in the disability sense)? Are there ways to increase convenience at low cost without significantly impacting these kinds of properties? The DOL seems to be operating under a statutory and jurisprudential (read: caselaw relevant to those statutes) environment that doesn’t seem to bend much in terms of convenience.

    Make no mistake, as I say on the linked podcast, we will have to solve these problems… someday we may have significant populations in environments where ferrying physical artifacts back and forth just won’t work. But, damn, we have a long way to go before we can accommodate that.