In late June a respected source published a non-peer-reviewed article: The case for election technology <read>. Which despite its title is actually a marketing piece disguised as science, not for election technology but for electronic voting, including Internet voting. The case actually made is for skepticism and peer-review.
That skepticism is well addressed in posts by Jeremy Epstein and E. John Sebes: How not to measure security <read> and A Hacked Case For Election Technology <read>
From Epstein:
But the most outrageous statement in the article is this:
The important thing is that, when all of these methods [for providing voting system security] are combined, it becomes possible to calculate with mathematical precision the probability of the system being hacked in the available time, because an election usually happens in a few hours or at the most over a few days. (For example, for one of our average customers, the probability was 1×10-19. That is a point followed by 19 [sic] zeros and then 1). The probability is lower than that of a meteor hitting the earth and wiping us all out in the next few years—approximately 1×10-7 (Chemical Industry Education Centre, Risk-Ed n.d.)—hence it seems reasonable to use the term ‘unhackable’, to the chagrin of the purists and to my pleasure.
As noted previously, we don’t know how to measure much of anything in security, and we’re even less capable of measuring the results of combining technologies together (which sometimes makes things more secure, and other times less secure). The claim that putting multiple security measures together gives risk probabilities with “mathematical precision” is ludicrous. And calling any system “unhackable” is just ridiculous, as Oracle discovered some years ago when the marketing department claimed their products were “unhackable”. (For the record, my colleagues in engineering at Oracle said they were aghast at the slogan.)
As Ron Rivest said at a CITP symposium, if voting vendors have “solved the Internet security and cybersecurity problem, what are they doing implementing voting systems? They should be working with the Department of Defense or financial industry. These are not solved problems there.” If Smartmatic has a method for obtaining and measuring security with “mathematical precision” at the level of 1019, they should be selling trillions of dollars in technology or expertise to every company on the planet, and putting everyone else out of business.
We would add that just because an election happens over a short period is not a reason to claim any increased level of security or reduced vulnerability:
- Programming election systems occurs months and weeks ahead of the election. Systems are vulnerable for their whole life up to and including each election. Its like saying air traffic control systems are not vulnerable to errors because directing each airplane occurs over a very short period of time in each control center. Of course that never happens.
- And the rush to provide results quickly, all including the work of tired, lightly trained, technically challenged, and often partisan officials increases the vulnerability.
- And the very suggestion of less vulnerability actually can have the effect of reducing vigilance, and increasing risk.
From Sebes:
I also disagree with most of Mugica’s comparisons between eVoting and paper voting because from a U.S. perspective (and I admit this review is all from a U.S.-centric viewpoint) it’s comparing the wrong two things: paperless eVoting verses hand-marked hand-counted paper ballots. It ignores the actual systems that are the most widely used for election integrity in the U.S.
Now, perhaps Mugica’s argument is for eVoting more broadly, without insisting on the paperless part. But in that case, most of America already has some form of eVoting, using voting machines and paper ballots or records, coupled with some form of paper ballot audit to detect malfunctioning machines. In that case, you don’t need to claim mythical security properties along with implied mythical perfect performance. If some equipment doesn’t work right – whether from hacks or good old fashioned software bugs – the audit can detect and correct the results.
1. The Article Misses the Point
This paper completely misses the point that it is not paper-voting vs. electronic-voting, but rather that each is insufficient. In reality, transparent (in technology and process), accurate, secure, and verifiable elections require a combination of people + paper + process + computers, each cross-checking the other. The majority of U.S. election officials now commonly understand this as the norm. Either that, or the author assumes that eVoting includes support for ballot audit (more below), and is arguing against paper-only hand-count elections—a practice that is no longer relevant in the U.S.
2. The Article Ignores Common U.S. Election Practices
“The security of a paper-based, manual vote with a manual count is extremely low. Single copies of each vote make them easy to tamper with or destroy.”
True, but only for the most procedurally simple methods of conducting hand counts or hand audits. Just last week, the state of Wisconsin conducted a public manual ballot audit that was a model of transparency and integrity.
Security is not the main issue for either hand count or machine count. Accuracy is.
We have long held that optical scan, including strong ballot security, sufficient audits and recounts is the best available system today.
