A Hacked Case For Election Technology
Catching up on piles of reading, I noticed that a respectable digital journal, Springer Link, recently (in June) published an article by Antonio Mugica of Smartmatic in London, UK, titled “The Case for Election Technology.”
I am going to be bold here: IMHO, it is unfortunate to see a respectable journal publish this paper, or any that claims to describe a system that is “un-hackable”, completely secure, impenetrable, and/or impossible to compromise. It’s the computer systems equivalent of a perpetual motion machine. Impossible.
Bear in mind, I think Smartmatic has some fine technology. I know folks there, and I am confident that if they had been aware of this article going to press before it did, they would have done everything they could to put the brakes on it, until some revisions were made for basic credibility. But that cat is out of the bag, so to speak. And the article is being widely circulated.
I also disagree with most of Mugica’s comparisons between eVoting and paper voting because from a U.S. perspective (and I admit this review is all from a U.S.-centric viewpoint) it’s comparing the wrong two things: paperless eVoting versus hand-marked, hand-counted paper ballots. It ignores the actual systems that are the most widely used for election integrity in the U.S.
Now, perhaps Mugica’s argument is for eVoting more broadly, without insisting on the paperless part. But in that case, most of America already has some form of eVoting, using voting machines and paper ballots or records, coupled with some form of paper ballot audit to detect malfunctioning machines. In that case, you don’t need to claim mythical security properties along with implied mythical perfect performance. If some equipment doesn’t work right – whether from hacks or good old fashioned software bugs – the audit can detect and correct the results.
That’s why I’d like to think that our entire TrustTheVote Project makes a better case for innovation in election technology—with plenty of appropriate focus on software quality and system integrity, but certainly without attempting sensational claims of a system being “un-hackable.” Since paper ballots and risk-limiting audits are a core part of the accepted approach to election integrity, part of the innovation is in excellence in enabling auditing, and getting full transparency on every aspect of elections operations.
That’s the gist of my differences with this article, but I’ve also spent some more cycles getting to specifics – itemized below for those with a wide election-geek streak. But first, I want to explain why – why it is important to shoot for a high degree of accuracy in discussions of election technology in the U.S. at present. That’s because right now election technology in this country needs to start what will be a 4-6 year forklift upgrade (assuming new alternative solutions arrive in time).
Accordingly, the quantity and quality of discussion about the state of voting technology in the U.S. is finally on the rise (thanks in major part to the many groups working hard on this issue including the Bipartisan Policy Center, the Democracy Fund, Pew Center for the States, the PCEA Report, NCSL, and of course, the TrustTheVote Project). But an inevitable issue of signal-to-noise ratio will impact this conversation. Sadly, articles like this can do an enormous disservice to sound-byte driven policy-makers, politicians, media, activists, and pundits.
There’s one more thing before the deep dive. We respect Smartmatic as one of the more customer-focused election technology vendors in the world. The U.S. market was unfortunately diminished in the post-HAVA era when Smartmatic exited the U.S. If they ever consider re-entering, then it would be helpful to see how Mugica’s view mismatches U.S. practice. To do so, the claims in the article (which I encourage reading) should be balanced with my thoughts here, which I break into 4 parts below.
1. The Article Misses the Point
This paper completely misses the point that it is not paper-voting vs. electronic-voting, but rather that each is insufficient. In reality, transparent (in technology and process), accurate, secure, and verifiable elections require a combination of people + paper + process + computers, each cross-checking the other. The majority of U.S. election officials now commonly understand this as the norm. Either that, or the author assumes that eVoting includes support for ballot audit (more below), and is arguing against paper-only hand-count elections—a practice that is no longer relevant in the U.S.
2. The Article Ignores Common U.S. Election Practices
"The security of a paper-based, manual vote with a manual count is extremely low. Single copies of each vote make them easy to tamper with or destroy."
True, but only for the most procedurally simple methods of conducting hand counts or hand audits. Just last week, the state of Wisconsin conducted a public manual ballot audit that was a model of transparency and integrity.
Security is not the main issue for either hand count or machine count. Accuracy is. People don't hand count complex ballots very well, and when each ballot has to be handled dozens of times—once for each of dozens of elections on a multi-page ballot—the scope of human error is high. But then software isn't better, just different. All software has bugs, so you can't trust software as the sole source of tallies. Rather, what one can trust is a combination of tally data from digital image processing of paper ballots, cross-checked by a risk-limiting audit—a manual paper process of comparing human interpretations with the software's interpretations, using sound statistical models to check just as many ballots as needed.
One can't trust people, and one can't trust computers, but one can create confidence in election results when each cross checks the other.
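To make the risk-limiting audit described above concrete, here is an added worked example; it is not the TrustTheVote Project's code, nor anything from the article under review. It implements a ballot-level comparison audit using Philip Stark's "super-simple" Kaplan-Markov bound: each sampled paper ballot's human interpretation is compared with the scanner's cast-vote record (CVR), clean ballots shrink the p-value, every discrepancy inflates it, and the audit stops as soon as the p-value falls to the risk limit. The contest, the vote totals, the risk limit and the sampled ballots are all constructed for illustration; the candidate names Alice and Bob and every function name are assumptions of this example.

```python
"""Worked example of a ballot-level comparison risk-limiting audit (RLA).

Added example, not code from the TrustTheVote Project or from the article under
review.  It uses Philip Stark's "super-simple" Kaplan-Markov bound; the contest,
the vote totals and the sampled ballots below are constructed for illustration.
"""
import math
from collections import Counter

GAMMA = 1.03905  # error-inflation factor conventionally used with the super-simple bound


def diluted_margin(reported: dict, ballots_cast: int, winner: str, loser: str) -> float:
    """Reported margin (winner minus loser) divided by ALL ballots cast, including
    blanks and undervotes, since any ballot in the sample could hide an error."""
    mu = (reported[winner] - reported[loser]) / ballots_cast
    if mu <= 0:
        raise ValueError("reported winner must lead the reported loser")
    return mu


def error_bound(mu: float, gamma: float = GAMMA) -> float:
    """U: the largest total overstatement, in units of the margin, that the ballots
    could collectively hold (two votes per ballot), inflated by gamma."""
    return 2.0 * gamma / mu


def initial_sample_size(mu: float, risk_limit: float, gamma: float = GAMMA) -> int:
    """Smallest sample that reaches the risk limit if every sampled ballot agrees
    with its cast-vote record (CVR)."""
    u = error_bound(mu, gamma)
    return math.ceil(math.log(risk_limit) / math.log(1.0 - 1.0 / u))


def overstatement(cvr: str, manual: str, winner: str, loser: str) -> int:
    """By how many votes the machine's interpretation (CVR) overstated the winner's
    margin on this ballot relative to the human interpretation: -2 .. +2."""
    def net(choice: str) -> int:
        return (1 if choice == winner else 0) - (1 if choice == loser else 0)
    return net(cvr) - net(manual)


def kaplan_markov_p(overstatements, mu: float, gamma: float = GAMMA) -> float:
    """P-value of 'the reported outcome is wrong' after examining the listed ballots:
    each clean ballot multiplies by (1 - 1/U), each discrepancy divides by (1 - e/2gamma)."""
    u = error_bound(mu, gamma)
    p = (1.0 - 1.0 / u) ** len(overstatements)
    for e in overstatements:
        p /= 1.0 - e / (2.0 * gamma)
    return min(p, 1.0)


def escalation_size(overstatements, mu: float, risk_limit: float, gamma: float = GAMMA) -> int:
    """Total sample size needed to reach the risk limit given the discrepancies
    found so far, assuming no further discrepancies turn up."""
    u = error_bound(mu, gamma)
    penalty = sum(math.log(1.0 - e / (2.0 * gamma)) for e in overstatements)
    return math.ceil((math.log(risk_limit) + penalty) / math.log(1.0 - 1.0 / u))


def run_audit(sample, winner: str, loser: str, mu: float, risk_limit: float,
              gamma: float = GAMMA) -> dict:
    """Walk the sample of (cvr, manual) pairs in order and stop as soon as the
    risk limit is met; otherwise report how far the sample must grow."""
    seen = []
    for cvr, manual in sample:
        seen.append(overstatement(cvr, manual, winner, loser))
        p = kaplan_markov_p(seen, mu, gamma)
        if p <= risk_limit:
            return {"met": True, "p": p, "ballots_examined": len(seen),
                    "discrepancies": Counter(e for e in seen if e != 0)}
    p = kaplan_markov_p(seen, mu, gamma)
    return {"met": False, "p": p, "ballots_examined": len(seen),
            "discrepancies": Counter(e for e in seen if e != 0),
            "total_needed": escalation_size(seen, mu, risk_limit, gamma)}


# Constructed contest: 10,000 ballots cast, reported 5,250 Alice / 4,750 Bob,
# so the diluted margin is 5%.  Risk limit 10%.  (All values are made up.)
WINNER, LOSER = "Alice", "Bob"
REPORTED = {"Alice": 5250, "Bob": 4750}
BALLOTS_CAST = 10_000
RISK_LIMIT = 0.10
MU = diluted_margin(REPORTED, BALLOTS_CAST, WINNER, LOSER)


def constructed_sample(n: int, flip_at=None):
    """n sampled ballots whose CVR and human reading agree, except that ballot
    flip_at (if given) was read by the scanner as a vote for Alice while the
    human auditor sees an undervote: a one-vote overstatement."""
    sample = []
    for i in range(n):
        cvr = "Alice" if i % 2 == 0 else "Bob"
        manual = "undervote" if i == flip_at else cvr
        sample.append((cvr, manual))
    return sample


if __name__ == "__main__":
    n0 = initial_sample_size(MU, RISK_LIMIT)
    print(f"diluted margin {MU:.3f}: audit {n0} ballots if all agree with the CVR")
    print("clean sample:", run_audit(constructed_sample(n0), WINNER, LOSER, MU, RISK_LIMIT))
    print("one overstatement:",
          run_audit(constructed_sample(n0, flip_at=10), WINNER, LOSER, MU, RISK_LIMIT))
```

Running the block shows that, with a 5% diluted margin and a 10% risk limit, 95 ballots that all agree with their CVRs suffice, while a single one-vote overstatement (a faint mark the scanner counted for the winner that a human reads as an undervote) pushes the p-value back above the limit and raises the required total to 122 ballots; in practice the sample keeps growing, up to a full hand count, until the evidence supports the reported outcome. Two things the code leaves out but a real audit depends on: the ballots must be drawn uniformly at random from a seed generated in public, and every CVR must be reliably linked to the physical ballot it describes, or the comparison proves nothing.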
"The most vulnerable type of election is that which uses no technology at any stage."
Agreed! Yet, computer-only elections have also been discredited in the U.S., most recently with computer-only voting systems given a resounding failing grade of "F" in a Virginia security evaluation.
3. Un-hackable Systems: Seriously?
Instead of a page of rhetoric on the topic of security, I'd stop at the author's beginning:
"So how do you make an un-hackable election system?"
You don't. All the author's words after that question fail to recognize that un-hackable is impossible, and that the now-typical American combination (computers + paper + audits) removes most of the technology risk of hacked elections.
The "completely un-hackable system" the author describes is a fiction that any respectable computer scientist would recognize. I'm sad to see these claims in a respectable journal, and sad to see an otherwise good product mis-characterized this way. Smartmatic has fine technology, and when used in combination with ballot audits, we believe that the combination is as strong as any election process in the world. But is it un-hackable? No.
4. Other Unfortunate Inaccuracies
"Well-designed, special-purpose systems reduce the possibility of results tampering and eliminate fraud."
Fraud from insider abuse cannot be prevented, but with machine count and ballot audit it can be made very difficult to conduct without detection.
"Security is increased by 10 to 1,000 times, depending on the level of automation."
Without a specific threat model to define "security" in the context, and specific threat metrics that apply to both paper-only and computer-only ballot counting processes, these security-increase statistics are hard to fathom. The U.S. EAC sponsored a research project into voting systems risk assessment and modeling (VSRA) in 2009. As part of PI Alec Yasinsac's project team, we came up with “parameterizable” threat and risk metrics for a wide variety of voting methods.
The only approach that had notably better risk reduction benefit for modest cost/effort was machine-counted paper ballots. As for every other benefit the author claims for eVoting, the combination of machine count with paper ballot audit meets or exceeds the claims:
- Accuracy: A combination is better than computer-only because every machine algorithm for interpreting voter intent has limits.
- Speed: Just fine, that's what ballot marking devices are for (i.e., faster workflow than paper for some people), and that's what Opscan counters are used for.
- Privacy: Same as claimed.
- Auditability: "One of the biggest issues with manual voting is that it leaves a very weak audit trail, with very little or no redundancy of data." Wait a minute. Not at all. Machine counted paper ballots (hand marked or machine marked) do, in fact, have multiple records—that is the whole point.
- Accessibility and Turnout: Just fine: that's what ballot marking devices are for (greater accessibility than paper for some people), producing paper that's a durable record of the voter's intent, unlike DREs where the vote tallies can disappear in an instant if somebody walks by with a large magnet or wearing golf shoes. (Really: these were failure modes collected in the VSRA survey).
- Integrity: just fine, that's what the paper ballot audit is for—one doesn’t trust the integrity of computers (which can always fail in some way) but one does benefit from their accessibility and speed.
- Cost Reduction and Sustainability: paperless elections are fundamentally insecure. IMHO, it's worth cutting some trees to have a verifiable election.
- Maturity Model: We beg to differ here as well. It’s not a mature election if it is paperless and unverifiable. That may be very digital-hipster appearing, but unverifiable nonetheless.
At the end of the day, the astute reader will write this off as at best a soft promotion for a vendor. Maybe so. But what cannot be written off is the unfortunate reality distortion field that sound bytes such as “un-hackable system” create to compromise the very important discussion underway about:
- Critical democracy infrastructure—what it is and why it needs as much preservation attention as any element of national infrastructure;
- Increasing confidence in elections and their outcomes, and
- Creating election technology that is verifiable, accurate, secure (to every extent possible), and transparent (in composition and operation).
And in closing, keeping our Outreach Team happy, even I just managed to squeeze in some important messaging (er, “write-bytes”), although we have nothing to sell.