The Importance of Recounting Votes
Source ListMeister
Date 03/11/29/10:33


MICHAEL STANTON, NOVEMBER 2000 - A list of security requirements for
electronic voting was published as long ago as 1993 by Peter G. Neumann,
a scientist at Stanford Research International.
His findings give cause for concern, for they point out the extreme
difficulty of building a purely electronic system, which is
simultaneously reliable and free from adulteration, without compromising
the secrecy of the voter's choice. The basic problem lies in the
reliability of the software installed in the electronic voting machines,
which needs to be bug-free, and also immune to improper modification by
ill-intentioned specialists with access privileges. Some years ago, it
was thought that software could be validated merely by the inspection of
its source code by external auditors, but, in a famous article published
in 1984, Ken Thompson, already famous as one of the inventors of the
Unix operating system, explained how the security of a software
component could be undermined by the installation of a Trojan horse,
without any modification of the source code. . .

[Amilcar Brunazo Filho] splits the voting process into four phases:
voter identification, the casting of a secret ballot, the tallying of
the votes of a single ballot box, and the totaling of votes from
different ballot boxes. In traditional (non mechanical) voting, each of
these phases is conducted separately, and is subject to external
controls: the voter is adequately identified; he next checks that the
ballot paper is blank, and cannot identify him, thus guaranteeing the
secrecy of his vote; the tallying of votes is done in the presence of
observers representing the candidates; and the results of each ballot
box are made public, permitting the independent totaling of the votes.
In the current model of electronic voting machine used in Brazil, the
first three of these four phases have been lumped together in one. The
voter's ID number is used as a key to ready the voting machine for this
voter's use, potentially threatening the secrecy of the ballot. Then,
the voter chooses his candidates, and confirms this choice on the
screen. Finally, his vote is added to the others cast in the same voting
machine, there being maintained only the total numbers of votes at the
end of the session.

The basic problem is the question of the correctness of the voting
machine's software, since there is no redundancy in the system which can
be used to check this correctness experimentally. For instance, if
someone had installed a Trojan horse in the voting machine software,
which systematically and wrongly transferred to an opponent the votes
cast for a given candidate, there would be no proof that such a fraud
had been perpetrated. The voting machine could indicate to a voter that
his choice was confirmed, and then register the vote for another
candidate. Such behavior could also result from a software bug. We
simply would know nothing about it. . . It is essential to have a
transparent system, where processes can be satisfactorily audited by
both voters and candidates.

Brunazo's proposal to restore trust in electronic voting involves two
changes to the current voting machines. Firstly, voter identification
should be carried out in the traditional fashion, by checking the
voter's ID with a list of voters. The machine should be readied for
voter use, without use of his ID information, and, after the voter has
made his choice, the voting machine should print out a ballot paper,
with the details of his vote. After checking that the printed ballot
really corresponds to his choice, it can be deposited in a traditional
ballot box. Should the voter perceive that the printed vote does not
coincide with his choice, both printed and electronic votes would be
cancelled, and the voting repeated. Note that we will now have two
independent records of the votes cast, and, in case of doubts about the
tally of electronic votes, the printed votes may be counted, either
manually, or by use of an appropriate optical reader. . . Senator
Requião's bill includes a provision for the manual recounting of 3% of
the ballot boxes, chosen at random. The remaining ballot boxes would
have a similar function to an aircraft flight recorder, which is used
only in the event of an accident. . . Recounting of votes is not an
out-dated nuisance, but a fundamental part of the democratic process,

[Michael Stanton is professor of computer networking at the Computing
Institute of the Universidade Federal Fluminense, in Niterói, Rio de
Janeiro state, Brazil.]


[View the list]

InternetBoard v1.0
Copyright (c) 1998, Joongpil Cho