councilor.org
| Source | ListMeister |
| Date | 03/11/29/10:33 |
| THE IMPORTANCE OF RECOUNTING VOTES
MICHAEL STANTON, NOVEMBER 2000 - A list of security requirements for electronic voting was published as long ago as 1993 by Peter G. Neumann, a scientist at Stanford Research International. His findings give cause for concern, for they point out the extreme difficulty of building a purely electronic system, which is simultaneously reliable and free from adulteration, without compromising the secrecy of the voter's choice. The basic problem lies in the reliability of the software installed in the electronic voting machines, which needs to be bug-free, and also immune to improper modification by ill-intentioned specialists with access privileges. Some years ago, it was thought that software could be validated merely by the inspection of its source code by external auditors, but, in a famous article published in 1984, Ken Thompson, already famous as one of the inventors of the Unix operating system, explained how the security of a software component could be undermined by the installation of a Trojan horse, without any modification of the source code. . . [Amilcar Brunazo Filho] splits the voting process into four phases: voter identification, the casting of a secret ballot, the tallying of the votes of a single ballot box, and the totaling of votes from different ballot boxes. In traditional (non mechanical) voting, each of these phases is conducted separately, and is subject to external controls: the voter is adequately identified; he next checks that the ballot paper is blank, and cannot identify him, thus guaranteeing the secrecy of his vote; the tallying of votes is done in the presence of observers representing the candidates; and the results of each ballot box are made public, permitting the independent totaling of the votes. In the current model of electronic voting machine used in Brazil, the first three of these four phases have been lumped together in one. The voter's ID number is used as a key to ready the voting machine for this voter's use, potentially threatening the secrecy of the ballot. Then, the voter chooses his candidates, and confirms this choice on the screen. Finally, his vote is added to the others cast in the same voting machine, there being maintained only the total numbers of votes at the end of the session. The basic problem is the question of the correctness of the voting machine's software, since there is no redundancy in the system which can be used to check this correctness experimentally. For instance, if someone had installed a Trojan horse in the voting machine software, which systematically and wrongly transferred to an opponent the votes cast for a given candidate, there would be no proof that such a fraud had been perpetrated. The voting machine could indicate to a voter that his choice was confirmed, and then register the vote for another candidate. Such behavior could also result from a software bug. We simply would know nothing about it. . . It is essential to have a transparent system, where processes can be satisfactorily audited by both voters and candidates. Brunazo's proposal to restore trust in electronic voting involves two changes to the current voting machines. Firstly, voter identification should be carried out in the traditional fashion, by checking the voter's ID with a list of voters. The machine should be readied for voter use, without use of his ID information, and, after the voter has made his choice, the voting machine should print out a ballot paper, with the details of his vote. After checking that the printed ballot really corresponds to his choice, it can be deposited in a traditional ballot box. Should the voter perceive that the printed vote does not coincide with his choice, both printed and electronic votes would be cancelled, and the voting repeated. Note that we will now have two independent records of the votes cast, and, in case of doubts about the tally of electronic votes, the printed votes may be counted, either manually, or by use of an appropriate optical reader. . . Senator Requião's bill includes a provision for the manual recounting of 3% of the ballot boxes, chosen at random. The remaining ballot boxes would have a similar function to an aircraft flight recorder, which is used only in the event of an accident. . . Recounting of votes is not an out-dated nuisance, but a fundamental part of the democratic process, [Michael Stanton is professor of computer networking at the Computing Institute of the Universidade Federal Fluminense, in Niterói, Rio de Janeiro state, Brazil.] MICHAEL STANTON http://www.ic.uff.br/~michael |
Copyright (c) 1998, Joongpil Cho