David A. Wheeler's Blog

Thu, 16 Aug 2018

Verified voting still necessary, paperless voting still untrustworthy

In 2006 I wrote “Direct Recording Electronic (DRE) Voting: Why Your Vote Doesn’t Matter”. Over a decade later, fundamentally insecure voting systems are still being used - though things are better in some places.

First, the basics. If a voting system uses anything other than voter-verified paper to vote, then that voting system is not secure. Paper does not automatically make a voting system secure, but a system that does not use voter-verified paper cannot be secure. Verified voting using paper ballots is a minimum requirement for a trustworthy voting system. Direct recording equipment (DRE) and mobile phone voting systems cannot be adequately secure for elections of government positions. These insecure systems are simply invitations for vote tampering.

The article “Why US elections remain ‘dangerously vulnerable’ to cyber-attacks” discusses some of the reasons why many of the US voting systems are fundamentally untrustworthy. One quote: “Georgia’s election officials continue to defend the state’s electronic voting system that is demonstrably unreliable and insecure, and have repeatedly refused to take administrative, regulatory or legislative action to address the election security failures.” Another quote: “there is little mystery about the safest available voting technology - optically scanned paper ballots, now used by about 80% of US voters. Some of the states that don’t have this technology, like Louisiana, would like it but don’t have the funds to switch. Others, like Georgia and South Carolina, simply aren’t interested in ditching their all-electronic systems despite the compelling reasons to do so.”

“West Virginia to introduce mobile phone voting for midterm elections” by Donie O’Sullivan discusses West Virginia’s introduction of mobile phone voting. Does this require a paper ballot? No. Therefore, West Virginia’s proposed voting system is horrifically insecure, and its results will be completely untrustworthy if implemented.

XKCD’s “Voting Software” is a funny summary. In short: experts on computer security agree that computers must not be directly used for voting when there are important stakes (such as a vote for a political office). When experts say “you cannot adequately trust the systems we build” you should believe the experts.

As I noted earlier, “I used to do magic tricks, and all magic tricks work the same way - misdirect the viewer, so that what they think they see is not the same as reality. Many magic tricks depend on rigged props, where what you see is NOT the whole story. DREs are the ultimate illusion - the naive think they know what’s happening, but in fact they have no way to know what’s really going on.”

I am sure that some election officials will bristle when told that we cannot trust the legitimacy of their results. Too bad. If your election system uses technology that is widely known to be easily subverted, such as voting machines that do not use voter-verified paper ballots, then your results should be viewed with deep suspicion. Without voter-verified paper ballots there is no way to independently verify vote counts, so there is no reason to trust the results. This is old information; those who have not replaced insecure systems are those who have failed to act. Some states certify or approve the use of voting machines without voter-verified paper ballots, but that just shows that their certification or approval processes fail to provide even a minimum level of security.

There is more to protecting the legitimacy of votes, of course. For example, it is critical to ensure that only eligible voters can vote, that voters can vote at most once, and that paper votes cannot be added or removed. But currently many districts are not doing the minimum necessary to have trustworthy election results, and we need to get systems up to minimal standards.

There is an old phrase: “It’s not the people who vote that count. It’s the people who count the votes.” Stalin did not say that exactly, but he did say something like it. The point is that if we do not adequately protect the process of counting votes, then the vote counts are vulnerable to manipulation.

The “Voting system principles” from Verified Voting provides a useful starting list of requirements; there are other guides too. Voting systems that fail to meet those principles are untrustworthy toys that should not be used for real elections. It is fine to use direct recording equipment, mobile phone voting, or other insecure systems when you are voting for homecoming queen or deciding where to go to lunch. But it is time to stop using fundamentally flawed voting systems like these for elections that matter.
