Note of a Meeting with Dr. Rebecca Mercuri and others at Stockley House
17 October 2002

Rebecca Mercuri
Ross Anderson (FIPR)
Ian Brown (FIPR)
Paul Waller (OeE)
Mark Rickard (OeE)
Thomas Barry (ODPM)
Chris Ketley (CESG)
Simon Johnson (CESG)
John Ross (OeE, consultant)

1. Mark Rickard welcomed Dr. Mercuri, and all participants introduced themselves.

2. MR established that Dr. Mercuri was familiar with the report written by CESG and published in August by the OeE. In view of the fact that the meeting was on the record, he said OeE would be delighted to treat Dr. Mercuri's input formally as a contribution to the public consultation about e-democracy, and e-voting security in particular. This was agreed, and Ross Anderson added that he anticipated that FIPR would be providing its own written contribution, too. MR welcomed this.

3. RM provided various published articles in support of her contribution.
These, and other salient materials are available via her website at:

4. Points she made were:

In summary, what defensive action could an electoral authority take to ensure trust in the voting process? Nothing satisfactory is available.

5. However, assume for the sake of argument that these problems are solved and a valid vote is cast via a computerized front end. Uncertainties about the security of back-end systems have yet to be addressed. Any such system could have undetectable back doors, or means to subvert election results.

6. Moving on, RM reviewed the problems arising from vendors' self-interests.

7. RM emphasised that anyone wanting to subvert an election could do so by subtle action, difficult to detect. An election might be swung merely by interfering with ½% of votes in the most marginal wards. Even the last US presidential election was decided by a few votes in Florida. Introducing untrustworthy technology might therefore lead to huge loss of confidence in the electoral system, undermining it fatally.

8. In some cases, attempts had been made to set security criteria high. For example, New York City had launched a procurement for voting kiosks on that basis. No-one could meet the requirements, and the old mechanical machines are still in use (and had shown themselves to be encouragingly robust). Their utility was recovered much more quickly from 9/11 disruption than could have been expected of an electronic system.

9. Moving on, RM felt that a hopeful sign for the future of electronic voting was represented by the cryptographic work of Dr. David Chaum.

10. MR put questions for clarification:

a) Had the Oregon election been independently evaluated in the way that UK law requires the Electoral Commission to report on our experiments?
- RM said not. The Federal authorities in the US had advisory powers only at state level.

- She went on to mention the Voting Rights Act Bill, currently before the Senate, which would require states implementing electronic systems to build into them a paper audit trail by which votes cast could be physically checked. Such an approach might incorporate real time electronic detection of votes cast (e.g. by building an OCR capability into the ballot box).

- She emphasised that her objection was not to the idea of electronic support: but rather to that of a wholly electronic system in which no physical audit trail existed.

- Ross Anderson gave further examples of distrust of technology. E.g. at the ACSAC conference in December 2000, a major IT security conference, there was a debate on whether people trusted e-voting, which took place during the Florida recounts for the US presidential election. The consensus was that people did not trust e-voting, and a telling argument was that no-one in the audience knew how to go about clearing Internet Explorer's cache.

b) Where were the cases of vendor dishonesty/incompetence etc on the record?
- RM mentioned some cases. A Louisiana elections commissioner was convicted of taking an $8M bribe from Sequoia; there were cases involving Shoup in Philadelphia and ES&S in Florida.

- RA added from his recent experience. A bank had relied on the security of a tamper resistant module in current litigation. He had discovered and proved vulnerabilities in one vendor's offering: the vendor has demonstrably known about these vulnerabilities, but denied them for months. There is overlap between the security module vendors and the voting equipment vendors. Security equipment vendors in general have a poor record of dealing with protection claims that are contested in open court.

11. Chris Ketley observed that CESG's conclusions about the security of the Internet channel broadly aligned with RM's. He would not trust anyone who claimed that their system is invulnerable. On the other hand, the real question to be considered is whether the security achievable is good enough for election purposes. CESG's view about that is on the record in their report published in August.

12. Simon Johnson asked whether there had been recorded instances of vote selling. RM quoted the case of, an Internet enterprise that invited people to put their votes up for sale. It had been prosecuted by New York and Chicago where vote-selling is a felony, but had then moved offshore where prosecution became more difficult due to international trade laws.

13. RM added that there were well known cases (in the non-electronic world) of managers of nursing homes collecting all the ballots and using them themselves. And dead people seem to vote all the time. In the US there is also the problem that people acquire votes in several states, and use them even though they no longer have the residency qualification to do so. And political activists are not above taking advantage of the apparent anomalies in the voting register if it seems to be in their favour.

14. RA said this underlined the general need for multi-party involvement in auditing the propriety of elections. Given the scarcity of technical talent in the political parties, systems had to be capable of effective audit by non-technical people.

15. Further points made in the discussion included:

16. Thomas Barry asked for RM's views on the UK voting pilots. Did she think they are a good idea or not? RM said that her analysis suggested that the integrity of any election involving an end-to-end electronic process must be suspect. We do not know clearly enough how to manage the risks down to an acceptable level. She would therefore not be in favour of risking the result of any real election for the sake of learning lessons. Instead, they should be gleaned from mock elections, probably run in parallel with the real ones. MR asked whether, if those mock elections suggested a scheme would be viable, she would then favour moving forward somehow into the "real" environment. If not, it seemed pointless to embark on mock exercises.

17. MR asked whether RM could see any merits at all in investing in electronic support for elections. The answer to this was clearly positive. For RM, the bottom line was that an end-to-end electronic process would always be opaque and unsafe. However, an electronically enhanced system having a physical, paper audit trail could actually be done, and might well be more secure than the traditional process. It would provide a quicker result. Errors in ballots (i.e. votes) could be detected at voting time, and perhaps put right. It would be possible to accommodate schemes amounting to allowing votes for "none of the above". And it would be possible to explain quantitatively why there was an under-vote, that is, why the total of votes counted was less than the number cast.

18. Closing the meeting, MR and colleagues thanked Dr. Mercuri for a fascinating and informative session. It was agreed that follow-up questions could be routed to her via Dr. Brown at FIPR.

Mark Rickard
18 October 2002

(Another version of this transcript is posted at: