Note of a Meeting with Dr. Rebecca Mercuri and others at Stockley House
17 October 2002
Attendees:
Rebecca Mercuri
Ross Anderson (FIPR)
Ian Brown (FIPR)
Paul Waller (OeE)
Mark Rickard (OeE)
Thomas Barry (ODPM)
Chris Ketley (CESG)
Simon Johnson (CESG)
John Ross (OeE, consultant)
1. Mark Rickard welcomed Dr. Mercuri, and all participants introduced
themselves.
2. MR established that Dr. Mercuri was familiar with the report written
by CESG and published in August by the OeE. In view of the fact that the
meeting was on the record, he said OeE would be delighted to treat Dr.
Mercuri’s input formally as a contribution to the public consultation about
e-democracy, and e-voting security in particular. This was agreed, and
Ross Anderson added that he anticipated that FIPR would be providing its
own written contribution, too. MR welcomed this.
3. RM provided various published articles in support of her contribution.
These, and other salient materials are available via her website at:
http://www.notablesoftware.com/evote.html
4. Points she made were:
- for Internet voting the context in the UK is somewhat different from that
in the US. In the US, voting is truly anonymous. In the UK, vote (ballot)
and voter can be connected after the event, albeit only with a court order.
An audit trail is therefore required in the UK, although an individual
voter does not have the power to check that the vote counted as being from
him actually matched the vote he cast.
- one concern with Internet voting is that the voter has absolutely no control
over the vote cast once it leaves his own computer system, and he cannot
check whether it has been subverted on the way to the count.
- problems with all forms of remote voting include the dangers of coercion,
vote selling etc, and personation. The Internet introduces additional authentication
issues.
- in some places in the US, the voter is required to produce identification
before being allowed to vote. Authentication is needed not least because
some people may have been struck from the voter register, e.g. convicted
felons are barred from voting for a period of years in some states.
- if voting is to be allowed from remote sites, some other method of authentication
would have to be in place. Various approaches have been tried, none very
successfully. RM mentioned primaries/elections in which Internet balloting
was used on a trial basis, in Alaska; ballots involving military personnel;
and a primary in Colorado.
- in Oregon, a postal (paper) ballot had been held entirely remotely (no
polling stations). The local secretary of state claimed it was a great
success. Others had expressed the belief that there had been widespread
undetected fraud.
- one method often suggested involves the use of passcodes. This begged the
question of how the person possessing the code could be demonstrated to
be the person entitled to it. Bio-identification might work, but raises
other concerns about personal privacy and the potential for misuse of such
data by government. There would be other sociological objections to such
techniques.
- assuming, for the sake of argument, that these problems could be solved,
how could anyone be confident that a valid vote had actually been cast
via a computer connected to an Internet website? Experience is that websites
are easy to spoof so that the user is misled about the fact that he is
interacting with the official site. For example, Democratic and Republican
sites had both been spoofed in the last US presidential elections.
- personal computers attached to the Internet routinely have to be protected,
by firewalls, virus protection software etc, because the dangers of attack
are ever-present. However these tools are continually being undermined
by evolving methods of attack, and have to be upgraded. There is also the
risk of middleperson attacks by sites that pretend to be genuine election
sites but rather harvest votes, alter some, and pass them on.
- the vulnerability of PC software is highlighted by the admission by Microsoft
that its code is vulnerable, with about 50 security briefings having been
issued in the past year or so, one a week. In any case, viruses could
be embedded in the computer chips themselves.
In summary, what defensive action could an electoral authority take to
ensure trust in the voting process? Nothing satisfactory is available.
5. However, assume for the sake of argument that these problems are
solved and a valid vote cast via a computerized front end. Uncertainties
about the security of back-end systems have yet to be addressed. Any such
system could have undetectable back doors, or means to subvert election
results.
- Open source code is insufficient as it too can harbour undetectable flaws.
- Defective software may not be the result of malicious design. RM gave the
example of a touch-screen system in which, if the user pressed for two
candidates simultaneously, the software (erroneously) averaged the screen
coordinates, and recorded a vote for the candidate represented by that
average coordinate.
- Further examples were available. In Union County, Florida, during the September
10 primary election, it was discovered that all Democratic votes, including
those for gubernatorial candidate Janet Reno, using the mark-sense system
were recorded for Republicans by the optical scanning computer system.
Since the ballots were cast on paper, a hand recount was possible.
This might not have been noticed or corrected in a fully computerized balloting
system.
- Provisions for failure recovery are generally inadequate. When machines
break down, vendor staff have to come in to do data extraction, a process
that apparently cannot be independently audited.
- Configuration management is often slack, with poor control over the loading
of programs and data for new elections.
6. Moving on, RM reviewed the problems arising from vendors’ self-interests.
- There have been examples where contractual agreements have incorporated
provisions to protect the vendor's trade secrets. This has effectively
prevented people from assuring themselves, by inspection, that the systems
are trustworthy. There is therefore a high-priority need to assess both
vending agreements, and vendors.
- There have been instances where vendors have turned out not to be US citizens
(in one case RM cited, the company was British). And even cases where
the officers and key employees of voting system vendor firms were convicted
felons, in matters involving bribery of election officials. Indeed
there have been cases where election officials in the US have been convicted
of corruptly awarding contracts (although not of thereby subverting elections
as well).
7. RM emphasised that anyone wanting to subvert an election could do so
by subtle action, difficult to detect. An election might be swung merely
by interfering with ½% of votes in the most marginal wards. Even
the last US presidential election was decided by a few votes in Florida.
Introducing untrustworthy technology might therefore lead to huge loss
of confidence in the electoral system, undermining it fatally.
8. In some cases, attempts had been made to set security criteria high.
For example, New York city had launched a procurement for voting kiosks
on that basis. No-one could meet the requirements, and the old mechanical
machines are still in use (and had shown themselves to be encouragingly
robust). They recovered from the disruption of 9/11 much more quickly
than an electronic system could have been expected to.
9. Moving on, RM felt that a hopeful sign for the future of electronic
voting was represented by the cryptographic work of Dr. David Chaum.
10. MR put questions for clarification:
a) Had the Oregon election been independently evaluated in
the way that UK law requires the Electoral Commission to report on our
experiments?
- RM said not. The Federal authorities in the US had advisory
powers only at state level.
- She went on to mention the Voting Rights Act Bill, currently before
the Senate, which would require states implementing electronic systems
to build into them a paper audit trail by which votes cast could be physically
checked. Such an approach might incorporate real time electronic detection
of votes cast (e.g. by building an OCR capability into the ballot box).
- She emphasised that her objection was not to the idea of electronic
support: but rather to that of a wholly electronic system in which no physical
audit trail existed.
- Ross Anderson gave further examples of distrust of technology. E.g.
at the ACSAC conference in December 2000, a major IT security conference,
there was a debate on whether people trusted e-voting, which took place
during the Florida recounts for the US presidential election. The consensus
was that people did not trust e-voting, and a telling argument was that
no-one in the audience knew how to go about clearing Internet Explorer’s
cache.
b) Where were the cases of vendor dishonesty/incompetence etc on the record?
- RM mentioned some cases. A Louisiana elections commissioner
was convicted of taking an $8M bribe from Sequoia, there were cases involving
Shoup in Philadelphia and ES&S in Florida.
- RA added from his recent experience. A bank had relied on the security
of a tamper resistant module in current litigation. He had discovered and
proved vulnerabilities in one vendor’s offering: the vendor has demonstrably
known about these vulnerabilities, but denied them for months. There is
overlap between the security module vendors and the voting equipment vendors.
Security equipment vendors in general have a poor record of dealing with
protection claims that are contested in open court.
11. Chris Ketley observed that CESG’s conclusions about the security of
the Internet channel broadly aligned with RM’s. He would not trust anyone
who claimed that their system is invulnerable. On the other hand, the
real question to be considered is whether security achievable is good enough
for election purposes. CESG’s view about that is on the record in their
report published in August.
- RA supported RM's view that a physical ballot in which votes can be inspected
could help establish trust. He added that he recognised CESG had, on the
one hand, to press people to use equipment conforming with security standards,
which provided an incentive to talk up the threats; and yet, on the other
hand, they wanted people to trust the Internet as an environment for e-business
and e-government, which meant talking down the threats. Conflicts could
arise.
- RM remarked that putting in facilities to detect intrusion would be little
practical help. What should a returning officer do when told, at the point
in time when the result is to be declared, that there was a 70% probability
that intrusion had occurred? He would be "damned if he did, and damned
if he didn't".
12. Simon Johnson asked whether there had been recorded instances of vote
selling. RM quoted the case of VoteAuction.com, an Internet enterprise
that invited people to put their votes up for sale. It had been prosecuted
by New York and Chicago where vote-selling is a felony, but had then moved
offshore where prosecution became more difficult due to international trade
laws.
13. RM added that there were well known cases (in the non-electronic
world) of managers of nursing homes collecting all the ballots and using
them themselves. And dead people seem to vote all the time. In the US there
is also the problem that people acquire votes in several states, and use
them even though they no longer have the residency qualification to do
so. And political activists are not above taking advantage of the apparent
anomalies in the voting register if it seems to be in their favour.
14. RA said this underlined the general need for multi-party involvement
in auditing the propriety of elections. Given the scarcity of technical
talent in the political parties, systems had to be capable of effective
audit by non-technical people.
15. Further points made in the discussion included:
- people tend to place too much faith in cryptographic methods.
- elections lack the accounting checks and balances available in the financial
world. They need the physical paper trail instead.
- in the US, there is little support for Internet voting, only in
the military context. Indeed there is little support for any other form
of electronic ballot casting.
16. Thomas Barry asked for RM’s views on the UK voting pilots. Did she
think they are a good idea or not? RM said that her analysis suggested
that the integrity of any election involving an end-to-end electronic process
must be suspect. We do not know clearly enough how to manage the risks
down to an acceptable level. She would therefore not be in favour of risking
the result of any real election for the sake of learning lessons. Instead,
they should be gleaned from mock elections, probably run in parallel with
the real ones. MR asked whether, if those mock elections suggested a scheme
would be viable, she would then favour moving forward somehow into the
“real” environment. If not, it seemed pointless to embark on mock exercises.
17. MR asked whether RM could see any merits at all in investing in
electronic support for elections. The answer to this was clearly positive.
For RM, the bottom line was that an end-to-end electronic process would
always be opaque and unsafe. However, an electronically enhanced system
having a physical, paper audit trail could actually be done, and might
well be more secure than the traditional process. It would provide a quicker
result. Errors in ballots (i.e. votes) could be detected at voting time,
and perhaps put right. It would be possible to accommodate schemes amounting
to allowing votes for “none of the above”. And it would be possible to
explain quantitatively why there was an under-vote, that is, why the total
of votes counted was less than the number cast.
18. Closing the meeting, MR and colleagues thanked Dr. Mercuri for a
fascinating and informative session. It was agreed that follow-up questions
could be routed to her via Dr. Brown at FIPR.
Mark Rickard
18 October 2002
(Another version of this transcript is posted at: http://www.edemocracy.gov.uk/)