Note of a Meeting with Dr. Rebecca Mercuri and others at Stockley
17 October 2002
||Paul Waller (OeE)
|Ross Anderson (FIPR)
||Mark Rickard (OeE)
|Ian Brown (FIPR)
||Thomas Barry (ODPM)
||Chris Ketley (CESG)
||Simon Johnson (CESG)
||John Ross (OeE, consultant)
1. Mark Rickard welcomed Dr. Mercuri, and all participants introduced
2. MR established that Dr. Mercuri was familiar with the report written
by CESG and published in August by the OeE. In view of the fact that the
meeting was on the record, he said OeE would be delighted to treat Dr.
Mercuriís input formally as a contribution to the public consultation about
e-democracy, and e-voting security in particular. This was agreed, and
Ross Anderson added that he anticipated that FIPR would be providing its
own written contribution, too. MR welcomed this.
3. RM provided various published articles in support of her contribution.
These, and other salient materials are available via her website at:
4. Points she made were:
In summary, what defensive action could an electoral authority take to
ensure trust in the voting process? Nothing satisfactory is avialable.
for Internet voting the context in the UK is somewhat different from that
in the US. In the US, voting is truly anonymous. In the UK, vote (ballot)
and voter can be connected after the event, albeit only with a court order.
An audit trail is therefore required in the UK, although an individual
voter does not have the power to check that the vote counted as being from
him actually matched the vote he cast.
one concern with Internet voting is that the voter has absolutely no control
over the vote cast once it leaves his own computer system, and he cannot
check whether it has been subverted on the way to the count.
problems with all forms of remote voting include the dangers of coercion,
vote selling etc, and personation. The Internet introduces additional authentication
in some places in the US, the voter is required to produce identification
before being allowed to vote. Authentication is needed not least because
some people may have been struck from the voter register e.g. convicted
felons are barred from voting for a period of years in some states.
if voting is to be allowed from remote sites, some other method of authentication
would have to be in place. Various approaches have been tried - none very
successfully. RM mentioned primaries/elections in which Internet balloting
was used on a trial basis, in Alaska; ballots involving military personnel;
and a primary in Colorado.
In Oregon, a postal (paper) ballot had been held entirely remotely (no
polling stations). The local secretary of state claimed it was a great
success. Others had expressed the belief that there had been widespread
One method often suggested involves the use of passcodes. This begged the
question of how the person possessing the code could be demonstrated to
be the person entitled to it. Bio-identification might work - but raises
other concerns about personal privacy and the potential for misuse of such
data by government. There would be other sociological objections to such
Assuming, for the sake of argument, that these problems could be solved,
how could anyone be confident that a valid vote had actually been cast
via a computer connected to an Internet website? Experience is that websites
are easy to spoof so that the user is misled about the fact that he is
interacting with the official site. For example, democratic and republican
sites had both been spoofed in the last US presidential elections.
Personal computers attached to the Internet routinely have to be protected,
by firewalls, virus protection software etc, because the dangers of attack
are ever-present. However these tools are continually being undermined
by evolving methods of attack, and have to be upgraded. There is also the
risk of middleperson attacks by sites that pretend to be genuine election
sites but rather harvest votes, alter some, and pass them on.
The vulnerability of PC software is highlighted by the admission by Microsoft
that its code is vulnerable, with about 50 security briefings having been
issued in the past year or so - one a week. In any case, viruses could
be embedded in the computer chips themselves.
5. However. Assume for the sake of argument that these problems are
solved and a valid vote cast via a computerized front end. Uncertainties
about the security of back-end systems have yet to be addressed. Any such
system could have undetectable back doors, or means to subvert election
6. Moving on, RM reviewed the problems arising from vendorsí self-interests.
Open source code is insufficient as it too can harbour undetectable flaws.
Defective software may not be the result of malicious design. RM gave the
example of a touch-screen system in which, if the user pressed for two
candidates simultaneously, the software (erroneously) averaged the screen
coordinates - and recorded a vote for the candidate represented by that
Further examples were available. In Union County Florida, during the September
10 primary election, it was discovered that all democratic votes, including
those for gubernatorial candidate Janet Reno, using the mark-sense system
were recorded for republicans by the optical scanning computer system.
Since the ballots were cast on paper, a hand-recount was possible.
This might not have been noticed or corrected in a fully-computerized balloting
Provisions for failure recovery are generally inadequate. When machines
break down, vendor staff have to come in to do data extraction, a process
that apparently canít be independently audited.
Configuration management is often slack, with poor control over the loading
of programs and data for new elections.
7. RM emphasised that anyone wanting to subvert an election could do so
by subtle action, difficult to detect. An election might be swung merely
by interfering with ½% of votes in the most marginal wards. Even
the last US presidential election was decided by a few votes in Florida.
Introducing untrustworthy technology might therefore lead to huge loss
of confidence in the electoral system, undermining it fatally.
There have been examples where contractual agreements have incorporated
provisions to protect the vendorís trade secrets. This has effectively
prevented people from assuring themselves, by inspection, that the systems
are trustworthy. There is therefore a high-priority need to assess both
vending agreements, and vendors.
There have been instances where vendors have turned out not to be US citizens
(in one case RM recited, the company was British). And even cases where
the officers and key employees of voting system vendor firms were convicted
felons, in matters involving bribery of election officials. Indeed
there have been cases where election officials in the US have been convicted
of corruptly awarding contracts (although, not of thereby subverting elections
8. In some cases, attempts had been made to set security criteria high.
For example, New York city had launched a procurement for voting kiosks
on that basis. No-one could meet the requirements, and the old mechanical
machines are still in use (and had shown themselves to be encouragingly
robust). Their utility was recovered much more quickly from 9/11 disruption
than could have been expected by an electronic system.
9. Moving on, RM felt that a hopeful sign for the future of electronic
voting was represented by the cryptographic work of Dr. David Chaum.
10. MR put questions for clarification:
a) Had the Oregon election been independently evaluated in
the way that UK law requires the Electoral Commission to report on our
- RM said not. The Federal authorities in the US had advisory
powers only at state level.
b) Where were the cases of vendor dishonesty/incompetence etc on the record?
- She went on to mention the Voting Rights Act Bill, currently before
the Senate, which would require states implementing electronic systems
to build into them a paper audit trail by which votes cast could be physically
checked. Such an approach might incorporate real time electronic detection
of votes cast (e.g. by building an OCR capability into the ballot box).
- She emphasised that her objection was not to the idea of electronic
support: but rather to that of a wholly electronic system in which no physical
audit trail existed.
- Ross Anderson gave further examples of distrust of technology. E.g.
at the ACSAC conference in December 2000, a major IT security conference,
there was a debate on whether people trusted e-voting, which took place
during the Florida recounts for the US presidential election. The consensus
was that people did not trust e-voting, and a telling argument was that
no-one in the audience knew how to go about clearing Internet Explorerís
11. Chris Ketley observed that CESGís conclusions about the security of
the Internet channel broadly aligned with RMís. He would not trust anyone
who claimed that their system is invulnerable. Oon the other hand, the
real question to be considered is whether security achievable is good enough
for election purposes. CESGís view about that is on the record in their
report published in August.
- RM mentioned some cases. A Louisiana elections commissioner
was convicted of taking an $8M bribe from Sequoia, there were cases involving
Shoup in Philadelphia and ES&S in Florida.
- RA added from his recent experience. A bank had relied on the security
of a tamper resistant module in current litigation. He had discovered and
proved vulnerabilities in one vendorís offering: the vendor has demonstrably
known about these vulnerabilities, but denied them for months. There is
overlap between the security module vendors and the voting equipment vendors.
Security equipment vendors in general have a poor record of dealing with
protection claims that are contested in open court.
12. Simon Johnson asked whether there had been recorded instances of vote
selling. RM quoted the case of VoteAuction.com, an Internet enterprise
that invited people to put their votes up for sale. It had been prosecuted
by New York and Chicago where vote-selling is a felony, but had then moved
offshore where prosecution became more difficult due to international trade
RA supported RMís view that a physical ballot in which votes can inspected
could help establish trust. He added that he recognised CESG had, on the
one hand, to press people to use equipment conforming with security standards,
which provided an incentive to talk up the threats; and yet, on the other
hand, they wanted people to trust the Internet as an environment for e-business
and e-government, which meant talking down the threats. Conflicts could
RM remarked that putting in facilities to detect intrusion would be little
practical help. What should a returning officer do when told - at the point
in time when the result is to be declared - that there was a 70% probability
that intrusion had occurred. He would be ďdamned if he did, and damned
if he didnítĒ.
13. RM added that there were well known cases (in the non-electronic
world) of managers of nursing homes collecting all the ballots and using
them themselves. And dead people seem to vote all the time. In the US there
is also the problem that people acquire votes in several states, and use
them even though they no longer have the residency qualification to do
so. And political activists are not above taking advantage of the apparent
anomalies in the voting register if it seems to be in their favour.
14. RA said this underlined the general need for multi-party involvement
in auditing the propriety of elections. Given the scarcity of technical
talent in the political parties, systems had to be capable of effective
audit by non-technical people.
15. Further points made in the discussion included:
16. Thomas Barry asked for RMís views on the UK voting pilots. Did she
think they are a good idea or not? RM said that her analysis suggested
that the integrity of any election involving an end-to-end electronic process
must be suspect. We do not know clearly enough how to manage the risks
down to an acceptable level. She would therefore not be in favour of risking
the result of any real election for the sake of learning lessons. Instead,
they should be gleaned from mock elections, probably run in parallel with
the real ones. MR asked whether, if those mock elections suggested a scheme
would be viable, she would then favour moving forward somehow into the
ďrealĒ environment. If not, it seemed pointless to embark on mock exercises.
people tend to place too much faith in cryptographic methods.
elections lack the accounting checks and balances available in the financial
world. They need the physical paper trail instead.
In the US, there is little support for Internet voting - only in
the military context. Indeed there is little support for any other form
of electronic ballot casting.
17. MR asked whether RM could see any merits at all in investing in
electronic support for elections. The answer to this was clearly positive.
For RM, the bottom line was that an end-to-end electronic process would
always be opaque and unsafe. However, an electronically enhanced system
having a physical, paper audit trail could actually be done, and might
well be more secure than the traditional process. It would provide a quicker
result. Errors in ballots (i.e. votes) could be detected at voting time,
and perhaps put right. It would be possible to accommodate schemes amounting
to allowing votes for ďnone of the aboveĒ. And it would be possible to
explain quantitatively why there was an under-vote, that is, why the total
of votes counted was less than the number cast.
18. Closing the meeting, MR and colleagues thanked Dr. Mercuri for a
fascinating and informative session. It was agreed that follow-up questions
could be routed to her via Dr. Brown at FIPR.
18 October 2002
(Another version of this transcript is posted at: http://www.edemocracy.gov.uk/)