Kilroy Was Here
February 08, 2003
Computer Scientists Fear Voting Via Computer
When the experts raise an alarm, we should listen. And as reported by the San Jose Mercury News, the experts are weighing in.
More than 100 computer scientists and experts have signed a petition asking that any electronic voting system include a way for voters to receive a paper copy that will verify the vote they recorded electronically.
With the proposed Sequoia system, "there's no assurance that the vote that appears on the screen is the one that's recorded," said Peter Neumann, principal scientist at SRI International in Menlo Park.
David Dill, a professor of computer science at Stanford University, originated the petition. His statement is simple:
This statement is intended to be a message from technologists to the rest of the public, the gist of which is: Do not be seduced by the apparent convenience of "touch-screen voting" machines, or the "gee whiz" factor that accompanies flashy new technology. Using these machines is tantamount to handing complete control of vote counting to a private company, with no independent checks or audits. These machines represent a serious threat to democracy. Much better alternatives are available for upgrading voting equipment.
If you are interested in this issue, you should take a look at the Cal Tech-MIT Electronic Voting Project.
However, David's critique reminds me of another computer scientist's critique of the security system in airports. Bruce Schneier, author of the classic book Applied Cryptography, points out a major flaw in security thinking in an Atlantic article entitled Homeland Insecurity, by Charles C. Mann:
The way people think about security, especially security on computer networks, is almost always wrong. All too often planners seek technological cure-alls, when such security measures at best limit risks to acceptable levels. In particular, the consequences of going wrong—and all these systems go wrong sometimes—are rarely considered. For these reasons Schneier believes that most of the security measures envisioned after September 11 will be ineffective, and that some will make Americans less safe.
Bruce Schneier gives an illustrative example of this when he encounters security troubles at the local airport:
A couple of months after September 11, I flew from Seattle to Los Angeles to meet Schneier. As I was checking in at Sea-Tac Airport, someone ran through the metal detector and disappeared onto the little subway that runs among the terminals. Although the authorities quickly identified the miscreant, a concession stand worker, they still had to empty all the terminals and re-screen everyone in the airport, including passengers who had already boarded planes. Masses of unhappy passengers stretched back hundreds of feet from the checkpoints. Planes by the dozen sat waiting at the gates. I called Schneier on a cell phone to report my delay. I had to shout over the noise of all the other people on their cell phones making similar calls. "What a mess," Schneier said. "The problem with airport security, you know, is that it fails badly."
For a moment I couldn't make sense of this gnomic utterance. Then I realized he meant that when something goes wrong with security, the system should recover well. In Seattle a single slip-up shut down the entire airport, which delayed flights across the nation. Sea-Tac, Schneier told me on the phone, had no adequate way to contain the damage from a breakdown—such as a button installed near the x-ray machines to stop the subway, so that idiots who bolt from checkpoints cannot disappear into another terminal. The shutdown would inconvenience subway riders, but not as much as being forced to go through security again after a wait of several hours. An even better idea would be to place the x-ray machines at the departure gates, as some are in Europe, in order to scan each group of passengers closely and minimize inconvenience to the whole airport if a risk is detected—or if a machine or a guard fails.
Similarly, any electronic voting scheme must "fail smartly." If, after election day, fraud is suspected at a polling place, there must be a way for human beings first to verify that there was fraud and, more importantly, to verify the true count.
A system that only stores votes in a single, proprietary, computer-readable format would have no way to verify the count. A system that stored votes in a variety of formats, including a human-readable one, would not only have checks and balances, it would have an easy-to-verify and official way of hand-counting votes, should a manual recount be necessary.
My idea of an ideal voting system would be one that looks like the following:
- People would use a touch-screen (a la ATM) to be easily prompted through a ballot. This touch screen could handle different types of elections (Instant Run-Off, etc.), and could tabulate votes electronically as a check.
- The machine would then print out a ballot on heavy card stock. On one side of the ballot would be a citizen's vote in an easy-to-read format. On the other side would be a vote that could be read by an optical scanning machine. Like optical scanning ballots today, the optical scanning format should be easy for the voter to verify.
- A human being could then verify that their vote is correct.
- The paper ballot would be fed into an optical reading machine. This machine would tabulate the first official count.
- At the end of election day, the optical reading machine would spit out a report on the votes and its tabulation. This could be compared against the check count in the electronic machine. If an error exceeded a certain amount, an automatic manual recount could be ordered.
At least this would fail better than, say, a system that has no accountability and may allow a candidate with strong ties to the manufacturer of voting machines to stuff an electronic ballot box and fraudulently win an election.
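The end-of-day comparison in the last step of the list above, written out as an added example (not part of the original post). The report format, contest and candidate names, and the 0.5% tolerance are assumptions; it also goes one step beyond the post's threshold rule by forcing a recount whenever the two counts name different winners or a contest is missing from one report.

```python
"""Reconcile the touch-screen check count against the optical-scan official count."""

# Constructed sample reports for one polling place: contest -> candidate -> votes.
ELECTRONIC = {
    "Mayor": {"Alvarez": 412, "Brooks": 388},
    "Measure A": {"Yes": 301, "No": 499},
    "Sheriff": {"Chen": 400, "Diaz": 398},
}
OPTICAL = {
    "Mayor": {"Alvarez": 411, "Brooks": 388},   # one ballot never scanned
    "Measure A": {"Yes": 361, "No": 439},       # 60 votes differ per choice
    "Sheriff": {"Chen": 398, "Diaz": 399},      # small error, but winner flips
}

def leader(tally):
    """Return the choice with the most votes, or None on a tie or empty tally."""
    ranked = sorted(tally.items(), key=lambda kv: kv[1], reverse=True)
    if not ranked or (len(ranked) > 1 and ranked[0][1] == ranked[1][1]):
        return None
    return ranked[0][0]

def reconcile(electronic, optical, max_error=0.005):
    """Return {contest: reason} for every contest that needs a manual recount.

    max_error is the assumed tolerated fraction of the optical (official) total.
    """
    recounts = {}
    for contest in sorted(set(electronic) | set(optical)):
        e, o = electronic.get(contest), optical.get(contest)
        if not e or not o:
            # Fail safe: a contest absent from either report is not "zero error".
            recounts[contest] = "missing from one report"
            continue
        # Sum of per-choice differences between the two counts.
        disputed = sum(abs(e.get(c, 0) - o.get(c, 0)) for c in set(e) | set(o))
        total = sum(o.values())
        if leader(e) != leader(o):
            recounts[contest] = "counts disagree on the winner"
        elif disputed > max_error * total:
            recounts[contest] = f"{disputed} disputed votes of {total}"
    return recounts

if __name__ == "__main__":
    for contest, reason in reconcile(ELECTRONIC, OPTICAL).items():
        print(f"manual recount: {contest} ({reason})")
```

The recount itself is done by hand on the printed card-stock ballots, which is what makes the comparison meaningful: neither machine count is trusted to settle a disagreement.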