Subject: RISKS DIGEST 10.64 REPLY-TO: risks@csl.sri.com RISKS-LIST: RISKS-FORUM Digest Wednesday 21 November 1990 Volume 10 : Issue 64 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: Re: Voting from home electronically (Alan Jeffrey, Steve Bellovin, Brad Templeton, Henry Spencer, Peter da Silva, P.J. Karafiol, Barbara Simons, Joseph R. Beckenbach, Alan Marcum, K.M. Sandberg, Chris Maltby, R. Simkin, Flint Pellett) Re: Election coverage software (Gregory G. Woodbury) The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line. Others ignored! REQUESTS to RISKS-Request@CSL.SRI.COM. FTP VOL i ISSUE j: ftp CRVAX.sri.comlogin anonymousAnyNonNullPW CD RISKS:GET RISKS-i.j; j is TWO digits. Vol summaries in risks-i.00 (j=0); "dir risks-*.*" gives directory; bye logs out. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise. ---------------------------------------------------------------------- Date: Sat, 17 Nov 90 12:56:52 +0100 From: Alan Jeffrey Subject: Re: Voting from home electronically (revisited) There is an additional risk associated with voting from home, not mentioned by any of the posters. By making it easier for people with phones to vote, you are helping to disenfranchise those who can't afford phones. I don't know about the US, but in the UK telephone voting would (perhaps significantly) boost the results of the ABC1 / over 35 / Conservative vote, with resultant damage to the Labour party. If we're going to claim to live in representative democracies, we're going to have to make the technology for voting equally available to all. Alan Jeffrey 031 721098 jeffrey@cs.chalmers.se Computer Science Department, Chalmers University, Gothenburg, Sweden ------------------------------ Date: Fri, 16 Nov 90 13:40:30 EST From: smb@ulysses.att.com Subject: Re: Voting electronically from home (revisited) From: li@diomedes.UUCP (Li Gong) ... I would like to add that the current system not only provides physical security of identification, but also physical security against harassment. Nobody else is allowed to go into the booth when a voter, say Alice, is voting inside. You overassume. In *theory* no one else is allowed to go inside the voting booth (subject to a few exceptions for illiterate or handicapped voters, btw); practice is something else entirely. I still recall my astonishment the first time I witnessed the quaint local voting customs in Durham, North Carolina. A husband and a wife would enter the booth together, and cast a vote; the wife would then exit, and the husband would vote (again?). Then, of course, there's Chicago, a town that gives entirely new meaning to the phrase ``voting machine''.... But I digress. --Steve Bellovin ------------------------------ Date: Sun, 18 Nov 90 3:19:13 EST From: brad@looking.on.ca (Brad Templeton) Subject: Becoming over-sensitive to risks (vote by phone) While I appreciate people's concern over the sanctity of the vote, consider what is used now. I don't know about the U.S., but in Canada there's almost no security on voting. They come round to your house every election, and ask for the names of every elector. No ID is asked for. You could name your children or pets and they would get on the voters list. (It's no doubt a crime of some sort to do this, of course.) Likewise all you have to do is go to the poll, and give the name of any person who hasn't voted yet (normally yourself.) As long as it isn't a small poll, you could easily use any other name. (The lists are posted on telephone polls so people can check they're on.) If you have good eyes and can read upside down, you can even look at the RO's name sheet when you walk in. Sounds ripe for fraud, but it just never happens. When a seat is hotly contested or close, the party scrutineers watch things closely, in addition to the elections officials. I have never heard of any accusations of abuse. While using SSNs or other publicly available info isn't a good idea, I would have no opposition to well designed phone voting -- particularly in an area with ANI. There are RISKS, but as long as we watch for them, they are no greater than those of the current system. The greatest RISK is not watching for RISKS because we trust the computer too much. On the other hand, there are other problems with phone voting -- the largest being the elimination of the secret ballot. The voting computer will know who voted for whom. We must trust the programmers and their auditors to assure us the information is erased and never stored. (On the other hand, doing this disallows one great method of verifying phone voting, namely a mailed ACK.) Brad Templeton, ClariNet Communications Corp. -- Waterloo, Ontario 519/884-7473 ------------------------------ Date: Sat, 17 Nov 90 19:19:12 EST From: henry@zoo.toronto.edu Subject: Re: Voting electronically from home (revisited) >... in the most recent election, I found myself rushing >to the polling place near my home... and arrived too late. If I could have >voted at a location near my work, or by telephone, problem solved. There are several simple non-technological fixes for this, notably the one followed in a number of other countries: hold elections on Sundays, when most people have at least part of the day free. Henry Spencer at U of Toronto Zoology utzoo!henry [An eminently reasonable suggestion, although we have drifted away from the computer relevance -- except that you have found a very simple nontechnical solution to the problem. PGN] ------------------------------ Date: Sat Nov 17 08:42:17 1990 From: silva Subject: Voting by phone > [use Caller-ID to] foil attempts by people to cast large numbers of votes > from one phone, even if the authentication system were compromised. This would tend to disenfranchise people in poor neighborhoods where there may only be a single public phone to serve an entire apartment block. Also, it would be desirable to have the call to the election service be free in areas with measured service or from a pay phone. And of course the dangers of COCOTs (private pay phones) would be increased. Another contributer noted: > For example, in the most recent election, I found myself rushing > to the polling place near my home (since you can only vote at > the registered polling place) and arrived too late. If I could have > voted at a location near my work, or by telephone, problem solved. A simpler and less dangerous solution would be to allow you to vote at any polling place, and have some form of real-time communication between the polling places to prevent fraud. Another negative effect I could imagine would be that this would enable proxy voting: "You're a good Republican, and you just want to vote the straight party ticket. "Call 1-800-VOTE-GOP" or "1-800-VOTE-DEM" and have your election ID number at hand... Peter da Silva. +1 713 274 5180. peter@ferranti.com ------------------------------ Date: Sun, 18 Nov 90 23:34:53 -0400 From: karafiol@husc8.harvard.edu (P.J. Karafiol) Subject: Voting by phone With all this talk about vote *fraud* I'm surprised no one mentioned a serious, actual *infringement* on one's constitutional rights. If voting is done by phone, what happens to people who don't have one, either because of location (yes, there are places in the continental US without regular phone service, although all the ones I know of are reachable through some kind of radio-phone system) or finances or personal choice? Although poor or phone-phobic people could conceivably use a public phone (the number would presumably be toll-free) it still seems unfair to people who are in category 1. Questions, comments, discussion? Caveat: I didn't read the original (non-electronic) article on voting by phone. This concern may be addressed in that article. == pj karafiol ------------------------------ Date: Sun, 18 Nov 90 22:59:34 PST From: Barbara Simons Subject: Voting from home (Re: RISKS-10.61) In discussing voting electronically from home, Li Gong says (in RISKS DIGEST 10.61): I would like to add that the current system not only provides physical security of identification, but also physical security against harassment. Nobody else is allowed to go into the booth when a voter, say Alice, is voting inside. On the one hand, this gives Alice privacy; on the other, she can vote according to her own will. Moreover, since this individual vote is among maybe a billion other votes, no ordinary person could find out for whom Alice has voted. This potentially discourage "buying" votes with money or menace, because it is difficult (if not impossible) to "physically" influence a voter at voting time and/or to verify a voter's vote afterwards. He then goes on to mention that he and his former advisor had been working on a zero-knowledge method for voting. This is an interesting idea, but it assumes an outsider who wishes to know about or influence Alice's vote. Suppose, however, that her husband has decided how he wants Alice to vote. In most states, he would not be allowed into the voting booth while she voted. But he could easily watch her as she votes electronically at home. The risk in this situation is that an obvious form of intimidation has not been taken into account. I said that in most states he would not be allowed into the voting booth while she voted. I recall hearing about some Southern state in which a husband and wife are (were?) allowed into the voting booth together. Apparently, the theory was that the husband would vote for them both. Unfortunately, I don't recall the state nor whether this unhappy situation still exists. Barbara ------------------------------ Date: Mon, 19 Nov 90 20:37:29 GMT From: jerbil@tybalt.caltech.edu (Joseph R. Beckenbach) Subject: Re: Voting electronically from home (revisited) Why am I still under the impression that this "vote-by-phone" is a technical solution to a nontechnical problem? True, a "vote-by-phone" system would be useful for hospital patients and shut-ins of many sorts, but absentee ballots were made for this, were they not? Why not simply declare Election Day a national holiday? We celebrate the Fourth of July in the USA because it reminds us of past efforts to keep freedom. Why not one to remind us of our duty to safeguard current freedoms? When I form a company, I intend on making Election Day a half-day or full-day holiday with pay, with proof of vote. Or some other scheme which penalizes for not voting if the person is eligible. [I'd rather not reward for performance of a duty, but if such is necessary, I will.] Joseph Beckenbach ------------------------------ Date: Tue, 20 Nov 90 17:05:49 PST From: Alan_Marcum@NeXT.COM Subject: Re: Voting electronically from home Imagine how much havoc a vote-by-phone system would wreak on dear Ma Bell out here in California, the Land of the Ballot Proposition. Millions of hour-long telephone calls as citizens try to register their votes on the dozens (yes, literally) of propositions. "We're sorry, your call did not go through. All voting circuits are busy now. Please try again tomorrow..." Alan M. Marcum NeXT Technical Support Alan_Marcum@NeXT.COM +1-415-363-5153 ------------------------------ Date: 19 Nov 90 00:27:25 GMT From: sandberg@ipla01.hac.com (K. M. Sandberg) Subject: Voting (Re: RISKS-10.61) In regards to voting, it was mentioned that current voting is based on physical security, but at least where I vote all I do is bring in the little booklet and sign the book and I get to vote, no check of who I really am. If I had multiple booklets I could vote several times, but since I must go to one place to vote and sign in I could not vote multiple times based on my own name. In another response it was said that having the phone system would help voting since the person said that they missed getting to the poles, but absentee ballots solve this if it is a normal problem. The risk of influencing the votes because of the current privacy, unless the absentee ballot is used, is important. Other solutions would be to send the ballot, like the absentee ballots, and allow people to drop them off, but this still has the risk of lack of privacy. Personally it would be nice if you could vote at a common place, possibly before election day, with the same privacy and security, maybe at your local post office or at a pre-selected place to prevent multiple voting. Too bad we can't trust people. In this last risk posting, it mentioned that people could enter in their votes for practice only so that they would get used to it, but a question that comes up was this information used BEFORE the end of election day? If it was it could have affected voting, as does the exit polls, east coast results before the west coast polls close, etc. Kemasa. ------------------------------ Date: Wed, 21 Nov 90 14:00:24 EST From: chris@softway.sw.oz.au (Chris Maltby) Subject: Re: Election coverage software >The News Election Service, the central clearing house for election >information, has their systems set up to deliver vote percentages that >show the major party candidates' votes adding up to 100%, even when >the major party candidates don't capture 100% (as they usually don't). I was certainly intrigued by this and other things as I watched the election coverage in Boston. Having worked on the software for the Australian Electoral Commission for the last federal election (March 1990) there I was surprised by the (parochialism speaks) poor standard of the reporting. First, the results of counting seemed to be very slow to arrive, leaving the commentators to talk about nothing for long periods. Some districts still had only 1% of precinct reporting at 11pm. In the Australian election, at least 80% of the vote had been counted by 11pm. Second, there seemed to be no analysis of swings and only minimal discussion of trends in early vs. late figures. The commentators were predicting a win for Weld although he trailed for most of the night. The information they based the prediction on was not produced. Given that the first-past-the-post system is significantly easier to count than the preferential system in use in Australia, there seems to be little possible excuse for the delay/inaccuracy of the result reporting. To put things in perspective however, and to reveal the "risk" for this posting, the Australian experience was not without problems. For the first time the Electoral Commission attempted to make predictions based on preliminary results from individual polling booths. That is, when figures for a booth came in they were compared with previous figures from the same booth to yeild a "swing" percentage. This swing would then be propagated over the booths for which no result was yet known. This was expected to be able to give very accurate predictions. The magic quantity is dubbed the "two-party-preferred" vote. The unknown factor turned out to be the unusually high vote for minor parties and independents, with an even more unusual preference distribution pattern. The preference system allows voters to protest their favourite major party's policy/candidate but direct their second preference to that party ahead of the other major party. This option was exercised in much higher numbers than ever before, and especially among Labor voters. The commission's system made some rather simple assumptions about minor party preferences. As a result, for most of the night, the prediction was a landslide for the Liberals based on an apparent swing above 10%. The actual result was a solid win for Labor of 8 seats (as predicted by count scrutineers). In two electorates independents were able to beat one major party into second place and win the seat on preference votes. A better system for preference sampling is being implemented for the next election... Chris Maltby - Softway Pty Ltd (chris@softway.sw.oz.au) PHONE: +61-2-698-2322 UUCP: uunet!softway.sw.oz.au!chris ------------------------------ Date: Mon Nov 19 09:31:07 1990 From: rsimkin@dlogics.UUCP Subject: Voter registration isn't always pre-registration In Risks 10.61 "Re: Voting electronically from home (revisited)", Stephan Meyers says: > How does this sound: before each election, each voter is mailed a > confirmation of registration (since, I believe, to vote one must be > registered, and to register, one must have a permanent address) This assumes that registration must be completed well in advance of election day, which isn't always the case. In the name of making the voting process more accessible, Wisconsin law used to (and may still) allow voters to register at the polling place on election day. As a result many people would arrive at the poll with proof of residence, register, and then vote. --Rick Simkin ------------------------------ Date: 19 Nov 90 22:49:15 GMT From: flint@gistdev.gist.com (Flint Pellett) Subject: Re: Voting electronically from home (revisited) li@diomedes.UUCP (Li Gong) writes: >I would like to add that the current system not only provides physical security >of identification, but also physical security against harassment. This is what I think the biggest risk of vote-by-phone is: Al Capone decides he wants to be mayor, and has his flunkies each call 100 kindly little old ladies in the month before the election, telling them "Come to my house to cast your vote or I'll ..." and then, the flunkies watch the little old ladies punch their votes into the telephone, and make sure they vote the "right" way. Anyone care to enlighten us on what types of security measure are planned to deal with this type of problem? Merely being able to recognize that you are recording a vote from the proper person is not sufficient. Any scheme with authentication numbers suffers from the fact that it will never be any more secure than the way in which those numbers are communicated to the voter, and the way in which the voter remembers them. (If you have to mail the numbers to the voter, then that mail can fall into the wrong hands. If the voter has to write it down in order to remember it, which is quite likely for most people given that they use it once every 6 months or less, it is also at risk.) Flint Pellett, Global Information Systems Technology, Inc. 1800 Woodfield Drive, Savoy, IL 61874 (217) 352-1165 uunet!gistdev!flint ------------------------------ Date: Mon, 19 Nov 90 17:52:18 GMT From: ggw%wolves@cs.duke.edu (Gregory G. Woodbury) Subject: Re: Election coverage software Here in Durham NC, we had a rather interesing election :-) It seems that nearly half of the voting machines in the county went haywire and would not work correctly on election day! This happened early and we had a court ruling that the polls stay open to 10pm and that paper ballots be made available in all precincts to those who wanted them. In my precinct (I am an assistant election official) only two of our 6 mahcines had problems and we (hopefully) caught them as soon as they occurred. Even so, our audit numbers were off by 4 at the end of the night. The particulars of the election seem to be that in the county commissioners races, for the first time in xxx years (maybe the first time ever) we had an INDEPENDENT candidate, not in conjunction with an independent running for president. The machines are set up so that one can "split ticket" by pulling the straight party lever and then deselect one candidate and select another. The problem for all the machines that I have been able to get exact information on seems to be that people tried to split ticket and forgot to deselect a candidate before selecting someone in the other parties lines. This jammed the levers in the county commissioners section and rendered the machine unuseable. Considering that most voters do NOT understand the ways that machines work, it happened in some precincts that the jammed machines where used until someone complained or noticed the jam. This is the RISK. People assumed that the technology would behave correctly. When something did go wrong, they ignored the errors cause they didn't know any better. In this city, however, we have a high ratio of advanced degrees (MS,PhD,etc) in the population in certain precincts, and even there, the problems occurred. On a side note: when the judge ordered the use of paper ballots AND staying open til 10pm, he made it IMPOSSIBLE for Durham results to be known before 2am! The precincts are set up to deal with a small number of paper ballots (for disabled voters unable to enter the polling location but coming near by in a car - "curbside voters"), but extending these paper ballots to anyone who wanted to use them placed an unexpected load on the pricint officials when the polls closed! I had volunteered monday evening to count paper ballots (before the judge's order) and instead of 25 or so ballots, we had nearly a hundred! That was so much FUN! *HA!* By the time we finised counting and had the helms/gantt figures for NES it was 3am and they had the time to ask why we were the first precinct from Durham NC to call in "official" results. -- Gregory G. Woodbury Durham NC UUCP: ...dukcds!wolves!ggw ...mcnc!wolves!ggw ggw%wolves@mcnc.mcnc.org ------------------------------ End of RISKS-FORUM Digest 10.64 ************************