Why Singaporeans should oppose e-voting

The article below was written by Lee Demhart for the International Herald Tribune (29 April 2003) concerning e-voting in Britain. Singaporeans should pay heed because the PAP is going to introduce this at the next elections. Good luck to us all…

MORE than 1.5 million Britons will have a chance to vote on Thursday in 17 local elections using electronic-voting systems that computer security experts on both sides of the Atlantic say are fraught with danger and an invitation to fraud.

Britain’s pilot projects in computer voting – which include voting over the Internet – are the latest examples of the move to electronic voting by several European countries in the interest of efficiency, speed and increasing voter turnout by making it easier to vote. Although Thursday is election day in Britain, the electronic polls are already open in some of the pilot districts.

Elections by computer have previously been conducted in Sweden, Switzerland and France, as well as in Britain. The Netherlands, Italy, Germany, Estonia and the European Union have announced their intention to try them.

Electronic voting has also been conducted in several American states, spurred at least in part by the fiasco in Florida in the presidential election in 2000.

In all electronic elections in Europe and most of the United States so far, security experts say, the systems used were vulnerable to attack and could have been manipulated in undetectable ways that would have made it impossible to determine that the results of an election had been changed, either by accident or design.

Specifically, the experts say, Internet voting could be crippled by a ‘denial of service’ attack against the computer servers recording the vote, for which there is no known defence, and could disenfranchise large numbers of voters. In addition, they say, since voters use their own computers, election officials have no control over what software is installed on those machines or what viruses might be lurking in it that are activated only during an election to change votes.

Voting over the Internet, is ‘an election that a teenager could circumvent’, said Associate Professor Avi Rubin of Johns Hopkins University.

Assistant Professor Rebecca Mercuri of Bryn Mawr College near Philadelphia, one of the world’s leading specialists in electronic-voting security, said of the voting systems now being used in Britain: ‘It’s horrifically scary. This is an abomination, and I fear for democracy as a result.’

Senior scientist David Jefferson at the Lawrence Livermore National Laboratory in California, who headed the technical committee of the California Internet Voting Task Force three years ago, said: ‘All remote Internet voting from private PCs, no matter how you structure it, is seriously dangerous.’

In London, director Ian Brown of the Foundation for Information Policy Research, an independent organisation that studies the interaction between information technology and society, said: ‘We are worried about the security of electronic-voting systems, especially remote ones, where people can vote from home using their PC or a mobile phone, which is the kind of technology the British government has been keen on. No matter what the twists and turns of the scheme that they use, we don’t think that home PCs are a secure enough platform for something as truly vital to democracy as the voting system.’

Computer science professor David Dill of Stanford University agreed, saying: ‘These systems are open to wholesale vote fraud.’

The basic problem in current electronic-voting systems, the security experts say, is the lack of an audit trail that would enable all voters to verify for themselves in real time that their vote was recorded as they intended and was counted as they intended.

In addition, they say, there needs to be a publicly available electronic ballot box that can verify that the announced vote total is an accurate tabulation of all the votes cast. This must all be done in a way that maintains the secrecy of each individual’s ballot.

About 500 computer technologists in the US have signed a resolution put forward by Prof Dill warning that no electronic-voting system should be adopted that does not have these protections.

But none of the voting systems that are being used in Britain or elsewhere meet these requirements, Prof Dill said, though it is technically possible to have a system that does by using advanced cryptographic techniques.

Mr Jim Adler, president of Vote-Here, a company in Seattle that has provided the software for six of the local elections now under way in Britain, acknowledged that the security protections did not meet the highest standards. ‘Governments often make usability-security trade-offs,’ he said, ‘and you can see that in Britain’.

In a separate e-mail, he elaborated: ‘There is no requirement for voters to be able to verify that their vote was ‘cast as intended’ or for election observers to verify that all ballots were ‘counted as cast’. The technology exists, but Britain, so far, has not required it.’

In London, the Office of the Deputy Prime Minister, which runs British elections and oversees them, responded to questions by e-mail. ‘There is a range of measures in place to guard against abuse in the e-voting pilots,’ according to the statement by a spokesman for the Office of the Deputy Prime Minister.

The statement said the votes were encrypted and the security requirements were ‘devised in consultation with the government’s security experts’. ‘When a voter casts a vote,’ the statement said, ‘they will receive confirmation from the voting channel that the vote has been recorded.’ It added that the confirmation would be ‘along the lines of ‘thank you, your vote has been accepted’ ‘.

But computer security experts said this was no guarantee that the vote had not been tampered with, either on the machine where it was cast or in transmission to the counting place or in the tabulation itself. ‘You know your vote has been counted because you get an ‘I voted’ sticker back,’ Prof Dill said. ‘But that doesn’t say it was going to be counted correctly. It doesn’t say it’s counted as cast or counted as intended. How is it that the voter knows that the vote that went into the electronic ballot box is the vote he intended?’

The Office of the Deputy Prime Minister also said: ‘All e-voting pilots will be subject to pre-election independent security checks and post-election surveys and evaluation, the results of which will be made available to participating authorities and the public.’

But principal scientist Peter Neumann at the Computer Science Laboratory of SRI International in California said: ‘The pre- and post-testing stuff doesn’t prove anything at all. I can build a system that will show you that your vote went in correctly and still did not record it correctly.

‘What you do is build a shadow system that lurks underneath and that demonstrates that everything is perfect, except that the actual results are coming from the other system. There are a lot of ways that you can skin the cat without any evidence whatsoever.’

The Office of the Deputy Prime Minister also pointed to e-voting pilots conducted in Britain in 2000 and last year and said analysis ‘showed that the arrangements put in place did not enhance the opportunity for fraud or undermine the secrecy and security of the poll’.

To which Prof Rubin responds: ‘Everything in security is predicated on paranoia. The question is, ‘Is there an existing vulnerability?’ Not, ‘has it ever been exploited?’ ‘

Several experts noted that if people intended to rig an electronic election, they would not waste their time and effort on a minor local election with little consequence, thereby tipping off the authorities to the vulnerability of their election system. Such people would ignore small, pilot-project elections, such as those currently under way, in order to increase the authorities’ confidence in the system. They would wait until a big election, such as a national one, before attacking.

Prof Mercuri said: ‘It’s only a matter of time before somebody’s going to target one of these elections.’

She and others spent a week in London last autumn explaining all of the dangers to Cabinet officials and the election authorities, without persuading them to implement stricter controls, according to her and Mr Brown, the London researcher, who was also at the meeting.

‘These are basic underlying computer technology facts,’ Prof Mercuri said, ‘but no one wants to listen to this. They want to operate under, ‘it’s not going to happen to us’, or, ‘this is just gloom and doom’ or, ‘you’re a bunch of Luddites’ ‘.

‘But that’s not the case. The virus problems and the auditability problems strike at the underpinnings of major computer-science concepts that we have not been able to solve. The people are just shunning this and flying in the face of this,’ she added.

Mr Brown recalled: ‘They just said, ‘We’re convinced it’s secure. All we need is that it’s at least as secure as the existing system, and paper ballots aren’t perfect’. My response to that is, yes, there are opportunities for fraud, but it’s on a much smaller scale. You can’t invisibly, quietly manipulate the vote across the entire country, which would be possible with an electronic system.’

Prof Rubin said: ‘You hear the famous line, ‘Why are we using 18th century technology to vote in the 21st century?’ And the answer is because it works, and 21st century technology is not well-suited to elections.’