Online Voting - Island of Sanity

Online Voting


There are many proposals out there to allow people to vote over the Internet. People advocating this will often say, "Hey, millions of people order merchandise over the Internet every day and it's processed smoothly and efficiently. There's no reason why we can't do the same with voting."

There's a big reason why it's not that simple. Ordering merchandise and voting differ in two very important ways.

One, if a company processes your order incorrectly, if they send you the wrong merchandise or ship to the wrong address, you will know. You will see that you didn't get what you ordered. But with voting, you cannot know for sure if your vote was counted correctly. It is, of course, quite possible that the candidate you voted for will lose, so just because the "wrong person" is declared the winner doesn't mean your vote was not counted.

Two, an Internet ordering company has every incentive to process your order correctly. If they ship you the wrong item, you are presumably going to call and complain, and they will have to pay people to handle your complaint, they will have to pay for the wrong item to be shipped back, and they will have to at least inspect the item before reselling it. They might end up having to scrap it as not resellable. People counting votes have no incentive to be accurate except their own sense of integrity. They might be lazy or sloppy and lose or miscount your vote. Or worse, they could be actively dishonest and deliberately miscount votes to make their preferred candidate win. You wouldn't even know.

That's why voting systems generally require some means of conducting a recount. There must be some kind of audit trail that can be used to verify that votes were counted correctly. Having paper ballots is one obvious way to do this.

Suppose that an incompetent programmer wrote a web voting system that lost 20% of the votes, or awarded them to the wrong candidate. How would anyone even know?

A dishonest programmer could deliberately miscount votes. He probably wouldn't count ALL votes as being for his party: if the vote came out 100% for party X and 0% for party Y, people would get suspicious. But what if he slanted it so that some small percentage of the votes for the party he didn't like were thrown away or counted as being for his party? If there were no paper trail, how would anyone know?

I'm a software developer myself. Years ago I was on a forum where someone brought up the possibility of a vote-counting program that deliberately miscounted. Several people chimed in that this could easily be caught by reviewing the code. After all, several of them said, all the program should do is look at each vote, see if it's a vote for Smith or for Jones or whomever, and update the correct total.

That was hopelessly naive. A real voting program would be much more complicated than that. In a real election, there isn't just one office and two candidates. There can be many offices and many candidates. In some races you can only vote for one candidate, while in other races you can vote for several. (City council elections, for example, are often "vote for no more than 5" or some other number.) Different voters can vote for different sets of candidates: in a given state, everyone can vote for governor and senator, but only people in a given city can vote for mayor of that city. A good program would give the voter a way to fix a mistake or change his mind. And so on. With all that complexity, a skillful programmer could slip in dishonest code.

Indeed, I once saw a contest where they challenged programmers to write a program that would deliberately miscount votes, but in a way that was subtle so that someone reviewing the program would be unlikely to see it. They got many entries. The winning program relied on a buffer overflow: it stored data in an area of memory that was deliberately made not big enough, so that when it was read back, it would run off the end of the buffer and read other, ostensibly unrelated data. If this is too technical and you don't get it, don't worry about it. The point is just that programmers found many ways to write a program that LOOKED like it was counting votes fairly but really was biased, and biased in a way that another programmer studying the code might well not notice. Or if someone did notice, the programmer could play stupid and pretend it was an honest mistake.

For what it's worth, here's my suggestion of how we could have verifiable Internet voting:

When someone registers to vote, they also pick a card with a voter ID number. The cards are in a big basket and they stick their hand in and pull one out at random, so there's no way anyone could know which ID number any given voter has. Then when they go to vote on-line, they enter their ID number and fill out their ballot.

There's a scheme to the ID numbers so that you can't just make up a random number. Perhaps a check digit, like they use on credit cards: There's some formula they run the number through to generate the last digit or two, so that a random number won't be valid. It has to satisfy the formula.

If the same ID number is used to vote twice, alarms go off and there's an investigation. This means either that someone voted twice, or that someone voted using another person's ID number.

When the votes are in, the web site makes a list that anyone can access showing voter ID numbers and how they voted. So you can check that your vote was counted and was counted correctly. The voting administration people and other interested people, like the political parties or reporters, can verify that there were not more votes than there are registered voters, and that the totals match the individual votes.
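As an added example (not the author's or the site's code), here is a toy Python version of the checks an observer could run against the published list described above: a Luhn check digit standing in for the "formula" (my assumption; the page only says "like credit cards"), detection of an ID that voted twice, the ceiling of one ballot per registered voter, and totals recomputed from the individual records. The ballot records and ID numbers are constructed for the example.

```python
from collections import Counter


def luhn_check_digit(body: str) -> str:
    """Luhn check digit (the payment-card scheme) for a string of digits."""
    total = 0
    # Walk the body from the right; the rightmost body digit is doubled because
    # it sits second from the right once the check digit is appended.
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return str((10 - total % 10) % 10)


def is_valid_id(voter_id: str) -> bool:
    """A made-up number is rejected unless its last digit satisfies the formula."""
    return (voter_id.isdigit() and len(voter_id) > 1
            and luhn_check_digit(voter_id[:-1]) == voter_id[-1])


def audit(ballots, registered_count, candidates):
    """Check a published (voter_id, choice) list the way any observer could."""
    invalid = [vid for vid, _ in ballots if not is_valid_id(vid)]
    seen = Counter(vid for vid, _ in ballots)
    # An ID voted twice is the 'alarms go off' case: all of its votes are set
    # aside for investigation (and a revote) rather than counted.
    duplicates = sorted(vid for vid, n in seen.items() if n > 1)
    totals = Counter(choice for vid, choice in ballots
                     if vid not in duplicates and vid not in invalid)
    return {
        "invalid_ids": invalid,
        "duplicate_ids": duplicates,
        "too_many_ballots": len(ballots) > registered_count,
        "totals": {c: totals.get(c, 0) for c in candidates},
    }


def sample_ballots():
    """Constructed sample: four cards issued, one card used twice, one made-up ID."""
    ids = [body + luhn_check_digit(body) for body in ("1001", "2002", "3003", "4004")]
    return [(ids[0], "Smith"), (ids[1], "Jones"), (ids[2], "Smith"),
            (ids[2], "Jones"),       # same card voted twice
            ("123456", "Jones")]     # random number that fails the check digit


if __name__ == "__main__":
    print(audit(sample_ballots(), registered_count=4, candidates=("Smith", "Jones")))
```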

As no one knows the number on your card except you, you still have a secret ballot. If there's a problem, they'd ask everyone who voted with that ID number to come forward. If only one person comes forward and he's legally entitled to vote, they delete all the votes with that ID number and let the person vote again. If two people come forward claiming the same ID number, perhaps one misread the number. They delete the votes and let those people vote again. If two people really have cards with the same ID number, either one is a counterfeit or the state made a mistake when printing cards. If there's evidence that one card is a deliberate counterfeit, the person holding it is arrested for vote fraud. Otherwise, we delete the votes, give the people involved new cards, and they vote again.

Okay, seeing the new totals after a revote might take away someone's secret ballot. I mean, if the vote was 10,000 for Smith and 9,000 for Jones and one vote with a given ID was for Smith and another was for Jones, we reverse those, and now the total is 9,999 to 8,999. Now (say) two people get to vote again. We see the total is now 10,001 to 8,999. Well apparently both of them voted for Smith. But in real life, it's likely there would be at least a few problem votes every election, and we wouldn't know exactly when any given person was voting -- remember they're voting at home on the Internet, not at the board of elections with the entire staff watching. And note I say that we give all the people involved new cards so even the people at the board of elections don't know what your new number is.

By giving out cards at the board of elections, we can verify that each person is legally allowed to vote before giving them a card -- they have to show an ID or whatever. At the same time we record that this person was given a card. But there's no connection between their ID and the number on the card. You might think it would be easier to have them upload their ID to the website and then assign them a number. But then the computer would know what number went with what ID. You could swear up and down that the computer won't save this information, but it would create a huge potential hole in the secret ballot.

Need I say it? You can't just let people vote on-line without giving any sort of ID. That would make it super easy for someone to vote 100 times. Sooner or later a candidate would get someone to write a program that would log in to the voting web site and vote for him, over and over. I suppose that if there are 10,000 registered voters in town and we see that there are 6,000 votes for Smith and 10,000,000 votes for Jones, it would be obvious that Jones had cheated. And there probably would be candidates who would be that lame about their cheating. But there would also be some who were smarter, who forged just enough votes to win without being obviously ridiculous. Like if the candidate expects to lose 5,000 to 4,500, he generates 600 or so fake votes.

I suppose if the number of disputed votes is not enough to change the outcome, we could just say forget it and ignore all the disputed votes. The main reason to pursue it would be to catch the frauds.

Do you see any holes in my scheme? I'm sure a sufficiently clever hacker could find some.

© 2024 by Jay Johansen
