A requirements spec for voting
In software development, we start with a “requirements specification” defining what the software is supposed to do. Voting machine security is often in the news, with suspicion the Russians are trying to subvert our elections. Would blockchain or mobile phone voting work? I don’t know. These things have tradeoffs that may or may not work, depending upon what the requirements are. I haven’t seen the requirements written down anywhere. So I thought I’d write some.
One requirement is that the results of an election must seem legitimate. That’s why responsible candidates have a “concession speech” when they lose. When John McCain lost the election to Barack Obama, he started his speech with:
“My friends, we have come to the end of a long journey. The American people have spoken, and they have spoken clearly. A little while ago, I had the honor of calling Sen. Barack Obama — to congratulate him on being elected the next president of the country that we both love.”
This was important. Many of his supporters were pointing out irregularities in various states, wanting to continue the fight. But there are always irregularities, or things that look like irregularities. In every election, if a candidate really wanted to, they could drag out an election indefinitely investigating these irregularities. Responsible candidates therefore concede with such speeches, telling their supporters to stop fighting.
It’s one of the problematic things in our current election system. Even before his likely loss to Hillary, Trump was already stirring up his voters to continue to the fight after the election. He actually won that election, so the fight never occurred, but it was likely to occur. It’s hard to imagine Trump ever conceding a fairly won election. I hate to single out Trump here (though he deserves criticism on this issue) because it seems these days both sides are convinced now that the other side is cheating.
The goal of adversaries like Putin’s Russia isn’t necessarily to get favored candidates elected, but to delegitimize the candidates who do get elected. As long as the opponents of the winner believe they have been cheated, then Russia wins.
Is the actual requirement of election security that the elections are actually secure? Or is the requirement instead that they appear secure? After all, when two candidates have nearly 50% of the real vote, then it doesn’t really matter which one has mathematical legitimacy. It matters more which has political legitimacy.
Another requirement is that the rules be fixed ahead of time. This was the big problem in the Florida recounts in the 2000 Bush election. Votes had ambiguities, like hanging chad. The legislature come up with rules how to resolve the ambiguities, how to count the votes, after the votes had been cast. Naturally, the party in power who comes up with the rules will choose those that favor the party.
The state of Georgia recently pass a law on election systems. Computer scientists in election security criticized the law because it didn’t have their favorite approach, voter verifiable paper ballots. Instead, the ballot printed a bar code.
But the bigger problem with the law is that it left open what happens if tampering is discovered. If an audit of the paper ballots finds discrepancies, what happens then? The answer is the legislature comes up with more rules. You don’t need to secretly tamper with votes, you can instead do so publicly, so that everyone knows the vote was tampered with. This then throws the problem to the state legislature to decide the victor.
Even the most perfectly secured voting system proposed by academics doesn’t solve the problem. It’ll detect voter tampering, but doesn’t resolve when tampering is detected. What do you do with tampered votes? If you throw them out, it means one candidate wins. If you somehow fix them, it means the other candidate wins. Or, you try to rerun the election, in which case a third candidate wins.
Usability is a requirement. A large part of the population cannot read simple directions. By this I don’t mean “the dumb people”, I mean everyone who has struggled to assemble Ikea furniture or a child’s toy.
That’s one of the purposes of voting machines: to help people who would otherwise be confused by paper ballots. It’s why the massive move to electronic machines after the Bush 2000 Florida election, because they were more usable (less confusing).
This has long been a struggle in cybersecurity, as “secure” wars against “usable”. A secure solution that confuses 10% of the population is not a solution. A solution that the entire population find is easy, but which has security flaws, is still preferable.
Election security isn’t purely about the ballot on election day. It includes the process months or years before hand, such as registering the voters or devising what goes into the ballot. It includes the process afterwards when counting/tabulating the votes.
A perfectly secure ballot therefore doesn’t mean a secure election.
Much of the suspected Russian hacking actually involved the voter registration rolls. Tampering with those lists, adding supporters (or fake people) to your own side, or removing supporters of the opponents side, can swing the election.
This leads to one of the biggest problems: voter turnout and disenfranchisement, preventing people from voting. Perfect election security doesn’t solve this.
It’s hard to measure exactly how big the problem is. Both sides are convinced the other side is disenfranchising their own voters. In many cases, it’s a conspiracy theory.
But we do know that voter turnout in the United States is abysmally low versus other countries. In U.S. presidential elections, roughly 50% of eligible voters vote. In other democracies, the percentage is closer to 90%.
This distorts the elections toward extremes. As a candidate, you can choose either the “moderate” position, trying to win some votes from the other side, or you can choose the “extreme” positions, hoping to excite voters to get out and actually vote. Getting 10% more of your voters in the voting booths is better than luring 5% from the other side.
One solution proposed by many is to make election day a national holiday, so that voters don’t have to choose between voting and work. Obviously, this would mean voting on Wednesdays — they may be willing to skip work to vote, but not a three day vacation if voting day were Mondays.
Voting apps on mobile phones have horrible security problems that make us cybersecurity types run screaming away from the solution. On the other hand, mobile phones have the best chance of solving this participation issue, increasing turnout from 50% to 90%. Is cybersecurity risks acceptable if it has such dramatic improvements in participation rates? Conversely, can we describe any system as broken that fails to achieve such rates? Is 90% participation one of our “requirements” that we are failing to meet?
By the way, by “90%” I mean “of people 18 or over”, not “eligible voters”. Obviously, you can improve participation among eligible voters by playing with who is eligible. Many states forbid convicted felons from voting, which sounds like a good idea on its surface, but which is problematic in a democracy that jails 10 times more of its population than other democracies. Whatever legitimate reasons for removing eligibility has to therefore fit within that 90% number.
The best way we have to make voting secure is to make it completely transparent, so that everybody knows how you voted. This is obviously not a viable strategy, because of course that then allows people to coerce/bribe you into voting a certain way. So we want anonymity.
But is perfect anonymity necessary? Many voters don’t care if their vote is public, and indeed, want to proclaim very publicly who they voted for.
Imagine that to secure the mobile voting app, it randomly chooses 1% of votes and makes them public. It would be a risk voters would accept when using the app versus some other voting mechanism.
I mean this as a thought experiment. I choose 1% random selection because it prevent obvious coercion and bribery. But this naive implementation still has flaws. More work needs to be done to stop coercion, and you have to secure the system from hackers who only reveal the votes they haven’t tampered with. But I work with a lot of cryptographic protocols that are able to preserve things in strange ways, so while a naive protocol may be flawed, I’m not sure all are.
In other words, the requirement of the system is not that votes are anonymous, but that votes cannot be coerced or bribed. This is a common problem in software development: the requirements aren’t the actual requirements, but written in a way prejudicial toward a preferred solution. This excludes viable solutions.
This blogpost is about questions not answers. As a software developer, I know that we start with listing the requirements the system is designed to solve. I want to know what those requirements are for “voting in a democracy”. I’m unsuccessful googling for such a list; what I do find fails to include the above ideas, for example. I know that blockchain is a stupid answer to most any question, but on the other hand, I don’t know exactly what this question is, so how can I explicitly call blockchain a stupid solution? Mobile devices have laughable security for voting, but at the same time, our voting has major problems they would solve, so I can’t rule them out either.
*** This is a Security Bloggers Network syndicated blog from Errata Security authored by Robert Graham. Read the original post at: https://blog.erratasec.com/2020/03/a-requirements-spec-for-voting.html