I've talked to computer security experts on Internet voting and while you can do some things, IN THEORY, at a particular POINT in the program, the whole of the thing just doesn't hold up.
It is VERY susceptible to insider fraud. Can we completely eliminate fraud? No, that's unrealistic. What we can do is mitigate it. Of the three scenarios (paper, paperless DRE's, and Internet), the one that is the least likely to perpetrate fraud on a massive scale is paper. It's just too hard to do the kind of damage that can be done with DRE's and Internet.
((There is no reason why you cannot observe Internet voting, keep it anonymous, keep it auditable, and honest.))
Almost anything can be traced on the Internet, if someone wants to. You cannot use a system to audit itself. If you can observe internet voting, you are violating one of the principles of voting in a democracy- the right to cast a secret ballot. What is not supposed to be secret, is vote counting. Counting is not transparent to anyone in DRE or Internet voting. Every citizen should be capable of witnessing vote counting. With DRE and Internet, only a very few who understand the system can possibly "witness" the count in any meaningful way. When you have a set of "very few," you have great potential for corruption. Even if the original, let's say, ten people, are upstanding and honest, they get fired or reassigned and another ten take their place, hand chosen for that position. The selectivity that can be employed doesn't work for democracy.
((Combine aspects of current absentee votes, a paper token system, and an escrow system and it'll be more secure than a swappable ballot box.))
So, if you're still going to use paper, but subject massive amounts of paper ballots to the vagaries of people who may or may not send in their ballots, what have you accomplished? Why have you created an enormously expensive system to justify Internet voting? Now you have a situation where just the audit of the number of votes cast vs the number of voters who registered, is never going to match up. And yes, you have to conduct that basic audit, because supposedly you can then catch ballot box stuffing, either on paper or vapor. Yes, you can maybe swap ONE ballot box. The amount of votes that can be swapped via a closed, unobservable system, the Internet, is far beyond what a ballot box can hold.
((Real brief example:
Mail to each registered voter a "ballot" (aka paper token). On this ballot is a 32 digit code. This code is unique, but not tied to any person. It's a token.
The voter logs onto his voting place web site. Enter your token digit code. Enter your candidate vote. Your selection is sent to the polling place, and to an escrow system (i.e. server) run by a different entity.))
As with the WiFi scenario with DRE's, you really don't know where your vote went on its journey to be counted. It can be rerouted and reconfigured numerous ways. But even if nothing nefarious happens, what about a power outage or sun flare that takes out a satellite? Could happen. What can be lost via the Internet vs what can be lost with paper ballots just simply isn't in the same ball park. And what IF someone wanted to tamper with US elections from outside? You just gave them one heck of a venue.
((Optionally, the voter records his vote on the paper token and drops it into the mail. This is sent to 3rd party.
At the end of the election cycle count up the votes. The polling place counts them. The Escrow agent counts them...they must match.))
Again, if the number of votes cast via Internet don't match the number of votes at the polling place and in Escrow, which do you believe? There is no real way in your system to determine which theoretical box you have created is the actual vote. Well, in theory, it will be the paper token, but then, that would behave just like a mail in vote scenario, so why jump through the hoops and headaches of Internet? The legal ballot in this case is going to be the most verifiable one, and that is the paper ballot. It is the LEAST likely to be tampered with. And you can code paper these days, and some voter-verified paper ballot producing DRE's do, to verify that paper as a valid vote.
((Once all the paper tokens are received, they are compared to the actual results. You compare the token code on the ballot, with the vote recorded for that ballot at both the escrow place and the polling place. Obviously you will not receive all the paper tokens back, but the subset will give you an audit and should match within an acceptable percentage the actual results.))
You will never get all the paper tokens back. And an acceptable percentage is enough to win elections. And what if, say, all the votes cast totals match, but all three systems produce different results? First Internet guys say their system checks out, escrow guys say their system checks out, and all of the ballots check out as valid, coded ballots. Well, it's going to be the paper, isn't it, because that was the witnessed vote.
((I just described a skeleton of a secure, anonymous, auditable system.))
The only aspect of this system that can be audited is the paper tokens. Democracy does not rest on systems that every person cannot understand and cannot witness. That's the current problem with paperless DRE's and more so with the Internet. Votes can be intercepted at any time on the Internet, tampered with, and sent on their way. Votes can be altered BEFORE encryption, so that the so-called mathematical proof looks just fine because it thinks it's dealing with the real vote. Votes can be altered AFTER encryption, because you go back to the system and what it sees looks OK, but can't safely audit what happens to the vote after it leaves.
And any and all closed systems, which is what DRE and Internet voting are, are susceptible to insider fraud. That fraud can be perpetrated on a scale that is off the chart compared to paper ballots. Paper ballots present a physical impediment to tampering. Bits and bytes, because they make up simulations and representations, can be altered quite easily.
They are trying to sell us on ease and speed. Watch the PR. When they market "accuracy," it's about the voter's ability to accurately vote, not so much an accurate count. And by the way, one of the problems in the last California election, I believe, was a confusing "butterfly-type" ballot on the screen. No, eliminating punch cards does not eliminate the potential for confusing ballots.
We can certainly use technology. But using a tool wisely is very important. The Internet is not a tool for mission critical voting.
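
An added example, not part of the original post or of the quoted proposal: a small Python model of the three-way reconciliation discussed above (polling place, escrow, returned paper tokens), run over constructed records. The token labels, choices and function names are hypothetical; it shows which discrepancies the polling-place/escrow comparison flags and which only a returned paper token can reveal.

```python
from collections import Counter

def reconcile(polling, escrow, paper):
    """Cross-check electronic copies (token -> choice) against returned paper."""
    report = {"electronic_mismatch": [], "missing_copy": [],
              "paper_contradicts": [], "paper_unreturned": 0}
    for token in sorted(set(polling) | set(escrow)):
        p, e = polling.get(token), escrow.get(token)
        if p is None or e is None:
            report["missing_copy"].append(token)         # one store lacks the vote
        elif p != e:
            report["electronic_mismatch"].append(token)  # stores disagree
        elif token in paper and paper[token] != p:
            report["paper_contradicts"].append(token)    # stores agree, paper differs
        if token not in paper:
            report["paper_unreturned"] += 1
    return report

def tally(records):
    """Count votes per choice in one record set."""
    return dict(Counter(records.values()))

def silent_changes(intent, polling, report):
    """Recorded votes that differ from intent yet raised no flag.
    Only computable in a simulation: a real audit never sees `intent`."""
    flagged = (set(report["electronic_mismatch"]) | set(report["missing_copy"])
               | set(report["paper_contradicts"]))
    return sorted(t for t, c in intent.items()
                  if polling.get(t) != c and t not in flagged)

# Constructed sample data; short labels stand in for the 32 digit token codes.
INTENT = {"T1": "A", "T2": "A", "T3": "B", "T4": "B", "T5": "A", "T6": "B"}
# T2 and T5 were changed before sending, so both electronic stores hold "B".
# T4 was changed only on the way to the polling place.
POLLING = {"T1": "A", "T2": "B", "T3": "B", "T4": "A", "T5": "B", "T6": "B"}
ESCROW = {"T1": "A", "T2": "B", "T3": "B", "T4": "B", "T5": "B", "T6": "B"}
PAPER = {"T1": "A", "T2": "A", "T3": "B"}  # only half the tokens were mailed back

if __name__ == "__main__":
    rep = reconcile(POLLING, ESCROW, PAPER)
    print("polling tally:", tally(POLLING), "escrow tally:", tally(ESCROW))
    print("audit report:", rep)
    print("changed but never flagged:", silent_changes(INTENT, POLLING, rep))
```

In this run the polling-place/escrow comparison flags only T4 and cannot say which copy is right. T2 surfaces only because its paper token came back, and T5 never surfaces at all.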