His intemperate tone aside, Dan Geer is right about one thing: most
academic (and especially cryptographic) papers on voting miss some very
important threat models. On the other hand, the threats in the current
system are not always obvious, especially since they depend in many
cases on practice, as opposed to law. Let me give a few examples.

In North Carolina, in the early 1970's at least, it was quite common
for (probably married) couples to enter the voting booth together.
They'd cast one vote; the woman would then leave, and the man would cast
his vote. I saw this happen many times, despite laws against it. (For
the record, this seemed to be most common among older white couples.
Some of the couples, at least, appeared to be old enough that this pattern
might have started when women were first granted the right to vote in
the U.S. (1920).)

On the other hand, North Carolina absentee ballots at the time had to
be notarized, which deals with some of the threats. But I don't know
how this was carried out in practice.

Paper ballots? While they don't present as much of a threat to
privacy, the phrase "ballot-box stuffing" clearly doesn't refer to voting
machines. The counting process is also subject to many more abuses,
including injection of phony ballots, and the removal -- by legal means
or otherwise -- of "wrong" votes. (For legal means of removing
ballots, read the fine print in your local election laws, paying
attention to details such as how a vote has to be indicated, what
extraneous marks are allowed on a ballot, etc. Then ask yourself who
will be better at challenging ballots during the tabulation process:
operatives from the local political machine, student volunteers for an
upstart but nevertheless major candidate, or the workers for some
minor-party candidate who doesn't have enough people to cover all of
the polling places in the county, let alone the state.)

For that matter, in the time and place where I was involved in such
things, the local politicos wanted nothing to do with voting machines,
for completely honest reasons. They *loved* to look at the patterns of
votes on the paper ballots, since that gave them information on voter
preference groupings. That isn't a threat to individual privacy, but
it's in the same category as a lot of targeted marketing efforts.

But the easiest way to manipulate an election's results doesn't involve
vote fraud at all. Rather, you use and abuse the registration laws, to
ensure that your supporters are registered and will vote, while your
opponents' supporters will be discouraged. This is easiest, of course,
when your opponents' supporters are members of some marginalized group,
such as students in a college town (I was on the receiving end of this
one a few times), blacks, recent immigrants, etc. Mind you, I'm
speaking of people who are legally entitled to vote, but might be
easily intimidated, harassed by a challenge that would, ultimately, be
dismissed but is a nuisance to fight, etc.

If you asked me what the biggest risk was that is peculiar to Internet voting,
I'd point to the security (physical, procedural, and software-related)
of the central site. Worms and other malware are probably less of a
threat than physical coercion at home; however, they scale better.
(The idea of letting folks vote multiple times, with the last vote
being the one that counts, is probably a bad idea, partly because it
requires that accountable votes be kept around the system for longer,
but also because it would leave traces that a subsequent infection with
malware could exploit. Currently, my computer knows nothing of what
voting precinct I reside in, which means that vote fraud software would
have a hard time. Nor are electronic spread patterns conducive to
election worms, since my correspondents probably don't live in my
precinct or even my country. If I can vote more than once, the
software knows to stick around and wait for me to revote.)

And yes, buggy or malicious central site software isn't unique to
Internet voting. But the latter is even more complex, and hence would
(note: not "could", "would") have more holes.

Bottom line: understand all of the relevant threats, and pick your
poison. No voting scheme is immune.
--Steve Bellovin