The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 10 Issue 64

Wednesday 21 November 1990

Contents

o Re: Voting from home electronically
Alan Jeffrey
Steve Bellovin
Brad Templeton
Henry Spencer
Peter da Silva
P.J. Karafiol
Barbara Simons
Joseph R. Beckenbach
Alan Marcum
K.M. Sandberg
Chris Maltby
R. Simkin
Flint Pellett
o Re: Election coverage software
Gregory G. Woodbury
o Info on RISKS (comp.risks)

Re: Voting from home electronically (revisited)

Alan Jeffrey <jeffrey@cs.chalmers.se>
Sat, 17 Nov 90 12:56:52 +0100
There is an additional risk associated with voting from home, not mentioned by
any of the posters.  By making it easier for people with phones to vote, you
are helping to disenfranchise those who can't afford phones.  I don't know
about the US, but in the UK telephone voting would (perhaps significantly)
boost the results of the ABC1 / over 35 / Conservative vote, with resultant
damage to the Labour party.

If we're going to claim to live in representative democracies, we're going to
have to make the technology for voting equally available to all.

Alan Jeffrey            031 721098            jeffrey@cs.chalmers.se
Computer Science Department, Chalmers University, Gothenburg, Sweden


Re: Voting electronically from home (revisited)

<smb@ulysses.att.com>
Fri, 16 Nov 90 13:40:30 EST
     From: li@diomedes.UUCP (Li Gong) ...
     I would like to add that the current system not only provides
     physical security of identification, but also physical
     security against harassment.  Nobody else is allowed to go
     into the booth when a voter, say Alice, is voting inside.

You overassume.  In *theory* no one else is allowed to go inside the voting
booth (subject to a few exceptions for illiterate or handicapped voters, btw);
practice is something else entirely.  I still recall my astonishment the first
time I witnessed the quaint local voting customs in Durham, North Carolina.  A
husband and a wife would enter the booth together, and cast a vote; the wife
would then exit, and the husband would vote (again?).

Then, of course, there's Chicago, a town that gives entirely new meaning to the
phrase ``voting machine''....  But I digress.
                                                   --Steve Bellovin


Becoming over-sensitive to risks (vote by phone)

Brad Templeton <brad@looking.on.ca>
Sun, 18 Nov 90 3:19:13 EST
While I appreciate people's concern over the sanctity of the vote,
consider what is used now.

I don't know about the U.S., but in Canada there's almost no security on
voting.  They come round to your house every election, and ask for the names of
every elector.  No ID is asked for.  You could name your children or pets and
they would get on the voters list.  (It's no doubt a crime of some sort to do
this, of course.)

Likewise all you have to do is go to the poll, and give the name of any person
who hasn't voted yet (normally yourself.)  As long as it isn't a small poll,
you could easily use any other name.  (The lists are posted on telephone polls
so people can check they're on.)  If you have good eyes and can read upside
down, you can even look at the RO's name sheet when you walk in.

Sounds ripe for fraud, but it just never happens.  When a seat is hotly
contested or close, the party scrutineers watch things closely, in addition
to the elections officials.  I have never heard of any accusations of abuse.

While using SSNs or other publicly available info isn't a good idea, I would
have no opposition to well designed phone voting -- particularly in an area
with ANI.  There are RISKS, but as long as we watch for them, they are no
greater than those of the current system.  The greatest RISK is not watching
for RISKS because we trust the computer too much.

On the other hand, there are other problems with phone voting -- the
largest being the elimination of the secret ballot.  The voting computer
will know who voted for whom.  We must trust the programmers and their
auditors to assure us the information is erased and never stored.
(On the other hand, doing this disallows one great method of verifying
phone voting, namely a mailed ACK.)

Brad Templeton, ClariNet Communications Corp. -- Waterloo, Ontario 519/884-7473


Re: Voting electronically from home (revisited)

<henry@zoo.toronto.edu>
Sat, 17 Nov 90 19:19:12 EST
>... in the most recent election, I found myself rushing
>to the polling place near my home... and arrived too late. If I could have
>voted at a location near my work, or by telephone, problem solved.

There are several simple non-technological fixes for this, notably the one
followed in a number of other countries:  hold elections on Sundays, when
most people have at least part of the day free.

                         Henry Spencer at U of Toronto Zoology    utzoo!henry

   [An eminently reasonable suggestion, although we have drifted away from the
   computer relevance -- except that you have found a very simple nontechnical
   solution to the problem.  PGN]


Voting by phone

silva <peter@ficc.ferranti.com>
Sat Nov 17 08:42:17 1990
> [use Caller-ID to] foil attempts by people to cast large numbers of votes
> from one phone, even if the authentication system were compromised.

This would tend to disenfranchise people in poor neighborhoods where there
may only be a single public phone to serve an entire apartment block.

Also, it would be desirable to have the call to the election service be free
in areas with measured service or from a pay phone. And of course the dangers
of COCOTs (private pay phones) would be increased.

Another contributer noted:

> For example, in the most recent election, I found myself rushing
> to the polling place near my home (since you can only vote at
> the registered polling place) and arrived too late. If I could have
> voted at a location near my work, or by telephone, problem solved.

A simpler and less dangerous solution would be to allow you to vote at
any polling place, and have some form of real-time communication between
the polling places to prevent fraud.

Another negative effect I could imagine would be that this would enable
proxy voting: "You're a good Republican, and you just want to vote the
straight party ticket.
"Call 1-800-VOTE-GOP" or "1-800-VOTE-DEM" and have your election ID number
at hand...

Peter da Silva.      +1 713 274 5180.       peter@ferranti.com


Voting by phone

P.J. Karafiol <karafiol@husc8.harvard.edu>
Sun, 18 Nov 90 23:34:53 -0400
With all this talk about vote *fraud* I'm surprised no one mentioned a
serious, actual *infringement* on one's constitutional rights.  If voting
is done by phone, what happens to people who don't have one, either because
of location (yes, there are places in the continental US without regular
phone service, although all the ones I know of are reachable through some
kind of radio-phone system) or finances or personal choice?  Although poor
or phone-phobic people could conceivably use a public phone (the number
would presumably be toll-free) it still seems unfair to people who are in
category 1.  Questions, comments, discussion?

Caveat:  I didn't read the original (non-electronic) article on voting by
phone.  This concern may be addressed in that article.
                            == pj karafiol


Voting from home (Re: RISKS-10.61)

Barbara Simons <simons@IBM.com>
Sun, 18 Nov 90 22:59:34 PST
In discussing voting electronically from home,
Li Gong says (in RISKS DIGEST 10.61):

I would like to add that the current system not only provides physical security
of identification, but also physical security against harassment.  Nobody else
is allowed to go into the booth when a voter, say Alice, is voting inside.  On
the one hand, this gives Alice privacy; on the other, she can vote according to
her own will.  Moreover, since this individual vote is among maybe a billion
other votes, no ordinary person could find out for whom Alice has voted.  This
potentially discourage "buying" votes with money or menace, because it is
difficult (if not impossible) to "physically" influence a voter at voting time
and/or to verify a voter's vote afterwards.


He then goes on to mention that he and his former advisor had been
working on a zero-knowledge method for voting.
This is an interesting idea, but it assumes an outsider who wishes to
know about or influence Alice's vote.  Suppose, however, that her
husband has decided how he wants Alice to vote.  In most states,
he would not be allowed into the voting booth while she voted.
But he could easily watch her as she votes electronically at home.

The risk in this situation is that an obvious form of intimidation
has not been taken into account.

I said that in most states he would not be allowed into the voting
booth while she voted.  I recall hearing about some Southern
state in which a husband and wife are (were?) allowed into the voting
booth together.  Apparently, the theory was that the husband
would vote for them both.  Unfortunately, I don't recall the
state nor whether this unhappy situation still exists.

Barbara


Re: Voting electronically from home (revisited)

Joseph R. Beckenbach <jerbil@tybalt.caltech.edu>
Mon, 19 Nov 90 20:37:29 GMT
    Why am I still under the impression that this "vote-by-phone"
is a technical solution to a nontechnical problem?  True, a "vote-by-phone"
system would be useful for hospital patients and shut-ins of many sorts,
but absentee ballots were made for this, were they not?

    Why not simply declare Election Day a national holiday?  We celebrate
the Fourth of July in the USA because it reminds us of past efforts to keep
freedom.  Why not one to remind us of our duty to safeguard current freedoms?
    When I form a company, I intend on making Election Day a half-day or
full-day holiday with pay, with proof of vote.  Or some other scheme which
penalizes for not voting if the person is eligible.  [I'd rather not
reward for performance of a duty, but if such is necessary, I will.]

        Joseph Beckenbach


Re: Voting electronically from home

&lan_Marcum@NeXT.COM>
Tue, 20 Nov 90 17:05:49 PST
Imagine how much havoc a vote-by-phone system would wreak on dear
Ma Bell out here in California, the Land of the Ballot Proposition.
Millions of hour-long telephone calls as citizens try to register
their votes on the dozens (yes, literally) of propositions.

"We're sorry, your call did not go through.  All voting circuits
are busy now.  Please try again tomorrow..."

Alan M. Marcum                          NeXT Technical Support
Alan_Marcum@NeXT.COM                    +1-415-363-5153


Voting (Re: RISKS-10.61)

K. M. Sandberg <sandberg@ipla01.hac.com>
19 Nov 90 00:27:25 GMT
In regards to voting, it was mentioned that current voting is based on physical
security, but at least where I vote all I do is bring in the little booklet and
sign the book and I get to vote, no check of who I really am. If I had multiple
booklets I could vote several times, but since I must go to one place to vote
and sign in I could not vote multiple times based on my own name.

In another response it was said that having the phone system would help voting
since the person said that they missed getting to the poles, but absentee
ballots solve this if it is a normal problem.  The risk of influencing the
votes because of the current privacy, unless the absentee ballot is used, is
important. Other solutions would be to send the ballot, like the absentee
ballots, and allow people to drop them off, but this still has the risk of lack
of privacy. Personally it would be nice if you could vote at a common place,
possibly before election day, with the same privacy and security, maybe at your
local post office or at a pre-selected place to prevent multiple voting. Too
bad we can't trust people.

In this last risk posting, it mentioned that people could enter in their votes
for practice only so that they would get used to it, but a question that comes
up was this information used BEFORE the end of election day? If it was it could
have affected voting, as does the exit polls, east coast results before the
west coast polls close, etc.
                            Kemasa.


Re: Election coverage software

Chris Maltby <chris@softway.sw.oz.au>
Wed, 21 Nov 90 14:00:24 EST
>The News Election Service, the central clearing house for election
>information, has their systems set up to deliver vote percentages that
>show the major party candidates' votes adding up to 100%, even when
>the major party candidates don't capture 100% (as they usually don't).

I was certainly intrigued by this and other things as I watched the election
coverage in Boston. Having worked on the software for the Australian Electoral
Commission for the last federal election (March 1990) there I was surprised by
the (parochialism speaks) poor standard of the reporting.

First, the results of counting seemed to be very slow to arrive, leaving the
commentators to talk about nothing for long periods. Some districts still had
only 1% of precinct reporting at 11pm. In the Australian election, at least 80%
of the vote had been counted by 11pm.

Second, there seemed to be no analysis of swings and only minimal discussion of
trends in early vs. late figures. The commentators were predicting a win for
Weld although he trailed for most of the night. The information they based the
prediction on was not produced.

Given that the first-past-the-post system is significantly easier to count than
the preferential system in use in Australia, there seems to be little possible
excuse for the delay/inaccuracy of the result reporting.

To put things in perspective however, and to reveal the "risk" for this
posting, the Australian experience was not without problems. For the first time
the Electoral Commission attempted to make predictions based on preliminary
results from individual polling booths. That is, when figures for a booth came
in they were compared with previous figures from the same booth to yeild a
"swing" percentage. This swing would then be propagated over the booths for
which no result was yet known. This was expected to be able to give very
accurate predictions. The magic quantity is dubbed the "two-party-preferred"
vote.

The unknown factor turned out to be the unusually high vote for minor parties
and independents, with an even more unusual preference distribution pattern.
The preference system allows voters to protest their favourite major party's
policy/candidate but direct their second preference to that party ahead of the
other major party. This option was exercised in much higher numbers than ever
before, and especially among Labor voters. The commission's system made some
rather simple assumptions about minor party preferences.

As a result, for most of the night, the prediction was a landslide for the
Liberals based on an apparent swing above 10%. The actual result was a solid
win for Labor of 8 seats (as predicted by count scrutineers).  In two
electorates independents were able to beat one major party into second place
and win the seat on preference votes.

A better system for preference sampling is being implemented for the
next election...

Chris Maltby - Softway Pty Ltd  (chris@softway.sw.oz.au)
PHONE:  +61-2-698-2322      UUCP: uunet!softway.sw.oz.au!chris


Voter registration isn't always pre-registration

<rsimkin@dlogics.UUCP>
Mon Nov 19 09:31:07 1990
In Risks 10.61 "Re: Voting electronically from home (revisited)",
Stephan Meyers says:

> How does this sound: before each election, each voter is mailed a
> confirmation of registration (since, I believe, to vote one must be
> registered, and to register, one must have a permanent address)

This assumes that registration must be completed well in advance of election
day, which isn't always the case.  In the name of making the voting process
more accessible, Wisconsin law used to (and may still) allow voters to register
at the polling place on election day.  As a result many people would arrive at
the poll with proof of residence, register, and then vote.
                                                            --Rick Simkin


Re: Voting electronically from home (revisited)

Flint Pellett <flint@gistdev.gist.com>
19 Nov 90 22:49:15 GMT
li@diomedes.UUCP (Li Gong) writes:

>I would like to add that the current system not only provides physical security
>of identification, but also physical security against harassment.

This is what I think the biggest risk of vote-by-phone is: Al Capone decides he
wants to be mayor, and has his flunkies each call 100 kindly little old ladies
in the month before the election, telling them "Come to my house to cast your
vote or I'll ..." and then, the flunkies watch the little old ladies punch
their votes into the telephone, and make sure they vote the "right" way.

Anyone care to enlighten us on what types of security measure are planned to
deal with this type of problem?  Merely being able to recognize that you are
recording a vote from the proper person is not sufficient.  Any scheme with
authentication numbers suffers from the fact that it will never be any more
secure than the way in which those numbers are communicated to the voter, and
the way in which the voter remembers them.  (If you have to mail the numbers to
the voter, then that mail can fall into the wrong hands.  If the voter has to
write it down in order to remember it, which is quite likely for most people
given that they use it once every 6 months or less, it is also at risk.)

Flint Pellett, Global Information Systems Technology, Inc. 1800 Woodfield
Drive, Savoy, IL 61874                 (217) 352-1165 uunet!gistdev!flint


Re: Election coverage software

Gregory G. Woodbury <ggw%wolves@cs.duke.edu>
Mon, 19 Nov 90 17:52:18 GMT
Here in Durham NC, we had a rather interesing election :-)
It seems that nearly half of the voting machines in the county went
haywire and would not work correctly on election day!  This happened
early and we had a court ruling that the polls stay open to 10pm and
that paper ballots be made available in all precincts to those who
wanted them.

In my precinct (I am an assistant election official) only two of our 6
mahcines had problems and we (hopefully) caught them as soon as they
occurred.  Even so, our audit numbers were off by 4 at the end of the
night.  The particulars of the election seem to be that in the county
commissioners races, for the first time in xxx years (maybe the first
time ever) we had an INDEPENDENT candidate, not in conjunction with an
independent running for president.  The machines are set up so that one
can "split ticket" by pulling the straight party lever and then deselect
one candidate and select another.  The problem for all the machines that
I have been able to get exact information on seems to be that people
tried to split ticket and forgot to deselect a candidate before
selecting someone in the other parties lines.  This jammed the levers in
the county commissioners section and rendered the machine unuseable.

Considering that most voters do NOT understand the ways that machines
work, it happened in some precincts that the jammed machines where used
until someone complained or noticed the jam.  This is the RISK.  People
assumed that the technology would behave correctly.  When something did
go wrong, they ignored the errors cause they didn't know any better.  In
this city, however, we have a high ratio of advanced degrees (MS,PhD,etc)
in the population in certain precincts, and even there, the problems
occurred.

On a side note:  when the judge ordered the use of paper ballots AND
staying open til 10pm, he made it IMPOSSIBLE for Durham results to be
known before 2am!  The precincts are set up to deal with a small number
of paper ballots (for disabled voters unable to enter the polling
location but coming near by in a car - "curbside voters"), but extending
these paper ballots to anyone who wanted to use them placed an
unexpected load on the pricint officials when the polls closed!  I had
volunteered monday evening to count paper ballots (before the judge's
order) and instead of 25 or so ballots, we had nearly a hundred!  That
was so much FUN! *HA!*

By the time we finised counting and had the helms/gantt figures for NES it was
3am and they had the time to ask why we were the first precinct from Durham NC
to call in "official" results.  -- Gregory G. Woodbury

Durham NC UUCP: ...dukcds!wolves!ggw ...mcnc!wolves!ggw ggw%wolves@mcnc.mcnc.org

Please report problems with the web pages to the maintainer

Top