The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 10 Issue 67

Friday 7 December 1990


o Airline safety
Donald A Norman
o Voter identity and Dial-A-Vote
Lauren Weinstein
Glen Overby
Paul Peters
Andrew Klossner
Dan Sandin
Frank Kuiper
Adams Douglas
o "Little pitchers have big ears": yet another ATM RISK
o Billing software wastes money
Phil R.M.
o Info on RISKS (comp.risks)

Airline safety

Donald A Norman-UCSD Cog Sci Dept <danorman@UCSD.EDU>
Fri, 7 Dec 90 08:00:20 PST
I apologize in advance: this is a sermon.

The note in RISKS on the Economist's suggestions for aviation safety prompts
this note.  The problem is that the suggestions were all aimed at the pilots.
The myth of crashes caused by single individuals, usually the pilot, persists.

Accidents in aviation is a system problem.  Accidents occur because the system
is faulty.  Note that an accident almost never involves a single error: there
must be a chain of events, each of them usually unlikely by themselves, before
an accident happens.

The Economist's suggestions seem to me to be without merit, save for their last
-- that we should get more information from the cockpit.  I was pleased and
surprised to see the NTSB (the U.S. National Transportation Safety Board) just
recommend increasing the voice cockpit recorder tape to longer than 30 minutes
(now it is a repeating loop of tape of duration 30 minutes), increasing the
number of parameters measured by the black box that records airplane and engine
state, and hurrah!  adding video cameras and recorders so you could see if
critical controls were actually used.

Accidents will continue as long as people treat this as something that can be
cured by concentration on the pilots.  In my opinion, the flight-deck
instrumentation -- especially the automation, such as the "flight management
computer" and "mode control panels" are classic examples of poor design from
the human side of things, the maps and approach charts are unbelievably
cluttered and complex (a recent accident in which a landing aircraft clipped
the power lines, thus turning off the airport's landing lights (among other
things) was partially attributed to incorrect reading of the charts), and the
interactions with air traffic control (ATC) and the equipment and limitations
that ATC face add to the problem.

The new addition of "datalink" to the cockpit will only create new problems.
Datalink is digital transmission of ATC information to be received somewhere in
the cockpit on a CRT display.  This replaces some of the voice communication on
the now overcrowded channels.  In principle it has merits, but it is yet
another complex piece of equipment, yet another change in procedures, yet
another bandaid and ill-considered addition to cockpit clutter.  I used the
word "somewhere" because nobody yet knows quite where to fit the thing into the
already crowded cockpit, and all the current suggestions seem to lead to
foreseeable future problems.  The lack of positive confirmation form pilots
will also lead to other (foreseeable) problems.  Basically, one cannot fix a
system problem by adding local patches.  In fact, that tends to make things

These difficulties have been known for a long time.  The only surprise about
the recent runway collision in Detroit (where a plane taxiing on the runway
collided with a plane taking off on the same runway) is that it hasn't happened
frequently before.  The NTSB had warned about these problems.  Pilots know they
get lost on runways and taxiways, and the Tenerife crash that destroyed two
fully-loaded 747's some years ago was almost identical.  It is a system

As long as we try to solve the problem by arguing that pilots need better
decision rules or better warning systems, then we are going to continue to have
the problem.

Human error is almost always a result of system or design error, and unless you
attack that, you don't attack the causes.

The Economist urged the introduction of a new decision speed.  Sigh.  Loss of
an engine on takeoff is what every pilot practices and what almost never
happens, and the current decision speed of V1 should probably be degraded, but
it is NOT the main culprit.  The Economist said that the current ground
proximity warning systems (GPWS) are faulty.  The last thing a pilot needs is
yet another warning system in the cockpit.  And I don't recall any recent
incidents where a faulty GPWS was a contributors.

By the way, substitute "computer" or "ship or "oil refinery" or "chemical
plant" for "airplane" and substitute "operator" for "pilot" and you get the
same message.  Society tends to try to find single individuals to blame for
accidents.  Students of human error blame the system.  And unless we fix the
system, we will continue to have these accidents as a mater of course.  "Normal
accidents" is what Charles Perrow called them in his brilliant book by that

Credentials: I study aviation safety under a grant from NASA.  No, I am not
a pilot.

Don Norman, Department of Cognitive Science 0515, University of California,
San Diego    La Jolla, California 92093 USA        BITNET: dnorman@ucsd

Voter identity and Dial-A-Vote

Lauren Weinstein <>
Wed, 21 Nov 90 22:55:20 PST
One risk that I don't think I saw mentioned in the discussion of "Dial-A-Vote"
systems relates to the identity of voters.  Such a system, by definition, would
need to know the identity of each caller to check registration and avoid
duplications.  Caller-ID would require people's presence at particular phones
and is a can of worms for many other reasons.  Personal ID codes could also be
used, but, uh, I *wonder* what number would be most likely used for this
purpose?  Can you say "SS"?  I knew you could!

In any case, you'd have to identify yourself to the system, and then it would
be trivial for a file to be kept on how you voted.  Of course, we'd be told
that this wouldn't be done, that there would be adequate safeguards, and that
it was *impossible* to subvert the system.

This is a significant new risk.  With current voting techniques, picking out an
individual's vote is essentially impossible without a great deal of illicit
goings on at the polling place.  Paper ballots and punch card ballots have no
identifications, and are thrown into common bins.  Voting machines increment
internal counters that keep running totals only, not individual votes.  But
with Dial-A-Vote, all this low-tech privacy goes out the proverbial window.


Voting electronically from home

Glen Overby <>
Sun, 25 Nov 90 02:01:47 -0600
I have a few items to contribute to the vote-by-phone discussion.  First, how
do you identify legitimate voters?  While most states require voters to
register before an election, North Dakota does not, and I don't believe we're
alone in that aspect.  In fact, I have never been asked to show any type of
identification; I am merely asked my name and address (the first time I voted I
was asked to sign a form stating that I was using my real name, of voting age,
had not voted in another precinct, etc.).  Telephone voting could be possible
if you have voted in a previous election, and are thus in your precinct's
records.  This does not permit a complete transition over to automated voting,
but could allow it's addition as a convenience.

You will, nonetheless, have to identify yourself on the telephone with some
sort of number.  There will have to be laws passed insuring your privacy as
well as illegitimate use of someone else's voter-id number; imagine how some
phreak with an autodialer could wreak havoc with an election by voting "for"

The other thing missing from the vote-by-phone system is the provision for
write-in candidates.  I'm not certain if all states require a provision for
write-in candidates, but many years ago the mechanical voting machines here
were replaced with fill-in-the-dot forms that are optically scanned by a couple
of IBM scanners down at the courthouse.  I recall the issue of the switchover
was not one of mechanical reliability (those machines were OLD), but that there
was no way for you to write-in a candidate.

        Glen Overby <>
    uunet!plains!overby (UUCP)  overby@plains (Bitnet)

Voting from home electronically

Paul Peters <Peters@DOCKMASTER.NCSC.MIL>
Mon, 26 Nov 90 08:43 EST
The emphasis of RISKS 10.64 on telephonic voting taking rights away from the
population without telephones is misplaced.  Of all the problems with
telephonic voting, this is the least.  One could say that the current locations
of polling places takes rights away from those without automobiles, but we have
found ways to provide alternate transportation for those folks.  With some
creativity, we could find ways to provide voting capability to those without
telephones also.  Paul Peters

remote voting: the Oregon experience

Andrew Klossner <>
Thu, 29 Nov 90 10:59:07 PST
Experience in Oregon with remote voting may shed some light on
proposals for vote-by-telephone.  Oregon has used vote-by-mail for
special elections for a few years.

A few weeks before the election, each registered voter receives, by
mail, a perforated punch card and explanatory material.  To vote, we
punch the card appropriately (using a pencil to poke out perforated
holes), seal the card in a special envelope, sign the envelope, and
mail it.  We have to pay for the stamp.  Only one ballot per envelope.

During such elections, the usual polling places are not established.  Anybody
who objects to vote-by-mail must go to the county seat on election day to vote
in person.  Not only is this a potential hardship, but so few people do this
that they lose the anonymity of large numbers.

This system is subject to many of the potential pitfalls mentioned by other
contributors.  Perhaps the greatest of these is that the dominant member of the
household can punch all the cards, coerce signatures from other members, and
thus influence several votes.  Another is that we, the electorate, have no
guarantee of ballot secrecy other than the solemn promise of the bureacracy.

Reported public opinion is unanimously in favor of vote-by-mail because it
reduces the cost of an election (no polling place expenses) and because we get
much greater voter participation.

  -=- Andrew Klossner   (uunet!tektronix!frip.WV.TEK!andrew)    [UUCP]
                        (   [ARPA]

Re: Voting (Re: RISKS-10.61)

Dan Sandin <>
Thu, 29 Nov 90 22:45:46 GMT
OK, my response to what has gone down so far:

making election day a national holiday, or whatever, still would not make it
better for every person to get to the polls. I mean, think about all the people
who still have to work on national holidays, or even have to work MORE (liquor
store employees spring immediately to mind) or cases when unforeseen
circumstances prevent one from voting. A sick sister in another state, a boiler
explodes, whatever.

The point is simply to make legitimate voting EASIER.

As we know from working with computers, plenty of people would prefer to vote
the old-fashioned way, physically showing up at the polls, who don't trust,
don't understand, or just don't like the phone-in system, that's just fine.

Someone suggested it would make blackmail voting, etc, easier.  Remember,
though, that usually "stealing" one vote, or even a thousand votes will make
very little difference (depending on the size of the election) Ordering
hundreds of little old ladies to vote by gunpoint would be very difficult to
hide, and would only make a difference in a very small election. It is much
safer and cost-effective to use the tried and true method of getting votes -
getting the voters drunk.

Indeed, with this system, I would think that the regular polling places would
just be custom terminals with leased lines direct to the same polling computer
that one dials in with from home.

I would hope that one of the effects would be to encourage more voting,
and perhaps for our government to have regular referenda on issues,
rather than waiting for  regularly scheduled elections.
Just dial 1-800-PRO-CHOI or 1-800-PRO_ABRT

Some posters have suggested that a segment of the population would be favoured
by this, that poor people would find it harder to vote than rich. True.
However, I think you will find that the percentage of people who have
telephones is greater than the percentage of registered voters who vote, let
alone the percentage of the population as a whole who vote. I would guess that
telephone market penetration is over 90%, and I would further guess that,
considering payphones, work phones, a friend's phone, etc, >99.999 % of the
population has phone access. In fact, since voter registration requires an
address, I bet more people have access to phones than have legal residence

I think it is safe to say that if voting could be accomplished by phone as well
as in a polling place, voting attendance would go up.  And by definition with
the tenets of Democracy, this is a Good Thing.

stephan meyers c/o dan sandin

p.s. someone mentioned the problem of tying up the phone lines, as in
"I'm sorry, all voting lines are busy now, please try again later"
This is a real problem, and probably no cheap way out of it.

Re: Voting (Re: RISKS-10.61)

Frank Kuiper <>
30 Nov 90 11:15:16 GMT
In the Netherlands we have the following system, wich works quite well.
Everyone has a residents registration, no matter where in the Netherelands you
live. This registeres, amongst other things, your name, address, date and place
of birth.

With this information the councel (gemeente) knows who are eligible to vote.
Every voter, some weeks before an election, is send a voting-card, with details
on when and where (which polling station) to vote. The polling stations are
open from 7am until 7pm (always on a Wednesday; no disturbance of the "Sunday
peace" ;-), thereby giving everyone the opportunity to vote before, during or
after work.  It is possible to vote in another polling station, if you declare
to want that. You will have to do that well in advance.  Also, it is possible
to have someone else vote for you, in which case you can easily transfer the
received voting-card to the other voter, by mentiong his/her name on the card,
and signing it yourself.  One can only vote for two others (thereby making it
very difficult to just buy all the voting cards).

Unless you're out of the country, have no friends or relatives and are dying
somewhere, you always have the opportunity to have your vote cast. Residents
outside the Netherlands can vote (by mail) via the local Dutch embassy.

All I have to do is pass the polling station on my way to work, and vote.

Frank Kuiper    AppleLink: HOL0042

Re: Becoming over-sensitive to risks (vote by phone)

Adams Douglas <>
Wed Nov 21 22:57:14 1990
I was thinking about phone voting systems myself this last election.
Specifically, I thought about the idea of having a centralized polling system
which would allow you to enter your vote preferences during the campaign. This
information could be used as official pre-election polls are used now. On
election day, you would either call again and re-vote, or you could have
specified earlier that if you did not call on election day, the system should
use your last poll as your vote. This would solve a lot of absentee delays (and
I know people will say there are problems with it, but it's just an idea).

"Little pitchers have big ears": yet another ATM RISK

Sun, 25 Nov 90 00:32:54 PST
Today, I went with a friend into a local bank [Wells Fargo], to activate his
(newly-arrived) ATM card.  This ritual involves the selection of a password
[PIN] for for the account.  He gave his card to the clerk, who swiped it
through a magnetic reader and typed something on a keyboard.  Then my friend
typed his new PIN on a special, hooded keyboard out of view of the clerk
(and, hopefully, from other bank clients).

A speaker clicked on, and, to my surprise, we (me; my friend; the clerk; and,
in fact, nearly everyone in the building) were treated to the sounds of a dial
tone, some touch-tone dial sounds, a (surprise!) normal-sounding 300-baud
modem query and connection, and, in fact, the entire [300-baud] exchange,
complete with hangup sounds.

The RISKS of this audible broadcast should be clear:  anyone with a good
pocket microcassette recorder should be able to record the entire modem
transaction, simply by being near someone who is activating his ATM card.
With a little ingenuity (or, eg, a DSP such as that onboard a NeXT machine),
it would be trivial to decode the entire 'dialogue', which presumably
includes not only the person's account number and PIN, but also a password to
make changes to an arbitrary ATM card!

The information would be particularly easy to extract because of the robust
nature of the 300-baud Bell standard.

I spoke with several colleagues (including about the
broadcast of the computer dialogue:  it appears that many Wells Fargo branches
follow this practice, and have been for at least three years.

The moral of the story is perhaps that one should not shout out sensitive
information, even in supposedly unintelligible languages.


Billing software wastes money

Wed, 28 Nov 90 10:13:41 EST
Last year my wife and I bought a chair at Michael's Furniture, a store
here in West Lafayette.  We financed the chair, and Michael's promptly
sold the contract to Security Pacific Financial Corporation.

Everything went fine; no problems.

A month ago, we made our regular monthy payment, after which, our balance
was some small amount (like 20 or 30 dollars).  A week after we mailed our
original payment my wife suggested that we just pay off the acocunt.  I
agreed.  She wrote out a check for the balance due and mailed it off.

Fine, no problem.

A week ago, we got a bill from Security Pacific.  For four cents.  Apparently,
some interest and accrued on the account in the week or so between checks.

Clearly, it never occured to the people writing Security Pacific's billing
software that if the balance due was less than the cost of mailing a bill
then they should just write off the balance due.

Sigh.  We mailed them their four cents.                              Phil

Please report problems with the web pages to the maintainer