Bruce Schneier is generally right on when it comes to security, and his explanations are usually extremely crisp and to the point. Plus, it’s hard to argue with a man whose online reputation precedes him. That said, when it comes to voting, I’m a little worried by some of Bruce’s latest posts. On November 13th, 2006:
> I am increasingly of the opinion that an all mail-in election — like Oregon has — is the right answer. Yes, there are authentication issues with mail-in ballots, but these are issues we have to solve anyway, as long as we allow absentee ballots. And yes, there are vote-buying issues, but almost everyone considers them to be secondary. The combined benefits of 1) a paper ballot, 2) no worries about long lines due to malfunctioning or insufficient machines, 3) increased voter turnout, and 4) a dampening of the last-minute campaign frenzy make Oregon’s election process very appealing.
Oh no Bruce, say it ain’t so! Mail-in ballots? Almost everyone considers coercion to be secondary? Who’s everyone? Election officials? Maybe, but not security experts. In 1956, when Chile introduced the secret ballot, a massive change in the composition of the government ensued. When the secret ballot was originally introduced in the US (only 120 years ago), it was to stem massive vote selling. Coercion is a big issue. Sure, it wouldn’t happen overnight, but if the possibility is there, coercion will happen and make a significant difference.
Then there’s the not-quite-right argument that, if we allow for absentee voting, then we might as well have a free-for-all mail-in. Not so. Absentee ballots are a tiny minority when you actually enforce absentee balloting rules like “you must have a reason to vote absentee.” There’s no reason why we all have to vote using the same method. It’s okay to have one central method that is coercion resistant, and make some small exceptions under the right conditions.
In a separate post on the same day, Bruce says something wonderful:
> We shouldn’t — and don’t — have to accept voting machines that might someday be secure only if a long list of operational procedures are followed precisely. We need voting machines that are secure regardless of how they’re programmed, handled and used, and that can be trusted even if they’re sold by a partisan company, or a company with possible ties to Venezuela.
Indeed! We cannot depend on a chain of custody, we need *proof*. So what’s the answer?
> paper ballots are the key
Paper ballots help, but they’re not the key. Significant voter fraud is still quite possible with paper ballots, as history has shown time and time again. How do you know that the paper is properly collected? How do you know that extra paper isn’t stuffed in the box, or that ballots aren’t destroyed? We have significant evidence of paper ballot tampering throughout history, and if you watch Bev Harris’s HBO documentary, you’ll see that paper trails are regularly destroyed.
What we need is a verifiable election protocol, one with proof that things happened correctly. Cryptography can play a significant role here, but first we need to stop this obsession with paper, as if paper will solve all of our woes and nothing else will do.
And here’s where it gets interesting:
> Voting is as much a perception issue as it is a technological issue. It’s not enough for the result to be mathematically accurate; every citizen must also be confident that it is correct. [...] In the U.S., we’re losing the perception battle.
This is true, but does that mean that perception should trump real security? Paper would help the perception of security, but it would not help the real security of the system nearly as much. So is that good? Do we want a placebo solution?
I continue to believe we can do better with open-audit election protocols, and it’s too bad that Bruce isn’t using his significant clout to make people aware that there are other, vastly more promising methods. The secret ballot is only 120 years old in this country. We’ve got plenty to learn, and we need to be open-minded about new solutions. Paper helps, but it’s not the answer.