Bruce Almighty

Bruce Schneier is generally right on when it comes to security, and his explanations are usually extremely crisp and to the point. Plus, it’s hard to argue with a man whose online reputation precedes him. That said, when it comes to voting, I’m a little worried by some of Bruce’s latest posts. On November 13th, 2006:

> I am increasingly of the opinion that an all mail-in election — like Oregon has — is the right answer. Yes, there are authentication issues with mail-in ballots, but these are issues we have to solve anyway, as long as we allow absentee ballots. And yes, there are vote-buying issues, but almost everyone considers them to be secondary. The combined benefits of 1) a paper ballot, 2) no worries about long lines due to malfunctioning or insufficient machines, 3) increased voter turnout, and 4) a dampening of the last-minute campaign frenzy make Oregon’s election process very appealing.

Oh no Bruce, say it ain’t so! Mail-in ballots? Almost everyone considers coercion to be secondary? Who’s everyone? Election officials? Maybe, but not security experts. In 1956, when Chile introduced the secret ballot, a massive change in the composition of the government ensued. When the secret ballot was introduced in the US originally (only 120 years ago), it was to stem massive vote selling. Coercion is a big issue. Sure, it wouldn’t happen overnight, but if the possibility is there, coercion will happen and make a significant difference.

Then there’s the not-quite-right argument that, if we allow for absentee voting, then we might as well have a free-for-all mail-in. Not so. Absentee ballots are a tiny minority when you actually enforce absentee balloting rules like “you must have a reason to vote absentee.” There’s no reason why we all have to vote using the same method. It’s okay to have one central method that is coercion resistant, and make some small exceptions under the right conditions.

In a separate post on the same day, Bruce says something wonderful:

> We shouldn’t — and don’t — have to accept voting machines that might someday be secure only if a long list of operational procedures are followed precisely. We need voting machines that are secure regardless of how they’re programmed, handled and used, and that can be trusted even if they’re sold by a partisan company, or a company with possible ties to Venezuela.

Indeed! We cannot depend on a chain of custody; we need *proof*. So what’s the answer?

> paper ballots are the key

Paper ballots help, but they’re not the key. Significant voter fraud is still quite possible with paper ballots, as history has shown time and time again. How do you know that the paper is properly collected? How do you know that no extra paper was stuffed in the box, and that none was destroyed? We have significant evidence of paper ballot tampering throughout history, and if you watch Bev Harris’s HBO documentary, you’ll see that paper trails are regularly destroyed.

What we need is a verifiable election protocol, one with proof that things happened correctly. Cryptography can play a significant role here, but first we need to stop this obsession with paper, as if paper will solve all of our woes and nothing else will do.

And here’s where it gets interesting:

> Voting is as much a perception issue as it is a technological issue. It’s not enough for the result to be mathematically accurate; every citizen must also be confident that it is correct. […] In the U.S., we’re losing the perception battle.

This is true, but does that mean that perception should trump real security? Paper would help the perception of security, but it would do far less for the real security of the system. So is that good? Do we want a placebo solution?

I continue to believe we can do better with open-audit election protocols, and it’s too bad that Bruce isn’t using his significant clout to make people aware that there are other, vastly more promising methods. The secret ballot is only 120 years old in this country. We’ve got plenty to learn, and we need to be open-minded about new solutions. Paper helps, but it’s not the answer.

4 thoughts on “Bruce Almighty”

  1. Glad you wrote that. When I read Schneier’s piece, my blood pressure went up, but I was too lazy and inarticulate to respond. Thanks.

  3. Here’s the thing I see… open-audit election protocols might be a better solution, but I think the big hurdle is that ordinary people (who need more faith that their vote will be counted) don’t understand them in their gut. Mail-in voting, on the other hand, is dead-simple to explain. Coercion (and losing the secret ballot) is a big deal, but dealing with it might just be a necessary step in our evolving election infrastructure.

    I’ll also wonder if there aren’t ways to preserve the secret ballot with mail-in voting. Maybe you can mail in multiple ballots and “last one wins” or only ballots with a certifying token get counted (so you can send in a ballot that looks real, but doesn’t count). Or maybe I’m just making things too complicated – perhaps stiffer laws against vote coercion (coupled with aggressive enforcement) are good enough. I don’t know.

    But my read is that perception is as important as reality here (since elections only work if people trust them). So a purely technical solution isn’t good enough – it has to be a social one as well. And right now we have the worst of both worlds – infrastructure that (generally) isn’t secure and isn’t perceived that way either.
