[My thanks to to election and tech expert David Jefferson for contributing this excellent, pithy, and though-provoking reflection on the day’s top tech/policy news story. — EJS]

Google recently announced in an important change of policy that it will stop censoring search results for queries coming from China.  That is interesting in its own right, but is not why I am writing this article.

According to their corporate blog post, what prompted this change of policy was the discovery of “a highly sophisticated and targeted attack on [Google’s] corporate infrastructure originating from China”.  They found similar attacks on “at least twenty other large companies from a wide range of businesses”.

Google further said that they “have evidence to suggest that a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists”.  We are not likely to hear more detail in public about the attacks, but this is extraordinary news.

As you can imagine, Google has one of the strongest IT staffs, with among the broadest and deepest security expertise of any company in the world, and presumably the other twenty plus large companies are generally well protected as well.  Yet they were all apparently compromised remotely, by agents of a foreign power, and for political purposes!

Is there anyone out there who still believes that some small company that has run a few election pilots and now wants to run infrastructure for Internet voting has any chance of locking down its vote servers so tightly that it can withstand a similar “highly sophisticated and targeted attack” against a U.S. election when Google and these other big companies cannot?

— David Jefferson

8 responses to What Google’s New China Policy Tells Us About Internet Voting

  1. Harry Seldon

    What you say is true and interesting. But, I understand you say “Even large companies cannot guarantee computer security”. I guess you don’t think neither that OSDV could guarantee such a thing.
    So it looks like OSDV is for digital voting but not internet voting. Is this an official position?

    @fractalharry
    PS Disclosure, I am personnally pro digital voting and internet voting. “If banks can be online, elections can be online.”
    The problem in an internet voting is not to have 0 fraud. It is to have limited fraud. Just like in ebanking or in paper voting. Nobody says there are no frauds in ebanking or in paper elections.

    • E. John Sebes Post Author

      The comparison between online banking/buying and online voting is deceptive. Banks are legally allowed to tolerate fraud and indeed to estimate fraud (as in credit card merchant fraud) and set up cost recovery (points paid by merchants and passed on to consumers in prices) to be profitable. Election officials are not legally allowed to tolerate fraud in elections. Personal financial transactions are attributed to persons, are reversable, and have the bank holding the liability for most of the fraud (e.g., $50 limit on consumer responsibility for fraudulent credit card transactions). Vote are very definitely not attributed to persons (or not supposed to be) and can’t be reversed by recourse to anyone. Election officials cannot “give back” to a voter a vote that was stolen from them. Once the ballot is in the box, legitimate or not, it looks the same as all the rest.

      That’s why election officials go to extra-ordinary lengths to look for cases where the margin of victory in a contest is small enough to be about the same as the uncertainty about the legitimacy of some ballots. Just look at the months of effort in the recent Minnesota Senate recount to get to the point where the residuum of debatable ballots was definitely smaller than the margin of victory.

      But with that as an example, you’re right that the goal is not to get 100% prefect accuracy. Where I differ is in the parallel notion to financial transactions that some particular amount of fraud is OK. In elections you just can’t say that 0.1% fraud is OK, because some elections will be close enough that 0.1% of the vote would swing the election either way. And this is not a rare occurrence! In a study of NJ elections, a very large percentage were “close” — just because they were very small-scale local elections doesn’t change the fact it is not acceptable for very small rates of fraud to change the outcome of an election in the US.

      Keep those comments coming!

      EJS

      • Harry Seldon

        Thx for this interesting clarification about the comparison between ebanking and evoting.

        You say “Votes are very definitely not attributed to persons (or not supposed to be) and can’t be reversed by recourse to anyone.”
        A quick comment is that some work should probably be done right here to ensure that anonymity is preserved while keeping a record of the bijection between voters and their ballot. This might be done with encrypted numbers…

        Another quick comment is about the amount of tolerable fraud. “In elections you just can’t say that 0.1% fraud is OK” Honestly, I am not sure I can’t say that. We are in the margin of error. So, whatever you do, a close election is a random election. If you are close to 50/50, it just means you can flip a coin to get your result. Which is basically what happened in presidential 2000…
        There is a paradox here because a good election is a close election. If results are 80/20, it means the candidates are not representative…
        Unfortunately, when you study the voting systems themselves (1 or 2 rounds, proportional results or with a sole winner, etc.) you notice that changing the system changes the results. It changes them all the more that the results are close to the equilibrium.
        (See again the presidential 2000, you were so close to the tie that changing from universal vote to a vote by States representative changed the result !!) This tie is a sign of a healthy democracy. But it also means that a second round should have been held as far as accuracy and fairness is concerned.
        “because some elections will be close enough that 0.1% of the vote would swing the election either way.” This is a problem that would be worth that someone considers it… This sensitivity to a small change has a name: chaos. This chaotical behaviour is typical of a non linear dynamic created by the threshold effect…
        As a summary, qualitatively, the result of an election should be between, let’s say for example, 52/48 and 60/40 else it is either too close and then chaotic (random) or too large and then biased.
        The chaotic case in itself is not significant as far as the election itself is concerned (either way is fair because it is 50/50). But it brings the trouble that the elected person won’t have a majority to do anything (the next election for the senate or whatever can give the opposite result with the same probability).

        This finally brings us back to the question “what is the error margin that can be tolerated in an election?”.
        Notice that Digital/Internet voting would make it easy to rerun an election in case of “tie” or other problem (hacking suspicion, etc.). That is a major advantage in my opinion. Btw, another similar advantage is that it allows for higher frequency elections.

  2. Preston L. Bannister

    Do smaller outfits have a chance of fielding reasonably secure voting systems? Sure. Voting machines are simple. Google infrastructure and the web presence of large companies are complex. Complexity and constant change means more chance of error, and occasional error is pretty much guaranteed. For any vote collecting system there is still the need for careful design and analysis, of whatever process is used, but the base problem is much simpler.

    Also, I think the current base error rate in vote collection is much higher than you expect.

    About 12 years back I started volunteering to work the polls (in part to get a better look at the process). For the last several years I have hosted and run the local polling place. The first few years were with punched-paper ballots, the last several years with computer-based voting machines. According to the folk from the county’s Registrar of Voters (ROV), I had one of the smoothest-running polling places (and in the last Presidential election, one of the busiest).

    Errors occur in the vote collecting process. Voters forget to register, forget to re-register after moving, or for some reason a registration sent to the ROV is lost. Mail-in ballots are not delivered, or misplaced. Voters make mistakes when voting. Poll workers make mistakes. There may be error in the upstream process (though I have no direct experience with this).

    If all the errors were random, then there would be no net effect on the outcome of an election. But the errors are not random. Older folk differ from younger folk. More educated folk differ from less educated folk. (This applies both to the voters and to the folk working the local polling place.) There are likely other dimensions where the pattern of error is not random, relative to the subject of the vote.

    From my experience I would guess that in election where the outcome differs by a percent or so, flipping a coin is as or more accurate in determining the correct outcome – and a lot more efficient – than any more elaborate process. In fact, I suspect that judging any outcome on less than a 3% difference is dubious.

    Add to this the opportunities for subversion and introduced error. Existing error rates many be a lot higher than a mere 3%.

    When designing a new vote collection system, you want something as good or better than what we used in the past. Aiming for 0.1% error rates is probably a waste of time. I suspect that we could get “good enough” results even with (carefully designed) Internet voting.

    The goal of the game is to make the base error rate low, and cost of introduced error sufficiently high. No process is going to be perfect, but we could do a lot better than what was used in the past.

    • Harry Seldon

      100% agreed. I should have read it before answering the previous comment. Indeed, what you say brings some interesting insights to the question “what is the error margin that can be tolerated in an election?”.

  3. Greg Miller

    Preston-
    A fine comment offered, and we appreciate your thoughtful contribution. Some good, cogent points in there, indeed.
    Cheers
    Gregory Miller
    Chief Foundation Development Officer
    Open Source Digital Voting Foundation

  4. Tom Courbat

    “Margin of error” is not the issue here. Who wins or loses the election is the issue, and more importantly HOW he or she wins or loses the election. To make the claim that it would be easier to hack a complex system than a “simple” system b/c the complex system has so many more points of weakness is preposterous. Does anyone really think it would be easier to hack the Pentagon than a local voting system? In many cases, the local voting jurisdiction depends significantly or completely on a vendor, and that vendor has open access to the system at all times.

    How easy is it for the vendor (a number of them employ convicted felons) to then insert a few lines of code to “flip” the election 51.3% to 48.7%, just enough to make it look legitimate, and escape any further scrutiny? This could also be done by an insider within the Elections department. 95% of all corporate fraud is the work of insiders (including vendors who are given inside access).

    And who is going to review 200,000 lines of code to see if they can find the three lines that cause the “flip”, especially when another line or two of code can direct the erasure of such instructions following execution. Just b/c open source “allows” for review of the programming by the public, doesn’t mean the public can conduct any kind of meaningful review. It would take the hiring of experts at the expense of the individuals in the public who wish to review the programming to understand what is coded in.

    And of course, the programming can be changed at ANY time, well into the Election process. The change only needs to go on one voting machine out of say 5,000 in a given jurisdiction to propagate a virus or Trojan horse that will change the entire Election outcome at the central tabulator level. And who would know which one of the 5,000 voting machines was the one with the altered programming? Checking every machine would be impossible, and therein lies the problem. Inability to verify security of the system.

    The German High Court held that if the common citizen cannot view and understand the method in which the votes are counted, then the system is unconstitutional since it violates their right to see the ballots counted in public. No system should be so obtuse than only a few, highly trained individuals even understand it and have the ability to alter it. Votes should NEVER be counted in secret, and when they are run through “black boxes”, they are being counted in secret.

    To further expose an already security-compromised voting and vote-counting system by putting it on the Internet is just begging the hundreds of thousands of Chinese hack-club members to take their best shot. And if they’re good, and they are very, very good, we would never even know we’ve been hacked. Let’s not expose our Election system to “wild west” of the Internet. It’s compromised enough already. Doing something just because we can often leads to some very negative consequences.