The Looming UOCAVA Internet Voting Debate
This is the last long post about the UOCAVA Summit underway in Munich, but in an unannounced move, below I am disclosing all of the topics and questions in tomorrow’s (apparently) much anticipated Internet Voting Debate.
I apologize to those looking for a quick (more typical) blog post on the matter. But there is (I think) interesting stuff below.
Fact: Silly though I think it is, controversy is swirling around this event; I’ve received more “hate mail” than necessary as moderator, and I believe its important to layout what exactly my line of questioning will be, so that you, the readers, can judge for yourself if I am trying to manipulate the discourse for or against the use of public packet-switched networks for transacting ballot data from public elections. Think of this as our continuing effort to be transparent – one of our Foundation’s driving principles
So, less than 9 hours remain before we sit down to have what I intend to be a fair and balanced discussion about the challenges and opportunities, the fears, uncertainties, and doubts, and the real and present risks of using public packet switched networks for transacting public ballot data – the so-called Internet Voting debate.
And for me, I am more than ready to put this episode of a long running debate behind me.
Its not that I am no longer interested, nothing could be further from the truth. But I look forward to slipping back into the mix of many discussing the topic without the klieg lights and responsibility of moderating the participants of a specific debate instance.
The problem is the vitriol nature of unsolicited feedback I’ve received in the past 3 days regarding this event – which is apparently getting far more attention than we anticipated.
Hate mail – its that simple. And it’s coming from both sides of the debate. And that’s surprising. Activists on both sides are convinced that the OSDV Foundation, the Overseas Vote Foundation, and I are all out to railroad the other side in a debate that appears to be tilted against their interest.
Reality distortion fields – its that apparent. They are being cast, but only I can tell you what is absolutely in my mind and what my intentions are. And either people can choose to believe me or not.
So with one final effort on the eve of yet another intellectual wrestling match on this, let me try to set the record clear on our intention. And to do so, in this post I am going to disclose to all interested – in advance – the questions of the Debate planned for 0900 CET tomorrow (about 2200 EDT/0100A Pacific).
First, let me share here the participant line-up:
Moderator: myself, Gregory Miller, Chief Development Officer, OSDV Foundation
Introduction: Dr. Andrew Appel, Professor Computer Science, Princeton University
Harri Hursti, Author: Hacking Democracy
Constanze Kurz, Engineer/Dipl. Inf., Humboldt University Berlin
Pamela Smith, President, Verified Voting
E. John Sebes, Chief Technology Officer, Open Source Digital Voting Foundation [*]
Alexander Trechsel, Professor of Political Science and Swiss Chair in Federalism and Democracy at the European University Institute (EUI) in Florence, Italy
Christian Bull, Senior Advisor, The Ministry of Local Government and Regional Development, Norway
Thad Hall, Associate Professor of Political Science and Research Fellow, University of Utah, USA
Tarvi Martens, Development Director at SK, Demographic Info, Computer & Network Security, Estonia
Closing Remarks: Honorable Debra Bowen, California Secretary of State
About that [*] after John’s name.
Before moving to the questions, I want to comment on one of the many controversies that have bubbled up over this event. In the 11th hour, Chantel Enguehard, Researcher and Teacher, Laboratoire d’Informatique de Nantes Atlantique rescinded her agreement to participate for this event on the “opposing side” of the argument for Internet Voting (after previously committing to do so and allowing the Conference to finance her attendance). Ms. Enguehard has determined that it is not in her best professional (or apparently political) interest to be on any record as speaking against the use of the Internet for elections. It is her choice, of course, but not the most courteous move to make on the eve of the debate, IMHO.
Let me be clear: I do not believe that just because someone takes a role in a debate staged for a conference as an information exercise, that such necessarily should label that participant as permanently having the opinions of that side of the argument. And I would’ve been glad to go on record that she is participating in this capacity simply for the academic exercise of explaining the issues to the audience, but that her participation as an opponent does not necessarily reflect her otherwise neutral position on the topic.
Ms. Enguehard argues vigorously that we failed to understand the language nuances relegating the term “debate” in French to mean a discussion of many view points, including neutrals. Sure. And she had several weeks to inquire as to whether this was a potential language faux pas on our part (or hers). She did not.
So, unable to reach an agreement, we’ve dismissed her (at this writing 2350 CET, Thursday) from the Debate, primarily at her insistence of modifying how we run the debate to accommodate her neutrality (you really cannot have a meaningful debate with “neutral” parties.) The TrustTheVote Project Chief Technology Officer, John Sebes has agreed to stand in her place, although John, in fact, is trying to remain neutral himself on this controversial subject (he is against using the Internet for at least remote – home based – voting in public elections, but open to future possibilities of kiosk-based solutions provided certain issues in the client-server model can be addressed).
So we move forward with the Panelists as introduced above, and now in a move that I am taking on my own, and without advance notice to others, but to clear the air, below you will find a detail of the topics and the questions we will address in tomorrow’s debate, T-9 hours from this writing.
Before the debate begins, Dr. Andrew Appel of Princeton University will present this talk and slides. We asked Dr. Appel, not (I repeat, not) because of his personal views, but because in looking at various knowledgeable individuals who could present a brief overview of the issues, we found Andrew’s presentation to be simple, straight forward, fair and balanced. This has been a point of contention from the attack dogs for those in favor of iVoting, contending that we’re setting the debate up with a taint and favoritism towards the opponents by engaging Dr. Appel. For the final time: nonsense.
Panelist’s Rules of Engagement
- I will address a question to either side, and a specific individual and they shall have a 2-minute answer.
- The opposing side shall have a 1-minute response.
- The original respondent may have an optional 30-second rebuttal at my discretion.
- We recognize that reducing this to an hour or so of “sound bites” would be a disservice to the important topic, so there are some situations, where I may engage a respondent or rebuttal in a 1-minute follow-up. But in order to offer the audience a treatment – potentially not as comprehensive as we would like – on each topic below, “follow-up” opportunities will be allowed in limited circumstances, again at my discretion.
- I will do my best to rotate through each Panelist with questions; the fun part of this, any Panelist on either side may be asked to respond to any one of these questions.
- It is not our intention to overly control the discussion but it would be a failure to allow the discussion to dissolve into a disorderly argument, so I will respectfully as possible require adherence to this process. And here is the enforcement clause: if a Panelist fails to yield when time is called more than once during the Debate, I will refrain from any further questions directed to that Panelist. And I do not wish to have that happen, so I look forward to everyone’s cooperation.
- The goal is to have an enjoyable, lively, yet informative debate. Intellectually honest professionals can agree to disagree, and on this topic reasonable minds can and do differ. So, remember, this is intended to be a “fun” showcase part of the Summit.
- Finally, in closing I will ask for a 5-minute closing statement from each side of the debate.
Debate Topics and Questions
A. eMail as a Comparator
You, Panelists, are in consensus that eMail is not an appropriate way to return vote data (for example, sending an image attachment or a PDF of a marked absentee ballot). That noted, in comparison with other home-based voting schemes, these questions:
1. What does eMail voting lack that a client-server iVoting solution provides, in the scheme of voting from a home-based or remotely located PC using a World Wide Web interface?
2. What does eMail voting lack that ordinary vote-by-mail also lacks?
3. Do these answers help us identify some requirements for iVoting?
B. Data Center Management
Both kiosk and home iVoting share the feature of a data center to host the various parts of an iVoting solution, including store vote data, etc. That data center operation is a very important component of the entire iVoting operation, which gives rise to a series of questions we turn our attention to now.
Depending on time I may ask some or all of these questions:
1. Internet banking seems to work well, and is widely adopted without objection. Does this provide a model for and lessons for iVoting? Why or why not?
2. A bank must have a trust delegation model. Which parts of that model would work for iVoting?
3. Are there applicable models for data center transaction audits in the banking world that provide an appropriate model for iVoting?
4. What technological expertise is required to assess the continuing reliability/trustworthiness of an iVoting solution? Is this level of expertise accessible to the public officials who select such systems and/or who manage such systems?
5. How can election officials assess the “total cost of ownership” of an iVoting solution, beyond software license fees? How does this compare with alternative solutions such as vote-by-mail?
6. If any of the proponents are proposing to use iVoting only for UOCAVA settings, what is the rationale for restricting the application of iVoting to this context?
C. Home vs. Kiosk iVoting
Some experts draw a distinction between the use of voting kiosks or polling places with iVoting based ballot casting devices, and the use of home or office-based or otherwise remotely located computing devices to access such a ballot casting service. Let’s ignore that particular distinction. One thing we can stipulate is that Kiosk-based iVoting has different costs and logistics than home or remote iVoting solutions. Let’s not explore those issues. I will ask each of the Proponents to state simply whether they’re proposing home-only, kiosk-only, or both models for iVoting systems. Then we’ll address these questions:
1. What are the comparative risks and advantages of both models?
2. What are the costs/benefits of these differing models?
3. How do these costs compare to those of traditional non-iVoting polling places?
4. How do the benefits of home or remote voting compare with Kiosk or polling place models?
D. The Paper Ballot Issue
Some iVoting pilots have included the generation of a ballot-like paper that is retained by election officials. Others do not. Let us examine two points.
1. What can these paper facsimiles best be used for; for example, should they be construed as ballots of record, a paper trail, a receipt, or something else?
2. Are there chain of custody issues in the handling of these paper records that would be different for an overseas voting setting compared to a domestic voting setting?
E. Original Hand-Made Signatures
Most industrialized democracies use some sort of method to authenticate the voter before they may cast a ballot. It may be by hand written signature, voter identification card, or some other means.
1. What methods are appropriate for iVoting systems?
2. What is the likely leading objection to these authentication methods and how can it best be addressed?
F. Client Platform Integrity
Assuming a traditional client-server model using a public packet-switched network for discussion purposes, the home/remote iVoting has a particular issue with the security risks of the remote PC being used as a voting terminal, including the integrity of the iVoting software executing on the PC, and the integrity of the vote data along the way from the voter across the network to the server. Some of this has already been discussed, so I want to focus now on one particular aspect of integrity: data security means. One of our Panelists mitigates these risks by using an “end-to-end” cryptographic method that allows election officials to detect large-scale client-side attacks for election fraud. This is an interesting model, but raises these questions.
Depending on time I may ask some or all of these questions:
1. Special end-to-end crypto protocols have been proposed in order to mitigate against the possibility against insider attacks against the servers.
1.1. Are these methods workable, and are they practical?
1.2. Are they ready for near term adoption and can their principles be understood sufficiently by elections officials and the public to gain wide acceptance?
2. Is “detection” sufficient? That is, are the risks acceptable if attacks can be detected at scale?
3. Is this acceptable-risk concept different depending on whether iVoting is for UOCAVA (overseas absentee) voters only, or for any and all eligible remote voters?
4. Each Panelist can surely expound on whether client integrity issues must be resolved as a prerequisite for home/remote iVoting. But let’s keep a tight focus on this for the benefit of our audiences.
4.1. Please pick one reason why or why not client integrity issues must be first resolved, and explain it briefly.
4.2. What about integrity of the Kiosk systems? Is it sufficient to have a degree of integrity comparable to those of voting devices in state side polling places?
Finally, I may have a bonus question, I am reserving from here, but it will be a follow-up from the above topical agenda.
OK, I leave it up to you, after reading the information above to make a call on whether I am intending to taint this debate or provide for a fair and balanced intellectually honest discussion on the issues, challenges, (and yes) opportunities in the use of the Internet in public elections.
Off to post-dinner gatherings; Sure its 23:55 CET. It’s Munich and the night is young, although we start in 9 hours. 🙂
7 responses to “The Looming UOCAVA Internet Voting Debate”
Great post and debate. I am all for internet voting from home and believe that the naysayers won’t have a valid arguement once the proper security controls are in place. If we can issue PKI cards similiar to Estonia and DoD, we could ensure our identity (similar to driver’s license numbers). All you would need from home is a card reader and secure system to cast your vote. Paper ballots should be an option for those that don’t have computers period.
Setting aside the network security issues that cannot be solved with current Internet engineering, seems Pinkston fails to recognize the very real problem of household coercion that can deprive persons of their votes. Inside the home, with domestic violence and other abuses of power well documented, a substantial number of household members will face coercion to yield their voting rights to a more financially or physically powerful member.
When Pinkston says, “All you would need from home is a card reader and secure system,” it does not attend to the coercion risks but also reflects an assumption that pervasively lax home security measures regarding one’s own passwords and other security practices will vanish with adoption of Internet voting. It misjudges reality inside the home, which includes vote selling and other coercion.
Polling places protect the vote by restricting opportunities for vote selling and other coercion, and vitally protect the vote’s integrity by preventing historic and foreseeable abuses. Any who want added convenience of remote Internet voting need to consider not only their own homes but the evidence regarding other households’ power structures, the history of vote selling, and other practices that eviscerate honest elections that reflect the voters’ own choices.
A couple of responses back to these two appreciated comments.
First, on the coercion element; that certainly exists, but also exists in nearly any absentee setting, especially vote-by-mail. So, while I am NOT suggesting that makes the issue disappear, it does recognize that this issue is faced in other settings outside a polling place.
Second, the real missed point, IMHO, on the security card “ID” solution is that I can say with direct working experience from Netscape and the legal profession the Public Key Infrastructure (PKI) element is a non-trivial matter. Setting up a PKI (CAs and the rest) is expensive, complicated, and America is no where near ready or capable of standing up a PKI on a state or national level, let alone a jurisdiction-by-jurisdiction basis. It is a sexy technical solution, but as the Panelists conceded yesterday, while Europe is ahead of the game on that point, America lags severely. And if we want to fix that, we first need to solve the cultural/political impediments to any notion of a national ID card.
To keep the post short, I didn’t mention the absolutely correct point you make about the coercion element; “that certainly exists, but also exists in nearly any absentee setting, especially vote-by-mail.”
Coercion is one primary reason why I counsel against adoption of broad, no-excuse vote-by-mail programs. The other major concern? greatly expanded opportunities for election fraud. I take the position that because elections control a vast amount of wealth, power, jobs, and other valuables, we need to be very cautious about assuming that the risks of fraud and coercion are minimal.
Very nice read, some valid points were made. (This isn’t some dumb spam reply either, I’m a true follower.)