My TED Global talk
2010-07-21 11 Comments
At TED Global 2010 I got a wonderful six minutes to talk about four years’ of research. I thought I would use that opportunity not only to give people a taste of the interesting results that the verifiable electronic voting research community has had in recent years, but also to end with a strong call to action. The ideas I wanted to convey were:
- Elections should be transparent and verifiable.
- Elections are fundamental to our democracy.
- Elections are by the people, for the people.
The response from the TED community who attended the conference has been absolutely fantastic. I could not have guessed or asked for anything similar and I am hoping to follow up on all the threads shortly.
I do believe that we need to talk about elections in a new way; we need to talk about transparency and verifiability. We live our lives dependent on the democracy of our respective countries so elections, the fundamental underpinning of democracy, have to be correct. Many of us live in countries with universal suffrage so now we need to take a step further. My vision is of election systems that are transparent (so that the people can see that the outcome is based on their will) and verifiable (so that the people can check that the announced result is the correct one). These systems should not only be impossible to cheat (because they are not run by God, they are run by humans so they have to be immune to human intervention) but they should tally the election correctly and prove that the tally is correct.
There is a plethora of Verifiable Electronic Voting systems in the research community and now I want to connect those interested in implementing these notions in real elections with the relevant science and scientists. Please do contact me and I will do everything I can to provide access to not only my own knowledge on the subject but also that of other researchers. (I have a PhD in Verifiable Electronic Voting.)
As far as I am aware, my talk is due to be published on ted.com in November, as there are US midterm elections then.
About David Bismark
David Bismark on Verifiable Electronic Voting 
good read, post more!
Dear David,
I posted a comment on the TED website. here is a longer version of it. I think that much more discussion is needed of there thorny issues.
——-
The TED conferences have gained widespread recognition and acclaim for the high quality of their speakers. This means that their well deserved reputation has a huge potential to condition debates about vital societal issues.
This is the reason of my letter. David Bismark’s presentation of a “verifiable” voting system is a case in point. Bismark introduces and defends an ingenuous type of ballot which allegedly allows people to anonymously keep track of their vote cast in a suitably designed electronic voting system.
However, as further analysis of Bismark’s work reveals, the system only allows voters to anonymously verify that their vote has been counted, not that it has been counted correctly. This further verification is not in the hands of the voter, who must not only trust a large number of bodies (political delegates, government officers, UN observers, etc. as in any old fashioned election), but also a large body of “experts”, as the accuracy and confidentiality of the electronic counting system, its resistance to tampering and manipulation, the robustness of encryption are all things that are well beyond the standard competencies of the standard voter.
The issue of informed trust is a major one in the discussion about the introduction of electronic voting systems. The standard hand count is, sure enough, open to fraud, but at least its functioning is perfectly understandable by anyone who understands sums, and who trusts a party delegate who supervises the scrutiny, a delegate who, in turn, is not an expert herself, but is only supposed to understand sums. EVS counts require trust in experts who must understand technical issues (encryption, robustness, etc.). In the latter case, trust is not informed. Resistance to EVS is motivated by the necessity to preserve informed trust.
The system presented by Bismark not only massively requires uninformed trust as any other EVS, it also justifies this request under a completely irrelevant improvement which, in the end, has the only consequence of lowering the sensitivity to the main informed trust issue. It is as if when one has a sort of paper guarantee that their vote has been counted (and not, to repeat, that it has been counted correctly), the rest of the system can be accepted wholesale.
The TED presentation was completely focused on the ingenuous ballot, presented as a solution to verifiability. All the important issues behind the adoption of electronic voting were completely silenced. One can easily predict that, given TED’s reputation, a lot of discussions to come will make a link to this video so as to take a lot of things for granted. It shouldn’t be so.
Most cordially
Roberto Casati
I repost my response from the ted.com website:
Roberto, I am afraid your further analysis is incorrect. You as a voter verify that your vote is counted and then the public, in the process called public verification, verifies that all the votes are counted correctly. So again, you verify that your vote goes into the votes that are counted and then the public (in the form of various political parties, newspapers and other media outlets, international observers and interested groups and individuals) verifies that all the votes are counted correctly.
NO uninformed trust is required, that is the whole point. The whole system is transparent and verifiable so that there is no part of it that we have to blindly trust.
Dear David,
Thank you for answering. But I’m afraid you are not making your case yet. “The voter” refers to one thing, “the public” to another, quite different thing. Hence “voter verifiable” is one thing and “verifiable by the public” is another thing.
In an answer to another post you said it explicitly:
“There is a lot of cryptography going on in the system and the average voter should not be expected to understand or be able to verify that it happens correctly.”
In your system the voter can safely check that his ballot is taken into account and not thrown away. But the rest of the process is not voter verifiable in the strong sense, i.e. verifiable by the single voter. Thus the voter has to blindly trust experts anyway, or hope that her representatives or the media are expert enough to do the check. This is uninformed trust to say the least.
The advantage of the old system is that although one has to trust her political representatives, the trust is perfectly, wonderfully informed: all the steps of the process are understandable to anyone who can make sums!
One does not see the point of having a new voting system one part of which is voter verifiable in the strong sense, the other part of which is not and requires uninformed trust, given the fact that the actual system only requires informed trust. (Unless one is trading on the ambiguity to smuggle in acceptance of EVS, which I trust is not your case, but I can see many distorting uses of ideas like yours.)
Most cordially
Roberto
This is a definition of a completely verifiable electronic voting system, i.e. end-to-end verifiable system:
Voter verifiability + Public verifiability = End-to-end verifiability
Voter verifiability: The individual voter can verify that her vote has been correctly recorded and that it is among the encrypted votes that go into the decryption and counting phase.
Public verifiability: The public verifies that all the votes, that the voters have cast and are able to individually verify has made it correctly into the election tally, are decrypted and counted correctly. “The public” refers to any interested organisation or individual; to perform the verification of the various stages of the decryption (and mixing of the votes, which hides the identities of the voters) it is necessary to be able to program software and to understand the technical specifications that you must follow. Therefore, we envisage that each of the political parties will appoint their own experts to write a piece of software, that when run on the published election data, will verify that the decryption of the votes and the subsequent tally of the plaintext votes, have been done correctly. Any other organisation such as newspapers and other media outlets, election reform societies, the United Nations and governments of other countries, international election observers as well as domestic observers, can all appoint their own experts to write such software. This means that there are many different pieces of verification software run on the same data all over the country, so the probability that the verification is done incorrectly is small.
So you as a voter will have to trust an expert (if you do not choose to learn to program, study the technical specifications and write your own piece of verification software – which you can!) but the thing is – there are many, many different experts. So if the expert I trust is not someone who you would trust, then your political party or your group may have its own expert and perhaps you trust that one. This is quite different from a setting where the governments appoints one or a handful of experts to certify election equipment – because then we do not have any choice in who we trust.
Dear David,
Thank you again for your generous answer. Definitions clarify, as usual.
Let me deepen a bit,
Informed voter verifiability = voter verifiability (as defined), with the proviso the voter has, individually, the knowledge necessary to understand each single step of the voting process
Informed public verifiability = public verifiability (as defined), with the proviso that the individual voter has the knowledge necessary to understand each single step of the voting process
(mind the fact that it is the individual voter who figures in both definitions.)
The distinction that you point to at the end of your reply is a distinction between trust in government and trust in non governmental, independent bodies. Clearly, a voting system that allows for independent bodies to check each single step of the process would be superior to a voting system that only allows for government appointed experts or certification.
But nothing in principle in the old manual system forces exclusive trust in government. It is in principle possible for independent bodies to check all the phases of a manual count (and it has happened, and party representatives are there to follow the scrutiny, etc.). So there is no difference, on this score, between the old manual system and an end-to-end verifiable Electronic Voting system.
Thus the difference is elsewhere, and is captured by the distinction between informed/uninformed verifiability, be it voter or public verifiability. And on this score, all else being equal, the old system wins with flying colors. All you need to understand it, is your ability to understand sums.
It is not a marginal or technical point. We do need to trust experts in many cases in our complex societies, but it is not an innocent move to request deference to experts where there are not, in principle, necessary.
Most cordially
Roberto
In a traditional paper-based voting system you as an individual voter will have to trust that thousands of election workers around the country have all done their jobs correctly and that no-one tries and succeeds in cheating. There are normally large election observation operations that try and find out if anything untoward is going on. But as we see in all elections in all countries (with the glaring exception of the last election under the reign of Saddam Hussein) there are always things that go wrong for one reason or another. We do not necessarily make it impossible for things to go wrong, but if they do go wrong, this must be detectable. So our system is not error proof, but it is error evident. The traditional paper-based system is not error proof and not error evident.
Dear David,
Mentioning Saddam Hussein’s electoral system is quite helpful here. I am as concerned as you and as many other activists and social researchers about voting systems. And having been a party representative at many elections I have a sense of the difficulties involved. Much wish there was an improvement over the manual system. But one may want to enlarge the picture and consider that voting is not only a matter of expressing a preference and then counting. Civic control over voting is also a matter of getting involved into campaigning and checking the results. Of trusting the system. Of being informed.
This is why I allow myself to be a bit fastidious about definitions. I guess we are all looking for equilibrium points in a complex space whose dimensions are trust, informed consent, reliability, accuracy, transparency, effectiveness – and civic participation. I am concerned about a shift in the discussion about the fascination with the reliability, to the detriment of all other dimensions, in particular civic participation. In previous waves, reliability was even considered more important than secrecy (as if an election was an open doodle of sorts).
The old system has an equilibrium of sorts (and it relies a lot on voluntary civic participation, as you say: mistakes are possible, but isn’t the participation an important dimension?). Other equilibria are possible, but I just would like the discussion to be honest about it. Pret-a-voter may solve some important problems, but it breaks the equilibrium on the trust dimension.
Best
Roberto
Dear David and Roberto, thanks for this fascinating debate. Let me take a step
back and try to look from a wider angle the crux of your discussion, trying as
best as I can to be neutral from your point of views.
It’s undebatable that both voter verifiability, public verifiability are
desirable properties. To achieve any of them, there are underlying assumptions
to be made on the minimum required abilities of the
verifier. In a head count system those minimum abilities, as pointed out by
Roberto, include the ability to make sums. Mind you: it surely is a
widespread ability, but it still is a required skill: if you are unable to make
sums, you won’t be able to be sure that yours (or any other vote FWIW) is taken
into account properly.
In David’s system, there is some sort of “reassuring tangible witness” which is
offered to voters (the paper trail) to make them feel safe about the fact that
their vote has been counted. But that is far from giving actual guarantees to
the voters. To reach that point, the voter needs to get the cryptographic
details of the voting system, need to retrieve all the votes of the election,
the software used to evaluate vote results (which must be Free as in Freedom!);
then the voter must either review the software source code and convince herself
that it is correct, or write her own implementation, run it on the votes, and
compare the results with the “official” ones. Alternatively, as David points
out, the voter can surrender her trust by delegating it to some trusted expert
(from her own party, local community, etc.).
As a computer scientist and free software / knowledge advocate, I’ve more than
a sympathy for David’s position, but the underlying ethical dilemma remains
unsolved: how much are we allowed to raise the bar of minimal required ability
for vote verification, before risking to exit the boundaries of democracy to
enter technocracy?
In that respect, I dare to challenge also Roberto’s position, which implicitly
assumes that the ability to make sum has to be taken for granted. Isn’t that a
too constraining requirement yet? And if it is not, why is it not? One
might argue that it is not since primary education teaches basic maths to most
citizens, but then in a world which is more and more permeated by software
(cars, medical devices, fridges, ovens, …) the education should include more
and more basic computer science (although it’s hardly imaginable that that will
ever reach the knowledge needed to review David’s voting system).
To conclude in a tangential way, I have to point out that even all the
knowledge discussed by David will not be enough to trust an
election result, as the data flow chain from the ballot boxes to the
publication of results is not in the control of voters. No EVS can be fully
trusted by anyone, unless that anyone has full control (including physical
access to the used devices and data storages) over it.
The point of end-to-end verifiable systems such as Prêt à Voter is specifically so that this “flow chain” is completely auditable and verifiable. There is no chain of custody issues because it can be verified that the votes that went into the ballot box in one place were counted in a different. To again refer back to the traditional paper-based voting system, this would mean that each individual voter would be able to verify that her vote is in the ballot box (after the close of the election) and anyone who feels so inclined can verify that all the votes in that box were counted correctly. This is verification, not trust.
The fact that the flow chain is completely auditable and verifiable does not imply that individual voters can do that audit/verification.
Take the following example: I’m an attacker who would like to invalidate the vote of a specific voter, because I think she will vote against my candidate. One way to do that is to “remove” his ballot from the box (or from the vote database in EVS); this attack can be countered by systems such as the one you propose, as the voter will notice that her vote is not in the final public tally sheet.
Another way to do that is however to inject a new vote which “counters” the vote of the specific voter (if she really voted for someone else; if not, even better!) we want to attack. In such a scenario the voter will happily find her vote in the final sheet and will be led to be believe that everything is fine, while it is not actually the case.
Note that in the latter scenario the voter will be even able to recompute the election result by executing the voting software (or a reimplementation of her own) on the published encrypted votes. She will then be able to compare the results she obtains with the official one and she will find them to be the same, but still someone had been able to cheat.
The point, once more, is that the voter has no full control on the complete voting toolchain, which includes not only her vote, but all the votes, all the machines used to vote, all the software running on them (which is not necessarily the some advertised as the software running on them …), etc. There is no way out of it, unless voters are in control of all that.
So, while advancement like the one you propose here are nice, we should all be very careful in advertising them as panacea solving all the issues of trust in electronic voting.