eGov monitor Feature: Indistinguishable from magic? The Oxford e-Voting debate

Jason Kitcat, founder Free e-Democracy Project

14 July 2003

Indistinguishable from magic? The Oxford e-Voting debate

By Jason Kitcat, founder Free e-Democracy Project

The venerable science fiction author Sir Arthur C Clarke once said that "any sufficiently advanced technology is indistinguishable from magic". This was in many senses the central issue at the Oxford Union debate organised by the Oxford Internet Institute on 23rd June. The event not only provided one of the few high-profile opportunities there have been to rehearse the arguments for and against electronic voting but it also showed that even the Oxford Union can innovate with this their first ever debate to be webcast.

Jim Adler, CEO of voting supplier VoteHere spoke for the motion "This house has confidence in voting via the Internet", arguing on the basis that technology did exist to meet the minimum requirements we should expect from our ballots. Verifiability was a keyword he continually returned to, insisting that voters needed to be able to check their votes had been accurately cast for them to have confidence in the system. Unfortunately the time limitations and non-technical nature of audience did make it extremely hard for him to convince listeners that his technology could in fact do all that was necessary. As a result he brought into service the analogy of aircraft and flying, whereby most are happy to fly even if they don't understand how modern airliners work. Mr Adler argued that in the same way as for flying, voters would be comfortable using a voting technology they didn't understand. And thus Sir Arthur's wise words began to exert themselves.

Speaking against the motion I was happy to agree with my opponent's views of what should be required of ballots, but keen to disagree that the technology could meet those fundamental needs. Before delving into technical issues, it is vital to highlight why voting is important. Unless we accept that votes are the key to legitimising representative democracy, and thus our governments, then the technology used to cast ballots is of little importance. If there is any doubt over the result of a vote the positions of those elected are undermined. So if e-voting can cause people to question election results the risk is that internally and internationally our system of government's legitimacy is questioned.

Taking voting to be important then, why can't the technology deliver? Elections need to have certain properties before they are considered to have been free and fair. Votes must be…

· Cast by valid citizens entitled to vote who haven't already cast a ballot

· Secret yet accurately record the voter's intention

· Counted transparently with full scrutiny by all candidates and observers

· Verifiable from end to end in case fraud allegations are made

Unfortunately there are technological difficulties with all these requirements. As the famous cartoon says "on the Internet, nobody knows you're a dog" and so proving voters are who they claim to be is difficult. PIN codes and passwords are easy to break and are susceptible to interception when being posted to voters. Smartcards also have to be posted, need special readers (which most do not have) and would be extremely costly (Ł6 billion initial costs followed by Ł2-3bn per annum if the entitlement card estimates are to be believed). Biometric credentials raise serious privacy questions, pose logistical problems (how do we scan every single citizen's fingerprint?), also require readers to be plugged into computers and are actually quite easy to fool¹. Furthermore if the database of biometric data was ever compromised it would have to be discarded - we cannot issue new fingers to everyone as we can with passcodes, thus if we suspect someone has illegally accessed the fingerprints they become useless.

Keeping a ballot secret when voting from home is a serious issue, opening up problems of family voting, vote selling and so on. There are also technological issues, as unlike e-commerce, we need to keep the voter's identity separate from the vote in the database, an extremely hard technical problem. Even if we keep the vote secret we have a trust problem - how can we be sure that when a voter clicks 'Party A' that this is indeed what is stored on the server and not 'Party C'? There are no simple answers, particularly when transmitting over the Internet, which is a rather unreliable medium.

Scrutiny and verification are also very problematic when votes are just electrons sitting in a computer. Returning officers, candidates and independent observers are unable to understand the workings of the system and so just read numbers displayed on a screen. Recounts are useless in e-votes, the same numbers will always appear whereas with paper ballots different tellers can be used, everyone can check that ballots are properly allocated to piles and so on. To most the technology for Internet voting is indeed like magic.

This is a most undesirable situation for voting, which effects us all. The worst-case scenario is that a rogue nation, terrorists, criminals or a party alter the results of an election without anyone ever knowing. And because the technology is opaque (as so few understand it, let alone are allowed to see it by the vendors keen to protect their interests) this scenario becomes increasingly likely. While there are flaws are in current voting systems, the logistical problems in mass paper-based fraud make it difficult to throw anything but the closest of elections, whereas one attack on an electronic system could change one or a million votes with the same ease. The more measures we put in place to try and detect attacks on systems, such as logging all activities on the system, the more we compromise the crucial anonymity of voters.

As Finagle's Law of Dynamic Negatives states "anything that can go wrong will". e-Voting is a complicated technology which few understand and even fewer can truly scrutinise, if they were allowed to. Internet voting doesn't solve the most pressing problems in elections - voter authentication and turnout - and it doesn't seem to be delivering the expected benefits, such as lower costs; the pilots in Sheffield (according to Richard Allan MP) cost Ł55 per head!

After excellent discussions from the floor, some wonderful emailed questions and two rounds of summing up, the floor voted and rejected the motion. It seems that voters are beginning to realise that instead of risking the legitimacy of our democratic system with expensive technology we should, like with GM foods, take the opportunity to say 'No' before it's too late. The costs to taxpayers and risks to democracy just aren't worth it.

Jason Kitcat (jeep@free-project.org) is founder and co-ordinator of the free e-democracy project. The arguments for and against e-voting can be explored in full at http://www.free-project.org/learn/

¹ A scientist in Japan used gelatine to make an impression of his finger and successfully spoof a wide range of 'foolproof' biometric systems. See: http://www.counterpane.com/crypto-gram-0205.html#5 and T. Matsumoto, H. Matsumoto, K. Yamada, S. Hoshino, "Impact of Artificial Gummy Fingers on Fingerprint Systems," Proceedings of SPIE Vol. #4677, Optical Security and Counterfeit Deterrence Techniques IV, 2002