differences between votes and financial data

Our world if so full of computers and electronic devices that it comes natural for us to think they might be used for elections too. After all, isn't voting a mere transaction by which we simply add 1 to the electoral "balance" of our candidate, just the way we add money to someone's bank balance when we use our credit card?

Unfortunately votes and economical data largely differ in the level of the secrecy they require thus we can't use the same techniques to process both. In fact:

• financial data can be kept secret to people not involved with them, but are well known to payers, intermediaries, and payees. Financial data are in someone's name: when we pay by check, bank card or credit card, accounts are generated (receipts, debits, credits, orders) in which our name (or our code number) is specified along with the amount paid. Specifically because economic transactions are in someone's name, they can be verified and checked. Receipts can be given to payers so that they can verify their own account.
• votes must be secret from everybody since democracy requires absolute vote secrecy. Each vote must be known only to his own voter (the payer) and unknown to all the others, particularly to the electoral service (the intermediaries) and candidates (the payees).
  Electors can't be given any "receipt" stating how they voted since:
  • people could be encouraged to sell their own vote because they could demonstrate whom they actually voted for.
  • such a "receipt", whichever media could be made of, could be used as an illicit way to know people's electoral preferences: not only employers could discriminate among employees according to what they voted for, but gangsters could verify if people really voted as ordered!
  We can't permit electors any verification of the vote stored in their behalf for the following reasons:
  • a link between each vote and its elector should be stored somehow somewhere and this is obviously dangerous for vote secrecy.
  • even if we could find a safe way to allow voters to verify the vote stored in their behalf, we couldn't trust their verification since they might be under illicit pressure to confirm or deny such vote, they might have changed their mind, or they might simply wish to mess election up!
  In any case, the verification that a vote has properly been stored doesn't imply it has also properly been counted up.

There is another difference between financial data and votes: the balance of our account depends only on our transactions, while the "balance" of the election (who wins) depends on the votes of millions other people, thus checking and verifying only our vote don't help much. We can say that financial transactions are 1:1 relationships while electoral transactions are 1:N relationships.

if our bank would record only anonymous data

Let's imagine that our bank starts recording all its economical transactions in a completely anonymous way and thus not any transaction is referenced to us (nor by our name, nor by any secret code). Let's also imagine we have no idea about our monthly earnings, nor about the telephone bill, the insurance bill, the tax bill and so forth and that all our incomes and outcames are automatically accounted to and from our bank account without any notice to us! Let's suppose we are told by the bank itself how much money we have left only at the end of each year!

It's even difficult to image a situation like this one! It would be a real nightmare since it would prevent us from checking the fairness of the bank and from questioning the settlements of account even if the bank boasts about its honesty and accuracy of procedures and technical means.

I'm sure none of us would like such a situation: better entrust our money to another bank!


And yet with electronic vote we find the same inacceptable situation as with the bank. In fact vote procedures must not memorize anything that can relate the vote to the voter, this we want because we want the vote to be anonymous. But without such records how will it be possible for us to check the fairness of the results?

In order to accept electronic vote is necessary an act of absolute faith in the procedures, in the technical means and in the honesty of people and services who actually owns and manage the computers carrying out the counting (exactely like in the above example of the bank).

And we cannot relay upon the hope that special technologies will be used in the electronic vote: procedures and technical means of the electronic vote are simply those already used in any bank: programs, computers and data tranfer lines.

votes must be tangible human-readable objects

The only way to realize the absolute secrecy required for voting is to use anonymous votes. Thus votes can be:

1. anonymous records
   The following is an example of anonymous record: an unknown lady likes black roses.
   Since only the lady herself could confirm she likes black roses, we should ask her to know if the above sentence is true. But we don't know who she is, so we can't confirm, nor deny, she likes black roses.
   Having no references to external entities to check with, we can decide to trust or distrust anonymous records but for sure we are not able to verify their truthfulness.

   By the way, anonymous records are unusual in the real world; to be honest it's even difficult to imagine human activities in which files of anonymous records are useful.

   Files of cast votes must be made of anonymous records, to ensure that nobody will ever be able to identify what each voter voted for. Thus for each cast vote, electoral files can have the following information:
   • the name or the code of the chosen candidate or party
   • the name or the code of the polling station where the vote has been casted
   • the serial number of the voting machine which casted the vote
   • ... other info BUT anything which could ever link to the identity of the voter.....

   Thus electoral files will contains info of the following kind: an unknown elector casted his vote for candidate "A"
   It's easy to see that in the above situation no votes verification is possible since each vote could be verified only by the one who casted it, but nobody knows who he is! The above statement is true whichever techniques are use to collect and store votes: we can use criptography, secret passwords, special networks, Mathematical Voting Systems and any other techniques, but at the end of the story all we have is always an anonymous file as the one described above!
   All we can verify is that the final result of each candidate is actually the sum of his/her recorded votes, but this is not a real verification since it doesn't ensure that recorded votes store the actual electors' choices.
   We can't verify the truthfulness of electoral results based on anonymous records.

2. anonymous physical objects
   Obviously we can verify the number of anonymous physical objects thus we can verify the truthfulness of electoral results based on them.

Democracy also requires electoral results to be verifiable, thus we can't use anonymous records as votes since can't be verified.

In Democracy the term "verifiable" means "verifiable by the common people", thus we can't honestly think a string of bytes recorded on some electronic media as a physical object because it can't be directly verified by any human being.

votes must be anonymous human-readable tangible objects
collected, transmitted and tallied up publicly.

It is not by chance that democracies have always used ballot papers and public electoral procedures!

who owns the computers can alter any data they contain

Computer security is worldwide intended as a protection setup by the owner of the systems against external attacks and attackers. In fact it is well known that there is little to do if the "falsifying agent" is who owns the computer since, having complete control over the computer, he can alter, modify and delete any data and program it contains.

We can invent all the passwords, PINS, codes and security procedures we like, but who owns the computer will always be able to modify, cancel and add any data and program memorized on his computer!

In real world, were transactions and data are not anonymous, security "against" the owners of computers is obtained verifying the data they store with some other data out of their reach (paper receipts, data stored on computers belonging to another bank...).

In the "anonymous" world of electronic vote we can't have any external references for verifying recorded votes and thus we don't have any protection against fraud made by the owner of the computers used for voting.

This problem is very well known to be insoluble and nobody has even tried to solve it! In fact all the projects and prototypes of electronic voting produced to date have faced (and only partially solved) the problems of voter identification, privacy of the vote, and falsification of the data by external agents, but they have ignored the problem of the owner's dishonesty!

My 20-year experience as a systems manager working also in the field of security convinces me that the results of an electronic vote can easily be changed by whoever is running the system and no-one would have the slightest chance of finding out.


In the case of the electronic vote for political elections, the government will decide who will manage the computer and therefore, without fear of discovery, can alter the election results.

e-vote results can't be verified

With the aim of overcoming the fact that results of electronic elections are not verifiable, some people suggest a couple of (supposed) solutions:

1. Voter Verified Balloting
   The concept of Voter Verified Balloting was created by Rebecca Mercuri.
   VVPAT is the acronym of "Voter Verified Paper Audit Trail" and VVBP is the acronym of "voter verified paper ballot". The terms are equivalent and refer to a kind of "vote receipt" printed by an electronic voting machine that shows the elector his/her vote as it is being entered into the electoral system. The voter must be required to perform an action that confirms that their choices have been recorded correctly on the paper, hence making it a verified (rather than just "verifiable") ballot in a legal sense. The VVPAT/VVBP is kept by the election official, as the record of votes cast, for audit and recount purposes. Verification of a small percentage of VVPAT should to be activated when elections are close.

   I see the following points about VVPAT:

   • the winner of the election is decided in the first count (probably the only count) which is based on electronic votes. Infact VVPATs are counted in the second count (recount or audit), but this rarely happens thus VVPATs will most likely not be used or counted. You are able to view the Paper Audit Trail, and make sure it is correct. You have no way of knowing what your electronic ballot says. You can feel relatively certain that if there is a hand recount, your vote will be counted properly. But since hand recounts are very rare, when you look at that piece of paper, you are not actually verifying your vote. There is still nothing to verify that your actual vote was correct.
   • VVPAT recounts shouldn't occur only when elections are very close.
     Infact where deliberate fraud does take place, the magnitude of the fraud may not be small. And also the magnitude of accidental errors may not necessarily be small. Thus fraud and errors can produce very different results. Unfortunately many people, and state laws, only want recounts to be conducted when elections are very close. It seems that people are willing to do recounts in the case of small accidental errors but not to detect fraud or large errors!
   • it is not possible to make a statistical "recount" of VVPATs by manually counting a small percentage of them and seeing if the result is more or less the same as the electronic one. Infact, as candidates of USA-2000 election well remember, elections can be very close and so a precise count of all the VVPATs could be necessary. Some legislations require a little 1% recount to validate electronic results!

   Thus VVPAT can't be used to verify electronic electoral results unless they are all counted. But if we really print and count VVPAT for each casted vote then we simply run a paper election which ballots are printed by machines instead of being hand written by electors!

   • we double the efforts of each election, which is now made of an electronic one and a paper one
   • we greately increase the election cost (try to imagine how it costs to buy and maintain a PC in each voting boot, plus the software, plus the network apparatus and lines, plus the high-tech skill involved, ... and compare it with the cost of ballot papers and pencils!)
   • we know from the beginning that the official result will always be the one coming from the counting of VVPATs. Infact we use them to confirm electronic results, thus in case of discepancies they surely win. Thus, what for do we also run an electronic election?
   
    
2. Electors' verification of their recorded vote. If each elector could (and would) verify the vote recorded on his behalf is really the one he cast, then we would verify the correctness of the election's result. I think such a result's verification is impossible to realize since:
   • all the electors should verify their own vote simultaneously at the same time in which a (proven error-and-fraud-free) tally is executed to produce the final result. If the counting would not occur in the same moment while ALL the votes are being verified, we could not have the prove votes being properly tallied up: it's a joke to program any computer to show to an elector his true vote and then not taking it in account during the count.
   
   Furthermore, we can't build any system allowing people to verify how their votes have been recorded because:
   
   
   • votes would be no more anonymous since voters could be tracked (otherwise we couldn't know who can verify them).
     We would miss the anonymity requirement due to the possibility to link a vote with its voter. It is not enough to say that the "key" to make such link might be only available to the elector himself. In paper ballots such key doesn't exist at all! Anyway, even if we could find a safe way to allow voters to verify the vote stored in their behalf ...
   • there is no way to know if a claim of error would be honest
     We know electors can't be given (for their own sake!) any "receipt" stating how they voted, and thus there is no way for them to prove, if it is the case, the vote stored in their behalf is not the one they really cast.
     Even if it would exist an algorithm allowing the verification of the recorded votes without breaking their anonymity, it should be used with great care. In fact it would in any case show the electors how their vote has been recorded and thus it would be much like as they were given a receipt of the cast vote. But vote "receipt" can't be used!
   • we must have options in case such verification fails
     Any verification process must have at least two options to be taken upon its result: if the prototype of the new car is properly working we start producing it on large scale, but if such verification is negative we don't.
     But what could we do if somebody claims his vote to be erroneously recorded? There would be no prove pro or against such claim; should we change the result of elections because of it? Electors might even change their mind, what should we do if half a million people request to change their vote? Should we allow it? Will the pro tempore winner agree?
     Electronic voting's verification is quite a strange process: regardless how it goes, the election's results are in any case confirmed! We didn't notice it but we entered a logical loop:
     1. due to the large interests moved by elections (we talk about ruling people and nations), we want electoral results to be verifiable.
     2. we want to use electronic vote and find out the only way to verify the final result is to verify each electors' vote.
     3. discrepancies between recorded votes and what electors claim they cast cannot be proved, thus we can't modify the result nor cancel an election simply because (few?) people claim vote have been falsely accounted for.
     4. not permitting any changes we act like if results were error-free and fraud-free and thus we could blindly accept them. This is an obvious contrast to the starting point 1)
     If anybody can honestly say elections results' don't need any verification, please go to e-vote otherwise go back to point 1)

These are in fact the procedures adopted to date by all the liberal democracies; a written vote in secret on an anonymous ballot-paper that is first mixed with hundreds of others and then counted in public together with the others. In this way the ballot-papers are tangible, legible to the naked eye, anonymous and durable in time. They are also verifiable later. The counting procedures, if public control is effectively carried out, guarantee that all the ballot-papers of a polling station are correctly interpreted. In this way, the electors are certain that their own vote has been correctly counted even though the anonymity of the ballot-papers does not allow the identification of individual votes. The results of the count at every polling station are numbers visible to the naked eye and, being public, also the counting procedures are verifiable by everyone; even the sums at the various levels (local authority, province, region/state and nation) can be verified.
The public and repeatable procedures and votes that are tangible objects, like the ballot-papers, constitute the only system that can guarantee anonymity and assure the correct counting of the votes.

e-vote results can't be certified

In the aim to override the matter of fact that e-votes results are not verifiable, some people suggest they could be "certified" that is not verified but only declared to be trustable or not, according to some info. We could safely accept certified results. There are plenty people claiming they are able to certify electronic elections' results provided we buy and use their software & hardware.

Unfortunately, we know very well that from the beginning of history men do the worst things to get the political (and thus economic) power. That's why the aim of any electoral mechanism should be to provide results that are in accordance with the will of the electorate, not to the will of those who manage the elections!

In elections errors and fraud cannot be detected from the fact they produce wrong results (as, on the contrary, it happens in most human activities), since correct electoral results are obviously not known in advance. Thus, the only way to certify an electronic electoral result is to ensure that the whole electoral process (machines & humans) is properly designed and built and that it has run without any problem in each part all the time until the end of all electoral activities.


Furthermore, we must not forget that even a perfect electoral mechanism can guarantee true results only if those who manage it are 100% honest!

In any case the process of certification, being very technical and complex, cannot be done by the public (as it happens for the counting of ballot papers), but only by experts in computer science and communication. Public opinion, in the lack of any tangible proof, has to trust their words and thus blindly accept their certification (obviously hardware & software vendors forget to say that).
Mistakes and/or fraud can be detected by public opinion only if results are evidently wrong: as single candidate getting 99% of the votes, or cast votes being more than electors. But, in case of tampering, nobody would give the public such evidently wrong results.

As things stand, we could contract the entire electoral process to someone we trust. A limited group of technicians could control the programs that produce the election procedures and the count, but that would certainly not be democratic monitoring, completely free of suspicion of pressure or illicit interest. In real life elections, governments entrust the control of elections to a company that lives on their contracts (usually the same company that produces e-vote equipment).

We would like to trust our government during elections, but we mustn't forget that democratic monitoring of the election process should be directed mainly not at individuals who might vote twice, or modify, or cancel a few ballot-papers in a few polling stations, but principally at the governments. They, in addition to having an interest in falsifying election results to their advantage, have the technical means, human and economic to do so, if public opinion cannot or will not exercise control.


Can we rely on their honesty in deciding who is going to rule over countries and million people, without even the possibility to be contradicted?


N.B. ENRON's fraud has been discovered because money is a physical and traceable object and thus investigators could find evidences of illicit transactions. On the contrary investigators can do very little about e-vote fraud since the only proof of elector's intentions are the recorded votes which, being unverifiable due to their anonymity, could already have been tampered with.

the 1:N electronic voting scheme

Electronic elections implement the 1:N relation scheme where 1 stands for the electoral service and N stands for the electors which, one by one, cast in secret their votes directely to 1. At the end 1says who got more votes. Nobody, not even the electoral service, can know who voted each vote. Votes are anonimously collected, stored and counted by means of electronic devices.

It easy to see that in the above conditions the results of the 1:N relation scheme are absolutely UNVERIFIABLE because 1 can announce any result and nobody can prove it is right or wrong. Let´s just take an example:
the very large building where you have your apartment, needs some maintenance. The chairman of the committee of apartment-owners in the building will benefit particularly by the work to be done and he is in charge of the ballot to approve the work and the expenses. We want the ballot to be secret, and he suggests to do as follows:

• The chairman 1 stays at home
• Each of the apartment-owners N calls the chairman using the building entry-phone and declares his/her vote to him
• At the end the chairman 1announces the results.

It doesn´t take much to imagine that the chairman 1 could, perhaps, announce a decision that is the best option to himself. And no-one could ever prove that what was announced was not the truth. The chairman might even be able to recognise who voted for what by voice.


With the electronic vote in politics, instead of the chairman above, we have:

• an electoral organisation 1 equipped with a central computer which manages the voting procedure
• Each of the N electors who expresses its wishes by pressing a key or a touch screen on a local computer linked to the central machine over a network.
• At the end the organisation 1 announces the results.

The organisation plays exactly the same role as the chairman above: being an entity of the government of the day or a paid contractor (hoping for future contracts) the organisation has an inbuilt interest in the result.

• in ballot paper elections the public counts votes and declares the result of each ballot station
  leaving to the electoral service the mere role of tallying them up.
• in electronic elections the electoral service "counts" votes and declares results
  out of any democratic monitoring

For the sake of completeness we have to know that
In the above 1:N example only the chairman can act incorrectly; however, in a real voting situation we should use elecronics and computers to connect the N voters to the 1 electoral service. In such a situation even outsiders can interfere with the result or can identify the voters. It is technically possible to fraudulently act at every level of the electronic polling mechanism: at the local computers in the polling stations, during the transmission of the votes to the organisation and at the central computer itself.

Thus in the elecronic vote many people and organizations can

• alter recording of votes
• falsely identify themselves and vote for others.
• record the name (or an identifier) of the voter beside each vote

Much worse, if the network involves the Internet! This because all the problems described above become enormously more difficult to control if the network used is the Internet since attacks on the system could come from all over the world (e.g. viruses, Trojan horses, etc.)
Some very optimistic people suggest to vote from home without going to a polling station. This is the worst kind of electronic vote since, in addidion to the risks of the electronic vote and those associated with the Internet, it gives the possibility a person´s vote might be expressed under duress, with gangsters actually standing behind the voter. In some regions of the world this would be a real possibility.

Some other people suppose electoral results to be implicitly correct since votes are collected, stored and tallied up by means of computers. This is absolutely false because who owns the computers can alter any data they contain.

voting computers are unnecessary

Computers are marvellous machines that are necessary for carrying out complex tasks where speed and/or computational power are very important. Computers are used in image recognition, the guidance of missiles and airplanes, surgery robotics, the management of nuclear power plants, the management of the worldwide telephone network, hurricane forecasting, etc, etc.

But in elections we simply need to tally-up votes, that is to count 1 + 1 + 1 ... + 1. I wouldn't say we need the power of computers to do such an addition! Neither do we need the speed of computers because it is perfectly acceptable to have electoral results in a dozen hours time instead of a few seconds. Thus, the use of computers in voting is not only dangerous but also unnecessary!

Thus, we can use computers everywhere except elections, but we don't have to worry: mankind has a very good chance of surviving just the same!

technology can help paper voting

We have demonstrated that, for elections to be democratic and verifiable, ballot papers must be used and computers avoided.

But this doesn't mean we can use no technology at all! Infact both the voting and the counting of ballot papers can be technologically assisted:

• ballot papers can be voted:
  1. manually (by electors' hands) or
  2. by offline devices which print the voted ballot paper (the real one, not a simple VVPAT) following the directions given by each elector. Such offline devices must be located in the polling stations (for security reasons) and they can use video or audio to help electors with sigth or language problems. Each elector verifies that his printed ballot paper is what he wants and then he places it into the traditional ballot box.
• voted ballot papers can be counted:
  3. manually (by scrutineers' eyes) or
  4. by offline scanners, the so called PCOS

Making election of type 2+4 we use electronics at its maximum, while those of type 1+3 are the traditional electronics-free elections (manual paper ballot voting and counting). Types 1+4 and 2+3 are also possible ways to make safe and verifiable elections.

As shown only a very small amount of electronics can safely be used in elections: just a couple of offline devices are allowed: one for printing votes and another to read them! They can be, and surely they will be, computers. In any case it is extremely important that any device is used offline (not connected to any other computer nor network) because this is the only way we can be sure their results are not fraudulently remote-controlled nor monitored. Please be aware that off-line hardware can be hacked as well, as demonstarted in Optical scan system hacked in Florida

All the computer programs done to improve e-vote accessability can be used with paper elections. The only difference is that the casted votes are to be printed on paper instead of being transmitted to some other electronic equipment, but this doesn't change anything of the action of voting.

e-vote and paper vote not together

Up to now e-vote experiments have all been paired with a usual ballot-paper vote. It has been compulsory to vote also in the old fashioned way since ballot-papers were the official votes for any recount. Thus we can say e-vote experiments are an expensive way to demonstrate how hardware & software vendors are good in producing voting machines.

Pairing paper voting with electronic voting tends towards giving us confidence in the latter. If software & hardware vendors succeed in not having (or masking) problems, in a few years time public opinion will be convinced that e-vote gives the same results as paper elections and thus we'll accept to vote without any alleged useless paper verification.

At that point we'll be in a mess since technology never stops and thus there always will be new software releases, new hardware architectures, new network technologies, new hacking technologies... Furthermore we will possibly have to trust new shareholders, new management and new employees of companies manufacturing e-vote hardware & software.
We will have to passively accept any electoral results coming from such much changed situations because in the lack of old-fashioned ballot-papers we'll have no way to do any "visible" verification.

P.S. In real electronic elections as in India, Brasil and USA there has been no parallel paper vote and infact electoral results has been accepted without any verification.

public opinion and electronic voting

Unfortunately, despite strong opposition from many computer scientists, it seems that nobody can prevent electronic from being used in elections. Of course there is a very strong pressure from voting machines vendors, but the greatest problem is that public opinion, politicians and intellectuals don't realize how dangerous the e-vote is. They do not seem to know that the main aim of present-day verifiable electoral procedures is to prevent Governments from committing acts of electoral fraud. Governments who wants to be re-elected have a motivation to commit such acts and a means of doing that through the handling of the electora apparatus.

Many people, parties, economic groups, lobbies, countries, criminal or terrorist groups would like to have the power given by elections. This is not theory! Power is still the greatest desire for many people: a few months ago in the Republic of Ukraine a politician was poisoned by his opponents. Do you think such people would be incapable of counterfeiting files of anonymous votes?

Opposition against electronic voting goes against our technological trend, and thus it is hard to explain. Nevertheless our society needs to think and argue about electronic voting before it is actually used and some multinational corporation is given the contract to hold our elections and thus the possibility to decide (with no democratic control) our next governors and rulers.

We, the people, must decide what to do with our Democracy: do we want to have to trust unverifiable electronic votes or do we prefer to carry on using verifiable ballot papers and repeatable public counting procedures?

Democracy can't survive the electronic vote because the use of computers actually changes the very nature of voting!

our Democracies are at risk, but not because we use ballot papers!

A prerequisite of any Democracy is that people have full knowledge and understanding of what's going on. In fact people participate in political life by being able to access all the info, the documents, and the news about the country and its government. That is why media must be free and pluralist in Democracies. Voting is only the (recurrent) final act of the people's participation in politics.

Nowadays the real danger to democracies is the concentration of media and economic power in the hands of a few people and certainly not the fact that we use "old-fashioned" ballot papers to elect our representatives.

Thus, it is obvious that we can't revitalize our democracies by simply converting ballot papers into "ballot bytes"!

The fact that e-voting equipments (hardware and software) is under the complete control of a big business is a major threat to our democracies. All over the world e-vote equipment is designed, developed, built and sold by just a few companies, and it is really difficult to know who such companies belong to.

nevertheless they want us to use e-vote

Summarizing we have the following points:

• it is impossible to ensure at the same time anonymity and verificability of anonymous records
• results of the 1:N "chairman" scheme are unverifiable by their nature
• fraud made by the owner of the computers can't be detected
• There are no way to verify results of electronic voting
• There are no way to certify results of electronic voting
• ballot papers elections have properly worked for over two centuries in all western countries

All of them are clearly pro ballot-papers elections and against e-vote!



To fascinate us, the (interested) supporters of e-vote claim to have technological solutions for each of the problems posed by any electoral system,


Due to the enormous political & economical interests elections have, many people, countries, criminal or terroristc groups would like to alter results (and many of them are so powerful to have plenty of chances in succeding). Please read and who is interested in counterfeiting elections?. So, for the sake of democracy, it is extremely important that results of any elections be really those the people expressed by its vote.