ATM Network For Voting: A Non-Starter by David Jefferson

© 2000 David Jefferson

Reproduced under the Fair Use exception of 17 USC § 107 for noncommercial, nonprofit, and educational use.

The suggestion to use the inter-bank ATM (automated teller machine) networks for voting in public elections has been floated in several places recently. From a purely hardware point of view, the ATM network has some very desirable security properties: It is a private, national-scale network, unconnected to the Internet, and thus not subject to Internet-based attacks. The terminals are hardened, and are often equipped with cameras and other security devices for remote monitoring, and hence are resistant to tampering (as befits machines carrying tens of thousands of dollars in cash). They are very rugged and reliable. Many have touch-screens, which allow about the simplest possible human interface.

However, in a number of other ways the ATM network is not appropriate for voting. The first problem has to do with voter privacy, coercion, and vote selling. When a person votes in a private situation (i.e. other than a public polling place) there is opportunity either for the voter to be coerced, or to sell his/her vote. Although we live with this fact for absentee ballots, it is not a good idea to give up entirely on the strongest election security and privacy measure ever invented: the Australian secret ballot system in which people are required to vote alone in the privacy of the voting booth, with public observers to assure that no one accompanies them to influence them.

A related issue is voter authentication. It is not sufficient to simply issue voters ID cards with magnetic stripes so they can authenticate themselves using the ATM's bank card reader. This is a clear case where the requirements for voter authentication are much stronger than those for financial transactions. People are entitled to authorize someone else to use their ATM card, since it is common for people to share access to money accounts. But a voter authentication system must prevent such sharing, even with a trusted person or a spouse, since the right to vote is nontransferable. Furthermore, unfortunately, voter ID cards and PINs can also be sold, opening the door to widespread vote selling. Stronger authentication than the presentation of a card and PIN must be required when there are no election clerks around to take voters' hand signatures (which can be checked against registration records).

By far the greatest concerns, though, with the possible use of the ATM network for voting, are reliability and security. Even assuming we have confidence in our ability to design and build reliable, secure distributed systems in general (a false assumption), an additional fundamental problem arises in contemplating voting over the ATM network: an irresolvable conflict in the need to run two independent secure systems (the election system and the ATM banking system) on the same networked platform at the same time.

An absolute requirement for the reliability and security of any voting system is for election officials to control all of the hardware, software, and networking of all clients and servers, including the operating systems on the voting terminals. (This is the same argument showing why remote Internet voting is today so hopelessly insecure.)

An exactly symmetric argument applies, of course, from the bankers' point of view: the security of the ATM system also rests on the fact that they control all of the hardware, software, and networking of their platforms.

If one tried to run both systems on the same terminals and network concurrently, then either the banking software could act like a giant Trojan horse inserted into the election system, or vice versa. Election officials would worry (rightly) that bank employees or contractors might insert code to undermine the election; and banking officials would worry (rightly) that election administrators or vendors would insert code to steal money! Or the presence of either system might degrade the reliability or performance of the other. It is a practical impossibility to prove that the combined system has no bad interactions, and in general it is simply hopeless to run two mutually-distrusting, mission-critical, high security systems on the same network platform. The situation is made even worse (if that is possible) by the fact that ATM software is totally proprietary; and unless the principle of public source software is established for elections, the same will be true for election software.

The bottom line, then, is that in order to permit secure voting over the ATM network, the (many) network owners would have to be willing to turn it over entirely to election officials for the duration of the election. Since, quite reasonably, the owners are not about to do that even for one day, let alone for enough time to build, test, debug, and certify such a system, the suggestion to use the ATM network for voting is a complete nonstarter.

David Jefferson

Compaq Systems Research Center

(now HP SRC Classic Lab)

Palo Alto, CA


Re: ATM network for voting: a non-starter (Jefferson, RISKS-21.15)

© 2000 Jeremy Epstein

Wednesday, December 20, 2000

David Jefferson's well-thought-out critique of ATM-based voting misses one small but important point. Depending on where you live, it is not necessary to provide any authentication, or even to sign, in order to vote. Until this year, in Virginia all I had to do was state my name and address to the election official, and that was sufficient. Given the number of voters in each precinct (thousands in a presidential election), it's likely that I could have voted several times using a different (valid) name each time. If I knew the names and addresses of people in other precincts, I could therefore vote for them as well.

The law changed this year, and now you either have to present some form of picture ID, or you must sign an affidavit. But they don't have a signature to compare to at the voting booth, so in the best case they find out after the fact that someone voted illegally (but they can't tell which vote it was).

I mention this because all of the discussions about electronic voting (ATM-based, Internet-based, or otherwise) presuppose a requirement for strong authentication. If we're trying to model the paper world, that's not necessarily so. [Recognizing, of course, that there's not enough time to vote 1,000 times in the same day in the paper world, under the assumption that I'd have to rotate between precincts to escape detection, but I can certainly vote electronically 1,000 times in the same day.]

Jeremy

Last modified 6/14/09