Wednesday, November 30, 2022

VVPAT doesn’t guarantee free and fair elections

“Those who vote determine nothing; those who count the votes determine everything”Joseph Stalin

Fearful that those who vote in the 2019 may, in a Stalinist sense, determine nothing, the Umbrella for Democratic Movement (UDC) is ratcheting up its campaign against the planned use of electronic voting machines in that election. UDC insists that if EVMs are to be used, there should be security safeguards in the form of the Voter Verifiable Paper Audit Trail (VVPAT). The latter is basically a manual audit capacity that produces time-stamped paper audit trails that permit the reconstruction of an election’s results ÔÇô including matching voter names to actual votes.

“EVMs are banned in some countries, including in Germany, Ireland and the Netherlands. In India, the Supreme Court has ruled that the use of the EVMs is unconstitutional if it is implemented without a Voter Verifiable Paper Audit Trail,” reads a letter that UDC’s Secretary General, Ndaba Gaolathe, has written to foreign governments to get them to dissuade the Botswana government from using VVPAT-less electronic voting. 

However, there is a major problem that UDC leaders may just not have wrapped their minds around: VVPAT compromises the integrity of the secret ballot and can itself be manipulated to produce false results.

In jurisdictions where VVPAT has been used (like the United States), there have been complaints that it necessarily makes a secret ballot less secret. In the state of Ohio, those who petition election result obtain two crucial documents: a list of voters in the order they voted and a time-stamped list of the actual votes. Petitioners are given two pieces of paper which they merge and by doing so, can see who voted and how. The problem with this is that someone with access to this information (and malicious intent) can easily correlate this data for extra-electoral purposes. In the particular case of Botswana, some people have become filthy rich on the basis of their patronage of the Botswana Democratic Party. If the BDP suspects that someone who benefitted from lucrative government tenders is a closet opposition sympathiser, it could access VVPAT data to get the answer and thereafter exact revenge.

Despite all the impossible claims that government officials have made about EVMs being impossible to hack, the reality is that no computer system is secure. At a time that Russian hackers are alleged to have hacked much more sophisticated computer systems at the headquarters of both the Democratic and Republican parties, Botswana’s Independent Electoral Commission wants citizens to believe that its EVMs are tamper-proof. Use of EVMs in the 2000 US presidential election led to large-scale irregularities and some First World countries (like Germany) have banned them precisely because they can be easily tampered with. A Netherlands TV station aired a documentary showing how easy it was to hack EVMs that were about to be used in the country’s general election, prompting the government to withdraw the machines and revert to paper ballots. After spending close to US$75 million on these machines, Ireland scrapped them upon the discovery of their manipulability.

Some ÔÇô like UDC, have proposed VVPAT as the solution but there is scientific evidence that argues otherwise. David Dill, a professor of Computer Science at Stanford University in the United States found that the introduction of malicious software into a VVPAT system can cause it to intentionally misrecord the voter’s selections.  Another American, Michael Shamos, has dealt with VVPAT issue much more broadly. Shamos is a Distinguished Career Professor in the School of Computer Science at Carnegie Mellon University, has served as an expert witness in more than 160 cases involving computer technology and since 1980, has conducted over 120 voting system examinations for seven states. Shamos finds VVPAT to be a “first crude attempt” to provide verifiability at the expense of security, secrecy, usability and reliability. At worst, Shamos says VVPAT can introduce inaccurate or misleading information that might reverse a legitimate result from a direct recording electronic voting device ÔÇô or DREs as Americans call EVMs. “In addition, introducing or emphasizing the audit trail expands the attack surface for those inclined to nefariously influence the electoral outcome,” he asserts in one of his writings.

One such is an academic paper titled “Paper v. Electronic Voting Records ÔÇô An Assessment” and in it Shamos observes: “It is alleged that adding a so-called “voter-verified paper audit trail” to a DRE machine will either permit tampering to be detected or at the very least will provide a reliable record of how each voter voted that can be used for a recount, even if the recount must be conducted by hand.  This is incorrect.”

Laying out the case for such incorrectness, he points out firstly, that the “only voter-verified part” of VVPAT is providing assurance to the voter that his or her vote was initially captured correctly by the machine.

“The paper trail provides no assurance at all that her vote will ever be counted or will be counted correctly.  The reason simply is that the paper trail itself becomes insecure at the moment of its creation,” Shamos says.

Secondly, he asserts that if the machine cannot be trusted – which is the working hypothesis of the desirability of the paper trail, then it cannot be trusted to deal with the paper trail safely: “After the voter leaves the voting booth, it can mark her ballot as void and print a different one. The voter will have left the booth believing not only that her vote was cast and counted properly, but that it will also be counted properly in any recount.  None of these beliefs is correct.”

The physical constitution of the paper trail presents the third layer of difficulty. It cannot be on a continuous roll of paper since that would permit reconstruction of each voter’s ballot based in the order in which votes were cast. 

“Therefore, the paper trail must consist of separate pieces of paper.  However, once the pieces of paper are separated, the integrity of the trail is lost.  Looking at a piece of paper, we will not be able to tell for certain where it came from.  Stuffing and all other paper ballot tampering methods then become possible,” Shamos writes.

Fourthly, adding a paper printing device to an EVM adds another component that can fail, run out of ink, jam or run out of paper. Lastly, Shamos found that the presence of the VVPAT mechanism increases the load on the EVM’s power supply and processor and itself increases the probability of failure.

If what Shamos and Dill say is accurate, UDC may be digging a hole for itself. If there is criminal intent on the part of the government as has been alleged, it may ÔÇô having learnt of the VVPAT weaknesses – cave in to UDC’s demands, knowing full well that it will exploit those weaknesses in an election.


Read this week's paper