Lessons From the Papal Conclave About Election Security

Hugh Pickens writes "The rules for papal elections are steeped in tradition. John Paul II last codified them in 1996, and Benedict XVI left the rules largely untouched. The 'Universi Dominici Gregis on the Vacancy of the Apostolic See and the Election of the Roman Pontiff' is surprisingly detailed. Now as the College of Cardinals prepares to elect a new pope, security people like Bruce Schneier wonder about the process. How does it work, and just how hard would it be to hack the vote? First, the system is entirely manual, making it immune to the sorts of technological attacks that make modern voting systems so risky. Second, the small group of voters — all of whom know each other — makes it impossible for an outsider to affect the voting in any way. The chapel is cleared and locked before voting. No one is going to dress up as a cardinal and sneak into the Sistine Chapel. In short, the voter verification process is about as good as you're ever going to find. A cardinal can't stuff ballots when he votes. Then the complicated paten-and-chalice ritual ensures that each cardinal votes once — his ballot is visible — and also keeps his hand out of the chalice holding the other votes. Ballots from previous votes are burned, which makes it harder to use one to stuff the ballot box. What are the lessons here? First, open systems conducted within a known group make voting fraud much harder. Every step of the election process is observed by everyone, and everyone knows everyone, which makes it harder for someone to get away with anything. Second, small and simple elections are easier to secure. This kind of process works to elect a pope or a club president, but quickly becomes unwieldy for a large-scale election. And third: When an election process is left to develop over the course of a couple of thousand years, you end up with something surprisingly good."

This is blindingly obvious

[Chrisq]

Anyone who has had a group of friends vote on whether to eat Chinese or Italian knows that a group who all know each other can hold a secure vote immune from multiple votes or outsiders voting too. Its also obvious that this is not scalable beyond a group in which everyone does recognise everyone else

Re:This is blindingly obvious

[bondsbw]

Elections for high office should always be completely verifiable, and the identity of those who cast their ballot should be without doubt. In my opinion, the verification process for very important positions should be automatic and involve multiple competing groups.

Absurdity at its best

[cellocgw]

OK, step back. Take a deep breath. The pope is sort-of oughtta be elected on the basis of what the Catholic god (or maybe Jesus, it ain't clear) tells the cardinals is the right choice. So how the fuck could a vote that's determined by the Almighty(s) possibly be rigged by mere mortals?

Lobbying, Bribery, Extortion, Persuasion.

[mrthoughtful]

Why focus on the voting mechanism? It's like testing the quality of a democracy by looking at the voting procedure in the house of commons. The weakness, as is always the case, is human accountability. This is just as true within a theocratic oligarchy as it is within a representative democracy.

Anyone who thinks that powerful interests have no sway in the election of a pontiff is uneducated in history and blissfully naive.

Re:Absurdity at its best

[Anonymous Coward]

Same reason the Popemobile involves bulletproof glass.

Re:This is blindingly obvious

[Anonymous Coward]

It is astounding how many people don't understand the simple paper ballot voting system as it is still applied in many countries and hopefully will for a long time to come. It is based on the same principles as the papal vote, or actually the other way around. The most important aspect is that of public observability of all but the single secret aspect that exists in a proper election, and that single aspect is still completely observable by the person currently voting.

This scales up to millions of voters by distributing the process such that partial results and their propagation to higher levels are observed by local competing groups, and not only isn't electronic voting helping, it's actually destroying the very core of this protocol: The observability.

Re:This is blindingly obvious

[starworks5]

If the pope is the representative of god on earth, I am assuming that the cardinals are all praying to god for guidance, therefore there shouldn't be any competing groups, assuming that we can verify that god exists.

You're looking in the wrong place

[Arancaytar]

Elections like this don't get manipulated during the ballot-casting, because they're not decided during the ballot-casting. Just like the decisions of a legislative body, the vote itself is merely the result of a ton of secret politics leading up to it.

Re:This is blindingly obvious

[Minupla]

The problem with this and most similar schemes is it allows you to sell your vote.

The thing that protects against vote selling is the difficulty of proving that you were faithful in your execution of the agreement. If I pay you 10$ to vote for the great flying spaghetti monster, I want to know you did in fact vote as instructed, and not for the lazy ravioli monster.

The inability to verify a secret ballot is a feature, not a bug.

Min

Not unusual [Re:Doesn't Scale]

[Geoffrey.landis]

As Mr. Schneier points out, this doesn't scale. There is no way you could do a US Presidential election this way.

This is not unique, not even very unusual. What we are seeing here is members of a parliament voting for a prime minister. That happens in a hundred places across the world. Why doesn't Schneier analyze whether you can "hack the vote" in the House of Lords?

If you do want to compare it to the US, this compares to a vote in the Senate, and is somewhat much smaller than a vote in the House of Representatives.

Re:Exciting news

[Eunuchswear]

Well, about a billion actualy.

But you're only a few orders of magnitude out.

Re:Absurdity at its best

[Turminder Xuss]

Or church steeples have lightning rods.

Re:Its racist

[Anonymous Coward]

Nice try. When you can come up with an intellectually honest answer as to why voter ID laws always seem to specify types of IDs that non-Republican voters tend on average to be lacking in greater quantities I might even buy it. A citation for Mother Jones saying that this "never actually happens" wouldn't hurt either. The position on the less right wing side in this country, which has always lacked a definable left wing by world standards, is that voter fraud is so statistically rare as to defy the amount of resources right-wingers seem to want to use to fight it. There is no credible evidence which refutes this.

There is an avalanche of evidence and CONVICTIONS for multiple votings, fraudulent registrations, and the like. ACORN registered Mickey Mouse, and voting records showed that he voted.

Mother Jones' assertion that it costs hundreds of dollars to get ID is bullshit. I have done it recently, it is nowhere near the expensive. MJ is cherry picking by getting the most expensive documents in the most expensive states. You will have a BC/COLB unless your parents were retarded and threw it out or you were unlucky and lost it in a fire/flood/whatever. Replacements are non-free but they are cheap as BCs never expire so it is a once in a lifetime fee ($45 here). BC gets SS card. BC + SSN gets state ID ($25). If you can't come up with $25 once every 5 years you're street homeless and have bigger issues than not being able to vote.

Re:Its racist

[pla]

When you can come up with an intellectually honest answer as to why voter ID laws always seem to specify types of IDs that non-Republican voters tend on average to be lacking in greater quantities I might even buy it.

You mean, something so rare as a "Driver's license"? Or a free (to the poor and elderly) state-issued ID card as an alternative? Yep. Clearly racist, right there. Everyone knows minorities don't drive, fly, buy cigarettes, buy alcohol, use credit cards, use checks, or visit certain federal buildings.

Seriously, how does anyone (retirees aside, but they had to have made it through the rest of their life to get that status) manage to live in the modern world without a license or ID?

Re:Its racist

[pla]

This is not as rare as many people might like to think - it's been a fact of recent civil wars in my lifetime, that one side systematically destroyed all birth records of the other.

We, uh, haven't had a whole lot of civil wars in the US since the birth of anyone currently living here. Yes, we've all heard about the sisters from middle-of-nowhere Appalachia who never left their home valley for their first 40 years of life and now can't prove themselves as US citizens. And yes, I'd still have to call that pretty damned rare.


Their lives are already greatly limited and with the aggressive work of republican groups screaming about vote fraud, we can ensure that they lose even the right to vote in our lifetime, since they certainly would have voted democrat anyway.

Does that bother you? I mean, that people (on both sides of the aisle) automatically assume voter ID laws disproportionately affects Democrats? It basically shouts to the world, "We have such a strong association as the party of complete losers, of illegals, of 3rd gen welfare dynasties, that we just assume all the human trash in our society will vote blue".


And FWIW, I don't vote red. You can't just assume that everyone belongs to the GOP who happens to believe we should verify citizenship before allowing people to exercise the core right of that citizenship. That everyone who believes in fiscal responsibility sides with the misogynistic religious whackjobs on the right. That "I disagree with you" automatically makes me a member of "the enemy".