Forgot your password?
typodupeerror
Security Government News Politics

Lessons From the Papal Conclave About Election Security 183

Posted by timothy
from the ok-who-dropped-the-black-ball? dept.
Hugh Pickens writes "The rules for papal elections are steeped in tradition. John Paul II last codified them in 1996, and Benedict XVI left the rules largely untouched. The 'Universi Dominici Gregis on the Vacancy of the Apostolic See and the Election of the Roman Pontiff' is surprisingly detailed. Now as the College of Cardinals prepares to elect a new pope, security people like Bruce Schneier wonder about the process. How does it work, and just how hard would it be to hack the vote? First, the system is entirely manual, making it immune to the sorts of technological attacks that make modern voting systems so risky. Second, the small group of voters — all of whom know each other — makes it impossible for an outsider to affect the voting in any way. The chapel is cleared and locked before voting. No one is going to dress up as a cardinal and sneak into the Sistine Chapel. In short, the voter verification process is about as good as you're ever going to find. A cardinal can't stuff ballots when he votes. Then the complicated paten-and-chalice ritual ensures that each cardinal votes once — his ballot is visible — and also keeps his hand out of the chalice holding the other votes. Ballots from previous votes are burned, which makes it harder to use one to stuff the ballot box. What are the lessons here? First, open systems conducted within a known group make voting fraud much harder. Every step of the election process is observed by everyone, and everyone knows everyone, which makes it harder for someone to get away with anything. Second, small and simple elections are easier to secure. This kind of process works to elect a pope or a club president, but quickly becomes unwieldy for a large-scale election. And third: When an election process is left to develop over the course of a couple of thousand years, you end up with something surprisingly good."
This discussion has been archived. No new comments can be posted.

Lessons From the Papal Conclave About Election Security

Comments Filter:
  • by Chrisq (894406) on Sunday February 24, 2013 @09:34AM (#42994913)
    Anyone who has had a group of friends vote on whether to eat Chinese or Italian knows that a group who all know each other can hold a secure vote immune from multiple votes or outsiders voting too. Its also obvious that this is not scalable beyond a group in which everyone does recognise everyone else
    • by bondsbw (888959) on Sunday February 24, 2013 @09:46AM (#42994949)

      Elections for high office should always be completely verifiable, and the identity of those who cast their ballot should be without doubt. In my opinion, the verification process for very important positions should be automatic and involve multiple competing groups.

      • by starworks5 (139327) on Sunday February 24, 2013 @10:05AM (#42995023) Homepage

        If the pope is the representative of god on earth, I am assuming that the cardinals are all praying to god for guidance, therefore there shouldn't be any competing groups, assuming that we can verify that god exists.

        • by jamesh (87723) on Sunday February 24, 2013 @10:27AM (#42995075)

          If the pope is the representative of god on earth, I am assuming that the cardinals are all praying to god for guidance, therefore there shouldn't be any competing groups, assuming that we can verify that god exists.

          I assume this is why they are all looking over each others shoulders too - you wouldn't want to be the odd cardinal out who votes the wrong way, letting on that God isn't in fact guiding him at all!

          To be honest though, I don't believe in God, but if one existed i'd fancy it would be the kind described on Futurama - only helping out when he's sure nobody is looking.

          • by sFurbo (1361249)
            Looking at how the world runs, I would imagine that the only possible god is like Cthulhu: Mad, probably evil, and favoring cephalopods over mammals.
        • by bondsbw (888959) on Sunday February 24, 2013 @10:35AM (#42995107)

          True, and the nature of their electoral process makes it instantly verifiable by all parties. Large elections with anonymous voting and close results can be the target of sophisticated election fraud.

          In American presidential elections, I would like each vote to be anonymous but traceable. You randomly select a ballot that has a randomized code, and tear-off or write down the code. Then, no less than 3 groups should receive every vote (the official ballot counters and the two main parties, and any other groups who wants to tally the results). They would each post a website, or equivalent anonymous function, where you can enter your random code associated with your vote and check for yourself that your vote was transmitted properly (alerting each group when your vote appears incorrect). Then each group would individually tally the votes and confirm the election results.

          • by Minupla (62455) <minupla@gmaiGINSBERGl.com minus poet> on Sunday February 24, 2013 @10:42AM (#42995139) Homepage Journal

            The problem with this and most similar schemes is it allows you to sell your vote.

            The thing that protects against vote selling is the difficulty of proving that you were faithful in your execution of the agreement. If I pay you 10$ to vote for the great flying spaghetti monster, I want to know you did in fact vote as instructed, and not for the lazy ravioli monster.

            The inability to verify a secret ballot is a feature, not a bug.

            Min

            • by rvw (755107) on Sunday February 24, 2013 @10:59AM (#42995245)

              If I pay you 10$ to vote for the great flying spaghetti monster, I want to know you did in fact vote as instructed, and not for the lazy ravioli monster.

              Yeah that ravioli monster should be canned!

            • by Kjella (173770)

              And coercion for example from friends and family. Claiming to not have the code can in itself be grounds for negative reactions or be taken as an admission that they didn't vote for somebody else.

            • by khallow (566160) on Sunday February 24, 2013 @11:53AM (#42995447)

              The inability to verify a secret ballot is a feature, not a bug.

              Until, your vote is not counted as you intend. Then it becomes a bug.

              How about this approach? You case a vote. At that time, a cryptographically strong hash of your vote is made and printed out as a receipt. The raw data of your vote remains with a special ID generated at the time of the vote and tied to that receipt.

              You can query against the data base to generate your hash. If that hash changes, then possibly your vote changed as well. Or a vote tabulator can query against the data base to get how many votes for each candidate.

              But the act of tying a particular vote to particular voters, would require both the receipt and access to the raw data of the database. Similarly, changing the vote tabulation without being caught would require either creating phantom voters or getting hold of those receipts and then changing the vote associated with the receipts you obtain. Neither is impossible, but beyond the reach of much of the would-be vote manipulators out there.

              • The only problem with your plan is that normal people will not every understand it.  And a system which only an elite understands....
              • by Sabriel (134364)

                The problem with your approach is that it works right up until someone, sometime, learns the private key - and then EVERYONE's underwear is instantly on the outside.

                Actually, no, it mightn't work even that long. So long as a bad guy can make enough people believe the key is hacked, true or not, your election can be influenced.

                • by khallow (566160)

                  The problem with your approach is that it works right up until someone, sometime, learns the private key

                  There's no private key with a cryptographic hash. Well, unless someone back-doored it in the first place.

                  • by Sabriel (134364)

                    Doh, sorry. Hmm. What if the villain gets their hands on the hash function, can they generate the hash for "I voted for X" and then see whether or not it matches your receipt? Or do they need more than that? The ID? Which is printed right next to the hash on your receipt so that you can look it up yourself? If I'm understanding you, apologies if I'm not.

                    • by RevDisk (740008)
                      You can hash as many variables as you want. Social security number, date/time, machine ID, election salt, local salt, etc.

                      The receipt you keep isn't important, per se. Assuming it prints an anonymous hash that the election people can use to verify scores, is. And the best way to make it "honest" would be after-the-fact random audits plus regular audits of areas with a history of election fraud. Chicago comes to mind. Said audits would ideally find out how folks cheat in elections, that information could
              • You are playing around with the right concepts.

                What exactly would you be taking a hash of, however, and how would you verify the vote totals? Are you hashing the ballot serial number + the vote? Just because the election authority has published a hash that matches your, doesn't mean they used your vote in the announced total.

                David Chaum developed the punchscan voting system as an end-to-end verifiable election protocol for paper ballots that allows anonymity and verifiability. Scantegrity is a successor s

            • by trout007 (975317) on Sunday February 24, 2013 @12:58PM (#42995789)

              So it's OK for the politician to buy your vote by promising to give you tax payers money but not someone buying your vote using their own money?

          • by sFurbo (1361249)
            I have heard of a better, though more complicated solution: You fill out three ballots, so that the selections you want is marked on two, and the selection you don't want is marked on one (a computer is probably needed to check this). Each ballot have a unique serial number. You hand in all three, and get a copy of one of them (it isn't noted which one). The ballots are counted, and 1/3 of the number of ballots is subtracted from all total. All ballots are made public. Everyone can check the count, and thro
        • by mark-t (151149)
          Nice try, but no. It assumes that God has similar priorities to human beings, like expedience.
        • The papal conclave of 1903 [wikipedia.org] was very contentious. But perhaps you believe that a Jus exclusivae [wikipedia.org] is a form of divine intervention, and not merely Francis Joseph I playing politics.

    • by Anonymous Coward on Sunday February 24, 2013 @10:03AM (#42995013)

      It is astounding how many people don't understand the simple paper ballot voting system as it is still applied in many countries and hopefully will for a long time to come. It is based on the same principles as the papal vote, or actually the other way around. The most important aspect is that of public observability of all but the single secret aspect that exists in a proper election, and that single aspect is still completely observable by the person currently voting.

      This scales up to millions of voters by distributing the process such that partial results and their propagation to higher levels are observed by local competing groups, and not only isn't electronic voting helping, it's actually destroying the very core of this protocol: The observability.

      • Excellent simple explanation of the beauty of paper ballots. In any sensible setting (lacking truckloads of armed goons stealing ballot boxes etc) you can't beat paper ballots and scrutineers overseeing the counting. Plus you can actually go back and recount.

        Of course voting technology is the least of the problems with our current electoral and government systems.
      • by hawk (1151)

        This type of election scales *very* poorly.

        It isn't a single vote, but a series, until someone gets two-thirds (under the newer rules, the super-majority eventually drops).

        And "conclave" is *quite* literal: con clave; "with key."

        This comes from two occasions when the cardinals did not get around to electing a pope, living the good life.

        The people of Rome locked them in a leaky building, sending in only bread, wine, and water until they elected a Pope.

        And there is not, nor has there ever been, a claim that

        • The super majority doesn't drop. The drop of the supermajority is one of the things introduced by John Paul II and removed again by Benedict. His reason for removing it was that any simple majority could simply block the election until the supermajority requirement had dropped, thus making it completely irrelevant. So now a 2/3 majority is needed at all times.

          http://en.wikipedia.org/wiki/Papal_conclave [wikipedia.org]

    • by flyneye (84093)

      I just noticed the article could be describing Capitol Hill. Not so sure this is a very good process.

  • So even in one of the oldest and most conservative institutions in the world, the black guy's votes carry as much weight as the white guys' and they aren't repressed in any way and can post their ballot in a timely fashion?
  • I can't see how their system would hold up when those who don't share the same intrinsic values and contradict the prevailing group think are included in the vote. Oft times with Catholics, as well as other sects, the idea is to fit the data to mold, not the mold to the data.

  • by mbone (558574) on Sunday February 24, 2013 @09:45AM (#42994945)

    As Mr. Schneier points out, this doesn't scale. There is no way you could do a US Presidential election this way.

    I also think it relies some on the autonomy of the Cardinals, which wouldn't necessarily map well to a civil election. Suppose that 100 people got together to elect (say) a town mayor using this protocol, and one of them was the employer of most of the rest. Would this be sufficient to prevent him from influencing or even coercing his employees to vote his way?

    • In some ways the "circle of trust" can be used, and has been used before in elections, but there have to be multiple circles obviously, and many of them are overlapping.

      Its simple as this you live if you in a small city, each person announces their name and vote, members can say "thats not really john smith", and members also keep tallies.
       

    • by Geoffrey.landis (926948) on Sunday February 24, 2013 @10:51AM (#42995203) Homepage

      As Mr. Schneier points out, this doesn't scale. There is no way you could do a US Presidential election this way.

      This is not unique, not even very unusual. What we are seeing here is members of a parliament voting for a prime minister. That happens in a hundred places across the world. Why doesn't Schneier analyze whether you can "hack the vote" in the House of Lords?

      If you do want to compare it to the US, this compares to a vote in the Senate, and is somewhat much smaller than a vote in the House of Representatives.

      • This doesn't quite compare to votes in either the House of Lords or the Senate. I believe that the votes in neither establishment are secret. Both you (as a citizen) and they (as a Lord / Senator) can check the way they voted.

        The Cardinals' vote for Pope is different, in that I think it is meant to be secret.
        • by hawk (1151)

          Not just secret, but a very well kept secret.

          No results are released save the elected Pope, and the witnesses are bound to secrecy as to who the other candidates even were (but there have been rumors, possibly based on big mouths, possibly not).

          hawk

    • by BitterOak (537666)

      As Mr. Schneier points out, this doesn't scale. There is no way you could do a US Presidential election this way.

      Actually, that is close to how the US Presidential election really does work. The President isn't elected by the people, but rather by the Electoral College, a group more similar in size to the College of Cardinals than to the entire US population. They have very well defined rules as to how to vote, just as the papal conclave does. And so far, it seems to have worked pretty well. Many have proposed abandoning the electoral college system, but this article provides some good reasons why it should be ret

      • Get your head out of the clouds and come back down to earh. The electoral college does not have meaningful autonomy. The college of cardinals does, at least when it comes to papal elections.

        However, it should be noted that the pope chooses the cardinals. Since only cardinals under the age of 80 can vote, the chances that the new pope will make a political break with his predecessor are somewhat slim.

    • by jim_deane (63059)

      There is no way you could do a US Presidential election this way.

      Maybe. Scale it up in steps. Groups of 12 citizens who are known to each other get into rooms to conduct a vote. One is chosen to take their group's decision to the next level, where 12 group representatives who know each other get together to vote. And so on...you'd only need seven levels of voting to reach the final 12 representatives in the current US voting population.

      I'm using a fuzzy interpretation of the Six Degrees of Kevin Bacon g

  • by cellocgw (617879) <<moc.liamg> <ta> <wgcollec>> on Sunday February 24, 2013 @09:50AM (#42994963) Journal

    OK, step back. Take a deep breath. The pope is sort-of oughtta be elected on the basis of what the Catholic god (or maybe Jesus, it ain't clear) tells the cardinals is the right choice. So how the fuck could a vote that's determined by the Almighty(s) possibly be rigged by mere mortals?

  • by mrthoughtful (466814) on Sunday February 24, 2013 @09:55AM (#42994985) Journal

    Why focus on the voting mechanism? It's like testing the quality of a democracy by looking at the voting procedure in the house of commons. The weakness, as is always the case, is human accountability. This is just as true within a theocratic oligarchy as it is within a representative democracy.

    Anyone who thinks that powerful interests have no sway in the election of a pontiff is uneducated in history and blissfully naive.

    • Because the whole article was about whether the vote could be hacked, not whether the voters could be influenced. Of course the vote can be affected, as has happened many times in history, but that's not what's being talked about here. This is about physical hacking of the process. From the very first line of TFA:

      As the College of Cardinals prepares to elect a new pope, security people like me wonder about the process. How does it work, and just how hard would it be to hack the vote?

  • Um...there goes my plans of choosing the next Pope myself...

    Now if only it was possible to bribe the clergy that votes. Well, one can dream.
    • Now if only it was possible to bribe the clergy that votes. Well, one can dream.

      Rumour has it the Cardinals are amenable to a little black-mail.

      (The littler the better.)

  • Maybe is how is really elected the president of USA since decades ago.
  • No surprises here (Score:5, Interesting)

    by mean pun (717227) on Sunday February 24, 2013 @10:29AM (#42995083)

    Considering that this voting process has evolved in the face of thousands of years of intrigue and backstabbing that makes even politicians look like choirboys, why is this a surprise? The evolutionary pressure was most certainly there.

    And of course this analysis overlooks the most reliable way of rigging an election, and one that is most certainly practiced here: hand-picking the electorate. Who appointed those cardinals in the first place, eh?

    • "And of course this analysis overlooks the most reliable way of rigging an election, and one that is most certainly practiced here: hand-picking the electorate. Who appointed those cardinals in the first place, eh? "

      That can be done on a large scale, too. It's known as gerrymandering and is done by both parties. It's especially common for congressional districts. If you look at the national map, you see all kinds of bizarre shapes designed to give one party or the other a majority. They don't follow

      • by Talderas (1212466)

        A lot of gerrymandering is required by the Voting Rights Act in order to create minority majority districts so that minorities can be guaranteed to have representation. Simply putting 51% of a minority in a district is not sufficient either. That's a fairly significant contributing factor to the oddly shaped districts. Given the way minorities generally vote, this favors Republicans.

  • by Arancaytar (966377) <arancaytar.ilyaran@gmail.com> on Sunday February 24, 2013 @10:33AM (#42995099) Homepage

    Elections like this don't get manipulated during the ballot-casting, because they're not decided during the ballot-casting. Just like the decisions of a legislative body, the vote itself is merely the result of a ton of secret politics leading up to it.

    • by Sloppy (14984)

      When you win a battle, celebrate that you moved the front. Don't fret that you didn't win the war yet. It is good to lock a door and make a burglar noisily kick it in, even if he still gets in.

      The process changed the place. The reason elections are won by pre-election dealing, is that we have (mostly) succeeded at making it sufficiently hard to win by ballot box hacks. Pre-election deals are relatively expensive compared to ballot box hacks.

      Sure, we're looking in the wrong place, but only because it was

  • open systems conducted within a known group make voting fraud much harder.

    doesn't anyone remember the Chicago political machines? if the group becomes corrupt group control is a bad thing and remember the voting all happens in front of that group ONLY no outsiders are told the vote only the result

  • Oh really? (Score:5, Funny)

    by wonkey_monkey (2592601) on Sunday February 24, 2013 @11:25AM (#42995321) Homepage

    No one is going to dress up as a cardinal and sneak into the Sistine Chapel.

    Challenge accepted!

    • by jsepeta (412566)
      It's not as if there are any candidates who would promote a human rights agenda that focuses on equality for ALL people, regardless of race, gender, or sexual orientation. The problem is, all of these guys running for pope are pretty much the same.
  • by Tim Ward (514198) on Sunday February 24, 2013 @12:01PM (#42995485) Homepage

    That's the key, and makes for clean elections - I've observed elections in the UK, Kosovo and Ukraine.

    This tends to mean manual counting of physical pieces of paper that have been marked by the voter by hand, as that's vastly easier for lay people to observe and verify than hidden things going on inside computers or other machines. (I'm not saying that proper independent observation by lay people of what goes on inside a machine isn't possible, just that nobody has worked out how to do it yet.) If I'd observed an election involving machines I would have had to write in my report that I had no confidence in the outcome of the election because I had no visibility of what was going on inside the machines.

    The big problem with the cleanliness of the UK voting system is postal votes - and this is in my view precisely because this is a part of the process which is *not* independently observed - you don't know for sure who applied for the postal ballots, who acquired them, or who filled them in under what pressure.

    • by the_B0fh (208483)

      And it can still be corrupted. By buying the votes before hand. In fact, back home, there was one very famous case of vote buying, and the people went to their religious leader saying they were offered $150 for their votes. He told them to take the money, but once inside the voting booth, to vote their conscience.

      FTW! :)

      • by Tim Ward (514198)

        Exactly. The problem with buying votes is verifying that you've got what you've paid for. With a vote placed in the ballot box by the voter there is no way to achieve this ... but there is a way to achieve it with postal votes, which is one of the things wrong with postal votes.

  • I read a really neat paper about the implications of the Doge election protocol to distributed systems. There the focus was more on preventing bribary and less on more general fraud, but it was a pretty cool system. [pdf] www.hpl.hp.com/techreports/2007/HPL-2007-28R1.pdf

  • The book "Sex Lives of the Popes" documents numerous instances of corruption in the election process. During the 10-11th century, one mother and daughter pair got 7 popes onto the papal chair, by having affairs with, or giving birth to them.

  • You can hack it when the ballots are being counted. How? Because it's unclear if the scrutineers are really randomly chosen.

    What is the process of selection? Do they draw the names out of a hat? Easy: the person picking the names can substitute any name they want. They just need 3 scruitineers, and they can tally the votes any way they'd like.

    Taking a step back, how are candidates selected? You don't have to hack the process if you manipulate the selections or compromise the candidates.

  • ... rent (or own as I do) the movie "The Shoes of the Fisherman" from 1968. It shows in detail the process of a fictional papal conclave including the steps the cardinals take to ensure fairness. Quite revealing.

    On a completely different subject, for those movie geeks of you out there who love "2001: A Space Odyssey" as I do, this film is where Alex North recycled some of his rejected score for 2001.

    • by hawk (1151)

      >... rent (or own as I do) the movie "The Shoes of the Fisherman" from 1968.

      Or be *really* drastic and read the book . . .

      (Btw, the elected bishop in that was closely patterned after the actual Ukrainian Catholic leader who was imprisoned by the Bolsheviks, and reputed to have been the runner up when Pope Paul was elected. The book was written before Vatican II, but significantly foreshadowed some of its events . . .).

      (Thre are also two more books in that "trilogy")

      hawk

  • Does all this blah blah mean Dennis Leary is the new Pope or not? If not, who gives a flying rat's ass.

Computers are unreliable, but humans are even more unreliable. Any system which depends on human reliability is unreliable. -- Gilb

Working...