Lessons From the Papal Conclave About Election Security 183
Hugh Pickens writes "The rules for papal elections are steeped in tradition. John Paul II last codified them in 1996, and Benedict XVI left the rules largely untouched. The 'Universi Dominici Gregis on the Vacancy of the Apostolic See and the Election of the Roman Pontiff' is surprisingly detailed. Now as the College of Cardinals prepares to elect a new pope, security people like Bruce Schneier wonder about the process. How does it work, and just how hard would it be to hack the vote? First, the system is entirely manual, making it immune to the sorts of technological attacks that make modern voting systems so risky. Second, the small group of voters — all of whom know each other — makes it impossible for an outsider to affect the voting in any way. The chapel is cleared and locked before voting. No one is going to dress up as a cardinal and sneak into the Sistine Chapel. In short, the voter verification process is about as good as you're ever going to find. A cardinal can't stuff ballots when he votes. Then the complicated paten-and-chalice ritual ensures that each cardinal votes once — his ballot is visible — and also keeps his hand out of the chalice holding the other votes. Ballots from previous votes are burned, which makes it harder to use one to stuff the ballot box. What are the lessons here? First, open systems conducted within a known group make voting fraud much harder. Every step of the election process is observed by everyone, and everyone knows everyone, which makes it harder for someone to get away with anything. Second, small and simple elections are easier to secure. This kind of process works to elect a pope or a club president, but quickly becomes unwieldy for a large-scale election. And third: When an election process is left to develop over the course of a couple of thousand years, you end up with something surprisingly good."
No surprises here (Score:5, Interesting)
Considering that this voting process has evolved in the face of thousands of years of intrigue and backstabbing that makes even politicians look like choirboys, why is this a surprise? The evolutionary pressure was most certainly there.
And of course this analysis overlooks the most reliable way of rigging an election, and one that is most certainly practiced here: hand-picking the electorate. Who appointed those cardinals in the first place, eh?
Re:This is blindingly obvious (Score:5, Interesting)
True, and the nature of their electoral process makes it instantly verifiable by all parties. Large elections with anonymous voting and close results can be the target of sophisticated election fraud.
In American presidential elections, I would like each vote to be anonymous but traceable. You randomly select a ballot that has a randomized code, and tear-off or write down the code. Then, no less than 3 groups should receive every vote (the official ballot counters and the two main parties, and any other groups who wants to tally the results). They would each post a website, or equivalent anonymous function, where you can enter your random code associated with your vote and check for yourself that your vote was transmitted properly (alerting each group when your vote appears incorrect). Then each group would individually tally the votes and confirm the election results.
Re:Its racist (Score:2, Interesting)
You know, if you're going to go off on republicans and election fraud, need I remind you that in the 2012 election, EVERY SINGLE SWING STATE went democrat. You'd think for certain that at least one of them would have gone republican. That's the definition of swing state, you don't know which way they're going to go, and when you have what was it, 10 of them, odds are one of them should have gone republican, but no. Surely at least Wisconsin should have gone red, but it didn't. So if you're going to throw out your conspiracy theories, just let that one sit on your mind while you're doing it.
Re:This is blindingly obvious (Score:5, Interesting)
The inability to verify a secret ballot is a feature, not a bug.
Until, your vote is not counted as you intend. Then it becomes a bug.
How about this approach? You case a vote. At that time, a cryptographically strong hash of your vote is made and printed out as a receipt. The raw data of your vote remains with a special ID generated at the time of the vote and tied to that receipt.
You can query against the data base to generate your hash. If that hash changes, then possibly your vote changed as well. Or a vote tabulator can query against the data base to get how many votes for each candidate.
But the act of tying a particular vote to particular voters, would require both the receipt and access to the raw data of the database. Similarly, changing the vote tabulation without being caught would require either creating phantom voters or getting hold of those receipts and then changing the vote associated with the receipts you obtain. Neither is impossible, but beyond the reach of much of the would-be vote manipulators out there.
Every step of the election process is observed (Score:5, Interesting)
That's the key, and makes for clean elections - I've observed elections in the UK, Kosovo and Ukraine.
This tends to mean manual counting of physical pieces of paper that have been marked by the voter by hand, as that's vastly easier for lay people to observe and verify than hidden things going on inside computers or other machines. (I'm not saying that proper independent observation by lay people of what goes on inside a machine isn't possible, just that nobody has worked out how to do it yet.) If I'd observed an election involving machines I would have had to write in my report that I had no confidence in the outcome of the election because I had no visibility of what was going on inside the machines.
The big problem with the cleanliness of the UK voting system is postal votes - and this is in my view precisely because this is a part of the process which is *not* independently observed - you don't know for sure who applied for the postal ballots, who acquired them, or who filled them in under what pressure.
Re:This is blindingly obvious (Score:4, Interesting)
So it's OK for the politician to buy your vote by promising to give you tax payers money but not someone buying your vote using their own money?
Re:Its racist (Score:3, Interesting)
Simple, they can't get one. They came from a place where the records were destroyed, or never existed in the first place. This is not as rare as many people might like to think - it's been a fact of recent civil wars in my lifetime, that one side systematically destroyed all birth records of the other.
There are people who can't afford to fly, who buy their cigs and alcahol off a younger family member, have no credit cards or bank accounts (using just the check cashing place and paying an exorbitant fee there too boot), and yes, can't visit certain federal buildings. Their lives are already greatly limited and with the aggressive work of republican groups screaming about vote fraud, we can ensure that they lose even the right to vote in our lifetime, since they certainly would have voted democrat anyway.