risks@CSL.SRI.COM (RISKS Forum) (05/30/91)
RISKS-LIST: RISKS-FORUM Digest Wednesday 29 May 1991 Volume 11 : Issue 75
FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
Contents:
Vote-by-Phone - Promises and Pitfalls (Roy G. Saltman)
The RISKS Forum is moderated. Contributions should be relevant, sound, in
good taste, objective, coherent, concise, and nonrepetitious. Diversity is
welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive
"Subject:" line. Others ignored! REQUESTS to RISKS-Request@CSL.SRI.COM. For
vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR>
CD RISKS:<CR>GET RISKS-i.j<CR>" (where i=1 to 11, j always TWO digits). Vol i
summaries in j=00; "dir risks-*.*<CR>" gives directory; "bye<CR>" logs out.
The COLON in "CD RISKS:" is essential. "CRVAX.SRI.COM" = "128.18.10.1".
<CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password.
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
Relevant contributions may appear in the RISKS section of regular issues
of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.
----------------------------------------------------------------------
Date: Wed, 29 May 1991 14:17:27 EDT
From: SALTMAN@ECF.NCSL.NIST.GOV
Subject: Vote-by-Phone - Promises and Pitfalls
[Moderator's note: Roy is not a regular RISKS Reader, but is one of the
world's most honored watch-ers of electronic voting. He asked for some
feedback on this, so the RISKS Forum seemed like an ideal place for him to
find some knowledgeable and interested sources of feedback. You may respond
to him directly. If you think your response would be of general interest to
RISKSers, then please CC: RISKS as well. PGN]
Vote-by-Phone - Promises and Pitfalls
Roy G. Saltman, National Institute of Standards and Technology
Many of us have had contact with a voice-response system (VRS). Perhaps you
called some organization on the phone, possibly a bank to obtain your account
balance, or the Motor Vehicle Bureau with a question about car registration,
and you heard, not a real live person, but a recorded voice. The voice was
clear and unaccented, pleasant and neutral; it was trying to be a voice with
which you couldn't get personal, but it was recorded. The voice told you to
push particular buttons on your phone to obtain particular kinds of
information.
VRSs have come into wide use in the past few years. The systems are
computer-based. The voice you hear when your call is answered is not on an
audio tape like an answering machine, but it is a reconstruction from computer
memory of the voice of an actual person. That individual and others, if more
than one speaker was used, have pre-recorded all the potential messages. The
messages were "digitized" (converted into data for a computer) and stored in a
computer memory. When you selected a particular push-button on your phone,
that selection activated a corresponding branch of a computer program. The
program chose the appropriate response message from the computer memory. The
digitized message was then reconverted to a real voice that you heard through
your phone.
If you were fortunate, the choices offered you by the voice included exactly
the information you were seeking; if not, you stayed on the line even if you
didn't have a dial phone, and perhaps you got to talk to a flesh-and-blood
human.
Some Questions
Could we vote by phone, using a VRS with the added functions of vote recording
and summarization? It's technically feasible, and will be tried in at least
one community if some folks in Boulder, Colorado, have their way. However,
there are special considerations in addition to the ordinary questions of
system design to meet the needs of the particular election situation. Here are
some concerns:
* Proof of identity could be a problem.
* Privacy could be an issue, as well, if the voter is in a location where
others might be watching or listening or electronically eavesdropping.
* User-friendliness would need to be designed into the system. Voters
have different capabilities. There are always special cases when a person with
no special training uses an unfamiliar machine.
* The voter without touch-tone phone service must be considered; older
ways of voting might have to be retained, in addition to voting-by-phone.
* Accounting and accountability are a concern. It must be absolutely
certain that the computer is correctly recording each voter's choices and
accurately summarizing the votes for each candidate.
* The system would have to be secure against malicious mischief; extra
phone calls from disrupters should not be able to clog the system and prevent
its use by participating voters.
* Reliability must be a priority; the system would need to available for
use at all times throughout the hours that the polls are open.
Dialing In
The voter with touch-tone phone service would dial a toll-free number.
Hopefully, the system will have been designed to be able to accept the maximum
number of calls expected at any one time, so that the chance of getting a busy
signal will be very small. When the call is answered, the voice would identify
its function of providing the voter with election choices and of recording the
voter's selections. Perhaps the first selection that the voice will ask the
voter to make is the language that the voter would wish to hear. For example,
the voter might be asked to push 1 for English, 2 for Spanish, and 3 for
another language widely used in the local area. Alternatively, different phone
numbers could be used for speakers of different languages.
Verifying Registration
The next step would be to identify the voter as eligible to vote. For this
purpose, the system would have to have the complete file of registered voters
resident in the jurisdiction "on-line," that is, instantly accessible. The
voter would be asked to enter a multi-digit personal identification number
(PIN) and possibly some not-publicly-available personal data. The voter would
have been prevously sent his or her PIN by mail.
For assured identification, the possibility must be minimized that a random
selection of digits, or even the filching of a PIN, could result in a
successful masquerade. A PIN is typically employed with an automatic teller
money machine (ATM). In using an ATM, the accountholder enters a PIN and
physically inserts a plastic card with a magnetic-stripe containing encoded
data. The information available to the system from the stripe on the card
enables the PIN to be as short as four digits. With the concept that any
touch-tone phone could be used for voting, the absence of ATM-like
functionality is assumed. In that case, the PIN would need to be cosiderably
longer than four digits, perhaps eight or more, and the inclusion of personal
data would serve additionally to prevent fraud.
In addition, it is assumed here that typical State legal requirements for a
signature on voting, or personal recognition by a precinct official, or a
similar requirement, would have been previously circumvented by legislation.
The Voting Process
Once registration has been verified, and the voter has not been recorded as
having voted, a review by the computer of the voter's residence location would
determine the contests for which the voter is entitled to vote. The system
would then begin to request choices from the voter; for example, "For
president, to vote for Washington, Federalist, push 1, for Jefferson,
Democrat-Republican, push 2, for Roosevelt, Bull Moose, push 3, for a write-in,
push 9, and to go on to the next contest, push 0."
The "go on to the next contest" message provides the voter with the option of
not voting for any candidate. An alternative is for the voice to say, "for
none of the above, push 0." With either message, if the voter selects any
option but write-in, the voice can repeat back the choice ("you voted for ....
") and then proceed immediately to the next contest.
If the voter selected a write-in, the system could then ask the voter to enter
the name of the write-in candidate using the letters on the phone buttons, and
to push # when finished. Voters planning to write in a candidate's name should
be told to prepare beforehand the number-equivalents of the letters in the name
(e.g., Smith is 76484), so that the entry process will be as simple as
possible. Special assignments for the letters Q and Z would need to be made if
those letters were included in a candidate's name, as those letters do not
appear on the phone buttons. Usually, Q is assigned to the PRS (7) button and
Z to the WXY (9) button. The # button, or * or 1, could be used as an
indication that the voter is finished with the write-in, as none of those
buttons is used for letters.
The use of phone buttons to represent a name provides a somewhat ambiguous
result, since each button represents three or four letters. There would have
to be an understanding and agreement by the election administrators of what
name is intended. If this procedure is not acceptable, some other write-in
method would need to be invented.
User-Friendly Requirements
System designers would need to keep in mind the following:
Sign-In Problems: If a legitimate voter is not able to get his or her
identity and registration verified, for whatever reason, the voter must be able
to contact the election administrators to get help or to obtain a different
method of voting.
Time Allowance: How long should a voter be allowed to ponder a particular
contest, and what should the system do if the voter has failed to vote when
that interval is up?
Voter's Error: What does the voter do if he or she has pushed the wrong
button, and wants to reverse a choice, (a) while the contest is current or (b)
during a choice for a subsequent contest?
Repeating the Choices: How does the voter indicate to the system that he
or she wants the choices repeated before casting a vote? Voting by phone would
be particularly difficult where the voter has to select a large number of
choices from an even larger number of candidates, typically for certain public
boards, such as political party central committees. Voice-response is serial;
the voter cannot see all the choices at once, and cannot see the selections
made. It may be that a ballot should be sent to each voter beforehand, so that
the voter could visualize the choices to be made while on the phone.
Overvotes and Undervotes: The system could indicate to the voter that he
or she has voted for more or fewer candidates than permitted. Overvotes should
be prevented and undervotes allowed. What messages, if any, should be system
provide to the voter in these cases?
Failure to Complete the Process: It is possible that a voter could be
called away from the phone by an emergency or a higher priority task while in
the process of voting. This could happen with a voter at home or at the
office. What does the system do?
Voter Disinterest: The voter does not wish to vote on the lower-level
offices or referenda, except for one particular contest. How does the voter
tell the system to skip to that contest, or cancel the remainder of the
process?
Verifying Choices: After the voter has completed voting, does the system
repeat back to the voter the choices made?
The only "correct" answers to these questions are those that demonstrate to
voters that the system is easy to use and should be widely adopted. If ease of
use cannot be implemented, voters will find the system too complex and may not
vote at all.
Voters Without Phone Access
The voter lacking personal access to a touch-tone phone would need to be
provided with an alternate method. Touch-tone public phones could be used and
the phones could be arranged to require no fee for a voting call. However,
these phones are typically in locations where privacy could be a problem.
Another method would be to treat those without touch-tone phones as absentee
voters, and send them ballots to be returned by mail. If polling stations are
to be kept open, each voter would have to declare in advance, like absentee
voting, whether he or she planned to vote by phone or vote at the polls.
Otherwise, each polling station would need to have on-line access to a voter
database that reported which voters had already voted by either method.
On-line updating would be needed to prevent an individual from voting by both
methods.
Accuracy, Accountability, and Public Confidence
The vote-by-phone system is somewhat more complex than a typical VRS. In
addition to the selection of particular messages, the voter's button-pushing
actions must cause his or her voting choices to be correctly recorded and
accurately assigned to particular candidates. In addition, the system uses no
ballots independently filled out by the voter. Consequently, there is no way
that a true recount of the results reported by the system could be obtained.
In view of the manner of system operation, it is essential that all the groups
involved, that is, the voters, the election administration, the contending
parties, and the candidates, have full confidence in the results that the
system produces. The only way that confidence can be achieved is for operation
of the system be thoroughly tested and checked out before the election. The
software used in the system should be totally protected from outside
influences, and an identical copy of all of it secured in the hands of the
chief State election officer. System testing should use both internal analysis
of the computer program, as well as testing and checking system response to a
variety and quantity of different potential voter selections and actions. In
addition, voter accounting data must be retained. These data include the
number of voters signed in and eligible to vote for each contest, and the
number of undervotes in each contest. The number of votes plus undervotes in
each vote-for-N contest, N = 1, 2, 3, etc., should equal N times the number of
voters voting for the contest.
Public understanding that the system does not violate voter privacy is also
essential to public acceptance. Voters must be certain that the part of the
system that verifies their identities is distinct and separate from the part of
the system that records their votes, and that there is no communication of
voter identity between the two parts.
Assuring System Security
Total system integrity involves security, in addition to accuracy and
accountability. By security is meant the control of access to the system,
where legitimate access is allowed and other access prevented. In an on-line
system, such as vote-by-phone, it is crucial that callers only be able to
record their voting choices and not be able to, by any combination of pushing
buttons, achieve access to the controlling programs of the system.
Based on a history of hacker activity, protection must be implemented against
potential disruptions. Other on-line systems have restricted attempts to
sign-on to a small number of successive tries on a single call, e.g., not more
than three, so that it would not be possible to randomly try many PINs on one
call until a correct one is found. Extra calls clogging the system could not
be prevented unless automatic number identification (ANI), with which the call
recipient knows the caller's phone number, could be used in connection with
pre-established voter phone numbers. Voters could be asked to specify a phone
number, and one or two alternates, from which they would vote. Then, if ANI
were available, the system could ignore those calls not from a voter's phone.
If ANI were not available, calls could be timed-out and ended if the caller
remained on the line for more than a maximum number of seconds without
successfully completing the initial steps. If a phone from which clogging
calls were being made could be identified, it is possible that laws that
already exist or could be enacted would allow legal action to be taken. Of
course, the election would be long over before a penalty could be imposed.
The Future
The expectation of supporters of vote-by-phone is that its convenience will
increase turnout. With a well-designed system, convenience would be improved
for persons who are handicapped or home-bound, for frequent travelers away on a
moment's notice, and those who always seem to be too busy to go to the polls.
Of course, absentee ballots are already available for them.
Some think that failure to vote is simply an administrative problem that new
technology or simplified procedures could easily solve, but this article has
attempted to show that the application of new technology requires thoughtful
and detailed consideration of implementation issues that connect technology to
effective human use. Issues have been raised, and some directions for
solutions identified, but the real challenges are left to the designers.
Other persons think that failure to vote is a social problem with much deeper
causes and solutions than the type of technology being employed. Only several
trials of vote-by-phone in different kinds of communities could provide some
answers, but the funding of such trials is not a trivial issue. Election
administration must compete for funds with all of the other concerns that face
State and local governments; advocates of vote-by-phone would need to
demonstrate the urgency of their proposals.
------------------------------
End of RISKS-FORUM Digest 11.75
************************