The Pre-Arranged-Transfer-Pattern Hack
How publicly accessible proportional-representation voting data allows votes to be bought and sold
Ireland's proposed e-voting system (ICTE website) contains an interesting feature. All vote data will be uploaded to a public website, allowing third parties to download the raw votes, and simulate counting themselves, verify the results, experiment with new transfer methods, etc.
This has been identified as a good feature by several commentators, notably Annrai O'Toole and Brendan Tangney in their 6 April 2004 Irish Times article entitled 'Time for a rational debate about the future of electronic voting', who noted, 'analysing voter trends should not be limited to a high priesthood of tallymen. Electronic voting could yet make experts of us all!'
The data is anonymized, replacing real names with random numbers, so that an attacker cannot determine which way a given person voted.
However, Ciaran Quinn on the ICTE mailing list has noted that this feature still allows votes to be bought and sold. In summary, it exposes a means for an attacker to determine whether an accomplice or accomplices voted the way they were instructed to vote. Here are the mails in question:
From: Ciaran Quinn <election .at. polarbears.com>
To: Irish Citizens for Trustworthy Evoting <e-voting .at. lists.stdlib.net>
Subject: [E-voting] STV and e-voting incompatible

I have just downloaded the election results for Dublin North and I have just realised that there is a very simple way of selling one's vote using e-voting.

There were 12 candidates in Dublin North. I estimate that there must be almost 500 million possible vote combinations. If I wanted to buy votes from a group of voters, I would give them instructions of the sequence in which they were to vote (eg I would give each voter a list of numbers such as 3 5 10 2 1 6 9 4 8 11 7 12 showing them how to mark their ballot paper. Each voter would get a slightly different combination. When the election is over, all I would have to do is to check which combinations occurred and pay the relevant voters).

Date: Sat, 06 Dec 2003 22:07:15 +0000
From: Ciaran Quinn <election .at. polarbears.com>
To: David GLAUDE <dglaude .at. gmx.net>, Irish Citizens for Trustworthy Evoting <e-voting .at. lists.stdlib.net>
cc:
Subject: Re: Fwd: [E-voting] STV and e-voting incompatible

By my calculations, in a 12-candidate STV election, there are actually 522,956,313 different ways of marking the ballot paper. (12!+11!+10!+9!+8!+7!+6!+5!+4!+3!+2!+1!)

In STV, the 12 candidates are listed and the voter numbers the candidates from 1 to 12 (they can stop at any point if they wish).

Having said that, if I was paying someone to vote for a candidate, I would want them to have the same no. 1 every time, so there would be 43954713 combinations remaining for about 40,000 voters, which is plenty to allocate specific combinations to each voter. If only full combinations of 1 to 12 were generated, there would only be a 1000-1 chance of someone else accidentally using that combination.

It would not be difficult to set up a website outside Ireland where people could sell their votes at election time. The voter would log on to the site and be given a unique pattern of vote preferences to use.
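The exposure described in the mails above can be measured from the publisher's side before a ballot file is released: count how many ballots carry a preference sequence that no other ballot shares. The following is an added example, not part of the original page, the mails or the ICTE system; the ballots are constructed, and the function names and the idea of releasing only the first few preferences are assumptions of this example.

```python
from collections import Counter

# Constructed sample: anonymized ballots from a 5-candidate count. Each tuple
# lists candidate numbers in preference order; voters may stop early.
SAMPLE_BALLOTS = [
    (1, 2, 3), (1, 2, 3), (1, 2),
    (2, 1), (2, 1), (2, 1, 4, 5, 3),
    (3,), (3,),
    (1, 3, 5, 2, 4), (1, 3, 5, 4, 2),
]


def truncate(ballots, depth):
    """Keep only the first `depth` preferences of each ballot (None = all)."""
    return [tuple(b) if depth is None else tuple(b[:depth]) for b in ballots]


def anonymity_report(ballots, depth=None):
    """Return (k, singletons, total) for the ballots as they would be published.

    k is the size of the smallest group of identical published ballots;
    singletons is the number of ballots whose sequence appears exactly once.
    """
    counts = Counter(truncate(ballots, depth))
    singletons = sum(1 for c in counts.values() if c == 1)
    return min(counts.values()), singletons, len(ballots)


def max_safe_depth(ballots, k_required):
    """Largest number of published preferences at which every pattern is
    shared by at least k_required ballots, or 0 if no depth qualifies."""
    safe = 0
    for depth in range(1, max(len(b) for b in ballots) + 1):
        k, _, _ = anonymity_report(ballots, depth)
        if k >= k_required:
            safe = depth
    return safe


if __name__ == "__main__":
    k, singletons, total = anonymity_report(SAMPLE_BALLOTS)
    print(f"full ballots: k={k}, {singletons} of {total} ballots are unique")
    print("deepest release with k>=2:", max_safe_depth(SAMPLE_BALLOTS, 2))
```

On real data with 12 candidates, long preference lists are almost always unique, which is what makes a pre-arranged pattern checkable in the published file.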