The Intent of the Voter [2000]

In November 2000, in the wake of the uncertainty regarding the U.S. presidential vote tallies in Florida, security expert Bruce Schneier penned an essay that Scott reprinted, with Bruce's permission, for Planet IT.  In that essay, Schneier argued that one of the quintessential values of voting in this country - anonymity - would be endangered in a society where all paper balloting is replaced by electronic databases, where individual votes are aligned with known individuals for the sake of validity and accuracy.

For his counter-argument, Scott wrote that the real danger was not that databases would accurately attribute votes to people, but that they would do so inaccurately.  Scott published both articles prior to the landmark Supreme Court Bush v. Gore decision:


As always, Bruce's commentary gets me to thinking on a higher level about the problems we need to solve in the next few years if the IT industry expects to continue its pattern of growth. This morning, I turned on CNN and found testimony in the Leon County Circuit Court hearing in Tallahassee, where the Gore campaign is seeking an order for counties to conclude the recounts they started. On the stand was a gentleman representing a company that manufactures vote-tallying equipment. He was called as an expert witness for the Gore team (the plaintiff) to testify that there are significant means of determining the will of the voter through human observation that the tallying machine would not be able to detect.

During cross-examination, the Bush team's attorney tried to cast doubt on the process of determining what it was that could possibly cause a "chad" (the little perforated tearout from a punch card) to bulge out in one direction or another, by raising the issue of whether it's obvious that a bulge is definitely caused by the voting stylus, or instead by a fingernail. It's a valid issue; can anyone's eyes definitely see the imprint of a little stylus on what is already a damaged chad? (Notice we've been using these machines throughout the US for almost thirty years now, and this issue never came to a head until this morning.)

While listening to this cross-examination, it occurred to me that both sides were in agreement on one part of a basic principle: it does require close human examination to absolutely certify the will of the voter, with regard to one of these hole-punched or butterfly ballots. What's at issue is whether, with all the variables in play, a human would be able to clearly infer the will of the voter--we already agree that a machine cannot.

It is here that it occurred to me that if any one county or precinct were to completely replace paper ballots or mechanical tallies with ordinary databases, it may be _less_ possible for any human being to clearly establish the will of a particular voter than it is now. You may be thinking, that can't be. There are no pregnant chads in a database. There are no "almost votes;" it's a binary thing. You either vote for a guy or you don't, 1 or 0. It is because of all the necessary requirements for a survey of individuals to become certifiable votes in elections, that the intent of the voter may become obscured once it becomes electronic.

Remember what Bruce said in his last essay: "Anonymity requires a secret ballot. Scaling and speed requirements lead to mechanical and computerized voting systems. The ideal voting technology would have these four attributes: anonymity, scalability, speed, audit, and accuracy--direct mapping from intent to counted vote." It occurred to me that this may be impossible, for the following reason: In a database representing people, a person is a discrete unit. A database of votes counted could appropriately uphold the principle of anonymity if it ignored the identity of the individual--if, in other words, it acted as little more than a "clicker" of votes tallied so far for whoever's running. Such a low-tech database would not contain discrete records that represented people's votes, the way punch cards and paper ballots do now. And many who vote today with mechanical voting booths may not realize that paper records of each vote are indeed produced inside the machine, each time the voter pulls the lever that opens the curtain.

Bruce's key requirement is "direct mapping from intent to counted vote." In a mechanical voting booth, this is possible because something stamps a piece of paper whenever the voter exits. With paper ballots, this is possible because a piece of paper represents some voter someplace who once held this paper in his or her hand. We don't have to know who she is to know she voted. There is a direct mapping in both cases. How could such a direct mapping be possible with a database, and still maintain the required element of anonymity?

Someplace in a database, a vote must be mapped to a person. To use some terms from programming, there must be a pointer to that person (*p). Which means there must be some discrete element of data that represents the person--what E. F. Codd would call a "key." (Not a "key" like in cryptography, but instead like in a relational database--an identifier of a record.) A key can be a numeric thing, and the number itself might not directly imply to a human reader who the person it represents actually is. But someplace in the database is a "direct mapping" from the key to the identity of the voter (*p->vote). For that mapping to be programmable, it must be interpretable to human beings--and so much for anonymity. The requirement for auditability (Bruce's #3) would counteract the maintenance of anonymity (Bruce's #1). At some point, the contents of an identified person's vote could be determined by some other person. And that would be contrary to law.

A database, as we all know, is not a program. The program created to manage a database could be set up to refuse to reveal the identity of a voter and the contents of his vote on the same page. But that would not be protection enough. Anybody who wants to hack the database won't bother with the program.

So we could set up a system where the only data that is recorded in the database--like the data extracted from a mechanical voting booth--omits the identity of the voter. The single tier of indirection, to borrow another programming phrase, would be permanent, because there would be no record of the identity of the voter in that database. As far as the database manager was concerned, the voter came into existence on this Earth the moment he cast his vote. Certainly it takes no "crypto guru" to decipher the danger in that. Not only do we eliminate the capability of audit and possibly compromise accuracy (Bruce's #5), but we open up wide the possibility that any hacker can invent people at random and at will. Which is a lot easier than tampering with absentee ballots, I assure you.

Inevitably, in some electronic race somewhere for Mayor or Attorney-General or President of something, there would be a near-tie vote, which would require us to closely re-examine the votes cast. Unlike the slightly-dimpled punch cards, a database record reveals no evidence of anything. A counterfeit database record looks exactly like any other database record. What would have to be researched is the means by which the database is accessed, which would require an operating system with a much stronger and more reliable audit trail than anything we have in place today. No matter how bad things get in Florida, I would dread even more the possibility of the leadership of the free world hanging in the balance, dependent entirely upon a diagnostic of the behavior of Microsoft Windows on somebody's homemade server.
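The two database designs weighed in the preceding paragraphs, as an added example that is not part of the original essay: Python with SQLite, where every table name, voter name and candidate is constructed for illustration. It shows that the keyed design can audit for a vote with no enrolled voter but gives up anonymity to anyone who reads the tables directly, while the identity-free design keeps anonymity but cannot tell an added row from a genuine one.

```python
import sqlite3

def linked_design():
    """Keyed design: every vote row carries the voter's record key."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE voters (voter_key INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE votes  (voter_key INTEGER, choice TEXT);
        -- The managing program only ever shows this view: totals, no names.
        CREATE VIEW public_tally AS
            SELECT choice, COUNT(*) AS n FROM votes GROUP BY choice;
        INSERT INTO voters VALUES (101, 'Voter A'), (102, 'Voter B');
        INSERT INTO votes  VALUES (101, 'Candidate X'), (102, 'Candidate Y'),
                                  (999, 'Candidate X');  -- key with no voter
    """)
    tally = db.execute("SELECT * FROM public_tally ORDER BY choice").fetchall()
    # Reading the tables directly bypasses the program: the key joins
    # identity to ballot, which is the loss of anonymity the essay describes.
    exposed = db.execute(
        "SELECT name, choice FROM voters JOIN votes USING (voter_key) "
        "ORDER BY name").fetchall()
    # The same key is what makes an audit possible: unmatched votes stand out.
    orphans = db.execute(
        "SELECT COUNT(*) FROM votes WHERE voter_key NOT IN "
        "(SELECT voter_key FROM voters)").fetchone()[0]
    return tally, exposed, orphans

def anonymous_design():
    """Identity-free design: a vote row records the choice and nothing else."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE votes (choice TEXT);
        INSERT INTO votes VALUES ('Candidate X'), ('Candidate Y');
    """)
    genuine = db.execute("SELECT choice FROM votes").fetchall()
    db.execute("INSERT INTO votes VALUES ('Candidate X')")  # no voter behind it
    rows = db.execute("SELECT choice FROM votes ORDER BY rowid").fetchall()
    # The added row is value-for-value identical to a genuine one, so the
    # table alone offers nothing to audit against.
    distinguishable = rows[-1] not in genuine
    tally = dict(db.execute("SELECT choice, COUNT(*) FROM votes GROUP BY choice"))
    return tally, distinguishable

if __name__ == "__main__":
    print(linked_design())
    print(anonymous_design())
```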

Which leads me to this conclusion: Bruce's book talks about the arrival of the day when an individual can know anything at any time about any other individual, simply because of the accuracy and accessibility of private databases. I would argue that, in the era in which we live today, the combined probabilities of error, inaccuracy, and insecurity completely trounce any capability we have today to directly map anyone's identity to anyone's properties or preferences. As databases that record people's habits or preferences or lifestyle choices or favorites or votes become more abundant, the capability for a hacker or an innocent bystander or a bulldozer or a bolt of lightning to render those databases invalid increases proportionately. As a result, the value of such electronic tallies only diminishes, the more we know that what they may mean is less than we want them to mean. What we are left with is the want for something solid that we can hold in our hand--something which, however meekly or meagerly, registers the intent of someone to resolve something discretely, concretely, and indisputably.

This society is not so much endangered by what data tells us that is true, as by what data tells us that is false.