Papal Election To Use Irish E-Vote System
Nah, only joking. But as the College of Cardinals prepares to elect a new pope, Crypto-Gram's Bruce Schneier has been wondering about just how hard is it to hack the vote. Bruce works in security , so he can't help looking at a system without trying to figure outhow to break it...
First, check out the latest version of the rules: "Universi Dominici Gregis on the Vacancy of the Apostolic See and the Election of the Roman Pontiff" (February 22 1996).
The paper-based ballot takes place in the Sistine Chapel, all counting is done by hand. Votes are secret, but everything else is done in public.
In the "pre-scrutiny" phase, "at least two or three" paper ballots are given to each cardinal (115 will be voting). Then nine election officials are randomly selected for each ballot: three "Scrutineers" to count the votes, three "Revisers," who verify the results, and three "Infirmarii" (don't ye love it) who collect the votes from those too poorly to be in the room.
Each cardinal writes his selection on a rectangular ballot paper, disguising his handwriting. Then he folds the paper lengthwise and holds it up for all to see.
In the "scrutiny" phase, the cardinals proceed to the altar in turn, to a large chalice with a paten (the metal plate used for communion wafers during mass) on top. Each cardinal places his folded ballot on the paten. Then he picks up the paten and slides his ballot into the chalice. Got that? So he can't stuff more than one ballot into it.
And if a cardinal can't walk to the altar, a Scrutineer does this for him, in full view of all. If any cardinals are too sick to be in the chapel, the Scrutineers give the Infirmarii a locked empty box with a slot, and the three Infirmarii together collect those votes.
Wait for it: if a cardinal is too poorly to write, he gets one of the Infirmarii to do it for him. There's the potential for one of the Infirmarii to do what he wants when transcribing the vote of a poorly cardinal, but there's no way to prevent that. If the cardinal is concerned, he could ask all three Infirmarii to witness the ballot.
So where are we? Oh yeah. Theythe box, and the ballots are placed onto the paten and into the chalice, one at a time. The first Scrutineer gives it a good shake, then the third Scrutineer transfers the ballots, one by one, from one chalice to another, counting them in the process. If the total number of ballots is not correct, the ballots are burned and they all vote again.
To count the votes, each ballot isd and the vote is read by each Scrutineer in turn, the third one aloud. Each Scrutineer writes the vote on a tally sheet. This is all done in full view of the cardinals. The total number of votes cast for each person is written on a separate sheet of paper.
In the "post-scrutiny" phase. The Scrutineers tally the votes and work out if there's a winner. Then the Revisers verify the entire process, then the ballots are burned. Cue black smoke, or maybe even white.
It's a totally manual process, making it immune to the sorts of technological attacks/flaws that make modern voting systems wild dodgy. It's a small group of voters, everyone knows each other, so no way can an outsider to affect the voting in any way (unless, of course, they kidnap one or two of the lads and do the old Mission Impossible thing with a rubber mask and wig).
The chapel is cleared and locked before voting. Eavesdropping is possible, although the rules explicitly state that the chapel is to be checked for recording and transmission devices "with the help of trustworthy individuals of proven technical ability". And what out for the laser microphones, picking up stuff through the windows near the chapel's roof.
So what are we left with? The first Scrutineer, using sleight of hand, swaps one ballot paper for another before recording it. Or the third Scrutineer swaps ballots during the count.
The cardinals themselves are in "choir dress" during the voting, with translucent lace sleeves under a short red cape - much harder for sleight-of-hand tricks.
Bruce recommends making the ballots large, and controlling the blank ballots better, and only distributing one to each cardinal per vote. Presumably cardinals change their mind more often during the voting process, so distributing extra blank ballots makes sense.
Ballots from previous votes are burned, which makes it harder to use one to stuff the ballot box. But there's one slight loophole: "If however a second vote is to take place immediately, the ballots from the first vote will be burned only at the end, together with those from the second vote." Presumably so there's only one plume of smoke for the two elections.
Bruce writes: "Two or three Scrutineers in cahoots with each other could do more mischief, but since the Scrutineers are chosen randomly, the probability of a cabal being selected is very low. And then the Revisers check everything. More interesting is to try and attack the system of selecting Scrutineers, which isn't well-defined in the document. Influencing the selection of Scrutineers and Revisers seems a necessary first step towards influencing the election."
The weakest bit is the counting of the ballots. "There's no real reason to do a pre-count, and it gives the Scrutineer doing the transfer a chance to swap legitimate ballots with others he previously stuffed up his sleeve. I like the idea of randomizing the ballots, but putting the ballots in a wire cage and spinning it around would accomplish the same thing more securely, albeit with less reverence. And if I were improving the process, I would add some kind of white-glove treatment to prevent a Scrutineer from hiding a pencil lead or pen tip under his fingernails."
Mind you, Bruce concludes that when an election process is developed over nearly two thousand years, you're bound to "end up with something surprisingly good".
Posted by mick cunningham at April 19, 2005 10:55 AM | Email a friend this entry
| TrackBack
I see the former Hitler Youth boy won...
Posted by: micko at April 19, 2005 08:00 PM