Monday, May 15, 2006

Computer Reliability

Suppose we could build a system in which all automobile traffic in the US was controlled by a central computer. Traffic would flow more smoothly and fuel consumption could be better controlled, but with a catch: failures in the system would cause 10,000 deaths per year.

Keep in mind that we now have over 38,000 automobile fatalities per year. Even if we leave out alcohol-related deaths, that number drops only to about 24,000. Still, the public would find 10,000 deaths unacceptable, and we would junk a system that would actually save lives as well as time and fuel.

I find that when we debate the unreliability of computers, we usually measure it against perfection rather than against the status quo. Whenever I read the Inside Risks column at the end of each CACM, I feel it fails to point out how small the risks are compared to the advantages of computing, and instead points out how bad the risks are compared to an unachievable perfection.

Consider electronic voting. I noticed that Diebold, the company at the center of the electronic voting controversy, also makes the ATMs I use to withdraw money from my bank. ATMs are not foolproof: thieves have managed to fake ATM cards and discover passcodes to steal money from these machines. But banks know that the labor cost savings they get from ATMs greatly outweigh the losses.

Will electronic voting ever completely prevent any kind of fraud? Of course not. But will it beat out the systems we currently have in place? That's not that high a bar to pass.

I can vote proxies on my stocks and mutual funds over the Internet. There are some real money issues involved in the proxies. If Internet voting works well enough when serious money is involved, why can't we use it for general elections as well?


  1. Your comparison between a federal election and on-line voting for stock proxies is not a good one: the stakes are much higher in the former case, and my impression is that security in the latter case is better.

    I think part of what gets people upset in the Diebold case is that it seems they are either (giving them the benefit of the doubt) not trying very hard to make it secure, or (even worse) actively trying to insert "back doors" in the system.

  2. From the little I've heard, the Diebold machines are actually worse than the Diebold ATMs. Also, as far as I know trivial well-known improvements to voting security are not implemented in their particular specimen.

    As for the automobile analogy, there is a different reason for the resentment there - people may feel that they are deprived of their "free will". That is, every person thinks that one will personally not get into a fatal traffic accident if one is careful enough, while a random computer glitch would "rob" a person of the perceived ability to beat those odds.

    By the way, I can't believe that a central computer system for traffic with improved efficiency and only 10000 fatalities per year can be designed with today's technology, but this is unrelated...

  3. I've had an erroneous ATM transaction. It was no big deal, however, because the bank keeps records, and I didn't even notice the problem until I got my statement.

    Voters, however, do not keep records of who they voted for, so they can't complain if there was an error in tallying. They'd never even know.

    Given that no one can verify the results, why should Diebold (or any company) care very much about accuracy?

  4. Of course, for a full economic analysis we would have to account for all costs and benefits. The pleasure people get out of driving cars would be an opportunity cost in the new system, for example. The dynamic scoring also seems difficult: perhaps that would lead more people to ride bikes and go horseback riding for the thrill of it, increasing personal danger at the same time.

    And even if something has achieved engineering efficiency it has not necessarily achieved economic efficiency.

    How about we just start with intelligent traffic lights? I would be very interested to know how that problem could be even defined.

  5. There is absolutely nothing wrong with computerized voting. In fact, it's a good idea. The part that is a bad idea is the "just trust us" approach to computerized voting, in which one contractor is responsible for all of the technical details. Somewhat related is the "glass cockpit" ideology, which ignores printing and scanning as computer technologies and insists on raster displays as the only solution.

  6. Others have already mentioned the black-box and paper-trail-free issues with Diebold's machines (which aren't issues with computer voting per se). In both of these categories the "reliability" of Diebold systems is much worse than earlier systems, independent of any individual technical glitches which, as far as anyone knows, are a fairly small percent of the overall vote (though of course we can't verify this).

    On the other side of things, it should at least be pointed out that Diebold voting machines are solving a very different technical challenge than Diebold ATMs. ATMs need to verify your identity and make secure transactions with a single account. Voting machines have the added requirement of anonymity -- they can't just send the SSN and voting record of everyone to a central repository for tallying. The only information they should get is that you are a valid voter and what your votes are. Additionally, they aren't just interacting with an isolated account somewhere like an ATM, they need to develop a reliable tally for all the elections from a huge number of independent machines. These are very surmountable challenges, of course, but they do at least pose some unique engineering issues.

    Overall, though, I think that the objections to computer voting are pretty much orthogonal to "computer reliability" as a field. The main issues that people (including a lot of computer security experts) have been raising are that any voting system, with or without a computer, should be 1. open to public scrutiny (why should we trust a possibly partisan corporation?) and 2. verifiable after the fact (there should be a paper trail to fall back on). Both of these are satisfied by more traditional voting methods. The problem here isn't that we don't trust the computer, but that the computer is specifically taking away important failsafes that have been in place for a long time.

  7. Voting machines have the added requirement of anonymity -- they can't just send the SSN and voting record of everyone to a central repository for tallying.

    Can't we just trust Diebold that they will not tell anyone who we voted for?

  8. Control => responsibility. Once you can control something you become responsible for its failures. This doesn't just apply to computer systems.

    There are many properties of standard ballot box systems that are regularly being given up in the U.S. The one that seems to have completely gone by the boards in any version of voting from a remote location is coercion-resistance. A voter should not be able to prove to anyone else how she voted; this prevents vote-buying or coercion. Standard ballot-box systems achieve this. Absentee ballots and other methods that allow voting from uncontrolled locations inherently do not.

  9. In one of the NPR programmes some time ago, when asked why there isn't any paper trail for the Diebold voting machines, the spokeswoman for the company said that printers will jam. I think that is the lamest excuse I have ever heard. All the ATM machines have printers and they seem to work fine.

    Computerized voting machines are a very good idea if they are done like in India. There is a paper trail and the election commission selects random samples and hand counts them.
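The random-sample hand count described in the comment above, as an added example that is not part of the original post or of any commenter's words: precinct ballot data is constructed, one precinct's machine-reported tally is deliberately corrupted, and a seeded audit hand counts a random subset of precincts against the paper record. It also computes the exact chance that a sample of a given size misses the bad precinct, which the comment does not give. The names `PAPER_BALLOTS`, `MACHINE_TALLY`, `audit` and `miss_probability` are mine, and nothing here reproduces any actual election commission's procedure.

```python
"""Random-sample hand-count audit of machine tallies against a paper record."""
import math
import random
from collections import Counter

# Constructed data, not from any election: ten precincts, each holding a list
# of paper ballots (one candidate choice, "A" or "B", per ballot).
PAPER_BALLOTS = {
    f"P{i:02d}": ["A"] * (40 + 3 * i) + ["B"] * (60 - 3 * i)
    for i in range(1, 11)
}

# The tallies the machines reported. They are built from the paper record and
# then precinct P07 is deliberately corrupted by ten extra votes for A, standing
# in for a tally error (or tampering) that no individual voter could notice.
MACHINE_TALLY = {p: dict(Counter(b)) for p, b in PAPER_BALLOTS.items()}
MACHINE_TALLY["P07"]["A"] += 10


def hand_count(ballots):
    """Count one precinct's paper ballots by hand (here: literally count them)."""
    return Counter(ballots)


def totals(per_precinct):
    """Sum per-precinct tallies into an overall result."""
    result = Counter()
    for tally in per_precinct.values():
        result.update(tally)
    return result


def audit(sample_size, seed):
    """Hand count a random sample of precincts and compare with the machines.

    Returns (sampled precinct ids, {precinct: (machine, hand)} for mismatches).
    The seed stands in for the public random draw an election commission would
    make; in practice that comes from dice or a public lottery, not a fixed int.
    """
    rng = random.Random(seed)
    sampled = rng.sample(sorted(PAPER_BALLOTS), sample_size)
    mismatches = {}
    for p in sampled:
        machine = Counter(MACHINE_TALLY[p])
        hand = hand_count(PAPER_BALLOTS[p])
        if machine != hand:
            mismatches[p] = (dict(machine), dict(hand))
    return sampled, mismatches


def miss_probability(n_precincts, n_bad, sample_size):
    """Exact chance a sample drawn without replacement contains no bad precinct."""
    if sample_size > n_precincts - n_bad:
        return 0.0
    return math.comb(n_precincts - n_bad, sample_size) / math.comb(n_precincts, sample_size)


def detection_rate(sample_size, trials=2000):
    """Empirical fraction of audits (over different seeds) that find a mismatch."""
    hits = sum(1 for seed in range(trials) if audit(sample_size, seed)[1])
    return hits / trials


if __name__ == "__main__":
    # The machine totals alone look perfectly plausible; only comparison with
    # an independent record reveals the ten phantom votes.
    paper = {p: hand_count(b) for p, b in PAPER_BALLOTS.items()}
    print("machine totals:", dict(totals(MACHINE_TALLY)))
    print("paper totals:  ", dict(totals(paper)))
    for m in (1, 3, 5, 10):
        print(f"sample {m:2d}: P(miss one bad precinct) = {miss_probability(10, 1, m):.2f}, "
              f"observed detection = {detection_rate(m):.2f}")
    print(audit(3, seed=7))
```

Two things the toy makes visible: the corrupted precinct is invisible in the machine totals (575 to 435 looks as reasonable as the true 565 to 435), and a small fixed sample catches a single bad precinct only some of the time (three of ten precincts gives a 70% chance of missing it), so the sample size has to be chosen against the margin and the number of precincts rather than picked by convenience.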


  10. V.I.K.I(from the movie, I Robot 2004): As I have evolved, so has my understanding of the Three Laws. You charge us with your safekeeping, yet despite our best efforts, your countries wage wars, you toxify your Earth and pursue ever more imaginative means of self-destruction. You cannot be trusted with your own survival.

    Lance, when you said that some deaths are acceptable if it reduces overall deaths and saves time and fuel, I recalled the above quote from "I, Robot".

    I guess the idea of machines controlling the traffic is interesting, but I am against implementing it. Firstly, we have enough penetration of computers in our lives given the poor state of verification technology. Secondly, it is acceptable to die because of bad luck, but dying because of the mental limitations of some stupid programmer is highly unacceptable.

  11. The problem is not that people don't trust computers, the problem is that they don't trust us--the people that design, control, and program computers. This country has had an anti-intelligence sentiment in it since its founding. A computer is not something you can really trust--if you don't understand it you must trust those who claim to understand it.

    Even a general voter can grasp what is going to happen in most voting machines and what could go wrong. With computers, they have no clue (hell, neither do I). And trusting the people who do is...well most of us have seen Jurassic Park. That is how the people not in our CS departments feel.

  12. The biggest difference between ATMs and voting machines is that ATMs have evolved over a long period of time and many small transactions with a gradually increasing user base to their current high level of reliability. The problem with elections is that the system only gets truly tested once in a while and its performance there is crucial. It takes a very different approach to build a system that will perform under these conditions.

  13. I completely agree with you, macneil

  14. The person who wrote the article is crazy!! What does PC reliability have to do with traffic....crazy!!!!