Skip to main content

How secure is the papal election?

By Bruce Schneier, Special to CNN
February 21, 2013 -- Updated 1100 GMT (1900 HKT)
The Conclave of Cardinals that will elect a new pope will meet in the Sistine Chapel in Vatican City.
The Conclave of Cardinals that will elect a new pope will meet in the Sistine Chapel in Vatican City.
STORY HIGHLIGHTS
  • Bruce Schneier: Rules for picking a new pope are very detailed
  • He says elaborate precautions are taken to prevent election fraud
  • Every step of the election process is observed by people who know each other
  • Schneier: Vatican's procedures, centuries in the making, are very secure

Editor's note: Bruce Schneier is a security technologist and author of "Liars and Outliers: Enabling the Trust Society Needs to Survive." In 2005, before the conclave that elected Pope Benedict XVI, Schneier wrote a piece on his blog about the process. This essay is an updated version, reflecting new information and analysis.

(CNN) -- As the College of Cardinals prepares to elect a new pope, security people like me wonder about the process. How does it work, and just how hard would it be to hack the vote?

The rules for papal elections are steeped in tradition. John Paul II last codified them in 1996, and Benedict XVI left the rules largely untouched. The "Universi Dominici Gregis on the Vacancy of the Apostolic See and the Election of the Roman Pontiff" is surprisingly detailed.

Every cardinal younger than 80 is eligible to vote. We expect 117 to be voting. The election takes place in the Sistine Chapel, directed by the church chamberlain. The ballot is entirely paper-based, and all ballot counting is done by hand. Votes are secret, but everything else is open.

Bruce Schneier
Bruce Schneier

First, there's the "pre-scrutiny" phase.

"At least two or three" paper ballots are given to each cardinal, presumably so that a cardinal has extras in case he makes a mistake. Then nine election officials are randomly selected from the cardinals: three "scrutineers," who count the votes; three "revisers," who verify the results of the scrutineers; and three "infirmarii," who collect the votes from those too sick to be in the chapel. Different sets of officials are chosen randomly for each ballot.

Each cardinal, including the nine officials, writes his selection for pope on a rectangular ballot paper "as far as possible in handwriting that cannot be identified as his." He then folds the paper lengthwise and holds it aloft for everyone to see.

When everyone has written his vote, the "scrutiny" phase of the election begins. The cardinals proceed to the altar one by one. On the altar is a large chalice with a paten -- the shallow metal plate used to hold communion wafers during Mass -- resting on top of it. Each cardinal places his folded ballot on the paten. Then he picks up the paten and slides his ballot into the chalice.

Pope may change rules to allow earlier election

If a cardinal cannot walk to the altar, one of the scrutineers -- in full view of everyone -- does this for him.

What some Catholics want in next pope
Where does an ex-pope go?
Pope's popularity on display in market
Could Pope Benedict be put on trial?

If any cardinals are too sick to be in the chapel, the scrutineers give the infirmarii a locked empty box with a slot, and the three infirmarii together collect those votes. If a cardinal is too sick to write, he asks one of the infirmarii to do it for him. The box is opened, and the ballots are placed onto the paten and into the chalice, one at a time.

When all the ballots are in the chalice, the first scrutineer shakes it several times to mix them. Then the third scrutineer transfers the ballots, one by one, from one chalice to another, counting them in the process. If the total number of ballots is not correct, the ballots are burned and everyone votes again.

To count the votes, each ballot is opened, and the vote is read by each scrutineer in turn, the third one aloud. Each scrutineer writes the vote on a tally sheet. This is all done in full view of the cardinals.

The total number of votes cast for each person is written on a separate sheet of paper. Ballots with more than one name (overvotes) are void, and I assume the same is true for ballots with no name written on them (undervotes). Illegible or ambiguous ballots are much more likely, and I presume they are discarded as well.

Then there's the "post-scrutiny" phase. The scrutineers tally the votes and determine whether there's a winner. We're not done yet, though.

The revisers verify the entire process: ballots, tallies, everything. And then the ballots are burned. That's where the smoke comes from: white if a pope has been elected, black if not -- the black smoke is created by adding water or a special chemical to the ballots.

Become a fan of CNNOpinion
Stay up to date on the latest opinion, analysis and conversations through social media. Join us at Facebook/CNNOpinion and follow us @CNNOpinion on Twitter. We welcome your ideas and comments.



Being elected pope requires a two-thirds plus one vote majority. This is where Pope Benedict made a change. Traditionally a two-thirds majority had been required for election. Pope John Paul II changed the rules so that after roughly 12 days of fruitless votes, a simple majority was enough to elect a pope. Benedict reversed this rule.

How hard would this be to hack?

First, the system is entirely manual, making it immune to the sorts of technological attacks that make modern voting systems so risky.

Second, the small group of voters -- all of whom know each other -- makes it impossible for an outsider to affect the voting in any way. The chapel is cleared and locked before voting. No one is going to dress up as a cardinal and sneak into the Sistine Chapel. In short, the voter verification process is about as good as you're ever going to find.

A cardinal can't stuff ballots when he votes. The complicated paten-and-chalice ritual ensures that each cardinal votes once -- his ballot is visible -- and also keeps his hand out of the chalice holding the other votes. Not that they haven't thought about this: The cardinals are in "choir dress" during the voting, which has translucent lace sleeves under a short red cape, making sleight-of-hand tricks much harder. Additionally, the total would be wrong.

The rules anticipate this in another way: "If during the opening of the ballots the scrutineers should discover two ballots folded in such a way that they appear to have been completed by one elector, if these ballots bear the same name, they are counted as one vote; if however they bear two different names, neither vote will be valid; however, in neither of the two cases is the voting session annulled." This surprises me, as if it seems more likely to happen by accident and result in two cardinals' votes not being counted.

Ballots from previous votes are burned, which makes it harder to use one to stuff the ballot box. But there's one wrinkle: "If however a second vote is to take place immediately, the ballots from the first vote will be burned only at the end, together with those from the second vote." I assume that's done so there's only one plume of smoke for the two elections, but it would be more secure to burn each set of ballots before the next round of voting.

The scrutineers are in the best position to modify votes, but it's difficult. The counting is conducted in public, and there are multiple people checking every step. It'd be possible for the first scrutineer, if he were good at sleight of hand, to swap one ballot paper for another before recording it. Or for the third scrutineer to swap ballots during the counting process. Making the ballots large would make these attacks harder. So would controlling the blank ballots better, and only distributing one to each cardinal per vote. Presumably cardinals change their mind more often during the voting process, so distributing extra blank ballots makes sense.

There's so much checking and rechecking that it's just not possible for a scrutineer to misrecord the votes. And since they're chosen randomly for each ballot, the probability of a cabal being selected is extremely low. More interesting would be to try to attack the system of selecting scrutineers, which isn't well-defined in the document. Influencing the selection of scrutineers and revisers seems a necessary first step toward influencing the election.

If there's a weak step, it's the counting of the ballots.

There's no real reason to do a precount, and it gives the scrutineer doing the transfer a chance to swap legitimate ballots with others he previously stuffed up his sleeve. Shaking the chalice to randomize the ballots is smart, but putting the ballots in a wire cage and spinning it around would be more secure -- albeit less reverent.

I would also add some kind of white-glove treatment to prevent a scrutineer from hiding a pencil lead or pen tip under his fingernails. Although the requirement to write out the candidate's name in full provides some resistance against this sort of attack.

Probably the biggest risk is complacency. What might seem beautiful in its tradition and ritual during the first ballot could easily become cumbersome and annoying after the twentieth ballot, and there will be a temptation to cut corners to save time. If the Cardinals do that, the election process becomes more vulnerable.

A 1996 change in the process lets the cardinals go back and forth from the chapel to their dorm rooms, instead of being locked in the chapel the whole time, as was done previously. This makes the process slightly less secure but a lot more comfortable.

Of course, one of the infirmarii could do what he wanted when transcribing the vote of an infirm cardinal. There's no way to prevent that. If the infirm cardinal were concerned about that but not privacy, he could ask all three infirmarii to witness the ballot.

There are also enormous social -- religious, actually -- disincentives to hacking the vote. The election takes place in a chapel and at an altar. The cardinals swear an oath as they are casting their ballot -- further discouragement. The chalice and paten are the implements used to celebrate the Eucharist, the holiest act of the Catholic Church. And the scrutineers are explicitly exhorted not to form any sort of cabal or make any plans to sway the election, under pain of excommunication.

The other major security risk in the process is eavesdropping from the outside world. The election is supposed to be a completely closed process, with nothing communicated to the world except a winner. In today's high-tech world, this is very difficult. The rules explicitly state that the chapel is to be checked for recording and transmission devices "with the help of trustworthy individuals of proven technical ability." That was a lot easier in 2005 than it will be in 2013.

What are the lessons here?

First, open systems conducted within a known group make voting fraud much harder. Every step of the election process is observed by everyone, and everyone knows everyone, which makes it harder for someone to get away with anything.

Second, small and simple elections are easier to secure. This kind of process works to elect a pope or a club president, but quickly becomes unwieldy for a large-scale election. The only way manual systems could work for a larger group would be through a pyramid-like mechanism, with small groups reporting their manually obtained results up the chain to more central tabulating authorities.

And third: When an election process is left to develop over the course of a couple of thousand years, you end up with something surprisingly good.

Follow @CNNOpinion on Twitter.

Join us at Facebook/CNNOpinion.

The opinions expressed in this commentary are solely those of Bruce Schneier.

ADVERTISEMENT
Part of complete coverage on
April 16, 2014 -- Updated 1642 GMT (0042 HKT)
Rick McGahey says Rep. Paul Ryan is signaling his presidential ambitions by appealing to hard core Republican values
April 16, 2014 -- Updated 1539 GMT (2339 HKT)
Paul Saffo says current Google Glasses are doomed to become eBay collectibles, but they are only the leading edge of a surge in wearable tech that will change our lives
April 15, 2014 -- Updated 1849 GMT (0249 HKT)
Kathleen Blee says the KKK and white power or neo-Nazi groups give haters the purpose and urgency to use violence.
April 16, 2014 -- Updated 1156 GMT (1956 HKT)
Sen. Sheldon Whitehouse and Rep. Henry Waxman say read deep, and you'll see the federal Keystone pipeline report spells out the pipeline is bad news
April 16, 2014 -- Updated 1153 GMT (1953 HKT)
Frida Ghitis says President Obama needs to stop making empty threats against Russia and consider other options
April 15, 2014 -- Updated 2129 GMT (0529 HKT)
Peter Bergen and David Sterman say the Kansas Jewish Center killings are part of a string of lethal violence in the U.S. that outstrips al Qaeda-influenced attacks. Why don't we pay more attention?
April 15, 2014 -- Updated 1641 GMT (0041 HKT)
Danny Cevallos says families of the passengers on Malaysian Airlines Flight 370 need legal counsel
April 14, 2014 -- Updated 1523 GMT (2323 HKT)
David Frum says Russia is on a rampage of mischief while Western leaders and Western alliances charged with keeping the peace hem and haw
April 14, 2014 -- Updated 1156 GMT (1956 HKT)
Most adults make the mistakes of hitting the snooze button and of checking emails first thing in the morning, writes Mel Robbins
April 14, 2014 -- Updated 1754 GMT (0154 HKT)
David Wheeler says as middle-class careers continue to disappear, we need a monthly cash payment to everyone
April 14, 2014 -- Updated 1155 GMT (1955 HKT)
Democrats need to show more political spine when it comes to the issue of taxes.
April 14, 2014 -- Updated 1555 GMT (2355 HKT)
Donna Brazile recalls the 50th Anniversary of the Civil Rights Act as four presidents honored the heroes of the movement and Lyndon Johnson, who signed the law
April 14, 2014 -- Updated 1317 GMT (2117 HKT)
Elmer Smith remembers Chuck Stone, the legendary journalist from Philadelphia who was known as a thorn in the side of police and an advocate for the little guy
April 13, 2014 -- Updated 1856 GMT (0256 HKT)
Al Franken says Comcast, the nation's largest cable provider, wants to acquire Time Warner Cable, the nation's second-largest cable provider. Should we be concerned?
April 11, 2014 -- Updated 1522 GMT (2322 HKT)
Philip Cook and Kristin Goss says the Pennsylvania stabbing attack, which caused grave injury -- but not death, carries a lesson on guns for policymakers
April 11, 2014 -- Updated 1906 GMT (0306 HKT)
Wikipedia lists 105 football movies, but all too many of them are forgettable, writes Mike Downey
April 11, 2014 -- Updated 1432 GMT (2232 HKT)
John Sutter and hundreds of iReporters set out to run marathons after the bombings -- and learned a lot about the culture of running
April 11, 2014 -- Updated 1649 GMT (0049 HKT)
Timothy Stanley says it was cowardly to withdraw the offer of an honorary degree to Ayaan Hirsi Ali. The university should have done its homework on her narrow views and not made the offer
April 11, 2014 -- Updated 1416 GMT (2216 HKT)
Al Awlaki
Almost three years after his death in a 2011 CIA drone strike in Yemen, Anwar al-Awlaki continues to inspire violent jihadist extremists in the U.S, writes Peter Bergen
April 12, 2014 -- Updated 0121 GMT (0921 HKT)
David Bianculli says Colbert is a smart, funny interviewer, but ditching his blowhard persona to take over the mainstream late-night role may cost him fans
April 10, 2014 -- Updated 1731 GMT (0131 HKT)
Rep. Paul Ryan says the Republican budget places its trust in the people, not in Washington
April 10, 2014 -- Updated 2128 GMT (0528 HKT)
Aaron David Miller says Obama isn't to blame for Kerry's lack of progress in resolving Mideast talks
April 14, 2014 -- Updated 1522 GMT (2322 HKT)
David Weinberger says beyond focusing on the horrors of the attack a year ago, it's worth remembering the lessons it taught about strength, the dangers of idle speculation and Boston's solidarity
April 10, 2014 -- Updated 1632 GMT (0032 HKT)
Katherine Newman says the motive for the school stabbing attack in Pennsylvania is not yet known, but research on such rampages turns up similarities in suspects and circumstances
April 11, 2014 -- Updated 1103 GMT (1903 HKT)
Simon Tisdall: Has John Kerry's recent track record left Russia's wily leader ever more convinced of U.S. weakness?
April 10, 2014 -- Updated 1640 GMT (0040 HKT)
Mel Robbins says Nate Scimio deserves credit for acting bravely in a frightening attack and shouldn't be criticized for posting a selfie afterward
April 9, 2014 -- Updated 1839 GMT (0239 HKT)
Wendy Townsend says the Rattlesnake Roundup -- where thousands of pounds of snakes are killed and tormented -- is barbaric
April 10, 2014 -- Updated 1345 GMT (2145 HKT)
Dr. Mary Mulcahy says doctors who tell their patients the truth risk getting bad ratings from them
April 9, 2014 -- Updated 1328 GMT (2128 HKT)
Peggy Drexler says the married Rep. McAllister, caught on video making out with a staffer, won't get a pass from voters who elected him as a Christian conservative with family values
April 9, 2014 -- Updated 1143 GMT (1943 HKT)
David Frum says the president has failed to react strongly to crises in Iran, Syria, Ukraine and Venezuela, encouraging others to act out
April 9, 2014 -- Updated 2057 GMT (0457 HKT)
Eric Liu says Paul Ryan gets it very wrong: The U.S.'s problem is not a culture of poverty, it is a culture of wealth that is destroying the American value linking work and reward
April 9, 2014 -- Updated 1151 GMT (1951 HKT)
Frida Ghitis writes: "We are still seeing the world mostly through men's eyes. We are still hearing it explained to us mostly by men."
April 10, 2014 -- Updated 1408 GMT (2208 HKT)
Chester Wisniewski says the Heartbleed bug shows how we're all tangled together, relying on each other for Internet security
April 9, 2014 -- Updated 1926 GMT (0326 HKT)
Danny Cevallos says an Ohio school that suspended a little kid for pointing his finger at another kid and pretending to shoot shows the growth in "zero tolerance" policies at school run amok
ADVERTISEMENT