Ed Note: IRC back channel available at irc.freenode.net: #CFP
The Battle for Accountable Voting Systems
1) Principles
- Elections are dispute resolution for social conflicts
* "The people have spoken ... the bastards!" -- Dick Tuck concession speech.
- Where should the burden of proof lie in elections?
* Now, losers have burden to prove election results are inaccurate.
* Dill proposes that burden should be on providers of elections. They have access to the information, technology, process, etc.
Audit: The ability to independently construct election results from original records.
For paper, you need:
* chain of custody
* locked ballot box
* voter makes permanent record
* transportation and counting of ballots are observed by officials and political parties.
- e.g. in California, two poll workers accompany each ballot box in transit
2) Trust and DREs
* "You have to trust somebody" Is this true?
* DRE = "Direct Recording Electronic"; does not necessarily include voter verifiable record.
* Consider a scribe system. You walk into a booth with a man behind the curtain. You tell him your vote and he writes it down but you never see him do this. This is essentially a DRE system.
* The only person who can check that the ballot is recorded correctly is The Voter. Any system that claims to be verifiable without the Voter is not really verifiable.
* Voting from a computer security scenario: pretty much the worst case possible.
- Assets being protected: democracy
- Potential Attackers: Hackers, Candidates, Zealots, Foreign Gov'ts, Criminal Organizations -- maximum number of attackers.
What Prof. Dill is worried about:
- Programmer adds hidden vote-changing code
- Code concealed from inspection
- Code only triggered during real election using cues (date, voter behavior) or explicitly by voter, poll worker, wireless network
- Changes small % of votes in plausible ways.
- Election outcomes can be changed without detection. No way to challenge results.
- No DRE can give us verifiable elections without paper.
- Local election officials are helpless to intervene -- they have no access to the electronic election process.
- Voting systems are especially vulnerable because they discard vital information for verification -- the identity of the voter. In other secure transactions, we count on the identity of the transactors (e.g. bank transactions). ATMs have video cameras and three separate paper trails.
- What software are we running?
* open source does not solve the problem. Can still be hacked.
3) Voter Verifiable audit trail
* Voter instructs machine to fill out ballot
* Machine shows ballot to Voter
* Voter verifies that vote is correct via "trustworthy technology", e.g. paper printout.
* Record of verification can be audited later by local officials.
Options:
* Manual ballots with manual counts
* Optically scanned paper ballots
* Touch screen machines with voter verifiable printers
* maybe crypto-based systems?
* Bottom Line: Paper is the only current option
4) Conclusion
- Before we adopt any radical new election technology, burden of proof should be on providers that elections are verifiable.
Posted by jasonschultz at April 21, 2004 10:25 AM