April 21, 2004

Notes on David Dill's Keynote

Ed Note: IRC back channel available at irc.freenode.net: #CFP

The Battle for Accountable Voting Systems

1) Principles

- Elections are dispute resolution for social conflicts
* "The people have spoken ... the bastards!" -- Dick Tuck concession speech.

- Where should the burden of proof lie in elections?
* Now, losers have burden to prove election results are inaccurate.
* Dill proposes that burden should be on providers of elections. They have access to the information, technology, process, etc.

Audit: The ability to independently construct election results from original records.

For paper, you need:
* chain of custody
* locked ballot box
* voter makes permanent record
* transportation and counting of ballots are observed by officials and political parties.
- e.g. in California, two poll workers accompany each ballot box in transit

2) Trust and DREs

* "You have to trust somebody" Is this true?
* DRE = "Direct Recording Electronic"; does not necessarily include voter verifiable record.
* Consider a scribe system. You walk into a booth with a man behind the curtain. You tell him your vote and he writes it down but you never see him do this. This is essentially a DRE system.

* The only person who can check that the ballot is recorded correctly is The Voter. Any system that claims to be verifiable without the Voter is not really verifiable.

* Voting as a computer security scenario: pretty much the worst case possible.
- Assets being protected: democracy
- Potential Attackers: Hackers, Candidates, Zealots, Foreign Gov'ts, Criminal Organizations -- maximum number of attackers.

What Prof. Dill is worried about:
- Programmer adds hidden vote-changing code
- Code concealed from inspection
- Code only triggered during real election using cues (date, voter behavior) or explicitly by voter, poll worker, wireless network
- Changes small % of votes in plausible ways.
- Election outcomes can be changed without detection. No way to challenge results.
- No DRE can give us verifiable elections without paper.
- Local election officials are helpless to intervene -- they have no access to the electronic election process.

- Voting systems are especially vulnerable because they discard vital information for verification -- the identity of the voter. In other secure transactions, we count on the identity of the transactors (e.g. bank transactions). ATMs have video cameras and three separate paper trails.

- What software are we running?
* open source does not solve the problem. Can still be hacked.

3) Voter Verifiable audit trail

* Voter instructs machine to fill out ballot
* Machine shows ballot to Voter
* Voter verifies that vote is correct via "trustworthy technology", e.g. paper printout.
* Record of verification can be audited later by local officials.


* Manual ballots with manual counts
* Optically scanned paper ballots
* Touch screen machines with voter verifiable printers
* maybe crypto-based systems?
* Bottom Line: Paper is the only current option
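
The audit step described above (reconstructing results from the original, voter-verified records and comparing them with what the machines reported), sketched as an added example that is not from the talk. The data layout, function names and sample counts are assumptions constructed for illustration.

```python
from collections import Counter

def winner(totals):
    """Return the leading candidate, or None on a tie or an empty count."""
    ranked = totals.most_common(2)
    if not ranked or (len(ranked) == 2 and ranked[0][1] == ranked[1][1]):
        return None
    return ranked[0][0]

def audit(reported, paper):
    """Recount voter-verified paper records and compare with machine totals.

    reported: {precinct: {candidate: count}} as published by the machines.
    paper:    {precinct: [candidate, ...]}, one entry per verified paper record.
    """
    discrepancies, unauditable = {}, []
    machine_sum, paper_sum = Counter(), Counter()
    for precinct in sorted(set(reported) | set(paper)):
        if not paper.get(precinct):
            # No original records: the machine total cannot be checked at all.
            unauditable.append(precinct)
            continue
        machine = Counter(reported.get(precinct, {}))
        recount = Counter(paper[precinct])
        machine_sum.update(machine)
        paper_sum.update(recount)
        delta = {c: machine[c] - recount[c]
                 for c in sorted(set(machine) | set(recount))
                 if machine[c] != recount[c]}
        if delta:
            discrepancies[precinct] = delta
    return {
        "discrepancies": discrepancies,
        "unauditable": unauditable,
        "machine_winner": winner(machine_sum),   # audited precincts only
        "paper_winner": winner(paper_sum),
    }

# Constructed sample data (not real election results).
REPORTED = {
    "P1": {"A": 50, "B": 48},
    "P2": {"A": 52, "B": 47},   # differs from the paper records by 5 votes
    "P3": {"A": 40, "B": 41},   # paperless machine: nothing to recount
}
PAPER = {
    "P1": ["A"] * 50 + ["B"] * 48,
    "P2": ["A"] * 47 + ["B"] * 52,
}

if __name__ == "__main__":
    print(audit(REPORTED, PAPER))
```

In the sample, a shift of five votes in one precinct is enough to change the winner among the audited precincts, and the paperless precinct is reported as unauditable rather than as matching.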

4) Conclusion

- Before we adopt any radical new election technology, burden of proof should be on providers that elections are verifiable.

Posted by jasonschultz at April 21, 2004 10:25 AM
