waider ([personal profile] waider) wrote 2004-09-08 01:01 pm

electronic voting: some thoughts

This fell out of a discussion with a friend this morning, so it may be treated as an ill-considered hare-brained notion, but anyway. I'm very much a real-world-vs-ivory-tower person; I feel very strongly that a delivered but incomplete product beats out a 100% complete product every time. This is sort of the Richard P. Gabriel "Worse Is Better" argument writ large; I feel it has applications well outside the realm of computers. Anyway. As such, I feel that if we spend all our time pissing about looking for 100% secure solutions to electronic voting, we're never going to get there. I'm handwaving the 100% insecure systems already deployed, obviously.

What is needed is a system that's as trustworthy as a paper ballot. Paper ballots can be gamed, but their nature is generally that you can't severely game the system. The Canadian voting system is a good example of how this gaming is kept in check: each party can send people to witness the counting to make sure it's done fairly. There's still the issue of people being bribed or otherwise persuaded to vote in a particular way, and the issue of getting ballots from A to B, and the issue of how the final tallies are collated on a large scale. The system has holes, but is largely trustworthy.

The biggest problem with an electronic system is that of verification. If you can't verify that your wishes are being converted into reality, then the system is useless. But relatively few people can look at a circuit, or lines of code, and say "this is good". So here's my idea:

You've essentially got three things to worry about: hardware, software, and communication. Everything else remains identical to a paper ballot system: voter identity verification, physical location security, etc.

First, let's address hardware. Build the system out of off-the-shelf parts. And I mean off-the-shelf. I don't mean bespoke hardware from a single manufacturer; I mean a stock PC with the necessary peripherals (touchscreen, printer, etc.) from random sources. The stock PC is a well-understood beast in terms of hardware and capabilities, so within certain specifications of speed, display resolution, and capacity, one is as good as the next. Rather than verify your sources, your verification mechanism is this: a verification team can, at any time, turn up at a polling station and replace arbitrary parts of a polling machine with identical replacements. Apply statistics to determine how much of this needs to be done to effectively make gaming the hardware a high-risk, low-gain venture. Presto, your hardware problems are now simply an issue of making sure that your verification team is trustworthy, which in turn puts you more-or-less on par with a paper ballot.
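The "apply statistics" step above can be made concrete. This is an added example, not part of the original post: it treats the verification team's random part swaps as sampling without replacement and asks how large a sample makes tampering a high-risk venture. The booth count and tampering rate are constructed figures, and "inspected" is assumed to mean a booth whose swapped-out parts are examined afterwards.

```python
from math import comb


def detection_probability(total, tampered, inspected):
    """Chance that inspecting `inspected` machines drawn uniformly at random
    (without replacement) from `total` turns up at least one of `tampered`
    tampered machines. Hypergeometric: 1 - P(every inspected machine is clean)."""
    if tampered <= 0 or inspected <= 0:
        return 0.0
    if inspected > total - tampered:
        return 1.0  # more inspections than clean machines: a hit is certain
    return 1.0 - comb(total - tampered, inspected) / comb(total, inspected)


def inspections_needed(total, tampered, confidence=0.95):
    """Smallest random sample that detects `tampered` machines with at least
    `confidence` probability; this is the verification team's budget."""
    for n in range(1, total + 1):
        if detection_probability(total, tampered, n) >= confidence:
            return n
    return total


if __name__ == "__main__":
    # Constructed figures: 1000 booths in a constituency, 1 % of them tampered
    # with, and a verification team swapping parts on booths chosen at random.
    total, tampered = 1000, 10
    for n in (10, 50, 100, 250, 500):
        p = detection_probability(total, tampered, n)
        print(f"inspect {n:4d} booths: detection probability {p:.3f}")
    print("sample for 95 % detection:", inspections_needed(total, tampered))
```

The point for the attacker's side of the ledger is that detection probability rises quickly with the sample while the number of booths they would need to touch to swing a result does not shrink, which is what makes the venture high-risk and low-gain.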

Secondly, software. The software should be the bare minimum required to operate the polling booth. Ideally this would mean a bespoke OS, but that will run into the same issues as above. So let's be OS agnostic for now; in an isolated standalone box with a closed noninterruptible front-end, one OS is as good as the next. Sorry, open source people, but do feel free to prove me wrong on this point. Again, using off-the-shelf software means that in theory your verification team can wander in, reload the OS and application, and continue on their verifying way as above. However, they can also come bearing a standard laptop with a spare drive port of some sort (hey! FireWire drives! neat!); they remove the drive from the booth, plug it into their laptop, and run a checksum on it. In the style of the Canadian system above, each party can provide a person to check, so you're not relying on a single working verification machine. I'm handwaving the verification software since checksumming is well enough understood that the auditing body simply needs to publish the checksum and its means of calculation, and leave implementation up to any number of third parties. It is then in the interests of each verifier to ensure that what they've got is kosher, once more achieving parity with a paper ballot.

The auditing body itself is responsible for determining that the software is trustworthy, that a voter-verified audit trail (VVAT) accurately reflects the vote cast, etc. You're left with the question of who audits the auditors, but again I'm handwaving that. Make it an open process. Allow anyone to audit the system. For the OS, use of a defined level of a standard OS available to anyone means that literally anyone can verify the OS themselves, leaving just the application in the hands of the auditing body, and mandating that the application be publicly available open source means that again, literally anyone can verify the application.
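A minimal third-party verifier of the kind the post leaves to implementers, as an added example that is not part of the original post. It assumes the auditing body publishes a sha256sum-style manifest (one "digest  relative-path" line per file) and that the booth drive is mounted read-only on the laptop; the sample drive contents and manifest are constructed here for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path):
    """Digest a file with the algorithm the published manifest prescribes."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def parse_manifest(text):
    """Published manifest: one '<sha256 hex>  <relative path>' per line."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            digest, _, rel = line.partition("  ")
            expected[rel] = digest.lower()
    return expected

def verify_tree(root, expected):
    """Return (ok, findings). An unlisted file is a finding too: an extra
    binary on the booth drive is as suspect as a modified one."""
    findings, seen = [], set()
    for full in (p for p in Path(root).rglob("*") if p.is_file()):
        rel = full.relative_to(root).as_posix()
        seen.add(rel)
        if rel not in expected:
            findings.append(("UNLISTED", rel))
        elif sha256_file(full) != expected[rel]:
            findings.append(("MISMATCH", rel))
    findings += [("MISSING", rel) for rel in expected if rel not in seen]
    return not findings, sorted(findings)

def put(root, rel, data):
    """Write a constructed sample file, creating parent directories."""
    path = Path(root, rel)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)

def demo():
    """Constructed sample drive: verified clean, then re-verified after one
    binary is altered and a stray file appears."""
    with tempfile.TemporaryDirectory() as root:
        files = {"boot/kernel": b"kernel-bits", "app/ballot": b"ballot-app-v1"}
        for rel, data in files.items():
            put(root, rel, data)
        manifest = "\n".join(f"{sha256_file(Path(root, r))}  {r}" for r in files)
        expected = parse_manifest(manifest)
        clean_ok, _ = verify_tree(root, expected)
        put(root, "app/ballot", b"ballot-app-v1-modified")
        put(root, "app/extra", b"stray")
        return clean_ok, verify_tree(root, expected)[1]
```

Because each party's verifier only needs the manifest and the digest algorithm, several independently written tools can be run against the same drive, which is the parity-with-paper property the post is after.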

All of the above focuses on the voting machines themselves, but can equally well be applied to the tally systems.

That leaves communication. I've not given this quite as much thought (which means I've not really thought about it at all). My first thought would be to not use electronic means of communication to get your votes from A to B, but to rely on the same system as is currently in use: physical transport coupled with physical security. You lose the convenience of simply flinging bits from the booths to the tally system, but no one ever said democracy had to be convenient... I'd like to suggest the use of public key encryption, but that implicitly requires a private key, which means someone has a secret they can divulge which affects the trustworthiness of the system. I guess I'll have to think about it some more.

Comments appreciated, since I've never really considered this stuff seriously before.

[identity profile] tongodeon.livejournal.com 2004-09-08 10:42 am (UTC)
Your points are valid, but they're not really related to the outrage in the States with electronic voting.

The issue isn't that US electronic voting companies have an acknowledged incomplete system that they're striving to improve. I could totally live with that. The issue is that electronic voting machines are lacking fundamental features like physical paper trails to allow recounts and verification, and the manufacturers are arguing that this absence is not a sign of incompleteness. In other words they're arguing that this *is* a 100% complete product. That's the real issue: not that the current system has flaws, but that the flaws will never be fixed or even acknowledged as flaws.

Incidentally I've heard that the Indian voting machines are a good example: they're simple and open-source, relying on physical buttons and simple counters rather than elaborate database-and-smart-card storage/retrieval systems. They also leave a verifiable paper trail making audits easy.

[identity profile] waider.livejournal.com 2004-09-08 11:18 am (UTC)
Well, er, yes, but I'd pretty much given up on the US ever getting it right. Y'all aren't the only country considering electrovotamationing.

[identity profile] candice.livejournal.com 2004-09-08 11:39 am (UTC)
That and we've got the problem of a lot of states, most of which have a lot of counties, all of which get to buy their own stuff. No standards.