Electronic voting is actually a fairly simple problem, complicated mainly by attempts to obscure methodologies. Companies want to have proprietary systems and monopolize as much of the market as possible. Unethical political operatives want a backdoor mechanism to adjust the outcome. Activists and (honest) election officials want strong security built in to safeguard against these adjustments. But secure (and obscure) proprietary machines and code do little to guarantee that results will not be changed; instead they increase, at great expense, the risk of inadequate or compromised systems. By focusing on verifiability over security we can make it quite difficult for anyone to rig an election at any level, and at rather less expense.
Though I doubt any of my ideas are actually new, when I laid them out the other day at Maryscott's monthly meetup I was asked to write a diary describing what I have in mind.
(more below; crossposted at My Left Wing)
Cryptography blossomed as an independent field of study only after the crucial realization that, to have a secure cipher, you must first assume the person trying to break it knows every detail of the system apart from the key (this is known as Kerckhoffs's principle). Though this principle is at the heart of modern information protection, far too often organizations rely instead on 'security through obscurity'. That is wholly inappropriate and counterproductive for voting. Aside from the risk that such a system is compromised, there is the unacceptable possibility that its creator has hidden a 'back door', and no outsider is in a position to tell.
The primary advantage of electronic voting has more to do with flexibility than security: it allows the ballot to be presented in any language and can offer accessibility options for voters with disabilities. Anything beyond that is frosting, and we need to be careful that extra features do not create more problems than they solve. Perhaps the best system out there uses the machines only for creating paper ballots, which are then counted separately.
Personally I think it is a shame not to make use of the computer to add additional levels of verification. Paper ballots are not encoded, nor hidden inside the workings of a proprietary system. Yet they have been acceptable and effective vehicles to accurately tabulate votes for a long time. There is no reason that a computer system subject to the same controls and procedures that protect paper balloting should not be more verifiable and accurate, while keeping its function just as open and clear.
Keeping in mind that our focus is on verifiability rather than security, that is, on making it difficult for someone to attack the process at any point without it being noticed and corrected, here is a proposal for how you might construct such a system:
- Use inexpensive, standard components. A voting application is not terribly resource intensive, so there is no need for the expense of custom hardware, nor for the risk that comes with it (a manufacturer that knows its hardware is intended for voting machines could design in a back door).
- Use open-source software written to a high standard of documentation and clarity.
- Load the operating system and software from a CD or similar non-alterable media; the computer would not even need a hard drive. The CD would be authorized for a particular election and kept with the ballots produced afterwards for later verification. It could be electronically and physically marked in any number of ways to verify its authenticity. The checksums of the CD and the program, along with other identifiers, would be recorded with the votes to help verify that the correct CD was actually used. This makes it more difficult to alter the code before or during voting. One caveat: a checksum that the voting program writes about itself is only a claim, since tampered software can write whatever value it likes; the check that counts is one an observer makes by hashing the physical disc on an independent machine and comparing it to the published value.
- Write votes as they are completed to a CD or similar write-once media, again avoiding a hard drive or similar storage that can be altered after the fact. After the voter sees and verifies his receipt, the confirmed vote is written indelibly to the CD. (A friend suggested writing two copies at once to mitigate the risk of a corrupted CD.) Write-once media also preserves the order in which votes were cast, which, matched against the order voters signed in, could link a record to a voter; the stored records should therefore carry nothing, such as timestamps or sequence numbers, that makes that matching easier.
- Use two paper receipts. One is used for verification of the vote and has the details listed in plain English (or other appropriate language) as well as in a bar code (for easy input in case of a recount). The other has a code on it which the voter may use later to verify her vote, by going online or calling an automated phone system. This code would be generated by encrypting the unique vote identifier with a password provided by the voter. (Only the identifier is stored with the vote, and the identifier can only be derived from the code by decrypting it with the same password.) In this way only the voter can check her own vote, and she can register a complaint if the record on the central computers differs from how she voted. Two caveats: the password is all that protects the code, so anyone holding the receipt can guess short passwords offline, and the key derivation must be deliberately slow; and a receipt that lets a voter prove to the system how she voted also lets her prove it to someone buying her vote, a trade-off that has to be weighed consciously.
- The voting stations would not be connected to the internet. Instead, initial automated tabulation would be done by uploading the data from each station's CD on a separate machine.
- Individual votes are stored and can be counted or checked in a central location, on the original CDs, or on the paper ballots generated with each vote. Some false or erroneous complaints would be expected, but a pattern of complaints should trigger reconciliation of the data on the central servers with the precinct CDs, or even a check of the paper ballots or a recount.
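The receipt-code scheme from the list above, worked through as an added example; it is an illustration written for this page, not code from the diary or from any voting product. It assumes a 16-byte vote identifier and a password the voter types in. Everything else (PBKDF2 stretching of the password, a fresh salt per receipt, a one-time XOR keystream for the identifier, and an HMAC tag so a wrong password is rejected rather than silently mapping to some random identifier) is this example's own construction using only the Python standard library; a real system would replace the XOR step with a standard authenticated cipher such as AES-GCM. The point is the flow: the precinct stores only the identifier with the ballot, the voter's password turns the identifier into the printed code, and the verification service can recover the identifier only when handed both the code and the same password.

```python
"""Voter receipt codes: encrypt the precinct's vote identifier under a
voter-chosen password so that only the voter can look up her own record.

Added example for this diary, not the author's code. Standard library only:
PBKDF2 stretches the password, a fresh salt per receipt gives a one-time
keystream for the 16-byte identifier, and an HMAC tag detects a wrong
password. The XOR step stands in for a proper AEAD cipher (e.g. AES-GCM).
"""
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional

ID_LEN = 16            # bytes in a vote identifier (assumed)
SALT_LEN = 16
TAG_LEN = 8
ITERATIONS = 100_000   # slows offline guessing by anyone holding the receipt


def _keys(password: str, salt: bytes):
    """Derive a one-time keystream and a MAC key from password and salt."""
    km = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             ITERATIONS, dklen=ID_LEN + 32)
    return km[:ID_LEN], km[ID_LEN:]


def make_receipt_code(vote_id: bytes, password: str) -> str:
    """Return the code printed on the voter's second receipt."""
    if len(vote_id) != ID_LEN:
        raise ValueError("vote identifier must be %d bytes" % ID_LEN)
    salt = secrets.token_bytes(SALT_LEN)          # unique per receipt
    stream, mac_key = _keys(password, salt)
    ct = bytes(a ^ b for a, b in zip(vote_id, stream))
    tag = hmac.new(mac_key, salt + ct, "sha256").digest()[:TAG_LEN]
    # 40 bytes -> 64 base32 characters, readable over the phone
    return base64.b32encode(salt + ct + tag).decode("ascii")


def open_receipt_code(code: str, password: str) -> Optional[bytes]:
    """Recover the vote identifier, or None if code or password is wrong."""
    try:
        raw = base64.b32decode(code.strip().upper())
    except ValueError:                            # includes binascii.Error
        return None
    if len(raw) != SALT_LEN + ID_LEN + TAG_LEN:
        return None
    salt = raw[:SALT_LEN]
    ct = raw[SALT_LEN:SALT_LEN + ID_LEN]
    tag = raw[SALT_LEN + ID_LEN:]
    stream, mac_key = _keys(password, salt)
    expected = hmac.new(mac_key, salt + ct, "sha256").digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):    # wrong password or tampered code
        return None
    return bytes(a ^ b for a, b in zip(ct, stream))


# Constructed stand-in for the records the precinct writes to its vote CD
# and later uploads: identifier -> ballot as confirmed by the voter.
RECORDS: Dict[bytes, str] = {}


def cast_vote(ballot: str, password: str) -> str:
    """Store the confirmed ballot under a fresh identifier; hand back the code."""
    vote_id = secrets.token_bytes(ID_LEN)
    RECORDS[vote_id] = ballot
    return make_receipt_code(vote_id, password)


def check_vote(code: str, password: str,
               records: Dict[bytes, str]) -> Optional[str]:
    """What the phone/web verification service does: decrypt, look up, show."""
    vote_id = open_receipt_code(code, password)
    if vote_id is None:
        return None
    return records.get(vote_id)


if __name__ == "__main__":
    code = cast_vote("Governor: Smith; Question 1: Yes", "correct horse battery")
    print("receipt code:", code)
    print("right password:", check_vote(code, "correct horse battery", RECORDS))
    print("wrong password:", check_vote(code, "guess", RECORDS))
```

Because the identifier is random and stored only alongside the ballot, a stolen receipt code without the password reveals nothing about which record it belongs to; the cost of that protection is that a forgotten password means the voter cannot verify her vote at all.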
This is not meant to be a perfectly secure system. I have no illusions that it, like any method of recording votes, cannot be compromised. It depends on the honesty and watchfulness of election workers. It is possible to replace the paper ballots, to replace the CDs, and to alter the records on the central server. It would be difficult to do all of this without arousing suspicion or leaving traces, but certainly possible. Even so, while the evidence might not back them up, it is not possible to alter the memories of the voters, and as the objections mounted it would become clear that something was wrong.
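The reconciliation that the CD and central-tabulation points above call for, as an added example that is not part of the original diary. The record layout is this example's own assumption: the first line of a precinct's vote CD is a header naming the election and the hashes of the boot CD and program, and every line after it is one confirmed vote. Three checks are shown: the hashes are recomputed from the physical media rather than trusted from the header, the CD is compared vote by vote against the central copy, and both are tallied so that an alteration shows up in the count.

```python
"""Reconcile a precinct's write-once vote CD against the central tabulation.

Added example for this diary, not the author's code. The record layout
(one JSON header line, then one JSON record per confirmed vote) and all
sample data below are constructed for this example.
"""
import hashlib
import json
from collections import Counter
from typing import Dict, List

# Constructed stand-ins for the physical artifacts.
BOOT_IMAGE = b"constructed stand-in for the authorized boot CD image"
PROGRAM = b"constructed stand-in for the voting program binary"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# The manifest officials publish before the election so observers can
# independently check what ran at each precinct.
AUTHORIZED_MANIFEST = {
    "election": "constructed-general-election",
    "boot_image_sha256": sha256_hex(BOOT_IMAGE),
    "program_sha256": sha256_hex(PROGRAM),
}


def precinct_cd(precinct: str, records: List[dict]) -> List[str]:
    """Lines as they would appear on the precinct's write-once vote CD."""
    header = {"precinct": precinct, **AUTHORIZED_MANIFEST}
    return [json.dumps(header)] + [json.dumps(r) for r in records]


def verify_boot_media(cd_lines: List[str], boot_image: bytes, program: bytes,
                      manifest: dict) -> List[str]:
    """Check the CD header against the manifest AND against hashes recomputed
    from the physical media. The header alone proves nothing: tampered
    software can write whatever hash it likes."""
    problems = []
    header = json.loads(cd_lines[0])
    for field, actual in (("boot_image_sha256", sha256_hex(boot_image)),
                          ("program_sha256", sha256_hex(program))):
        if manifest[field] != actual:
            problems.append(f"{field}: media does not match manifest")
        if header.get(field) != manifest[field]:
            problems.append(f"{field}: CD header does not match manifest")
    return problems


def records_of(cd_lines: List[str]) -> Dict[str, dict]:
    """Vote records keyed by identifier (header line skipped)."""
    return {r["id"]: r["ballot"] for r in map(json.loads, cd_lines[1:])}


def tally(records: Dict[str, dict]) -> Dict[str, Counter]:
    totals: Dict[str, Counter] = {}
    for ballot in records.values():
        for contest, choice in ballot.items():
            totals.setdefault(contest, Counter())[choice] += 1
    return totals


def reconcile(cd_records: Dict[str, dict],
              central_records: Dict[str, dict]) -> List[str]:
    """Vote-by-vote comparison of the precinct CD with the central copy."""
    findings = []
    for vid in sorted(set(cd_records) | set(central_records)):
        if vid not in central_records:
            findings.append(f"{vid}: on CD, missing centrally")
        elif vid not in cd_records:
            findings.append(f"{vid}: centrally, not on CD")
        elif cd_records[vid] != central_records[vid]:
            findings.append(f"{vid}: ballot differs")
    return findings


# Constructed sample precinct: three confirmed votes on the CD ...
CD_RECORDS = [
    {"id": "a1", "ballot": {"Governor": "Smith", "Question 1": "Yes"}},
    {"id": "a2", "ballot": {"Governor": "Jones", "Question 1": "No"}},
    {"id": "a3", "ballot": {"Governor": "Smith", "Question 1": "No"}},
]
CD_LINES = precinct_cd("Precinct 7", CD_RECORDS)

# ... and a central copy with one record altered after upload and one dropped.
CENTRAL = records_of(CD_LINES)
CENTRAL["a2"] = {"Governor": "Smith", "Question 1": "No"}
del CENTRAL["a3"]


if __name__ == "__main__":
    print("media check:", verify_boot_media(CD_LINES, BOOT_IMAGE, PROGRAM,
                                            AUTHORIZED_MANIFEST) or "ok")
    print("discrepancies:", reconcile(records_of(CD_LINES), CENTRAL))
    print("CD tally:     ", tally(records_of(CD_LINES)))
    print("central tally:", tally(CENTRAL))
```

The sorted, line-per-finding output is deliberate: a pattern of voter complaints from one precinct should lead straight to a list like this, and from there to the paper ballots if the CD and the central copy disagree.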
This system is not that hard to build. There is already at least one open-source general-purpose OS (Knoppix) which can boot a computer from CD without a hard drive, and which could be altered to boot directly into a voting program. The software itself is not terribly complex. It requires no special hardware. There is no reason why this cannot be done.