David Dill opened CFP2004 with a keynote address on the perils of
electronic voting systems as they currently exist. It went something like
this . . .
David Dill: The role of elections in a democracy is that they are social
contracts to make it that everyone -- especially the losers -- accepts the
results.
Given that, where should the burden of proof lie?
We should be able to prove that elections are accurate. That
requires reliable and secure equipment, and it requires routine and
meaningful audits.
There can be problems with paper ballot systems, but we understand the
integrity measures:
- voter makes a permanent record of her vote,
- it goes in a locked box, in public view, and
- ballots are observed and counted by multiple parties and officials.
We understand these measures with respect to paper balloting systems. Any
new system should be at least that good.
Compare a paper system in which voters dictate their preferences to a
scribe behind a curtain. That system would preserve anonymity, but there
would be no accountability.
In a DRE system, an accidental (or deliberate) flaw in the recording
mechanism can alter the election -- and never be detected.
Computer systems cannot be expected to be perfect -- which is what we
expect.
There are bugs. (We can eliminate obvious ones, but leave obscure,
unpredictable, potentially nasty ones.)
A LOT IS AT RISK, which entails that attackers may be very sophisticated,
and they may be well financed. (threat model matters)
Consider a generic attack.
- Someone adds hidden vote-changing code (whether programmer or
janitor).
- Conceal it from inspection.
- Use cues that correspond to real voting situations to trigger the
processes to run, or trigger explicitly by voter, poll worker, or wireless
network user outside.
- Use the malicious code to change small percentage of the votes in
plausible ways.
Inspecting the software won't do the job of stopping the attack in
advance, testing it won't do it, statistical analysis won't tell us after
the fact.
DREs are beyond the scope of current technology if you accept that the
burden of proof is to show that elections are accurate. Indeed, they
create new risks. In particular, the ratios between level of effort
required and number of votes that can be changed, and between the risks of
changing votes and the effects that can be had on elections are altered
dramatically.
Voting is an especially hard security arena because every good
voting system must discard vital information: the voter-vote
connection. By contrast, banking systems feature audit trails that
link names to transactions, photos of users, paper backup, and so on.
There's a lot of accountability -- insiders still commit crimes, but fraud
can be quantified and customers can (in the main) be protected.
It is currently impossible ("impossible" suitably qualified for the
audience) because: we can't eliminate program bugs, guarantee program
security, or verify that the desired software is what's running when voters
use the touch screen.
What to do?
Reconsider the "man behind the curtain." Imagine the voter can verify the
vote, the ballot is deposited in a secure box, and voter-verified records are
audited (and that audit takes precedence over other counts).
A voter-verified audit trail is necessary but not sufficient. Also need
physical security, transparent process, accessibility, and more.
Recounts can't be simply a re-reading of the data stored electronically.
Recounts need to be independent of the suspect equipment and should be
performed
- for cause -- when there are doubts about the election,
- when candidates challenge, and
- on a random basis.
Computer-generated ballots can have additional security features.
Audit trail, audit trail, audit trail.
Put money into XXXX (missed that) rather than technology.
As things stand, all elections conducted by DREs are open to question, in
which case there would be grave doubts about the outcome of a close
election.
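The talk's point that recounts must be independent of the suspect equipment and run partly at random can be made concrete. The following is an added illustration written for these notes, not code from the talk or from any voting system: it compares per-precinct machine tallies against a hand count of voter-verified paper records, picks a uniformly random audit sample, and computes exactly how likely such a sample is to land on at least one tampered precinct (the hypergeometric complement). All precinct names and vote counts are constructed sample data; the one precinct whose machine record disagrees with the paper is planted deliberately so the audit has something to find.

```python
import random
from fractions import Fraction
from math import comb

# Constructed sample data: hand counts of voter-verified paper records per precinct.
PAPER = {
    "P01": {"A": 412, "B": 388}, "P02": {"A": 305, "B": 331},
    "P03": {"A": 250, "B": 270}, "P04": {"A": 498, "B": 402},
    "P05": {"A": 190, "B": 210}, "P06": {"A": 377, "B": 365},
    "P07": {"A": 440, "B": 420}, "P08": {"A": 288, "B": 301},
    "P09": {"A": 333, "B": 319}, "P10": {"A": 402, "B": 396},
}

# Constructed machine tallies: identical to the paper except one precinct where
# 20 votes have moved from B to A. The precinct total is unchanged, so a simple
# turnout check would not notice; only an independent hand count does.
ELECTRONIC = {p: dict(t) for p, t in PAPER.items()}
ELECTRONIC["P03"] = {"A": 270, "B": 250}


def discrepancies(electronic, paper):
    """Precincts whose machine tally differs from the independent hand count."""
    return sorted(p for p in electronic if electronic[p] != paper.get(p))


def audit(electronic, paper, sample_size, seed=None):
    """Hand-count a uniformly random sample of precincts and report any mismatch.

    Returns (sampled precincts, flagged precincts). The sample is drawn from the
    precinct list, never from anything the machines report, so a machine that
    misreports cannot steer itself out of the audit.
    """
    rng = random.Random(seed)
    sample = sorted(rng.sample(sorted(electronic), sample_size))
    flagged = [p for p in sample if electronic[p] != paper[p]]
    return sample, flagged


def detection_probability(total, tampered, sample_size):
    """Exact probability that a random sample of `sample_size` precincts out of
    `total` contains at least one of `tampered` precincts: 1 - C(T-k, n)/C(T, n).
    """
    if not 0 <= tampered <= total or not 0 <= sample_size <= total:
        raise ValueError("sample and tampered counts must lie within the precinct total")
    return 1 - Fraction(comb(total - tampered, sample_size), comb(total, sample_size))


def min_sample_for_confidence(total, tampered, confidence):
    """Smallest audit sample giving at least `confidence` chance of catching
    tampering that touches `tampered` precincts. With zero tampered precincts
    there is nothing to detect, so the full count is the only honest answer."""
    if tampered == 0:
        return total
    for n in range(1, total + 1):
        if detection_probability(total, tampered, n) >= confidence:
            return n
    return total


if __name__ == "__main__":
    print("precincts disagreeing with the paper:", discrepancies(ELECTRONIC, PAPER))
    sample, flagged = audit(ELECTRONIC, PAPER, sample_size=3, seed=7)
    print("audited:", sample, "flagged:", flagged)
    total = len(PAPER)
    for k in (1, 2):
        p = detection_probability(total, k, 3)
        print(f"{k} tampered of {total}, sample 3: detection probability {p} ({float(p):.2%})")
        print(f"  sample needed for 90% confidence: {min_sample_for_confidence(total, k, Fraction(9, 10))}")
```

The numbers are small on purpose: with ten precincts and a single altered one, a three-precinct sample catches it only 30% of the time, which is why the notes insist the voter-verified paper must be counted for cause and on challenge as well, not only at random.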
4:01:59 PM