On Fully Informed Decisions and the Role of Academics

Posted on March 8, 2007 by ben

Professors Avi Rubin and Ed Felten are renowned computer security experts. Their work has made the press numerous times, and they’ve testified to various Congressional Committees on many issues, including voting. But when it comes to voting, their statements tend to leave out an entire category of voting systems for no clear reason. It’s as if they think this category of systems — open-audit elections with cryptography — is not fit for public consumption, even though it has been the focus of 20+ years by talented cryptographers (Benaloh, Chaum, Naor, Neff, etc…). There are, of course, valid criticisms of open-audit systems. But criticism and information blackout are two different things. The latter is, in my opinion, unhealthy for the larger debate of how we should audit our elections and, more generally, how we achieve technology transfer from academia to the public.

Open-audit elections allow anyone to verify that an election has been properly carried out. In particular, political parties, activist organizations, and interested citizens can effectively see the entire tallying process and verify its correctness. Individual voters get a physical receipt of their actions, which they can take home with them because it provides a meaningful and extremely-high-assurance audit while protecting ballot secrecy. Open-audit elections achieve the holy grail of elections: the reconciliation of verifiability and secrecy.

I should make one important point: when Avi and Ed say “paper-based voting”, I assume they do not include open-audit systems where the only paper is the encrypted receipt obtained by the voter. If my assumption is incorrect, and they really do mean to include crypto voting when they say “paper-based”, then that deserves significant clarification, because I’m fairly certain no one is interpreting it that way. Okay, that said, here goes….

Ed says, in a recent blog post:

By now there is overwhelming evidence that today’s paperless computer-based voting technologies have such serious security and reliability problems that we should not be using them.

Yes, absolutely, but in the next sentence:

Computers can’t do the job by themselves; but what role should they play in voting?

No! That’s a big leap. Computers can do the job by themselves in a truly secure way, it’s just that none of the fantastic protocols we know have been deployed in existing elections. In other words, let’s not throw out the baby with the bathwater: current, classic computer voting systems are no good, but that doesn’t mean secure computer-based voting is impossible.

Security does require some role for paper. Each vote must be recorded in a manner that is directly verified by the voter. And the system must be software-independent, meaning that its accuracy cannot rely on the correct functioning of any software system. Today’s paperless e-voting systems satisfy neither requirement, and the only practical way to meet the requirements is to use paper.

This is an inaccurate description of the “software independence” concept. Check out Rivest and Wack’s definition over at NIST. The abstract clearly states: “VVPAT and some cryptographically-based voting systems are software-independent.” In other words, the requirement is that we don’t trust the software on the voting machine, but it’s okay to trust that some verification software, either the ACLU’s, the EFF’s, the Democrats’, the Republicans’, or your own home-brewed verification code, will actually catch an error. And that’s the power of open-audit voting: you only need one auditor, any auditor, to do the right thing to catch an error. And anyone can be an auditor.

The rest of Ed’s post, on how to augment the security of classic, non-open-audit voting schemes with computers, is great. I’m all for it, as long as people realize that these approaches can only achieve a small fraction of the security we can get from open-audit techniques.

Meanwhile, Avi talks about his Congressional testimony:

Another member of the committee gave me the best opening I think I’ve ever had. He asked me if I thought it was possible to have a trustworthy and secure election using paperless DREs. I replied “no”. He then said, “Why?” It was a question I was hoping for. I explained that a software only system, especially one as complex as a DRE where all all of the voter input and vote tabulation takes place in a closed box, cannot possibly be audited. There is no way to know for sure that the totals produced by the machines at the end of the election correspond to the votes that were cast by the voters.

That is not true. Using cryptographic proofs, a software-only system can provide a rock-solid proof that it captured the voter’s intent correctly and tallied all of the votes correctly. The remains true even if the software was written by your worst enemy: no one can cheat the proof system.

So what’s going on? I doubt that Profs. Rubin and Felten don’t know about these open-audit systems. I really don’t think they have a vested interest in paper-based systems prevailing. No, they’re obviously trying to do what’s right. My guess is that, in their mind, what’s right is to get a better voting system deployed as quickly as possible, and anything that gets in the way of that hurts us. They probably worry that “the perfect will be the enemy of the good enough.”

Well, that may be. Life is full of such cases. But I’m not sure anyone should be withholding a potential solution for fear that it will confuse non-experts. It seems important to me to let the people decide. Maybe open-audit techniques can’t be made usable enough. Maybe people will reject them because they’re too complex. Maybe. But let’s not pre-judge that. Let’s put every solution on the table. Let’s not shut down options by writing blunt laws that prescribe VVPAT only. If, as a nation, we choose a solution without open-audit, let’s do so because we actively reject other solutions, not because we simply don’t know other options even exist. Let’s make this decision fully informed.

(Though the specific opinion here is mine, I have to thank Andy Neff for many long discussions which helped me form my vision of the role of an academic.)

This entry was posted in crypto, voting. Bookmark the permalink.
  • http://avi-rubin.blogspot.com/ Avi Rubin

    Ben, I have read and also studied some of the protocols you describe. I think they are ingenious and extremely interesting. However, if I had tried to discuss these in that hearing, with members of Congress who want to help their districts switch to better voting machines next year, I would have been ignored immediately and not taken seriously for the rest of the hearing. These are people who want today’s solution right now. When I meet with these people in less public fora, I always talk about the promise of cryptographic protocols, but if you don’t have a certified machine that they can use right away, then they will not be interested in it. You have to understand the circumstances when you make recommendations. I have no doubt that some day we will be using open-audit elections with cryptography, as you call them. It’s just that I think there are some barriers to adoption related to complexity, awareness, education, and availability of off the shelf products.

  • http://avi-rubin.blogspot.com/ Avi Rubin

    Ben, I have read and also studied some of the protocols you describe. I think they are ingenious and extremely interesting. However, if I had tried to discuss these in that hearing, with members of Congress who want to help their districts switch to better voting machines next year, I would have been ignored immediately and not taken seriously for the rest of the hearing. These are people who want today’s solution right now. When I meet with these people in less public fora, I always talk about the promise of cryptographic protocols, but if you don’t have a certified machine that they can use right away, then they will not be interested in it. You have to understand the circumstances when you make recommendations. I have no doubt that some day we will be using open-audit elections with cryptography, as you call them. It’s just that I think there are some barriers to adoption related to complexity, awareness, education, and availability of off the shelf products.

  • Pingback: Benlog » I Stand with Avi (regarding American Idol)

  • http://www.freedom-to-tinker.com Ed Felten

    In the section you quote from my blog post, the key word is “Today’s”. The advanced cryptographic systems are interesting, but they’re not ready for use yet. I support the NIST paper’s call for more research in this area. When these systems are ready, I’ll support them.

    I’ll probably blog about this issue soon.

  • http://www.freedom-to-tinker.com Ed Felten

    In the section you quote from my blog post, the key word is “Today’s”. The advanced cryptographic systems are interesting, but they’re not ready for use yet. I support the NIST paper’s call for more research in this area. When these systems are ready, I’ll support them.

    I’ll probably blog about this issue soon.

  • Ronald Crane

    I do not think that crypto voting systems give as much assurance as is commonly claimed.

    First, they are not proof against many presentation attacks (e.g., dropping candidates from the ballot, rearranging the ballot, modifying the headers between races, modulating the sensitivity of the touch-screen to make it more difficult to select certain candidates…) nor against delay- or denial-of-service attacks.

    Second, though they might (or might not) be proof against vote-flipping attacks, they are not proof against vote-cancellation attacks. In such an attack, the attacker programs the machine to generate a corrupted electronic record of her vote, along with a matching cryptographic receipt. When the votes are tallied, the corrupt record will either not decrypt to anything sensible, or will decrypt, but will contain a bad signature (depending on the crypto scheme). Now it doesn’t matter whether the voter checks the tally, since both her electronic record and her receipt are corrupt.

    Now let’s assume that the attacker corrupted enough records to theoretically flip the election. What do the officials do? Write it off as a “glitch” and certify the election, as is all too common with existing e-voting systems? Order a forensic investigation that concludes long after the fact, long after the attacker’s program has erased itself, and long after the election has been certified? Order a re-vote?

    I don’t see that crypto voting solves much.

  • Ronald Crane

    I do not think that crypto voting systems give as much assurance as is commonly claimed.

    First, they are not proof against many presentation attacks (e.g., dropping candidates from the ballot, rearranging the ballot, modifying the headers between races, modulating the sensitivity of the touch-screen to make it more difficult to select certain candidates…) nor against delay- or denial-of-service attacks.

    Second, though they might (or might not) be proof against vote-flipping attacks, they are not proof against vote-cancellation attacks. In such an attack, the attacker programs the machine to generate a corrupted electronic record of her vote, along with a matching cryptographic receipt. When the votes are tallied, the corrupt record will either not decrypt to anything sensible, or will decrypt, but will contain a bad signature (depending on the crypto scheme). Now it doesn’t matter whether the voter checks the tally, since both her electronic record and her receipt are corrupt.

    Now let’s assume that the attacker corrupted enough records to theoretically flip the election. What do the officials do? Write it off as a “glitch” and certify the election, as is all too common with existing e-voting systems? Order a forensic investigation that concludes long after the fact, long after the attacker’s program has erased itself, and long after the election has been certified? Order a re-vote?

    I don’t see that crypto voting solves much.

  • http://ben.adida.net ben

    Ed, I look forward to your blog post about this. I definitely think the crypto voting systems are ready to be tested, prototyped, evaluated. Most importantly, it would be a huge lost opportunity (and a mistake, I believe) to pass laws that inherently forbid these systems, because of some overly prescriptive approach.

    Ronald, you’re highly misinformed regarding crypto voting systems. I need to address your points in detail, lest they misinform others. I will do that in a follow-up blog post.

  • http://ben.adida.net ben

    Ed, I look forward to your blog post about this. I definitely think the crypto voting systems are ready to be tested, prototyped, evaluated. Most importantly, it would be a huge lost opportunity (and a mistake, I believe) to pass laws that inherently forbid these systems, because of some overly prescriptive approach.

    Ronald, you’re highly misinformed regarding crypto voting systems. I need to address your points in detail, lest they misinform others. I will do that in a follow-up blog post.

  • Pingback: Benlog » Responding to Ronald

  • http://josephhall.org/nqb2/ joe

    Sorry to be late to the party here… lame stomach flu.

    Ben, you suggest that the bill premise its requirements on “software independence” as articulated by NIST yet the STS subcommittee of the NIST TGDC has found it very difficult to write requirements and testing procedures for independent verification systems based purely on software. Their current proposal is to allow an “innovation class” where a party could propose a new voting system and NIST would come up with requirements and testing procedures for that new class of voting systems.

    So, I think, if software-based IV were to be incorporated as an option in HR 811, the language should not be pinned on “software independence” but more along the lines of: “Any State wishing to use a technology that does not comply with the [paper record requirements] shall submit the technology as an innovation class to the NIST TGDC and have it federally certified in the innovation class to meet the auditability, durability, privacy-preserving and voter verification requirements of this Act.”

    What do you think of this?

  • http://josephhall.org/nqb2/ joe

    Sorry to be late to the party here… lame stomach flu.

    Ben, you suggest that the bill premise its requirements on “software independence” as articulated by NIST yet the STS subcommittee of the NIST TGDC has found it very difficult to write requirements and testing procedures for independent verification systems based purely on software. Their current proposal is to allow an “innovation class” where a party could propose a new voting system and NIST would come up with requirements and testing procedures for that new class of voting systems.

    So, I think, if software-based IV were to be incorporated as an option in HR 811, the language should not be pinned on “software independence” but more along the lines of: “Any State wishing to use a technology that does not comply with the [paper record requirements] shall submit the technology as an innovation class to the NIST TGDC and have it federally certified in the innovation class to meet the auditability, durability, privacy-preserving and voter verification requirements of this Act.”

    What do you think of this?

  • http://ben.adida.net ben

    Hi Joe,

    Hope you’re feeling better!

    I think your proposal would certainly be better than what we currently have, but it would probably still be too onerous (and unjustifiably so given how much DRE+VVPAT gets a pass with very little real-world testing). I also think that, in the end, determining how to test crypto auditing will turn out to be a whole lot simpler than classic systems. But I digress a bit.

    I would go further than you suggest and say that NIST and the TGDC should complete guidelines on testing cryptographic auditing, and the Holt bill could certainly point to that work as “the standard” for how these things should be tested. At least 2 crypto voting systems have been fully built and tested (VoteHere and Punchscan), which means this is a bit further along than a brand new innovation class.

    That said, I think on the core we agree: having *something* in there that accounts for crypto voting and that doesn’t prescribe paper no matter what would be a good idea.

  • http://ben.adida.net ben

    Hi Joe,

    Hope you’re feeling better!

    I think your proposal would certainly be better than what we currently have, but it would probably still be too onerous (and unjustifiably so given how much DRE+VVPAT gets a pass with very little real-world testing). I also think that, in the end, determining how to test crypto auditing will turn out to be a whole lot simpler than classic systems. But I digress a bit.

    I would go further than you suggest and say that NIST and the TGDC should complete guidelines on testing cryptographic auditing, and the Holt bill could certainly point to that work as “the standard” for how these things should be tested. At least 2 crypto voting systems have been fully built and tested (VoteHere and Punchscan), which means this is a bit further along than a brand new innovation class.

    That said, I think on the core we agree: having *something* in there that accounts for crypto voting and that doesn’t prescribe paper no matter what would be a good idea.

  • http://josephhall.org/nqb2/ joe

    Ok. The trick is that they seem to know how to write requirements and testing specs for DRE+VVPAT (and other classical systems). They can’t easily write such things for a class as general as “open audit” systems as you describe them. I know they had been working specifically with VoteHere to do some threat-modeling and attack tree work; I don’t know what happened to that or if there are plans to use something like VoteHere or Punchscan as test cases to iron out the innovation class stuff. I guess we’ll see. The question is, if we want to seriously include these systems as possibilities in legislation like HR 811, what would the language have to look like. I think waiting for NIST to complete the 2007 VVSG and some test case innovation class work isn’t politically feasible in terms of the timing of all this…

  • http://josephhall.org/nqb2/ joe

    Ok. The trick is that they seem to know how to write requirements and testing specs for DRE+VVPAT (and other classical systems). They can’t easily write such things for a class as general as “open audit” systems as you describe them. I know they had been working specifically with VoteHere to do some threat-modeling and attack tree work; I don’t know what happened to that or if there are plans to use something like VoteHere or Punchscan as test cases to iron out the innovation class stuff. I guess we’ll see. The question is, if we want to seriously include these systems as possibilities in legislation like HR 811, what would the language have to look like. I think waiting for NIST to complete the 2007 VVSG and some test case innovation class work isn’t politically feasible in terms of the timing of all this…

  • http://ben.adida.net ben

    Joe,

    You’re making a good point: how do we certify open-audit systems. I have one idea as to how to start: every open-audit system should publish a reference implementation of the verification program with detailed comments and explanations. That’s probably a great place to start the auditing process: what is the verification program verifying, and what guarantees does that verification give us? I’ll think about this some more and post thoughts in a few days. Thanks for bringing this up!

  • http://ben.adida.net ben

    Joe,

    You’re making a good point: how do we certify open-audit systems. I have one idea as to how to start: every open-audit system should publish a reference implementation of the verification program with detailed comments and explanations. That’s probably a great place to start the auditing process: what is the verification program verifying, and what guarantees does that verification give us? I’ll think about this some more and post thoughts in a few days. Thanks for bringing this up!