Professors Avi Rubin and Ed Felten are renowned computer security experts. Their work has made the press numerous times, and they’ve testified to various Congressional Committees on many issues, including voting. But when it comes to voting, their statements tend to leave out an entire category of voting systems for no clear reason. It’s as if they think this category of systems — open-audit elections with cryptography — is not fit for public consumption, even though it has been the focus of 20+ years by talented cryptographers (Benaloh, Chaum, Naor, Neff, etc…). There are, of course, valid criticisms of open-audit systems. But criticism and information blackout are two different things. The latter is, in my opinion, unhealthy for the larger debate of how we should audit our elections and, more generally, how we achieve technology transfer from academia to the public.
Open-audit elections allow anyone to verify that an election has been properly carried out. In particular, political parties, activist organizations, and interested citizens can effectively see the entire tallying process and verify its correctness. Individual voters get a physical receipt of their actions, which they can take home with them because it provides a meaningful and extremely-high-assurance audit while protecting ballot secrecy. Open-audit elections achieve the holy grail of elections: the reconciliation of verifiability and secrecy.
I should make one important point: when Avi and Ed say “paper-based voting”, I assume they do not include open-audit systems where the only paper is the encrypted receipt obtained by the voter. If my assumption is incorrect, and they really do mean to include crypto voting when they say “paper-based”, then that deserves significant clarification, because I’m fairly certain no one is interpreting it that way. Okay, that said, here goes….
Ed says, in a recent blog post:
By now there is overwhelming evidence that today’s paperless computer-based voting technologies have such serious security and reliability problems that we should not be using them.
Yes, absolutely, but in the next sentence:
Computers can’t do the job by themselves; but what role should they play in voting?
No! That’s a big leap. Computers can do the job by themselves in a truly secure way, it’s just that none of the fantastic protocols we know have been deployed in existing elections. In other words, let’s not throw out the baby with the bathwater: current, classic computer voting systems are no good, but that doesn’t mean secure computer-based voting is impossible.
Security does require some role for paper. Each vote must be recorded in a manner that is directly verified by the voter. And the system must be software-independent, meaning that its accuracy cannot rely on the correct functioning of any software system. Today’s paperless e-voting systems satisfy neither requirement, and the only practical way to meet the requirements is to use paper.
This is an inaccurate description of the “software independence” concept. Check out Rivest and Wack’s definition over at NIST. The abstract clearly states: “VVPAT and some cryptographically-based voting systems are software-independent.” In other words, the requirement is that we don’t trust the software on the voting machine, but it’s okay to trust that some verification software, either the ACLU’s, the EFF’s, the Democrats’, the Republicans’, or your own home-brewed verification code, will actually catch an error. And that’s the power of open-audit voting: you only need one auditor, any auditor, to do the right thing to catch an error. And anyone can be an auditor.
The rest of Ed’s post, on how to augment the security of classic, non-open-audit voting schemes with computers, is great. I’m all for it, as long as people realize that these approaches can only achieve a small fraction of the security we can get from open-audit techniques.
Meanwhile, Avi talks about his Congressional testimony:
Another member of the committee gave me the best opening I think I’ve ever had. He asked me if I thought it was possible to have a trustworthy and secure election using paperless DREs. I replied “no”. He then said, “Why?” It was a question I was hoping for. I explained that a software only system, especially one as complex as a DRE where all all of the voter input and vote tabulation takes place in a closed box, cannot possibly be audited. There is no way to know for sure that the totals produced by the machines at the end of the election correspond to the votes that were cast by the voters.
That is not true. Using cryptographic proofs, a software-only system can provide a rock-solid proof that it captured the voter’s intent correctly and tallied all of the votes correctly. The remains true even if the software was written by your worst enemy: no one can cheat the proof system.
So what’s going on? I doubt that Profs. Rubin and Felten don’t know about these open-audit systems. I really don’t think they have a vested interest in paper-based systems prevailing. No, they’re obviously trying to do what’s right. My guess is that, in their mind, what’s right is to get a better voting system deployed as quickly as possible, and anything that gets in the way of that hurts us. They probably worry that “the perfect will be the enemy of the good enough.”
Well, that may be. Life is full of such cases. But I’m not sure anyone should be withholding a potential solution for fear that it will confuse non-experts. It seems important to me to let the people decide. Maybe open-audit techniques can’t be made usable enough. Maybe people will reject them because they’re too complex. Maybe. But let’s not pre-judge that. Let’s put every solution on the table. Let’s not shut down options by writing blunt laws that prescribe VVPAT only. If, as a nation, we choose a solution without open-audit, let’s do so because we actively reject other solutions, not because we simply don’t know other options even exist. Let’s make this decision fully informed.
(Though the specific opinion here is mine, I have to thank Andy Neff for many long discussions which helped me form my vision of the role of an academic.)