[With apologies to my grandmothers, some of the most insightful people I’ve known.]
When you want to build a publicly accountable secure system, must you build to the lowest common denominator? The key example is, of course, voting. It’s clear that you have to build the user interface to the lowest common denominator: given minimal direction, anyone should be able to vote. But must the audit/security process be equally “dumbed down?”
Most election activists (Bev Harris, Black Box Voting, Open Voting Consortium, etc..) clearly answer “yes.” Yes, my grandma needs to understand every security aspect of the entire voting system. I’ve even had an argument on the OVC mailing list on the meaning of the word “transparent.” Some election activists have, in a way, hijacked the word “transparency” to mean “understandable by the average person,” regardless of how much effort the average person is willing to make, or how much pre-existing knowledge the average person has. In other words, a completely documented system that requires an understanding of high school algebra would, by this definition, not be transparent, since most people don’t understand algebra.
So what happens if you can’t get true security that fits this constraint? What if the algebra really is necessary to achieve the right level of auditing and security, but you simply refuse to use it? Then you get a system that looks secure to the average person, but that has little to do with real security. This is security inspired by the Transportation Security Administration (TSA), the folks who force 5 year-olds to to take off their shoes at the airport.
Security experts often explain that the TSA security measures are pure theater. A no-fly list sounds great to the average person, but it simply doesn’t help, especially once it’s widely announced and the terrorists can easily get fake identification. Forcing everyone to pack 3oz toothpaste bottles because of “liquid explosives” sounds insightful, but top chemists in this country still don’t see how a bomb could be assembled in flight from 8oz of anything that doesn’t already alert the bomb-sniffing dogs. The TSA puts on security theater, so that the average person is reassured. Security theater has everything to do with perception, and nothing to do with reality. And that’s what you get when you’re trying to do security that the average person understands.
In the voting field, we have a similar brand of security theater: the widespread misconception that we should just hand-count ballots, because, clearly, to the average person, that sounds a lot more secure and publicly verifiable than some other complex scheme. But studies show that, because of the complexity of our ballot, unintended human tallying mistakes occur far more often than the average person’s intuition would indicate. And, to anyone familiar with quality control processes, the ballot chain-of-custody is a reliability nightmare: how does one check that no one has tampered with a ballot box full of de-identified ballots that no one can look at during the 24 crucial hours where low-wage, minimally trained election workers are entirely responsible for them?
Now, to be fair, today’s touch-screen voting machines are worse: they suffer from most of the same issues as hand-counted paper ballots, and provide less transparency: the source code isn’t even available for review!
But the important detail that many voting activists sweep under the rug is Open-Audit Voting. Open-Audit Voting is a truly revolutionary approach that provides every voter with the equivalent of a ballot “tracking number”. At a high-level, this tracking number lets the voter come home and check (online or on the phone) that their ballot made it into the final tally. At a low level, the tracking number involves some fancy and fascinating cryptography that ensures that, even if all voting machines and officials are corrupt, they cannot alter the election result.
That is the true meaning of the word “transparent:” any voter can verify their vote and the overall tally. But a number of election activists disagree: if grandma can’t understand the crypto, then the system is supposedly not transparent. It has to feel right, and this complicated crypto doesn’t feel right, whereas hand counting feels right, never mind the pesky scientific studies that prove otherwise.
Take a step back for a second. If this attitude is justified here, then how can one complain about the anti-science approach of the Bush administration? After all, winter this year was awfully cold, I’m not so sure this global warming broohaha feels correct. Don’t show me charts, and graphs, and trends, and standard deviations: grandma thought this year was the coldest winter she’d felt in years!
So the key question is this: how do you build a transparent, publicly accountable system when the science required to understand it is more than the average person knows? That’s an interesting debate! Here’s what I (and many others before me) propose, as a definition of transparency:
A system is transparent if, given a reasonable amount of time and effort, a person with a college education can understand it. Then, those without the education, time, or willingness to understand it can consult with someone they trust who does understand it.
In other words, a system is transparent if all you need is knowledge. If you need privilege, e.g. being an employee of the vendor, then it’s not transparent. If all you need is knowledge and not privilege, then anyone can find someone they trust who’s had the time to look at the system and declare it secure.
I don’t expect everyone to understand the depth of Open-Audit Voting. But I do think that many of the election activists, if only they were willing to spend the time and effort, could understand it, could realize its amazing benefits, and then could give their thumbs up to their organizations saying “we trust this system.” It’s just a question of whether they want to go beyond their gut feeling and look at the science. The alternative is security theater.