Thoughts on Electronic Voting
Thursday, July 31, 2003
Recently, the leaked source code for a Diebold voting machine was analyzed by security specialists and found wanting. Rather than discuss that in depth (you can find out quite a bit by following the links given above), I want to mention some thoughts I've had about a system for electronic voting.
I think the most important thing about an electronic voting system is that it should produce an audit trail that can be verified after the election is over, without compromising the anonymity of the process. Of course, the system should also be able to ensure that each person votes exactly once. The person involved should be able to verify the audit information produced, so the important audit information should be kept human-readable.
I'm assuming that we'd like a method that can run on relatively commodity hardware, based on some sort of PC architecture. The primary purpose of this system is to allow the user to verify how he voted, reducing mistakes. A secondary purpose of the system is to improve the speed of an uncontested election, by allowing voting information to be read directly from the machine.
The process I've devised (which I doubt is all that original) begins with the priming of the booth by an election worker. It's important that this occur between voters, as we need a way to ensure that the same voter can't vote twice in a row. I'm not completely sure how this would be done. It's possible that the voting machine could be signaled over a network, but this would imply some sort of network connectivity, which isn't all that desirable. (Even though no voting data would go over the LAN.) Alternatively, a poll worker could push some sort of button connected to the machine, or the voter could be given a card that only worked once.
Once the user entered (and perhaps pushed some sort of start button), he would be prompted with a ballot. This is the part that I've thought least about, as discussing the security of the system is more interesting. The machine would somehow guide the user through the voting process, and verify that all the information required has been collected. The user could be warned if undervoting was detected.
Once the user was satisfied with his vote, he would tell the system this. It would print out a paper ballot, and ask him to confirm that it is correct. If the user does not like the printout, he is asked to correct his ballot. Otherwise, he is told to deposit the paper in some sort of ballot box, and the vote is recorded in the voting machine's storage.
The paper ballot given provides the key to the system's auditability. So, let's look at an example:
Basically, what we have here is the big ballot box, some instructions, and a bar code. The most important feature is the ballot, which is easily read by both humans and machines. The paper audit trail so provided allows for an ultimate degree of security, even if the machine somehow fails to operate properly.
Now, there are a few attacks that can occur on the system. A person could bring to the election site a fake ballot and stick it in the ballot box, or he could put all of the ballots he printed into the ballot box. These attacks are defeated by the barcode. The barcode encodes a unique random voter identifier, a ballot serial number, and the private-key signed hash of the same. (The barcode given is probably far too small for this, but it's just there for example purposes.)
If a recount proves necessary, the ballots will be scanned. Ballots whose signed hashes fail to verify will be rejected, as they could be forged. It's assumed that an attacker will not have the private key, which may never leave the voting machine. Only the public key corresponding to a given private key is needed to verify the ballots.
The voter identifiers are chosen randomly for each voter, while the serial numbers are given to printouts serially. For each voter, we take the ballot found in the ballot box with the highest serial number. This ensures that each voter can vote at most once, with the random voter identifiers making it hard to associate a ballot with a given voter.
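The recount procedure described above, written out in Python as an added example that is not part of the original post. The toy RSA key, the `|` field separator, the candidate names and the ballot tuples are assumptions constructed for illustration; as in the post, the signature covers only the voter identifier and serial number, not the printed choices.

```python
import hashlib
import secrets

# Toy RSA key from two Mersenne primes: trivially factorable, demo only.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent; stays in the booth

def digest(voter_id, serial):
    """Hash the two barcode fields to an integer below N."""
    h = hashlib.sha256(f"{voter_id}|{serial}".encode()).digest()
    return int.from_bytes(h, "big") % N

def sign(voter_id, serial):          # booth side, needs D
    return pow(digest(voter_id, serial), D, N)

def verify(voter_id, serial, sig):   # recount side, needs only (N, E)
    return pow(sig, E, N) == digest(voter_id, serial)

def recount(box):
    """Tally scanned (voter_id, serial, sig, choice) tuples."""
    latest, rejected = {}, 0
    for voter_id, serial, sig, choice in box:
        if not verify(voter_id, serial, sig):
            rejected += 1            # forged or altered barcode
        elif voter_id not in latest or serial > latest[voter_id][0]:
            latest[voter_id] = (serial, choice)  # highest serial wins
    tally = {}
    for _, choice in latest.values():
        tally[choice] = tally.get(choice, 0) + 1
    return tally, rejected

def demo():
    """Constructed ballot box: one reprint, one forgery, one altered serial."""
    a, b = secrets.token_hex(8), secrets.token_hex(8)  # random voter ids
    box = [
        (a, 1, sign(a, 1), "Smith"),   # voter A's first printout
        (a, 2, sign(a, 2), "Jones"),   # A corrected and reprinted; both deposited
        (b, 3, sign(b, 3), "Smith"),   # voter B
        ("feedfacefeedface", 4, 12345, "Smith"),  # home-made ballot
        (b, 9, sign(b, 3), "Jones"),   # genuine signature, serial edited
    ]
    return recount(box)

if __name__ == "__main__":
    print(demo())
```

Voter A's two printouts collapse to the later one, and the two ballots whose barcodes do not verify are counted as rejected rather than tallied.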
The ballot scanner would read the large boxes directly. There's no hidden vote information on the ballot that isn't disclosed to the voter himself.
The paper ballots would correspond to ballots stored in the machine itself. This would allow the machine to be checked by comparing a sample of ballots with the corresponding paper ballots, to ensure the correctness of the electronic results.
A design like this would be very robust, against both tampering and hardware or software failures. I'd be interested in writing such software (which would be open source, of course), if someone could propose a way of getting it certified and accepted for use in elections. As far as I can tell, right now, that process is greatly skewed toward commercial (closed source) development models, much to the detriment of the voter.