Convened by the American Association for the
Advancement of Science
Voting systems should be considered national security targets. As such, they
should be designed to withstand attacks from well-funded adversaries who may
be interested in changing the outcomes of elections, or simply in disrupting
them. The systems should also be as resistant as possible to accidental
failures caused by bugs in software, power outages, or other unexpected
circumstances. Much of the worry about electronic voting systems could be eliminated
if the systems were built so that the outcome of an election does not depend on the
correctness or trustworthiness of any software component. Simply put, the less
software the outcome depends on, the easier it is to gain assurance about it.
Obviously, there is no practical way to run elections without any software.
Thus, the components that are software based should be identified, and provisions
should be made to independently audit those pieces. For example, if an optical
scanner is used to count paper ballots, the scanner should not be trusted
to produce the correct tally; instead, it should be audited by manually
counting the paper ballots from some percentage of precincts and comparing those
hand counts to the electronic tally. Alternatively, a scanner from a different
vendor, developed completely independently, could be used to recount the same
ballots for the audit. Ideally, both audit mechanisms should be used.
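The sampled audit described above, as an added example that is not part of the original statement or of ACCURATE's work: a Python simulation that checks a scanner's precinct tallies against an independent recount, either a hand count of the paper or a second vendor's scanner, and escalates to a full recount on any disagreement. The precinct names, the tallies, the audit fraction, the seed and the escalation rule are all constructed assumptions. One caveat the text implies but does not spell out is built in: the sample is drawn from a seed fixed publicly only after the electronic tallies have been published, so nothing in the scanner's software can know in advance which precincts will be checked.

```python
"""Sample-based audit of optical-scan tallies (added example, not from the page)."""
import math
import random

# Constructed, hypothetical data. PAPER_BALLOTS is what a full hand count of each
# precinct's paper ballots would yield; SCANNER_TALLY is what the primary vendor's
# optical scanner reported. Precinct P04's scanner tally is deliberately wrong
# (the two candidates' counts are swapped) so the audit has something to catch.
PAPER_BALLOTS = {
    "P01": {"A": 412, "B": 388},
    "P02": {"A": 275, "B": 301},
    "P03": {"A": 530, "B": 498},
    "P04": {"A": 344, "B": 356},
    "P05": {"A": 610, "B": 577},
    "P06": {"A": 189, "B": 204},
}
SCANNER_TALLY = {p: dict(v) for p, v in PAPER_BALLOTS.items()}
SCANNER_TALLY["P04"] = {"A": 356, "B": 344}


def select_sample(precincts, fraction, seed):
    """Choose which precincts to audit.

    `seed` must be produced publicly (for example, dice rolled at an open
    meeting) only after the electronic tallies are published and frozen, so the
    scanner, its software and its vendor cannot know which precincts will be
    checked. Anyone holding the seed can reproduce exactly the same sample.
    """
    rng = random.Random(seed)
    n = max(1, math.ceil(len(precincts) * fraction))
    return sorted(rng.sample(sorted(precincts), n))


def hand_count(precinct):
    """Manual count of the paper ballots; simulated here from PAPER_BALLOTS."""
    return dict(PAPER_BALLOTS[precinct])


def independent_scanner(precinct):
    """A second, independently developed scanner reading the same paper.
    Simulated as agreeing with the paper; a bug shared by both scanners is the
    failure mode that only the manual count would expose."""
    return dict(PAPER_BALLOTS[precinct])


def audit(sample, electronic, recount):
    """Compare the electronic tally of each sampled precinct with an independent
    recount. Returns {precinct: (electronic, recount)} for every disagreement."""
    discrepancies = {}
    for p in sample:
        recounted = recount(p)
        if recounted != electronic[p]:
            discrepancies[p] = (electronic[p], recounted)
    return discrepancies


def totals(tally):
    """Sum per-precinct counts into a contest-wide total."""
    out = {}
    for counts in tally.values():
        for candidate, n in counts.items():
            out[candidate] = out.get(candidate, 0) + n
    return out


def certify(electronic, fraction, seed, recount=hand_count):
    """Run the sampled audit. Any discrepancy escalates to a recount of every
    precinct by the independent method, which then becomes the tally of record;
    the scanner's output is never the final word on its own."""
    sample = select_sample(list(electronic), fraction, seed)
    found = audit(sample, electronic, recount)
    if not found:
        return {"status": "electronic tally confirmed", "sample": sample,
                "discrepancies": {}, "tally": electronic}
    full = {p: recount(p) for p in electronic}
    return {"status": "escalated to full recount", "sample": sample,
            "discrepancies": found, "tally": full}


if __name__ == "__main__":
    result = certify(SCANNER_TALLY, fraction=0.5, seed=20240101)
    print(result["status"], result["sample"], totals(result["tally"]))
```

Passing `recount=independent_scanner` to `certify` runs the second-vendor variant of the audit; running both, as the statement recommends, is two calls with the same seed. The escalation rule here is deliberately the strictest possible (any discrepancy at all); a real procedure would set a tolerance and a sample size tied to the reported margin, and the constructed tally above is small enough that a 50% sample can miss P04 for some seeds, which is exactly why the sampling fraction is not a detail to leave to the scanner's vendor.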
Components of the system that cannot be subjected to independent (preferably
manual) audit should be rejected. There is enough room in the design space of
voting systems to produce only auditable mechanisms.
Here are some specific computer science research projects that I recommend.
Some of these are already being undertaken within ACCURATE, our NSF center,
and others I think are worthwhile:
- How to minimize the trusted software code base in a voting system
- Pre-rendering all screens in a voting machine
- Designing write-only logging schemes, preferably with hardware enforcement
- Human factors and ballot design focus groups
- Utilizing software virtualization to provide forensics capabilities
- Cryptographic key management for voting systems
- Data structures to support e-voting
- Designing voting systems for verification
Obviously, there are many aspects of voting systems that are important besides
security, such as accessibility, usability, availability, transparency, and
many others. I believe that all of these can be achieved without compromising
security.