Thursday, June 17, 2004

"A Better Ballot Box" by Rebecca Mercuri, a highly respected electronic voting expert from Bryn Mawr College, explains very clearly the problems with electronic voting. She concludes:

"An observer of voting technology once remarked: 'If you think technology can solve our voting problems, then you don't understand the problems and you don't understand the technology.' Computerization alone cannot improve elections. Those designing and those buying election systems must be aware of their inherent limitations, mindful of the sometimes conflicting needs for privacy, auditability, and security in the election process, and willing to seek out-of-the-(ballot)-box solutions."

Incidentally, Rebecca Mercuri was proposing voter-verified paper trails for electronic voting machines over ten years ago.

Rebecca was one of a select group of delegates invited to take part in Harvard University's Kennedy School of Government and National Science Foundation "Voting, Vote Capture, and Vote Counting" Digital Voting Symposium a couple of weeks ago.

Ron Rivest of RSA public key encryption fame was another in attendance and someone who sees the difficulties with electronic voting as a challenge which can be overcome with sufficient thought and effort.

"We see that innovations in voting systems are continuing, and will continue. We need to manage well this process of continual improvement. I believe that security in voting systems can be substantially improved. While some current DRE [direct recording electronic] systems definitely seem a step backwards in terms of security, it does appear probable that we can eventually have highly secure electronic voting systems, with a reduced or eliminated need to trust the voting machine equipment and software. We will be developing assurance and certification for the election results, rather than for the voting machines. While paper may not go away, we may be able to eventually have secure electronic ballots, rather than paper ballots."

The organisers of the symposium have drawn up a set of best practices that they believe fairly summarise the overall conclusions of the event. I hope they won't mind me reprinting these in full here. They deserve the widest possible circulation.

Certain immediate steps must be taken.

Election Assistance Commission and National Institute of Standards and Technology open standards must be developed and implemented.

The process is even more important than the underlying technology.

The educational process for given technologies must follow a "chain of trust" where the election workers trust their trainers and are trusted by the public.
Poll workers should be well chosen from a motivated pool with incentives, and monetary incentives have proven to work. Poll workers are more important than the technology.
Poll workers should be well trained to fully understand the technology and how to handle contingencies.
Poll workers should not have to rely solely on the vendors to address observed errors.
Speed and accuracy in the process are both achievable, but not simultaneously possible. The public should be educated about the distinction between the speed that allows immediate returns, and the accuracy required in the official tally.
There should be adequate time for determining the official tally.
There should be provisional voting mechanisms, and adequate time to evaluate provisional votes for the final tally.

A hybrid of paper and electronic systems provides the most effective voting system.

Electronic interfaces can meet the widest range of accessibility needs.
Electronic interfaces enable customized ballots by zip code, party, or disability.
Voter examination of a paper ballot allows the greatest degree of confidence that the ballot was cast as intended.
A paper ballot, when handled properly, allows a robust audit trail for a recount to ensure that the ballot was counted as cast.
Hybrid systems can be designed to accommodate provisional arrangements and contingencies for equipment failure. There are many possible implementations.

Good voting systems require good design standards.

There is no single voting interface that can meet everyone's needs.
An untrained voter should be able to know when voting equipment fails.
Access is critical: not to a specific, single technology, but to the ability to vote in a fashion that provides full civil rights.
Rigorous testing is needed for all voting system components to ensure security, reliability and usability.
Even with full auditing of each vote, testing for usability and reliability remains critical.

Openness of a voting process is critical for the perception of legitimacy of that process.

All security issues should be fully disclosed, although allowing vendors a limited, fixed time between notification and public disclosure could foster more public trust.
If underlying mechanics or software are not in the public domain, they must at least be available for inspection by the larger security research community.
The voting technology acquisition process should be open for public scrutiny from constituents.
The voting technology acquisition process should be open to allow jurisdictions to learn from each other; to be specific, records of difficulties should be made available to all election officials.

Election systems must have built-in auditing capabilities.

The reconciliation procedure must be clear, precise, authoritative, and binding.
The cast ballot must follow a "Chain of Custody" from the moment it is cast to the moment the vote is entered into the final official tally. This chain must be subject to audit and oversight at each step regardless of technology.
If some metric of voting irregularity is exceeded in a given jurisdiction, a court-supervised manual recount should be required.
Auditing should not be implemented by a vendor affiliated with the original system.

The general approach to building and implementing elections processes must be carefully targeted.

Policymakers should first focus on the overall election process before selecting a specific technology. However, process details must then be tailored to meet the requirements of each specific technology. Technology neutral policies are inadequate in elections.
Policy makers must specify desirable priorities before designing an election system and its technologies. They must identify the problems they wish to solve and how each proposed solution will solve them.
There is an inevitable trade-off between authentication of voters and access. Requiring greater proof of the right to vote will prevent some from voting; removing any requirement for proof will allow those without the right to vote to cast a ballot.
Elections and the surrounding systems should be explicitly designed to handle crises. Policy makers and elections officials should assume in every case that there will be a contested recount and plan accordingly.
Given that no voting system can ever be perfect it is crucial to incorporate technologically appropriate risk management tools into the design and evaluation of voting systems and implementation strategies.







