Electronic Voting is Hard to Certify
Position Statement for the
Workshop on Software Certification and Dependability
Computer Science and Telecommunications Board of the National Academies
March 1, 2004
Secure voting is extremely difficult, whether done using manual, mechanical or electronic means. While the algorithms involved are trivial, nothing more than a sum, for each candidate or ballot position, of the number of votes, the distributed nature of the computation and the number of participants pose immense problems. Elections involve an appreciable fraction of the entire national population as participants, and the history of election fraud includes examples that were perpetrated by every class of participant, from voter to polling place election judge to election administrator to voting system maintenance technician.
All of today's voting systems are software based, with the exception of hand-counted paper ballots and mechanical lever voting systems. The correctness of this software is central to the trustworthiness of our election results, and because the current system of software certification is seriously flawed, the move to computerized election technology has simply replaced known evils with poorly understood systems instead of addressing the underlying problems. This is essentially the same thing we did a century ago when most of the nation began its move from paper ballots to mechanical lever voting systems.
The current practice in certifying voting software involves submitting it, under nondisclosure agreement, to a Federally accredited independent testing authority who issues a certificate of compliance with the current voting system standards. Most states make only limited efforts to go beyond this. Several of us have questioned this certification process for years, and in the last year, a series of independent reports on the security problems of one vendor's system have destroyed all credibility of the current system.
The central problem with voting system certification is that no individual or small group of individuals can be trusted. The potential gains from a corrupt election are immense and have driven many individuals and corrupt organizations to undertake great efforts to gain control over the machinery of elections. Therefore, a credible system of software certification for voting systems must rely on open disclosure of all software that can possibly have an impact on the outcome of the election.
Open disclosure does not guarantee that there are not hidden features in the code. By analogy, our legal system offers full disclosure of the text of all laws, yet our code of law includes many provisions that nobody understands until long after they are enacted. Therefore, in addition to disclosure, we need a full array of other measures, including rigorous testing, thorough and routine auditing of elections, and software designs that support testing and auditing. To support the latter, we need tools, at the operating system and programming language level, that erect demonstrably secure firewalls between software components, so that all communication between components is out in the open and obvious.
It is important to note that the security of election software cannot be evaluated in isolation; rather, we must evaluate the software in the context of its human setting, including administrative rules and laws. In too many cases, systems that could have been modestly secure have been rendered laughably insecure by failures in this larger context.