Trustworthy Elections without Paper Ballots

1
Trustworthy Elections without Paper Ballots

• Why vote receipts deserve consideration

C. Andrew Neff, Ph.D.Chief ScientistVoteHere,
Inc.
May 26, 2004
2
How does this relate to technology?

• The election community is in a bind
• It wants to use machines to improve things as
  the finance industry has
• But there is a widespread feeling that machines
  cannot be trusted for elections
• or at best, can only be trusted when used in
  ways that severely restrict their capabilities
  and functions

I am not here to say that machines are inherently
safe for our elections, nor that any machine can
be sufficiently secured for our elections.
I am here to say that a great deal of machine
power can be used safely in our elections.
In fact, our elections can be made safer with
machines than they have been without them.
3
Are machines the problem, or what we expect from
them?

• Systems are just a means to an end. What
  matters is that there be trust in election
  results.
• -- Ron Rivest (paraphrased), NIST 12/2003

The Goal Accept that machines (as well as
humans) have vulnerabilities and uncertainties,
and instead of attempting to prevent them, enable
a way to openly audit the accuracy of the final
count so that fraud and errors are always
detected. Lets enable confidence in the
results, rather than demand trust in specific
system components.
4
What mechanisms enable confidence in results?

• Option 1 Use familiar, psychologically
  comfortable methods and devices (such as paper
  ballots)
• Science cannot help Like trying to argue
  evolution with a creationist
• Option 2 Take someone elses word Results are
  announced by NBC
• Again, science cannot help
• Option 3 Verify results through first hand
  observations of events data
• Science can and should help, but this requires
  transparency of data and events

5
How to bake a ham

• Jack Why do you cut the ends off the ham?

Jill It cooks better that way.
Jack Cooks better how? Faster? Tastier?
Jill Thats how my mother always did it.
6
How to bake a ham round 2

• Jack Why do you cut the ends off the ham?

Mother-In-Law It cooks better that way.
Jack Cooks better how? Faster? Tastier?
Mother-In-Law Thats how my mother always did
it.
7
How to bake a ham round 3

• Jack Why do you cut the ends off the ham?

Grandmother-In-Law I only had a very small
pan.
8
Elections ham baking have a bit in common

• For current DRE's, hand recount is
  anachronistic.
• Voter Verified Paper Ballot systems are better,
  but
• Remarkable lack of precision in specifying what
  to do with the paper
• Print a paper ballot for the voter to look at
  is far from a complete system specification
  because it only addresses voter verification at
  the poll site
• Trust/confidence properties are highly dependent
  on the specifics
• Most disappointingly, few have stopped to ask,
  Why?
• Why are we cutting the ends off the ham?
• Do we have a bigger pan now?

9
Key ingredient for trusted results

• Independent / external verification (audit)
• Need lots of people to look at the data - the
  more the better.
• All the data? Not necessarily random sampling
  can be powerful tool.
• Requires transparency
• Data from which results are reasoned must be
  first hand available to many.
• Should allow basic logic and reasoning tests by
  anyone who wants to independently check results
• Precise accountability is highly desirable.

10
We do have a bigger pan now

• We can now make digital data permanent and
  authentic
• Methods for encryption and authentication in
  widespread use
• The technology that makes e-commerce work.
• NIST Digital Signature Standard (DSS)
• So now, digital data can be indisputably audited
  around the world.
• Solves the audit-scale problem with physical
  objects, bringing us much closer to the ideal
  one room paper ballot election

11
Steps in an electronic show of hands election

• Voters cast ballots.
• Leave with permanent, authentic vote receipt
  listing vote choices.
• Permanent, authentic ballot box data is
  broadcast to the world.
• Voters compare their receipt data to ballot
  data.
• Any discrepancy voter wins Election
  compromises always detected.
• The final count (tally) can be verified by
  anyone.
• But, does not provide a secret ballot.

12
Steps in an electronic show of hands election
with secret ballots

• Voters cast ballots.
• Still leaves with permanent, authentic vote
  receipt, but receipt does not show yes or no,
  but voter-specific data (e.g. X3Z1 or 17JK)
• In privacy of voting booth, voter sees something
  that convinces
• If I see X3Z1 on my broadcast ballot, my vote
  will be counted as yes
• If I see 17JK on my broadcast ballot, my vote
  will be counted as no
• All other aspects of election verification
  (audit) are the same

13
Lottery audits are more sound than election
audits today

• Would you walk away from the lottery counter
  without a ticket?
• Trust that everything will be taken care of?
• That youll be contacted in the case you are a
  winner?
• That the ticket sellers wont claim the winnings
  as their own?
• Current paper ballot elections ask you to do
  exactly this.

14
Detection and the importance of saying fail

• USA vs. USSR man on the moon programs
• USA succeeded because failures were openly
  acknowledged
• USSR hid failures for sake of propaganda
• Florida 2000 is a perfect example of how this
  should NOT work.
• Failure hidden by legal and political maneuvering
• Flipping a coin might have been as good a method
  for resolution!

15
Conclusion

• Receipt based, secret ballot election
  methodologies have been the subject of research
  for 20 years
• D. Chaum, J. Benaloh, M. Yung, B. Schoenmakers,
  et. al.
• Openly seek review and dialog
• NIST, IEEE, EAC, GAO, peers, election officials,
  voters, activists
• Without this, cannot achieve best of breed
  solutions
• With caution, let science and innovation work
• Legislation has been a deterrent by mandating
  specific solutions rather than accuracy and audit
  requirements.

16
Conclusion

• To bake a bigger ham, you need a bigger pan.
• But
• If you have a bigger pan, use it.