In their article, “When Is an Election Verifiable?”, published in the June issue of IEEE Security & Privacy, Ronald L. Rivest and Philip B. Stark argue that verifiable elections currently require voter-verifiable paper ballots, demonstrably adequate custody of those ballots, and well-designed audits of the results based on manual inspection of those ballots. According to Rivest and Stark, paper ballots are “tamper-evident, and readable and countable by humans without relying on software.” However, due to “partisan wrangling and laws,” even in jurisdictions that have voter-verified paper ballots it can be nearly impossible to use those ballots to check the accuracy of electronically tabulated results.
As we reflect on the one-year anniversary of the 2016 U.S. Presidential Election and its aftermath: which includes, according to Rivest and Stark, “public demands to audit the results and legal battles over recounting the results in three states,” while most “U.S. voters now use systems that produce a durable, tamper-evident, voter-verifiable, auditable record, our elections aren’t much more verifiable.” As the limiting factor is, according to the authors, “by and large not technical,” as demonstrated by the statewide risk-limiting post election audit just conducted in Colorado, but rather legal and political, how can we ensure that our voting systems not only produce the correct election outcome, but also produce evidence to back up that outcome?
Spotlight spoke with Rivest and Stark for more.
TA Spotlight: You write “it must not be necessary to trust a computer in order to trust the election outcome.” How do we advocate for software independence in a society where we are taught to become increasingly dependent on software?
Ronald Rivest: We see daily reports of computers being hacked. Voting has the wonderful property that “we don’t need to go there”: into the world of being critically dependent on the software. How nice! Paper ballots work well to provide a level of assurance that is hard or impossible to match with software-based systems. Given the news, I don’t actually think advocacy for software independence is a tough sell. Most states are moving towards paper ballots in a strong way.
Philip Stark: Using software is not the problem: the problem is using software in a way that cannot be checked without trusting that software. We see technology as extremely valuable in running elections efficiently, but the results need to be validated by auditing against a durable, tamper-evident audit trail.
TA: You write that U.S. elections are unverifiable due not to technical factors, but legal and political ones. How can we best alleviate those factors? What technical factors contribute?
RR: Technical obstacles may arise due to poor choice of voting system equipment, which choices in turn might be caused by legal or political considerations. Education is the best cure.
PS: Some aspects of current voting system design make auditing harder than it has to be. For instance, many systems shuffle the CVRs and images, which makes it impossible to check how the system interpreted individual ballots. Similarly, some tabulation systems cannot report how they tally physical batches of ballots, which complicates accuracy checks. To fix the legal factors will take political will. Some state and local election officials will resist.
TA: Has technology contributed to mistrust of candidates by the public?
PS: Perhaps surprisingly, the general public and most candidates do not seem to take the security risks seriously, despite demonstrations of widespread vulnerabilities and the possibility that elections can be stolen wholesale, or be Just Plain Wrong as a result of software errors or configuration errors.
TA: Verifying voters’ eligibility and maintaining privacy are often positioned in the media as two of the most pressing issues voters face today. How may we convince the public that, while these are important to deal with, stealing of elections wholesale may be a more pressing issue to combat?
RR: When an election is stolen, everyone is disenfranchised. Voter eligibility becomes an irrelevant consideration if your votes aren’t even counted. And voter privacy is there to prevent coercion. But stealing an election is the ultimate coercion…
TA: You write “auditability without auditing is toothless.” Why are so many officials (and the public) unaware of using post-election audits or recounts? Why is best practice rarely practiced? How can we change this?
PS: We think most election officials are aware of auditing. In some states, laws make auditing illegal. In others, the audits are nearly worthless. Recount laws vary widely as well, but the work involved in a recount is far higher than a good audit would typically require, and the legal setting for recounts is adversarial while for audits it is not. Routine post-election audits could make our elections much more trustworthy. Raising awareness of the problem and of the solution to build grassroots support seems like the most promising path.
RR: I think that we are on a good path, and that more and more of the public and of election officials are becoming aware of the advantages of post-election audits. Continued publicity and education will help.
TA: How can we better educate voters on the necessity of using voter-verified paper ballots?
RR: Some demonstrations of hacked voting computers, for instance the 2017 DefCon “Voting Village” hacks, may be effective at educating folks about how disconnected what they see on the screen of a voting computer can be from how their vote is really recorded.
TA: Is there a future for secure, verifiable, Internet voting? What does this future look like?
RR: I don’t think there is a near-term future for Internet voting. At least, not for “secure, verifiable” Internet voting. We don’t yet know how to solve many of the key security problems. For example, what should one do if an entire city (full of Democratic voters) is subject to a “denial-of-service” attack? Or if malware corrupts the voting software?
TA: What is the ideal, verifiable voting system? What is the biggest challenge to making this possible?
PS: Right now, it’s optically scanned voter-marked paper ballots, with a ballot-marking device for accessibility. The system should produce a cast-vote record (CVR) for each ballot, and should be able to export the CVRs in a way that allows the CVR corresponding to each physical ballot to be uniquely identified. The system needs to be able to export its CVRs as well (see “Principles for New Voting Systems”). End-to-end cryptographically verifiable (E2E-V) voting systems are in development. Those provide a different set of assurances: an individual can verify whether his or her vote was recorded correctly, and whether the recorded votes were tallied correctly. The STAR-Vote system developed by Travis Count, TX (Austin) combines CVR paper auditing with E2E-V, but that project was recently abandoned—in part for financial reasons. It was a very ambitious project for a single jurisdiction to undertake.
RR: Adequate funding for the building of new systems is one of the key challenges.
TA: How can the IEEE contribute to knowledge about the importance of verifiable elections and creating less vulnerable voting systems and regulations?
RR: As noted above, education is key, and the IEEE can contribute by continuing to publish high-quality articles about voting system security.