I'm at LISA and just listened to this one:
The State of Electronic Voting, 2008
David Wagner, University of California, Berkeley
As electronic voting has seen a surge in growth in the U.S. in recent years, controversy has swirled. Are these systems trustworthy? Can we rely upon them to count our votes? In this talk, I will discuss what is known and what isn't. I will survey some of the most important developments and analyses of voting systems, including the groundbreaking top-to-bottom review commissioned by California Secretary of State Debra Bowen last year. I will take stock of where we stand today, the outlook for the future, and the role that technologists can play in improving elections.
The one-line summary seems to be that voting machines are in a mess, and while there are brave efforts (California's review cited), there are no easy answers. It's a mess. This accords with my own prejudices: it looks like it should be a mess, by architectural requirements. My advice is to keep away, but today I didn't follow that advice, and have a suggestion!
One thing that is frequently suggested is that if the Internet community can build an Internet, surely we should be able to build a secure voting system. We can do big secure systems on the net, right? The counterexamples are IPsec, DNSSEC and S/MIME: surely we should have been able to get a secure system into widespread use, but we seem to have failed at every turn.
One reason why these things didn't work out is that the IETF committees who put them together got bogged down in details, as different stakeholders fought over different areas. The result is that familiar camel: a secure but unusable architecture. Committees are at their best when they are retro-standardising an already successful design, such as SSL, because then they cannot wander off into their own pet areas; they are forced to focus on the existing, proven design.
Another suggestion is to use NIST or the NSA (same thing in this context) to design the system for us. But this only works when we don't really care so much about the results. With encryption algorithms, for example, we the public get very suspicious about funny S-boxes and the like, and skepticism dogged the famous DES algorithm (whose S-boxes were designed with NSA input) as well as Skipjack and the Clipper cryptophones. For hash designs we are less fussed, because in application space much less can go wrong if there is a secret way of futzing the hash.
Now, in the late 1990s, NIST took these issues seriously and took a novel path. They created a design competition for a new encryption algorithm, asking anyone and everyone to propose. Any team around the world could submit an algorithm, and the final winner, Rijndael by Joan Daemen and Vincent Rijmen, came from Belgium. As well, all the teams were encouraged to review the others' designs and knock themselves out with criticisms. (By way of disclosure, Raif in my old Cryptix group created the Java framework for the AES proposals. It was that open that they took in help from crazy net hackers like ourselves.)
This worked! People mutter about AES as being a bit odd, but everyone admires the open design process, the use of the free and open scrutiny, and the way that the worldwide cryptography community rose to the challenge.
Why can't we do that with voting machines? All the elements seem to rhyme: stakeholders who will bog it down, conspiracy theories in abundance, desperate need of the people to see a secure outcome, and lots and lots of students and academics who love a big design challenge. NIST seems to be the ring-in to manage the process, and the result could be a standard design, which avoids the tricky issue of "mandating use".
Just a thought! I don't know whether this will work or not, but I can't see why not?

Posted by iang at November 14, 2008 02:42 PM