OASIS Mailing List Archives

election-services message



Subject: RE: [election-services] NIST Workshop on UOCAVA Remote Voting Systems


Hi,

The organizers of the UOCAVA workshop are interested in various aspects of remote voting systems, architecture being one of them.  Here are some thoughts on how we might approach a UOCAVA position paper that recommends an architecture for remote systems:

  1. For background purposes, we could delineate the risks of paper-based absentee balloting, including the issues of ballot stealing, unlawful ballot modification, ballot destruction, and voter bribery or coercion.
  2. We could then continue setting the problem context by summarizing the risks of various kinds of precinct-based, electronic voting systems.  We could then discuss how making electronic voting operate remotely generally exacerbates these risks. 
  3. We could then split the problem space of remote electronic voting systems into two main categories.  One category is characterized by the election authority owning all system hardware and software, the other is characterized by some system hardware or software not under the direct control of the election authority (...vote with your iPhone).
  4. Of these two categories, I submit that it is easier to solve the security, integrity, and reliability problems of remote voting systems that are completely under the control of the election authority.  More important, that category is of special interest to the conference sponsors:  the military and other federal entities can provide reasonably secure environments where tamper-resistant, distributed voting systems can operate.
  5. We could suggest affordable, standardized technologies, such as the Trusted Computing Platform and EML, as ways to provide tamper-resistant software platforms that could be distributed around the world before elections.  All communication between the remote and centralized components of the voting system would take place after the hardware, firmware, and software stacks of these components have been mutually authenticated and attested.  This, for example, would allow us to assure with a high degree of confidence that the DREs or optical scanners on a navy vessel have not been hacked.
  6. We could also propose that all transmitted data are electronically signed and encrypted using a Certificate Authority under the control of the election authority and using data formats defined by EML.
  7. We can suggest delivering by physical or electronic means a passcode or token to each voter that authorizes that voter to vote once.  In the case of federal employees, secure passcode distribution should be easy enough to manage.  Voters would use their passcodes when casting their ballots.
  8. Finally, we could assess how the risks in the proposed architecture compare to those of paper-based absentee balloting and precinct-based electronic voting.  We could explore the question of how much risk is acceptable, especially in light of the risks that we accept routinely in today's paper-based and electronic voting systems.  

Regards,
Rich
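The following is an added illustration and is not part of Rich's message or of any OASIS or EML specification. It models items 5 through 7 of the outline above as a small self-contained Python program: a remote terminal is accepted only if the measurements of its firmware, OS and application images match golden values (the attestation gate), each voter holds a passcode that authorizes exactly one ballot, and the accepted ballot record is signed. Everything concrete here is an assumption for illustration: the component names, the constructed "image" byte strings, and the use of an HMAC-SHA256 key held by the election authority in place of CA-issued certificates and TPM-backed attestation quotes. Ballot secrecy (unlinking the voter from the ballot) is deliberately out of scope.

```python
"""Added illustration, not code from the original message.  All names, images
and the HMAC-in-place-of-CA simplification are assumptions for this example."""
import hashlib
import hmac
import secrets

# Constructed known-good images for the remote terminal's stack (assumption).
KNOWN_GOOD_IMAGES = {
    "firmware": b"navy-vessel-scanner-firmware-v1",
    "os": b"hardened-os-image-v1",
    "voting-app": b"eml-voting-app-v1",
}


def measure(images):
    """Return a measurement (SHA-256 digest) for every component in the stack."""
    return {name: hashlib.sha256(blob).hexdigest() for name, blob in images.items()}


EXPECTED_MEASUREMENTS = measure(KNOWN_GOOD_IMAGES)


def attest(reported):
    """Accept a remote component only if every layer it reports matches the
    golden measurement and no layer is missing or extra.  Constant-time
    comparison avoids revealing which digest mismatched."""
    if set(reported) != set(EXPECTED_MEASUREMENTS):
        return False
    return all(hmac.compare_digest(reported[k], EXPECTED_MEASUREMENTS[k])
               for k in EXPECTED_MEASUREMENTS)


class ElectionAuthority:
    """Issues one-time voter passcodes and accepts ballots only over an attested
    channel.  The HMAC key stands in for the CA-backed signing key of item 6."""

    def __init__(self):
        self._key = secrets.token_bytes(32)
        self._issued = {}   # voter_id -> [nonce, used flag]
        self.ledger = []    # signed ballot records

    def _mac(self, *parts):
        return hmac.new(self._key, b"|".join(parts), hashlib.sha256).hexdigest()

    def issue_passcode(self, voter_id):
        """Create a passcode bound to one voter; it authorizes exactly one ballot."""
        nonce = secrets.token_hex(8)
        self._issued[voter_id] = [nonce, False]
        return f"{voter_id}:{nonce}:{self._mac(voter_id.encode(), nonce.encode())}"

    def cast_ballot(self, passcode, ballot, reported_measurements):
        """Return (accepted, reason).  Check order mirrors the outline:
        attestation first, then the one-time passcode, then a signed record."""
        if not attest(reported_measurements):
            return False, "attestation failed"
        try:
            voter_id, nonce, tag = passcode.split(":")
        except ValueError:
            return False, "malformed passcode"
        entry = self._issued.get(voter_id)
        if entry is None or entry[0] != nonce:
            return False, "unknown passcode"
        if not hmac.compare_digest(tag, self._mac(voter_id.encode(), nonce.encode())):
            return False, "bad passcode tag"
        if entry[1]:
            return False, "passcode already used"
        entry[1] = True
        # The signature covers ballot and nonce, so a record cannot be replayed
        # under a different passcode.
        self.ledger.append({"ballot": ballot, "nonce": nonce,
                            "sig": self._mac(ballot.encode(), nonce.encode())})
        return True, "accepted"

    def verify_record(self, record):
        """Re-check a ledger entry's signature (the central tally side)."""
        expected = self._mac(record["ballot"].encode(), record["nonce"].encode())
        return hmac.compare_digest(record["sig"], expected)


def demo():
    """Walk the scenario: tampered firmware, a good vote, a replay, a forgery."""
    ea = ElectionAuthority()
    code = ea.issue_passcode("sailor-042")
    good = measure(KNOWN_GOOD_IMAGES)
    tampered = dict(good, firmware=hashlib.sha256(b"backdoored-firmware").hexdigest())
    outcomes = [
        ea.cast_ballot(code, "candidate-A", tampered)[1],          # blocked at the gate
        ea.cast_ballot(code, "candidate-A", good)[1],              # accepted once
        ea.cast_ballot(code, "candidate-B", good)[1],              # replay rejected
        ea.cast_ballot("sailor-042:deadbeef:0000", "candidate-A", good)[1],  # forged
    ]
    return outcomes, all(ea.verify_record(r) for r in ea.ledger), len(ea.ledger)


if __name__ == "__main__":
    print(demo())
```

The point of the ordering in cast_ballot is that a compromised terminal never gets to exercise the passcode path at all: if the reported stack does not match the golden measurements, the authority refuses before looking at any voter credential. The passcode is bound to a voter and a random nonce, is marked used on first redemption, and the tag check is constant-time, so a captured passcode cannot be replayed and a guessed one fails without distinguishing which part was wrong.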

