Hi,
The organizers of the UOCAVA workshop are interested in various aspects of
remote voting systems, architecture being one of them. Here are some
thoughts on how we might approach a UOCAVA position paper that
recommends an architecture for remote systems:
- For background purposes, we could delineate the risks of
paper-based absentee balloting, including the issues of ballot
stealing, unlawful ballot modification, ballot destruction, and voter
bribery or coercion.
- We could then continue setting the problem context by summarizing
the risks of various kinds of precinct-based, electronic voting
systems. We could then discuss how making electronic voting operate
remotely generally exacerbates these risks.
- We could then split the problem space of remote electronic voting
systems into two main categories. One category is characterized by the
election authority owning all system hardware and software, the other
is characterized by some system hardware or software not under the
direct control of the election authority (...vote with your iPhone).
- Of these two categories, I submit that it is easier to solve the
security, integrity, and reliability problems of remote voting systems
that are completely under the control of the election authority. More
important, that category is of special interest to the conference
sponsors: the military and other federal entities can provide
reasonably secure environments where tamper-resistant, distributed
voting systems can operate.
- We could suggest affordable, standardized technologies, such as
the Trusted Computing Platform and EML, as ways to provide
tamper-resistant software platforms that could be distributed around
the world before elections. All communication between the remote and
centralized components of the voting system would take place after the
hardware, firmware, and software stacks of these components have been
mutually authenticated and attested. This, for example, would allow us
to assure with a high degree of confidence that the DREs or optical
scanners on a navy vessel have not been hacked.
- We could also propose that all transmitted data are
electronically signed and encrypted using a Certificate Authority under
the control of the election authority and using data formats defined by
EML.
- We can suggest delivering by physical or electronic means a
passcode or token to each voter that authorizes that voter to vote
once. In the case of federal employees, secure passcode distribution
should be easy enough to manage. Voters would use their passcodes when
casting their ballots.
- Finally, we could assess how the risks in the proposed
architecture compare to those of paper-based absentee balloting and
precinct-based electronic voting. We could explore the question of how
much risk is acceptable, especially in light of the risks that we
accept routinely in today's paper-based and electronic voting systems.
Regards,
Rich
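The gating logic sketched in the email (remote component admitted only after its hardware/firmware/software stack attests as known-good; ballots signed; each voter passcode valid exactly once) as an added simulation, not code from Rich's message or any real voting system. It assumes a shared election-authority key and uses HMAC in place of TPM quotes and CA-issued signatures; component names and digests are constructed.

```python
import hashlib
import hmac
import json
import secrets

# Constructed: known-good measurements of the stack the election authority
# distributed before the election (hypothetical components and digests).
TRUSTED_STACK = {
    "firmware": hashlib.sha256(b"firmware-v1").hexdigest(),
    "os": hashlib.sha256(b"os-image-v1").hexdigest(),
    "app": hashlib.sha256(b"voting-app-v1").hexdigest(),
}

def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def make_report(measurements, key):
    # Remote side: attestation report over its measured stack (stand-in for a TPM quote).
    body = json.dumps(measurements, sort_keys=True).encode()
    return {"measurements": measurements, "mac": _mac(key, body)}

def make_ballot(payload, key):
    # Remote side: ballot with integrity tag (stand-in for a CA-backed signature).
    return {"payload": payload, "mac": _mac(key, payload.encode())}

def attested(report, key):
    # Central side: reject if the report is forged or any measurement drifted.
    body = json.dumps(report["measurements"], sort_keys=True).encode()
    if not hmac.compare_digest(_mac(key, body), report["mac"]):
        return False
    return report["measurements"] == TRUSTED_STACK

class Tabulator:
    """Central component: accepts one signed ballot per issued passcode."""
    def __init__(self, key):
        self.key = key
        self.unused_tokens = set()   # passcodes issued but not yet spent
        self.ballots = []

    def issue_token(self):
        tok = secrets.token_hex(16)  # delivered to the voter out of band
        self.unused_tokens.add(tok)
        return tok

    def submit(self, report, token, ballot):
        if not attested(report, self.key):
            return "rejected: attestation failed"
        if token not in self.unused_tokens:
            return "rejected: token unknown or already used"
        if not hmac.compare_digest(_mac(self.key, ballot["payload"].encode()), ballot["mac"]):
            return "rejected: bad signature"
        self.unused_tokens.discard(token)  # single use, so a replay is refused
        self.ballots.append(ballot["payload"])
        return "accepted"
```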