I'd be curious to hear your ideas on how elections that depend on technology could improve their security. From collecting ballots, to transmitting tallies, to demonstrating assurance of votes cast, to redundancy and integrity checks, to maintaining confidentiality of votes. How would you create a trustworthy system that can scale from rural to metropolitan densities -- and do this economically?
And I'm talking from tabula rasa. This is a "roll your own" configuration question. Don't include any current voting technology systems, unless you happen to be familiar with a specific vendor's level of security assurance, and what they specifically do to preserve integrity.
Thanks!
You'd have to make the audit trail extremely transparent, so easy to audit that the "man off the street" can follow it while making the results open to the public.
Anything else will result in mass conspiracy theories and overt views of corruption.
- b/eads
In listening to an audiobook yesterday this quandary hit me. When using biometrics, the device doing the scan (fingerprint, facial recognition, etc.) takes the analog "image" and translates it into a digital image that can be compared against in the future. A digital image by itself (with no hashing, salting, encrypting, or other technique to make it unique or copy-proof) can be duplicated and potentially replayed at a later date. Once all of these digital images are captured, are we sure that they cannot just be duplicated? I know some fingerprint recognition software has limitations on how many unique images it can capture before it can't accurately distinguish between two different fingerprints.
With this kind of knowledge known, how can we be sure that:
1) A unique person has
   a) submitted a unique vote
   b) not allowed the vote to be tampered with
   c) not been able to cast someone else's unique vote
2) The voting place has
   a) verified that the unique person
      i) is who they claim
      ii) has not already voted in this cycle
      iii) submits a clear and readable vote
   b) taken precautions that once the unique person has voted
      i) the vote cannot be changed
      ii) the vote is accurately added to the tally
   c) ensured that nothing is altered in the final local tally
   d) delivered the final local tally to the main site for total tally without corruption
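One way to give points 2b(i), 2c and 2d above a concrete shape, as an added example that is not from any poster in this thread: a precinct appends each cast-vote record to a hash chain, seals its local tally with a MAC for transit, and the central site verifies both before adding the numbers in. The shared key, precinct name and ballot identifiers are constructed placeholders; ballot_id is an opaque sequence number, never a voter identity, so the chain adds no linkage between voter and vote.

```python
import hashlib
import hmac
import json

# Constructed demo secret. A real deployment would give each precinct its own
# signing key rather than a shared MAC key; the checks below are the same shape.
PRECINCT_KEY = b"constructed-demo-key"


def _entry_hash(ballot_id, choice, prev):
    body = json.dumps({"ballot_id": ballot_id, "choice": choice, "prev": prev}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()


def record_ballot(chain, ballot_id, choice):
    """Append a cast-vote record whose hash also covers the previous record (2b-i)."""
    prev = chain[-1]["hash"] if chain else "0" * 64
    entry = {"ballot_id": ballot_id, "choice": choice, "prev": prev}
    entry["hash"] = _entry_hash(ballot_id, choice, prev)
    chain.append(entry)
    return entry


def verify_chain(chain):
    """Recompute every link; an edited, dropped or reordered record breaks the chain."""
    prev = "0" * 64
    for e in chain:
        if e["prev"] != prev or e["hash"] != _entry_hash(e["ballot_id"], e["choice"], prev):
            return False
        prev = e["hash"]
    return True


def tally(chain):
    counts = {}
    for e in chain:
        counts[e["choice"]] = counts.get(e["choice"], 0) + 1
    return counts


def seal_tally(precinct, chain, key):
    """Local tally bound to the chain head and record count, authenticated for transit (2c, 2d)."""
    report = {"precinct": precinct, "tally": tally(chain), "head": chain[-1]["hash"], "count": len(chain)}
    report["mac"] = hmac.new(key, json.dumps(report, sort_keys=True).encode(), hashlib.sha256).hexdigest()
    return report


def verify_report(report, chain, key):
    """Central site: check the MAC, then check that the tally really follows from the chain."""
    body = {k: v for k, v in report.items() if k != "mac"}
    expected = hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(report["mac"], expected):
        return False
    return (verify_chain(chain) and chain[-1]["hash"] == report["head"]
            and len(chain) == report["count"] and tally(chain) == report["tally"])
```

Changing one recorded choice after sealing, or altering the transmitted totals, makes verify_report return False, which is the detection the list above asks for; it does not by itself prove the scanner recorded the voter's marks correctly, which is why the paper ballot stays as the audit record.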
Heck, we can't even agree on voter ID here in the US. How would making it digital help any? I once went to my local voting place and asked if my mother-in-law was registered to vote. She was, but had already told me that she wasn't going to vote. They were not asking for proof of ID, just name and address. I could have sent my wife back later with a wig on and had her vote for her mother.
Unless we did facial recognition and took a picture of everyone casting a vote and matched it up to a name, followed up with a facial recognition program to check for duplicates, then maybe we could do this securely.
Invoking an acceptable, nationwide, decentralised digital identity and trust framework, for users to accept and control what they input, is a good start.
Regards
Caute_cautim
@ericgeater wrote:I'd be curious to hear your ideas on how elections that depend on technology could improve their security. From collecting ballots, to transmitting tallies, to demonstrating assurance of votes cast, to redundancy and integrity checks, to maintaining confidentiality of votes. How would you create a trustworthy system that can scale from rural to metropolitan densities -- and do this economically?
...
I'd start by addressing in more detail each of the components of the process, as I posted in brief here in our forum and in more detail on my blog at
DHS Security Tip 19-001, Best Practices for Securing Election Systems
Craig
@ericgeater wrote:I'd be curious to hear your ideas on how elections that depend on technology could improve their security.
http://catless.ncl.ac.uk/Risks/search?query=voting
But the current evidence and a risk analysis says that preventing in person fraud is not the right target. Even with the best targeting data, it would be horribly inefficient to even attempt to engage in.
That said, I am all for paper ballots. My county uses a Scantron-type ballot, so you mark the ballot, then it goes into a scanner and is kept in paper form as well. While not quite as efficient as some of the more computer-based models, I like it for its simplicity and auditability. The item I think could be added to make it even better would be a real-time screen showing the votes you cast on the scanned-in sheet, for one last review, both for accuracy and completeness; in case you had items that were not recorded, it could eject the ballot, you could modify it, then pass it back in and accept it. A paper receipt with the recorded votes would be great, too, but that is more for voter satisfaction, as it would be impossible to collect them all back up after an election if something were to happen to the votes.
Yes, it would be nice if you could see your totals added in real time as you put the Scantron sheet in. Then you would know, at least for a moment, what the current totals were. You might be able to detect fraud: if you knew that your candidate had 100 votes when you inserted your sheet, but then later saw that your candidate finished with less than 100 votes, you could point out the discrepancy. It might "spoil" the results or trending vote pattern, but I think the whole US system should not be revealed until the next day. I fear the "East Coast bias" is real. Before the polls close on the West Coast, sometimes a projected winner is selected, causing some voters to go home without casting their votes as they feel it is useless and "wouldn't change the outcome anyways."
Well, except that then the "popular vote" can get skewed, as voters in a state that leans one way usually will keep sending those voters to the polls while the usual loser goes home and doesn't vote.
@CraginS As far as I know, the USA does not have a Digital Identity or Trusted Network for verifying the credentials of users. Happy to be told they do, or not, as the case may be, but many other nations, including Iran, India, Estonia, Singapore and others, have been far more successful. The context I come from is, as we know, the people, processes and technology perspective. Yes, you can use technology to a certain degree; for instance, we can use Machine Learning and AI to look at behavioural fraudulent activities. We should be looking at inherent bias, ethical practices and other such nuances of human beings to establish expected and unexpected outcomes, to establish baselines. We have the capability these days to detect bad behaviour. This will not, of course, stop unethical and criminal activities in terms of influencing outcomes, or party funding, external to the system.
I will review your paper later on; too busy or "QRL" at the moment.
Regards
Caute_cautim
@Caute_cautim wrote:@CraginS As far as I know, USA does not have a Digital Identity or Trusted Network for verifying the credential of users. ...
John,
The USA not only has no digital identity credential, we have no universal national identity credential at all. The only fully authenticated national identity document is the passport, but it is not required and is not held by a major portion of the population. We have a nominal national identification number, our Social Security Account Number (SSAN) or Social Security Number (SSN). However, there is almost no actual vetting when the SSN is assigned, and due to the broad use of the number there is a high level of fraudulent and duplicated numbers.
Due to a long-standing history and the heritage of USA history as a joining of separate states, the commonly and legally accepted identification credential for adults is a driver's license (or non-driver identification card) issued by the states, not the national government. In recent years states have been offering a more thoroughly vetted driver's license, called REAL ID, but still have the standard license (or ID card), also. The incentive to obtain the REAL ID version is the requirement to use it (or a passport) to board commercial airliners.
We have a strong history of states' rights and privacy concerns that result in broad resistance to the idea of establishing a national identity credential, whether paper or digital.
Another aspect is that possession of a legitimate driver's license or state ID card does not indicate eligibility to vote. That is why each state has a separate process for registering as an eligible voter, which also ties the registration to local and regional ballot access. Many non-voting residents have driver's licenses, including legal aliens, foreign diplomats, and, as of recent practice in some states, illegal aliens (before anyone complains, this is the accurate, actual language used in public law), also called by some "undocumented immigrants."
Yes, we have a complex systems mess here.
Craig