A technical analysis of the VVSG 2007
Stefan Popoveniuc, George Washington University
The PunchScan Project
A standard should
• Say WHAT needs to be done
  • Performance standard
  • High level goals
  • Encourages innovation
• Not HOW to do it
  • Design standard
  • VVPAT
  • Discourages innovation
Software Independence (SI)
• Definition: “…an undetected error or fault in the voting system’s software is not capable of causing an undetectable change in election results.” (Introduction 2.4)
• I.e. check the election, not the equipment
• High level goal – good intentions
What I will show
• The software independence definition is subject to multiple conflicting interpretations.
• IVVR does not fit any of the interpretations.
• There are real voting systems that actually do satisfy the SPIRIT of the definition.
Pitfalls of the definition
• The definition is ambiguous because it does not specify
  • WHO can check
    • Privileged people
    • Anyone
  • WHEN it can be checked
    • Any time after the tally is posted
    • When the voter is in the booth (there is no tally yet)
• The definition does not mandate audits
  • Perform an audit if something went wrong
  • Realize that something went wrong from an audit
How SI is supposed to be interpreted, according to the VVSG
• Voters can check a piece of paper
• Everyone trusts the chain of custody
• Everyone trusts manual recounts
IVVR
• is a design standard
• “it must be possible to audit voting systems to verify that ballots are being recorded correctly” (Introduction 2.4)
• In many states, at casting time, the official ballot is the electronic record
  • The voter CANNOT check the correct recording of the ballot
  • But only the correct printing of the IVVR
  • There is no ballot (electronic record) when the voter checks the IVVR
IVVR is not SI
• There is a huge gap between being able “to verify that ballots are being recorded correctly” and the fact that the tally is correct – not in the spirit of software independence.
• Simply trust the chain of custody? Not scalable
  • Custodized as recorded
  • Counted as custodized
• Simply trust the manual recounts? Not scalable
  • A count is meaningful only for the person doing the recount
The spirit of Software Independence
• Cast as intended
• Recorded as cast
• Custodized as recorded
  • The voters can check it at any time after casting.
• Counted as custodized
  • Anyone can check it at any time after election day
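To make the gap described in the two preceding slides concrete, here is a toy simulation added to this transcript (it is not part of the talk or of PunchScan). A hypothetical DRE with a constructed software fault is run under two designs: an IVVR design, where the voter checks a printout while the electronic record is what gets counted, and an SI-spirit design, where the voter checks the very record that anyone can later recount. Ballot secrecy is deliberately ignored in this model.

```python
from collections import Counter

# Constructed sample of nine voter intents (two candidates, "A" and "B").
INTENTS = ["A", "A", "A", "B", "A", "A", "B", "A", "A"]


def faulty_dre(intents):
    """Hypothetical DRE with a software fault: every third ballot cast for "A"
    is stored electronically as "B". The IVVR printout is generated from the
    voter's intent, so the paper stays correct while the counted record does not.
    Returns (electronic_records, printed_records)."""
    electronic, printed = [], []
    for i, choice in enumerate(intents):
        recorded = "B" if (choice == "A" and i % 3 == 2) else choice
        electronic.append(recorded)
        printed.append(choice)
    return electronic, printed


def tally(records):
    """Count the records; this is all an official (or anyone else) does to tally."""
    return dict(Counter(records))


def voter_check(intents, visible_records):
    """The check a voter can perform: compare intent against the record the
    system lets the voter see. True when every ballot matches."""
    return all(a == b for a, b in zip(intents, visible_records))


def compare_designs(intents):
    """Run the same faulty software under both designs.
    IVVR design: the voter sees the printout; the electronic record is counted.
    SI-spirit design (secrecy ignored here): the voter sees the record that will
    be counted, and anyone can recount it from the published records."""
    electronic, printed = faulty_dre(intents)
    return {
        "ivvr_voter_check_passes": voter_check(intents, printed),   # paper looks fine
        "official_tally_correct": tally(electronic) == tally(intents),  # but count is wrong
        "si_voter_check_passes": voter_check(intents, electronic),  # fault is caught
        "public_recount": tally(electronic),                        # anyone can reproduce
    }


if __name__ == "__main__":
    for key, value in compare_designs(INTENTS).items():
        print(f"{key}: {value}")
```

Under the IVVR design every voter's check passes even though the official tally is wrong; detecting the fault then rests entirely on the chain of custody and a manual recount of the paper. Under the SI-spirit design the same fault is visible to the affected voters, and the public recount can be compared against any posted result.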
Conclusion
• Specify a goal that is not susceptible to interpretation (needed: who can check, when it can be checked).
• Should not specify how to achieve the goal.
• IVVR is not SI (even under the weakest interpretation).
• An open problem: do not exclude VVPAT systems just because they are already implemented, but encourage any type of system that meets the spirit of the high level requirement.