CFP'93 - Open Voting Systems
by Irwin Mann
New York University
It is the security of the electoral outcome which may become most at hazard. In the absence of the installation of prudent precautions, the machine and the process shall likely be more vulnerable to large inadvertent errors, and much more ominously, to electoral fraud. The essential reason for this is that, with the technological sophistication, the internal operation of the machine will be less apparent and therefore less apprehensible by the wider public. It will be a premise of this paper that the public itself is an - indeed the - essential watchdog of electoral integrity.
Those forms of discrepancies, error and fraud, except in many transparent cases, can be almost invisible if the software within the machine is hidden or uninterpretable. We must determine how the governance of the operation of the machine can be made accountable to the public, and provide for the integrity of our electoral process.
In order to establish a context for the discussion, it would be useful to distinguish among lesser and greater threats to that integrity. These different levels of threat can be characterized by their relative visibility, their effect on the election if unchecked, and the nature of the precautions which are required to thwart them. For instance, there is a difference in kind between the prospect of someone voting more than their allotted once, and a clandestine software "trapdoor" or patch which can be used to transform votes in unknown ways. Though the law has been violated in both cases, the act of voting twice is much more detectable in a greater variety of ways, and is likely to have far less effect. Though all threats, large and small, should be addressed, it is the larger which requires the higher priority.
It is often proposed that the guardians of software fidelity will be its vendors together with the administrators of the election (public, private, or both). But this degree of trust in such matters surely cannot be, for the future, always warranted. The safeguards must also include the practiced scrutiny of the public. It is fair to say - though perhaps shocking to realize - that a government itself is by far the greatest threat to insufficiently regulated fair elections. It is upon that premise, among others, that the proposal of this paper rests.
For this and similar reasons, there cannot be a relatively small group of persons who exclusively have access to, and control over, the inner workings of an election process. In order to ensure that such an insulated group cannot occur, we conceive of a condition under which this insulation is virtually impossible. We provide a paradigm whereby the voters have relevant access to the accountability of the voting process. We refer to such a system as an "open voting system".
Such a system is defined as one where:
- every element of every component, both hardware and software, is in the public domain,
- there are built-in capabilities for independent monitoring of software, and
- there are institutionalized protocols for public monitoring of all components and the electoral process, sufficient to find any hypothetical discrepancy from the intended design, if it should happen to exist.
This open protocol, in conjunction with the standard protocols of a rigorous auditing trail, and sufficient redundancy (including the existence of hard copies of ballots) is essential for full accountability of the system. It will enable the public to serve as watchdog in ways foreseen, and ways perhaps not yet foreseen. The accountability is accomplished by means of the possibility - not necessarily taken up in many cases - of public monitoring of any or all of the components of the system. The propriety of this monitoring must be regularized. The mechanisms for it, as they evolve, must be put in place. It may occur at times both before and after an election, according to the discretion of the watchdog itself.
In order to facilitate such potential monitoring, all software programs must be written in a high-level language, and well-annotated, so that they may be understood, replicated, and compared. The compilers used shall be from a standard repertory. These specifications exist so that there are measures whereby unauthorized patches on hardware or software may quite likely be detected.
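The comparison step described above can be sketched as follows. This is an added example, not part of the original paper: it assumes that several independent monitors rebuild each component from the public source with a standard compiler, that identical source yields byte-identical output, and that SHA-256 is the digest used. All component names, monitor names and byte strings are constructed for illustration.

```python
import hashlib
from collections import Counter

# Constructed sample data: byte strings stand in for compiled components.
SRC_TALLY = b"tally v1: count each ballot once\n"
SRC_UI = b"ballot display v1\n"
MONITOR_BUILDS = {  # independent rebuilds from the public source (hypothetical monitors)
    "monitor_a": {"tally.bin": SRC_TALLY, "ui.bin": SRC_UI},
    "monitor_b": {"tally.bin": SRC_TALLY, "ui.bin": SRC_UI},
    "monitor_c": {"tally.bin": SRC_TALLY, "ui.bin": SRC_UI + b"local build difference\n"},
}
INSTALLED = {  # what is actually found on the machine under audit
    "tally.bin": SRC_TALLY + b"undocumented change\n",
    "ui.bin": SRC_UI,
    "extra.bin": b"not in the public source\n",
}

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def agreed_digests(monitor_builds, quorum):
    """Per component, the digest that at least `quorum` rebuilds agree on, else None."""
    names = set().union(*(build.keys() for build in monitor_builds.values()))
    agreed = {}
    for name in names:
        votes = Counter(digest(b[name]) for b in monitor_builds.values() if name in b)
        top, count = votes.most_common(1)[0]
        agreed[name] = top if count >= quorum else None
    return agreed

def audit_machine(installed, agreed):
    """Classify every component seen on the machine or in the public builds."""
    findings = {}
    for name in sorted(set(installed) | set(agreed)):
        if name not in agreed:
            findings[name] = "UNLISTED"   # present on the machine, absent from public source
        elif name not in installed:
            findings[name] = "MISSING"    # published component not found on the machine
        elif agreed[name] is None:
            findings[name] = "NO_QUORUM"  # monitors disagree; no reference to compare against
        elif digest(installed[name]) != agreed[name]:
            findings[name] = "MISMATCH"   # differs from the independently replicated build
        else:
            findings[name] = "OK"
    return findings

if __name__ == "__main__":
    print(audit_machine(INSTALLED, agreed_digests(MONITOR_BUILDS, quorum=2)))
```

Requiring agreement among several monitors means no single builder, vendor or administrator supplies the reference that the installed software is judged against.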
There may be objections that, despite their evident qualities for accountability, the specifications of an open voting system are not feasible. Generally, the following reasons might be given:
- there are no vendors who would not insist on proprietary elements of their voting systems,
- the common knowledge of the working of an open system would make it more vulnerable to tampering, by newly enabled participants or the watchdog itself,
- the procedural cost would be unacceptable, and
- the measures would not be certain to detect tampering anyway.
In the environment of such an open system, any attempt at tampering with an election would incur a considerable risk of detection. With a sufficiently diligent and conditioned watchdog, the detection would become ever more likely. In this sense, these proposed protocols taken all together are as surely effective as can be expected.
There remains to express a deep personal faith. An electoral process, with whatever technology, can be made virtually free from error and fraud, though by its nature there can never be a guarantee of certainty in such matters. If the system is unremittingly open, there can come to be full accountability, and correspondingly high public confidence in the process. This requires sufficient public priority, or political will, to achieve. Of course there will be costs for this complete accountability, but those augur to be small in relation to the rewards. Alternatively, if the system is not open, there can never be complete accountability and the public will never have complete confidence in the electoral process. The public itself must be the ultimate watchdog and guarantor of faithful elections.
Created before October 2004