Personal tools


CFP'93 - Mann

CFP'93 - Open Voting Systems

by Irwin Mann

New York University

The advent of computer technology will inevitably affect all the systems that we use for voting and for recording tallies in public elections. In particular, it is all but certain that voting machines will tend to become technologically more sophisticated, more fashionable in design, and likely more expensive. [It may be said here that the need or advantage of this is not necessarily apparent to the author.] This evolution will be accomplished in the name of accuracy, efficiency in recording, flexibility of operation, and the security of the electoral outcome. It is natural to consider the possible ramifications of these advances.

It is the security of the electoral outcome which may become most at hazard. In the absence of the installation of prudent precautions, the machine and the process shall likely be more vulnerable to large inadvertent errors, and much more ominously, to electoral fraud. The essential reason for this is that, with the technological sophistication, the internal operation of the machine will be less apparent and therefore less apprehensible by the wider public. It will be a premise of this paper that the public itself is an - indeed the - essential watchdog of electoral integrity.

Those forms of discrepancies, error and fraud, except in many transparent cases, can be almost invisible if the software within the machine is hidden or uninterpretable. We must determine how the governance of the operation of the machine can be made accountable to the public, and provide for the integrity of our electoral process.

In order to establish a context for the discussion, it would be useful to distinguish among lesser and greater threats to that integrity. These different levels of threat can be characterized by their relative visibility, their effect on the election if unchecked, and the nature of the precautions which are required to thwart them. For instance, there is a difference in kind between the prospect of someone voting more than their allotted once, and a clandestine software "trapdoor" or patch which can be used to transform votes in unknown ways. Though the law has been violated in both cases, the act of voting twice is much more detectable in a greater variety of ways, and is likely to have far less effect. Though all threats, large and small, should be addressed, it is the larger which requires the higher priority.

It is often proposed that the guardians of software fidelity will be its vendors together with the administrators of the election (public, private, or both). But this degree of trust in such matters surely cannot be, for the future, always warranted. The safeguards must also include the practiced scrutiny of the public. It is fair to say - though perhaps shocking to realize - that a government itself is by far the greatest threat to insufficiently regulated fair elections. It is upon that premise, among others, that the proposal of this paper rests.

For this and similar reasons, there cannot be a relatively small group of persons who exclusively have access to, and control over, the inner workings of an election process. In order to ensure that such an insulated group cannot occur, we conceive of a condition under which this insulation is virtually impossible. We provide a paradigm whereby the voters have relevant access to the accountability of the voting process. We refer to such a system as an "open voting system".

Such a system is defined as one where:

  • every element of every component, both hardware and software, is in the public domain,

  • there are built-in capabilities for independent monitoring of software, and

  • there are institutionalized protocols for public monitoring of all components and the electoral process, sufficient to find any hypothetical discrepancy from the intended design, if it should happen to exist.

In particular, this means that the system can have no proprietary parts! It is proposed here that as a matter of public policy, every voting system used for a public purpose shall be "open" in the sense given above.

This open protocol, in conjunction with the standard protocols of a rigorous auditing trail, and sufficient redundancy (including the existence of hard copies of ballots) is essential for full accountability of the system. It will enable the public to serve as watchdog in ways foreseen, and ways perhaps not yet foreseen. The accountability is accomplished by means of the possibility - not necessarily taken up in many cases - of public monitoring of any or all of the components of the system. The propriety of this monitoring must be regularized. The mechanisms for it, as they evolve, must be put in place. It may occur at times both before and after an election, according to the discretion of the watchdog itself.

In order to facilitate such potential monitoring, all software programs must be written in a high-level language, and well-annotated, so that they may be understood, replicated, and compared. The compilers used shall be from a standard repertory. These specifications exist so that there are measures whereby unauthorized patches on hardware or software may quite likely be detected.

There may be objections that, despite their evident qualities for accountability, the specifications of an open voting system are not feasible. Generally, there might be the given reasons:

  • there are no vendors who would not insist on proprietary elements of their voting systems,

  • the common knowledge of the working of an open system would make it more vulnerable to tampering, by newly enabled participants or the watchdog itself,

  • the procedural cost would be unacceptable, and

  • the measures would not be certain to detect tampering anyway.

These points, which are themselves conjectural, are perhaps best left to argue and attempt to resolve in another place.

In the environment of such an open system, any attempt at tampering with an election would incur a considerable risk of detection. With a sufficiently diligent and conditioned watchdog, the detection would become ever more likely. In this sense, these proposed protocols taken all together are as surely effective as can be expected.

There remains to express a deep personal faith. An electoral process, with whatever technology, can be made virtually free from error and fraud, though by its nature there can never be a guarantee of certainty in such matters. If the system is unremittingly open, there can come to be full accountability, and correspondingly high public confidence in the process. This requires sufficient public priority, or political will, to achieve. Of course there will be costs for this complete accountability, but those augur to be small in relation to the rewards. Alternatively, if the system is not open, there can never be complete accountability and the public will never have complete confidence in the electoral process. The public itself must be the ultimate watchdog and guarantor of faithful elections.

Return to CPSR conferences page.

Return to the CPSR home page.

Send mail to webmaster.

Archived CPSR Information
Created before October 2004

Sign up for CPSR announcements emails


International Chapters -

> Canada
> Japan
> Peru
> Spain

USA Chapters -

> Chicago, IL
> Pittsburgh, PA
> San Francisco Bay Area
> Seattle, WA
Why did you join CPSR?

To network and volunteer to support initiatives.