Wednesday, April 23, 2008

Voting Systems

I just had a fascinating conversation with one of my co-workers. We were discussing what it would take to convince the government and the populace that an Open-Source electronic voting system is the only acceptable solution for electronic voting.

Here were the main points of discussion:

1. Software Security:
Who knows the most about security? Cryptographers. Cryptographers are the most paranoid people you will ever meet; they worry about every possible thing that might go wrong with a security protocol. You know how they design good protocols? They get as many people as possible to submit ideas, then pick a few of the best, and get as many people as possible to review those to look for any problems (this is how the NSA does it). The worst possible thing you could do, and the cardinal sin of cryptography, is to try to build a secret protocol.
Therefore, in order to build a secure voting system, it should be as open to review as possible. The best way to make it open to review is to allow the populace to write it: Open-Source. You get the work done for free, and with thousands of people reviewing the code you have a very strong assurance that the final product will be secure.
Everyone who works on the code will be afraid of leaving a vulnerability, because then someone they don't like might exploit it, so they'll be very careful to make sure it's safe. This design structure, coupled with the use of NSA-approved, strong cryptographic protocols for information exchange, provides a very high level of trust in the system. Much higher than the current garbage being sold by companies like Diebold.

2. Hardware Security:
The hardware itself needs to be secure and trusted. The design of the hardware should be open to review by the populace just as the software is. Once the leading experts in the field are satisfied with the hardware design we can move forward.

3. Operating System Security:
The voting application and the physical machine need to be secure, and so does the operating system mediating between the two. Luckily for us, there are Open-Source builds of Linux distributions called SELinux (Security-Enhanced). The NSA has created these distributions and recommends them for people needing the highest possible level of security. The code is still open-source and can be reviewed by anyone using the system.

4. Accounting for Paranoia:
Now, the paranoids of the software security world will bring up the Ken Thompson Compiler Hack. If you have no idea what that is, just ignore this section. To mitigate the possibility of a compiler-inserted backdoor, the people creating the software could first use standard compilers that can be expected to be safe. And if that's not enough to satisfy them, they can write their own compiler in some exotic language (to prevent the self-propagation) and use the newly compiled compiler.
5. Paper Backup:
When a person places a vote, the system should display their vote on the screen in a simple, unambiguous manner. Then a cash-register-style tape printer (within an enclosed system) prints off the ballot and the user verifies that the screen matches the printout. The printout is then mechanically detached and dropped into a secured bucket/box. This allows the user to be sure that their ballot was correctly cast both electronically and on paper. If there is ever a question about the validity of the election, the paper ballots can be manually counted, and the user has already verified that the ink on the paper showed their vote (no more hanging-chad problems). For the uber-paranoid, the register tape can print an ink receipt and a pressure paper (canary-colored "carbon copy") which are stapled together and dropped in. This way no disappearing-ink trick could work without also tampering with the pressure paper.

When you take all of these things into account, you will have an electronic voting system which is extremely secure. Elections could occur more quickly and easily, with tallies that are verified by trusted cryptographic protocols as well as unambiguous, dual paper backups.

This, of course, is not a fully detailed description of a secure voting system. But it is the start of what should be done to move on from the terrible systems currently being used.

1 comment:

alishka babushka said...

You guys fascinate me. Such brilliance in that little room you call an office.