A technical analysis of the VVSG 2007
Stefan Popoveniuc, George Washington University, The PunchScan Project
A standard should
  Say WHAT needs to be done
    – Performance standard
    – High level goals
    – Encourages innovation
  Not HOW to do it
    – Design standard
    – VVPAT
    – Discourages innovation
Software Independence (SI)
  Definition
    – “…an undetected error or fault in the voting system’s software is not capable of causing an undetectable change in election results.” (Introduction 2.4)
  I.e., check the election, not the equipment
  High level goal – good intentions
What I will show
  The software independence definition is subject to multiple conflicting interpretations.
  IVVR does not fit any of the interpretations.
  There are real voting systems that actually do satisfy the SPIRIT of the definition.
Pitfalls of the definition
  The definition is ambiguous because it does not specify
    – WHO can check
        Privileged people
        Anyone
    – WHEN it can be checked
        Anytime after the tally is posted
        When the voter is in the booth (there is no tally)
  The definition does not mandate audits
    – Perform an audit if something went wrong
    – Realize if something went wrong from an audit
How is SI supposed to be interpreted by the VVSG
  Voters can check a piece of paper
  Everyone trusts the chain of custody
  Everyone trusts manual recounts
IVVR is a design standard
  “it must be possible to audit voting systems to verify that ballots are being recorded correctly” (Introduction 2.4)
  In many states, at casting time, the official ballot is the electronic record
  The voter CANNOT check the correct recording of the ballot
    – But only the correct printing of the IVVR
  There is no ballot (electronic record) when the voter checks the IVVR
IVVR is not SI
  There is a huge gap between being able “to verify that ballots are being recorded correctly” and the fact that the tally is correct – not in the spirit of software independence.
  Simply trust the chain of custody? Not scalable
    – Custodized as recorded
    – Counted as custodized.
  Simply trust the manual recounts? Not scalable
  A count is meaningful only for the person doing the recount
The spirit of Software Independence
  Cast as intended
  Recorded as cast
  Custodized as recorded
    – The voters can check it at any time after casting.
  Counted as custodized
    – Anyone can check it at any time after election day
Conclusion
  Specify a goal that is not susceptible to interpretation (needed: who can check, when it can be checked).
  Should not specify how to achieve the goal.
  IVVR is not SI (even for the weakest interpretation).
  An open problem: we should not exclude VVPAT systems because they are implemented, but we should encourage any type of system that meets the spirit of the high-level requirement.