Security Requirements for Voting
In election seasons, especially in this current 2020 election, voting security is on everyone's mind. This video, from the Security Digital Democracy MOOC, breaks down the criteria for safe voting.
So now that we've adopted the security mindset, let's return to election systems and start thinking about what the security requirements are that a voting system needs to enforce in order to be considered secure.

The first requirement that we usually think about is integrity. One definition is that this simply means that the outcome of the election matches voter intent. Now, this might seem obvious, but if we unpack it, there turn out to be a few subtleties here. First, why are we saying outcome? Well, outcome, in other words the winners of the election, is a slightly weaker requirement than we might ask; we might be asking that the counts should be exact. But it turns out that in real elections, if you're counting a million votes, it's almost impossible to guarantee 100 percent accuracy. There are always going to be some errors that aren't caught. So, we're going to have a slightly weaker requirement and just say that the "right" candidate should be declared the winner.

Then, there's the notion of voter intent. Voter intent means that your vote is counted the way you intended it to be counted. This seems obvious, but there are actually a lot of places where things can go wrong. The most famous recent example is probably from the 2000 presidential election in Florida, where the particular design of the ballot appears to have caused many, many voters to cast votes for a candidate that they didn't intend to vote for. We'll see more about that in the next lecture, but it's just one example of where things can go wrong with voter intent. So another way to phrase this requirement is to break it down into two parts: (a) that votes are cast as intended, and (b) that votes are counted as cast. There is room for fraud or error in both places, and this is what election systems need to be engineered to avoid.

Our next security requirement is ballot secrecy, also known as the secret ballot. One weak form of stating this is that the election system should ensure that nobody can figure out how you voted. This protects your privacy against your snooping neighbors or your employer. It's a way of capturing what we intuitively think: that your vote should be private. But the real security mechanism that's built into our election requirements is a stronger form of this. It's not enough that nobody can figure out how you voted; we also ask that this should be true even if you want to or try to reveal to these other parties how you voted. Now, that's where the property gets really interesting.

So why do we think about this strong form, and why shouldn't you be able to reveal to someone how you voted? Because if you were able to reveal how you voted, that would make it much easier for people to buy your vote, and for you to sell it. Then, if someone agreed to pay you money to vote a certain way, they could know they were getting their fair bargain for it. If we have this property, then you can say you're going to vote for their candidate and still vote whichever way you really wanted to.

The strong form of ballot secrecy also protects against coercion. A criminal might come up to you and tell you that you have to vote a certain way and prove it to them, or else they're going to take some kind of revenge on you. The strong form of ballot secrecy protects against that too, because even if someone threatens you, the system is not going to let you reveal how you voted to someone else. There is always going to be some doubt. Coercion historically was a major problem even in elections in the US, and even today you have to think about many different parties who might want to coerce voters into voting a certain way. Employers, unions, perhaps even spouses or parents might want to have some say in how you vote. And coercion doesn't have to be a threat of physical violence; it could be something much softer than that, just that someone is going to think less of you if they found out you voted a certain way. The weak form helps protect against that, but the strong form and the weak form, put together, protect against even more violent or intimidating forms of coercion.
Our next security requirement is voter authentication, which says (a) that only authorized voters should be able to vote, and (b) that voters should only be able to vote once, or whatever the legally permitted maximum number of times is. Who is eligible to vote is generally something set by the law. As for how many times you vote, fraud by voting multiple times was once a very common form of cheating in the United States. Today, because we have voter registration systems, this is something that's less prevalent, but this is part of the reason why voter registration was introduced.

Our next security property is enfranchisement, and this means that all authorized voters should have the opportunity to vote. You might think about this as a corollary to the authentication requirement that we just talked about, because just as having people who are not authorized to vote could be an attack on a voting system, discouraging people who are authorized to vote, who you think would vote a certain way, could be an equally powerful attack. Enfranchisement, the right to vote, is often a hard-earned civil right, and is a core democratic value in many societies.

The last security requirement I want to talk about is availability. This means that the system is going to be able to accept votes on schedule during election day, and it's going to produce results in a timely manner. You can imagine attacks on availability as ones that are going to just stop the system from functioning successfully, by, say, either having to turn people away on election day or causing excessive delay before a count can be announced. Often in computer security, we think about attacks on availability as things like denial of service attacks, where people try to overwhelm a web server by sending so much traffic to it that it has the effect of knocking the service offline and preventing it from being available to real users. Availability in election systems is in many ways an even more difficult challenge to provide, because the date of the election is usually fixed. There is no provision in the law of many places to postpone election day if none of the voting machines are working that day, or to run the election again if all of the voting machines mysteriously lose the information they're supposed to have counted.

As I said before, security rarely comes for free, and often satisfying one of our security requirements makes satisfying some of the others all the more difficult. When this happens, we say that the requirements are in tension. This is true for many of our requirements for voting security; it's part of what makes election security particularly difficult and interesting.
Let me give you an example of a couple of the tensions now. One tension is between integrity and ballot secrecy. To see why these are in tension, I can give you a hypothetical example of a voting system that provides very, very high integrity. We're going to allow everyone to cast their vote, we are going to write down their name next to who they voted for, and we are going to publish the whole list in the newspaper. This hypothetical example would have very high integrity, because you can verify that your vote appears on the list correctly and that none of the names on the list are people who are dead or who are not authorized to vote; your neighbors can all do the same, so it would be much harder to cheat. On the other hand, there will be no ballot secrecy, so it's much easier to coerce people into voting a certain way or to sell your votes. It's much easier to cheat, a different kind of trade-off.

Another example of a tension is the tension between voter authentication and enfranchisement. In order to achieve a very high level of voter authentication security, we might ask that anyone who wants to vote provide a driver's license and a passport, a fingerprint, maybe produce their birth certificate. This would help ensure that no one who is not who they claimed to be could vote. On the other hand, it would have the effect of driving a lot of people who wanted to vote, who were authorized to vote, away, because they didn't have the required documentation. On the other hand, if we wanted to ensure that it was very easy for everyone to vote, we might ask for no identification whatsoever, just for the voter to assert that they had the authority to vote. But that would make it very easy for people who weren't authorized to just go and falsely claim so. So, once again, these requirements are in tension.

Technology sometimes has the ability to influence where we can fall on these tug-of-wars, these trade-offs, or sometimes even to make the choice less stark, less of an either-or, by letting us have some of each. But ultimately, these are not tensions we know how to completely resolve right now, and it's usually a decision for public policy where we want to be on the spectrum of possibility.
In addition to the security requirements we've just discussed, there are also a number of additional requirements that we consider to be very important for election systems. Sometimes these have security implications too, and we'll talk about them at various points throughout the course.

One of these is cost effectiveness. We don't have unlimited resources to spend on our voting systems, so certain engineering trade-offs are going to be necessary.

Another is accessibility. We want to make sure that voters who are physically disabled, or blind, or nearsighted, or illiterate can all participate in the process. This is an important social value in many countries.

Then, there's convenience. If the system is just too much of a pain, many voters will stay home in places that don't have compulsory voting. Since we want to increase voter turnout in many societies, making sure that the system is convenient is very important.

Then, there's intelligibility, which says, basically, that if the system is too complicated for voters to understand how the count is being produced or why they should accept the outcome, then that's violating something that ought to be considered a very basic value. The system should be designed such that all voters are able to understand why their votes counted.

So, the history of election technology has been a struggle to find ways to satisfy all of these various requirements at the same time. Because of the tensions between them, trade-offs are inevitable, and there is no one way to balance them all that's the right answer for all societies at all points in history. But over the past two centuries, people have invented a range of ingenious ways to try to provide many of these properties. Some fared better, some went disastrously wrong. And in the next lecture we're going to see how these tradeoffs have evolved over time as election systems developed from the earliest forms of voting into the digital
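As an added illustration, not code from the lecture or from the course, here is a small Python model of two of the requirements discussed above: voter authentication (only registered voters, at most one ballot each) and integrity in its outcome form, where the declared winner must match voter intent even though the counts themselves need not be exact. The voter roll, candidate names and miscount bounds are constructed sample data. The margin rule it uses (the winner is guaranteed when the margin exceeds twice the number of ballots that might have been miscounted) is a worst-case bound added here to make the "outcome, not exact count" requirement concrete; it is not a claim made in the lecture.

```python
"""Toy model of two voting requirements from the lecture: voter
authentication and outcome-level integrity.  Added example, not course
code; every voter, candidate and error bound below is constructed."""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class BallotBox:
    """Accepts a ballot only from a registered voter, and only once per
    voter (the two halves of the authentication requirement)."""
    registered: frozenset
    ballots: list = field(default_factory=list)   # choices only, no names
    voted: set = field(default_factory=set)
    rejected: list = field(default_factory=list)

    def cast(self, voter, choice):
        # (a) only authorized voters may vote
        if voter not in self.registered:
            self.rejected.append((voter, "not registered"))
            return False
        # (b) each voter votes at most once
        if voter in self.voted:
            self.rejected.append((voter, "already voted"))
            return False
        self.voted.add(voter)
        # The stored ballot carries no voter identity, so the count alone
        # cannot be used to learn how any individual voted.
        self.ballots.append(choice)
        return True

    def tally(self):
        return dict(Counter(self.ballots))


def ranked(tally):
    """Candidates ordered from most to fewest counted votes."""
    return sorted(tally.items(), key=lambda kv: kv[1], reverse=True)


def winner(tally):
    """The outcome: the single candidate with the most votes, or None on a tie."""
    order = ranked(tally)
    if not order:
        return None
    if len(order) > 1 and order[0][1] == order[1][1]:
        return None
    return order[0][0]


def outcome_is_robust(tally, max_errors):
    """Outcome-level integrity: is the declared winner guaranteed to match
    voter intent if up to `max_errors` ballots were miscounted?

    The worst single miscount moves one ballot from the leader to the
    runner-up, cutting the margin by 2, so the winner is safe only when
    margin > 2 * max_errors.  Exact counts are not required."""
    order = ranked(tally)
    if len(order) < 2:
        return True
    margin = order[0][1] - order[1][1]
    return margin > 2 * max_errors


def run_demo():
    """Constructed sample: five registered voters, one unregistered
    attempt ("mallory"), and one voter ("bob") who tries to vote twice."""
    roll = frozenset({"alice", "bob", "carol", "dave", "erin"})
    box = BallotBox(roll)
    attempts = [("alice", "A"), ("bob", "A"), ("carol", "B"),
                ("dave", "A"), ("mallory", "B"), ("bob", "B")]
    for voter, choice in attempts:
        box.cast(voter, choice)
    return box


if __name__ == "__main__":
    box = run_demo()
    tally = box.tally()
    print("counted:", tally)
    print("rejected:", box.rejected)
    print("winner:", winner(tally))
    for errors in range(3):
        print(f"safe with up to {errors} miscounted ballot(s)?",
              outcome_is_robust(tally, errors))
```

In the sample run the count is A 3, B 1, so A wins with a margin of 2: the outcome survives one possible miscount only if the margin is more than 2, which it is not, so a single error could in principle change the winner. Note that the box deliberately stores choices without names; the lecture's hypothetical "publish every name next to their vote" system would amount to appending the voter's name alongside `choice`, which is exactly the integrity-for-secrecy trade the lecture describes.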