Archive for the ‘Misc’ Category

Job Opportunity: Research Officer in E-voting

Friday, October 31st, 2008
From our friend Dr. James Heather:
Research Officer in E-voting (3.5 years, fully funded)

http://www.jobs.ac.uk/jobs/JT084/Research_Officer/

Department of Computing
University of Surrey, UK

The E-voting group at Surrey is looking for a Research Officer to work on an EPSRC-funded project on Trustworthy Voting Systems (EP/G025797/1), starting in January 2009.

This project, run in conjunction with Birmingham and Newcastle, is, to the best of my knowledge, the first time a public research council has approved funding on this scale to look at secure electronic voting. This is a huge opportunity to be part of a project that could affect how national elections are run in the future.

For more details, please follow the link above. I am more than happy to answer informal enquiries about the post.

James

Scantegrity website relaunch

Tuesday, October 28th, 2008

We are pleased to announce the relaunch of the scantegrity.org website. This renewal has been undertaken to reflect both the growth of the Scantegrity project and the shift in focus to invisible ink (i.e., from Scantegrity I to Scantegrity II).

Likewise, our project blog, which was hosted heretofore at punchscan.org, will now be hosted at scantegrity.org, reflecting our changing focus. Note to the punchscan blog subscribers: you do not have to update your feed.

Finally, and most interestingly, we’re taking this opportunity to launch the Scantegrity wiki — a place to learn about and contribute to the Scantegrity project. It includes several interesting features:

Like most wikis, you do not need an account to make contributions–just click and edit. We hope to encourage contributions in this way.

Scantegrity.org circa 2007

Scantegrity.org now

These are the blogs I know, I know

Thursday, September 11th, 2008

I took a moment today to reflect on being alive, and to mourn the folks in the other universe that were annihilated today by the Large Hadron Collider. A friend told me he was particularly saddened by the loss of what he believed would have been his pirate alter ego (and pet monkey). In bygone times people would have said “you watch too many movies.” Well today it’s, “you read too many blogs.”

Punchscan colleague, and blogosphere power reader Jeremy Clark introduced me the other day to the awesome power of the Google Reader Next>> button. Now I can keep track of all my favorite election blogs in a very efficient and immediate way.

So this is how I came across Election Technology Blog’s post today offering a list of such blogs, with which you can fill your Google Reader, and hearts. I would like to take the opportunity to also endorse,

  • Allaboutvoting — A software developer with a broad interest in voting,
  • Benlog — Harvard researcher Ben Adida. He’s a multifaceted guy, so it’s more than just voting, but he’s an authority on end-to-end via his PhD work and the Scratch & Vote and Helios systems.

Of course it’s also a brand new, four-day old, federal election campaign in Canada, so lots of action coming through my NEXT>> button. However instead of the campaign being a year long, it’s only ONE MONTH long. So it’s actually all still fresh and interesting, even though we don’t have a full-time Canadian Colbert equivalent (closest being Rick Mercer). Although granted you would also never actually see Bush doing a shtick like this (though probably Obama would: “Steven, grizzly bears are the #1 threat to America”).

Beyond voting is the perhaps unoriginal choice, everyone’s favorite, Freakonomics blog. I think Jeremy and I would be totally thrilled if Levitt ever gave his thoughts on the economics of end-to-end verification, though it may not be pretty.

This brings me back to this blog. You’ll be seeing a change soon. The time has come to expand our blogging scope. Punchscan is in hibernation now until society can catch up. That said, we’re busier now with our research than ever before, that’s why we need a new blog, one more generally about end-to-end election verification where we can mix things up (and maybe get some new cartoon characters).

Scantegrity in IEEE S&P

Friday, June 20th, 2008

An article about the first version of Scantegrity was published in the May/June issue of IEEE Security and Privacy Magazine.

Scantegrity II will appear at EVT at the end of next month.

Response to an Ill-Informed Post at VoteTrustUSA

Thursday, June 5th, 2008

A recent post at VoteTrustUSA, entitled Electronic Verification for E-voting: A Dead End for Voter Confidence, contains misleading and false information. While such pieces are commonplace in the blogosphere, this particular piece is notable because it has enough references to seem plausible. The author also references our work, which makes a response inevitable.

In an effort to be brief, I will address the systemic errors in roughly the order they appear and avoid getting into unnecessary analysis and discussion. This is by no means a comprehensive refutation of everything wrong with the post, just the higher level ideas.

Invalid comparison. From the title, we are led to believe that the post will discuss the topic of “electronic verification.” That term means E2E based on the link to our work and discussion of cryptographic voting protocols. However, the topic is inconsistent with the very first sentence of the post:

Paperless electronic voting is in retreat, its popularity done in by disturbing security reviews of current e-voting systems and significant voter concern about the integrity of elections.

This sentence is equating the existing paperless DRE voting systems with E2E, but clearly they cannot be the same. E2E, or electronic verification, is a set of methods that guarantee certain properties. In other words, E2E is technology neutral and not specific to paperless DREs.

The idea of comparing and contrasting E2E with a specific technology is flawed. Systems based on E2E methods derive their properties from the underlying protocols and not the specific hardware. Since they do not correspond, it is not possible to usefully compare them unless you are comparing a specific implementation using such technology, which the article fails to do.

My guess is that the author mistakenly believes that an E2E based system is simply a piece of software put on a DRE. The word “paperless” supports this conclusion, because every proposed E2E based system for poll site voting that I have seen uses paper (or transparency sheets) in some way.

Confusion between use of a cryptographic protocol designed for voting and one for secure key exchange. The “bullet proof system” story referenced is about the use of quantum cryptography. This is not an E2E based system, so the comparison does not apply here either outside of the notion that it could have security problems. This is about as useful as saying “elections can have fraud.”

The effects of security problems are in the details, and E2E based systems show pretty graceful failure in the face of unforeseen flaws. What we have found is that the concepts in E2E are somewhat independent of the cryptographic algorithms used, and some newer E2E systems do not use cryptography.

E-commerce misconception. The post states that “it is necessary to compare electronic voting to electronic commerce.” Unfortunately, the post provides a rather narrow view of e-commerce, equating it only with non-anonymous transactions and glossing over many topics like anonymous digital cash. It is also not very clear why such a comparison is necessary or what it proves outside of the problem being difficult.

Improper assertion of the motivation behind Scantegrity. The 6th paragraph cites our work on Scantegrity, which adds E2E security properties to optical scan systems. Unfortunately, it is depicted as a descendant of a paperless system, but this is false as Punchscan uses a paper ballot. Apparently the author’s definition of paper ballot is not “a piece of paper the voter uses to vote” but “a hand readable piece of paper available after the voter votes.”

Regardless of the definition of paper ballot, the implication is that the paper ballot is necessary for some sort of security property. The reality of the situation is that we really, really care about having secure elections as soon as possible. An add-on is, in my view, the best way to meet that goal because it will work with existing election equipment without modification and allows us to add security properties to systems that are already in use. Certification becomes clear and simple, and a voting system does not have to be created around it. The path to adoption is substantially cleaner and cheaper.

An unintended consequence of this choice is that the people who think paper provides certain security features find it less objectionable. The irony is that Scantegrity is a great example of what E2E can do better than paper, and in that sense it is particularly damning to someone saying that paper must be used, especially if his argument is against the use of E2E. Paper certainly can be useful, but it is more a matter of convenience than security.

Confusion between properties of a method and certification of an implementation. The post asks “Is the certification process for voting equipment up to the challenge of ensuring that electronic verification can secure an election?” Again, E2E is a method, and not a piece of equipment. E2E based systems are created to be secure assuming the public has full knowledge of their inner workings. They can be reviewed by any interested party, and not simply through a closed certification process. E2E methods are also designed to resist equipment failure. Whether a particular E2E method works is something you could verify once. After that you simply verify that the implementation adheres to the prescribed method and addresses the other certification requirements.

Ignorance of E2E requirements on voters. The post states:

Cryptographic verification requires that voters use a code to avoid compromising the secrecy of the ballot, and understanding the mathematics of the coding system would require substantial training on the part of voters.

This is simply false. While the privacy preserving receipt that the voter receives might have a code on it, this is not always the case and there is no requirement for the voter to understand it. In some cases the E2E parts can be ignored by many of the voters if they are uninterested in using them. There is no training involved outside of pointing out what it is and maybe how to check, if there are no clear directions on the receipt. Anything more than a poster and maybe a handout would probably be overkill.

The post also seems to ignore the feature that the privacy preserving receipts let each voter check that his or her ballot was actually counted and represented in the final tally. Even if voters understood only how to use this receipt, this is much more feedback than what they currently receive.

The author also fails to understand that it is possible for anyone to take the receipt data and verify that the receipts were correctly counted. This capability is in stark contrast to what we have now, where you have to stay the whole day and watch the counting afterward. Instead, you are only limited by your knowledge. If you couldn’t do it on your own, you could get someone you trust to do it for you. You, by yourself—sitting in your jammies the next morning—could do it for the whole state, or even the whole country, in no time at all. This is a lot different than taking several days off work and having a limited ability to check the goings on of one polling place.

The end of the article is a quote from Bruce Schneier that doesn’t make a whole lot of sense in the context the author uses it:

Building a secure cryptographic system is easy to do badly, and very difficult to do well. Unfortunately, most people can’t tell the difference.

The use of the quote seems to imply that since it is hard to make cryptographic systems, we should not try. I find the implication absurd—think of all the other things we shouldn’t be doing since they’re hard… Whatever happened to that “can-do” American attitude? JFK once said:

We choose to go to the moon in this decade and do the other things, not because they are easy, but because they are hard, because that goal will serve to organize and measure the best of our energies and skills, because that challenge is one that we are willing to accept, one we are unwilling to postpone, and one which we intend to win, and the others, too.

Voting is a far cry from going to the moon, but it is an important and difficult problem.

Scantegrity Poster

Sunday, May 4th, 2008

I recently created a poster about Scantegrity that may be of interest to those wishing to learn more about it.

The poster won first place at a competition at the annual UMBC CSEE department research day.

Wordpress Update Glitch

Friday, May 2nd, 2008

I upgraded the blog recently, and the feed URL went from:

http://punchscan.org/blog/?feed=rss2

To

http://punchscan.org/blog/feed/

This caused an RSS feed error on the front page. It is fixed now. This will probably break everyone’s RSS feed reader (although Google Reader is still working for me). I apologize for the inconvenience.

Video Link

Thursday, December 27th, 2007

Check out this video of Ben Adida at Google giving an overview of cryptographic voting and read his afterthoughts.

Having given similar talks on Punchscan, I know how tricky it is to explain the concepts to a lay audience, especially the verification technique (the divide between individually verifying the inclusion of your ballot and collectively verifying the decryption and tallying of all ballots–this is in need of a good real-world analogy). He does an excellent job.

Hat tip

Thursday, November 15th, 2007

Election Technology lists the best of the voting blogosphere.