
A technical analysis of the VVSG 2007

Stefan Popoveniuc, George Washington University, The PunchScan Project


Presentation Transcript


  1. A technical analysis of the VVSG 2007
     Stefan Popoveniuc, George Washington University, The PunchScan Project

  2. A standard should
     • Say WHAT needs to be done
       • Performance standard
       • High level goals
       • Encourages innovation
     • Not HOW to do it
       • Design standard
       • VVPAT
       • Discourages innovation

  3. Software Independence (SI)
     • Definition
       • “…an undetected error or fault in the voting system’s software is not capable of causing an undetectable change in election results.” (Introduction 2.4)
     • I.e., check the election, not the equipment
     • High level goal – good intentions

  4. What I will show
     • The software independence definition is subject to multiple conflicting interpretations.
     • IVVR does not fit any of the interpretations.
     • There are real voting systems that actually do satisfy the SPIRIT of the definition.

  5. Pitfalls of the definition
     • The definition is ambiguous because it does not specify
       • WHO can check
         • Privileged people
         • Anyone
       • WHEN it can be checked
         • Anytime after the tally is posted
         • When the voter is in the booth (there is no tally)
     • The definition does not mandate audits
       • Perform an audit if something went wrong
       • Realize if something went wrong from an audit

  6. How is SI supposed to be interpreted by the VVSG
     • Voters can check a piece of paper
     • Everyone trusts the chain of custody
     • Everyone trusts manual recounts

  7. IVVR
     • is a design standard
     • “it must be possible to audit voting systems to verify that ballots are being recorded correctly” (Introduction 2.4)
     • In many states, at casting time, the official ballot is the electronic record
     • The voter CANNOT check the correct recording of the ballot
       • But only the correct printing of the IVVR
     • There is no ballot (electronic record) when the voter checks the IVVR

  8. IVVR is not SI
     • There is a huge gap between being able “to verify that ballots are being recorded correctly” and the fact that the tally is correct – not in the spirit of software independence.
     • Simply trust the chain of custody? Not scalable
       • Custodized as recorded
       • Counted as custodized
     • Simply trust the manual recounts? Not scalable
       • A count is meaningful only for the person doing the recount

  9. The spirit of Software Independence
     • Cast as intended
     • Recorded as cast
     • Custodized as recorded
     • The voters can check it at any time after casting.
     • Counted as custodized
     • Anyone can check it at any time after election day

  10. Conclusion
     • Specify a goal that is not susceptible to interpretation (needed: who can check, when it can be checked).
     • Should not specify how to achieve the goal.
     • IVVR is not SI (even for the weakest interpretation).
     • An open problem: we should not exclude VVPAT systems because they are implemented, but we should encourage any type of system that meets the spirit of the high level requirement.
