Problems with the proposed system
The move to electronic elections in the United States has triggered a massive public debate on the right approach to designing an electronic voting system. At the heart of the debate is the question of whether electronic devices should be accompanied by a "physical" mechanism that can be verified by a human (e.g. a paper trail of the vote). The necessity for the latter arises from the realization that it is impossible to verify whether a computer faithfully follows its specification, be it due to buggy software or maliciously installed code.[1] To advocate the need for alternative means of verification, Ron Rivest (MIT) and John Wack (NIST) formulated the principle of "software independence" in voting systems:
any undetected change or error in the system's software cannot cause an undetectable change or error in an election outcome.
The conclusion, unanimously reached by computer scientists, software security experts, the press, and federal and state committees alike, was that voting machines should be made software independent. One natural way to achieve this is to mandate a paper audit trail for every vote. Indeed, paperless voting has become illegal in most US states.
TEHILA's solution was different. They ignored the recommendation to incorporate a paper trail, and instead chose to tighten the underlying computer security. According to TEHILA, the verification issues will be resolved once we use smart cards.
We think that the use of smart cards fails to address the heart of the problem. In fact, it makes things even worse:
Thus, instead of addressing the heart of the problem (machine dependency), TEHILA tries to change things in the periphery (by trying to make the hardware safer). But when potential attackers adjust to the new setting, and after all it is mostly a question of incentive and money, the problem will show up again, in an even stronger form and, worst of all, in an undetectable way.
Thus, even on the technical level the system seems to be unsatisfactorily designed. However, this is not our main point. Even if these problems are fixed, we believe the system is inherently flawed because it is paperless and, in particular, not software independent.
[1] An important exception is "open audit" cryptographically based elections, but this is not the solution adopted by TEHILA, and hence is irrelevant to the current discussion.