Problems with the proposed system

The move to electronic elections in the United States has triggered a massive public debate on the right approach to designing an electronic voting system. At the heart of the debate is the question of whether electronic devices should be accompanied by a "physical" mechanism that can be verified by a human (e.g. a paper trail of the vote). The necessity for the latter arises from the realization that it is impossible to verify whether a computer faithfully follows its specification, be it due to buggy software or maliciously installed code. To advocate the need for alternative means of verification, Ron Rivest (MIT) and John Wack (NIST) formulated the principle of "software independence" in voting systems:
 
          any undetected change or error in the system's software cannot cause an undetectable change or error in an election outcome.
 
The conclusion, unanimously reached by computer scientists, software security experts, the press, and federal and state committees alike, was that voting machines should be made software independent. One natural way to achieve this is to mandate a paper audit trail for every vote. Indeed, paperless voting has become illegal in most US states.
 
TEHILA's solution was different. They ignored the recommendation to incorporate a paper trail and instead chose to tighten the underlying computer security. According to TEHILA, the verification issues will be resolved once smart cards are used.
 
We think that the use of smart cards fails to address the heart of the problem. In fact, it makes things even worse:
  • The dependency on machines becomes even more acute. Not only do we depend on software, but we also have to check the smart card. Given that smart cards are designed to protect their contents from outsiders, checking what is on a smart card is even harder.
  • For the same reasons, even though using smart cards might make forgery more complicated for an outsider, it makes forgery by an insider much easier and harder to detect.
  • In case of a mismatch (e.g., as in the 2006 Florida election for Congress) there is no way to determine whether forgery took place. TEHILA builds on the assumption that no party can simultaneously control the software on two machines. But if a mismatch happens and the case reaches the court, security experts will probably argue that this assumption is invalid (would you believe this assumption?).
Thus, instead of addressing the heart of the problem (machine dependency), TEHILA tries to change things in the periphery (by trying to make the hardware safer). But once potential attackers adjust to the new setting, and after all it is mostly a question of incentive and money, the problem will show up again, in an even stronger form and, worst of all, in an undetectable way.
 
Moreover:
  • the system appears not to have been carefully thought through: a variant of chain voting was demonstrated just 10 minutes after TEHILA started presenting their solution at the Technion meeting,
  • the smart cards are made by a foreign manufacturer, who has control of the master keys,
  • the protocol was never made public, and
  • the solution was never tested.
Thus, even on the technical level the system seems to be unsatisfactorily designed. However, this is not our main point. Even if these problems are fixed, we believe the system is inherently flawed because it is paperless and, in particular, not software independent.
 
 
1 An important exception is "open audit" cryptographically based elections, but this is not the solution adopted by TEHILA, and hence is irrelevant to the current discussion.