Notes for remarks made by Prof. Ronald L. Rivest on October 1, 2011 for the EIPPF 2011 Conference (Election Integrity: Past, Present, and Future) held at MIT, Cambridge, MA. See http://shass.mit.edu/news/news-2011-election-integrity-past-present-and-future

These remarks are for the "Future" panel. These are the notes I spoke from, but may not be a particularly accurate transcription of what I actually said. A video transcript of the actual event is available at: http://techtv.mit.edu/collections/vtp

------------------------------------------------------------------------------

What might voting look like in the future? This depends, of course, on whether we are talking about the "near-term" or "far term". What are the "mega-trends" that shape what will happen?

Trend 1: The world is becoming increasingly technological. Computers, and the internet, are everywhere. This goes without any need for explanation or elaboration. Each of you carries in your cellphone more computing power than was in all of Massachusetts twenty-five years ago, and this room provides more bandwidth than all of Massachusetts had then.

Trend 2: On balance, computer and internet security have not improved in twenty-five years. There continues to be an "arms race" between the attackers and the defenders. *Both* sides have gotten much better. On balance, attackers have the edge, and a concerted attack against almost any system will eventually succeed. (Note the Stuxnet attack on Iranian atomic plants, or the recent attack on RSA.)

Trend 3: Increased sensitivity to possible vulnerabilities in voting systems, plus the availability of suitable techniques, has increased demand for *auditable* election systems -- systems where computer-based attacks, internet-based attacks, or even insider attacks can be detected and defeated by effective low-tech and statistical countermeasures. Auditability has become an *essential* systems requirement for any voting system.
A voting system must not only produce a conclusion as to who the winner is, but it must also produce evidence sufficient to enable others (including the loser) to verify that conclusion. I note that it is *no* *longer* enough to verify that the voting equipment is well-designed and appears to be working properly when tested. By way of analogy, when you audit a company's books, you don't just check that they are running the right accounting software! You have to look at the actual financial and transaction data. "Trust me" no longer cuts it. Auditability is the new cool.

Trend 4: There appears to be increased support for, and tolerance of, "remote voting" -- where the voter may cast his or her vote at some place other than an official pollsite. Some voters are voting remotely because they have no alternative; others are doing so merely for convenience. Allowing a voter to vote remotely gives up all pretense of preventing the voter from selling his or her vote, and eliminates any possibility of protecting the voter from outside influence or coercion. For the record, let me state that I am against remote voting merely for convenience.

To summarize, these are the four trends I notice:

(1) continuing increase in the spread of computers and the internet
(2) no net improvement in computer and internet security
(3) increased demand for auditable voting systems
(4) increased demand for widespread remote voting

So, the obvious "solution" for the future would be a remote voting system where everyone can vote over the Internet in an auditable manner, and where vote-selling and voter coercion are altogether prevented. Let me call this the "oxytopian" voting system. Here "oxytopian" is a combination of the two words "oxymoron" -- self-contradictory, and "utopian" -- ideal, because such a set of "ideal" requirements is intrinsically oxymoronic and unrealizable.
We might also call this the "White Queen's voting system" because the White Queen (as she explains to Alice in "Alice in Wonderland") is well practiced at believing "six impossible things before breakfast" (one of those being, I suppose, the question as to why a Queen would want a voting system anyway!).

I note, just for emphasis, and as number one, that it is impossible to have a voting system where voters are voting remotely in an unsupervised manner, and where voters are prevented from selling their votes.

I note, as a second impossible thing before breakfast, that it is impossible to have the Internet serve as the *only* communication channel between the voter and the voting system, and have any hope of having a "chain of custody" for the vote that meets any reasonable minimal standards of trustworthiness. Without other means of communicating with the voter, man-in-the-middle attacks are devastatingly effective. (That is not to say that the Internet is totally useless; protecting communications over the Internet can be done with trusted computer systems and pre-established cryptographic keys. But this is another story, and definitely would involve communication channels, such as mail or in-person registration, in addition to the Internet.)

For a third impossible thing to believe before breakfast, you should try believing that a remote voter's personal laptop is free of malware that might try to interfere with or manipulate the voter's voting process.

For a fourth, try believing that it is possible for a certification process to certify that the software for a particular voting system is absolutely free of bugs that might cause a vote cast for X to be recorded as a vote cast for Y.

As a fifth, try to believe that there is no one in the world who would be motivated to disrupt or manipulate an American election over the Internet. Do you think that the Iranians, the North Koreans, or perhaps even the Chinese wouldn't find American election systems attractive targets?
As a sixth, try to believe that the IT department and servers in your favorite jurisdiction are capable of withstanding a concerted attack by the Iranians or the Chinese. (I note for reference the recent experience of the Washington DC jurisdiction, which tried a pilot Internet voting system; their security was broken in just a few hours by Alex Halderman and colleagues.)

That's six impossible things -- time to serve breakfast! The White Queen voting system is, in my opinion, a hopeless fantasy -- an "oxytopian" vision.

What *can* we do to improve the integrity of voting systems, in the context of these trends and impossibilities?

I think that voting systems will, of necessity, need to be founded on the use of paper ballots for most voters. There is no simpler and better way for the voter to be sure that a durable and correct record of their choices has been made than to use a paper ballot. Any indirect means of casting a ballot, using software to mediate the casting, requires lots of faith-based reasoning before breakfast!

If we look at the requirements for election integrity, they clearly involve having auditable processes for ensuring that

(1) votes are cast as intended,
(2) votes are collected as cast (chain of custody), and
(3) votes are counted as collected.

These operations must not only "be correct", they must be "verifiably correct" -- it must be possible to audit each such operation. A system with auditability for all three steps is said to be "end-to-end verifiable".

It is worth emphasizing that complex systems tend to be fragile, error-prone, and corruptible. A computer is such a complex system. So is the Internet. If you are depending on a complex system to perform some critical task in a voting system, then you should devise a method for making that task auditable, if possible. Security researchers have known from time immemorial that the route to security is via simplicity; it is essentially impossible to build a secure system out of complex parts.
However, a simple auditing process can provide a good means of mitigating the failure modes of the complex part. The notion of "software independence" developed by John Wack and myself for the use of the TGDC, advisory to the EAC, is another variation on these ideas; it requires that an election outcome determination not depend in a critical way on the operation of complex software.

A paper ballot allows the voter to audit and verify that the ballot correctly represents the voter's choices (and no one else can really do so).

Current voting systems, even paper-based ones, tend to use unauditable procedures for ballot transmission -- there is no way to verify that the votes collected for counting are really the ones cast. While good procedures may be used, they are not auditable -- if ballots are changed there may not be a good way to detect such manipulation.

Some recent proposals, however, show how the Internet can be used to help provide such an "auditable chain of custody". That is, after the polls have closed, a voter can log in over the internet to ascertain that their ballot has correctly made it all the way to the final collection stage, and that it will be counted in the final tally as intended. This is not simple to do, as it needs to be done in a way that prevents a voter from "selling her vote". But there are nonetheless methods for making this work out that are secure and usable. They are similar in spirit to the publication of all ballot images, as done in Humboldt county, except that the ballots are identified with the voter who cast them, and the choices are represented in a coded manner to prevent vote-selling. The verification of the counting of the ballots so published is in principle straightforward, although the ballot-coding required to prevent vote-selling makes it non-trivial. The Scantegrity system, used in Takoma Park in November 2009, and to be used again there this November, is an example of such a system.
Pret A Voter is an example of another system of this type.

So, the Internet may well end up being used widely in voting systems of the future. But it will be used for verification and auditing purposes, not for the casting of ballots. Paper ballots will continue to be the medium of choice for the casting of ballots, for all the reasons mentioned above.

I expect some jurisdictions to experiment with "White Queen" oxytopian voting systems, but such systems are like products that claim to turn water into gasoline with the addition of a pill -- you have to be well practiced at believing impossible things before breakfast. And when you try such things, you shouldn't be surprised if your car doesn't run, or your voting system fails catastrophically.

From an election integrity point of view, remote voting is a severe challenge, and one that we are not prepared to meet well. Using the Internet to cast votes just makes the problems one hundred times worse.

At some point in the far distant future -- perhaps by mid-century -- the see-saw battle between attack and defense for computer and internet security will have settled down with a total victory for the defenders. But I'm not particularly optimistic about this. If that should happen, then perhaps we'll have some sort of voting method where you can vote in an auditable and uncoercable manner using a provably secure smart-phone implanted in your cranium, with communications secured by unbreakable cryptography, in a manner where your vote is necessarily private and visible only to you. Such a vision is perhaps a bit less oxytopian than the White Queen voting system, but it would require decades of progress on many fronts to realize.

But for the near future, I think we should all continue to emphasize the goal of auditability for all voting systems, and continue to expand our toolkit of auditing techniques for each step of the voting process.

That concludes my remarks for this panel; thank you for your attention.