Comments of Professor Ronald L. Rivest
CalTech/MIT VTP Press Conference
July 16, 2001

Our democratic society depends upon the integrity of the voting process and the privacy of votes. During this phase of our project, we have paid particular attention to the security that can be provided by various voting technologies. We do so in the midst of a technological revolution in computing and communications that promises voting systems with greatly increased convenience and user friendliness. Great care is required, however, lest such new high-tech electronic voting systems yield their benefits only at the cost of increased vulnerability to fraud and abuse.

Designing secure voting systems requires getting all of the details right. General principles of computer security and cryptography can be very helpful. Standards, certification, and testing must play an important role. Openness, a high degree of observability for most aspects of the voting process, and separation of privilege are key general principles.

Voting systems are particularly challenging from a security viewpoint because of the need to remove voters' identities from their cast ballots, in order to prevent vote-buying and the coercion of voters. Electronic voting is therefore different from e-commerce or electronic banking, where well-labeled receipts and well-labeled audit trails are standard. The anonymity of voting can also make fraud easier, as the addition, deletion, or modification of anonymous ballots is harder to detect.

Four specific security-related recommendations are as follows; see our report for more discussion, details, and other recommendations.

(1) Move away from monolithic voting architectures. Some proposals for electronic voting systems try to have one system do everything. Instead, by dividing a voting system into separate components for the creation and casting of ballots, as Professor Shuki Bruck outlined, security is enhanced because the second, most security-critical component becomes smaller and more easily auditable.

(2) Maintain a physical audit trail of votes cast. The audit trail need not be paper---it may be electronic---but it should be an immutable and archival redundant recording of the vote. The audit trail should be directly created by the voter, or at least be directly verifiable by the voter when he casts his vote. Many proposed electronic voting systems fail this requirement.

(3) Make the source code for the vote recording and vote counting components "open source". Vote recording and vote counting are the security-critical components; open-source implementations of these components will greatly increase confidence in election results. Manufacturers may still have proprietary code in the components used to create the ballots.

(4) Delay Internet voting (voting from home) until fundamental security issues, such as the security of the underlying platforms (that is, of the home PCs), have been adequately addressed. We believe that for now all voting equipment should be under the control of election officials. At least a decade of further research and development on the security of home computers is required before Internet voting from home should be contemplated. Even then, issues of voter privacy and voter coercion may make Internet voting from home inadvisable. In essence, voting from home inherits all of the problems of absentee balloting, and then makes the situation worse by adding problems of computer security. This is clearly an area for further research and study...

Thank you for your attention.