Voting systems require end-to-end trustworthiness, commencing with blank ballots and registration lists and concluding with the correct and auditable tallies of the marked ballots, reflecting the choices of the voters. This ballot round trip must resist well-financed and organized adversaries that may include the very people who develop, maintain, or deploy the election machinery, and the process must be accessible to all citizens regardless of their disabilities or native language. The center's research investigates software architectures, tamper-resistant hardware, cryptographic protocols, and the role that various verification systems (e.g., paper, audio, cryptographic) can play in electronic voting systems. The center also examines system usability and studies how public policy and administrative procedures can, in combination with technology, better safeguard voting systems.

The voting system integrity problem is a paradigmatic hard Cyber Trust problem, requiring trustworthy system architectures, security, integrity, privacy, anonymity, high assurance, and human-machine interfaces. Voting systems must preserve a voter's privacy and anonymity, to reduce risks of voter coercion and bribery, yet they must be sufficiently auditable and transparent to allow for mistakes and errors to be identified and reconciled. This center's research develops a deeper understanding of how to organize, develop, and evaluate not only voting systems, but a wide range of other systems with end-to-end trustworthiness requirements.

Project Report

An important finding of the SRI International grant as part of the ACCURATE center (although not at all surprising to the submitter) is that trustworthiness in the election process is a beginning-to-end, bottom-to-top, whole-system process in which potential weak links may exist in every stage in the life cycle of an election and in every component in any technological approach. In contrast to the elaboration of this holistic reality in several book chapters and other publications written by the SRI PI during the life of the ACCURATE center, the existing commercially available proprietary systems and corresponding operational procedures are riddled with vulnerabilities whose accidental triggering or intentional exploitation can compromise the results of elections. For example, the California Top-to-Bottom Review of three major election-system vendors' offerings demonstrated clearly but painfully how vulnerable those systems were at the time. They still are, as in many realistic and significant respects the overall situation has not improved substantially since then. In part as a result of the ACCURATE center's work, the goal of developing and enforcing the use of trustworthy systems and operational procedures is now much better understood in the research community (and especially within the ACCURATE team), but still almost totally unrealized in practice in the commercial world. Much more work remains. However, the fundamental principles and potentials for composably trustworthy system components are now much clearer insofar as they should be applied to election systems. The SRI ACCURATE contributions include at least 41 applicable refereed research publications (including chapters in 4 different books), training and development particularly with respect to summer interns, and outreach to government and election officials as well as the general public and computer science communities. The results are also applicable widely in other communities that require highly trustworthy computer-communication systems and networks in support of their requirements. See the SRI final report for details.

Over the six years of ACCURATE, our work has not only influenced the state of science, but also helped inform the policymakers and the general public about understanding the risks of current voting systems -- and through that process helped educate the public about computer security in everyday life. However, despite the fact that current technology is immature and insecure, election technology has continued to evolve in ever-more insecure directions. The current drive towards Internet voting is even more dangerous than the existing systems; early ACCURATE research has begun investigating techniques that may partially mitigate the danger, as well as understanding security, privacy, and usability issues inherent in elections using the Internet. Overall, the ACCURATE center has made some very significant contributions to what remains an extremely difficult challenge. The lessons of ACCURATE are that we still need to dramatically increase the overall integrity of our elections, recognizing that it would be very difficult to completely avoid residual vulnerabilities. We clearly need meaningfully trustworthy systems and networking, understandable cryptographic algorithms where applicable, better software engineering practice, the use of formal methods where most effective, and above all sensible laws and operational practices relating to overall accountability, oversight, evaluations, and remediation in the face of detected irregularities as important contributors, but all of these are by no means sufficient.

Agency: National Science Foundation (NSF)
Institute: Division of Computer and Network Systems (CNS)
Application #: 0524111
Program Officer: Sol J. Greenspan
Project Start:
Project End:
Budget Start: 2005-10-01
Budget End: 2012-03-31
Support Year:
Fiscal Year: 2005
Total Cost: $1,607,313
Indirect Cost:
Name: SRI International
Department:
Type:
DUNS #:
City: Menlo Park
State: CA
Country: United States
Zip Code: 94025