Abstract
A voting system should not merely report the outcome: it should also provide sufficient evidence to convince reasonable observers that the reported outcome is correct. Many deployed systems, notably paperless DRE machines still in use in US elections, fail certainly the second, and quite possibly the first of these requirements. Rivest and Wack proposed the principle of software independence (SI) as a guiding principle and requirement for voting systems. In essence, a voting system is SI if its reliance on software is “tamper-evident”, that is, if there is a way to detect that material changes were made to the software without inspecting that software. This important notion has so far been formulated only informally.
Here, we provide more formal mathematical definitions of SI. This exposes some subtleties and gaps in the original definition, among them: what elements of a system must be trusted for an election or system to be SI, how to formalize “detection” of a change to an election outcome, the fact that SI is with respect to a set of detection mechanisms (which must be legal and practical), the need to limit false alarms, and how SI applies when the social choice function is not deterministic.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
- 2.
The idea of evidence-based elections is that election officials should not only find the correct winner(s), but should also produce convincing public evidence that they found the correct winner(s)—or else admit that they cannot.
- 3.
E.g., think of what happened to criminal forensics when DNA tests were introduced.
- 4.
By expressed, we mean what the voter did: the marks the voters make on the paper or the cell they press on a touchscreen. Of course, a confusing user interface—including poor ballot layout—can cause voters’ expressed preferences to differ from their intended preferences. See, e.g. [1].
- 5.
I.e., every voter checks what individual voters can check (individual verifiability), someone checks the aggregation of votes (universal verifiability), and someone checks that every vote has come from a different eligible voter (eligibility verifiability).
- 6.
Recall that the set of outcomes is assumed to be finite.
References
Appel, A., DeMillo, R., Stark, P.: Ballot-marking devices cannot assure the will of the voters. Election Law J. Rules Polit. Policy 19(3) (2020). https://doi.org/10.1089/elj.2019.0619
Appel, A., Stark, P.: Evidence-based elections: create a meaningful paper trail, then audit. Georgetown Law Technol. Rev. 4(2), 523–541 (2020). https://georgetownlawtechreview.org/wp-content/uploads/2020/07/4.2-p523-541-Appel-Stark.pdf
Benaloh, J., Rivest, R., Ryan, P.Y., Stark, P., Teague, V., Vora, P.: End-to-end verifiability (2015). arXiv:1504.03778
Bernhard, M., et al.: Public evidence from secret ballots. In: Krimmer, R., Volkamer, M., Braun Binder, N., Kersting, N., Pereira, O., Schürmann, C. (eds.) E-Vote-ID 2017. LNCS, vol. 10615, pp. 84–109. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-68687-5_6
Bernhard, M., et al.: Can voters detect malicious manipulation of ballot marking devices? In: 2020 IEEE Symposium on Security and Privacy (SP), pp. 679–694 (2020). https://doi.org/10.1109/SP40000.2020.00118
DeMillo, R., Kadel, R., Marks, M.: What voters are asked to verify affects ballot verification: a quantitative analysis of voters’ memories of their ballots. Technical report (2018)
Election Assistance Commission: Voluntary voting system guidelines VVSG 2.0 (2021). https://www.eac.gov/sites/default/files/TestingCertification/Voluntary_Voting_System_Guidelines_Version_2_0.pdf
Everett, S.: The Usability of Electronic Voting Machines and How Votes Can Be Changed Without Detection. Ph.D. thesis, Rice University (2007)
Hao, F., Ryan, P.Y.A.: Real-World Electronic Voting: Design, 1st edn. Analysis and Deployment. Auerbach Publications, USA (2016)
Haynes, A., III, M.H.: Georgia voter verification study. Technical report (2021)
Küsters, R., Truderung, T., Vogt, A.: Verifiability, privacy, and coercion-resistance: new insights from a case study. In: 32nd IEEE Symposium on Security and Privacy, pp. 538–553 (2011)
Rivest, R.: On the notion of “software independence” in voting systems. Philos. Trans. Royal Soc. A: Math. Phys. Eng. Sci. 366(1881), 3759–3767 (2008)
Rivest, R., Wack, J.: On the notion of “software independence” in voting systems (draft version of July 28, 2006). Technical report, Information Technology Laboratory, National Institute of Standards and Technology (2006)
Stark, P.: Conservative statistical post-election audits. Ann. Appl. Stat. 2, 550–581 (2008)
Stark, P., Wagner, D.: Evidence-based elections. IEEE Secur. Priv. 10, 33–41 (2012)
Acknowledgements
Peter Y.A. Ryan would like to thank the FNR (Fond Nationale de Research Luxembourg) and the Velux Foundation for support during his sabbatical and to ITU Copenhagen for hosting him when this work was initiated. Steve Schneider is grateful to EPSRC for funding through the VOLT project EP/P031811/1. Wojciech Jamroga acknowledges the support of the National Centre for Research and Development, Poland (NCBR), and the FNR Luxembourg under the PolLux/FNR-CORE projects VoteVerif (POLLUX-IV/1/2016) and STV (POLLUX-VII/1/2019).
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2021 Springer Nature Switzerland AG
About this chapter
Cite this chapter
Jamroga, W., Ryan, P.Y.A., Schneider, S., Schürmann, C., Stark, P.B. (2021). A Declaration of Software Independence. In: Dougherty, D., Meseguer, J., Mödersheim, S.A., Rowe, P. (eds) Protocols, Strands, and Logic. Lecture Notes in Computer Science(), vol 13066. Springer, Cham. https://doi.org/10.1007/978-3-030-91631-2_11
Download citation
DOI: https://doi.org/10.1007/978-3-030-91631-2_11
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-91630-5
Online ISBN: 978-3-030-91631-2
eBook Packages: Computer ScienceComputer Science (R0)