Page 29 - Towards Trustworthy Elections New Directions in Electronic Voting by Ed Gerck (auth.), David Chaum, Markus Jakobsson, Ronald L. Rivest, Peter Y. A. Ryan, Josh Benaloh, Miroslaw Kutylowski, Ben Adida ( (z-lib.org (1)
P. 29
21
The Witness-Voting System
Voting System Requirements
7
The Voting System Requirements (Requirements) are limitations to prevent con-
ceptual and physical interference. Mirroring the broad scope of interference as
defined in this work (section 6.2), the Requirements will include functional and
performance aspects as well as environmental and non-functional aspects. With
such a comprehensive approach we want the Requirements to be expressive
enough to comprise a variety of means that can be falsely used to influence
elections without voting, including interference that does not even exist physi-
cally and just stays as a perceived threat.
The Requirements are derived using the VITM considerations in Section 6
and work together with the VITM to setup a conforming voting means (the
WVS, Section 8). Some requirements were already naturally motivated in the
VITM, such as the secret ballot, one ballot per voter, and transparency. Further
consideration is provided in [40], extended in this work.
The VITM does not require open source software as a sine qua non condition
since, as Linux demonstrates, even a long development time and thousands of
eyes do not guarantee accuracy and reliability. Bugs, fraud, virus, Trojan horses
and faults may still influence the outcome, without possibility of detection [49]
even with open source software. The VITM solution to the software (and hard-
ware) reliability question is further discussed in Section 8.3.
As the final and simple step in calculating election outcome, tallying can use
open source to allay error concerns. Following the optimal design, detection and
correction of errors is provided when diverse tallying modules are used and the
outputs compared. To prevent fraud, tallying modules should consider informa-
tion on a strict “need to know” basis. Tallying should not receive any informa-
tion that it does not need, and it should not produce any information that is
not needed to define the election outcome. For example, the voter’s ethnicity or
choice of ballot language should not be a consideration in tallying. An important
requirement, thus, is that the cast ballot should be only choice-dependent, so
that it must be independent from all other types of data (e.g., the cast ballot
must be representation-independent and language-independent).
7.1 Privacy Considerations
Voter privacy is necessary to prevent coercion and vote buying. It is also, often,
a legal requirement (see footnote 1).
The voter privacy condition is at times confused with anonymity. However,
to assure election integrity voters must not be anonymous. Both the voter and
thevotemustbe and are well-known atdifferent stages of the election process.
Yet, because no one should be able to link votes with voters (unlinkability), if
we know the voter (e.g., in voter registration) we cannot know the vote that was
cast by that voter; if we know a vote (e.g., in tallying) that was cast, we cannot
know the voter who cast it. All voters are identified and still the election results
are anonymous.
