The best way to vote
On EVMs, we may be asking the wrong questions.
Whether or not to use EVMs (electronic voting machines) for elections in India has been a raging debate of late. There have been claims of hacking of EVMs and counter-claims of impossibility, steadfast assurances about their safety from election commissioners and technocrats, open challenges through ECI (Election Commission of India)-sponsored “hackathons”, and even live television shows by masked hackers
alleging conspiracies.
alleging conspiracies.
Public arguments on computer security in India have often been outrageous. On the one hand there have been fatalistic claims that all computer systems can be hacked and that it is just a matter of time before they will be. There indeed are computer systems that are provably secure, but sometimes such guarantees are difficult even for many well-designed ones. The question of whether they can be hacked or not is often “undecidable”, even in a technical sense, and is hence futile.
On the other hand, the fact that a system has not yet been hacked has sometimes been claimed as a proof of its infallibility. That a system has not been hacked provides no guarantee that it cannot be. Ultimately the onus of establishing trust, either formally through verifiable proofs, or even informally using best practices and due-diligence, must always lie with the designers. It is difficult to appreciate how difficult the EVM design problem is till one considers the generic requirements outlined below.
Correctness demands that all votes are accurately counted and there are no false or duplicate votes. Secrecy demands that it should be impossible to determine who an individual voted for, provided the voting is not completely lopsided for any candidate or any social or political groups. Anonymity — indistinguishability from a specified number of other voters — follows from secrecy. Secrecy and anonymity are necessary conditions for coercion-free voting, though the converse is not true. Sufficient conditions for coercion-free voting will require methods and processes beyond an EVM.
Verifiability demands that it should be possible to prove to every voter individually that their vote has been accounted for correctly in the aggregate without revealing, or even determining, the vote. Verifiability also implies non-repudiability — that is, if a voter falsely claims to have voted differently from what she actually did, it should be possible to prove that the claim is false without determining who she voted for. Note that whereas verifiability requires that the EVM must record both the vote and some function of the identity of the voter, secrecy requires that the EVM should not allow the inference of the mapping between the two.
Identity verification must be certified by the polling officer and can either be offline or online, and must have its own guarantees.
No hay comentarios:
Publicar un comentario