Executive summary of Auditability Working Group report
2010-12-22
The Auditability Working Group found no alternative that does not have as a
likely consequence either an effective requirement for paper records or
the possibility of undetectable errors in the recording of votes. If
undetectable errors can be introduced at any point in the process, then the
argument for the correctness of the process as a whole inevitably has a missing
link. Optimism that approaching the problem from the auditability
perspective would make the "paper or plastic" question go away was based on
faulty premises:
- Premise: The risk of undetected error in elections can be handled as
a form of audit risk. Fault: Ground truth regarding the
correctness of cast vote records comes from the voters alone. After the
voters have left the building, votes that were recorded consistently but
incorrectly are not detectable by election officials. It is not a matter
of detection risk—the errors are not detectable by any
audit. This motivates the creation of cast vote records that are
directly verified and independently valid.
- Premise: In the absence of directly verified cast vote records, the
practice of dual control can be used to manage the risk of misrecording of
votes via independent electronic records. Fault: Dual control is
effective at managing risks involving error or fraud by human beings;
unfortunately, it is not entirely valid when applied to complex
software. Unlike human beings, separately developed pieces of software
can share common components, thereby compromising their independence from one
another.

Thus, a choice among five mutually exclusive alternatives is presented:
- Software Independence—robustly mitigates the risk of undetectable error at
the cost of effectively requiring paper records with all of the difficulties
thereunto appertaining, unless and until a paperless design that satisfies the
same requirements is demonstrated.
- Independent Verification—improves auditability without requiring paper,
but certain plausible classes of error remain undetectable.
- Lossy SI—requires a marginal increase in auditability, but with most of
the same costs as Software Independence. Undetectable errors remain
plausible.
- VVSG 1.0—no change. Undetectable errors remain plausible.
- Hybrid systems—explicitly requires a combination of different kinds of
vote-capture devices, where some robustly mitigate the risk of undetectable
error while others sacrifice this capability in exchange for providing the
best available accessibility.

Once a choice among these alternatives has been made, a set of testable
requirements can be derived.