If we can't trust computer software to securely and correctly count our votes, what are we to do? We've already seen that every previous voting technology has also had problems. But the best defense, the best approach to voting that's a, agreed upon by, by most researchers in, in the voting security community, is to add paper as a form of defense. Now, paper? Really? Isn't that old fashioned technology? Are, are, are all these scientists turning into Luddites, people, people might say? But paper actually provides some very, very important security advantages, especially when it's coupled with, with some kind of electronic system. So, to see why something like this might, might be might be the right thing to do, let's look into the cockpit of a modern jetliner. This jet airliner cockpit is largely driven by computer software. Critical things like the, the navigation system are almost entirely computerized. That's the modern way to do it. But it still makes sense if you acknowledge that computers sometimes are not going to be available, sometimes are not going to be correct, sometimes are going to have errors, to have a kind of physical backup to a computer system in any kind of critical infrastructure like, like a plane, where if things go wrong, peep, people will suffer or die. So, inside the cockpit of every modern airliner, one thing that you're going to find by law is a magnetic compass. A simple, old physical technology that provides a backup to the fancy electronic systems. This is just common sense to have a backup to a computer system that's something simple and physical in a case where problems are going to result in serious damage. And a voting machine is quite the same situation. You want to have some kind of physical backup that records the votes just in case the computer software is insecure or in error. So, the scheme that, that most researchers believe is the best we can do with available technology is to combine paper records and electronic records to have redundant records. And one way to, to think about the, the advantage of having these two records, is that they have what, what we might say are orthogonal security modes. So, these are the differences in the ways they could be induced to fail. With an old fashion paper record stored in a ballot box, you have the possibility of physical tampering and retail fraud but this is something that would take a large conspiracy to execute. You need people at each of the ballot boxes you want to tamper with to change the votes. With the digital records, things stored in a, a memory card site, we have the possibility of, of cyber-tampering or, or electronic tampering that would cause a form of wholesale fraud. But this would require only a very small conspiracy. Perhaps, just one person with brief access to the electronics. So, when you combine these records however, if we checked to make sure that they agree by performing some kind of auditing process after the election, then we can have a very, very difficult situation for the criminals. They need to have a large conspiracy to change paper records to match the electronic records. And they have to be sophisticated enough to make sure that they cheat in both records in a way that agrees. Or else, we're going to notice a miss, mismatch in the audit. So, by combining these low tech and high tech records, we can have something that's far more secure than either paper ballots or electronic records on their own. We can have in a way, the best of both worlds from a security standpoint. One manifestation of this today, is precinct count optical scan, where you have an electronic record made right at the ballot box. The problem is that in many places, in most states, audits to check that the paper records and electronic records agree are exceedingly rare, and only happen if, say, there's a, a very large a very small margin of victory rather. But we'll talk about auditing, and we'll talk about some of those procedural questions later in the course. For these reasons, most researchers in this field consider precinct count optical scan with audits to be the gold standard in what today's technology can do for securing the election. But there is another way that you can combine paper and electronic records, and this is a technology that was invented to try to overcome some of the objections to, to DRE voting machines. The idea is, is pretty simple. Why not have the DRE every time someone votes, print out a piece of paper with record of that individual ballot? And this is something that's, that's called a Voter-Verifiable Paper Audit Trail, or VVPAT. Also, you'll sometimes see that stand for Voter-Verified Physical Audit Trail. Emphasizing that it's not paper that's important so much as some kind of physical non-electronic record. The critical thing about a VVPAT is that it has to be something that the voter can see and check is correct at the time their casting their vote. Otherwise the, the DRE could just print out whatever it wanted if it was behaving dishonestly at the time votes were being cast. VVPATs are an, an interesting thing to compare to precinct count optical scan because they have some, some slightly different failure modes and for this reason, VVPATs although probably better than paperless DREs are not regarded so highly by, by many researchers. Before we conclude this week's lecture, I'd like to ask, what could go wrong with DREs and VVPATs? Let's see if you can spot a couple of the problems. A Voter-Verifiable Paper Audit Trail adds some kinds of protections for the correctness and security of the DRE. It's better than nothing but there's still a, a number of pretty important criticisms. First of all since the VVPAT is completely controlled by the computer in the voting machine, if the, the computer software is dishonest, it could print paper records that don't match the voter's intent. If the voter doesn't check that these records are what they thought they would be this creates the opportunity for the, the DRE to cheat and get away with it. You can imagine variations of this. The DRE depending on the, the specifics of the design of the VVPAT mechanism might try to print extra ballots when no one is there interacting with it. It might try to, to cancel and replace the voter's ballots after the voter walks away. The devil's in the details but there's all sorts of things that can go wrong with the mechanism. Another kind of problem has to do with the most common way of implementing a VVPAT, which is to use a, a cash register tape style paper similar to what you saw earlier with the, the totals tape that the Diebold DRE printed out. That kind of printing device is, is economical. But it's not particularly reliable. It's not particularly permanent. Those records will fade away to nothing if you leave them in the sun for too long. And probably, probably, most importantly it's very hard to read. So, most voters are going to be deterred from checking just by the poor quality of the print. Some mechanisms even require the voter to open a door to look at the tape and see how their votes have been recorded, this is totally antithetical to the security defense that the paper is intended to provide. The final problem with having a cash register style tape is similar to the problem with the Diebold memory cards that we talked in the last segment. Just that if your not cutting the tape between each voters vote, then you have a record of all of the votes in the order they were cast. So, this means that if someone is watching the, the polling place and seeing who goes up to that particular machine that votes and later they can look at the tape, they could just figure out that this the, the, the third ballot on the tape and I was the third voter to use the machine, therefore, they know all of my choices on the supposedly secret ballot. So, for these reasons and, and, some others most researchers prefer precinct count optical scan and consider the VVPAT to be a flawed security enhancement. Then again, it's still probably better than a purely paperless DRE. So, in the next lecture we're going to see hands on, some of the things that can go wrong with DREs.
