computer scientists can operate best within the confines of their discipline. The best teams that I have been on have used SMEs (subject matter experts) and computer scientists together. SMEs define the business logic and the computer scientists implement it within technological constraints (this can get to be an iterative process, with computer scientists telling SMEs that some business logic can't be implemented in a computer system and SMEs refining their business logic, and SMEs telling computer scientists that the system must have this business logic in there or else the system is worthless!!!).
It is of the utmost importance that the team be a multi-disciplinary team because of auditing and legal considerations.
The choice of words to describe things is very important... just as certain words resonate in a technological sense, so do certain words resonate in a legal sense. There are legal principles and laws as part of the "business logic" to be embedded within these computer systems. The word "ballot" has a legal meaning. This word needs to be used in legislation and also in computer specifications so that there is a direct link between the law and the computer system. This way you can directly tie the workings of the computer system to the law. Then it will be much clearer when the law is being violated if the ballot is not functioning in accordance with legal principles. Use of terminology forces the issue. Using a synonym creates a grey area, a veritable legal thicket, for obfuscation. This is balanced by the need to communicate across disciplines. One way to achieve this balance would be the following: The law is written using legalistic terminology. As the specification is developed, we may choose to link the ballot to "trail" or "receipt" (these words should be defined in the specification itself so that there is no confusion), as these words have meanings within the computer science community (i.e. "audit trail" is commonly used) and may provide clarity for a programmer coding the specification. For example, a ballot may have an audit trail, i.e. we will log its entrance into the system and at critical junctures within the system, and we will also create output showing the ballot has not been tampered with. One form of the printed output may be called a receipt. There may be other tallies necessary to cross-check the validity of the ballot. "Ballot" should be used especially in terms of drafting legislation -- i.e., you monkey with the ballot, you go to jail. That way clever attorneys don't debate what a ballot really is.
There are also basic principles of holding free and fair elections that honest and competent election officials want to see embedded in a computer system. Auditing is one of them.
I have been down this route before... I can tell you a computer system will work according to specification. I cannot always tell you if the specification is correct; that is the job of the SME. I can tell you if the equations that you have given me have been implemented in the computer system according to the document. I cannot tell you if basic physical equations are correct or if accounting equations are correct. I have told people what the limits of my expertise are and have refused to certify a system to the extent that they wished. I am also smart enough not to want to go to jail due to ignorance of the law on my part, or to risk explosions!!!!
Certification needs to include both the validation of the system according to computing standards and the validation of the system according to business logic, i.e. auditing. The former can be done by computer scientists and the latter by lawyers and election officials/auditors experienced in certifying elections. There is some overlap in these areas, especially when trying to assess failure of the system. Did the computer system contain code that did not follow specification, or was it configured incorrectly? Or was the specification wrong or inadequate or incomplete? These questions need different skill sets to be answered correctly.
The type of auditing/cross-checking that you are asking for is critical to ensure that the ballot has not been tampered with. And I believe it is the minimum set of rules or tallies. There are probably more. SMEs can help computer scientists both with implementing these tallies and with interpreting the data to account for anomalies.
At the end of the day, you are correct in asking for output that is readily understandable by anyone. Just as we merely plug an appliance into a wall socket without understanding all the details of a city's electric grid, and can verify that there is indeed electricity at a particular outlet, so should our voting system be verifiable by its citizens without technical knowledge.
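The post above sketches three mechanisms without code: log a ballot's entrance and its passage through critical junctures, print a receipt, and keep extra tallies to cross-check. The following is an added example, not code from the poster or from any certified election system, showing one concrete way those three fit together: a hash-chained audit trail (each entry commits to the previous one), a receipt that carries a commitment to the ballot rather than the ballot itself, and a reconciliation pass that compares the ballot store against what the trail says was received. The class name, stage names, receipt fields and the sample ballots are all constructed for illustration.

```python
import hashlib
import json
import secrets

# Added example: a hash-chained ballot audit trail with receipts and a
# tally cross-check. Names and stages are assumptions for illustration,
# not the API of any real voting system.

GENESIS = "0" * 64  # "previous hash" for the first entry


def _canonical(obj) -> str:
    # Deterministic serialization so the same entry always hashes the same.
    return json.dumps(obj, sort_keys=True, separators=(",", ":"))


def _sha256(data: str) -> str:
    return hashlib.sha256(data.encode()).hexdigest()


class BallotAuditTrail:
    """Append-only log; each entry includes the hash of the previous one,
    so editing any earlier record breaks every hash that follows it."""

    def __init__(self):
        self.entries = []      # the published, hash-chained trail
        self.ballot_box = {}   # ballot_id -> {"choice", "nonce"} (kept private)

    def _append(self, ballot_id, stage, payload):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "ballot_id": ballot_id,
                 "stage": stage, "payload": payload, "prev": prev}
        entry["hash"] = _sha256(_canonical(entry))  # hash covers prev too
        self.entries.append(entry)
        return entry

    @staticmethod
    def commitment(choice, nonce):
        # The trail never holds the choice itself, only this commitment.
        return _sha256(nonce + "|" + choice)

    def receive(self, ballot_id, choice):
        """Log the ballot's entrance and hand back a receipt."""
        nonce = secrets.token_hex(16)
        self.ballot_box[ballot_id] = {"choice": choice, "nonce": nonce}
        entry = self._append(ballot_id, "received",
                             {"commitment": self.commitment(choice, nonce)})
        return {"ballot_id": ballot_id, "nonce": nonce,
                "commitment": entry["payload"]["commitment"],
                "entry_hash": entry["hash"]}

    def verify_chain(self):
        """Recompute every hash and link; False on any break."""
        prev = GENESIS
        for seq, entry in enumerate(self.entries):
            if entry["seq"] != seq or entry["prev"] != prev:
                return False
            body = {k: v for k, v in entry.items() if k != "hash"}
            if _sha256(_canonical(body)) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    def verify_receipt(self, receipt, choice):
        """Holder of the receipt checks their ballot is in the trail as cast."""
        if self.commitment(choice, receipt["nonce"]) != receipt["commitment"]:
            return False
        return any(e["hash"] == receipt["entry_hash"]
                   and e["ballot_id"] == receipt["ballot_id"]
                   and e["payload"].get("commitment") == receipt["commitment"]
                   for e in self.entries)

    def tally(self):
        """Count choices, logging a 'tallied' juncture for each ballot."""
        counts = {}
        for ballot_id, rec in self.ballot_box.items():
            counts[rec["choice"]] = counts.get(rec["choice"], 0) + 1
            self._append(ballot_id, "tallied",
                         {"commitment": self.commitment(rec["choice"], rec["nonce"])})
        return counts

    def cross_check(self):
        """Reconcile ballot box against trail: same ballot set, and each
        stored ballot matches the commitment logged when it was received."""
        received = {e["ballot_id"]: e["payload"]["commitment"]
                    for e in self.entries if e["stage"] == "received"}
        if set(received) != set(self.ballot_box):
            return False
        return all(self.commitment(rec["choice"], rec["nonce"]) == received[bid]
                   for bid, rec in self.ballot_box.items())


def demo():
    # Constructed sample election: three ballots, two candidates.
    trail = BallotAuditTrail()
    for i, choice in enumerate(["alice", "bob", "alice"]):
        trail.receive(f"B{i}", choice)
    counts = trail.tally()
    ok_before = trail.verify_chain() and trail.cross_check()
    # Tamper 1: alter a stored ballot; the logged commitment no longer matches.
    trail.ballot_box["B1"]["choice"] = "alice"
    box_tamper_detected = not trail.cross_check()
    trail.ballot_box["B1"]["choice"] = "bob"
    # Tamper 2: rewrite a trail entry; the chain no longer verifies.
    trail.entries[0]["payload"]["commitment"] = "f" * 64
    log_tamper_detected = not trail.verify_chain()
    return counts, ok_before, box_tamper_detected, log_tamper_detected
```

The receipt plus nonce lets a voter show which choice the commitment stands for, which is exactly the kind of specification decision the post says an SME has to settle, since it trades verifiability against the possibility of a voter proving their vote to a third party. A hash chain only makes tampering detectable after the fact; keeping a copy of the trail (or its latest hash) outside the system under a different custodian is what stops someone with write access from quietly rebuilding the whole chain.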