At the e-Vote conference, we had some very interesting discussions about the issue of certification. Perhaps the most interesting comment was by one of the German computer scientists, who noted that discussing the security of any voting system outside of an implementation environment is very difficult. It is this implementation environment that is critical; a “secure” system implemented in an insecure environment is definitionally not secure. Likewise, a system that has some security flaws but is well implemented may have those flaws mitigated. Security cannot be understood outside of this context of use.
To appreciate this point in the American context, consider the evaluation that was done of voting systems in California and recall that two election systems used–or potentially used–in the state were not evaluated. The two unevaluated systems were hand counted paper ballots and absentee voting. Imagine subjecting either to tests related to tampering, fraud, coercion, or security without assuming an implementation context. All you would have to do is pull down a copy of any good American history textbook or any book about elections and you could find dozens of examples that state the limitations of paper ballots in poor implementation contexts (actually, even in relatively good implementation contexts!). People stuff ballot boxes, steal ballots out of ballot boxes, intentionally spoil ballots, “lose” and “find” ballots, and have all sorts of issues with absentee ballots.
The point here is that, when we think about paper ballots and absentee voting, we do not typically think about or evaluate them “naked” but within an implementation context, yet we think nothing of evaluating e-voting “naked,” and some almost think it “cheating” to think about e-voting security within the context of implementation. However, if we held both systems to the same standard, the people in California probably would not be voting using any voting system; given its long history, it is inconceivable that paper ballots would fail to meet the standards to which e-voting is held, absent evaluating its implementation context.
In our book Electronic Elections, Mike and I argue that this context is critical. In some ways, it would be beneficial if election jurisdictions could be certified too, so that it could be determined that the officials have the capacity to implement the system they want to implement–from paper ballots to electronic voting machines.