Joop wrote:

> I still believe that dishonesty of the voters is not the central problem
> and that web based voting can easily be audited after an election in case
> the results are challenged.

I'm no expert on membership -- was only peripherally involved in Berkman's
Representation in Cyberspace Study (see
<http://cyber.law.harvard.edu/icann/rcs>) and the work of the MAC.  But, in
my mind, "fraud" can occur at any of several levels of the process.  It
could occur with fraudulent registrations -- me registering Benjamin A.
Edelman, Benjamin B. Edelman, and so on.  It could occur with non-fraudulent
but still "not representative" messages -- like if I signed up as members of
ICANN everyone I knew (or all the employees of my corporation) and had them
all vote for me.  And it could occur if I simply hacked into the voting
tabulation system, added a lot of seemingly-legitimate members who voted the
way I wanted them to vote, and covered my tracks.

Preventing the first seems tricky to me, especially since, for privacy
reasons, ICANN is understandably hesitant to require identification like a
photocopy of a driver's license, and in any case there's no international
standard for identifying documents of that sort.  But an outside auditing
firm -- the kind of thing I understand KPMG to be able to do, for a fee --
could potentially watch for that sort of problem and let the world know if
they see what they suspect to be "fraud."  Same with the second kind of
fraud, I suppose, though I'll admit that it'll be harder to know this kind
of fraud if we are unlucky enough to see it.

The third kind of fraud is perhaps the most worrisome of all -- if it were
possible, it would seem to be the "easiest" way to rig an election, and the
way most certain to have the desired result from the defrauder's
perspective.  But, in my experience with software development, it seems like
something we should be able to prevent, primarily through careful review of
the code and infrastructure that make up the online voting system.  I'm
thinking of a sort of peer review -- a group of talented programmers,
security experts, professionals who do exactly this kind of thing all the
time -- who would examine the system, perhaps try to hack in (anyone see the
movie _Sneakers_?), and report their findings.  This would of course require
the permission of the author and administrator of the software, which makes
me ask...

Joop, would you be willing to submit your code for peer review?  By a small
group of professionals, or by the entire community?  I can understand good
reasons why you might not be -- despite the growing respect given by the
programmer community to open source, there are those, including myself I'll
admit, who have our doubts.  But I can easily imagine a credible argument
being made for why any voting software used by ICANN has to be open, at the
least, to a select panel of software security experts, and perhaps to the
world at large.

Thoughts from others?
