Peace Action New Mexico
"Local Folks with a National Voice"

Terms and Issues in Voting Systems

The ideal voting system is Voter Verifiable, has recountable paper ballots, and is open source with secure code escrow. All transactions that alter the voting machine, such as software changes, should be logged in an unforgeable or tamper evident manner.

Voter Verifiable: Simply seeing your final ballot on a touch screen and then approving it is NOT a voter verifiable system. You need two things:

In some systems the hard copy is fed into a separate tabulator, such as an existing optical scanner, to perform the count. That arrangement is potentially more secure than one in which the touch screen system performs the initial count and the hard copies exist only in case of a recount: the count is then derived from the same paper the voter checked, by a device independent of the one that printed it.

Manually Auditable: HAVA (the Help America Vote Act) used this term, presumably intending voter verification, but it has become the lesser requirement that machines be capable of printing out a receipt at the end of the day listing all ballots the machine recorded. Such a receipt cannot differ from the totals the machine itself reports, so as a check on the machine it is utterly pointless. Pending legislation H.R. 2239 clarifies that machines must be Voter Verifiable.

Recountable Ballots: If vote totals are stored as machine totals and as hard copies that might conceivably disagree, laws have to state unambiguously and beforehand which takes precedence. One cannot assume that voter verified hard copies will in fact be recounted unless state law clearly states that they will.

Open Source and Disclosed Source: Open source is vastly superior to disclosed source. Voting machines run software, and that software needs to be tested and examinable. Disclosed Source means the company places a copy of the source code on file with the state. However, states are frequently unable to legally authorize a state employee or third party to examine the code. Moreover, if examination requires Non-Disclosure Agreements, the most qualified persons are removed from the examiner pool and, if flaws are found, the NDA may limit disclosure of them. Open source, which does not mean that a company forfeits copyrights on code or methods, allows nearly anyone to examine the code at will. Experts widely agree this is essential for quality assurance and trust. Australia uses open source code that was developed in less than two years, with many bugs found and fixed by outside reviewers, and the code is now widely trusted by the public. By contrast, Diebold does not make its code open, and leaked copies of its decade-in-development code showed shoddy practices, mistakes, and security holes.

Secure Code Escrow: Human readable source code is compiled into the machine readable binary form that actually runs in the machine. Some mechanism must exist to assure that the binary code in the machines at the time of the vote is actually the one that was certified and supposed to be there. With a lever voting machine, for example, you can open it up and look to see whether it has been altered.
One possibility with touch screen voting is to copy an image of the binary code in the voting machine, or a unique fingerprint of it (see Checksum), to a logging device (such as a CD-ROM) that human observers can preserve in a chain of custody. The machine must then be rendered tamper-proof or tamper evident after the image is captured, so you can be assured that no one clandestinely changed the instructions between the capture and the vote. This is what is known as secure code escrow.
Caution: Some companies may say that their code is escrowed but then fail to do it in a complete and trusted fashion. For example, they will not dump all of the binary code in the machine, just some of it (e.g. the application but not the operating system it runs on). And they will let the code itself perform its own dump, which is like the IRS letting you audit yourself: software that has been tampered with can simply report the image or fingerprint of the original. The dump has to be taken by an independent reader of the machine's storage, not by the software being checked.

Logging Transactions: A true logging device creates an output that cannot be erased and records every transaction that occurs. For example, a paper printer or a write-once CD-ROM would let a voting machine retain a record of when and what changes were made to it. The same device could retain a time-stamped image of the binary code for escrow.
Caution: Machine manufacturers colloquially appropriate the term to mean a transaction log that is erasable or alterable, such as the logs kept in hard disk based databases. A log that the machine's own software can rewrite proves nothing about the machine.
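The following is an added example, not code from this page or from any voting machine vendor, showing how the escrow and logging requirements above fit together: every event (a captured code-image fingerprint, a software change, polls opening and closing) is appended to a log in which each record carries a SHA-256 hash of the previous one, and the observers keep their own copy of the final chain head. The record layout, field names, event names and the "certified" image bytes are all constructed for illustration. Rewriting a record breaks its own hash; deleting the last record leaves a perfectly consistent chain, which is why the observers' copy of the head (the chain-of-custody step) is what catches it.

```python
"""Tamper-evident transaction log for a voting machine (illustrative).

Added example; the record layout, field names, event names and the
'certified' image bytes are assumptions constructed for illustration.
"""
import hashlib
import json
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # link value carried by the first record


def fingerprint(image: bytes) -> str:
    """SHA-256 of a binary image: the 'checksum' used for code escrow."""
    return hashlib.sha256(image).hexdigest()


def record_hash(body: dict) -> str:
    """Hash of one record over a canonical (sorted, compact) JSON encoding."""
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def append(log: List[dict], event: str, ts: str,
           image: Optional[bytes] = None) -> str:
    """Append one record linked to the previous one; return the new head."""
    body = {
        "seq": len(log),
        "ts": ts,
        "event": event,
        "image_sha256": fingerprint(image) if image is not None else None,
        "prev": log[-1]["hash"] if log else GENESIS,
    }
    head = record_hash(body)
    log.append(dict(body, hash=head))
    return head


def verify(log: List[dict], witnessed_head: str) -> Tuple[bool, str]:
    """Recompute every link. witnessed_head is the head hash the observers
    wrote onto their own media when the polls closed."""
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if body.get("seq") != i:
            return False, "sequence gap at record %d" % i
        if body.get("prev") != prev:
            return False, "broken link at record %d" % i
        if record_hash(body) != rec.get("hash"):
            return False, "record %d altered after being written" % i
        prev = rec["hash"]
    if prev != witnessed_head:
        return False, "chain head differs from observers' copy"
    return True, "ok"


def demo() -> Dict[str, object]:
    """An honest election day followed by three kinds of tampering."""
    certified = b"\x7fELF constructed sample image, version 1.0"  # not real firmware
    log: List[dict] = []
    append(log, "code_image_captured", "2004-11-02T06:00:00", certified)
    append(log, "polls_opened", "2004-11-02T07:00:00")
    head = append(log, "polls_closed", "2004-11-02T19:00:00")
    out: Dict[str, object] = {"honest": verify(log, head)}

    # 1. Unlogged software change: the image now in the machine no longer
    #    matches the fingerprint escrowed at the start of the day.
    patched = certified.replace(b"version 1.0", b"version 1.1")
    out["patched_image_matches_escrow"] = fingerprint(patched) == log[0]["image_sha256"]

    # 2. Rewriting a record in place (possible on a hard-disk log, not on
    #    paper or write-once media) breaks that record's own hash.
    edited = json.loads(json.dumps(log))
    edited[0]["image_sha256"] = fingerprint(patched)
    out["edited_record"] = verify(edited, head)

    # 3. Deleting the last record leaves an internally consistent chain;
    #    only the head the observers kept reveals the truncation.
    truncated = log[:-1]
    out["truncated_with_witness"] = verify(truncated, head)
    out["truncated_no_witness"] = verify(truncated, truncated[-1]["hash"])
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The hash chain makes in-place edits detectable, but it does not by itself prevent the machine's software from discarding the tail of the log or regenerating the whole chain; the write-once medium and the observers' independently held head hash are what close those gaps.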

Kiosks, Tabulators, Communications, and Databases: Usually there is a division of effort in voting. The kiosks are the touch screens that generate the filled-in ballot; the tabulator counts the ballots; and the tabulations are then transmitted away from the precinct to a final database where all the results are tallied. In most cases the tabulator and kiosk are the same machine, but not always: if they are physically separated, the vote can be made more secure. Finally, the transmission of data and the databases rely on other software and computers. All of these components are vulnerable to attack and all must be certified.
Caution: Sequoia and Diebold have frequently obfuscated security issues by discussing only parts of this complete system. For example, Sequoia touts that its Edge system does not run on Microsoft's vulnerable OS while not mentioning that its database software and transmission systems do run on MS software. Likewise they will say their ethernet communication system is a private network, not the public internet, but fail to mention that the receiving computer and database may be connected to the public internet, which makes the private network reachable from it. Likewise, Diebold has insisted its connections are "upload from kiosk to database only", but this is only a policy and not an enforceable fact: a TCP/IP connection carries data in both directions by design, and only a physical one-way link (a data diode) can enforce a one-way flow.

Self Checking Systems: Systems ought to run some sort of self test to verify that their hardware works and that their software has not become corrupted (by a stray cosmic ray, a power surge, or a logic error, for instance). This is fairly obvious and standard practice in mission critical devices; flight computers, for example, are generally triply redundant. Most voting systems on the market, however, do not seem to have such provisions, with the possible exception of Sequoia, which has a (very naive) software corruption test. Note that a self test performed by the software under test can only catch accidents, not deliberate tampering: altered software can simply report that it passed.

Security Through Obscurity: Manufacturers often suggest that withholding source code and details of how their machines function provides a layer of security. Security through obscurity is one of the most ridiculed concepts in all of computer history. Obscurity can slow an attacker down, but it is not robust, it evaporates the moment the code leaks or is reverse engineered, and it often masks a lack of the skill needed to produce true security. The accepted standard (Kerckhoffs's principle in cryptography) is that a system must remain secure even when everything about it except its secret keys is public.

Logic and Accuracy Tests: These are mostly meaningless tests performed on electronic voting machines: all the machines, or a sample of them (in the case of Diebold), are turned on, their buttons pushed, and test programs run. It is not a painstaking code review. The practice originated with traditional mechanical or otherwise "dumb" electronic systems and assumes that if a machine appears to work after a few trials it will work in production. Software need not satisfy that assumption: a program can behave correctly during a test (for example, on a test date or with test ballots) and differently during the election.

Checksum: A code may be prohibitively long to write down (or examine), or you may want to prove to someone that two copies of a piece of code are identical without actually showing them the code. A checksum is a mathematical method that takes any long series of binary digits or text and maps it to a modestly short single number. Any change in the code results, with overwhelming probability, in a different number being output, so the number serves as a fingerprint of whatever was checksummed. The distinction that matters here is between a plain checksum, such as a CRC, which detects accidental corruption but can be deliberately forced to any chosen value by a small change to the data, and a cryptographic hash (SHA-256, for example), for which finding a different input with the same output is computationally infeasible. Only the cryptographic kind gives a fingerprint that is unforgeable and unique in the same sense that human fingerprints are effectively unforgeable and unique. Since the mapping is from something long to something short, two different inputs with the same output must exist; what cryptography guarantees is that nobody can find them.
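As an added example (not from this page, and not any vendor's checksum code), the following shows why the fingerprint of an escrowed code image must be a cryptographic hash rather than a plain checksum. It takes a constructed "certified image", tampers with it, and then appends four computed bytes so that the tampered image carries exactly the CRC-32 of the certified one; the SHA-256 of the same tampered image cannot be made to match. The forging routine goes beyond the single case in the text: it works for any data and any 32-bit target value.

```python
"""Why the fingerprint of a code image must be a cryptographic hash.

Added example, not from the page. A CRC-32 (a common non-cryptographic
checksum) can be driven to any chosen value by appending four bytes, so
a tampered image can be made to carry the escrowed checksum; SHA-256
has no such shortcut. The 'certified image' bytes are constructed.
"""
import hashlib
import zlib

_POLY = 0xEDB88320  # reflected CRC-32 polynomial, as used by zlib.crc32


def _make_table():
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ _POLY if c & 1 else c >> 1
        table.append(c)
    return table


_TABLE = _make_table()
# The top byte of each table entry is distinct, which is what lets the
# per-byte update be run backwards one step at a time.
_INDEX_BY_TOP_BYTE = {t >> 24: i for i, t in enumerate(_TABLE)}
assert len(_INDEX_BY_TOP_BYTE) == 256


def crc32_forge(data: bytes, target: int) -> bytes:
    """Return data plus four bytes chosen so zlib.crc32(result) == target.

    zlib's per-byte update is reg = TABLE[(reg ^ b) & 0xFF] ^ (reg >> 8),
    with reg starting at 0xFFFFFFFF and the final value XORed with
    0xFFFFFFFF. Run it backwards from the wanted register value to learn
    which table index each of the last four steps must use, then forwards
    from the real register to pick the byte that produces that index.
    """
    reg = zlib.crc32(data) ^ 0xFFFFFFFF   # internal register after data
    want = target ^ 0xFFFFFFFF            # register value needed at the end
    indices = []
    cur = want
    for _ in range(4):
        i = _INDEX_BY_TOP_BYTE[cur >> 24]
        indices.append(i)
        cur = ((cur ^ _TABLE[i]) << 8) & 0xFFFFFFFF
    patch = bytearray()
    for i in reversed(indices):
        patch.append((reg ^ i) & 0xFF)
        reg = _TABLE[i] ^ (reg >> 8)
    return data + bytes(patch)


def forge_works(data: bytes, target: int) -> bool:
    """True if the forged data really checks out to the requested CRC-32."""
    return zlib.crc32(crc32_forge(data, target)) == target


def demo() -> dict:
    """Tamper with a constructed image and make its CRC-32 match escrow."""
    certified = b"constructed sample code image, version 1.0"
    escrowed_crc = zlib.crc32(certified)
    escrowed_sha = hashlib.sha256(certified).hexdigest()

    tampered = certified.replace(b"version 1.0", b"version 1.0 plus unlogged patch")
    forged = crc32_forge(tampered, escrowed_crc)
    return {
        "crc_matches_escrow": zlib.crc32(forged) == escrowed_crc,
        "sha256_matches_escrow": hashlib.sha256(forged).hexdigest() == escrowed_sha,
        "forged_image": forged,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The four extra bytes can be hidden in padding or an unused data region of a real image, so a CRC or simple sum stored in escrow gives no assurance against a deliberate change; it only catches accidental corruption.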