By Jake Edge
March 26, 2008
It is hard to believe that governments would spend money on voting
equipment that they are not allowed to test, but that is
exactly what multiple counties in New Jersey appear
to have done. They are certainly not alone; many other places are
likely to have the same restrictions on "their" voting machines. This begs the question:
where are the free software voting systems?
Union County wanted to ask Ed Felten to look at the voting machines it
purchased from Sequoia Voting Systems because of several
anomalies—less charitably known as miscounts—observed when using
them in the primary elections. Once Sequoia got wind of the plan, they
emailed Felten a nastygram
because he might engage in "non-compliant analysis" of the machines in
violation of the Sequoia license. It seems quite likely that is exactly
what Felten and the county clerk had in mind as a third-party analysis is
the only sensible way to evaluate voting machines.
Other jurisdictions have done better of late, with Felten's Freedom to
Tinker weblog noting that California has denied
certification for two voting machines from Election Systems & Software
(ES&S). California Secretary of State Debra Bowen has been at the
forefront of trying to ensure
that voting machines work correctly. LWN's home state of Colorado also
decertified
a number of voting machines, but, like the earlier California study, it
was done after those machines were purchased. As in California, it
seems likely that Colorado will be using those machines in November.
Things are getting a little better, perhaps, but no one has, as yet, tried
to take on the four major voting machine makers with a system that is built
with security in mind. There is no reason that the source code for a
voting machine could not be made available for study. The voting machine
vendors claim all sorts of proprietary secret sauce in their code, but that
isn't the real reason they hide it. Covering up their shoddy code is much more likely.
Every independent review of voting machines has found numerous,
fundamental security flaws that should make anyone with an interest in the
integrity of the election process cringe. Many of those analyses were done
without the source code, so there is little doubt that even uglier problems
would have been found in the code itself. It just cannot be that difficult to
produce something vastly more secure than what is made available today.
One could speculate about the motives of these companies, but looking
instead at what could be built, with mostly off-the-shelf software, is more
fruitful. The place to start is by hiring a few good security-minded
developers, while lining up an independent review team. One might guess
that Felten and his associates would be a good place to start.
A stripped down Linux system could very easily be the basis for a voting
machine, but other free software choices would serve just as well. Some
user interface code for touchscreens and alternative input methods
for those with disabilities would need to be written. Some kind of
printing output device would need to be made a part of the system so that
voter-verifiable audit trails—better yet, ballots that can be put
into a locked box—can be created.
Source code availability does not, in and of itself, ensure vote security.
That code needs to be reviewed by as many experts as can be found. In
addition, there needs to be some mechanism to show that the source code
being reviewed is the same as that being run.
For that reason, the system itself might incorporate some kind of Trusted
Platform Module (TPM) chip so that interested parties can verify that the
published code is the same as that running on the system. If the system
runs Linux, it might use the integrity management patches
for that. Most importantly, the outside interfaces (network, USB, PCMCIA,
etc.) to the device would either not be present or be very tightly
controlled. Any kind of removable vote recording memory would need
adequate cryptographic safeguards to eliminate tampering between vote
taking and vote tabulating machines.
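As an added illustration (not part of the original article, and not code from any voting system or from the Linux integrity patches), the sketch below shows the check a TPM makes possible: a verifier replays the machine's measurement log, confirms it reproduces the PCR value the TPM reported, and confirms every measured component matches a hash of the published build. The component names, the SHA-256 PCR bank, and the sample data are constructed assumptions, and the TPM's signature over the reported PCR is assumed to have been verified already.

```python
import hashlib

PCR_SIZE = 32  # assumed SHA-256 PCR bank; TPM 1.2 hardware used SHA-1

def measure(blob: bytes) -> bytes:
    """Hash a component before it is executed."""
    return hashlib.sha256(blob).digest()

def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend operation: new PCR = H(old PCR || measurement)."""
    return hashlib.sha256(pcr + digest).digest()

def replay(log):
    """Recompute the PCR value implied by a measurement log."""
    pcr = bytes(PCR_SIZE)  # PCRs start at all zeros on reset
    for _name, digest in log:
        pcr = extend(pcr, digest)
    return pcr

def boot(components):
    """Simulated machine: measure each component in order, return (log, pcr)."""
    log = [(name, measure(blob)) for name, blob in components]
    return log, replay(log)

def verify(log, quoted_pcr, published):
    """Return a list of problems; an empty list means the machine ran
    exactly the published components, in the logged order."""
    problems = []
    if replay(log) != quoted_pcr:
        # The log was edited after the fact, or something ran unlogged.
        problems.append("log does not reproduce quoted PCR")
    for name, digest in log:
        if published.get(name) != digest:
            problems.append(f"unpublished or modified component: {name}")
    return problems

# Constructed sample data: stand-ins for binaries built from reviewed source.
PUBLISHED_BUILD = {
    "kernel": b"stripped-down kernel image",
    "ballot-ui": b"touchscreen ballot interface",
    "tabulator": b"vote recording code",
}
PUBLISHED = {name: measure(blob) for name, blob in PUBLISHED_BUILD.items()}

if __name__ == "__main__":
    log, pcr = boot(list(PUBLISHED_BUILD.items()))
    print("honest machine:", verify(log, pcr, PUBLISHED))
    altered = [(n, b + b"!" if n == "tabulator" else b)
               for n, b in PUBLISHED_BUILD.items()]
    log2, pcr2 = boot(altered)
    print("altered machine:", verify(log2, pcr2, PUBLISHED))
    print("altered machine, forged log:", verify(log, pcr2, PUBLISHED))
```

Because each extend folds the previous PCR value into the next, a machine that ran altered code cannot present a clean log without the replayed value diverging from the one the TPM reports.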
Instead of an emphasis on PR, schmoozing, and bamboozling non-technical
folks, the focus of a free software
voting system would be on transparency. The number one goal would be to
give everyone, from the least technical voter to the Bruce Schneiers of
the world, confidence in the machines and the process. It is hard to
fathom how anyone could want anything less.