Sequoia to release voting system software [LWN.net]

Sequoia to release voting system software

Posted Oct 28, 2009 14:57 UTC (Wed) by tdz (subscriber, #58733) [Link] (5 responses)

"Fully disclosed source code is the path to true transparency and confidence in the voting process for all involved."

Obviously, it's not. One still cannot see whether the executed binary code is the same as the supplied source code.

Sequoia to release voting system software

Posted Oct 28, 2009 18:39 UTC (Wed) by drag (guest, #31333) [Link] (1 responses)

Voting machine companies in the USA are not allowed to build their own
software and use it, generally. (it depends, see below)

Instead they are required to supply the audited source code (they have to
submit changes to a third party for auditing during development) to a third
party certification body which then builds the binaries. Representatives
from the voting machine company can be observers during the build process,
but are not allowed to touch any of the software or hardware. This is
called the "trusted build".

Those binaries are then hashed (crc32, md5, sha1 currently, but in the
future: sha2) and those hashes are placed in the "National Software
Reference Library" which you can obtain from here:
http://www.nsrl.nist.gov/votedata.html

Then the voting machine company retrieves the software binaries back from
the certification folks which then is what they use in manufacturing.

This should cover not only the application, but any OS software and any
programmable firmware on the device.

Then the voting machine company must supply directions to the certification
folks on how to validate the software/firmware on the voting machines with
the NSRL database. All of this has to go through a testing and approval
process before the voting machine company is allowed to use any of their
hardware in a election that gets federal funds and such thing. I am not
sure of all the details. These procedures are designed for customers and
third parties to validate contents of the hardware/firmware/software.

This is for hardware that must meet the Voluntary Voting Software
Guidelines 2005. Which you can get from:
http://www.eac.gov/voting%20systems/docs/vvsgvolume_ii.pd...
ad/file

If the link does not work google around for VVSG 2005. Not all voting
machines are required to support it automatically... The Federal government
does not have authority over the states in that way. But states usually
follow the federal guidelines in their own procurement. You can see
variations in requirements all the way down to individual voting areas in
cities. Some states have their own special requirements. It all depends on
the politics involved. You'll have to check with your local election board
if your curious about all the exact details.

Since we are dealing with the USA Federal government the rules often make
little sense. Like every thing else that happens in the government they are
huge, sprawling, may not mesh well with rules made previously or since, and
made by committee so that there are plenty of conflicts and people in
charge of elections can cherry pick what rules and how to interpret them
often. So like I said before if your curious about what is going to be used
in _your_ elections you have to contact your election board. What I
described above though standard operation for people that choose to follow
the federal guidelines (which comes as strings attached to federal money).

Sequoia to release voting system software

Posted Oct 28, 2009 22:31 UTC (Wed) by jpritikin (guest, #51591) [Link]

Even with the precautions you have described, there are still plenty of weak points in the process. Instead of open source, what we need is cryptographically verifiable voting:

http://www.youtube.com/watch?v=ZDnShu5V99s

value of revealing source code

Posted Oct 29, 2009 4:30 UTC (Thu) by pjm (guest, #2080) [Link] (2 responses)

I agree it's not sufficient to guarantee that it gives the right result, and I don't think any software proofs, soldered ROMs etc. are enough to make it redundant to provide independent verification that's strong enough to detect software/hardware/clerical errors.

However, allowing public access to the supposed source code surely does provide some additional transparency (by definition), and should allow greater confidence about the absence of accidental bugs.

value of revealing source code

Posted Oct 29, 2009 10:56 UTC (Thu) by tdz (subscriber, #58733) [Link] (1 responses)

> I agree it's not sufficient to guarantee that it gives the right result, and I don't think any software proofs, soldered ROMs etc. are enough to make it redundant to provide independent verification that's strong enough to detect software/hardware/clerical errors.
>
> However, allowing public access to the supposed source code surely does provide some additional transparency (by definition), and should allow greater confidence about the absence of accidental bugs."

These paragraph seem to contradict each other: First, you say it's not sufficient, and then you say it adds confidence.

Also, _accidental_ bugs do not seem to be the problem here.

Regards, Thomas

value of revealing source code

Posted Oct 30, 2009 10:03 UTC (Fri) by pjm (guest, #2080) [Link]

[Readers who do not share tdz's objections can safely skip this longish and uninteresting reply.]

> These paragraph seem to contradict each other: First, you say it's not sufficient, and then you say it adds confidence.

Is this what you meant to write? I don't see any problem with saying that something increases confidence of property P but doesn't absolutely guarantee that property P holds. Perhaps it would help if I clarified that I was using guarantee in an absolute sense and confidence in a relative sense (as indicated by the word greater). Does that clarification resolve things for you? If so, can you suggest how it should be reworded such that it would be understood, e.g. would you still have objected if I'd written absolutely guarantee instead of just guarantee? Otherwise, why do you consider there to be a contradiction in it's not sufficient [to guarantee P] but does add confidence [that P holds] ?

> Also, _accidental_ bugs do not seem to be the problem here.

LWN has already documented one case where accidental errors associated with voting software have led to wrong vote counts, and more generally I believe that accidental errors are a significant source of wrong vote counts in elections that are considering using voting software, so I think reducing accidental errors is still useful.

Even considering malicious errors, see http://lwn.net/Articles/275092/ Voting machine integrity through transparency for evidence that at least one person would be more confident in election results with publicly-visible source code than hidden source code; and see http://lwn.net/Articles/100177/ Back door in Diebold voting systems? for a possible attack vector that would be facilitated by hidden source code and that appears to have been brought to the attention of general public.

Note that the first of those articles directly concerns anomalies less charitably known as miscounts associated with Sequoia voting machines, so I would say that Sequoia is speaking from direct experience when voicing its belief that making source code visible will increase confidence in the results.

Sequoia to release voting system software

Posted Oct 28, 2009 16:01 UTC (Wed) by proski (subscriber, #104) [Link] (8 responses)

It would be great if the voting software could make preferential voting (like Condorcet or IRV) less confusing to an average voter, and thus viable above the city level. That would greatly change the political landscape by giving realistic chances to the independents and centrists not backed by the major parties.

Sequoia to release voting system software

Posted Oct 28, 2009 16:55 UTC (Wed) by dskoll (subscriber, #1630) [Link] (7 responses)

It would be great if the voting software could make preferential voting (like Condorcet or IRV) less confusing to an average voter

Pipe-dream.

Anyway, as I've written many times before, any kind of electronic voting is inherently bad and inherently insecure. The only form of voting that is trustworthy uses physical ballots. Sure, computers can be used to accelerate the counting, but the physical ballots must always be authoritative.

Sequoia to release voting system software

Posted Oct 28, 2009 17:16 UTC (Wed) by proski (subscriber, #104) [Link] (6 responses)

Well, the filled ballots could still be printed and deposited into the ballot box. At least the computer system could print the ballots in an unambiguous way, with the preferences clearly marked and verifiable by the voter.

The main concern about preferential voting is that the voters can get confused and fail to mark their preferences correctly.

Sequoia to release voting system software

Posted Oct 28, 2009 17:48 UTC (Wed) by tdz (subscriber, #58733) [Link] (5 responses)

"Well, the filled ballots could still be printed and deposited into the ballot box. At least the computer system could print the ballots in an unambiguous way, with the preferences clearly marked and verifiable by the voter."

The printed ballots need to take precedence over the machine's result, so they have to be counted anyway.

But then, what is the point of using voting machines in the first place? They only cost money and make the process of voting more complicated.

Sequoia to release voting system software

Posted Oct 28, 2009 18:41 UTC (Wed) by jamesjolsen (guest, #61658) [Link]

A few points:

Before printing the ballot, the software can detect apparent errors and verify that the voter's choices are what is really wanted. Overvoting (too many votes) can be made impossible, and undervoting (too few votes) can be confirmed with the voter.
Rather than having to guess how many ballots are needed, printing them (plus a margin for safety) and keeping them in secure inventory, election officials need merely to inventory blank paper and ink/toner.
Multiple ballot versions for different languages, different localities, etc., do not require separate, secure inventories of ballots. Each version can be printed on the spot as needed.

The key thing is that the paper ballot should be paramount. The electronics can simply implement a better way for the voter to produce a completed paper ballot.

Sequoia to release voting system software

Posted Oct 28, 2009 21:26 UTC (Wed) by iabervon (subscriber, #722) [Link]

In my district, we make our marks on paper, put the paper in a sleeve, and then feed the paper into a machine. The machine spits it back out if the ballot isn't clear. Otherwise, it puts it in a box and counts the votes. When the polls close, the machine reports the votes and people know who won. Then they count the ballots and see whether the machine is broken. Then they certify the election.

The machines provide two advantages: if you mark something invalid, you can try again, with no humans seeing your spoiled ballot; and they have a preliminary count immediately. The preliminary count is always correct, because they test the actual case after the fact, and they would notice if the machine was ever not right. The inevitable mistakes and bugs don't affect the actual outcome of the election, and they reflect badly on the responsible parties, rather than being hidden. (Of course, if bugs resulted in valid combinations of votes not being possible to cast, or invalid combinations of votes that people actually made being accepted, this would affect the election, but this would also be obvious and probably lead to some sort of replacement procedure if it ever happened.)

There's also the more difficult need for a system to allow someone who can't see a ballot to produce one that they trust matches their intent without letting anyone else see or affect this ballot. I think we have some sort of procedure for this in my district, but I've never tried it.

The point of using voting machines

Posted Oct 28, 2009 22:18 UTC (Wed) by rfunk (subscriber, #4054) [Link] (2 responses)

"But then, what is the point of using voting machines in the first place?
They only cost money and make the process of voting more complicated."

In increasing order of political difficulty:

1. They can make the process more simple for a lot of people, especially in
the US where there can be many races with many candidates each, and often
scenarios of "vote for 3 here but vote for 1 here".

2. They can make it easier and faster to get a count of the results, giving
results within hours rather than days or weeks.

3. They can make it possible for people with various handicaps (especially
blindness or near-blindness) to vote privately without assistance.

I'm one who'd rather go back to paper ballots, no machines, but these are
the main points in opposition.

The point of using voting machines

Posted Oct 28, 2009 23:45 UTC (Wed) by dskoll (subscriber, #1630) [Link]

1. They can make the process more simple for a lot of people, especially in the US where there can be many races with many candidates each, and often scenarios of "vote for 3 here but vote for 1 here".

That is a problem with the US, I agree. Perhaps it should simplify its votes?

2. They can make it easier and faster to get a count of the results, giving results within hours rather than days or weeks.

We (Canada) get results within hours. Same with Germany. It is not hard to hand-count lots of ballots. If done correctly, it takes time O(logN)

3. They can make it possible for people with various handicaps (especially blindness or near-blindness) to vote privately without assistance.

Not really. The blind person has to trust the machine; he/she can't verify the ballot for correctness the way a sighted person can. This can be overcome with (for example) special Braille ballots.

The only real advantage is in case (1), and that's not an advantage: An election that needs a computer to make sure people don't make mistakes is too complex and error-prone to be democratic in the first place.

The point of using voting machines

Posted Oct 29, 2009 10:50 UTC (Thu) by tdz (subscriber, #58733) [Link]

> 1. They can make the process more simple for a lot of people, especially in
> the US where there can be many races with many candidates each, and often
> scenarios of "vote for 3 here but vote for 1 here".

But people have to understand this in either case. At best, the machine can help to not make ballots unintentionally incorrect.

One user here mentioned the use of different languages, which might be a point for voting machines. On the other hand, a lot of people have problems with using a computer (in contrast to pen and paper). So I don't really buy that machines make voting easier in general.

> 2. They can make it easier and faster to get a count of the results, giving
> results within hours rather than days or weeks.

This point is absolutely not convincing.

I live in Germany, where almost all elections are done with pen and paper and counted by hand. The process and organization of elections here is highly decentralized.

Elections are generally on Sundays and all polling places always close at 6 pm. A forecast is available at 6:01. At the latest at 7 pm there is a preliminary result that is close to the fraction of a percent to the final result.

Personally, I took part in helping with elections and counting (by hand) several times. We had several hundred ballots with up to 3 votes each, like the one you describe in the point 1 above. We were 10 to 20 people and it only took an evening to count them. We actually counted at least twice to ensure the correctness of the result.

> 3. They can make it possible for people with various handicaps (especially
> blindness or near-blindness) to vote privately without assistance.

Depends on the person and the handicap.

Regards, Thomas

Sequoia to release voting system software

Posted Oct 28, 2009 21:19 UTC (Wed) by Burgundavia (guest, #25172) [Link] (2 responses)

The local municipality I live in uses the best sort of electronic voting. You get a paper ballot and a pen. It is then fed into a machine to read it, much like a test answer paper would. This means you get the security of a paper ballot with the speed of electronic voting.

Sequoia to release voting system software

Posted Oct 28, 2009 22:18 UTC (Wed) by drag (guest, #31333) [Link]

That is what most people are moving to.

In situations like that they will still usually have a voting machine that can mark the ballots for you sitting in the corner somewhere. Generally that is useful for people with disabilities, that way they can have a audio ballot or can market ballots using paddles or sip-n-puff device. The poll worker inserts the ballot, the voter votes on the touchscreen/touchpad/paddle/etc and then it prints out the ovals on the paper, which then is removed and fed into the ballot box or into the scanner.

The touchscreen-only devices that record the results to compact flash or other removable media (as opposed to printing out on paper) are called "DRE"s and while there are still plenty of them floating around and are being used they are not generally being used in new purchases. The DRE is what is usually shown in the media when they talk about voting machines, but not all are like that.

Sequoia to release voting system software

Posted Oct 28, 2009 23:48 UTC (Wed) by dskoll (subscriber, #1630) [Link]

This is what my city uses too. I wouldn't classify it as a "voting machine". It's a "counting accelerator", and if election results are challenged, the recount is still done by hand-counting the paper ballots.

I don't have objections to counting accelerators as long as the paper ballots are authoritative.