
Will 'controlled open source' software take over election work? (NewsForge)


Posted Aug 19, 2004 18:36 UTC (Thu) by QuisUtDeus (guest, #14854)
Parent article: Will 'controlled open source' software take over election work? (NewsForge)

The problem with computer-based voting is that, without a paper trail that takes the place of the ballot (so the counting of the votes is done with tangible ballots), no one can truly convince anyone (even himself) that the counting of the votes was accurate and reliable. There is nothing to show, nothing tangible to handle. You can't reveal the memory of the computer and all the logic that manipulates it. Even an open source voting program cannot prove that that is the software running on the machine.

Computer assisted voting, where a receipt is printed and used as the ballot would probably be acceptable, so long as those receipts are counted (or are at least available to be counted).

If there is a problem, a power failure, an abend, whatever, then the votes already cast are not lost. Then the tabulators would know that a hand-count of the receipts was required. In the case of smooth operation, a computer-counted tally could be accepted as a quick answer, but if people demanded a recount in a certain precinct, then the receipts are available to be counted.

The potential for fraud in a receipt-less computer-based election is too high.

For a (somewhat extreme) presentation of the problems with computer-only elections, see http://www.votefraud.org/ .

Free elections work only because people can see for themselves (or can hear from others they trust) that the reported results accurately reflect the votes that were intended to be cast by the voters.

There are other factors as well, like confidence that only those who are eligible to vote for a decision voted, and that each voted at most once for each decision. These involve determining identity and matching identity to eligibility. People can be fooled, but it is not clear that a computer-based ID and eligibility check would be any more accurate or resistant to wide-scale fraud.

Don't hand over your freedoms (the few that are left), not even for nifty gadgets. Use computer voting all you like for your own needs, but don't remove the mechanisms that keep the elections of our public officials verifiable, even if many elections aren't verified that should be.

Don't tempt the powerful with a tool that only the powerful can effectively wield to their own advantage.

"Those who cast the votes decide nothing. Those who count the votes decide everything."

— attributed to Communist Tyrant Josef Stalin



Will 'controlled open source' software take over election work? (NewsForge)

Posted Aug 19, 2004 19:06 UTC (Thu) by crouchet (guest, #1084)

Unfortunately one of the selling points of e-voting is that the costs of a recount are negligible because it just consists of having the computer add up the same numbers again and get the same result. Eventually the idea of a recount would fall into disuse.

To a public official that looks quite attractive from both a political and financial standpoint. It becomes easy to accept the justification that it does not matter because the overall result will be more accurate anyway.

Democracy is messy and expensive. When we try to avoid that reality we only dilute our own power.

JC

Will 'controlled open source' software take over election work? (NewsForge)

Posted Aug 19, 2004 19:17 UTC (Thu) by Baylink (subscriber, #755)

Florida (duh) is embroiled in a controversy right now because the non-direct-recording electronic voting machines in use in the state violate the state statute requiring something which can be independently recounted -- Miami/Dade has outlawed touchscreens, falling back on scantrons which *can* be counted by hand, if necessary.

A *whole lot* of people (hopefully including ex-Sarasota stripper and US Senatorial candidate Katherine Harris) are gonna lose their jobs this year...

Will 'controlled open source' software take over election work? (NewsForge)

Posted Aug 19, 2004 19:22 UTC (Thu) by jabby (subscriber, #2648)

I agree that a paper trail is a necessary condition for the proper recording of votes. I also hold that open source code is a necessary condition. Neither is by itself sufficient, but taken together they create a set of circumstances that are the best one can hope for with computerized electronic voting.

I disagree with this statement, however: "Even an open source voting program cannot prove that that is the software running on the machine."

Open source software built using an open toolchain (compiler, linker, etc.) and running on an open source OS would be sufficient for being able to literally *prove* that the code over here resulted in the binary over there.

Now if you're talking about the span of time between when the binary was verified and the election, more conventional means have to be relied upon, such as putting the binaries on a read-only medium and locking them in a safe until election time. I'm specifically thinking about KNOPPIX-like CDs with an entire open source election "distro". Everything could be run from read-only media bearing verified binaries of open source code.

Another option would be to avoid compilation altogether and go for an interpreted language, like Python or Perl. Then you would literally have the source code available on the machine *during* the election. It could even be compared against a read-only medium carrying the original before *every* vote is cast.

With open source code, a plethora of options are available for protecting the integrity of a voting system. With paper ballots as a backup, the resulting system earns my confidence. But, as they say, "trust, but verify". No matter how much I might trust such a system, all voting solutions require constant vigilance. Someone must still be actively looking for tampering and comparing exit polls to the computerized tallies.

Will 'controlled open source' software take over election work? (NewsForge)

Posted Aug 19, 2004 20:19 UTC (Thu) by JoeBuck (subscriber, #2330)

I would be satisfied with a paper printout for every vote that is checkable by the voter (printed out in large type for easy reading by the elderly), then dropped into a locked box for use in recounts as well as for cross-checking.

The code need not be open source, however, it would need to be made available in source form to trusted third parties (including opponents of software voting machines) for inspection and review, with no restrictions placed on the inspectors that harm their ability to report flaws to the public. Regardless of whether the code is open source or not, the third-party inspectors should verify the process for producing the binary code (possibly by running the build process themselves with the specified software development tools, and checking that the binaries match).

Open source would be nice, but it's not a necessary condition for confidence in the election, and that's the problem that vitally needs to be fixed.
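The integrity check that jabby (verified binaries or source on read-only media, re-compared before every vote) and JoeBuck (third parties rebuilding and checking that the binaries match) both describe comes down to the same operation: hash every file of the installed program and compare against a manifest taken from the verified copy. The following is an added Python example, not code from any post in this thread or from any voting vendor; the directory layout, file names and the manifest format are assumptions made for the demonstration.

```python
"""Compare an installed voting program against a manifest of verified hashes.

Added example for this thread, not from any post or product. The manifest is
assumed to come from the read-only medium holding the verified copy; the
file layout below is constructed for the demonstration.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of one file, streamed so large binaries do not need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map 'relative/path' -> sha256 for every regular file under root."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): file_digest(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_tree(root: Path, manifest: dict) -> list:
    """Return a list of problems; an empty list means the tree matches.

    Files present on disk but absent from the manifest are reported too:
    an interpreter or dynamic loader will happily pick up an extra module
    even when every listed file is intact.
    """
    problems = []
    actual = build_manifest(root)
    for rel, expected in manifest.items():
        got = actual.get(rel)
        if got is None:
            problems.append(f"missing: {rel}")
        elif got != expected:
            problems.append(f"modified: {rel}")
    for rel in sorted(actual.keys() - manifest.keys()):
        problems.append(f"unexpected: {rel}")
    return problems


def demo() -> tuple:
    """Constructed scenario: a pristine installed copy, then a tampered one."""
    with tempfile.TemporaryDirectory() as d:
        master = Path(d) / "readonly"          # stands in for the locked-up CD
        (master / "lib").mkdir(parents=True)
        (master / "vote.py").write_text("def tally(b): return sum(b)\n")
        (master / "lib" / "ui.py").write_text("def show(x): print(x)\n")
        manifest = build_manifest(master)

        live = Path(d) / "live"                # the machine's working copy
        shutil.copytree(master, live)
        clean = verify_tree(live, manifest)

        # Two tamperings: alter the tallying code, drop in an extra module.
        (live / "vote.py").write_text("def tally(b): return sum(b) + 1\n")
        (live / "lib" / "extra.py").write_text("")
        tampered = verify_tree(live, manifest)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("pristine copy:", before or "OK")
    print("tampered copy:", after)
```

Run it before each ballot, as jabby suggests, and refuse to proceed on a non-empty result. The check only moves the trust question to the manifest and to the program doing the comparing, which is exactly the point later posts in this thread make about the compiler, the OS and the firmware: the manifest has to be produced from a copy whose build was itself reproduced and witnessed, and kept where the machine cannot rewrite it.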

open source necessary condition for voter confidence

Posted Aug 20, 2004 2:49 UTC (Fri) by jabby (subscriber, #2648)

I don't trust any third party... or even a couple of them. I want to be able to review the code myself and to have the local computer science department perform a code review and the military and all interested political parties and the foreign governments who are affected by our political choices... Yes, everyone should be able to inspect the code. No more "trade secret" or "competitive advantage" whining from the companies who are making money hand over fist at the taxpayers' expense.

Remember Linus' Law: "Given enough eyes, all bugs are shallow." How long do you think it would take for *someone* *somewhere* in the world to find subverted code? With as much as there is at stake in the general election, my guess is "not long." When the Diebold source was leaked on the internet it took very little time for computer scientists to examine the code and find dozens of critical weaknesses.

Also, the compiler has to be open source and inspectable as well. I'm not forgetting the famous backdoor-inserting compiler hack by Ken Thompson:

http://www.acm.org/classics/sep95/

This actually demonstrates that you can't trust any program that handles programs, but I would still maintain that you are *far* better off with open source than with closed source. With closed source, only those "trusted parties" (who sign NDAs and are therefore bound in ways that make them untrustworthy) can see the source code and try to compile it and verify the binary. That's when you have the problem of closed source compilers and the inability to verify that the binary produced actually obeys the code that you approved and fed to it.

As for confidence in the election, I fail to see how closed-source (secret) software running on closed-source, proprietary operating systems and inspected by only a few "trusted parties" is going to inspire confidence. In general, people are smart enough to know that transparency is good and trustworthy and that wherever something is hidden from public view there resides the temptation to deceive the public.

open source necessary condition for voter confidence

Posted Aug 20, 2004 17:59 UTC (Fri) by tzafrir (subscriber, #11501)

You should realise though, that the "software" is the whole stack, not only the voting software itself.

Backdoors can be added in the underlying OS. Quite easily.

But you can go even further: What about the firmware of the CPU? The firmware of the BIOS? The firmware of the disk controller?

Will 'controlled open source' software take over election work? (NewsForge)

Posted Aug 19, 2004 20:23 UTC (Thu) by bdixon (subscriber, #1055)

Ownership and visibility into the codebase that constitutes an open voting machine does not mean that we can be assured that a subversion hasn't been planted. It is impossible to be assured that inspection has found all subversions.

Solving this problem will take a codebase that is simpler and far more verifiable than either Windows or Linux.

Will 'controlled open source' software take over election work? (NewsForge)

Posted Aug 20, 2004 13:58 UTC (Fri) by hummassa (subscriber, #307)

" Ownership and visibility into the codebase that constitutes an open voting machine does not mean that we can be assured that a subversion hasn't been planted. It is impossible to be assured that inspection has found all subversions. "... but it is possible (even easy) to establish a system of distributed, formalized testing that finds /many/ possible subversions (read my other posts in this same thread)

" Solving this problem will take a codebase that is simpler and far more verifiable than either Windows or Linux. "... I won't argue this, the simpler the system, the easier to make it secure.

Will 'controlled open source' software take over election work? (NewsForge)

Posted Aug 20, 2004 18:28 UTC (Fri) by tzafrir (subscriber, #11501)

No. This is practically impossible.

Yes, programs in OCAML (?) can be officially verified. How nice. But what about the implementation of the OCAML compiler? run-time environment? (which are probably written in C)?

What about the libraries and the kernel of the underlying OS? A formally-verifiable OS is, ATM, a non-practical academic research subject.

But then again, the aim is not a totally safe system, but a practically-safe system. If someone wants winning hard enough one can always take a shot at bribing citizens and other low-tech methods. See http://www.schneier.com/crypto-gram-0404.html#4 for a better insight.

Will 'controlled open source' software take over election work? (NewsForge)

Posted Aug 19, 2004 20:43 UTC (Thu) by mmarsh (subscriber, #17029)

I often hear the statement that our voting machines need to have paper trails. Technically, this isn't true. What we need is _some_ sort of voter-verifiable, recount-enabling trail. It need not specifically be printed on paper. Granted, printed ballots are a reasonable solution, but we shouldn't focus on one particular technology or technique at the exclusion of all others.

Why the need for a paper trail?

Posted Aug 20, 2004 0:57 UTC (Fri) by vdvo (guest, #24133)

The problem with computer-based voting is that, without a paper trail that takes the place of the ballot (so the counting of the votes is done with tangible ballots), no one can truly convince anyone (even himself) that the counting of the votes was accurate and reliable. There is nothing to show, nothing tangible to handle.

Why do we need papers or something tangible to convince us of anything? I thought we were hackers, here?

This argument is so often repeated that I keep thinking I must be overlooking something, because it seems so obviously false. I offer you a paper-less, yet verifiable solution. In fact, my solution seems to be much better than paper voting, because only a few selected individuals have access to the paper ballots, so most people can't verify anything. Tell me where I'm wrong.

The solution:

  1. The voter comes to the e-voting booth and presents to the machine a token of authorization to vote; this token is consumed or invalidated. The handing out of these tokens is a separate matter not under discussion here.
  2. The machine asks the voter to enter any unique identifier, password, PIN, nickname, or whatever. This will serve to identify his vote. At the voter's option, the machine may offer to generate a random identifier for him. The machine will make sure the identifier is unique at least within the voting district. The voter will make sure to not tell the identifier to anyone (the on-screen instructions should advise him to this).
  3. The machine lets the voter choose his preferred candidate(s), or whatever is the matter of the election or vote.
  4. The machine stores in a database a tuple of the identifier and the ballot. After making sure the entry is permanently stored, it thanks the voter and indicates that the vote is done.
  5. The voter goes home. He fires up his web browser and surfs to the election's home page. He enters his chosen (or generated), secret identifier, and the server responds by showing his ballot. Thus, the voter has verified that his vote has been registered correctly - something he isn't able to do right now, even with paper ballots or paper trails. Furthermore, he can do this verification instantly, without even waiting for the elections to close.
  6. Once the elections have closed, the voter surfs to the election's home page again and clicks on a link for his (or any other) district's complete results listing. The server responds by giving a listing of potentially thousands of identifier-ballot pairs. These are public, because there is no reason for them to be secret. They can be published in newspapers for the benefit of the internet-impaired. Anyone can verify that their ballot was registered. Anyone can verify that there weren't more votes than eligible voters. Anyone can make a recount in the comfort of their homes, and compare his results to the official numbers. All these things are impossible right now, even with a paper ballot or a paper trail.
  7. Every voter's privacy is preserved, assuming that they keep their IDs secret (remember, they can choose their own) and that there is no way to connect the tokens (see 1.) to the ballots.

What have I missed?

Why the need for a paper trail?

Posted Aug 20, 2004 1:29 UTC (Fri) by vdvo (guest, #24133)

There's one more thing I forgot to add: with this solution, it doesn't matter whether the voting machine's software is open source or proprietary, nor whether it's made by Diebold or whoever. When you can verify the results, it's not important how you obtained them.

Why the need for a paper trail?

Posted Aug 20, 2004 3:44 UTC (Fri) by freemars (subscriber, #4235)

What have I missed?

Sammy the Enforcer hangs around outside the polls and offers you $100 to vote for Slimey Fred. He instructs you "use 8353459322 as your identifier."

The day after the election Sammy reads the newspaper and notes that voter "8353459322" voted for Honest Ellen. After breakfast Sammy stops by your house and breaks your legs.

Or Sammy reads the paper and notices that nobody used ID "8353459322" in your ward. After breakfast Sammy stops by your house and breaks your legs.

But if Sammy sees that voter "8353459322" cast a ballot for Slimey Fred he'll stop by your house and give you $100.

Isn't it simpler to just print the official, recountable, ballot, let the voter view it behind glass, and then drop it into the locked box?
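The seven-step scheme vdvo proposes, and the coercion attack freemars answers it with, can both be run through in a few dozen lines. What follows is an added Python simulation written for this page; it is not code from either poster. The board, the candidate names, the identifiers and the token check are all constructed for the demonstration, and the token-issuing step vdvo sets aside is reduced to a boolean.

```python
"""Simulation of the identifier-plus-ballot bulletin board, and of why
publishing it breaks the secret ballot.

Added example for this thread, not from any post. Candidates, identifiers
and the token check are constructed; step 1 (handing out tokens) is
reduced to a boolean the booth is assumed to have already checked.
"""
from collections import Counter


class BulletinBoard:
    """One district's store of (identifier, ballot) pairs (steps 2-6)."""

    def __init__(self):
        self._votes = {}  # identifier -> ballot

    def cast(self, token_ok: bool, ident: str, ballot: str) -> bool:
        """Reject voters without a valid token and duplicate identifiers."""
        if not token_ok or ident in self._votes:
            return False
        self._votes[ident] = ballot
        return True

    def lookup(self, ident: str):
        """Step 5: a voter checks his own ballot by secret identifier."""
        return self._votes.get(ident)

    def publish(self) -> list:
        """Step 6: the full district listing, as printed in the newspaper."""
        return sorted(self._votes.items())

    def official_tally(self) -> Counter:
        return Counter(self._votes.values())


def recount(published: list) -> Counter:
    """Anyone at home re-adds the published pairs (step 6)."""
    return Counter(ballot for _, ballot in published)


def coercer_check(published: list, demanded_ident: str, demanded_ballot: str) -> str:
    """What Sammy learns from the same newspaper.

    Because the voter may pick any identifier, a coercer can dictate one
    and later read off whether it appears and what it voted for. The
    public listing that makes the recount possible is what makes this
    check possible too.
    """
    table = dict(published)
    if demanded_ident not in table:
        return "absent"
    return "complied" if table[demanded_ident] == demanded_ballot else "defected"


def demo() -> dict:
    board = BulletinBoard()
    # Coerced voter uses Sammy's identifier but votes for Honest Ellen anyway.
    board.cast(True, "8353459322", "Honest Ellen")
    board.cast(True, "k3x9", "Slimey Fred")
    board.cast(True, "bluebird", "Honest Ellen")
    board.cast(False, "nomad", "Slimey Fred")   # no valid token: refused
    board.cast(True, "k3x9", "Honest Ellen")    # identifier already used: refused
    published = board.publish()
    return {
        "self_check": board.lookup("bluebird"),
        "recount_matches": recount(published) == board.official_tally(),
        "votes_on_board": len(published),
        "sammy_sees": coercer_check(published, "8353459322", "Slimey Fred"),
        "sammy_sees_if_not_used": coercer_check(published, "0000000000", "Slimey Fred"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The self-check and the at-home recount come out exactly as vdvo promises; the last two results are freemars' point. Letting the voter choose the identifier is what makes the scheme verifiable and what makes it coercible, and the two cannot be separated by tightening the code around the board. The cryptographic voting schemes hingo links to below address this with receipts that prove a ballot was counted without revealing what it contained.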

Why the need for a paper trail?

Posted Aug 20, 2004 11:23 UTC (Fri) by hingo (guest, #14792)

You have missed Sammy as explained above, also known as coercion. But other than that, your thinking is on the right tracks, just add some appropriate cryptography.

see http://www.eucybervote.org/xootic2000.pdf, http://citeseer.ist.psu.edu/40542.html and http://votehere.net/.

Of course, even with this kind of system you could add paper receipts as well, but there is less need for them.

Why the need for a paper trail?

Posted Aug 20, 2004 13:35 UTC (Fri) by arafel (subscriber, #18557)

You've missed people forgetting their ID, particularly if it's a random string of numbers. You've also missed the fact that who you vote for is supposed to be confidential, unless you choose to tell people. Having it published in a paper doesn't sound too confidential to me. :-)

Also, unless someone takes the printed paper, and counts up the number of people listed as voting for X, and the number of people the system *said* voted for X, how do you know they match?

I'm not entirely sure why people are rushing for electronic voting anyway. What's wrong with the systems currently in use?

Why the need for a paper trail?

Posted Aug 20, 2004 14:52 UTC (Fri) by dskoll (subscriber, #1630)

Complicated series of steps deleted

What have I missed?

A very important point:

Joe Average's eyes will glaze over when he gets to step 2. Voting must not only be fair, it must be seen to be fair by average members of the public. A voting system is no good if only 1% of the population (computer scientists) can understand and trust it.

A simple paper ballot is easily understandable by anyone capable of voting. Recounting paper ballots is easily understandable and verifiable by anyone capable of voting.

Even if someone came up with hack-proof hardware, hack-proof software, hack-proof officials and a hack-proof voting protocol (all of which is highly unlikely), it would still not be good enough because it's too complex for the large majority of the population to understand.

I don't know why people insist on trying to mis-apply technology where it will only create new problems. There is no problem whatsoever with paper ballots; there's absolutely no need to corrupt the system with technology.

Will a paper trail help? Maybe not.

Posted Sep 2, 2004 21:28 UTC (Thu) by lilo (guest, #661)

How will a paper trail actually help? Yes, I'll be able to walk away with my vote, and if I ever have any question about whether it was falsified, I can come back and check to make sure my vote was registered properly. But votes are fungible pieces of the vote total. A system with a backdoor could simply replace the complete ballot with a bogus one, and still be able to verify that my vote was registered properly in the original, fraud-free ballot.

The only way I can think of to use those paper ballot receipts would be to have every single voter in the original election come back and verify their ballots as part of a single process. In a country like the US where there's relatively poor voter turnout, one could reasonably suspect that two elections in a row might not have more than 60-70% voter overlap. Getting all the same people back to verify their votes might be a non-trivial exercise. All of this assumes that the original receipt wasn't bogus, and that the process of verification is closely monitored.

Paper receipts would seem to be no panacea.

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds