Voting machine integrity through transparency [LWN.net]

By Jake Edge
March 26, 2008

It is hard to believe that governments would spend money on voting equipment that they are not allowed to test, but that is exactly what multiple counties in New Jersey appear to have done. They are certainly not alone, many other places are likely to have the same restrictions on "their" voting machines. This begs the question: where are the free software voting systems?

Union County wanted to ask Ed Felten to look at the voting machines it purchased from Sequoia Voting Systems because of several anomalies—less charitably known as miscounts—observed when using them in the primary elections. Once Sequoia got wind of the plan, they emailed Felten a nastygram because he might engage in "non-compliant analysis" of the machines in violation of the Sequoia license. It seems quite likely that is exactly what Felten and the county clerk had in mind as a third-party analysis is the only sensible way to evaluate voting machines.

Other jurisdictions have done better of late, with Felten's Freedom to Tinker weblog noting that California has denied certification for two voting machines from Election Systems & Software (ES&S). California Secretary of State Debra Bowen has been at the forefront of trying to ensure that voting machines work correctly. LWN's home state of Colorado also decertified a number of voting machines, but, like the earlier California study, it was done after those machines were purchased. As in California, it seems likely that Colorado will be using those machines in November.

Things are getting a little better, perhaps, but no one has, as yet, tried to take on the four major voting machine makers with a system that is built with security in mind. There is no reason that the source code for a voting machine could not be made available for study. The voting machine vendors claim all sorts of proprietary secret sauce in their code, but that isn't the real reason they hide it. Covering up their shoddy code is much more likely.

Every independent review of voting machines has found numerous, fundamental security flaws that should make anyone with an interest in the integrity of the election process cringe. Many of those analyses were done without the source code, so there is little doubt that even uglier problems would have been found in the code itself. It just cannot be that difficult to produce something vastly more secure than what is made available today.

One could speculate about the motives of these companies, but instead looking at what could be built, with mostly off-the-shelf software, is more fruitful. The place to start is by hiring a few good security-minded developers, while lining up an independent review team. One might guess that Felten and his associates would be a good place to start.

A stripped down Linux system could very easily be the basis for a voting machine, but other free software choices would serve just as well. Some user interface code for touchscreens and alternative input methods for those with disabilities would need to be written. Some kind of printing output device would need to be made a part of the system so that voter-verifiable audit trails—better yet, ballots that can be put into a locked box—can be created.

Source code availability does not, in and of itself, ensure vote security. That code needs to be reviewed by as many experts as can be found. In addition, there needs to be some mechanism to show that the source code being reviewed is the same as that being run.

For that reason, the system itself might run on some kind of Trusted Platform Module (TPM) chip so that interested parties can verify that the published code is the same as that running on the system. If the system runs Linux, it might use the integrity management patches for that. Most importantly, the outside interfaces (network, USB, PCMCIA, etc.) to the device would either not be present or be very tightly controlled. Any kind of removable vote recording memory would need adequate cryptographic safeguards to eliminate tampering between vote taking and vote tabulating machines.

Instead of an emphasis on PR, schmoozing, and bamboozling non-technical folks, the focus of a free software voting system would be on transparency. The number one goal would be to give everyone, from the least technical voter to the Bruce Schneiers of the world: confidence in the machines and the process. It is hard to fathom how anyone could want anything less.

Index entries for this article
Security	Voting machines

Voting machine integrity through transparency

Posted Mar 27, 2008 9:07 UTC (Thu) by ljt (guest, #33337) [Link] (3 responses)

Transparency is impossible as soon as you have a two stages (source and compiled) code
production.
No matter how you lock things (TPM, source review, etc..) the interaction between compiler (a
complicated compiled code) and source code cannot be ensured.

The only solution would be to write directly machine code by hand and have it audited by
independent people. But then you have the processor and its intruction set, etc..

IMHO, the traditionnal hand based process solves all the issues and is much cheaper and
infinitely more trustable.

Voting machine integrity through transparency

Posted Mar 28, 2008 10:45 UTC (Fri) by dvdeug (subscriber, #10998) [Link] (1 responses)

The traditional hand-based process isn't much cheaper, which is one of the reasons they're
changing. It's basically not auditable; any sort of recount is very expensive. And do you have
any idea what type of insane, biased software is running on some of the vote counters in the
traditional hand-based process?

Standard off-the-shelf processors and compilers are generally trustworthy. If they give you
the code, you can compile it yourself. Alternately, high-reliability software, like for
airplanes and military applications, will compile without complex optimizations just so they
can audit the assembly and the source code simultaneously.

Reason for move to machines

Posted Apr 14, 2008 21:38 UTC (Mon) by Max.Hyre (subscriber, #1054) [Link]

Despite all the hoopla, the real reason machines are being pushed is so the vote is available the instant the polls close—we can't keep CNN waiting, now can we?

Canada manages to do it on paper ballots quite well, thank you. (For an interesting aspect of the method, check out the FAQ Can I eat the ballot?) Given the Canadian example, it's perfectly reasonable for every state to use paper ballots, including California, the most populous.

Voting machine integrity through transparency

Posted Mar 28, 2008 15:40 UTC (Fri) by alkandratsenka (guest, #50390) [Link]

I just wanted to post similar comment.

But I don't think it's impossible. You 'simply' need to audit machine code of one version of
gcc (statically linked) and one version of kernel.

Then you publish this gcc and kernel along with source and then anyone can verify object code
by recompiling it with published certified gcc launched on certified kernel.

Via source code review and usage of certified tools you can then certify other versions of gcc
and kernel more easily.

Something like this should work I think.

Voting machine integrity through transparency

Posted Mar 27, 2008 11:02 UTC (Thu) by ortalo (guest, #4654) [Link] (3 responses)

What's the (security) problem to be solved by automatic/electronic voting machines?
It's probably not the security of voting (unless one defends that our democracies have been
built for 2 centuries on bad manual voting procedures, something I would certainly not adhere
to). In fact, (computer) security is the problem such machines are going probably going to
create, not solve.
Then what? The counting speed? The cost of the election?
Well, I am really skeptic that such issues are so bad currently that they would be enough to
motivate the potentially huge investment needed for highly secure voting machines.
First of all, I think we need a real multi-party qualification of why we need to build a
voting *machine* at all.

PS: "Because it's fun" may be the best answer know to me up to now... :-)

Voting machine integrity through transparency

Posted Mar 27, 2008 18:08 UTC (Thu) by iabervon (subscriber, #722) [Link] (1 responses)

The main need for a machine is to have a way that spoiled ballots (i.e., ballots that cannot
be unambiguously read) can be rejected (and recast) without any human other than the voter
seeing them (or the result on them) before they can no longer be connected to a particular
voter. The second need for a machine is to allow people with disabilities to vote, again
without revealing the vote to another human.

There's plenty of history of votes which have been miscast or discarded on account of voters
accidentally submitting ballots which the election officials could not interpret successfully.

Of course, the right device is a machine which optically scans hand-marked ballots and
collects them (if they're unambiguous) in a box for later recount (if necessary). This could
be coupled with a device that uses an audio interface and a button to decide what to print on
a ballot for blind people as well as the ability to read the ballot through the headphones
(optically scanning it) so the voter can confirm their vote independently of what they did
with the interface, before casting it. Of course, this needs very little source, open or
otherwise, and it can all be verified experimentally to behave correctly.

Voting machine integrity through transparency

Posted Mar 27, 2008 20:51 UTC (Thu) by ortalo (guest, #4654) [Link]

Maybe a machine can help a human to cast a correct ballot, but I doubt this would have a
significant influence on the overall vote validity. (If a majority of voters spoil their
ballots, I guess the democratic problem is not only a technical one!)

Concerning people with disabilities, I really have similar doubts. I witnessed such situations
myself as my grand father was blind. As a child I had several opportunities to see him
participate in an election and, well, his pragmatic solution was obvious: he was the one who
chosed who was going to help him cast his ballot. Furthermore, being technically curious
himself, I am pretty sure he would not have trusted the machine more than the person he
designated.
All in all, IMHO, such an example probably reduces to a conventional delegation issue, not
specifically related to disabilities.

Voting machine integrity through transparency

Posted Mar 28, 2008 16:18 UTC (Fri) by copsewood (subscriber, #199) [Link]

The only election issue that I can see machinery helping with is the cost of the election. But
it seems very surprising then that richer countries rather than poorer ones are obsessed with
using machinery for this purpose. In the UK we have not yet (in my view fortunately) succumbed
to the temptation to use machinery to count votes. As a software engineer and frequent
participant (candidate and agent) in my local elections there is no way I could trust anything
as complex as a computer to do this job. My city may have plenty of software engineers capable
of verifying the machinery as well as is possible, but why should everyone else trust a small
group of specialists to do this job, when we can and do use a much simpler system that
everyone can see work in front of them ? 

Spoiled paper ballots really are not an issue. We might get one or 2 votes in several thousand
that are genuinely ambiguous - where the common sense of the returning officer takes on the
slightest possibility of being in any way arbitrary. I have seen several hundred deliberately
and some marginally spoiled ballots, without once seeing a case where I have felt the
returning officer made the wrong call. In the very rare occasions where the majority is less
than 2 or 3 (in local elections majorities of hundreds or thousands are more common and in
parliamentary elections majorities are usually 10,000 or more) the recount would subject
spoiled ballots to much closer scrutiny.

The only way I can see computers assisting with the process would be for the computer to print
a paper ballot which is checked by the voter (and which has a "none of these" deliberate spoil
option) and put into an ordinary ballot box, which can be sampled in the event of a large
machine counted majority to verify it, and with all the paper ballots counted manually and
treated as canonical in the event of a very small majority or statistically large enough
sampling discrepancies.

If our American friends can't afford to have a few hundred people in a city of a million stay
up for a few hours once a year to count a few thousand paper ballots each, this doesn't speak
as highly of your commitment to a democratic process as many of your other actions do.

Voting machine integrity through transparency

Posted Mar 27, 2008 12:21 UTC (Thu) by ahoogerhuis (guest, #4041) [Link] (1 responses)

TPM? Clearly you have not understood what TPM is created for. It's there for Big Media(tm) to
verify they get eough of your money, not for you to verify you get your tax money's worth from
your gummint. ;)

-A

Voting machine integrity through transparency

Posted Mar 27, 2008 14:40 UTC (Thu) by kirkengaard (guest, #15022) [Link]

And here I was thinking, "finally, a good use for platform lock-down!"

Technological protection measures should only be used where something legitimately needs to be
protected, and then they should work.  The security of a voting system in operation is
certainly a legitimate example of a place where hard verification and few keys should be used.

Voting machine integrity through transparency

Posted Mar 27, 2008 16:08 UTC (Thu) by smoogen (subscriber, #97) [Link] (3 responses)

Actually I can really understand that people will go off and buy things that they can't test.

1) Most people live in a world where you trust that someone is going to sell you something
that works. Most people do not take their car completely apart before driving it. Most people
do not do the same with their washing machine, dryer, furnace, etc. And many people will buy a
service contract that states that they will get service from one company and if it will cost
them less.. that they will return it if they don't want service from that company. Its the
world that most people live in. So when they are told that their is a nice shiney gadget that
will cost the counting, is faster, and make sure you never have to hear the word hanging chad
with your next election. Bingo.. you have a sale.

2) Most people live in a world view where technology == win. Want to make a cheaper, faster,
more reliable car.. use robots versus people. Want to make a cheaper, faster, more reliable
cloth.. use 'robotic weavers' versus people. Want to make a cheaper, faster, more reliable
election.. well why shouldn't election machines do it? And aren't the arguments against it the
same as those people who throw their sabots into the robotic weavers of the 18th century???
[No but since every technological change gets people riled who are out of a job.. it has
become a habit to downplay it as Luddite rambling.]

3) Most people are not qualified to first discern whether or not that using electronic voting
machines is better or not. 90+% of people who code would look at the Sequoia code and probably
not find as many problems. And for all the questions from people like Felten and Schneier
there are equally 'qualified' who say the opposite. And qualifications do not mean the same
everyone. Written a book on coding, or been contracted by the US government is as valid to
most people as Felten's.

So I am not surprised that lots of places bought stuff that was snake-oil. I am more surprised
that we are re-evaluating it so quickly :).

Voting machine integrity through transparency

Posted Mar 27, 2008 18:29 UTC (Thu) by martinfick (subscriber, #4455) [Link] (1 responses)

Actually I can really understand that people will go off and buy things that they can't test.

Perhaps they trust that they will work when they buy them, but they do test them with regular usage to prove so!

I certainly test my washing machine, if it no longer gets my clothes clean, I buy a new one! I tend to notice when my dryer runs much longer, perhaps I stick my hand inside to see if the heating element is coming on (analysis) and then if not, I fix/replace it. If my furnace no longer heats my house (I do own thermometers to actually measure temperature), I higher a plumber to fix or replace it. Why would voting machines be any different? If they have been shown to not work, it might be time to consider putting your hand in the dryer to see if the heating element is coming on, (run a test election,) or call the plumber (send it to Ed Felten)

But these aren't even good examples, we are not talking about individual consumers, but rather organizations!

So I am not surprised that lots of places bought stuff that was snake-oil. I am more surprised that we are re-evaluating it so quickly :).

Quickly? If a ski resort buys an expensive charging mechanism to scan skiers passes at lift lines, they surely would evaluate whether it were properly denying access to unauthorized skiers pretty early in the process, surely before it were used on real customers, not after??? Why would voting be much different? Perhaps even a dry run with both systems (old paper/new electronic) side by side would be tried for a while, no? This would certainly be expected behavior from ordinary people/organizations, not just us free software supporters (we would expect more), wouldn't it?

But since businesses actually care about accuracy and govs. don't, perhaps it is surprising that it is being evaluated? ;)

Voting machine integrity through transparency

Posted Mar 27, 2008 19:19 UTC (Thu) by smoogen (subscriber, #97) [Link]

Most voting machine purchases were done on individual basis by people were told to get
something to comply with Federal Law but without the tools to figure out if they were getting
things good or not. I know for the elections in 2006.. the money to buy the required
electronic voting items came in 5 weeks before the drop dead date of getting the machines into
the state. They were given a customary test of "does the dummy light work. Yes. do they put in
the items we laid out, good. Do they collect my 5-10 votes that I put in.. good. Onto the
polls." And then they were put into storage after the election because the funding to pay for
the testers etc only goes for 2 weeks after the elections. Then they were pulled out for the
next elections.

To abuse my analogy and your extension of it.. a bit further. If you only used your washer or
dryer every 2 years.. would you know that it was taking longer? Voting doesn't happen every
week or every day like the ski resort or my washing machine analogy. It is a process that
shows up and in most elections are not decided by little margins.. so if you have a 0.1%-5%
mis-tally it doesn't matter and might never be caught. It is only a problem to the majority of
people when you have to worry about every vote. When the margin of error is greater than the
difference in vote tally's.

I will also disagree about the government view... having been at the end of a government audit
or two. People in government do like accuracy.... The problem is what they are told be
accurate about is not what most people consider important until they don't win an election.

What do we citizens yell the most about to the government:
1) Keep our taxes low,
2) Make sure that the roads, schools, sewage, phones, electricity, social security checks for
grandma, etc are paid.

Those things are watched as closely as possible. The IRS and various IG's are actually highly
accurate for an organization keeping track of things on nearly 40 year computers. That local
pork barrel project your Senator/Congressman/Parliament member brought home? Every cent is
going through 2-3 auditors hands to make sure that none of it is mis-spent beyond what
Congress/Parliament said it should. Yes there is some corruption going on, but the lack of
finding it is limited in the number of people you can hire to keep it going. The number of
auditors is at the point of diminishing returns.. you hire more auditors, require more
paperwork to be triple checked and the cost of the government goes up.

Outsource it to contract agencies shows a lower cost initially.. until people find that
someone cheated.. and then you have to hire more auditors to watch the contractor who is now
filing more paperwork to keep track of things so their cost goes up.. and you end up in nearly
the same boat (sometimes it remains cheaper.. sometimes it gets more expensive.. it all
depends on how much you are willing in a 1 billion dollar contract to find 1 million dollars
in corruption. Most of the time, the cost is in the multi-millions and if there is no
corruption.. everyone feels like you REALLY wasted money. If however there is corruption, then
you feel justified or wonder if you found it all and need more auditing.)

Voting machine integrity through transparency

Posted Apr 6, 2008 2:42 UTC (Sun) by rmunn (guest, #40618) [Link]

So I am not surprised that lots of places bought stuff that was snake-oil. I am more surprised that we are re-evaluating it so quickly :).

I would add another reason to your list of 3. Most people tend to know the limits of their own competence, and trust experts in fields they're not competent in themselves. Most people know they aren't cryptology experts, for example, so when someone who claims to be a crypto expert tells them "Hey, I've got a really cool new crypto system to sell you," they have a tendency to trust that he knows what he's talking about. The way to get really secure crypto -- open design that's been hacked at for twenty years by an entire community of experts -- doesn't occur to them, because it's slightly counterintuitive. Your average non-expert thinks, "Yeah, but this new system has a secret design, so it must be even more secure than that open-design system over there." And that's why people continue to pay millions for snake oil like CSS (the DVD type, not the HTML type).

I think something similar may be happening with the voting-machine problem. You've got a bunch of election officials who aren't computer experts (and know this), so when someone sells them a system with the proviso "You can't reveal how the system works, so that the Bad Guys won't be able to hack it," they actually think this is a good idea.

Hmmm, maybe that's two reasons, not just one. First, people tend to trust those they believe to be experts; and second, Security through Obscurity is something that intuitively makes sense to non-experts. And so when one "expert" tells them S-through-O is a good idea and the other "expert" tells them no, it's not -- they tend to believe the first guy, and question the expertise of the second guy.