[Fsfe-ie] perspective on e-voting

Fergal Daly fergal at esatclear.ie
Mon Mar 1 01:46:15 CET 2004


On Sun, Feb 29, 2004 at 08:08:43PM -0000, Niall Douglas wrote:
> > The problem is that you don't know that the source code you saw is
> > actually running on the machine and no matter how much you study it,
> > you'll never really know that it's actually 100% bug free.
> 
> Data signing techniques could fix this and all software has bugs. 
> Also, you don't need a perfect voting system, just one which is 
> better (more accurate) than the current system - and I'm personally 
> not too bothered about a flawed system which has in place an active 
> method of improvement over time.

Data signing only works for the person who checks the signature and since
I'm not going to be let near a machine in order to check the ROM signature,
it's no good for me. It's also no good for people who have no idea what a
"ROM signature" is. They shouldn't have to know.

How do I check the signature of a PCI controller or a chip that's labelled
as a Motorola 68000 anyway?

A "well funded adversary" could very easily make a ROM chip containing 2
images, switchable in some way (possibly by radio). This is all a bit much
but in 10 years how much will it cost to do this? These machines will be
used for 20 years.

And so far I've only been talking about intentional alterations and software
bugs, there's radiation induced bit-flipping to consider too. It happened in
Belgium, some guy got 4096 more votes than his own party's total, so they
spotted it and the expert conclusion was a bit-flip. It's probably happened
lots more in non-spectacular ways but it's never spotted because there's no
paper trail.

There's also the possibility of hardware glitches where all the day's votes
get wiped etc etc. There's a zillion things that can go wrong. A backup
record that's not susceptible to microscopic influences is the only remedy.

We actually have a very secure system at the moment. It's secure because people
from all sides of the election are keeping one-another honest. There is no
single point of failure. The ballot boxes are watched by multiple people
(who don't trust each other) from the time they're opened to the time
they're emptied.

> BTW when I said "open", I meant it being able to be altered by 
> volunteers a bit like a sourceforge project - not just publishing the 
> source. This brings the formidable security & debuggability 
> advantages of free software to bear. By far and away free software is 
> *ideal* for these kinds of software as they don't need to be 
> innovative.

That would be great but it doesn't address the trust problem. The citizens
still have to take the word of an elite. It's a bigger more varied elite but
still.

> The worst thing in my mind is to make these boxes and use them 
> unchanged - this gives time for special interests to discover how to 
> compromise them with no opportunity for the holes to be found and 
> sealed.

Haven't several studies shown that open source and security by obscurity are
about equal? Open source beats SBO for fix time but in this case, you only
need to fix the hole for polling day, so it's not a huge matter. In fact
recently several exploits have been found and fixed after first being used
by blackhats (Debian's recent compromise was a case I think). This would be
disastrous for democracy as the people who just stole the election are now
in power and unlikely to look too hard for the security hole they used to get
there.

I actually think that SBO could be better for voting machines than open
source security. Many holes in MS software (for example) are found through
repeated probing of interfaces looking for buffer overruns etc. This is only
possible if you have unrestricted access to a copy of the software to play
with. If you have no voting machine, you'll have to wait a few years between
attempts to compromise it. So finding the holes will be difficult.

That said, I believe it should be open source because a paper trail makes
software security a relative non-issue.

> A paper trail is only useful if what is printed out is 
> identical to the vote recorded electronically and if humans continue 
> to manually count the paper copies (and the latter is precisely what 
> the government is trying to save costs upon).

The paper trail is most useful when what is printed out _differs_ from
what's recorded electronically. In fact its whole raison d'être is to catch
this problem. When there's no difference, its only job is simply to reassure
people that the system is working ok (also important).

As for manual counting, the proposed system (and any other system that puts
computers in control) has massive staff overheads. Each of the 6,300
machines needs an operator and polling stations are open for 14 hours. The
government will be training 15,000 people in the operation of these
machines. The number of counting staff used to be about 2,300.

Also the machines need to be stored in a secure and controlled environment
whereas ballot boxes were stored in any old cowshed. The budget for
Waterford's storage for this year is 50,000. That means about 1 million per
year just to store the things. Then there's transport - they're heavy.
There's also batteries.

The supposed big problem with the current system is accidental vote
spoiling. For me, the best solution to that is computer assisted voting. The
computers help a voter produce an unspoiled ballot paper. The computers can
also help the counters to classify and count the papers. At no stage is a
computer responsible or in control.

A system like this would be much cheaper to implement than the proposed one
and it wouldn't need an army of operators to control and monitor all the
machines - if the machine isn't controlling the recording of votes then
there's nothing to gain from tampering with it.

F