Open Source and Voting Machines

As the US election approaches, the paranoia about electronic voting machines grows. It is strange that the most technologically advanced nation in the world has so many problems with producing and implementing reliable voting machines. It is also a little bit bewildering.

The level of failure of electronic voting machines is bizarre to say the least. You’d think that before any electronic voting machine could be deployed in the US it would have to be certified as having bullet-proof security and perfect reliability. Not so.

The US Democratic Process

Before I dive into this topic, it’s worth explaining something to those who don’t live in the US and have never experienced a US election. First of all, it needs to be understood that, depending on where you are in the US, the number of votes you cast on election day can be very high. It varies from state to state, but you can be voting for the President, a senator, a congressman and a whole swathe of local officials including judges, sheriffs, constables and maybe even democratically elected bottle washers.

You may also be voting on propositions that have been added to the ballot on anything from gay marriage to the environment. So you may be casting many votes. The whole thing is made more complex by the fact that the names and voting possibilities change from district to district. Now you can simply “vote the slate”, which means voting for every single candidate that your party (Democratic or Republican) has put forward. In that case, one button is all you push, but you still cast many votes. However, you may prefer to be selective, in which case you go through the whole “slate” contest by contest.

It naturally follows that electronic voting – where an electronic device presents you with screen after screen of choices and you select what you want – makes a great deal of sense. And, into the bargain, you can make voting machines more accessible for disabled voters and they can be multilingual too.

Flawed Machines

The only catch is that voting machines have to be secure and impossible to compromise. Unfortunately trying to rig the vote seems to be a local sport in some parts of the US and the voting machine industry seems to have great difficulty in producing a product anyone has confidence in.

If you do a Google search on electronic voting machine failure you get over 300,000 references, including many referring to accusations of actual and potential election fraud plus some simply describing bizarre (and incorrect) vote machine behavior. There’s an especially large amount of criticism for Diebold machines, which produce no paper record of votes cast. In fact, problems with Diebold machines led to a satirical video from the Onion in February with the title “Shock, As Diebold Accidentally Releases Result of 2008 Election Early”.

As far as I’m aware vulnerabilities have been found on every voting machine currently on offer in the US. However that is not surprising because voting machines are computers and there are thousands of ways of compromising the average computer, whether it runs Windows, OS X or Linux. Nevertheless it is not beyond the wit of man to invent a system that is pretty much bullet-proof. The banks, for example, run thousands of ATM machines and they don’t easily get compromised. There are also tens of thousands of personal gambling terminals issued by the Hong Kong Jockey Club, which don’t get compromised.

Getting cash or placing a bet are, of course, different transactions to registering a vote. But designing safe electronic voting machines is a soluble problem.

  1. September 28th, 2008 at 07:50 | #1

    The new Voluntary Voting System Guidelines (VVSG) has been undergoing a review for more than a year including a request for public comments. Visit http://www.eac.gov/vvsg if you want to review the 598 page document. These guidelines have numerous and significant changes that will change the voting process in years to come.

    The new certification guidelines REQUIRE that new voting processes shall be SOFTWARE INDEPENDENT. This does not mean that no software is permitted. The definition of “software independence” is that any software failure will not change the outcome of the election. This requirement is intended to increase voter confidence that their vote is counted as intended.

    The use of connectivity to the Internet is expressly forbidden as is the use of wireless including Bluetooth. Infrared is however permitted.

    Also, a new class of voting processes is going to be created for INNOVATIVE systems. The EAC (Election Assistance Committee) realizes that they may not be able to write today appropriate guidelines for processes that have not yet been created. To encourage innovation the VVSG allows for innovators to bring to the EAC new processes, systems, technologies and they will design guidelines that permit certification if warranted.

    Robin you have made a good point suggesting that there be multiple processes that can independently count the vote and have them reconciled. The new VVSG will encourage these types of solutions.

  2. Bloor Robin
    September 28th, 2008 at 11:32 | #2

    Steve

    Thanks for the feedback. I’m pleased that something intelligent is being done. The mere suspicion of voter fraud and stolen elections undermines the whole democratic process.
    The idea of completely forbidding internet connection seems a little bizarre since it implies that no connection via the Internet can be secured and that is simply not the case. A better idea would be to forbid all unsecured internet connection.
    It’s an important point because, in what I’m suggesting, you need 2 data paths back to a central point in order to ensure that no votes are compromised on the way back.
    Having a dual process system where one process uses the Internet and the other doesn’t seems sane to me.
    The system I’ve mooted in the posting could work without Internet connection, but it would make it unnecessarily complex.

  3. September 29th, 2008 at 09:18 | #3

    Ultimately, using open source to review the code is a partial solution at best. If officials have the opportunity to test a system end-to-end (and the system has no way to determine whether it’s running the “real” election or the test), the high volume testing that California has proposed would make it difficult to create a trojan that presumed a test based on volume, and therefore didn’t hack specific results.

    I understand the call for open source, but I think it’s the kind of thing that could engender a false sense of security. If you’re blindly trusting the hardware and firmware, reviewing only the source is a bit lame. – Tim
