Count me out on the e-voting status quo.

Early this morning, I read Rick Sincere’s blog entry on the matter of e-voting. Rick is a member of the Charlottesville Electoral Board, and his blog entry addresses some concerns about e-voting. The thrust of his post is that Charlottesville citizens have not complained about any security concerns, and that, practically speaking, security isn’t a problem with Charlottesville’s electronic voting systems.

While I don’t doubt that few have complained (I know that I haven’t — I didn’t know that I could report the “incident” of having to vote electronically at the times that I’ve cast my ballot), I disagree strongly with the idea that security is not a concern.

It terrifies me — I mean really terrifies me — that we have put the mechanism of democracy into a black box created by a private corporation. There is no mechanism by which a member of an electoral board or, more important, I can inspect the source code of the software that stores votes. It’s a secret. Punch cards are easy to inspect — piece of paper, stick you shove through a hole. No problem. The lever system can also be inspected — open it up, make sure that the lever connects to the mechanical devices in the system to register the vote. And so on. Voting on computers: who knows?

I’m a programmer by trade. I know code. I’ve written code solo, and I’ve written it in teams. Bugs are in all code. (TeX aside, though Donald Knuth is no mere mortal.) No programming team is going to eliminate them. Sometimes they only show up under extraordinary circumstances. But they’re there, and they always turn up. That’s no vote-fraud conspiracy theory — that’s just a fact.

If voter-verified voting is too expensive, fine, no piece of paper for me. But give me the source code. I want to look it over for bugs, and, if there are bugs, I’ll file my little incident report or blog about it or something.

Democracy is too important to turn over in secret to a private corporation.

See The Jaded JD for more.

Published by Waldo Jaquith

Waldo Jaquith (JAKE-with) is an open government technologist who lives near Charlottesville, VA, USA.

16 replies on “Count me out on the e-voting status quo.”

  1. Go for it, Janis! That way, you can be certain your vote won’t get counted.

    Absentee ballots aren’t usually tallied unless there are enough to change the outcome of an election. (This is because verifying and hand-counting paper ballots can be a major pain in the ass.) So if a candidate pulls ahead on election day with an uncontested margin of 200 votes, and there are 150 absentee ballots in the hopper, no one will bother with the absentees.

    By the way, you don’t have to be out of town on election day to qualify for an absentee ballot. You can just tell the folks at the Registrar’s Office (1st floor of City Hall for C’ville residents) that you might be out of town. They’ll let you fill out the proper form, and then you can cast your ballot.

    Another thing, Waldo: No one’s going to turn democracy over to any private corporation. Elections are run by electoral boards. E-voting won’t change that.

  2. One more thing for Waldo: If you can see the source code, you can hack the source code. You can even find a way to change that code, if you’ve a mind to. That’s why publicizing the source code for e-voting machines is the mother of all bad ideas.

    This doesn’t mean we can’t test voting machines for errors, however. In fact, electoral boards are required to make such a test prior to every election. You can even observe these tests, if you have qualms about the machines’ accuracy. (Oddly enough, opponents of e-voting never stick around long enough to observe these tests: Perhaps they fear the sight would confuse them.)

  3. If you can see the source code, you can hack the source code. You can even find a way to change that code, if you’ve a mind to.

    I can see that you’re not a programmer. :) Everything that you’ve said there is wrong.

    First and foremost, if it’s already possible for unauthorized individuals like myself to change the code, the machines are already hopelessly flawed. If I could “find a way to change that code, if [I had] a mind to,” I’d just decompile the machine’s code into Assembly (one of the languages with which I’m familiar) and do whatever evil deed that I wanted to do.

    Second, if I can see the source code, I most certainly cannot “hack” the source code. I can see a diagram of a bank vault in the Bellagio, but that doesn’t get me into the building and in a situation where I can safely break in, steal the money, and then leave. The best that I can do in seeing the source code is determine how it could be cracked, and alert election officials accordingly.

    Thirdly, if at least election officials could see the source code, I’d feel much better. But even they can’t look at it. It’s a violation of federal law for them to do so.

    Fourthly, any computer security expert will tell you that “with enough eyeballs, all bugs are shallow.” The more people that look at the source code to a program, the harder that it is for bugs to hide. That’s why the Firefox browser and the Linux operating system are very secure, and Microsoft Windows is forever being exploited by malicious hackers and 18-year-old Eastern European virus writers. Open source software is secure software. Closed source software is insecure software. “Security through obscurity,” as Bruce Schneier calls it, is inherently insecure.

    Finally, the entire setup right now requires that the software manufacturers and all of their employees and subcontractors be trusted entirely. If one of these manufacturers outsources their coding to India or Eastern Europe, as is the industry standard, we now have foreign nationals developing the mechanisms of U.S. democracy. I don’t trust Bulgarians with my vote. I shouldn’t have to do that.

    This doesn’t mean we can’t test voting machines for errors, however. In fact, electoral boards are required to make such a test prior to every election. You can even observe these tests, if you have qualms about the machines’ accuracy.

    I have observed the tests, when the city first acquired the machinery. Such tests are not nearly as exhaustive as is necessary for sufficient debugging.

  4. When voter tallies are maintained in black boxes that cannot be inspected (and doing so is a violation of federal law), democracy has been turned over to private corporations, in my estimation.

    Pardon me for saying so, Waldo, but your estimation is wrong. It is not only wrong, but it has been disproven outright through empirical and objective means. Epistemologically speaking, this contention falls somewhere between intelligent design and cold fusion. It makes pixie dust or alien abduction seem reasonable in comparison.

    Fact: Electoral boards run elections, not corporations.
    Fact: Electoral boards, not corporations, test voting machines for errors prior to each election.

    We can go into the merits of paper vs. electrons any day of the week, but if we’re speaking in terms of cold, hard facts, we have to concede that private corporations don’t exercise any control over the election process. What’s more, given the security protocols surrounding these machines (including but not limited to source codes), corporations couldn’t gain access to them even if they wanted to.

  5. Tim, the tally for elections is maintained inside of computer software that cannot be inspected. That means that electoral boards cannot review the machines. They can review some of the inputs and some of the outputs. But the mechanism cannot be inspected.

    If I were a mean and nasty programmer, I would set my voting software to skew the results in a low-key fashion. If the current date is an election day, if votes have been cast more or less continuously for X hours, if at least Y hundred votes have been cast on the machine, then Z% of the votes for the Republican should silently go to the Democrat. I could do that in a single line of code. Nobody would ever notice it, the log files would have no record of it, and because these systems have no audit mechanism, there’d be no way for anybody to ever find out.

    Physical machines can be inspected. My mother, who has spent her day as an election official in past years, was one of the people to inspect the mechanics of the device to ensure that when the lever is pulled, the machinery does its thing. A visual inspection can make clear that not only do the outputs match the inputs, but that there is no clear method for anything else to happen.

    Closed-source computerized machines cannot be inspected. We can check the inputs, we can check the outputs, but we can’t know.

    A better question is this: Why shouldn’t election officials be permitted to inspect the source code? What possible rationale is there for them not having that ability? Does that hypothetical harm of inspection outweigh the potential harm of a malicious programmer changing an election?

    What’s more, given the security protocols surrounding these machines (including but not limited to source codes), corporations couldn’t gain access to them even if they wanted to.

    Tim, they made the devices. “Gaining access” isn’t a problem. They not only created them, but they continue to possess them until the time of purchase. Then the machines are regularly updated — as they must be — with new releases of the software.

  6. The best that I can do in seeing the source code is determine how it could be cracked, and alert election officials accordingly.

    So you could see how the source code could be cracked, but you couldn’t actually crack it yourself? And what would happen if, say, someone less scrupulous than yourself were to examine the source code? I’m sure not all computer programmers possess your impeccable ethics, Waldo, and you’d be making a hacker’s job much easier.

    We’re not talking about Microsoft Windows here, and we’re not talking about viruses on a PC or iMac. The election process can’t be an anarchic, “open source” affair. It requires a very different sort of security than your home computer does.

  7. So you could see how the source code could be cracked, but you couldn’t actually crack it yourself? And what would happen if, say, someone less scrupulous than yourself were to examine the source code?

    Bellagio, Tim. Bellagio.

    The election process can’t be an anarchic, “open source” affair. It requires a very different sort of security than your home computer does.

    Open source software is relied on for the core operations of companies like Bank of America, Google, IBM, and, yes, Microsoft. There’s nothing anarchic about having source that people can see. Not edit. Not contribute to. See.

    I like my democracy out in the bright sunlight, please. Any election that can only function in great secrecy is un-American, at best.

  8. We can check the inputs, we can check the outputs, but we can’t know.

    Of course we can, unless you’re defining the word “know” in some trifling Cartesian sense. When the voting machines are tested, the inputs are known. If the output matches the input, we know — which is to say, we presume on the basis of empirical evidence — that the machine is functioning as it should. A simple test would catch even the “low-key” skewing you’ve proposed, even if employees of the corporation that produced the machines were to do the tampering. Granted, such a simple test would not actually “debug” the machine, but it would resolve reasonable doubts as to its accuracy or inaccuracy.

    Two good reasons, then, why election officials shouldn’t see the source code:

    1. Most of them wouldn’t understand it. They know even less about computer programming than I do. They wouldn’t be able to find any problems unless they gave the machines a trial run — which is exactly the method they use anyway. And if one of them were to find a bug in the code, s/he couldn’t fix it without inviting suspicion. Even at best, this measure would be useless.

    2. If electoral board members actually understood this code, one of them could alter it, and rig elections all by him- or herself. We’ve seen this happen with slot machines in Nevada: On a few occasions, programmers who could read the machine’s source code on-site altered that code so the machines would give fewer payoffs, or rigged the slots to hit jackpots after coins had been dropped in a particular sequence.

  9. I like my democracy out in the bright sunlight, please. Any election that can only function in great secrecy is un-American, at best.

    Nonsense. American elections use secret ballots because they help prevent voter intimidation. If no one can prove that you voted for John Kerry last November, no one can fire you from your job or harass your person for the choice. I like my government transparent, but I like my voting secret.

    One major objection to the Voter-Verified Paper Trail is that it could seriously compromise the secret ballot. A low-level corporate boss could easily check up on his employees’ voting patterns — “unofficially,” of course — just to make sure they made the right choice on Election Day.

    (I should have mentioned in that last post about the slot machines, that individual machines were rigged — which means that a wider knowledge of the unaltered source code wouldn’t have prevented these instances of tampering.)

  10. Two good reasons, then, why election officials shouldn’t see the source code

    This is amazing. You really and truly believe that voting by computer, such that election officials cannot inspect the equipment’s functionality mechanisms, is more secure than voting by mechanisms by which the equipment can be fully inspected?

    Nonsense. American elections use secret ballots because they help prevent voter intimidation.

    Strawman. I’m not talking about votes here. I’m talking about the election mechanisms.

    Here are the problems with your logic, Tim:

    * We can agree that if guns are illegal, only criminals will have guns. Why? The crime of illegally possessing a gun is a trifle to somebody who wants to commit murder. Likewise, if making available the source code to voting software is illegal, only criminals will have the source code. Why? Because they can always reverse-engineer a device. It’s illegal, but what do they care? The crime is far less than tampering with an election.

    * If the inspection is so thorough each time, as you say, then our evil programmer’s tampering would be detected, and he would be caught. So what’s the problem?

    * The computer security model that you describe — security through obscurity — fundamentally reinterprets everything known about good security. You have invented a new model of computer security without actually describing the mechanism by which it is superior to the modern standard. The model established by DoD/DARPA is the global standard today. What you’re saying is akin to telling a businessman “buy high, sell low,” or a baseball player “keep your eye off the ball.” Merely asserting that computer security is improved by only giving the bad guys access to the code does not make it so.

    I’m trying to envision the scenario in which, everyone given access to the source code, something bad happens. And, I gotta tell you, the only theories that I can come up with are no different than what our bad guy could do right now, with the source secret.

  11. You really and truly believe that voting by computer, such that election officials cannot inspect the equipment’s functionality mechanisms, is more secure than voting by mechanisms by which the equipment can be fully inspected?

    Yes. Your mistake is applying a model of cyber-security to a situation where it would be at best ineffective and at worst counterproductive. I’m talking about physical security, the kind where you lock things up so that other people can’t get at them. To use your firearms analogy, open source code on an e-voting machine would be akin to having a loaded gun in plain sight on your dining-room table: It would be fairly easy for someone to get to the gun and make unauthorized use of it. The system we have, however, is like having that same gun, unloaded, in a locked drawer or cabinet: It’s comparatively more difficult for others to gain access to the item, and even if s/he were to break the lock and grab the thing, it would be useless without ammo.

    You’re right to note that this locked-room approach doesn’t work for home computers or ATMs. Your PC and your ATM are designed for frequent unsupervised access, while voting machines are used only one day every several months (at most) under tightly controlled conditions. Your PC and ATM connect to phone and/or cable lines, so that information can flow freely back and forth. E-voting machines, in contrast, are isolated from each other, precisely so information won’t flow back and forth. The best protection for PCs and ATMs is open-source code. But the best protection for an e-voting machine is an old-fashioned system of locks, keys and alarms.

    If e-voting machines were connected to phone or cable lines (or for that matter, to each other), or if anyone could use these machines, without supervision, at any time, then you would be right to want open code. As it stands, security through limited access happens to be the best way to protect these machines against casual tampering.

    Once again, I should note that for the pragmatic purpose of an election, we don’t need to know how these machines work as long as we can verify that they do. The trial run establishes verification as well as an on-site code inspection could, without the risk of tampering (cf. those Vegas slot machines).

    BTW, one brief correction: I just received an e-mail informing me that absentee ballots received by 7 p.m. on election eve must be counted under Virginia law. I think I confused them with provisional ballots, which are even worse than absentees. So Janis’s absentee vote will probably be counted — provided she doesn’t make stray marks. Hand counts usually lose about one percent of ballots cast.

  12. Tim,

    Are you saying that there’s no difference between reading something and changing it? I get my local paper. I can read the stories. That doesn’t mean somehow magic happens and I get to edit those news stories from home and change the newspapers of every other person reading the paper.

    It’s the exact same thing with source code. Hand out a CD of the source code to an auditor (or even the public). Let them look it over and figure out how it works. Let them find problems and notify the state and the vendor. But just because they can look over the source code at home doesn’t mean that somehow I can change the source code and instantly upload it to every voting machine using that code.

    Also, just testing a machine is next-to-useless. Run a hundred ballots through a voting machine. That means it’ll work, right? Hardly. A machine that works 99.9% of the time would pass that test well over 90% of the time. Yet it would still lose thousands of votes on election day.

    Software is the most complex creation known to man. Windows XP alone has over 45 MILLION lines of code. A Boeing 747-400 “only” has about 6 million. And a lot of these vendors base their system on Windows. Even if it’s a stripped-down version — like WinCE for embedded devices — that’s “only” about 18 million lines of code. And given that voting machine vendors don’t have to audit the source code for “off-the-shelf” products like Windows, that means that the source code to well over 99% of the software running on your modern voting machine has NEVER been examined by ANY voting-related certification board.

    There’s a REASON that the Common Criteria — used by the federal government and private industry to evaluate software products and assign an Evaluation Assurance Level for code quality — lists functional testing as only the first step in examining a product.

    http://www.cygnacom.com/labs/cc_assurance_index/CCinHTML/PART3/PART36.HTM

    In other words, testing provides the absolute weakest guarantee of correctness.

    Given that every single screw-up in E-voting history — i.e., the 4500 permanently lost votes in Carteret County, NC, the replacement election in Hinds County, MS in 2004, the hundreds of blank votes in Dade County during a single-seat special election decided by 12 votes, the “flipped” votes in the School Board race in Fairfax in 2003, etc, etc — occurred on machines that had passed all sorts of tests, doesn’t that say something about the effectiveness of testing and certification we use on these machines?

    And given that over 95% of computer professionals polled by the Association for Computing Machinery, the largest and oldest professional organization for computer scientists, oppose paperless voting, doesn’t that say something about the confidence the vast majority of computer scientists have in these machines?

    -jdm

  13. Clarification: a Boeing 747-400 only has about 6 million physical parts. A 777 has 3 million parts, and 5 million lines of code. It took a team of 500 programmers over 5 years to write that code at a cost of $2 billion. I spoke to one of the developers who worked on the 777 (who has also written software for devices such as pacemakers, where the consequences of a bug are, shall we say, serious), and he says the software development and certification process for voting machines is an absolute joke.

    I gave a presentation to the top IBM product developers and researchers in Research Triangle Park, North Carolina — the largest IBM installation in the world — and they /laughed/ when I explained the arguments voting machine vendors used to support their claims of reliability. We, as a profession, know how to write solid code. We don’t know how to do it cheap, though, which is what the vendors are claiming they’re doing. And that’s just flat-out misinformed, misleading, or lying.

    -jdm

  14. Two last points (I promise :)).

    1. A computer security expert who audits computerized Vegas slot machines for a living testified on August 22nd before the Virginia Special Committee on Electronic Voting (or whatever it’s called). He described the methods they use to audit the source code, the machines, and the “hacks” that have slipped through the system, even given all the tests and physical security on Vegas casino floors (I’ll give you a hint: it’s more invasive and sophisticated than what is legally allowed in a precinct). He, as a computer security professional, voiced his support for voter-verified paper ballots. (Full disclosure: I was part of the same panel).

    2. Several studies by statisticians, political scientists, and engineers have found that hand-counted paper ballots “lose” the smallest percentage of votes: around one-tenth of one percent at most. This is based on a study of one-third of the precincts in the U.S., spanning 1988 – 2000. This is also significantly less than votes “lost” by paperless machines and punchcards; optical scanners and lever machines had reliability statistically identical to hand-counted paper. Google for studies by Charles Stewart of MIT.

    -jdm
