E-Government & Transparency

As someone in a status-conscious profession who didn’t go to an Ivy League school, I would like to believe that Paul Graham is right about this. But although I certainly think it’s true that the value of an Ivy League education is often overstated, I don’t think it’s true that it doesn’t matter where you went to college.

To get the obvious point out of the way first, I believe him that an Ivy League education won’t make you any smarter. If you were smart when they accepted you, you’ll be just as smart when you leave. And since to a first approximation career success is a function of intelligence and determination, neither of which an Ivy League college can impart, I’m not surprised that studies have found little correlation between Ivy League attendance and lifetime earnings.

However, I think an Ivy League institution offers two important advantages, both relating to who your classmates are. First, the intelligence of your classmates determines the pace and intellectual level of your classes. Professors pace their classes to be understandable to the average student. If you’re significantly smarter than the average student in a class, you’re not going to learn as much as you could be learning, and if you’re lazy and undisciplined, like I was at 19, you might get bored and stop showing up for class entirely.

Second, in most professions, who you know does matter. It matters more in some professions than others, of course, but there are hardly any professions in which it doesn’t matter at all. Indeed, Graham himself has noted that one of the best ways to meet possible startup-founder-partners is to meet them in college. And although there are smart people at every college, on the margin there will certainly be more smart people at Ivy League schools than non-Ivies.

It matters even more in public policy (this might be largely a reflection of the fact that public policy isn’t an especially meritocratic field, but I don’t think that’s the entire explanation). Being a good journalist, policy analyst, lawyer, lobbyist, etc. is largely a function of knowing a lot of people who are doing things related to what you’re doing, preferably in prominent positions. If I’ve got a question on education policy, for example, it’s helpful to have in my rolodex a friend who works on education policy. People who go to Ivy League schools are likely to have a larger number of people in positions of power and influence than people who go to non-Ivies.

I would note that, at least from an outsider’s perspective, academia seems to be a bit of a special case in the sense that who your professors were actually does matter. Going to a good school for a PhD allows you to develop relationships with people whose recommendations will carry more weight on the academic job market. This seems to be the same mechanism that makes going to a good law school important to getting good clerkships, which in turn is a major qualification for being a law professor or judge. If you aspire to a profession in which a limited number of slots are doled out subjectively by existing elites, where you went to school can matter quite a lot.

EFF predicts that the Holt bill will finally be coming to the floor for a vote later this week. As Larry Nordin and I wrote last month (and as I wrote in The American in May) the bill would be an important step in the direction of a more secure and reliable voting process. If you didn’t catch it, be sure to check out the discussion we had on the podcast with Ed Felten on e-voting reform and the Holt bill.

Still, I agree with EFF’s Matt Zimmerman that the Holt bill leaves a lot to be desired:

Are DREs, even those utilizing VVPATs, fraught with problems? Of course. Should more rigorous audits be mandated? Absolutely. But a heartfelt desire to ban DREs or improve audits is no reason to oppose this bill, especially since states are not prohibited from making either of these reforms — or nearly any other voting system-related reform — on their own.

Our support for HR 811 is tempered by profound disappointment that one of the bill’s pillars has been watered down to the point of ineffectiveness due to pressure from the proprietary software industry. The source code disclosure provisions, requiring that voting system source code be disclosed at the very least to litigants and other “qualified persons” who can test the integrity of the voting system under a non-disclosure agreement, have since the bill’s introduction been replaced by a requirement that “voting system software” — a definition that does not explicitly include source code — be disclosed. While “correcting” language was included in the Committee Report as a result of prompt feedback from computer security experts after the bill’s current language was released, that Report will likely not be sufficient to ensure source code access. Having litigated cases in which prompt access to voting system source code is critical, EFF’s strong advocacy for this bill has been based in large part on the source code disclosure requirement. We call on Rep. Zoe Lofgren and the other members of the Elections Subcommittee to promptly fix this provision — using the explicit language included in the Committee Report — before the bill makes it to the floor of the House.

Probably the biggest problem with the latest versions of the Holt bill is the provisions allowing the use of cheap thermal printers in the 2008 and 2010 elections. In my opinion, using these cheap printers might be worse than no paper trail at all, because they’re prone to jamming and because if the paper is left on the reels it can compromise vote anonymity. I would rather have legislation that exempted states entirely for 2008 and imposed more rigorous standards for 2010 than try to impose half-baked reforms for 2008 that end up making the concept of paper trails look bad.

Radley points to this story about a Minnesota ruling that the state must give a man convicted of drunk driving access to the source code of the breathalyzer used in the case against him. Radley gets it exactly right:

This is a great ruling, and needs to happen more often. Not just for breath machines, but for red light and speed cameras, too.

The companies that make these machines have in the past refused to turn over source code, which in some instances has led to mass acquittals.

You’re supposed to have the right to confront your accuser in this country. If these machines are going to be the only thing standing between an innocent person and the wreckage that comes with a DWI conviction, defendants have every right to examine their margin for error, how they process breath samples, and whether they’re tamper-proof.

Quite so. I also think the “trade secret” argument is a bit of a red herring:

This isn’t the first time breathalyzer source code has been the subject of legal scrutiny. A Florida court ruled two years ago that police can’t use electronic breathalyzers as courtroom evidence against drivers unless the source code is disclosed. Other alleged drunk drivers have had charges thrown out because CMI refuses to reveal the Intoxilyzer source code.

If a state is contractually prohibited from allowing a defendant to examine all relevant evidence in a criminal case—and that’s what the source code is—then the state should have to choose between re-negotiating the contract or dropping the case. Any trade secret issues are and should be the problem of the prosecutors, not the defendant.

A great insight from Avi Rubin, who attributes it to California Secretary of State Debra Bowen:

The current certification process may have been appropriate when a 900 lb lever voting machine was deployed. The machine could be tested every which way, and if it met the criteria, it could be certified because it was not likely to change. But software is different. The software lifecycle is dynamic. As an example, look at the way Apple distributes releases of the iPhone software. The first release was 1.0.0. Two minor version numbers. When the first serious flaw was discovered, they issued a patch and called it version 1.0.1. Apple knew that there would be many minor and some major releases because that is the nature of software. It’s how the entire software industry operates.

So, you cannot certify an electronic voting machine the way you certify a lever machine. Once the voting machine goes through a lengthy and expensive certification process, any change to the software requires that it be certified all over again. What if a vulnerability is discovered a week before an election? What about a month before the election, or a week after it passes certification? Now the point is that we absolutely expect that vulnerabilities will be discovered all the time. That would be the case even if the vendors had a clue about security. Microsoft, which arguably has some of the best security specialists, processes and development techniques, issues security patches all the time.

Software is designed to be upgraded, and patch management systems are the norm. A certification system that requires freezing a version in stone is doomed to failure because of the inherent nature of software. Since we cannot change the nature of software, the certification process for voting machines needs to be radically revamped. The dependence on software needs to be eliminated.

Ed Felten reports on the results of California’s studies of the source code of e-voting machines used in the state. I haven’t had time to read the reports myself, but according to Felten, they’re pretty devastating:

All three reports found many serious vulnerabilities. It seems likely that computer viruses could be constructed that could infect any of the three systems, spread between voting machines, and steal votes on the infected machines. All three systems use central tabulators (machines at election headquarters that accumulate ballots and report election results) that can be penetrated without great effort.

It’s hard to convey the magnitude of the problems in a short blog post. You really have to read through the reports — the shortest one is 78 pages — to appreciate the sheer volume and diversity of severe vulnerabilities.

It is interesting (at least to me as a computer security guy) to see how often the three companies made similar mistakes. They misuse cryptography in the same ways: using fixed unchangeable keys, using ciphers in ECB mode, using a cyclic redundancy code for data integrity, and so on. Their central tabulators use poorly protected database software. Their code suffers from buffer overflows, integer overflow errors, and format string vulnerabilities. They store votes in a way that compromises the secret ballot.

I think there are two policy lessons to take away from all of this. First, source code secrecy is a lousy way to protect voting machines. Any moderately skilled hacker who gets his hands on an e-voting machine will be able to reverse-engineer enough of the voting machines’ innards to uncover one of the many flaws in these machines. Secrecy simply shields e-voting vendors from public scrutiny and criticism, thereby making it less likely that these security problems will be detected and fixed in a timely manner.

Secondly, given the sheer number of vulnerabilities, it’s not reasonable to expect there to be secure voting machines on the market any time soon. Even if it were theoretically possible to create such machines, it will take several iterations of companies developing new machines and security experts tearing them apart before they get it right. So for at least the next couple of elections, states that care about security should be using paper ballots.

In his latest column for The Hill, the American Enterprise Institute’s John Fortier has a critique of the Holt bill that I found rather frustrating:

Election administrators have weighed in with a dose of reality. There is no way to implement nationwide paper trails by the 2008 elections, nor by 2010. House leaders have floated a compromise to delay implementation, but to require simple cash register-style paper trails in 2008. This also will not work.

The expedited timeline for these changes is driven by activists who are convinced that manufacturers like Diebold or clever hackers are likely to commit massive voter fraud. Some have even come to the position of opposing electronic voting machines altogether, even those with paper trails. They now advocate for voting on paper alone, counted by hand. While this might work in some parliamentary systems, where voters cast a single vote on a ballot, try counting ballots by hand in California, with 20 offices up for election and 20 more referenda. And paper ballots are also susceptible to fraud through ballot-stuffing or lost or defaced paper ballots.

What is needed is a modest push for paper trails, with flexibility for states and federal money to help states move in that direction over a six-year period.

This modest approach will not please those who now favor voting only on paper. One request: If you have comments about this column, no e-mails, please–write to me on paper.

The critique of paper ballots here is breathtakingly inane. Hardly anyone is opposing the use of optical-scan machines to count paper ballots marked by voters, because the results of optical-scan ballot counting machines can always be verified with a hand recount. And of course, the retort in that final sentence is a complete non-sequitur.

Like virtually all defenses of e-voting I’ve seen, the piece does not even mention, much less respond to, the substance of the anti-e-voting argument. Fortier’s argument, if we can call it that, is limited to portraying us “activists” as paranoid luddites who are just opposed to technological progress. That ignores the fact that the critics of e-voting include a significant number of computer science professors and a whole lot of computer programmers. These are not people with a knee-jerk opposition to technology, as such. Rather, they are people who understand the limits of technology well enough to know that touch-screen voting is a bad idea.

E-Voting in The Hill

August 2, 2007

In The Hill today, Lawrence Nordin and I make the case that the Holt e-voting bill, while far from perfect, would be a step toward more secure elections.

The New York Times has a story on voting reform that suggests an explanation for something that’s puzzled me for a while. One of the consistent patterns you’ll find in the e-voting debate is that state election officials tend to side with e-voting vendors rather than with security experts. This always struck me as a little bit puzzling, because the case against e-voting isn’t that hard to understand, and people who work with these technologies every day, of all people, should be able to understand them.

One explanation is that once a state has chosen a particular voting technology, they get egg on their face if they subsequently have to admit that the technology in question is a disaster. But some voting officials’ vehemence, especially as documented by Avi Rubin, seemed too strong to be explained purely as not wanting to admit your own mistakes.

Things make more sense if there’s a revolving door between state election officials and voting equipment vendors. You don’t even have to imagine explicit corruption. If many of your friends and former colleagues work for e-voting vendors, you’re more likely to believe them than some Ivory Tower security researcher you’ve never heard of.

I also think this is another reason that touch-screen voting machines are a bad idea—even with paper trails, audits, and the rest. Voting machine vendors have an incentive to make their products as complicated as possible so that they can charge the state more money for them. Making a touch-screen machine more secure means buying more hardware—fancier printers and diagnostic and auditing tools. On the other hand, making paper balloting more secure mostly means investing more in human inputs—hiring more election observers, giving election judges more training, conducting more hand recounts. Those aren’t things for which voting equipment vendors can charge a premium.

A voting machine with a paper trail is still a lot better than a voting machine without one. So I hope the Holt bill passes. But I would be much happier if Congress passed a law simply outlawing the use of touch-screen voting machines (perhaps with an exception for disabled voters). Such a bill would be a lot shorter and less intrusive, because it wouldn’t include all these extra provisions aimed at papering over the weaknesses of DRE+printer combinations.

Holt Bill Compromise?

July 20, 2007

I’ll wait to see the final proposal, but my initial reaction is that this is not a compromise worth having:

House Democratic officials say they are now working on compromise legislation that could allow hundreds of counties in 20 states to simply add tiny, cash-register-style printers to their touch-screen machines for the 2008 and 2010 elections, while waiting for manufacturers to develop better technology by 2012.

House officials said the compromise would ensure that all voting machines nationwide would have some kind of paper trail in 2008 through which voters could verify that their ballots were properly recorded and that could be used in recounts. Under the plan, New York, which has delayed replacing its old lever machines, would be the only state that would have to change its entire voting system by November 2008.

Adding cheap, easily-jammed printers to voting machines and then making fragile cash-register-style rolls of paper the official voting record is just a horrible idea. Printers will jam. Those giant paper rolls will be a pain to deal with. Frustrated poll workers will have no choice but to continue the election on machines with broken printers. With a significant number of votes either never printed or stored on damaged paper tape rolls, it will be impossible to conduct a meaningful recount. Which, if the election is close, will mean endless litigation as the courts try to reconcile a legal mandate that the paper record be the official record with the bare fact that many of the votes were never recorded on paper. And then, of course, the failure of those crappy printers will be used as an argument against paper trails altogether.

Also, if the paper tapes aren’t expected to be a permanent solution, how much sense does it make to force states to purchase them for one election? They might be cheap, but they’re not free. And it’ll be a non-trivial amount of work to install them and train poll workers to use them properly.

My sense is that states can still have high-quality paper-based voting systems in place by 2008. If nothing else, Congress can allow states that really can’t meet the deadline to petition for a federal waiver. But if it’s really true that we can’t get high-quality, paper-based systems in place by November 2008, I would much rather have Congress leave the rules for 2008 unchanged and put good rules in place for the 2010 election than force states to install some kind of horrible Frankenstein voting system for one or two elections.

I’ve got a new article on e-voting up at The American. The basic argument will be familiar to regular TLF readers:

The fundamental problem with computerized voting machines is their lack of transparency. In order to ensure that elections are conducted fairly and accurately, it is important that election officials, candidates, and members of the general public be able to observe and verify every stage of the election process. Computerized voting machines make independent verification of election procedures extremely difficult because important steps of the election process, including recording, tallying, and reporting votes, occur unseen inside a computer chip.

That’s not the only reason e-voting is dangerous. One of the important safeguards in the traditional election process is that it is extremely labor-intensive. Thousands of people are involved in the process of collecting and counting votes. As a result, stealing an election almost always requires a large, organized conspiracy that would be hard to keep secret. In contrast, e-voting can allow a single, well-placed individual to tamper with the software of numerous voting machines at once, potentially altering the outcome of an election in an entire congressional district or state. Indeed, this is more than a hypothetical scenario. Last fall, Princeton computer science professor Ed Felten obtained a widely-used e-voting machine and created a virus that could be used to steal an election. The virus would spread from machine to machine through the memory cards that install software upgrades…

The safest course of action is to return to a tried and true technology: paper ballots. There are a variety of ways to mark and tally paper ballots, but probably the best choice is optical-scan machines. These have a proven track record, and many state election officials have decades of experience with them.

I go on to discuss the Holt bill, which is certainly less than ideal, but which in my judgment would be a big improvement over the status quo.