I object in the strongest possible terms to the notion that it is possible - much less desirable - to establish a fail-safe computing infrastructure for voting based on "open source" software.
The level of protection required for voting software surpasses that required for financial software, and it deserves far greater protection than even safety-critical software. Planes can crash, chemical plants can accidentally vent noxious gases, and medical devices can malfunction, while our democratic way of life goes on for everyone but the unfortunate few. Voting systems are national security systems. Compromise them and the outcome is as disastrous as invasion and occupation by a foreign power, or worse. Conquest by exploitation of voting system vulnerabilities not only preserves a country's economy whole to facilitate plundering; it occurs under the guise of the free exercise of the democratic franchise, manufacturing the fraudulent appearance of the consent of the governed while pre-empting resistance.
Those of my colleagues who advocate the benefits of collective development and inspection of software should consider the logistical difficulty of tying a human-readable text document to the invisible binary modules actually running on thousands of voting devices in the field, in a highly adversarial environment. Some believe that by adding layer upon layer of software to check software to check software, sufficient safeguards can somehow be put in place to provide a foundation on which we can bet the fate of the American Republic.
This is utterly misguided from a whole-systems perspective. "Open source" software is just one small component in the end-to-end voting system, which includes not just tabulation software but a vast array of other computer components such as operating systems, firmware, and device drivers. Consider that even if Diebold's optical scan software operated with perfect fidelity, it could be subverted through careful exploitation of integer overflow vulnerabilities reachable through its peripheral memory card, in such a way that the hypothetical pure-as-the-driven-snow software would be unable to detect that a bias had been introduced. And consider the process of deploying that vast array of components with total precision on hundreds of thousands of target devices in the field; that's hardly "open source". That's all done by people.
So more fundamentally: I consider all the output of a computer at all times to be suspect unless and until it is verified. Some of my colleagues feel the reverse; that we should trust the output of a computer unless we can show how it could be compromised. That shows a charming faith in other people's fundamental good nature, but that's no way to run a bank - or an election. When it comes to the integrity of computer systems that can quite literally take away my liberty, I don't accept "trust me - you don't need to double check this", and neither should you.
In consulting in e-Commerce security at very large companies over the last seven years, I've been constantly amazed at the astonishing ingenuity that both malicious insiders and external hackers bring to the challenge of compromising financial transaction processing systems. Human ingenuity knows no bounds when the prize is sufficiently rich. How much more dire the threat must be to any conceivable voting system? Some exploits might require years of preparation and millions of dollars to develop, but if the prize is the wealth and power of American Republic, one must presume ruthless people are willing to invest whatever is required. And are out there, right now. And are not going away, simply because someone else steps up to volunteer to write the vote tabulation software.
As a consequence, Jonathan Simon and I have shown that even to consider using optical scan devices, you need a secure hand count audit of at least 10% of the ballots in a congressional election, and potentially more to protect elections with fewer than 150,000 voters. You need to perform this audit whether it's Diebold's Jeffrey Dean, or Avi Rubin, or Alan Turing himself come down from Heaven, who writes the tabulation code. Because you simply don't, can't and never will be able to know - with sufficient certainty to possibly throw away the American Republic - what each of those thousands of optical scan devices is actually doing unless you check its output. By hand.
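The arithmetic behind "at least 10%, and potentially more for smaller elections" is worth seeing once. The following is an added illustration written for this page, not Simon and O'Dell's method or any election office's procedure. It assumes a constructed model: equal-sized precincts, a reported margin given as a fraction of all votes, an attacker who shifts at most a fixed fraction of a corrupted precinct's votes, audited precincts drawn uniformly at random, and a hand count that always exposes a corrupted precinct. The 2% margin, 10% per-precinct shift, 10% audit and 95% detection target are assumptions chosen for the example.

```python
"""Precinct-level audit sampling arithmetic (constructed illustration).

Shows why a fixed-percentage hand-count audit gives weaker protection in a
small election than in a large one: the attacker's required number of
corrupted precincts scales with the election, but the detection probability
of a random sample depends on absolute sample size, not percentage.
"""
from fractions import Fraction
from math import ceil, comb


def precincts_needed_to_flip(total_precincts, margin, shift):
    """Minimum precincts an attacker must corrupt to turn a true loss into a
    reported win of `margin` (assumed model, not an empirical figure).

    Moving x votes from B to A changes the margin by 2x/V, so the attacker
    needs x >= margin*V/2 moved votes; each corrupted precinct supplies at
    most shift*V/N of them.  V cancels, so k = ceil(margin*N / (2*shift)).
    Fractions are built from the decimal text so that binary float error
    cannot push ceil() up by one (e.g. 0.02*300/0.2 must be exactly 30).
    """
    m = Fraction(str(margin))
    s = Fraction(str(shift))
    return ceil(m * total_precincts / (2 * s))


def detection_probability(total_precincts, corrupted_precincts, sample_size):
    """P(a uniform random sample of `sample_size` precincts contains at least
    one corrupted precinct) = 1 - C(N-k, n) / C(N, n)  (hypergeometric)."""
    if corrupted_precincts <= 0:
        return 0.0
    clean = total_precincts - corrupted_precincts
    if sample_size > clean:
        return 1.0  # pigeonhole: the sample cannot be all clean precincts
    return 1.0 - comb(clean, sample_size) / comb(total_precincts, sample_size)


def min_sample_for_confidence(total_precincts, corrupted_precincts, confidence):
    """Smallest sample size whose detection probability reaches `confidence`."""
    for n in range(total_precincts + 1):
        if detection_probability(total_precincts, corrupted_precincts, n) >= confidence:
            return n
    return total_precincts


def audit_plan(total_precincts, margin, shift, audit_fraction, confidence):
    """Compare a fixed-percentage audit with the sample size the model says
    is needed to reach `confidence`.  Returns a plain dict of the figures."""
    k = precincts_needed_to_flip(total_precincts, margin, shift)
    fixed_n = ceil(Fraction(str(audit_fraction)) * total_precincts)
    needed_n = min_sample_for_confidence(total_precincts, k, confidence)
    return {
        "precincts": total_precincts,
        "attacker_must_corrupt": k,
        "fixed_sample": fixed_n,
        "fixed_sample_detection": detection_probability(total_precincts, k, fixed_n),
        "sample_for_confidence": needed_n,
        "sample_fraction_for_confidence": needed_n / total_precincts,
    }


if __name__ == "__main__":
    # Constructed inputs: 2% reported margin, attacker moves at most 10% of a
    # corrupted precinct's votes, 10% fixed audit, 95% detection target.
    for n_precincts in (300, 60):
        plan = audit_plan(n_precincts, 0.02, 0.10, 0.10, 0.95)
        print(
            f"{n_precincts} precincts: attacker must corrupt "
            f"{plan['attacker_must_corrupt']}; a 10% audit "
            f"({plan['fixed_sample']} precincts) detects with "
            f"p={plan['fixed_sample_detection']:.3f}; 95% confidence needs "
            f"{plan['sample_for_confidence']} precincts "
            f"({plan['sample_fraction_for_confidence']:.0%})"
        )
```

Under these assumptions a 10% audit of a 300-precinct district catches a margin-flipping attack with roughly 96% probability, but the same 10% audit of a 60-precinct election catches it less than half the time; reaching 95% there requires auditing 23 of the 60 precincts, closer to 40% than 10%. The model ignores unequal precinct sizes and attackers who spread small shifts across many precincts, both of which change the numbers, but not the direction of the conclusion.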
But ignore the software for a moment.
What. Is. The. Point. of. Optically. Scanning. Ballots?
Cost? Voting is national security. Design, buy, count and secure a decent paper ballot for every election in the US you care to protect for less than the tab for one week's unprovoked military conflict.
Speed? Come off it. Canadian federal election results are known with certainty by midnight. Canadians are worthy people, but they possess no magical powers that enable them to count to 500 or so, in public, with repeatable accuracy and to all parties' satisfaction in a reasonable amount of time.
Ability to infer voter intent? Let me get this straight: it's somehow a good idea to replace a self-correcting collection of multiple human brains (each one with processing power equivalent to thousands of conventional computers) with a device dumber than a cockroach; in practice, so limited in its abilities that we have to severely dumb down our ballots for the poor little things to even have a snowball's chance of interpreting voter intent. ("Be careful to fully fill in the oval. Don't go over the edge, or it doesn't count. You must draw a dark line precisely joining the other two lines next to the candidate's name..."). Surely some of the brilliant user interface designers in the IT industry could come up with a paper ballot designed for people and not for machines; for accuracy in recording voter intent and suited to public counting of votes by hand... rather than foisting ballots on people that look like 19th Century newspapers.
In my opinion, one of the most important ethical obligations of a computer professional is to inform the public when automation is an inappropriate solution. Since op scan tallies always have to be verified by hand counting, why invite the machines to the party in the first place? What is the problem that "open source" voting software solves? What aspect of "open source" optical scan tallying supersedes the civic benefits of restoring trust in elections by entrusting election administration to the citizens themselves?
Can we swallow our collective technical pride for once as a profession, and just say "no" to such an utterly inappropriate use of technology?
Bruce O'Dell is a self-employed information technology consultant with more than twenty five years experience who applies his broad technical expertise to his work as an election integrity activist.
His current consulting practice centers on e-Commerce security and the performance and design of very large-scale computer systems for Fortune 100 clients. He recently spent a year as the chief technical architect in a company-wide security project at one of the top twenty public companies in America, led multiple client projects for compliance with new credit card data security standards, and has designed secure "virtual cash" e-commerce protocols. In 2007 he was invited to testify on computer voting security issues to the Texas and New Hampshire legislatures.
He lives just outside Minneapolis, Minnesota, and shares a love of good books with his wife - and her beautiful garden, with their talkative cat.
This author propagates security by obscurity! The best way to secure a system is to make sure all pieces are public and ready for inspection. For example the most secure OS on this planet, OpenBSD, is completely open sourced. Even the most secure parts of it are completely open and ready for anyone to inspect, and yet it's the most secure.
If you build a machine in which so many people have an interest in defrauding it, you cannot rely on a single entity like a vendor to be reliable unless everything they do is public. You can't trust a vendor like Microsoft not to include a backdoor in your software; you simply cannot know whether it's there or not until you see the whole design, including the source, for yourself.
Claiming open source software is insecure is typical sales talk of lobbyists.
Lobbyists use simplified one-sided arguments which can be easily understood by anyone, and if you understand their argument you feel like a sort of an expert. But they always make false simplifications.
For example Microsoft lobbyists claimed that Linux would fall prey to viruses as soon as it became sufficiently popular.
Simple, easy to understand, but flawed to the core. Viruses get a foothold on an OS because of bad design and security problems known by the crackers before they are known by the vendor. Linux has a sane security design which gives no foothold to viruses. Even years after this argument was first proposed there is still not a single Linux virus.
Don't believe lobbyists. Believe in the power of the masses and the public process of peer review. If there is something wrong with the design it will be found eventually by an expert and can be confirmed by others. It can be fixed.
Voting is too important to leave into the hands of a private company. Diebold has shown us again and again.
by
Han (0 articles, 2 quicklinks, 0 diaries, 195 comments)
on Friday, October 27, 2006 at 5:39:00 PM
I'm a software designer and you don't convince me.
I've been involved in software development since 1987, Han, and you don't convince me. Sometimes you just have to do like O'Dell says and throw out the machine.
Paper works for Canada. We should go back to it.
by
Rob Kall (760 articles, 3850 quicklinks, 320 diaries, 1642 comments)
on Saturday, October 28, 2006 at 10:52:12 AM
Bruce O'Dell did not state, in any way, shape, or form, that proprietary software is better than open source. How could anyone possibly infer what the first commenter just wrote from this article unless he didn't read it?
He is arguing AGAINST electronic tabulators and FOR hand-counting.
by
khedges1 (0 articles, 0 quicklinks, 1 diaries, 19 comments)
on Saturday, October 28, 2006 at 4:06:28 PM
Open source software is not a solution. It isn't even a partial solution.
As O'Dell has explained in his series of articles here on opednews, computers can be hacked. People like O'Dell make a darned good living trying to keep that from happening, but it still happens all the time because there aren't enough O'Dells to go around and not everybody can afford to hire one.
The source code may be clean when it is delivered to the election officials, but with trillions of dollars at stake, as O'Dell explains, only a small handful of the hundreds or thousands of technicians necessary to implement the open source voting systems would have to be compromised in order to subvert an election. And they're the same people who would be verifying the election afterwards, so they're not likely to tell anyone what they've done.
Elections have to be transparent to ordinary voters. That means hand counted paper ballots (HCPB) at the precincts. The more machines, the more technicians we have to trust because they can install, operate, maintain, repair, and verify the machines, whereas ordinary citizens, even if we had the access that elections officials and vendors have, which we don't, simply can't do it. So we'd have to trust them, which means that even with open source, we'd still have faith-based rather than transparent elections.
O'Dell is no Luddite. His computer credentials far outweigh those of many of the open source vendors. So if they only trust experts, he's an expert -- why don't they trust him? Can even experts be wrong? Of course they can. Anytime two experts disagree, one of them is probably wrong, and sometimes both of them are wrong. O'Dell is an expert who says that we shouldn't trust the experts. He's right.
by
Mark E. Smith (21 articles, 29 quicklinks, 77 diaries, 975 comments)
on Friday, October 27, 2006 at 7:53:28 PM
Sure, there can be fraud with paper ballots. But there are more opportunities to catch it if we have multiple sets of eyes following a paper trail.
We also need to prevent candidates from taking office before the election results are final (including recounts in close races) like Brian Bilbray in CA-50, or premature concessions.
by
khedges1 (0 articles, 0 quicklinks, 1 diaries, 19 comments)
on Saturday, October 28, 2006 at 4:11:45 PM