Back   OpEd News
Font
PageWidth
Original Content at
https://www.opednews.com/articles/Trust-the-vote-Not-in-DC-by-Rebecca-Mercuri-101108-990.html
(Note: You can view every article as one long page if you sign up as an Advocate Member, or higher).

November 8, 2010

Trust the vote? Not in DC!

By Rebecca Mercuri

Despite a massive and successful hacker attack (during the pre-election trial) of the Washington DC Internet voting system, the officials decided to allow remote votes to be cast using this highly vulnerable product. This problem is as much one of election integrity advocacy as it is of election administration.

::::::::

I was shocked to read on the DCBOEE's website (at <http://www.dcboee.us/DVM/default.asp>) that they had decided to proceed with the use of the voting system they obtained from OSDV to collect Internet ballots in the November 2, 2010 general election, despite it having been proven to be highly flawed in terms of both security and integrity. I have become increasingly concerned that the recent wave of "voting hack exhibitions" are having the reverse effect. I'm not saying that these experiments shouldn't continue, but by somehow validating that the systems have been subjected to "testing" (even when this testing exposes massive vulnerabilities), the vendors and election officials seem to feel that it is appropriate to go ahead with deployment of these products. "At least we know [some of] the problems" is no way to run elections.

A lengthy October 22nd posting by Gregory Miller at the OSDV's TrustTheVote Project blog (at <http://www.trustthevote.org/d-c-reality-check---the-opportunities-and-challenges-of-transparency/comment-page-1#comment-9463>) underscores this "head in the sand" attitude by lauding the fact that "the District owns 100% of the source code, which is fully transparent and open source" as somehow a good thing. Actually this "ownership" means that the DC Election Officials had the freedom to deploy it, and they apparently did do so, despite knowing that it was vulnerable to international attack.

Does the DCBOEE really think that their website admonishment about the paltry $10,000 fine and possible imprisonment is going to stop anyone, especially foreign hackers (who may not be subject to US laws), from using proxy servers to avoid detection? Does the OSDV truly believe that the DCBOEE has the ability to detect tampering if it occurs? And if they discover that the system was hacked during the election, do they have a plan to allow the affected voters to recast their ballots in a secure way? Heck, when consumer electronics or automobiles are discovered to have systemic problems, they are RECALLED! Shouldn't the OSDV folks be ashamed of themselves for not including a clause in their distribution that IMMEDIATELY RECALLS THIS PRODUCT and ENSURES IT WOULD NOT BE USED IN ANY ACTUAL GOVERNMENT ELECTION, if any vulnerabilities test or subsequent data exposes it as insecure and/or unreliable?

Even more disconcerting is the cavalier attitude by the DCBOEE, in deciding to go ahead with this moronic experiment, knowing that the system was so massively flawed. This proves EXACTLY WHAT I (and others) HAVE ALWAYS SAID ABOUT OPEN SOURCE VOTING -- even if OSDV had been able to provide an update to remedy all of the KNOWN problems, there would be no time to adequately test it, and there would be no way for the voters to ensure that the CORRECTED version (and not a flawed or hacked one) is being used at the time of the election.

Open source voting thus provides a false sense of security about electronic elections, which this sad experience has vividly demonstrated. As Ken Thompson said in 1984: "You can't trust code that you did not totally create yourself. No amount of source-level verification or scrutiny will protect you from using untrusted code." This is still true, whether the election community, seemingly well-intentioned developers, and security experts want to believe it or not. Transparency is NOT equivalent to Trust, especially in voting systems.

Don't get me wrong, of course I believe that open source is a good thing for many types of applications -- voting (especially over the Internet or in fully electronic systems) just is NOT one of these. Sure, all aspects of voting systems must be open to thorough review. But the voting problem CANNOT BE SOLVED using open source. (If this sounds like a contradiction, it is, as I described in my doctoral dissertation, downlodable at <www.notablesoftware.com/evote.html>, because there is an inherent conflict in the ability to create a trusted system that also provides full anonymity.) Our election integrity colleagues must ensure that these points are made whenever they demonstrate vulnerabilities. Anyone who allows voters, election officials, and members of the press to think otherwise is contributing to this outright fraud. Perhaps if the VENDORS are fined $10,000 and threatened with jail sentences, this charade will finally end.

Rebecca Mercuri.


Authors Website: http://www.notablesoftware.com

Authors Bio:

Rebecca Mercuri has been in the forefront of the voting integrity movement since 1989. She provides expert witness services for elections and other forensic computing matters.


Back