victory high enough so that no recounts or other challenges are
triggered. This is easy to do.
The worst thing about using malicious software to bias an election is
that you don't even have to mess with the vote counting. If you know
which precincts favor your opponent, or you simply notice that your
opponent is ahead on a particular machine, simply slow down or crash
the machine. Long lines discourage voters. When you hear stories of
voters waiting hours to vote, rest assured that some decided they
couldn't wait. No audit or recount will ever catch such chicanery. I
would wager that even a 1-hour wait reduced the percentage of voters
by quite a bit -- how long is your lunch break? What if you were on
line with a child?
Again I must say that it is very easy for malicious software to erase
itself and cover its tracks and thus deliberate tampering becomes very
hard to prove.
Also note that it doesn't take a vast conspiracy to alter a lot of
voting machines. Depending upon when and how the malicious entry is
achieved, it could be the work of just one person. Many viruses that
swept the Internet were the result of one lone individual.
ways. Phone lines, networks, wireless devices, memory cards, data
discs are just some of the opportunities for an attacker to access and
change the software in a computer. Given the potential high value of
election tampering, one must not rule out the possibility of sabotage
introduced in the software at the factory, or at any point from
factory to Election Day. It is really easy to make software that lies
in wait, passing all tests, until the election itself.
Testing. I'm currently employed in testing software, so I'd like to say
a few words about testing. Testing, even when it goes under a fancy
name such as "certification", is NEVER perfect. Testing does not find
all errors. Deliberate errors, i.e., sabotage, if designed to lie in
wait until the right moment, are especially hard to uncover by
testing.
Some people think that "open source" software is the solution. The
more eyes that actually study and work with software, generally the
better it becomes. "Open source" would force a saboteur to be subtle.
However, as with any software, open source software is never perfect.
And open source software isn't per se less prone to malicious entry
or other tampering.
Central Tabulators. Everything said so far applies not only to the
systems that count the votes (whether they are DREs or Optical Scan),
but also to Central Tabulators. The Central Tabulator may be an even
more attractive target for malicious entry and alteration of results.
There is no reason, however, why all of the data that goes into the
Central Tabulator should not be made immediately public, at polling
places, Town Halls, and on the Internet, so that anybody can check the
calculations.
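
The public check described above can be sketched in a few lines. This is an added example, not code from the original article: the precinct IDs, candidate names and tallies are constructed sample data, and the function name is hypothetical. It compares the tallies posted at polling places with what the tabulator says it received, then recomputes the totals.

```python
from collections import Counter

# Constructed sample data: tallies as posted at each polling place.
POSTED = {
    "P-01": {"Adams": 412, "Baker": 388},
    "P-02": {"Adams": 150, "Baker": 305},
    "P-03": {"Adams": 290, "Baker": 277},
}
# Constructed sample data: what the central tabulator published as its inputs.
TABULATOR_INPUTS = {
    "P-01": {"Adams": 412, "Baker": 388},
    "P-02": {"Adams": 250, "Baker": 205},  # differs from the posted tally
    "P-04": {"Adams": 10, "Baker": 3},     # never posted at any polling place
}
# These totals match the tabulator's own inputs, so arithmetic alone passes.
TABULATOR_TOTALS = {"Adams": 672, "Baker": 596}


def check_tabulation(posted, inputs, totals):
    """Return a list of discrepancies; an empty list means consistent."""
    problems = []
    # Precincts present on one side only.
    for pid in sorted(posted.keys() - inputs.keys()):
        problems.append(f"{pid}: posted at polling place, missing from tabulator")
    for pid in sorted(inputs.keys() - posted.keys()):
        problems.append(f"{pid}: in tabulator, no posted tally")
    # Per-candidate comparison for precincts present on both sides.
    for pid in sorted(posted.keys() & inputs.keys()):
        for cand in sorted(posted[pid].keys() | inputs[pid].keys()):
            seen, used = posted[pid].get(cand, 0), inputs[pid].get(cand, 0)
            if seen != used:
                problems.append(f"{pid}: {cand} posted {seen}, tabulator has {used}")
    # Recompute the totals independently from the published inputs.
    recomputed = Counter()
    for tally in inputs.values():
        recomputed.update(tally)
    for cand in sorted(recomputed.keys() | totals.keys()):
        got, want = totals.get(cand, 0), recomputed.get(cand, 0)
        if got != want:
            problems.append(f"total for {cand}: reported {got}, inputs sum to {want}")
    return problems


if __name__ == "__main__":
    for line in check_tabulation(POSTED, TABULATOR_INPUTS, TABULATOR_TOTALS):
        print(line)
```

In the sample, the reported totals add up correctly from the tabulator's own inputs; only the comparison against the tallies posted at the polling places exposes the altered, missing and extra precincts.
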
Audits -- Catching Errors. How do you know if you have an error in your
vote count? Should voting be a "faith-based" activity? Or should it
be possible to prove election results?
Our computer systems can be made more tamper-resistant -- at a price
(and making them even more obscure) -- but they will never be
perfectly secure. It is always necessary to audit the results.
Auditing an election is not a recount in the traditional sense. An
audit, whether for a bank or an election, is a check to see if
anything is going wrong. An audit should be an essential part of
every election whether it is close or not; an election should not be
certified until it passes an audit.
(One problem is what do you do if it doesn't pass audit? Perhaps
that's one reason we don't even bother to audit elections.)
Auditing of our elections must be done in the open, in public -- not
behind closed doors.
People have varying opinions on what constitutes a good audit. Any
credible audit must meet accepted statistical and forensic standards;
after all, the purpose is to catch both errors and tampering. In
every case, an election audit must compare original ballots with the
counted result. Thus we must have original ballots, as marked by the
voter.
One reason our group does not accept DREs is that DREs do not use an
original voter-marked ballot. Some DREs don't have a paper trail at
all. Even those DREs that do print a paper record are inadequate for a
true audit.
The same software risks that apply to the count apply to the printing
of the paper record in a DRE. Malicious software could alter the
paper record. "Voter verification" of such paper is very unreliable.
Only a small percentage of voters will actually check every vote
carefully. The paper output of a DRE is NOT an original paper record
of the voter's intentions and is not suitable for a meaningful audit.