Go to Original
Pull the Plug on E-Voting
By Bruce O'Dell
OpEd News
Wednesday 25 October 2006
The FBI is investigating the "possible theft" of the Diebold
touch screen voting software in Maryland. Excuse me ... but I fail
to see what all the fuss is about. I certainly don't condone theft;
it's just that I don't understand why anyone would bother with
stealing the Diebold source code - or why anyone would take the
time to read it.
Don't get me wrong: I've spent twenty five years in the
financial services industry helping to protect billions of dollars
of other people's money. I designed internet security services as
an employee of American Express to protect the online financial
identities of hundreds of thousands of people, and recently spent a
year at one of the twenty largest companies in America as chief
architect of a project to replace the foundation of all their
internal and external security systems. I understand risks from
thieves and embezzlers - I've designed financial audit and control
systems. In the world I work in, there's no room for excuses.
Source Code Is Irrelevant
I'll let you in on a dirty little secret of the computing
profession: in the real world, there's simply no way to ensure that
any program alleged to be written by Programmer Bob on June 24th
bears any relationship whatsoever to what actually runs on computer
"X" thousands of miles away on November 7th. Even if Programmer
Bob's corporate public relations and sales reps swear up and down
that it must be so.
When it comes to security, source code is irrelevant. The
actual behavior of a computer at point of use is the only thing
that matters. Yet many of my IT colleagues continue to believe that
it is somehow possible to look at a vendor's source code and
determine what a particular voting computer will actually do in a
precinct or county election office during an election. This seems
to be the rationale behind "open source voting": if I can see the
program is benevolent, then must be safe to use. Sounds plausible.
But in reality any computer academic or professional practitioner
who tells you that anyone on earth can determine whether a vote
tabulation system is secure and accurate simply by looking at a
source code document ... is either ill-informed or lying.
Consider Microsoft's Windows XP operating system. As a
critically-important widely-used program nevertheless riddled with
bugs and security holes, this is a particularly apt comparison to
voting software. Even if I could obtain a copy of the current
Windows XP source code and read its millions of lines of text in
its entirety with perfect comprehension, the act of reading the
program text tells me precisely nothing at all about the integrity
and security of any of the hundreds of millions of computers
running Windows XP all around the world.
Think about it. Some surveys indicate 70% or more of Windows
PCs are infested with viruses, spyware or, worst of all, rootkits.
Rootkits hijack precisely those portions of the operating system
that are used to detect the presence of malicious software and in
so doing so become effectively undetectable. Can looking at the
source code version of Windows XP tell me whether your particular
PC is echoing all your keystrokes to a server owner by the Russian
mob while you're innocently doing your online banking?
Software Is Inherently Untrustworthy ...
How do so many of my colleagues get such a fundamental issue so
wrong? Although computer technology can seem endlessly complex, the
fundamental issues are simple enough.
Computer program "source code" is just a text document. It's
written using a word processor in a highly specialized dialect that
is a shorthand mishmash of English words and math symbols. In order
to get a computer to do my bidding, I first edit and save a text
file, then run other programs (called "compilers" or
"interpreters") to convert my human-readable text into the binary
electrical impulses that a computer can understand and execute.
Here's where it becomes one twisty hall of mirrors. All means
of verifying the version and features of any program as it is
running in a computer require use of other software, the version
and features of which in turn are verified by use of other
software, the version and features of which in turn is verified by
other software ... and so on. Software alone can't vouch for
software. It is a very well-known maxim in my profession that the
only way to truly know what is running in a computer at any given
time is to present all the inputs, record all the outputs, and
verify that the two match up as expected.
All computer systems which process high-value transactions
include audit mechanisms that monitor the advertised features of
the system to enable an independent means of detecting flawed or
fraudulent program logic ... uh, everywhere that is except for
voting systems, which arguably process the most important
transactions of all. Go figure.
I'm so tired of hearing e-voting compared to using an Automated
Teller Machine. Voting could not be more different than using an
ATM. ATMs ask for not one but two forms of identification - a bank
card and a PIN. Whereas the act of voting is private and anonymous.
"Private, anonymous banking" is just another way to say "robbery in
progress" - as in sawing open the ATM and taking its cash. ATMs
exchange transaction and audit records with multiple counterparties
and offer the user a receipt. Some but not all e-Voting systems may
create or scan a paper vote record, but the voter surely can't keep
it, or votes could be coerced or sold. e-Voting machines and ATMs
are truly "apples and bicycles".
When it comes to electronic voting, we can't use any of the
techniques we apply to securing electronic financial transactions
all of which are predicated on the strong proofs of identity and
exchange of transaction data with multiple counterparties that are
rightfully banned in voting systems. Voting systems are national
security systems demanding a much higher standard of protection
than mere financial systems.
... Yet the Behavior of Voting Software Is Allowed to Go
Unaudited
Many voting systems provide only an internal electronic audit
trail of electronic vote tallies. What foolishness to allow
programs to vouch for programs in such a way; as if it is somehow
impossible to make two programs lie consistently!
Rep. Rush Holt's HR 550 legislation and its supporters in the
academic computer science community are trying to salvage
computerized voting by requiring that e-Voting touch-screen
equipment always produce a "voter-verified paper audit trail"
(VVPAT). This is a kind of receipt which in theory could be audited
sometime after an election if the official results were contested.
Setting aside the chain of custody problem - as soon as paper
leaves the room, it is potentially compromised - when it comes to
observing voters actually verifying their paper audit trail, the
results are startling.
A 2005 study by the Caltech-MIT Voting Project concluded the
following: " no errors were reported in our post-survey data ...
and over 60 percent of participants indicated that they were not
sure if the paper trail contained errors." That's right: in test
elections full of deliberately engineered VVPAT errors - including
swapped votes and even missing races - no one reported a VVPAT
error while voting, a majority were unsure wtether there were any
errors or not, and almost a third of the participants continued to
insist that there no errors at all even after they were told
otherwise by those who switched the votes!
But even that subset of touch screen voting systems with some
kind of voter-verified paper trail, and optical scan systems that
could in theory be audited ... in practice, are not. Certainly not
by the standards of the financial services industry.
HR 550 was regarded as something of a revolutionary
breakthrough in voting accountability simply by requiring a random
audit of 2% of precincts after the fact. Under the Sarbanes-Oxley
financial accountability law passed in the wake of the Enron
scandal in 2002, the board of directors of any public company
foolish enough to apply the same standard of auditability to their
own books now have personal criminal liability for their decisions
and so would face prison time for approving such a threadbare
scheme.
But apparently when it comes to elections, no standard of
protection is too lax.
Voting by Computer Considered Harmful
There was a remarkable article published by the Computer
Professionals for Social Responsibility in 2001, citing work by the
Caltech-MIT Voting Project:
... our best efforts applying computer technology have decreased
the accuracy of elections, to the point where the true outcomes of
many races are unknowable. Many technologists and technology
enthusiasts will read the above words and refuse to believe them.
'There must be some other explanation,' they will say. 'Nothing has
been proven,' they will say. 'Future technology will be better,'
they will say. But there is no other plausible explanation: new
technology may have reduced the cost of elections, and certainly
has increased counting speed, but the above results show no
statistically significant progress in elections accuracy over
people counting paper ballots, one at a time, by hand.
Let me recap: voting by computer may be inherently
untrustworthy and in practice poorly crafted, overpriced, prone to
breakdowns and wide open to subversion - but at least it's less
accurate than counting by hand.
Here's an indictment of the IT profession, and a fine irony:
the degree of independent hand-auditing of paper ballot records
sufficient to verify the corresponding computerized vote tallies is
comparable to the effort required to more accurately count all the
ballots by hand in the first place, dispensing with the machines.
But until that day arrives, the programs that the voting vendors
actually distribute - as opposed to the software they may say they
distribute - will continue to determine who takes power after the
votes are tallied.
Part II: Pull the Plug on E-Voting
By Bruce O'Dell
OpEdNews
Thursday 26 October 2006
Here's an indictment of the IT profession, and a fine irony: the
degree of independent hand-auditing of paper ballot records sufficient
to verify the corresponding computerized vote tallies is comparable to
the effort required to more accurately count all the ballots by hand
in the first place, dispensing with the machines. But until that day
arrives, the programs that the voting vendors actually distribute - as
opposed to the software they may say they distribute - will continue
to determine who takes power after the votes are tallied.
How does Diebold or ES∧S software wind up in my precinct?
Consider that while there are a relative handful of programmers at
companies like Diebold or ES∧S, there are hundreds of thousands of
voting machines out in the field. After a programmer writes a piece of
software, compiles it into binary form, and tests it well enough to
say it's done and working properly, many additional people - dozens to
hundreds of them, in fact - get involved in the long chain of events
to get that software out to the polling station and election office,
ready to be used.
This highly complex process includes the programmers who write the
"application programs" that display ballots and counts votes
electronically; the testers who install a copy of the application
program as provided by the programmer, to run it for themselves to
verify that the specified inputs correspond to the specified outputs;
and the software deployment specialists who take a copy as provided by
the tester to distribute to their customers (once they're told by
management it's good enough to be used by the public).
Deployment specialists package the software so that it can be
cloned thousands of times to be installed by vendor field
representatives or election administrators on the vast number of
precinct machines and central tabulators out in the field.
Vote counting application programs don't just run themselves:
there's a vast array of supporting software modules, such as operating
systems - rock-solid, dependable products like Windows; device drivers
- software that hooks up to input-output devices such as wireless
network cards and telephone modems (you did know that voting equipment
can be accessed remotely) and firmware - the software that all other
software depends on to interact with the physical world. Thousands
upon thousands of software modules and hardware components from
vendors all over the world all playing some supporting role in vote
tallying.
If all this sounds complicated, well, it is. It's awesomely
difficult to get this just right even within the relatively safe
confines of a private network inside a bank. While Diebold, ES∧S and
other vendors certainly pay lip service to accepted professional
standards of best practice for system development, testing and
deployment, there are abundant indications that each link in the
end-to-end software process has been compromised.
Software developers and other insiders pose the greatest risk
Above and beyond the well-documented criminal records of some of the
key programmers who wrote a large portion of our current voting
systems (just start at
http://www.bbvforums.org/forums/messages/1954/17305.html?1138394704
and go from there), there's ample room for insider misconduct in any
organization. My profession has largely failed to adequately inform
the public that the most severe security risks in any organization are
from insiders. Quoting from Dan Verton's book "Identity Thieves:"' as
excerpted at CSO Magazine Online:
The modern American bank has recognized the security risks
associated with the new electronic frontier and, as a result, has
deployed all the state-of-the-art electronic security devices that
one would expect to find in a security conscious enterprise -
firewalls, intrusion detection devices, password management
systems, and powerful encryption technologies. Yet banks and
financial institutions continue to lose millions of dollars every
year to trusted insiders who understand where the weaknesses are in
the system. In fact, insiders accounted for approximately 70%, or
$2.4 billion, of the $3.4 billion that banks lost as a result of
both internal and external fraud and hacker incidents in 2004."
Electoral systems grant regulatory power over a $12 trillion
economy and access to the world's largest checkbook: the federal
procurement budget. By the Willy Sutton rule, voting systems are truly
"where the money's at".
Constant, ruthless and highly sophisticated attempts by insiders
to subvert voting software should be assumed as a given. And yet a
representative from Diebold can still say - with a straight face, and
without being laughed out of the room: 'For there to be a problem
here, you're basically assuming a premise where you have some evil and
nefarious election officials who would sneak in and introduce a piece
of software,' he said. 'I don't believe these evil elections people
exist.' (New York Times, 5/12/2006)
Testing can't prove software is safe
The second link in the chain - testing - is no better. When it comes
to computerized voting systems, internal and field software testers as
well as external "certification labs" are one astonishingly
lackadaisical and inattentive bunch, judging by the vast array of bugs
in the public record (as tallied at
http://www.votersunite.org/info/messupsbyvendor.asp and many other
places). As a consultant to financial institutions I'd be fired - and
then likely sued for gross professional misconduct - if I did my job
so poorly and so publicly.
To be fair, of course, although bug reports show voting software
testing is mind-bogglingly lax, all any software testing process can
do is find problems that testers know to look for and report honestly.
There are countless billions of internal states within all but the
simplest of programs. Both practically and theoretically, it is
impossible through testing to determine that any computer system has
no flaws - much less, to rule out the existence of secret backdoor
functions to be triggered on a future date. (This is no science
fiction; see http://www.bbvdocs.org/reports/BBVreportIIunredacted.pdf
).
Software distribution: a shell game with an invisible pea
It will come as no surprise that the third link from programmer to
voter, field deployment, is also wide open to covert manipulation. As
soon as the programmer is done typing, software becomes invisible - it
lives on as magnetic and electrical impulses on silicon chips, disk
drives, memory cards, and CD-ROMs. Specialized software called a
"configuration management system" is then used to control which of the
many versions of which of the thousands of software components are
sent to which device in the field.
This is not a magic process ordained by saints and administered by
angels.
Voting software is software distributed through use of software,
vouched for by other software, that itself vouches for other software.
Surely nothing can possibly go wrong with such a system, even though
the highly complex
logistics of installing thousands of software modules on tens of
thousands of precinct devices and country central tabulators is under
the full control of ordinary people fully susceptible to blackmail,
greed, or the pursuit of their own ideological agendas.
Did I mention this is done entirely outside public view?
To make things even more interesting, sometimes a lot of voting
software is changed all at once with distribution of a brand new
version with many new features, while other times, just a few software
modules are updated (often called a "patch"). Patches occur especially
frequently to poorly-written software; just ask any PC user who pays
attention to the pitter-patter of incoming Microsoft security updates.
The level of scrutiny that a patch receives is even less than the
ordinary lax standard applied to voting software. That there were
last-minute patches to voting software in Georgia and Minnesota
immediately before the elections of 2002 is indisputable. That may
have had nothing at all to do with the surprising outcomes of two US
Senate races a few days later... but we can never know for sure.
Pre-Election Slumber Party
Sure, just one vendor insider with access to just one of the
master copies of one of the software version or patch distributions
can compromise thousands of devices long, before the equipment ever
reaches the voter. But you'll be comforted even further to know that
even after the devices are readied for an upcoming election, local
election officials have a surprising degree of cozy hands-on access to
voting equipment. In fact, all over the country -most notoriously in
California Congressional District 50 this year - voting machines are
commonly brought home by poll workers for "storage" prior to the
election. Voting equipment vendors allege that their equipment has
tamper-proof seals, while in reality, it takes only minutes using
household tools to gain sufficient access to voting equipment to
permanently and in practice undetectably alter the software (see
http://www.bbvforums.org/forums/messages/1954/36510.html?1158778859 ).
An apology on behalf of the information technology profession
Here's the truth, and the truth hurts: my profession has enabled the
development and deployment of voting systems which are obviously and
patently unfit for use.
In fact, the whole system of computerized voting in America is so
far removed from standard best practices for information technology
that I can only conclude that - far from being the product of
accidental defects or stupid sloppiness - the vast array of security
vulnerabilities found in every type of electronic voting equipment
that has ever been independently examined can quite plausibly be seen
as deliberate features introduced to subvert the voting process
itself.
And so I can only say: I apologize on behalf of my profession, to
the American people. You have been so ill-served by those of us who
bear the unique responsibility of ensuring that the computer systems
upon which our civilization is now almost totally dependent operate in
the public interest.
But even knowing what we do know, many of my IT colleagues
continue to try to salvage some application of computer technology to
voting. To them I say - just look at what we have done in the name of
automation. We led the public into this predicament and we owe it to
them to help lead the way out. We have an ethical duty to honestly
advise the public when most appropriate choice is not to use
computers.
Pull the Plug!
So let it be computer professionals who finally help he public to
pull the plug on electronic voting.
The most urgent ethical duty facing the American information
technology profession is for once to see past our technocentric
arrogance and acknowledge that from a whole-systems perspective,
computerized voting is surely one of the great blunders in the history
of technology. Let us lend our full support to replacing computers as
quickly as possible with the worst way of tallying votes - except, of
course, for all the others: citizen-run elections using the most
appropriate and secure vote tallying technology of all, hand counted
paper ballots. While it may take a while to get there, let's start
now. This is the least we can do to be worthy of all those who laid
down their lives to win and defense our right to vote, the foundation
of our freedom.
Don't throw good money after bad: ban computer technology in
voting. Put ballots back on paper for everyone, using the VotePAD
device for the visually impaired. My profession has talented user
interface designers who can craft a paper ballot to meet the needs of
the people who fill it out and count it - rather than dumbing it down
to accommodate the pitiful limitations of an optical scan program, or
making a paper ballot look like a 19th century newspaper to skimp on
printing costs. Get serious about security for early and absentee
ballots; treat them at least as well as if they were bearer bonds;
their true value is, of course, priceless.
Let citizens take control of the election process to cast paper
ballots by hand, and count them on election night in the polling
place, in public. In the final analysis, we ourselves are the only
people we can trust - or should ever trust - to safeguard the
Republic.
We, the people, have the inalienable right to run our own
elections. Pull the plug.