Go to Original

Pull the Plug on E-Voting By Bruce O'Dell OpEd News Wednesday 25 October 2006 The FBI is investigating the "possible theft" of the Diebold touch screen voting software in Maryland. Excuse me ... but I fail to see what all the fuss is about. I certainly don't condone theft; it's just that I don't understand why anyone would bother with stealing the Diebold source code - or why anyone would take the time to read it. Don't get me wrong: I've spent twenty five years in the financial services industry helping to protect billions of dollars of other people's money. I designed internet security services as an employee of American Express to protect the online financial identities of hundreds of thousands of people, and recently spent a year at one of the twenty largest companies in America as chief architect of a project to replace the foundation of all their internal and external security systems. I understand risks from thieves and embezzlers - I've designed financial audit and control systems. In the world I work in, there's no room for excuses. Source Code Is Irrelevant I'll let you in on a dirty little secret of the computing profession: in the real world, there's simply no way to ensure that any program alleged to be written by Programmer Bob on June 24th bears any relationship whatsoever to what actually runs on computer "X" thousands of miles away on November 7th. Even if Programmer Bob's corporate public relations and sales reps swear up and down that it must be so. When it comes to security, source code is irrelevant. The actual behavior of a computer at point of use is the only thing that matters. Yet many of my IT colleagues continue to believe that it is somehow possible to look at a vendor's source code and determine what a particular voting computer will actually do in a precinct or county election office during an election. This seems to be the rationale behind "open source voting": if I can see the program is benevolent, then must be safe to use. Sounds plausible. But in reality any computer academic or professional practitioner who tells you that anyone on earth can determine whether a vote tabulation system is secure and accurate simply by looking at a source code document ... is either ill-informed or lying. Consider Microsoft's Windows XP operating system. As a critically-important widely-used program nevertheless riddled with bugs and security holes, this is a particularly apt comparison to voting software. Even if I could obtain a copy of the current Windows XP source code and read its millions of lines of text in its entirety with perfect comprehension, the act of reading the program text tells me precisely nothing at all about the integrity and security of any of the hundreds of millions of computers running Windows XP all around the world. Think about it. Some surveys indicate 70% or more of Windows PCs are infested with viruses, spyware or, worst of all, rootkits. Rootkits hijack precisely those portions of the operating system that are used to detect the presence of malicious software and in so doing so become effectively undetectable. Can looking at the source code version of Windows XP tell me whether your particular PC is echoing all your keystrokes to a server owner by the Russian mob while you're innocently doing your online banking? Software Is Inherently Untrustworthy ... How do so many of my colleagues get such a fundamental issue so wrong? Although computer technology can seem endlessly complex, the fundamental issues are simple enough. Computer program "source code" is just a text document. It's written using a word processor in a highly specialized dialect that is a shorthand mishmash of English words and math symbols. In order to get a computer to do my bidding, I first edit and save a text file, then run other programs (called "compilers" or "interpreters") to convert my human-readable text into the binary electrical impulses that a computer can understand and execute. Here's where it becomes one twisty hall of mirrors. All means of verifying the version and features of any program as it is running in a computer require use of other software, the version and features of which in turn are verified by use of other software, the version and features of which in turn is verified by other software ... and so on. Software alone can't vouch for software. It is a very well-known maxim in my profession that the only way to truly know what is running in a computer at any given time is to present all the inputs, record all the outputs, and verify that the two match up as expected. All computer systems which process high-value transactions include audit mechanisms that monitor the advertised features of the system to enable an independent means of detecting flawed or fraudulent program logic ... uh, everywhere that is except for voting systems, which arguably process the most important transactions of all. Go figure. I'm so tired of hearing e-voting compared to using an Automated Teller Machine. Voting could not be more different than using an ATM. ATMs ask for not one but two forms of identification - a bank card and a PIN. Whereas the act of voting is private and anonymous. "Private, anonymous banking" is just another way to say "robbery in progress" - as in sawing open the ATM and taking its cash. ATMs exchange transaction and audit records with multiple counterparties and offer the user a receipt. Some but not all e-Voting systems may create or scan a paper vote record, but the voter surely can't keep it, or votes could be coerced or sold. e-Voting machines and ATMs are truly "apples and bicycles". When it comes to electronic voting, we can't use any of the techniques we apply to securing electronic financial transactions all of which are predicated on the strong proofs of identity and exchange of transaction data with multiple counterparties that are rightfully banned in voting systems. Voting systems are national security systems demanding a much higher standard of protection than mere financial systems. ... Yet the Behavior of Voting Software Is Allowed to Go Unaudited Many voting systems provide only an internal electronic audit trail of electronic vote tallies. What foolishness to allow programs to vouch for programs in such a way; as if it is somehow impossible to make two programs lie consistently! Rep. Rush Holt's HR 550 legislation and its supporters in the academic computer science community are trying to salvage computerized voting by requiring that e-Voting touch-screen equipment always produce a "voter-verified paper audit trail" (VVPAT). This is a kind of receipt which in theory could be audited sometime after an election if the official results were contested. Setting aside the chain of custody problem - as soon as paper leaves the room, it is potentially compromised - when it comes to observing voters actually verifying their paper audit trail, the results are startling. A 2005 study by the Caltech-MIT Voting Project concluded the following: " no errors were reported in our post-survey data ... and over 60 percent of participants indicated that they were not sure if the paper trail contained errors." That's right: in test elections full of deliberately engineered VVPAT errors - including swapped votes and even missing races - no one reported a VVPAT error while voting, a majority were unsure wtether there were any errors or not, and almost a third of the participants continued to insist that there no errors at all even after they were told otherwise by those who switched the votes! But even that subset of touch screen voting systems with some kind of voter-verified paper trail, and optical scan systems that could in theory be audited ... in practice, are not. Certainly not by the standards of the financial services industry. HR 550 was regarded as something of a revolutionary breakthrough in voting accountability simply by requiring a random audit of 2% of precincts after the fact. Under the Sarbanes-Oxley financial accountability law passed in the wake of the Enron scandal in 2002, the board of directors of any public company foolish enough to apply the same standard of auditability to their own books now have personal criminal liability for their decisions and so would face prison time for approving such a threadbare scheme. But apparently when it comes to elections, no standard of protection is too lax. Voting by Computer Considered Harmful There was a remarkable article published by the Computer Professionals for Social Responsibility in 2001, citing work by the Caltech-MIT Voting Project: ... our best efforts applying computer technology have decreased the accuracy of elections, to the point where the true outcomes of many races are unknowable. Many technologists and technology enthusiasts will read the above words and refuse to believe them. 'There must be some other explanation,' they will say. 'Nothing has been proven,' they will say. 'Future technology will be better,' they will say. But there is no other plausible explanation: new technology may have reduced the cost of elections, and certainly has increased counting speed, but the above results show no statistically significant progress in elections accuracy over people counting paper ballots, one at a time, by hand. Let me recap: voting by computer may be inherently untrustworthy and in practice poorly crafted, overpriced, prone to breakdowns and wide open to subversion - but at least it's less accurate than counting by hand. Here's an indictment of the IT profession, and a fine irony: the degree of independent hand-auditing of paper ballot records sufficient to verify the corresponding computerized vote tallies is comparable to the effort required to more accurately count all the ballots by hand in the first place, dispensing with the machines. But until that day arrives, the programs that the voting vendors actually distribute - as opposed to the software they may say they distribute - will continue to determine who takes power after the votes are tallied. Part II: Pull the Plug on E-Voting By Bruce O'Dell OpEdNews Thursday 26 October 2006 Here's an indictment of the IT profession, and a fine irony: the degree of independent hand-auditing of paper ballot records sufficient to verify the corresponding computerized vote tallies is comparable to the effort required to more accurately count all the ballots by hand in the first place, dispensing with the machines. But until that day arrives, the programs that the voting vendors actually distribute - as opposed to the software they may say they distribute - will continue to determine who takes power after the votes are tallied. How does Diebold or ES∧S software wind up in my precinct? Consider that while there are a relative handful of programmers at companies like Diebold or ES∧S, there are hundreds of thousands of voting machines out in the field. After a programmer writes a piece of software, compiles it into binary form, and tests it well enough to say it's done and working properly, many additional people - dozens to hundreds of them, in fact - get involved in the long chain of events to get that software out to the polling station and election office, ready to be used. This highly complex process includes the programmers who write the "application programs" that display ballots and counts votes electronically; the testers who install a copy of the application program as provided by the programmer, to run it for themselves to verify that the specified inputs correspond to the specified outputs; and the software deployment specialists who take a copy as provided by the tester to distribute to their customers (once they're told by management it's good enough to be used by the public). Deployment specialists package the software so that it can be cloned thousands of times to be installed by vendor field representatives or election administrators on the vast number of precinct machines and central tabulators out in the field. Vote counting application programs don't just run themselves: there's a vast array of supporting software modules, such as operating systems - rock-solid, dependable products like Windows; device drivers - software that hooks up to input-output devices such as wireless network cards and telephone modems (you did know that voting equipment can be accessed remotely) and firmware - the software that all other software depends on to interact with the physical world. Thousands upon thousands of software modules and hardware components from vendors all over the world all playing some supporting role in vote tallying. If all this sounds complicated, well, it is. It's awesomely difficult to get this just right even within the relatively safe confines of a private network inside a bank. While Diebold, ES∧S and other vendors certainly pay lip service to accepted professional standards of best practice for system development, testing and deployment, there are abundant indications that each link in the end-to-end software process has been compromised. Software developers and other insiders pose the greatest risk Above and beyond the well-documented criminal records of some of the key programmers who wrote a large portion of our current voting systems (just start at http://www.bbvforums.org/forums/messages/1954/17305.html?1138394704 and go from there), there's ample room for insider misconduct in any organization. My profession has largely failed to adequately inform the public that the most severe security risks in any organization are from insiders. Quoting from Dan Verton's book "Identity Thieves:"' as excerpted at CSO Magazine Online: The modern American bank has recognized the security risks associated with the new electronic frontier and, as a result, has deployed all the state-of-the-art electronic security devices that one would expect to find in a security conscious enterprise - firewalls, intrusion detection devices, password management systems, and powerful encryption technologies. Yet banks and financial institutions continue to lose millions of dollars every year to trusted insiders who understand where the weaknesses are in the system. In fact, insiders accounted for approximately 70%, or $2.4 billion, of the $3.4 billion that banks lost as a result of both internal and external fraud and hacker incidents in 2004." Electoral systems grant regulatory power over a $12 trillion economy and access to the world's largest checkbook: the federal procurement budget. By the Willy Sutton rule, voting systems are truly "where the money's at". Constant, ruthless and highly sophisticated attempts by insiders to subvert voting software should be assumed as a given. And yet a representative from Diebold can still say - with a straight face, and without being laughed out of the room: 'For there to be a problem here, you're basically assuming a premise where you have some evil and nefarious election officials who would sneak in and introduce a piece of software,' he said. 'I don't believe these evil elections people exist.' (New York Times, 5/12/2006) Testing can't prove software is safe The second link in the chain - testing - is no better. When it comes to computerized voting systems, internal and field software testers as well as external "certification labs" are one astonishingly lackadaisical and inattentive bunch, judging by the vast array of bugs in the public record (as tallied at http://www.votersunite.org/info/messupsbyvendor.asp and many other places). As a consultant to financial institutions I'd be fired - and then likely sued for gross professional misconduct - if I did my job so poorly and so publicly. To be fair, of course, although bug reports show voting software testing is mind-bogglingly lax, all any software testing process can do is find problems that testers know to look for and report honestly. There are countless billions of internal states within all but the simplest of programs. Both practically and theoretically, it is impossible through testing to determine that any computer system has no flaws - much less, to rule out the existence of secret backdoor functions to be triggered on a future date. (This is no science fiction; see http://www.bbvdocs.org/reports/BBVreportIIunredacted.pdf ). Software distribution: a shell game with an invisible pea It will come as no surprise that the third link from programmer to voter, field deployment, is also wide open to covert manipulation. As soon as the programmer is done typing, software becomes invisible - it lives on as magnetic and electrical impulses on silicon chips, disk drives, memory cards, and CD-ROMs. Specialized software called a "configuration management system" is then used to control which of the many versions of which of the thousands of software components are sent to which device in the field. This is not a magic process ordained by saints and administered by angels. Voting software is software distributed through use of software, vouched for by other software, that itself vouches for other software. Surely nothing can possibly go wrong with such a system, even though the highly complex logistics of installing thousands of software modules on tens of thousands of precinct devices and country central tabulators is under the full control of ordinary people fully susceptible to blackmail, greed, or the pursuit of their own ideological agendas. Did I mention this is done entirely outside public view? To make things even more interesting, sometimes a lot of voting software is changed all at once with distribution of a brand new version with many new features, while other times, just a few software modules are updated (often called a "patch"). Patches occur especially frequently to poorly-written software; just ask any PC user who pays attention to the pitter-patter of incoming Microsoft security updates. The level of scrutiny that a patch receives is even less than the ordinary lax standard applied to voting software. That there were last-minute patches to voting software in Georgia and Minnesota immediately before the elections of 2002 is indisputable. That may have had nothing at all to do with the surprising outcomes of two US Senate races a few days later... but we can never know for sure. Pre-Election Slumber Party Sure, just one vendor insider with access to just one of the master copies of one of the software version or patch distributions can compromise thousands of devices long, before the equipment ever reaches the voter. But you'll be comforted even further to know that even after the devices are readied for an upcoming election, local election officials have a surprising degree of cozy hands-on access to voting equipment. In fact, all over the country -most notoriously in California Congressional District 50 this year - voting machines are commonly brought home by poll workers for "storage" prior to the election. Voting equipment vendors allege that their equipment has tamper-proof seals, while in reality, it takes only minutes using household tools to gain sufficient access to voting equipment to permanently and in practice undetectably alter the software (see http://www.bbvforums.org/forums/messages/1954/36510.html?1158778859 ). An apology on behalf of the information technology profession Here's the truth, and the truth hurts: my profession has enabled the development and deployment of voting systems which are obviously and patently unfit for use. In fact, the whole system of computerized voting in America is so far removed from standard best practices for information technology that I can only conclude that - far from being the product of accidental defects or stupid sloppiness - the vast array of security vulnerabilities found in every type of electronic voting equipment that has ever been independently examined can quite plausibly be seen as deliberate features introduced to subvert the voting process itself. And so I can only say: I apologize on behalf of my profession, to the American people. You have been so ill-served by those of us who bear the unique responsibility of ensuring that the computer systems upon which our civilization is now almost totally dependent operate in the public interest. But even knowing what we do know, many of my IT colleagues continue to try to salvage some application of computer technology to voting. To them I say - just look at what we have done in the name of automation. We led the public into this predicament and we owe it to them to help lead the way out. We have an ethical duty to honestly advise the public when most appropriate choice is not to use computers. Pull the Plug! So let it be computer professionals who finally help he public to pull the plug on electronic voting. The most urgent ethical duty facing the American information technology profession is for once to see past our technocentric arrogance and acknowledge that from a whole-systems perspective, computerized voting is surely one of the great blunders in the history of technology. Let us lend our full support to replacing computers as quickly as possible with the worst way of tallying votes - except, of course, for all the others: citizen-run elections using the most appropriate and secure vote tallying technology of all, hand counted paper ballots. While it may take a while to get there, let's start now. This is the least we can do to be worthy of all those who laid down their lives to win and defense our right to vote, the foundation of our freedom. Don't throw good money after bad: ban computer technology in voting. Put ballots back on paper for everyone, using the VotePAD device for the visually impaired. My profession has talented user interface designers who can craft a paper ballot to meet the needs of the people who fill it out and count it - rather than dumbing it down to accommodate the pitiful limitations of an optical scan program, or making a paper ballot look like a 19th century newspaper to skimp on printing costs. Get serious about security for early and absentee ballots; treat them at least as well as if they were bearer bonds; their true value is, of course, priceless. Let citizens take control of the election process to cast paper ballots by hand, and count them on election night in the polling place, in public. In the final analysis, we ourselves are the only people we can trust - or should ever trust - to safeguard the Republic. We, the people, have the inalienable right to run our own elections. Pull the plug.