Tuesday, December 18, 2007

E-Voting

I don't know how much mainstream press the problems with touchscreen voting have got, but it is an amazingly scary situation.

This is just the top result from searching Google News for "Ohio Voting".

An article from Wired: Magnet and PDA can change votes

It may seem odd to non-geeks, but the most secure cryptographic systems are the ones where the program source code is public--this lets experts verify that the code works as stated and that there are no back doors. The code is public, but without the proper keys, the data is still secure. This is a bit like being able to examine the design of a lock to make sure that only your key or combination will open it, and that there isn't a passkey or default combination.

Many (possibly most, or all) of the voting machine companies resisted having human-readable paper ballots as part of the system--coincidentally, the only way to verify that their machines are working properly. The problem here is not (primarily) random error, but biased error or, more importantly, intentionally introduced error. In the Wired article, the researchers found that a person with a PDA and a magnet could make significant changes to iVotronic systems, even without knowing the passwords. In addition, there is an undocumented account that bypasses security--essentially a master key, not unique to a particular machine but common to all of them, that lets an unauthorized user take complete control of the machine. iVotronic is not the only system with poor security--all the top systems have significant, exploitable flaws.

Premier Election Systems used to be a part of Diebold, which also makes automated teller machines. Odd that they have figured out security there (which includes a mechanically printed audit tape...).

Various quotes from the voting machine companies say things that basically amount to "not fair, we fixed that in the next version". I reluctantly believe that this is incompetence and laziness rather than deliberate action. It doesn't matter though--incompetence exploited by others is just as dangerous, and the amount of paranoia that is reasonable in this situation is nearly infinite.

The bare minimum standard is a voter-verified paper ballot that is printed and retained. Machines should be randomly spot-checked to make sure that the paper ballots match what is being reported. Any company that resists that should be immediately disqualified from building voting machines. Encryption, security and all software specific to the voting machine should have its source code available for examination--ideally, all code would have source available.
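Random spot-checks only catch tampering if enough machines are hand-counted. The following is an added example, not from the post or any voting vendor: for a constructed precinct of 200 machines it computes the exact chance that a uniform random audit includes at least one tampered machine, the sample size needed for a chosen confidence, and which sampled machines' reported tallies disagree with the hand count of their paper ballots. All tallies and the tampered machine id are made up.

```python
from fractions import Fraction
from math import comb
import random

def detection_probability(total, tampered, sampled):
    """Chance that a uniform random sample of `sampled` machines contains at
    least one of the `tampered` machines (hypergeometric, exact Fraction)."""
    if not 0 <= tampered <= total or not 0 <= sampled <= total:
        raise ValueError("counts out of range")
    clean = total - tampered
    if sampled > clean:            # sample cannot fit entirely in clean machines
        return Fraction(1)
    # P(miss) = ways to pick the sample from clean machines / all ways
    return 1 - Fraction(comb(clean, sampled), comb(total, sampled))

def sample_size_for(total, tampered, confidence):
    """Smallest number of machines to hand-count so that a tampered machine
    lands in the sample with probability >= confidence."""
    for n in range(total + 1):
        if detection_probability(total, tampered, n) >= confidence:
            return n
    return total

def spot_check(reported, paper, sampled_ids):
    """Ids of sampled machines whose reported tally differs from the hand
    count of their voter-verified paper ballots."""
    return sorted(m for m in sampled_ids if reported[m] != paper[m])

# Constructed precinct: 200 machines, two candidates. Machine 137 is a
# hypothetical tampered machine whose report does not match its paper trail.
REPORTED = {m: {"A": 240, "B": 210} for m in range(200)}
PAPER = {m: dict(t) for m, t in REPORTED.items()}
REPORTED[137] = {"A": 290, "B": 160}   # 50 votes moved from B to A

if __name__ == "__main__":
    rng = random.Random(2007)
    sample = rng.sample(range(200), 20)
    conf = Fraction(95, 100)
    print("P(detect 1 bad machine, 20 audited):",
          float(detection_probability(200, 1, 20)))
    print("machines to audit for 95% if 1 is bad:", sample_size_for(200, 1, conf))
    print("machines to audit for 95% if 10 are bad:", sample_size_for(200, 10, conf))
    print("mismatches in sample:", spot_check(REPORTED, PAPER, sample))
```

Note the result for a single tampered machine: 190 of 200 must be hand-counted for 95% confidence, which is why the audit's sample size has to be tied to the smallest tampering that could change an outcome.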
