Tempus Fugit

Electronic Voting — closed source, closed minds

The “Touchscreen Voting Systems Issue Paper” by the Florida State Association of Supervisors of Elections states the following:

SOURCE CODE/PROPRIETARY SOFTWARE

Much is being said about the lack of availability of the systems’ software, firmware and hardware to the general public. Voting systems software is proprietary. Because of this, there is the general thought that it is controlled by the manufacturer, one specific individual or small group of individuals. Nothing could be further from the actual facts. Simply because the software is not open to every hacker in the world, does not mean the software is not reviewed and exposed to public scrutiny. For obvious reasons, strict control of this software is maintained and provides further safeguards from unauthorized individuals altering or tampering for private gain.

There’s a phrase for the idea of hiding your code from prying eyes as a means of making it secure. It’s called “security through obscurity.” It’s the idea that your code can be riddled with security holes… but if hackers don’t know how your code works, they will be unlikely to find those holes.

“Security through obscurity” is a derisive phrase. It is a concept that was regarded as inherently insecure over 100 years ago. It is the fragile shelter chosen by those who trust the security of their software so little that they dare not let more than a few NDA-bound individuals view its workings. It’s a futile “duck and cover” operation by people who doubt the security of their own code.

Would you trust your vote to a system whose security depends on its inner workings remaining a secret?

The opposite of “security through obscurity” is “security by design,” whereby your system’s security is ensured by the very design of the system. Such a system’s code could be revealed without compromising the security of the system.

What would happen if all vote counting source code were revealed? Well, holes would be found. Those holes would be fixed. More holes would be found, and those would be fixed. With enough eyes scrutinizing the code, it could be made actually secure. People would know that it is secure… not because some government-funded secretive certification group said it was secure… but because the 14-year-old computer whiz down the street said it was secure. Think of what that’d to to voter confidence.

The “Issue Paper” continues:

A small number of persons has put forth that there be a requirement for touchscreen systems to produce a paper receipt after the voter casts his ballot. The systems currently certified provide the necessary safeguards and security to insure accurate elections. It would appear that the reason this concern arises is either a distrust of technology by the people who would request such a printout or a lack of understanding that in the event that there is a close election or other issue which arises after the election, there is an ability to make a determination of the votes that were actually cast. It may be impossible to eliminate the distrust of modern technology by persons who may have this concern. However, the equipment now in place does provide the elections authorities, as well as the judicial system, a means by which all votes can be ascertained from the images on the DRE system. It is critical to understand that each DRE has a record that can be retrieved from each machine to show the votes that were actually cast by the voter. While it may be a lengthy process, the equipment can provide the authorities with the ability to demonstrate the votes actually cast if a recount or some similar issue presented itself, post election. Therefore, the issue of creating a paper trail for each voter is unnecessary except to eliminate the paranoia of the critics of these systems.

I ask for a paper trail precisely because I understand the technology. A purely electronic record, stored on one machine is insufficient. They claim that each machine stores a record of the votes that were actually cast. The only thing that provides is a check against the central tabulator. An electronic record cannot exist as proof of its own authenticity. These systems can and have been hacked on an individual level. An audit of those results would reveal no evidence of malfeasance because the malfeasance is the only record.

Paul DeGregorio, Chariman of the U.S. Election Assistance Commission provides more misinformation in an editorial published in the Tallahassee Democrat:

Americans have been bombarded with tales about how easy it is to hack into a voting machine. Academics, computer scientists and others tell us that they have done it and that we cannot trust voting systems, specifically electronic or touch-screen systems.

Ironically, all of these experiments took place in the sterile environment of a laboratory. In each instance, these experts demonstrated only that, with unlimited time and resources, they could hack a voting machine.

The hacks that have been demonstrated didn’t require “unlimited time and resources.” Many of the hacks could be done with a pair of paperclips, a memory card, and 3 minutes.

The bottom line is that our nation’s voting equipment, election results and election officials can and should be trusted. Election officials are some of the hardest-working, most dedicated public servants in the country, and they welcome input and support to keep our democracy strong and elections trustworthy. They deserve constructive criticism and solutions, not baseless attacks and unfounded accusations about the equipment they use. Attacking their integrity and the system in broad strokes is even less productive.

Current electronic voting systems are open to tampering. The tampering can leave no evidence that there was any tampering. These are not baseless attacks or unfounded accusations. These claims have been documented and reproduced by security and computing professionals. These are flaws unique to electronic voting systems. When there is a paper record, it takes a significant amount of effort to make votes disappear. With an electronic-only record, thousands of votes can change hands in an instant, without any evidence of malfeasance.

There are solutions to electronic voting issues, but elections officials have to be open to them. The current stance is that the public should not know how electronic voting systems work (closed-source software), and that any people who do manage to find flaws are merely scaremongers in a laboratory. That stance needs to change.