By Jack Ganssle
E-Voting
Published 1/28/2008
Later this year the US will choose a new president. But who will make that choice?
So how did we react? By acquiring voting machines with many known security flaws, developed without using best engineering practices, whose code is proprietary, and that use hacker-friendly operating systems. In effect, the government, by making these purchasing decisions, sanctioned a "trust us" appeal to the electorate.
Ironically, the citizenry has never trusted the government less than in recent years (and put down the flamethrowers; that would probably be true no matter who was in DC now).
We know how to build reliable software systems. We know how to build secure software systems. But we decided not to.
How dumb is that?
Project EVEREST in Ohio completed an evaluation of three commercial voting machines last month. On a twelve-point scale only one managed anything other than a zero. And it scored 1. Those aren't even flunking grades; it's more like not even showing up for the test.
Democracy is hard. We citizens have to be involved. We need to hold our elected officials accountable, and toss them out when they fail to meet our standards. But that requires we trust the integrity of the ballot box.
Recent e-voting travails are not new; ballot-stuffing is as old as the Republic. The difference is that now it may be possible to stuff millions of votes with a few clicks.
I believe that e-voting holds the promise of eliminating compromised elections. But not with the approaches being discussed now. I'm sickened to read of various commissions demanding that vendors add printers to their machines. That does nothing to prove that each vote is recorded properly. The printer could show one candidate and record another. And the voting machine itself is not the issue: it's the entire system, including the computers that hold the databases, which are even more attractive targets.
We citizens must demand a system that works. That requires the following:
- Open source both the software and hardware. Publish the code and schematics on the web. Sure, we can hire a private company to develop and manufacture the equipment, but the IP should be owned by those footing the bill. Us.
- A dead simple design with minimal features. Prune anything not completely necessary.
- Use provably-correct components. No proprietary code is allowed.
- No changes may be made to the design within six months of an election, to give the community time to evaluate the proposed change. If the design is dead simple, few changes should be needed.
- Certify the code to DO-178B level A.
- Certify the code to Common Criteria EAL7, the highest security standard.
Will this happen? I doubt it. Conspiracy theorists probably feel The Overlords who control the government want to have hackable elections. But I suspect there's more truth in: Never ascribe to malice, that which can be explained by incompetence.