Open Voting Consortium
This system seems really good. You cast your vote using a computer, but the computer prints out a paper document. This prevents the ambiguity that inevitably occurs when users directly fill out paper ballots, such as when a voter fills in one circle by mistake and then puts an X through it. The resulting paper ballot shows the choices the voter made and includes a bar code for optical scanning. The software is entirely open source. It uses off-the-shelf, inexpensive components.
By the way, open source paper ballots is the leading idea in the Tech Policy section of Change.org’s contest.
Categories: Uncategorized dw







As with all computerized systems, this one has important security flaws.
“Open source” does not guarantee security. Even if citizens somehow know (how?) that the source was honestly built into a binary, and the binary was honestly installed into every machine on election day, an attacker can program the machines’ firmware to patch the binary to behave as she wishes.
The attacker could then program the system to, e.g., remove candidates from the ballot, reorder the ballot, change the headings, or make it easier (or more difficult) to select a candidate. Or she could program it to stop working entirely if voters choose the “wrong” candidate too often.
The attacker could also cause the system to print ballots that appear correct to human eyes, but that scan incorrectly.
This system’s reduction in paper-ballot ambiguity is inconsequential in most elections, but its use (as with the use of *any* programmable vote casting device, e.g., DREs) imperils every election’s security. It should be reserved for voters who cannot independently cast a ballot without its assistance. Non-disabled voters should use hand-filled paper ballots.
Ronald,
Quite a few of your points are covered in this article I wrote after seeing this system demoed–and thank you for noting the usefulness of voting machines for the disabled!
That article does not, among other things, address firmware-based attacks. It is one thing to assert the goal that “every element of every component, both hardware and software, is in the public domain”, and quite another to realize it. Similarly with “there are built-in capabilities for independent monitoring of software”: who watches the watchers? And “institutionalized protocols for public monitoring” are a real problem even with non-computerized voting systems; proper public supervision of computerized systems is much more difficult to implement.
As for VHTI, its security “guarantee” holds only if the voter performs an unfamiliar (and unintuitive) protocol correctly. An attacker could program the system to deceive the voter into performing the protocol incorrectly, completely voiding the security guarantee. Since the protocol is unintuitive, the vast majority of voters wouldn’t understand that anything had gone wrong.
But most fundamentally, the article does not tell us why we should, as it urges, prefer (its brand of) e-voting to hand-filled paper ballots for nondisabled voters. Yes, it has some advantages over hand-filled paper ballots — an unlimited supply of ballots, easy multilingual ballots, overvote/undervote checking, reduced ambiguity — but also, as I described, serious security flaws. And there are almost certainly many flaws that I (and others) haven’t yet found. Are the advantages worth that risk? I don’t think so, except possibly with respect to voters who cannot otherwise vote independently.
We should prefer a less-complex system to a more-complex one unless we have very good reasons not to do so.
Ronald,
I place more weight on the security problems solved by machine-generated paper ballots than those created by them. Here’s a for-instance:
The constituency that wasn’t counted is Tain, in the Brong-Ahafo region, a largely rural area which had a misvote during the runoff. Insufficient ballot papers were available – some argue that papers were stolen – and the electoral commission decided to hold a revote tomorrow.
You place more weight on the problems created than the problems solved. Fair enough–I just disagree with that weighting.
We clearly weight the issues differently. I’d note, however, that machines would not solve the “for-instance” you postulated. If someone can steal paper ballots, they also can steal (or disable, and possibly hack) machines. There is, for example, significant evidence that someone attacked the vote in Ohio’s 2004 Presidential election by, among other things, manipulating machine availability. See, e.g., http://www.harpers.org/archive/2005/08/0080696, which, citing a Congressional report on the problem, says, among other things:
1. At Kenyon College in Gambier, for instance, there were only two machines for 1,300 would-be voters….Gambier residents and Kenyon students had to stand in line for hours…with some of them inevitably forced to call it quits. “In contrast, at nearby Mt. Vernon Nazarene University, which is considered more Republican leaning, there were ample waiting machines and no lines.”
2. In Franklin County alone, as voters stood for hours throughout Columbus and elsewhere, at least 125 machines collected dust in storage. The county’s election officials had “decided to make do with 2,866 machines, even though the analysis showed that the county needs 5,000 machines.”
3. “One polling place in Lucas County never opened because all the machines were locked up somewhere and no one had the key.”
And so forth.
By replacing hand-filled paper ballots with machine-filled paper ballots, you increase the number of possible attacks and make it more difficult for officials (and the public) to supervise the process.
Voting machines, even open-source ones, do present their own problems. I argue that if we move to electronic systems, we should be trying to do better than merely emulating paper ballots. From an article I just finished on “end-to-end verifiable” voting systems:
“Modern cryptography suggests the possibility of a new kind of incredibly transparent and fair election, where ordinary citizens can verify the soundness of the election for themselves without ever being asked to trust any sort of hardware, software, government, or election official. This represents a fundamental shift in capability: for the first time, it may be possible to hold truly ‘open’ elections.”
Re: Cryptographic systems. First, these systems are susceptible to the same presentation (e.g., ballot manipulation) and reliability attacks (selective “failure”) as ordinary e-voting systems. And their “end-to-end verifiab[ility]” depends upon the voter performing an unintuitive protocol. An attacker can program the system to perform the protocol incorrectly, which voids the associated security guarantees. Since the protocol is unintuitive, at most a tiny sliver of voters will realize that something has gone wrong. And, as is almost always the case with problems during elections, officials will chalk them up to “voter error” or, at best, “a glitch”.
Computers are powerful tools, but they are not suitable for every purpose. We should strive to avoid the many security and transparency traps created by leaving voters alone with computational ballot presentation and recording devices.