Fair Electronic Voting - Technical Discussion of Electronic Voting.
by kathy@truthisbetter.org
Last updated 2005-09-05
If you are unfamiliar with the enormous potential for electronic voting machine election fraud, please click here to read this article first.

Summary:

It would take many months to enact procedures that might achieve fair voting with electronic voting machines. Prior to elections, voting machines could go through a lengthy certification process to document their hardware and software configurations and check their programming code, so that they could be verified post-election for fairness. Congress could amend the Help America Vote Act of 2002 to:

- require open source or public programming instructions that are given to the public months prior to the election for thorough examination by independent computer scientists
- require a voter verified paper ballot that can be independently audited or used in case of electronic failures, and for recounts
- require a pre-election certification and post-election verification to ensure that the voting machines actually used the public programming instructions
- rescind parts of the act that encourage the use of electronic voting machines
- require procedures to reduce tampering (see below)
- require randomly selected statistically significant independent audits of election districts that compare the voter verified paper ballot counts with the electronic voting machine counts
- have electronic voting machines generate scannable paper ballots that are first checked by the voter and then counted by independently programmed scanning machines as well as audited in a small percentage of precincts

The Help America Vote Act of 2002 needs to be amended many months prior to November 2004 if that election is to be fair.

An alternative, less expensive solution would be to use electronic voting machines for the friendly user interface to ensure voters vote correctly, to eliminate under and over votes, to generate a scannable ballot that the voter can verify before turning it in, and to do a preliminary vote count. Vote tallies could be done by reliable optical scan machines that are less vulnerable to tampering.

Another good solution would be to use a mathematical system, such as the one Dr. David Chaum proposes, to encrypt votes whose images are then released to the public via the Internet for verification and re-counting by anyone who wishes to do so. However, it is unlikely that Chaum's system could be implemented in time for 2004.

Rush Holt has proposed good legislation, but it requires manual recounts in only .5 percent of the jurisdictions in each State, giving fraud a 95.5% chance of being undetected in any one jurisdiction. Congressman Kucinich is proposing legislation.

Support or bring legal actions to find that electronic voting machines that do not meet these conditions are unconstitutional.
Caution:

According to Professor Beebe, Center for Scientific Computing, U of Utah, and other computer experts, including Computer Professor David Dill of Stanford, the problems with electronic voting are NOT solvable to a sufficient degree that would make electronic voting reliable. There are lots of components of the software where things can go wrong in a computer system, and even having open source software isn't sufficient. There is the compiler, O/S, loadable kernel modules, the file system, the network, interrupt handlers, a collection of shared libraries, and so on. These simply cannot be validated to the level that is required for electronic voting to be acceptable.

The escalating attacks against computer systems in the forms of viruses, worms, and denial-of-service attacks show all too clearly that there are clever adversaries out there who seem to take great pride in disrupting computer operations. Paper ballots have far fewer problems, and are much less susceptible to massive attacks against the voting system.

Recommended book: Beyond Fear: Thinking Sensibly About Security in an Uncertain World by Bruce Schneier, 2003, Copernicus Books. On the inside cover flyleaf it says "Replacing paper ballots with computerized voting machines is a horrendously dangerous idea."

There is anecdotal evidence of election fraud in 2000 and 2002 using Diebold electronic voting systems.

Why is verification of programming instructions needed?

The information below was provided to me by Salt Lake Linux User Group members, professors and other computer experts via email.

Post-election verification of voting machines can only be done if preparations are done prior to the election.
It is not possible for anyone, no matter how technical, to read through the programming instructions which ran an electronic voting machine after an election because the high level (human readable) computer programming language instructions are "compiled" into "machine language" instructions in order to execute the instructions on the voting machine. The machine language code cannot be returned to the high level computer programming language that a programmer can understand. At most, the program code can be de-constructed to "assembly language". Reading assembly language is time-consuming and tedious. Very few technical persons know how to read assembly language. It would be possible to tell what the code did after a very long time. A state-wide paper ballot recount would likely be faster.

No court order could remedy this situation. It is not technically possible to verify the programming code used on the voting machine after an election unless the steps mentioned below are taken prior to the election.

The method of checking the programming instructions is to compare the machine language code on the voting machine with a second copy of the "same" high level programming readable instructions independently compiled into machine language code using the same type of hardware and compilation configuration settings as the original. Running a byte by byte check to compare the two versions of machine language takes one command and less than a minute once the test has been prepared. If the two machine language versions are the same, then the programs must tell the same type of machine to do exactly the same steps. A post-election check could be prepared from a central location and distributed to local technicians prior to the election.
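The byte-by-byte check described above, as an added example that is not part of the original article: a shell function that compares an image copied from a voting machine with one independently compiled from the published source. The function name, file names and sample contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# verify_image REFERENCE MACHINE   (hypothetical helper, not from the article)
# REFERENCE: image independently compiled from the published source.
# MACHINE:   image copied from the voting machine after the election.
# Prints one verdict line; returns 0 on a byte-for-byte match,
# 1 on any difference, 2 if an input cannot be read.
verify_image() {
    ref=$1
    mach=$2
    for f in "$ref" "$mach"; do
        [ -r "$f" ] || { echo "ERROR cannot read $f"; return 2; }
    done
    ref_size=$(wc -c < "$ref" | tr -d ' ')
    mach_size=$(wc -c < "$mach" | tr -d ' ')
    if cmp -s "$ref" "$mach"; then
        # The digest lets witnesses record what was verified.
        echo "MATCH size=$ref_size sha256=$(sha256sum "$ref" | cut -d' ' -f1)"
        return 0
    fi
    # cmp -l lists every differing byte as "offset octal octal" (1-based).
    # It stops at the end of the shorter file, so sizes are reported too:
    # a truncated or padded image shows up as a size difference.
    diffs=$(cmp -l "$ref" "$mach" 2>/dev/null | wc -l | tr -d ' ')
    first=$(cmp -l "$ref" "$mach" 2>/dev/null | awk 'NR==1 {print $1}')
    echo "MISMATCH ref_size=$ref_size machine_size=$mach_size" \
         "differing_bytes=$diffs first_offset=${first:-none}"
    return 1
}

# Constructed sample images (not real voting machine code):
# machine_bad.img has a single byte altered.
tmp=$(mktemp -d)
printf 'TALLY-v1.0\n' > "$tmp/reference.img"
printf 'TALLY-v1.0\n' > "$tmp/machine_ok.img"
printf 'TALLY-x1.0\n' > "$tmp/machine_bad.img"
verify_image "$tmp/reference.img" "$tmp/machine_ok.img"
verify_image "$tmp/reference.img" "$tmp/machine_bad.img" || true
```

A match is only meaningful when the reference image was built with the exact documented build steps, since any variation in the build produces a different binary from the same source.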
How to Set up a post election Verification Test of the Programming Instructions

As part of the development process, the manufacturer of an electronic voting machine must provide full disclosure of both the hardware and the software, as well as full documentation on how to create a new image from the provided source code. What you need is the source code to the program, access to the scripts/build tools needed to build the source code, and a set of _exact steps_ used to build the software (since varying these a little may give you a program that effectively does the same thing, but would be a different binary and would make comparison of binaries nearly impossible).

Independent developers could then compile a binary image from the provided source code, and compare it to the image on the voting machine. If they match, then you can certify that the machine used the provided source.

The Nevada Gaming Commission has a procedure for qualifying computerized slot machines that may be similar enough to help when it comes time to develop an actual evaluation process to verify an election has been fair.

The most common license for Free Software/Open Source Software states in section 3 (see http://www.gnu.org/licenses/gpl.txt) that "...complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable..."

Other Issues to Resolve

The program isn't the sole location where problems can reside. There are also intermittent failures, shared libraries, kernel modules, network connections, storage device connections, and others, any of which could be used to intentionally subvert the voting process or invalidate the vote. The whole set of circumstances and procedures in which they are used is important. The potential for these problems needs to be minimized in any voting system design.
To verify the system, you have to use a trusted compiler sufficiently similar to produce the same output. Use one that's too different and you risk false alarms. Use the one the vendor gives you and you're trusting an unaudited tool in the chain that could add a backdoor login into the system. Any program-handling program such as an assembler, a loader, or even hardware microcode can have the same problem.

As much as possible, off the shelf hardware should be used. It might be possible to subvert the computer by using a chip that interprets the machine code differently. Supply one version for audits, use the other in distribution. But if that chip is a standard x86 from the neighborhood computer shop, you're talking a pretty big conspiracy before it can be subverted.

Reducing the Problem of Tampering

To reduce tampering with electronic voting machines, procedures can be followed by election officials such as:

- keeping voting machines disconnected from the network except while uploading vote tallies,
- keeping the machines locked up except when in use
- witnessing the certification and verification process
- A complete copy of the system drives and memory could be made ASAP after the voting period and before connecting to a network or transmitting data. The copy program and backup drives would have to be examined for potential problems.
- Voting tallies (as transmitted) could be compared by hand with the paper voting records on a randomly selected basis.
A study of ways to prevent tampering could be done and recommendations made to election districts.

Transmission of the tally is probably the most vulnerable point. By its nature, it has to be possible to change the count. Any point in storage and transmission of that count is vulnerable, especially when an attacker has physical access.

It is important to note that some methods that are being suggested for preventing tampering, such as the "Black Box" method of burning the programs into the hardware, are very costly and time-consuming to implement, and nearly impossible for an independent third party to verify if their programs and circuitry are not open source. It would require a very technically savvy government agency to procure black box circuitry machines, and you would have to have an enormous amount of trust in that agency. If it were to be a federal election agency, that would require an amendment of the US Constitution. Constitutional amendments to shift responsibility to the federal government from the states for overseeing or procuring voting equipment would require a 2/3rds vote of Congress and ratification by 2/3rds of the states.

Black Box circuitry solutions are not 100% tamper proof. Data transmitted to the collection and tallying machines may still be vulnerable. Unless the storage hardware is soldered in place, there is still the remote chance of replacing it. Applying updates or code fixes to a circuitry solution could be a huge, expensive project because it involves replacing the hardware. While "black box" hardware solutions for addressing the tampering problems may have technical merit, it would be impractical to consider such solutions for the 2004 election.

Open Source ensures that programming instructions do what they are supposed to do in the first place. Open Source programs ensure that no trapdoors are left open in the instructions which allow tampering with the results after voting.
Having lots of eyes looking at source code improves the quality of the code. Open source programs would give the public and its educational institutes time to study and evaluate the programs for fairness, security and accuracy prior to the elections. Fair voting programs are not complex and are readily available on the Internet for free.

Voting machine companies are providing a service, not a product. The only reason a voting company would insist on proprietary code would be to implement election fraud. Germany requires open source programs for all its electronic voting machines.

Open source code is a requirement if the election is to be verified as fair without the need for state-wide paper ballot recounts in all states covered by a given voting machine company.

Read this great overview with many useful links by Robert Kibrick, Director of Scientific Computing, University of California Observatories / Lick Observatory.

Some Possible Solutions
See Problems with Electronic Voting
FEC Voting System Standards Discussion
How to Ensure Accuracy of Elections