U.S. To Certify Labs For Testing E-Voting Machines

Posted by Zonk on Fri Jan 19, 2007 10:37 AM
from the who-certifies-the-certifiers dept.
InternetVoting writes "In a clear counter to the recent criticisms of secrecy involving Ciber labs the National Institute of Standards and Technology (NIST) has issued recommendations (pdf) to the Election Assistance Commission (EAC). NIST recommends the accreditation of two labs, iBeta Quality Assurance and SysTest Labs. The recommendation, emphasizing the need for transparency, includes on-site assessment reports, lab responses, and on-site reviews for each lab. These reports shed much needed light into the process of voting machine certification. Learn more from the Q&As About NIST Evaluation of Laboratories that Test Voting Systems."

Related Stories

[+] IT: NIST Condemns Paperless Electronic Voting 201 comments
quizzicus writes "Paperless electronic voting machines 'cannot be made secure' [pdf] according to the National Institute of Standards and Technology (NIST). In the most sweeping condemnation of voting machines issued by any federal agency, NIST echoes what critics have been saying all along, that due to the lack of verifiability, 'a single programmer could rig a major election.' Rather than adding printers, though, NIST endorses the hand-marked optical-scan system as the most reliable."
[+] Federal Panel [not NIST] Rejects Paper Trail For E-Voting 191 comments
emil10001 writes "The National Institute of Standards and Technology (NIST) has rejected a proposal suggesting that electronic voting have a paper trail. The draft recommendation was developed by NIST scientists, who called out electronic voting machines as being 'impossible' to secure." From the article: "Committee member Brit Williams, who opposed the measure, said, 'You are talking about basically a reinstallation of the entire voting system hardware.' The proposal failed to obtain the 8 of 15 votes needed to pass. Five states — Delaware, Georgia, Louisiana, Maryland and South Carolina — use machines without a paper record exclusively. Eleven states and the District either use them in some jurisdictions or allow voters to choose whether to use them or some other voting system." So ... accountability in voting will be a joke for the foreseeable future because it costs too much?
Update: 12/11 03:20 GMT by KD : Correction: It was not NIST that rejected NIST's recommendations, it was a federal panel chartered by Congress, the Technical Guidelines Development Committee.
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • Opaque Audits (Score:5, Insightful)

    It sounded, prima facie, like progress was being made; but quoth TFA:

    Currently, laboratories are using proprietary test methods and test cases to determine that a voting system meets existing federal standards. . . . By law, NIST must protect proprietary information. This includes details of a laboratory's specific testing methods and protocols.

    Call me cynical, but auditing opaque processes with equally opaque tests doesn't change much; I foresee a holographic sticker labelled “certified.”

    I'd wager, furthermore, they expect us to buy it at face value.

    • Re:Opaque Audits (Score:5, Insightful)

      by Rob T Firefly (844560) on Friday January 19 2007, @10:40AM (#17681390) Homepage Journal
      They do have a halfway decent excuse for that, though.
      Why are laboratories using proprietary test methods?
      Currently, no uniform set of tests exists to determine that a voting system meets federal standards. With the support of the EAC, in 2007 NIST will begin to develop a uniform set of non-proprietary tests to be used in conjunction with the next version of the Voluntary Voting System Guidelines (VVSG 2007). The availability and use of these open tests will improve consistency and comparability among testing laboratories.
      Even a baby step in the right direction counts at this point.
      • Re: (Score:3, Insightful)

        So, does that mean once these non-proprietary tests are created the process will be made more open? I agree, any step in the right direction is something good. I just hope that in the end we have real transparency.
      • Re:Opaque Audits (Score:5, Insightful)

        Even a baby step in the right direction counts at this point.

        I think you're being too soft on your own government. Government isn't a child in need of coddling: it's a cynical and self-aware machine that studies to persist at your expense.

        • Re: (Score:2)

          >Government isn't a child in need of coddling: it's a cynical and self-aware machine that studies to persist at your expense.

          I think you're confusing the government with those who abuse it (whatever party is in power).

          The government at times resembles a
      • Re:Opaque Audits (Score:5, Insightful)

        by Billosaur (927319) * <wgrother@@@optonline...net> on Friday January 19 2007, @10:48AM (#17681524) Journal

        When you think about it, the lack of standards is probably what has caused the current crop of voting machines to be such dismal failures. While I'm not sure I trust Diebold anyway, given their political connections, they probably would have done at least a halfway decent job on their machines if there were a set of standards to measure them against. It's not enough for the US Government to send out a Request For Proposals outlining what they are looking for, unless the functionality and security can be defined against some kind of standard. If the standards had existed first, maybe the machines would not have all the loopholes and omissions which make them such trash currently.

        • Re:Opaque Audits (Score:5, Insightful)

          by truthsearch (249536) on Friday January 19 2007, @10:53AM (#17681618) Homepage Journal
          And if standards exist, maybe more companies can compete equally for the contracts.
          • Re: (Score:1)

            Perhaps it wasn't easily inferred, but the article is talking about voting machines in the United States.
        • I agree with you, but not having standards has some value as well. Once you publish a standard it makes it a lot easier for someone to create an exploit that will not be detected by that standard testing method. Of course, that assumes the standards will s
      • Re: (Score:2)

        It may still be a step in the right direction, but I would rather have the source code. Really, aren't we as both citizens and voters buying the machines? Shouldn't we have access to them? If a company doesn't want to open the source code, then they sho
      • Re: (Score:2)

        It looks more like a moonwalk in the wrong direction...
    • Re:Opaque Audits (Score:5, Funny)

      by pilgrim23 (716938) on Friday January 19 2007, @10:51AM (#17681578)
      Wait, I thought the Dems won. Doesn't that mean there was no cheating?
    • going back in time (Score:2, Insightful)

      I wonder how the previous elections' voting computers would fare, being put through the new tests... think Diebold would like to see exposed just how many security holes there were in their last series of "machines"?
  • Once that's done.... (Score:4, Funny)

    by parvenu74 (310712) on Friday January 19 2007, @10:40AM (#17681382)
    When they get done fixing the broken system for certifying voting machines, how about an effort to screen the certifiable morons who keep getting onto the ballot?
    • Re:Once that's done.... (Score:5, Interesting)

      by smooth wombat (796938) on Friday January 19 2007, @10:57AM (#17681680) Journal
      how about an effort to screen the certifiable morons who keep getting onto the ballot?


      I know you're trying to be funny but every state has requirements for people who want to run for office. So long as they meet those requirements, anyone can get on the ballot.

      However, some states, such as Pennsylvania, have stacked the odds against third party candidates by requiring those candidates to meet higher standards. In Pennsylvania, if you are third party candidate and want to be on the ballot in November (you can't be on the ballot in May), you would need to gather signatures equal to or greater than 2% of the ballots cast for the largest vote-getter in the last statewide election race.

      In the most recent election, third party candidates would have needed 67,070 valid signatures to be on the ballot as the highest vote count in the last statewide election was 3.4 million.

      Contrast that with the 2,000 signatures that either a Democratic or Republican candidate must gather.

      Obviously the answer is to have the legislature change the requirement but the vast majority of the unwashed masses don't know about the requirement, don't care about the requirement, and are happy enough simply voting straight ticket.

      Besides, can you imagine what would happen if it were easier for third party candidates to get on the ballot? Why, there would be competition and choice during an election! We can't have that, now can we?

      • Re: (Score:2)

        In the UK:

        To stand for election, a candidate must submit a nomination paper signed by ten electors* for the constituency and lodge a deposit of £500, which is refundable only if the candidate receives more than 5% of the total votes cast for each ca

  • will not only bring the process of voting into the 20th century, but it will allow a much faster recount of dead people's votes.... /sarcasm
  • I take a black marker and complete an arrow next to the item I wish to cast my vote for. There is an election official next to the machine which reads in my ballot and electronically tallies my votes, along with the rest of the votes for that district. Tha
    • Re: (Score:3, Informative)

      With electronics, the biggest issue is the tallying, not as much the method of voting. Tallying can be corrupt with no voter noticing.
    • Re: (Score:2)

      And the guy doing the tally puts a big mark next to your name because you didn't vote for the person that your boss "requested" you vote for. You didn't need that cost of living wage anyway, because that is part of the trickle down theory your candidate wo
  • by RyanFenton (230700) on Friday January 19 2007, @10:47AM (#17681492)
    Are these new testers truly being paid to examine these machines completely and exhaustively, or are they being paid to run a script, and sign a document?

    If it's the latter, then as long as the standards are anywhere close to where they have been, we'll continue working with virtually whatever the voting machine companies assert is good.

    Ryan Fenton
  • Why is it (Score:5, Insightful)

    by gillbates (106458) on Friday January 19 2007, @10:51AM (#17681580) Homepage Journal

    That politicians can't grasp the immediately obvious? Why do they even bother with electronic voting machines when:

    • The voters don't want them, and,
    • They cost more and are less reliable than paper ballots, and,
    • The technical community thinks they're dangerous to democracy.

    How could any politician come to a conclusion that electronic voting machines make sense? There is no compelling reason to use electronic voting machines at all. The only possible explanation I see is that counties which bought electronic voting machines had county officials on the payroll of the voting machine makers.

    The fact that they've been purchased seems to suggest that politics is already not quite as transparent as it should be.

    • Re: (Score:1)

      I think you over-estimate how much people "actively" don't want these things. I'm sure plenty of people don't like them, but are people really going to get involved?

      The "scandal" around the 2000 election opened the door - "hanging chads", people whinging
    • Re: (Score:1)

      There are two compelling reasons for EVMs. The most important is that the blind can vote without assistance (preserving the secret ballot). The second is to simplify ballot format: no more will we have the creative "butterfly" ballot (an attempt to squeeze

      • You guys are getting way complicated. Forget the punch-outs, the electronics, etc. Print a list of names with a box next to the name, and the voter puts an X in the box. Print a batch that is both in ink and in braille, with a raised edge around the box
    • Re: (Score:2, Insightful)

      The voters don't want them

      I think you are confusing the /. crowd with the 'normal' mom & pop crowd. For the non-technical people it is much easier to press a box with the person's name (which then changes color) than poke a hole in a card.

      • I have an amazing piece of technology I'd like to suggest that makes hole punching absolutely obsolete: the Sharpie Brand Permanent Marker.

      • Re: (Score:2)

        I think you are confusing the /. crowd with the 'normal' mom & pop crowd. For the non-technical people it is much easier to press a box with the person's name (which then changes color) than poke a hole in a card.

        It's even simpler to place a cross in
    • Why do they even bother? (Score:3, Informative)

      Florida, 2000. Hanging chads. Confusing paper ballots. The electronic voting mess was supposed to prevent that from ever happening again.
    • Re: (Score:2, Funny)

      You don't understand - we've got this surplus of cash sitting around which we're not allowed to spend on education or universal health care.
  • How will "recommendations" change anything? Don't we need laws that protect the integrity of the voting process? Just asking...
    • Re: (Score:2)

      No. If I've learned anything on slashdot, it's that the free market will sort this out.

      All joking aside, there needs to be a law that does protect the integrity of the voting process. But I believe we have these. It gets to be a problem though when y
  • Watchmen (Score:4, Insightful)

    by jdcook (96434) on Friday January 19 2007, @10:52AM (#17681598)
    Let me guess: the auditors are political appointees?
  • by gillbates (106458) on Friday January 19 2007, @10:55AM (#17681636) Homepage Journal

    some hacker group gets Mickey Mouse elected via electronic voting machines. I'm wondering if even then people will pay attention.

    • by hclyff (925743) on Friday January 19 2007, @11:13AM (#17681952)
      Well, you elected GWB twice and nobody suspects a thing. Now tell me what makes you think people would pay attention if Mickey Mouse got elected... ?

      I thought so.
      • Bah! (Score:2)

        Mickey Mouse wouldn't get elected. His sexuality would be questioned immediately. He walks around bare-chested, hangs out with a pantless duck, and has yet to produce a single offspring or even marry his girlfriend of 50+ years (not to mention that odd h
  • What's wrong with this picture? (Score:4, Insightful)

    by gordona (121157) on Friday January 19 2007, @10:55AM (#17681648)
    Why is this just happening now after several years of use (and possible misuse)? Note to readers: this is a rhetorical question. I work for the cable industry which spends lots of money and time for years, certifying devices that get attached to the cable networks. I guess this is more important than ensuring the veracity of our voting systems. But this begs the question. The voting machines are only one link in the chain and perhaps not even the weakest link. Previous elections have quite possibly been affected by selective voter purges and mishandling of ballots--do provisional and absentee ballots even get counted? So, certification of the devices is a needed measure as is holding in escrow the source code of the devices. But this is not the only measure that should be taken.

    "If god had wanted us to vote, he would have given us candidates"
    • Re: (Score:2)

      Why is this just happening now after several years of use (and possible misuse)? Note to readers: this is a rhetorical question. I work for the cable industry which spends lots of money and time for years, certifying devices that get attached to the cable
  • Any election where your vote is secret can be rigged. There have been stories of boxes of paper ballots disappearing. If the e-voting machines gave you the voter a receipt with a vote ID number, and your vote was published (say online) how could elections
    • Re: (Score:2, Insightful)

      And any vote that's not secret can be coerced. Heard any news lately about the U.S. Chamber of Commerce pushing for legislation to make votes to form a union non-secret?

      Admittedly, in this country, it's hard to believe there could be wide-spread voter tam

    • Re: (Score:3, Insightful)

      It wasn't that long ago that being identified as a "Communist" was enough to be accused of treason and brought before a Congressional inquest. It's nice to think that nobody will care how you vote, but once your voting record is public there are all sorts
      • Ok, well we could give everyone a receipt. And you could go online to make sure no one changed who you voted for. Like you can look up keno games now. You could look up vote #s. As long as the vote # isn't tied to a person there would be no problem. Wi
    • Re: (Score:2)

      There have been stories of boxes of paper ballots disappearing.

      How hard is it to design ballot boxes with a tamper-resistant tracking device and to have cameras watching when the ballot papers go in and when the boxes are opened to count the votes?
  • Is it just me, or is this another chance to create a group that will just suck all the money in and be corrupt?
    What is the likelihood that this group would be able to satisfy everyone and have enough power to keep elections from being rigged? //Thanks God
  • Voting Computers (Score:2, Insightful)

    As was pointed out on slashdot yesterday http://politics.slashdot.org/article.pl?sid=07/01/18/152205 [slashdot.org], calling these things voting computers rather than voting machines gets the story across much better. People might wake up when they hear these things mor
  • More crap like NIAP? (Score:5, Interesting)

    by bug (8519) on Friday January 19 2007, @01:37PM (#17684310)
    Another one of NIST's big security certification schemes is NIAP. It's difficult to see it as anything but a failure. The "protection profiles" that systems are tested against sometimes explicitly assume a benign environment with no hackers. Hello, what's the point then? Also, the most common certifications don't involve source code verification or any other kind of strenuous testing. Just take a look at the list of crap [bahialab.com] that they have validated, including some products with absurd levels of vulnerabilities. Apparently, Microsoft Windows is very secure, according to NIST's NIAP. Note also that, because this is pay to play, many of the best security tools are completely missing from the list. If I had to bet money, I'd say that well-heeled companies like Diebold will make it through the testing despite a lot of vulnerabilities, and the public will be no better off.
    • You've got the right idea, but you're placing the blame with the wrong folks.

      Protection Profiles are written by the organizations using NIST standards. If Microsoft (for example) chose to create a really, really lame Protection Profile for their ToE (Target
      • Re: (Score:2)

        Be that as it may, the NIAP is still a failure because the agencies don't seem to understand the shortcomings of the program. The perception is that EAL levels are some quantification of security. The higher the level, the better it must be, and if a pr
        • Re: (Score:2)

          Worked for the US government for a while in security.

          Rainbow Books WTF!