CA Proposes Rigorous Voting Machine Testing

christian.einfeldt writes "During her successful campaign for California Secretary of State, newly-minted California Elections Czar Debra Bowen spoke repeatedly of the need to use free open source software in voting machines to ensure the integrity of California's elections. Now that Secretary Bowen is acting on that campaign pledge, closed-source voting machine vendor Diebold worries aloud that rejecting its black-box voting machines could snarl California's elections. Diebold's concerns come at the same time that it is suing Massachusetts for declining to purchase those same voting machines." Quoting: "California's elections chief is proposing the toughest standards for voting systems in the country, so tough that they could [have the result of banishing] ATM-like touch-screen voting machines from the state. For the first time, California is demanding the right to try hacking every voting machine with 'red teams' of computer experts and to study the software inside the machines, line-by-line, for security holes."

novel idea

[gEvil (beta)]

Thoroughly test the voting machines before deploying them? Wow! Why didn't I think of that?

One principal of a democracy

[saibot834]

One principal of a democracy is that everyone can verify the counting of votes.

Now unless you teach everyone how to program I don't see how you can preserve this principal.

Unaccaptable failure rate?

[Firethorn]

31 machines out of 340 districts? How many were in each district?

Heck, from what I've read, they've had problems with more than 10% of the diebold machines.

At least with an automark type system you still have the paper ballots to fall back on, even if a voter might require assistance to fill it out.

When a diebold type device malfunctions you have the potential for lost and/or erronous vote information, not to mention that NO votes can be taken.

Re:novel idea

[TheMeuge]

I smell a "Diebold sues California" /. headline coming.

e-voting must be as strong as paper

[davidwr]

Properly monitored paper ballot voting system is about as good as you can get for the average person. It's main weakness is that it's not private for people who cannot see or read the language of the ballot and for people who cannot mark the ballot for whatever reason. The fact that you must go to a voting station rather than voting from home is also a disadvantage.

Any replacement system must preserve the strengths of a paper ballot.

This means

• Open specifications
  
• validation and verification of all equipment and procedures concerning the vote

In practice, this means the voting hardware and software must be open to public inspection. The same goes for the procedures used by voting officials.

It also means to the extent possible, the entire process must be observed by interested and neutral parties. Obviously the actual voting must be done in secret but anything that doesn't reveal an individual's vote should be observed. Those things that cannot be easily observed, such as actual electronic count, must be repeatable by another method, such as a hand-count, with the same results.

Funny thing

[WindBourne]

is that we seem to keep learning and re-learning that lesson. Back in the 1960 election, there was a lot of evidence that indicated that kennedy won chicago by having the dems cheat. Many systems were put in place to prevent that cheating. Now, with the new current system, the evidence is even more overwhelming and yet, we are back to trying to prevent cheating. In particular, it appears that Ohio, Florida, and even texas had massive amounts of voter fraud during the last couple of elections. I guess that our society will be doomed to re-living the same problems over and over as long as we have politicians like rove ( and the dem == before).

Re:Yet another CA standard...

[One Louder]

It's a shame you never saw any part of California besides Los Angeles.

Re:Yet another CA standard...

[gurps_npc]

Detroit and Japan continue to make cars that do not meet California emissions tests.

The fact that you bought such a care tells me that you looked at the cars that did not meet the California emissions tests and said "No thank you".

What probably happened is that the majority of the people in the country with needs similar to yours thought that cars should meet California's tests. The few people that did not want the cleaner cars had different needs then you did.

You don't have a beef with California, you have a beef with the majority of AMERICAN citizens. And you personally were still offered a choice to pick another car, but decided not to.

Why don't you stop blaming California, and start taking responsibility for your own actions

Re:Yet another CA standard...

[drinkypoo]

My car has "California" emissions and I live in Connecticut. This is just one example of how California mandates things for the rest of the country.

Interestingly, I can purchase a car in Connecticut, drive it to California, register it, and pass a smog check.

Vehicles with California emissions and vehicles without are smogged to different specifications, even here in California.

The restriction only requires new cars sold in California to conform to different standards.

In California, they make you label everything, including restaurants, informing you that your food might cause cancer. Then they all go outside and breathe air they can see.

I live in a county which has spectacularly good air quality, and it happens to be within California.

The worst air quality that I'm aware of in the US is in Houston.

What we need is a slot machine...

[Anonymous Coward]

Any electronic voting machines should be regulated to at least the same level as a slot machine. But for some reason we apparently believe that handling the $20 dollars we want to gamble in a casino is more important than the results of an election.

A casino would never field a slot machine (even a 1c machine) that was as insecure as a Diebold voting machine.

The security model for a slot machine is rock solid. The hardware and software (source included) must be submitted and approved by each jurisdiction. The security model ensures that if even one bit in the software has been corrupted, the machine ceases to function. The cash-in and payout of each machine is redundantly logged. The machines are completely power tolerant, meaning you can cut the power at any time; when the power is restored the machine will come back up in exactly the same state that it was in before power loss. The machine can print tickets (for a paper trail), as well as talk securely over a network.

Basically, all the requirements we'd like to see in a voting machine are the same that a slot machine already conforms to. There's no reason to re-invent the wheel here, most of the work has already been done.

Re:e-voting must be as strong as paper

[morgan_greywolf]

Right. And that's why I keep saying that if you want to know what I think is the approach, it's touch screens with Open Source software/firmware with a paper receipt trail. This allows for the accuracy of electronic counting with a paper backup -- if the paper doesn't match the electronic count, then the software either has bugs or has been tampered with (or there are forged paper ballots, but that's easily countered). Either way, the software can be reviewed by independent computer experts to determine which of three has occurred.

Re:Yet another CA standard...

[fredrated]

Born and raised in Cal, yeah, there are 'kooks' for politicians sometimes, but these kooks are like 'let's see if we can make people happier by making their food less poisonous' as opposed to the kooks that think things like 'let's not tell people the air at ground zero is poisonous because then bin Laden will be even more satisfied with the results'.

We'll keep our kooks, you keep yours and we will both be happy. I hope.

Treason

[loftling]

I think that attorneys for the government should be able to demand to see source code for all the machines already deployed. If source cannot be produced (or it does not compile to the same machine code present on the voting machines) then those responsible should be rounded up and tried for treason. Seriously: at no point should *anything* related to how these machines tally votes have been regarded as a secret: that's simply not how voting works in the US.

I believe that California shouldn't have to demand transparency, I think that we citizens have implicitly expected transparency all along.

Donate to the Open Voting Consortium [openvotingconsortium.org], they've been working with Debra Bowen and many others to fix the system.

Re:As much as I dislike CA....

[neomunk]

That's not CA setting the emissions standard for your state, it's the auto companies deciding that the economy of scale on the changes that need to be made are a greater benefit to the bottom line if applied to the whole production line than either a) not selling cars in CA or b) setting up a separate production line for CA specific autos. CA has every right to set emission standards for their own state, and the auto companies have every right to deal with those standards in any way legal.

Your post (to me at least) smacks of bashing those damn hippies without saying so directly. If you're really pissed about the situation, place the blame on the car companies, where it belongs.

And this is again making an assumption, but you seem to be pissed that programmers are gonna be pouring over this code. WTF? Do you really think that this is some big negative inconvenience, or is it just west coast bashing? I just don't see the problem.
 

Re:Good idea

[RingDev]

check to make sure the code works as intended.

The next step would be to check and make sure that the intention the code works with is the intention the people desire.

-Rick

They'll "study the software inside the machines"?

[roystgnr]

I suspect they'll really study software outside the machines, code which the manufacturer swears is the same as the software inside the machines, cross his heart. That's still an improvement over the current situation, but it's not good enough for democracy. If a computer is turning your ballot into a microscopic electromagnetic pattern rather than a human-readable printout, you simply can't be certain that your vote was counted. Software audits may make election hacking more difficult, but they'll never make it impossible.

Re:e-voting must be as strong as paper

[Coryoth]

* Open specifications
* validation and verification of all equipment and procedures concerning the vote

In practice, this means the voting hardware and software must be open to public inspection. The same goes for the procedures used by voting officials.

I would go even further and demand that both an English language and a formal specification that are open. That way you can validate the formal speciifcation against the English language version, and you can formally verify software code against the formal specification. There are plenty of independent systems that would allow such formal verification of code to be done, and machine checked. Sure, this requires more work to write a formal specification and to write code that can be verified against it... but if there was any case where you would want to be able to do full machine assisted verification of code against a specification rather than just eyeballing it and hoping you catch the errors, electronic voting would be it!

Re:Good idea

[Coryoth]

The next step would be to check and make sure that the intention the code works with is the intention the people desire.

And this is why formal specification should be used. It provides a middle tier between implementation code, and English language specification. Verifying that the code properly implements the formal specification can be done programatically and independently quite easily. In turn, validating the formal specification, by comparing it to the peoples desires in terms of a English language set of requirements is easier than trying to compare coed to the requirements, since it is only intentions that are formally defined, with no issues of implementation to complicate the matter. Stating your intentions in an unambiguous way, via formal specification, ought to be an obvious first step for anything where the need for assurance is as high as it with electronic voting.

Re:Pre-Hacking

[mOdQuArK!]

Well, it'll cost the taxpayers a fair bit to do that kind of testing properly - looking at it that way, you'll get a dollar value of how much the taxpayers think a corruption-resistant democracy is worth!

Re:They'll "study the software inside the machines

[PPH]

That's the same conundrum presented by Microsoft's 'open source' model. They'll let you look at something which they claim is thew same as what you are running on your system. But if you can't do a clean build, you can't be sure the two are really the same.

This situation is unacceptable in critical systems' embedded software. Not only is the source subject to audit, but the entire compilation and installation process is as well.

That doesn't quite fit my definition of "simple"

[achurch]

Heck, I think even _I_ could design such a system:

[8(!) steps and commentary elided]

Or am I over looking something here...?

Perhaps you might not have heard the story of the king and the toaster [netinteraction.com]?

This may not be quite that bad, but the point still stands: Don't use more technology than is needed to solve the problem. In this case, it's much simpler than you suggest:

1. Election supervisor checks that voter is authorized to vote.
2. Voter takes pen and paper ballot.
3. Voter writes candidate's name on paper.
4. Voter deposits ballot in box.

In fact, if you were clever you could even combine steps 1 and 4, saving a line at the supervisor's table.

Oh, and don't give the voter a copy to take home, unless you want supporters for the "wrong" party to start getting their pillows replaced by severed horse heads. "I've got a very good deal for you, and all it needs from you is one little piece of paper . . ."

Re:Shouldn't this be obvious ?

[Dragonslicer]

the machines' output decide the faiths of millions

I think that may be the eeriest typo I've seen in a long time.

Re:One principal of a democracy

[AK Marc]

One principal of a democracy is that everyone can verify the counting of votes.

We do not now, nor have we ever had, any system to verify votes. We can count them again, certify them, but never verify them. Until I, as a voter, can see how the state counted my vote, no vote is ever verified. They may count my ballot twice, but I can never know who they count it as having voted for. True anonymous verification is a system where I can identify my vote, but no one can determine how I voted.

Re:This should be so simple...

[Manchot]

Even relatively sane, simple mandates like checking for a valid ID at the poling station get shut down.

Those laws are often struck down as unconstitutional, and for good reason. If you are an American citizen who doesn't have an ID (which you cannot constitutionally be required to own as a direct result of our right to privacy), you should still be able to vote. More practically, from a statistical viewpoint, people with lower incomes and the elderly are surprisingly likely to not have IDs. You might say, "Well, if they want to be able to vote, they need an ID," but if voting laws disenfranchise even one person who has done nothing wrong, they have already gone too far.

Re:novel idea

[gyroid]

If a state selectively purges voter rolls, supplies too few machines for specific precincts, or uses law enforcement and batteries of volunteers to challenge or intimidate voters, the accuracy of the machines doesn't really matter.