[E-voting] comments on the Baker-Carter report
cansbro at eircom.net
Mon Sep 19 21:01:28 IST 2005
Bev Harris's comments on the Baker/Carter report--rightly described on
some websites as a sham. Many comments (e.g. see below about attack
vectors) are relevant for us in Ireland, too.
Posted on Monday, September 19, 2005 - 09:01 am:
The formal report of the Carter-Baker Panel purports to be offering
election reforms to fix our broken electoral process.
In general, the panel fails to address, or even acknowledge, or see the
need for, or even know what the attack trees are for the current voting
system -- therefore, it proposes measures that miss the mark, and offers
up radical changes without examining appropriate checks and balances.
(Links to report at end of this article)
*Here is a point by point synopsis of what it says and how it misses the
*1: Help America Vote Act*
Recommends keeping 2006 deadline and "vigorously enforcing it."
*Misses the boat:* Pushes systems into the elections process without
adequate standards to assure quality, and with very few checks and
balances. Costly, both for federal and local governments. Many systems
will need to be adjusted, replaced, or jettisoned soon after purchase.
HAVA continues to define itself as a collossal example of pork spending
and government waste.
*2: Voter Registration, top-down systems*
The goal is good, the mechanism is flawed. Recommends statewide
computerized systems that interact state to state. That is a valid goal.
*Misses the boat:* The problem is, no one did any analysis of what
specific checks and balances are needed to make sure this system (a) is
accurate and (b) cannot be used to strategically disenfranchise voters.
Like most technology, it must be accompanied by the appropriate
safeguards, and they did not address the safeguards, which has the net
effect of decreasing election integrity.
*3: Voting Technology*
Recommends the VVPAT
*Misses the boat:* Does not recommend how "Voter Verified Paper Audit
Trail" must be used. All it says is that "unambiguous methods" must be
decided on to reconcile paper with computer, and it recommends that "a
decision should be made" as to which is the official record.
*Also sidesteps government waste issues:* By rushing to HAVA
implementation, hundreds of counties got stuck with machines that do NOT
produce a VVPAT. Even if the VVPAT was a viable solution (we believe
that it will prove not to be viable), this is an excellent example of
how rushing ahead with HAVA is becoming an exercise in government waste.
*Security:* Here is where the most glaring example of inadequacy of all
lies. This commission does not appear to even understand the need to
define the problem before it proposes solutions.
*We knew they'd miss this boat*: While in Houston, at the excellent
counter-Baker-Carter Panel event put together by Kip Humphrey, I asked a
member of the Panel why they had not asked a single question about how
hacks can be done. He said it is not necessary to understand how the
system can be compromised in order to protect it.
*Here's what's needed*
In fact, the following procedure is the only way to develop meaningful
protections for the system:
*- Identify categories of attacks.* Example of categories: Software
attack, hardware attack, materials attack (ballots, pens, etc.), People
attack (bribes, cons, manipulations, favors etc)...
*- Identify attack points.* Example of attack points: District
definitions, ballot access for candidates and issues, voter
registration, voter authentication, mail-in voting, vote casting, vote
recording, vote tallying, canvassing & reporting...
*- Identify specific attack vectors for each of the above.* Example:
Materials attack - place pens with organic ink into polling places that
use infra-red optical scanners when you want more lost votes to occur.
*- Assign a risk to each attack vector.* Calculate how many people would
need to be involved, what level of access, how much it would cost, how
much sophistication is required, how many votes could be affected at once.
- Starting with the most high-risk attacks, *develop procedures to
mitigate the risks*
TO DATE, NO ATTACK TREE HAS EVER BEEN DONE. According to Dr. Doug Jones
(see his interview in our video library; just click the video camera at
top right of our home page) -- when attack trees have been proposed,
officials in the elections industry not only don't seem interested in
finding out what they are, they say that if attack trees research is
done, THEY WON'T READ IT. Their excuse is that they don't want public
records available on the subject.
The Carter-Baker Panel seemed to follow this flawed line of reasoning.
They decided they could propose a solution to security without defining
what the security problems are.
*4: Access to voting*
Makes vague recommendations about making sure qualified people are
allowed to vote.
*Misses the boat:* It does not appear that they delved into this much.
Ohio and Florida would have been great starting points. None of the
issues documented with voter purging or failure to authenticate
qualified voters were addressed.
The study also makes vague recommendations about mail-in voting,
overseas and military voting, and the like, basically saying the
situation should be studied and pros & cons evaluated.
*5: Investigation of election fraud*
*Misses the boat:* The absence of the existence of any formal attack
tree, the lack of understanding of even what we know so far about attack
vectors, and the absence of meaningful mitigation procedures was obvious
This exceedingly lame section couches the problem in terms of property
destruction and attempts to decieve or intimidate voters. They seem
blissfully unaware of the new politically correct, kinder, gentler ways
to disenfranchise voters through selective purging of voter registration
databases and voting machine manipulation.
Read section 5. You'll chuckle at its lameness, before the nausea sets in.
*6: Election Administration*
The report makes general recommendations that seem mostly aimed at
cleaning up the (deservedly) tarnished image that elections
administration has achieved.
- It recommends throwing a bit of money at it
*Misses the boat:* but not in a targeted fashion
- it recommends beefing up the EAC
*Misses the boat:* but does not appear to recommend any more money for
the EAC's joke of a budget
- it recommends doing some research on elections management.
*Misses the boat:* If followed, the recommendations appear to put an
increased burden on local officials and local budgets, without providing
any real guidance or financial support.
The Panel advises media to provide a bit more access to candidates, for
example, a five minute discourse per month among candidates. It makes
recommendations about not releasing projections before everyone has
voted (aren't we already there?).
*Misses the boat:* What it doesn't do is make any effort to address
keeping nonfavored candidates and parties off the debates, nor does it
address the validity of the media's exit polling actions, nor
safeguarding the media projections from manipulation as happened in 2000
when a Volusia County voting machine manipulation was used to trigger
the media to make an incorrect projection of the presidential race.
Recommends that independent and international observers be allowed if
they are "accredited" -- which would mean a citizen would need to obtain
credentials before observing the counting of the vote, or attending a
Logic & Accuracy test.
*Misses the boat:* This seems ripe for abuse. They giveth with one hand
(states that only allow political party observers should let
international and independent observers come in too) while taking away
with the other (observers for pre-electon testing, absentee processing,
election day events and counting should have credentials issued in
*9: Presidential primaries and schedules*
They recommend changing the way primaries are scheduled, suggesting
giving over power to decide to a group of NASS (National Association of
Secretaries of State) members to execute the plans.
*Misses the boat:* In view of the secretary of states' failure to
properly monitor certification and their enthusiasm to rush to paperless
touch-screen voting, with the momentum shifting only after a veritable
taxpayer revolt, one wonders if this is the correct body of authorities
to handle this.
*Misses the boat:* They want states to hurry up and certify their
elections, quicker, faster, but what is simply not mentioned is
providing anyone the ability to audit much of anything.
# # # # #
Here is the report:
Here is a summary of recommendations in the report:
More information about the E-voting