[E-voting] comments on the Baker-Carter report

Catherine Ansbro cansbro at eircom.net
Mon Sep 19 21:01:28 IST 2005


http://www.bbvforums.org/cgi-bin/forums/show.cgi?tpc=1954&post=12041#POST12041

Bev Harris's comments on the Baker/Carter report--rightly described on 
some websites as a sham.  Many comments (e.g. see below about attack 
vectors) are relevant for us in Ireland, too.
Catherine

Posted on Monday, September 19, 2005 - 09:01 am:    	

------------------------------------------------------------------------
The formal report of the Carter-Baker Panel purports to be offering 
election reforms to fix our broken electoral process.

In general, the panel fails to address, or even acknowledge, or see the 
need for, or even know what the attack trees are for the current voting 
system -- therefore, it proposes measures that miss the mark, and offers 
up radical changes without examining appropriate checks and balances. 
(Links to report at end of this article)

*Here is a point by point synopsis of what it says and how it misses the 
boat:*

*1: Help America Vote Act*
Recommends keeping 2006 deadline and "vigorously enforcing it."

*Misses the boat:* Pushes systems into the elections process without 
adequate standards to assure quality, and with very few checks and 
balances. Costly, both for federal and local governments. Many systems 
will need to be adjusted, replaced, or jettisoned soon after purchase. 
HAVA continues to define itself as a collossal example of pork spending 
and government waste.

*2: Voter Registration, top-down systems*

The goal is good, the mechanism is flawed. Recommends statewide 
computerized systems that interact state to state. That is a valid goal.

*Misses the boat:* The problem is, no one did any analysis of what 
specific checks and balances are needed to make sure this system (a) is 
accurate and (b) cannot be used to strategically disenfranchise voters. 
Like most technology, it must be accompanied by the appropriate 
safeguards, and they did not address the safeguards, which has the net 
effect of decreasing election integrity.

*3: Voting Technology*

Recommends the VVPAT

*Misses the boat:* Does not recommend how "Voter Verified Paper Audit 
Trail" must be used. All it says is that "unambiguous methods" must be 
decided on to reconcile paper with computer, and it recommends that "a 
decision should be made" as to which is the official record.

*Also sidesteps government waste issues:* By rushing to HAVA 
implementation, hundreds of counties got stuck with machines that do NOT 
produce a VVPAT. Even if the VVPAT was a viable solution (we believe 
that it will prove not to be viable), this is an excellent example of 
how rushing ahead with HAVA is becoming an exercise in government waste.

*Security:* Here is where the most glaring example of inadequacy of all 
lies. This commission does not appear to even understand the need to 
define the problem before it proposes solutions.

*We knew they'd miss this boat*: While in Houston, at the excellent 
counter-Baker-Carter Panel event put together by Kip Humphrey, I asked a 
member of the Panel why they had not asked a single question about how 
hacks can be done. He said it is not necessary to understand how the 
system can be compromised in order to protect it.

*Here's what's needed*

In fact, the following procedure is the only way to develop meaningful 
protections for the system:

*- Identify categories of attacks.* Example of categories: Software 
attack, hardware attack, materials attack (ballots, pens, etc.), People 
attack (bribes, cons, manipulations, favors etc)...

*- Identify attack points.* Example of attack points: District 
definitions, ballot access for candidates and issues, voter 
registration, voter authentication, mail-in voting, vote casting, vote 
recording, vote tallying, canvassing & reporting...

*- Identify specific attack vectors for each of the above.* Example: 
Materials attack - place pens with organic ink into polling places that 
use infra-red optical scanners when you want more lost votes to occur.

*- Assign a risk to each attack vector.* Calculate how many people would 
need to be involved, what level of access, how much it would cost, how 
much sophistication is required, how many votes could be affected at once.

- Starting with the most high-risk attacks, *develop procedures to 
mitigate the risks*

TO DATE, NO ATTACK TREE HAS EVER BEEN DONE. According to Dr. Doug Jones 
(see his interview in our video library; just click the video camera at 
top right of our home page) -- when attack trees have been proposed, 
officials in the elections industry not only don't seem interested in 
finding out what they are, they say that if attack trees research is 
done, THEY WON'T READ IT. Their excuse is that they don't want public 
records available on the subject.

The Carter-Baker Panel seemed to follow this flawed line of reasoning. 
They decided they could propose a solution to security without defining 
what the security problems are.

*4: Access to voting*

Makes vague recommendations about making sure qualified people are 
allowed to vote.

*Misses the boat:* It does not appear that they delved into this much. 
Ohio and Florida would have been great starting points. None of the 
issues documented with voter purging or failure to authenticate 
qualified voters were addressed.

The study also makes vague recommendations about mail-in voting, 
overseas and military voting, and the like, basically saying the 
situation should be studied and pros & cons evaluated.

*5: Investigation of election fraud*

*Misses the boat:* The absence of the existence of any formal attack 
tree, the lack of understanding of even what we know so far about attack 
vectors, and the absence of meaningful mitigation procedures was obvious 
here.

This exceedingly lame section couches the problem in terms of property 
destruction and attempts to decieve or intimidate voters. They seem 
blissfully unaware of the new politically correct, kinder, gentler ways 
to disenfranchise voters through selective purging of voter registration 
databases and voting machine manipulation.

Read section 5. You'll chuckle at its lameness, before the nausea sets in.

*6: Election Administration*

The report makes general recommendations that seem mostly aimed at 
cleaning up the (deservedly) tarnished image that elections 
administration has achieved.

- It recommends throwing a bit of money at it

*Misses the boat:* but not in a targeted fashion

- it recommends beefing up the EAC

*Misses the boat:* but does not appear to recommend any more money for 
the EAC's joke of a budget

- it recommends doing some research on elections management.

*Misses the boat:* If followed, the recommendations appear to put an 
increased burden on local officials and local budgets, without providing 
any real guidance or financial support.

*7: Media*

The Panel advises media to provide a bit more access to candidates, for 
example, a five minute discourse per month among candidates. It makes 
recommendations about not releasing projections before everyone has 
voted (aren't we already there?).

*Misses the boat:* What it doesn't do is make any effort to address 
keeping nonfavored candidates and parties off the debates, nor does it 
address the validity of the media's exit polling actions, nor 
safeguarding the media projections from manipulation as happened in 2000 
when a Volusia County voting machine manipulation was used to trigger 
the media to make an incorrect projection of the presidential race.

*8: Observers*

Recommends that independent and international observers be allowed if 
they are "accredited" -- which would mean a citizen would need to obtain 
credentials before observing the counting of the vote, or attending a 
Logic & Accuracy test.

*Misses the boat:* This seems ripe for abuse. They giveth with one hand 
(states that only allow political party observers should let 
international and independent observers come in too) while taking away 
with the other (observers for pre-electon testing, absentee processing, 
election day events and counting should have credentials issued in 
advance).

*9: Presidential primaries and schedules*

They recommend changing the way primaries are scheduled, suggesting 
giving over power to decide to a group of NASS (National Association of 
Secretaries of State) members to execute the plans.

*Misses the boat:* In view of the secretary of states' failure to 
properly monitor certification and their enthusiasm to rush to paperless 
touch-screen voting, with the momentum shifting only after a veritable 
taxpayer revolt, one wonders if this is the correct body of authorities 
to handle this.

*Misses the boat:* They want states to hurry up and certify their 
elections, quicker, faster, but what is simply not mentioned is 
providing anyone the ability to audit much of anything.

# # # # #


Here is the report:

http://www.american.edu/ia/cfer/

Here is a summary of recommendations in the report:

http://www.american.edu/ia/cfer/report/CFER_summary.pdf




More information about the E-voting mailing list