[E-voting] reply to Thomas Greene

Michael McMahon michael at hexmedia.com
Wed Oct 25 09:21:34 IST 2006

I sent them a response as well.

Dear Sir,

I disagree with Thomas Greene's assessment of the e-voting debacle in 
I have replied to some of the points he makes below.

> The combination of electronic machines with a paper record has become 
> an obsession among a number of "activists", but it, too, can only be 
> useful if the design is secure. Still, it's the /least/ desirable 
> alternative because it introduces needless complexity, and tremendous 
> uncertainty when results are in dispute. How do you know which record, 
> the electronic or the paper, is valid? Either component can be 
> attacked, can fail, or can simply be designed badly.

This is a common misconception. The paper ballots are the ones verified
by the voters. So, if there is any uncertainty, then the paper takes
precedence. It's a matter of system design to ensure that in practice,
there is no discrepancy between the electronic and paper versions.
Why should there be, since the same software is recording the votes
electronically, and printing the paper ballots out?
There may be better solutions than voter verified paper ballots (VVPB),
but the least desirable system is not VVPB.
It is unverifiable electronic voting machines.

> The Irish system is now so mistrusted that there is nothing anyone can 
> do to fix it (including actually fixing it). Ahern is in a terrible 
> position. His government squandered the €52m, and everything he says 
> sounds like spin, even on those occasions when it isn't.
> For example, when confronted by news that a voting machine had been 
> compromised, Ahern noted that "the anti-electronic voting campaign 
> group in the Netherlands physically hacked into a machine to 
> demonstrate security flaws. If one hacked into a ballot box one could 
> do that too".
> It's a sensible observation, but it doesn't help. The public 
> perception is that machines are easier to hack, and that it's easier 
> to conceal the fact. Meanwhile, the opposition likes having the 
> e-voting debacle to hang around Ahern's neck when it suits them.

It is not a sensible observation. Ballot boxes are prepared for use in
the presence of candidates and their agents. Everyone can ensure that
there are no ballots already present. At the end of polling, they are
sealed under a similar level of scrutiny. They are opened under similar
secure conditions at counting centres, under full public gaze.
Unverifiable voting machines simply do not have this level of
transparency. There is no escaping the fact that we are required to
blindly trust whatever software happens to be running on the machine.

There are certainly risks associated with paper ballot elections. But
every objective assessment shows they are far more trustworthy than
unverifiable electronic voting machines.

> At this point, the only sensible thing to do is start over. A 
> well-designed paper system would be a perfectly good place to start. 
> But if Ireland has got to have electronic voting to boost the 
> government's self esteem, then fine.
> For secure, trustworthy e-voting, one needs hardware validated by an 
> independent (and competent) testing agency, and a system to ensure 
> that only validated hardware is used (ie, no post-validation equipment 
> changes of any sort, and fragile seals to indicate tampering visibly).

Wrong. We don't need ballot boxes to be tested by any "independent
testing agency". So, we demand the same level of assurance from
electronic voting, which is a system that can be verified by the
users, i.e. the voters, and does not require us to trust any
independent testing agency.

The experience in Ireland has been that once a government chooses a
system to use, the testing simply becomes a rubber stamping exercise.
One can see this in the Irish case, where, for example, the testing
performed by the PTB institute in Germany was not testing at all;
rather, it was a form of inspection and observation. Unfortunately, few
people read the test reports, and even fewer actually understand the
implications of the (lack of) actual testing done.

> Next, one needs software validated by an independent testing agency, 
> and a mechanism to ensure that only validated software can be 
> installed. This would involve the compiler, all source code, 
> libraries, encryption software, etc. It doesn't have to be /open 
> source/, but the validating agency has got to have access to every 
> single bit. It would then build all of the software and issue approved 
> copies. This can be verified cryptographically, cheaply, and easily.

Wrong again. Exactly the same argument applies as for the hardware.

> Of course, there must not be any mechanism for remote IP access or 
> switched telephone access to the machines or the database. Leased 
> lines only.
> There also needs to be a validated auditing mechanism to show every 
> instance of access to the machines and the database.

Internal audit trails produced by the software which we don't want or
need to trust are worthless.

All the best,

Michael McMahon.
