[E-voting] details about ClearVoting

emanuele lombardi vote at electronic-vote.org
Fri Aug 31 21:13:36 IST 2007


I'm still against electronic voting, but I'm afraid that electronics will
enter voting more and more despite our talks (1.5 Million French voted
electronically, last May). So my aim is to propose to vendors a technological
system that preserves as much popular control over elections as possible.

I'm sure you'd prefer to vote using my system than Nedap's, Diebold's,
Sequoia's or any other on the market today (and tomorrow, as Claude just
told us)!

Before answering your objections, I'd like to review the main points of my
system:

1) kiosks are not connected to the outer world

2) voting implements the Mercuri method (VVBP)

3) VVBP are the only legitimate vote and they are printed in plain human
language. Their count (if any) must be manual (and public, of course!)

4) the software is made under public control and it contains an installable
Linux distribution taken from the Internet. Voting kiosks will run such
operating system. Voting software is all public and written in high level
languages interpreted by the Linux operating system.

5) the distribution of the software to the polling rooms is done by means of
read-only media officially distributed. The software is in any case
available on the Internet for public download and testing

6) the installation of the software on the kiosks automatically formats all
disks, installs the above Linux and the voting software, reboots to the
newly installed Linux and finally it runs the voting software

7) to preserve vote secrecy no voter info is ever recorded

8) votes are counted in each polling room, published locally and on the web
from where anyone can download them to compute the final result of the
election



OK, now I'll try to go into each point you made

Colm: VVBP are human-readable thus they must be counted and not scanned.
Counting can be done as always in public under the control of all parties'
representatives

Paul: I don't propose VVBP to be all manually counted (unless we want to
make a fully-paper election whose only novelty is that ballot papers are
printed by computers instead of voters). I say that "ClearVoting gives every
confidence in its electronic results. Nevertheless it is wise to manually
count the VVBPs of some polling rooms, provided the latter are randomly
chosen after their electronic results have been published".

Caterine: the software doesn't tell the voter "thank you, good bye" until he
confirms or rejects the VVBP. The voter can't exit the polling booth before
that, otherwise his vote remains visible on the LCD and on the VVBP. If the
voter leaves the booth without confirming his vote, he acts just like when in
a paper election the elector shows his voted ballot paper to the public
instead of putting it into the ballot box.

Caterine: a boot loader attack happens if the boot loader of the booted disk
is hacked. But ClearVoting boots from the ClearSoftware DVD, thus it uses the
boot loader shipped on the verified read-only media. Then ClearVoting
installs from scratch a new operating system (Linux) whose hack-free
boot loader is written on the MBR of the hard disk. At the next boot, the BIOS
will use the hard disk and thus its newly installed (and clean) boot loader.

Caterine: BIOS viruses and BIOS hacking can make a PC unusable, but can't
change the results of any program running on it (unless they can boot from a
network, but we have no network!). This is what happened up to now with BIOS
viruses.
In any case, having a bootable PC, ClearVoting could run using its read-only
media as a Live CD whose content can't be modified, not even by a virus
hidden in the BIOS. (drawback: power failures imply a manual recount of VVBPs
since counters are lost, but home-styled UPS can prevent power loss to
kiosks).

Caterine: physical access to the hardware before the election doesn't help
making fraud since all disks will be automatically formatted and the whole
system will be re-installed on election day. The only risk is that someone
adds a concealed (and wireless) network interface that could be illicitly
used, during the election, by a hacked BIOS to boot from the net instead of
from the hard disk.

Caterine: there is no password, no username in my system because as soon as
the system is installed the voting software automatically starts without any
authentication.

Paul: the verification of the software is not done at the polling room but
within the "bipartisan commission" that, at the end of its work, publishes
the bootable media and burns it into many thousands of copies (one or two for
each polling room). The commission also publishes the checksum of the media.
Any party representative or common citizen at the polling room can verify
that the media officially brought by police (or whoever else) has the right
checksum and that kiosks are really booted off the media. People can also
verify that nobody reboots or powers kiosks off.

Paul: I say that the "bipartisan commission" a couple of weeks before the
elections selects from the Internet any of the many working Linux, downloads
its ISO file and uses it to produce the bootable media. There are plenty
of sources of each Linux distribution and each of them has its own checksum
published. After downloading the ISO file the commission verifies its
integrity simply by computing its checksum and comparing it with those
published. I firmly believe that doing it this way we overcome Thompson's
problem (too much scepticism may stop everything!).

Paul: I'm quite sure that a PC unable to make integer additions of unities
would be soon discovered. 

Paul (and also David): We all download our preferred Linux from the Internet
to run, for example, the apache server to publish our web pages. I don't see
why we shouldn't do the same to run our voting application on the same
apache server.

Dermot: I believe my system needs more "democratic control" than classic
paper voting. In fact the people have to verify what is done at the making of
the software (through the "bicameral commission"), how the bootable media
are given to the polling rooms, how the media are installed on the kiosks,
how the kiosks are run (not halted nor rebooted), how results of each polling
room are published on the Web site and, finally, how the counting procedure
running on the Web site computes seats.

David: exactly as in paper voting, in my system "anybody from poll worker to
party representative know that they must be there and they must watch
for unexpected behaviour" (and, if requested, to manually count VVBPs)


I thank you all very much for your patience, 

Ciao,
Emanuele Lombardi
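
An added example, not part of the original message or of ClearVoting: one way any observer could recompute the totals from the published per-room results and reproduce the choice of polling rooms for manual VVBP counting when the draw is made after publication. It goes slightly beyond the message by binding the draw to a digest of the published results; room names, counts, the seed and the SHA-256 ranking scheme are all constructed assumptions.

```python
import hashlib
import json

# Constructed sample: electronic results as published per polling room.
PUBLISHED = {
    "room-001": {"List A": 212, "List B": 187, "blank": 9},
    "room-002": {"List A": 145, "List B": 230, "blank": 4},
    "room-003": {"List A": 301, "List B": 298, "blank": 12},
    "room-004": {"List A": 98, "List B": 110, "blank": 2},
}

def results_digest(published):
    """SHA-256 over a canonical JSON encoding of the published results."""
    canonical = json.dumps(published, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def totals(published):
    """Sum per-room counts, as anyone downloading the results could."""
    out = {}
    for counts in published.values():
        for option, n in counts.items():
            out[option] = out.get(option, 0) + n
    return out

def select_rooms(published, public_seed, k):
    """Rank rooms by SHA-256(digest|seed|room) and take the first k.

    The seed is assumed to be generated in public after publication
    (e.g. dice rolls), so the audited rooms are unknown while the
    electronic results can still be changed.
    """
    if not 0 < k <= len(published):
        raise ValueError("k must be between 1 and the number of rooms")
    digest = results_digest(published)
    def rank(room):
        data = f"{digest}|{public_seed}|{room}".encode("utf-8")
        return hashlib.sha256(data).hexdigest()
    return sorted(published, key=rank)[:k]

def audit_room(published, room, manual_count):
    """Return {option: (electronic, manual)} for every count that differs."""
    electronic = published[room]
    options = set(electronic) | set(manual_count)
    return {o: (electronic.get(o, 0), manual_count.get(o, 0))
            for o in options
            if electronic.get(o, 0) != manual_count.get(o, 0)}
```

An empty result from `audit_room` means the manual VVBP count of that room matches its published electronic result.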




 








