[E-voting] details about ClearVoting
kommer at vooreva.be
Sat Sep 1 00:22:37 IST 2007
On 12:19 30/8/07, emanuele lombardi wrote:
>thank you for your reply.
>I would like to counter your points.
>1) My system does print VVBP and those pieces of paper are the ONLY legal
If so then the print VVPB should be the ONLY votes that are actually
counted .... :-)
>2) Voters don't need to verify nor to trust the software that prints their
>votes as they simply verify the VVBP has printed on it the name of voted
>candidate (or party).
Please don't forget that a large quantity of voters will not actually do
that verification. And from those that will look at it, a part will not
notice an eventual error.
VVPB actually are Voter VERIFIABLE Paper Ballots.
Hand filled paper ballots are actually VERIFIED. (because otherwise it is
not possible to fill in the form)
VERIFIED has a degree of security that can not be compared with VERIFIABLE
The assumption that every voter will actually verify is incorrect.
1. DRE without VVPB is not verifiable
2. DRE with VVPB is verifiable
3. Hand filled paper ballot is verified
Sure 2 is better than 1. However, 2 can still NOT be compared to the
quality of 3
Additionally, note that VVPB does not exclude malicious software
If the voter verifies it will allow the voter to correct the error, but
chances are little that the software gets "caught". Imagine a program that
is programmed to cheat from party A to party B every one vote out of 5. If
a voter votes for B, the program will of course not manipulate. If voter
votes for A the program will change the vote to B (and Print B!) one time
out of 5. That means there is a cheat going on in less than 1 out of 10
votes. _IF_ this 10th voter verifies the VVPB and _IF_ he actually notices
the error then he will probably think he made the error himself. He will
then answer NO to the question of the DRE if the VVPB is O.K. The DRE will
destroy the VVPB and allow the voter to vote anew. However, the software
KNOWS now that this voter will read the paper ballot and the software can
now easily be programmed to NOT cheat on this second try. The voter
verifies his second try, sees all is fine and goes home without worry or
without warning poll workers of the incident. All the events happened in
the discretion of the polling booth. The fraudulent DRE software will of
course also take care to not record, or erase the event in/from the log
If the voter does not see the error in the first instance, then the cheat
succeeds, and resists even a manual recount of the printed paper ballots.
It is to be expected that numerous voters do not verify the VVPB and
numerous cheats will pass. Those that will not pass will be corrected but
may not result in suspicion of the machine.
Conclusion: even if all VVPB would be hand recounted, VVPB does NOT protect
against fraudulent voting computer software.
>3) Voters need to trust the software that counts their votes. Of course
>voters may have no competence to verify the software, but parties and
>organizations have it.
Nope, this is simply untrue. Parties or any other organizations do not have
competent people in sufficient numbers. The average party
representatives (those present at each polling station on polling day!) are
average citizens and do not have those competences at all, not any more
than average voters. On polling day, a party has representatives in a
majority of polling stations. These are thousands of volunteers. They are
not IT specialists, and certainly not e-vote specialists. And you need to
have IT _AND_ e-vote knowledge to see the problems. IT knowledge alone is
_NOT_ enough to understand the problems and dangers of e-voting.
And I am telling this from practical observation experience!
> I'm sure we agree that party representatives must
>carefully watch voting operations whichever the media and the technology.
>Thus they will be present in any polling room even at the opening of
>election when the software is installed booting kiosks from the media that
>has been officially distributed by the Authority (central or local).
Been there, observed that.
1. First. As I said earlier, there are thousands of polling stations. There
can not be e-voting IT specialists in every polling station, whoever the
organisation is that would like to send them. They simply do not exist in
2. Second. Legal procedures set up to correctly manipulate technology by
ignorant people are not followed in practice, and as such become non
operative. It is a known social phenomenon that in the long run people will
follow laws and rules only if they are explained the reasons why the rules
are chosen or needed. I am talking personal witnessing here, not
During the two last Belgian elections, members of our association (PourEVA)
have been observing physically in computerized polling and tabulating
stations. The polling workers AND party representatives had NO idea why it
was requested that the booting media be protected and watched. And thus
they did NOT protect those media and did NOT observe the rules. In Belgium,
although the law specifies strict rules on how the booting media must be
handled (sealed envelopes, only certain people are allowed to handle them
etc), in the places where we observed, those rules were NOT followed on
polling day. When asked why, it came out on not understanding why these
measures are needed. This concerned polling workers (chosen among the
people) as well as city house officials. Our observations also include city
house officials telling polling workers to NOT follow the rules because
they would lose too much time....
When our association proved this in court, the judges answered that they
AGREED we showed that the rules were not followed. However, they still
certified the election result because they did not believe "that the
observed irregularities would have actually changed the election result".
This means ALSO THE COURT JUDGES did not understand why protection of boot
media is needed. On the last two Belgian elections we do not know with what
media the PC's were booted. As the rules were not followed, the machines
may have been booted with the official software, or with other software.
Nobody will ever know! And I am not talking theory here! I am talking real
life, and documented election observation.
>The use of a Linux distribution downloaded from the Internet and the use
>of software written in an interpreted language give a very high level of
>confidence that nothing bad will happen. Please note that the use of an
>interpreted language means that no compilation is involved.
Although an interpreted language does not use a compiler, it uses an
interpreter that assumes a similar function. Although I agree that an
interpreted language is preferable, please note that the difference is
small, and not of significant importance. The only real advantage I see is
that it avoids the need to prove that the compilation would have been done
with the agreed compiler, as the interpreting program is part of the
The difference, however, is small. Flaws in the interpreter can be
exploited in the same way as flaws in a compiler can.
>Even if we think that RedHat, Suse, Ubuntu, Debian, Mandriva, Fedora,
>all distribute some hacked version of their software, I can't imagine how
>hacked versions could ever make fraud in our Open Source voting software
>that is not compiled and that accomplishes extremely simple operations
>the counting by one.
Please note that these versions need not be hacked to be exploitable. It is
enough that they contain errors or security holes that can be exploited by
a clever source code writer or virus writer. Known faults in underlying
software, BIOS, micro code, drivers for hardware or even errors in hardware
itself, if cleverly exploited, allow a source code writer to program
malicious behavior invisibly to a person reading the source code, and also
invisible to a person testing the source code on a different platform.
Next, it is incorrect to present a voting application software as simple
software that is limited to operations like the counting by one. This is
completely untrue. Voting software is complex and every piece of voting
software we have ever seen contained many thousands of lines of source
code, providing thousands of places to hide malicious code. Voting software
must manage screens, scan keyboards or touch screens, interface with
hardware that records on media, etc, etc. In all these operations errors
can occur, voluntary or involuntary. Voting software is complex and is NOT
And it is a known fact that it is not possible to guarantee absence of
error by proofreading thousands of lines of source code.
To pretend that published source or open source do guarantee security is a
false statement that can be qualified as naive at best.
>Anyway, to increase security the Linux to be used is chosen among the many
>by the bipartisan commission that also chooses a release/version that is
>the latest. Do we really think that (for example) version 5.0 of Ubuntu
>contained such hackings or errors that will make our PHP software give
>results of additions by one?
Yes, although it may eventually be free of hacks, it for sure DOES contain
errors. (This is a known fact, there does NOT exist any piece of complex
software that does not contain errors) If the PHP software is cleverly
written, it can exploit those errors to achieve a change in results without
that being visible in the source code.
>5) How can any software running "under" the Operating System alter the
>results of our high level software that simply adds integers? I don't see
>what BIOS or disk firmware could ever do to alter the results of the "n=n+1"
>computations done by our software.
1. It can. It has been demonstrated many times. It is a lack of knowledge
from your part if you don't know how. An example (Intel CPU bug) is given
below.
2. As said earlier, voting software needs to do much more than adding
integers and is not simple.
>In any case voting kiosk are standard PCs that when are not used for
>voting can be used for other purposes by the local administrations. If
>they work properly it means that their low level software also works
That is also an incorrect assumption. Errors can go unnoticed for years
(f.e. if in routines that are not called upon or other circumstances do not
If errors would always show immediately, then software fixes after release
would not exist.
The machines will not run malicious election software outside election
periods. As such errors that allow a malicious election software writer to
change election results invisibly, may very well not be noticeable in other
operations during the rest of the year.
A very well known example is the micro code bug in Intel Pentium processors.
It resulted in calculation errors. (Yes, your windows calculator or even
Excel would come up with erroneous results!) It required application program
writers to CIRCUMVENT the bug in order to obtain correct results. Not
circumventing the CPU micro code error with those processors will result in
perfect looking source code, while producing erroneous results.
Additionally you seem to ignore the possibility of ADDING malicious
software. This is in practice the most used method to compromise computer
behavior today. (viruses use it) Published source and open source do not
protect against this in any way, while it is actually the most plausible
method a malicious person would use. The possibility has been demonstrated
on voting machines (Princeton). The technique consists in adding software (a
small executable program) on the machine and this program f.e. manipulates
the results files on disk or memory. Many other possibilities exist. After
doing its job, it can erase itself and leave no trace other than the
member of the association "PourEVA" www.poureva.be
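
The "one vote out of 5" scenario from the message above, worked through as an added example that is not part of the original e-mail: it counts what a full hand recount of the paper ballots would and would not show. The 50% share for party A, the 30% verification rate and the 50% notice rate are assumed values, and the function and field names are hypothetical.

```python
import random
from collections import Counter

def simulate(voters=10_000, share_a=0.5, flip_every=5,
             p_verify=0.3, p_notice=0.5, seed=1):
    """Replay the scenario from the message. All rates are assumed values."""
    rng = random.Random(seed)
    intent, paper, electronic = Counter(), Counter(), Counter()
    attempted = caught = a_votes = 0
    for _ in range(voters):
        choice = "A" if rng.random() < share_a else "B"
        intent[choice] += 1
        recorded = choice
        if choice == "A":
            a_votes += 1
            if a_votes % flip_every == 0:   # one A vote out of flip_every
                attempted += 1
                # Caught only if the voter reads the printout AND notices.
                if rng.random() < p_verify and rng.random() < p_notice:
                    caught += 1             # ballot rejected; retry is honest
                else:
                    recorded = "B"          # printout and record both say B
        paper[recorded] += 1                # what a hand recount would find
        electronic[recorded] += 1           # what the machine reports
    return {
        "intent": dict(intent),
        "paper": dict(paper),
        "attempted": attempted,
        "caught": caught,                   # rejected printouts: only visible trace
        "surviving": attempted - caught,
        "recount_mismatch": sum(abs(paper[c] - electronic[c]) for c in "AB"),
    }

if __name__ == "__main__":
    r = simulate()
    print("voter intent      :", r["intent"])
    print("paper / recount   :", r["paper"])
    print("flips attempted   :", r["attempted"])
    print("noticed by voters :", r["caught"])
    print("flips in the count:", r["surviving"])
    print("recount mismatch  :", r["recount_mismatch"])
```

The recount mismatch is zero for any choice of rates because the paper and the electronic record are written from the same altered value; the only signal left for an auditor is the number of rejected printouts, and only if that number is logged independently of the voting software.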