[E-voting] details about ClearVoting

Kommer Kleijn kommer at vooreva.be
Sat Sep 1 00:22:37 IST 2007


Dear Emanuele,

  On 12:19 30/8/07, emanuele lombardi wrote:
-
>Dear Paul,
>
>thank you for your reply.
>I would like to counter your points.
>
>1) My system does print VVPB and those pieces of paper are the ONLY legal
>votes.

If so then the printed VVPB should be the ONLY votes that are actually 
counted .... :-)

>2) Voters don't need to verify nor to trust the software that prints their
>votes as they simply verify the VVPB has printed on it the name of the voted
>candidate (or party).

Please don't forget that a large number of voters will not actually do 
that verification. And of those who do look at it, some will not 
notice a possible error.

VVPB actually means Voter VERIFIABLE Paper Ballot.

Hand filled paper ballots are actually VERIFIED (because otherwise it is 
not possible to fill in the form).

VERIFIED has a degree of security that cannot be compared with VERIFIABLE.

The assumption that every voter will actually verify is incorrect.

To summarize:
1. DRE without VVPB is not verifiable
2. DRE with VVPB is verifiable
3. Hand filled paper ballot is verified

Sure, 2 is better than 1. However, 2 can still NOT be compared to the 
quality of 3.

Additionally, note that VVPB does not exclude malicious software 
manipulation.

If the voter verifies, it will allow the voter to correct the error, but 
chances are small that the software gets "caught". Imagine a program that 
is programmed to cheat from party A to party B on one vote out of 5. If 
a voter votes for B, the program will of course not manipulate. If a voter 
votes for A, the program will change the vote to B (and print B!) one time 
out of 5. That means there is a cheat going on in less than 1 out of 10 
votes. _IF_ this 10th voter verifies the VVPB and _IF_ he actually notices 
the error, then he will probably think he made the error himself. He will 
then answer NO to the question of the DRE whether the VVPB is O.K. The DRE 
will destroy the VVPB and allow the voter to vote anew. However, the 
software KNOWS now that this voter will read the paper ballot, and the 
software can now easily be programmed to NOT cheat on this second try. The 
voter verifies his second try, sees all is fine and goes home without 
worry and without warning poll workers of the incident. All these events 
happen in the privacy of the polling booth. The fraudulent DRE software 
will of course also take care not to record the event in the log files, or 
to erase it from them.

If the voter does not see the error in the first instance, then the cheat 
succeeds, and survives even a manual recount of the printed paper ballots.

It is to be expected that numerous voters will not verify the VVPB and 
that numerous cheats will pass. Those that do not pass will be corrected, 
but may not result in suspicion of the machine.

Conclusion: even if all VVPB were hand recounted, VVPB does NOT protect 
against fraudulent voting computer software.

>3) Voters need to trust the software that counts their votes. Of course
>voters may have no competence to verify the software, but parties and
>organizations have it.

Nope, this is simply untrue. Parties or any other organizations do not have 
competent people in sufficient numbers. The average party 
representatives (those present at each polling station on polling day!) are 
average citizens and do not have those competences at all, no more 
than average voters. On polling day, a party has representatives in a 
majority of polling stations. These are thousands of volunteers. They are 
not IT specialists, and certainly not e-vote specialists. And you need to 
have IT _AND_ e-vote knowledge to see the problems. IT knowledge alone is 
_NOT_ enough to understand the problems and dangers of e-voting.

And I am saying this from practical observation experience!

>  I'm sure we agree that party representatives must
>carefully watch voting operations whichever the media and the technology.
>Thus they will be present in any polling room even at the opening of
>election when the software is installed booting kiosks from the media that
>has been officially distributed by the Authority (central or local).

Been there, observed that.

1. First. As I said earlier, there are thousands of polling stations. There 
cannot be e-voting IT specialists in every polling station, whichever 
organisation would like to send them. They simply do not exist in 
those numbers.

2. Second. Legal procedures set up so that technology is handled correctly 
by ignorant people are not followed in practice, and as such become 
inoperative. It is a known social phenomenon that in the long run people 
will follow laws and rules only if the reasons why the rules were chosen 
or are needed are explained to them. I am talking personal witnessing here, 
not suppositions.

During the last two Belgian elections, members of our association (PourEVA) 
have been physically observing in computerized polling and tabulating 
stations. The polling workers AND party representatives had NO idea why it 
was requested that the booting media be protected and watched. And thus 
they did NOT protect those media and did NOT observe the rules. In Belgium, 
although the law specifies strict rules on how the booting media must be 
handled (sealed envelopes, only certain people are allowed to handle them, 
etc.), in the places where we observed, those rules were NOT followed on 
polling day. When asked why, it came down to not understanding why these 
measures are needed. This concerned polling workers (chosen among the 
people) as well as city hall officials. Our observations also include city 
hall officials telling polling workers NOT to follow the rules because 
they would lose too much time....

When our association proved this in court, the judges answered that they 
AGREED we had shown that the rules were not followed. However, they still 
certified the election result because they did not believe "that the 
observed irregularities would have actually changed the election result". 
This means that ALSO THE COURT JUDGES did not understand why protection of 
boot media is needed. For the last two Belgian elections we do not know 
with what media the PCs were booted. As the rules were not followed, the 
machines may have been booted with the official software, or with other 
software. Nobody will ever know! And I am not talking theory here! I am 
talking real life, documented election observation.

>The use of a Linux distribution downloaded from the Internet and the use 
>of
>software written in an interpreted language give a very high level of
>confidence that nothing bad will happen. Please note that the use of an
>interpreted language means that no compilation is involved.

Although an interpreted language does not use a compiler, it uses an 
interpreter that performs a similar function. Although I agree that an 
interpreted language is preferable, please note that the difference is 
small, and not of significant importance. The only real advantage I see is 
that it avoids the need to prove that the compilation was done 
with the agreed compiler, as the interpreting program is part of the 
package itself.
The difference, however, is small. Flaws in the interpreter can be 
exploited in the same way as flaws in a compiler can.

>Even if we think that RedHat, Suse, Ubuntu, Debian, Mandriva, Fedora, 
>Gentoo
>all distribute some hacked version of their software, I can't imagine how 
>such
>hacked versions could ever make fraud in our Open Source voting software
>that is not compiled and that accomplishes extremely simple operations 
>like
>the counting by one.

Please note that these versions need not be hacked to be exploitable. It is 
enough that they contain errors or security holes that can be exploited by 
a clever source code writer or virus writer. Known faults in underlying 
software, BIOS, microcode, drivers for hardware or even errors in the 
hardware itself, if cleverly exploited, allow a source code writer to 
program malicious behavior invisibly to a person reading the source code, 
and also invisibly to a person testing the source code on a different 
platform.

Next, it is incorrect to present a voting application software as simple 
software that is limited to operations like the counting by one. This is 
completely untrue. Voting software is complex and every piece of voting 
software we have ever seen contained many thousands of lines of source 
code, providing thousands of places to hide malicious code. Voting software 
must manage screens, scan keyboards or touch screens, interface with 
hardware that records on media, etc, etc. In all these operations errors 
can occur, voluntary or involuntary. Voting software is complex and is NOT 
simple.

And it is a known fact that it is not possible to guarantee absence of 
error by proofreading thousands of lines of source code.

To pretend that published source or open source guarantees security is a 
false statement that can be qualified as naive at best.

>Anyway, to increase security the Linux to be used is chosen among the many
>by the bipartisan commission that also chooses a release/version that is 
>not
>the latest. Do we really think that (for example) version 5.0 of Ubuntu
>contained such hackings or errors that will make our PHP software give 
>wrong
>results of additions by one?

Yes, although it may eventually be free of hacks, it for sure DOES contain 
errors. (This is a known fact: there does NOT exist any piece of complex 
software that does not contain errors.) If the PHP software is cleverly 
written, it can exploit those errors to achieve a change in results without 
that being visible in the source code.

>5) How can any software running "under" the Operating System alter the
>results of our high level software that simply adds integers? I don't see
>what BIOS or disk firmware could ever do alter the results of the "n=n+1"
>computations done by our software.

1. It can. It has been demonstrated many times. It is a lack of knowledge 
on your part if you don't know how. An example (Intel CPU bug) is given 
below. 2. As said earlier, voting software needs to do much more than 
adding integers and is not simple.

>In any case voting kiosk are standard PCs that when are not used for 
>voting can be used for other purposes by the local administrations. If 
>they work properly it means that their low level software also works 
>properly.

That is also an incorrect assumption. Errors can go unnoticed for years 
(e.g. if they are in routines that are not called, or if other 
circumstances do not occur).

If errors would always show immediately, then software fixes after release 
would not exist.

The machines will not run malicious election software outside election 
periods. As such, errors that allow a malicious election software writer to 
change election results invisibly may very well not be noticeable in other 
operations during the rest of the year.

A very well-known example is the microcode bug in Intel Pentium processors. 
It resulted in calculation errors. (Yes, your Windows calculator or even 
Excel would come up with erroneous results!) It required application 
program writers to CIRCUMVENT the bug in order to obtain correct results. 
Not circumventing the CPU microcode error on those processors results in 
perfect-looking source code that produces erroneous results.

Additionally, you seem to ignore the possibility of ADDING malicious 
software. This is in practice the most used method to compromise computer 
behavior today (viruses use it). Published source and open source do not 
protect against this in any way, while it is actually the most plausible 
method a malicious person would use. The possibility has been demonstrated 
on voting machines (Princeton). The technique consists of adding software 
(a small executable program) on the machine, and this program e.g. 
manipulates the results files on disk or in memory. Many other 
possibilities exist. After doing its job, it can erase itself and leave no 
trace other than the modified results.

Best regards,

Kommer Kleijn.
member of the association "PourEVA" www.poureva.be
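The cheating-DRE scenario described in the reply above, as an added example that is not part of the original post or of any real voting system: a small Python simulation of a hypothetical DRE that flips every fifth first-attempt vote for A to B, prints B on the VVPB, and stops cheating any voter who has once rejected a ballot. The electorate (60 A voters, 40 B voters), the cheat rate, and the verification rates (half of voters read the ballot, half of those notice a wrong name) are constructed assumptions chosen so that the outcome can be checked by hand; all class and function names are this example's own.

```python
"""Simulation of a cheating DRE with a voter-verifiable paper ballot.

Added example, not code from the original post. Population, cheat rate and
verification rates are constructed assumptions.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Voter:
    vid: int
    intent: str      # candidate the voter actually wants: "A" or "B"
    verifies: bool   # does the voter read the printed ballot at all?
    notices: bool    # if read, does the voter spot a wrong name?


@dataclass
class MaliciousDRE:
    """Hypothetical DRE that flips every `cheat_every`-th first-attempt vote
    for A to B, prints B on the VVPB, and never cheats again a voter who has
    already rejected a ballot (the machine now knows that voter checks)."""
    cheat_every: int = 5
    a_first_attempts: int = 0
    electronic: Counter = field(default_factory=Counter)   # machine tally
    printed: list = field(default_factory=list)            # surviving VVPBs
    known_verifiers: set = field(default_factory=set)
    # A real cheating machine would wipe any trace of a rejection; this
    # counter exists only so the simulation can report what the log would not.
    rejections: int = 0

    def _record(self, choice):
        self.electronic[choice] += 1
        self.printed.append(choice)

    def cast(self, voter):
        """Return 'honest', 'corrected' or 'flipped' for this voter."""
        recorded = voter.intent
        if voter.intent == "A" and voter.vid not in self.known_verifiers:
            self.a_first_attempts += 1
            if self.a_first_attempts % self.cheat_every == 0:
                recorded = "B"                  # flip it, and print B too
        if recorded == voter.intent:
            self._record(recorded)
            return "honest"
        if voter.verifies and voter.notices:
            # Voter answers NO to "is the ballot OK?": the wrong ballot is
            # destroyed and the retry is recorded honestly.
            self.rejections += 1
            self.known_verifiers.add(voter.vid)
            self._record(voter.intent)
            return "corrected"
        self._record(recorded)                  # wrong ballot goes in the box
        return "flipped"


def build_voters(n_a=60, n_b=40):
    """Constructed electorate: even ids read their ballot, ids divisible by
    four also notice a wrong name; everyone else does not."""
    return [Voter(i, "A" if i < n_a else "B",
                  verifies=(i % 2 == 0), notices=(i % 4 == 0))
            for i in range(n_a + n_b)]


def run_election(voters, cheat_every=5):
    dre = MaliciousDRE(cheat_every=cheat_every)
    outcomes = Counter(dre.cast(v) for v in voters)
    return {
        "true": dict(Counter(v.intent for v in voters)),
        "electronic": dict(dre.electronic),
        "paper_recount": dict(Counter(dre.printed)),
        "outcomes": dict(outcomes),
        "rejections_seen_by_dre": dre.rejections,
    }


def recount_detects_fraud(result):
    """A hand recount of the VVPBs only compares paper against the
    electronic tally; it cannot see the voters' original intent."""
    return result["paper_recount"] != result["electronic"]


if __name__ == "__main__":
    r = run_election(build_voters())
    for key, value in r.items():
        print(f"{key:>24}: {value}")
    print("recount detects fraud?", recount_detects_fraud(r))
```

With these assumptions, 12 A voters are cheated, 3 of them reject the ballot and revote, and 9 flips survive: the machine reports A 51, B 49 against a true intent of A 60, B 40, and the paper recount reproduces the machine's 51/49 exactly, so the recount passes. The only evidence of tampering is the three rejections, which the machine does not log and the voters take home with them.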
