Schneier on Security

The paper ballot part has great value. Having to provide the public source code does just about nothing. The source code should be available to the state and to the courts if demanded in a trial.

I can see the price for such machines going way up as the vendor has to take into consideration the cost of sending source code to every requestor.

> I can see the price for such machines going way up as the
> vendor has to take into consideration the cost of sending
> source code to every requestor.

"Providing to the public" could be met by putting the source code up on a website, accessible via download. You could go to the library and download the source. How does this add cost? And if bandwidth is your answer, then my reply is bittorrent and signing the code.

You probably should reword that first sentence to "little common sense". The story has been corrected and it is not truly open source. The Source code is just escrowed with some X agency.

This is the first I've heard of someone argue providing the source is expensive! I'd think that they can charge the printing cost if someone wanted it printed.

Nevertheless, let's move on. I think it is a good idea -- because the public could help in debugging the machine! This would in turn reduce the cost of providing solid code that cannot be hacked. It is no replacement for a good security audit, but it helps.

So, does the law cover making sure the machines rolled out actually contain this code (as in, bipartisan inspection and verification of each machine's program before election day?)

From that story:
"
Correction: the original story was based on an official summary that referred to the bill as introduced and did not take into account certain amendments. Under the law as enacted, the source code would be placed into escrow with the elections board. It would be analyzed in the case of a recount, but not open to the public. WTN very much regrets the error and any confusion it may have caused.
"

...so not quite as enlightened as it first appeared

Open/escrowed/closed source aside - the important part of the legislation seems to be the voter-verified archived paper ballot that serves as an independent record of voter intent. That's a significant boost for common sense. Still don't have it here in Maryland, USA, though (see http://www.truevotemd.org; I am not affiliated w/ the organization).

the passed bill after amendments http://www.legis.state.wi.us/2005/data/acts/... is excerpted below. doesn't sound like "open source" to me. access is granted only in the event of a recount, only to the few, and only after signing an NDA. the original link you cite now has a correction.

(2) The board shall determine which software com-
ponents of an electronic voting system it considers to be
necessary to enable review and verification of the accu-
acy of the automatic tabulating equipment used to record
and tally the votes cast with the system. The board shall
equire each vendor of an electronic voting system that is
approved under s. 5.91 to place those software compo-
nents in escrow with the board within 90 days of the date
of approval of the system and within 10 days of the date
of any subsequent change in the components. The board
shall secure and maintain those software components in
strict confidence except as authorized in this section.
Unless authorized under this section, the board shall
withhold access to those software components from any
person who requests access under s. 19.35 (1).

(sec 3 omitted) ...

(4) If a valid petition for a recount is filed under s.
9.01 in an election at which an electronic voting system
was used to record and tally the votes cast, each party to
the recount may designate one or more persons who are
authorized to receive access to the software components
that were used to record and tally the votes in the election.
The board shall grant access to the software components
to each designated person if, before receiving access, the
person enters into a written agreement with the board that
obligates the person to exercise the highest degree of rea-
sonable care to maintain the confidentially of all propri-
etary information to which the person is provided access,
unless otherwise permitted in a contract entered into
under sub. (5).

""Providing to the public" could be met by putting the source code up on a website, accessible via download."

If it was GPL then you would be correct. But that is not the way things work when it is a government service. The Federal ADA can be a real pain with this kind of thing.

The point appears to be moot as the clarification shows a software escrow. I would also see a way to verify that the object code in use is actualy what is in escrow. Otherwise trojaned voting machines could be a problem.

Just wanted to mention that the story on "Stupid Bandnames" has dropped of the blog. Probably no particular reason other than a small error.. Hope it will return

Electronic voting is the way to go in the future. Its cuts down on the amount of paper used and in the long run is more environmentally friendly.
I don't understand the need for touchscreens and the likes of it. It makes it more expensive.

Case in point: Last general Elections - India. With its huge population, about a year back, its last general election was totally using electronic voting machines. All they had was a set of switches(push button type) for the voter to indicate their choice. Each machine would accept one vote, after which the master key at the voting booth's front desk had to be pressed by the booth superintendent before it would accept the next vote.

To cut out all the details, the elections went off smoothly, and it took 1/4th of the total time for the results to be announced than the regular paper voting of the previous occasions.

There's no super source code- nothing to tamper- the boxes are completely self contained-only the master key goes by a cable to the reg desk. And u have the break the seal of the box to get at the results.

Bruce what about this?!? I'm a freaking genius!

Government opens a bank and gives every person an account.
The accounts are filled with various "currency" Local election dollars, state election dollars, national election dollars, etc. Of course the currency is non transferable.
Every person is given a VISA check/credit card for their account.
To vote you go to a regular ATM, put in your card, your PIN, and Vote.

Advantages: The systems are already in place, tested, and reasonably secure.

During elections you would "buy" a vote for which ever candidate you were voting for. The candidate would have an account and your vote would transfer to their account. The candidate with the most "voting dollars" in their account wins.

Fraud? You could check your "voting statement" or "online voting account" and verify no one is stealing your votes.

Got to go

You could vote in the line at the supermarket.
If you had questions you could call the 1-800-Visa-Vote number and the customer service rep could review your account.

Thoughts?!?

You could even have two or three Voter Banks to ensure competition?

@supersaurus
"The board shall
equire each vendor of an electronic voting system that is
approved under s. 5.91 to place those software compo-
nents in escrow with the board within 90 days of the date
of approval of the system and within 10 days of the date
of any subsequent change in the components. "
-It should be reviewed & placed in escrow prior to approval or any change, not escrow only afterwards.

@Adam Gates

That ignores the reality of people influencing the votes of others. For example, if your union told you to vote for someone and wanted to see your statement for proof that you voted "correctly", you'd have to do it if you wanted to keep your job.

Any solution that makes it possible for you to verify your vote after the fact allows someone else to verify your vote as well. Of course, you could create a Machiavellian system where you are able to create as many ballot receipts as you want, but only one would actually be submitted and there was no way to differentiate between a submitted and unsubmitted receipt.

@Adam Gates
Disadvantages:
1) It would dramatically increase vote-buying; it may even enable vote-buying after the initial vote ("Hey! I voted for the other person!").
2) It would change the source code issue from a voting machine to an uncontrolled ATM, making any software or physical security problems worse.

Adam, you're missing one reason for a secret ballot: if a voter can verify his/her vote in a form that allows a third-party to view that vote, that voter can be bribed or intimidated into voting a particular way - if the fraudster can tell whether or not the vote was cast as desired, the bribe can be given to only those that vote in the chosen fashion.

As for the law passed, all it takes is for the voting machine manufacturer to declare that the fraud-inducing portion of their code is "proprietary", and the reviewer is bound by NDA not to reveal that fraud is going on. Sometimes I wonder if our elected officials are paying attention; on my darkest days, I realise they probably are.

Cash up front for a vote seems less of an evil than the current method of opening the public coffers once elected to reward the groups that supported the candidate.

If you will sell your vote for a pack of smokes you will do the same for a larger welfare check.

Sorry about the double post here but here is an idea.

Each election a special batch of $1 bills are printed up (adjust currency value as desired). When you show up at the poll you are given one bill for each person on the ballot. You vote by placing a $1 bill into the slot for your candidate. You also have the option of not voting and taking the money and going home.

It would be interesting to see who would acutaly vote.

I believe Adam Gates is talking virtual dollars. He's using the dollar idea as a token of a vote by using existing secure hardware/software that's been proven fairly secure.

"proven fairly secure."

Fairly secure is not good enough, the existing banking system is *not* fairly secure (look at identity theft and phishing), and the existing banking system is primarily secure in a way that is the opposite of the type of security needed for a voting system: namely, bank machines are designed to ensure that every transaction is traceable to the parties involved, and a voting system MUST be designed to make it IMPOSSIBLE to trace transactions to the voter involved.

@Mike Sherwood---> Vote buying? How is this any different than the current system?

@Fred Page ---> Vote buying? Again how is this different than the current system?

@Alun Jones ---> Unions, Companies, etc cannot get a printout of my bank account statement. Why would they have access to the voting account?

@jammit Exactly correct Voting money not Real money

All of the vote dollars ignore that the current system isn't very secure. It's just secure enough to still be profitable. There is a lot of fraud that happens with the current system, just not enough to bring it down.

@AG

In the current system, you don't get a receipt that allows the buyer of the vote to verify that you didn't lie to them. Currently, the one who gets a vote out of coercion or purchase is only getting the word of the voter that they have complied.

@Mike Sherwood
Well then don't include the candidates on the receipt!

If you think you are going to make a more secure system than one that is created to protect money... yeah good luck with that.

I work with taxing agencies for state and fed electronic filing, and Minnesota is one of the best to work with. They use current and proper technology, they listen to their partners, and they run a nice operation.
I'm not surprised to see MN being sensible in the voting arena as well.

@AG:

"If you think you are going to make a more secure system than one that is created to protect money... yeah good luck with that."

Money is typically protected by locking it up. Can democracy and freedom be protected in the same way?

"Bruce what about this?!? I'm a freaking genius!"

If you're willing to give up the secret ballot, secure voting becomes easy. Once you add anonymity to the system, though, the problem becomes much much harder.

@AG

If the receipt no longer has the candidate name, it can't really confirm for whom your vote was cast. If it does, it can be used as proof for a vote for pay or benefit scheme.

@ John Ridley

While easily confused, Wisconsin and Minnesota are actually separate states. Just ask a Vikings fan.

@ AG

> how is this different from the current system?

Then why make any change? ;)

@ Anonymous

> Its cuts down on the amount of paper used and in the
> long run is more environmentally friendly.

That argument may be factually correct, but "more environmentally friendly" could easily be substituted with "infintesimally more environmentally friendly". The Los Angeles Times probably blows through more paper printing a single sunday edition than the entire country does printing paper ballots for a year's elections. Okay, that may be an exaggeration (it's probably not too far off the mark), but the environmental cost of printing paper ballots is miniscule. There is also an environmental cost to electronic balloting... if you're manufacturing balloting machines you're creating silicon chips, circuit boards, wiring, plastics, etc. with their associated waste products (anyone know of a good EIR for the production of integrated circuit machines in the U.S.?) Not to mention you're using power, which has its own environmental cost.

> It took 1/4th of the total time for the results to be announced
> than the regular paper voting of the previous occasions.

Whenever I get into "electronic vs paper" arguments, this is always a point the "electronic" side makes. It's also, the only point that makes any sense. I don't see any advantages to electronic voting in areas of voter security, election auditing, or cost (most electronic voting systems actually either lose security, have less auditing ability, or have an outrageous price tag.)

And I, personally, don't care if the election results take a day or even a week if I'm confident that they're secure, reliable, and auditable. I'm not entirely confident in the current paper balloting systems in the U.S., but I'd rather see those concerns fixed in the current methods of balloting than have the country switch to a new technology with much more dubious reliability, especially when the manufacturers and distributors of electronic polling machines may have their own political agenda.

The whole "electronic voting" hoopla strikes me as a giant sales campaign for gadgets and widgets that we don't need.

--"It's also, the only point that makes any sense."

Well, not quite the only. Electronic voting also allows for better accessability, since it's easier for every polling place to load multi-language software than it is to have ballots in all possible languages (including braille).

We, as a country, have managed to go about this whole thing back-asswards though.

> Electronic voting also allows for better accessability, since
> it's easier for every polling place to load multi-language software
> than it is to have ballots in all possible languages (including braille).

Point taken.

It also results in greater logistical problems, since the polling places have to have they physical configuration to allow the machines to be delivered, set up, plugged in, etc.

It's really easy to unfold a couple of tables and plop down a box and a pile of ballots :)

Again, this seems to me to be a wash.

The accessibility issue can be solved by making machines to punch or mark paper ballots, which can be verified by eye, then handed in.

@Xellos

ATM machines are already programmed in different lang and Braille

@Pat Cahalan

I was referring to the one argument: Vote buying

Electronic Voting with Proven ATM technology has huge advantages:
1. Ease of use
2. International Access
3. Security
4. Fraud detection and recovery
5. Accessibity
6. ASSUREANCE (thats for Bruce)
7. Infrastructure already in place!

@EVERYONE
WHY IS VOTING DIFFERENT THAN MONEY?!?

I think everyone is making this overly complicated the solution is staring us in the face EVERYDAY. Use ATMs to vote!

@Bruce
My solution isn't the coolest, newest, or the one with the most bells and whistles... that is why it is perfect.

The source code itself is worth nothing by itself. As long as there is no way to build the software from this source and deploy it to one of the devices yourself to verify that the built software in use is exactly the same as the software you built from the "open source" source code you cannot say releasing the code as open source makes the device safer or more transparent.

Bruce, some time ago I sent you an e-mail regarding similar news from Buenos Aires, Argentina. Here is the transcription for the rest.

Wed, 26 Oct 2005 17:54:04 -0300
Dear Bruce,

Some months ago the government of the city of Buenos Aires, Argentina,
started a project to develop voting software for its electoral process.

We've had elections last Sunday (that's an interesting topic for another
time, how elections are mandatory and exclusively held on Sundays over
here), and I've been told that a pilot program was in place at some
voting points. A friend, who was working as technical support for the
machines, told me that they had a variety of models to see how people
reacted to the different hardware and user interfaces. Of course, being
a pilot, the electronic votes didn't count for the election and they
were completely optional, but it served to gather feedback and test the
system stability.

I still don't know the results of the experiment, and I'm not sure my
friend will have access to that information. However, the government
released the complete design documents, user and technical manuals and
source code for the system, plus emulators to run the source for those
mortals who don't have access to the hardware.

Here is the pilot's website:
http://www.buenosaires.gov.ar/dgelec/index.php?... .
It's in Spanish, but very brief and to the point. The open documents and
software can be found under the Plan de Publicación link.

Under the Informes e Investigación section you can find case studies
comparing the electoral process in different countries, including the
USA. It looks like the government is doing TheRightThingTM, or at least
the process seems well-intentioned. This surprises me, but as a citizen
of Argentina, it gives me some hope as well.

Last but not least, here are some animations showing the different
machines in action: http://www.buenosaires.gov.ar/dgelec/index.php .

@everyone but Tobias :)

Tobias is right. Seeing the source code doesn't prove anything. Prooving that this source code
1- was ever loaded on the box.
2- was the one used for counting ballots

is very hard to put in place. And that's not all. What does tell me that those votes get to be the ones counted?

"Security is only as strong as the weakest link"

For all those who believe that security by obscurity is not the way to go, making things open in the voting machine is one first step. If the code is open (and it doesn't even look it's really going to be), the weakest link becomes something else: the reporting of the results.

So don't come and mess with my 1xx years perfectly valid people counting ballots system and obscur it with some black box technology before you've got something that I can really really *really* trust. It's the hard way, but it's the only way.

I'd be much more confortable if technology addressed the aggregation of the results in a completely open way (e.g. with a fully open system that puts the nation results online inside a single spread-sheet, one line per voting center) but let the local voting be done in a completely accountable and manual way. That would still let people check things at both the local and global level. Then make sure citizen get the encentive to be in the voting center when results are counted and reported. Anonymous and very hard to temper with.

But do they really want to make it open?

Alas, apparently the source code is no longer open, the article says that was the original intent, but not the amended legislation. It will be escrowed, but not public. So no 'peer review'...

please do it as soon as possible

Requiring a paper trail is great. I looked at mine after the last election to prove my vote counted.
It was actually who and what I voted for.
What should help is that each political party be charged $1 for every vote cast for each of their candidates, after the election results are posted.
Send the politicians the bill, and spend the money on keeping paper trails and voter access.
That would encourage a few 'bases'.

i will accept this concept...your project desing very well...i am also doing project in rfid used for voting system...please help me..give tips
my project name is :rfid use for voting system

I have intrerst