Tuesday, 9 November 2004

Inappropriate voting technology, part 2

There are a number of persistent claims that the recorded results for the US presidential election don't actually match the voters' intentions.

What's worrying me is the number of people (look at the comments) talking about optical scanning machines. Sorry, but an optical scanning machine is just as open to fraud by its manufacturer or operators as a touch-screen voting machine. The counting needs to be as observable as the casting of the ballots. I can't see any way that a counting machine can be certified honest, on every day of the year, without actually checking the totals before and after scanning and confirming that the correct numbers are indicated, on the actual day of the election and for every ballot.

You'll note that this amounts to hand-counting. Why not get rid of the expensive, corruptible machinery, in that case? Use hand-counting alone. As I said last time, it doesn't actually take that long. What's more, the actual counting can be observed - the correct assignation of ballots to candidates can be verified, the correct number of ballots in a pile can be checked (normally ballots are placed in piles of 100 during a UK count), and the number of piles and the remainder can be easily counted. Also, the acceptance or otherwise of a voter's mark can be contested.

If you trust the machinery to give you not only the individual totals, but also the total number of papers counted, you have no true paper trail. You can only verify the results by counting the votes.

I've also seen the Open Voting Consortium site. They propose a touch-screen system which produces a paper ballot which can then be machine counted. The touch-screen system does not produce totals, it merely prints a paper ballot with the choices.

Unfortunately it suffers from an even greater flaw than optical-scan - it uses barcodes for the machine counting. There is absolutely no guarantee that the barcode actually contains the choices indicated on the human-readable face of the ballot. There's no guarantee that the barcode reader reports the correct information. There's no guarantee that the totalling machine records the right numbers.

In addition, there's way too much software and hardware to go wrong. Any time a UPS is brought into the discussion, you have to cringe.

My Dad (a 34-year computing industry veteran) pointed out something obvious even with Open Source voting software. There's no guarantee that the code running on the system is in fact compiled from the provided source. There's also no guarantee, as some have already pointed out, that the tools used to compile the source have not been subverted. The only way you could trust a compiled binary is to validate the object code. I've unpicked compiled code and believe me, that's not fun. I'm not sure I trust the security credentials of any organisation that states:

"The companies that produce voting machines have poured gasoline onto the smoldering embers of concern. Some of these products are built on Microsoft operating systems - operating systems that have a well earned reputation for being penetrable and insecure."

Yup, it's a bunch of ABMers.

1 comment:

nikita said...

Validating the object code is not enough either. As was already known in the times of Ken Thompson, micro-code exploits are almost impossible to detect.