Last week Sen. Dianne Feinstein asked the GAO to conduct an investigation into various claims that e-voting machines, called DREs, don't perform properly, requesting that the investigation be complete by the next presidential election.
How odd. If the investigation uncovers faults or fraud shortly before the election, what action will anyone take? With time short, no remedies will be possible.
Congress is already working to improve e-voting. Identical bills S. 559 and H.R. 811 were recently referred to committees. The furor over alleged (I say “alleged” as the vitriol in the media and on web sites has drowned out reasoned discourse) irregularities should have taught us one thing: the primary feature we need from an e-voting machine is trust. Our democracy will be imperiled if the electorate isn't convinced that their votes are being recorded accurately and fairly.
It's easy to be critical of our elected representatives, as so many have wallowed so far below even the most cynical expectations. But S. 559 and H.R. 811, introduced February 13, are pretty good bills that, if passed, should silence the critics. To read the full text of the bill go to http://thomas.loc.gov/ and enter S 559 as a search query.
Here are some highlights:

“No voting system used in an election for Federal office shall at any time contain or use any software not certified by the State for use in the election or any software undisclosed to the State in the certification process.”
“The manufacturer of the software used in the operation of the system shall provide the appropriate election official with updated information regarding the identification of each individual who participated in the writing of the software, including specific information regarding whether the individual has ever been convicted of a crime involving election, accounting, or computer security fraud.”
“After the appropriate election official has certified the source code, object code, and executable representation of the voting system software for use in an election, the manufacturer may not– (I) alter such codes and representation; or (II) insert or use in the voting system any software not certified by the State for use in the election.”
“The voting system shall require the use of or produce an individual voter-verified paper ballot of the voter's vote that shall be created by or made available for inspection and verification by the voter before the voter's vote is cast and counted.”
This provision, by itself, is one that talking heads have demanded for several years. Yet by itself it's bogus. A paper trail is important, but is no assurance that the vote gets recorded properly. Malicious or buggy code can print an apparently correct result while storing something else altogether.
However, the following provision addresses that concern: “No voting system used in an election for Federal office shall at any time contain or use any software not certified by the State for use in the election or any software undisclosed to the State in the certification process. The appropriate election official shall disclose, in electronic form, the source code, object code, and executable representation of the voting system software and firmware to the Commission, including ballot programming files, and the Commission shall make that source code, object code, executable representation, and ballot programming files available for inspection promptly upon request to any person.”
Anyone, from e-voting guru Avi Rubin to your grandmother, can dig through the source and look for vulnerabilities. That's the secret to building a trustworthy product.
I predict we'll see a lobbying effort by manufacturers to weaken or eliminate this provision. Consider the implications: unless Microsoft is willing to release the source to CE, that OS will no longer be legal for e-voting apps. Most if not all machines currently use CE, so they'll need complete rewrites. Expensive? You betcha. Necessary? Absolutely.
The bills don't mandate a freeze point: the code should be unchanged at least six months before an election, so many eyes can inspect and independently verify the code. Others, like Black Box Voting, want a raft of other rather technical changes. No doubt the bill will change greatly as it moves through the legislative process. But I sure hope the provisions above don't get watered down.
The Embedded Systems Conference San Jose runs from April 1 to 5, and the promo video is worth watching to see an amusing reference to the e-voting debate.
Jack G. Ganssle is a lecturer and consultant on embedded development issues. He conducts seminars on embedded systems and helps companies with their embedded challenges.
The Bill should be stated as follows:
The e-voting machines shall use open source LINUX based OS not Microsoft.
– Steve King
Actually, this paper trail thing is quite good … however, ONLY if coupled with a random, independent audit. I am a big proponent of introducing some form of lo-tech integrity check into the system. Usually, it is this that saves us from ourselves … everything from nuclear disaster, to accounting of large numbers for everyday business.
In other words, all those things you mention are pretty good … but will not hold a candle unless there is some form of accountability … implemented by human beings!
You know??? that thing called checks and balances!
– Ken Wada
I agree with everything Jack wrote. Closed systems must be assumed to be insecure, not the other way around. An interesting question, though, is what will happen in the future when an election is closely contested? Currently, a candidate marshals between one and an army of lawyers, depending on their budget, to claim that the election was invalid due to any of a variety of problems (ballot design, polling place irregularities, etc). In the future, perhaps we engineers can all get post-election contracts doing critical code reviews of balloting software, hoping to find a crucial bug that just might have improperly altered the result. The hard part will be educating the Judiciary in software fundamentals so that they can properly evaluate our claims.
– Jonathan Broadwell
Has anybody thought about making voting machines comply with the Nevada Gaming Commission regulations? It seems like voting and gambling are basically the same problem from an engineering perspective.
– Cameron Kellough
Why is the US so fixated upon voting machines? Their use seems to cause so many problems simply because part of the process is invisible. The generation of the election result seems to have much in common with a conjuror's trick where the magician hides his hands under a cloth and then, Ta-Daa, the result is…a white rabbit.
It seems to me that the only reason for using these machines is to get the result onto the TV screens within minutes of the polls closing. Why this is important escapes me, particularly when it is at the price of a verifiable and trusted result. To me the age old cross on a piece of paper that can be seen and followed through its life will produce a much more trustworthy result.
Attempting fraud by inserting thousands of pieces of paper into the voting system is far more obvious than modifying one or two bits in the final result value when these bits are hidden deep inside an embedded processor.
– Ian Okey
Jack, for a moment consider how the Electronic Voting machines work in India (largest democracy !!!). Not much fuss about using EVMs. No windows, no connectivity, nothing. Works in some of the remotest parts of the country, with people with very little knowledge of handling the electronics.
Bare metal firmware, no additional overheads like touch screen etc, but it works.. !!!
Check out this blog for a comparison with the contemporary US voting machine which seems to be an overkill.
– Badrinath Dorairajan
Electronic or otherwise, voting machines are silly! Voting is a process. When looking at automating a process, one of the earliest questions that need to be answered is–should this process be automated?
In a democracy, voting is one of the principal ways of communicating and participating with our fellow citizens; it is not just an opinion poll, instead it is the opinion poll, the expression of opinion, that matters. The citizen goes to his polling place, identifies himself or herself, and decides who should have the burden, privilege, power, and responsibility to represent their interests.
Punching holes in paper, penciling circles, or writing down someone's name: these are all real and undeniable; immediately afterward, we could break into the polling box and see…
A process, any process, should not be automated simply because it can be automated.
– Ed Ezzell
The bill should require the software to be written to some standard similar to standards like DO-178B. Further, the software should undergo complete and thorough testing, including code coverage testing. The process and test results should be audited by qualified, competent state and/or federal election officials. Making the software open source will expose its vulnerabilities, but will also expose it to scrutiny, which should help make it more robust. Transparency and accountability need to be present throughout the software lifecycle process. Hopefully, then the accuracy of the data will not be questioned.
– Brian Handley
I disagree with the requirements on full software disclosure. I think the emphasis is in the wrong place. Instead of forcing companies to disclose intellectual property, I suggest independent verification is a better solution.
I would add to the e-voting process a paper receipt which can be verified by the voter plus be read by an independent system. The verification system could read a barcode or checkbox on the paper receipt at the e-voting station after it is accepted by the voter. This data would be gathered by a single system at each polling location to provide an independent verification of poll results. The cost would be no more than one or two e-voting machines and provide concrete verification. The two systems, e-voting and verification, must be provided by independent vendors. The paper receipts should be on rolls which, in an emergency, could be re-scanned quickly.
– Mike Reed