It's an election year here in the United States, and the partisan bickering in Congress is now approaching unparalleled levels of hysteria. Somehow we citizens will have to bear with the accusations and silliness through November.
Then, of course, we exercise our Constitutional right to impose practical term limits (i.e., vote 'em out) or to preserve the status quo. In many districts those precious signals of democracy will be recorded and hastened to a (hopefully hardened) database by a variety of electronic voting machines. There's one thing we know will happen: the bickering will only increase as losers contend their constituents' desires were distorted by poor firmware in the machines, or by the lousy procedures used by election workers.
It's not just the machines themselves. Any part of the process controlled by software may be suspect. The ACM recently released a report about the software used to register voters (the statewide voter registration databases, the "VRDs" of the quote below). Here's a quote:
"In light of recent events and legislation that have underscored the core importance of voting and of public confidence in our electoral system, one might conclude that all VRDs should be built and operated to the highest possible standards. While the highest standards of reliability, privacy, accountability, usability, and security are desirable, they may at times be impractical because of resulting expense or system response."
What – we're expected to intentionally build substandard code?
The assertion that correct code is slow ("system response") is a red herring designed to lull non-techies into accepting buggy code. Correctness and speed are not in tension; the expense is in doing the engineering properly, and that is the cost the report is really excusing.
Two decades ago the MGM Grand Hotel in Las Vegas burned with great loss of life, in part because there was no sprinkler system. The owners refused to shell out $200,000 for sprinklers, as the city fire codes of the time didn't require them. The fire and resulting lawsuits eventually cost them $200 million. Substandard construction, of hotels and of software, leads to expensive chaos.
The (long) ACM report goes on to focus on using tests to prove the systems are correct. Yet we know testing alone cannot do that: a test can only show the presence of a defect on the paths it happens to exercise, and most test suites exercise only about half the code. While tests are indeed critically important, it's prudent to focus on the internals. How is the code built? Is it inspected, or is it a spaghetti mess?
Using tests alone is like accepting an airplane engine because it runs. The FAA requires aircraft engines to be completely disassembled at set intervals to look for latent internal problems that no run-up on the ramp would ever reveal.
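The point about tests passing while a latent defect sits in the internals is easy to show concretely. The following is an added illustration, written for this page and not taken from any vendor's firmware or from the ACM report; the tally routine, its deliberately narrow counter type, and all the ballot counts in it are constructed for the demonstration. A small unit test of the narrow version passes, yet inspection of the counter's type shows it silently wraps at 256 ballots, exactly the kind of defect that would "throw an election without anyone ever knowing it". The hardened version beside it uses a wide counter, refuses to wrap, and reports rejected ballots instead of dropping them.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical tally routine, constructed for illustration only.
 * The counter is deliberately uint8_t so that the latent defect
 * (wrap-around at 256 ballots) is visible to inspection but not to a
 * small unit test. */
typedef struct {
    uint8_t votes[2];          /* one counter per candidate: LATENT DEFECT */
} narrow_tally_t;

static void narrow_record(narrow_tally_t *t, int candidate)
{
    if (candidate < 0 || candidate > 1)
        return;                /* out-of-range ballot silently dropped */
    t->votes[candidate]++;     /* wraps to 0 after 255 with no error */
}

/* Hardened version: 32-bit counters, explicit overflow refusal,
 * and an audit counter for rejected ballots. */
typedef struct {
    uint32_t votes[2];
    uint32_t rejected;
} tally_t;

enum { TALLY_OK = 0, TALLY_BAD_CANDIDATE = 1, TALLY_OVERFLOW = 2 };

static int tally_record(tally_t *t, int candidate)
{
    if (candidate < 0 || candidate > 1) {
        t->rejected++;         /* keep evidence that something was wrong */
        return TALLY_BAD_CANDIDATE;
    }
    if (t->votes[candidate] == UINT32_MAX)
        return TALLY_OVERFLOW; /* refuse to wrap rather than miscount */
    t->votes[candidate]++;
    return TALLY_OK;
}

/* The kind of test the report relies on: four ballots, and it passes. */
int narrow_passes_small_test(void)
{
    narrow_tally_t t = {{0, 0}};
    for (int i = 0; i < 3; i++)
        narrow_record(&t, 0);
    narrow_record(&t, 1);
    return t.votes[0] == 3 && t.votes[1] == 1;
}

/* Feed n ballots for candidate 0 to each implementation and report the count. */
unsigned narrow_count_after(unsigned n)
{
    narrow_tally_t t = {{0, 0}};
    for (unsigned i = 0; i < n; i++)
        narrow_record(&t, 0);
    return t.votes[0];         /* 300 ballots -> 44 */
}

unsigned wide_count_after(unsigned n)
{
    tally_t t = {{0, 0}, 0};
    for (unsigned i = 0; i < n; i++)
        tally_record(&t, 0);
    return t.votes[0];         /* 300 ballots -> 300 */
}

/* An out-of-range ballot is recorded as rejected, not lost. */
unsigned wide_rejected_after_bad_ballot(void)
{
    tally_t t = {{0, 0}, 0};
    int rc = tally_record(&t, 7);
    return rc == TALLY_BAD_CANDIDATE ? t.rejected : 0;
}

/* At the counter's ceiling the hardened version refuses the ballot and
 * leaves the count intact instead of wrapping to zero. */
int wide_refuses_wrap(void)
{
    tally_t t = {{UINT32_MAX, 0}, 0};
    int rc = tally_record(&t, 0);
    return rc == TALLY_OVERFLOW && t.votes[0] == UINT32_MAX;
}

int main(void)
{
    printf("small test passes:          %d\n", narrow_passes_small_test());
    printf("narrow count after 300:     %u\n", narrow_count_after(300));
    printf("wide count after 300:       %u\n", wide_count_after(300));
    printf("rejected after bad ballot:  %u\n", wide_rejected_after_bad_ballot());
    printf("refuses wrap at ceiling:    %d\n", wide_refuses_wrap());
    return 0;
}
```

The narrow version passes its test and loses 256 ballots in a precinct of 300; no amount of additional small-input testing would catch that, but a five-second look at the declaration does. That is what inspecting the internals buys that running the engine does not.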
There's an enormous amount of press now about defects in the voting machines. Reports cite vulnerabilities that leave gaping security holes easily exploited. Others worry about as-yet-unidentified defects that could throw an election, perhaps without anyone ever knowing it. Vendors claim sainthood for their units while keeping the code under wraps.
I know this much is true: voting machine vendors are in the business of selling trust. If we don't trust these machines the electoral process fails. Yet the message the public hears is one of "software is inherently buggy and insecure; deal with it."
I think e-voting is the right idea. It'll make the process faster and more accurate, while opening more opportunities for absentee votes, an important feature in these mobile times.
But a machine built on top of a very complex OS, one that has not been certified correct, is a Bad Idea. A machine designed for easy in-the-field patches is a Bad Idea: once a patch path exists, the code that was certified is no longer necessarily the code counting votes on election day, and nothing on the machine can prove to an observer which one is running. A machine built of proprietary software is inherently not democratic.
We know how to make fabulously reliable code. Ironically, some voting machine vendors already do so in their other product lines, like automated teller machines. Banks are completely intolerant of any process, teller or software, that throws the balance off by even a penny. The gaming industry, too, builds machines of unprecedented reliability. For an interesting look at the difference between the gaming and voting industries, see "How To Steal an Election" in the Washington Post.
What do you think? Will your vote count?
Jack G. Ganssle is a lecturer and consultant on embedded development issues. He conducts seminars on embedded systems and helps companies with their embedded challenges. Contact him at . His website is .
I live in Canada, where e-voting has only been attempted once (with technical disaster), but this issue strikes me as vastly understated by governments, news media, IT companies and the mainstream web. In such a politically volatile time, both domestically and globally, made complex by dense networks of economic relations, democracy needs to be as clear and hard as a diamond. If e-voting is going to be a realistic fixture of our democracies in the future, there needs to be a universal firmware that can be adapted to work anywhere, at any level of government. And in order for it to be universal, it needs to be transparent.
E-voting will never be truly democratic until the code is public, and the code will never be optimal or secure enough without the force of millions of volunteer programmers. Democratic governments need to work together to support such an effort to prevent the basic functions of democracy being forced to suffer the inefficiencies of a VHS/Betamax battle, or the frustration of a buggy and exploitable OS. Moreover, this is the first time in the history of democracy that the task of vote-counting has been contracted out to a private firm, not to mention for software that remains their intellectual property, never to be openly scrutinized by any third party accountable to the public.
For both our countries' sake, and the sake of future democracies, I hope we leave this ridiculous notion behind in favour of an open-source approach.
– eben holmes
I have been following e-voting for many years. As a test engineer, I have found e-voting development comical. Private companies develop e-voting systems without any publicly scrutinized standards or requirements. Granted, these companies spent millions to develop these systems. But any person wanting to validate, verify, or test such a system is out of luck.
One private company in Arkansas was blessed to evaluate/test e-voting systems. After some public uproar, NIST is now being slated to grant certification to companies wanting to provide e-voting validation services. I found NIST certification to be laborious, and very expensive, and not entirely clear on whether certification would be granted to individuals. How can anyone trust what is kept secret?
Trust means that there is verifiable objective evidence that a vote was cast. Bits are not verifiable objective evidence. Bits do not provide me with any certainty that my vote got counted. Having physical evidence is a must, and should be an e-voting system requirement. Today, there are many options to provide cheap, objective, secure, and private methods of showing that one individual cast a vote. The hard part is technology consensus, funding, and rollout.
– Ed Marsh