[Demexp-dev] O'Reilly Network Article on electronic voting

[David MENTRE]

Hello,

You'll find below a copy of an article about e-voting systems published
on O'Reilly Network (Policy DevCenter).

This article is interesting for two things:

 - it gives a reference on an article that gives criteria for a
   trustworthy e-voting system;

 - it gives somes technical indication how e-voting could be put in
   place.


Of course, e-voting systems have different requirements than our, so
technical details cannot be directly used. But it gives some
information. 

Yours,
d.



http://www.oreillynet.com/lpt/a/4807
    Opening Up E-Voting

by John Adams </pub/au/1053>
04/26/2004

The political dispute over electronic voting in America has little
middle ground. The most rabid e-voting supporters explain e-voting's
many virtues and dismiss its opponents as Luddites in tinfoil hats. The
most extreme e-voting opponents list the known anomalous results of
current e-voting systems and suggest their supporters are corporate
tools at best, and creeping fascists at worst.

The politics of e-voting may be controversial, but the technologies used
for e-voting are not exceptionally complicated or difficult to
understand. Now, two initiatives have opened e-voting systems to public
examination and varying degrees of tranparency and verification. The
Open Voting Consortium <http://www.openvotingconsortium.org>
demonstrated an e-voting system called evm, built from commodity
hardware running GPL'd software last April 1. A few days later, VoteHere
<http://www.votehere.com> opened the source to its proprietary VTHi
e-voting software to public inspection.

Open voting was defined by the late Irwin Mann in his 1993 presentation
on Open Voting Systems <http://www.cpsr.org/conferences/cfp93/mann.html>
given at the Computers, Freedom and Privacy Conference
<http://www.cfp2004.org/index.html>, as a system where:

        * every element of every component, both hardware and software,
          is in the public domain,
        * there are built-in capabilities for independent monitoring of
          software, and
        * there are institutionalized protocols for public monitoring of
          all components and the electoral process, sufficient to find
          any hypothetical discrepancy from the intended design, if it
          should happen to exist.

The Open Voting Consortium's system is designed to be built from
off-the-shelf commodity hardware--the demo system shown in April in San
Jose, California consisted of two PCs, a printer, and a bar code
reader--and is written using open source software. Each PC was running
Linux, and the demo software was written in Python and stores electronic
ballot images (EBIs) in an XML database. Source code from the demo is
available through SourceForge <http://sourceforge.net/projects/evm2003>.
(The one hackish component in the demo system were the cheap bar code
readers, bought for a buck each and physically modified to yield plain
text--these won't be used in production systems.)

Alan Dechert, president of the OVC, noted in an interview, "We used
mostly Python for the demo. The demo software will be thrown out. I
don't know what we'll use for the production system." In answer to demo
audience questions about possible operating systems for evm, OVC member
Fred McClain said, "It's our intent [to use an open source OS], but we
would do an analysis of the security concerns."


        How E-Voting Works

Here's how the OVC open voting system works. Before the polls open, PCs
are booted up from CDs containing the operating system and the
application software. The CDs are prepared and certified ahead of time,
and can be verified on-site by standard methods, such as checking MD5 sums.

Two different stations are set up, with slightly different
configurations. The ballot printer station consists of a non-networked
PC with an attached printer. This is the device found in the voting
booth. The ballot reader station is another non-networked PC with a bar
code reader. This device,found outside the voting booth, allows the
voter to verify that his ballot is an accurate reflection of his vote.

During the day as each ballot is filled out, the ballot printer station
assigns a random number to each ballot. That number, the number of the
election machine, and the votes cast are encoded into a bar code and
printed on each ballot. The random number and the votes are also printed
in plain text. If the voter's intent is questioned, the plain text of
each ballot is the final authority.

Here's a working sample ballot <http://gyaku.pair.com/~vote/ballot.html>
from the April 1 demo. Try it--enter your own votes onto the ballot and
follow through the verification process. (At the demo, votes were cast
using a mouse. Keyboard and touchscreen entry are under consideration
for the production software.) Once the ballot has been filled out and
submitted, the voter's choices are displayed before the ballot is
printed and the EBI is created.

The paper ballot then goes into a privacy folder, with only the bar code
showing. The folder is then carried out to the ballot reader, where the
voter can, if she wishes, scan the bar code and verify that her vote is
correctly recorded. Once that's done, the ballot is then deposited into
the ballot box.

At the end of the day the electronic ballot images are recorded on CD-R.
This makes the stored EBI more secure (since CD-R is write-once, unlike
a hard drive, it can't be changed after it has been written) and more
private (since the write step is randomized unlike the audit tape in a
cash register, voters can't be identified by the order in which EBIs are
recorded.)

The paper ballots are scanned by the ballot reader, which uses the
infomration from the bar code to create reconstructed electronic ballot
images (REBIs), which are then matched against the EBIs on the ballot
printer. If a false ballot has been put into the box, there will be no
matching EBI on the ballot printer and the questionable ballot can be
set aside for further investigation. The ballot reader then gives a
report of all the votes cast in that location.

The VoteHere system is a Direct Recording Electronic (DRE) machine, but
one which produces a verifiable receipt. VoteHere takes a different tack
in providing the voter with an encrypted verifiable paper receipt, but
not creating a paper ballot. VoteHere founder and CEO Jim Adler says,
"Adding paper ballots is a step backward which will add ambiguity to the
election process."

VoteHere also opened its proprietary source code to audit and review
earlier this month. "It would be unfair to our investors to give away
our code," Adler said in an interview. "We believe--the company and I
believe--that elections should be transparent and open, but that our
source code shouldn't be free [of cost]. We're practicing the openness
and transparency part of open source." The reference code is available
for download here <http://www.votehere.com/downloads.html>, after
agreeing to various license terms.


        Why E-Vote?

"Quite a bit of work to get an electronic ballot!" e-voting opponents
might suggest. "What's wrong with paper ballots?" It's not so much that
there's anything wrong with paper ballots, but that there's a lot right
with electronic ballots.

For instance, consider that federal law requires that ballots be
accessible to all citizens. This means ballots must be provided to
people in a variety of languages. Printing enough ballots to cover every
language for, say, Los Angeles County, with enough ballots in each
language for each precinct not to run short, is an expensive and
time-consuming problem. The electronic ballot makes localization simple
and eliminates the calculation of how many ballots to print.

Accessibility issues aren't limited to multi-lingual communities.
Electronic voting systems offer improvements for the visually impaired
and those with limited mobility. Text size and display colors can be
adjusted by the user with poorly functioning vision, or text-to-speech
can be used by those who cannot see the screen at all.

E-voting can also prevent many common vote frauds and inadvertent
miscounts. One form of fraud is to purposely provide too few ballots,
whether in a specific language or all ballots, at certain precincts.
When the precinct "runs out" of ballots, the late-arriving voters are
denied their vote. Think of it as a denial of service attack.

This is a hard type of fraud to guard against, because printing ballots
is expensive, and budget limitations for election activites make it
necessary to print what seems a reasonable amount of ballots for each
precinct. Thus it's possible to innocently run out of ballots,
especially in an election with a heavier-than-expected turnout.

Worse, as with most frauds which short-circuit the right to vote, after
the fact remedies and penalties are too late. The right to vote has
already been violated, the election outcome has been fraudulently
altered--possibly so altered that penalties and remedies are no longer
politically feasible to impose.

The electronic ballot makes this fraud impossible (though other denial
of service attacks are possible). The electronic ballot also can alert
the user to undervoting (not casting a vote in every race) and will not
allow overvoting (casting more votes than allowed in a single
race--usually one vote, but sometimes more in races for county
commissions or city boards.)

By now, you may be thinking, "Why would anyone object to this system?
Maybe e-voting opponents are tinfoil-hatted Luddites after all."

While some arguments against e-voting are partisan or circumstantial,
many others, particularly against DRE voting machines, are born of
experience. Security analysis of Diebold DRE machines in Maryland showed
multiple vulnerabilities, many of them serious. During the recent
California elections, there were multiple accounts of DRE voting
machines, made by more than one manufacturer, providing inconsistent
vote counts.

Just last week, California's Voting Systems and Procedures Panel
recommended that California Secretary of State Kevin Shelley decertify
Diebold's Accuvote DRE machines from use in the upcoming state
elections, a decision which would leave four counties--Kern, San Diego,
San Joaquin, and Solano--with no certified voting machines and little
time to find replacements.

After the 2000 election fiasco in Florida, Congress made money available
through the Help America Vote Act (HAVA)
<http://fecweb1.fec.gov/hava/law_ext.txt> for election machine upgrades
throughout the country. The Open Voting Consortium, a 501(c)6
non-profit, has a grant pending for some of that funding through the
National Science Foundation. Companies like VoteHere, that are service
providers and hardware companies, have been getting that funding less
directly, from local election officials in charge of putting their
voting systems into good shape. If money alone could buy a reliable
voting system, the United States would be in good shape for the 2004
election.

Most voters aren't technically savvy. They don't understand why a voting
machine can't be at least as reliable as a cash register, an ATM, or an
electronic gasoline pump, all of which give them printed reports, at the
time of the transaction and at the end of the billing cycle--and they're
right not to be understanding. People check their receipts, match them
against their monthly bills, and sometimes catch mistakes. If they
didn't have some form of verification, how many more mistakes might not
be caught? Why, then, should an unverifiable voting machine be any more
reliable than an unverifiable ATM?

In this case, voters' limited technical knowledge serves them well,
giving them a healthy sense of skepticism about the voting process.
Skepticism becomes more useful as it becomes more informed and more
focused, though, and here the voters have not been so lucky. Much of the
e-voting discussion has been less a debate than a free-for-all,
contentiousness likely to encourage many voters to become less trustful
of the voting process--perhaps less trustful of democratic process, as well.

The intended benefit of open and verifiable voting systems will be
accurately tallied elections that more fully reflect the will of the
nation. But if taking the hood off the machinery of the republic for
direct inspection by the voter helps bring about a more informed
skepticism, one still capable of trust in the democratic systems, that
may be e-voting's greatest benefit.

/Editor's Note: For more of John's musings on e-voting check out his
O'Reilly Network weblog <http://www.oreillynet.com/pub/au/1053>./

// John Adams </pub/au/1053> is a natural contrarian and a born critic,
whose fullest energies manifested themselves in the act of doing
intellectual isometric exercises against the fixed objects presented by
someone else's ideas. //

------------------------------------------------------------------------

/Return to the Policy DevCenter <http://www.oreillynet.com/policy/>./

/Copyright © 2004 O'Reilly Media, Inc./


-- 
 David Mentré <address@hidden>