Reliable voting.

Yesterday, i went to a talk at the PARC Forum by David Dill, a Stanford professor who is leading a campaign for reliability in voting systems.


It was a nice talk. Most of it was just information to show how truly
terrible the problem is — it's probably worse than you think.


There's an IEEE standard being developed for voting machines, and guess
who's on the committee? All the voting machine companies. No security
experts.


He went to visit a company once and asked about their security. They
said they used cryptography. He asked what algorithms they used. After
some attempt to avoid the issue, they finally admitted that they had
made up their own.


Diebold's software has the cryptographic key hardcoded in the source,
as found by investigators at Johns Hopkins. That means that every
Diebold machine in an entire election probably has the same key:
extract that one key and you can attack them all. Worse than that, it
almost certainly means that you can find the key in the software
binary, which is widely distributed.


David Dill's main proposal is for a "voter-verifiable audit trail".
It's very simple: if the voting machines produce a printed record
of your vote, you can look at the paper to make sure it's correct
and put it in a box. Then you can recount the election by looking
at the paper ballots.


One really surprising thing was that quite a few advocacy groups
actually oppose this. Groups that represent disabled people oppose it
because it increases the cost of deploying electronic voting machines.
They fought hard to get voting machines in order to improve
accessibility for people who have vision problems, people with motor
problems that prevent them from marking a paper ballot, or people who
can't read.


So, i have an alternate proposal.


My motivation behind this approach is that we can address the issue of
insider fraud in at least two ways: (1) a paper audit trail lets us do
random samples and detect after the fact if something was fishy; or (2)
using open source software lets us all make sure that nothing is fishy
before the election takes place. David argued that (2) did not solve
the problem because we don't have a way for people to make sure the
software that happens to be running on the machines is really the same
software we all decided to audit and trust, so we have to go with (1).


I'm suggesting that we may never be able to satisfy the groups that are
demanding accessibility with solution (1), so it may be more effective to
argue for (2), if there is a way to solve the verified-software problem.
Here is how you might do it.


The votes are cast using software that runs on off-the-shelf PCs. The
election officials buy the PCs with no hard drives, and on election day
any voter is permitted to request that the case be opened so they can
see that there is no hard drive.


The election software is open source, and is distributed as a bootable
CD image. At some point before the election, the software is reviewed
by experts, development on the software is stopped, a distribution is
built, and a cryptographic hash of the CD image is widely publicized.
(MD5 was the obvious choice when this was written, but MD5 collisions
are now practical to compute, so a collision-resistant hash such as
SHA-256 should be used: with a broken hash, two different images can
share the published value, and the hash no longer proves that a disc
is the audited build.)


Pre-burned CDs are at the election site. The CDs are all verified at
the beginning of the day, and voters are also allowed to bring in
laptop computers, put in any CD, and verify that the hash is correct.
Voters are also allowed to burn their own CDs at home and bring them
to the polling place, where they are hashed and verified on a separate
computer. At the end of the day we might also allow people to take
any CD with them and verify it at home if they wish.
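As an added example (not code from the original post), here is what the "hash the disc on a separate computer and compare it to the published value" step looks like in Python. It assumes the election officials publish a small manifest giving the hash algorithm, the image's byte size and its hex digest; the image bytes below are constructed in memory to stand in for a real CD image. The image is read in chunks, so the same function works on a device file such as /dev/cdrom, and a manifest built on MD5 or SHA-1 is refused because collisions for both are now practical.

```python
"""Verify a bootable election-software image against a published manifest.

Added example, not code from the original post. Assumes a published
manifest of the form {"algorithm", "size", "digest"}; the image bytes
here are constructed and stand in for a burned CD.
"""
import hashlib
import hmac
import io
from typing import BinaryIO, NamedTuple

CHUNK_SIZE = 1 << 20  # hash in 1 MiB pieces so a whole CD image need not fit in RAM

# Collisions for these are practical: two different images can carry the
# same digest, so a manifest using them cannot prove a disc is the audited build.
WEAK_ALGORITHMS = {"md5", "sha1"}


class VerifyResult(NamedTuple):
    ok: bool
    reason: str


def digest_stream(stream: BinaryIO, algorithm: str) -> tuple:
    """Return (byte count, hex digest) of everything readable from stream."""
    h = hashlib.new(algorithm)
    size = 0
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        h.update(chunk)
        size += len(chunk)
    return size, h.hexdigest()


def verify_image(stream: BinaryIO, manifest: dict) -> VerifyResult:
    """Check an image stream (file, or a device such as /dev/cdrom) against the manifest."""
    algorithm = manifest["algorithm"].lower()
    if algorithm in WEAK_ALGORITHMS:
        return VerifyResult(False, f"manifest uses {algorithm}, which is not collision resistant")
    if algorithm not in hashlib.algorithms_available:
        return VerifyResult(False, f"unknown hash algorithm {algorithm}")
    size, digest = digest_stream(stream, algorithm)
    if size != manifest["size"]:
        return VerifyResult(False, f"size mismatch: image is {size} bytes, manifest says {manifest['size']}")
    # The published digest is public, so timing is not a secret here; the
    # constant-time compare is simply the habit to keep for digest checks.
    if not hmac.compare_digest(digest, manifest["digest"].lower()):
        return VerifyResult(False, "digest mismatch: this is not the audited image")
    return VerifyResult(True, "image matches the published manifest")


def verify_bytes(image: bytes, manifest: dict) -> VerifyResult:
    """Convenience wrapper for an image already held in memory."""
    return verify_image(io.BytesIO(image), manifest)


# Constructed stand-in for the audited CD image and its published manifest.
GOOD_IMAGE = b"CD001 election-software bootable image, constructed sample\n" * 4096
PUBLISHED_MANIFEST = {
    "algorithm": "sha256",
    "size": len(GOOD_IMAGE),
    "digest": hashlib.sha256(GOOD_IMAGE).hexdigest(),
}

# A disc with one byte altered: same size as the audited image, different digest.
TAMPERED_IMAGE = GOOD_IMAGE[:1000] + b"X" + GOOD_IMAGE[1001:]

# The same image published under MD5 only, as the original proposal suggested.
MD5_MANIFEST = {
    "algorithm": "md5",
    "size": len(GOOD_IMAGE),
    "digest": hashlib.md5(GOOD_IMAGE).hexdigest(),
}


if __name__ == "__main__":
    for label, image, manifest in [
        ("pre-burned disc", GOOD_IMAGE, PUBLISHED_MANIFEST),
        ("tampered disc", TAMPERED_IMAGE, PUBLISHED_MANIFEST),
        ("md5-only manifest", GOOD_IMAGE, MD5_MANIFEST),
    ]:
        result = verify_bytes(image, manifest)
        print(f"{label:18} {'OK ' if result.ok else 'BAD'} {result.reason}")
```

Note what this does and does not establish: it shows that the disc in the voter's hand is byte-for-byte the audited image. Whether the voting PC actually booted that disc, rather than something supplied by tampered firmware, is the hardware-trust question the proposal leaves to the diskless, open-the-case rule.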


The reason i'm suggesting we use plain PCs is that they're cheap and come
from lots of sources. We do have to trust that the hardware isn't
tampered with, but we would be no worse off in this scenario than we
are now, and because the PCs can come from all over the place, no one
vendor can control the election. Similarly, i'm suggesting the use of CDs
because CD-R drives are so commonplace these days; that lets us distribute
the cost of verifying the election by letting conscientious voters
burn their own CDs or verify existing CDs if they so desire.


How does it sound?