I find it fortuitous that this announcement is coming at this point in time. This has a couple of unfortunate- maybe deliberate, effects:
1) Remember the people on the California Task Force, who agreed we needed an audit trail but were kind of looking at a "someday" solution and ignoring the present, urgent, need? Were they lobbied by this company? If people get all jacked about this, they won't focus on the right now and 2004 will be a goner, guaranteed.
2) Takes the focus off the Blackboxvoting topic. Almost sounds like a Carl Rove move. The Election Center has done its job of conditioning election officials against paper, anything but paper. So, "Ta Da!", here's someone with a solution.
3) We'll just wait and put this system in our machines at some unknown future time. Meanwhile, elections go on....
4) How many ways and places can an Internet election be subverted? We know that cryptography is only part of it. Votes can be hacked at either end of the cryptography.
5) How do you realistically audit such a system? I can see maybe individual audits, but that's not how you recount an election.
6) The election process gets closed up again. Maybe the program is clean now, but you can never guarantee that all the time. What is the continuing cost in upgrading it? How many ways can it be manipulated while upgrades are installed? Somebody better clue in counties that buying the program is only a small part of the cost. This could make paper look real cheap.
7) A program is a sitting target. It's done, in the bag. Hacking is a mobile entity. It can respond very fast, ever changing. A voting program can't do that, hackers have time to exploit every vulnerability they can find.
8) Is a true, independent, audit trail produced? I don't see how you can do that with a computer program. HAVA Act, Title III, requires a PERMANENT PAPER RECORD with AUDIT CAPACITY. Period. That record can only be produced by the voter filling in the tangible evidence of their vote, or by witnessing/verifying the computer printout. I totally disagree that this program can fulfill HAVA requirements. See Wold article below Internet security article.
9) See the article below on the speed of hacking and the impossibility of security. I believe this author has an excellent point, and I've already mentioned part of it.
10) If their security is so cool, why have they contracted with Bruce Schneier's company Counterpane? Does Counterpane provide security for this company on a day to day basis? (I emailed Schneier about it, and whatever Counterpane does, it's not working on the voting program and Schneier reiterated that he would never endorse Internet voting. Schneier and Kitkat may be two people to get to review it)
11) Look at the program, yes. AFTER we've researched Diebold's programs and others, and secured voting for the time being with paper ballots. Say, very nicely, that you're glad they are working on it and we'll take a look AFTER WE PUT OUT THIS BLAZING INFERNO OVER HERE!!! You don't get distracted over a new, unproven, firefighting gizmo while the inferno rages. Keep the eye on the goal. Secure elections first. Then we can play with other people's new toys.
Security Attacks' Speed Outpaces Time To Respond
By , InternetWeek
May 19, 2003 (9:28 AM)
URL:
http://www.internetwk.com/story/showArticle.jhtml?articleID=10000220Symantec CTO warns of the increasing gap between speed of security attacks, speed of response. By Michael Vizard, CRN
Symantec Corp. chief technology officer Robert Clyde is warning that there's a growing gap between the speed at which security attacks are being launched and the industry's ability to respond. Speaking at the Global E-Commerce Summit at the United Nations on Thursday, Clyde said that, historically, most attacks on Web sites are classified as Class III threats because they tend to take several hours and even days to execute. But in recent months, the industry has seen the emergence of Class II attacks--also known as Warhol attacks--that manifest themselves in minutes. "Over 90% of hosts that came under attack from SQL Slammer were hit in under 10 minutes," Clyde said. "We call these Warhol threats because they make themselves famous in about 15 minutes." Before long, Clyde predicts that groups of hackers working in concert will be able to launch attacks in seconds to create a set of Class I attacks, also known as Flash attacks. "The attacks are increasing in frequency and in complexity," noted Clyde. "And the bar to becoming an attacker is being lowered because the tools are getting more sophisticated. Someone can now learn to use the tools effectively in weeks to months rather than years." The eventual rise of Flash attacks means that the industry will have to take a more proactive approach to security because the attacks will happen faster than humans can respond, Clyde said. "The vulnerability threat window is shrinking and in theory could become zero. We used to have six months between when a vulnerability was discovered to come up with a patch before somebody exploited it. But for Code Red, the time was only 28 days." To deal with this eventuality, Clyde said patches need to be developed more quickly and deployed continuously in an automated mode. Other areas that need to be worked on include adaptive management and lockdown of networks so an attack on one router is automatically recognized by all routers on the network; the ability to throttle back the throughput of suspicious packets on the network in order to limit damage; automated tools for ensuring that all network clients are compliant with security policies; and advances in securing Web services technologies that do not interfere with application performance, he said. In addition, Clyde said Symantec will also begin focusing beyond the network layer by researching application-level security to protect business processes. All of these efforts will be needed to combat hackers that Clyde expects will soon be working as coordinated sets of teams. "It will not be long before well-funded teams of hackers sponsored by countries or other organizations begin to create Flash attacks that can be launched in seconds," he said.
This story appears courtesy of CRN, the newspaper for builders of technology solutions.
THE HAVA REQUIREMENT FOR A VOTER VERIFIED PAPER RECORD
Darryl R. Wold (1)
July 23, 2003
This paper explains that the Help America Vote Act of
2002(2) requires that any voting
system used in an election for Federal office must produce a paper record
of the vote cast by
each voter that has been seen and verified by the voter. HAVA further
requires that this voter
verified paper record be available for a manual audit of the voting system,
and for any recount.
HAVA requires, in section 15481, subdivision (a)(2)(B), that:
“(i) The voting system shall produce a permanent paper record with a
manual audit
capacity for such system.
“(ii) The voting system shall provide the voter with an opportunity
to change the ballot or
correct any error before the permanent paper record is produced.
“(iii) The paper record . . . shall be available as an official
record for any recount . . ..”
Taken together, these provisions requiring a “paper record” that is
to be used for a
“manual audit” for the “voting system” make it apparent that HAVA requires
a paper record that
is seen, verified, and turned in by the voter.
The suggestion has been made, however, that the requirement of a
paper record to be
used for a manual audit can be satisfied by a paper record of votes that is
produced for the first
time after the polls have closed – that is, a printout of what the computer
has stored, and that has
never been seen by the voter.
This interpretation, however, that a post-closing printout of what
the computer has stored
would satisfy HAVA, would permit an audit or a recount to be conducted on
the content of a
computer and not on a contemporaneous paper record of votes cast, and would
make the
requirement for a “manual audit capacity” virtually meaningless.
_______________
1 Mr. Wold served as chairman of the Federal Election Commission
in Washington, D.C., during
2000, and as a Commissioner from 1998 to 2002. He is currently an attorney
in private practice
in Orange County, California. His practice emphasizes political and
election law, including
campaign finance compliance issues, ballot access, and recounts. His
clients include AccuPoll,
Inc., Irvine, California, a manufacturer of electronic voting systems.
2 Help America Vote Act of 2002 (“HAVA” in this paper),
enacted as Public Law Number 107-
252, October 29, 2002, 116 Statutes 1704, and codified at 42 U.S.C. §15301
et seq.. All
references in this paper are to 42 U.S.C. §15481 unless otherwise noted.
page 1
_______________
A paper record consisting solely of ballots printed by the computer
after the closing of
the polls -- and therefore never seen by the voters -- would mean that a
manual audit or recount
would simply amount to reviewing what was stored in the computer. The audit
or recount could
not manually verify that the computer had accurately recorded the voter’s
intent, or had
accurately stored that information, or had accurately printed out that
information. Both an audit
and a recount, therefore, would miss the key element of the system –
whether the voter’s
intention had been accurately recorded.
At most, even a complete manual count of paper ballots printed by the
computer postclosing
could only verify that the computer had accurately tabulated various totals
– that is, that
the computer had “done the math.”
Such an audit or recount could not manually determine whether the
computer had
accurately made a record of voter intent – that is, that the paper record
printed post-closing
actually represented the votes intended to be cast by the voters.
An audit using a record of votes printed post-closing, of course,
could not be considered a
manual audit of the complete voting system – it would be a partial audit,
at best, limited to the
math performed by the computer. It would not be an audit of whether the
voters’ intent was
accurately recorded by the computer – and that is the critical issue.
HAVA’s requirement of a “manual audit” compels the interpretation of
“paper record” as
meaning a record that has been seen and verified by the voter.
First, it is apparent from the common meaning of the words “manual
audit” that HAVA
requires that this audit be conducted by visual examination and counting by
hand, and not by
machine. A common dictionary definition of “manual” applicable to this
context is “worked or
done by hand and not by machine.” The term “audit” applicable to this
context means “a
methodical examination and review.” (Both definition’s from Webster’s Ninth
New Collegiate
Dictionary.)
So far, therefore, we have a requirement for a methodical review by
hand. The next
question is: What is to be reviewed?
HAVA provides that it is the “voting system” that is to be audited
(§15481(a)(2)(B)), and
defines the voting system as including “the total combination” of equipment
that is used “(A) to
define ballots; (B) to cast and count votes; (C) to report or display
election results; and (D) to
maintain and produce any audit trail information . . .” (§15481(b)(1)). In
other words, the system
to be audited is the complete process of casting and counting votes. There
cannot be a “manual”
audit of the casting of votes, of course, unless there is credible and
contemporaneous evidence of
the votes cast that can be reviewed by hand, as a check on the electronic
portion of the system.
Further, the critical issue in any voting system is whether the
system has accurately
reflected voter intent. The question raised in counting the votes in
Florida in the 2000
Presidential election, for instance, was not whether the machines had
accurately done the math –
it was whether the ballots that were counted actually reflected the voters’
intentions. That issue
page 2
_______________
can be determined in an audit of a voting system only by examining what the
voter has seen and
approved -- a paper record reviewed and verified by the voter.
The importance of a paper record verified by the voter is also
emphasized by HAVA’s
use of the term “audit” rather than some other term that would merely
require some lower level
of examination. Requiring an “audit capacity” for the voting system,
including the accurate
recording of the votes cast, clearly contemplates a paper record as the
source document – as the
original record of the voters’ actions – and not a secondary document
produced after the fact as
evidence only of what is in the computer system at that time.
The distinction between an original paper record of an act and
electronic records as
indirect evidence is an important one in the field of auditing, as
indicated by the standards of
auditing practice promulgated by the American Institute of Certified Public
Accountants in its
Statements on Auditing Standards (AICPA Professional Standards, 1998,
American Institute of
Certified Public Accountants, New York). The AICPA’s “Standards of Field
Work” require that
“Sufficient competent evidential matter is to be obtained through
inspection, observation . . . and
confirmations to afford a reasonable basis for an opinion.” (AU §150.02, ¶
3.) Under “Nature
of Evidential Matter” the standards recognize that “Corroborating
evidential matter includes both
written and electronic information” (AU §326.17), and that “In certain
entities, some of the
accounting data and corroborating evidential matters are available only in
electronic form” (AU
§326.18). Thus, the AICPA standards draw a distinction between a source
document that is an
original written record, on one hand, and an electronic record, on the
other. The standards for
field work do not contemplate that an electronic record printed out after
the fact is the same as an
original written record.
In this light, the significance of the HAVA requirement that the
system produce “a
permanent paper record” for use in a “manual audit” or a recount is again
apparent. HAVA does
not provide for a manual audit of an electronic record of votes cast (or of
a printout of an
electronic record, which is the same thing). HAVA requires a permanent
paper record of votes
cast, and that can only be read as meaning a contemporaneous paper record,
that the voter has
seen and verified.
This distinction between an original paper record of a transaction or
an act and electronic
records as indirect evidence of that matter is also found in standards
promulgated for government
auditing promulgated by the Comptroller General (Government Auditing
Standards, 2003
Revision, General Accounting Office, June 2003), which incorporate the
AICPA standards for
field work for financial audits (§4.01). In addition to financial audits,
government audits also
include performance audits. In that context, the field work standards
require that “Sufficient,
competent, and relevant evidence is to be obtained to provide a reasonable
basis for the auditor’s
findings and conclusions” (§7.48). Guidance provided for concluding what
constitutes
“sufficient, competent, and relevant evidence” provides that “Evidence
obtained through the
auditors’ direct physical examination, observation, computation, and
inspection is more
competent than evidence obtained indirectly” (§7.53, ¶ b) and “Examination
of original
documents provides more competent evidence than do copies” (§7.53, ¶ c).
Thus, these
government auditing standards also contemplate that an original written
record is the better
evidence of a fact than indirect evidence or a copy. Applied to the context
of an audit of a voting
page 3
_______________
system, it is apparent that a paper ballot that the voter has seen and
verified is better evidence
than a printout of an electronic record that the voter who purportedly
created the record hasn’t
seen.
In summary, it is apparent that the requirement of HAVA that a voting
system used in a
Federal election provide a paper record for a manual audit can be satisfied
only by a system that
produces a paper record that the voter sees and verifies, and that is
retained by the election
official as the record of votes cast for purposes of an audit and any recount.
This statutory requirement is not a bare legal requirement without
practical significance.
To the contrary, a paper record that has been reviewed and verified by the
voter is an essential
element of a transparent and open voting system. A voter verified paper
record that will be
available for an audit of the system and for any recount greatly reduces
the possibility of fraud
and provides a means of detecting and correcting unintentional error in the
electronic system.
Equally importantly, it assures each voter that the vote has been
accurately cast, and that there is
a paper record of that vote to serve as a check on the electronic system,
and eliminates the
suspicion of impropriety. An open and transparent voting system increases
the voters’
confidence in the system and the public’s trust in the results. It is an
essential element of the
democratic process by which we elect the government of this great republic.
page 4
-----------