Discussion of the wireless communication component in election systems

This topic is archived.
rumpel, Donating Member (1000+ posts), Sat Apr-23-05 08:10 PM
Original message
Discussion of the wireless communication component in election systems
Wilms posted a link to http://vote.nist.gov/
since the Technical Guidelines Development Committee held a meeting on 4/21 & 22.
I browsed and downloaded some documents, and since this wireless transmission or modem transmission issue had been bugging me for a long time, I thought I would check.
Ultimately the full findings and recommendations will end up at the EAC.

and anyone interested in seeing the current communication set should see page 4 of
http://vote.nist.gov/April2005/6-wirelessv3.pdf

At Issue: Voluntary Voting System Standards

Telecommunication
5.1.1 Integrity
For WANs using public telecommunications, boundary definition and implementation shall meet the following requirements.
a. Outside service providers and subscribers of such providers shall not be given direct access or control of any resource inside the boundary;
b. Voting system administrators shall not require any type of control of resources outside this boundary. Typically, an end point of a telecommunications circuit will be a subscriber termination on a Digital Service Unit/Customer Service Unit (DSU/CSU) (though the precise technology may vary, being such things as cable modems or routers). Regardless of the technology used, the boundary point must ensure that everything on one side is locally configured and controlled while everything on the other side is controlled by an outside service provider; and
c. The system shall be designed and configured such that it is not vulnerable to a single point of failure in the connection to the public network causing total loss of voting capabilities at any polling place.


ES&S Comments on the Draft Standards for Wireless Communications Devices in Voting Systems, Draft Version March 2, 2005

Specific Issue. ES&S employs the use of an infrared based wireless communications between the iVotronic DRE and the memory device that actuates and works with the iVotronic. An exacting physical alignment is required between the PEB and the iVotronic before either device is powered up and prior to initiation of the infrared communications. Such infrared is enclosed with a physical port/well in the DRE and transmits across a distance of less than a quarter of an inch. When the PEB is removed from the iVotronic well, the PEB powers down and infrared communications ends. There is no broadcasting or continuous communications of data in any direction, unless the strict physical alignment is in place. Over 40,000 such iVotronic DRE voting machines are in the field today. Such controlled, secure wireless communications should not be prohibited.

Specific Issue. Certain customer jurisdictions make use of wireless and cellular based communications to transfer unofficial vote totals from the polling place, after polls close, to the election central computer system. Such unofficial transmissions are later checked and validated against results paper tape printouts generated at the polling place. In addition, jurisdictions have the ability to carry such vote totals into election central via the memory devices from the voting machines. If for any reason a transmission is interrupted or fails, these techniques serve as backup processes and validation / audit points used before the election results are declared official. Such techniques completely mitigate any telecommunications based security concerns and maintain systems integrity regardless of any and all telecommunications techniques that can be used by those attempting to compromise the transmissions systems. While the most advanced encryption and secure transmission based techniques are desirable, they are not absolutely necessary given these overriding systems management processes that guarantee systems integrity.


and yet

Mr. James C. Johnson, in his 8-page comment, lays out the vulnerabilities, among them:

How Secure is IrDA
IrDA does not provide encryption at the Physical Layer, and depends on the end systems to implement security if any. It is possible for the radiation emitted from the voting terminal or the Election Judge's controller to be intercepted and listened to. Bluetooth, a short range RF technology whose use is restricted by P1583 (as well it should) provides encryption at the physical layer and thus its basic design offers more security than short range optical. The current NIST standard does not mandate link encryption and strong authentication, thus facilitating this kind of attack.
With optical, it is possible for a session to be 'hijacked' unless strong authentication measures are implemented between communicating systems. When a session is hijacked, a foreign device masquerades as a trusted system that is authorized to exchange data. Because the system has no way to distinguish the masquerader from the authorized system, it will accept anything from it as if it was authorized.

and

Microsoft Statement on the security of IrDA
Microsoft Windows 2000 provides support for infrared-based connectivity. This support is provided through protocols developed by the Infrared Data Association (IrDA). Because of this, they are often called IrDA devices. These devices can be used to share files and printers with other IrDA-device capable systems. The software that handles IrDA devices in Windows 2000 contains an unchecked buffer in the code that handles certain IrDA packets.
A security vulnerability results because it is possible for a malicious user to send a specially crafted IrDA packet to the victim's system. This could enable the attacker to conduct a buffer overflow attack and cause an access violation on the system, forcing a reboot.

In other words, highly untrustworthy! Yet, ESS closes their comment by adding this:

"We would welcome the opportunity to review our products and processes with NIST personnel and our customers, and have a dialogue on how to help create a successful transition plan to better standards for all jurisdictional authorities tasked with making this happen. As vendors we are delighted to make changes to improve and sell new equipment or upgrade existing equipment as long as the market will support this."

I have yet to research my arch enemy suspect Optiscan and its software...
MazeRat7, Donating Member (1000+ posts), Sat Apr-23-05 08:31 PM
Response to Original message
1. Sorry I am not getting your point...
IrDA is an infrared, limited-distance (meters/feet), line-of-sight communication link (think TV remote control). Some yahoo saying it can be "hijacked", while technically correct if you are in the same room directly in front of the device, might as well say that some large space object might destroy the earth. Either will be obvious before the fact.

How does this concern link to the first part of this post about telecommunications boundaries (e.g., the CSU/DSU, cable modem, DSL, etc.)??? Do you see some kind of linkage here, and if so can you distill the technical concern down to a few sentences or a demonstrable exploit?

Sorry, I guess I am missing the point of this post other than some "guy" has said that infrared, short-distance (feet), line-of-sight communication "might" be compromised and somehow a standard SLA for the service providers has been included....

So, as a technology professional, please articulate your specific concern so I can evaluate it on the merit of "security" and make an appropriate response....

Thanks,

MZr7
rumpel, Donating Member (1000+ posts), Sat Apr-23-05 09:12 PM
Response to Reply #1
2. The telecommunication boundaries defined in the Standards include
specifications for wireless communication between election machines.

The fact that there are manufacturers that offer cradles for IrDA devices that allow them to operate over extended distances of over 100 feet at data rates up to 115kbps is surely a security risk. If I understand it correctly then, technically I could be sitting at home and interfere with the election devices at a polling place without being noticed, provided I live next door.

So how do you protect any machine from "beyond the walls" interference or eavesdropping or software manipulation?

ESS does not address this issue in their comment maintaining only that their machine is set up for short range communication, but what is their protection regarding accessibility from outside unauthorized units and have such confidence?

Unless there are precise restrictions I would be very uncomfortable with wireless communication capable election machines.

What do you think?
kster, Donating Member (1000+ posts), Sun Apr-24-05 01:08 AM
Response to Reply #2
12. You can protect yourself 100%
by not using the f*cking tabulating machines in the first place. Paper ballots hand counted. They want us to fear them, but we refuse to; they are few, we are many, we will win. Get it!
dzika, Donating Member (1000+ posts), Sat Apr-23-05 09:18 PM
Response to Original message
3. Wireless Networks in Voting Tech Homes
This is off of your original topic. I thought I would toss it out there while you were on a similar subject...

I know of at least one case where voting technicians were able to dial into tabulation equipment for the purpose of making repairs. Those same technicians were assigned home wireless networking equipment that was not secured. The idea being that someone who knew this information could use the unsecured wireless home network to gain access to the tabulation equipment.

I'm not saying that any fraud actually happened in this case but it certainly could have been possible.
rumpel, Donating Member (1000+ posts), Sat Apr-23-05 09:28 PM
Response to Reply #3
4. Yes, dzika, that is my concern. Also, as I remember, one vendor having
posted the unofficial results on their website means they had full access the whole time for whatever precinct or region it was.

In the meetings there is one member who points out the integrity of the vendors also so they are aware of our concerns:

(This is from the minutes of their meeting)

Mr. Kelsey made the following points in his presentation:

- Resolution # 17-05 directs NIST to research and draft standards documents requiring testing of voting systems that includes a significant amount of open-ended research for vulnerabilities.

- We cannot rely solely on procedural checklists.

- An open-ended evaluation needs to be adversarial. The goal is to find weaknesses before the system is fielded. We need to try to find a way to fail the system.

- We cannot trust vendor assertions without verification. Vendor insiders may be in on an attack.

- We have to assume the possibility of the existence of serious attackers.

- New requirements are needed on voting system documentation.

- We need to verify claims in voting system documentation and do an open-ended search for problems.

MazeRat7, Donating Member (1000+ posts), Sun Apr-24-05 12:26 AM
Response to Reply #3
8. Which is the real issue ?
Edited on Sun Apr-24-05 12:56 AM by MazeRat7
Being able to "dial in" to a remote system and "wireless home networking equipment" are generally not related unless your "dial-in" system also serves as a "router"/"gateway" for your entire home network. I do not believe there is a single vendor that sells a wireless access point that also provides "modem connectivity functions" for calling a remote system. So certainly some guy like me just hanging out and war driving in the hood would generally not be able to get a connection to "a" voting machine using typical wireless networking techniques.

Even if said technician had a "private wireless home network" (using equipment supplied by the vendor), the dial-up connectivity would need to be direct from one system attached directly to the phone line. Now if that "direct system" also had a secondary interface to the local area network, and that direct system did not have any kind of firewall, and that system had never been patched for security purposes, then "perhaps", someone within about 300' of that site could (given enough time and effort) crack the direct system and also connect to the voting machine.

To connect to all voting machines that technician had access to would generally require our hypothetical "hacker" to have planted some kind of logger on the target box (the one mentioned above on the wireless net) to log the numbers/usernames/passwords of each voting system.

The logistics of this being a coordinated effort on a scale large enough to change the outcome of an election is massive.

just my $.02

MZr7
Zan_of_Texas, Donating Member (1000+ posts), Sat Apr-23-05 10:12 PM
Response to Original message
5. Check out this article.
Edited on Sat Apr-23-05 10:19 PM by Zan_of_Texas
Every vote can be counted at the voting booth, and every voter's registration can be correct and honored, and everyone can have plenty of voting machines or booths, and if the tabulation is flawed or changed by fraud, the election result will be wrong.

If tabulation at central count places can be changed remotely, game over. May the best hacker win. Democracy, of course, loses.

Here is an article that looks at several aspects of the problem.

This includes the tabulating company, Triad, for half the counties in Ohio, saying that they could remotely access their computers to adjust the instructions, between the time of the November election and the time of the recount.

Also, one of the Triad VPs (the company is tiny) says in an email that she has a Microsoft application "that reads/updates a series of Access MDBs through Remote Views stored in DBCs {Database Connectivities}."



"Even a Remote Chance?"
by Pokey Anderson
posted at Voters Unite
January 10, 2005
http://www.votersunite.org/info/evenaremotechance.htm
MazeRat7, Donating Member (1000+ posts), Sat Apr-23-05 11:22 PM
Response to Original message
6. Ok folks... take a breath and lets talk....
Rumpel... I am responding in to your initial thread again based on your reply and some other information I would like to put out there.

First, for credibility purposes since I have never posted in this forum before tonight, I think it is important you understand my credentials in the field of software design and software security.

I work for a Fortune 50 company as one of their senior software architects, specializing in advanced algorithms and security. That's really just a fancy way of saying I get paid to figure out how to "compromise" enterprise software but still make it "go fast". *grin

Now, to your points and questions. Again, IrDA is infrared. It's like a TV remote. It won't go through walls, around corners, or to the house next door. While it is "wireless" it is not what the industry considers "wireless" like 802.11b/g etc. that allow us to surf the web while having coffee or waiting for our next flight. That version of wireless is really a radio signal in the 2.4 GHz range and can be transmitted and received for some distance away from the source.

That being said, software based voting machines in "theory" are the most secure and viable way to guarantee that every vote is counted. Now before you flame me on that statement, let me give the conditions required to make that true.

1) The software that actually "runs" the end user terminal (eg collects the votes) can not be "owned" by a for-profit company. Proprietary software is ripe for abuse and because it is proprietary (eg Intellectual Property Rights etc) nobody can validate the functional operation of the software. Sure it can pass a test suite, but what else can it do ? How easy is it to compromise the code ? etc.

Take a look at the #1 vendor of software in the world. Microsoft. Now ask what vendor has had more security problems (exploits) than any other. Now ask why ?

Take a look at open source software (not owned by a specific vendor and proprietary) and ask.. How many exploits has that software had ? There is a major difference.

Sure, both have had security problems But the degree is an order or two of magnitude different. Furthermore, in the case of open source software, the more eyes on the code the better. In other words its almost impossible to "hide something that is in plain sight".

2) Once the code that runs the end user terminal is available for public review, then we get to issues of secure delivery to regional counting organizations. That too is a non-issue provided they again use publicly available tools like public key crypto (GPA, etc.). E.g. secure communications.

3) Finally the issues of paper trails. They are not needed provided the system is sufficiently architected to "guarantee" transactional integrity. Think on-line banking, stock trading, etc. We have been building systems for the past 20 years that run 24x7 and are "guaranteed" never to drop a transaction and we damn sure don't log everything to physical paper. KWIM ? Do you think a bank is going to put an on-line system up if there is "ANY" possibility they might drop a transaction ? Of course not. The industry term is "audit trails" and has nothing at all to do with physical paper. These are common and even the most "average" software vendor should be able to provide such a thing.

So what is the problem with these "voting systems"? Proprietary software, no incentives, and no regulations. I don't know about "back-room" deals, but given the current state of the "voting system software industry"... it is more likely than not.

So... bottom line, if you want to fix the crap and uncertainty that exists today in the "electronic voting machines"... my recommendations would be
a) Get it out of private hands and into the public domain
b) If you can't do a) because of excessive corporate influence then (forgive me for saying this) regulate them in a manner similar to the banking and financial institutions. We have FDIC... why not FVIC ?

So, not sure that is as much of an answer as it is a position statement... Really it's just a long-winded way of saying that electronic cradles using infrared are the least of our worries.

MZr7




Bill Bored, Donating Member (1000+ posts), Sun Apr-24-05 12:10 AM
Response to Reply #6
7. WANs, LANs and open source code do not a fair election make.
Think about this:

I can have the latest version of Word.
It can function perfectly.
It can be certified, open source and virtually bug-free.

My documents can be protected, encrypted, and authenticated.
They can be digitally signed, and so can the application itself.

But I can still use it to slander someone, write propaganda, disinformation and lies; I am free to spell and punctuate incorrectly.

Until we look at the human factors of election management systems, all the open source code and security in the world won't make them safe.
MazeRat7, Donating Member (1000+ posts), Sun Apr-24-05 12:38 AM
Response to Reply #7
9. I'm sorry Bill, but that is just not accurate....
Human factors, eg usage parameters, from an engineering perspective are the easiest problem to deal with.

As for the rest of your post.. Well... I am going to assume it's late where you are *grin.

MZr7


Bill Bored, Donating Member (1000+ posts), Sun Apr-24-05 01:05 AM
Response to Reply #9
10. I didn't say whether or not they were easy to address;
I am simply implying that they haven't been.

You seem to know something about IT security. Now learn something about election management systems.
MazeRat7, Donating Member (1000+ posts), Sun Apr-24-05 01:20 AM
Response to Reply #10
13. Yes, I am sufficiently informed on both topics.. thanks. *smile
kster, Donating Member (1000+ posts), Sun Apr-24-05 01:45 AM
Response to Reply #10
16. TABULATORS
same as election management systems; I prefer TABULATORS. I say tomato, you say tomotoe. Election management system = TABULATOR.
Wilms, Donating Member (1000+ posts), Sun Apr-24-05 02:18 AM
Response to Reply #16
18. A Tabulator is PART of an Election Management System
I believe what BB is illuminating is the entire infrastructure required to pull off a heist, er, election.

Imagine just some of the bits. And a bit can be hardware, software, or an action on the part of an election worker.

Ballot Creation (Paper and Vapor)

Voting Machines

Voting Machine Ballot Configuration

Tabulators

Voter Registries
kster, Donating Member (1000+ posts), Sun Apr-24-05 03:04 AM
Response to Reply #18
19. Wilms I agree but
you can have paper ballots from one end of the city to the other, then you optiscan them, PAPER ballot totals off to the TABULATORS for a grand total; that's where they get us. Fight this b*llshit; they are few, we are many. We don't have to put up with this sh*t. FIGHT! NGU
Wilms, Donating Member (1000+ posts), Sun Apr-24-05 04:43 AM
Response to Reply #19
20. Surely you're not saying that they didn't "get us" in a multitude of ways.
What about the Voter suppression and dirty tricks?

How provisional votes were handled?

The recount procedure an issue. No?

I'm leaving stuff out.

Point is, it's a big system with lots of parts, very many of which are open to tampering. And yes, the tabulators, too.

Right now, on this thread, these really smart engineers are working through one of the parts of that system.
(And I hope they :hug: and make up because a couple of them misunderstood one another, and, well...).

All parts are important. Tabulators, too.

Bill Bored, Donating Member (1000+ posts), Mon Apr-25-05 10:53 PM
Response to Reply #19
31. But kster, this is the EASIEST fraud to detect!
Edited on Mon Apr-25-05 10:53 PM by Bill Bored
Just compare the precinct totals to the tabulated ones. There are probably some jurisdictions where this isn't done, but the point is that it COULD be done, so anyone planning the fraud would want to do it a different way to avoid detection. In other words, they would want to induce within-precinct errors. And this happens to be exactly what the exit poll discrepancies have found. (Not that I'm a true believer in that stuff either mind you, but it makes a lot more sense than a hack that anyone who knows third grade math could eventually detect.)

As I've said before, I know this little hack makes good TV, but it's just not that hard to discover if people are looking for it.

IMHO, a serious fraudster would find a better way.
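The ES&S comment quoted in the original post (unofficial transmitted totals are validated against the precinct paper tapes) and Bill Bored's point in this reply (compare the precinct totals to the tabulated ones) describe the same reconciliation check. The following is an added example, not code from the thread, from NIST or from any vendor. The precinct and tabulator figures are constructed; the per-precinct ballot count is included alongside the per-candidate comparison to show why the latter is the one that matters.

```python
"""Reconcile precinct-reported totals against the central tabulator.

Added example, not code from the thread, NIST or any vendor. The figures are
constructed: PRECINCT_TAPES stands for the per-precinct paper tape / memory
device totals, TABULATOR for what election central reports for the same
precincts after the unofficial transmissions.
"""
from collections import defaultdict

# Constructed sample, keyed by (precinct, contest, candidate).
PRECINCT_TAPES = {
    ("P-01", "Mayor", "Adams"): 412, ("P-01", "Mayor", "Baker"): 388,
    ("P-02", "Mayor", "Adams"): 250, ("P-02", "Mayor", "Baker"): 301,
    ("P-03", "Mayor", "Adams"): 175, ("P-03", "Mayor", "Baker"): 160,
}

# Constructed sample: the same precincts as held by the tabulator. P-02 has
# been altered in transit, with 40 votes moved from Baker to Adams; the
# precinct's ballot count is unchanged, which is what a vote-shifting edit
# looks like.
TABULATOR = {
    ("P-01", "Mayor", "Adams"): 412, ("P-01", "Mayor", "Baker"): 388,
    ("P-02", "Mayor", "Adams"): 290, ("P-02", "Mayor", "Baker"): 261,
    ("P-03", "Mayor", "Adams"): 175, ("P-03", "Mayor", "Baker"): 160,
}


def reconcile(tapes: dict, tabulator: dict) -> list:
    """Per-candidate comparison. Returns (precinct, contest, candidate, tape,
    tabulator, delta) for every line that differs; a line present on one side
    only has None for the missing side and for delta."""
    findings = []
    for key in sorted(set(tapes) | set(tabulator)):
        a, b = tapes.get(key), tabulator.get(key)
        if a != b:
            delta = None if a is None or b is None else b - a
            findings.append((*key, a, b, delta))
    return findings


def contest_totals(results: dict) -> dict:
    """Jurisdiction-wide total per (contest, candidate)."""
    totals = defaultdict(int)
    for (_, contest, candidate), n in results.items():
        totals[(contest, candidate)] += n
    return dict(totals)


def precinct_ballot_counts(results: dict, contest: str) -> dict:
    """Votes cast per precinct in one contest. Shifting votes between
    candidates leaves this unchanged, so it cannot replace the per-candidate
    check."""
    counts = defaultdict(int)
    for (precinct, c, _), n in results.items():
        if c == contest:
            counts[precinct] += n
    return dict(counts)


def print_report(tapes: dict, tabulator: dict) -> None:
    """Human-readable summary of the reconciliation."""
    findings = reconcile(tapes, tabulator)
    if not findings:
        print("all precincts match the tabulator")
    for precinct, contest, candidate, tape, tab, delta in findings:
        print(f"{precinct} {contest}/{candidate}: tape={tape} tabulator={tab} delta={delta}")


if __name__ == "__main__":
    print_report(PRECINCT_TAPES, TABULATOR)
```

The report flags P-02 even though its ballot count is unchanged. The within-precinct case Bill Bored describes, where tape and tabulator agree because the totals were already wrong when they left the precinct, leaves `reconcile` with nothing to report; the check is necessary but not sufficient.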
 
Bill Bored, Donating Member (1000+ posts), Sun Apr-24-05 11:45 AM
Response to Reply #16
22. Can a Tabulator program a DRE or Op Scanner remotely BEFORE an election?
Sounds like a big job for a spreadsheet!
Joebert, Donating Member (726 posts), Sun Apr-24-05 01:06 AM
Response to Reply #6
11. I teach Linux. Opensource voting software is the only answer.
If we were to have government mandated, open source voting software available 2 years ahead, and change locked 1 year ahead of an election, we could make some progress here.

Let every vendor join the market and use whatever design they want.

BUT

It runs this software, and only this software on a screen of X resolution and Y display size.

The software would allow for 3 levels of font size increase, and the terminal would as well.

This is at the terminal side.

There would be software involved in sending the data for tabulation. That would have to be open source.

The tabulation should be happening on a system with full open read only access. The tabulation would again be open source.

With all codesets required being open, everybody could look at it, everybody could make sure there is no way to obfuscate the counting to make it look like it counts an X as a Y.

This seems so simple. We have national laboratories that have Linux clusters.

Shut one down for the election cycle, decommission an "old" one that isn't as fast as the latest nuclear simulator, but one that can handle a bunch of tabulation like this.

Have them write it. Post it to the net. Let all comers view the code. Have a very public forum for feedback. Let everybody comment, and help the code get rock solid with total transparency.

This is how it should be done. And it can be done with the technology currently available.

All that would need to change is the voting machines would need to be certified to run this and nothing else.

I'm thinking we could pull this off with notebook computers with a bootable CD for the OS/Voting software, and a live network connection to take the results as they're submitted by the voter.

There are obviously flaws in my idea, but the point is, it can be done. It can be secured. It can be watched.

MazeRat7, Donating Member (1000+ posts), Sun Apr-24-05 01:44 AM
Response to Reply #11
15. To distill what you are saying for others....
Edited on Sun Apr-24-05 02:16 AM by MazeRat7
(in order to avoid all the technical lingo)... *grin

1) Private companies should be allowed to market their wares (in this case voting machines).

2) Those machines must comply with a nationally defined architectural standard for electronic voting machines. (Let one of the national standards bodies define it, not clueless government lackeys.)

3) That architecture dictates they run "public" or possibly "Open Source" voting software that meets yet another set of accepted national standards from the same or another relative consortium.

Beyond that, said private enterprises can do what they like relative to look and feel, services, etc... We have national standards for everything from web page markup, to remote object access, to security, to the simplest of communications protocols... why should an "electronic voting" standard be all that different?
Not to mention that voting is just a wee bit more important... *grin

The hook (which the private companies will hate and where the base problem lies) is that these private companies basically become "hardware vendors". The software and communications would no longer be private..... Since hardware is only about 10% of a system's cost... well guess what, they make fewer $$$$.... Damn.

I think that covers it... *grin.

MZr7


Bill Bored, Donating Member (1000+ posts), Sun Apr-24-05 11:53 AM
Response to Reply #11
23. How can you freeze changes a year before the election
Edited on Sun Apr-24-05 11:56 AM by Bill Bored
when you don't even know who's going to be on the ballot at that time?

I know you don't have to change the source code to change the names on the ballot. But my whole point, which is apparently lost on MazeRat7 is that the configuration needs to be audited before and after the election or the ballot printing in the case of Op Scans. No amount of open source code is going to ensure that this takes place.

BTW, I do agree that the source code should be open; It's just not a complete solution.
MazeRat7, Donating Member (1000+ posts), Mon Apr-25-05 03:13 PM
Response to Reply #23
29. Ballot contents are the responsibility of the local registrar....
Edited on Mon Apr-25-05 03:21 PM by MazeRat7
So, as part of the "code".. I am suggesting that the local registrar provide in a single location (like the county web site) a simple XML document with the "authorized" candidates. If the local county does not have that technology they would supply that information to the state, who would post it on-line for use during the election (both by machines and humans).

As part of the "open standards" I am suggesting, each system would only need to "render" this document in a standardized way for the voter to use during the voting cycle. These documents would be available to the general public both before, during, and after the election.

I see your concern, but it sounds like it is based on the assumption that "each" machine must be manually configured... I am suggesting automating this and other portions of that configuration process. It would work like a large company that needed to ensure a standard configuration of 1000's of corporate desktops/laptops/servers, etc.

Something like 1) power the machine up, 2) tell it where to find the "candidate document", 3) where to "log the votes"....etc.... We need to get the vendor out of this phase of the process and specify how the system should "configure itself" based on publicly available and verifiable configuration information.
(on edit: the machines could also be told where to get the actual software they are to run for the current election cycle... maybe through something like PXE or other network boot protocols.. just a last min thought)

Tell me again if I am missing the mark of your concern...

MZr7
Bill Bored, Donating Member (1000+ posts), Mon Apr-25-05 11:44 PM
Response to Reply #29
32. A few concerns, but you're starting to get the picture:
First, what you describe is in general almost exactly how the junk that's out there works now, except that it's done using well, junk! And it's proprietary junk too. Machines aren't configured manually now; this is why any errors in the configs can be large enough to affect outcomes -- they are multiplicative -- not to mention the deliberate stuff. So making this an open yet secure process instead of a closed yet insecure one would be a step in the right direction.

That said, ballots are highly localized, even within a county, so there are lots of different standard configurations administered by the central IT department (County BOE). They are not known for their technical expertise, so how do they do it? At present a lot of this is being outsourced and there are no auditing requirements that I'm aware of. So you need some (total) quality management procedures, and/or you have to do it yourself.

You want to get the vendors out of the business and let the machines configure themselves, but the templates still have to be set up by someone. So either the BOEs will have to be trained to do it or they will have to outsource.

The basic problem is that you have a system that's only used a couple of times a year but you need people to be familiar with it to the point where they configure it perfectly every time.
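MazeRat7's proposal in #29 (a published XML candidate document that each machine renders) and Bill Bored's reply in #32 (the configuration has to be audited before and after the election) can be combined into one check: compare what a machine actually loaded against the registrar's published document. The following is an added example, not code from the thread or from any vendor. The `<ballot>`/`<contest>`/`<candidate>` layout, and the assumption that the registrar publishes a SHA-256 digest beside the document so that auditors and machines can confirm they hold the same bytes, are mine; the sample documents are constructed.

```python
"""Audit a voting machine's ballot configuration against the published one.

Added example, not code from the thread or any vendor. Assumptions: the
registrar publishes an XML candidate document and, beside it, its SHA-256
digest; the audit compares the document a machine loaded against the
published one, byte for byte first and then candidate by candidate.
"""
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample: the registrar's published candidate document.
PUBLISHED_XML = b"""<ballot county="Example" election="2005-11-08">
  <contest name="Mayor">
    <candidate id="c1">Adams</candidate>
    <candidate id="c2">Baker</candidate>
  </contest>
  <contest name="Proposition 1">
    <candidate id="c3">Yes</candidate>
    <candidate id="c4">No</candidate>
  </contest>
</ballot>
"""

# Constructed sample: what one machine actually loaded. Baker has been dropped
# from the Mayor contest and a "Write-in" line added (a stale or edited copy).
MACHINE_XML = b"""<ballot county="Example" election="2005-11-08">
  <contest name="Mayor">
    <candidate id="c1">Adams</candidate>
    <candidate id="c5">Write-in</candidate>
  </contest>
  <contest name="Proposition 1">
    <candidate id="c3">Yes</candidate>
    <candidate id="c4">No</candidate>
  </contest>
</ballot>
"""


def digest(doc: bytes) -> str:
    """SHA-256 over the exact published bytes; any byte-level change shows up."""
    return hashlib.sha256(doc).hexdigest()


def candidates(doc: bytes) -> dict:
    """Map (contest name, candidate id) -> candidate name."""
    root = ET.fromstring(doc)
    out = {}
    for contest in root.findall("contest"):
        for cand in contest.findall("candidate"):
            out[(contest.get("name"), cand.get("id"))] = (cand.text or "").strip()
    return out


def audit(machine_doc: bytes, published_doc: bytes, published_digest: str) -> list:
    """Return a list of findings; an empty list means the machine matches the
    published ballot. Run before the polls open and again after they close."""
    findings = []
    # The reference itself must match its published digest, or nothing below
    # can be trusted.
    if digest(published_doc) != published_digest:
        findings.append("published document does not match its published digest")
        return findings
    if digest(machine_doc) == published_digest:
        return findings  # byte-identical: nothing further to compare
    findings.append("machine document digest differs from published digest")
    want, have = candidates(published_doc), candidates(machine_doc)
    for key in sorted(set(want) | set(have)):
        contest, cand_id = key
        if key not in have:
            findings.append(f"missing candidate {want[key]!r} in contest {contest!r}")
        elif key not in want:
            findings.append(f"unauthorized candidate {have[key]!r} in contest {contest!r}")
        elif want[key] != have[key]:
            findings.append(f"candidate {cand_id} renamed {want[key]!r} -> {have[key]!r}")
    return findings


if __name__ == "__main__":
    for line in audit(MACHINE_XML, PUBLISHED_XML, digest(PUBLISHED_XML)):
        print(line)
```

The digest comparison is what lets a BOE with little technical staff do the check: the published hex string is short enough to read off the county web site and compare by hand, and the candidate-level diff only runs when the digests already disagree, so its output is a list of concrete discrepancies rather than a raw XML diff.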
 
rumpel, Donating Member (1000+ posts), Sun Apr-24-05 01:30 AM
Response to Reply #6
14. MZr7 thanks for the detailed clarification. I see the difference from the
let's say a router and the infrared now.

I also agree that a large problem is the secrecy surrounding the source code. Albeit I found Avi Rubin's discovery an amazing oversight of the programmers or else:

"All commercial programs have provisions to be encrypted so as to protect them from having their contents read or changed by anyone not having the key... The line that staggered the Hopkins team was that the method used to encrypt the Diebold machines was a method called Digital Encryption Standard (DES), a code that was broken in 1997 and is NO LONGER USED by anyone to secure programs. F2654hd4 was the key to the encryption. Moreover, because the KEY was IN the source code, all Diebold machines would respond to the same key. Unlock one, you have then ALL unlocked."

The lawsuit that was being talked about by Brad today is also pertaining to Snohomish County's agreement with the vendor about the source code and software disclosure issues.
I find this a bizarre election environment, considering also very few, if any, election officials are knowledgeable enough about the whole system. In fact vendors in many cases actually ran the election.

In relation to audit trails, for example banks, I presume, have some form of data that is verifiable, but with the DREs there currently is none. Then the question arises why not?

All this talk about the possibility of Voter Fraud is minuscule when you think how many voters are in fact capable of compromising. This narrows the potential fraudsters down quite a bit.

I take it that the possibility of large scale centralized manipulation is your main concern. I happen to think that it may have occurred. I am trying to understand where, at what stage it can occur.
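The quoted passage in #14 describes a key compiled into the source, so every machine shares one secret. As an added example, not code from the thread, from Diebold or from the Hopkins team, the block below shows the two things a reviewer would want: a small static check that flags string literals bound to key-like names (run here over constructed sample source), and the alternative design the passage implies, a per-device key derived from a master secret held by the election authority rather than shipped in the firmware. The sample source, the placeholder literals, the HMAC-based derivation and the serial numbers are all assumptions made for this example; a production system would keep the master secret in an HSM and use a standard KDF.

```python
"""Added example (not from the thread): catching an embedded key in source and
deriving per-device keys instead.  Sample source and secrets are constructed."""
import hashlib
import hmac
import re
import secrets

# Constructed sample source imitating the pattern the quoted passage describes:
# a key-like name bound to a string literal.  The literals are placeholders.
SAMPLE_SOURCE = """\
#define DES_KEY "NOT-A-REAL-KEY"                 /* constructed placeholder literal */
static const char *password = "hunter2";         /* constructed placeholder literal */
int retries = 3;
key = load_key_from_hsm(device_serial);          /* not a literal: not flagged */
"""

# A key-like identifier (key/password/secret) bound to a quoted literal, either
# through a C-style #define or through an assignment.
EMBEDDED = re.compile(
    r'(?i)#define\s+(?P<dname>\w*(?:key|passw(?:or)?d|secret)\w*)\s+"(?P<dval>[^"]*)"'
    r'|(?P<name>\w*(?:key|passw(?:or)?d|secret)\w*)\s*=\s*"(?P<val>[^"]*)"'
)


def scan_for_embedded_keys(source):
    """Return [(line_number, identifier)] for every key-like name bound to a literal.
    Any hit is a shared secret for every copy of the binary, which is the
    'unlock one, unlock all' property the quoted passage complains about."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = EMBEDDED.search(line)
        if m:
            hits.append((lineno, m.group("dname") or m.group("name")))
    return hits


def derive_device_key(master_secret, device_serial):
    """Per-device key: HMAC-SHA256 of the device serial under a master secret that
    lives with the election authority, not in the source.  Assumed design, used
    here only to show that compromising one derived key reveals nothing about
    the others or about the master."""
    return hmac.new(master_secret, device_serial.encode(), hashlib.sha256).digest()


def keys_are_distinct(master_secret, serials):
    """True when every distinct serial gets a distinct key."""
    derived = {derive_device_key(master_secret, s) for s in serials}
    return len(derived) == len(set(serials))


if __name__ == "__main__":
    for lineno, name in scan_for_embedded_keys(SAMPLE_SOURCE):
        print(f"line {lineno}: literal bound to key-like name {name!r}")
    master = secrets.token_bytes(32)  # constructed master secret for the demo
    print("per-device keys distinct:", keys_are_distinct(master, ["SN-0001", "SN-0002"]))
```

The scanner is deliberately simple (one regular expression per line) and will miss keys assembled at runtime or stored as byte arrays; it is the cheap first pass a code reviewer runs, not a substitute for reading how the key material is provisioned.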
 
MazeRat7 Donating Member (1000+ posts) Send PM | Profile | Ignore Sun Apr-24-05 01:58 AM
Response to Reply #14
17. Yes...yes and yes...
First yes...
It was a shock to learn they were using DES... *LOL. We cracked that years ago. They should have been using RSA... but I digress.

Second yes.. well more of a WTF ?
I had the opportunity to review several of the Diebold exploits and was shocked. What those cracks showed me was the sheer stupidity of their chief software architect. Had I made the same design decisions, in even the smallest of systems I work with daily, I would have been dismissed (*errr asked to move on to other "opportunities") *grin... due to the financial risk to my company.

The third yes.... I do believe that the "vote counts" were manipulated on a much larger scale than others (outside this forum) think. My reasoning there is the topic of a much more detailed discussion. My concern is that without standards and the unregulated participation of for-profit companies, this problem will only get worse.

Thanks for the discussion....

MZr7
 
eomer Donating Member (1000+ posts) Send PM | Profile | Ignore Sun Apr-24-05 07:49 AM
Response to Reply #6
21. The difference between theory and reality
Edited on Sun Apr-24-05 07:52 AM by eomer
On edit: This is in response to MazeRat7, post #6

I don't have an issue with your position as long as we are talking from a theoretical point of view. I've said in other threads recently that it is theoretically possible to develop a secure voting system and I've also voiced my opinion that such a system would be open source and would run on an open source operating system.

But as you correctly point out, that is in theory.

If you look at the
  • woefully inadequate standards produced so far by the NIST,
  • the agonizingly slow pace at which these bureaucratic efforts proceed,
  • the counterproductive nature of the interaction between the NIST and the vendors,
  • the fact that the vendors are entrenched and politically connected,
  • the fact that DREs are dispersed across the country and in most cases managed by officials who are not technically savvy,
  • the fact that Congress would have to empower such a change by way of legislation,
  • the fact that Congress is unlikely to get the details right on such a technical issue and
  • the fact that politicians are likely to look at this issue in political rather than technical terms,

then what chances would you give for this solution happening in our lifetime? My answer is zero. Let me know what your guess is.

So my bottom line reaction to the solution you describe is: "let me know when you've got a couple of those high-level requirements in place and then we can talk about the details".

Now can we turn to solutions that are more likely?

Luckily there is a silver bullet solution available. Require that every vote in the country be by way of a voter verified paper ballot. This solution is incredibly simple to legislate, to understand and to implement and it obviates the software security conundrum.

You talked against a paper ballot in your post but it was within the context of your "in theory" solution. Do you agree with my assessment of the realities and do you agree that the VVPB is a simple and elegant solution, even if only an interim one?

 
Bill Bored Donating Member (1000+ posts) Send PM | Profile | Ignore Sun Apr-24-05 12:21 PM
Response to Reply #21
24. Yes and of course, those VVPBs have to be counted in a transparent way
Edited on Sun Apr-24-05 12:43 PM by Bill Bored
at least to the point where the chances of an erroneous outcome can be ruled out mathematically.

I think that coming from the banking biz (or whatever), MazeRat is thinking in terms of transactions that are not anonymous to begin with (no secret ballots), i.e., the identity of the buyer and seller, or some trusted intermediary, are known to each other before every transaction. This makes it much easier to verify each and every transaction. Anyone who reads their bank statement every month can complain if there's a mistake, including the bank if they made one! But no one has the ability to verify that their secret ballot was counted as cast. Therefore the only way to know that one's vote was counted as cast is to prove that ALL votes were counted as cast. And the method of proof needs to be understandable to the average (or even EVERY) voter. Otherwise there will be no confidence in the process, which in itself will affect participation, thereby altering the totals and perhaps even the election outcome.

None of this is a problem with financial transactions. If worst comes to worst, the customer can just take her business elsewhere and of course there is also legal recourse once a transaction is found to be erroneous or fraudulent.

My other point, which is apparently falling on some deaf ears, is that the configuration data is dynamic and has little to do with the application itself, but is extremely important in that it can also determine outcomes. Attempting to provide a purely technical solution for verification and integrity of the application and its output (the count) does nothing to ensure that the inputs are correct. I hope one thing we can all agree on is "garbage in garbage out" and IT Security and open source code alone do little to address this.
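Post #24 asks that the voter-verified paper ballots be counted "at least to the point where the chances of an erroneous outcome can be ruled out mathematically". One standard way to do that is a ballot-polling risk-limiting audit: draw paper ballots at random and keep going until the evidence that the reported winner really won reaches a chosen risk limit, or until every ballot has been examined (a full hand count). The block below, an added example and not code from the thread, implements the two-candidate BRAVO sequential test (Lindeman, Stark and Yates) over a constructed pile of paper ballots; the ballot counts, the random seed and the risk limit are all assumptions. A real audit also needs a sealed ballot manifest and a publicly generated seed, which this sketch takes as given.

```python
"""Added example (not from the thread): two-candidate BRAVO ballot-polling
risk-limiting audit over constructed paper ballots."""
import math
import random


def make_ballots(winner_votes, loser_votes, winner="W", loser="L"):
    """Constructed pile of paper ballots with the given true counts."""
    return [winner] * winner_votes + [loser] * loser_votes


def ballot_polling_audit(paper_ballots, reported_winner, reported_share,
                         risk_limit=0.05, seed=1):
    """Draw ballots at random without replacement and update the BRAVO statistic.

    reported_share is the reported fraction of votes for reported_winner.
    Each winner ballot multiplies the statistic by reported_share / 0.5, each
    loser ballot by (1 - reported_share) / 0.5.  Once the statistic reaches
    1 / risk_limit the reported outcome is confirmed: if the true winner were
    actually the loser, the chance of reaching that point is at most risk_limit.
    If the pile is exhausted first, the audit has become a full hand count and
    the reported outcome is not confirmed.  Returns (confirmed, ballots_examined).
    """
    if not 0.5 < reported_share < 1.0:
        raise ValueError("reported winner share must exceed 0.5 (two-candidate contest)")
    threshold = math.log(1.0 / risk_limit)
    win_step = math.log(reported_share / 0.5)          # positive
    lose_step = math.log((1.0 - reported_share) / 0.5)  # negative
    log_t = 0.0  # log of the BRAVO statistic, which starts at 1

    order = list(paper_ballots)
    random.Random(seed).shuffle(order)  # stands in for the public random seed
    for n, ballot in enumerate(order, start=1):
        log_t += win_step if ballot == reported_winner else lose_step
        if log_t >= threshold:
            return True, n
    return False, len(order)


if __name__ == "__main__":
    honest = make_ballots(700, 300)   # reported 70% for W, and W really got 70%
    print("honest pile:", ballot_polling_audit(honest, "W", 0.7))
    wrong = make_ballots(300, 700)    # reported 70% for W, but W really got 30%
    print("wrong report:", ballot_polling_audit(wrong, "W", 0.7))
```

On the honest pile the audit confirms after a few dozen ballots; on the pile where the reported result is wrong the statistic drifts downward and the audit runs to a full hand count instead of confirming. The same statistic also answers the "print one thing and record another" worry in #28, since the sample is drawn from the paper, not from the machine's own totals.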
 
eomer Donating Member (1000+ posts) Send PM | Profile | Ignore Sun Apr-24-05 01:31 PM
Response to Reply #24
25. I hear you...
and agree completely. It doesn't do any good to achieve perfection in one area and leave a gaping hole in another.

This hits close to home for me. Here's an article about what's going on in my county:

E-voting May Face Recall in Florida County
IT snafus lead to look at optical scanning


News Story by Marc L. Songini


APRIL 18, 2005 (COMPUTERWORLD) - Ongoing technical glitches are prompting election officials in Florida's Miami-Dade County to consider scrapping a $25 million investment in electronic voting systems.

Infamous for the hanging-chad controversy in the disputed 2000 presidential election, Miami-Dade now uses touch-screen technology from Omaha-based Election Systems & Software Inc. that was installed in 2002 to replace its punch-card machines. But coding errors by county personnel caused the iVotronic systems to undercount votes in five local elections, with a boiling point reached in a countywide March 8 special election.

The latest snafu -- in which a glitch caused hundreds of votes to be uncounted, prompting the subsequent resignation of county elections supervisor Constance Kaplan -- left Miami-Dade officials considering a possible switch to optical scanning equipment.

Officials said the miscount didn't influence the result of last month's election.

However, "if you talk to a number of people, they have lost confidence and are cynical about whether their votes count," said Miami-Dade County Mayor Carlos Alvarez. "That has to be changed. We need to do something where we can restore the confidence of the people in the electoral process. That boils down to the equipment. The equipment is problematic."

<snip>

<emphasis added>

http://www.computerworld.com/databasetopics/data/story/0,10801,101146,00.html


So according to Miami-Dade officials, it was the configuration that caused serious errors in elections.
 
Bill Bored Donating Member (1000+ posts) Send PM | Profile | Ignore Sun Apr-24-05 07:19 PM
Response to Reply #25
26. Exactly! Thanks for posting about South FL. nt
 
MazeRat7 Donating Member (1000+ posts) Send PM | Profile | Ignore Mon Apr-25-05 02:48 PM
Response to Reply #21
28. Agreed
As is generally the case, systems are designed and deployed in a "rush for version 1.0" and then left to evolution, for lack of a better word, to become more usable, secure, etc.

Yes I was speaking of a green field opportunity where you analyze a problem domain, architect a solution, design, build, and deploy. Since we have this mess on our hands and since it's such an unholy alliance between business interest and politicians, we need to figure out how best to meet our objectives.

a) I really wasn't thinking about the NIST but rather some of the more academic based standards bodies like W3C, Oasis, etc - maybe there needs to be a new standards body formed explicitly for electronic voting. - not that NIST should not be considered.

b) I am all for your short term silver bullet suggestion, it should have been part of the initial design. I see no reason that the machine could not provide a printed receipt (say bar code or other OCR type font) that could be dropped into a box at the polling place as well. This would give a backup for what was electronically recorded until a true standard for secure electronic collection and backup is established. And even if we could "guarantee" the secure collection and archiving of digital voting data, there is the human interface aspect. Most people are going to want a piece of paper or receipt in their hand that confirms what was recorded.
This is not a bad thing, it's kind of like making a deposit at an ATM... Technically speaking it is not required for the "system" - it's there so the "people" can verify what actions were taken.

On a small side bar - even this has the potential for fraud. Print one thing and electronically record another. I would also like to see some kind of unique id associated with every vote so we could verify our votes ourselves after the fact. Something akin to an anonymous token (or paper tab) that could be detached from the "official" printout given to the voter after voting with a phone # or web site to utilize to validate their vote.

c) Legislation is going to be the most difficult part. Passing regulations that "require" vendors to adhere to the standards mentioned will be hard. What if different states adopt different standards, etc ? What if they refuse to adopt standards and give the old dodge... let the market (vendors) sort it out ? etc.

d) Adoption of open standards (and ultimately the supporting open software) might happen out of respect and understanding of how important an individual vote is. My guess (fear) is that any such adoption will ultimately come down to financial concerns. Given the right backing, such a company could be founded. It would need to use something like a telecom model (cell/cable) where they charge for the service and hardware only... the actual code and standards would be parameters they must adhere to in order to participate in the market.

So... no I am not as pessimistic about seeing this in my lifetime but I also don't think we will see any of this before the next national election either. Maybe we could get some $$$ backing for GS or the like and actually start a company to compete with the current field of vendors. *grin (that's dreaming isn't it)

MZr7
 
eomer Donating Member (1000+ posts) Send PM | Profile | Ignore Mon Apr-25-05 03:21 PM
Response to Reply #28
30. Yes, looks like we agree.
I would be more optimistic about the chances for a secure e-voting system if it were started from scratch, in an academic setting, and without involvement of the vendor players who benefit only by obstructing the effort, without political interference, etc. I believe you would need this kind of an unfettered environment because the technical challenges are enough to deal with by themselves without throwing in all the other distractions, hurdles and roadblocks.

I also agree with your point about paper ballots being an important human interface. I am in favor of paper ballots even if we were to achieve the "dream" system that you and I would swear up one side and down the other was secure and trustworthy. Because even in that case, the rest of the citizens should not have to take your or my word for it. They are entitled to a system that they can trust based on their own direct observation and understanding of it.

About your comment on a system by which voters can validate their votes - I know there is a pretty sophisticated system that has been designed to do just this. I'll see if I can find the documentation. The danger with this kind of thing is that it could potentially be used within the context of vote buying. If a voter is able to verify online the candidate for which the vote was counted then that voter could voluntarily allow someone else to verify the same in exchange for payment for a vote delivered. I don't remember whether the design that was proposed avoids this problem or not. I'll post if I can find it.

Thanks for coming back to discuss further. I hope you will hang out here from time to time to explore these kinds of issues.
 
Bouvet_Island Donating Member (227 posts) Send PM | Profile | Ignore Sun Apr-24-05 07:48 PM
Response to Reply #6
27. huh,
I wasn't aware you were a crypto expert. It's interesting to learn about the hardware part of these wonder boxes, good threads.

I mostly agree with about everything you said in the post here, but I disagree there are no dropped transactions. My bank lost our telephone bill twice a few years ago that we paid in cash, my flatmate had the receipts and the bank agreed to pay the fees to open our phone again on both occasions. They simply had no explanation at all, and the system was very properly insured against fraud by the cashier. We are speaking digital and hard copies to state authorities etc, there simply was no possible technical explanation except hacking, but then even that seemed either a bit far fetched or alternatively an incredible story since they ran like their own proprietary software made in like the late 70s. My former flatmate, an accountant, has all the paperwork, in a frame...