Originally published at: https://boingboing.net/2018/08/23/freedom-zero.html
…
This is not a panacea. Are you going to watch them install the OS, the toolchain, compile the source, configure the network, etc.? Of course not. You still have to trust that a hundred different things were perfectly configured by unpaid, non-technical election judges, or worse, people hand-picked by a partisan politician.
We still need paper ballots. They can (and should) be machine readable, but physically recorded votes are a must.
All true, but it’s still a step in the right direction when so many other districts are going the other way with their counting and tabulation systems.
Open source is absolutely required for maximum transparency in an election process. Opaque democracy is no democracy at all.
Independent audits of randomly selected devices would alleviate most reasonable concerns and build confidence in the process.
It is possible to make digital ballots that are more tamper proof than paper ballots. I’m not saying they’ve done that here, but that blanket statements like yours aren’t strictly accurate.
So, where can we access the source code since it’s open source ?
What the hell is wrong with old school scantron machines? To recount just feed the ballots through again and you have them easily readable for a manual recount.
WA does it this way.
Also I will plug that vote by mail is awesome.
When I was reading that long, scary piece about the NotPetya attack on Maersk, I kept thinking about the trade-offs between an all-out rush to adapt digital technology as fast as possible, vs. the slower, more careful rollout that keeps analog methods in reserve. Like the Navy resumes training in sextant navigation or air traffic controllers keeping those little aluminum “shrimp boats” handy by their terminals, just in case.
Among the worst, has got to be the super-twitchy stock exchanges that squeeze out all the latency they possibly can, not for the public good, but so that hedge funds can shave microseconds from their trades.
All of these weird failure modes point (me) toward a deep misunderstanding of the human economy.
If you were a voter in Los Angeles, you’d know that we use the “Inka-Vote” system (a pen-sized ink stamp that fills in bubbles on a Scantron-style card; the ballots are read optically and stored in boxes in case of a recount); if you’d read the linked article you might have noticed this sentence:
The ballot-counting equipment is part of a broader redesign of Los Angeles County’s voting system, which will include new equipment while relying on a traditional paper ballot.
That’s what we’re already using in Los Angeles; here, it’s called “Inka-Vote” (possibly to curry favor with the Peruvian community, although you’d think they’d just bring back qipus.)
The announcement is regarding a refresh of the counting machines (which are getting a bit long in the tooth) and software (currently proprietary). Come to think of it, “Inka-Vote” was probably a trademark of the current software, so I’ll have to come up with a silly joke about whatever comes next.
It is likely necessary (doesn’t necessarily imply open-as-in-GPL, you can transparently present source and still assert copyright to prevent others from producing derivative works; and might allow for some closed-in-name-only black box accompanied by a thicket of publicly disclosed and testable proofs about its behavior; though, even if the computer science allows it, doing it that way would be fairly perverse); but definitely not sufficient.
I’d propose an informal metric. We’ll call it the “Nixon Number”; because it’s alliterative and he deserves it:
The Nixon Number of a system is the number of people required for the smallest plausible subversion of that system. It’s an informal metric because ‘plausible’ is a weasel word; but still a helpful way to think about it:
A proprietary black box is almost certainly going to have a Nixon number close to 1 because someone sufficiently well placed with the vendor can tamper with it without fear of detection (as in the not-at-all-hypothetical post-validation “patching” that made Diebold’s reputation in the field).
A system with serious security flaws is pretty much always going to have a Nixon number of 1 because any script kiddie could knock it over.
However, a fully OSS system, with security provided by Puffy in full barbarian mode, can also have a Nixon number close to, or equal to, 1. Classic Unix security tends to either explicitly assume that if root does it it’s by design; or give root enough power that detecting malfeasance on root’s part is quite a challenge, or both.
In the ideal case, you want a system’s Nixon number to approach or exceed the number of voters required to achieve a given outcome; since that is where “large conspiracy” turns into “the democratic expression you were trying to measure” (if and only if it isn’t possible for a large conspiracy that isn’t made up of the same people as the electorate can’t pull off a subversion; that keeps ‘conspiracy’ from moving into ‘plurality’; cynics would argue that this is basically how disenfranchisement of the criminally convicted works…)
This metric is, admittedly, informal; but what it lacks in rigor compared to formal proofs of a given piece of software it gains in being a useful antidote to excessive focus on the sort of very strong; but Genie-class narrow and precisely worded, security guarantees provided by even carefully vetted systems (among innumerable other options, simply ensuring that the supply of formally proven voting bastions is inadequate in…areas of demographically suspect loyalty…you can achieve a subversion without beating your head against some impregnable and elegant cryptographic widget).
Unfortunately, while achieving a decent Nixon number does require refraining from the usual vices, getting the one we really want is actually a pretty novel challenge: systems utterly hardened against root’s enemies won’t be enough; fraud-detection heuristics borrowed from Team Credit Card and similar (while sometimes spooky powerful) tend to work poorly if you want to preserve ballot secrecy; and nobody even wants to think about a reliable mechanism for a bunch of largely non-technical and not necessarily 100% trustworthy staff to ensure that a zillion terminals are actually running the hardware and software the spec says they are (actually, the DoD would be delighted to have you think about it and generate some helpful hints; turns out that avoiding counterfeit parts while also maintaining legacy systems in quantity is a hard problem that they have; and have a strong interest in).
Well I said Open Source, not Free Software.
You can get the Windows kernel source code under an open education license. You can’t redistribute it outside of your institution though. This is kind of why a lot of the GPL folks (FSF) wrestle with people confusing the two, as simply being open source doesn’t meet the goals that FSF has.
Cheezus. Don’t they make CS students read “On Trusting Trust” any more?
Electronic voting machines are anathema. They have no good reason to exist.
If you trust your democracy to electronic voting machines with no paper record, you should quit being surprised when the results aren’t what you expected.
There is NO secure electronic voting machine. None. It’s impossible in principle.
If anyone tells you otherwise, you should find out why they’re lying to you.
Because they are.
Machine-counted ballots mean trusting the machine.
Trusting the machine means trusting the people who built the machine, the people who transported the machine, the people who plugged it in and set it up for the current election, the people who read the result and told you about it. Any one of these people could fuck your election.
Hand-marked, hand-counted paper ballots mean not having to trust anybody. Each of the antagonistic parties can put their own eyeballs on the ballot boxes, watch every vote being counted, and agree whether the count is correct or not.
There is no reason to automate this fundamentally human activity.
I guess they don’t want to Make America Great Again, again.
Except for the fact that it just Does. Not. Scale.
I absolutely agree that getting the true result is more important than getting it fast - but an actual hand count in (just to name a hypothetical) Los Angeles County would take days or weeks, even if you put far more people on the job than are currently employed. Also, in our last election (the spring primary) I voted on dozens of separate issues - a wide field of candidates for governor, senator, local reps, judges, and ballot propositions. Hand-counting even a single ballot would have taken several minutes (it took me about thirty seconds to re-check my own ballot), and I’m not sure I would have trusted the result even then.
I suppose that you could strip things down until each person only voted YES or NO on a single issue; that would definitely make counting ballots easy. But I don’t think I’d like to live under the resulting system of government.
…and the problem with that would be… what, exactly?
Is someone going to pee their pants if they don’t get instantaneous election results?
There’s no need for hand-counting. What’s needed is an auditable paper trail. Scantron-counted ballots are fine as long as there are regular, random audits - a necessity with any auditable system.
Automated ballot-counting is fine as long as the process produces auditable paper records with proper chain-of-custody measures. Any question about the accuracy of the machine count can be resolved by hand-counting the paper records.
And anyone who connects a voting machine to the internet is either a dimwitted incompetent, or someone with a vested interest in wholesale vote fraud.
This isn’t rocket science.
(And it’s DEFINITELY not computer science.)
Of course it does.
Where there are more voters there are more poll workers and more party volunteers.
Then you’re back to trusting the auditors. An adversarial process derives integrity from simplicity and transparency, not blinking lights and technocrats.
In a sense you’re both right.
It won’t scale until election day is a mandatory holiday, but once that’s done it scales just fine, for exactly the reason you stated.
Touch things on screen, receive printed (filled in) ballot. Drop ballot in box. Printed ballot is used for official results. Electronic version is used for “instant (and nonbinding) reporting”.
Reasonably secure, it does assume a “big enough” fraction of people will double check their printed ballots that any fraud would be detected. It could be successfully attacked by altering a small enough percentage of the votes that you wouldn’t expect to be detected (or that it would be written off as a glitch), you can fight that by reminding people to double check the printed results. I expect you would get a pretty high double check rate if you explicitly mention the Russians.
Granted it also brings you only a subset of what makes electronic voting “great”, but instant binding reporting isn’t worth also having zero assurance that the votes are even remotely real.
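Two of the comments above rest on the same quantitative idea: the machine count is trusted only because a random hand-count of paper records can catch a tampered tally (the “regular, random audits” comment), and a print-and-verify ballot only deters tampering if enough voters actually look at their printout (the “big enough fraction” comment). The following Python is an added illustration written for this page, not code from the thread, the article, or the Los Angeles County system. The precinct ballots, the machine tallies, and the one deliberately mismatched precinct are constructed sample data; the function names are my own.

```python
import math
import random
from collections import Counter
from typing import Dict, List

# Constructed sample data: each precinct's paper ballots (one recorded choice
# per ballot) and the tally the counting machine reported for that precinct.
PAPER_BALLOTS: Dict[str, List[str]] = {
    "P1": ["A"] * 60 + ["B"] * 40,
    "P2": ["A"] * 55 + ["B"] * 45,
    "P3": ["A"] * 30 + ["B"] * 70,
    "P4": ["A"] * 50 + ["B"] * 50,
}
MACHINE_TALLY: Dict[str, Dict[str, int]] = {
    "P1": {"A": 60, "B": 40},
    "P2": {"A": 55, "B": 45},
    "P3": {"A": 45, "B": 55},  # constructed discrepancy: machine count disagrees with paper
    "P4": {"A": 50, "B": 50},
}


def hand_count(ballots: List[str]) -> Dict[str, int]:
    """Tally a precinct's paper ballots by hand (here: by counting the list)."""
    return dict(Counter(ballots))


def audit_sample(precincts, sample_size: int, seed: int) -> List[str]:
    """Pick the precincts to hand-count uniformly at random.

    A seeded RNG stands in for the public dice roll or published random seed
    an audit would use so observers can reproduce the selection.
    """
    rng = random.Random(seed)
    return sorted(rng.sample(sorted(precincts), sample_size))


def run_audit(machine: Dict[str, Dict[str, int]],
              paper: Dict[str, List[str]],
              sample_size: int, seed: int) -> Dict[str, dict]:
    """Hand-count the sampled precincts and report every precinct whose paper
    count disagrees with the machine count. A non-empty result is the trigger
    for escalating to a wider (ultimately full) hand recount."""
    mismatches = {}
    for p in audit_sample(machine.keys(), sample_size, seed):
        counted = hand_count(paper[p])
        if counted != machine[p]:
            mismatches[p] = {"machine": machine[p], "paper": counted}
    return mismatches


def catch_probability(n_precincts: int, n_tampered: int, sample_size: int) -> float:
    """Probability that a uniform random sample of sample_size precincts
    contains at least one of n_tampered tampered precincts (hypergeometric)."""
    if sample_size > n_precincts - n_tampered:
        return 1.0
    clean_only = math.comb(n_precincts - n_tampered, sample_size)
    return 1.0 - clean_only / math.comb(n_precincts, sample_size)


def voter_check_detection(check_rate: float, altered_ballots: int) -> float:
    """Probability that at least one altered printed ballot is noticed when each
    voter independently double-checks their printout with probability check_rate.
    This is the "big enough fraction" argument made quantitative: an attacker
    altering few ballots gambles that none of those voters looks."""
    return 1.0 - (1.0 - check_rate) ** altered_ballots


if __name__ == "__main__":
    found = run_audit(MACHINE_TALLY, PAPER_BALLOTS, sample_size=2, seed=7)
    print("sampled-precinct mismatches:", found)
    print("chance a 2-of-4 sample hits the tampered precinct:",
          catch_probability(4, 1, 2))
    print("chance 10 altered printouts go unnoticed at a 20% check rate:",
          1 - voter_check_detection(0.2, 10))
```

The numbers make the thread's argument concrete: with one bad precinct out of four, auditing two at random catches it only half the time, so the audit sample has to be sized against how many precincts an attacker would need to flip, not picked arbitrarily; and on the print-and-verify side, ten altered printouts at a 20% check rate still slip past everyone about 11% of the time, which is exactly the low-volume alteration the comment warns about.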