
Re: [school-discuss] License for an open-source voting system?



On Wed, 2008-08-13 at 06:47 -0700, Bill Ries-Knight wrote:

> 
> The concern is the possibility, with open source code, that a pre zero
> day flaw is discovered and manipulated in some fashion.  I do suggest
> that the more restrictive the views, the less likely the bad hats of
> hacking will meet up with the bad hats of politics and run some
> nefarious scheme.  You are right in that open source offers
> transparency, but it also opens up that other world.
> 
The existence of a (pre)zero-day exploit is not enhanced by
fully-auditable code. Bear in mind that the proposal is to use a
touchscreen that produces _THE_ hardcopy ballot that is the official
"ballot of record". The airgap between candidate choosing and vote
counting ensures that any flaws are isolated and can be manually
accounted for and solved.
>         
>         With closed but "verified" source this only expands the number
>         of people required to effect fraud by a few. It also makes real
>         programming mistakes (the accidental ones that are going to
>         exist in nearly any project) visible to fewer eyes for
>         resolution.
>  
>  And this is the reason that open source is only a "not so much"  for
> security.  There is a need for anyone with the appropriate level of
> "Need to Know" to be able to look over the source code. 

In the principle of open and fair, ANYONE should be allowed to
participate in the inspection and evaluation of all aspects of the
election process. Can Aunt Mable who doesn't know how to keep her VCR
from blinking 12:00 all the time fully understand how the software is
going to print her choices onto a card and then later scan and identify
those choices? Nope. But she can, if she chooses, learn how. "Need to
know" is the top of the slippery slope argument that restricts access
until the system falls below the current level of untrustworthiness.

>  In the United States there are over 1,000 County/Parish level
> election jurisdictions.  There are 50 States plus the Federal
> Government.  Until now the process has been "Closed Proprietary
> Systems"  where testing is performed in a sterile environment.  The
> vendor prepares the systems and monitors the testing, and no one is
> allowed to see the software that makes the black box run. 
> 
> The Federal Government has an office that takes care of this testing
> and the tests are run behind sealed doors.  Once passed by the Feds,
> that is good enough for everyone.
Nope. The duty of handling elections is left to the states. The Feds can
set minimum standards without which funding is withheld. But only each
individual state can decide how to perform its elections.

What _has_ happened is only a few companies produce election systems
(it's a small market!) and the largest has been caught performing some
horrible practices that everyone who knows anything about computers (and
computer failure rates!) is screaming mad about. There is a rather valid
suspicion that the three main providers have colluded in some ways (one
makes vote makers, one makes vote counters and one makes both) and that
has led to a serious trust issue.
> 
> Only a select few see the process.  This has to come to a
> screeching stop.  
100% agreement!

> If one of those 1,000 plus jurisdictions wants to examine the systems
> for safe stable code, they should be able to do so.  This minimizes
> the closed nature.  But at the same time, would you want the security
> software at a Nuclear Weapons Material Facility for the USA be
> available to international crime syndicates or National Governments
> that have a desire to see some objective met in an election.  Elected
> Government Persons often have access to secure information that would
> otherwise be well above their pay grade.
> 
Closed code means backdoors. People who are proud of their code want
others to look at it and see what they have produced. Peer review is
vital to the growth of real knowledge.  It's hard to hide a backdoor in
code that many people can view. So a transparent OS like Linux with a
python (or bash, perl, java, <your favorite language here>) application
that generates printed cards that are manually counted and machine
counted with an off the shelf transparent OS like BSD or Linux or
freedos with a transparent application that reads the cards and tallies
votes sounds like the best of all worlds to me. Maybe even add in a
mechanical counter as well as the electronic counter.
>         
>         I have come to the conclusion that every aspect of the voting
>         process must be fully open for analysis by everyone. From the
>         design and components of the machines hardware to the process
>         used to count, verify, tally and present the scores, every
>         aspect must be fully available for review by everyone who
>         wants to review it.
>  
> And this is where we disagree.  Not just "Everyone" on the street
> should have access.

Yes. EVERYONE. Right down to Aunt Mable and Uncle Bubba. I am not a
supporter of restricting the freedoms of the many because of the
transgressions of a few. In my mind, that is punishment without trial,
or even a crime being committed. Innocent until proven guilty demands
fully open systems.
> 
>         
>         I personally like the big touchscreen displays. It makes the
>         choosing process quite simple. What I would like to see
>         produced by these touchscreens is only a single, card stock
>         ballot that is printed, in easy to read text, with an
>         <office>=<choice> pattern. This can be verified by humans and
>         quickly counted by machine. We have the technology to do this.
>         Further, I would like to see the counting machines produced by
>         a separate company from those that make the balloting
>         machines. I also want to be able to feed my newly-printed
>         ballot into a counting machine and be able to verify that that
>         machine has correctly read my ballot accurately.
> 
> I too love the touch screens that you mention for the same reasons.
> Yours is a different solution to the hardcopy version of a vouchsafe
> tracking.  The printed rolls, in reality, are more secure because each
> transaction, good or bad, is counted.  With the card there can arise
> other issues.  The big reason that we don't want to have a "free copy"
> of the votes in the wild is the sale of votes.  There are good aspects
> to your solution, but very negative ones as well. 

As the card _is_ the ballot of record, it is never "in the wild". It has
a serial number stub that is separated from the ballot and is counted
separately to act as a checksum of the number of counted ballots. 

Further each ballot has a transaction ID (a timestamp and machine
number) printed at the bottom to identify which ballot machine it was
generated from. Remember, the ballot is ink on paper so the only reason
for this is to track printing issues to a specific machine. 

When was the last time anyone wrote "John Hancock" on a word processing
app and the printer spelled it "Douglas Adams"? That's the simplistic
beauty of the printed paper ballot. As long as Aunt Mable can read it,
she can verify it is the way she wanted it to be.

(Of course, here in Georgia, Aunt Mable has about a 20% chance of not
being able to read the ballot in the first place. The schools need
serious help!)
> 
>         
>         In other words, I want full accountability for every aspect of
>         what the Constitution describes as my right to vote.
>         Closed-source does not, and can not, fulfill that requirement.
>  
> And I agree. TRADITIONAL open source has issues as I noted above.
> Open source, yes.  Universal access, no.  Perhaps there is a need to
> consider a limited access version of a license.

Given that we are discussing the process to provide representation to a
participatory democracy, any limitation on access to process is a denial
of rights that are supposed to be protected. If I can decide that
programmers in FORTRAN are "not qualified" to examine the code that
elects the next batch of decision makers, what's to stop the next batch
from saying that PERL programmers are now deemed "unqualified". Yes,
it's a slippery slope argument but I believe it is one with merit.
Freedom is not something granted once then possessed forever. It appears
that human nature (whatever _that_ means) tries to limit freedoms on
others while expanding freedoms for the self. From a philosophical
perspective, that process is too similar to the feudalism state that did
not benefit the bulk of humanity but greatly enriched a charismatic,
powerful, and often cruel few.
> 
>         
>         >
>         > my FWIW.
ditto :-)
>         >
>         > Bill
>         >
>         > On Mon, Aug 4, 2008 at 3:20 AM, Joel Kahn <jj2kk4@xxxxxxxxx> wrote:
>         >         Here's an angle on FLOSS principles
>         >         applied to electronic voting systems:
>         >
>         >         http://www.freedom-to-tinker.com/?p=1305
>         >
>         >         Be sure to look at the responses; this
>         >         posting really brought lots of analytical
>         >         nerds out of the woodwork.
>         >
>         >         I'm thinking the topic might have educational
>         >         value at the college level--maybe even high
>         >         school? Any ideas for ways to fit this into
>         >         a curriculum somehow?
>         >
>         >         Joel
>         
>         
>         James P. Kinney III
>         CEO & Director of Engineering
>         Local Net Solutions,LLC
>         http://www.localnetsolutions.com
>         
>         GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
>         <jkinney@xxxxxxxxxxxxxxxxxxxxx>
>         Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
>         
>         
>         --
>         This message has been scanned for viruses and
>         dangerous content by MailScanner, and is
>         believed to be clean.
> -- 
> -- 
> Bill Ries-Knight
> Stockton, CA
> 
> SaveStockton.org Just make it better!
> Read The Mayors Blog at http://savestockton.org/blog/mayor
> Why you have the wrong view. http://savestockton.org/chicken.html
> 
> Respect the process, Vote.
-- 
James P. Kinney III          
CEO & Director of Engineering 
Local Net Solutions,LLC                           
http://www.localnetsolutions.com

GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
<jkinney@xxxxxxxxxxxxxxxxxxxxx>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7

