Re: does Diebold have 'quadruple redundancy'?

From: Douglas W. Jones <jones_at_cs_dot_uiowa_dot_edu>
Date: Tue Aug 16 2005 - 09:52:25 CDT

On Aug 15, 2005, at 9:30 PM, Kathy Dopp wrote:

> =He is claiming that Diebold DREs have "quadruple redundancy" - that
> there are 3 computer chip records of every vote plus the paper trail.

This is true, but as I've long said, the mere fact of redundancy does
not mean that it does you any good. ES&S, in Miami last summer,
did a great job of demonstrating how not to use redundancy.

(If the machine found an error in one redundant copy, depending on how
you extracted the data, you got one or another copy, with no indication
which. Software in the central tabulator was unprepared to properly
read all but the default copy, and the misreadings caused symptoms
that could also be interpreted as evidence of fraud. All very strange
but sadly, very typical of how naive programmers handle redundancy.)

So, never trust a claim of redundancy unless you know that the folks
making the claim really understand the use of redundancy. In that case,
they need to explain the use of redundancy.

Here are some simple questions to ask:

1) Does the Diebold system use an atomic update model to guarantee that
proper synchronized update of the redundant memories? They either do or
don't. If they hem and haw about this, it means that they don't
understand
the proper use of redundancy. The term atomic update is a standard
technical term that anyone who knows about fault-tolerant computing
will understand. If Diebold has nobody on hand who understands
fault-tolerant computing, they have no business trying to sell voting
machines.

2) Does the Diebold system conform with open records laws? The open
records laws of many states require that ALL records of an election
be available to the public, if requested. This would include the
redundant
records stored inside the machine. Unless Diebold wants to make a
travesty
of the open records laws, they will have to release documentation
explaining
the format of these records so that someone who requests them can
understand
what they have requested.

3) Does the Diebold system preserve the secrecy of the ballot? If the
vote records in one of the redundant memories are shuffled differently
from the vote records in another redundant memory, investigation of
discrepancies becomes very difficult unless each vote record has an
attached "serial number". If the vote records are stored in order in
the order votes are cast, any observer at the polling place can
reconstruct,
from public records of the election, which ballot went with which voter.
If the vote records are serial numbered with sequential numbers,
including
sequential pseudo-random numbers, there is the possibility of
reconstructing
who voted in what order.

4) The last publicly disclosed information about Diebold's system
suggested
that it was using the Park and Miller's minimal standard pseudo random
number generator. This generator is fine for games and simulation
applications,
but it isn't cryptographically secure. As a consequence, using it to
draw
ballot serial numbers or using it to shuffle the ballots in the
electronic
ballot box does not prevent someone from learning the order in which the
ballots were cast. Has Diebold moved to a cryptographically secure
generator?

                Doug Jones
                jones@cs.uiowa.edu

_______________________________________________
OVC discuss mailing lists
Send requests to subscribe or unsubscribe to arthur@openvotingconsortium.org
==================================================================
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
==================================================================
Received on Wed Aug 31 23:17:26 2005

This archive was generated by hypermail 2.1.8 : Thu Sep 15 2005 - 11:44:12 CDT