Re: "Open Voting Systems" from Irwin Mann in 1993

From: Richard C. Johnson <dick_at_iwwco_dot_com>
Date: Sat Aug 05 2006 - 15:16:44 CDT

Thanks, Joe, for forwarding this precise and prescient argument for open voting systems. The complete absence of anything proprietary, hardware or software (no COTS), is ideal. It remains to be shown that completely adequate "open" computers, using no commercial proprietary parts, are available. No scanners of that description are available, either, to my knowledge.
  One can always advocate for paper untouched by machine fingers and unaccompanied by electronic anything. Less than 1% of voters in the next national election will use paper alone. So, for the present, any real hope of building an understandably open voting environment with some control over known means of frauding must include some degree of commercial, off the shelf components. Only these can, today, replace the proprietary and dedicated voting-specific election equipment many of us would wish not to see used.
  For example, HP, Kodak, and others sell scanners which, with a hosting computer and auxiliary open voting applications, can be replicated, understood, and safeguarded far more than the proprietary and dedicated scanner-based voting machines of today. COTS can be purchased, torn down, and dissected much more easily than the Diebold machine, which became available only by chance.
  Over half of the voters in 2004 used proprietary scanner voting machines; I would argue that COTS hardware and software (no design for voting purpose) plus open source voting applications add up to a step on the road to the ideal, to totally open voting hardware and software.
  I do not believe that the good is the enemy of the best. I would not choose to remain with the bad and wait for the best, if I could get the good. Yes, I want totally open hardware on which I can put open voting applications. But, while I am waiting for the totally open hardware, I would prefer to combine open voting applications with COTS rather than retreat to paper alone.
  I don't believe that proprietary COTS equipment is equivalent to dedicated, proprietary voting equipment as a threat to the integrity of elections. Rather, I believe that COTS plus open voting applications is as good as you can get right now. I also look forward to open hardware designs, including open processors, firmware, and all of the many parts to scanner-based voting systems. Of course, it is important to use COTS in ways that enhance voting security; every existing voting system of any description has flaws and security holes.
  We will see Open Design Hardware some day, just as we now have Open Source available in software. As components become available, I can see more and more of voting systems becoming potentially open. Unless, of course, we stick with today's total proprietary systems for a few more elections...
  -- Dick

Joseph Lorenzo Hall <> wrote:

CFP'93 - Open Voting Systems
by Irwin Mann

New York University

The advent of computer technology will inevitably affect all the
systems that we use for voting and for recording tallies in public
elections. In particular, it is all but certain that voting machines
will tend to become technologically more sophisticated, more
fashionable in design, and likely more expensive. [It may be said here
that the need or advantage of this is not necessarily apparent to the
author.] This evolution will be accomplished in the name of accuracy,
efficiency in recording, flexibility of operation, and the security of
the electoral outcome. It is natural to consider the possible
ramifications of these advances.

It is the security of the electoral outcome which may become most at
hazard. In the absence of the installation of prudent precautions, the
machine and the process shall likely be more vulnerable to large
inadvertent errors, and much more ominously, to electoral fraud. The
essential reason for this is that, with the technological
sophistication, the internal operation of the machine will be less
apparent and therefore less apprehensible by the wider public. It will
be a premise of this paper that the public itself is an - indeed the -
essential watchdog of electoral integrity.

Those forms of discrepancies, error and fraud, except in many
transparent cases, can be almost invisible if the software within the
machine is hidden or uninterpretable. We must determine how the
governance of the operation of the machine can be made accountable to
the public, and provide for the integrity of our electoral process.

In order to establish a context for the discussion, it would be useful
to distinguish among lesser and greater threats to that integrity.
These different levels of threat can be characterized by their
relative visibility, their effect on the election if unchecked, and
the nature of the precautions which are required to thwart them. For
instance, there is a difference in kind between the prospect of
someone voting more than their allotted once, and a clandestine
software "trapdoor" or patch which can be used to transform votes in
unknown ways. Though the law has been violated in both cases, the act
of voting twice is much more detectable in a greater variety of ways,
and is likely to have far less effect. Though all threats, large and
small, should be addressed, it is the larger which requires the higher

It is often proposed that the guardians of software fidelity will be
its vendors together with the administrators of the election (public,
private, or both). But this degree of trust in such matters surely
cannot be, for the future, always warranted. The safeguards must also
include the practiced scrutiny of the public. It is fair to say -
though perhaps shocking to realize - that a government itself is by
far the greatest threat to insufficiently regulated fair elections. It
is upon that premise, among others, that the proposal of this paper

For this and similar reasons, there cannot be a relatively small group
of persons who exclusively have access to, and control over, the inner
workings of an election process. In order to ensure that such an
insulated group cannot occur, we conceive of a condition under which
this insulation is virtually impossible. We provide a paradigm whereby
the voters have relevant access to the accountability of the voting
process. We refer to such a system as an "open voting system".

Such a system is defined as one where:

* every element of every component, both hardware and software, is
in the public domain,

* there are built-in capabilities for independent monitoring of
software, and

* there are institutionalized protocols for public monitoring of
all components and the electoral process, sufficient to find any
hypothetical discrepancy from the intended design, if it should happen
to exist.

In particular, this means that the system can have no proprietary
parts! It is proposed here that as a matter of public policy, every
voting system used for a public purpose shall be "open" in the sense
given above.

This open protocol, in conjunction with the standard protocols of a
rigorous auditing trail, and sufficient redundancy (including the
existence of hard copies of ballots) is essential for full
accountability of the system. It will enable the public to serve as
watchdog in ways foreseen, and ways perhaps not yet foreseen. The
accountability is accomplished by means of the possibility - not
necessarily taken up in many cases - of public monitoring of any or
all of the components of the system. The propriety of this monitoring
must be regularized. The mechanisms for it, as they evolve, must be
put in place. It may occur at times both before and after an election,
according to the discretion of the watchdog itself.

In order to facilitate such potential monitoring, all software
programs must be written in a high-level language, and well-annotated,
so that they may be understood, replicated, and compared. The
compilers used shall be from a standard repertory. These
specifications exist so that there are measures whereby unauthorized
patches on hardware or software may quite likely be detected.

There may be objections that, despite their evident qualities for
accountability, the specifications of an open voting system are not
feasible. Generally, there might be the given reasons:

* there are no vendors who would not insist on proprietary
elements of their voting systems,

* the common knowledge of the working of an open system would make
it more vulnerable to tampering, by newly enabled participants or the
watchdog itself,

* the procedural cost would be unacceptable, and

* the measures would not be certain to detect tampering anyway.

These points, which are themselves conjectural, are perhaps best left
to argue and attempt to resolve in another place.

In the environment of such an open system, any attempt at tampering
with an election would incur a considerable risk of detection. With a
sufficiently diligent and conditioned watchdog, the detection would
become ever more likely. In this sense, these proposed protocols taken
all together are as surely effective as can be expected.

There remains to express a deep personal faith. An electoral process,
with whatever technology, can be made virtually free from error and
fraud, though by its nature there can never be a guarantee of
certainty in such matters. If the system is unremittingly open, there
can come to be full accountability, and correspondingly high public
confidence in the process. This requires sufficient public priority,
or political will, to achieve. Of course there will be costs for this
complete accountability, but those augur to be small in relation to
the rewards. Alternatively, if the system is not open, there can never
be complete accountability and the public will never have complete
confidence in the electoral process. The public itself must be the
ultimate watchdog and guarantor of faithful elections.

Joseph Lorenzo Hall
PhD Student, UC Berkeley, School of Information
OVC-discuss mailing list

= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
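Added example, not part of the message above or of Mann's paper: a small Python audit of the kind of "replicate and compare" check the paper asks for when it says software must be written so that it can be understood, replicated, and compared, and that unauthorized patches should be detectable. A watchdog builds a manifest (path to SHA-256) from the published source tree, builds the same manifest from what is actually installed on a machine, and lists every file that was added, removed, or modified. Both trees, the file names, and their contents are constructed for this example; nothing here is from any real voting system.

```python
from __future__ import annotations
import hashlib
import json
from dataclasses import dataclass, field

# Constructed sample: the published reference source tree (path -> bytes)
# of a hypothetical open voting application, as obtained from the public
# repository. File names and contents are invented for this example.
REFERENCE_TREE = {
    "tally/count.py": b"def count(ballots):\n    return sum(1 for b in ballots if b)\n",
    "tally/report.py": b"def report(n):\n    return f'{n} ballots'\n",
    "config/precinct.json": b'{"precinct": "sample-01"}\n',
}

# Constructed sample: what the watchdog reads off a deployed machine.
# One file has been quietly altered, one is missing, one was added.
DEPLOYED_TREE = {
    "tally/count.py": b"def count(ballots):\n    return sum(1 for b in ballots if b) - 1\n",
    "tally/report.py": b"def report(n):\n    return f'{n} ballots'\n",
    "tally/patch.py": b"# undocumented\n",
}


def file_digest(data: bytes) -> str:
    """SHA-256 of one file's contents, hex encoded."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(tree: dict[str, bytes]) -> dict[str, str]:
    """Map every path in the tree to the digest of its contents."""
    return {path: file_digest(data) for path, data in sorted(tree.items())}


def manifest_digest(manifest: dict[str, str]) -> str:
    """One digest over the whole manifest, using a canonical serialisation
    so that two parties computing it independently get the same value."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return file_digest(canonical)


@dataclass
class Discrepancies:
    added: list[str] = field(default_factory=list)     # present only on the machine
    removed: list[str] = field(default_factory=list)   # present only in the reference
    modified: list[str] = field(default_factory=list)  # same path, different contents

    def is_clean(self) -> bool:
        return not (self.added or self.removed or self.modified)


def compare_manifests(reference: dict[str, str], observed: dict[str, str]) -> Discrepancies:
    """Classify every path that appears in either manifest."""
    d = Discrepancies()
    for path in sorted(set(reference) | set(observed)):
        if path not in reference:
            d.added.append(path)
        elif path not in observed:
            d.removed.append(path)
        elif reference[path] != observed[path]:
            d.modified.append(path)
    return d


def audit(reference_tree: dict[str, bytes], deployed_tree: dict[str, bytes]) -> Discrepancies:
    """Full check: manifest both trees, then diff the manifests."""
    return compare_manifests(build_manifest(reference_tree), build_manifest(deployed_tree))


if __name__ == "__main__":
    result = audit(REFERENCE_TREE, DEPLOYED_TREE)
    print("reference manifest digest:", manifest_digest(build_manifest(REFERENCE_TREE)))
    print("deployed  manifest digest:", manifest_digest(build_manifest(DEPLOYED_TREE)))
    print("clean:", result.is_clean())
    print("added:", result.added, "removed:", result.removed, "modified:", result.modified)
```

The single manifest digest is what a watchdog would publish or compare first; a mismatch says only that something differs, and the per-file comparison then says what. The same procedure applies to compiled artefacts rather than source, provided the build is reproducible (same source, same compiler from the "standard repertory" the paper calls for, byte-identical output); without that property, a differing binary cannot be distinguished from an unauthorized patch.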
Received on Thu Aug 31 23:17:04 2006

This archive was generated by hypermail 2.1.8 : Thu Aug 31 2006 - 23:17:10 CDT