A generic best practice document for New Mexico legislators

From: charlie strauss <cems_at_earthlink_dot_net>
Date: Tue Dec 21 2004 - 12:46:16 CST

I am trying to formulate a best practices document for New Mexico's legislators. This is intended as a terse summary of mandatory items to consider in legislation with specific reccomendations. It is not supposed to be a discussion of issues, tradeoffs or considerations. It's also intended to be vendor neutral and not to overtly prohibit any reasonable vendor. It's not an advertising brochure for OVC. It is a foot in the door and was in fact solicited by govenment officials. We hope to provide a broader discussion document later.

If you have your own best practices documents or links to ones you like or links to effective legislation please send those to me or post them as a reply.

comments are extremely welcome.

(NOTE: The omission of Alan Dechert or others tied directly to OVC implementation from the list of experts is not a slight but was deliberate for the same and obvious reason that I also omitted the CEO of Avante and certain other highly skilled people.)

Electronic Voting System Best Practices Document
Verified Voting New Mexico

Point of Contact: Charlie Strauss http://vvnm.org
 
Basic principles for trustable elections

1) It is not enough that elections be accurate, they have to provably so and in manner transparent to voters.

2) Errors will occur. We must design systems that can recover from errors, not design systems that require unachievable levels of perfection in hardware, software, and operators.

3) Innocent anomalies will occur. Without open systems, errors, fraud, and innocent anomalies can appear indistinguishable; for elections to be trustable we have to be confident we can distinguish these.

To strike an analogy: open meetings laws not only prevent conspiracies they also lead to public trust in governance without all parties having to have blind faith. In any given meeting, the oversight imposed by meetings-laws may seem inconvenient or onerous, but in hindsight it cumulatively leads to a more efficient government because it is trusted.

Get expert advice

        We recommend forming a panel of experts to guide voting system requirements. In particular we can recommend Prof. Avi Ruben (Johns Hopkins), Prof. Doug Jones (Iowa State), Dr. David Jefferson (Lawrence Livermore National Lab), Dr. Rebecca Mercuri, Dr. David Mertz and Prof David Dill (Stanford). Dr. Jefferson has been instrumental in guiding the creation of California’s new standards. Prof. Ruben researches modern voting system security. Prof. Jones has published numerous papers on the subject and critically analyzed touchscreen software errors in Florida. Mertz, Jones and Mercuri have separately laid out design precepts for secure, trustable voting systems with voter verified paper trails.
       The new draft California standards and laws will be a useful reference for New Mexico. Harvard University recently published an election systems best-practices guide that also addresses these issues. If you cannot obtain these directly we can assist you in getting pre-prints.
        We recommend against two advisors preferred by the outgoing Election Director, Denise lamb: many positions advocated by Prof. Ted Selker and Prof. Michael Ian Shamos are widely disputed by their peers in the computer science community.

Twelve essential requirements for trustable electronic voting

1) The voting system shall produce a paper ballot, inspectable by the voter at the time of voting, and secured at the polling place. The voter may spoil the ballot and re-vote if not satisfied the ballot is correct. Spoiled ballots should be retained at the poll, or their absence explained by polling officials (similar to the method used now).

2) Voting software must be freely inspectable by the public in both source code and binary format, without any non-disclosure agreements. By voting software we mean all components: configuration files, application, operating system, peripheral drivers, font files, and all firmware including video subsystems.

3) The Bureau of Elections shall conduct mandatory surprise recounts of the voter- verified records of each election in 1 percent of the jurisdictions immediately following each election. Half should be selected after the elections on a random basis. Half should be from nominations by the candidates. The Bureau shall promptly publish the results of those recounts.

4) If a bar-code is used in place of a text scanner or human to count the paper ballots, then 0.5% of these should be hand counted and compared in detail to the bar codes. Additionally, a bar code reader accessible to voters shall be available in every polling place so that voters may verify their own bar codes. All discrepancies will be published before canvassing.

5) In the event of a discrepancy between any electronic record and the paper record, neither has primacy: a judge informed by experts will decide how to reconcile the difference on the basis of which is most likely to be correct under the specific circumstances in each case. A general policy mandating one form shall not be established, and election officials will not make the decision.

6) Vote storage formats, electronic and paper, shall either be non-proprietary or licensed under fixed and reasonable terms so that alternative vendors can produce compatible voting software and machinery.

7) Ballot secrecy must be preserved. Thus extreme administrative precautions must be taken if roll-tape or time-stamped, or serial-numbered ballots are employed since these preserve vote order. Similarly, electronic records that would enable reverse engineering vote order must be avoided or admistratively secured. Notably, if ballots reveal the voter’s preferred language some precautions should be used to preserve ballot secrecy, since rare languages may indicate ethnicity or identity.

10) Absolutely no voter receipts — vote confirmation records taken home by a voter — shall be produced including “secure” cryptographic records.

11) Absolutely no remote communications or networking of machines. All data ports on the machine must be physically secured with tamper evident seals. Exposed data cables should be armored

 12) All vote and audit records as well as all ballot configuration files should include standard good-practices such as checksums and digital signatures so that every file can be validated by any software reading it. Notably this includes all vote processing software not just the voting terminal software.

Fourteen additional recommended best-practices

1) Legislation should distinguish between ballot marking devices, ballot storage systems, ballot readers, ballot counters, and Ballot databases. At present these separate functions are somewhat conflated in NM laws.

2) All machine audit logs should be written to non-volatile, write-once media, signed by witnesses and physically secured in the machine with tamper evident seals. An example of this would be a paper tape or a write-once CD-r. Audit logs shall be published promptly.
3) To hold an election when a known bug exists, the SOS must identify the risk and certify countermeasures and each clerk must certify that the countermeasures are in place. All bugs, countermeasures and certification shall be published before an election is canvassed.

4) All software and operating systems should follow software design best practices, and notably all data records should be read into memory using a no-execute protocol available on modern CPUs, and any writable storage devices should be mounted using no-execute protocols. (In the event of a software error, no-execute protocols prevent accidental execution of portions of memory meant to store data and not programs.)

5) To allow a machine to securely self-witness it’s own data: before any electronic vote storage devices are removed from a machine or the any device is connected to the machine after an election, the machine itself should write the vote records to a write-once non-volatile medium (CD-R) that was signed in advance by the election judges or other witnesses.

6) All software used by the machine should be loaded into the machine memory from non-writable media physically secured inside the machine and not accessible to any poll worker. This could include CD-roms or could include hard disks or flash memory whose write-functions have been physically disabled. The media should be encased in tamper evident seals and all randomly audited machines should have the software-containing device audited to insure that the binary software matches the certified software.

7) The voting machine should produce an audible ding (or flashing lamp) audible (or visible) to both the voter and election officials whenever a valid paper ballot is produced. If a voter walks away without producing a ding or otherwise not depositing a ballot election officials should try to inform them a ballot has not been cast. The ding also inhibits voters with multiple stolen terminal activation cards from voting multiple times unobserved.

8) Parallel testing. At random on Election Day itself machines will be selected and pulled from operation. Teams of testers will vote on the machines under conditions simulating election conditions and patterns (including environmental factors). These should be video taped and the intended votes compared to the recoded votes with any discrepancies reconciled with the video.

9) In a similar vein the computer should have no means of estimating the true date beyond what is entered by a user via a single portal. Examples of hidden alternate time keeping include, battery drain, IR light sensors, AC wall voltage, and the clocks onboard peripheral devices such as the graphics card or power management units.

10) Screen calibration validation periodically throughout Election Day. Anomalies logged

11) Line voltage logging on Election Day.

12) Cameras, particularly the voter’s own camera, are not permitted in the voting booth. This prevents spying, intimidation and vote-selling.

13) Sufficient voting machines to deal with 100% turnout and reasonable failure rates should be available.

14) Policies for abnormal conditions such as printer malfunction or machine malfunction should be established and published by the SOS prior to elections.

Future issues
        In the future we anticipate the development of a hardware technology known as a “trusted computing platform” to emerge. This technology will allow a computer to self-validate it’s own software and hardware have not been tampered with and greatly enhance security. At present this technology is NOT available. However legislation should be designed foster migration of this technology when it becomes available. Legislation can be designed now to anticipate securing the new key hardware devices that enable this platform.

_______________________________________________
OVC discuss mailing lists
Send requests to subscribe or unsubscribe to arthur@openvotingconsortium.org
==================================================================
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
==================================================================
Received on Fri Dec 31 23:17:18 2004

This archive was generated by hypermail 2.1.8 : Fri Dec 31 2004 - 23:17:22 CST