Re: A generic best practice document for New Mexico legislators

From: Kathy Dopp <kathy_at_directell_dot_com>
Date: Tue Dec 21 2004 - 13:59:07 CST

charlie strauss said:
> I am trying to formulate a best practices document for New Mexico's
> legislators.

Charlie,

This is great! Would you please attach a copy to me when you are done so
that I can customize it for Utah and give it to our incoming Lt. Governor
when I meet with him in early January, and post it on
http://utahcountvotes.org ?

I am happy to leave your name on it as the author when I present it, and
to add my name on it if you think it would help or is warranted.

If it might help you, there are a few recommendations that you may/may not
want to look at that a group of about 20 computer scientists made to Utah,
re its RFP etc. linked from the same home page
http://utahcountvotes.org
under a section heading
"What Utah's Computer Scientists Have Recommended to Utah"
but that includes comments from folks like David Dill, Dan Wallach, etc.

Unfortunately I do not have time to help draft your doc as I'm buried in
doing chores for http://uscountvotes.org We're about a week out from
getting our archival system in the testing phase.

Best,

Kathy

>
> comments are extremely welcome.
>
> (NOTE: The omission of Alan Dechert or others tied directly to OVC
> implementation from the list of experts is not a slight but was
> deliberate for the same and obvious reason that I also omitted the CEO
> of Avante and certain other highly skilled people.)
>
> Electronic Voting System Best Practices Document
> Verified Voting New Mexico
>
> Point of Contact: Charlie Strauss http://vvnm.org
>
> Basic principles for trustable elections
>
> 1) It is not enough that elections be accurate, they have to provably so
> and in manner transparent to voters.
>
> 2) Errors will occur. We must design systems that can recover from
> errors, not design systems that require unachievable levels of
> perfection in hardware, software, and operators.
>
> 3) Innocent anomalies will occur. Without open systems, errors, fraud,
> and innocent anomalies can appear indistinguishable; for elections to be
> trustable we have to be confident we can distinguish these.
>
> To strike an analogy: open meetings laws not only prevent conspiracies
> they also lead to public trust in governance without all parties having
> to have blind faith. In any given meeting, the oversight imposed by
> meetings-laws may seem inconvenient or onerous, but in hindsight it
> cumulatively leads to a more efficient government because it is trusted.
>
> Get expert advice
>
> We recommend forming a panel of experts to guide voting system
> requirements. In particular we can recommend Prof. Avi Ruben (Johns
> Hopkins), Prof. Doug Jones (Iowa State), Dr. David Jefferson (Lawrence
> Livermore National Lab), Dr. Rebecca Mercuri, Dr. David Mertz and Prof
> David Dill (Stanford). Dr. Jefferson has been instrumental in guiding
> the creation of California’s new standards. Prof. Ruben researches
> modern voting system security. Prof. Jones has published numerous
> papers on the subject and critically analyzed touchscreen software
> errors in Florida. Mertz, Jones and Mercuri have separately laid out
> design precepts for secure, trustable voting systems with voter
> verified paper trails.
> The new draft California standards and laws will be a useful
> reference for New Mexico. Harvard University recently published
> an election systems best-practices guide that also addresses
> these issues. If you cannot obtain these directly we can assist
> you in getting pre-prints.
> We recommend against two advisors preferred by the outgoing Election
> Director, Denise lamb: many positions advocated by Prof. Ted Selker and
> Prof. Michael Ian Shamos are widely disputed by their peers in the
> computer science community.
>
> Twelve essential requirements for trustable electronic voting
>
> 1) The voting system shall produce a paper ballot, inspectable by the
> voter at the time of voting, and secured at the polling place. The
> voter may spoil the ballot and re-vote if not satisfied the ballot is
> correct. Spoiled ballots should be retained at the poll, or their
> absence explained by polling officials (similar to the method used now).
>
> 2) Voting software must be freely inspectable by the public in both
> source code and binary format, without any non-disclosure agreements.
> By voting software we mean all components: configuration files,
> application, operating system, peripheral drivers, font files, and all
> firmware including video subsystems.
>
> 3) The Bureau of Elections shall conduct mandatory surprise recounts of
> the voter- verified records of each election in 1 percent of the
> jurisdictions immediately following each election. Half should be
> selected after the elections on a random basis. Half should be from
> nominations by the candidates. The Bureau shall promptly publish the
> results of those recounts.
>
> 4) If a bar-code is used in place of a text scanner or human to count
> the paper ballots, then 0.5% of these should be hand counted and
> compared in detail to the bar codes. Additionally, a bar code reader
> accessible to voters shall be available in every polling place so that
> voters may verify their own bar codes. All discrepancies will be
> published before canvassing.
>
> 5) In the event of a discrepancy between any electronic record and the
> paper record, neither has primacy: a judge informed by experts will
> decide how to reconcile the difference on the basis of which is most
> likely to be correct under the specific circumstances in each case. A
> general policy mandating one form shall not be established, and election
> officials will not make the decision.
>
> 6) Vote storage formats, electronic and paper, shall either be
> non-proprietary or licensed under fixed and reasonable terms so that
> alternative vendors can produce compatible voting software and
> machinery.
>
> 7) Ballot secrecy must be preserved. Thus extreme administrative
> precautions must be taken if roll-tape or time-stamped, or
> serial-numbered ballots are employed since these preserve vote order.
> Similarly, electronic records that would enable reverse engineering vote
> order must be avoided or admistratively secured. Notably, if ballots
> reveal the voter’s preferred language some precautions should be used to
> preserve ballot secrecy, since rare languages may indicate ethnicity or
> identity.
>
> 10) Absolutely no voter receipts — vote confirmation records taken home
> by a voter — shall be produced including “secure” cryptographic records.
>
> 11) Absolutely no remote communications or networking of machines. All
> data ports on the machine must be physically secured with tamper evident
> seals. Exposed data cables should be armored
>
> 12) All vote and audit records as well as all ballot configuration
> files should include standard good-practices such as checksums and
> digital signatures so that every file can be validated by any software
> reading it. Notably this includes all vote processing software not
> just the voting terminal software.
>
> Fourteen additional recommended best-practices
>
> 1) Legislation should distinguish between ballot marking devices, ballot
> storage systems, ballot readers, ballot counters, and Ballot databases.
> At present these separate functions are somewhat conflated in NM laws.
>
> 2) All machine audit logs should be written to non-volatile, write-once
> media, signed by witnesses and physically secured in the machine with
> tamper evident seals. An example of this would be a paper tape or a
> write-once CD-r. Audit logs shall be published promptly. 3) To hold an
> election when a known bug exists, the SOS must identify the risk and
> certify countermeasures and each clerk must certify that the
> countermeasures are in place. All bugs, countermeasures and
> certification shall be published before an election is canvassed.
>
> 4) All software and operating systems should follow software design best
> practices, and notably all data records should be read into memory using
> a no-execute protocol available on modern CPUs, and any writable storage
> devices should be mounted using no-execute protocols. (In the event of
> a software error, no-execute protocols prevent accidental execution of
> portions of memory meant to store data and not programs.)
>
> 5) To allow a machine to securely self-witness it’s own data: before any
> electronic vote storage devices are removed from a machine or the any
> device is connected to the machine after an election, the machine itself
> should write the vote records to a write-once non-volatile medium (CD-R)
> that was signed in advance by the election judges or other witnesses.
>
> 6) All software used by the machine should be loaded into the machine
> memory from non-writable media physically secured inside the machine and
> not accessible to any poll worker. This could include CD-roms or could
> include hard disks or flash memory whose write-functions have been
> physically disabled. The media should be encased in tamper evident
> seals and all randomly audited machines should have the
> software-containing device audited to insure that the binary software
> matches the certified software.
>
> 7) The voting machine should produce an audible ding (or flashing lamp)
> audible (or visible) to both the voter and election officials whenever a
> valid paper ballot is produced. If a voter walks away without producing
> a ding or otherwise not depositing a ballot election officials should
> try to inform them a ballot has not been cast. The ding also inhibits
> voters with multiple stolen terminal activation cards from voting
> multiple times unobserved.
>
> 8) Parallel testing. At random on Election Day itself machines will be
> selected and pulled from operation. Teams of testers will vote on the
> machines under conditions simulating election conditions and patterns
> (including environmental factors). These should be video taped and the
> intended votes compared to the recoded votes with any discrepancies
> reconciled with the video.
>
> 9) In a similar vein the computer should have no means of estimating the
> true date beyond what is entered by a user via a single portal.
> Examples of hidden alternate time keeping include, battery drain, IR
> light sensors, AC wall voltage, and the clocks onboard peripheral
> devices such as the graphics card or power management units.
>
> 10) Screen calibration validation periodically throughout Election Day.
> Anomalies logged
>
> 11) Line voltage logging on Election Day.
>
> 12) Cameras, particularly the voter’s own camera, are not permitted in
> the voting booth. This prevents spying, intimidation and vote-selling.
>
> 13) Sufficient voting machines to deal with 100% turnout and reasonable
> failure rates should be available.
>
> 14) Policies for abnormal conditions such as printer malfunction or
> machine malfunction should be established and published by the SOS prior
> to elections.
>
> Future issues
> In the future we anticipate the development of a hardware technology
> known as a “trusted computing platform” to emerge. This technology
> will allow a computer to self-validate it’s own software and hardware
> have not been tampered with and greatly enhance security. At present
> this technology is NOT available. However legislation should be
> designed foster migration of this technology when it becomes available.
> Legislation can be designed now to anticipate securing the new key
> hardware devices that enable this platform.
>
>
>
>
>
> _______________________________________________
> OVC discuss mailing lists
> Send requests to subscribe or unsubscribe to
> arthur@openvotingconsortium.org

-- 
Kathy Dopp
US Count Votes
http://USCountVotes.org
I am a firm believer in the people. If given the truth they can be
depended upon to meet any national crisis. The great point is to bring
them the real facts” Abraham Lincoln
This message (and any associated files) is intended only for the use of
the recipient and may contain information that is confidential. You should
not disseminate, distribute or copy this email.
_______________________________________________
OVC discuss mailing lists
Send requests to subscribe or unsubscribe to arthur@openvotingconsortium.org
==================================================================
= The content of this message, with the exception of any external 
= quotations under fair use, are released to the Public Domain    
==================================================================
Received on Fri Dec 31 23:17:18 2004

This archive was generated by hypermail 2.1.8 : Fri Dec 31 2004 - 23:17:22 CST