Re: code validation?

From: Ron Crane <voting_at_lastland_dot_net>
Date: Wed Feb 23 2005 - 15:33:14 CST

On Feb 23, 2005, at 10:50 AM, David Mertz wrote:

> On Feb 23, 2005, at 12:03 PM, Ron Crane wrote:
>> Nonetheless states increasingly are choosing to allow widespread
>> absentee voting, and, as noted, Oregon conducts all its elections by
>> mail. Obviously they don't see vote buying as a significant problem
>> relative to the benefits of widespread absentee/mail-in voting.
>> Thus...
> Well... if we adopted a purely Hegelian "The Real is the Rational"
> approach, we could equally note that:
> "States are increasingly choosing unauditable, proprietary DREs.
> (Georgia conducts all its...)"
> Hopefully the 'increasingly' part isn't true any more. But in
> general, I don't think we can make a direct deduction from what states
> *are* doing to what they *should be* doing.

I wasn't as clear as I should have been. The argument I meant to make
was that states are unlikely to object to EEVV on the grounds of vote
buying, since they're increasing their use of other techniques that
also allow vote buying. But see below.

>> I'm afraid I don't see EEVV's "numerous new vulnerabilities". It's
>> the exact same vulnerability as widespread absentee/mail-in voting,
>> no more and no less.
> An absentee ballot must be verified by the buyer/coercer at the moment
> it is sealed in the envelope. A receipt for votes may be verified at
> ANY time after it is issued (or at least after its code is posted
> publicly).
> Just one scenario:
> (1) Thug/Crime boss goes around to all the houses in the neighborhood,
> and tells each resident that he would "really appreciate" a vote for
> him as mayor (what a pretty family they have too). He suggests they
> can further discuss their votes later.
> (2a) Absentee system: Voter seals ballot in envelope at time (election
> minus N). If no assistant thug is watching them, they will perhaps
> vote for Ms. Honesty-Integrity instead. In subsequent conversation,
> they can *tell* Mr. Crime-Boss they voted for him (need good poker
> face, maybe).
> (2b) Vote receipt system: Voter votes at polls and takes home magic
> code number. No assistant thug is watching. At some (any) subsequent
> time, Mr. Crime-Boss visits voter and says he would be very curious to
> see the voter's receipt.
> The latter system provides much greater scheduling convenience for
> vote coercers (or buyers who want proof too).

Ah, point well taken. Now, is there any way to address it? An
encryption-based approach [1] solves that problem, but re-introduces
the very security hole we're trying to fix, plus it makes verification
much more time-consuming. I've got to think more deeply about
alternatives. What if we simply increased the penalties and enforcement
for vote coercion? Would that be an effective use of law? My tendency
would be to say, "mostly". Why? Because most people understand vote
coercion, agree that it's possible, and agree that it's wrong.

>> Eek! Such a proliferation of vendors will fragment the open-source
>> review community and thereby make it much more likely that there
>> won't be enough interested people available to know about and review
>> every change.
> A vendor need not modify the code necessarily.

But it could. And ROM-based cheating might be very difficult to

>> And law is often a remarkably weak tool to enforce compliance with
>> complex procedures. How would you write a statute requiring a vendor
>> to incorporate all significant security fixes? How would the
>> enforcement clause read? Could you get a TRO (temporary restraining
>> order) forcing the inclusion of a fix? Is a judge going to understand
>> what the hell you're talking about, or will she refuse the TRO and
>> let the case go to trial behind 2 years' worth of criminal docket?
>> Speaking of which, will there be criminal penalties? Will they really
>> be enforced?
> Law is complicated; we have a number of excellent lawyers on this group
> who can attest to that.
> But at a certain level, some details are of necessity regulatory
> rather than statutory. But this is nothing new, as such:
> Certification of election systems is already a complex system (and
> different between states)--it may not work to the standards we would
> like, but that's not because it's too *simple* to do so.
> Ideally, a SoS (or whatever office a particular state delegates this
> to) would certify a particular software version by hash. That is: If
> its SHA-1 is 0xa3902cf..., it is certified. Otherwise, it is not
> certified (and illegal to use in elections).

That won't do anything to prevent ROM-based attacks by vendors.

> Now, yeah... laws can still be broken. And judges--who are, as a
> rule, quite smart people--still need to weigh facts, and make
> decisions. Whether a TRO is an appropriate remedy is very fact driven
> by a particular circumstance: I can't categorically say "always/never
> issue TROs."

As a lawyer, I can say that unless you show a judge a very clear
violation of a very clear right, she won't issue a TRO. She'll let the
case proceed, possibly considering an injunction after some discovery
(months later), or maybe not until after trial (years later). It's
going to be difficult to craft a mechanism to force a vendor to
incorporate changes it doesn't want to incorporate, no matter how
meritorious those changes are. Perhaps the "Secretary of State's
Election Committee" you describe below would be enough. Perhaps.

> Significant violation of law, as a rule, should indeed be met with
> criminal penalties, IMO.
>> Many of these violations are felonies under Ohio law, but I haven't
>> heard a peep about prosecutions.
> Sure. Laws are not always well or uniformly enforced. That's bad;
> but I'm still not quite willing to give up the system of law just yet.
> What else have we got?!

I'm not giving up on it. But neither do I think we should try to
stretch it beyond its natural boundaries. This is one of the reasons I
think OVC should become the sole vendor of systems based upon its
software, at least initially.


[1] e.g. The system encrypts the voter's choices and prints the result
in the newspaper. The voter gets half of the key required to decrypt it
to reveal the choices, and the elections staff keep the other half. The
voter verifies the result in person at elections offices, and no one
else (e.g. an enforcer) is allowed to be present.
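An added sketch of the split-key receipt scheme described in footnote [1]. It is not code from the original message or from OVC; it assumes the key is split into two XOR shares (one held by the voter, one by the elections office) and that the published record is encrypted with an HMAC-SHA256 counter-mode keystream derived from the recombined key.

```python
import hashlib
import hmac
import os

# Constructed example: the key is split into two XOR shares, one for the
# voter and one for the elections office. The cipher is a keystream from
# HMAC-SHA256 in counter mode over the recombined key (an assumption; the
# footnote does not name a cipher). Each key is used for one ballot only.

def split_key(key: bytes):
    # Either share alone is uniformly random and reveals nothing about key.
    share_a = os.urandom(len(key))
    share_b = bytes(k ^ a for k, a in zip(key, share_a))
    return share_a, share_b

def combine_shares(share_a: bytes, share_b: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(share_a, share_b))

def keystream(key: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def xor_with_keystream(key: bytes, data: bytes) -> bytes:
    return bytes(d ^ k for d, k in zip(data, keystream(key, len(data))))

def record_ballot(choices: str):
    # Returns (ciphertext to publish, voter's share, office's share).
    key = os.urandom(32)
    voter_share, office_share = split_key(key)
    ciphertext = xor_with_keystream(key, choices.encode())
    return ciphertext, voter_share, office_share

def reveal_in_person(ciphertext: bytes, voter_share: bytes, office_share: bytes) -> str:
    # Run only at the elections office, with both shares present and
    # nobody else in the room, as the footnote requires.
    key = combine_shares(voter_share, office_share)
    return xor_with_keystream(key, ciphertext).decode(errors="replace")

def coercer_attempt(ciphertext: bytes, voter_share: bytes) -> bytes:
    # What someone holding only the voter's share and the published
    # ciphertext can recover: the share is independent of the key, so
    # the result is noise rather than the voter's choices.
    return xor_with_keystream(voter_share, ciphertext)

if __name__ == "__main__":
    ct, vs, osh = record_ballot("Mayor: Ms. Honesty-Integrity")
    print(reveal_in_person(ct, vs, osh))
```

The receipt the voter carries home (the voter share) is useless to a coercer on its own, which is the property the footnote relies on; the cost is that checking the vote requires a visit to the office.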

OVC discuss mailing lists
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
Received on Sun Feb 27 17:17:12 2005

This archive was generated by hypermail 2.1.8 : Sun Feb 27 2005 - 17:17:13 CST