Re: what would model legislation require?

From: Arthur Keller <arthur_at_kellers_dot_org>
Date: Wed May 19 2004 - 01:59:28 CDT

At 12:57 AM -0400 5/19/04, Teresa Hommel wrote:
>Hi Everyone,
>I live in New York, and I have been going to Albany, our state
>capital, to observe our HAVA conference committee composed
>of members of our NY Assembly and NY Senate.
>They are about to address voting system standards.
>I have already provided them with a list of suggestions, and
>I was asked today for any other specific provisions I would
>like to suggest. Below are some questions, and the list of
>suggestions I already gave them.
>If anyone would like to help, please send me your ideas.
>Our Assembly bill is the Voting Systems Standards Act of 2004, A8847-A
>Our Senate bill is the Voting Machines Modernization Act of 2004, S6207
>The bills are quite different, but both require a voter-verified paper
>audit trail. Printing a ballot which the voter can verify is one thing,
>but counting the paper is another. To my thinking, a professional-
>quality independent audit of any election would require counting
>100% of the ballots. I have spoken to many people, and very
>few like the idea of counting ballots.
>Teresa Hommel
>==Here are my specific questions for anyone who can reply==
>1. Is there anything else I should ask for? What would model legislation
>2. Why is open source more secure than secret software? Is
>there an already-written plain-language explanation that I can

Security through obscurity is simply bad
security. Security that can withstand scrutiny
is secure indeed. The only way to ensure the
faith of the technical community is to make the
software publicly available. However, people of
the copyright issues and the potential for
lawsuits if the code is reused for something
else, the greatest pool of software inspectors
will be harnessed by mailing all the code for the
voting machines and canvassing systems open
source. Note that it is not only the voting
machine software that must be made publicly
available, but also all the canvassing software.

>3. I said that Sequoia uses different software for their machine
>tests and their real elections. Is there any published evidence for
>this other than Jeremiah Akin's report?
>I heard that another manufacturer also does that. Which one?
>4. Why is a requirement for "chain of custody" documentation, or
>"control of the chain of custody" NOT a protection from software
>tampering? I said (1) it won't protect against intentional insider
>tampering (2) it won't protect against innocent errors in software
>(3) it is impossible to monitor and enforce. You are basically asking
>someone to tell you "who had the software" and they are telling you
>something plausible, and there is no way to know if it is true.

It is important that the software use checksums,
like MD5, that are obtained at the point of
certification and are inspectable at each voting
machine. The New York Times can publish the
checksums of each voting machine approved for use
in New York State. That's the best way to ensure
that certified software, that has not been
tampered with, is in use.

>5. One fellow I spoke with thought it would take a lot of expertise
>to modify election results. I recall reading somewhere that the
>ballots were stored in an Access data base, and could be
>modified by anyone without even a password. For which
>system(s) is this true? Is it only Diebold? Since it was reported
>a while back, is it still true?

GEMS uses file formats compatible with Access.

>====here are the suggestions I already made====
>A total ban on wireless communication devices in the voting and
>tabulating equipment.
>Specific provisions to require inclusion of independent computer
>professionals and computer scientists.
>A provision guaranteeing voters and/or candidates the right to petition
>for and obtain manual recounts before certification of the winner of an
>Legally binding guidelines for recount/audit standards:
>---- If the recount of one machine shows inaccuracies, all machines of
>the same manufacturer and model with the same ballot must be recounted.
>----A fixed percentage of precincts should be subject to random recount
>audits using primary voter-verified paper documents. (This is already
>in the bills passed by the Assembly and the Senate.)

Which precincts are to be randomly recounted
should be determined after the election.

>----The selection of precincts will be made using random selection
>techniques comparable to those used in public state lotteries.
>----The process of randomly selecting precincts will be conducted in
>open session, scheduled a specified number of days in advance, and
>announced publicly so that both interested public and press may attend.
>----In addition to random audits, each political party on the ballot
>will be allowed to designate a pre-determined number of specific
>precincts for routine audit.
>----All recounts will be open to observation by the public and press.
>Vendors of computerized voting systems must be held accountable and
>penalties specified if:
>----Vendors sell certified systems but deliver different, uncertified
>----Vendor technicians fail to report in advance any change to voting
>systems, including hardware, software, or other parts.
>----Vendor technicians fail to get certification or evaluation for
>security purposes in advance of making changes.
>----Vendor’s equipment fails or malfunctions during an election,
>placing an unanticipated financial burden on the Board of Elections
>and the State or community. This should include complete
>reimbursement of costs incurred, up to and including the
>cost of a complete restaging of the election.
>The following must be freely available for public examination in
>computer-readable form and posted on the state Board of Elections
>website for viewing and downloading:
>----Certification reports from Independent Testing Authorities
>----All software used in the voting systems

including in the voting and other machines at the
polling place, plus the canvassing systems at the
county and state.

>Prior to initial use of computerized voting systems, local and county
>Board of Election staff must be trained to handle technical aspects of
>the computerized equipment and management of secure computer systems.
>Ongoing training must be required to handle new security risks, and for
>new staff.

HAVA money should be spent on SUNY researchers performing threat analyses, etc.

>Specific provision to guarantee adequate funding for this training must
>be made.

Arthur M. Keller, Ph.D., 3881 Corina Way, Palo Alto, CA  94303-4507
tel +1(650)424-0202, fax +1(650)424-0424
= The content of this message, with the exception of any external 
= quotations under fair use, are released to the Public Domain    
Received on Mon May 31 23:17:53 2004

This archive was generated by hypermail 2.1.8 : Mon May 31 2004 - 23:18:16 CDT