When Computers Vote

From: Alan Dechert <dechert_at_gmail_dot_com>
Date: Thu Sep 22 2005 - 17:00:37 CDT

I almost forgot about this interview.

I found this here (free registration):
http://www.byte.com/documents/s=9553/byt1126553342899/0912_woehr.html

**************
When Computers Vote
By Jack J. Woehr
September 12, 2005

The Open Voting Consortium describes itself as "a non-profit
organization dedicated to the development, maintenance, and delivery of
open voting systems for use in public elections." To this end, the OVC
is designing voting stations, ballot counting equipment, and open source
software to run fair and auditable elections. They started with the
voting machines themselves, with an open source project appearing on
SourceForge as the Electronic Voting Machine Project.

Their efforts have garnered some notable attention in California and in
the national press. Could this be the answer to the crisis of confidence
in electronic voting in the United States? With this question in mind, I
spoke by phone with Open Voting's Alan Dechert (President and CEO),
Arthur Keller (OVC Co-founder and Secretary), and David Mertz (Vice
President and CTO, also author of the IBM Developer Works column
"Charming Python").

BYTE.com: Electronic voting is in trouble, down to the encryption issues
[see "A Conversation with Avi Rubin," Dr. Dobb's Journal, November,
2004]. Can you tell us please what got you started actually working on a
solution to this problem?

Alan Dechert: I was a consultant for Sacramento County, California in
2000. When the election mess happened, I had an idea for building a
better voting machine using commodity components and open source
software. I wanted to employ the printed ballot architecture. You print
out your ballot in our system, and that's what you vote with, that's
what you take and put in the ballot box. That's one of the main pieces
of my idea.

Another piece was adhering to the accessibility requirements for new
voting equipment. I wanted to see one system, not one system for people
who can't read, or who are blind, and another machine for normally
sighted people. You should not be able to distinguish whether the ballot
was printed by someone who can read or not.

I tried to sell the idea of a pilot program for Sacramento County to the
Powers That Be. To summarize a very long journey, every step along the
way it was, "You have a very good idea, but you need to talk to
so-and-so." The county sent me to the secretary of state, the secretary
of state said to talk to the legislature, the governor. Over time, I got
a lot of runaround, but on the other hand, I picked up supporters on the
way who wanted to join the project with the idea that eventually we were
going to use public money to build public software that anybody can use,
freely available not only to inspect, but to download and do whatever
you want with it.

I didn't see why I should have to build a demo on my own dime, but then
Arthur Keller came along and said, "You do have to build a demo on your
own dime." That's where David came into the picture, about two years
ago. We put out some feelers about what language we should use for our
demo. The Python community responded. David is an influential author in
that community.

So Arthur Keller and Doug Jones of the University of Iowa and I
formalized this organization as a non-profit corporation. Doug brought
with him considerable expertise in the voting arena and good credentials
in computer security.

BYTE.com: Is the paper ballot integral, or are you also working on the
feasibility of making an all-electronic system auditable and secure?

Dechert: We feel the paper ballot to be imperative, because it's
imperative that people understand and trust what happens to their vote.
A paperless system means a large percentage of people will not
understand what's happening. I wouldn't rule out a paperless system in
the future, but right now it's not something I'd even consider.

Arthur Keller: A reliable system has multiple representations of the
data. In a transaction system, a committed transaction is written to
"stable storage," stable because there are multiple copies, e.g., a
record in the log and a record in the database. If all records are
stored on one component, there is a degree of reduced security.

BYTE.com: A single point of failure.

Keller: On the other hand, a record stored in multiple places, on paper
and in a computer record, it's more likely the record is immutable,
because the paper trail is harder to change. Paper trails of computer
voting are a wonderful advance over direct recording electronic voting
devices, but paper trails are hard to recount.

So our proposal is that the paper itself be the ballot. If the official
thing is the computer memory and the paper is the backup, then you get
into all this complexity about putting it under glass so that you have a
tamper-free paper trail. But if the paper ballot is the official thing,
then there's no reason the voter can't hold onto their ballot, look at
it, put it to another device to verify what the ballot says for those
who are reading-impaired or visually impaired, and then physically place
it in a ballot box to cast it. Going from the official ballot being
computer bits to the official ballot being the paper ballot that people
know and love. "I'm going to take this paper ballot and put it in the
box, and that's casting my ballot." People understand that intuitively.
They know that unless and until they place that paper ballot in the
ballot box, it is not cast.

David Mertz: From a security analysis perspective, there's a fundamental
flaw with direct recording electronic (DRE) systems like those
manufactured by Diebold and Sequoia and ES&S. Some DRE systems also
possess a voter-verified paper audit trail (VVPAT), as distinguished
from a ballot printer system. These latter also possess incidental
flaws, such as the paper trail being printed on a continuous roll of
paper of poor quality, perhaps a thermal roll which has longevity
concerns.

But the fundamental flaw for security and transparency is the question
of what is the fundamental representation of a vote. That term,
"fundamental representation," is a term the Election Assistance
Commission (EAC), created by the Help America Vote Act (HAVA), uses.

Dechert: The UNDERFUNDED and LATE-CREATED Election Assistance
Commission!

Mertz: There's a joint publication of the EAC and the National Institute
of Standards and Technology (NIST) that defines terms. "Fundamental
representation" means "what counts as the official vote." In VVPAT
systems, the fundamental representation is on the electronic media. The
audit trail is a secondary verification. If there's a discrepancy, the
electrons win.

If a voter is to look at a representation, the voter can't look at
electrons, only paper. For true verifiability and transparency of the
election process, you need the representation that the voters look at,
i.e., the paper, to be the fundamental representation. Where paper is
the fundamental representation, that's a ballot printer, and that's what
the OVC system is.

BYTE.com: So the paper that the voter held in his or her hand, mentally
verified and threw it in the box because "this is my vote" should really
be the vote.

Mertz: Exactly. Direct equivalency between what is verified and what is
official.

BYTE.com: How is the project set up?

Keller: What we showed in April, 2004 was a demonstration of an
Electronic Ballot Printer (EBP) architecture.

Mertz: ...Produced by volunteers with the software being EVM2003 from our
SourceForge project.

BYTE.com: Is that still the main open source project?

Keller: The process has to be end-to-end. It can't just be open source
in the precinct. It also has to be open source in the tabulation. So,
putting aside EVM2003 (the voting machine itself) for the moment - though
some people are still working on it - we are now focusing on making the
central tabulator open source, which will help even with VVPAT systems.

BYTE.com: Is there already a SourceForge project for the central
tabulator?

Keller: We're working on design and specifications. We haven't created a
repository yet.

BYTE.com: So to some extent you're parking the voting machine, out of
limited resources, and building the second part of the system, a
tabulator, without which the first part would never be adopted?

Keller: When we started out, people wanted to see what we were talking
about, so that meant the voting machine, which you can touch. Now we're
going to the center and working our way outwards.

We're currently working on a plan with multiple phases. The first phase
is to build an open source central tabulator which could be adopted even
by the current vendors to improve their systems. We'd be happy to work
with them towards that. The second phase is to build an open source
central bulk optical scanner that works with the central tabulator. The
third phase is precinct-based optical scan to allow realtime
computerized overvote validation and precinct tallying of the ballot.

Dechert: We're not talking about scanners that only work with our stuff.
We're talking about scanners that work with ballots produced on any
system. That's a departure we made just in the past year.

Keller: And phase four is to use our own EBP architecture to generate
the ballot.

BYTE.com: At which point you've open sourced the entire chain.

Keller: But even if we don't reach the point of open sourcing the entire
chain, we have still improved the process, because the thing you feed
into our tabulation system is always a checkable paper ballot. Also, our
design is to have the system make an image of the ballot as you feed it in
at the precinct to be tallied, so you can't have ballot stuffing after
leaving the precinct.

Mertz: An advantage of using our EBP over other EBP or simple
ballot-marking systems is that we can include a cryptographic hash code.

BYTE.com: Encoded in bar codes on paper.

Mertz: ...And in electrons in the secondary, electronic representation.
This allows greater verification against tampering since a ballot can
attest to its own authenticity. Of course, this has to be done in a way
that does not compromise anonymity, so that there is no covert channel
included by the hash codes that could potentially reveal the particular
voter. We've thought about this a lot.

Keller: In particular, making sure that no information about the voter
ever gets into the voting machine itself, thus into the hash codes.

Mertz: In addition to the toolchain of the various components of a
voting system, there's a parallel effort to create open standards for
communications formats between machines at different levels of voting
software. This is now before various standards bodies, in particular,
the IEEE. [See IEEE Voting Equipment Standards and IEEE Voting Systems
Electronic Data Interchange].

Keller: I'm also participating in Voting System Performance Rating, an
ANSI-compliant effort which balances the needs of the voting authorities
against the needs of the vendors, who tend to dominate some other
standards committees. These kinds of efforts on standardized data
interchange will allow the emergence of third-party tools such as
auditing, analysis and reporting tools.

BYTE.com: Suppose people want to work with you? What do coders do if
they want to play?

Keller: People should go to the Open Voting Consortium website and join
the mailing lists. We're working on a "How to Get Involved" web page.

Mertz: Also, Arthur's and my e-mail addresses are on the OVC web page.
Developers can just send us e-mail if they have any questions about
participating.

==================================================================
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
==================================================================