software inspection, security, and VVPBs [Re: OVC-discuss Digest, Vol 36, Issue 10].

From: Hamilton Richards <hrichrds_at_swbell_dot_net>
Date: Thu Nov 01 2007 - 14:40:49 CDT

At 7:00 PM -0700 2007/10/30, wrote:
>Message: 2
>Date: Tue, 30 Oct 2007 17:40:44 -0700
>From: Danny Swarzman <>
>Subject: Re: [OVC-discuss] Representative Holt's OWN WORDS [Re:
> OVC-discuss Digest, Vol 36, Issue 9]
>To: Open Voting Consortium discussion list
> <>
>I can't help it; there are many things in this that are almost right.
>On Oct 30, 2007, at 2:49 PM, Hamilton Richards wrote:
>> [snip]
>> If the video's unsourced claim that "up to 10% of the
>> electronically-generated paper records allowed by HR811 are damaged,
>> unreadable, and unusable for audits" is based on anything, it's based
>> on early implementations produced by manufacturers who have an
>> interest in seeing them rejected. Electronically generated
>> voter-verified paper ballots can be far more reliable than
>> hand-marked ones, and far less vulnerable to ballot-box stuffing and
>> spurious rejection by crooked election officials.
>If this has changed, we need to see the data verifying it. The
>inherent problem with the paper trail is that there is no way to
>know. Voters don't check it. It is not easy to inspect. When there is
>a difference between the way a voter remembers marking a ballot and
>the paper, they just assume it was their mistake.

"No way to know" what, exactly? As for "not easy to inspect", take a
look at the OVC prototype (OVC sponsors this discussion group).
Couldn't be easier. Moreover, the voter is responsible for carrying
her ballot from the printer to the ballot box, and the ballot isn't
cast until she drops it in the box.

>>
>> Concerning code inspection, it's universally accepted in computing
>> science that code cannot be validated by inspection.
>David Wagner made this point. Effective disclosure would require that
>the inspector be able to do unit testing and follow the code with a
>debugger or other tools. That is what people do when they make
>software. They specify, code and test. All of this needs to be clear
>and transparent.

"Effective disclosure"? Unit testing and debugging are no more
capable of guaranteeing software's validity than inspection alone.
It's true that this "is what people do when they make software", but
the wretched quality of the results is ample demonstration of its
inadequacy. This too is well known in computing science.

Think about this: What other industry packages its products with
explicit disavowals of any claims that it does anything
correctly--and gets away with it?

>> The video's contention that "The committee changed the bill when they
>> heard from Microsoft ... so ordinary American citizens can never know
>> how their votes are being counted" is disingenuous. Microsoft could
>> publish its entire inventory of software on the web, and "ordinary
>> Americans" would still never know how their votes were being counted.
>There is a large portion of the population who are capable of
>studying software. It's true that the biggest problem with Windows is
>that it is just too big. Also that it is vulnerable to abuse as we
>all know.

The entire population of the US could study election software from
now until the end of the millennium, and they still wouldn't "know how
their votes were being counted."

>> Some proponents of open source, always looking for more arguments in
>> its favor, claim that open source is less insecure than undisclosed
>> source. That claim may have some merit, but it's of no practical use
>> ("less insecure" is like "less pregnant")--unless the software is
>> known to be completely secure, other security measures such as
>> voter-verified paper ballots are still essential.
>There is no such thing as completely secure. I think every expert on
>computer security would reject that notion.

And so would yours truly. That was my point, which I evidently failed
to state with sufficient clarity.

>You need to look at the
>features of the software, do testing and get smart people to try to
>break it. Then you have MORE confidence. Not complete security.

Exactly. And therefore measures such as VVPBs (voter-verified paper
ballots) are still needed.

>> The mythical golden age
>> --------------------
>> The video makes the claim that "we already have 'verifiable'
>> elections. They're called hand counted, paper ballot elections. We
>> don't need a federal bill...". The colorful history of election fraud
>> in the days before computers is so widely known that this can only be
>> another disingenuous claim. Its author's antipathy to the use of
>> computers in elections is evident, but since it is unsupported by any
>> logical arguments, it's far from persuasive.
>If there are fewer steps, fewer things to go wrong, that is a source
>of security. How can you dispute that?

Easy. Printing VVPBs is an extra step, but it greatly increases the
security of the machine to which it is added. Removing that step
would decrease the system's security.

>There can be fraud without
>computers. Using computers gives more means of cheating.

Yes, but using computers properly also closes off some means of
cheating. Computers without VVPBs are disasters waiting to happen,
but VVPB systems are much less susceptible to such cheating
techniques as ballot-box stuffing and fraudulent ballot invalidation.
Used unwisely (as they are at present), computers bring a serious net
loss of security compared with hand-marked paper ballots, but used
wisely they can improve security considerably.

Moreover, computers open the way towards dramatic improvements in
elections' convenience and accessibility. Here in Travis County,
Texas, we can vote at any time during the two weeks before the
official election day. The early-voting polling places are open
evenings and weekends, and many of them are in places, such as
supermarkets, which many voters visit routinely. Roughly half of the
county's voters vote early; how many of them would not vote otherwise
is not known.

It's worth noting that any voter can vote at any early-voting place
in the county. What makes this possible is that each polling place
has ballot templates for all of the county's precincts; when a voter
goes to vote, the appropriate ballot is loaded into the machine. For
county officials, this is a considerable improvement over early
voting in the days of hand-marked paper ballots, when each polling
place had to have a stock of every ballot used in the county.

Now imagine extending this system beyond the borders of a single
county. A traveller could walk into any polling place in the country
and present her voting credentials (e.g., a voter registration card).
The appropriate blank-ballot image would be obtained via the Internet
and loaded into the machine. The resulting printed ballot would be
sealed in an envelope by the voter in view of the poll workers, who
would mail it to the voter's home precinct to be counted along with
all the other ballots. Such a system would eliminate the need for
mail-in absentee voting, and thereby close the vote-buying and voter
coercion loopholes.

For the convenience of US citizens travelling or residing abroad, or
serving in the military in foreign lands, such a system could be
extended to include US embassies, consulates, and military bases. One
can even imagine an international system, with official
professionally staffed polling places (under UN auspices?) offering
voting services for elections worldwide.

>> Profits are evil?
>> ------------
>> The video ends by asserting that no one should make a profit from
>> elections. Does that mean that election officials should not be paid?
>> That the suppliers of printed paper ballots should provide them at
>> cost? How about the printers' suppliers of paper and ink? This smells
>> like a religious argument more than a logical one, and the thing
>> about religion is that you either get it or you don't. Brandishing
>> religious arguments at nonbelievers is famously counterproductive.
>The problem with the 'profit' motive in practice is that large
>corporations have the power to corrupt the system. History tells us
>that they do.
>The privatization of government functions opens the door to conflicts
>of interest. Not the same as paying a salary to elections officials.

Good point--clearly it's a balancing act, and the current situation
in which election-system vendors call the shots is way out of balance.



Hamilton Richards, PhD           Department of Computer Sciences
Senior Lecturer (retired)        The University of Texas at Austin      
= The content of this message, with the exception of any external 
= quotations under fair use, are released to the Public Domain    
Received on Fri Nov 30 23:17:03 2007