San Mateo does electronic voting okayPosted 2007-11-07.
When I got my ballot pamphlet a few weeks back, I was disappointed to see that they were moving to electronic voting. I think the chain of reasoning here is pretty clear:
- Senile idiots in Florida can't figure out how to operate paper.
- Electronic voting systems are even harder to use for easily befuddled retirees.
- Electronic voting systems cost a lot more and make more money for government contractors.
- Clearly we should move to electronic voting systems.
They list all sorts of ways I know that my vote is secure, like “rigorous logic and accuracy testing”, and “stored in four physically separate locations for backup”. All of this is smoke and mirrors. In fact, all established methods of testing make the assumption that the person producing it intends for it to work as described. The problem with the security model they are using to evaluate these systems is that electronic votes behave like pieces of paper. That is, they assume that the system accurately records the vote cast, that the system will not change the vote without malevolent outside intervention, and that the system will accurately count the votes. None of these types of controls will do anything to prevent an insider (someone at the manufacturer) from adding code to switch votes to a preferred candidate.
There is mention that the source code was audited by an outside source. Even assuming that it was feasible to do this audit in the time provided (a separate issue), and that an audit can find flaws in a short period of time (it can’t generally find security flaws, but it should prevent intentional vote manipulation by insiders), there is a remaining problem. We will assume that the source code was audited, and the auditors found no problems because there were no problems to find – the source code was perfect. (this wasn't the case) The remaining issue is, how do I know that the source code matches what is actually running on the machines? It’s a long process to go from source code to the actual machines sitting in polling stations. Nothing guarantees that the source code didn’t have malicious bits purged before giving it to the auditors. Nothing guarantees that the machines won’t get a “more up-to-date version” of the software. Nothing guarantees that someone in the manufacturing plant doesn’t replace the software with something of his own design. Even if the audit was perfect, all we get is that some source code looks like it works right, but this tells us nothing about the machines that are supposedly running that software.
But they have a voter verifiable paper trail. And this is all that saves the process. Computers are a great way to produce something which is easy to read. They make it easy to catch spelling errors, and so on. So the eSlate is a thousand dollar machine to make sure that the paper ballots are readable. All the security features are a waste of tax dollars.