I'm looking over those sections of the bill that have to do with technology. Here are my comments.
Certification of Software - the Applications
First let's look at the security and certification of software applications.
``(8) PROHIBITION OF USE OF UNDISCLOSED SOFTWARE IN VOTING SYSTEMS.--No voting system shall at any time contain or use any undisclosed software. Any voting system containing or using software shall disclose the source code, object code, and executable representation of that software to the Commission, and the Commission shall make that source code, object code, and executable representation available for inspection upon request to any person.
My guess from this language and other paragraphs in the bill is that the authors were thinking in terms of one or more software applications that are installed on top of the operating system. But the operating system itself is software. This language should be improved to make it clear what is really intended. I believe strongly that the operating system has to be treated like any other piece of software but I will take that up in the next section. This section will focus on software applications that are installed on top of the operating system.
I believe that the bill does not go far enough in that there is no mechanism for verifying whether the version of software actually deployed on a machine in the field is the same as the version that was certified in the lab. The bill should probably require that a mechanism be developed and specified in a regulation. The mechanism could use checksums and/or digital signatures. This issue has been raised by other posters in this thread so I just add my support for this position.
Along with the checksum or digital signature mechanism, there would need to be some way to gain access to the machines to perform the check. There should be very carefully crafted language requiring audits of the machines both before and after the election. I say carefully crafted because we have seen how election officials put on a dog and pony show in place of real testing under the current regime. This step should be performed by one of the accredited laboratories mentioned in the bill. This is potentially a nightmare due to the number of DREs that could be out in the field all across the country.
Another thing lacking in the bill is any remedy. It just says the software has to be disclosed. So let's say that some vendor discloses software that has flaws that are not themselves fraudulent but are easily exploited. I think it is Bill Bored who has made the point many times that it may be the configuration that implements fraud, not the software code as such. What can we do about a vulnerability when we discover it? We will once again be left standing outside in the rain while inside the building the election is stolen by use of an exploitable feature.
A related point is that there must be disclosure and auditing of the configuration of the software, not just the software code itself.
Also, a known exploit of software is to place executable code in data. The data is read from somewhere (say a database, an http request to a web application, a smart card or wherever) and then the data is executed as code. So you need disclosure of all the data on the system too.
Where this is taking us is that you need to capture and disclose an image of the entire system including all software and all data. Only in this way can you cover all the bases.
Certification of Software - the Operating System
The literal language of paragraph (8) shown above would seem to include the entire operating system since the op sys is in fact software that is contained by and used by a voting system. However, I doubt that is what the authors intended. The language should be clarified.
The way the language should be clarified, as I see it, is to make it clear that the operating system is software and must be disclosed and certified like any other software.
You would have to include the operating system in order to know there is no fraudulent code lurking somewhere either as a modified version of a legitimate op sys component or as a bogus component given some legitimate sounding name. Since the state of the art of viruses and other malicious code is so advanced, there is significant risk in the operating system part of the voting system, not just in the software specifically intended for e-voting.
This interpretation of the operating system being software has a couple of consequences. One is that any version of Windows or any other proprietary operating system would be disallowed.
To me disallowing Windows is a good thing (actually a necessary thing) but there will surely be vendors who will not go along with this without screaming and kicking. Then there are all those counties that have already bought voting systems that run on Windows or some other proprietary operating system. I would be surprised if this interpretation of the operating system being software and therefore disclosable would ever make it into law. That said, I still believe it is essential.
But for the sake of argument, if Windows is ruled out and only open source operating systems are allowed then we are most likely looking at some flavor of Linux.
Another consequence of my interpretation is that the disclosure called for by paragraph (8) is much larger than what the authors likely envisioned. To disclose the source code, object code and executable representation of the entirety of any of the commercial distributions of Linux is a large and difficult task. So large that its usefulness would be doubtful at the same time that it is essential.
One thing that would make the disclosure of an entire operating system more feasible is to use a very minimalist version. The modularity of Linux lends itself to this approach and there are quite a number of tiny versions that were developed for various reasons such as being able to fit on a single floppy disk.
To sum up what I think about certification of the operating system - I think this is an essential element of any trustworthy system and I think it is very unlikely to happen.
Certification of Hardware
Now to make the problem even more difficult, there is no reason we should trust the hardware either. Just like you can sneak a malicious component into the operating system, you can also sneak a malicious piece of hardware into the box. Look at paragraph (10):
``(10) CERTIFICATION OF SOFTWARE AND HARDWARE.--All software and hardware used in any electronic voting system shall be certified by laboratories accredited by the Commission as meeting the requirements of paragraphs (8) and (9).
The certification of hardware seems to certify only that the software it contains has been disclosed and that there is no wireless, powerline or concealed communication device (paragraphs (8) and (9)). The certification does not say that there is no other type of hardware component whose purpose is nefarious.
Now maybe you could render many types of malicious hardware components inoperable and moot if you can control the operating system. I'm not sure of what the possibilities and issues might be here. This question would need further development by someone whose expertise is operating systems (I am a software person).
Further, even if the hardware certification were comprehensive, how can you verify that the hardware in the field is the same as the hardware tested in the lab? You could check that it is the same model number or something like that but it is very common for individual components of a computer model to be changed at any point in time without changing the model number. A certification that the machine in the field is the same as the machine in the lab is basically not possible. You would have to perform an autopsy on the machine in the field and the patient would not survive the procedure. I really doubt that the jurisdictions buying voting equipment would agree to destructive testing.
So the conclusion on hardware certification, just like that of operating system certification, is that it is essential and very unlikely to happen, at least in any meaningful way.
General Comments and Conclusions
One issue that spans across both hardware and software is the creation of accredited labs. Is the language in the bill sufficient to make sure the accredited labs are not shills? How do we know that we can trust these certifications? We certainly can't trust the current election authorities involved in certification. We also know we can't trust the EAC as currently composed. This seems to be a serious risk in this age of fake media, fake think tanks, fake intelligence and fake commissions. We'll just add fake labs to the list.
A related problem is that election officials, including the EAC, the state officials and the county officials, do not have the knowledge necessary to evaluate and oversee the work of any accredited lab. Even if the labs are not shills, they can be incompetent. There will be motivation to be incompetent if they are profit-based since the most profitable approach would be charging high rates for cheap labor.
While we're at it, what do we do about any of the players, from hardware sources to software vendors to accredited labs, being foreign owned or having foreign connections? Witness the purchase of Sequoia by the firm in Boca Raton (sorry, I don't remember the name right now) that has connections with the Venezuelan government.
To wrap up my general conclusion about this endeavor to create a trustworthy e-voting system, I am absolutely convinced that the goal will not be met. There are just too many ways this can go wrong. It would be very difficult to accomplish even by a team of the top experts in the country who had no other motivation other than the trustworthiness of the system. Even in that case it would require a major investment in R&D and would probably be years in the making. And that's the best case scenario.
A more realistic scenario is that:
- Funding will be inadequate
- Oversight and direction will be incompetent
- Bad actors will infiltrate the process
- Essential elements will be omitted
And finally, even if all these obstacles were miraculously overcome, the result is still a system that an ordinary person cannot reasonably trust. The trust in our election system should not be by faith. It should be by transparency and an understanding of how the system operates. This trusted computer system, if achieved, could only be understood by computer scientists and, in fact, only by computer scientists that have a spare couple of years to study the system and verify that it is trustworthy. Certainly it cannot meet the test that many have suggested that it must be understood "by my mother".
So the solution to this problem is to consider any computer system untrusted. Use touchscreens only as ballot marking devices so that there is a decoupling between the technology and the vote generated by the technology. If opscan counters are used, or if central tabulators are used, then there must be a system that allows independent, low-tech (hand counting) verification in a way that is meaningful and substantive and prior to results becoming final or even presumptive.
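The field-verification mechanism the post asks for (a checksum manifest covering the software, its configuration and its data, compared against what the lab certified), as an added example that is not part of the original post or the bill: file paths, contents and the lab key are constructed, and an HMAC over the manifest stands in for the lab's digital signature.

```python
import hashlib
import hmac
import json
from typing import Dict, Set

def build_manifest(image: Dict[str, bytes]) -> Dict[str, str]:
    """SHA-256 every file in a system image: programs, libraries, configuration and data alike."""
    return {path: hashlib.sha256(blob).hexdigest() for path, blob in sorted(image.items())}

def seal_manifest(manifest: Dict[str, str], lab_key: bytes) -> str:
    """Authenticate the certified manifest so the field auditor can tell if it was swapped.
    HMAC over the sorted JSON stands in for the lab's digital signature (assumption)."""
    serialized = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(lab_key, serialized, hashlib.sha256).hexdigest()

def manifest_is_authentic(manifest: Dict[str, str], tag: str, lab_key: bytes) -> bool:
    return hmac.compare_digest(seal_manifest(manifest, lab_key), tag)

def audit_fielded_machine(certified: Dict[str, str], fielded: Dict[str, str]) -> Dict[str, Set[str]]:
    """Report every way the fielded image differs from the certified one; all-empty means a match."""
    return {
        "modified": {p for p in certified if p in fielded and certified[p] != fielded[p]},
        "missing": set(certified) - set(fielded),
        "added": set(fielded) - set(certified),
    }

# Constructed sample images; paths, contents and the lab key are illustrative only.
CERTIFIED_IMAGE = {
    "bin/tally": b"\x7fELF certified tally binary",
    "lib/libballot.so": b"\x7fELF certified ballot library",
    "etc/tally.conf": b"precinct=12\naudit_log=on\n",
    "data/ballot_layout.dat": b"layout v3",
}
FIELDED_IMAGE = dict(CERTIFIED_IMAGE)
FIELDED_IMAGE["etc/tally.conf"] = b"precinct=12\naudit_log=off\n"        # configuration changed, code untouched
FIELDED_IMAGE["lib/libballot-helper.so"] = b"\x7fELF unknown component"  # extra component with a plausible name
LAB_KEY = b"constructed-lab-key"

def run_audit() -> Dict[str, Set[str]]:
    certified = build_manifest(CERTIFIED_IMAGE)
    tag = seal_manifest(certified, LAB_KEY)  # produced in the lab at certification time
    if not manifest_is_authentic(certified, tag, LAB_KEY):
        raise RuntimeError("certified manifest does not authenticate")
    return audit_fielded_machine(certified, build_manifest(FIELDED_IMAGE))

if __name__ == "__main__":
    print(run_audit())
```

The audit flags the altered configuration file and the extra component even though every certified binary is byte-for-byte unchanged, which is why the post's point that configuration and data must be disclosed along with the code matters in practice.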