Identifying the Gold, Redux
John Sebes
I recently commented on the specific connection, in the case of the TrustTheVote project, between open source methods and the issue of identifying a “gold build” of a certified voting system. As a reminder to more recent readers, most states have laws that require election officials to use only those specific voting system products that were previously certified for use in that state — and not some slightly different version of the same product. But recently I got a good follow-up question: what is the role of the Federal government in this “gold build” identification process? There is in fact an important role, one that is potentially very helpful, and openness can magnify the benefit of that role.
Here’s the scoop. The EAC has the fundamental responsibility for Federal certification, which is used in varying degrees as part of some states’ certification. Testing is the main body of work leading up to certification. Testing is performed by private companies that have qualified, in a NIST-managed accreditation program, as official Voting Systems Test Labs. There are two key steps in the overall process. First, a test lab re-does the “trusted build” process to re-create the soon-to-be “gold” version, which counts only if the lab can verify that the trusted build did in fact re-create the exact same software that was tested. Then, as the EAC Web site briefly states: “Manufacturer provides software identification tools to EAC, which enables election officials to confirm use of EAC-certified systems.”
But here is the fly in the ointment: for your typical PC or server, this is not easy, and the same is true for current voting systems. Yes, you could crack open the chassis, remove the hard drive, examine it as the boot medium, re-derive a fingerprint, and compare the fingerprint to something on the EAC web site. But in practice this is not going to happen in real election offices, and in any case it would be fruitless — even if you did, you would still have no assurance that the device in the precinct was still the same as the gold build, because the boot media can be written after the central office tests the device but before it goes into use in a polling place.
That’s quite an annoying fly in the ointment, but it doesn’t have to be that way. In fact, for a carefully designed dedicated system, the fingerprinting and re-checking can be quite feasible — and that applies to carefully made voting systems too, as we’ve previously explained. Such carefully made voting systems would be a real improvement in trustworthiness (which is why we’re building them!), but they aren’t a silver bullet, since you can never 100% trust the integrity of a computing system. That’s why vote tabulation audits are an important ingredient, and why I periodically bang on about auditing in election processes.
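As an added illustration of the fingerprint-and-recheck step described above (example code written for this post, not from the TrustTheVote project or any certification tool), the following Python builds a per-file manifest for a constructed sample image and re-verifies a device's media against it. SHA-256 as the fingerprint, the file names and the manifest layout are all assumptions of the example.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed sample "gold build": the files a dedicated voting device boots
# from, as the lab sees them after the trusted build. Names and contents are
# made up for this example; they are not from any real voting product.
GOLD_BUILD: Dict[str, bytes] = {
    "boot/kernel": b"kernel image bytes, build 1",
    "app/tabulator": b"tabulator binary, build 1",
    "conf/ballot-layout.xml": b"<layout election='sample-general'/>",
}


def fingerprint(data: bytes) -> str:
    """Per-file fingerprint. SHA-256 is this example's choice, not a mandated one."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(image: Dict[str, bytes]) -> Dict[str, str]:
    """The 'software identification' data to publish: one digest per file."""
    return {path: fingerprint(data) for path, data in image.items()}


def manifest_digest(manifest: Dict[str, str]) -> str:
    """One value over the whole manifest, so an official compares a single string."""
    h = hashlib.sha256()
    for path, digest in sorted(manifest.items()):
        h.update(f"{path}\0{digest}\n".encode())
    return h.hexdigest()


def verify(image: Dict[str, bytes], manifest: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Re-derive fingerprints from the media actually in hand and compare them to the
    published manifest. The same comparison serves the lab (does the rebuild match
    what was tested?) and an election office (is this device still the gold build?).
    The verdict covers only the media at the moment of the check: a write to the boot
    media after a passing check is invisible to that earlier pass."""
    findings: List[str] = []
    for path in sorted(set(image) | set(manifest)):
        if path not in manifest:
            findings.append(f"unexpected file: {path}")
        elif path not in image:
            findings.append(f"missing file: {path}")
        elif fingerprint(image[path]) != manifest[path]:
            findings.append(f"altered file: {path}")
    return (not findings, findings)
```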
— EJS