By Pito Salas

Bruce Schneier on “Worst Case Thinking”

Although he was talking in a very different context, I still think that Bruce Schneier’s perspectives on worst-case thinking have relevance to us:

“Worst-case thinking means generally bad decision making for several reasons. First, it’s only half of the cost-benefit equation. Every decision has costs and benefits, risks and rewards. By speculating about what can possibly go wrong, and then acting as if that is likely to happen, worst-case thinking focuses only on the extreme but improbable risks and does a poor job at assessing outcomes.” (from Schneier on Security)

I recommend reading Bruce Schneier’s piece on worst-case thinking; it’s quite interesting, and you will see his second and third reasons why we need to be careful with worst-case thinking.

ATOMS=GOOD, ELECTRONS=BAD?

Seems to me that I’ve seen more interesting videos, alarming articles, and research studies of problems with e-voting than with old-fashioned hand-count paper ballot elections. We hear about many ways and reasons to doubt election results that use machines in some part of the process, and about how “all manual count” elections are the “gold standard.” Good soundbites.

But I wonder:

Are there actually any elections that are “all manual”?

I don’t think so. Certainly the tabulation of results, the transport of results up the chain, the tracking of warehouses full of ballots, the design of ballots, the collection of voter registrations, and the creation and management of poll books, must use computers all along the chain. Is there a single state or county where computers are used for none of these activities? I suspect not.

So, where are the cool videos and PR campaigns illustrating the ways in which an all manual count could be compromised? I’ve seen magicians do some impossible things while manipulating pieces of paper. And there are a lot of magicians.

And by the way, we also use computers… to control whether and in what direction to launch missiles, to control the brakes in my car (oops, bad example :), to “land a man on the moon”, and of course our whole financial system only exists inside of the black boxes that are called computers.

Yeah, I know the litany of differences between these applications and elections. I am well aware of them. But the differences don’t stop me from questioning the ultra-black-and-white, ultra-soundbite claim that I hear all the time:

computers/internet=BAD, manual/physical=GOOD

It might as well be

atoms=GOOD, electrons=BAD

I know as a society we don’t like nuance, but as people who are devoted to making things better, techies and non-techies alike, I’d like to see and read fewer statements like: “We will never ever do X”, “Y is the absolute only way to do this.”

Things are never that black and white. And while we may need to keep it simple to win the argument, it’s more than about just winning the argument. It’s about discovering real weaknesses (and there are always trade-offs — I can hear the black-and-white crowd saying: “We should not ever make ANY trade-offs when it comes to our Democracy”, which is my point, exactly) and so we should always be seeking honest ways of imagining and testing to discover true improvements.

Hacking “Electronic Voting Machines”

The other day I gave a talk at the Boston Bar Camp 2010 about the work we are doing at TrustTheVote. Over the year or so I’ve been involved I’ve collected some good stories and surprising anecdotes about how elections work and don’t work in the US.

After the talk a fellow came over to me and said, how about adopting the way voting is done in India? He was from India and we had a long talk as he described a pretty simple, low tech ‘vote machine’ and process for casting and counting votes.

After all India is the most populous democracy and, he said, the vote there goes smoothly and people trust the process. Why not here in the US? I am not an expert on Indian voting or democracy so I accepted his information at face value and stored it away for some future cocktail party.

And this morning I got this in my email: “India’s EVMs are Vulnerable to Fraud”, a detailed article plus pretty convincing video showing how ‘easily’ hacked India’s Electronic Voting Machines are:

“In the video above, we demonstrate two kinds of attacks against a real Indian EVM. One attack involves replacing a small part of the machine with a look-alike component that can be silently instructed to steal a percentage of the votes in favour of a chosen candidate. These instructions can be sent wirelessly from a mobile phone. Another attack uses a pocket-sized device to change the votes stored in the EVM between the election and the public counting session, which in India can be weeks later.

These attacks are neither complicated nor difficult to perform, but they would be hard to detect or defend against. The best way to prevent them is to count votes using paper ballots that voters can see.” (from India’s EVMs are Vulnerable to Fraud)

This raises a few interesting points I would like to make:

  • Since I said I don’t know anything about India’s voting system, and I don’t really know these researchers, and the paper is on a site I’ve never heard of, who even knows if this article and content is credible at all? For all I know it’s some elaborate psychological manipulation for who knows what purpose.
  • As I discussed in my “Security by Obscurity” rant the other day, is this kind of revelation a good idea? Let’s just grant that the video and paper are legitimate and show a real Indian EVM being hacked in a workable way: is it a good idea to publish it in this kind of detail? Will it give ideas to the large number of people who have the motive and ability to execute it? Or is revealing it useful because it will eventually lead to an improvement in the security?
  • Finally, and no surprise to people who read this blog, but isn’t it amazing how an apparently simple thing like voting is subject to so many wheels within wheels of complexity. And the stakes are so high, whether it involves the Indian democracy or our own here in the USA.

Risk Limiting Audits: progress

An interesting bit today from UC Berkeley about a trial of so-called “Risk Limiting Audits”, advocated by Philip Stark. Apparently it went well, well enough that:

“Stark’s technique passed the test and five others, impressing California Secretary of State Debra Bowen, the state’s chief elections officer, and spurring her to sponsor a bill, AB 2023, to conduct in 2011 a statewide experiment of this kind of ‘risk-limiting audit.’” (from UCBerkeleyNews)

The article is a breezy summary of the approach and the pilot, with lots of endorsements and quotes, but not too much detail about the actual trial, other than it was successful:

“Although the canvass (we do today) is a comforting thing, and it’s certainly necessary, it is not state-of-the-art,” said Freddie Oakley, the county clerk recorder of Yolo County and the person responsible for double-checking voting machine counts as well as certifying the final results. “We will be close to state-of-the-art with the bill that the secretary of state is sponsoring.” (from UCBerkeleyNews)
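Since neither the article nor the post above explains what a risk-limiting audit actually does, here is an added example of my own (not code from the pilot, from the UC Berkeley article, or from TrustTheVote). It shows the ballot-polling flavour of a risk-limiting audit, a sequential likelihood-ratio test of the kind Stark later published as the BRAVO procedure; whether the California pilot used that variant or a ballot-level comparison audit is not stated on the page, and the function names, the 60/40 reported result, the ballot piles and the 5% risk limit are all mine, constructed for illustration.

```python
"""Ballot-polling risk-limiting audit, simplified to a two-candidate contest.

Added example, not code from the page, from the California pilot, or from
TrustTheVote. It shows the ballot-polling flavour of a risk-limiting audit
(a sequential likelihood-ratio test, as in Stark's later BRAVO procedure):
ballots are drawn at random and read by hand, and the audit stops as soon
as the sample gives strong enough evidence that the reported winner really
won; if it never does, every ballot gets counted by hand. Which variant the
pilot described above actually used is not stated on the page.
"""
import random


def bravo_audit(reported_winner_share, sample, risk_limit):
    """Sequential test over an already-drawn sample of hand-read ballots.

    reported_winner_share: the reported winner's share of the ballots cast
        for the winner or the loser (must exceed 0.5, i.e. a reported win).
    sample: iterable of 'W' (for the reported winner), 'L' (for the reported
        loser) or 'X' (blank/other, which carries no evidence either way).
    risk_limit: the largest chance the audit may certify a wrong outcome.

    Returns (certified, ballots_examined, likelihood_ratio).
    """
    if not 0.5 < reported_winner_share <= 1.0:
        raise ValueError("the reported outcome must be a win for the winner")
    threshold = 1.0 / risk_limit
    ratio = 1.0  # evidence for "reported share is right" vs. "it was a tie"
    examined = 0
    for ballot in sample:
        examined += 1
        if ballot == "W":
            ratio *= reported_winner_share / 0.5
        elif ballot == "L":
            ratio *= (1.0 - reported_winner_share) / 0.5
        if ratio >= threshold:
            return True, examined, ratio
    return False, examined, ratio


def simulate_audit(true_ballots, reported_winner_share, risk_limit, seed=0):
    """Draw ballots without replacement from the real pile and audit them.

    Returns ('certified', n) if the audit stopped after n ballots with the
    reported outcome confirmed, or ('full hand count', n) if it examined
    the whole pile without reaching the risk limit.
    """
    rng = random.Random(seed)
    pile = list(true_ballots)
    rng.shuffle(pile)
    certified, examined, _ = bravo_audit(reported_winner_share, pile, risk_limit)
    return ("certified" if certified else "full hand count"), examined


if __name__ == "__main__":
    # Constructed data: 10,000 ballots, reported 60/40, and the paper agrees.
    honest_pile = ["W"] * 6000 + ["L"] * 4000
    print(simulate_audit(honest_pile, 0.6, 0.05))
    # Constructed data: reported 60/40, but the paper actually says 30/70.
    stolen_pile = ["W"] * 3000 + ["L"] * 7000
    print(simulate_audit(stolen_pile, 0.6, 0.05))
```

Two things worth noticing. With a reported 60/40 result and a 5% risk limit, seventeen straight ballots for the reported winner are enough to stop (1.2 to the 17th power passes 20), which is why a wide reported margin can be confirmed with a tiny sample; a 51/49 result needs thousands. And the risk limit bounds only the chance of certifying a wrong outcome: when the paper disagrees with the machines, the evidence never accumulates and the audit falls through to the full hand count, which is the whole point of the design.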

More thoughts on email voting

Following up on John’s discussion of “Internet Voting” in North Carolina… let me pick up the thread from the perspective of Vote By Mail as a point of comparison.

I think it’s an interesting comparison because it’s worth asking whether using the Internet makes voting immediately riskier than the model we all know (and some love) of receiving and returning ballots using the mail (broadly defined – I suppose it’s not always the good ole US Postal Service that is doing the delivering).

Key problems that John discussed the other day with using email to deliver marked ballots back to the jurisdiction were that on the trip from the voter (imagine a soldier casting his or her vote while serving overseas) the ballots could be intercepted, read and even changed as they traversed email servers.

One might say, who said that the humans who handle the bags of paper ballots on their trip are any more trustworthy? [Did you notice what I just did there? I went from talking about digital delivery in general to email delivery, which are not the same thing!]

I would respond that it’s just much more difficult to do bad things to ballots en route if their route uses atoms (paper, trucks, aircraft) rather than bits (files, email messages, protocols). It’s harder to deal with when it’s paper: you have to find the paper and get physical access to it, and you need to work on it without being observed.

I suppose you could cause a whole bag of ballots to fall off a truck, but you’d need to also then falsify paper manifests and other similar documents. These are real risks, but the truth is that we’ve come to understand and accept these kinds of risks as acceptable trade-offs for the greater good of allowing our citizens in far places to cast their vote.

Less well understood are the new and highly technical kinds of risks that we’re looking at if we want to allow those citizens to use email to return their marked ballots back home. Think about all the pieces of software and infrastructure that handle the returning email, starting from the voter’s potentially virus-laden PC (or weirdly hacked Internet Cafe station), through a series of servers that are invisible and controlled by who knows who, all the way back to the jurisdiction. Ouch.

But let me argue against myself now. First of all, I was very facile in claiming that it would be harder to attack the physical transportation of paper ballots traveling from Camp Foobar in Farawayistan. I was just using common sense and intuition. But the truth is I don’t know a whole lot about how that actually works, or about what the real so-called attack surface is for delivery of paper marked ballots.

And let me also argue against myself by pointing out that many of my arguments against email voting may not apply to other, more direct ways of delivering marked ballots, not with email but by some other digital means.

In any event, in my opinion, we need to face up to the reality that the world is getting flatter and we have more and more citizens whose votes must be counted who are in very faraway places. The time it takes to send a blank ballot by snail mail and send a voted ballot back by snail mail makes the voters’ time window much too slim in many cases.
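To make the “intercepted, read and even changed as it traverses email servers” point concrete, here is an added example of my own (not code from the post, from John’s discussion, or from TrustTheVote). It pushes a marked ballot through three mail hops, one of them hostile, and compares what the jurisdiction sees with and without an end-to-end seal on the ballot. The ballot text, hop names and per-voter key are constructed; the seal itself is an assumption not on the page (a secret key sent to the voter with the blank-ballot packet, used for an HMAC over the ballot), and a public-key signature would behave the same way for the point being made.

```python
"""An emailed ballot passing through mail hops, with and without an
end-to-end integrity check.

Added example, not code from the page or from TrustTheVote. Everything
here is constructed: the ballot text, the hop names, the per-voter key.
Assumption (not from the page): the jurisdiction sends each voter a
secret key in the blank-ballot packet and the voter's software attaches
an HMAC of the marked ballot; a public-key signature would behave the
same way for the point made here.
"""
import hashlib
import hmac
from email import message_from_string
from email.message import EmailMessage
from email.policy import default

# Constructed sample data.
BALLOT = "Contest: County Clerk\nChoice: Candidate A\n"
VOTER_KEY = b"constructed-per-voter-secret-from-the-ballot-packet"


def build_ballot_message(ballot_text, key=None):
    """The voter's mail client builds the return message; with a key it
    seals the ballot by adding a keyed hash of the text in a header."""
    msg = EmailMessage(policy=default)
    msg["From"] = "voter@example.mil"
    msg["To"] = "ballots@county.example.gov"
    msg["Subject"] = "Marked ballot"
    msg.set_content(ballot_text)
    if key is not None:
        msg["X-Ballot-MAC"] = hmac.new(key, ballot_text.encode(), hashlib.sha256).hexdigest()
    return msg.as_string()


def honest_hop(name):
    """A relay that only records that it handled the message."""
    def hop(raw):
        msg = message_from_string(raw, policy=default)
        msg["Received"] = f"by {name}"
        return msg.as_string()
    return hop


def tampering_hop(raw):
    """A relay under hostile control: it can read the ballot (so there is
    no secrecy either) and rewrites the choice before passing it on."""
    msg = message_from_string(raw, policy=default)
    body = msg.get_content()
    msg.set_content(body.replace("Candidate A", "Candidate B"))
    msg["Received"] = "by relay.example.net"
    return msg.as_string()


def receive(raw, key=None):
    """The jurisdiction's inbox. Returns (status, ballot_text)."""
    msg = message_from_string(raw, policy=default)
    body = msg.get_content()
    if key is None:
        return "accepted", body
    tag = msg.get("X-Ballot-MAC")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if tag is None or not hmac.compare_digest(expected, str(tag)):
        return "rejected: ballot changed after the voter sealed it", body
    return "accepted", body


def scenario(sealed, hostile_relay, malware_on_voter_pc):
    """Run one end-to-end trip. Returns (status, ballot_still_for_A)."""
    ballot = BALLOT
    if malware_on_voter_pc:
        # Endpoint compromise acts before the ballot is sealed, so the
        # seal faithfully covers the already-altered ballot.
        ballot = ballot.replace("Candidate A", "Candidate B")
    key = VOTER_KEY if sealed else None
    raw = build_ballot_message(ballot, key)
    hops = [
        honest_hop("mx1.example.mil"),
        tampering_hop if hostile_relay else honest_hop("relay.example.net"),
        honest_hop("mx.county.example.gov"),
    ]
    for hop in hops:
        raw = hop(raw)
    status, body = receive(raw, key)
    return status, "Candidate A" in body


if __name__ == "__main__":
    print("no seal, hostile relay:", scenario(False, True, False))
    print("sealed, hostile relay: ", scenario(True, True, False))
    print("sealed, honest relays: ", scenario(True, False, False))
    print("sealed, malware on PC: ", scenario(True, False, True))
```

Three of the four runs say what you would expect: an unsealed ballot comes through altered and is counted as altered, a sealed one altered in transit is caught, and a sealed one that nobody touched is accepted. The fourth is the one that matters for the argument above: when the voter’s own PC is the compromised link, the alteration happens before the seal is applied, so the seal verifies perfectly and the jurisdiction has no way to tell. Integrity checks on the wire address the relay-server part of the route; they do nothing about the endpoint, and neither of them gives the ballot any secrecy from whoever runs the relay.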

— Pito

New York Times on Voting Technology

A couple of days ago the New York Times editorial page commented on voting technology in an editorial titled “The Voters Will Pay”. Some bits that interested me (but you should read the whole thing):

“[snip…] If the deal is allowed to go through, it would make it harder for jurisdictions to bargain effectively on price and quality.[snip…]” (from The New York Times)

One of the reasons that we are enthusiastic about the Open Source approach is that, oddly enough, we believe (as many do) that this approach will lead to better quality and even better price (i.e. no price. We give our stuff away.) How is this possible?

We don’t possess a secret super power allowing us to develop software for free.

However by approaching the problem as a non-profit foundation, by definition, we are relying on the goodwill of others (foundations and philanthropists) to raise funds to pay for professional software and technology staff. And of course, again by definition, we will not be making a profit, which also saves money.

Secondly, we have already found, even in these cynical times, that top-notch talent is inspired to apply their abilities to work that has a positive impact on our society and world, and will work for a lot less than they’d make in the private sector (analogous, I suppose, to many people who work in other public sector positions).

Read the whole editorial here.

AR vs. UVR?

I came across an interesting article about voter registration: “The Alternative to Universal Voter Registration” where John N. Hall strongly supports Automatic Registration (AR) over Universal Voter Registration (UVR).

To people who are not election experts the distinction is a bit subtle. UVR has states proactively try to register everyone to vote, while AR has the federal government somehow use Social Security records to automatically register people.

In Mr Hall’s words, AR can be implemented by doing the following:

“Computer programs read through the Social Security Administration database, extract the data of age-eligible citizens, then send that data to the states.” (from The Alternative To Universal Voter Registration)

Now that I started writing this post and did some more googling I see that this is already a heavily debated topic that has flown back and forth, starting with John Fund’s (of the Wall Street Journal) original talk, to Rep. Barney Frank’s angry denunciation that he had nothing to do with the claims that he was involved in any way with Universal Voter Registration, to Mr Fund’s retraction of the claim, to more links than you can shake a stick at about the topic.

Anyway, as usual I am a Johnny-come-lately. Phew. My original thought though was about the original post. You see, John Hall, being a “computer programmer”, makes it sound simple:

“Voila! Why make mandates on all those state agencies and dragoon all that manpower entailed by UVR when a computer program can register everyone? A competent programmer could write the extract program in his sleep.” (from The Alternative to Universal Voter Registration)

Any description of this that starts with “Voila” and ends with “in his sleep” is … well let’s just say, it must be a bit of a simplification….

For example, I would imagine that there would be major privacy concerns about sending information out of the Social Security systems to each of the states. I am not sure that the states’ registration records even include Social Security information. And what about all the voters who don’t have Social Security numbers? There must be some, or many. And how quickly are the Social Security databases updated when people die?

Yes: security is hard

I came across this article, “NIST-certified USB Flash drives with hardware encryption cracked”. The money quote:

“The real question, however, remains unanswered – how could USB Flash drives that exhibit such a serious security hole be given one of the highest certificates for crypto devices? Even more importantly, perhaps – what is the value of a certification that fails to detect such holes?” (from NIST-certified USB Flash drives with hardware encryption cracked)

I was quite intrigued by this article given that we talk blithely about using encrypted, write-once media to transfer information between various components of a voting system. I haven’t followed up with folks who know more about this than me, but I have a hard time understanding exactly what encrypted, write-once media are or how they work or don’t work.

You should draw your own conclusions about the significance of the linked article. I am actually not sure who “H-Security” is, what their particular angle or grindable axe might be, or whether the security hole they report is big news or old hat among the cognoscenti. Stay tuned.

Tim Bray on the way Enterprise Systems are built (compared to open source)

Tim Bray is one of the main people behind XML, so he has some serious cred in the world of building and deploying systems. So it was with interest (and some palpable butterflies) that I read a recent missive of his, “Doing it Wrong”.

I don’t know how much of what he says is relevant to what we at TrustTheVote are doing and how we are doing it, but it makes for interesting and highly relevant reading. I do know that many of his examples are very different from elections technology, in fundamental ways, and for many many reasons. So there’s no one-to-one correlation, but listen to what he says:

“Doing it wrong: Enterprise Systems, I mean. And not just a little bit, either. Orders of magnitude wrong. Billions and billions of dollars worth of wrong. Hang-our-heads-in-shame wrong. It’s time to stop the madness.” (from “Doing it Wrong” from Tim Bray)

and:

“What I’m writing here is the single most important take-away from my Sun years, and it fits in a sentence: The community of developers whose work you see on the Web, who probably don’t know what ADO or UML or JPA even stand for, deploy better systems at less cost in less time at lower risk than we see in the Enterprise.” (from “Doing it Wrong” from Tim Bray)

and:

“The Web These Days · It’s like this: The time between having an idea and its public launch is measured in days not months, weeks not years. Same for each subsequent release cycle. Teams are small. Progress is iterative. No oceans are boiled, no monster requirements documents written.” (from “Doing it Wrong” from Tim Bray)

and:

“The point is that that kind of thing simply cannot be built if you start with large formal specifications and fixed-price contracts and change-control procedures and so on. So if your enterprise wants the sort of outcomes we’re seeing on the Web (and a lot more should), you’re going to have to adopt some of the cultures and technologies that got them built.” (from “Doing it Wrong” from Tim Bray)

All of these quotes are from “Doing it Wrong” from Tim Bray. I suggest reading it.

Open Source e-Voting article in Network World

I came across an interesting article in Network World, “Open Source: How e-voting should be done”, by Paul Venezia of InfoWorld. It’s a good survey and review of some of the arguments in favor of Open Source in the management, conducting and tallying of elections, so I recommend reading it.

A couple of thoughts. Paul says:

“Another problem of current e-voting systems is that many still in operation provide no paper trail. Americans can’t fill up their cars or access their bank accounts from an ATM without being prompted to print a receipt, but in many voting precincts, we can vote with nothing tangible to show for it.”  (from Open Source: How e-voting should be done)

I have to say that I agree with this (at least for the next few decades.) It seems to me that with all the questions – some more legitimate than others – about election results, we need to preserve a brain-dead-simple way of doing a recount that everyone can understand, and it would seem that a piece of paper that can be re-counted is the way to go. Caveat: I know it’s not really brain-dead-simple, and that conducting a recount of paper ballots can be extraordinarily complicated with lots of possible gaps and mistakes.

Paul further says:

“But the key to securing e-voting resides in making its systems open source. […] It’s time for us to make good on the promise of open elections and open our e-voting systems as well — no black boxes, no intellectual property protections, no obfuscation, and certainly no backdoors. Doing so would require a federal mandate, one that would eliminate the use of closed source devices” (from Open Source: How e-voting should be done)

I (obviously) believe in the open source philosophy, and think it’s an important way that we can improve confidence in our elections. But I don’t think it’s a panacea, or “the key” in any shape or form.

In fact I don’t think in terms of ‘the key.’ There’s a lot of room for improvement for sure. But there’s also quite a lot more to even the technology side of elections than the software inside an optical scanning device. No doubt it’s a complex, decentralized system (both technically and in the way it is managed, operated and deployed).

Check out the article and let us know your reactions too.