On Sun, Feb 18, 2007 at 09:57:04AM +0000, Dieter wrote:
> Would HDCP be a useful security feature for a FLOSS voting machine?

        No.  I've been doing quite a bit of work on design standards for
voting hardware.
        The basic integrity issue is that any voting system has to be open
and verifiable in order for the citizens to trust it.  Every part of the
process must be continuously open to public view, to demonstrate that the
final result correctly reflects the intent of the voters.
        The vote recording step is particularly critical, because only the
voter is in a position to determine that the votes have been recorded
correctly.  That's because the secret ballot is necessary in order to
prevent improper influence on the voters.
        The New Hampshire legislature solved that part of the problem by
requiring all votes to be recorded on paper ballots.  This ensures that the
physical form of the recorded votes is directly visible to the voter without
the mediation of any mechanical, electronic, or optical devices -- the voter
verifies that the vote is recorded directly with his or her own eyes. 
Further, the voter is required to mark the ballot with his or her own hand
with indelible ink -- that eliminates the possibility that some machine
could mis-execute a command to mark it in a particular way.  The durability
of the paper ballot ensures that the ballot counters look at the same
physically recorded marks that the voter saw, so that they cannot be altered
between the recording step and the counting step.
        The only type of voting machine allowed under New Hampshire law is
an optical-scan ballot counting machine.  We are deeply skeptical about the
integrity of our present commercially made machines.  Our local volunteer
group, and the N.H. House Election Law Committee, are starting work on
design standards for an optical scan machine that could potentially meet the
state constitution's requirement that ballots be counted in open meeting. 
The basic principle is that logical proof must exist in the public record
that the machine's design is correct and free of critical bugs, and that
every possible component failure will result either in correct operation, or
in a safe failure condition -- that is, that it's incapable of delivering an
incorrect result.
        Inspectors of election, who are appointed by the opposing political
parties, are a key feature of New Hampshire election law.  Along with the
elected moderator, they supervise the polling place and verify compliance
with the laws.  With a complete set of peer-reviewed design documents
deposited in the public record and published, they must have means to verify
on-site that the machine is in compliance with its design drawings,
published executable code, and election configuration files.  I have a
number of design features in mind to facilitate intrusive on-site
inspection.
        Output would be on paper only.  This would create a durable,
indelible tally sheet, which could be physically transported to the central
tabulating site -- again, to make absolutely certain that the central
tabulators are working from exactly the same results that the local
officials saw come out of the machine.  The provenance of the tally sheets
would be authenticated by the handwritten signatures of the local officials
who printed them out.
        The machine would be isolated from outside influence by designing it
without any I/O interfaces other than the dual scan heads and the print
head, and those would be tightly integrated into the electronics design at
the transistor level as part of the fail-safe hardware design.  The clear
plastic case would allow the party inspectors to see all internal parts, and
verify that no unauthorized I/O devices or other modifications were present.
        So cryptology is beside the point.  No secrets of any kind can be
tolerated anywhere in a vote counting system.  "Security" in a vote counting
system consists of a documented chain of custody for public records, logical
proof of correctness, comprehensive failure mode effects analysis, and
complete openness at all times.
_______________________________________________
Open-graphics mailing list
[email protected]
http://lists.duskglow.com/mailman/listinfo/open-graphics
List service provided by Duskglow Consulting, LLC (www.duskglow.com)
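The fail-safe counting rule described in the message (dual scan heads, paper tally sheet, no result delivered on any failure) can be stated precisely in code. The following simulation is an added example written for this page; it is not code from the message's author, from the New Hampshire project, or from any real voting machine. The contest names, ballot layout, and sample scans are all constructed, and the `Counter`, `HaltState` and `run_count` names are hypothetical. It models the three behaviours the message calls for: a ballot is tallied only when both heads report identical marks, a disagreement sets that ballot aside for the officials without contributing to the count, and a configuration mismatch (a mark position the machine was not configured for) halts the entire run with no tally sheet at all rather than a possibly wrong one.

```python
"""Fail-safe dual-scan-head tally logic (illustrative simulation).

Added example, not code from the original message or from any real voting
machine. Each ballot is read by two independent scan heads, and the counter
may only accumulate a vote when both heads report the same marks. Any
disagreement sets the ballot aside; any internal inconsistency puts the
machine into a halt state that delivers no result. All ballot images below
are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Sequence, Tuple

# A "scan" is the set of oval positions a head reports as filled on one
# ballot. Positions are labelled (contest, candidate), e.g. ("gov", "A").
Scan = FrozenSet[Tuple[str, str]]


class HaltState(Exception):
    """Raised when the machine must stop without delivering a result."""


@dataclass
class Counter:
    contests: Dict[str, Sequence[str]]  # contest -> allowed candidates (hypothetical config)
    tally: Dict[Tuple[str, str], int] = field(default_factory=dict)
    set_aside: List[int] = field(default_factory=list)  # ballot indexes for hand review
    ballots_counted: int = 0

    def __post_init__(self) -> None:
        for contest, cands in self.contests.items():
            for c in cands:
                self.tally[(contest, c)] = 0

    def read_ballot(self, index: int, head_a: Scan, head_b: Scan) -> None:
        # Rule 1: both heads must report identical marks; otherwise the ballot
        # is set aside for the election officials and contributes nothing.
        if head_a != head_b:
            self.set_aside.append(index)
            return
        # Rule 2: every mark must map to a configured position. An unknown
        # position means ballot layout and configuration do not match, which
        # is a safe-failure condition for the whole run, not just this ballot.
        for key in head_a:
            if key not in self.tally:
                raise HaltState(f"ballot {index}: unknown mark position {key}")
        # Rule 3: an overvote in a contest records no vote in that contest.
        votes_by_contest: Dict[str, List[str]] = {}
        for contest, cand in head_a:
            votes_by_contest.setdefault(contest, []).append(cand)
        for contest, cands in votes_by_contest.items():
            if len(cands) == 1:
                self.tally[(contest, cands[0])] += 1
        self.ballots_counted += 1

    def tally_sheet(self) -> str:
        """Plain-text tally sheet, the only output, to be printed and signed."""
        lines = [f"BALLOTS COUNTED: {self.ballots_counted}",
                 f"BALLOTS SET ASIDE FOR HAND REVIEW: {len(self.set_aside)}"]
        for contest, cands in self.contests.items():
            lines.append(f"CONTEST {contest}")
            for c in cands:
                lines.append(f"  {c}: {self.tally[(contest, c)]}")
        lines.append("SIGNATURES: ____________  ____________  ____________")
        return "\n".join(lines)


def run_count(contests: Dict[str, Sequence[str]],
              ballots: Sequence[Tuple[Scan, Scan]]) -> Optional[Counter]:
    """Count ballots; return the Counter, or None if the machine halted.

    Each ballot is a (head_a_scan, head_b_scan) pair. A HaltState means no
    result is delivered: a partial tally is never returned.
    """
    counter = Counter(contests)
    try:
        for i, (a, b) in enumerate(ballots):
            counter.read_ballot(i, a, b)
    except HaltState:
        return None
    return counter


# Constructed sample ballots: three clean, one with disagreeing heads,
# one with an overvote in the "gov" contest.
CONTESTS = {"gov": ["A", "B"], "sen": ["X", "Y"]}
SAMPLE_BALLOTS = [
    (frozenset({("gov", "A"), ("sen", "X")}), frozenset({("gov", "A"), ("sen", "X")})),
    (frozenset({("gov", "B"), ("sen", "X")}), frozenset({("gov", "B"), ("sen", "X")})),
    (frozenset({("gov", "A")}), frozenset({("gov", "B")})),  # heads disagree
    (frozenset({("gov", "A"), ("gov", "B"), ("sen", "Y")}),
     frozenset({("gov", "A"), ("gov", "B"), ("sen", "Y")})),  # overvote in gov
    (frozenset({("sen", "Y")}), frozenset({("sen", "Y")})),
]

if __name__ == "__main__":
    result = run_count(CONTESTS, SAMPLE_BALLOTS)
    print(result.tally_sheet() if result else "MACHINE HALTED: NO RESULT")
```

The design choice worth noticing is that `run_count` returns either a complete `Counter` or nothing: there is no code path that emits a partial tally sheet, so the officials signing the printout can only ever be signing a count in which every tallied ballot was read identically by both heads. Disagreeing ballots are listed by index on the sheet's second line so the hand-review set is itself part of the public record.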