-------- Mensagem Original --------
Assunto: [Voto Seguro] Wired sobre sistemas de votacao
Data: Thu, 19 Oct 2006 17:45:55 -0200
De: Benjamin <benjamin...
Para: voto-eletronico <voto-eletronic...
Materia muito boa sobre requisitos de um sistema eletronico de votacao
It's been six years since the Florida presidential fiasco launched a
flurry of spending around the country to replace antiquated punch-card
and lever voting machines with expensive new electronic touch-screen
machines. Yet new controversies over the security of e-voting machines
continue to crop up, making it clear that the new machines are just as
problematic as the ones they replaced.
Why can't the voting machine companies get it right?
With election season upon us, Wired News spoke with two of the top
computer scientists in the field, UC Berkeley's David Wagner and
Princeton's Ed Felten, and came up with a wish list of features we would
include in a voting machine, if we were asked to create one.
These recommendations can't guarantee clean results on their own. Voting
machines, no matter how secure, are no remedy for poor election
procedures and ill-conceived election laws. So our system would include
thorough auditing and verification capabilities and require faithful
adherence to good election practices, as wells as topnotch usability and
Here, then, is our nomination for the best voting machine for 2008. Use
the comments tool below to tell us how your perfect voting machine would
Combine the best features of touch-screen and optical-scan machines in a
single device. Touch-screens are easy to use and are flexible enough to
accommodate disabled voters and multiple languages. Optical-scan devices
provide reliable paper trails.
We recommend a third alternative that combines the best attributes of
both -- a ballot marking machine, such as one made by Election Systems
These devices let voters make their choices on a touch-screen. But
instead of directly recording the votes digitally onto a memory card,
the machine prints the votes onto a full-size paper ballot. Voters or
election officials then place the completed ballots onto an optical-scan
reader (.pdf), where the votes are recorded digitally.
This system provides the same level of accessibility to disabled voters
as touch-screen machines, while producing digital votes that can be
The full-size paper ballot serves as a voter-verified paper audit trail
that's far superior to the paper record currently produced by
touch-screen machines outfitted with printers. That's because most
touch-screen printers use thermal paper -- the kind used in many cash
registers -- which produces poor-quality records that tend to curl and
tear easily. The printers also jam and can run out of paper, forcing
poll workers to replace them in mid-election -- problems that are absent
with ballot-marking systems.
Eliminate removable memory cards. Removable memory cards pose an
unacceptable security risk for voting machines and we should do away
with them, advises UC Berkeley's Wagner.
Current systems require election staff or poll workers to install memory
cards into a slot in the voting machine to record the votes. To prevent
someone from tampering with the cards, workers are supposed to place
tamper-evident tape over the memory-card compartment. But workers often
forget to install the tape or take proper action when they discover that
the tape over a compartment has been broken.
Recently, Princeton's Felten showed how it's possible to open locks on
some voting machines using a standard issue hotel minibar key.
Eliminating removable memory cards and compartments would help minimize
risks from physical break-ins.
Barring that, Wagner is also looking at viable ways to store election
data on a voting machine memory card so it can't be deleted or changed
once it's written to the card.
Simplify voting machine software to use minimal lines of code. UC
Berkeley's Wagner says current electronic voting systems are more
complex than they need to be and contain much more code than is needed
to conduct elections. This makes it difficult for certification labs to
thoroughly review the code for defects and security vulnerabilities.
"If you've got 50,000 lines of code, that's approaching the complexity
of the U.S. tax code," Wagner says.
The problem stems from the origin of most voting systems -- they weren't
built from scratch for the specific and narrow purpose of voting but
were built from general-purpose computing systems and software libraries
modified for elections. As such, they have a lot of dormant features
necessary for general-purpose machines, but not for voting. All that
extra code in the software provides camouflage in which to hide
Wagner and his graduate students are looking at ways to edit the systems
to bare essentials. "What we're trying to do is pare this stuff down to
the absolute, minimum capabilities so that it's easy to review and
certify the machines," Wagner says.
Make self-policing software. Princeton University's Felten says an ideal
voting machine would prevent someone from loading software onto the
machines that differs from the version of voting software that was
certified, as Diebold Election Systems was found to have done in California.
Felten recently made headlines when he and his students hacked a Diebold
voting system in a few minutes and installed malicious code on it. He
says a machine that would recognize the hash of a software program could
prevent a program from running on the machine if its hash doesn't match
the approved one. "That is one thing you would want to attend to in the
design of the machine -- something in the architecture of the machine,"
Felten says. Or he would design a machine that could tell officials
reliably what program was running on the system so they would know if
unauthorized software patches or a different software program altogether
had been introduced.
Create transparent code. Once the voting machine code is created, we
would follow Australia's example and make the code transparent and
available to the public so anyone who wanted to read it could see what
was in the system.
In addition, code used in any specific machine would, by law, be made
available for inspection on request if the integrity of an election were
questioned after the fact. In current circumstances, courts have refused
to force voting-machine makers to let parties disputing an election
examine their software code.
"To me this is a basic principle," Felten says, "that the process by
which elections are conducted and votes are counted should be
transparent to voters."
Processes and Procedures
Employ mandatory audits. Poor processes and procedures can undo even the
most secure voting system. Therefore, a trustworthy election requires
good systems for tracking the chain of custody of election equipment and
voting data. Given that election processes and procedures are prone to
human error and negligence, voting machine audits should be required
under law in every jurisdiction. Such audits would include the following:
Random spot checks: Experts agree that parallel monitoring of machines
on election day is essential to make sure the machines are operating
properly and the software hasn't been subverted. This involves taking a
random number of machines out of commission just before polls open on
election morning to run a sample election on them to make sure the
machines are recording and counting votes accurately.
Post-election hand audits: In addition to parallel monitoring, manual
audits after an election ensure that the digital votes were recorded and
calculated correctly. This involves hand counting the paper ballots from
a random sampling of precincts and comparing the tally to the digital
count from those precincts. Officials also need to compare the total
number of votes cast at those precincts to the number of voters who
signed in at the polls to determine if the machines lost any ballots or
if voters cast more than a ballot each.
Post-election voter verification: At the end of an election, all that
really matters is that a voter's choices were included in the final
tally and counted accurately. Election officials can use the most secure
and transparent voting machines with paper ballots and even do parallel
monitoring and hand audits and still lose votes between the time they
collect the votes from machines and issue the final results. So how does
a voter know with certainty at the end of the day that his or her vote
was among those counted in the election results? According to Felten and
Wagner, this is a problem for which there is still no easy solution.
Cryptographer David Chaum has proposed one solution (.pdf) that involves
voters receiving encrypted receipts that they would compare to final
results posted on a website after the election. But the scheme is too
technical for election officials to understand and follow, say Felten
and Wagner, and too burdensome for voters to bother with.
"We're moving slowly toward understanding that problem of 'Was my vote
counted?'" says Felten. "I think someday we may get to the point where
we can provide that kind of verifiability but it will take time."
In the meantime, he says, all we can do is take steps to "reduce the
window of vulnerability (with elections) -- not to zero, but to far
below where it is now."
Hudson Lacerda http://br.geocities.com/hfmlacerda/
microabc -- free software for microtonal music
*NÃO DEIXE SEU VOTO SUMIR! http://www.votoseguro.org/
*Apóie o Manifesto: http://www.votoseguro.com/alertaprofessores/
Yahoo! Acesso Grátis - Internet rápida e grátis. Instale
o discador agora!
PSL-Brasil mailing list
Regras da lista: