[EM] Why We Shouldn't Count Votes with Machines

Kristofer Munsterhjelm km-elmet at broadpark.no
Fri Aug 22 05:06:47 PDT 2008


Dave Ketchum wrote:
> You claim that many fragments can be done by specialized machines. 
> AGREED, though I do not agree that they can do it any better than a 
> normal computer - which has equivalent capability.

In a technical capacity, of course not. Since a computer is 
Turing-complete, it can do anything the specialized machines can. 
However, and this is the point I've been trying to make, the specialized 
machines are simple enough that it's possible to formally prove that 
they do only what they're intended to do, and perhaps also to convince 
the voters that this is the case.

It's kind of like the difference between physics and mathematics. Doing 
tests is analogous to the hypothesis testing of physics: you can say 
that this particular machine does not exhibit any flaws that would 
compromise security, within some margin of error. However, if the 
machines are sufficiently simple, then one can use formal proving to 
show, mathematically, that there are no bugs; that the Condorcet counter 
will turn ballot records into Condorcet matrices and no more - that the 
machine with buttons on it will register votes, register them to the 
candidate shown on the display, and no more, and so on.

Now, the analogy is not total. Even a correct hardware system could be 
compromised by vendors adding backdoors to their fabrication (going 
outside of the spec) and so on, but those errors are much harder to 
conceal than simple software tinkering. Even if the software is open 
source (as you've stated that you want), knowing the full limits of the 
hardware keeps hackers out. The more complex the OS, the greater the 
chance that there's a bug: even Linux has had privilege escalation bugs, 
although they appear much less frequently than in closed-source 
software. What I'm saying here is that if you have to have machines, 
have a way of saying to, first, the experts that there is no way there 
can be an error, and second (if possible), the same to the ordinary 
voters as well.

> However, the whole task involves connecting the fragments:
>      One way is via computer capability.
>      You seem to be doing without such, so What do you have other than 
> humans HOPEFULLY correctly following a HOPEFULLY correct and complete 
> script?

That's right - the links are the weak spots. The script can be devised 
just as any programming can be, and it would be quite simple, and 
ideally reminiscent of what one does when having a manual count regime. 
The PROMs or CDs are the ballot boxes, and they're transported from one 
location to another as one would ballot boxes.

That leaves the humans. The humans may do weird things, and the ensured 
limits that the specialized hardware would have would obviously not 
apply to them. But since the script is simple, various parties can 
monitor each other. In the worst case, the transportation and 
aggregation parts of the process are as insecure as they would be for 
manual ballots.
If that is still too risky, the "ballot boxes" could be numbered and 
digitally signed prior to being distributed to the machines for writing, 
so that if any are lost or replaced, it would immediately show up as an 
error. Such a process would add steps to the script, but I think it'd be 
managable.

>> Consider a general computer. Even for general computers, it makes 
>> little sense to have the district joining software - that counts the 
>> results from various districts and sum them up in the case of a 
>> summable method - on the individual units. As such, the 
>> general-purpose computers are already specialized, only in software 
>> instead of hardware.
> 
> ???

That was simply intended to show that you don't need the full powers of 
a computer. It's convenient, but that convenience can tilt in the favor 
of manipulators or hackers as well.

>> That's true. Maybe a compromise could be using cheap computer hardware 
>> with read-only software, standardized components, and have the 
>> software not be a full OS, but instead just enough to get the job done 
>> and be provable. You'd have to rely on that there are no hardware 
>> backdoors, but the existence of such would be very unlikely, and the 
>> entire thing would have to be put inside some sort of tamper-resistant 
>> enclosure so hackers can't attach keyloggers or do similar things.
> 
> Hardware backdoors can be hard to find.  Still, if and when one is 
> found, can there not be an appropriate punishment to discourage such 
> crimes in the future?
> 
> Agreed defense against such as keyloggers is essential.
> 
> I still say OPEN SOURCE!

I was thinking more of hardware keyloggers, such as those that look like 
keyboard extension cords. Thus the computer should be tamper resistant 
so you can't just do these things. Ideally, for the cheap computer 
compromise, you'd use a cryptoprocessor (like banks use to keep their 
keys, but more general purpose) to run the actual software - perhaps an 
IBM 4758, though since I'm not a hardware expert I don't know if that 
one is sufficiently powerful to do what you want. Searching the web says 
that the 4758 has a 486 inside.

>> A chip with just enough transistors to do this task. I'm not a 
>> hardware expert, but I think it could be done by the use of a HDL like 
>> Verilog.
> 
> The chip needs to be able to find its data.

Yes. For the sake of simplicity, I'll assume a PROM format - a CD 
interface would need an IDE translator.

Then the PROM could be set up like this:

header:
  uint32 number_of_candidates

then, for each ballot
  uint32 rank_number[number_of_candidates].

which means that if rank_number[0] < rank_number[1], then candidate 0 is 
ranked ahead of (better than) candidate 1.

Then assume that addresses contain 32-bit values. That is, you have 
something like
   0                                1         < address
   12345678901234567890123456789012 123456... < bit

First read off address 0. This gives you the number of candidates. Then 
for addresses 1 to number_of_candidates, inclusive, do the Condorcet 
counting algorithm. After you're done, go to address 1 + (number of 
candidates) to count the next ballot. Repeat until all ballots have been 
counted.

> No matter what you do, errors can happen.  Proper target is to minimize 
> them, which I claim can best be via using computers for what computers 
> can do well.

I think you can minimize further by removing the slack that could be 
used for trickery, as you can't twist something that isn't there. Hence 
my idea.

>> I'll grant the point, though, regarding malicious machines. If the 
>> entire standard is public, and the machines can be rigorously tested 
>> to be sure no tricks are being done by the manufacturers, then 
>> deliberately malicious holes should not exist. I still hold that one 
>> should engineer defensively and as simple as possible, so that the 
>> system is transparent to as many people as possible, and so that bugs 
>> either are fixed very quickly or (preferrably) don't have the room to 
>> exist at all.
> 
> Looks like what I am trying for.
> 
> Simple is a good word, as is defensively.

See above.

>>
>>> I want:
>>>      Display completed ballot, for voters to review and redo any 
>>> problems.
>>>      Record ballot on CD-R.
>>>      Open source, so the programs SHOULD be 100% correct.
>>
>> (Just a note: if the programs are simple enough, one can *know* they 
>> are correct. With provisions for unexpected OS bugs unless the OS 
>> itself is equally simple, and so on.)
> 
> When you mention OS, remember my insistence on open source.

Yes, but try proving Linux (which is what I mean by *know*). At multiple 
million lines of code, that's going to be quite a task.

The compromise option could have an open source software system that is 
simple enough, and thus would get around the problem. It wouldn't be a 
traditional OS, though (but perhaps it would lead to a formally secure 
microkernel, something that would be very interesting in "ordinary" OS 
development as well).

>> Granted, if the machine isn't hacked due to an unexpected bug. 
>> Printout-based machines could be useful even if we have provably 
>> correct machines (strongest sense of security) if the voters are very 
>> distrustful. Counting only based on the printout ensures the voter 
>> that nothing fishy is going on - because nothing fishy *can* be going on.
> 
> Our sorry history justifies distrust.
> 
> I DO NOT like printout-based machines.  To start some thinking, how about:
>      All machines have identical valid code,
>      Some have video cameras recording the ballot as the voter submits it.
>      Voters choose which machines to vote on.
>      Audit that tapes prove 100% correctness of those machines taped - 
> BETTER be.

If you use this in real elections, be prepared for voters with privacy 
complaints. If you let the voters decide which machine to use, the great 
majority would use the untaped ones. Also, the cameras would add to the 
cost of the machine. If the videotape is publically available or it's 
possible to identify voters, that could leak information to vote-sellers.

If you use it for verification purposes only, you have to be sure that 
the voters don't act differently than in the real election (so the test 
is representative). I suppose you don't need exact correspondence since 
"probabilistic flipping" algorithms would easily be detected, but it 
would fail to catch things like election-day hacking.

In any case, instead of using a literal tape, I think you'd have to 
record the video on a write-once storage medium so that it can't be 
tampered with afterwards. You would have to compress the video stream 
very heavily to fit.

What, in your opinion, is the problem with printout-based machines?

>> Use a LED with a photoresistor on the other (logging machine) end. No 
>> data can move from the voting machine to the logging machine, and so 
>> would reduce complexity significantly. Or have two in different 
>> colors, one of which is always on to detect broken cables.
>>
>> There'd still be some code to verify, though: make sure that the 
>> voting machine don't leak ballot data to the logging machine, for 
>> instance.

Oops, that should have been "No data can move from the logging machine 
to the voting machine". Of course data would have to move from the 
voting machine to the logging machine, or there would be nothing to log.



More information about the Election-Methods mailing list