1. Substandard concrete in, say, bridge construction can be a very, very serious problem. Substandard electronic voting machines no doubt can also be a very, very serious problem. However, we currently have a much better understanding of what constitutes “substandard” for concrete than for voting machines—partly because we have a lot more experience building bridges than conducting electronic elections. Picking holes in Diebold’s voting machines is an important task, as long as those machines are in use, but it sheds little light on the overall question of what would be required of electronic voting machines and their surrounding procedures for us to trust them as sufficiently secure.

2. Of course there are well-known procedures which can compensate for the weaknesses of paper ballots. (Note, though, that those procedures have significant costs—in the form of lots of human oversight and auditing—which we simply take for granted because they’re so familiar.) Whether there are equivalent (or even possibly even simpler and cheaper) procedures that can compensate for the weaknesses of electronic voting machines remains to be seen. I would like to see security researchers concentrate on that question, rather than on the narrower question of whether Diebold’s machines in particular are up to snuff. (There are plenty of less academic types, I believe, who are fully competent to do the work of putting the current crop of voting machines through the ringer, and finding lots of the sorts of security holes that have already been found.)

3. There are several potential benefits to electronic voting machines, including much faster, less labor-intensive tallying, easily adjustable user interfaces to improve ease of use, and fewer moving parts subject to wear. There are also several potential disadvantages, some of which have been discussed here. Whether compensating for those disadvantages is difficult and expensive enough to negate all the benefits is simply unknown at this point. And to be frank, I’ve seen disappointingly little research addressing that question in a serious way.

Very astute – and satirical! Except that ballot papers have serial numbers, which can be matched to their counterfoils. The counterfoils, and the separate checklist of voters, act as a check of the total number of votes. So if you were to stuff a ballot box, a) it would be noticed that only 1500 people had voted at that station, but there were 25,000 ballot papers in the box; b) an investigation would discover that 23,500 of the papers did not have matching counterfoils, and they would be discarded. So your argument doesn’t actually work.

abb1: sounds like Utopia in “Utopia, Ltd.”: a Dictatorship tempered by Dynamite. An absolute monarchy in which every action of the King is observed by two Wise Men; if in their judgement the King becomes a tyrant, the Wise Men instruct the Public Exploder to explode the king.

Given the narrow significance of the Diebold findings, then, why are security researchers so interested—indeed involved—in them? I believe it’s largely because, as I explained, security researchers are powerfully tempted to focus on attacking specific technologies rather than securing systems. And once they do so, they must then justify themselves by claiming broader significance for the attacks than they really deserve.

[from the NYT article]

Computer scientists who have studied the vulnerability say the flaw might allow someone with brief access to a voting machine and with knowledge of computer code to tamper with the machine’s software, and even, potentially, to spread malicious code to other parts of the voting system.

{BEGIN sarcasm}

What a coincidence! I’ve recently uncovered a potentially devastating flaw in paper ballot voting systems. The flaw would allow anyone with brief access to a ballot box to insert large numbers of fraudulent votes, which would then be counted as valid, or to destroy all the previously entered votes, making them unreadable. Obviously, then, every company that has ever marketed paper ballot-based voting materials has been laughably negligent–as has any jurisdiction that has ever used them.

{END sarcasm}

Let me make a few assertions here, and see if we can all agree on them:

1. A voting technology is not a voting system. A voting system is one or more technologies combined with a collection of procedures for using them to run elections.

2. Any voting technology, no matter how carefully designed and implemented, is doomed to be insecure if embedded in a sufficiently broken system. (See, for example, Karlof, Sastry and Wagner.) Conversely, any voting technology, no matter how poorly designed and implemented, is probably securable (though possibly at a prohibitive cost) using sufficiently elaborate surrounding procedures.

3. Older technologies will inevitably seem more secure than newer ones, because the procedures surrounding them have evolved, in response to attacks, to the point where known attacks have generally been mitigated, and novel attacks are unlikely.

4. Therefore, in evaluating new voting technologies, we should treat newly discovered attacks not as refutations of the new technology, but rather as challenges to both the technology designers and the system designers to mitigate them (challenges which they may or may not be able to meet at an acceptable cost).

———

There is an unfortunate tendency in the computer security research community to overplay the significance of new attacks. This weakness is understandable: attacks, unlike claims of security, are empirically verifiable, often using spiffy demos; they can have immediate and substantial real-world impact, whereas new security technologies must first be built, tested, sold, deployed, and so on; and they place security researchers in the enviable role of scolding expert rather than supplicant technology salesman.

But they should remember that their job, first and foremost, is to provide the world with more secure systems–not simply to break things. And while I’m certainly glad that the weaknesses in voting systems like Diebold’s are being exposed, I wish security researchers would exercise a little more perspective each time they find one. After all, all technologies have such weaknesses, and new technologies inevitably have as-yet-undiscovered ones.

The far more interesting question is how the ultimate result of the vulnerability discover-repair cycle for this technology and its surrounding system will end up comparing with systems based on other technologies. Security researchers should have something interesting to say about that question, but so far, I’m sad to say, the community has generated a lot more heat than light on the subject.

dkos folk who are interested in this issue are pooling information at http://groups.yahoo.com/group/election_integrity_and_reform/

Stuart’s assumption that more voters means more spreading out of cost is too idealistic. There is not much money to begin with, and the logistics are made worse by geography and lack of development – if you need to run a voting booth in a remote Himalayan village that is not accessible by road, a briefcase-sized machine is again much easier to handle than boxes of paper.

Because the election fraudsters weren’t organized and entrenched enough to make SURE any new machines would be easy to cheat on, natch.

We’ve known for DECADES of major election fraud in places like Chicago, and of a sort that’s easy to prove. Why hasn’t it been stopped?

It was obvious from the start that voting machines based on general purpose computers were a really bad idea. It went ahead anyway.

There may be a lot of people trying to steal elections in young democracies, but in old democracies they get really good at making sure nothing can be done about it…

http://www.openvotingconsortium.org

Indeed. It may take weeks to the couriers from remote provinces to bring results to the capital.

Really? What are you offerring by way of guarantee and what do you offer as proof of this assertion?