Glass Box Voting

Let noone say Prime III isn’t patriotic:

I referenced David Brin’s book The Transparent Society earlier, and finally published a link to Bruce Schneier’s writing on voting technology last night. They have recently had a back and forth on some very interesting topics.

In The Transparent Society, Brin observes that the powers of state and corporate surveillance are growing exponentially, and that citizens should be able to have similar levels of scrutiny into the practices of governments and companies. I don’t do his overall thesis justice, go buy the book to learn more.

Bruce Schneier’s article, The Myth of the Transparent Society (also posted on his blog), points out that mutual transparency fails to protect citizens because of the power imbalance between individuals and institutions. The marginal value of each information transaction benefits the institutions more, because it can be correlated to their already huge information store.

Brin’s response builds on Schneier’s critique in an interesting way.

Bruce Schneier’s recent column on Wired.com pokes a short-sharp critique toward my 1997 book, The Transparent Society, and its argument that freedom is best served when all citizens have enough knowledge to hold each other reciprocally accountable.

Schneier, a noted commentator on internet security, begins by positing, almost as an axiom, that any civilization based upon general, reciprocal openness would be a major departure from our present social contract. Something “different than before.”

Alas, that premise is false right out the gate. For we already live in the openness experiment, and have for 200 years. It is called the Enlightenment — with “light” both a core word and a key concept in our turnabout from 4,000 years of feudalism. All of the great enlightenment arenas — markets, science and democracy — flourish in direct proportion to how much their players (consumers, scientists and voters) know, in order to make good decisions. To whatever extent these arenas get clogged by secrecy, they fail.

An interesting back and forth. I still need to find the time to blog more about transparency with relation to voting machines and voting administration.

Found at Marco Ramilli’s blog.

I have read Bruce Schneier’s blog for years, it’s a excellent source of information about cryptography and security. I appreciate his Snake Oil Alerts in particular, because they educate you on what to look out for. A common claim by vendors, for example, is that 2048 bit RSA keys are “better” somehow than 256 bit AES keys, which just isn’t the case.

On the topic of voting, I would start with The Problem With Electronic Voting Machines.

Prime III is a system developed at Auburn U. The reviewer says:

At first eye the system appears really well designed. The voter may vote by touch screen and/or by voice in a very intuitive way. If the touch screen has been compromised the voter uses the microphone to express her will. None can understand what the voter is doing because the Prime III links randomly the candidate’s names with number of BEEP that the voter may use to cast the ballot. So for example if there are two voters at the same time that wanna vote for the same candidate they will speak different sequences of BEEP. Moreover Prime III utilizes a dynamic imposter file organization which dynamically generates random signed ballot file into a complex folders system, where only one is the correct one. The real vote folder is determined by an input key set by the election administration official. The whole system runs on SELinux versions where takes the logs informations if necessary.

I will need more information to determine how secure this really is. The Prime III page (click “visual examples”) says, “Each file, whether real or an imposter, is encrypted with Triple Data Encryption Standard (Triple-DES), Advanced Encryption Standard (AES) or other encryption algorithms. The encryption method used for the imposter files are pre-assigned and may vary from precinct to precinct.”

Use of encryption is dandy, but the above statement tells us nothing about how this encryption is achieved and how it protects anything. I need more information on their key management practices before I buy their claim that encryption actually does something in their system.  It sounds like their system requires long term symmetric keys, which can have terrible consequences if compromised, and yet must be retained for the duration that the system is operating.

The randomized folder names strikes me as security by obscurity, which is worthless against a determined attacker.

I wonder how the dummy votes are generated - if those are random, can the real votes be distinguished from the random ones by statistical analysis of the contents?

Their process of “voter verifiable video audit trails” as a way of achieving software independence is interesting. I hope their video logs are hard to alter (displaying time on the UI would prevent replay attacks, for instance).

In Iowa, disputes over control of voting equipment purchases.

Gov. Chet Culver wants more oversight of the purchase of voting machines by Secretary of State Michael Mauro.

Culver says Mauro should work with the Department of Administrative Services on the purchase of the machines. The department’s director, unlike Mauro, reports directly to Culver.

The governor’s request will be included in an amendment to a Senate bill that outlines Mauro’s plan to buy the machines. The $8.5 million plan calls for the state to pay for the new equipment so every county has machines with paper ballots that could be recounted if necessary.

Culver spokesman Brad Anderson said the governor, who was secretary of state before Mauro, wanted the added oversight to make sure the state got the best deal possible.

Instant-runoff voting in Minneapolis unlikely in 2009

Minneapolis probably won’t be ready to use a new voter-approved multiple-choice voting system in next year’s election, the city’s top election official said Friday.

“I don’t believe that the city of Minneapolis will be ready for a ranked-choice voting election with equipment in 2009,” said Election Director Cindy Reichert in an interview after giving the City Council a status report.

The system, also called instant-runoff voting, allows voters to rank three candidates for an office in order of preference. City voters approved it in 2006 for use in 2009, unless the council adopts an ordinance that spells out why the city isn’t ready.

The lengthy schedule for getting the equipment bought, certified by federal and state authorities and delivered makes instant-runoff voting unlikely in 2009, Reichert said.

 In real Diebold news:
United Technologies Makes Bid for Diebold

Update

I wonder how this news will affect the bid.

Four people forwarded this to me, haven’t had a chance to post until now:
Diebold Accidentally Leaks Results Of 2008 Election Early

Not happy with their eSlate machines, considering paper or opscan options.

Same as it ever was:

County officials say the machines — manufactured locally by Austin-based Hart InterCivic Inc. — are superior to paper ballots because they are faster, save time and money, are easier for people with disabilities to use, and erase doubts about “voter intent” that made the hanging chads of the 2000 U.S. presidential election so infamous.

But with a high profile, high-turnout primary just a week away, critics say computer glitches on electronic systems could lead to errors in vote totals and, without paper records, make real recounts impossible.