Thought experiment

[unixronin]

cipherpunk posted yesterday about a paper on the weaknesses of DRE voting machines.  And it got me thinking.

Suppose that every state, when requesting bids for voting machines, were to include a clause like the following in the request for proposals:

"n.  By submitting a bid in response to this request, you grant permission for an independent security audit of the submitted voting equipment prior to completion of the bid process, said audit to be performed by agents including but not limited to an agent or multiple agents appointed by $state, and agree to cooperate fully and in a timely manner with any and all such audits."

I think the results might be interesting.  Discuss.

Comments

[cipherpunk.livejournal.com]

This assumes the state is competent to hold its own audit. I think that's an unwarranted assumption. There are only a handful of institutions that are capable of giving these systems the dissection they deserve: Berkeley, Rice, Stanford, UI, MIT, Johns Hopkins, mostly.

This also leaves the door open for trade secret law to be invoked. The vendors will say "hey, we have no objections to an independent audit, as long as there is no public report released and none of our IP is disclosed, ever." (Don't laugh: governments have done precisely this many, many times.) The vendors then get a security analysis for free, and can rest secure in the knowledge that they will never get a black eye from it.

What we need is transparency in the process. Vendors know this, we've screamed this at them often enough. As a general rule, though, the vendors are not willing to provide transparency. Given the choice between opening up their systems to inspection and simply getting out of the voting machine business, the general tendency is to choose the latter.

A much more interesting set of proposals, I think, is based on the Ansari X-Prize. "$100 million cash, tax free, to whoever comes up with the best DRE system, as evaluated according to these criteria by these people."

Another interesting one would be "$100 million of NSF funding is now available to qualified institutions that want to build their own voting machines." Our current NSF grant explicitly forbids us from doing this, as well as is underfunded. Giving us that charter and the funding to do a couple of generations of DRE design, including actual working hardware, would very quickly lead to some high-quality systems.

The problem isn't that we don't know how to do DRE well--we generally have at least a clue--but there are no market forces right now encouraging the adoption of well-designed DRE.

[unixronin.livejournal.com]

This also leaves the door open for trade secret law to be invoked. The vendors will say "hey, we have no objections to an independent audit, as long as there is no public report released and none of our IP is disclosed, ever."

Yeah, I forgot to stipulate that the bidder may not prevent public release of the audit results. Which is kind of silly, since that was the whole point of my thought: "Would companies like Diebold still try to sell such crappy systems if they knew that trying to do so would mean it would become public exactly how crappy they were?"
My intention in saying "including but not limited to" was both to allow states to ask, say, Berkeley and MIT to perform their audits, but in the event they didn't, to allow Berkeley/MT/et al full access to conduct their own independent audits without the manufacturer being able to interfere.

A much more interesting set of proposals, I think, is based on the Ansari X-Prize. "$100 million cash, tax free, to whoever comes up with the best DRE system, as evaluated according to these criteria by these people."

That, indeed, would be a Good Thing. :) It'd also be interesting and revealing to see, once the prize was won, which states actually adopted the winning system, and which continued to use insecure and exploitable systems...

The problem isn't that we don't know how to do DRE well--we generally have at least a clue--but there are no market forces right now encouraging the adoption of well-designed DRE.

That is, indeed, exactly the problem. And as long as the states care but little about how sound the designs are, the vendors have no incentive to make them better.

(What amazes me is that things have happened as blatant as some Ohio districts in the last election returning more votes for one candidate than the total number of people who voted in that district, and still very few people stood up and said "Hey, we have a real problem here.")

[unix-jedi.livejournal.com]

(What amazes me is that things have happened as blatant as some Ohio districts in the last election returning more votes for one candidate than the total number of people who voted in that district, and still very few people stood up and said "Hey, we have a real problem here.")

Most of us who did were accused of being racist, corrupt, Republicans trying to keep people down.

And were outshouted by many such who insist - DEMAND - that since almost no prosecutions have taken place, that it's proven that voter fraud doesn't exist.

....

"If it was done successfully (in many cases), how could you even prosecute it? It's a secret ballot, after all?"

"See! No problems!"

It's a particular kind of blindness that really tends to affect those who thinks that they can skew the results their way. I don't think it's easily an "evenhanded" accusation, it affect the Leftish much more than the Rightwards. Most of the right leaners at least pay lip service to the concept of playing by a set, defined set of rules, and not changing them in mid-course.

The leftish sorts don't. In their policy preferences, rules, and guidelines. Leading to all sorts of problems. (In case anybody wants to quibble: Policy Preferences - the vitrol thrown at the FBI when it was discovered that they were "wiretapping" the kidnappers of the American soldiers (still in enemy hands) in Iraq, and upon finding that they'd crossed into the US in terms of wiretapping laws, and they stopped listening and recording. Several prominent Democrats savaged the FBI, demanded names of those agents who dared to obey the law. Rather than deal with exceptions up front, most of the left tend to want to make exceptions on a case by case basis, most notably based upon the "right-thinkingness" of the suspect in question.)

Thus the problem with voting. I've seen many cases of people registered in 2, or even 3 states, and voting. But since they're almost all Democrat, and the illegals voting are voting D, then the left side of the country is going to fight tooth and nail to prevent anything to close those gaps and set up a standard set of rules and checks.

Until, of course, it becomes noticed that all the capitalist corporations that are providing the machinery are all Republican "shills" [sic]...

If you set the system up correctly, it won't matter.

Back to your main point, there's no reason the contract couldn't have that. I've seen several financial system bids with something very similar. Outside audit, results publicly accessible.

In my opinion, it shouldn't be just for voting machines, but any equipment purchased with tax dollars. DUI machines. Blood testers. Red light cameras (aha! they're leased! (just for that very reason)).


But right now, illegal voting definitely benefits one partisan side, and until that's addressed, it's not going to be seen as a partisan attack against them to "deny" them their "advantage".

[unixronin.livejournal.com]

And were outshouted by many such who insist - DEMAND - that since almost no prosecutions have taken place, that it's proven that voter fraud doesn't exist.

By that logic, none of Ted Bundy's victims were a problem until he was actually caught and put on trial. Ditto the Green River Killer or any other serial killer in history.

In my opinion, it shouldn't be just for voting machines, but any equipment purchased with tax dollars. DUI machines. Blood testers. Red light cameras (aha! they're leased! (just for that very reason)).

I'd go along with that.

[ithildae.livejournal.com]

The current generation of Electronic Voting Machines was driven by congress, in panic mode, after the 2000 election. The companies involved convinced our representatives that the best way to fix the vote counting problems was to do it with a computer. Congress promptly allocated $3 Billion and change to large companies to develop such a beast.

What you are suggesting would be a more thoughtful, market driven development cycle. Instead of major companies trying to burn through allocated cash as fast as possible, without consideration of quality, we would be trying to find out what the public needs to ensure a fair and verifiable election result.

I don't think your suggestion will really help matters. It is an attempt to make a silk purse. What we have is a pig. If we want reasonable voting machines, the states and municipalities must be the ones to demand it, creating a market. What we have was a product looking for a market. The consumer base has already been badly burned, I doubt the market will recover anytime soon.

[novel-tharkun.livejournal.com]

I hate to promote the conspiracy theory idea / idiocy, but I'd suggest that for the corporations involved, and for the politicians (appointed & elected both) involved in the decision-making having truly good design is unimportant. Any with power over the choice of machine are likely to be in a position to abuse the mistakes in design. Moreover any particular company that "won" such a competition would instantly have pricing power to charge more and no politician wants to be in a position of having to choose proven trust and reliability at high cost against promises (even proven false ones) of trust and reliability at lower cost. Witness the lengths to which the US of A hides its military & intelligence expenditure breakdowns.