DRE systems can't be trusted???

[Guy Lancaster <glanca@gesn.com>]

[ -- How I would like to respond if I could post this publicly. :-} ]

Dear Lorrie:

While Eva's argument may be true, it needs a little perspective. (**)


> ----- Original Message -----
> From: "Eva Waskell" <ewaskell@safevote.com>
> To: "Lorrie Faith Cranor" <lorrie@research.att.com>
> Sent: Wednesday, December 13, 2000 5:38 PM
> Subject: Michael Shamos' DRE Challenge
>
> Dear Lorrie,
>
> The DRE challenge issued by Michael Shamos misses the
> critical point about these systems: How do you know that
> the true voter choices were the ones actually recorded by the
> DRE? (The answer is: You don't and can't know.)

 True, you may never be able to prove in an absolute sense that the
reported results accurately reflect the voters' choices.  However, all
practical election systems suffer this risk.  The question should
therefore be to what degree can we trust DRE systems relative to other
voting systems?

> If there were
> a piece of hidden code in the software that only surfaces during
> the election period, changes the votes to a pre-determined outcome,
> and then self-destructs, it would be impossible to detect such
> manipulation.

  Actually this would be far harder to do than suggested here.  Consider
the many possible checks to catch just this kind of attack.  The simplest
is to compare the code that is used to a master copy.  This can be done by
computing hash values and/or by a bit-by-bit comparison.  Thus, if the
code changed, it would be easily caught.

  Second, the hidden code would need to be triggered by something so that
it wouldn't affect any of the counting tests that must be performed on
such software.  Assuming that the software has access to the real time, it
could be triggered by the polling hours but this could be exposed by
resetting the clock during testing or by performing tests on backup
systems during the election.  Thus I propose that any possible attack can
be detected if appropriate checks are in place.

> This was just one of the questions raised (and not
> satisfactorily answered) by Peter Neumann, Rebecca Mercuri, Ronnie
> Dugger, myself and MANY others back when New York City was considering
> purchasing thousands of DREs. I refer you to Ken Thompson's article
> "Reflections on Trusting Trust" at   http://www.acm.org/classics/sep95
>
> Until THIS issue is resolved, any other challenge/test is irrelevant.
>
> Eva Waskell
> Safevote, Inc.
>

  Elections are complicated to run due to the large number of conflicting
requirements that we try to meet.  Any system that concentrates on being
able to prove that the results reflect voter intent must necessarily
compromise privacy.  After all, how could you possibly be certain unless
each voter publicly declares his or her intent?  The best that you can do
is to run different test scenarios until you finally accept that the
results are indeed accurate.  If you have any nagging suspicions or any
new ideas on possible ways that the system could be compromised, you run
more tests.  I wish that it was this easy to test the people involved in
operating the system. :-)

  We must always seek to find the best possible balance between security,
accuracy, privacy, and cost.  One size will not fit all so there will be
times when we will have to re-adjust the balance for different
situations.  The point is that you can analyze any system and find
weaknesses but, after all, our airplanes still fly.  We know that there
are vulnerabilities so we need to make sure that we stay diligent and that
we investigate any suspicious incidents to see if we should be modifying
our system.

Guy Lancaster
Global Election Systems Inc.
---
** These comments are my own and may not represent those of my employer or
its agents.