Justin A. Parr - Technologist

-Forward-

I attempted to post this rather verbose response, and it was excluded as “potential spam” on submission.

I feel like the response needs to be heard, I think I am making valid points, and I thought this would make an excellent inaugural post for my “Business of IT” blog. Please read and enjoy… I welcome (appropriate) comments and feedback.

-Justin Parr

This post is in response to the following article:

Sharon Machlis, “Opinion: Let’s impeach e-voting”, ComputerWorld, 9/8/2008
http://computerworld.com/action/article.do?command=viewArticleBasic&articleId=325032

Article summary: “It’s time to outlaw any voting machine that doesn’t offer the possibility of a paper-based recount.”

My (unpublished) Response:

First, let me lead with this statement: PAPER IS OBSOLETE.

Second, let me address the topic at hand. My opinion is that the author is completely wrong on a couple key points:

1. Any time a machine has to manipulate paper, there is inherent inaccuracy, risk of mechanical failure, and risk of alteration as a result. When was the last time your printer jammed? Conversely, when was the last time your monitor jammed? Digital is inherently more reliable and more accurate than analog. The minute you commit digital information to printed media, it becomes analog.

2. The problem with the approach to-date is that all of these electronic voting systems are ground-up proprietary systems that don’t use established technology standards and controls that have been common in business, the government, and military for years (or decades, in some cases). The current approach to implementing electronic voting does not provide adequate technology controls, nor attempt to mitigate the proper risks, because the developers are trying to emulate paper using an outmoded paper-based process.

Ideally, an electronic voting system has ONE GOAL: To provide a non-repudiation system for electronic data entry.

Business has been doing this since the 80’s, so my question is: Why can’t we get our collective acts together to update an archaic voting process that no longer meets the needs of its constituents?

Here is a quick list of technology controls that could easily be implemented as part of an electronic voting system, mitigating almost all security risks, and providing “business-quality” reliability:

– Non-repudiation: In digital space, a backup copy is like a witness. Applying the rule of three, you need a primary and two backups in order to PROVE that a digital event actually occurred. These three systems must be physically and logically separated, each with audit logging and appropriate technology controls to insure against tampering.

– Authentication: Use driver’s license databases (already in place) to authenticate. Each driver’s license has a photo as well as an ID number (and in some cases, thumb prints). Facial recognition or fingerprint matching (biometrics) can be used to verify identity, and then authorize the use of the voting system. Using a two-factor system (something you have — the ID, and something you are — your biometrics) brings authentication with a high-level of reliability. This approach as well as these consumer-level technologies are commonly employed throughout the business world today.

– Encryption: Using open standards such as SSL and PGP ensures privacy. Further, encryption’s brethren technologies such as hashing and digital signatures assist with non-repudiation (message authenticity, automatic error correction, and anti-tampering). Certificate-based authentication provides an added level of security, to ensure that votes are accepted only from authorized systems.

– Auditing: EVERY TRANSACTION MUST BE LOGGED. From the time the voter actuates the device until the time the vote is tallied, as well as all access to “vote” data MUST BE TRACKED AND SECURELY LOGGED. There are a number of “one way” logging devices and processes, as well as commercial tamper-proofing that ensures log data is secure.

“Uploading” a vote is a silly concept. If you compare this to e-commerce, which has been around for over a decade now, this would be analogous to “uploading” an order for merchandise. When you buy something on-line, the purchase is executed on a centralized system, not on your local computer. In addition, BOTH the merchant and your credit card company maintain separate logs of the transaction, BOTH of which have to agree with YOUR account of what happened (rule of three). If there is a concern about forging votes, put cameras in the voting booths — store a digital image of the voter AS PART OF the transaction record. This approach provides AIR-TIGHT non-repudiation.

– Change Management: The whole concept of a last minute patch, and then the repudiation surrounding the authorization of that patch screams: “LACK OF CHANGE MANAGEMENT”. There are automated change management systems that can take a snapshot of the entire voting system in order to make sure that its state is consistent with a “known-good” image.

Finally, I would like to put forward these statements in support of impeaching paper:

– Paper has no inherent controls. There is no “ballot authentication” process. If there was, these would have to employ anti-forgery techniques — expensive, inefficient, and only as valuable as the next counterfeit job.

– Paper does not ensure that dead people and non-citizens CAN’T vote. There are widespread historical accounts of both of these types of events happening on a precinct or city-wide scale in the past.

– Paper is subject to interpretation due to its analog nature (e.g. the “hanging chad” problem)

In conclusion, I will make this statement: If I had a choice, I would rather stake my reputation on the authenticity of digitally-encrypted message vs. a $100 bill. There are controls in place to make sure the message is accurate — the $100 bill can be forged.

Digital good, paper bad.