Voting Black Boxes Bleg

My bleg: does anyone know of academic work defending the right of voting machine manufacturers to keep their machines from being independently tested for security?

At one point it may have been possible to dismiss concerns about voting machine security as paranoia from the Fahrenheit 911 crowd. But as one reads more and more pieces like this, the worries are impossible to ignore. Consider the following “black box” justification for black box voting:

[Researchers like Ed Felten] demonstrated the machine’s vulnerability to an attack by means of code that can be introduced with a memory card. . . . Every 15 seconds or so [this] rogue program checks the internal vote tallies, then adds and subtracts votes, as needed, to reach programmed targets; it also makes identical changes in the backup file. The alterations cannot be detected later because the total number of votes perfectly matches the total number of voters.
***
Mark G. Radke, director for marketing at Diebold, said that the AccuVote machines were certified by state election officials and that no academic researcher would be permitted to test an AccuVote supplied by the company. “This is analogous to launching a nuclear missile,” he said enigmatically, adding that Diebold had to restrict “access to the buttons.”

I persisted. Suppose, I asked, that a test machine were placed in the custodial care of the United States Election Assistance Commission, a government agency. Mr. Radke demurred again, saying the company’s critics were so focused on software that they “have no appreciation of physical security” that protects the machines from intrusion.

When I’ve voted (in Jersey City, New Haven, and Boston), physical security largely seemed to consist of a gaggle of befuddled and bleary-eyed poll workers.

At this point, I can’t understand any opposition to a demand that voting machines, like ATMs, give voters a receipt for their ballot that mirrors an unalterable internal system of vote counting. Am I missing something?

2 thoughts on “Voting Black Boxes Bleg”

  1. Giving a voter a receipt is technically tricky. You have to (a) give them a receipt that doesn’t actually list their votes (or they could use it to sell their vote), and (b) give them a receipt that is comprehensible enough that they trust it accurately reflects their vote and isn’t just a bunch of random gibberish. Doing (a) and (b) at the same time requires serious cryptography; even if it’s working correctly, the voter may not believe that it is.

    Voter-verified paper trails (as opposed to voter receipts) are a more robust solution, because the voting machine keeps the piece of paper (which can therefore show the actual names of the votes). The voter confirms that the paper correctly indicates her vote, but the ballot workers can then have a separate independent mechanism to count from in case of dispute.

    The answer to your question, then, is that the secrecy of the ballot booth creates some requirements for less than complete transparency. Those requirements, however, don’t translate into a similar requirement that the source code of the voting machines be secret. That’s just ill-advised security by obscurity.

  2. I’ll post this for Michael Carrier, whose comment got caught in the spam filter:

    There is in fact a testing and certification process. The problem is that it is not robust. The companies complete the process in secret and refuse even to discuss it. Also of concern, the “independent” testing laboratories are chosen and paid by the vendors, with the consequence that they are “under enormous pressure to do reviews quickly, and not to find problems.” Editorial, Who Tests Voting Machines?, N.Y. TIMES, May 30, 2004, § 4, at 8.

    I have written about the dangers of electronic voting here: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=792324
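
The first comment's point about voter-verified paper trails can be made concrete with a small audit sketch. This is an added example, not part of the original post or its comments; the machine names, status labels and sample tallies are constructed for illustration. It shows why the "votes equal voters" check in the quoted passage passes on an altered tally while a hand count of the retained paper records does not.

```python
from collections import Counter

def totals_balance(signed_in, electronic):
    """The weak check from the quoted passage: total votes == total voters."""
    return sum(electronic.values()) == signed_in

def audit_machine(signed_in, electronic, paper_records):
    """Compare one machine's electronic tally with a hand count of the paper
    records it retained. Returns (status, deltas); a positive delta means the
    machine reports more votes for that candidate than the paper supports."""
    paper = Counter(paper_records)
    deltas = {}
    for cand in sorted(set(electronic) | set(paper)):
        diff = electronic.get(cand, 0) - paper.get(cand, 0)
        if diff:
            deltas[cand] = diff
    if not totals_balance(signed_in, electronic):
        return "TOTAL_MISMATCH", deltas    # visible even without paper
    if len(paper_records) != signed_in:
        return "PAPER_INCOMPLETE", deltas  # paper trail itself needs review
    if deltas:
        return "TALLY_ALTERED", deltas     # totals balance, contents differ
    return "OK", deltas

def audit(machines):
    """Audit every machine; returns {name: (status, deltas)}."""
    return {name: audit_machine(**m) for name, m in machines.items()}

# Constructed sample data: five voters signed in at each machine.
MACHINES = {
    "machine-1": dict(signed_in=5, electronic={"A": 3, "B": 2},
                      paper_records=["A", "A", "A", "B", "B"]),
    # Electronic totals still add up to 5, but two votes moved from A to B.
    "machine-2": dict(signed_in=5, electronic={"A": 1, "B": 4},
                      paper_records=["A", "A", "A", "B", "B"]),
    # One paper record is missing (e.g. a printer fault), so the paper
    # count cannot simply be taken as authoritative.
    "machine-3": dict(signed_in=5, electronic={"A": 3, "B": 2},
                      paper_records=["A", "A", "B", "B"]),
}

if __name__ == "__main__":
    for name, (status, deltas) in audit(MACHINES).items():
        print(name, status, deltas)
```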
