I've waited a week or so to write about the recent Diebold voting machine news, and I've waited because I wanted to take the time to digest it all, see the news items settle down, and think about just how I wanted to respond. References are at the bottom; you might want to go there first to review the situation.
A couple of notes, first, about what I said in May. My main point was that voting by computer could be far better and far more secure and tamper-proof than what we have now, but only if it were "properly designed, constructed, and checked." I observed that the Diebold system does not qualify there, and "[w]e should right now be working on designing a proper system — I suggest one where the source code is openly available, for all to review and validate."
But the Diebold situation is quite the opposite of that. The New York Times article gives an arrogant — and dangerous, if we're to continue using these machines — company policy:
Mark G. Radke, director for marketing at Diebold, said that the AccuVote machines were certified by state election officials and that no academic researcher would be permitted to test an AccuVote supplied by the company.

The ironically named machines were "certified" by "state election officials", who have no expertise in computer security, so what assurance does that give us that anything is correct about the machines? Apart from that, "certified" is surely the wrong word here; more likely, they were "accepted" by these officials, who likely read something they were given by Diebold, and then signed off on it.
So in reality, the machines were certified by Diebold itself. That may comfort someone, but it doesn't comfort me. We need independent certification by experts in the technology. Far from restricting what some "academic researcher" should be permitted to do, we should welcome, and in fact demand, more eyes, more hands, more analysis, more testing.
Avi Rubin isn't comforted either. Professor Rubin spent the day of the Maryland primary elections working as an election judge, something he's done twice before. This time, he worked with the Diebold machines, and his experience with them, as reported in his blog, is something you must read. Professor Rubin teaches computer security and privacy at Johns Hopkins University, and he is an expert in the technology. While Diebold plays down the importance of the security of the software, stressing how the physical security is key to the integrity of the overall system, Professor Rubin points out a number of problems with the physical access to the machines, even down to the confirmation that the machines had the correct ID numbers (happily, in this case they did not use the machines in question).
And it's not just the academics or the ACLU, or the Carter Foundation, or some other left-wingers who have a problem with this. The Washington Post reported that Maryland Governor Ehrlich wants to go back to paper ballots, and, while the state's board of elections administrator thinks it's crazy to switch at this late time, "her staff would 'work around the clock' to correct the problems that plagued the primary." On the other hand, we have some indication that Ms Lamone is among those state election officials who don't understand computer technology (note, in particular, the part where she's asked about the reliability of computer systems). Further:
She vowed that her office would help local election boards retrain judges, recruit new ones and force Diebold Election Systems to fix the problems that caused some of its machines to malfunction.

She'll "force" them? How? They haven't yet; why does she think they can be "forced" to change anything if there's no threat of having the machines pulled from the election? Lawsuits? Maybe, but good luck.
On the other hand, lawsuits are ultimately one answer to this: hold those responsible accountable for what they're doing to the election system. The problem, though, is that this isn't just causing confusion, delays, and difficulty at election time. It is doing that, but it's also damaging the confidence people have that elections are properly and fairly run, and that will likely result in lower turnout in the future — even if they don't actually manipulate the election results.
OK, there are the complaints and the problems. What can we do about them; how can we fix them? We can, as Governor Ehrlich suggests, go back to paper (or mechanical voting machines, as we use in New York). But that's not the right answer (though it's certainly all we can do by November 2006). If I'm right that computer voting can be so much better than what we have now, we should be making it better. How?
Design a system that works with the realities of how people go to vote. Design in the sorts of reasonable overrides that we know we need, that we can anticipate because they happen all the time, and make sure that the overrides keep proper audit trails so we can validate them later, when there are any questions. Make sure the system does the right thing in the event of computer or network failures. Make sure we can fix legitimate human error, and track what happened afterward.
Design a system with multiple isolated copies of the voting information. Make sure that there is no single point of failure, and, further, that there is no single point where tampering can be done effectively and without detection. Store the information securely, and, again, keep an audit trail.
Design a system that uses signed software modules, and refuses to use software modules that do not have valid signatures. This ensures that the software came from the holder of the signing key and was not altered after it was signed; it says nothing about whether the signed code is correct, which is why the review and certification steps below matter. Similarly, sign (and encrypt) the data produced by the system.
Design the system and then have the design reviewed by an independent panel of experts. Implement the design and then have the implementation reviewed by an independent panel of experts. Design operational procedures and have the procedures reviewed. Have everything reviewed and vetted at every step in the process, and make the process open, so that anyone who wants to check it... can. Make it so that everyone can assure herself — either first hand or by proxy — that it's been done correctly and secured.
Finally, have it certified independently of the company, and give the signing keys only to the certification body. Make sure those who are certifying it are qualified to certify computer software in general and security-related software in particular. Since they, and only they, hold the signing keys, everything has to go through them. Make sure they can do this and that they inspire trust in the public, who will be using these machines to cast their votes.
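The signed-module rule from the design points above (refuse any module without a valid signature, and let only the certification body hold the signing key), as an added example that is not part of the original post or any vendor's code. It is a small Go program using only the standard library's Ed25519: a hypothetical Certifier holds the private key, a hypothetical Loader on the machine holds only the public key, and the loader rejects a module that was patched after signing, a module whose signature was lifted from a differently named module, a module signed with the vendor's own key, and an unsigned module. The module names, code bytes and keys are all constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedModule is one software module as shipped to a voting machine: its
// name, its code, and the certification body's detached Ed25519 signature.
// (Hypothetical structure for this example.)
type SignedModule struct {
	Name string
	Code []byte
	Sig  []byte
}

// Certifier models the independent certification body. It is the only
// party that holds the private signing key.
type Certifier struct {
	priv ed25519.PrivateKey
}

// NewCertifier generates a fresh signing key pair and returns the certifier
// plus the public key that gets baked into every machine's loader.
func NewCertifier() (*Certifier, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Certifier{priv: priv}, pub, nil
}

// moduleDigest binds the module name to its code before signing, so a valid
// signature on one module cannot be transplanted onto a differently named
// one. The zero byte separates name from code unambiguously.
func moduleDigest(name string, code []byte) []byte {
	h := sha256.New()
	h.Write([]byte(name))
	h.Write([]byte{0})
	h.Write(code)
	return h.Sum(nil)
}

// Sign produces the signed module the certifier releases after its review.
func (c *Certifier) Sign(name string, code []byte) SignedModule {
	return SignedModule{
		Name: name,
		Code: code,
		Sig:  ed25519.Sign(c.priv, moduleDigest(name, code)),
	}
}

// Loader is the machine side. It holds only the certifier's public key and
// refuses any module whose signature does not verify under that key.
type Loader struct {
	pub    ed25519.PublicKey
	Loaded []string // names of modules accepted so far
}

func NewLoader(pub ed25519.PublicKey) *Loader {
	return &Loader{pub: pub}
}

// Load verifies the module's signature and records it as loaded; on any
// failure it returns an error and loads nothing.
func (l *Loader) Load(m SignedModule) error {
	if len(m.Sig) != ed25519.SignatureSize {
		return fmt.Errorf("refusing %q: no valid signature attached", m.Name)
	}
	if !ed25519.Verify(l.pub, moduleDigest(m.Name, m.Code), m.Sig) {
		return fmt.Errorf("refusing %q: signature does not verify under the certifier's key", m.Name)
	}
	l.Loaded = append(l.Loaded, m.Name)
	return nil
}

func main() {
	certifier, pub, err := NewCertifier()
	if err != nil {
		panic(err)
	}
	loader := NewLoader(pub)

	// Constructed sample module standing in for real ballot software.
	ui := certifier.Sign("ballot-ui", []byte("constructed ballot UI code v1"))
	fmt.Println("certified module:", loader.Load(ui)) // <nil>

	// Vendor patches the code after certification: rejected.
	patched := ui
	patched.Code = []byte("constructed ballot UI code v1 + vendor hotfix")
	fmt.Println("patched after certification:", loader.Load(patched))

	// Certified signature lifted onto a different module name: rejected.
	fmt.Println("transplanted signature:", loader.Load(SignedModule{Name: "tally", Code: ui.Code, Sig: ui.Sig}))

	// Vendor "self-certifies" with its own key: rejected, since the machine
	// trusts only the certifier's public key.
	vendor, _, err := NewCertifier()
	if err != nil {
		panic(err)
	}
	fmt.Println("vendor-signed module:", loader.Load(vendor.Sign("tally", []byte("constructed tally code"))))

	// Unsigned module: rejected.
	fmt.Println("unsigned module:", loader.Load(SignedModule{Name: "tally", Code: []byte("constructed tally code")}))

	fmt.Println("loaded modules:", loader.Loaded) // [ballot-ui]
}
```

Two design points worth noticing: the name is hashed together with the code, so a signature certifying "ballot-ui" is useless for smuggling the same bytes in as "tally"; and the loader never sees a private key at all, so compromising a machine does not let anyone mint new certified modules. What the signature does not do is vouch for the code being correct; that is the job of the independent review the text calls for before the certifier ever signs.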
As I said in May, I don't believe this is an intractable problem. We trust computers to deal with many billions of dollars, and each of us trusts them with our own life's savings. They can work, and they can work reliably. But we have to make sure they do.
References:

My earlier analysis of what computer voting could give us, and what assurances we'd need in order to properly deploy them.

Avi Rubin's blog entry, "My day at the polls - Maryland primary '06", which describes his first-hand experience with the problems with the Diebold machines.

Two Washington Post articles about the backlash from officials in Maryland: "Ehrlich Wants Paper Ballots For Nov. Vote" and "If Paper Ballots Restore Trust In Elections, Let's Switch".

A New York Times business-section article, "The Big Gamble on Electronic Voting".