how to do voting machines right
Mar. 12th, 2020 06:20 pm

I think a good first step would be *requiring* the software and hardware designs to be publicly available for criticism. Anything less is "security by obscurity", which rarely ends well.
This would require companies to copyright their stuff rather than play the trade secret game. But *because* of the public availability of the software and hardware designs, piracy would be trivial to prove.
I'd like to see voting machines treated the way control systems for nuclear reactors and other "must not have bugs" systems are treated.
There are CPU designs that have been mathematically analyzed to make sure they only do what they are supposed to do. And the masks for the ICs and the actual ICs are gone over with similar care, including testing to make sure they match the design.
Next, the assemblers and compilers for them are likewise analyzed and tested. That's to avoid things like "built-in" back doors, which can be implemented in such software (shown as a possibility decades ago).
Yeah, that's expensive. Thing is, *it's already been done*, so the only new bit is writing the software for voting. Which should go through similar "provably correct" analysis.
Designing the hardware (and drivers for it) would need similar care.
All of this takes lots of extra time and effort. But the results would be as bombproof as it's possible to be.
They *would* meet the specifications. Period.
Getting the specs right, that's why you make them available for public analysis. And BTW, failures in the specifications rather than failures in implementing them are the most common source of *bad* bugs.
Now, mind you, the CPUs involved are decades behind "state of the art". So what. Voting machines don't have to do anything that complicated. The user interface is the most complicated part.
I favor voting machines that will show the voter their choices, then create a human readable hard copy that the voter will place in the ballot box. And there should be a procedure to invoke if the hard copy doesn't match the screen.
The hard copy should be machine readable for speedy processing. And the machines that do that will require the same sort of design and manufacturing processes as the voting machines.
Also, there should be a dual key setup for accessing the inside of the machines. That is, it'd require two different people using different keys turned at the same time to open them. That makes messing with the insides a lot harder.
Have some sort of data module in the machines that also records the votes cast. Write-once media would be a good choice for that. Serialize the media so you can go "disk XXX was in machine YYY".
Those get removed at the end of the night using the dual keys, plus witnesses. They'll be transported to election headquarters via a different courier and route than the ballot boxes.
So you can get really fast results (from the disks). Verify them by scanning the actual ballots, and if there are questions, you can hand count the ballots.
Oh yeah. The "ballot info" (i.e. what candidates and the text/layout that go with them) should be in ROMs or the like. Something that gets done at a central location, with witnesses, then secured and transported to the machines, where you again have witnesses verifying what they got was what was sent, and that it was placed in the machine it was for.
Yeah, there are still ways to mess with things. But it'd be orders of magnitude harder than it is currently.
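As an added illustration (not code from the post), here is how the three independent records described above fit together: the serialized write-once disk tied to a machine, the scan of the paper hard copies, and escalation to a hand count when the two disagree, plus the witness check that the ballot-definition ROM matches what central sent. All identifiers and votes below are constructed sample data; the digest scheme is my assumption.

```python
import hashlib
from collections import Counter

# Constructed custody log: which serialized write-once disk was sealed into which machine.
DISK_TO_MACHINE = {"DISK-0001": "MACHINE-A", "DISK-0002": "MACHINE-B"}

# Constructed sample: votes as recorded on each write-once disk, one entry per ballot.
DISK_RECORDS = {
    "DISK-0001": ["alice", "bob", "alice", "alice"],
    "DISK-0002": ["bob", "bob", "alice"],
}

# Constructed sample: the same ballots as read by the scanner from the paper hard copies.
# MACHINE-B's paper disagrees with its disk by one vote, to show the escalation path.
SCANNED_BALLOTS = {
    "MACHINE-A": ["alice", "bob", "alice", "alice"],
    "MACHINE-B": ["bob", "alice", "alice"],
}


def ballot_definition_digest(ballot_info: bytes) -> str:
    """Digest of the ROM ballot definition. Central publishes it with witnesses;
    precinct witnesses recompute it from the ROM they actually received."""
    return hashlib.sha256(ballot_info).hexdigest()


def verify_ballot_definition(received_rom: bytes, published_digest: str) -> bool:
    """Precinct-side check that 'what they got was what was sent'."""
    return ballot_definition_digest(received_rom) == published_digest


def reconcile(disk_to_machine, disk_records, scanned_ballots):
    """Fast results come from the disks; each disk's tally is then checked against
    the scan of that machine's paper ballots. Returns (totals, machines to hand count)."""
    totals = Counter()
    needs_hand_count = []
    for disk_id, machine_id in disk_to_machine.items():
        disk_tally = Counter(disk_records.get(disk_id, []))
        totals.update(disk_tally)
        scan_tally = Counter(scanned_ballots.get(machine_id, []))
        if disk_tally != scan_tally:  # paper and disk disagree: escalate, don't guess
            needs_hand_count.append(machine_id)
    # A disk with no entry in the custody log is itself a reason to escalate.
    unknown_disks = sorted(set(disk_records) - set(disk_to_machine))
    needs_hand_count.extend(unknown_disks)
    return dict(totals), needs_hand_count
```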
Vote by mail like we have here in Oregon would "only" need the secured scanning machines.
I'll note that vote by mail has several aspects which make it hard to disenfranchise people.
First off, if you don't get a ballot when you are supposed to, you can go down to the county elections office and get a new one.
If there's an issue with your registration, you still have time to clear it up and get a ballot and vote (and if you are at the elections office anyway, you can just vote in a booth there and drop it in a locked ballot box to be counted on election night).
So voter suppression gets a lot harder without getting dangerously overt about it.
That makes it a lot harder to play switcheroo games with either.