Offering frequent news and analysis from the majestic Evergreen State and beyond, The Cascadia Advocate is the Northwest Progressive Institute's unconventional perspective on world, national, and local politics.

Thursday, November 30, 2006

NIST: paperless e-voting systems are fundamentally flawed

Paperless electronic voting systems are fundamentally flawed and insecure.

This statement comes as no surprise to anyone who has spent much time thinking about or researching the issue. But it's not just me (and hordes of computer security and voting rights activists) saying it anymore. Today, it's also the National Institute of Standards and Technology. Hat-tip to Daily Kos for breaking this story today.

When NIST speaks, people listen. This is the government agency whose job it is to determine what we use as the official standards for, well, basically anything relating to science, technology, or engineering. They're the ones who research the heck out of an issue (e.g. flame retardants for children's clothing), then decide how exactly to measure the thing in question (e.g. how to quantify actual fire-proofedness into some sort of useful and general scale), and publish guidelines that manufacturers can use to make their stuff and that consumers can use to make apples-to-apples comparisons between products (e.g. which jammies will my kid be less likely to burn to death in).

So, when NIST releases a draft report saying that they have found paperless electronic voting systems to be a fundamentally bad idea, that carries some weight. As well it should.

First, let me say I would encourage everyone to go read the draft. It's only 13 pages, and there's a lot of bureaucratic junk at the beginning you can skim right over before you find the good stuff. But to summarize:

NIST's analysis consists, mainly, of trying to determine whether various types of purely electronic or hybrid electronic/paper systems can meet a test of "software independence." NIST defines a "software independent" voting system as one in which errors in the voting software cannot produce errors in the final vote count that are undetectable in a subsequent audit.

NIST's major finding is that paperless "DRE" systems cannot meet this test. Period. And, consequently, NIST is recommending that such systems, ones which directly record votes onto electronic media and produce no paper trail, be de-certified by election officials nationwide. Here's the money quote, in typically scientific language:

"NIST does not know how to write testable requirements to make DREs secure, and NIST’s recommendation to the STS is that the DRE in practical terms cannot be made secure."


Translation: "basically it's our job to produce testable requirements for the standards we define, but we can't for the life of us figure out a test that would actually tell whether a DRE system had screwed up or not. Hence, we conclude that these things are un-testable black boxes and you just have to trust whatever numbers they tell you at the end of the election. We say to hell with that!"

Stick that in your pipe, Diebold, and smoke it.

NIST makes this finding because DRE systems produce absolutely no election records that are not directly dependent on the software of the DRE system itself. Undetected errors in the software may lead to bogus electronic records, but because the systems produce nothing at all besides those electronic records, there's nothing to use as the basis for an audit. The systems are not, fundamentally, independent of the software inside them.

NIST's next major finding (which, really, is quite obvious to even a casual observer) is that optical scan systems are great, because they start with a voter-verified paper record (namely, your ballot), which can always be used as the basis for any sort of audit you like. If you think the counting machines messed up, you've always got the paper ballots to fall back on.

The rest of the draft is a discussion of various systems that can be tested for security, including paper-based optical scan systems, hybrid systems that use a touch-screen style input but produce a paper trail, and paperless electronic systems that are based on cryptographically verifiable protocols. It's interesting reading, and again, I would encourage everyone to take a look.
