Follow @jack_ganssle

The logo for The Embedded Muse For novel ideas about building embedded systems (both hardware and firmware), join the 25,000+ engineers who subscribe to The Embedded Muse, a free biweekly newsletter. The Muse has no hype, no vendor PR. It takes just a few seconds (just enter your email, which is shared with absolutely no one) to subscribe.

By Jack Ganssle

E-Voting

Published 1/28/2008

Later this year the US will chose a new president. But who will make that choice?

Vermin the world over will exploit any computer weakness to extort tens of thousands of dollars from the unsuspecting populace. Those are pretty puny stakes compared with the presidential election, which will consume over a billion dollars of campaign funds and will shape the direction of the most powerful nation on the planet for at least four years.

So how did we react? By acquiring voting machines with many known security flaws, developed without using best engineering practices, whose code is proprietary, and that use hacker-friendly operating systems. In effect, the government, by making these purchasing decisions, sanctioned a "trust us" appeal to the electorate.

Ironically, the citizenry has never trusted the government less than in recent years (and put down the flamethrowers; that would probably be true no matter who was in DC now).

We know how to build reliable software systems. We know how to build secure software systems. But we decided not to.

How dumb is that?

Project EVEREST in Ohio completed an evaluation of three commercial voting machines last month. On a twelve point scale only one managed anything other than a zero. And it scored 1. Those aren't even flunking grades; it's more like not even showing up for the test.

Democracy is hard. We citizens have to be involved. We need to hold our elected officials accountable, and toss them out when they fail to meet our standards. But that requires we trust the integrity of the ballot box.

Recent e-voting travails are not new; ballot-stuffing is as old as the Republic. The difference is that now it may be possible to stuff millions of votes with a few clicks.

I believe that e-voting holds the promise of eliminating compromised elections. But not with the approaches being discussed now. I'm sickened to read of various commissions demanding that vendors add printers to their machines. That's does nothing to prove that each vote is recorded properly. The printer could show one candidate and record another. And the voting machine itself is not the issue: it's the entire system, including the computers that hold the databases, which are even more attractive targets.

We citizens must demand a system that works. That requires the following:

  • Open source both the software and hardware. Publish the code and schematics on the web. Sure, we can hire a private company to develop and manufacture the equipment, but the IP should be owned by those footing the bill. Us.
  • A dead simple design with minimal features. Prune anything not completely necessary.
  • Use provably-correct components. No proprietary code is allowed.
  • No changes may be made to the design within six months of an election, to give the community time to evaluate the proposed change. If the design is dead simple, few changes should be needed.
  • Certify the code to DO-178B level A
  • Certify the code to Common Criteria EAL7, the highest security standard.

Will this happen? I doubt it. Conspiracy theorists probably feel The Overlords who control the government want to have hackable elections. But I suspect there's more truth in: Never ascribe to malice, that which can be explained by incompetence.