News from America:
Small coding mistake led to big Internet voting system failure
The main security weakness that let University of Michigan researchers take control over a planned city of Washington, D.C. Internet voting system pilot for overseas voters in 2010 was “a tiny oversight in a single line of code,” …
It’s evidence, say the researchers – led by Assistant Professor J. Alex Halderman – that Internet voting should be postponed until, or unless, major new breakthroughs in cybersecurity occur. Mistakes like the one they exploited are all too common, hard to eradicate, and indicative of a brittleness in web applications, they say. Seemingly trivial errors can result in attackers gaining complete control of a system – and in the case of an Internet voting system, controlling the outcome of an election.
Responding to a call by Washington, D.C., election officials for outsiders with no previous access to test system security, Halderman and his students penetrated the pilot system within 48 hours of it going online. Their successful attack went undetected for another 36 hours.
Quite how it was then detected is rather an amusing musical tale, as you can read in the full story.
* Mark Pack is Party President and is the editor of Liberal Democrat Newswire.
7 Comments
Piffle, we don’t need new breakthroughs. This sort of problem was solved decades ago; the techniques for writing code without this sort of error are known in the field as “formal methods”. They are widely used in fields where there is substantial liability for errors: medical equipment, some critical aspects of aerospace technology (NASA are a major player here), microprocessor design.
The problem is not that we are unable to fix these issues. The problem is that the people involved are unwilling to do so. It would cost time and money, electronic voting in the US is all about profit margins, and there is no penalty for failure.
The news article here does not even mention the company responsible for this abject failure, so they don’t even have the fairly weak spectre of reputation damage.
Mark – If you are interested in other ways to see that story, go to:
Does the DC Fiasco Damn Internet Voting?
http://tinyurl.com/DCin2010
William J. Kelleher, Ph.D.
Blog: Internet Voting for All
Twitter: wjkno1
Piffle, we don’t need new breakthroughs. This sort of problem was solved decades ago; the techniques for writing code without this sort of error are known in the field as “formal methods”.
Piffle, formal methods have got nowhere near fully proving systems of this level of complexity. My colleague Peter O’Hearn’s work on separation logic (http://www.eecs.qmul.ac.uk/~ohearn/) is generally considered one of the biggest recent breakthroughs in this area, but they are still only just sorting out basic problems in heap-assigned storage.
If one looks at the paper on this bug, one can see that like most modern systems it ties together code from all over the place. If one wanted to write secure systems, this is not how one ought to do it.
Of course, even if you really could run a system which mathematically proves it has no openings that could be abused, who proves the proof engine? Do we have all to become experts in separation logic to know for sure our ballots are secure?
So far as I am concerned, the way in which the paper ballot system enables us to track the progress of all ballot papers from voter to count is a valuable safeguard we should NEVER throw away. You do not have to be an expert to see it is safe; no computer program can guarantee the same. Every reputable Computer Scientist I have spoken to on this issue agrees.
There’s no way that paper ballots are immune from rigging. See many of the world’s poorer countries for many examples, particularly those where there have been recent finds of oil or minerals. Talk to Putin for further info!
One of the problems with software is that it has many layers, with different languages in each layer, and a writer at one level may have no idea at all of how his or her choices create security issues in another.
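The cross-layer mistake described in the comment above, as an added illustration (not code from the page, the D.C. pilot, or the Michigan team; the page does not say what the single-line oversight was, so this shows the general class rather than the pilot’s code): an application layer builds a command string and believes its double quotes make an uploaded filename one argument, while the shell layer underneath still performs command substitution inside those quotes. The filename is constructed for the example, `echo` stands in for whatever tool the application would really call, and the allowlist helper is a hypothetical defence-in-depth check.

```python
import re
import shlex
import subprocess

# Constructed sample input: an upload name carrying a shell command
# substitution. Nothing on the page gives a real filename; this is a
# hypothetical value chosen to make the layering problem visible.
MALICIOUS_NAME = "ballot_$(echo INJECTED).pdf"

# `echo` stands in for the real encrypt/copy tool so the example is
# harmless to run; the quoting behaviour is identical for any command.
TOOL = "echo"


def run_vulnerable(filename: str) -> str:
    """Layer 1 (application) builds a string; layer 2 (/bin/sh) parses it.

    The author assumes the double quotes turn the name into one argument.
    The shell disagrees: inside "..." it still performs $(...) command
    substitution, so user-controlled text becomes executed code.
    """
    cmd = f'{TOOL} "{filename}"'
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=True)
    return out.stdout.strip()


def run_hardened(filename: str) -> str:
    """No shell layer at all: argv goes straight to execve(), so nothing
    reinterprets $(...), backticks, ';' or '|' in the filename."""
    out = subprocess.run([TOOL, filename], capture_output=True, text=True, check=True)
    return out.stdout.strip()


def run_quoted(filename: str) -> str:
    """When a shell is unavoidable (a pipeline, a wrapper script), quote
    with shlex.quote(): it uses single quotes and escapes embedded ones,
    and the shell performs no substitution inside '...'."""
    cmd = f"{TOOL} {shlex.quote(filename)}"
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=True)
    return out.stdout.strip()


# Hypothetical allowlist: letters, digits, '.', '_' and '-' only, no
# leading dot, at most 128 characters.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def is_safe_upload_name(filename: str) -> bool:
    """Defence in depth: reject the name before it reaches any lower layer,
    whatever that layer turns out to be (shell, SQL, a log format...).
    Rejects path separators, shell metacharacters and '..' sequences."""
    return bool(_SAFE_NAME.fullmatch(filename)) and ".." not in filename


if __name__ == "__main__":
    print("vulnerable :", run_vulnerable(MALICIOUS_NAME))      # ballot_INJECTED.pdf
    print("hardened   :", run_hardened(MALICIOUS_NAME))        # ballot_$(echo INJECTED).pdf
    print("quoted     :", run_quoted(MALICIOUS_NAME))          # ballot_$(echo INJECTED).pdf
    print("allowlisted:", is_safe_upload_name(MALICIOUS_NAME))  # False
```

The first function is the one-line oversight in miniature: the Python author never wrote anything that looks like code execution, and the bug is invisible unless you know the quoting rules of the layer below. The fix that removes the layer (an argv list, no shell) is preferable to the fix that tries to talk to it correctly, and the allowlist belongs in addition, not instead.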
Maybe we should postpone flying until we have found ways to prevent planes from crashing.
There are lots of mature techniques that are in widespread use; you’re looking at research rather than practical engineering.
Yes, anybody who knew they were going to verify their system would inevitably design it differently. That’s half the point. We do know how to make this stuff work, and the people who are failing to make it work are not failed heroes, they are scammers.
The idea of everybody in the country understanding how votes are counted and how we attempt to prevent voting fraud is appealing but has never before been true.
And to answer your question: no, there is no need to understand any of the logics used in order to validate the proof checker. Undergrad math is more than sufficient; a good proof checker uses only primitive and well-understood rules. This is a non-problem, solved a long time ago.
There is no legitimate or rational reason for building an electronic voting system that did not include this kind of paper trail. So far every system that fails to include one has done so for illegitimate or irrational reasons. Every time you see an electronic voting system without one, you should be immediately thinking that you’re being scammed. Because you are.
Careful. No paper voting system is safe, and voting fraud happens often. No electronic counting system can do any better, because most fraud happens long before the ballots are counted. We merely attempt to keep the fraud as low as possible.
While I’m aware that paper voting systems can be defrauded, it seems to me the physical nature of the process is a very big part of the protection against fraud. When you can actually see and handle the ballot papers it is much easier to see where things are going wrong or could potentially go wrong than when it is a matter of information being transmitted through the execution of software. Human beings are physical creatures; we have evolved to live in a physical universe. That is why we do not have to be trained experts to gain a good understanding of how paper systems can be manipulated, in the way we would if we were to fully understand the protections and any remaining risks of software proof checkers, even supposing we could develop fully reliable proof checkers, or at least restricted the software to forms where what we have is reliable.
I write this as someone who develops new research software and teaches computer programming for a living, and has some knowledge and links with the formal methods approach. Sorry, but this stuff is just not as easy-peasy as Andrew is claiming. I have seen the struggle of even reasonably intelligent undergraduates to understand it. While of course I accept that the arcane details of how paper voting systems work are not something your average person knows much about, the barrier of comprehension is very much lower.
I don’t see the throwing away of the safeguards given by a paper system in return for the convenience of internet voting as doing anything much to counter the malaise in democracy which seems to be an argument for it. To me, it’s just a silly – and potentially dangerous – gimmick, which like many other such gimmicks just works to turn people away from the real problems. The real problems are much more to do with the way politics is played, with its emphasis on top-down centralised campaigning in which ordinary people are seen as having just the role of making a passive choice between competing products, and also to do with the constant denigration of politics by the powerful figures in our society because it is very much in their interest to see the power of the ballot box degraded and the power of the money box enhanced. Every door slammed in your face when you are canvassing with the message “we’re not interested in politics – you lot are just in it for yourself” is a sign of how money boxes are winning out over ballot boxes. It is particularly sad that those who have least money box power tend to have been twisted into holding the most dismissive views of ballot box power.