A San Jose Mercury News editorial today acknowledged the voting machines problem! The editorial, “If voters get a record of their ballot, they can check on the system,” includes (there’s more):
I know zip about software code, but if I were the supervisors, I’d put a lot of stock in the views of Stanford computer professor David Dill, SRI Computer Lab scientist Peter Neumann and other experts who have spent their careers matching wits with hackers. When they say security is a problem, there’s cause for worry.
The clearest explanation I’ve heard of the security problem with touch screen systems and the commonsense solution to it came from Alan Hu, an associate professor of computer science at the University of British Columbia and a protege of Professor Dill. He offered it during a hearing this month. It’s worth repeating.
Imagine a store, he said, where the clerk shows you the total of your purchases on a handheld electronic calculator. Behind the counter, he enters your purchase amount into a ledger. He shows you the total, then clears the calculator for the next customer.
Suppose the clerk occasionally pockets the cash and “forgets” to enter the purchase in the ledger book. Or maybe he skims off cash and enters a smaller amount than what you purchased.
A computerized voting machine that shows your votes on a display screen only and records your votes internally is like a clerk using a handheld calculator. To reduce the risk of cheating or help catch sloppy errors, you can do a background check on the clerk, just as you can certify a voting machine’s hardware and software. You can have the clerk fill out duplicate ledgers, analogous to redundant hard drives in voting machines. You can encrypt the ledger books to prevent others from forging them — and encrypt data storage and transmission in voting machines. But in both cases, no amount of security or auditing of records will catch cheating or errors, because the cheater is the one preparing the audit record.
The solution to a dishonest clerk is simple. The clerk enters each transaction on a cash register, and the customer sees what is on the cash register tape. If there’s any doubt about the clerk’s accuracy or honesty, you compare what the clerk recorded with the cash register tape.
The solution for the voting machine is essentially the same: You show a printed copy of the ballot for the voter to confirm; if there’s a discrepancy, the voting machine can be shut down. If there’s any doubt about the correctness of the voting machine, you can compare the totals it reports with a separate count of the printed copies.
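The argument in the quoted editorial, as a small simulation added here (it is not part of the editorial or of any voting system's code): a machine that stores some ballots incorrectly still passes every check that relies on data it wrote itself, while a count of the voter-checked paper copies exposes the difference. The function names, the key, the sample ballots and the "every Nth ballot" fault model are all constructed for illustration.

```python
import hashlib
import hmac
from collections import Counter

KEY = b"constructed-demo-key"  # constructed; stands in for the machine's storage key

def seal(ledger):
    """MAC the machine computes over its own ledger."""
    return hmac.new(KEY, "\n".join(ledger).encode(), hashlib.sha256).hexdigest()

def run_election(ballots, misrecord_every=0):
    """Simulate one machine. Every `misrecord_every`-th ballot is stored as 'B'
    regardless of the voter's choice (bug or fraud; 0 means an honest machine)."""
    primary, mirror, paper = [], [], []
    for n, choice in enumerate(ballots, start=1):
        stored = "B" if misrecord_every and n % misrecord_every == 0 else choice
        primary.append(stored)  # internal record
        mirror.append(stored)   # redundant copy, written by the same software
        paper.append(choice)    # printed copy the voter checked before leaving
    return {"primary": primary, "mirror": mirror,
            "mac": seal(primary), "paper": paper}

def internal_checks_pass(m):
    """Redundancy and integrity checks that use only machine-written data."""
    return (m["primary"] == m["mirror"]
            and hmac.compare_digest(seal(m["primary"]), m["mac"]))

def paper_audit(m):
    """Compare reported totals with an independent count of the paper copies.
    Returns {candidate: reported - paper} for every candidate that differs."""
    reported, counted = Counter(m["primary"]), Counter(m["paper"])
    return {c: reported[c] - counted[c]
            for c in reported.keys() | counted.keys()
            if reported[c] != counted[c]}

BALLOTS = ["A", "B", "A", "A", "B", "A", "A", "B", "A", "A"]  # constructed sample

if __name__ == "__main__":
    for label, every in (("honest", 0), ("faulty", 3)):
        m = run_election(BALLOTS, every)
        print(label, "| internal checks pass:", internal_checks_pass(m),
              "| paper audit:", paper_audit(m) or "totals match")
```

The mirror copy and the MAC both verify on the faulty run because they attest only to what the machine wrote, not to what the voter chose.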