NY Legislature Rejects "Microsoft Amendment"

An anonymous reader writes "Finally, some good news on electronic voting. The New York state legislature rejected an amendment proposed by Microsoft's lobbyists which would have gutted New York's requirements for voting machine vendors to turn over their source code to the state Board of Elections. Assemblywoman Barbara Lifton commented: 'The voting machine vendors have known for two years what our laws said. Now they're saying that those parts of their systems using Microsoft software have to be proprietary? It's just wrong.'"

Re:no its not

[bl8n8r]

> I would rather see voting platforms built on microsoft trustworthy computing platforms

Here you are [fisher-price.com]. Point the arrow at your candidate and pull the handle.

Re:Sucks to be MSFT...

[Kalriath]

You sure as hell wont be seeing it. It'll be shown to a couple of high profile professional auditors who will give it the green or red light, and that's that. At NO point will the public see it.

Re:Open Source Voting Machine?

[MightyMartian]

Pen and paper don't seem to have all those issues - why not use those?

It's an awfully good question, and one that I think Americans should have been asking themselves since the 2000 election.

Up here in Canada, federal elections are administered by a single Federal body; Elections Canada. That means the ballot you get in Toronto is identical in structure to the ballot you'll get on Baffin Island. There's a single standard for marking and counting ballots. The provinces have control of their own elections, obviously, but tend to follow standards very close to that set out by Elections Canada. Only at the lower levels can things be a little different. In my city, they have vote-counting machines and those ballots where you color in the selections you want. Still, even with that automated system (which has been in use in many jurisdictions in North America for decades) there is still the key paper trail, so that if the election is contested, you can go back to a good ol' fashioned recount.

The only argument I've seen against pen and paper ballots for the US is that, unlike some countries, a lot of different elections get tossed on top of congressional, presidential or state elections. Various local positions, voter initiatives, referrenda and the like get tossed into the brew, so that paper ballots could get to be quite volumnious, and possibly confusing, and I guess there is some advantage there to an electronic voting system which can make display of such complicated ballots much easier.

Re:Paper ballots

[timmarhy]

thats why you don't trust them, and make them count in pairs with strict oversight, rotating the pairs and doing random checks. clearly you know nothing of how they count ballots.

Re:no its not

[morgan_greywolf]

Mod parent up! MSFT operating systems are simply not secure enough for mission critical applications. That's why you see most mission critical apps running on either big iron, Unix, or a realtime embedded system from companies like WindRiver.

Re:How complicated could it be?

[ChatHuant]

I am not a programmer, so maybe I'm way off base here, but how complicated could this code be?

I can't think of any reasons why Microsoft is being difficult here. I can't think of any complex algorithms you'd have to invent and therefore protect to display and count votes.

If I understand the problem correctly (please correct me if not - but I did RTFA, and went to the source, Bo Lipari's blog as well, and also to his organization's web site), the requirement is not for MS to escrow the code for the *voting* software; MS aren't writing it anyway, Diebold and others are. The requirement is that, since some manufacturers of the above-mentioned voting software wrote it for Windows, MS is supposed to escrow all the *Windows* source code to NYC. This is very silly IMHO (from an engineering point of view), but of course reason needn't apply.

Obviously, MS doesn't want to escrow all the Windows source to a bunch of political hacks. This has been presented on Slashdot as an attack by Microsoft on democracy and mum' apple pie, but what I believe is really hapenning is just a local political maneuver, as follows:
The hullabaloo was started by a certain Mr. Lipari who seems to have a complete dislike for any kind of electronic voting. IMHO, he invented this specific requirement knowing it's totally ridiculous. He presented it as defending democracy, and managed to sell it to the public. His intention is rather, I believe, to torpedo the whole e-voting concept in NY by getting ignorant politicians to vote for impossible requirements. Well, good for him - he seems to have succeeded. And if e-voting companies switch to Linux of FreeBSD or Windows CE (or any OS with available source code) he'll then ask for the BIOS, and the CPU firmware, and so on, until they give up.

Re:Still missing the problem

[tele_player]

I agree completely, and I'll go further. The disadvantages of electronic voting cannot be gotten around - it cannot be trusted. Ever. We don't need it, and it's just another step away from a functional democratic system. We don't need printers and paper trails. We need traditional, diverse, impossible-to-centrally-subvert voting systems. I'm a computer geek - but this is one area where computers do not belong.

Just make the database public

[Solandri]

Read-only access of course. But given the size of computer storage nowadays, it should be pretty simple to make the whole voting record publicly available on the Internet.

The voting machine has a public/private key pair. It generates a random public/private key pair in between votes which stays resident only in memory (is not written to disk). When you vote, your votes are coded. It's then encrypted with the voter's private key and the voting machine's public key. The voter's plaintext vote, an index number, the encrypted vote, his private key, and the voting machine's public key are then printed on a piece of paper the voter can take home. The voting machine then stores the encrypted vote and the voter's public key. Nothing else.

When tallying the votes, each machine runs through its stored votes, decrypting the record of encrypted votes using each voter's public key and the machine's private key. All this information is then sent to a central vote tallying database. The unencrypted votes are used for the official tally. The encrypted votes are used as proof against tampering. The index is used to allow voters to query the database.

Once home, the voter can log into the vote tally web site. He can query the database to make sure it's recorded his vote right. He asks it to send the vote recorded with his index number. It takes the unencrypted vote, encrypts it with the voting machine's private key and the public key associated with that index and sends it to him. His computer then uses the voting machine's public key and his private key to decrypt it. If all went well, it should match what's on his printout.

• The system does not record who voted which way. The only way to link a vote with the voter is via the index number and private key printed on the voter's slip, which he is free to shred, eat, burn, whatever. I think it may even be possible to validate that the votes match by comparing the encrypted votes, without ever looking at the plaintext vote. It's been a while since I did the RSA key pair stuff.
• Nobody can tamper with the votes in the database because the encrypted version is encrypted with the voter's private key, and only he has a copy of that key. If someone modifies his vote, they need to use a new public/private key pair. The voter's private key will no longer work against the returned result when he queries the vote counting database, tipping him off that something fishy is going on.
• The voter cannot tamper with his printout to fake vote counting fraud. To change it so his plaintext vote and the encrypted vote match, he needs the voting machine's private key.
• By virtue of the previous two bullets, if there is a discrepancy, you can localize where the problem occurred. The voter needs the voting machine's private key to alter his vote. The vote tallying people need the voter's private key to alter his vote (the encoded and unencoded vote on his paper would be encrypted with the voting machine's private key, authenticating that his printout is genuine).
• Don't do anything stupid like seed the RNGs in all the voting machines with the same seed, so they all generate the same key pairs. Include something like the millisecond the vote was cast in the seed.

The only way I can think of to commit vote fraud against this system would be by stuffing the ballot box with false votes. And even there you could do a sanity check by comparing the number of votes cast by the number of voters the precinct operators counted (they mark off your name after you vote, so it's fairly easy to count how many names they've marked off).

That's all I can think of off the top of my head.