Configuration Management and Electronic Voting

February 8, 2008 – 11:14 am

As a configuration manager, I have found unapproved software changes checked in by accident, by miscommunication, and in one unfortunate case, by malice. The more tightly integrated the change-tracking software was with the version control software, the easier it was to catch these errors, but in some cases the risk was not deemed to be worth the time and expense of tight control. Even with the best tools and tightest controls, however, without auditing, it’s difficult to show that the process has ensured that only the correct changes have gone in. The more independence the auditors and audit designers have had from the process they’re auditing, the more faith one can have in the audit results.

Note the emphasis on auditing the process there, not just the software. If one wants to know how well a process involving software works, it’s not enough just to look at the software, especially when one wants to be really, really sure about the process. What controls are in place to make sure that the right software is being used? Even assuming good faith, mistakes can happen, especially if one is in a rush to deploy a bug fix. Are there other elements that need controls, such as hardware elements … data devices that may be moved around, such as cards? Are all these elements uniquely identifiable? What logging is in place to be able to check that the controls are working? How accident- and tamper-resistant are the logs?
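The audit of checked-in changes described in the first paragraph, sketched as an added example that is not from the original post: it reconciles an export from version control against an export from the change tracker and reports what does not match. The `CR-` ticket format, the field names and all sample records are constructed assumptions.

```python
import re

# Constructed sample data: approvals exported from a change tracker and
# commits exported from version control (neither comes from the post).
APPROVED = {
    "CR-101": {"status": "approved", "files": {"tally/count.c"}},
    "CR-102": {"status": "approved", "files": {"ui/ballot.c"}},
    "CR-103": {"status": "rejected", "files": {"tally/report.c"}},
    "CR-104": {"status": "approved", "files": {"audit/log.c"}},
}
COMMITS = [
    {"id": "a1", "msg": "CR-101 fix rounding", "files": ["tally/count.c"]},
    {"id": "b2", "msg": "quick fix before deploy", "files": ["tally/count.c"]},
    {"id": "c3", "msg": "CR-103 new report", "files": ["tally/report.c"]},
    {"id": "d4", "msg": "CR-102 layout", "files": ["ui/ballot.c", "tally/count.c"]},
]
TICKET = re.compile(r"\bCR-\d+\b")  # hypothetical ticket id format


def audit(commits, approved):
    """Return (subject, finding) pairs for every mismatch between the two exports."""
    findings, implemented = [], set()
    for c in commits:
        tickets = TICKET.findall(c["msg"])
        good = [t for t in tickets if approved.get(t, {}).get("status") == "approved"]
        bad = [t for t in tickets if t not in good]
        if not tickets:
            findings.append((c["id"], "no change request referenced"))
        for t in bad:
            findings.append((c["id"], f"{t} is not an approved change request"))
        if good and not bad:
            implemented.update(good)
            # A commit may only touch files named in the requests it cites.
            scope = set().union(*(approved[t]["files"] for t in good))
            for f in sorted(set(c["files"]) - scope):
                findings.append((c["id"], f"{f} is outside the approved scope"))
    # Approved work that never arrived is also an audit finding.
    for t in sorted(approved):
        if approved[t]["status"] == "approved" and t not in implemented:
            findings.append((t, "approved but never checked in"))
    return findings


if __name__ == "__main__":
    for subject, finding in audit(COMMITS, APPROVED):
        print(f"{subject}: {finding}")
```

Because the check reads only the two exports, it can be run by someone outside the team that operates the check-in process.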

The more complex a system is, the more difficult it is to ensure that everything is functioning as expected. Electronic voting systems are complex, and it’s not just about the software. Others have written about specific issues with specific elections in the past, machines that were certified that never should have been, and so on. Some electronic voting critics have acted as election judges to get a first-hand look (particularly after counter-claims involving ivory towers and lab conditions), and have written about their experiences.

I wanted to help out with elections this year, and get a closer look at what I’d read about. I went to my first Election Judge training last week, to be a Closing Judge for Montgomery County (Maryland) last week. The trainers did their best with us in two hours, but I’m going to just have to hope I get things right, with the help of the Chief Judge and more experienced judges there (we have a meeting at my precinct Monday night). It didn’t help that the trainers did not follow our written documentation (they explained they were skipping stuff because they knew the system cold, and we had to get done in time to clear the room for the next class), and did not always agree with each other about the training machines. Whatever Diebold had under the covers, the elements we were working with (tape, data cards, keys, printouts that had to be torn at just the right time or that machine’s results were invalidated, etc.) were complex enough that, given our insufficient training, it’s hard to see how we could pass an audit next week. I’m not blaming the trainers — there was too much to cover. Electronic voting (as opposed to using machines to fill out and print out the actual ballots to be counted) is complicated, and that complexity makes it difficult to maintain a secure voting process. I want a voting system at least as secure as good old paper ballots. We don’t have that right now.
