Sunday, September 10, 2006

Areas of expertise

There is a story in today's Baltimore Sun about electronic voting and the upcoming primary in Maryland on Tuesday. In the story, Donald Norris, director of the National Center for the Study of Elections at the University of Maryland, Baltimore County, is quoted as saying:

    "Computer science guys are able to get away with what I consider to be shameless scare tactics that don't take into account everything else that goes on in an election."

So, I looked up Dr. Norris on Google. He has a bachelor's degree in History, and an MA and Ph.D. in Government. I would never take it upon myself to criticize his understanding of government or history, and I find it surprising that he's willing to criticize computer scientists' understanding of the security issues in electronic voting systems. Sure, there are procedures for handling the voting machines and auditing them in Maryland, but I don't think Donald Norris appreciates the extent to which DRE voting machines are vulnerable, independent of whatever else goes into securing the election.

It is a fact that every single study by security professionals, including my research team, RABA, SAIC and Compuware and InfoSentry, has uncovered serious security vulnerabilities. It is a fact that there has never been a study conducted by computer security professionals that has concluded otherwise. None of the safeguards mentioned by Norris in the article, locks and tamper tape on the machines, accuracy tests before and during the election, and vigilance by poll workers, address the three primary concerns that I have, namely transparency, auditability, and recovery.

Say that a bug in the voting system software that has never been triggered before causes thousands of voting machines to fail halfway through the election during the primary. What would we do? Seriously, what would we do? Nobody, not Dr. Norris, not myself, and not any computer scientists that I know can guarantee that a Windows-based system, running a 50,000-line application, will not fail in a new and unexpected way when subjected to a load not possible during testing. So, it's 2 p.m., and half of the people have voted, and suddenly all the machines start to crash. I've seen systems where this happens before. What do we do?

I know what we would do. I am a poll worker, and the instruction manual would tell me to notify the chief judge, who would call the board of elections. What would they do if they started receiving calls that the machines were failing and couldn't be rebooted? They would not know what to do.

This kind of failure is not that uncommon, due to bugs and accidents. What if somebody, say a foreign government, wanted this to happen? Would it be hard for them to cause such failures? I don't think so. It's hard enough to get big computer systems running reliably without such adversaries.

My request of Donald Norris is to stick to what he is an expert in, and to leave it to computer scientists to give opinions about computer systems. I would not argue Physics with a Physicist, and I would not correct a German professor's German. I don't think Donald Norris should be criticising the computer experts' opinion. But it's worse. He's criticising us for giving our opinions and not just criticising our opinions.