
certification of voting machines

From Anarchopedia
Revision as of 23:07, 8 February 2006 by beta m (article will probably be deleted on Wikipedia)



Certification of voting machines

In the United States, electronic voting machines as used in federal, state, and local elections have come under public scrutiny and controversy. E-voting machines, especially those that do not provide a Voter Verified Audit Trail, potentially allow undetectable, large-scale electoral fraud. As of 2006, most commercial E-voting machines have provided little or no assurance of accuracy and reliability; some have described the use of these machines as Black Box Voting. Various levels of the US government are starting to require certification of voting machines, sparked in part by controversy over voting machine irregularities in the 2004 U.S. presidential election.

This article documents standards set by federal and state governments, and the results of attempts to certify voting machines from various vendors.

FEC and NASED

In 1984, the Federal Election Commission published Voting System Standards, a report on developing standards for voting machines. With approval and funds from U.S. Congress, the FEC performed a four-year study.

The National Association of State Election Directors (NASED) established a certification process that can be used by state and local jurisdictions for assessing system integrity, accuracy, and reliability.

At this time, NASED comprises nine US state or federal election officers, an FEC representative, three software consultants, and one representative from each of IEEE, Wyle Laboratories, SysTest, and Ciber.

To date, seven vendors have submitted twelve full voting systems for testing.

Regulations

Certification Authorities:

"The national testing effort is overseen by NASED’s Voting Systems Board, which is composed of election officials and independent technical advisors. NASED has established a process for vendors to submit their equipment to an Independent Test Authority (ITA) for evaluation against the Standards. To date, Wyle Laboratories, Inc., CIBER, Inc., and SysTest Labs are certified by NASED to serve as program ITAs for the testing of hardware and the examination of software."


Revised Standards:

"In 1997, NASED briefed the FEC on the necessity for continued FEC involvement, citing the importance of keeping the Standards current in its reflection of modern and emerging technologies employed by voting system vendors."
"Audit Trails - Performance requirements for audit trails are strengthened to address the full range of election management functions..."
"Error rates - errors introduced by the system and not by a voter’s action ... applies to specific system functions, such as recording a vote, storing a vote and consolidating votes into vote totals ... each location where a vote may be entered represents a ballot position ... the Standards set two error rates: Target error rate: a maximum of one error in 10,000,000 ballot positions, and Testing error rate: a maximum acceptable rate in the test process of one error in 500,000 positions ... This system error rate applies to data that is entered into the system in conformance with the applicable instructions..."
"Overall capabilities - ...apply throughout the election process. They include security, accuracy, integrity, system auditability, election management system, vote tabulation, ballot counters, telecommunications, and data retention."


Quality Assurance:

"In the Standards, quality assurance is a vendor function with associated practices that confirms throughout the system development and maintenance life-cycle that a voting system conforms with the Standards and other requirements of state and local jurisdictions."


Test process:

"The qualification test process is intended to discover errors that, should they occur in actual election use, could result in failure to complete election operations in a satisfactory manner."
"The testing process involves the assessment of: (a) Absolute correctness of all ballot processing software, for which no margin for error exists; (b) Operational accuracy in the recording and processing of voting data, as measured by the error rates [above]; ... (c) System performance and function under normal and abnormal conditions."
"System-level qualification tests address the integrated operation of hardware, software (and telecommunications capabilities where applicable) to assess the system’s response to a range of both normal and abnormal conditions in an attempt to compromise the system."


Security overview:

"Security standards - this section describes the essential security capabilities for a voting system, encompassing the system’s hardware, software, communications, and documentation. The requirements of this section recognize that no predefined set of security Standards will address and defeat all conceivable or theoretical threats. However, the Standards articulate requirements to achieve acceptable levels of integrity, reliability, and inviolability. Ultimately, the objectives of the security Standards for voting systems are to:
  • Establish and maintain controls that can ensure that accidents, inadvertent mistakes, and errors are minimized;
  • Protect the system from intentional manipulation and fraud;
  • Protect the system from malicious mischief;
  • Identify fraudulent or erroneous changes to the system; and
  • Protect secrecy in the voting process.
These Standards are intended to address a broad range of risks to the integrity of a voting system. While it is not possible to identify all potential risks, the Standards identify several types of risk that must be addressed, including:
  • Unauthorized changes to system capabilities for defining ballot formats, casting and recording votes, calculating vote totals consistent with defined ballot formats, and reporting vote totals;
  • Alteration of voting system audit trails;
  • Altering a legitimately cast vote;
  • Preventing the recording of a legitimately cast vote;
  • Introducing data for a vote not cast by a registered voter;
  • Changing calculated vote totals;
  • Preventing access to vote data, including individual votes and vote totals, to unauthorized individuals..."


Software, Firmware and Telecomms security (Extracts):

The system shall meet the following requirements for installation of software, including hardware with embedded firmware:
  • If software is resident in the system as firmware, the vendor shall require and state in the system documentation that every device is to be retested to validate each ROM prior to the start of elections operations;
  • To prevent alteration of executable code, no software shall be permanently installed or resident in the system unless the system documentation states that the jurisdiction must provide a secure physical and procedural environment for the storage, handling, preparation, and transportation of the system hardware;
  • The system bootstrap, monitor, and device-controller software may be resident permanently as firmware, provided that this firmware has been shown to be inaccessible to activation or control by any means other than by the authorized initiation and execution of the vote-counting program, and its associated exception handlers;
  • Voting systems that use telecommunications to communicate between system components and locations are subject to the same security requirements governing access to any other system hardware, software, and data function.
  • Voting systems that use electrical or optical transmission of data shall ensure the receipt of valid vote records is verified at the receiving station. This should include standard transmission error detection and correction methods such as checksums or message digest hashes.
  • Verification of correct transmission shall occur at the voting system application level and ensure that the correct data is recorded on all relevant components consolidated within the polling place prior to the voter completing casting of his or her ballot.
  • Voting systems that use public telecommunications networks may become vulnerable, by virtue of their system components, to external threats to the accuracy and integrity of vote recording, vote counting, and vote consolidation and reporting processes. Therefore, vendors of such systems shall document how they plan to monitor and respond to known threats to which their voting systems are vulnerable.
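The receipt-verification requirement in the preceding bullets, as an added example that is not from the Standards or from any vendor's system: the receiving station checks a message digest over each transmitted vote record before recording it, then applies the application-level checks the Standards call for, and the ballot is treated as cast only on acceptance. The record layout, the field names and the constructed key are assumptions.

```python
import hashlib
import hmac
import json
from typing import Optional

DEMO_KEY = b"constructed-demo-key"  # constructed; real keys are provisioned per device

def encode_record(record: dict) -> bytes:
    """Canonical encoding so sender and receiving station hash identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def digest(body: bytes, key: Optional[bytes]) -> bytes:
    """Plain SHA-256 catches transmission errors; the keyed (HMAC) form also
    catches alteration by anyone who does not hold the key."""
    if key is None:
        return hashlib.sha256(body).hexdigest().encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest().encode()

def frame_record(record: dict, key: Optional[bytes] = None) -> bytes:
    """Sender side: canonical body, newline, hex digest."""
    body = encode_record(record)
    return body + b"\n" + digest(body, key)

def receive_record(frame: bytes, expected_positions: int, key: Optional[bytes] = None):
    """Receiving station: verify the digest, then run application-level checks.
    Returns (accepted, reason); the ballot counts as cast only on acceptance."""
    body, sep, received = frame.rpartition(b"\n")
    if not sep:
        return False, "malformed frame"
    if not hmac.compare_digest(digest(body, key), received):
        return False, "digest mismatch"
    try:
        record = json.loads(body)
    except ValueError:
        return False, "undecodable record"
    marks = record.get("marks") if isinstance(record, dict) else None
    if not isinstance(marks, list) or len(marks) != expected_positions:
        return False, "wrong number of ballot positions"
    if any(m not in (0, 1) for m in marks):
        return False, "invalid mark value"
    return True, "accepted"

def demo():
    record = {"precinct": "P-01", "ballot_id": "constructed-0001", "marks": [1, 0, 0, 1, 0]}
    good = receive_record(frame_record(record), 5)
    corrupted = bytearray(frame_record(record))
    corrupted[20] ^= 0x01  # constructed single-bit error in transit
    bad = receive_record(bytes(corrupted), 5)
    altered = frame_record(dict(record, marks=[0, 1, 0, 1, 0]))  # digest recomputed over changed marks
    return good, bad, receive_record(altered, 5), receive_record(altered, 5, key=DEMO_KEY)
```

The third result in `demo()` shows why a plain digest only guards against accidental corruption: a record whose digest is recomputed after alteration is accepted, whereas the keyed form used for the fourth result rejects it.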


Security testing procedures:

[ITAs] shall not rely on vendor testing as a substitute for software testing performed by the ITA.
"The ITA shall design and perform test procedures that test the security capabilities of the voting system against the requirements defined in Volume I, Section 6. These procedures shall focus on the ability of the system to detect, prevent, log, and recover from a broad range of security risks as identified in Section 6, and system capabilities and safeguards claimed by the vendor in its TDP [documentation] that go beyond [these] risks and threats..."
"Regardless of system design and risk profile, all systems are tested for effective access control and physical data security"
"The ITAs shall conduct tests to ensure that the system provides the necessary identity-proofing, confidentiality, and integrity of transmitted data. These tests shall be designed to confirm that the system is capable of detecting, logging, preventing, and recovering from types of attacks known at the time the system is submitted for qualification."
"The ITA may meet these testing requirements by confirming proper implementation of proven commercial security software ... [or] at its discretion, the ITA may conduct or simulate attacks on the system to confirm the effectiveness of the system's security capabilities."
"For those access control features built in as components of the voting system [as opposed to external policies], the ITA shall design tests to confirm that these security elements work as specified. Specific activities to be conducted by the ITA shall include ... specific tests designed by the ITA to verify the correct operation of all documented access control procedures and capabilities, including tests designed to circumvent controls provided by the vendor. These tests shall include ... (2) Performing tests intended to bypass or otherwise defeat the resulting security environment. These tests shall include simulation of attempts to physically destroy components of the voting system in order to validate the correct operation of system redundancy and backup capabilities. This review applies to the full scope of system functionality".
"For systems that use telecommunications to transmit official voting data, the ITA shall review, and conduct tests of, the data interception and prevention safeguards specified by the vendor ... The ITA shall evaluate safeguards provided by the vendor to ensure their proper operation, including the proper response to the detection of efforts to monitor data or otherwise compromise the system. For systems that use public communications networks the ITA shall also review the vendor’s documented procedures for maintaining protection against newly discovered external threats..."

Tested systems

Ciber's Certification Report Overview

Statement of purpose:

"The primary purpose of Software Qualification Testing is to demonstrate compliance with levels of design, performance, and quality claimed for them by manufacturers. The tests are also intended to demonstrate that the system meets or exceeds the requirements of the FEC Voting System Standards. The scope and detail of the requirements for qualification have been tailored to the design and complexity of the software submitted by VoteHere for testing. The qualification test procedure is intended to discover defects in software design and system operation which, should they occur in actual election use, could result in failure to complete election operations in a satisfactory manner. The tests have been designed to evaluate system compliance with the requirements of Sections 2 through 6 of the FEC Voting System Standards."

Functional testing and verification scope:

Software verification - "All software (including firmware) for all voting systems shall include measures to prevent access by unauthorized persons and to prevent unauthorized operations by any person..."
(Firmware is software stored in a device's non-volatile memory, such as a PC's BIOS. It runs before and beneath the operating system and exercises unsupervised, low-level control over access to the network interface, hard disk drives, and the other built-in subsystems of the computer.)

Security and Penetration testing and verification scope:

"The vendor shall provide a penetration analysis relevant to the operating status of the system and its environment. This analysis shall...identify all entry points and the methods of attack to which each is vulnerable ... the penetration analysis ... shall be part of the escrow deposit"
(In contravention of the FEC requirement quoted above, the certification requirements as stated by Ciber do not verify protection against penetration, nor does the ITA test for weaknesses or arrange independent vulnerability or penetration testing of the voting machines by security specialists. In neither of the two reports obtained by BBV was any such testing performed.)

Ciber Labs Certification of Diebold GEMS 1-18-15

System:

"GEMS program, ODBC compliant database, Crystal Reports, ABasic, VCProgrammer, Java, AccuVote-Optical Scan" running on a Dell P2 and Dell P3 using Windows CF.3.0,8/09102 firmware 4.3.13, and Windows NT 4.0.1381.

Functional tests:

Software testing and verification - "Firmware not reviewed"
Security testing and verification - "Not applicable, not reviewed"

Ciber conclusion:

"The functional testing included testing against the functional, overall system performance, software, security ... and audit requirements as specified in the FEC Voting System Standards ... After completing final functional testing, CIBER concludes that GEMS 1-18-15 meets the functional requirements provided by the FEC ... It has been demonstrated through the TDP review, source code review, and functional testing that the GEMS Software ... successfully meets the required acceptance criteria of the FEC Standards for ... Electronic Voting Systems, January 1990. CIBER recommends to the NASED committee that GEMS ... be certified and assigned NASED certification number N0306001 1815."

Source: GEMS certification report, pages 1, 2, 3 and 4


Ciber Labs Certification of VoteHere Election System 3.0.0.33

System:

VoteHere Election System 3.0.0.7 program running on Red Hat Linux 7.1, MySQL 3.23.36, Apache 1.3.12, Mozilla 0.8, CryptoF, 4.1, Libxml 2.2.11, Zlib 1.1.3, OpenSSL 0.9.5a, STLPort 4.0, various ActiveX controls, on a ProLiant ML330e platform.

Functional tests:

Software testing and verification - "Firmware not reviewed"
Security testing and verification - "Not applicable, not reviewed"

Ciber's conclusion at end of this testing:

"After completing final functional testing, CIBER concludes that VoteHere Election System Version 3.0.0.33 meets the functional requirements provided by the FEC ... It has been demonstrated through the TDP review, source code review, and functional testing that the VoteHere Software ... successfully meets the required acceptance criteria of the FEC Standards of January 1990. CIBER recommends to the NASED committee that VoteHere Election System ... be certified and assigned NASED Certification Number N03080030033."

Source: VoteHere certification report

References and external links

This article contains content from Wikipedia. Current versions of the GNU FDL article Certification of voting machines on Wikipedia may contain information useful to the improvement of this article.