Analysis of an Electronic Voting System
Johns Hopkins Information Security Institute Technical Report TR-2003-19, July 23, 2003
- Authors:
  - Tadayoshi Kohno
  - Adam Stubblefield
  - Aviel D. Rubin
  - Dan S. Wallach
- Paper: PDF
Questions you can ask of vendors
Several people have asked us what questions they should be asking voting
system vendors with regard to security. Here are some useful ones. These
questions are taken from our response to Diebold.
- Has your system been reviewed by a large number of outside security experts?
  - If so, who?
  - What are their credentials?
  - Do their areas of expertise cover a wide area of specialties within the discipline of cryptography and computer security?
  - Can we see an executive summary of their reports?
- Do you allow the public to review the security and reliability of your voting system's source code?
- Is the security of your system dependent on your source code being secret?
  - If so, how do you address the fact that the source code could leak to the public (or to well-funded adversaries)?
  - And how do you address the fact that an attacker might be an insider who knows the source code?
- Would you be willing to have a panel of outside security experts review the source code for your system?
  - Would you allow them to publish an executive summary of their findings?
  - If not, why not?
- Who designed and developed the source code used in your systems?
  - What are their credentials with respect to cryptography and computer security?
  - Where were they trained?
  - Have these developers worked on cryptography and computer security in other systems outside of voting software?
- How confident are you in the security and reliability of your product? Will you "certify" the security and reliability of your product?
  - Will you offer a full refund, plus "damages," if somebody purchases your equipment and later finds that it is vulnerable to certain types of attacks? (Which types of attacks?)
  - Will you offer a full refund, plus "damages," if after an election it is determined that more votes were collected than people who voted (on a given terminal), but that it cannot be determined which were the legitimate votes?
  - Will you offer a full refund, plus "damages," if after an election it is determined that your machines reported an inaccurate total (either because of an attack or a system glitch)?
  - Will you offer a full refund, plus "damages," if after an election it is determined that voters' anonymity was compromised, allowing votes to be bought and sold?
  - Under what other situations would you offer a full refund, plus "damages"?
- In your system, what can voters do if they feel that their votes were not recorded properly?
  - Are there any mechanisms for voters to verify their votes are correct?
  - What happens in the case of a dispute?
  - Is a manual recount (i.e., not requiring any computer software) possible?
- Does your system conform to the requirements of the Holt bill? Details can be found at http://holt.house.gov/issues2.cfm?id=5996.