You Can't Patch An Election
from the but-that-won't-stop-them-from-trying dept
Tim Lee points us to e-voting security researcher Avi Rubin talking about how California Secretary of State Debra Bowen took part in a workshop on e-voting this week, right after the whole decertification/recertification of e-voting machines in California. Rubin notes that Bowen made some insightful comments about how the traditional voting machine certification process doesn’t make any sense when it comes to software. Certifying an old mechanical voting machine was pretty straightforward, because you tested it out and, if it did what you needed it to do, you could expect it to pretty much do that every time. However, we all know that software doesn’t quite work that way, and software is always being changed, patched and upgraded, especially as new vulnerabilities are found. Unfortunately, that doesn’t work so well with the old certification process. Of course, that leaves open the question of what to do about it. It’s unclear from the wording of the post whether the following statement is from Rubin or Bowen, but it’s worth repeating either way:
“Software is designed to be upgraded, and patch management systems are the norm. A certification system that requires freezing a version in stone is doomed to failure because of the inherent nature of software. Since we cannot change the nature of software, the certification process for voting machines needs to be radically revamped. The dependence on software needs to be eliminated.”
However, perhaps the best insight into this comes in the simple statement that Tim Lee used as the headline for his post on the subject, which was so good that we’re reusing it here as well: You Can’t Patch An Election.