Friday, July 18, 2008

Can't digital images be faked?

Yes, it's easy to fake digital images.

Here's the process by which we ensure that isn't happening.

Our scanner is not a special piece of elections equipment, it is a general purpose office scanner.

The scanner will be controlled by a computer running an open source operating system (Debian Linux "Etch"). All computer programs that control the scanner are available for inspection by anyone who would like to see how they operate. The counting and sorting software will always be available for inspection as well.

The Linux system is not configured for networking.

The ballot images from the scanner are archived into a single large file. This large file is then digitally signed using a technology known as public key cryptography. This generates a small signature file, which can be printed or emailed. Public key cryptography works with pairs of keys -- one key is secret and the other is public. The secret key is used to sign the ballot file. To sign the ballot file, a person needs to be in the room with the scanner computer, have the password to the elections account, and know the "passphrase" that unlocks the signature program. The public key is available on the Internet.

Anyone wanting to ensure that the ballot file they've received has not been altered can run a free program called GPG ("GNU Privacy Guard") to validate that the ballot file and signature go together, and that the signature was generated by someone with access to the elections office private key. A change of even one bit in the entire file will prevent the file from being validated.

This gives us a very high degree of confidence that, if you validate our file with GPG, the images we scanned are the images you get.
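The sign-then-verify workflow described above, as an added illustration that is not part of the original post and not the elections office's own tooling: it models the detached signature with Ed25519 from Go's standard library instead of GPG, uses a constructed stand-in for the archived ballot file, and shows that changing a single bit of the archive, or checking against a key other than the elections office's public key, makes verification fail.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// ballotArchive is a constructed stand-in for the single large file of
// archived ballot images; each line carries the imprinted serial number.
var ballotArchive = []byte(
	"BALLOT-000001 <image bytes>\n" +
		"BALLOT-000002 <image bytes>\n" +
		"BALLOT-000003 <image bytes>\n")

// GenerateElectionKey creates the key pair: the private half stays on the
// (non-networked) scanner computer, the public half is published.
func GenerateElectionKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignArchive produces the small detached signature over the whole archive.
// This is the step that requires access to the secret key.
func SignArchive(priv ed25519.PrivateKey, archive []byte) []byte {
	return ed25519.Sign(priv, archive)
}

// PrintableSignature renders the signature in a form that can be printed or
// emailed alongside the archive (analogous to an armored .asc file).
func PrintableSignature(sig []byte) string {
	return base64.StdEncoding.EncodeToString(sig)
}

// VerifyArchive is what any recipient does with only the public key: it
// reports whether archive and signature go together and the signature was
// made with the matching secret key.
func VerifyArchive(pub ed25519.PublicKey, archive, sig []byte) bool {
	return ed25519.Verify(pub, archive, sig)
}

// FlipBit returns a copy of data with exactly one bit changed, to model an
// altered archive.
func FlipBit(data []byte, byteIndex int, bit uint) []byte {
	out := make([]byte, len(data))
	copy(out, data)
	out[byteIndex] ^= 1 << bit
	return out
}

func main() {
	pub, priv, err := GenerateElectionKey()
	if err != nil {
		panic(err)
	}
	sig := SignArchive(priv, ballotArchive)
	fmt.Println("signature:", PrintableSignature(sig))
	fmt.Println("genuine archive verifies:", VerifyArchive(pub, ballotArchive, sig))

	tampered := FlipBit(ballotArchive, 7, 0) // one bit in the first serial number
	fmt.Println("one-bit change verifies:  ", VerifyArchive(pub, tampered, sig))

	otherPub, _, _ := GenerateElectionKey()
	fmt.Println("wrong public key verifies:", VerifyArchive(otherPub, ballotArchive, sig))
}
```

With GPG itself the same two steps are `gpg --detach-sign --armor ballots.tar` on the scanner computer, which writes the small `ballots.tar.asc` signature file, and `gpg --verify ballots.tar.asc ballots.tar` by anyone holding the published public key; a recipient should also confirm that the public key they imported is genuinely the elections office's, since a valid signature only proves possession of whatever secret key matches that public key.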

Each ballot is imprinted with a unique number just as it enters the scanner. This number is part of the scanned image, and can be used to locate the paper ballot associated with the image. If any questions about our images were to arise, a random sampling of the images, checked against the ballots themselves, would allow anyone to confirm that the images we provide are actual images of the ballots themselves.