The VIP "Trap Door" Protocol
What is a Trap Door?
A "trap door" is a feature hidden in the security system of a software or hardware device. Its purpose is to allow the designer of the security system or someone who knows how to operate the trap door to bypass the normal security features of the device. As an example, a systems administrator might create a hidden account on the computer system he administers. Long after he has quit his job and the password to the main administrative account has been changed, he can still use his trap door to gain access - perhaps to steal information or even to directly sabotage his old employer.
What does this have to do with elections?
For some time, rumors have abounded in election circles of "trap door" programs placed within election equipment software that can be used to transfer votes to a particular candidate or party. Not only are such rumors difficult to prove, since trap doors are hard to detect, but they destroy confidence in election outcomes. Voter turnout is directly linked to voter confidence, and election fraud is easier to perpetrate with low voter turnouts. Thus, the issue of trap doors needs to be addressed if only to ensure that voters can be confident of election outcomes in their community.
What is the VIP Anti-Trap Door Protocol?
VIP does not take a position on the likelihood or prevalence of trap door programs. However, we are concerned about voter confidence and its impact on voter turnout and election fraud. Since The Voting Integrity Project believes that a primary reason for low voter turnouts is lack of voter confidence in election integrity, we have devised a suggested protocol for communities to safeguard themselves from such a trap door program in election equipment.
The protocol, as presented here, is quite basic and has not yet been tested, but we believe may offer value in certain situations. We caution, however, that in order to be used to provide real security, similar protective models must be devised for every link in an election - not just for the voting machines. For example, tabulators are frequently tested with a limited number of ballots prior to use in an election. Such a test would not detect a trap door program designed to assert itself after a large number of ballots had been counted.
How does the VIP Anti-Trap Door Protocol Work?
Since a trap door program could be designed to trigger in several ways, VIP feels that the only way to detect such a program is to vote an identically programmed machine in real time.
Thus the program depends on the willingness of the Elections Division in question to prepare and program one extra machine for each voting jurisdiction. At a given time just prior to the election, an independent group would randomly select and segregate one of the machines for that jurisdiction and designate it as the "control" machine. The group would then vote the machine in real time - the same exact time frames as the election is occurring - using real ballots and in volumes to replicate actual voting experience in that jurisdiction. The ballots could then be compared with the machines results at the end of the election, and would quickly reflect whether the machine was accurately portraying how the ballots had been cast.
Why do you need to do it in real time?
If a program trigger was time-sensitive, merely voting a replicate number of ballots would not necessarily reveal an "11th hour" program that, for example, flipped 10% of the Democrat votes to the Republican column two minutes before the polls were scheduled to close.
Would such a control machine detect all such attempts to thwart an election?
No. There are many ways to construct such triggers, and it is important to note that utilizing this protocol could give a community a false sense of protection. A program trigger could be linked to certain volumes of votes cast during certain times of day - typical of most voting jurisdictions. If the control machine was not voted in that fashion, and produced accurate results, it could miss such a trap door. There are other such scenarios.
What about tabulators?
An election division usually has just a few tabulators. It may not be economically feasible to conduct similar "control" tabulating.
Isn't this expensive?
Yes, it could be, because to ensure randomness, one additional machine would have to be programmed for each ballot configuration. In some communities this may be prohibitively expensive, unless a system could be devised to ensure randomness even though only some ballot configurations were used in control. However, with just barely 1/3 of Americans voting today, any system which can result in increased voter confidence and greater voter turnout without jeopardizing election integrity, should be encouraged."
Would such a protocol work with all equipment types?
This protocol is untested, and we are still "working the bugs out." We invite comment on this proposal from election officials, vendors and others knowledgeable about the problem. VIP would also be willing to work with any community willing to test such a protocol.
Copyright © 1998 Voting Integrity Project. All rights reserved.
Questions or comments pertaining to this site? Email .