Login Feature to Track Users

[rrojas350]

RCTab needs the ability to track who's conducting the tabulation for auditing purposes. Ideally, this would involve a user login and password.

Thoughts on the feasibility of including in 1.4?

[tarheel]

Can we just leverage the OS-level user info? I.e. whoever's signed into the machine that the app is running on. It would be pretty weird to create our own parallel user authentication system given that modern OSes have already solved this problem.

[rrojas350]

That seems like a good starting point, since RCTab already collects this info, but the only downside is sometimes tabulation systems are set up with generic logins such as Tabulator 1, Count 1, and etc. Seems like a best practice discussion we'll have to discuss on a user by user basis.

Eventually we may have to come up with something as this is starting to become a growing concern with some jurisdictions. They would like to be able to track who ran the tabulation and when.

[tarheel]

If we were to implement something like this, another concern I'd have is that its capabilities would be ripe for misinterpretation. Unless we offered a whole separate process that allowed a trusted administrator to provision a set of credentials as a one-off that would then be stored in an encrypted file on the machine where the tabulator is running, we wouldn't be able to say with any confidence that our software was guaranteeing the identity of the person running the tabulation. Even then, a really sophisticated attacker could presumably circumvent that logic. If we're not going to rely on the system user, we might be better off just asking the user for their name and trusting their answer instead of offering a password-based solution that's not actually secure.

@benadida, I'm curious whether you've dealt with a challenge like this in your work.

[benadida]

Hi folks. Happy to share our approach.

All VotingWorks equipment is a combination of hardware and software, where production builds are particularly locked down. Authentication is via smartcard, though it doesn't leverage OS users so we can control the UX much more precisely and so we don't expose the complexity of Linux permissions to the end user. Because it's locked down, with trusted boot and dm-verity, it's particularly hard for someone to use the system without authentication.

Thinking a bit more about your use case. Rctab is open source. That means I can use it on my own machine if I want to. So it's not clear to me that you can do much about malicious users, unless you want to implement some kind of public-key infrastructure where users would digitally sign the output of rctab. If you wanted to go this route, you might end up looking at smartcards like we do.

But if your use case is more about honest bookkeeping, then maybe simply prompting the user for their name is all you need.

Hope this helps!

[rrojas350]

Thanks for the your input Ben. It's a tricky balance.

For now I think a good half step would be just asking the user for their name and working off that. It's simple and gives us some form of an auditable trail as to who was behind the keyboard.

[tarheel]

OK, great. That's simple enough.

[ggilber1]

Yes. Keep it simple. Procedural safeguards will always be a critical part of election security no matter how failsafe we attempt to design our systems.

[artoonie]

Any thoughts on when to ask? Before each tabulation? On each launch? Only manually? Trying to strike a nice balance between where it's not too annoying for casual users.

[HEdingfield]

I'd say before each tabulation, but defer to basically everyone else on this.