Dead-man mats and fleeing customers

| Comments (1) | SYSSEC Voting
Ed Felten writes about the problem of fleeing voters:
Well designed voting systems tend to have a prominent, clearly labeled control or action that the voter uses to officially cast his or her vote. This might be a big red "CAST VOTE" button. The Finnish system mistakenly used the same "OK" button used previously in the process, making voter mistakes more likely. Adding to the problem, the voter's smart card was protruding from the front of the machine, making it all too easy for a voter to grab the card and walk away.

No voting machine can stop a "fleeing voter" scenario, where a voter simply walks away during the voting process (we conventionally say "fleeing" even if the voter leaves by mistake), but some systems are much better than others in this respect. Diebold's touchscreen voting machines, for all their faults, got this design element right, pulling the voter's smart card all of the way into the machine and ejecting it only when the voter was supposed to leave -- thus turning the voter's desire to return the smart card into a countermeasure against premature voter departure, rather than a cause of it. (ATM machines often use this same trick of holding the card inside the machine to stop the user from grabbing the card and walking away at the wrong time.) Some older lever machines use an even simpler method against fleeing voters: the same big red handle that casts the ballot also opens the curtains so the voter can leave.

I was at the Fidelity office in Palo Alto today and I noticed an ingenious solution to a related problem: fleeing customers. Their investment terminals have dead-man switches, well mats:

The way that this works (apparently) is that there's a pressure sensitive mat in front of the terminal, positioned so that you need to (or at least it's really inconvenient not to) stand on the mat in order to use the terminal. When you step off the mat to walk away, the terminal logs you out, so there's only a minimal window of vulnerability where you're logged in but not present. Now, obviously, a real attacker could tamper with the mats to keep you logged in, but this seems like a pretty good safeguard against simple user error being exploited by subsequent customers. You could imagine building a similar safeguard into voting machines, where the machine rings some alarm if you step away.

UPDATE: Fixed blockquote...


So I guess you could say that the terminal "flushes" your login session when it detects you stepping away, right? Very hygienic...

Leave a comment