Computer Scientists Rally for Reliable Voting System

Kim Alexander writes "Silicon Valley computer scientists, led by Stanford professor David Dill are asking Santa Clara county to purchase a new computerized voting system only if it provides a voter verified paper trail. Their concerns are based on the lack of adequate testing of these voting systems, and the fact that the software is closed-source and proprietary. Requiring a voter-verified paper trail will mitigate many of these problems. Dill's 'Resolution on Electronic Voting' has been endorsed by prominent computer scientists from all over the country, including Ron Rivest. Counties all over California and the US are going through a similar process. Patriotic nerds who want to do something to help protect our fundamental right to vote with confidence that our votes will be counted can help by contacting their state and local reps, writing letters to supervisors and getting informed!"

Patriotic, Schmatriotic

[blair1q]

The first person who writes and validates a working, bulletproof software system for collecting votes wins $$billions.

That's the kind of patriotism we need.

Closed-Source?

[Rimbo]

I cannot support any voting system that's closed source. I want to know what the voting system is doing with my vote, and the only reliable way to do that and to maintain a free society is to be able to see the source. That doesn't mean everyone should be a contributor, but we should see what we're dealing with.

Re:Keep in mind

[The Dobber]

The reverse could also be said. Those that wish to unseat the incumbent wants something different.

The best way to elect our representatives is not through the use of technology, wiz-bang gadgets, open source software or even legal challenges.

Its gett ing Joe Six-Pack and the rest of the disenchanted voters off thier duffs and out to the polls. Rather than complain, execrcise the right to vote people. Had this been the case in 2000, we would have had a clear winner

If there so worried the voting soft. is closed

[sls1j]

If there so worried the voting software is closed source, why not start and open source project?

The scariest argument against computerized voting

[Lord_Pall]

http://www.bestoftheblogs.com/2003_02_05_bestof.ht ml#90279110

This is an article about Chuck Hagel who is a nebraska representative. He ran for office and won in a very close run off, and controls a large interest in the private company that counted the votes in his runoff election.

The majority of the information in the above blog came from http://blackboxvoting.com/, which is a book about the future of electronic voting.

Just some fairly creepy stuff that's turned me off towards any sort of private computerized voting.

A paper trail is too insecure.

[wackybrit]

The problem here is that a paper trail is too easy to for other people to read.

Elections in Western countries are meant to be by secret ballot, people. That means your vote is anonymous. Why? Because people don't want other people knowing who they voted for. If someone voted for the 'Kill All Geeks' party, that's their right, and you can't condemn them for their vote (although you can certainly condemn them for their actions).

The best alternative solution to a paper trail would be to use a secure database that has public access. That is, members of the public can run a set of limited commands on it.. like

SELECT COUNT() FROM votes WHERE party='republican';

Or

SELECT COUNT() FROM votes WHERE state='alabama' AND sexuality='gay';

That way, the populace can access the database over the net and query it by SQL, checking the validity of the votes.

Preferably you'd use a proprietary database system to store the votes, as then you can be sure security is not compromised. A paper trail just opens up a whole bag of communist ghouls.

Hear hear!

[Anonymous Coward]

It's not a vote if I can't hold the ballot in my hand, look down and see "Al Buchanan" in the PRESIDENT column and say "1 for Al!".

The ballot needs to be:

Machine generated from a touch screen like device.
Machine and human readable.
Signed so as to be verifiable.

The ballot reciept, that's placed into the voting machine, is a random private key, handed to the voter before voting that is used to sign the ballot and ensure integrity. The voter can then take the receipt/key with them and use an Id number to check that their vote was actually tallyed.

This allows machine counts of paper ballots. It allows manual, human auditing of ballots and tally. It allows machine and human recounts of the ballots. It preserves the voting record for the election on something besides magnetic media. It allows "quick summary" for those willing to rely upon the stored, machine versions of the votes before physically counting the ballots.

This is the only way. You MUST have a piece of paper you can go back to and find a vote. Anything else is simply unacceptable.

And, no, it's not over the internet, but we know that will never fly anyway.

Re:Keep in mind

[John Jorsett]

Its getting Joe Six-Pack and the rest of the disenchanted voters off thier duffs and out to the polls.

Personally, I think voting ought to be made as difficult and inconvenient as possible. If voting were like crawling over broken glass, only those who really really were interested would do it, and we'd get a better product. Keep the ignorant and lazy out of the electoral process, I say.

The objection does not go far enough

[originalhack]

The fundamental issue is as follows....

Consider 2 elections. In one, you and I and everyone else have exactly a 75% chance of having their votes counted. In the other, the affluent young technocracy has a 99% chance of having their votes counted and the poor, old, or low-tech population has a 95% chance of having their votes counted. At first blush, the seond electiuon sounds more fair, but it is very clear that the first is totally fair and the second is terribly biased.

The problems in recent elections were not caused by technological failures. Dangling chads and the like are just a smokescreen and the recounts bore that out. The problems in elections are a lack of uniformity within the areas in which votes are pooled. Since the votes for president are done by electoral votes rather than popular vote, it is not necessary to have the entire country have identical machines and ballots, but this does need to happen at the state level. When I walk into my polling place, I should see an identical machine to every other voter in the state (randomly selected from the state pool). All the state ballots should be identical to every other ballot in the state. All the county ballots should be identical to every other ballot in the county, etc....

To do otherwise not only fails to solve the fairness problem, but it disinfranchises people for whom a mouse is a household pest.

Electronic Gambling Machines have more oversight!

[semios]

What scares me is the fact that Electronic Gambling Machines have more oversight than these Electronic Voting Machines. Gambling institutions that provide electronic gaming are subject to random searches where the eeproms will popped out and verified that no tampering has been committed.

However, when it comes to protecting the foundation of democracy we can't even be given access to the source code as it is a "trade secret." Here's an example [sweetliberty.org] of this privatization of democracy:

In the West Virginia case [where an election supervisor, a candidate, a prosecutor, a county commissioner, election workers and the voting machine vendor were all sued by a group of candidates who believed that they had been cheated in the election], although the criminal charges were dropped, the judge had not allowed the jury to see a demonstration by the plaintiff's attorneys' computer expert, Wayne Nunn, PhD, a project scientist for Union Carbide who had designed multimillion-dollar computer networks.

After a nine-hour examination of the CES (now Business Records Corporation) computer system in question and in the presence of the CES president, the system's programmer, and others,

"Nunn, with one punch card, added ten thousand votes to the total of one of the candidates in a mock race for president". [ The New Yorker , November 7 th 1988, p. 68]

Nunn subsequently gave a deposition under cross-examination and revealed seven ways in which the system could be deliberately caused to miscount votes, including by manipulation of the toggle switch on the front of the machine to alter vote totals and by inserting a set of secret Trojan Horse commands into the source-code software as described earlier. So it can be done. But can it be detected and prosecuted?

A methodical expert analysis of the company's source-code could have been the key to determining the existence of fraud, but CES officials asked presiding Judge Charles H. Haden II, of the United States District Court, to block Nunn from inspecting their code on the basis that it was a "trade secret". Ultimately, the judge ordered that Nunn alone be allowed to view it, but without the computer he needed for a proper system analysis.

Nevertheless, he discovered "trap doors", "wait loops", and Christmas trees" which could all serve the same end of undetectable vote fraud. According to the New Yorker's Ronnie Dugger, after viewing the code for several hours,

"Nunn was prepared to testify that a ?debugger' in the BT-76 program, while enabling a programmer to make repairs in the program, was also a Trojan Horse; Haden excluded such testimony".

Nunn was allowed to testify that "he had concluded that the program had been altered during the counting".

The jury was also barred from seeing Nunn demonstrate how he could alter the vote count.

The case of Wayne Nunn being allowed to examine the proprietary source-code of the CES system is an extraordinary exception. The fact is that very few individuals outside of the computer vendors have ever been allowed to inspect the source-code of that or any other election equipment company. This was confirmed by Eva Waskell, the director of the Elections Project at Computer Professionals for Social Responsibility in a 1993 report entitled "Overview of Computers and Electors".

Many court cases involving allegations of fraud were brought against vendors of electronic systems. There were no convictions. Was there ever any proof of tampering presented? No. Part of the reason for this may be that during the litigation the plaintiffs were never given access to the vote tabulating program, and hence there was no opportunity for anyone to establish evidence to either prove or disprove the allegations. [Emphasis added]

We should point out that even if the court allowed the plaintiff's experts to inspect the source-code, there would be no proof that the code provided to the court was, in fact, the selfsame code used in the particular election in question. Federal election officials say that a few states are mandating that the source-code be placed in escrow so that it could be examined in the event of a particularly "fishy" election result.

Why are people making this so complicated?

[403Forbidden]

They arn't looking for ways to detect rigging, they are just looking for a way to idiot proof it.

The udder simplicity of this problem, and how complicated people are making it, is staggering... A simple touch screen which returns who the voter wants, then print in the name on a piece of paper in a specified font so another computer can read it. Of course the typical "are you sure" messages are thrown in there somewhere and vola! computerized voting...

Re:Keep in mind

[anubi]

If voting were like crawling over broken glass, only those who really really were interested would do it, and we'd get a better product.

Well, thats what we have right now as far as getting laws passed. Note how much its like "crawling over broken glass" [slashdot.org] to submit those forms they presented to contest the DMCA. See where that is getting us?

Re:Anonymous Voting != Secret Ballot

[thogard]

The problem is I can't trace my vote back to where its been counted. Now if an electronic system gives me a vote reciept, then I can go to a web site later and say 'Tell me who "0304756745383834743646374" voted for'. If I've got that ticket in my hand and my votes don't match whats in the database, then I've got reason to complain. This has other problems because its trivial in small towns to figure out which IP address goes with which household but any verificaion system will have massive risks.

What scares me is I used to work for a largeish credit card company. They would lose records from time to to time. Thouse records invovled real money but sometimes they just disappeared without any ability to trace them. Everytime I've audited a system that logged in two places, some records just don't end up in both place. The best ones seem to have about one in a hundred million go missing, but they are still lost. I want the voting system to be at least that good.

Paper still best

[teeth]

Here in the UK we have a ballot system with an excellent paper trail and a near perfect validation protocol.

Each voter is given a (numbered) balot form with one column of candidate names and one (mathcing) column of empty boxes into which may be entered an apropriate mark ("X" or numerically ordered preference) to indicate voting preference.

The votes are sorted, and the sorted votes counted. This is done manually.

Any disputed votes are examined by the returning officer and representatives of the candidates and assigned or discarded by cocsensis.

Whilst the numbering of the ballots, and the recording by hand on the master copy of the voters roll at the polling station of which ballot is given to which voter, may slightly compromise anonimity, it provides no convenient way to decern the vote of any individual.

The cost of the occaisional employment of large numbers of tellers is almost certainly less than that of the various "automated" polling systems and the audit trail far superior.

Re:Privacy...

[mmol_6453]

lol. I wasn't old enough to vote yet. My first voting experience was the November after.

It was funny, too. I hadn't been handed a privacy sleeve for my ballot, and the directions said that I should place my ballot in one. I asked for one, (got one), and learned she was absolutely delighted that I had asked for one, since it meant I had to have had read all of the directions to find that I was supposed to have one.

You have to remember that most of the voting facilities (At least in West Michigan) are manned by people who experienced Pearl Harber and whose beliefs in America's freedom was reenforced by America's role in WWII.

My experience with a new voting system.

[ktakki]

Here in Allston, a neighborhood of Boston, Massachusetts, our votes were cast in a manner similar to many urban areas, with a mechanical voting machine older than I am, the kind that has a big lever that closes a curtain and a myriad small switches for selecting candidates or casting votes for referenda.

I know that these machines have many drawbacks: they cost a lot of money to maintain, store, and "program", though I've always assumed that to "rig" these machines too commit wholesale fraudulent voting would be to time consuming and complex to pull off. Hence, I had a certain amount of faith that the lever I'd pull would actually correspond to the name on the paper strip, and my desired vote would be tallied. I know also that this faith was rooted in sentimentality; I'd accompanied my parents into machines just like that when I was a kid, back in the Sixties.

Two elections ago, however, during a primary vote in September, there was a man at the polling place who was demonstrating a new system, produced by LHS Associtates of Methuen, MA, the "Accu-Vote" system. It used paper ballots, with small circles like on a standardized multiple choice test (like SATs, except without the need for the No. 2 pencil). There was an optical scanner that looked somewhat like a paper shredder, the kind that fits on top of a wastepaper basket. You fed the ballot through the scanner and it read the marks, ejecting the paper out the other end, into a bag, thus preserving a paper trail in case of a recount.

I filled out one of these sample ballots. There were "joke" choices on the ballot, and I intentionally mis-voted, to see how fault-tolerant the system was. Under "Mayor", I placed a check mark in the box next to "Fiorello LaGuardia". For "Board of Cartoon Characters", I put a tiny dot next to "Bugs Bunny". Under "Superhero Committee", I filled in the box for "Wonder Woman", intentionally overfilling the mark, and for "Sports Authority" I filled two boxes, "Babe Ruth" and "Jackie Robinson".

I went over to the company representative who was showing the demo system and handed him my ballot. He fed it into the machine and it was spit out the other side. Though I'd intentionally cast a faulty ballot, there was no indication that anything was wrong, and I showed him the marks I'd made, pointing out my screw-ups.

"Well, this is just a demonstration," he said.

"So, all this does is roll the paper through the mechanism?" I asked.

"Um, well, it's just a demonstration."

"You mean it's not a real machine?"

"Right," he replied.

"So the real machine would reject this ballot, right?"

"I assume that this will be the case." He didn't sound too sure. At this point, the police who work the election detail started paying attention to our conversation. I guess election detail is pretty boring for them.

"So who audits the code that runs this machine?" I asked him.

"I don't know, maybe the Board of Elections," he said. "I can give you the name of the project manager. Maybe he can answer your questions." He wrote a name on the back of a business card. I took it and thanked him for his time. I called a few times but never got a callback, and I doubt I'd get a satisfactory answer.

My fear is that it's trivial for this sort of machine to register a vote for Foo to actually be tallied as a vote for Bar. With the old mechanical machines, this sort of fraud would take days, considering the hundreds or thousands of machines and the dozens of people from the Board of Elections that set them up. However a "black box" system like Accu-Vote need only be programmed with fraudulent code once, after which that code is distributed to hundreds or thousands of EEPROMS or Flash cards or whatever the Accu-Vote uses to store its programming. The barrier to entry for wholesale voting fraud has been lowered, and if the winning margin is large enough, there will never be a recount.

The Accu-Vote system was deployed for the November 2002 elections here in Boston. If there was a public hearing about this change from mechanical systems, I never heard about it, and I read the Boston Globe every day without fail.

k.

We also need to change the voting system-

[Christ0ph]

We are using the least accurate of possible voting systems, the plurality system. That is one of the reasons why the last election went the way it did. Our system is the worst possible, the one most likely to produce anomalies that do not reflect the will of the people. We need a preference-weighted voting system that prevents votes from being wasted if one's first choice candidate does not win. Like the "Borda Count" method. Many other countries are going this way. Most scientists and mathematicians agree.

Do the math:

http://www.princeton.edu/~matalive/VirtualClassr oo m/v0.1/html/lab6/lab6.html

http://www.ctl.ua.edu/math103/Voting/4popular.ht m

Or do a search for Borda Count on Google:

http://www.google.com/search?q=%22Borda+Count%22 &b tnG=Google+Search&num=200

Read the explanations above and then..Write your elected representatives..

Re:Closed-Source?

[GnrcMan]

Nope, the kiosk prints a ballot, which is inspected by the voter and deposited in an official ballot box. The kiosk *might* transmit priliminary results, but the official vote is the printed one.

Re:Requirements of a voting system

[Anonymous Coward]

*clap* *clap*

You just reiterated what the constitution demands.

Anonymous, reliable, accountable. Imagine that. The government needs more redundant thinking like yours, please pursue a career in civil service.

Open Source, Closed Network

[BadlandZ]

Ok, your point is we should be able to review the code for the polling booths, or we can't trust it. And you give ONE reference. But no solution?

This is a very serious accusation you're making. Unfortunately, a single accusation by someone on Slashdot will not make a difference, even though it has been mod'ed to +5.

Why not just outline what needs to be done, in a reasonable logical list, as clear and short as possible? Like (IMHO);

Polling Booth: A) System is to be un-networked, for security. Only networked WITHIN the polling location, not to the "internet." B) all polling booths will use minimal hardware (save money for taxpayers, simple to code because of legacy code base, hard to hack because there isn't enough RAM for an exploit to be loaded). C) After minimizing RAM for prevention of exploits, checksum code after each vote is cast to insure security?

Polling Station Logs: A) Polling Booth "checks in" digitally date/time/unit stamped vote into database for polling station. B) Check-in's are done to a single, CHEAP (but reliable) PC running open source database like PostgreSQL. C) Backups are done to removable media frequently (USB drives every half hour?) D) Backups are IMMEDIATELY taken MANALLY to central database to update voting. (Bypassing internet hacks, and "physical hijacks" of data are ruled out because the next delivery will show that there is a substantial error). E) Digital Forensics is used to investigate any accusations of "ballot stuffing" where every backup drive, every polling booth, every poling location PC, and every central database that receives manual updates can be instantly checked both physically, and against each other, as well as by looking at low-level info that was "quickly erased" from all storage media.

Now THAT'S an idea. Just one off the top of my head in 2 minutes. Sure, there are better ideas, but my point is; take 2 minutes to come up with them rather than the typical 10 seconds to poke holes in them and criticize. Why not come up with ideas rather than trash those that exist? Anyway.... Rant Over...

Attending Libertarian Party of CA convention

[zcollier]

I am a representative to the Program Committee and will definitely be bringing this up tomorrow. Last year in committee I was among a contingent that argued that regardless of the kind of voting system we adopt, there must always be a papertrail so as to prevent the rigging of elections.

This is definitely coming up tomorrow.

If you're interested in seeing a small-party convention and have the time, it's taking place Sat/Sun/Mon, Feb 15-17 in Ontario, California. (as opposed to that other "Ontario, CA")

http://www.ca.lp.org/conv/2003/

e-Voting

[krouic]

The company I work for is currently preparing a bid for pilot project that will allow the citizens of the largest Swiss state to vote via Internet and mobile phone, along with the usual paper method.

The main driver of the project is to increase turnover, especially for young citizen that are supposed to be more prone to vote via these "new" technologies.

Our (swiss) laws already incorporate specific requirements regarding e-Voting, including the ability to audit the process, the security of the whole system and the secrecy of the votes.

Swiss citizens usually have to vote or elect several times a year and the voting process is considered as mature, every step being supervised by committees containing members of different parties/lobbying groups.

The voting registers are held at the local level, and are continuously updated every time a citizen moves in or out of the city, reaches the voting age or dies, and are crosschecked by the higher authority. Voting material and voting cards are automatically sent several weeks in advance to the possible voters, they do not have to register themselves or require anything. So by design, we have no dead people voting or minorities prevented to vote because they did not register themselves due to lack of information.

e-Voting is considered here as a good thing, as it allows to streamline the counting process and should increase (our low) turnover by not requiring voters to physically present themselves to the voting booth (in some states, the majority of voters already use the generalized absentee (snail mail) voting process).

I find it quite surprising that a large majority of the US "geeks" has such a mistrust in the electronic vote in particular, and the ability of their authorities to conduct a fair and lawful election in general. Aren't the USA supposed to be the most democratic country in this world ?

Re:Keep in mind

[man2525]

If voting were like crawling over broken glass, only those who really really were interested would do it, and we'd get a better product.

That's one economic argument. Here's another: Concentrated beneficiaries hold a natural advantage over dispersed stakeholders. For example, insurance companies have a specific agenda to pay out as little as possible. Therefore, by putting a few thousand dollars into fancy dinners and presents for your state legislature, they can get a number of different state laws restricting any halfway fun activity passed. Can you imagine how much effort it then takes people dispersed throughout the population to organize against it? Voting should be made easier to offset special interests, not harder to encourage it.

Re:It's closed source, and nearly unauditable

[Anonymous Coward]

Regarding (1), this is about control of the most powerful nation in the world. The stakes are high enough to involve more than one person.

Regarding (3), if a paper were printed immediately after voting that the voter himself could stuff into a ballot box (as was done for centuries), secrecy is preserved. By comparison, the voter has no way of knowing if the machine also recorded his fingerprint while he was voting electronically.

Regarding (4), you could have have each party conduct their own count of the votes.

GNU.FREE - Heavy-duty Internet Voting

[cowbutt]

It seems as though a lot of work has been put into GNU.FREE [free-project.org], a package to enable Internet voting. I find it particularly interesting that the lead developer has essentially abandoned it after coming to the conclusion that Internet voting cannot be done in a way that's sufficiently safe enough to be entrusted with our democracies (or whatever they are these days...)

--

Re:Closed-Source?

[aziraphale]

> That that margin of error might have been a deciding factor in the race was extremely unusual--very few races are that close.

But the only time when it matters to keep the margin of error to a minimum is when the race is that close. If you're going to give all the spoils to the victor, damn straight the margin of error had better be less than the margin of victory. If that means counting every ballot repeatedly until you're absolutely sure every single one has been correctly counted, so your margin of error is less than the five vote margin of victory, then so be it.

"I'm sorry your vote wasn't counted, but it was part of an overall margin of error that's calculated into the system, so it all balances out in the end" is not exactly the embodiment of the democratic spirit...

Re:Electronic Gambling Machines have more oversigh

[Anonymous Coward]

...a few states are mandating that the source-code be placed in escrow so that it could be examined in the event of a particularly "fishy" election result.

This is a good idea, but it does not go far enough. How would they know that the machine code was compiled from this version of the source code? What they need to do is get an image of the hard drive on the machine that the votes are tallied on. That way, they can examine that if fraud was suspected.

Solution

[InfinityEdge]

1 - Voter checks in with a volunteer who checks off their name like they do now then tares off a random number from another sheet (numbers are given out on a first come first serve basis and are only assigned to poll locations)

2 - Voter goes to machine and punches in their number that they were given by the volunteer.

3 - Voter votes.

4 - Machine spits out a random number on paper that the voter can then take as their recipt.

5 - All votes are listed in plain text on a public internet server. The votes are arranged by the random number spit out to the voter.

This way there is anonyminity as there is several layers of obsfucation. Even if you controlled the software, the best you could do is associate a vote with a polling location. More importantly, there is checks and ballances: the voter can check the website and see if their random number is there and that it is associated with what they voted, and all the votes add up. If someone's number wasn't there, you'd know something was fishy. If the votes didn't add up or were different than what was reported you'd know something was wrong.