Doubting Electronic Voting

twitter writes "The NYT is raising the alarm on electronic voting. After citing expert opinion on the need for a paper trail, they then quote election officials and vendors who dismiss that opinion as the ignorant work of dreamers. The reporter titles his article, 'To Register Doubts, Press Here' and seems less than convinced."

Right..... and all financial transactions online..

[Anonymous Coward]

So perhaps they've never heard of printouts?

My bank doesn't seem to have a problem with me transferring thousands of dollars electronically, but this reporter is nervous about voting?

At least there's no chad ...

[AlabamaMike]

Doubting electronic voting? After the last presidential election, I doubt paper voting. At least with electronic voting there's no "assuming the intent of the voter." Oh yeah, and we'll never have to hear "hanging chad, pregnant chad, and dimpled chad."
A.M.
I got your chad right here ;)

It's not about electronic vote casting.

[s20451]

The best idea is not electronic vote casting, it's electronic counting. The most recent Toronto mayoral election used a ballot similar to those used in electronic test-scoring, where you use your HB pencil to fill in a blank. The votes were all counted within a couple of hours after the polls closed.

If you wanted to avoid confusing the easily confusable, you could have a touch-screen system that prints a paper ballot, with the blanks ideally positioned for the electronic counters. Efficiency and a paper trail.

Whatever

[the-dude-man]

Whatever, as if it has to be a private company doing the polling, and whats to say the code does not send the data directly, encrypted to a key generated by the goverenment, to the government? In that event the data couldnt be tampered with.

I agree we need to take some precautions to safegaurd the electorial process...but that dosnt mean we cant use electronic means to poll. Just like there were concerns about the inital voting schemes, there are concerns about this one, but that dosnt mean we cant simply make desgin changes to ensure the integrety of the data. And since when has the government been MORE credible than the private sector? They have had just as many scandals, if not more.

In any event, the answer is to simply design in safegaurds....not go back to older ways just because your scared of technology...please

Greatest scam in history.

[Black Parrot]

History will eventually show electronic voting to be the most excellent means for subverting democracy ever invented.

Re:Yeah right

[PhxBlue]

If you think politics in the United States is dangerous, check out the political situations in places like Ivory Coast. At least American citizens survive the voting process.

Re:Yeah right

[Ishin]

The main difference seems to actually just be that when someone disappears in the US of A no one knows what happened to them. Being a dissident in any country is dangerous. No less so since the new witch trials began. (all this terrorism stuff) And it gets more dangerously legal everyday with guys like Ashcroft at the country's 'justice' helm.

Re:It's not about electronic vote casting.

[Bendy Chief]

Well, if you're using an HB pencil, doesn't the old rule apply where you have to fill in the whole space? You might find, given the lack of voting prowess say, the people of Florida exhibit, that a lot of ballots get tossed aside just because of a minor mechanical error like that.

Of course, you could always have a human backup for those ones.

No roadblocks, no votes thrown away.

[Anonymous Coward]

"When people are cut off from voting by police roadblocks, and thousands of ballots are thrown away, or arranged in a confusing way to try to get people to vote for someone that they don't want to, there's more than just a paper trail problem."

Sorry, but the roadblocks thing is a persistent urban legend. If there was anything to it, Gore would have sued over it. He did not.

Ballots thrown out? The only ones tossed out were ballots WITHOUT VOTES.

Confusing arrangement? The Democrats arranged those ballots, and they only confused idiots who did not follow directions.

Paper, what paper?

[gpinzone]

Here in New York, we use a mechanical switch voting booth. Why isn't that considered unreliable, too?

Mechanical machines had problems also

[asmithmd1]

If you are old enough to remember the all mechanical machines where you flipped small levers to vote and pulled a large arm to cast your vote. The votes were mechanically accumulated and would sometimes get stuck yielding results like 2273 votes for one canidate and 999 votes for the other. What can you do then?

Paper trail: the solution

[cwernli]

The two main points in electronic voting are:

1. It's needed
2. It'll be bug-ridden

The vendor's point of view (unsurprisingly) is that "bugginess" is only a hypothetical threat, and that it in real-life situations no glitches will occur.

This is very clearly horseshit. Every IT-implementation has bugs. Repeat: Every. The question is: how many of them can we tolerate ? If it comes down to a word-processor, or a webserver, or even telecom infrastructure: we can afford quite some. If it comes to medical facilities, nuclear plants, or, as in this case, political decisions, the threshold has to be a lot lower. You wouldn't want George W. Bush to have been elected by a bug, would you ?

The (currently feasible safeguard) solution of the paper trail sounds like an excellent solution:

a) the voter can immediately control if her vote was cast correctly
b) the same rule applies as with financial and legal records (where a paper trail has to be conserved)
c) the "black box" problem that is mentioned in the article is circumvented: the citizen doesn't have to understand how the e-voting booth works, but (see a) can control if her intentions match the outcome.

Re:At least there's no chad ...

[Waffle Iron]

After the last presidential election, I doubt paper voting.

The problem wasn't paper voting. It was using another computer technology: punched cards. Punched cards are designed for a machine to read and write. The last election demonstrated that they are not good for humans to write (uncleanly punched holes) or read (no visual feedback).

I see no reason to use any method other than marking a box with a pencil on a piece of paper. Use the KISS principle.

Re:Yeah right

[Dr. Bent]

Unfortunately, the US government runs its own elections, rather than a truely impartial third party.

"a truely impartial third party"? Like who? What organization is responsible enough to oversee the elections of the most powerful nation on Earth and yet has no opinion one way or another on how they should go.

There is no "impartial third party". The U.S. electoral process isn't perfect but handing it over to Deloitte and Touche, or the U.N. or any other supposedly 'impartial' body is just going to make it worse. The best way to keep it legit is just to make the counters accountable.

Re:It's not about electronic vote casting.

[CashCarSTAR]

As someone who thought a lot about this BEFORE Florida 2000, I can tell you what the problem is/was.

It's rather simple. Well-to-do areas tend to have voting methods with less % of error than more poor-class areas. Why is this I do not know, although I suspect it has to do with local property value rates, similar to education.

There was a substantial difference in the methods of voting. What needs to be done, is that there needs to be one standard, that is both simple and reasonably verifiable. I go for the pen and paper ballot myself.

Casting of Risk

[Effugas]

It's pretty simple, really.

The threat model that the voting machine manufacturers want to work with is: "Given a particular system, how likely is it that it will get hacked?".

The real threat model is substantially different: "Given a particular system, how likely is it that it will be accused of having been hacked, and how damaging will that accusation be?" Much different scenario. Accusations, and the credibility they carry, are directly rebutted by evidence to the contrary. The simple availability of an irrevocable audit trail prevents challenges -- "they might be able to prove us wrong, so we better not challenge the results of the election."

No evidence, no risk of accusation, no credibility for the election.

None deserved, too.

Disclaimer: I _am_ a security engineer. This isn't a technical problem, it's a sociological one. Counting is easy.

Yours Truly,

Dan Kaminsky
DoxPara Research
http://www.doxpara.com

Paper is more tamper resistant.

[Anonymous Coward]

Mr. Terwilliger said that Sequoia was willing to share its source code, provided viewers sign nondisclosure agreements. But he questioned the need for a paper-based audit trail. "What's so great about a piece of paper?'' he said. "I can tamper with a piece of paper with a pencil or pen. All I need is physical access and I can tamper with the election."

Why is he ignoring the obvious: Yes, but you can tamper with paper, but realistically, how long does it take you to modify even 1000 paper votes?

Now, how long does it take you to modify 1000 electronic votes? Or 1000000?

Printout

[Cackmobile]

I think a printout is whats needed. THe touch screen is only there to simplify choices for people so u don't get a mix up like in Florida. Its there to help illterates and others. Its not there to do the actual voting. If u had the touch screen which produced a printout, which the voter checks then puts into the ballot box. Then nothing can has to be stored on the computer. You could make each one stand alone and print onto special paper that changes each time. Of course nothing is perfect but its a start.

Poor article...

[Goonie]

This strikes me as a classic example of how "getting quotes from both sides" does not a fair and accurate article make.

The key points that opponents of electronic voting make are that a) there might be flaws in the system either by error or by design, b) that the machines cannot be easily inspected to check their operations, and c) that without a paper trail there is no way to check after the fact whether the votes were correctly counted or not.

The response from a voting machine manufacturer, however, is classic obfuscation:

"I think the concerns being raised are 100 percent valid," Mr. Terwilliger said. "However, they're being raised by people who have little idea about what actually goes on."

At this point, the question arises - why are these critics wrong? What are they not understanding about the system? Rather than following up on this point, though, the reporter takes a completely different, and totally irrelevant tack, discussing public confidence in the machines. So what? Lots of people probably think that Microsoft invented the Internet. It doesn't make it true. The only conclusion I can come to is that the journalist did not take the time to understand the issue properly, and just got quotes from "both sides" and that was good enough.

Do experts in other fields (if I may be so bold as to count myself an "expert" in it) get as frustrated with journalists, or is it just a particular problem with science and tech journalism?

Using the FOIA to view code?

[Dan Crash]

From the article:

Dr. Dill argued, however, that if voting machines were really secure, then voters would be able to see the insides of their "proprietary" technology. "If someone really has a tamper-resistant machine, they should tell you enough about how the machine works so you can assure yourself that the machine works," he said. "We don't know what the weaknesses are. We don't know who the people are that control that stuff."

Mr. Terwilliger said that Sequoia was willing to share its source code, provided viewers sign nondisclosure agreements.

So if I look at the code, I can't talk about it? Grrrreat.

I'd like to see someone file a Freedom of Information Act [epic.org] request to see the code. The FOIA applies to the following documents:

552. Public information; agency rules, opinions, orders, records, and proceedings

(a) Each agency shall make available to the public information as follows:

(1) Each agency shall separately state and currently publish in the Federal Register for the guidance of the public--

(A) descriptions of its central and field organization and the established places at which, the employees (and in the case of a uniformed service, the members) from whom, and the methods whereby, the public may obtain information, make submittals or requests, or obtain decisions;

(B) statements of the general course and method by which its functions are channeled and determined, including the nature and requirements of all formal and informal procedures available;

(C) rules of procedure, descriptions of forms available or the places at which forms may be obtained, and instructions as to the scope and contents of all papers, reports, or examinations;

(D) substantive rules of general applicability adopted as authorized by law, and statements of general policy or interpretations of general
applicability formulated and adopted by the agency; and

(E) each amendment, revision, or repeal of the foregoing.

I know there are arguments against this, specifically that the code is the intellectual property of a private business, and that it is protected by both US Copyright laws and the Berne Convention, but I'd like to see the courts wrestle with this one just the same. Knowing how our votes are counted is one of the sacred founding principles of democracy, and personally, I think it trumps any other interests in this case.

Unfortunately, this has little to no chance of succeeding while Ashcroft is Attorney General, since he's declared an effective moratorium [alternet.org] on FOIA requests while he is in office.

Re:At least there's no chad ...

[toasted_calamari]

At least with electronic voting there's no "assuming the intent of the voter." Oh yeah, and we'll never have to hear "hanging chad, pregnant chad, and dimpled chad."
Lets take a hypothetical situation: A new computer voting system is implemented. However, one of the towns in which it is set up configures the equipment improperly, the result being that the votes are recorded incorrectly. With a paper ballot, it is easy to see, just by looking at the ballot, whether the equipment is operating correctly. If a computer is used, you only see what the computer recorded, whether it is right or wrong. The problem I see is that you could have thousands of votes tallied incorrectly with noone ever finding out about it.

I do, however, see a computer solution that would be a hybrid of computer and paper ballots:
you walk up to the voting booth and vote on a screen. The results of your vote is printed on a thermal paper ballot. The ballot has a barcode that a computer can tally, as well as a human readable area stating who and what you voted for. you put this into a box, where the barcode is scanned and the ballot stored. The results of the scan are displayed so that you can see that the scan was correct. This system would allow you to tally votes by computer, but the ballots would be stored, so that they could be computer or hand tallyed later. Also, verification would be provided to the voter that his vote had been tallyed.

Re:Get real

[Anonymous Coward]

You must talkt to a bunch of knucklehead pro-war people who have never read his books or seen his movies. He sheds light on some of the dark areas of this country that they would prefer you not see.

He's not the best comedian and his funny skits often are a little retarded, but the spirit of the skit is dead on.

How about we get informed before passing judgement.

Electronic voting and air gaps

[Millennium]

The only way you can possibly make electronic voting machines acceptably secure is to not network them at all. This isn't so much a measure to prevent hacking as it is a measure to control the amount of damage a hacker can do; if only one machine at a time can be hacked, then damage remains localized. Here's my idea for such a system:

• The user shows up at the polling place, and is given a token, which will be used to operate the voting machine. The user then goes to one of several voting booths, which can be chosen at random.
• The user presents the token to the machine, which marks that token as used (such that it can never be used to operate another machine). Only then is the user allowed to begin the voting process.
• The user chooses a language for onscreen text and voice instructions. Ideally, instructions should be phrased in such a way that they can be reused between elections.
• The user is presented with a list of candidates, including names and pictures. One by one, each candidate is highlighted; as this occurs, a voice sample is played of the candidate saying his or her name. This is important, because it allows for a person to recognize the proper candidate based on written name, picture, spoken name, and sound of voice. This is pretty much everything that can reasonably be done to ensure that a person knows which candidate is being voted for.
• The vote can be controlled in two ways: by touching the candidate's name onscreen, or by pressing a button as that candidate's name is being read. This latter is a measure to accommodate blind voters., or others who could not effectively use a touch screen.
• Each vote is confirmed twice, onscreen and by voice -again using the sample of the candidate- to ensure that the voter is absolutely certain that this is the proper choice.
• Once the voting process is completed, a paper ballot is printed for the user (there will be strong warnings onscreen and in voice to ensure that the user understands to take the ballot). This ballot is marked with a barcode stating what machine it came from, but no information which could identify the user (this is why it is important to let the user pick a booth at random). The purpose of this barcode is so that if a machine is known to be tampered with, votes cast using that machine can be tracked down.
• The ballot is then taken by the user to a ballot box, where it will be shipped to the usual facilities for counting purposes.

The advantages to this system are many:

• Every possible method of recognizing candidates is taken into account. This won't totally eliminate confusion -some people are so monumentally stupid that nothing will get through to them- but this minimizes that problem.
• There is a paper trail which can be consulted. The value of this cannot be overestimated.
• There is no single point of failure. Tampering with a single machine cannot in and of itself damage any other machines, so the number of votes which must be considered suspect due to machine tampering is minimized.
• Counting is still done by machines, which are not prone to bias as humans are, but because the ballot os filled out by machine, the process is somewhat more controlled.

And one final note, particular to US elections: poll results should be considered classified information until the polls are closed in all fifty states. Timezones being what they are, this exit-poll crap is causing election results in East Cost states to affect West Coast states, however slightly, and that needs to be dealt with. Each state's results must be completely independent of the results of any other state, and measures need to be taken to ensure that.

Re:Touch screens with printouts

[YrWrstNtmr]

You go to a machine, insert the card. You place your votes on a touch screen. The software confirms your votes. Then it prints the results onto the card.

And how do you ensure that your vote for Joe actually went to Joe? The printed card? Or the code redirection, which sent your vote to Mary instead.

You end up with 2 'votes'. The one printed on the card, and the one actually recorded. With no real way to ensure that they are the same. Even if you can check later. It's only a program telling you what it has been programmed to tell you.

After the election you can enter the barcode and check to make sure the database matches what is printed on the card.

In the collating process, malicious code could be inserted to flip every 25th vote for Joe to Mary. YOUR vote could be checked, and it still might report Joe. Or simply tell you it has recorded Joe. But the main election db could still record Mary.

Electronic Voting Systems should be Open Source

[Corpus_Callosum]

The source code for any software that counts or processes votes should be open source so that everyone who is so inclined can take a look for themselves and evaluate the code.

Releases of this code should be signed by a non-profit in a manner similar to a key-ceremony used at CAs, and the hardware that runs the software should be auditable and designed to only run software that is signed by the aforementioned signer.

Anything less than this leaves a glaring black-whole where any sort of nastiness may occur.

As much as I hate to say it, a "palladium" style trusted system approach is probably needed to make electronic voting trustable. I'm not in favor of having my hardware in lockdown, but I sure as hell would want it on the equipment that chooses who is going to run my country!

Maybe.

[rkent]

OK, the parent post sounds kind of hysteric, but it could be (sort of) true.

It's difficult to overstate the importance of having a fully auditable voting process. That's the main advantage of paper ballots, be they punch cards, "check the box," whatever: you can recount them. Someone else can recount them. We can disagree on the interpretations of those recounts, but we can at least observe the "primary source" and make a call one way or another.

Now, electronic voting would certainly have advantages. If people could walk through a "voting app" where they could see all of the choices for each office, and do a confirmation step before "submitting" their vote, that would be awesome, and way more accurate than what we do now. However, think of the system which will be used to achieve this: if it's good, the designing company will want to sell it everywhere. So the application will become one hell of a valuable peice of "intellectual property." Do you think we'll be allowed to see the code for it? No way! So no error checking that way; we just have to trust that every vote counted was processed correctly. That's a lot of trust. I don't suspect that any voting-machine-manufacurer would insert deliberate bias, but the lack of ability to examine the process for correctness is just unacceptable. It's too important to just trust some private company, whose interest isn't necessarily coincident with accuracy.

An open-source voting app would be somewhat better; any independent person could audit the code for correctness, but to verify its performance on an actual dataset would require re-establishing the same exact platform later, and of course maintaining a digital copy of the inputs.

In either of these scenarios, it seems outright necessary that there be a physical record of votes cast using the system that independent, non-computer-expert people could examine. Ideally, the machine would print a small "receipt" for each vote cast which could be collected and, if necessary, recounted and compared against the digital tally.

Why reliable electronic voting will not happen

[targo]

The main reason is actually political, not technical. Imagine a world where we have really foolproof and very convenient electronic voting (like everybody just voting from home over the Internet, provided that a good and secure protocol is invented for it). Elections would be hundreds of times cheaper because of lesser staff and organization costs. As a result it would become possible to have people vote for many more issues than just who is going to be a president (think Switzerland where almost everything is decided by popular vote). We would never have DMCA or any of the other strange laws pushed through by special interest groups and hurting the general public. Congress would suddenly lose 90% of its importance, becoming just a law-drafting institution without too much decision power.
Obviously this is something that today's rich and powerful would never want to happen, and they would fight long and hard before giving any of this power up.

99%

[linuxwrangler]

"...a feedback card in the August 2002 statewide primaries found that 99 percent of voters were pleased with their Diebold machines."

Isn't that the same percentage of people who "voted" for Saddam Hussein in the last Iraq "election". I wonder if the "feedback" was tallied on a Diebold machine.

I work in market research and I have never, ever seen 99% of people polled agree on anything. This 99% of the vote statement should give anyone considering e-lections the willies.

Stalin Said it best

[doublem]

"Those who cast the votes decide nothing. Those who count the votes decide everything."

-- Stalin (Former leader of the USSR)

So the voting machine manufacturers are now the ones who really run the country.

Great.

Re:Yeah right

[Asprin]

We all saw what good a paper trail did in Florida in the 2000 USA presidential campaign.

Think that's bad? Imagine being pissed off at the results, absolutely certain you got rooked, but not even having a way to TEST whether the results are valid. At least in FL2000 there was a paper trail to argue about. Don't think there's any possible way 63% of your town voted for Mickey Mouse for Mayor? Sorry, Chuck, but the 'puter got that same exact answer 327 times in complete recounts conducted over the last 6 seconds. What are you going to do: go door-to-door and ask everyone to tell you honestly how they voted?

My biggest fear with electronic voting systems, however, is the ease with which their automation can be made universal.

If you assume that everyone gets their voting systems from the same 2 or 3 vendors, you can rig an election if you figure out how to electronically compromise 2 or 3 systems, and you can do it with much smaller numbers of tampered votes in each district because the software only needs to tamper where the voting is tight. A few here, a few there and BAM, Dennis Kucinich is your president.

(*shudder*)

It's much, much more difficult to do that sort of thing without e-voting because each voting district makes its own rules, and implements its own counting system. You'd need to plant spies in each district you thought MIGHT be candidates for tampering, and even if you guessed right, you'd have to hoodwink Ethel in each one (she's been counting votes in this district as a volunteer since the 60's and has breakfast with the City Council every Tuesday as a concerned citizen.) You'd need to study and compromise **MANY** districts to significantly rig an election in this way.

Don't get me wrong, it can be done, but it is difficult to inflict damage beyond a few isolated districts because the voting systems themselves aren't universal. Compromising a vote tally in Florida cannot automatically compromise a tally in California - they are separate systems, even if they use the same equipment. IMHO, Some things NEED to be slow and sloppy and messy. Proponents of electronic voting are ignorant of the capabilities and limitations of technology, and **grossly** **negligent** in their lack of understanding of the fundamentals of system design.

That or they're "gettin' paid".

Re:Electronic voting and air gaps

[Jonathan_S]

Each vote is confirmed twice, onscreen and by voice -again using the sample of the candidate- to ensure that the voter is absolutely certain that this is the proper choice.

And everyone in the voting station will know who that person voted for becuase the machine just read the names of the selected candates out loud.

Votes are suppost to be private. There should be no way that even someone standing outside the voting booth can tell who you just voted for.

Re:Touch screens with printouts

[swillden]

One can then bring the card home. After the election you can enter the barcode and check to make sure the database matches what is printed on the card.

Any system which allows the voter to verify that their vote has been recorded correctly also allows someone else to coerce the voter into voting a particular way.

I'd like to see this statement disproven, but I don't think it's possible.

I read it a little differnt than you did.

[twitter]

At this point, the question arises - why are these critics wrong? What are they not understanding about the system? Rather than following up on this point, though, the reporter takes a completely different, and totally irrelevant tack, discussing public confidence in the machines.

I dissagree, the article was beautifully constructed to alarm the reader:

• Expert Opinion crying for a paper trail with a link to more information
• insulting and vauge official dissmisal of concerns
• insulting and vauge vendor dissmisal of concerns
• public ignorance and willingness to be screwed
• more expert opinion, just in case you forgot

It gave you the gist of the problem, no paper trail for audit, and told you that you should be alarmed because your elected officials, backed by vendors "experts", vaugly dissmiss the problem without proof and that the public is ready to buy into it. References were given that you should follow as a responsible voter. If there was any flaw it was in not persuing the reasons for dissmisal. Calling your opponents ignorant dreamers is not very convincing.

Another poster has done a nice job of explaining one large problem with a paperless voting system. [slashdot.org]

Re:It's not about electronic vote casting.

[MsGeek]

Literacy tests had been used since Reconstruction to screen out black voters. The 1960s Voting Rights Act finally put a stop to them. Not a good idea since it can be abused.

Re:Why reliable electronic voting will not happen

[salesgeek]

Elections would be hundreds of times cheaper because of lesser staff and organization costs.

And less democratic and trustworthy. Personally, I like the fact that the polls are run by ordinary citizens, not by the state's IT department. There's a whole level of abuse that this system makes difficult. The more centralized the voting process becomes the easier it is to corrupt.

As a result it would become possible to have people vote for many more issues than just who is going to be a president

I'm for this. Who wouldn't like to be able to pass unlimited spending and cut taxes to 0? Representative government prevents a lot of this. Look at California and Arizona where ballot initiatives have totally hosed their state budgets.

As a result it would become possible to have people vote for many more issues than just who is going to be a president

Actually, the rich would like this because it would be easier to influence, corrupt and control it.

Re:Touch screens with printouts

[Zak3056]

I've been up all night so this probably has holes in it, but what do you think of the overall process?

FWIW, I agree with you--I think your solution (which is almost identical to one I've thought about in the past) is probably the best solution to a real problem.

I think the biggest hole in it though is the number you take home. We have a secret ballot for a reason--someone can put pressure on you to vote a certain way, but only YOU know how you actually voted. With a receipt that has a RECORD of your vote, the someone who is pressuring you can demand to see your barcode and lookup the results themselves.

I can't think of any sensible way around this, save to do it the way they handle blood donations (i.e. you get TWO barcodes, one of which prodvides the real results, and the other returns entirely opposite results, and only you know which is real and which is fake.)