Doubting Electronic Voting 485
twitter writes "The NYT is raising the alarm on electronic voting. After citing expert opinion on the need for a paper trail, they then quote election officials and vendors who dismiss that opinion as the ignorant work of dreamers. The reporter titles his article, 'To Register Doubts, Press Here' and seems less than convinced."
Right..... and all financial transactions online.. (Score:2, Insightful)
My bank doesn't seem to have a problem with me transferring thousands of dollars electronically, but this reporter is nervous about voting?
At least there's no chad ... (Score:4, Insightful)
A.M.
I got your chad right here
It's not about electronic vote casting. (Score:5, Insightful)
If you wanted to avoid confusing the easily confusable, you could have a touch-screen system that prints a paper ballot, with the blanks ideally positioned for the electronic counters. Efficiency and a paper trail.
Whatever (Score:3, Insightful)
I agree we need to take some precautions to safeguard the electoral process...but that doesn't mean we can't use electronic means to poll. Just like there were concerns about the initial voting schemes, there are concerns about this one, but that doesn't mean we can't simply make design changes to ensure the integrity of the data. And since when has the government been MORE credible than the private sector? They have had just as many scandals, if not more.
In any event, the answer is to simply design in safeguards....not go back to older ways just because you're scared of technology...please
Greatest scam in history. (Score:1, Insightful)
History will eventually show electronic voting to be the most excellent means for subverting democracy ever invented.
Re:Yeah right (Score:5, Insightful)
If you think politics in the United States is dangerous, check out the political situations in places like Ivory Coast. At least American citizens survive the voting process.
Re:Yeah right (Score:3, Insightful)
Re:It's not about electronic vote casting. (Score:3, Insightful)
Of course, you could always have a human backup for those ones.
No roadblocks, no votes thrown away. (Score:1, Insightful)
Sorry, but the roadblocks thing is a persistent urban legend. If there was anything to it, Gore would have sued over it. He did not.
Ballots thrown out? The only ones tossed out were ballots WITHOUT VOTES.
Confusing arrangement? The Democrats arranged those ballots, and they only confused idiots who did not follow directions.
Paper, what paper? (Score:3, Insightful)
Mechanical machines had problems also (Score:4, Insightful)
Paper trail: the solution (Score:4, Insightful)
The two main points in electronic voting are:
The vendor's point of view (unsurprisingly) is that "bugginess" is only a hypothetical threat, and that in real-life situations no glitches will occur.
This is very clearly horseshit. Every IT-implementation has bugs. Repeat: Every. The question is: how many of them can we tolerate? If it comes down to a word-processor, or a webserver, or even telecom infrastructure: we can afford quite some. If it comes to medical facilities, nuclear plants, or, as in this case, political decisions, the threshold has to be a lot lower. You wouldn't want George W. Bush to have been elected by a bug, would you?
The (currently feasible safeguard) solution of the paper trail sounds like an excellent solution:
a) the voter can immediately control if her vote was cast correctly
b) the same rule applies as with financial and legal records (where a paper trail has to be conserved)
c) the "black box" problem that is mentioned in the article is circumvented: the citizen doesn't have to understand how the e-voting booth works, but (see a) can control if her intentions match the outcome.
Re:At least there's no chad ... (Score:4, Insightful)
The problem wasn't paper voting. It was using another computer technology: punched cards. Punched cards are designed for a machine to read and write. The last election demonstrated that they are not good for humans to write (uncleanly punched holes) or read (no visual feedback).
I see no reason to use any method other than marking a box with a pencil on a piece of paper. Use the KISS principle.
Re:Yeah right (Score:5, Insightful)
"a truly impartial third party"? Like who? What organization is responsible enough to oversee the elections of the most powerful nation on Earth and yet has no opinion one way or another on how they should go?
There is no "impartial third party". The U.S. electoral process isn't perfect but handing it over to Deloitte and Touche, or the U.N. or any other supposedly 'impartial' body is just going to make it worse. The best way to keep it legit is just to make the counters accountable.
Re:It's not about electronic vote casting. (Score:4, Insightful)
It's rather simple. Well-to-do areas tend to have voting methods with less % of error than more poor-class areas. Why is this I do not know, although I suspect it has to do with local property value rates, similar to education.
There was a substantial difference in the methods of voting. What needs to be done, is that there needs to be one standard, that is both simple and reasonably verifiable. I go for the pen and paper ballot myself.
Casting of Risk (Score:4, Insightful)
The threat model that the voting machine manufacturers want to work with is: "Given a particular system, how likely is it that it will get hacked?".
The real threat model is substantially different: "Given a particular system, how likely is it that it will be accused of having been hacked, and how damaging will that accusation be?" Much different scenario. Accusations, and the credibility they carry, are directly rebutted by evidence to the contrary. The simple availability of an irrevocable audit trail prevents challenges -- "they might be able to prove us wrong, so we better not challenge the results of the election."
No evidence, no risk of accusation, no credibility for the election.
None deserved, too.
Disclaimer: I _am_ a security engineer. This isn't a technical problem, it's a sociological one. Counting is easy.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Paper is more tamper resistant. (Score:1, Insightful)
Why is he ignoring the obvious: Yes, but you can tamper with paper, but realistically, how long does it take you to modify even 1000 paper votes?
Now, how long does it take you to modify 1000 electronic votes? Or 1000000?
Printout (Score:1, Insightful)
Poor article... (Score:5, Insightful)
The key points that opponents of electronic voting make are that a) there might be flaws in the system either by error or by design, b) that the machines cannot be easily inspected to check their operations, and c) that without a paper trail there is no way to check after the fact whether the votes were correctly counted or not.
The response from a voting machine manufacturer, however, is classic obfuscation:
At this point, the question arises - why are these critics wrong? What are they not understanding about the system? Rather than following up on this point, though, the reporter takes a completely different, and totally irrelevant tack, discussing public confidence in the machines. So what? Lots of people probably think that Microsoft invented the Internet. It doesn't make it true. The only conclusion I can come to is that the journalist did not take the time to understand the issue properly, and just got quotes from "both sides" and that was good enough.
Do experts in other fields (if I may be so bold as to count myself an "expert" in it) get as frustrated with journalists, or is it just a particular problem with science and tech journalism?
Using the FOIA to view code? (Score:5, Insightful)
I'd like to see someone file a Freedom of Information Act [epic.org] request to see the code. The FOIA applies to the following documents:
I know there are arguments against this, specifically that the code is the intellectual property of a private business, and that it is protected by both US Copyright laws and the Berne Convention, but I'd like to see the courts wrestle with this one just the same. Knowing how our votes are counted is one of the sacred founding principles of democracy, and personally, I think it trumps any other interests in this case.
Unfortunately, this has little to no chance of succeeding while Ashcroft is Attorney General, since he's declared an effective moratorium [alternet.org] on FOIA requests while he is in office.
Re:At least there's no chad ... (Score:5, Insightful)
Let's take a hypothetical situation: A new computer voting system is implemented. However, one of the towns in which it is set up configures the equipment improperly, the result being that the votes are recorded incorrectly. With a paper ballot, it is easy to see, just by looking at the ballot, whether the equipment is operating correctly. If a computer is used, you only see what the computer recorded, whether it is right or wrong. The problem I see is that you could have thousands of votes tallied incorrectly with no one ever finding out about it.
I do, however, see a computer solution that would be a hybrid of computer and paper ballots:
You walk up to the voting booth and vote on a screen. The results of your vote are printed on a thermal paper ballot. The ballot has a barcode that a computer can tally, as well as a human readable area stating who and what you voted for. You put this into a box, where the barcode is scanned and the ballot stored. The results of the scan are displayed so that you can see that the scan was correct. This system would allow you to tally votes by computer, but the ballots would be stored, so that they could be computer or hand tallied later. Also, verification would be provided to the voter that his vote had been tallied.
Re:Get real (Score:2, Insightful)
He's not the best comedian and his funny skits often are a little retarded, but the spirit of the skit is dead on.
How about we get informed before passing judgement.
Electronic voting and air gaps (Score:5, Insightful)
The only way you can possibly make electronic voting machines acceptably secure is to not network them at all. This isn't so much a measure to prevent hacking as it is a measure to control the amount of damage a hacker can do; if only one machine at a time can be hacked, then damage remains localized. Here's my idea for such a system:
The advantages to this system are many:
And one final note, particular to US elections: poll results should be considered classified information until the polls are closed in all fifty states. Timezones being what they are, this exit-poll crap is causing election results in East Coast states to affect West Coast states, however slightly, and that needs to be dealt with. Each state's results must be completely independent of the results of any other state, and measures need to be taken to ensure that.
Re:Touch screens with printouts (Score:3, Insightful)
And how do you ensure that your vote for Joe actually went to Joe? The printed card? Or the code redirection, which sent your vote to Mary instead.
You end up with 2 'votes'. The one printed on the card, and the one actually recorded. With no real way to ensure that they are the same. Even if you can check later. It's only a program telling you what it has been programmed to tell you.
After the election you can enter the barcode and check to make sure the database matches what is printed on the card.
In the collating process, malicious code could be inserted to flip every 25th vote for Joe to Mary. YOUR vote could be checked, and it still might report Joe. Or simply tell you it has recorded Joe. But the main election db could still record Mary.
Electronic Voting Systems should be Open Source (Score:2, Insightful)
Releases of this code should be signed by a non-profit in a manner similar to a key-ceremony used at CAs, and the hardware that runs the software should be auditable and designed to only run software that is signed by the aforementioned signer.
Anything less than this leaves a glaring black hole where any sort of nastiness may occur.
As much as I hate to say it, a "palladium" style trusted system approach is probably needed to make electronic voting trustable. I'm not in favor of having my hardware in lockdown, but I sure as hell would want it on the equipment that chooses who is going to run my country!
Maybe. (Score:4, Insightful)
It's difficult to overstate the importance of having a fully auditable voting process. That's the main advantage of paper ballots, be they punch cards, "check the box," whatever: you can recount them. Someone else can recount them. We can disagree on the interpretations of those recounts, but we can at least observe the "primary source" and make a call one way or another.
Now, electronic voting would certainly have advantages. If people could walk through a "voting app" where they could see all of the choices for each office, and do a confirmation step before "submitting" their vote, that would be awesome, and way more accurate than what we do now. However, think of the system which will be used to achieve this: if it's good, the designing company will want to sell it everywhere. So the application will become one hell of a valuable piece of "intellectual property." Do you think we'll be allowed to see the code for it? No way! So no error checking that way; we just have to trust that every vote counted was processed correctly. That's a lot of trust. I don't suspect that any voting-machine-manufacturer would insert deliberate bias, but the lack of ability to examine the process for correctness is just unacceptable. It's too important to just trust some private company, whose interest isn't necessarily coincident with accuracy.
An open-source voting app would be somewhat better; any independent person could audit the code for correctness, but to verify its performance on an actual dataset would require re-establishing the same exact platform later, and of course maintaining a digital copy of the inputs.
In either of these scenarios, it seems outright necessary that there be a physical record of votes cast using the system that independent, non-computer-expert people could examine. Ideally, the machine would print a small "receipt" for each vote cast which could be collected and, if necessary, recounted and compared against the digital tally.
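The recount-and-compare step this comment describes, as an added example that is not part of the original thread: paper receipts are hand-counted per machine and reconciled against each machine's digital tally. The machine IDs, candidate names and counts are constructed sample data.

```python
from collections import Counter

# Constructed sample data: hand-read paper receipts as (machine_id, choice).
PAPER_RECEIPTS = (
    [("M1", "Joe")] * 52 + [("M1", "Mary")] * 48
    + [("M2", "Joe")] * 50 + [("M2", "Mary")] * 50
)

# Constructed sample data: the digital tally each machine reported.
DIGITAL_TALLY = {
    "M1": {"Joe": 52, "Mary": 48},
    "M2": {"Joe": 47, "Mary": 53},  # disagrees with the paper for M2
}


def hand_count(receipts):
    """Count paper receipts per machine, as a manual recount would."""
    counts = {}
    for machine, choice in receipts:
        counts.setdefault(machine, Counter())[choice] += 1
    return counts


def reconcile(receipts, digital):
    """Return (machine, choice, paper, digital, delta) for every mismatch."""
    paper = hand_count(receipts)
    findings = []
    for machine in sorted(set(paper) | set(digital)):
        p = paper.get(machine, Counter())
        d = digital.get(machine, {})
        for choice in sorted(set(p) | set(d)):
            delta = d.get(choice, 0) - p[choice]
            if delta != 0:
                findings.append((machine, choice, p[choice], d.get(choice, 0), delta))
    return findings


def winner(totals):
    """Name of the top candidate, or None on a tie or empty count."""
    ranked = sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))
    if not ranked or (len(ranked) > 1 and ranked[0][1] == ranked[1][1]):
        return None
    return ranked[0][0]


def audit(receipts, digital):
    """Compare both counts and say whether the discrepancy changes the outcome."""
    paper_total, digital_total = Counter(), Counter()
    for per_machine in hand_count(receipts).values():
        paper_total.update(per_machine)
    for per_machine in digital.values():
        digital_total.update(per_machine)
    paper_w, digital_w = winner(paper_total), winner(digital_total)
    return {
        "findings": reconcile(receipts, digital),
        "paper_winner": paper_w,
        "digital_winner": digital_w,
        "outcome_changed": paper_w != digital_w,
    }


if __name__ == "__main__":
    report = audit(PAPER_RECEIPTS, DIGITAL_TALLY)
    for machine, choice, p, d, delta in report["findings"]:
        print(f"{machine} {choice}: paper={p} digital={d} delta={delta:+d}")
    print("paper winner:", report["paper_winner"],
          "| digital winner:", report["digital_winner"])
```

Without the stored receipts there is no independent input to `reconcile`, so the digital tally can only be compared against itself.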
Why reliable electronic voting will not happen (Score:5, Insightful)
Obviously this is something that today's rich and powerful would never want to happen, and they would fight long and hard before giving any of this power up.
99% (Score:5, Insightful)
Isn't that the same percentage of people who "voted" for Saddam Hussein in the last Iraq "election"? I wonder if the "feedback" was tallied on a Diebold machine.
I work in market research and I have never, ever seen 99% of people polled agree on anything. This 99% of the vote statement should give anyone considering e-lections the willies.
Stalin Said it best (Score:4, Insightful)
-- Stalin (Former leader of the USSR)
So the voting machine manufacturers are now the ones who really run the country.
Great.
Re:Yeah right (Score:5, Insightful)
We all saw what good a paper trail did in Florida in the 2000 USA presidential campaign.
Think that's bad? Imagine being pissed off at the results, absolutely certain you got rooked, but not even having a way to TEST whether the results are valid. At least in FL2000 there was a paper trail to argue about. Don't think there's any possible way 63% of your town voted for Mickey Mouse for Mayor? Sorry, Chuck, but the 'puter got that same exact answer 327 times in complete recounts conducted over the last 6 seconds. What are you going to do: go door-to-door and ask everyone to tell you honestly how they voted?
My biggest fear with electronic voting systems, however, is the ease with which their automation can be made universal.
If you assume that everyone gets their voting systems from the same 2 or 3 vendors, you can rig an election if you figure out how to electronically compromise 2 or 3 systems, and you can do it with much smaller numbers of tampered votes in each district because the software only needs to tamper where the voting is tight. A few here, a few there and BAM, Dennis Kucinich is your president.
(*shudder*)
It's much, much more difficult to do that sort of thing without e-voting because each voting district makes its own rules, and implements its own counting system. You'd need to plant spies in each district you thought MIGHT be candidates for tampering, and even if you guessed right, you'd have to hoodwink Ethel in each one (she's been counting votes in this district as a volunteer since the 60's and has breakfast with the City Council every Tuesday as a concerned citizen.) You'd need to study and compromise **MANY** districts to significantly rig an election in this way.
Don't get me wrong, it can be done, but it is difficult to inflict damage beyond a few isolated districts because the voting systems themselves aren't universal. Compromising a vote tally in Florida cannot automatically compromise a tally in California - they are separate systems, even if they use the same equipment. IMHO, some things NEED to be slow and sloppy and messy. Proponents of electronic voting are ignorant of the capabilities and limitations of technology, and **grossly** **negligent** in their lack of understanding of the fundamentals of system design.
That or they're "gettin' paid".
Re:Electronic voting and air gaps (Score:3, Insightful)
And everyone in the voting station will know who that person voted for because the machine just read the names of the selected candidates out loud.
Votes are supposed to be private. There should be no way that even someone standing outside the voting booth can tell who you just voted for.
Re:Touch screens with printouts (Score:3, Insightful)
One can then bring the card home. After the election you can enter the barcode and check to make sure the database matches what is printed on the card.
Any system which allows the voter to verify that their vote has been recorded correctly also allows someone else to coerce the voter into voting a particular way.
I'd like to see this statement disproven, but I don't think it's possible.
I read it a little differently than you did. (Score:3, Insightful)
I disagree, the article was beautifully constructed to alarm the reader:
It gave you the gist of the problem, no paper trail for audit, and told you that you should be alarmed because your elected officials, backed by vendors' "experts", vaguely dismiss the problem without proof and that the public is ready to buy into it. References were given that you should follow as a responsible voter. If there was any flaw it was in not pursuing the reasons for dismissal. Calling your opponents ignorant dreamers is not very convincing.
Another poster has done a nice job of explaining one large problem with a paperless voting system. [slashdot.org]
Re:It's not about electronic vote casting. (Score:3, Insightful)
Re:Why reliable electronic voting will not happen (Score:3, Insightful)
And less democratic and trustworthy. Personally, I like the fact that the polls are run by ordinary citizens, not by the state's IT department. There's a whole level of abuse that this system makes difficult. The more centralized the voting process becomes the easier it is to corrupt.
As a result it would become possible to have people vote for many more issues than just who is going to be a president
I'm for this. Who wouldn't like to be able to pass unlimited spending and cut taxes to 0? Representative government prevents a lot of this. Look at California and Arizona where ballot initiatives have totally hosed their state budgets.
As a result it would become possible to have people vote for many more issues than just who is going to be a president
Actually, the rich would like this because it would be easier to influence, corrupt and control it.
Re:Touch screens with printouts (Score:3, Insightful)
FWIW, I agree with you--I think your solution (which is almost identical to one I've thought about in the past) is probably the best solution to a real problem.
I think the biggest hole in it though is the number you take home. We have a secret ballot for a reason--someone can put pressure on you to vote a certain way, but only YOU know how you actually voted. With a receipt that has a RECORD of your vote, the someone who is pressuring you can demand to see your barcode and lookup the results themselves.
I can't think of any sensible way around this, save to do it the way they handle blood donations (i.e. you get TWO barcodes, one of which provides the real results, and the other returns entirely opposite results, and only you know which is real and which is fake.)