Can America Trust Electronic Voting?

A anonymous reader writes: "The Sacramento Bee wrote an excellent article about the issues surrounding electronic voting. It was written by the Yolo County clerk/recorder and a professor of law at UC Davis. They quote sources such as Peter G. Neumann and Diebold's president Walden O'Dell."

Some paranoia...

[zeux]

Maybe I'll be a little 'off-topic' but I would like to add some reflexion to this article.

E-Voting and its problems are a clear example of what is happening: we are giving to our computers and networks more and more 'power' over our own lives. This wouldn't be a problem if security was some exact science.

We still have big problems with computer security and while we didn't fix them yet (anyway can we really fix them ?) the overall 'value' of the data that goes through our networks is fast increasing.

This, I think, will be even worse in the near future because the software, systems and networks we use will be more and more complex and it will be harder and harder to maintain a good level of security on them.

You could argue that the problems exposed in the article are not related to security. I would say 'not yet'.

But something really interesting is said: "These machines leave no 'paper trail,' that is, no voter-verifiable record allowing a retrospective audit of the votes recorded as cast for each candidate or ballot proposition.".

Everything in these system is 'virtual'. It makes it easier to loose, to replicate (to steal) or to alter information. I'm quite afraid about that.

Maybe the E-Voting system is not connected to Internet, which increase security of course, but maybe one day it will...

California is on the right track...

[tinrobot]

To hopefully fixing this problem. This week, the state mandated that all voting machines print a human-verifiable paper ballot. This is good, but the regulation is supposed to take effect in 2006.

While it's a step in the right direction, it's also ridiculous. A voting technology that is unacceptable in 2006 is also unacceptable today. I certainly hope they push up the deadline to before the 2004 election. There's plenty of time to fix it by then.

If you live in California, please bug the appropriate government officials about this.

Re:Hasn't Australia just mandated a paper trail

[Anonymous Coward]

What sucks is we give up the verifiability of that paper trail in exchange for anonymity.

Voting shouldn't be anonymous.

Re:Redundant, I know

[Shakrai]

So why not just do what we do here in Canada: make the ballot as simple as possible, just mark an X by your candidate. All that's on the ballot is a list of names and a box by each one.

I wouldn't have a problem with that either. Problem is, somebody will point out "Ah, but what if people can't figure out how to use it or they mark it incorrectly?"

Anyway you cut it, voting is not rocket science people. All I want (as a concerned citizen) is someway to verify the process.

Can America Trust Electronic Voting?

[morelife]

Yes, if the greedy corporations are removed from the process, and an OSS solution based on an openly auditable platform like Linux or FreeBSD is adopted. We are not too far away from this eventuality.

Re:Hasn't Australia just mandated a paper trail

[mindriot]

...which brings you back to the question, "what advantage is the electronic system then?" Right now we have a paper trail, and it works well. (OK, maybe you Americans should work on the Usability of your forms :-))

That we will be able to get voting results faster? Well, let's see. In Germany, polls are always on Sunday and the booths close at 6pm. By that time, you already get projected results that usually differ from the final results by less than one percent. By 11pm the final results ("Vorlaufiges amtliches Endergebnis", "preliminary official results") are available. Is it worth spending millions of dollars just to get the results, say, four hours earlier? OK, there's one advantage if the results can be seen in "real time," e.g. over the day, while elections are still running. Because then the knowledge that the current results are very close to each other (think Gore-Bush) might have an influence on who decides to actually go voting later in the day.

And then there's the argument that E-Voting will make it easier for people to vote and thus more people will vote. But on the other hand there have been studies showing that when people had to make more of an effort to go cast their vote, turnouts actually increased.

That being said, www.free-project.org is a good source of pro and contra arguments regarding E-Voting.

Now, really..

[NegativeK]

Granted, I'm not going to vote electronically without an open source system in place, but this _really_ isn't that hard.

As an example implementation.. When you register, you get a plastic card with a magnetic stripe on it. It has two 32-bit numbers on the card, with your name, picture, and address. One of the 32-bit numbers is your personal identifier, and the other is your signing key.

Now, for the ballot, every candidate also has a 32-bit number. When you want to vote for your candidate, you swipe your card, then select the candidate on the screen. Your pid is appended to the end of the candidates pid, and then it is hashed with your signing key. At the same time, a publicly available signing key from the government signs the 32-bit pid of the candidate. Two slips are then printed out, both with one barcode indicating your hash of the candidate + your pid, and a barcode with the hash of the government signed pid.

One slip is given to the poll people, and you keep the other. Also, a copy of the slip is sent over some network to the vote counting place. If you doubt that your vote has been tallied correctly, all you have to do is search for your signed 64-bit candidate + personal id in some government database.

Paper trail. Verifiability. Randomness. What am I missing? Was t overly complicated? Input, please!

P.S.: Want to vote for someone not on the ballot? Do a write in. They're rare enough that counting by hand isn't an issue.

Re:Can America Trust Electronic Voting?

[argent]

While people were worrying about people who had mistakenly misvoted in Palm Beach County, Diebold delivered -16,022 votes for Gore in Volusia County, Florida. Do you suppose that might have had an effect on the election?

http://blackboxvoting.com/

Re:Now, really..

[Timesprout]

Interesting idea but doesn't this remove the anonymous aspect of voting which would make it a very tough sell.

Re:Redundant, I know

[mog007]

Another issue brought up is that there's no way of being sure that the source isn't tampered before it's installed on the machines. It isn't like you're going to be givin a root account on the machine, allowed to browse the source, then compile it when you're satisfied.

ATM Analogy

[BrynM]

From the article:

"Dollars and cents are 'commensurable.' A bank doesn't care if it loses $200 to a hacker who makes unauthorized withdrawals, so long as it gains back something more than $200 in cost savings from using the ATM that the hacker attacked. There is no difference except in amount between the dollars lost and the dollars gained. Their value is commensurable.

But there is no such commensurability between the false vote tallies that electronic voting systems might yield when things go badly, and the benefits of speed and efficiency that they might offer when things go well.

So the ATM analogy fails."

I don't think that this analogy fails. From my experience, banks tend to think of the money they hold as "their money". Their business is to use the money that they hold to generate income (fees/investments/interest charges on loans). To me this is the major danger of the voting companies. Do they consider the votes they process as "theirs"? Just look at what O'Dell wrote. To me the issue is control and the ATM analogy fits that well. Ever try to prove a fraudulent transaction to a bank? Were they evasive and controlling of the situation? Did they deny culpability? Did they deny a weakness in their process?

I think that the voting companies will eventually lobby to regulate out any scrutiny of their process. Will every attempt to investigate the security of such systems by an average citizen be dealt with as a "hacking" crime eventually? With today's fear of the "terrorists" exploiting things, the time for this type of legislation is ripe.

How's the weather in Ontario? Is rent cheap?

Re:Redundant, I know

[drix]

That's an excellent and most obvious point. Yet you would not believe the institutional resistance to this idea among the three e-voting OEMs (Diebold, ES&S, and Sequoia) to the idea of creating some sort of printed record. They insist on doing it all digital, even though their systems are ridiculously, incredibly insecure [avirubin.com]--probably because, in the event of a recount, a paper trail would provide concrete proof of how poorly their systems perform. There was an excellent overview of all this in Act One of the latest This American Life [thislife.org]. You aren't going to believe your ears when you hear how lame these companies are (esp. Diebold), they to whom we are poised to entrust our most important the most important cornerstone of our democracy.

Re:Now, really..

[djmurdoch]

Your system doesn't preserve the secret ballot.

For example:

I want to be elected, and I want you to vote for me. I offer you a bribe to vote (or threaten to break your legs if you don't). Now I can verify that you did vote for me.

Voting needs to be secure, but it also needs to be anonymous.

Re:Now, really..

[Aguila]

The absentee voter system already opens the door to bribery. I am not a resident of California, but I believe that you can register to be a permanent absentee voter in CA, for no grounds beyond you feel like it. So, if I were a CA resident and wanted to sell my vote, I would register to be a permanent absentee voter. Then, I would fill out the absentee ballot, show it to the person buying my vote, and then drop it in the mail while they watch. They get one confirmed bought vote, and I get my cash...

Therefore, bribery is equally possible under the current system. I don't even need the California law I cited, it just makes it easier to sell my vote election after election instead of having to obtain absentee voter status for each election.

Another good article...

[dgreenwood]

at http://www.securityfocus.com/columnists/198 [securityfocus.com]

Electronic Voting Debacle

Grave concerns over the security of electronic voting machines in the United States means the heart of American democracy is at risk.

[snip]

"...The Big Issue: Security

So, how do you know that the machine actually counted your vote? You don't! Oh sure, you may see a screen at the end of the process that shows you what you selected ... but how do you know that those choices are actually tabulated? The answer: trust the companies that make the machines. But that attitude, if it ever made sense, has been shown to be not just wrong but foolhardy in the past several months... "

Why have electronic voting at all?

[Anonymous Coward]

While dozens of /. readers are busy spinning theories, touting the presumed superiority of open-source voting systems, and arguing over the relative advantages and/or disadvantages of various electronic voting schemes, we seem to have forgotten to ask ourselves a simple question: what's the point of it all? Why not just use paper ballots?

The answer is, to a great extent, impatience. We've been conditioned to think that it's important to know the election results before we go to bed on election night. It isn't. TV networks cover elections with the maximum of hoopla they can muster: pundits, talking heads talking to pundits, statistics, counts, partial results, and forecasts based on partial results. All of it meaningless to the democratic process. Feeding this hoopla is one of the reasons that we have electronic systems - election officials decided to spend money on unproven systems simply to get results faster to keep reporters off their necks.

What's wrong with paper ballots, marked with a rubber stamp and counted by volunteers supervised by other volunteers? Nothing.

The yankees have it backwards.

[Pig Hogger]

You guys are having it backwards.

Since 2000, municipal elections here are counted with a mark-sense reader.

Voters get a letter-sized ballot, and they mark their vote with a sharpie. Then, they insert the ballot in a carrier-envelope.

Each ballot has a detachable stub with a sequential serial number, which is initialed by the scrutineer. When the voter returns, he tears-off the stub, and hands it to the scrutineer; this way, everyone can be sure it's the same ballot that was given (instead of a telegram, where you put in a pre-marked ballot, and prove you did it by bringing back the blank ballot).

The ballot is then passed though a mark-sense reader which tallies the counts, and drops into a sealed box, along with the other ballots.

This way, the results are known within seconds when the polls close, AND you STILL HAVE the paper ballots to be recounted, if the need arises.

The machines are not open-source, but starting tomorrow, I am pursuing the matter with the authorities.

Demand House Judiciary Hearing

[Anonymous Coward]

On Friday, U.S. Representative Dennis Kucinich from Ohio requested that the House Judiciary Committee take notice of Diebold's misuse of the DMCA:

From Kucinich's press release [house.gov]:

Congressman Dennis J. Kucinich (D-OH), today, sent a letter to the Chairman and the Ranking Member of the House Judiciary Committee requesting that the Committee hold a hearing to investigate abuses of the Digital Millennium Copyright Act (DMCA) by Diebold Inc., one of the nation's largest electronic voting machine manufacturers.

Write your own Congressman, and ask him or her to call for this hearing!

Answer: Make e-voting have a paper trail

[egarland]

I propose that a record should be kept in a database of every single vote that is cast. This record should have a unique identifier that is assigned when the vote is cast that can be used to access the record of the vote if and when that becomes appropriate. As we have today, the voting machine should not know who is in front of it and should have no way to determine who voted for what. What it should do is offer to print out a "vote recipt" for everyone who requests one. These vote recipts could be used by the voters themselves to access the total collected results of the voting to make sure that the vote they cast, was actually counted in the total.

Furthermore, each voting system should have a secret key. On the recipt there should be a hash (ala MD5) of the information and the secret key. A recipt with this hash would be *proof* that a vote was cast, on which machine it was cast, and what you voted for. This way there would be no way for someone to come in later and change votes in the database without that change being evident. Voters could punch in their recipt code into a web interface and have the system automatically check that their vote was cast and counted correctly.

The central votes database would need to record:

1. What voting machine cast the vote
2. The unique ID of the vote
3. What was voted for

Things not recorded in the central votes database:

1. What time the vote was cast (this would be too easy to tie to who came in and voted when)
2. Weather the recipt was printed (If that was in the DB someone could go in and only change votes where there was no proof of what the original vote was for)
3. The voting machines secret key (this should be a well guarded secret.)

The recipt should have:

1. The id of the voting machine used
2. The unique ID of the vote
3. The MD5 of what was voted for, the uniqe ID, and the secret key
4. (Voter Optional) A printout of what the votes were cast

The voting machines would need to disable themselves if for some reason it's printer didn't work. The key to not being able to tamper with the votes is that verification must be possible. Without that, votes could be altered with impunity.

It's Quite Simple

[Steve B]

The issue reduces to two questions:

1. Does the system generate a printed record?

2. Does the printed record supersede the electronic tally if the two disagree?

Either the answer to both of the above questions is "YES", without exception or qualification, or the system is not to be trusted.

benefits of speed and efficiency??

[IM6100]

But there is no such commensurability between the false vote tallies that electronic voting systems might yield when things go badly, and the benefits of speed and efficiency that they might offer when things go well.

Why are there benefits to speed and efficiency?

My understanding is that the people who work at the Polls are either volunteers or temporary employees who earn a 'civic duty' stipend for providing their services. Efficiency is something you worry about at a hamburger stand, not at a polling place.

As to speed: why the hell does it matter that we get a 'speedy' result. The whole obsession over 'speed' seems to be driven by the 'news' media and their incessant need to report results. In actuality, it is always weeks or months before the result of the election is put into action.

Screw speed. Screw efficiency. Let a bunch of community volunteers tally the paper ballots. Fine any news organization that 'reports' official results before they're posted by elections officials. The vision I get of a group of old ladies saying 'hold on and we'll have the numbers in a few hours' to some yuppie fuck journalist is wonderful, and should be the reality.

non-competition agreements for public officials?

[scorilo]

In the private sector, those dealing with IP or competition sensitive issues are usually required to sign non-competition agreements, whereby they promise not to join a competitor after termination of their contract. Yet, as the article has shown, there's nothing stopping a public official from joining a private business he was auditing while serving the taxpayer...

One may argue that the public has only to gain if the public official brings his expertise into the private sector. My concern is, however, that the public official will use his expertise in side-stepping regulations or choosing the way of minimal resistance, to maximize profits at the expense of following rules and regulations.

Kind of like a hardware vendor optimizing their wares for benchmarks as opposed to real life situations!

Re:Redundant, I know

[Peter Simpson]

In my town, we have electronic OCR ballot *counting* machines. The ballots themselves are pieces of paper with ovals on them (just like in school). The counting machines are, in fact, Diebold "AccuVote" products [I love the name...sounds like something out of "The Simpsons"]. The point is that all the machines do is count the votes. The ballots are paper and remain the final (anonymous) documents recording each vote. They can always be recounted by hand if the machine totals are in doubt, or the machine malfunctions before the end of voting.

You will never convince me that touch screen machines provide the same combination of security, accuracy and speed. I have nothing against Diebold, but sometimes, we all need to step back and remember the KISS principle and not to make a solution more complex than it needs to be...

Re:More badly-researched rhetoric on voting machin

[Joe Decker]

If you're in California, then that's pretty interesting.

Note page 15 of this PDF'd election manual. [sf.ca.us] (The document is an election workers manual from the County of San Francisco, I've worked polls in Santa Clara County myself.) Note that it does not state that ID is illegal to ask for, but does say that "Voters are NOT required to provide proof of identity or residence."

I will add that many voters do bring their voting booklet, or present an ID, and it definitely helps poll workers when you do that, it's somehow just slightly quicker to look something up when you have a nicely printed version fo what you're searching for, particularly with hard-to-spell names.

Here is [ca.gov] the text of a proposed law, from February 2003, to require IDs to be checked by precinct workers.

I can't, in the few moments I've looked today, find an explicit prohibition, although I believe I've seen one, I'm willing to drop the assertion that it's directly illegal until I can find direct proof of that statement. I will note, however, that if it's not required, it'd be a pretty bad idea to demand it of voters, since it'd be a direct opening to charges of discriminatory, selective checking of IDs.

On the other hand, a mistake by a polling worker on this point is far more likely to be a mistake than a serious attempt at fraud, poll-workers don't get a ton of training.