Touch Screen Voting Industry Circling Wagons

bhoman writes "Salon has an interesting article/interview with the author of a forthcoming book, Black Box Voting, by Bev Harris, that looks at electronic voting machines, especially Diebold touchscreens. The story includes incriminating internal memos, cease and desist orders from Diebold, transcripts of an industry teleconference where Harris Miller of the ITAA brags of his lobbying experience, and documentation of a backdoor via an Access MDB with no password. This is for software currently being used in 37 states. "

An even realer link

An open invitation to election fraud [salon.com]

The U.S. government seems to me to be becoming more and more corrupt. As David Letterman recently said, "When you make out your check for the Iraq war, there are two Ls in Halliburton."

Money seems to be everything, the health of the country nothing. McCain is right, we need campaign finance reform.

Re:The story becomes more mainstream...

Depends how much they try to overlook it.

Re:The story becomes more mainstream...

I' waiting for this to happend, but it seems americans (USA americans, that is) don't give a damm for basic democratic principles. "The vote is secret" but a black box can record the order in which votes were cast, and *anybody* in the room knows the order in which voters came to the booth. "votes must be independently counted" black-box == !record there is no way for the representants of any party to check by hand. I was born in Costa Rica, the original banana-republic, but every costarrican child can explain to you why electronic voting in its present form is an invitation to electoral fraud. Do you trust the goverment of Florida to count the no-longer-exixting-ballots the right way?

It's a basic principle, all right

No, that's not a basic democratic principle. That's a current principle used to encourage everyone to vote without fear of reprisal, but it's hardly a fundamental aspect of the system.

There are at least two reasons why you want secret balloting, one of them rather subtle. The obvious one is to prevent voter intimidation; the other is to keep people from being able to bring evidence that they voted for a particular candidate outside the confines of the voting booth.

Otherwise, I can park across the street with a sign reading, "$1 Paid For Each Vote for Candidate X" and buy votes from people coming out of the polling place with proof of their vote. Some of the machines being discussed would enable corrupt voters to do exactly that.

You really don't want to have any way to associate individual voters with their votes during or after an election. I'm sure there are tons of potential exploits beyond the few that I've heard of or thought of myself. Dropping the voter-secrecy requirement would be a major step in the ongoing banana-republicization of America.

Re:It's a basic principle, all right

Could you explain why, exactly, this is a problem? If someone chooses to sell their vote, why shouldn't they be allowed to do so? This is a serious question.

Because it undermines the whole notion of voting for a candidate because of the things they promise to do once in power. Bad election practices such as these were common in parts of England until the nineteenth century. "Rotten boroughs" with small numbers of eligible voters could be used to ensure a candidate got into parliament. Even after the widening of the franchise a mixture of bribery and coercion was common, with small farmers and manual labourers expected to vote how their bosses saw fit.

Chris

Re:It's a basic principle, all right

The major flaw in a secret ballot, however, is that the only person who knows for sure how he voted can't verify his vote was counted correctly. The people who can verify the vote don't know what the vote is. There's no check. Even in a simple summation, You can't verify the output without knowing all the inputs.

Take a simple model of a non-secret ballot where everybody's vote is published in a newspaper the day after the vote. John Q. Public can check the paper, verify his vote was recorded correctly, and verify that all the votes add up to the reported total. There's no opportunity for fraud except for the case of vote buying but then the voter is a willing participant, and, in fact, can be done in the existing system through absentee ballots.

What's needed is a method where the voter can verify his vote and the reported totals without sacrificing his anonymity. Then it doesn't matter if the vote is cast on paper, electronically, or by smoke signals. It then becomes an argument over which system is more efficient (less mistakes, faster results, etc.) rather than which system is more open to fraud.

Re:It's a basic principle, all right

What's needed is a method where the voter can verify his vote and the reported totals without sacrificing his anonymity.

Dead simple. Take a SHA1 hash of the voter's name and address, a secret string Joe entered at the polling place and the candidates he voted for. Publish the list of hashes in the paper. Joe Voter calculates the hash himself and looks for it in the list. If it's not there, someone is playng games. You need the secret string because Joe's name and address are public knowledge.

Re:The story becomes more mainstream...

Interesting that you quite correctly acknowlege the fact that every election result has a margin of error, but then fail to apply that fact to the 2001 result in Florida. I believe all the counts in that election were within a 2.6% margin.

The problem with the Florida 2001 election isn't that it got the results wrong. It is that we were forced to accept a statistically suspect outcome because of a lack of procedures for dealing with an extremely close count. Plus, whatever procedures might have been in place appear to have been hijacked by partisan entities. Whether you're Republican or Democrat, this is not a good thing for democracy.

Re:The story becomes more mainstream...

a black box can record the order in which votes were cast, and *anybody* in the room knows the order in which voters came to the booth.

Well, in theory it might be possible to do that, but most precincts have many (10+) booths, and you'd have to do some pretty clever record-keeping to keep track of which booth folks go into. AFAIK, its not legal to videotape voting rooms (basically it is considered intimidating, and thus in violation of the Voting Rights Act or some such thing - I remember reading a news story about it in the '96 election), so somebody's gonna have to keep track of which booth every single person votes in.

There are easier ways to intimidate voters. Indeed, optical scan could hold the same capacity for order-count, since there are multiple booths but only scanner, which will hold the ballots in a stack inside. With only a single scanner per precinct, it would be easier to reconstruct the sequence of voters & votes from that than from the black-box method.

"votes must be independently counted" black-box == !record there is no way for the representants of any party to check by hand.

Now the 'no-record' problem is a stickier wicket. Here's my theoretical solution, that also resolves some of the 'butterfly ballot' issues that were problems in the Florida vote. Basically, after the voter has completed the vote process, the machine would print a copy of their ballot. The voter is then asked to check it for any errors. If they think its OK, they run it through a slot that goes to a bin that stores the hard-copy record of all the votes, and triggers the vote to be counted by the machine. If they made a mistake, then they run the hard-copy through a different slot that shreds the ballot and re-starts the voting process. This gives a hard-copy record for any re-count, and provides for people to check and make sure they didn't vote for Pat Buchannan when they meant to vote for Ralph Nader.

Wow, Diebold can

Quote from the article: While seeking information last January about a voting-machine company for a book she was writing, she found a Web site "on about the 15th page of Google." The open, unprotected site held some 40,000 files that included user manuals, source code and executable files for voting machines made by Diebold, a corporation based in North Canton, Ohio.

Quotes from the above article:

Quotes from the above article:

No official at Diebold or the Georgia Secretary of State's office has provided any explanation at all about the OTHER program patch files -- the ones contained in a folder called "rob-georgia" on Diebold's unprotected FTP site.

Inside "rob-georgia" were folders with instructions to "Replace what is in the GEMS folder with these" and "Run this program to the C-Program Files Winnt System32 Directory." GEMS is the Diebold voting program software.

Another quote:

- And assume that all 22,000 program patches did exactly what they said they did: Corrected a conflict between Windows CE and Diebold's firmware to prevent screens from freezing up.

Re:Another article by Bev Harris:

Just so you know: I have never "published articles in Conspiracy Planet."

Just as the Salon.com article was picked up here at Slashdot, Conspiracy Planet picks up articles from wherever it wants. It copied an article that was in Scoop Media. The Seattle Times reporter was somewhat misleading, and he was determined to get the word "conspiracy" into the article somehow.

I put him on notice that if he called me a conspiracy theorist, he would have to back that up with facts or I would require the editors to print a correction. Then he said "well, I'll just print what others say about you."

This guy did everything but stand on his head to slant the story, but I blocked most of the efforts. Something he fails to report in his story is that the Microsoft Access hack that is the subject of the Scoop Media article, the Ken Clark memo, and the Salon.com article (and was vetted out right here on Slashdot) -- well, I demonstrated that hack in front of the Seattle Times reporter, the IT guy for the Times, and a Seattle Times photographer, who commented, "Wow. This shows you can rig an election."

The reporter's use of the "Conspiracy Planet" reference was pretty disengenuous, when you realize that he knew damn well my work has also been covered in the Washington Post, AP Wire service, the San Francisco Chronicle, and CNN.

As you can see, I'm getting sick of the "conspiracy" label, since I've broken seven stories in a row on the voting issue and every one of them has checked out and, eventually, been picked up by the mainstream media, albeit haltingly. For a long time I just ignored it, but now, when reporters try to go there, I tell them to back it up or get hit with a correction, and if they don't correct, a libel suit.

Sad that it has to come to this -- printing facts is not the same thing as being a tinfoil hatter. What I do is scrutiny, and my facts check out.

Bev Harris

Access Database?

In a voting system?

I wouldn't use an Access Database as a way of securing my list of CDs, let alone my democracy.

Then again, does Dubya have any more brothers who are governors?

wroooong

Nope. Nobody was "kicked off the list" because of the felon list. In fact, when the USCCR held hearings on the 2000 Florida elections, they couldnt find a single eligible voter that was kept from voting because they were incorrectly identified as a felon (and believe me- the Democrat majority in the commission looked VERY hard).

No, you're wrong. Greg Palast did extensive research [gregpalast.com] into what happened. Don't buy the party line from Fox News, CNN, and others who completely whitewashed what happened in Florida.

Now that Diebold has a lock on voting systems, expect more fraud and even less media acknowledgement of it.

Re:wroooong

Odd. The United States Commission on Civil Rights reports, in a document titled _Voting Rights_in_Florida_2002:_Briefing_Summary
dated August 2002, includes the following:

The agreements, for example, call for county officials to identify and restore the voting rights of people incorrectly removed from voter rolls as a result of errors on the felon lists provided by the state Division of Elections,

If there were no voters purged incorrectly, why is this part of the settlement between the U.S. Government and the counties of Florida?

Why all the reports of African American voters turned away at the polls, as reported by the USCCR?

the only solution...

It to open the source for these "voting machines" so they can continually undergo a public review.

Hell the hardware needs to be open for review also. It's not like there is any secret designs in there (Unless you are trying to hide something illegal)

All it takes is a tiny bit of off the shelf hardware components, a refrence design and the software to make it work easily... anyone could make an electronic voting system.

until it's all open for review by today's IS and IT experts I will not trust it or the companies making them. This isn't some silly toaster or PVR... this is the basis of the United States... voting..

Re:the only solution...

ISO 9001 described manufacturing and processes.

The important thing to remember about ISO9001 is that it's perfectly OK for an ISO9001 shop to fling completed motherboards frisbee style across the warehouse so that it hits the wall and lands in the pile for packaging/shipping as long as that is the written procedure.

It says nothing about quality, it doesn't even assure consistancy (some boards may actually function after the above proicedure, it's random dumb luck). All it really assures is that somebody paid some ISO9001 auditors a hefty chunk of cash.

The real primary goal of ISO9001 is to remove all human thought from the process so that low paid unskilled labor can operate like expensive industrial robots.

Note that the original INTENT was to force a company to think about it's procedures in an organized manner and so make improvements in their process and in the process generate good solid and complete operational manuals. Unfortunatly, that rarely happens due to managers and ISO auditors taking what should be a manual of good ideas and raising it up to the status of holy scripture.

It is cynically amusing to listen to people in an ISO company talking about procedures in the manual. They sound EXACTLY like door-to-door bible thumpers quoting scripture. It's not at all unusual to find walls plastered with posters repeating the same 'inspirational' phrase everywhere. The phrase is so pervasive that it no longer carries meaning, but instead invokes conditioned response, not unlike a particularly dysfunctional religious cult.

It never once occurs to them that the outcome is what is important and that procedures should be re-written if/when they lead to a poor outcome.

Re:the only solution...

It to open the source for these "voting machines" so they can continually undergo a public review.

There are two things you need to secure against tampering: the voting and tallying process, and the resulting data. Open source inspection, while certainly useful to verify the priciples of operation of the voting machines, is not sufficient to prevent tampering with either the tallying process or the resulting data.

You will want to ensure that the machine accurately registers and tallies votes. Verifying the source alledgedly used in all the machines is not sufficient: you'd need to inspect the (sufficiently large) CRC of the binaries on each and every of the voting machines. You'll want to verify that they are indeed running the software that you have inspected, not some doctored version.

Even if all machines produce accurate data, that will do little good if anyone can edit the resulting data file, or if the totals are communicated to a central counting facility through a means which allows easy forgery of the results.

The problem with any electronic voting system is its intransparency, not of the program source, but of the voting and tallying process. Once the job of vote registration and counting is delegated to a machine, it becomes invisible. It is like handing a box of paper ballots to anyone in the streets and asking him to tally up the votes without any supervision. You'll have no idea of the accuracy of the resulting count, unless you are able to recount yourself... and for that, you need a paper trail.

I firmly believe that any electronic voting needs to be accompanied by a paper trail, and that the counts must be subject to verification of a recount using this paper trail. An electronic voting machine should either produce a paper ballot which the voter can inspect and post in a lockbox, or it should scan a paper ballot on which the voter has indicated his choice by hand. There arer very good reasons to trust paper ballots over electronic ones that are hidden inside some machine:
- The voter has tangible assurance that the vote that is deposited is the one that he has cast
- The counting rersults are verifiable: the counting can take place in a group of people from all stakeholders in the election, who will all watch each other.
- In case of doubt, a recount can take place using the original ballots counted by a different group of people.
- Most importantly: paper ballots are incredibly hard to forge in bulk, and it is very hard to introduce a significant amount of them into the counting process.

Re:the only solution...

It strikes me as incredible that the "technical" people writing these emails are engaged in such Mickey Mouse chatter, and so interested in just cranking out something, anything that will work. I just don't see how electronic voting is really all that hard to engage in...as long as you have your priorities straight.

There are two primary things we want to accomplish with EVotes -- first, we want to make the voting process easier to engage in. Second, we want to make the counting process more efficient (less costly). We would also like to reduce the error rate, to the extent that we are able.

A touch screen voting interface, big and clear and nice, is exactly what we need to help walk people through the process. We can't, though, rely on the software in these machines. One read through the memos above should convince you as to why -- these people just have no idea what they're doing. Basic? Access databases? Windows? My god.

What this says to me is that we simply cannot get away from paper. So what we want is a system that makes paper easier to use, leaves a paper trail for auditing and verification purposes, and provides ample opportunity for error checking by the voter and by election officials.

We use the touch screen to answer questions. At the end of the voting session, the system prints a "vote" and electronically tabulates the results. The voter verifies that his printed vote matches what's on the tabulation screen. The voter then folds his paper vote and deposits it with election officials in a good old fashioned ballot box.

We can then use the electronic tabulation to check quickly on the results -- this is quite efficient. We will also engage in a substantial amount of verification, by counting the paper votes by hand and verifying this against totals learned electronically. The paper always wins, in this system. We do not necessarily need to count all of the paper votes -- we can use random sampling.

It seems like a win in both directions, for me. Risks include unacceptable printout quality (printer wear), and insufficient random verification.

Backdoor

...documentation of a backdoor via an Access MDB with no password.

Well, it is called Access after all.

Land Of The Free (To Enter)

Doesn't it make you glad to be in a country were your democratic views are stored in an unprotected Access Database!

Use open source in government

The solution is simple: use open source software.
Every software in government, which is paid for from citizens taxes, should be open source. So that every citizen (at least the one which is a programmer) could check whether the code is good and fair, especially in elections.

Of course the code actually used in voting machines should be double checked by government professionals, but everyone should have an access to read the code.

Re:Use open source in government

"Every software in government, which is paid for from citizens taxes, should be open source."

Maybe I'm being a little bit picky here, but I'd prefer the best tool for the job (yes, I am a gov't employee).

That's why, when ballots are counted by hand, no one is allowed to look how they are being counted. You see, when the ballots are counted behind closed doors, the result comes back in under a minute, but when people can inspect the counting, and insist upon a "procedure" being drawn up that everyone can rad, manual counting can take an hour!

Many countries prefer to manually count votes behind closed doors with no published counting procedure. For example, Iraq, China, etc. In fact, in these countries the election results are almost always known even before the elections, that's how efficient it is!

Re:Use open source in government

Not when public accountability is a prime concern. It doesn't matter how much better the closed-source voting systems are. I can't audit them; I can't see what's going on.

There is a vast difference between using some proprietary math program down at NASA and using a closed-source voting system. One of them results in a spacecraft that doesn't work; the other results in a government that doesn't work. You pick. :-)

Re:Use open source in government

Maybe I'm being a little bit picky here, but I'd prefer the best tool for the job (yes, I am a gov't employee).

If that happens to be open source, so much the better, but I don't want to be forced to fumble around with an inadequate tool, and waste time and taxpayer dollars, just for the sake of using open source software.

Whether or not some people care to admit it (and there are pleny who still don't), sometimes the only/best tool for the job is closed-source commercial software.

I'm sorry, but you are full of it. The amount of money that the federal government spends on software procurement and maintenance is staggering. In many cases, the federal government is the only customer of some firms. Thus, all Uncle Sam has to do is say, "form now on, if you sell to us, its open source." If they company doesn't like it, then tough, they can find others to sell to (the federal government should not be in the business of propping up other businesses).

In the other case, where the federal government is the only customer, then they stand to lose absolutely nothing by opening the source, unless there is something they are trying to hide.

As far as the best tool for the job: I would hardly call an end-to-end MS desktop, running MS Office, hooked to MS Servers solution that croaks everytime a new virus comes out and paralyzes entire military installations and federal departments, the best tool for the job. I have seen that exact thing happen so many times that I cannot fathom why we still see things like the recent procurement deal the Army signed for ~$900 million that only included MS OSes.

Re:Use open source in government

He got in because of the 'old-sk00l' methods, and how reliable they are

I call bullshit on you.

George W. Bush won the 2000 election under the current American Electoral System. Sure, Gore may have won the popular vote, but that doesn't directly decide who the president is in this country.

The mix-up in Florida was because people couldn't figure out a simple ballot. It was decided by the powers that be that Florida's electoral votes would go to Bush (well, that's a generalization, but the same idea).

The moderators would have a better time with this if there was a Score: -1, Conservative.

Re:Use open source in government

> George W. Bush won the 2000 election under the current
> American Electoral System. ... The mix-up in Florida was because people couldn't figure out a simple ballot.

Oh, is that how it happened?

Even if we ignore the controversial Supreme Court ruling, the issue was much more complicated than that.

Jeb Bush and co. worked to get thousands of black voters disenfranchised by removing their names from the voting rolls if they had a name similar to that of a convicted felon ("Official: Florida disenfranchised minority voters", CNN, March 9, 2001).

Bush worked to maximize the number of overseas ballots in counties he won, he also worked to disenfranchise military ballots in counties Gore had won ("How Bush Took Florida: Mining the Overseas Absentee Vote", New York Times, July 15, 2001).

Of course, the problem was exasperated by Gore deciding to only have recounts in counties he won, rather than across the whole state.

So, the real issue was not just a complicated voting ballot, but also the way the votes were counted. And it's easier to verify how votes are counted (and recounted if necessary), if there's a paper trail. It doesn't help that Diebold's system is insecure.

Consider the fact that Diebold CEO Waldon O'Dell is a Republican who said in a fundraiser letter that he was committed to ""committed to helping Ohio deliver its electoral votes to [George W. Bush] next year." It is all the more important to make sure the way votes are cast and counted are transparent to the voters themselves.

And before I get lambasted by conservatives, consider the following: how would you react if you heard that the CEO of the company supplying voting equipment wrote in a Democratic fund raising letter that he was committed to helping Hillary Clinton win the presidency in 2004? You'd be a little nervous, and a lot pissed.

Re:Use open source in government

> NO! First of all, when the (Democrat majority) USCCR
> held hearings on the Florida election, they were not able
> to find a single person that was disenfranchised by the
> felon list.

You linked to the dissenting opinion, and not the original report. The majority opinion was 6-2. The U.S. Commission on Civil Rights found that the 2000 presidential race in Florida was marred by "injustice, ineptitude and inefficiency" that disenfranchised minority voters.

The report concluded that :

* "countless unknown eligible voters" were wrongfully turned away from the polls or purged from voter registration lists because of procedures and practices used by election officials.

* criticism of an an effort to purge convicted felons and other ineligible voters from registration roles. Lists of ineligible voters, compiled by a private firm, had an error rate of at least 14 percent, and black voters had a "significantly greater chance" of appearing on the inaccurate lists than white voters

* black voters were nine times more likely than white voters to have their ballots rejected during the counting process. Faulty voting systems were more likely to be used in areas with higher percentages of minority voters, but even in counties where the voting systems were the same, black voters still had a higher rejection rate than white voters

(Source: "Civil Rights Commission Approves Report Assailing Florida Vote", CNN, June 8, 2001.)

The sentence you cited from the New York Times article was incomplete and out of context. It was talking about the Democrats' accusation that the Republicans had organized an effort to seek votes after the deadline: "The Times study found no evidence of vote fraud by either party. In particular, while some voters admitted in interviews that they had cast illegal ballots after Election Day, the investigation found no support for the suspicions of Democrats that the Bush campaign had organized an effort to solicit late votes."

Earlier in the article, "the Republicans mounted a legal and public relations campaign to persuade canvassing boards in Bush strongholds to waive the state's election laws when counting overseas absentee ballots. Their goal was simple: to count the maximum number of overseas ballots in counties won by Mr. Bush, particularly those with a high concentration of military voters, while seeking to disqualify overseas ballots in counties won by Vice President Al Gore. ... In an analysis of the 2,490 ballots from Americans living abroad that were counted as legal votes after Election Day, The Times found 680 questionable votes. Although it is not known for whom the flawed ballots were cast, four out of five were accepted in counties carried by Mr. Bush"

Silly, Silly, Silly

I love high tech as much as anyone on Slashdot, but paper ballots make a whole lot more sense: with even a modicum of security you have the originals for recount (recounts being actually pretty straightfoward Florida FUD not withstanding).

Receipts should be treated as ballots for audits

Not necessarily. The idea would not be for the voter to take the receipt with him, but to put it into a locked "ballot box" where it would provide an independent audit trail. Machines would be randomly audited after each election to ensure that fraud did not take place.

I would say that the system could be made even better this way: separate out the voting and tallying machines, using the paper as a medium of transfer.

It would work like this:

(1) Voter makes choices on the voting machine.
(2) Voting machine prints out paper ballot with text and barcode representation of the votes.
(3) Voter confirms that text matches his wishes; if so he places the vote in the tallying machine which scans the bar code, puts it into a database, prints the database serial number on the ballot and deposits it into a locked box. If the ballot is unreadable,the machine spits the ballot back out and the voter can try a different machine. If for some reason the tallying machine will not accept a voter's ballot, the ballot is placed in a separte locked box for manual tallying.
(4) After the election, database records are randomly audited to compare with paper ballots; paper ballots are likewise randomly audited to ensure that the bar codes correctly. The locked "ballot boxes" should have a mechanical counter which indicates the number of times they are opened; a proper log should be kept every time of every time the ballot box was opened and why.

Such a system would have the auditability of a paper system, with an electronic system's rapid and accurate tallying and ability to handle complex balots.

Re:Silly, Silly, Silly

Interesting idea.

Perhaps the voting machine's purpose should be 2 fold - to do an electronic tally at the time of vote selection as well as print out a hard copy ballot recording the person's vote. Basically, the computer becomes a electronic front end to the usual system of voting with pen and paper, just replacing the pen, not the paper. This copy should be human readable so the voter can chack that the machine did indeed register his desired choices, as well as machine scannable to facilitate electronic re-counts. Heck, human readable means manual re-counts are available too. Technology has progressed far enough to do this reliably, hasn't it?

Nothing like a hard copy audit trail...

Soko

Re:Silly, Silly, Silly

Nuclear power plants dump a line on a printer for every event that happens. At the steel mill I worked at, the massive forge shat telemitry out to a WORM drive. The running joke in the air force is that that a plan can't fly until the paperwork exceeds that weight of the aircraft. Law firms dump email into giant logs for litigation.

And yet "industry" doesn't seem to grock record keeping. Methinks' not. They just don't like keeping records about what they don't think is important.

Electronic voting scares me

You can have fraud using any medium, but when you throw computers into the mix it's a heck of a lot easier to have fraud on a grand scale.

-Jeff

So many databases

What is the fascination with Access? Why does every company seem to use Access for important data when there are so many other databases that are not only higher quality, but less expensive at the same time?

There is nothing funnier than companies that try to use Access as the database for 150,000-pageview-a-day websites. Middle management at its most entertaining.

Re:Seattle Times Artcile

Why is this so hard to do? I mean, really, if you're gonna provide a link, at least make it a link! [nwsource.com]

Fingerprints ?

Ok, I admit it, I really thought of fingerprints when I say touchscreen voting. Would anyone care to tell me what kind of screens are used for these touchscreens ? Would anyone with a little will be able to capture your fingerprint on the screen ? I mean, someone comes in, votes, wipes the screen real clean, you come in and vote, next guy comes in and uses that powder the police uses on the screen ? I see no real use for this informations, but still, privacy is privacy ...

screensavers

and these touchscreens can have marquee screensavers saying, "This whole thing is wildly inaccurate. Rounding errors, ballot stuffers, dynamic IPs, firewalls. If you're using these numbers to do anything important, you're insane."

why are they fighting a printing machine?

If the touch screen prints out a ticket that confirms your vote and you put half of the ticket into a locked box all the votes are completely auditable. The ticket could even have a long random number on it that you could use to confirm your vote was counted correctly. If there is a re-count they put all the neatly printed, voter confirmed ticket stubs through an optical reader. No pre-preinted ballots are needed, just a roll of ballot stock. Something is fishy here, must business want to supply a materials to a customer on an ongoing basis. Here they are fighting the customer telling them you don't want to mess with paper.

Re:why are they fighting a printing machine?

You can't have voting receipts... because that would make it too easy to corrupt the voting process.

Imagine a candidate with 'connections', who insists that you provide him with the opportunity to view your receipt the day after the vote - and if you don't show him a receipt with his name on it, his 'connections' hurt you, your family, or your property.

You can have voting receipts

Tell two of your friends about vreceipt [vreceipt.com], and have them tell two of their friends, etc. We need to have everybody asking their congressmen not only "Why are we implementing easily tampered with voting systems?", but "Why are we implementing them instead of mathematically verifiable alternatives?"

There's a lot to the white paper at that link, but here's the part that makes voting receipts possible: The receipts are given out and are identical to an entry in the published "first stage" election results, so you can verify that your vote was counted. The receipts have been repeatedly encrypted with different election officials' public keys, so nobody who wants to buy/blackmail your vote can tell who you voted for (but you can, by examining the original "2-ply" receipt which you pull apart before leaving the booth). Election officials scramble the order in which results are published after each decryption stage, so nobody can trace your vote from first stage to final cleartext results, but half of the published decryptions are randomly checked so any corruption on the part of the election officials will be caught. You still need to have poll watchers to make sure that a polling site doesn't report more votes than there were voters (since the vreceipt process protects against lost or altered votes, but not illegitimately added votes), but that's much easier than attempting to make sure that even an open source voting machine is doing it's job right.

Flame Away...

How about a program that not only places the votes in a secure database, but also creates a PDF (an open format) and stores it on the local disks (RAID). Include all details of the vote, such as voter ID, etc. All the same stuff we keep on paper today.

After voting is complete, another program could open the PDFs and parse them out (is this possible?) and compare the results with the database. I don't know what to do in case of a discrepancy, haven't thought that through.

Oh, and whatever happens, no Windows allowed.

no system checks?

What really got me was the bit where one of their "engineers" was explaining how the "system test" is merely the normal POST. I'm currently in the process of writing a very simple inventory / cash flow management system for my employer, and I started building strict integrity checks and reports into it as one of my first steps. Meanwhile, the people making our voting machines can't be bothered?

I would never trust a machine...

... for anything important such as voting. I'm a programmer, I do that for a living I've *never* seen a software project that didn't include quick hacks, known vulnerabilities by the dev team, ,a lazy programmer and a PHB.

The fact the matter is, EVERY software project has stuff like that.

I wouldn't trust a software (much less a closed source software) written by anyone (including NASA, govs, whatever) to do anything like this. And personally, I can't believe anyone who has worked in the industry would.

And that is, regardless of the project management techniques, reviews, whatever.

Re:I would never trust a machine...

No, there are projects that aren't like that. Critical systems are engineered to a higher standard. Thats why they take so long, cost so much, and are infrequently updated. You can do a fully verified design where you control all teh hardware, all the I/O paths, etc. You make sure everything woks together as expected, check all I/O, test and retest and so on. You see this sort of thing in life saving devices like in hospitals, important communication devices like satalites, and for large cirticial finincial systems and so on.

However you can't do this on normal comodity systems. You have to control everything about the design, including all hardware and software to make sure no un expected interations occur. You have to test to the extreme, which means a slow dev cycle, and because of all the time and money and control, you can't release new versions often.

So an electronic voting system could be designed to that level of relibility. I mean think about the electronic banking systems. You just can't fuck up when billions of dollars are at stake. However there is a difference, with banking there is plenty to keep people honest. There are multiple banks, and they are overseen by governments. Any backdoors would hurt only the bank who implemented them. With a voting system, this isn't the case. There would be an intrest for the developers to be able to get in and manipulate the system, even (or perhaps espically) if the developer was the government for which it would vote.

Bigger Than Watergate?

these people [scoop.co.nz] think so.

Seminole County Florida

I live in Seminole County Florida and we used optically scanned paper ballots, like those answer sheets in school that required a number 2 pencil (of course for voting pens are used). They are easy to use with the names on the ballot right next to the box you fill in. The results are read instantly when inserted in the box that holds the ballots, when a recount was ordered they just ran all of the ballots through again and had the results ready in a few hours. We have had this system for years (at least 10) and have had no problems, it is an easy answer to all of the issues that we are seeing with low-tech and high-tech voting machines. It provides a physical record and does not produce hanging chads.

There seems to be a prevading impression that....

throwing technology and computerization at the problem will necessarily make the system more secure. Not that these aren't good things, but my experience has been that, from a security standpoint, adding complexity can often increase opportunities to compromise a system.

I'm not saying that a state-of-the-art computerized, hi-tech voting booth can't be rock-solid secure. However, I do see the potential for companies to sell hi-tech voting machine soley on the *impression* that the added technology automatically makes them more secure.

I think the focus should be solely on the standard of security. Whatever system can meet that; be it punch card, touch screen, whatever, is the system we use. Sadly, I suspect such a standard will put internet voting a long way off.

When The Usual Lousy Programming Makes Headlines

I'm glad for this article and for people raising red flags on electronic voting.

The truly sad part is that, from what I can tell, even if there's nothing suspicious in the realm of vote-fixing, we're still dealing with terrible software design and security.

And, sadly, that terrible design and security is all too common.

I'm hoping articles like this turns peoples eyes towards the fact that we've got lots of terribly made computer systems, applications, databases, websites, and so on doing very vital roles. In my IT career I've seen hospitals brought to a crawl by lousy patient software, websites with databases so bad that they had to be shut down for maintenance reguarly, simple applications delayed for months by bad planning and inappropriate technology, and far more.

So, sadly, in the area of voting, it's business as usual. But business as usual is pretty bad for the usual business as is . . .

EFF.org petition for electronic voting standards

The EFF is organizing a petition to encourage IEEE to set trustworthy standards for electronic voting. Read about it and join the petition here:

http://www.eff.org/Activism/E-voting/IEEE/ [eff.org]

"EFF supports the IEEE in taking on the issue of setting standards for electronic voting machines. We also support the idea of modernizing our election processes using digital technology, as long as we maintain, or better yet, increase the trustworthiness of the election processes along the way. But this standard does not do this, and it must be reworked."

Open Source isn't the answer

Predictably, a bunch of /. responses focus on the fact that the source isn't available for public review as the primary problem, but that's irrelevant, and Bev Harris explained the correct solution quite clearly in the article.

Open source wouldn't be a bad thing, mind you, but why bother auditing the code? What you really want is to audit the *results*, and the easiest, best solution to that is also the simplest: Have the touch screen machines print paper ballots with a nice list of races and selected candidates. Then the voter can verify that they actually voted the way they wanted to, and the paper ballots can be counted and compared with the computerized tallies by anyone who wants to question the system.

As Harris points out, the fact that the manufacturers sem so dead-set on avoiding paper printing seems almost sinister... the solution is so obvious, and so simple that it makes you wonder what their true motivations are. They make a lot of noise about printers being too error-prone and difficult to operate, but that's just silly. Take a look at the thermal printers used by retail systems -- they work day in and day out for years with no more maintenance than replacing rolls of paper. Designing a workable printer for a voting booth wouldn't be trivial, but neither would it be an impossibility. The requirements are very simple: Be able to run for an entire day without jamming or running out of consumables, and print paper ballots that are easy to read and remain clear and legible for at least three years.

There are various minor improvements that can be made to this idea, such as a machine-readable section of the ballot to make automated verification easier, etc., but at bottom paper achieves a level of transparency and reliability that no purely automated system can ever achieve, no matter how many geeks have pored over the code.

Keep the touchscreens, but...

Instead of storing the vote electronically, have the voting machine print off your ballot once you've voted, which you would then place into the ballot box. Increased accessibility and usability, no spoiled / ambiguous ballots, and no chance for loyal party members to control the electronic voting.

Open Source Is Not THe Answer

Not the whole answer, at least.

We need to check, not only that the software has no obvious backdoors, but that

• The source code that is used corresponds to the source code that is audited (no "last minute fixes")
• The object code that is linked corresponds to the source code
• The executable that is in the machine is the same as the code that has been autited
• The compiler hasn't been screwed with
• The system libraries haven't been screwed with
• The OS hasn't been screwed with
• The BIOS hasn't been screwed with
• The hardware hasn't been screwed with
• There isn't any extra info hidden in any nonvolatile memory

I'm not that paranoid; there are probably any number of other things that could be screwed with and still have the code pass any kind of review with flying colors.

Paper ballots are the only answer.

Voting Machine Requirements

Obviously these people are masters at gathering and implementing requirements from the various governmental entities that would use this.

Requirements:
1: Allow government to edit results
2: Make sure logs can be altered
3: Provide false sense of security

About access control....

I can't believe the Diebold folks actually said this:

Note however that even if we put a password on the file, it doesn't really prove much. Someone has to know the password, else how would GEMS open it. So this technically brings us back to square one: the audit log is modifiable by that person at least (read, me). Back to perception though, if you don't bring this up you might skate through Metamor.

There might be some clever crypto techniques to make it even harder to change the log (for me, they guy with the password that is). We're talking big changes here though, and at the moment largely theoretical ones. I'd doubt that any of our competitors are that clever.

I seem to recall that, back in the Dark Ages of the 70s, RACF was able to handle this kind of access control quite nicely. To say a log file can't be protected from the sysadm is either dishonest or incompetent. Either reason should be enough to disqualify a company employing someone like that in that position from anything requiring the public trust.

This is really going to be the acid test, I think.

--As to just how sleepy America currently is.

I mean, Bush himself recently declared that there were no WMD's in Iraq, but it only made news deep within the covers of the various big journals which even bothered carrying the little item.

But this one, voting corruption in the world flagship of 'Democracy', is going to be the real indicator.

I mean, it seems this voting machine problem is in fact well known and understood by millions. People have time to raise a proper stink and prepare. I very much look forward to seeing if America will DO something about it or if they'll just grunt and roll over to a new sleeping position.

Unfortunately, it doesn't really matter very much in a political sense. At this point, it doesn't matter who gets into office. They're all a bunch of dangerous bastards who can be expected to play ball to the New World Order agenda. Those who can actually make a difference have a strange tendency to die tragically in King Air A-100 plane crashes.

I had no idea that Arnie was royalty! He's married to a Kennedy, his mom is married into high-level Austrian politics, and his pappy was in the SS. The boy terminator declared himself the loyal friend of a convicted Nazi war criminal, no less. --Oh yes, and the all-white, all-male, all-billionaire Bohemian Club which has a habit of determining who gets to be the president of the United States, (among other things), has agreed to make Arnie a king of some standing, possibly THE king. Sheesh. Thank goodness California put the brakes on when they did!

My only hope is that if America does manage to wake up enough to fix this voting machine horseshit, that it'll take the next step and realize that the current administration, and all current potential administrations, are corrupt to the core, put ALL of them in jail, and start fresh. I mean, sure, they'll have no functioning government for the next year, and people will panic, and the dollar will vaporize, and the really evil bastards will all hide out until everything blows over, but. . .

Who am I kidding?

More likely? This voting machine problem will be looked and:


1. People ignore it, and what difference does it make after that?

2. People 'fix' the problem and then wait patiently to see which monster gets properly elected to continue the destruction of the universe.


Americans don't have the awareness or the spine for a real revolution.

-FL

mechanical voting!

I don't know how you guys do it, but in my district we use these large mechanical voting machines. There is a wide board of switchs, you flip the switches for the candidates you want and then pull a big lever that resets all the switches to a neutral position and records your vote.

I don't have a verifiable paper trail, but I've never worried about something "hacking" a big box of gears, "bugs" in the gears, the big box of gears going on the fritz, or the gears being made to somehow fit some nefarious purpose. You can't "patch" the gears remotely.

I see no ways that this system is inferior to a touch screen system. THEY SHOULD USE WHATEVER VOTING SYSTEM WORKS THE BEST, NOT THE ONE THAT'S THE MOST "ADVANCED" AND EXPENSIVE.

Thank you.

An interesting article on all of this

An excellent article [tmtmetropolis.ru]
...from the moscow times. Oh the irony.
Also, has an extensive bibliography of other links at the bottom.

This is just a way for some companies to profit.

When I lived in Massachusetts, for the last couple of election cycles, the ballots were printed out on a flat white sheet of paper. We used a thing called a BLACK MARKER to complete a line for the candidate we were voting for. This neat piece of paper was fed into a nifty machine.

So, the actual paper ballot was retained if a recount was necessary...and the electronic part was just scanning the marks I made on the ballot. Granted, write-in candidates needed to be verfied manually.

That's all that needs to be done for ANY electronic voting system. None of this touchscreen bullshit, source code fiasco, or questions of verification. The miracles of OCR are something not to be overlooked!!

Diebold memos explanation of minus 16,022 votes

There is a sort of whack-a-mole activity going on with Diebold; so far it has filed six cease & desist orders but the entire stash of 15,000 memos keeps popping up. For the latest link, visit www.blackboxvoting.org [blackboxvoting.org] and judge for yourself. Thought you'd be interested in this exchange:

Sent: Wednesday, January 17, 2001 8:07 AM

"Hi Nel, Sophie & Guy (you to John), I need some answers! Our department is being audited by the County. I have been waiting for someone to give me an explanation as to why Precinct 216 gave Al Gore a minus 16022 when it was uploaded. Will someone please explain this so that I have the information to give the auditor instead of standing here "looking dumb".

"I would appreciate an explanation on why the memory cards start giving check sum messages. We had this happen in several precincts and one of these precincts managed to get her memory card out of election mode and then back in it, continued to read ballots, not realizing that the 300+ ballots she had read earlier were no longer stored in her memory card . Needless to say when we did our hand count this was discovered.

"Any explantations you all can give me will be greatly appreciated.
Thanks bunches,
Lana
"

followup:

Date: Thu, 18 Jan 2001 15:44:50 -0500

"There are two separate issues/problems that are getting combined in this stream.

"- a check sum error occurred which the poll worker reset and continued counting the card "did not" require downloading before be reset. She never reran the previously counted ballots and this resulted in some negative PR post election. So that is Lana's primary question, how did this happen? Ken explanation sounds like a good one and will not require a line for VTS if we can ever get to GEMS.

"- the negative numbers on media display occurred when Lana attempted to reupload a card or duplicate card. Sophia and Tab may be able to shed some light here, keeping in mind that the boogie man may me reading our mail. Do we know how this could occur? "

NOTES
Sophia was the Diebold tech involved with the San Luis Obispo vote tally that appeared on the Internet five hours before poll closing.

Sophia is also the King County tech rep -- note the Ken Clark alter the audit log memo, talking about doing "end runs" around the voting system -- "King County is famous for it"

followup: possibility of "unauthorised source

Date: Thu, 18 Jan 2001 13:31:04 -0800

"John,

"Here is all the information I have about the 'negative' counts.

"Only the presidential totals were incorrect. All the other races the sum of the votes + under votes + blank votes = sum of ballots cast. The problem precinct had two memcory [sic] cards uploaded. The second one is the one I believe caused the problem. They were uploaded on the same port approx. 1 hour apart. As far as I know there should only have been one memory card uploaded. I asked you to check this out when the problem first occured but have not heard back as to whether this is true.

"When the precinct was cleared and re-uploaded (only one memory card as far as I know) everything was fine.

"Given that we transfer data in ascii form not binary and given the way the data was 'invalid' the error could not have occured during transmission. Therefore the error could only occur in one of four ways:

"Corrupt memory card. This is the most likely explaination for the problem but since I know nothing about the 'second' memory card I have no ability to confirm the probability of this.

"Invalid read from good memory card. This is unlikely since the candidates results for the race are not all read at the same time and the corruption was limited to a single race. There is a possiblilty that a section of the memory card was bad but since I do not know anything more about the 'second' memory card I cannot validate this.

"Corruption of memory, whether on the host or Accu-Vote

Apparently the Diebold machines screwed up in FLA

lifted from a blog [blogspot.com]:

A remarkable exchange concerning Diebold's voting machines in Volusia County, Florida. On January 17, 2001, Lana Hines, a county elections official sends out an inquiry as to how Al Gore ended up with a vote-count of -16,022. That's NEGATIVE 16,022--which just happens also to have been the total number of votes cast for various independent and third-party candidates who also ran. (It was the largest number of such votes cast in Volusia County's history.)

Pay close attention to the final entry, from "Tab"--that is, Talbot Iredale, Vice President of Research & Development at Global/Diebold. The most troubling of his statement is in bold below. Iredale writes: ...the error could only occur in one of four ways:

1.Corrupt memory card. This is the most likely explaination for the
problem but since I know nothing about the 'second' memory card I have
no ability to confirm the probability of this.

2.Invalid read from good memory card. This is unlikely since the
candidates['] results for the race are not all read at the same time and
the corruption was limited to a single race.There is a possib[ili]ty that
a section of the memory card was bad but since I do not know anything
more about the 'second' memory card I cannot validate this.

3.Corruption of memory, whether on the host or Accu-Vote. Again this is
unlikely due to the localization of the problem to a single race.

4.Invalid memory card (i.e. one that should not have been
uploaded). There is always the possib[i]lity that the 'second memory card'
or 'second upload' came from an un-authorised source.

And that's only the tip of the iceberg.

When will this all-important story break out in the US mainstream press?

And Diebold has been sending cease-and-desist letters out to people who have covered this. This particular mistake looks like a screw-up rather than fraud, but either way I want no part of it.

Rant: Time to Start a Blacklist

I want the names of all the Diebold technical personnel involved with these machines so I can add them to our hiring blacklist.

Perhaps I've been living in an idyllic career vacuum, where everyone is competent and of good character -- and perhaps that's why I'm completely, jaw-droppingly astonished beyond words after reading Scoop's copy of the internal Diebold memos. With the possible exception of $(MUMBLE_SALTPILE_MUMBLE), I've never witnessed such opaque incompetence. These "engineers" not only don't know what they're doing, they clearly don't want to know what they're doing.

That whole "explanation" as to why a password on the database would be "pointless", since GEMS needs a password to add vote records... <*shaking head*> It's crystal-fscking-clear that they want an anonymous database user/account (the voter) that can only append records (votes) to the database; it must not be allowed to read or modify records. Read-only accounts are given to the vote counters and, if you really need to, a single strongly-passworded read-write account is given to the election commissioner. Once you establish these requirements, you then look for software that will do this for you. If MSAccess won't do it, junk it and move on. If no existing databases will do it, then My God, you're going to have to do some actual engineering! .

These idiots are trying to fudge the requirements because, apparently, they don't want to have to use any software they can't scoop up at Fry's (and, apparently, writing their own software is an anathema). I mean, yeah, their incompetence has placed the integrity of the Republic at risk, yadda yadda yadda, but am I the only person who sees their behavior as a kind of disinterested laziness? I can sort of understand people who are disinterested in the act of voting because the hiring roster has been stacked. But I mean, for God's sake, what kind of self-respecting person -- never mind software engineer -- would demonstrate such a profound lack of interest and respect in designing a fundamental instrument of democratic principles? If it were me, I'd be lying awake at night, worrying that I wasn't dilligent enough, wasn't smart enough to take on work of such profound importance. It would probably eat me alive, because any screw-up could be disasterous, because doing an excellent job would be so absolutely critical . But no, these guys are just phoning it in, tossing aside crucial security concerns with utterly stupid aphorisms such as, "Passwords actually don't matter much..."

Blacklist them. The software screwup you avoid may be your own.

Schwab

DIEBOLD: Cease & Desist THIS:

Diebold objected to publishing a link to a foreign web site which in turn published links to the Diebold memos, and our ISP caved. More on this here [blackboxvoting.com], and you'll find the letter from the Diebold attorney [thoughtcrimes.org] here -- and for a small hoot, please notice that the letter, which is not copyrighted, includes the link (three times) which they object to, and therefore republishing the letter telling people not to publish the link actually serves to publish the link.

Here is what I have been doing all day:

Reporter: Why is Diebold sending cease and desists?
Me: Because they don't want anyone to see their memos
Reporter: Oh. What is in the memos?
Me: Oh, things about security flaws and using uncertified software and using cell phones to intercept and transfer votes and discussions of how to fake things...
Reporter: Wow. Where can I download these?
Me: At this web site [211.117.160.48]
Reporter: Okay I'm going there now, okay, it's downloading, when I'm done will you give me a guided tour?
Me: Sure. And here is a neat little web page [globalfreepress.com] where you just enter any search term and it instantly searches and find you the Diebold memos that match
Reporter: What search terms should I start with?
Me: Try "boogie man" and also "hack" "cel phone" "broken" "fake" and one of my personal favorites, "What good are rules"
Reporter: I'll try that "what good are rules" one. Found it. Gosh, what is he doing? Is that legal?
Me: No.

And so it goes. Excellent plan, Diebold. Yes, shut down a web site, that'll help.

Besides reporters, the memos were downloaded today by the U.S. House of Representatives.

This is ludicrous

You can check fingerprints on paper too you know. And with paper, you have the ability to say "This ballot was held by X and he voted for Y", whereas with a screen with some 5000 people touching it in 1 day, good luck finding any useable prints.

Re:This is ludicrous

Not to mention that someone only need pull their sleeve over their finger if they're really that paranoid.

MDB? Are these people serious? They think Access has a chance of holding this number of records? I bet a single machine would be crawling by the end of a day.

And if they're going to export to a more suitable db anyway, why not just stick postgres or mysql on there to start? They need only be configured once, same as Access.

Not to mention the incredible drop in required hardware resources, which times all the voting machines to be used is tax money much better spent.

It seems to me that these voting systems should be given to a bidder, and then whatever system they consider can be scrutinized. Faster, cheaper, better, safer...

Re:PORKY PIG DAVIS CLINTON BLACK HELICOPTER

I'm inclined to agree with you on the punch card issue delaying the CA election. However, I think punch card systems should be replaced with better systems if possible.

Pray that Queen Hillary the First doesn't make it into the white house in 2004, because if that happens who knows, we may see judges deciding elections from now on.

Isn't that what happened in the last presidential election? As a Democrat, I'm not bitter about it. The bottom line is that FL was a statistical tie; the margin of victory was smaller than the margin of error for ballot tallying. Nobody really knows what the intent of the electorate was with sufficient precision to state with true confidence who "actually won". Both parties were playing games with recount methods to try the skew the results in their favor. The irony is that subsequent analysis suggests that both parties were wrong about which method would have supported their candidate best.

I take away some different lessons from FL than most.

(1) The electoral college has some usefulness. The president is elected by electors, not popular votes. Therefore there is no question that Bush received the electoral votes of FL and that therefore he is the legitimately president of the US. There is a question whether the electors voted as they ought to have; however they are not really bound to vote in any particular way. If they voted with what was, in their opinion, the plurality of the electorate, then they really can't be criticized.

(2) Electronic voting machines would have helped, provided there was no fraud. The problem is of course it is impossible with current generation machines to prove this. There is no doubt that in the absence of fraud electronic machines would provide a more precise count. However,

(3) Concern about precision of tallying is misplaced. The real problem is that the method of the election, plurality voting, is so bad. Suppose Bush won the plurality of voters; this is by no means certain, but it doesn't really matter. Gore would have won by a clear margin in a head to head race, but Nader spoiled the election for him. I don't want to get into an argument about whether Nader should have taken this into account. No candidate should ever have to take the possibility of election spoiling into account, because we should have an electoral system which handles multi-way races better.

In short, electronic voting machines are a "quick fix" to a broken system; however they're fixing an aspect of the system that really is not so terribly bad. Even if they were perfectly secure, auditable and accurate, which they are definitely not, they wouldn't make much difference at all, especially in the CA recall election.

The real reason that the CA recall election should not go forward is that plurality elections with over a hundred candidats are nearly bound to produce a capricious result. Virtually the only system that is workable in this scenario is approval voting. Under approvial voting voters would check off all the candidates they would consent to have as governor. The candidate most widely approved of wins. Approval voting is simple to understand, requires only a single round, doesn't require the voters to rank candidates in an enormous field where they may not be familiar with most of them.