Observer Pans Touchscreen Voting Test

riversidevoter writes "I recently observed the Logic and Accuracy 'test' given to the touchscreen voting machines in Riverside CA. Riverside County uses voting machines and software from Sequoia Voting Systems. The voting kiosks do not produce a voter-verified paper trail. As a computer programmer familiar with software testing, I was really disappointed at what I saw." Read on for his critical observations of the demonstration.

riversidevoter continues: "WinEDS, the program that is used to count votes, was only tested in a pre-election mode. The software was not tested in the configuration that it would be in on election day.

In addition to that, people signed a form that said that they had verified the results of the test before the test had finished running. Mischelle Townsend, the Riverside County Registrar of Voters, told Salon that the form that people signed was just an attendance form. But the form clearly states 'We the undersigned declare that we observed the process of logic and accuracy testing of voting equipment performed by the Riverside County Registrar of Voters, as required by law and that all tests performed resulted in accurate voting of all units tested, including both touchscreen and absentee systems.'

You can see a copy of the Salon article here. You can see a copy of the form that people signed here.

I also believe that the observation group that witnessed the test was given a misleading description of Sequoia's system. For example, the fact that the votes are transferred from the DRE to a SQL Server database to be counted was never fully disclosed to all the members of the group.

Also, the sheer number of times that the phrase 'proprietary operating system' was used, among other things, helped to create the impression that Sequoia's system is not as reliant on Microsoft Windows as it really is.

I have created a website about this issue; please take a look at it.

On the website you can find my report on what happened that day (which outlines several problems I haven't mentioned in this posting) as well as some supporting documents. There is a letter and a note from Mischelle Townsend in which she mentions mailing the results to people or having the test results be picked up 'afterwards'...."

Unfortunate.

If they don't do it right on the first try, e-voting won't ever take off.

Re:Unfortunate.

No, it's more unfortunate than that. It will take off, despite not being done the right way, because it costs less/looks good/is progress. The public won't realize it wasn't done right until something happens. If we're lucky it'll be small. More likely the small problems will be swept under the rug and the first clue the general public has about the problem is when a presidential election is hacked. And there won't be a backup.

Re:Unfortunate.

Mind you, there's no way the current system can be hacked at all. Just ask President Gore.

Re:Unfortunate.

Mind you, there's no way the current system can be hacked at all. Just ask President Gore.

You might want to check the next story's article [why-war.com]:

"a Diebold machine registered

16,022 negative votes for Al Gore [why-war.com] in Precinct 216 in Florida in the 2000 presidential election."

Wooo Whoo e-Voting. NOT!

...but it is certainly not hard to pretend to be someone who died 50 years ago. This has happened before. If they could make a secure E-voting machine...

Yes, a secure voting machine that depends on the motor voter registration system so all the non-resident and undocumented aliens can vote along with all the dead people. You'd most likely jump up and down with glee if they web enabled the registration and voting systems because Secure e-Voting (TM) has to be better. Right?

From what you say you seem to think someone stands in line and votes the graveyard. The Chicago method is to get control of the voter registration rolls for a district and 'add' the graveyard. Then the 'impartial' volunteer election judge checks off the extra names and stuffs the ballot box after the polls close.

Any voting system without a 100% human readable audit trail that is accessible to the voter at the time they place the vote and without a 100% reliable method of matching a ballot to the registration list is vulnerable. What plagues the voting system in the US is we are too cheap to devote the required resources to the system. The UK and many European countries have next day election results using paper hand counted ballots. They however don't try to have only 17 polling places in a city of five hundred thousand, as is the case in so many US cities.

Re:Unfortunate.

What is really unfortunate is that the e-vote will result in no possible investigation of another 2000 election. I wonder which political party is in charge of the voting system. Diebold has strong Republican ties, Can anyone claim indifference?
Maybe use the UN, Canada or Mexico to supervise the election hardware. (never happen)
I believe this system could be another jack boot on the neck of freedom.

Oh Boy....

Just when you thought FloridaGate 2000 was out of everyone's mind, we bring you CaliforniaGate 2004: Rise of the Machines

Re:Oh Boy....

Don't blame florida, blame the country for sending it's parents/grandparents to retire here :)

In other news...

People who used the new voting system are believed to have voted for an independent operating system, dispite the fact that the test was on a faux-presidential race.

According to this text Linux was voted into the White House. We suspect Apache will be selected as running mate, though rumors say Samba is also a consideration.

Civil Disobedience against DMCA and Diebold

Diebold is trying to hide [theinquirer.net]the problems behind their Voting Machines behind DMCA.

The Good students at have decided this will not stand. [swarthmore.edu]

Re:Civil Disobedience against DMCA and Diebold

Read the diebold memos:
http://why-war.com/memos/s/lists/

Search the diebold memos:
http://why-war.com/memos/cgi-bin/search.pl

MEMO EXCERPTS

"Elections are not rocket science. Why is it so hard to get things right! I have never been at any other company that has been so miss [sic] managed."
source: http://why-war.com/memos/s/lists/announce.w3archiv e/200110/msg00002.html

"I have become increasingly concerned about the apparent lack of concern over the practice of writing contracts to provide products and services which do not exist and then attempting to build these items on an unreasonable timetable with no written plan, little to no time for testing, and minimal resources. It also seems to be an accepted practice to exaggerate our progress and functionality to our customers and ourselves then make excuses at delivery time when these products and services do not meet expectations."
source: http://why-war.com/memos/s/lists/announce.w3archiv e/200110/msg00001.html

"I feel that over the next year, if the current management team stays in place, the Global [Election Management System] working environment will continue to be a chaotic mess. Global management has and will be doing the best to keep their jobs at the expense of employees. Unrealistic goals will be placed on current employees, they will fail to achieve them. If Diebold wants to keep things the same for the time being, this will only compound an already dysfunctional company. Due to the lack of leadership, vision, and self-preserving nature of the current management, the future growth of this company will continue to stagnate until change comes."
source: http://why-war.com/memos/s/lists/announce.w3archiv e/200112/msg00007.html

"[T]he bugzilla historic data recovery process is complete. Some bugs were irrecoverably lost and they will have to be re-found and re-submitted, but overall the loss was relatively minor."
source: http://why-war.com/memos/s/lists/support.w3archive /200207/msg00090.html

"28 of 114 or about 1 in 4 precincts called in this AM with either memory card issues "please re-insert", units that wouldn't take ballots - even after recycling power, or units that needed to be recycled. We reburned 7 memory cards, 4 of which we didn't need to, but they were far enough away that we didn't know what we'd find when we got there (bad rover communication)."
source: http://why-war.com/memos/s/lists/support.w3archive /200003/msg00034.html

"If voting could really change things, it would be illegal."
source: http://why-war.com/memos/s/lists/support.w3archive /200009/msg00109.html

"I need some answers! Our department is being audited by the County. I have been waiting for someone to give me an explanation as to why Precinct 216 gave Al Gore a minus 16022 when it was uploaded. Will someone please explain this so that I have the information to give the auditor instead of standing here "looking dumb"."
source: http://why-war.com/memos/s/lists/support.w3archive /200101/msg00068.html

"[...] while reading some of Paranoid Bev's scribbling."
source: http://why-war.com/memos/s/lists/support.w3archive /200302/msg00069.html

"Johnson County, KS will be doing Central Count for their mail in ballots. They will also be processing these ballots in advance of the closing of polls on election day. They would like to log into the Audit Log an entry for Previewing any Election Total Reports. They need this, to prove to the media, as well as, any candidates & lawyers, that they did not view or print any Election Results before the Polls closed. ***However, if there is a way that we can disable the reporting functionality, that would be even better.***" (emphasis added)
source: http://why-war.com/memos/s/lis

My letter

Greetings,

Recently, there has been a rise in the number of stories in the press surrounding the topic of electronic voting. I live in Oregon where we have chosen to vote by mail. At first, I wondered exactly why my State chose this route because electronic voting seemed to be attractive for a number of reasons.

After reading the various news stories and web postings present on various Internet web sites and forums, I have come to the realization electronic voting in its current incarnation is a highly suspect process.

The majority of voting machine manufacturers today wrap the inner workings of their machines inside contracts and licenses designed to cloak their products in secrecy. These cloaks when combined with the current state of intellectual property law make it difficult for the American people to understand and discuss the nature of the machines and their potential effect on the democratic process.

The American people need to engage this issue with all the facts at hand. The spirit of the law is not in line with the letter of the law in this case. The action of your students is commedable and worthy of your support.

"Those who cast the votes decide nothing. Those who count the votes decide everything." --Stalin

The right to vote is one of the founding principles behind our great nation. Changes to this process will have nationwide consequences on our society that we might not understand, but for the actions of a few people concerned about preserving the trust inherent to the core of the democratic process. These changes will affect each and every one of us and should not be made lightly or without due consideration of all the facts involved.

I urge you to consider the nature and purpose of the student actions along with the potential issues at hand before rendering your decision.

Respectfully,

( name )

Oh man...

People are so crippled by the more expensive == better heuristic they don't notice when the rug is being pulled out from under them. Electronic voting should be unconstitutional.

Re:Oh man...

People are so crippled by the more expensive == better heuristic they don't notice when the rug is being pulled out from under them. Electronic voting should be unconstitutional.

Who moderated this statement as "Flamebait"? It's absolutely true and I hope you get metamodded to hell.

Newer does not always equal better. Touch screen voting is not even a solution looking for a problem. It's a problem posing as a solution looking for a problem. It's so absurd. Advances in technology are not automatically a good idea. They should solve more problems than they create.

Is there really a need for computerization here? People who would scoff at the idea of robotic prostitutes will blindly accept the idea of computerized voting simply because it gets computers involved in the election process. Why is this automatically considered a good thing? People see pretty colored lights and they think it means their vote is safe and secure. It doesn't. It merely implies that the votes can be tallied more quickly than before- at the cost of a greater risk of fraud. But elections are held in November. Elected officials take office in January. This gives us two months to count votes, which means we should be optimizing for accuracy, simplicity, reliability, and verifiability. Not convenience. Not speed. Computers should stay the hell away. People perceive this strange need to make elections "modern" to avoid disenfranchising voters, and it makes no sense.

Is it such a hardship to live in a country that counts its votes slowly? What was wrong with punched cards? They actually performed very well in Florida, which was an extreme test of any electoral system- to a resolution of a few hundred votes. Most elections don't fall that close to a tie. And you certainly didn't need to worry that someone stole your vote. Touch screens are devices for disenfranchising voters. The original poster was right. Electronic voting should be unconstitutional.

Some things do not need to be optimized for speed and efficiency above all other concerns. Sex is one of them. Elections are another.

Re:Oh man...

Yes, but with a media that treats elections as game of red versus blue, getting the votes counted fast is much more important than getting it done right. Americans won't wait two weeks for a basketball score, and it just doesn't seem like an election if we can't see the tearful concession speech over the final swig of beer and last congealed nacho. Instant replays just slow the game down, they gotta go. I think the best voting system would be sticking it to a robot prostitute that looks like your candidate. It's perfect because they'll be sticking it to you for the next four years.

Accuracy could be easily assured...

First, after you vote, a 2-D bar code is printed. That code contains a record of your vote, with an encryption of the machine you voted at and your selected key. Nothing big, 4 digits. The critical part is the hardware key used on the machine.

A copy of this bar code is printed at the same time inside the system.

If there was an audit, randomly call people to determine their key. Although you could decrypt it, it's better than just leaving the votes lying around. Then, verify the accuracy.

Since I have a printed record at the time of the voting, I can use it to verify my votes. The local voting office could decrypt it, and then I can verify my votes.

Thoughts on this approach are very much welcome.

Re:Accuracy could be easily assured...

The accuracy problem cannot be fixed by voter receipts, since most voters will not know how to verify them. It can only be fixed by ensuring that the votes can be re-counted using some mechanism other than the computer that first recorded them.

Use the computer to help the voter prepare the ballot, print it out, and then have the voter hand carry it to the ballot box.

The computer can keep a running tally, but at the end of the day if the tally does not match a hand count of the box contents, then the ballot box is the only correct representation of the will of the voters.

It is easy to teach the average monkey to keep an eye on the ballot box for tampering, and to hand count the contents. Teaching the average monkey correct computer security skills is impossible, so that source of problems must be factored out.

Re:Accuracy could be easily assured...

If there was an audit, randomly call people to determine their key. Although you could decrypt it, it's better than just leaving the votes lying around. Then, verify the accuracy.

I am opposed to this. Audits shouldn't involve contacting the general populace. ATMs have internal printers for similar reasons; as a permanent physical audit trail in case of power failure or such.

Since I have a printed record at the time of the voting, I can use it to verify my votes. The local voting office could decrypt it, and then I can verify my votes.

I oppose this as well for privacy reasons. There is one basic privacy tenant in ballot voting that would need to be upheld by any electronic voting system: plausible deniability.

For example, if I'm being coerced or paid by someone to vote a particular way, I need to be able to tell that person that I voted the way he/she wanted even if I didn't. There CAN NOT be a way to track down who I voted for at a later time. That's not what the paper trail is for. Once a person has the ability to decisively prove to someone else which candidate they voted for, then votes can be forced or sold.

Here is what I would suggest:

A citizen enters the voting center, is authenticated as a registered voter by the volunteer staff, and given a vote card.

The citizen enters a voting booth (behind a privacy screen) and activates the selection kiosk using their vote card.

Once their candidates and referendums have been chosen, the machine prints out a 2D barcode on the vote card and returns it to them.

The citizen exits the voting booth with his completed vote card.

The citizen has the option to verify his barcode using a separate verification kiosk which deciphers and displays the barcode (behind a privacy screen, of course). Once satisfied, the citizen leaves the verification kiosk.

While a staff member watches, the voter deposits his vote card into the official ballot kiosk's card reader.

This kiosk reads the barcode, electronically sends the vote to the regional counting center, and keeps the vote card for future audits.

This method is very similar to conventional voting methods. As far as electronic voting goes, it has several advantages. The selection and verification kiosks are not online, so would be less vulnerable to hacking. The ballot box is the only networked machine, but is under close surveillance by the staff for physical access. In case it is compromised via the network, there is a stack of 2D barcodes underneath or inside it that can be used to audit the results. As the article mentions, audits SHOULD be performed periodically, even on results that aren't suspicious, just to verify that the count is accurate and no tampering has occurred.

The vote cards can be cheap paper mag-stripe cards with signed serial numbers that are overwritten when the barcode is printed. This gives the selection kiosk the ability to reject previously used, non-activated (unsigned), or duplicated cards. If there are no privacy issues (I'd have to think about this more), the card's serial number could become part of the 2D barcode as well. The card reader/writer and printer are all OTC products, which would help keep costs down. The selection and verification kiosks could use commodity PCs with no I/O except a touchscreen and the card unit. In fact, the verification kiosk doesn't need any input other than an eject button.

While such a system would fix usability issues and paper audit trails, it doesn't touch on the issue of voter registration fraud and such. That's a whole 'nother ball of wax.

Easy solution to this issue.

Let's just hold a vote to decide this issue and get it over with!

I'll supply the hardware.

The next revolution = voting.

I'm not a doomsayer or a OMG the world is ending yokel. But with more and more stories surfacing about the lacking credibility and accuracy of the 'new' school of voting....one can only come to see the outrage when people start to connect the idea (perhaps even falsely) that their votes are easily manipulated, miscounted, or simple footnotes catered to the wanted result.

This line: In addition to that, people signed a form that said that they had verified the results of the test before the test had finished running.

Scares the hell out of me.

Way cool..

I wish I could get user acceptance sign-off before I started testing.

http://verifiedvoting.org

Pleas join an existing, legitimate effort at http://verifiedvoting.org -

This site, rather than coninually dispairing at the fact that there are problems with electronic voting, has concrete steps that average citizens can take to make change.

this is the most serious threat to America

This electronic voting is the most serious threat to America that we have seen in our lifetimes. Most here realize that no computer voting system can be secure without serious efforts that are not even being hinted at here. Compromising the secrecy of the vote offers many ways to secure these sysetms. A more reasonable compromise would be a voter-verified paper ballot that is re-inserted into the machine.

Since the most basic steps to provide security are not provided here, it is clear that the intention is to make a system that has completely compromised the validity of US elections. For some reason the mainstream media has not taken note of how serious an issue this is. The people involved in the current electronic voting plans can not be trusted AT ALL. They either want to subvert the voting process themselves, or want to create a system that is easy to subvert at a vastly lower cost than current systems.

What can be done to raise awareness of this issue? How can people be convinved that we need elections that are not trivial to subvert? Is the American public so apathetic as to make this an impossible task? Are we completely doomed?

Re:this is the most serious threat to America

The beauty of electronic voting (to a subversive type) is that computers aren't machines to most people: they're magic. And magic isn't meant to be understood by anyone but the magician.

Okay, I don't mean that literally, but there is a world of difference between knowing that something is a machine and having any idea of how it works and how it interacts with other machines, and how that interaction may affect you, personally. How many individuals do you know that are perhaps computer literate to a degree, but depend entirely upon someone else to handle the inner workings of their systems? They have no choice but to accept the word of their local computer expert. Unfortunately, when that "expert" is on TV singing praises for the latest, greatest electronic voting system people will be inclined to accept what he says.

You and I and the majority of Slashdot readership may understand the fundamentals of computer and network security, but the vast majority of Americans do not. This doesn't make them stupid, it just means that they aren't computer experts. There is simply no reason that citizens should be required to be expert in such an arcane field of knowledge just to be confident that they are casting their votes the way they think they are. It is an affront to ask Americans to risk giving up one of their most cherished rights in exchange for speedier election returns. I mean ... what's the rush? If voting is worth doing at all, it is worth doing right.

My feeling is that with something this vital to our future, we should simply stick to basics, to something that Joe Citizen does understand and accept. After all, this isn't a nation of technojocks, it is a nation of all kinds of people, people that have a right to cast their vote and have it be counted (properly!) A paper ballot may be low-tech, but it does the job perfectly well, and is a damn sight harder to subvert than any electronic voting system will ever be.

The voter should cast a human-readable paper ballot as he has done for over two hundred years. It works, its been time-tested, and I've not yet heard a government official give a definitive answer as to why we need to change. If it is proven desirable to have an "electronic voting system" involved in the proceedings, the system should scan the vote already officially cast (and recorded!) on the paper ballot. In other words, the computer should simply be a tabulator, not the official legal repository of our votes. They can keep their touch-screens.

Known OS to hackers

Seriously, what OS isn't known to hackers/crackers? Fact is, the more obscure the OS the more interesting it becomes to crack.
The old question/answer "Why did you do it? Because it was there." tells the story of what will happen regardless of the OS chosen.
I'll admit that the script kidz may be able to hack-the-vote with a MS SQL server backend but I would hope that the network used (or whatever format of data transfer) would be a little more robust that a windows box in a DMZ.
But I'm sure that with a few days of coding it could be released from the bonds of M$... it is just SQL, right?

A piece of paper and a big X

Voting technology doesn't need to be any more complicated than that.

Sure, it may take a few hours to count all the votes, but they're verifiably countable and recountable, and seem good enough for most of the other countries in the world. Why does there have to be an electronic solution to this non-problem?

Seriously

Who is designing these systems? It shouldn't be that hard, seriously. It should be obvious what the design requirements are. In no particular order; Ease and clarity of use, secure and anonymous (as far as who voted for whom), the ability to record who was voted for in a non electronic medium and proof that a vote was registered and receipt to the voter in some form. Not to mention a backup system in case anything goes nutty. An obvious design would be to have all systems offline, when the voting times are over each station has a particular upload time assigned, they upload their data, it is checked for error and checked against their local data, if none of it differs, then all is well. The vote data should be encrypted on sight (inside the voting computer, before it is sent to the locol database) so there is no tampering locally and the keys should be known by the voting commission. They systems should be as fully automated as possible with well trained (and paid fairly) personal there to operate these machines. This is just off the top of my head, is it *that* hard to design these systems, really?

Petition on voting machines

Lead by none other than Martin Luther King III.
http://www.workingforchange.com/activism/petition. cfm?itemid=14993 [workingforchange.com]

Eventually

Just think, eventually we'll all be getting pop-up ads telling us who to vote for, while we're in the booths!

A method for electronic voting accountability

Here's an idea to make the process accountable, without requiring a mound of paper at the voting site.

1. Vote at the machine
2. The machine asks you for a PIN number.
3. The machine concatenates your voter registration number with the person you voted for and your PIN number, and computes a SHA-1 hash of the result.
4. The machine prints out your vote, your voter registration number, your chosen PIN and the hash on a reciept and gives it to you.

Later on, a text file is made publically accessible with a row for every vote. Each row would have only the hash and the person they voted for. The algorithm for computing the hash would also be published.

Anyone who is interested in confirming that their vote was properly recorded can look up their hash in the text file to make sure it lists the person they voted for.

Anyone who has a spreadsheet can do a recount.

Any third party with a bit of cryptography knowledge can write a web app for people to confirm that their hash was computed properly.

This method has the advantage of remaining completely anonymous and completely accountable.

Any thoughts?

I release this idea into the public domain.

Anonymous? Hell no...

This is what I love about these electronic voting discussions - people always come up with these solutions, and then ignore the fundamental principle of designing voting machines: it must not be possible, under any circumstances, for an outsider to verify your vote independently. Now, that sentence is worded poorly, so I'll give an example of the problem with this proposed system:

1. CREEP announces that they'll give $200 to anyone who votes for person X
2. Joe Public says "OK, I'm in"
3. Joe Public votes for X and remembers his PIN number
4. Joe Public goes to the local CREEP office and tells them their PIN, their VRN, and who they voted for
5. CREEP, using the freely-available hash function, creates their hash using the supplied information
6. CREEP then checks the list and sees if the vote was recorded
7. If yes, $200

Now replace "CREEP" above with "The Mafia" and "$200" with "the life of your family." Now you see the problem.

My proposed solution has always been the following:

-Vote on a computer (with a well-designed interface), which records votes and prints out a receipt with the name of the candidate and a simplified 2D barcode on it.
-Have a poster on the wall inside the boot saying "if you voted for X, your barcode should look like this"
-Deposit the recipt in the ballot box on the way out, as usual.

This allows us three counts: the machine, the barcodes, and the names. Any political party can request a count based on the barcodes, and if it's close they can get one based on the names on the ballots. As far as I can tell, this system is - at worst - no more prone to fraud than the current paper-based one. And you can't buy votes, since no personally-identifiable information is stored on the receipts (which voters can't keep anyways).

There's probably a logic gap in my solution: any suggestions?

Paper and Risk Assessment...

Electronic voting without a paper trail is never going to be secure to my liking.

That physical record of a vote is a crucial piece of evidence -- if there are no physical records, that's one less thing for any "bad guys" to have to worry about. It's one less audit point for any corrupt party.

With the input and compilation of data all within the same system of computers now, corruption can happen at any step -- input, processing, reporting, or combination -- with no "independent" physical record to be audited that might expose the corrupt results. Imagine a zealot programmer hacks a kiosk and tells it to re-write the votes after confirming it with the voter. The number of voters on the register would match the number of votes cast, so this would be difficult to discover -- there would be no physical records, which can be re-tabulated independently of computers.

Elections are high security risks, historically. Paper is not inherently evil. Just because paperless systems are possible, doesn't mean they're preferable. The more physical evidence, the better, I say...

Re:Paper and Risk Assessment...

It's not a paper receipt in the hands of a voter that counts -- as a matter of fact, that *is* worthless.

It's a piece of evidence that has to be stored by a process and made retrievable to the public. If any step of the process is violated (say, by someone trying to tamper with or destroy the evidence of the votes themselves), it points to the responsible party. That's what a good process does.

Demand optical scan machines

I have no idea why there is so much fantasizing over touchscreen voting. I've seen studies suggesting that its accuracy is actually worse than other existing technologies (optical scan) and is no better than the infamous punch card ballots. To top it off, optical scan machines are cheaper and leave a lovely paper trail (called a ballot) stored right inside the machine.

Media silence

I find it remarkable how silent the mainstream media is on this issue. When even the New York Times fail to mention any of the controversy over Diebold in a recent article on voting machines [nytimes.com] you know this is going to be an uphill battle.

However, if these machines are already in use, the next step would surely be legal action? Someone with the right to vote in an election should demand the right to cast their vote by means where there is proof their vote will be counted.