Domain: notablesoftware.com
Stories and comments across the archive that link to notablesoftware.com.
Comments · 25
-
You misunderstand the paper trail
1. I never said fraud on paper was imposible, or didn't exist, in fact I explicitly stated that fraud using paper ballots is possible. I said it is harder to pull off than purly electronic fraud.
2. As Megaditto pointed out. The idea is the voter sees the paper ballot before it gets put into the locked box. Through your assertion that the voter would get to keep a reciept you have made it abundantly clear that you do not understand the idea being discussed. I suggest you read up on it, you could start here or here. Then you could come back and have an informed discussion on the mater if you still feel as you currently do.
3. Only a fool would assert that you can make any system completely fraud proof, but likewise only a fool would suggest that all systems susseptable to fraud are of equal usefulness. The goal is to make fraud as hard as posible to pull off. -
Misses the pointWhile this article was nicely supportive of open-source software, the author misses the real problem of computerized voting: lack of auditability.
There is a growing consensus that, in order to be trustable, election machines have to produce a paper ballot that can be hand-counted in case a recount is required. See, for example this article for a authoritative discussion of the issues by a recognized expert in the field.
-
Re:Ireland didn't ban e-voting> So, it hasn't been banned, just postponed.
That's the current line from the Irish Government, anyway. They're hoping the commission which damned the e-voting system will come to its senses when they complete more tests, and that they will turn around and give it a big wet seal of approval.
Of course, since they've wasted^H^H^H^H^H^Hinvested over EUR50 million on the system already, and our country is small enough that this isn't small change, they're not exactly likely to own up and admit that they're guilty of misappropriating public funds. At least not until after the elections this June.
But anyway. My advice is to keep pushing the fact that computer security experts are united and unequivocal in rejecting e-voting systems unless they involve a voter-verified paper ballot (also called a voter-verified audit trail). This is what seemed to have the most effect in Ireland. Start with the Association for Computing Machinery, then Dr Rebecca Mercuri, then Bruce Schneier, and so on...
--Adrian.
-
Quick background
The system proposed for use in Ireland and dismissed by the Commission's report today is the Nedap/Powervote system, variants of which are used in the Netherlands and parts of Germany. It's a kiosk-based DRE system which uses glorified memory sticks to store ballot records. It was developed in apparent ignorance of the voter-verification requirement.
Because the developers used the waterfall method, and didn't find out about the audit requirement until customer acceptance testing, they baulked at the idea of going back to the drawing board, and instead bolted on a useless printout-of-ballot-module-contents facility, and called it an audit trail.
Their salesmen are very good, and the Irish Government agreed to buy the system (total cost over 40 million euros) at the height of the Florida debacle in late 2000. Since then there have been reports, objections, and all manner of outcry from IT professionals in Ireland. Even the entire Opposition (elected politicians not belonging to the ruling coalition) opposed the system. The Government maintained a constant mantra: the system is accurate, the system is thoroughly tested, you're all a bunch of Luddites for thinking differently. Eventually the Irish Computer Society joined in, and the Minister promptly accused them of being a front for the anti-globalisation movement.
The writing then being on the wall, the Government then appointed an independent Commission to examine the system and its testing, hoping for a graceful way out of the political corner. The Commission's report, however, is rather more damning than they hoped. In my personal opinion, this has more than a little to do with the fact that noted software expert David Parnas assisted the Commission, and he's a good deal more methodical and careful than Nedap/Powervote seem to have been.
--Adrian.
-
Re:Electronic Voting
You would trust a piece of paper more than an electronic system?
Yes, because I can watch the paper myself, with my own eyes. Anyone can guard the ballot box, too. The electronic system cannot be so carefully guarded against nefarious programming or vote tampering. Paper can tell how it has been produced and handled when inspected closely enough, but bits do not track their history. So yes, I trust paper more.
See Rebecca Mercuri's Statement on Electronic Voting for details. Mercuri was one of the first on the scene after the Florida election glitch in the 2000 Presidential election because she'd already written a Ph.D. dissertation on electronic voting. Few people had expressed interest before then.
In electronic voting, votes are completely orthogonal. You either vote FOR someone or AGAINST someone; there are no hanging chads.
Direct Recording Electronic, internet, and telephone voting (see electronic voting) do not allow for the voter to be ambiguous, but mark-sense and punch card voting both can have problems with ambiguity. There are benefits and drawbacks to each type of voting.Also, the possibility of votes being changed while being transmitted can be reduced to practically nothing by using cryptographic techniches along with well-known channel coding schemes.
This is good - but the real challenge when we start to use cryptographic solutions to voting problems is that most people don't understand how it works. Consider David Chaum's brilliant scheme for allowing you to take a recipt to verify that your actual vote was counted, but to not reveal how you voted unless you happen to have that other piece of paper that you destroyed at the ballot box. It's a beautiful system for verifyability, but it falls flat because a room full of computer scientists don't understand it in minutes - so the average election supervisor surely won't understand it in a few hours.I wouldn't say I have a fear of electronic voting systems. I simply have a fear of trusting my votes to a computer running a program written by a fallable, corruptable human being on a system designed and built by the same sort of human - and depending on all of it to work reliably without any sort of audit trail.
-
Re:No!
It does NOT mean (necessitate) paper audit trails, and this goal is much more easily solved by a purely electronic system anyway.
The audit trail must be fixed in some media. Are you suggesting burning everyone a CD-ROM of their vote?
You slashdotters have this incredible tendency to latch onto an idea without bothering to express concrete reasoning behind it.
Many experts have explained their call for voter verified paper audit trails:
Currently, paper is the most widely used and understood medium for protecting valuable documents and verifying important transactions, such as those dealing with money, property and legal matters. If the permanent ballot record exists in an electronic, rather than paper format, the electronic record can be easily altered after it has been cast and therefore is not permanent. No audit medium is tamper-proof, but a paper audit trail is more permanent and transparent than a digital audit trail that depends on software not readily apparent or understandable to stakeholders, particularly voters.
Or:Various technologies have been proposed to meet this requirement, but to date only one has been used in elections: a paper ballot marked with the voter's votes (including contests not voted), in plain language understandable to the voter. Unless and until a technology is developed that offers equal or superior security at an equal or superior price, CPSR strongly advocates that the votes of every voter be recorded in plain language on paper at the time that the vote is cast, and that the paper ballot be retained in ballot boxes and treated as an official elections document. All DREs should produce a paper ballot that may be inspected by the voter prior to completing the voting act.
Or:* Fully electronic systems do not provide any way that the voter can truly verify that the ballot cast corresponds to that being recorded, transmitted, or tabulated. Any programmer can write code that displays one thing on a screen, records something else, and prints yet another result. There is no known way to ensure that this is not happening inside of a voting system.
You have yet to explain your reasoning.
Do you work for Diebold or something?
-
paper trailFunny that this should appear today. Just a half hour ago, I was sitting in a room listening to a talk by Rebecca Mercuri, one of the big names in Electronic Voting theory. She even talked about the Fairfax situation. You wouldn't believe the horror stories she had to tell about electronic voting.
But anyways, it's not enough that there be a paper trail. The trail needs to be voter verified. That is, the voter must be able to inspect the paper record that the machine creates to make sure it is accurate. Of course, this isn't all. You also want to make sure that the paper is in the vote counting critical path (ie, the machine isn't printing one thing but recording something else which is used to do the counting). One way to do this is to perform all counting using optical recognition on the paper trail. There are other more complicated ways to do this as well, but the simplier the better. After all, your average American needs to be able to trust that his/her vote is counted. With the current crop of black box voting machines, this just isn't possible.
-
Rebecca Mercuri: Electronic Voting ExpertRebecca Mercuri is the foremost expert on Electronic Voting. Her web site is chock-full of useful information, including many of her publications on the topic.
Mercuri has been interested in electronic voting since the 80's. She put up a web site when she noticed the 2000 Presidential election falling into confusion, and within 15 minutes had a call from the Associated Press - who had found her web site. She has testified before Congress and the U.S. Supreme Court about voting systems.
She devised the Mercuri Method of electronic voting, whereby the electronic voting machine prints a paper ballot for the voter to verify after casting the vote.
-
Re:Isn't potential election stealing worrying?
I'm not sure it needs to be open source. At the least I'd like to be able to download a binary image of their entire "vote machine" and play with it on appropriate hardware. Of course, appropriate hardware may also be difficult to come by.
Bottom line: Open source by itself isn't enough. The current process appears far from anything likely to provide solid gaurantes. -
HAVA and voting errors.
The HAV act (help amerca vote), created a land rush by mandating a minumum number of touchscreen voting machines by 2004. The stalking horse provision in the bill is that blind people cant use most voting systems without assistance, and people in wheel chairs have difficulties as well. Noble motivation yes, but the cure is worse than the problem.
This land rush was led by diebold with a first-to-market system. they acheived this by using off the shelf components and OS and DB. THe system has not proven reliable or safe. I wont regurgitaete the accusationsof fraud, except to mention that any time elections differ by 6 sigma from poll results someting reeks. Unfortunatley other companies ESS and Sequoia tried to keep pace. the ESS systems at least have the benefit of actually failing to boot so often that florida has abandoned them! THe Sequoia system is the best of the lot but still has its own flaw. At least the sequoia people, when pushed, seem to be trying to respond to the demand for voter verified balloting.
The good news is that After pressure by california's santa clara county (19 million dollar
contract), Sequoia voting system has agrees to implement (at no cost) a
voter verified, recountable, paper ballot in addition to the touch
screen systems.
(see here )
Already the House of representatives has a bill pending ( The Voter
Confidence and Increased Accessibility Act of 2003) that will require
all touch screen voting systems to be voter verifiable.
(see here )
Indeed the entire country of brazil, which has 400,000 electronic
voting machines has decide to replace them with voter verifiable
systems.
(see here )
A 95 page caltech and MIT study surveying many years of voting reports
that among all voting methods, the method with the single largest
average error rate is electronic voting, which is senate and
gubenatorial elections has almost TWICE the error rate of optical scan voting. This means that by enfranchising blind people we disenfranchise far more people. a bad trade.
(see here page 21 )
Indeed reality is much worse since that's just an average, since
electronic voting errors tend to be both non-random and clustered in
catastrophic events.
For example, Bernalio county in Albuquerque reported 48,000 voters went to the polls
but only 36,000 votes were registered on Sequoia voting systems.
(see here )
Similarly, many votes were lost in the latest election in florida
counties using Sequoia voting systems. Janet reno is investigating
cases where heavily democratic counties registered ZERO votes for any
democrat. Sequoia systems has presented Los Alamos FALSE information
of Seqouia systems. For example, they claimed it did not run on
windows OS. In fact WinEDS their database collection system is based
upon microsoft OS, and uses a Microsoft-based SQL DB, and the password for
this system is "password" (really!).
(see here )
You can in fact obtain this very minute on CD rom a program which will
break into any diebolds MS ACCESS based database and change results then erase all log
entries of the intrusion. It's easy to imagine that SQL can nbe attacted too either by security hoiles or user admin mistakes in the table grants.
Sequoia's Glowing reviews in florida, santa
clara and Lousianna counties are somewhat marred by the fact that the
Luosianna county agent who reviews them highly is now under indictment
for a payoff from seqouia, like wise the santa clara and florida
registrar have both been (publicly) paid off by the -
Re:Paper receipts might not matter
You need to distinguish a paper receipt (which, as you point out, is wastepaper or worse) and a paper ballot that gets counted. Using the same word, 'receipt", for such different concepts, is a bad mistake.
This is what Rebecca Mercuri describes as the Voter Verified Balloting concept. She discusses it in her dissertation, and in a RISKS digest article.
-
Re:Paper receipts might not matter
You need to distinguish a paper receipt (which, as you point out, is wastepaper or worse) and a paper ballot that gets counted. Using the same word, 'receipt", for such different concepts, is a bad mistake.
This is what Rebecca Mercuri describes as the Voter Verified Balloting concept. She discusses it in her dissertation, and in a RISKS digest article.
-
Re:A quick review of known Diebold problems
Also see Rebecca Mercuri's site for in-depth (and rather academic, not a bad thing when talking about this topic) articles. This was also linked to here, before.
-
does the public know or care?
I think most here would agree that electronic voting systems are a waste of time without a physical audit trail, but as far as the public's concerned, hi-tech is better...as long as I have a nice GUI where I can go File>Vote>Undo I'll be happy to click and then shuffle out of the voting booth with a confident but bewildered smile on my face.
She's done a fair amount of research on electronic voting systems. -
Open Source doesn't solve this problem!
"Why isn't this code open source by law?"
This wouldn't fix the problem of faulty(by design) hardware, lack of audit trails, and no trust in the delivery method.
Sure with open source we can see the code, but that doesn't help if it is compiled by a compiler that you can't see the code for, run on microchips that you can't see the code for, and administered by people you can't trust.
The ``but it should be open source'' comment that gets thrown around in every single story about electronic voting does not take into account everything that happens to the code _AFTER_ we would be able to see it.
Anyway,
here is a link to a page on Electronic Voting:
Dr. Mercuri's Page on Electronic Voting
--xPhase -
Eletronic voting in the real world
The Brazilian government converted to fully electronic voting in 2000, deploying over 400,000 kiosk-style machines. Although our elections are often compared to those in the US, they are actually quite different because the voters cast ballots by using numbers assigned to each candidate (this is necessary because of a high degree of illiteracy here).
Concerns regarding accuracy of the self-auditing systems caused the legislature to mandate a retrofit of 3% (some 12,000 machines) to produce a paper ballot that the voter could peruse and deposit in a box for recount (the first large-scale use of the "Mercuri Method" -- described more fully here "A Better Ballot Box?").
These paper-trail machines were successfully used during the October 6, 2002 election, and it is hoped that their other machines will eventually be retrofitted as well. Further discussion on this subject can be found in the article: "The importance of recounting votes" by Michael Stanton (originally published in Portuguese as "A importância da recontagem de votos", on the website of the Agência O Estado de São Paulo, November 13, 2000, http://www.estadao.com.br/tecnologia/coluna/stanto n/2000/nov/13/194.htm). There is also an informative website: Brazilian Electronic Voting Forum by Amilcar Brunazo Filho.
-
Two Web Sites (there are many others)
Before anybody applauds the idea of electronic voting, it would be wise to take a look at the following two web sites, and the links therein:
Notable Software
Black Box Voting
Then feel free to start talking about the merits of a rush to e-voting... -
You don't know what you're talking about
Find out why a computer science professor who has forgotten more about computers than you are capable of learning leads the opposition to electronic voting machines with audit trails existing only in your imagination here.
-
Re:Electronic voting ... where's the code?
Does anyone have any information on how (and to what extent) voting machines are audited?
Basically, they're not. Not only that, but they're typically being designed in other countries; and they're protected by the DMCA from anyone to even attempt to audit them by opening the voting machines up and taking a look around inside (including the government itself!).Rebecca Mercuri did her CS PhD thesis on this very topic. Here is her summary. She's often quoted on this topic.
-
Rebecca MercuriRebecca Mercuri has a checklist which asks several questions which must be answered for an electronic voting system to be secure, accurate, and trustworthy.
The bar is set pretty high, so unless each question can be answered, electronic voting is a poor solution.
- What means is used to separate voter identity from voted ballot?
- How is the balloting process secured such that voter submissions can not be observed, or recorded in any way that is traceable to the individual voter?
- What actions on the system are audited?
- How is the auditing process precluded from associating voters with cast ballots?
- How is the audit trail accessed and used?
- Who is permitted to access the system (through all aspects of handling)?
- What facilities are provided for recount purposes?
- How are voters authenticated and authorized to cast ballots?
- What access controls are in place to ensure single ballot per voter per election?
- If multiple systems are deployed, how are voters tracked so the same person does not vote in different formats?
- What controls are used to ensure that the correct ballot is provided to the voter?
- What controls are provided to ensure that each ballot item is voted properly?
- How are all forms of tampering detected and prevented?
- How is vote confirmation provided without ballot-face receipt?
- How is the voter prevented from retaining a copy of the cast ballot?
- How does the system assure that each ballot has been correctly recorded?
- How does the voter know that a cast ballot has been accepted?
- How is vote tabulation correctness assured?
- What features are employed to ensure operability of the voting system throughout the election?
- How are downtimes handled in the event that they do occur?
- What alternative balloting system is available for voters when the system is down?
- How do the poll workers and system administrators know that the system is operating correctly?
- How is the voting system precluded from use when deemed inoperable?
-
Re:Holy moly!
I'd really like to know why private business has so much sway over government in these sorts of things.
See, there's this thing called "bribery". It'a a major factor in this other thing called "corruption".
You're forgetting Hanlon's Razor. Having done some contracts for government, the truth is often simpler.
Consider the typical bureaucrat, a lifer whose main skills are political. You've got a person who is risk-averse, ignorant of the outside world, and in charge of something important. They write up a nice request for proposal (RFP), and three months later they get back a bunch of proposals. They immediately throw out all the ones from small or new outfits, because even if they are innovative, they might not be around long enough. Then they pick the safest, shiniest one and send them a big ol' check.
If the bureaucrat is smart, dedicated, and careful, this system works pretty well. And honestly, a surprising fraction of them are. But generally a good marketroid can run rings around the bureaucrats.
To my mind the main problem is that bureaucrats say, "Gosh, I am a smart and broadly educated person; I can understand all this." But they don't, and so they get suckered.
Note that geeks are not immune to this. During the 2000 Election foofaraw, I can't count the number of people who said, "Gosh, I could hack together something much better than this paper ballot thingy." But electronic voting has a metric shitload of subtle, unresolved issues; some pretty smart people say it's either impossible or just very, very hard to do right.
So look it as a combination of naive geeks and naive bureaucrats, with some pretty ordinary businesspeople in between. The result is the same, with no bribery needed. -
Expert Mercuri, founder of NotableSoftware views
The expert ("Rebecca Mercuri, a computer science professor at Bryn Mawr College in Pennsylvania") that testified in this matter founded NotableSoftware.com and has this statement
"I am adamantly opposed to the use of fully electronic or Internet-based systems for use in anonymous balloting and vote tabulation applications."
here. Go there for lots more information and links. -
Expert Mercuri, founder of NotableSoftware views
The expert ("Rebecca Mercuri, a computer science professor at Bryn Mawr College in Pennsylvania") that testified in this matter founded NotableSoftware.com and has this statement
"I am adamantly opposed to the use of fully electronic or Internet-based systems for use in anonymous balloting and vote tabulation applications."
here. Go there for lots more information and links. -
Pentagon tried this, too.Pentagon tried this, without apparently testing sufficiently the security at the user end of the voting, Yahoo article from the 10th (I submitted an article but it was 86'd) It would be interesting to see how the Pentagon's $6.2 million project fares if they invite all the pesky would-be crackers who are always assailing their servers. Give 'em a carrot, say, if you can bust it you get an M1A1 for a weekend.
Rebecca Mercuri's "Why it won't work" statement on online voting.
-
More information about why this is BAD......can be found at Rebecca Mercuri's site, http://www.notablesoftware.com/evote.html.
Quoting from her site: (Read the rest, it's worth it!)
I am adamantly opposed to the use of fully electronic systems for use
in anonymous balloting and vote tabulation applications. The reasons
for my opposition are manyfold, and are expressed in my writings as well
as those of other computer security experts (many papers are linked below).
To briefly summarize my opinion (based on a decade of research) on this
matter I state the following:
-
- Fully electronic systems do not provide any way that the voter can truly
verify that the ballot cast corresponds to that being recorded, transmitted,
or tabulated. Any programmer can write code that displays one thing
on a screen, records something else, and prints yet another result.
There is no known way to ensure that this is not happening inside of a
voting system. - Electronic balloting systems without individual print-outs for examination
by the voters, do not provide an independent audit trail (despite manufacturer
claims to the contrary). As all systems (especially electronic) are
prone to error, the ability to also perform a manual hand-count of the
ballots is essential. - No electronic voting system has been certified to even the lowest level
of the U.S. government or international computer security standards, nor
has any been required to comply with such. Hence, no electronic voting
system can be called secure (despite manufacturer claims). - There are no required standards for voting displays, so computer ballots
can be constructed to be as confusing (or more) than the butterfly used
in Florida, giving advantage to some candidates over others. - Electronic balloting and tabulation makes the tasks performed by poll workers,
challengers, and election officials purely procedural, and removes any
opportunity to perform bipartisan checks. The election process is
entrusted to a small group of individuals who program and construct the
machines. - Internet voting provides avenues of system attack to the entire planet.
If the major software manufacturer in the USA could not protect their own
company from an Internet attack, one must understand that voting systems
will be no better (and probably worse) in terms of vulnerability. - Off-site Internet voting creates unresolvable problems with authentication,
leading to possible loss of voter privacy, vote-selling, and coersion.
These systems should not be used for any government election.
Also, the RISKS Digest has several articles in recent issues about this; it's archived at http://catless.ncl.ac.uk/Risks -