Slashdot Mirror

Call and get your Local Reps to Co-sponsor the "Voter Confidence and Increased Accessibility Act" or HR2239.

For more information go here: http://verifiedvoting.org/resources/hr2239_volunte ers/hr2239_effort.asp/

Or to read the bill in full: http://www.theorator.com/bills108/hr2239.html

Let's get this passed so we don't have to worry about anyone monkeying around in quite possibly one of the most important elections this country has seen in decades-with two very divergent paths for the American people.

According to this: http://www.verifiedvoting.org/article.asp?id=2449 Democratic Secretary of State Kevin Shelley is being sued by Republican-leaning counties because he blocked the use of these broken machines.

It looks to me that the Democrats did kick off the idea, they realised it wasn't going to fly and tried to stop use of the unverified machines.

Quite what the Republicans' motives are in using an unverifiable voting process I don't know.

But in the U.S., most ballots are much more complicated. We (in the US) have a tradition of wanting the citizenry to speak out/vote directly on a number of different issues, and having seperate local and state elections. It's a pain to setup a poll, and a pain go to a poll, so a voting decision is actually more complicated for US citizenry than a non-US citizen might think. A vote might involve federal election (a President, House member, and a Senator), state election (a state senator / representative / governor), local election (county/town board, mayor, school board, sheriff, judges). It probably also involves multiple bond decisions ("shall the state take out a loan of $X to do Y"), and proposals to change the state constitution in various ways. When I go to a poll, I'd be shocked if there were fewer than 4 choices, and there are usually many, many more.

As a U.S. citizen, I'm used to it, and even like it -- it allows me to participate more directly in various decisions than citizens of some other democracies. And the multi-tiered approach to democracy is deeply embedded in how U.S. politics works. But the more complicated ballots, along with the sheer number of people in the U.S., make it the purely manual approach more painful. It's still possible, of course, but some sort of automation is desirable.

Untrustworthy automation is a terrible idea, of course. Hopefully various organizations like the ACM and Verified Voting will change the system so that we can actually have confidence that our votes are being fairly counted.

Oh, and the problem in the 2000 election wasn't that recounts are illegal. Recounts happen occasionally in the U.S., they're even required in certain cases. As I understand it, the problem was that recount rules are supposed to be consistent and clear before the election, and Florida's setup was revealed to be an absolute travesty. Of course, these unauditable electron-only voting machines have exactly the same problem; there's no consistent and clear way to do a real recount, because there's nothing that can be independently recounted. Instead of creating a recount travesty, they need to make real recounts possible. And a computer-printed (and human-verified) paper vote would eliminate the nasty problems in the Florida 2000 election, where it was incredibly difficult to figure out the voter's intent from a card with multiple hanging chads (with more hanging chads created through handling!).

The VerifiedVoting.org Web site explains the issue of mission-critical computers versus electronic voting machines. Basically, voting machines are not designed and built with the same care as mission-critical systems. Also, voting machines have to be able to resist deliberate tampering in addition to accidental crashes or failure. (Electronic vote tampering could come from inside individuals or those close to the voting systems, as opposed to an attack by someone outside.)

With respect to financial systems, security expert Bruce Schneier has talked about financial transactions versus electronic voting. There is a difference in securing the two because financial transactions have identifiers associated with them but votes have to be anonymous. With respect to electronic financial transactions, both parties know (or can find out) the identity of the other to resolve the issue if something does go wrong.

The ability for votes to be counted accurately and to represent the will of the voters comes close to affecting the existence of a democratic government and freedom for the people.

The VerifiedVoting.org Web site explains the issue of mission-critical computers versus electronic voting machines. Basically, voting machines are not designed and built with the same care as mission-critical systems. Also, voting machines have to be able to resist deliberate tampering in addition to accidental crashes or failure. (Electronic vote tampering could come from inside individuals or those close to the voting systems, as opposed to an attack by someone outside.)

With respect to financial systems, security expert Bruce Schneier has talked about financial transactions versus electronic voting. There is a difference in securing the two because financial transactions have identifiers associated with them but votes have to be anonymous. With respect to electronic financial transactions, both parties know (or can find out) the identity of the other to resolve the issue if something does go wrong.

The ability for votes to be counted accurately and to represent the will of the voters comes close to affecting the existence of a democratic government and freedom for the people.

That's an interesting point, but the paper ballots are counted in public by public officials following rules created by your state legislature. For elections in Michigan, anybody who wants can observe the election procedure, and can complain if they think it's done poorly; I'd imagine you could do something similar to monitor a vote recount.

The difference here is that the electronic ballots are tallied in secret by secret software written by a private company, with no observation allowed.

For electronic voting to work, it's going to need to use completely open software, where many experts can verify that it will work properly. Since so many people have an interest in the system working perfectly, there will be lots of people reviewing the code, and I think that very few serious bugs would be there for long.

verifiedvoting.org is advocating this same position. I'm not sure if they're actually writing software.

According to this article at Verified Voting this only applies to Diebold's TSx paperless electronic voting system. Apparently:

"The Voting Systems Panel did not recommend against continued use of the Diebold TS electronic voting machines or use of optical-scan voting machines. The GEMs software is also not affected by this decision."

According to this article at Verified Voting this only applies to Diebold's TSx paperless electronic voting system. Apparently:

"The Voting Systems Panel did not recommend against continued use of the Diebold TS electronic voting machines or use of optical-scan voting machines. The GEMs software is also not affected by this decision."

eVACS is open source and has already been used in some Australian elections. I did a research project on electronic voting systems last semester, and eVACS seemed to be the best current system. IMO, it would be much better with a voter-verified paper trail, though.

This is something that is being fought for here in the USA - a voter verifiable paper trail.

Slowly, people are "waking up" to the problem, but it is unclear whether enough will be done or recognized by the November elections (our presidential election time this year).

A voter-verifiable paper-trail is tantamount to running any form of democratic process (whether it is representative based, like here, or otherwise) - there needs to be a way for the voter to know that the machine recorded who they voted for correctly. That way, if there is a question of who won the election, a hand recount of ballots may be made.

With electronic machines (especially ones in which there is no publically auditable source code), though - all is up in the air. Only if a receipt is printed and given to the voter is there a way to really be sure (and this way is open to vote buying fraud, so it really shouldn't be implemented!). How are you to know that the screen and paper match what is really in memory (and/or on disk)? In a close election, unless there is major contestation done afterward, a cheating "winner" could skate by unless the population DEMANDED a recount of the printed record. Even then, who's to say the printer couldn't be controlled to print random "fake" votes not tallied in memory - in case of a recount (hopefully voter rolls would catch this - if open-source code was used, this code could be looked for as well - unless the compiler sticks it in, of course).

My biggest fear is that most voters (and even most votees!) will never understand these issues (and I haven't outlined them all - there have already been recorded "failures" of electronic voting machines, and our "mainstream" media has passed on most of these stories - so the voting constituency has NO CLUE), and the "elections" will continue to go on - and nothing (or everything, to our greatest detriment!!!) will change...

The Campaign for Verified Voting in Maryland has a website at www.truevotemd.org. If you're a Maryland voter or just want to show your support, go there and sign up. If you're going to vote on Tuesday in Maryland's primary, we're organizing a protest to demand paper ballots.

The problem in Maryland is that the officials at the State Board of Elections are in Diebold's pocket. Realize that San Diego and other California counties are getting voter-verified paper trail equipment from Diebold for free, despite paying only 60% as much for the machines as Maryland. Maryland also bought a much larger order. However, since the SBE officials won't go to bat Diebold is trying to charge big bucks for the VVPT. Diebold is also spending heavily in lobbying and contributing to the Maryland Delegates and State Senators who could pass legislation that would force a VVPT.

Some other good sites if you're interested in this topic:

www.verifiedvoting.org
www.blackboxvoting.org

--Paul

Everyone interested in this issue should take a look at the VerifiedVoting Website.

Electronic voting needs to solve two problems: Guarantee that every vote is counted exactly and guarantee that everyone can trust that result.

As Schneier points out, there can be no trust without a paper trail for verification. So it is quite important to support legislation mandating such a paper trail.

I would totally agree for you except for Diebold and their un-auditable machines. Guess what, now even if you do vote, your vote might just be invalidated or part of a massive miscount.

Oh well, maybe I should just vote absentee ballot? Oh, did we have problems with those, too??

We're fucked.

Unfortunately, after a fruitless argument with a Democrat Virginia election official at the Fairfax Fair in October, I suspect the problem is massive ignorance. He assured me condescendingly that he could get a printout of local Vote totals any time he wanted, so what was the point of a paper trail.

Unfortunately, such massive ignorance leaves the system open to abuse by unscrupulous individuals of either party.

I have called my representatives in Washington demanding auditable voting (all Republican - Virginia likes to vote Dems locally and Reps nationally). Since the Republicans are in power at the moment, they are key to getting some kind of auditability requirement passed nationally. Notice that a Republican I voted for, Ken Cuccinelli, is trying to address the E-voting disaster in Virginia.

Strict conservatives believe that it is the responsibility of the State Government to address such problems, and that the Federal Government should stay out of it. This does not mean that conservatives want unaudited voting - in fact they blame the Federal mandate following the 2000 debacle for causing the current problem.

About four months ago I was asked by the Irish Department of Environment, Heritage and Local Government to provide a technical assessment of their implimentation plans for our nation wide Local and European Parliamentary elections in June (more in this previous Slashdot Article. In the spirit of openness I should own up to being an IT security specialist for a large US multinational (not MS). It's also worth pointing out for those that don't know that the Irish voting system is both complex (Single transferable Vote - Proportional representation) and extremely well understood by the population - we have it drilled into us virtually from the cradle and we love it.

The Good News (for us Paddy's). The system and plans they presented are generally very good for the type of system that it is. It's not open source but it has had some level of competant independant review. It's non networked, and the tallying systems are also non networked. It has already been trialled in some constintuencies in the last general election here with very favourable voter reactions. It reduces the counting time for a typical constituency from ~24 hours to ~ 2 hours. The bulk of that ~2 hours is the time taken to physically transfer the results from the tally machines (stored in redundant flash modules) back to the central count. Re-counts take minutes rather than days (we had 2 constintuency recounts take more than a week last time round). From a security best practice point of view they showed a sensible approach to securing the devices, the tallying machines and the physical\personel processes involved. An almost identical system (same voting booths but different vote tally code due to our specific electoral rules have been in use in Germany and The Netherlands for a number of years without any evidence of issues that I am aware of (but maybe someone here is). They take voting privacy very seriously - Irish constitutional case law has made it clear that a voting system cannot even theoretically allow an individuals vote to be known, that specific feature has had to be audited independantly

The Bad News (sort of). This system is electronic only - there is no provision for an independantly auditable "paper vote". This has been and is still under consideration but the response I got was that it would compromise the vote privacy ruling. The problem for us is that our voting system has inherent short cuts (ie hacks) in the transfer system that uses sampling to allocate so called surplus votes. This sounds a bit bizarre but it works, we understand it and above all everyone accepts it. The technical details of the problem are outlined well in this thread on www.verifiedvoting.org . Unless the paper votes and the electronic votes are randomised identically then paper vote counts will not tally precisely with the electronic tally. If the resulting vote is very close then the difference could be enough to change the election result. If both are randomised identically then by implication a voters actual vote could technically be identified - which is illegal. Of course the problem would go away if the electoral rules allowed for complete electronic counting (no need for the time saving hacks anymore) but until e-voting is proven that will not happen. It's an interesting dilemma and I was impressed that the government officials understood the problem as well as they did.

I had many other concerns which I voiced but I was far from un-impressed by these guys, particularly since most of them weren't tech heads. They were keen to talk and listen, had researched things very well and took on board much of what I suggested.

In the end they are going with the system more or less as it is but with lots of physical and process security rather than th

Two places which have details on arguments against the current state-of-the-art of electronic voting are verifiedvoting.org and Electronic Frontier Foundation.

I forgot to mention a couple websites that are pushing for a voter verifiable paper trail in MD and nationwide: Campaign for Verifiable Voting in Maryland and Verified Voting - Campaign to Demand Verifiable Election Results

We need to fix this system or they'll "fix" our elections (and not in a good way).

For a good source on the electronic voting issue in general and the push for Rep. HR2239 in particular, see Verified Voting.

HR 2239 is a bill in a House committee right now that Slashdotters should get behind. Also known as the "Voter Confidence and Increased Accessibility Act of 2003," this bill introduces, among others, two major provisions worthy of support.

The first is that every electronic voting machine shall leave behind a verified-by-the-voter paper receipt for recount purposes. This, of course, gives the voters an understandable avenue of recourse in the case of a suspect election.

The second is that all source code for running the machine shall be made available to the public. Not quite open-source, but, shall we say, viewable-source. This would allow security experts to check the code behind the voting-machine companies to make sure that it is secure.

Please check this website to see if your congresscritter is part of the Committee on House Administration and urge them to vote this bill out of committee. Even if they're not, showing support to your congressperson could lead to increased pressure on those in the committee to vote the bill out.

If you want to see a really clever electronic voting system, check out VoteHere. They use paper receipts that basically records a hash of your vote, so your receipt cannot prove to anyone who was not looking over your shoulder when you cast the ballot what that vote was, but still allows you to prove that your vote has/has not been changed after the polls close. As VoteHere points out, authoritative paper receipts really just turn the machine into a very expensive pencil, when they offer the potential to do so much more.

By the way, I have no ties to VoteHere, I've just been studying electronic voting a lot lately.

For more info, see http://www.verifiedvoting.org/

Of course, this system has weaknesses, as will any system which enforces both authenticity and anonymity, but even if it cannot be protected against all attacks, it at least lets you know when an attack is happening, which is a huge step up from most paper and even electronic systems.

We need your help!

HR 2239 is a bill which requires all touch-screen voting machines to produce a paper receipt which the voter can read and verify, then drop in a lock box. The receipts in that lock box are used in a recount. This bill also mandates a recount in 0.5% of districts chosen at random to verify that the touch-screen voting machines are reporting the results accurately.

Sign the online petition to support the bill. Contact your representatives, educate them and demand they support the bill.

We also need legal help with injunctions against the machines, starting with the 37 Diebold states. The organizers of BlackBoxVoting.org have 65,000 documents to make the case.

One subtle problem with online voting is that it's much easier for a third-party to coerce your vote and to check that you voted "correctly". The third-party (an employer, union official, local mob boss, etc) can "encourage" you to make sure you vote at an online facility where they are watching... and there goes the privacy of the polling place and the anonymity of the ballot box.

Of course, in earlier times this was recognized as an issue with absentee voting. The solution that traditional voting systems adopted was to allow the voter to vote in person later at a real polling place, and that vote, (presumably more free of coercion), would invalidate their earlier vote.

I wonder if CanVote provided a similar "vote override" option for Ontario citizens? A polling place vote should always override an alternative-mechanism vote. I hope in the move to online voting we don't lose the non-obvious protections that have been added to our current electoral system over time.

--LP, a programmer who also supports voter-verified paper trails

To know what's going on in your state visit: State Lists

"I don't know what the holdup is," Margaret K. Luca (D), secretary of the county's three-person elections board, said late last night. "I thought we had it covered. We tested all week in the county."

"I don't know what the holdup is," Margaret K. Luca (D), secretary of the county's three-person elections board, said late last night. "I thought we had it covered. We tested all week in the county."

"I don't know what the holdup is," Margaret K. Luca (D), secretary of the county's three-person elections board, said late last night. "I thought we had it covered. We tested all week in the county."

... and talk to your representatives in the house to get them to sign on. HR2239 requires touch-screen voting machines to print a receipt which the voter can read, then drop into a lock-box. This receipt is then used for recounts, and in a mandatory recount of .5% of districts chosen at random to verify the accuracy of the machines.

While you could theoretically build a cryptographic system to do something similar, I'd rather not have a theoretic democracy!

(Petitions are linked to at the bottom of VerifiedVoting.org.)

This petition is the only way to guaruntee that your vote will be counted--it mandates that machine give the voter a human-readable receipt which the voter drops into a lock box in case. In the case of a recount, the paper receipts are counted. It also mandates a manual recount in .5% of districts to verify the accuracy of the machines. The petititions are linked to at the bottom of the VerifiedVoting site.

The HAV act (help amerca vote), created a land rush by mandating a minumum number of touchscreen voting machines by 2004. The stalking horse provision in the bill is that blind people cant use most voting systems without assistance, and people in wheel chairs have difficulties as well. Noble motivation yes, but the cure is worse than the problem.

This land rush was led by diebold with a first-to-market system. they acheived this by using off the shelf components and OS and DB. THe system has not proven reliable or safe. I wont regurgitaete the accusationsof fraud, except to mention that any time elections differ by 6 sigma from poll results someting reeks. Unfortunatley other companies ESS and Sequoia tried to keep pace. the ESS systems at least have the benefit of actually failing to boot so often that florida has abandoned them! THe Sequoia system is the best of the lot but still has its own flaw. At least the sequoia people, when pushed, seem to be trying to respond to the demand for voter verified balloting.

The good news is that After pressure by california's santa clara county (19 million dollar
contract), Sequoia voting system has agrees to implement (at no cost) a
voter verified, recountable, paper ballot in addition to the touch
screen systems.
(see here )

Already the House of representatives has a bill pending ( The Voter
Confidence and Increased Accessibility Act of 2003) that will require
all touch screen voting systems to be voter verifiable.
(see here )

Indeed the entire country of brazil, which has 400,000 electronic
voting machines has decide to replace them with voter verifiable
systems.
(see here )

A 95 page caltech and MIT study surveying many years of voting reports
that among all voting methods, the method with the single largest
average error rate is electronic voting, which is senate and
gubenatorial elections has almost TWICE the error rate of optical scan voting. This means that by enfranchising blind people we disenfranchise far more people. a bad trade.
(see here page 21 )

Indeed reality is much worse since that's just an average, since
electronic voting errors tend to be both non-random and clustered in
catastrophic events.

For example, Bernalio county in Albuquerque reported 48,000 voters went to the polls
but only 36,000 votes were registered on Sequoia voting systems.
(see here )

Similarly, many votes were lost in the latest election in florida
counties using Sequoia voting systems. Janet reno is investigating
cases where heavily democratic counties registered ZERO votes for any
democrat. Sequoia systems has presented Los Alamos FALSE information
of Seqouia systems. For example, they claimed it did not run on
windows OS. In fact WinEDS their database collection system is based
upon microsoft OS, and uses a Microsoft-based SQL DB, and the password for
this system is "password" (really!).
(see here )

You can in fact obtain this very minute on CD rom a program which will
break into any diebolds MS ACCESS based database and change results then erase all log
entries of the intrusion. It's easy to imagine that SQL can nbe attacted too either by security hoiles or user admin mistakes in the table grants.

Sequoia's Glowing reviews in florida, santa
clara and Lousianna counties are somewhat marred by the fact that the
Luosianna county agent who reviews them highly is now under indictment
for a payoff from seqouia, like wise the santa clara and florida
registrar have both been (publicly) paid off by the

See the Verified Voting web site.

There you can learn about HR2239 and see where your Congressional Representative stands on the issue. Links to Representatives and Senators are included so you can contact them and let them know how you feel. Let's do something other than sit around and complain about Diebold!

Also, if you have a web site, display a Verified Voting banner on it.

VerifiedVoting.org appears to be down, coincidentally. You can go directly to the HR2239 petition.

The only way to make sure that your vote counts is a voter-verified paper trail for use in recounts and mandatory recount in a small percentage of districts chosen at random (to verify that the equipment is working). This is the only way to have meaningful recounts.

HR 2239 does just this (and was written by a physicist, no less)!

Sign the petition supporting HR 2239, there's a link to it at the bottom of VerifiedVoting.org!

The Voter Confidence and Increased Accessibility Act (H.R. 2239) has been introduced in the House of Reps that would require a paper audit trail.

More info: verified voting - fiar elections

and don't forget about blackboxvoting.org, another site for resources on this issue. It's currently down due to bogus spam complaints and the .com was shut down by diebold.

How to hack an election 1.12: Diebold tries to silence incriminating evidence : Diebold, maker of proven-to-be hackable voting systems, plays global whack-a-mole, in effort to scare ISP's into taking down websites with incriminating material. They used the DCMA to shut down BlackBoxVoting.org.

But the incriminating data just keeps popping back up on the Net, and Gun-and-Voting rights activist Jim March calls the bluff and challenges Diebold "Diebold: You are cordially invited to bite me. Bring it on. Make my day.. March has created a legal strategy/toolkit for voting rights activists who want to fight Diebold, a company which has knowingly - for 10 years - sold security-compromised voting technology, and whose CEO, an aggressive Republican fundraiser, has said he is he is committed to helping Ohio deliver its electoral votes to the president next year. In internal memos published by Scoop, Diebold's officials admit that their voting records database is (and has been for a long time) hackable ( [anyone can] access the GEMS Access database and alter the Audit log without entering a password ) but that this isn't necessarily a problem because It has a lot to do with perception. Of course everyone knows perception is reality. For background to this story, see my summary of Mefi posts on the Voting Fraud story, from this thread. Diebold's funky voting systems are in the process of being Certified, in Maryland and elsewhere, by SAIC, a company convicted of major frauds within the last decade and which has extensive ties to the Bush Administration, the CIA, and which proudly lists DARPA in its annual report as one of its prime clients., and owns Network Solutions, Inc. SAIC has not, it seems, noticed the GEMS database story (see main link). If Diebold systems win certification, we can expect an awful lot of This sort of thing.

Computer security expert Dr. Rebecca Mercuri has some pointed analysis on the subject.

You can join the effort to demand truly secure voting systems at VerifiedVoting.Org

HR 2239 is a bill in the House which requires exactly this: a voter-verified paper ballot usable for manual recounts. It also requires manual recounts to verify accuracy in some small percentage of districts (like .5%), chosen at random. Please visit this site and sign the online petititons.

The solution is a voter-verified paper trail which would allow actual recounts, plus mandated recounts at random in a small percentage of districts (like .5% I think). HR 2239 is a bill in the house which proposes to do that. Sign the online petitions to support it and get more information at VerifiedVoting.org.

I got this in my inbox yesterday:

Voter Verification Newsletter - Vol 1, Number 11

David L. Dill (elections@chicory.stanford.edu) September 21, 2003 http://www.verifiedvoting.org

For previous newsletters, see http://www.verifiedvoting.org/news.asp

It's been over three weeks since my last newsletter! Lots of things have been happening, but I haven't had time to write about them. Here are a few of them.

IEEE VOTING SYSTEM STANDARD
---

A seemingly obscure standards subcommittee of IEEE may determine whether we have trustworthy voting systems or not. And things are not going well.

IEEE is the "Institute of Electrical and Electronics Engineers." It is a highly respected organization with a huge number of electrical engineers, many of whom have substantial expertise in computer-related topics. It is reasonable to expect that IEEE involvement in voting technology would be a good thing.

There is an IEEE standards committee (called P1583) that is writing standards for voting systems, including security standards for DREs. (http://grouper.ieee.org/groups/scc38/1583/) Although this committee may seem obscure, this standard may very well be the basis for future Federal regulation of voting equipment.

Recently, several voter-verifiable-audit-trail advocates with strong technology credentials have joined the P1583 committee in an effort to ensure the standard requires an adequate level of security. I am one of them.

Unfortunately, many of the current members on the committee are working very hard to prevent us from contributing to the standard. As we have gotten more involved, the tactics have become more extreme. The standard is now being rushed to a vote by the Standards Association, in an apparent attempt to freeze it before our most important suggestions can be incorporated. Many of the suggestions we HAVE made are dismissed for the flimsiest of reasons, and rules seem to be made up on the fly to exclude us from the standards-writing process.

So far as I can see, the committee is controlled by voting companies -- the chair of the committee works for ES&S, and even the IEEE standards people on the committee, including the president of the Standards Association, voted with them as a block in a teleconference earlier this week.

The Electronic Frontier Foundation (EFF) has taken an interest in e-voting and in the behavior of the P1583 committee as well. They issued a press release on Friday (see http://www.eff.org/Activism/E-voting/20030919_eff_ pr.php), along with an action alert for IEEE members (http://www.eff.org/Activism/E-voting/IEEE/). You can send a letter expressing your views, too (it will be especially effective if you are an IEEE member).

There will be more updates on this topic, no doubt.

Today I got this follow-up & correction:

There is a correction to the Voter Verification Newsletter emailed last night. I was writing about the IEEE P1583 voting equipment standards committee. Here is what I said:

So far as I can see, the committee is controlled by voting companies -- the chair of the committee works for ES&S, and even the IEEE standards people on the committee, including the president of the Standards Association, voted with them as a block in a teleconference earlier this week.

In fact, the president was not in the teleconference and, so far as I know, is not a member of the committee. The individual in question, Don Heirman, is a CANDIDATE for president of the Standards Association in the IEEE election that is currently underway.

Sorry,
David Dill

I got this in my inbox yesterday:

Voter Verification Newsletter - Vol 1, Number 11

David L. Dill (elections@chicory.stanford.edu) September 21, 2003 http://www.verifiedvoting.org

For previous newsletters, see http://www.verifiedvoting.org/news.asp

It's been over three weeks since my last newsletter! Lots of things have been happening, but I haven't had time to write about them. Here are a few of them.

IEEE VOTING SYSTEM STANDARD
---

A seemingly obscure standards subcommittee of IEEE may determine whether we have trustworthy voting systems or not. And things are not going well.

IEEE is the "Institute of Electrical and Electronics Engineers." It is a highly respected organization with a huge number of electrical engineers, many of whom have substantial expertise in computer-related topics. It is reasonable to expect that IEEE involvement in voting technology would be a good thing.

There is an IEEE standards committee (called P1583) that is writing standards for voting systems, including security standards for DREs. (http://grouper.ieee.org/groups/scc38/1583/) Although this committee may seem obscure, this standard may very well be the basis for future Federal regulation of voting equipment.

Recently, several voter-verifiable-audit-trail advocates with strong technology credentials have joined the P1583 committee in an effort to ensure the standard requires an adequate level of security. I am one of them.

Unfortunately, many of the current members on the committee are working very hard to prevent us from contributing to the standard. As we have gotten more involved, the tactics have become more extreme. The standard is now being rushed to a vote by the Standards Association, in an apparent attempt to freeze it before our most important suggestions can be incorporated. Many of the suggestions we HAVE made are dismissed for the flimsiest of reasons, and rules seem to be made up on the fly to exclude us from the standards-writing process.

So far as I can see, the committee is controlled by voting companies -- the chair of the committee works for ES&S, and even the IEEE standards people on the committee, including the president of the Standards Association, voted with them as a block in a teleconference earlier this week.

The Electronic Frontier Foundation (EFF) has taken an interest in e-voting and in the behavior of the P1583 committee as well. They issued a press release on Friday (see http://www.eff.org/Activism/E-voting/20030919_eff_ pr.php), along with an action alert for IEEE members (http://www.eff.org/Activism/E-voting/IEEE/). You can send a letter expressing your views, too (it will be especially effective if you are an IEEE member).

There will be more updates on this topic, no doubt.

Today I got this follow-up & correction:

There is a correction to the Voter Verification Newsletter emailed last night. I was writing about the IEEE P1583 voting equipment standards committee. Here is what I said:

So far as I can see, the committee is controlled by voting companies -- the chair of the committee works for ES&S, and even the IEEE standards people on the committee, including the president of the Standards Association, voted with them as a block in a teleconference earlier this week.

In fact, the president was not in the teleconference and, so far as I know, is not a member of the committee. The individual in question, Don Heirman, is a CANDIDATE for president of the Standards Association in the IEEE election that is currently underway.

Sorry,
David Dill

by providing a backup "counting" mechanism which can be used to verify that the voting machine is working correctly. Open source will not solve it (although it will make it harder) as you still have many ways which the machine can be tampered with. Clearly the reporter disagrees with this view, and says:

"What about the value of a paper trail? I asked Selker. Just having a vote on paper is no guarantee that it will be correctly counted, he explained. He cited an example (again from Chicago) of an election commissioner who bragged about counting votes for a Republican candidate and then writing them down as votes for the Democrat."

While this is cute, and it is possible to mess with the paper ballots by mis-counting them -- the point of paper ballots is that you can re-count them under bright lights... and since someone _could_ be shown to have lied it makes catching evil election commissioners much easier. Recounting an electronic votes, however, well, is this even possible?

This reporter has an axe to grind and I think he is seriously playing games. Especially when he says "Before talking with Selker, I was squarely in the anti-DRE camp." How someone can be evern remotely informed about DRE and propose an "alternative" while not even mentioning a reference to and then completely mis-representing the adecemics and practioners who are in the "anti-DRE" camp [1]? This quote is just yet another stratigically placed logical flaw that his paper is riddled with.

[1] (VerifiedVoting).

The article starts out with a False Choice logical fallacy. The reporter asserts early on that we either have touch screens or paper -- to create tension and proport to show "another side" of the argument. But it is really a misrepresentation of the facts. The Verified Voting people went way out of their way to make sure that they wern't against paper ballots. What VerifiedVoting is For is a PHYSICAL verification of electronic voting.

"iRights" - Voting Machine Analysed, Found Wanting.

From the linked site:

The authors have done a security analysis of Diebold code that was downloaded from an open FTP site earlier this year. While the paper is technical, significant portions of it can be read easily by a non-computer scientist.

From the conclusion of the paper, Analysis of an Electronic Voting System, emphasis mine:

Using publicly available source code, we performed an analysis of a voting machine. This code was apparently developed by a company that sells to states and other municipalities that use them in real elections. We found significant security flaws: voters can trivially cast multiple ballots with no built-in traceability, administrative functions can be performed by regular voters, and the threats posed by insiders such as poll workers, software developers, and even janitors, is even greater. Based on our analysis of the development environment, including change logs and comments, we believe that an appropriate level of programming discipline for a project such as this was not maintained. In fact, there appears to have been little quality control in the process....

The model where individual vendors write proprietary code to run our elections appears to be unreliable, and if we do not change the process of designing our voting systems, we will have no confidence that our election results will reflect the will of the electorate....

And finally, the text of the Voter-Verifiable newsletter I received regarding this issue, which should appear on this page sometime (July 24, 2003):

"iRights" - Voting Machine Analysed, Found Wanting.

From the linked site:

The authors have done a security analysis of Diebold code that was downloaded from an open FTP site earlier this year. While the paper is technical, significant portions of it can be read easily by a non-computer scientist.

From the conclusion of the paper, Analysis of an Electronic Voting System, emphasis mine:

Using publicly available source code, we performed an analysis of a voting machine. This code was apparently developed by a company that sells to states and other municipalities that use them in real elections. We found significant security flaws: voters can trivially cast multiple ballots with no built-in traceability, administrative functions can be performed by regular voters, and the threats posed by insiders such as poll workers, software developers, and even janitors, is even greater. Based on our analysis of the development environment, including change logs and comments, we believe that an appropriate level of programming discipline for a project such as this was not maintained. In fact, there appears to have been little quality control in the process....

The model where individual vendors write proprietary code to run our elections appears to be unreliable, and if we do not change the process of designing our voting systems, we will have no confidence that our election results will reflect the will of the electorate....

And finally, the text of the Voter-Verifiable newsletter I received regarding this issue, which should appear on this page sometime (July 24, 2003):

"iRights" - Voting Machine Analysed, Found Wanting.

From the linked site:

The authors have done a security analysis of Diebold code that was downloaded from an open FTP site earlier this year. While the paper is technical, significant portions of it can be read easily by a non-computer scientist.

From the conclusion of the paper, Analysis of an Electronic Voting System, emphasis mine:

Using publicly available source code, we performed an analysis of a voting machine. This code was apparently developed by a company that sells to states and other municipalities that use them in real elections. We found significant security flaws: voters can trivially cast multiple ballots with no built-in traceability, administrative functions can be performed by regular voters, and the threats posed by insiders such as poll workers, software developers, and even janitors, is even greater. Based on our analysis of the development environment, including change logs and comments, we believe that an appropriate level of programming discipline for a project such as this was not maintained. In fact, there appears to have been little quality control in the process....

The model where individual vendors write proprietary code to run our elections appears to be unreliable, and if we do not change the process of designing our voting systems, we will have no confidence that our election results will reflect the will of the electorate....

And finally, the text of the Voter-Verifiable newsletter I received regarding this issue, which should appear on this page sometime (July 24, 2003):

David Dill is rasing the alarm about voter verification. Granted he's not part of the gummint, but he's asking the right questions.

If these EVM's model the voting machines used in the United States, this is clearly a bad idea. Anyone who read the report released earlier by researchers at Rice and Johns Hopkins about fraud concerning electronic voting machines has ,at least, serious reservations about not using them. If we throw into the mix India's huge populace, then it is safe to say that vote rigging and election stealing is far from over.

What is the solution to India's voting problems? I am far from qualified to present a solution. But, electronic voting systems is certainly not a solution.The reason for this is that it is very, very difficult to ensure that the software that is used for such systems is extremely secure. In other words, it is nearly impossible to ensure that no cheating will be carried out by the voters, the poll workers, the election officials, the software developers, etc.

The only known solution to this problem is to use a voter verifiable audit trail, that is a paper account of the voting. By doing this, we no longer care about the accuracy of the software. The software is simply a blackbox that accepts the input of the user and prints it out to paper, which the voter can verify. The point is that the only possible proper use for an EVM is as a user-interface.The machine can help people who are visually or hearing impaired or it may display voting options in different languages, etc. There are innumerable user interface hacks that can help the population. But no matter what, it is nearly impossible to verify security if the EVM's are used as anything other than exclusive user interfaces.

Holding electronic elections is a sign of a backwards country, not an advanced one. Electronic elections are more prone to fraud and breakdown unless done with great care. See this site for details.

There's also a new group working to ensure a "Voter Verifiable Audit Trail" with the advent of electronic/Internet voting. Many people in the field of computer science (including myself) have endorsed their effort. This has nothing to do with Luddism, but rather a full understanding of the technical issues involved. Nothing short of integrity of our democratic results is at stake.