Slashdot Mirror


eLection '04

Until this week, I've been unconvinced by those who say the U.S. election process needs to be conducted with computers instead of paper, pencil, and punchcards. I've changed my mind. It's time to take a good hard look at our ancient voting system, and bring it up to date. When today's 14-year-olds go to vote in the 2004 elections, will they still take the pencil from the volunteer, slide the punchcard into the molded plastic, and turn the weird knobs? Or will they use the technology they've grown up with?

My change of heart came while listening to an NPR story last night. Election results for one county in Michigan were held up for two hours because some volunteers with ballots were barricaded in the building by a bear. A bear! What century is this?

There are some fair concerns about moving to a more-than-just-dead-trees voting system. We have to consider what the impact will be on voter enfranchisement. A change that makes it possible for the rich to vote by telepathy, for example, while the poor have to drive a hundred miles uphill both ways (to access a non-telepathic voting booth) would not be exactly democratic.

Would it have been fair, in 2000, for the middle class to be able to vote from the comfort of their homes and jobs, while the poor and homeless had to get to a voting booth? I don't know.

But my best guess is that, by 2004, this won't be a question anymore. Plot the percentage of lower-income homes with internet access from 1996 to 2000, and then extrapolate another four years. So if it should be done, how can it be done? There are five key issues to solve: authorization, anonymity, data confidence, UI, and security.

I propose a system in which each voting booth runs a webserver which logs votes (without identification) to two internal media (hard disk and floppy would be good, see below). Once the polls close, each booth's computer can be totalled and sent over the internet to the state's central server.

Meanwhile, any computer that speaks https on the internet would become a voting booth of its own, running slightly different software.

Each state's official results could be in an hour after its polls close. Which beats the ten-day waiting period we have now for our overseas ballots.

Authorization isn't really that hard: When you register to vote, you (by default) get a password delivered by snail-mail a week before the election. Tampering with that mail is a federal offense, of course. On election day you use secure http to sign in from anywhere with your name, address and password. Lose the password? Sorry, you don't get the comfort of home/work; you go to the voting booth with everyone else.

Anonymity is trivial; any logs with identifying information either don't get stored, or get wiped immediately.

Computers crash. Data confidence means the servers write the votes to multiple media: network, hard drive, flash RAM. A dot-matrix printer makes a good emergency backup medium.

This system also needs a dirt-simple GUI for voters connecting from home or work. No butterfly webpages necessary; click a name, and get a confirmation screen that shows you name, party, (importantly) photo, and big "yes" and "no" buttons.

At the voting booth it can be even simpler, using touch-screens.

Security is, of course, always a problem. Secure http effectively eliminates the man-in-the-middle attack, so the main worry is that an attacker will be able to run unauthorized code on a government computer which could (read) correlate my name with my vote or (write) change my vote. I'm going to go out on a limb and say that a completely open-sourced system, from the kernel up, combined with clean-room installations at a secure location, can make these concerns minor by comparison to existing vote-fraud concerns.

(My vote would go to OpenBSD, Apache, and Mozilla, though of course good luck predicting what will be best four years from now.)

Also, net admins overseeing the effort need to have enough access to track and lock out attackers, but obviously they can't have access to change the election results. Lock them in a room for the day with a hundred video cameras tracking everything they do, like the officers on missile-launch duty. Many net admins will find this a relaxed and enjoyable work environment compared to their current jobs.

There are many problems that have to be solved -- please bring up the ones I haven't mentioned here, let's start the debate! My hunch is that they can be solved. And the overriding question must be, will it be an improvement over the current system?

Given that Florida's election is being decided by a 400-vote difference, with 19,000 botched votes thrown out, I'd say the impossibility of clicking on two presidential choices at the same time makes this system a huge win.

The broken user interface on our existing punch-cards system is probably going to give us the wrong President of the United States. How much worse could a digital system really be? I don't claim to have all the answers, but I know what century it is, and the time for Little House on the Prairie nonsense is over. Let's make this happen for 2004.

I'll give my last word to Andre Uratsuka Manoel, a partner at the internet firm Insite, in Brazil. (Props to TBTF for putting Andre and me in touch.)

Brazil has a 100% electronic election. On election day I go to my "electoral section," identify myself, sign my name. The "section president" then types in my code and I walk to the booth which is in a corner of the room where no one can see my vote. I then type the number of my candidate, see his/her photo and press "confirm."

The voting machines store the votes in at least three different places: a floppy disk (which is locked), a flash card and the internal hard disk. There are written procedures for any kind of failure I could think of and back-up machines readily available. Those machines can connect to a phone line and send their results to the Election Court of the state.

The results are proclaimed extremely fast. On the mayoral run-off elections that happened 2 weeks ago, results were out 2 hours after the election in the city I live in (Sao Paulo, with about 6 million voters) and 6 hours after it in the last city in which there was a run-off. In my home city the results came out a little after the election sites closed and the result was proclaimed with the winner having 40 thousand votes more than the second place (0.4% of 1 million votes).

In the first round of elections in Sao Paulo, the third place contestant lost the ticket for the run-off elections by less than 0.1%. The one who lost didn't even think of contesting the results because no one thought there were any kind of frauds.

In the first round, 100 million voters (about the same as the active voters in US) in 5 thousand cities chose their mayors and councilors. All the results were proclaimed 30 hours after the voting closed.

This happens in a country that has a much lower level of literacy, technology-savvy and of money than the U.S. Remember that some mayors were chosen in places hours away from anyplace else (even by plane), i.e. in the middle of the rain forest. Those places don't have electricity.

Of course there were complaints, but not because of the electoral process. Mostly they were due to campaigning on the election day, voter transportation and coercion.

(Updates: Dave Riesz mentioned Riverside County, California, which has an electronic voting system already in place. Their 2000 primary turnout was the highest in 20 years, which may or may not mean anything. That led me to the California Internet Voting Task Force which looks interesting. Don Wegeng pointed me to RISKS thoughts by Douglas Jones. Brian Dunbar points out "Hurrah for Slow Recounts" by the always-interesting Ellen Ullman.

Lee Coursey passes along Elizabeth Ferrill's Discussion of Electronic Voting. James McCann, a programmer at VoteHere.net, says my description is "not terribly far off but very incomplete" -- I'll take that as a compliment -- check out his site and SecurePoll.com too. And finally, a story in Salon that makes my point better than I could: "Confessions of a Florida Poll Worker."

If you have more links or information, email me.)

9 of 674 comments

  1. Faith in computers... E-commerce != voting. by Convergence · · Score: 5

    I'm a recent graduate in computer science from Carnegie Mellon. *I* have no faith in computers either.

    I want voting to have hard records. It's very easy for a software program to add 10,000 to a location in memory. Hard to create 10,000 fake ballots and harder to insert them into the system without them being noticed.

    Secondly, you extend the complexity of the system. How do you know the software in the system has no traps or backdoors? (If it's based around Windows, how do you know that Windows has no special trapdoors for throwing elections?) Secondly, how do you know that the software, when installed, is the same as what was written?

    Another problem, for those who suggest having a printer printing receipts: If it is computer-readable, how will the user know if what was printed equals what they voted? Why can't the machine count the vote as for candidate X, yet print a receipt as if for candidate Y?

    Finally, you have a lot more problems on the client side: Can you imagine a version of Melissa Virus, that's very innocuous and tries to stay hidden. It waits till you try to vote. It waits for you to type in your password, then it secretly votes for who IT wants, not who you want. Hell, Windows 2004 might have this feature built into the OS!!

    The problem with computers is that a small group of people, or even a single person, can subvert an entire election. That's almost impossible with old-fashioned paper ballots.

    These are critical issues. None of the explanation above says how you're supposed to be resistant to these types of fraud.

    The opponent (and therefore threat-model) for an electronic voting system is a HELL OF A LOT worse than that for E-commerce. You're describing how to be resistant to credit-card fraud, where there are small transactions and subversion of the system is minimal. Voting is different. Countries are going to want to subvert the system (Russia, China, Iran, France, organized crime..) and THEY have the resources to bribe, blackmail, and subvert the system from within. They're also going to analyze the system for subtle flaws, and they will break it.

    Do a search for 'electronic voting' on comp.risks.

    Security is HARD. Hasn't Bruce Schneier said that a dozen times before? This is why I hope we do not have electronic voting until we do truly know how to make it secure, a system, standardized by NIST, that's had people trying to break it for 5-10 years. Voting is more critical than AES, it should have the requisite analysis.

    Scott

  2. McDonald's Scenario by twisty · · Score: 5
    Here's a method of verification that could bolster the confidence of voters... Imagine, the year is 2036, and you cruise your hoverbug up to the Drive-Thru window at Mickey-D's:

    McMicrophone: Retinal identification confirmed... May I take your vote?
    Voter: Hmmm... What are the specials today?
    McMicrophone: We've got three new parties available... the Darwinist Party Pack, starring Arnold Schwarzenegger Junior... the Posthumanist Party, starring Max Moore... and Martian Party, starring the head of Leonard Nimoy.
    Voter: Uh, just gimme a large Green, a medium Democrat, and a Libertarian and NaturalLaw in small.
    McMicrophone: Here's your ticket *bwop* , please pull forward to the next window.

    You pull forward, and insert your ticket which contains your anonymous voting data. The Display comes up and shows:
    You have ordered:
    1 small Hagelin
    1 small Browne
    1 medium REFORM CANDIDATE
    and 1 Large SOCIALIST

    Hey! That isn't what I ordered!! Gimme the manager!
    The Manager apologetically straightens it all out, with a complimentary order of fries.

  3. No! Do the opposite by vlax · · Score: 5

    Electronic voting will never be fully trusted. Much of the confusion in the current election is simply because computers tabulate paper ballots.

    Do the opposite. Go to paper balloting with big print and boxes that have to be marked with a big 'X'. Then, these ballots need to be counted by hand in each ward. This is what is done in the overwhelming majority of countries.

    An even better reform: stop holding elections for everything on the same day. It's not genuinely convenient to anyone. Compel state and local government to hold elections on a day other than the second Tuesday in November of even numbered years. This would shrink the size of the ballot enough to make paper balloting and manual counting easier. In Federal elections, there would never be more than 3 offices to vote for: a President, a Senator and a Rep.

    Even better, have three different election days, all at different times during the 2-year election cycle. One for the feds, one for states, one for local government. That way, there are only three things to vote for in Federal election, three in state election (except for Nebraska) plus state referenda, if any, and one day for local government, which usually means one or two candidates in county races, one or two in municipal races, a school board election, in some places a hospital and/or public transit board election plus county and municipal referenda.

    Furthermore, make the FEC final arbiter of all elections. Take local government out of the process of deciding on voting methods. I think this would minimise corruption rather than make it more likely.

    And, if you really want to bring American voting into the modern world, use Condorcet voting and/or proportional representation.

    Here would be my reform - if I had the dictatorial power to impose it:

    1) Australian-style mandatory voting. No more griping about people who didn't register, or registered but didn't vote. It costs more, but it's worth it.

    2) A paid half day off on election day. Give everyone a chance to get to the polls.

    3) Condorcet voting for Presidents, Senators and Governors.

    4) Allocate seats in the House to each state rather than drawing districts. If a state has only one House Rep, use Condorcet voting. If it has two, divide the state into two electoral districts and use Condorcet voting. For more than that, use party proportional representation to allocate seats, but also guarantee that any party or independent that gets at least the fraction of votes in the state equal to the number of votes divided by the number of seats in the House gets one seat.

    That way, all Reps still represent a state, rather than being 'at-large' national Reps as the Germans have, but the number of seats in the House is still apportioned more reasonably according to voters' demands.

    5) Move all states to unicameral legislatures like Nebraska. There is no need for state government to replicate the silliness of the Federal government. This way, state elections are for a Governor, one Rep and whatever referenda are going on, and judges in those states where state judges are elected. Also, make state legislatures mixed district/proportional voting on the German model. States are small enough to support 'at-large' representation.

    6) Elect a single board for county government by at-large voting for multiple candidates. This means your ballot lists all the qualified candidates and asks you to vote for as many as there are seats on the county board. County supervisors are chosen by the elected board.

    7) Do the same for school boards, hospital boards and public transit boards, where such things are elected.

    8) Do the same for municipal governments, unless they are elected on the "New Plan", where city commissioners are elected instead of appointed by the municipal government and there is no city council. In that case, go back to Condorcet voting.

    9) Stop electing every damn office under the sun, especially judges!!! Elections for judges force judges to be biased. It is a travesty of law to do it this way. In California, we elect offices like state treasurer and insurance commissioner and this is stupid. These offices were less corrupt when they were appointed. I haven't seen anything brilliant come out of elected hospital boards or public transit boards either, and the first thing I would do to reform education is get rid of local school boards.

    These reforms would bring the US in line with - in fact ahead of - most other countries in terms of sane, modern, reliable, unambiguous voting systems.

  4. The problems are... by Millennium · · Score: 5

    ...well, the main one is assuring anonymity while also taking out any chance of fraud.

    In addition to the suggestions you recommend, I would add this:

    A voter comes up to the front of the line. They provide the necessary ID, and the electoral official marks their name off of the list (computerized, of course). Then the official gives the user some kind of token, perhaps a cheap smartcard-like device, with no identifying information.

    This done, the user steps into the voting booth. The first thing they have to do is insert the token into a reader. This is why I prefer the smartcard approach; the reader can take the token completely into the machine, where the user cannot get it back by force without attracting a great deal of attention.

    The user then punches in their vote and confirms it, like you said. Once they confirm, the token is rendered invalid (for example, a magnetic signature could be wiped) and then given back to the user. Because the token is now invalid, it cannot be used to vote again. And because you must get the token from an electoral official, who knows whether or not you've already gotten one, this prevents people from sneaking into the booth for another vote while preserving the secret ballot.

    As an addition, the user can cancel their vote at any time before confirming it. In this case, the token is not rendered invalid. This gives the user the opportunity to request help from an official, perhaps because the "ballot" is not offered in any language the user can understand. Once you've confirmed the vote, though, there are no second chances.
    ----------
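
The token flow described in the comment above, as an added sketch (not part of the original post and not code from any real voting system). The `Precinct` class, its method names, and the HMAC tag standing in for the card's physical "valid" signature are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class Precinct:
    """Hypothetical model: poll book, token issuer and booth in one object."""

    def __init__(self, roll):
        self._key = secrets.token_bytes(32)           # precinct secret (assumed)
        self._issued = {name: False for name in roll}  # poll book: name -> got a token?
        self._spent = set()                            # serials already invalidated
        self.ballots = []                              # choices only: no name, no serial

    def issue_token(self, voter_name):
        """Official checks ID against the list, marks the name, hands out a token."""
        if voter_name not in self._issued:
            raise PermissionError("not on the roll")
        if self._issued[voter_name]:
            raise PermissionError("token already issued to this voter")
        self._issued[voter_name] = True
        # The serial is random and is never stored next to the name, so the
        # poll book cannot be joined to a token or to a ballot afterwards.
        serial = secrets.token_bytes(16)
        tag = hmac.new(self._key, serial, hashlib.sha256).digest()
        return serial + tag

    def _is_valid(self, token):
        if len(token) != 48:
            return False
        serial, tag = token[:16], token[16:]
        expected = hmac.new(self._key, serial, hashlib.sha256).digest()
        # Constant-time compare rejects forged tokens; the spent set
        # rejects tokens that were already used to confirm a vote.
        return hmac.compare_digest(tag, expected) and serial not in self._spent

    def vote(self, token, choice, confirm):
        """One booth session. Returns True only if a ballot was recorded."""
        if not self._is_valid(token):
            raise PermissionError("invalid or spent token")
        if not confirm:
            return False  # cancelled before confirming: token stays valid
        self._spent.add(token[:16])  # "wipe" the token on confirmation
        # Insert at a random position so stored order does not mirror the
        # order in which names were marked off in the poll book.
        self.ballots.insert(secrets.randbelow(len(self.ballots) + 1), choice)
        return True


if __name__ == "__main__":
    p = Precinct(["voter-a", "voter-b"])  # constructed sample roll
    t = p.issue_token("voter-a")
    print("cancelled:", p.vote(t, "candidate-1", confirm=False))
    print("confirmed:", p.vote(t, "candidate-1", confirm=True))
    try:
        p.vote(t, "candidate-2", confirm=True)
    except PermissionError as exc:
        print("second use rejected:", exc)
```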

  5. voting from the comfort of your own home -bad by locust · · Score: 5
    Being able to vote from anywhere creates situations where people with a vested interest in how you vote (your boss, on an anti-corporate measure) demand that you vote in their presence, where they can watch your vote. This pressure can have adverse effects on your career, and your personal relationships. Imagine if there is something you don't agree with your wife on, and know if it's brought up there will be an argument. Now one or the other can be considerably upset at a vote that they've seen. Another example pertains to registered rep/democ voters in the US. I could easily see the parties demanding that their registered members vote at a party installation where they are watched, and harassed if they don't vote the party line. Further, because most voting places will not be secure (it's easier to secure a polling station) your voting history can easily be recorded and used against you.

    Technology is not the solution to all problems. --locust

  6. Problems with the system by DoomHaven · · Score: 5

    1) Given an identifying password
    Just means I can go to X computers, and type X different passwords, and vote. Guessing passwords would not be very hard; either they would be like a CD-Key/serial-number, and be generated, or they would even be simpler to guess:

    Adams, Doug: abcdefg
    Adams, Dougie: abcdegh
    Adams, Douglas: abcdefi

    2) As well, because the mail-delivered passwords are the only identifying feature, they could be bought, sold, traded, etc. Maybe not by me, but what if you are low-income, no HMO, little daughter is sick, etc. How much is the going price for a vote?

    3) After voting electronically, going to a voting station, and saying, "I lost my password, ring me in!".

    The best way would be the electronic touch-screens at the voting booths. That way, you don't need even to be literate to vote, just touch the picture of the candidate, and voila - you're too stupid to read, but now you have voted in an election. Voting still has to be done at a voting booth regardless of the electronic security you could put together, simply because of the ease of social engineering attacks.

    --
    "Don't mind me cutting myself on Occam's Razor"

  7. Punchcards == Computers by twisty · · Score: 5
    Since we're already using computers in the regards that we punch mechanically tallied cards, it's time we started using computers right!

    Authentication Issues
    Passwords are one of the flimsiest forms available. At least with a signature there is a little real-time originality. It seems to me it is necessary that people should still physically visit the polls:
    1. There is the opportunity to eye-witness the actions of the voter as (s)he presents ID, signs the book, and proceeds to the booth.
    2. There is no question as to what transpired at the poll, whereas a vote from the privacy of your own home invites the danger of mistakes (or accusations of mistakes) where no eye witnesses can verify anything.
    3. Issues of equipment failure, verification of choices, answers for questions, are all kept public. Likewise, any imposters or similar frauds would have played out their actions before witnesses, making detection and reaction easier.

    Computers used Right
    1. Photo-confirmation of the Presidential-pick is a great idea. Those punchholes in Palm Beach couldn't be an issue, even if the choices exceed the ten that Florida dealt with.
    2. Weighted Votes would be great: Rank the picks from top to bottom. The Computer could summarize your top pick, but also distribute the weighted results of the popular vote (i.e. Checking Nader, then Gore, then telling the others to smegg off). ;-)
    3. We could view the web results not only by county, but by district. If a district thinks they have been misrepresented, they could check with their neighbors and contest the results.

    That last one has a funny tie-in with this Florida thang... Even though two-thirds of America would like to disband the Electoral College, it was the very thing that drew the attention to Florida's irregularities. Ironic. Yet, we can only guess how much of this goes on in the other 49 states and D.C.

  8. From election official by thesparkle · · Score: 5

    On ABC this morning they asked roughly the same question "Why don't we have a national standard for voting?".

    The election official cited gave two reasons:
    1) Different systems in different states and counties ensures that the vote cannot be tampered with at a national level. A single system runs into the possibility of a single means to affect the vote by tampering with the single system.

    2) Money. As stated, local governments have to pay for the systems themselves. They do the best they can with the money they have but even well off large areas (such as NYC) are still using 40 year old voting booths because nobody wants to spend the money.

    Slashdot aside, there are still large numbers of Americans who have little or no faith in computer systems - especially after this year's number of DOS attacks. The conspiracy theories regarding the "real winner" of a computer tabulated race would abound. Consider this: the punch card system, such as used in Florida, was first used in the US in 1892; the voting machine, (push the handle to the right of the candidate), was first used in 1896. We obviously adapt to new technology slowly in the world of elections.

  9. No physical ballots = No meaningful recount by plastickiwi · · Score: 5
    The problem with eliminating physical ballots is that it leaves us with no recourse when an error occurs.

    Look at the mess in Florida, and imagine that the voting there had been done 100% by electronic means. How would you deal with people who claim to have voted for the wrong candidate because the ballot was confusing?

    Even worse, how would you deal with a hacked voting station? Security only goes so far; eventually a precinct would be hacked. With e-voting, there'd be no way to recount the ballots, no way to sort "good" ballots from "bad" ones, no way to identify which votes were bogus -- because there wouldn't be votes, just data.

    Now, look at the precincts in Florida who finished their recounts within a few hours. What did they use? Good old fill-it-out-with-a-#2-pencil OPSCAN forms, just like you use with the SATs. Sure, the ballots are counted by machine, but there are ballots to be counted.

    Food for thought.

    --
    -- He's fantastic, made of plastic....