Electronic Voting's Fundamental Flaws
phil reed writes "Given the latest fiasco in Florida's continuing attempts to implement a decent voting system, I thought it would be appropriate to alert Slashdot readers to the work of Dr. Rebecca Mercuri. She's been studying voting systems for many years, and has developed well-considered positions on what makes a good electronic voting system (and what makes a bad one). Her comments on the Florida 2002 election can be found in the current Risks Digest. And, if you think that creating a computer-based voting system is easy, she provides a suggested list of questions that should be answered by any developer." Mercuri's statement in Risks is well worth reading. With all due respect, she is wrong in some respects: it is possible to create a fully-verified electronic system. Start with completely open code and thoroughly examined hardware, create an audited system for installing the code on the hardware, and make it tamper-evident so that you know the same code is still there when the machine reaches the voting booths. Bootable, hologrammed, serial-numbered CD-ROMs with individual private keys would do the trick. Mercuri is thinking in terms of vendors selling proprietary "solutions", where she's absolutely right: there's no way to verify that what people punch in is what is actually recorded.
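The editor's proposal above (open code, an audited install, tamper-evident serial-numbered boot media with per-disc keys) can be made concrete. The following is an added example, not code from the story or from any voting-system vendor: an auditor records a digest of the image and a tag bound to the disc's serial number under a per-device secret (an HMAC stands in here for the per-disc private key the post mentions), and a poll worker re-derives both before the machine is used. The image bytes, serial number and key are all constructed for the example.

```python
import hashlib
import hmac

# Constructed sample: the bytes that would be burned to the boot medium.
SAMPLE_IMAGE = b"open-source vote tabulator build 2002-11 (constructed sample bytes)"


def build_manifest(image: bytes, serial: str, device_key: bytes) -> dict:
    """Manifest produced at the audited install step.

    The digest identifies the exact image bytes; the tag binds serial + digest
    to this disc's secret, so a re-burned disc carrying a different image
    cannot be paired with a valid manifest without that secret.
    """
    digest = hashlib.sha256(image).hexdigest()
    msg = f"{serial}:{digest}".encode()
    tag = hmac.new(device_key, msg, hashlib.sha256).hexdigest()
    return {"serial": serial, "sha256": digest, "tag": tag}


def verify_medium(image: bytes, manifest: dict, device_key: bytes) -> tuple:
    """Check at the polling place that the medium still carries the audited bytes.

    Returns (ok, reason). Comparisons use constant-time equality so the check
    itself leaks nothing about how many digest characters matched.
    """
    digest = hashlib.sha256(image).hexdigest()
    if not hmac.compare_digest(digest, manifest["sha256"]):
        return False, "image bytes differ from the manifest digest"
    msg = f"{manifest['serial']}:{digest}".encode()
    expected = hmac.new(device_key, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        return False, "manifest tag does not verify under this device's key"
    return True, "ok"


def demo() -> list:
    """Run the honest case and two tampering cases; returns (case, ok, reason)."""
    key = b"constructed-per-device-secret"   # would be unique per disc
    manifest = build_manifest(SAMPLE_IMAGE, "FL-0001", key)
    altered = SAMPLE_IMAGE + b"\x00"          # one extra byte on the disc
    # An attacker who can rewrite the disc can also rewrite the digest field,
    # but not the tag, which needs the per-device secret.
    forged = dict(manifest, sha256=hashlib.sha256(altered).hexdigest())
    return [
        ("untouched disc", *verify_medium(SAMPLE_IMAGE, manifest, key)),
        ("altered image, original manifest", *verify_medium(altered, manifest, key)),
        ("altered image, forged digest", *verify_medium(altered, forged, key)),
    ]


if __name__ == "__main__":
    for case, ok, reason in demo():
        print(f"{case:36s} -> {'PASS' if ok else 'FAIL'}: {reason}")
```

What this proves is narrow: the bytes on the disc are the bytes the auditor recorded. It says nothing about whether those bytes, the compiler that produced them, or the hardware that runs them are honest, which is the objection raised further down the thread with the "Reflections on Trusting Trust" reference. The check also depends on keeping the per-device secret away from whoever can rewrite discs.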
Unfortunately, as long as there are humans involved, corruption will always be there. From the guys paid to write the software, to the DB admins, to our friends at M$ who will undoubtedly provide a security-lacking OS to run the system on, voting will always be called into question when it gets as close as it did between Gore and Bush.
I've dirtied my hands writing poetry, for the sake of seduction; that is, for the sake of a useful cause. --Dostoevsky
.. if they can't figure out how to vote by now, then maybe they shouldn't be voting.
I'm sick and tired of hearing about Floridians bitching about the voting process. 49 of the other states get it right, so either fix it, hire someone from the other 49 states as consultant to fix your problems or STFU.
I guess the million dollars they spent last year updating their systems didn't help much.
And don't blame Jeb for the problems, the asshole democratic voting nazi leader down there denied his help.
Live web cams
Michael, I think you don't quite know what you're talking about. First you say a recognized expert is kinda right, but lo and behold, if only we had open source, that would be the end of our woes.
You have to remember that most open source software doesn't provide any degree of assurance other than "it's been used by a lot of people". This really isn't an option for vertically integrated solutions such as digital voting. Just how many hobbyists are going to "hack on" the GNU Vote system?
The track record on contribution by the general public to OSS projects is pretty poor. Look at Mozilla, emacs, linux kernel, etc. Most of the significant contribution has been done by a relatively small number of persons. While lots of useful bug reports and patches have been submitted, I think for electronic voting we need a bit more than "lots of people have submitted bug patches."
What she is talking about here is engineered assurance. OSS is a source code policy, not an engineering style.
With that in mind, I think the best system is still a card system (specifically the "complete the arrow" system). It won't crash, it's recountable as many times as you need (no chads shaking loose in the counting machine) and it's so easy that even the retarded old people living in certain Florida counties can figure it out.
The best part is that it uses no complex parts (which, according to Murphy's Law, are prone to failure on election day). Just a paper and pen -- beat that. Add a reasonable amount of physical security (deputies at each location, plus maybe a representative from each major party to observe) and you're good to go.
This is one of those situations where overthinking and overengineering comes back to bite you.
Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
I think her suggested list applies to a lot more than voting. She deserves a lot of credit, because work like hers is the dirty work no one ever wants to do... real nuts-and-bolts stuff that takes lots of thought.
;)
I love it -- take that, all you kiddies who say "duh, how hard could it be? I could do it in perl in an afternoon, I'm so huge!" Huge you are!
Consider a computer supplier that is co-opted by an unscrupulous political party. They create some sort of hardware mod that allows the contents of memory to be arbitrarily modified. Perhaps it can be controlled wirelessly. Suddenly bootable serial-numbered CD-ROMs aren't a solution.
The advantage to the pencil-and-paper system is that to my knowledge, nobody has developed paper that can cause a mark on its surface to be erased and another mark drawn while the paper is in the ballot box. People can watch the ballot go into the box, they can watch it come out, and be sure that nothing has occurred to change the vote thereupon. When the vote is nothing but electrons inside a machine, this is much more difficult.
This sig is umop apisdn.
There's so much focus on the tools of voting, that people don't pay much attention to the fact that there are fundamental limits to voting systems themselves.
For example, in 1950 Kenneth Arrow proved that no voting system is fair.
This is known as Arrow's Impossibility Theorem and places fundamental mathematical limits on what the democratic process is capable of.
Of course, we have the worst of the worst sort of voting system here with its single-member voting districts and "one man - one vote" philosophy.
An improvement would be proportional representation.
This can't overcome Arrow's theorem, but it's better than what we have now.
But it really doesn't mean anything, since everyone who points out the problems with elections equipment is routinely ignored.
Purchasing elections systems has nothing to do with quality, trustworthiness or even sanity. It is a political decision made by politicians. There are only two questions for politicians making this decision. Is it cheap enough that I can't get raked over by the cost? Will it help/hurt the people I need to vote/not vote for me in order to hold on to power?
That second question in particular is the true driving force for all election system purchase decisions. Every politician knows if he needs old folks, poor people, rich people, republicans, democrats, dog lovers, cat lovers and an endless list of possible groups. If the elections equipment is harder for old folks, a politician who needs them will never agree.
Which counties would it make more sense for a Republican to sabotage an election? Liberal or conservative ones? And for a Democrat? See?
Since Germany isn't significantly less populated than the US (at least in terms of order of magnitude) I don't quite see why this isn't possible here. Perhaps this whole mess is merely a case of someone violating Donald Knuth's oh so true statement: "Premature optimization is the root of all evil." How about giving good old manual labor a chance?
Let me describe the voting system Canada has: You register much as you do here. You show up at the polling place. They cross your name off the list and hand you a hard-to-forge ballot. You walk behind a little screen, put an X next to the person you want to vote for and stick it in a box. At the end of the day, representatives from each party and the media open the box and count the ballots. The results are delivered in a tree - local place reports to city, city probably to county, county to province. They add up all the results and they declare a winner.
Nothing about this fails to scale. In other words, a population 10x the size of Canada requires about 10x the number of volunteers, which works out to be the same number of volunteers per capita.
This system seems so much more workable to me, there are so many fewer opportunities for breakdown.
- Is it Auditable? Yes, keep the ballots locked up and recount them.
- Is it anonymous? Yes, at least as much as touch screen voting.
- Is there any software / printers / touchscreens / whatever to fail? No.
Why do we need millions of dollars of development and plenty of technology to fail when a bunch of pieces of paper and some pens would do fine?
The one thing electronic voting will never be able to overcome is that there is always the possibility that ANY electronic system could be either cracked, hacked, or subverted by a corrupt programmer -- AND THERE WOULD BE NO WAY TO FIND OUT!!!
... the paper stays the same.
With paper, or some other physical object, even if some hacker corrupts the computerized counting machine, you can always do a manual recount. Plus, if power goes out and the computer loses count
Sure, in 2000 Florida showed us that paper isn't perfect either -- but with electronic voting, there could be just as many foulups, but never a recount.
Bootable, hologrammed, serial-numbered CD-ROMs with individual private keys would do the trick.
Um, how exactly? (the most obvious question is why you need a hologram, or a CD rom for that matter)
Of course, since you didn't even provide a process to knock down, just some techno babble it would be impossible to tell you exactly why you're wrong.
autopr0n is like, down and stuff.
I think the biggest problem you'd have in adopting a digital voting system would be making it simple enough so that most people could understand it.
I'm assuming that most US citizens (myself included) would probably not be confident in, or willing to adopt, a system that they can't easily understand and trust.
A pencil-and-paper system is simple enough that anyone can get it - check the box, a human counts it, there's your vote. Even our wacky electoral college system is probably within most people's grasp. But once you start talking about public-key encryption or digital signature algorithms, only a tiny percentage of citizens are going be able to keep up. (and most of that tiny percentage will be white males - providing endless ammunition for politically correct fear-mongering =).
A digital voting system of the necessary sophistication would be beyond most people's understanding, and thus subject to claims of manipulation. (regardless of the system's actual resistance to fraud)
Well, eleven months ago Douglas Jones submitted an article to the RISKS digest pointing to a longer online article that explained in detail how all the spoiled Gore votes arose. It turns out the debacle was completely predictable. It was due to a known artifact of those particular voting machines. One which had caused a scandalous shortfall in those same counties, in a Senate election in 1988.
Briefly, Jones disassembled an example of the votomatic machines in question. He found that there was a structural bar behind the slots through which the chads were to be poked. Jones's investigation proved that candidates whose holes were to be punched over those bars were practically guaranteed to jam. Whoever designed the ballots laid them out so Gore's chads were directly over that bar.
Slashdot editor Michael's comment on voting reliability and trustworthiness strikes me as naive. Don't worship the technological fix! Michael addresses providing an audit trail for the vote casting and tabulation software. This is not as important as providing an audit trail of the actual votes cast.
In another comment in this thread I cite definitive proof that the hanging chad problem was due to a known, predictable artifact of the voting machines. So, was the problem merely "stupid people" as cscx suggests? Or was the inability of some Democratic political appointees exploited by the cunning of shrewder or better informed Republican political appointees?
When world-wide attention was focussed on the hanging chad problem, the Republicans' outcry rang false with me. Florida Republicans kept saying "But Democrats also sat on the committee that approved the ballots! Democrats also reviewed the voting machines! Democrats also signed off on the voting procedures!"
As it turns out, open code and "thoroughly examined hardware" do not a secure system make. The problem is that the code has to get compiled, and it has to run on an operating system, and that has to run on a computer. Even if the code and hardware (if one can examine the microcode) appear to be entirely pristine, Ken Thompson explained in his classic 1984 essay "Reflections on Trusting Trust" (available online, do a Google search) that the compiler that compiled all of that code can be rigged such that malicious code can be concealed. For example: since the dates of US National Elections are fixed to infinity (they are always the 1st Tuesday in November) and since many voting systems (as well as computer systems) rely on real-time clocks, it is certainly plausible to create a hardware trap that only goes off on election day. And that trap doesn't have to be in the voting system either; there are tallying devices, reporting software, and so on. It's a nightmare. The only sane solution is to rely on a voter-verified physical audit trail that can be READ BY HUMANS in case of the necessity for a recount. There are a lot of ways this can be performed (including one by David Chaum that allows the voter to verify that their ballot actually was entered into the final tallies), and true improvements in voting systems will only occur when this is recognized and the "trust us" mentality (including one that says we should trust the people who will supposedly verify all the open code) is abandoned. Please read the extensive writings on Rebecca's website www.notablesoftware.com/evote.html as well as Peter Neumann's for more information on the subject. And for those of you who are convinced, PLEASE encourage all communities who happened to purchase fully-electronic voting systems to have them retrofitted with printers BEFORE the November general election. Brazil is doing just that, right now, with 3% of the 400,000 voting machines they purchased back in 2000 (more may follow).
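Two comments in this thread describe the same defensive idea from different angles: the Canadian poll-by-poll hand count that rolls up a reporting tree, and the call above for a voter-verified paper audit trail that humans can recount when a machine's figures are in doubt. The following is an added example (not code from either commenter, and not any jurisdiction's real tally software) that models both: ballots are hand-counted per poll, rolled up poll to riding to total, and a machine-reported set of figures is reconciled against the hand recount so that any disagreement is pinned to the poll it came from. The poll names, candidates and ballots are constructed for the example.

```python
from collections import Counter

# Constructed sample: the paper ballots in each ballot box, keyed "riding/poll".
# Each entry is the candidate marked with an X; None is a spoiled or blank ballot.
PRECINCT_BALLOTS = {
    "riding-1/poll-01": ["A", "B", "A", None, "A"],
    "riding-1/poll-02": ["B", "B", "A"],
    "riding-2/poll-01": ["A", "C", "C", "B"],
}


def hand_count(ballots):
    """Tally one box the way scrutineers at the table would, spoiled ballots included."""
    tally = Counter()
    for ballot in ballots:
        tally["SPOILED" if ballot is None else ballot] += 1
    return dict(tally)


def count_all(boxes):
    """Hand-count every box; this is the human-readable audit trail."""
    return {poll: hand_count(ballots) for poll, ballots in boxes.items()}


def roll_up(poll_tallies):
    """Aggregate poll -> riding -> overall total, as the reporting tree does.

    Returns (per-riding totals, overall total). Nothing is lost on the way up,
    so any riding figure can be re-derived from its polls and any poll from its box.
    """
    ridings = {}
    for poll, tally in poll_tallies.items():
        riding = poll.split("/")[0]
        ridings.setdefault(riding, Counter()).update(tally)
    overall = Counter()
    for agg in ridings.values():
        overall.update(agg)
    return {r: dict(a) for r, a in ridings.items()}, dict(overall)


def reconcile(reported, recounted):
    """Compare machine-reported per-poll figures with the hand recount of the paper.

    Returns {poll: {candidate: reported - recounted}} for every poll that disagrees,
    so an audit can say exactly where the electronic and paper records diverge.
    """
    discrepancies = {}
    for poll in sorted(set(reported) | set(recounted)):
        rep = Counter(reported.get(poll, {}))
        rec = Counter(recounted.get(poll, {}))
        delta = {c: rep[c] - rec[c] for c in set(rep) | set(rec) if rep[c] != rec[c]}
        if delta:
            discrepancies[poll] = delta
    return discrepancies


def demo():
    """Simulate a machine whose figures for one poll disagree with the paper."""
    paper = count_all(PRECINCT_BALLOTS)
    machine = {poll: dict(t) for poll, t in paper.items()}
    machine["riding-1/poll-02"] = {"A": 2, "B": 1}   # constructed: one vote moved B -> A
    return reconcile(machine, paper)


if __name__ == "__main__":
    per_riding, total = roll_up(count_all(PRECINCT_BALLOTS))
    print("per riding:", per_riding)
    print("overall:", total)
    print("polls where machine and paper disagree:", demo())
```

The reconciliation only works because the paper record exists independently of the machine; if the machine's tally were the sole record, there would be nothing to compare it against, which is exactly the objection the comment above makes about purely electronic systems.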