Slashdot Mirror


Electronic Voting's Fundamental Flaws

phil reed writes "Given the latest fiasco in Florida's continuing attempts to implement a decent voting system, I thought it would be appropriate to alert Slashdot readers to the work of Dr. Rebecca Mercuri. She's been studying voting systems for many years, and has developed well-considered positions on what makes a good electronic voting system (and what makes a bad one). Her comments on the Florida 2002 election can be found in the current Risks Digest. And, if you think that creating a computer-based voting system is easy, she provides a suggested list of questions that should be answered by any developer." Mercuri's statement in Risks is well worth reading. With all due respect, she is wrong in some respects: it is possible to create a fully-verified electronic system. Start with completely open code and thoroughly examined hardware, create an audited system for installing the code on the hardware, and make it tamper-evident so that you know the same code is still there when the machine reaches the voting booths. Bootable, hologrammed, serial-numbered CD-ROMs with individual private keys would do the trick. Mercuri is thinking in terms of vendors selling proprietary "solutions", where she's absolutely right: there's no way to verify that what people punch in is what is actually recorded.
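The tamper-evidence step the summary sketches (audited install, serial-numbered discs, a record of what each disc should contain, a check at the booth that the same code is still there) as an added worked example; it is not code from the submitter, from Slashdot, or from any voting-system vendor. Everything in it is an assumption: the manifest is authenticated with HMAC-SHA256 only because the Python standard library has no public-key signatures, where a real deployment would use a digital signature so that poll-site verifiers hold only a public key; the serial numbers, key and image bytes are constructed sample values.

```python
"""Verifying a serial-numbered boot image against an authenticated manifest.

Added example. The audited install process publishes a manifest mapping each
CD-ROM serial number to the SHA-256 digest of the image burned onto it, and
authenticates the manifest. At the polling place a worker recomputes the
digest of the disc and checks it against the manifest before the machine is
used, so a disc whose contents changed after the audit is detected.
"""
import hashlib
import hmac
import json

# Constructed sample key held by the election authority. Stand-in for a
# signing key; with HMAC the verifier must also hold it, which a real system
# would avoid by using a public-key signature instead.
AUTHORITY_KEY = b"constructed-sample-authority-key"


def image_digest(image: bytes) -> str:
    """SHA-256 of the full disc image, hex-encoded."""
    return hashlib.sha256(image).hexdigest()


def _canonical(entries: dict) -> bytes:
    """Deterministic encoding so the MAC covers exactly one byte string."""
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(images: dict, key: bytes = AUTHORITY_KEY) -> dict:
    """Produce the manifest the audited install process publishes.

    images maps CD-ROM serial number -> image bytes burned onto that disc.
    """
    entries = {serial: image_digest(img) for serial, img in images.items()}
    tag = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return {"entries": entries, "tag": tag}


def manifest_is_authentic(manifest: dict, key: bytes = AUTHORITY_KEY) -> bool:
    """Check that the manifest itself has not been altered since it was issued."""
    expected = hmac.new(key, _canonical(manifest["entries"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["tag"])


def verify_disc(manifest: dict, serial: str, image: bytes, key: bytes = AUTHORITY_KEY) -> str:
    """Poll-site check. Returns one of:
       'ok'             manifest authentic, serial known, disc digest matches
       'bad-manifest'   manifest tag does not verify
       'unknown-serial' serial number never issued by the installer
       'image-mismatch' disc contents differ from what was audited
    """
    if not manifest_is_authentic(manifest, key):
        return "bad-manifest"
    expected = manifest["entries"].get(serial)
    if expected is None:
        return "unknown-serial"
    if not hmac.compare_digest(expected, image_digest(image)):
        return "image-mismatch"
    return "ok"


def demo() -> dict:
    """Walk through the outcomes a poll worker could see (constructed data)."""
    good = b"bootable voting image v1 (constructed)"
    patched = good + b"\x00patched"
    manifest = build_manifest({"SN-0001": good, "SN-0002": good})
    results = {
        "intact": verify_disc(manifest, "SN-0001", good),
        "tampered": verify_disc(manifest, "SN-0002", patched),
        "forged_serial": verify_disc(manifest, "SN-9999", good),
    }
    # A manifest whose entries were edited after issue fails outright.
    edited = {"entries": dict(manifest["entries"]), "tag": manifest["tag"]}
    edited["entries"]["SN-0002"] = image_digest(patched)
    results["edited_manifest"] = verify_disc(edited, "SN-0002", patched)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The check only proves the disc matches what was audited; it says nothing about whether the audited code is correct, which is the part the open-code review is meant to cover.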

13 of 345 comments

  1. Re:Humans involved by plierhead · Score: 3, Interesting

    Yeah, and the question remains - WHY even open ourselves up to this kind of risk?

    Simple analysis shows that the morons who run these shows can even screw up simple paper-based systems that have been around for eons. And we expect to wave the "magic of open source" over them and have them turn into gurus who can build an unprecedentedly secure and massive electronic system that supports arguably the most important single process in the country ??

    Maybe if:

    • we voted every few days on some micro-issues like what the tax on gas should be for the coming month
    • it genuinely mattered that the results take longer than a few seconds after the booths close to come in
    • the current system was chronically broken
    ...then there would be some reasons to try and fix the process with compooter magic. Otherwise let's leave things be.
    --

    [x] auto-moderate all posts by this user as insightful

  2. My Brazilian experience by mangu · Score: 5, Interesting
    I was in charge of a voting section in Brazil in 1998, when electronic voting was used in the whole country. I think security is an important matter, and source code for the whole system should be available to all parties. Auditing is a major concern in a totally electronic system. When I was in charge of that ballot, it recorded votes in a flash card, but I suppose that could be tampered with, since the system was closed source (the OS was based on MS-DOS, although the application source code was available to political parties).


    As an improvement to that, in this year's elections in Brazil a new system will be tried where the ballot prints the vote on a paper which will be shown to the voter through a transparent window, but will not be otherwise accessible before it's cut loose and drops into a sealed canvas bag. Votes will be counted electronically as before, but the canvas bag will provide a way of auditing the whole ballot, if needed.

  3. Points apply to current methods too. by P!erCer · Score: 2, Interesting

    Fully electronic systems do not provide any way that the voter can truly verify that the ballot cast corresponds to that being recorded, transmitted, or tabulated.

    This may be true, but what about current systems? What happens to your card after you punch it? Voters have no way of knowing if the card they punch is the one that ends up being counted...it all comes down to trust. I would rather trust a nonpartisan piece of open-source software than a group of human beings.

    No electronic voting system has been certified to even the lowest level of the U.S. government or international computer security standards (such as the ISO Common Criteria or its predecessor, TCSEC/ITSEC), nor has any been required to comply with such. Hence, no current electronic voting system has been verified as secure.

    True, this is needed. However, I am sure even current systems are more secure than punch cards. A standard A=1 B=2 cypher is more secure than a punch card.

    There are no required standards for voting displays, so computer ballots can be constructed to be as confusing (or more) than the butterfly used in Florida, giving advantage to some candidates over others.

    She brings up the point that Florida ballots were confusing. Exactly! We ALREADY have this problem with our current methods.

    Electronic balloting and tabulation makes the tasks performed by poll workers, challengers, and election officials purely procedural, and removes any opportunity to perform bipartisan checks. Any computerized election process is thus entrusted to the small group of individuals who program, construct and maintain the machines.

    An open source voting solution would be checked by everyone who had a mind to do it, and if it was non-partisan, then the actual voting procedure would be non-partisan. I would rather trust a computer to carry out a potentially emotional procedure than some human beings.

    Although convicted felons and foreign citizens are prohibited from voting in U.S. elections (in many states), there are no such laws regarding voting system manufacturers, programmers and administrative personnel. Felons and foreigners can (and do!) work at and even own some of the voting machine companies providing equipment to U.S. municipalities.

    Whoa...scary. That gets me thinking. What about the companies that make the punch cards? There could be FOREIGNERS printing those cards!

    Encryption provides no assurance of privacy or accuracy of ballots cast. Cryptographic systems, even strong ones, can be cracked or hacked, thus leaving the ballot contents along with the identity of the voter open to perusal. One of the nation's top cryptographers, Bruce Schneier, has recently expressed his concerns on this matter, and has recommended that no computer voting system be adopted unless it also provides a physical paper ballot perused by the voter and used for recount and verification. Internet voting (whether at polling places or off-site) provides avenues of system attack to the entire planet. If the major software manufacturer in the USA could not protect their own company from an Internet attack, one must understand that voting systems (created by this firm or others) will be no better (and probably worse) in terms of vulnerability. Off-site Internet voting creates unresolvable problems with authentication, leading to possible loss of voter privacy, vote-selling, and coercion. Furthermore, this form of voting does not provide equal access for convenient balloting by all citizens, especially the poor, those in rural areas not well served by Internet service providers, the elderly, and certain disabled populations. For these reasons, off-site Internet voting systems should not be used for any government election.

    Ok, it seems she is grouping electronic systems with internet-based systems. On her site, she says she is opposed to both. I admit I would doubt security of an internet-based approach, but ALL electronic solutions? Today's cryptographic algorithms are very, very secure. Just ask all the distributed computing efforts designed to break them. Once again, compare a modern cryptographic algorithm with a punch card in a locked box. Which is more secure to you? Also, an election only lasts a couple months. Afterwards, votes don't really mean much. People aren't going to crank their supercomputers for 5 years to find out if Mr. Gogfroggls Jones voted for Bush in the next Presidential Election.

  4. Re:With All due respect... by xinit · Score: 3, Interesting
    It's not the contributions that matter.
    It's the auditing that matters.

    There are enough conspiracy theorists and paranoids among the coders out there that they would audit every line of code without necessarily contributing any code. That is where an open solution works - people know that the code is good because nobody's got valid paranoid rants about it.

    --
    --- http://foo.ca
  5. How quickly slashdot forgets. by oh · Score: 3, Interesting
    This recent slashdot story links to this article about Ken Thompson's compiler hack. How quickly we forget.

    I would say that you have two options.

    • You yourself have disassembled and audited the entire system, including CPU microcode.

    • You yourself have personally programmed, using only hardware (no software) that you yourself have audited, the entire system, including CPU microcode.


    Stick to paper. Maybe scan/count it electronically, but keep an audit trail that can't be modified electronically.
    --
    Democracy isn't about no one telling you what to do. It's about everyone telling you what to do.
  6. Re:Humans involved by Otter · Score: 3, Interesting
    More importantly, there are far simpler ways to rig elections than any technical intervention: allowing individuals to vote more than once, allowing ineligible registrants to vote, the Cynthia McKinney approach of misleading phone calls to Republicans suggesting they couldn't vote in the Democratic primaries in Georgia,....

    All this hair-splitting about security comes from a simple-minded attitude that a) open-source is a magic wand that detects all software and hardware defects and b) constantly invoking a) covers the entirety of concerns about computing choices.

    One might ask -- wouldn't it be a good idea to wait a few days until it's clear what went wrong in Florida before analyzing the situation? Not at all, because it's easier to pretend it's just another IE security hole and announce that "the community" could fix everything, if only given the chance.

  7. Simple by JohnnyGTO · Score: 2, Interesting

    Let me check my vote with a key via the net after the polls close.

    Let me download all the votes and tally them for myself.

    Respond swiftly to any reported inconsistencies between a voter's actual vote and recorded vote, if you get enough then something is fishy (see next line).

    AND smack any voter falsely reporting an inconsistency with a large frozen pike, south florida exempt and ignored.

    --
    Si vis pacem, para bellum! For evil to succeed good men need only do nothing!
  8. Why do we need to computerize this? by elsilver · Score: 2, Interesting
    This has been bothering me for a while...

    What is it about the US system that demands an automated system? Computerized, punch cards, touch screens, OCR -- any of them -- why are they needed?

    In Canada, we use a simple paper and pencil ballot, that you mark off, and deposit into a ballot box. At the end of the day, they open the box, and count ballots. Within an hour votes start coming in, and within a couple of hours enough have usually come in that the winner can be accurately predicted. By the end of the night, all are counted.

    This is a secure, auditable, verifiable, robust system. During counting, each candidate has the right to have a representative verify the count. If there is a dispute about how a ballot is marked, it can be put aside for review by a judge. And in any event, you can always recount. You don't have to worry about hanging chads, or OCR, or layouts not matching up with the location of buttons.

    Why doesn't this work in the States? It can't be the population difference -- since there are 10 times as many people, there should be 10 times as many volunteers to help count. It can't be security (or whatever) -- you can't tell me that an opaque machine is more secure than having both (or more) sides looking over my shoulder as I count.

    I know this is heresy for the Slashdot crowd, but why go for costly, problem riddled, high-tech solutions when perfectly good, simple low-tech ones work as well, if not better?

    elsilver.

  9. Automatic Ballot Tabulating: Anecdotal Evidence by tanner_andrews · Score: 2, Interesting

    In the year 2000, Florida had some problems with their election returns (tho nothing as massive as the problems of the September, 2002, primary).

    Statistical Information

    In November, 2000, Union County had about 5000 voters distributed amongst 11 precincts, which meant that on average they had about 450 people per precinct. (This is similar to the large county where I live, except that we have far more precincts.)

    By way of comparison, in September 2002, Dade County had 754 precincts; the number of voters and intended voters is uncertain, but it appears to have been fewer than 300000, or about 400 per precinct.

    History in Union County

    During the November, 2000, election, Union used a system where each voter got a piece of paper and a marker. The paper had lists of candidates together with empty check-boxes next to the names. Voters marked their preference and deposited the papers in ballot boxes.

    When the polls closed, the workers opened the ballot boxes, sorted the papers according to the marking for the first race, and counted them. They then shuffled the papers back together, sorted them according to the markings for the second race, and counted them. This sorting and counting was done for each race.

    In November, 2000, the people in Union were in bed by midnight. No one doubted the correctness of their results.

    In September, 2002, Union County employed a system known as "iVotronic", details of which are unclear. Unfortunately, only about 2000 people voted in the Democrat primary.

    In September, 2002, Union County had results by 21.00 (9 p.m.) the day after the election. Scale this to a general election (5000 as opposed to 2000 voters), and one can reasonably expect results by Friday afternoon.

    It is not clear that electronic ballot counting is in fact beneficial.

    Part of the September, 2002 delay in Union was due to the fact that the machine counted everyone as a Republican. It was necessary to count ballots by hand. Fortunately, the system did provide for a paper ballot which could be counted.

    Insupportable Speculation

    For Dade, Broward, and Palm Beach, a system of electronic voting which does not produce any paper has several advantages, not least of which is the speed with which a re-count can be done. The same incorrect totals from each machine may be read and re-added in minutes, and no time-consuming counting of ballots is required.

    A properly programmed machine also offers better assurance about the outcome of the election. Dade in particular appreciates this, though there are other counties where voters have made mistakes. In Volusia, for instance, it was necessary in 1996 for the Sheriff to have his deputies correct absentee ballots where the voter had voted for the wrong candidate.

    Much safer, if one wants to affect the outcome in a close race, is to specially program only a few of the machines. The chance of detection is minimal, because testing only selects a very small number of units. The candidate that arranges for the machine to correct 30% of the votes for his opponent, but only on 10% of the machines, and only after the machine has been running for 2 1/2 hours, will be very unlikely to get caught. He's also going to win an otherwise close race.

    The system used in Union in 2000 does not admit of such automatic ballot correction: if a precinct had a certain number of voters, and the ballot box does not contain that number of papers, then you know that Something Happened.

    Knowing that Something Happened is of course not, without more, sufficient. The Sheriff in 1996 received the benefit of the corrected absentee ballots, which were essential to the outcome. I might argue that the knowledge did make a difference: he saw the hand-writing on the wall, and did not run again in 2000.

    Not knowing that Something Happened is of course essential to the security of those who must needs have election results adjusted.

    --
    Tilt at windmills. Occasionally one will fall over out of sheer surprise.
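The audit that mangu's post (comment 2) and tanner_andrews's post above both describe, as an added example that is not code from either poster or from any county: paper ballots from a sealed bag are sorted and counted one race at a time, the number of papers is checked against the number of voters who signed in (the "Something Happened" check), and each machine's printed totals are compared with the hand count of its own bag. Every ballot, sign-in figure and machine tally below is constructed sample data; a real audit would of course use the precinct's actual records.

```python
"""Reconciling a precinct's electronic tally against its paper record.

Added example. It performs three checks a bipartisan counting team can do
without trusting the machine:
  1. hand count: sort the papers by their marking for one race, count,
     shuffle back together, repeat for the next race;
  2. paper ballots in the bags must equal voters signed in at the precinct;
  3. each machine's reported totals must equal the hand count of its bag.
Any difference is reported as a finding for humans to follow up.
"""
from collections import Counter

# Constructed sample precinct: each machine has its own sealed bag and its own
# printed tally. M2's printed tally disagrees with its paper record.
SAMPLE_PRECINCT = {
    "signed_in": 7,
    "machines": {
        "M1": {
            "paper_ballots": [
                {"governor": "A", "senate": "X"},
                {"governor": "B", "senate": "X"},
                {"governor": "A", "senate": "Y"},
                {"governor": "B", "senate": "Y"},
            ],
            "reported": {"governor": {"A": 2, "B": 2}, "senate": {"X": 2, "Y": 2}},
        },
        "M2": {
            "paper_ballots": [
                {"governor": "B", "senate": "X"},
                {"governor": "B", "senate": "Y"},
                {"governor": "A", "senate": "Y"},
            ],
            "reported": {"governor": {"A": 2, "B": 1}, "senate": {"X": 1, "Y": 2}},
        },
    },
}


def hand_count(ballots):
    """Sort-and-count one race at a time. Returns {race: Counter(choice -> votes)}.
    A ballot that leaves a race blank simply contributes nothing to that race."""
    races = sorted({race for ballot in ballots for race in ballot})
    return {race: Counter(b[race] for b in ballots if race in b) for race in races}


def reconcile(precinct):
    """Return a sorted list of findings; an empty list means paper and machines agree."""
    findings = []
    machines = precinct["machines"]

    # Check 2: number of papers in the bags versus voters who signed in.
    total_papers = sum(len(m["paper_ballots"]) for m in machines.values())
    if total_papers != precinct["signed_in"]:
        findings.append(
            f"precinct: {total_papers} paper ballots but {precinct['signed_in']} voters signed in"
        )

    # Check 3: each machine's reported totals versus the hand count of its own bag.
    for name, machine in machines.items():
        counted = hand_count(machine["paper_ballots"])
        races = sorted(set(machine["reported"]) | set(counted))
        for race in races:
            reported = machine["reported"].get(race, {})
            hand = counted.get(race, Counter())
            for choice in sorted(set(reported) | set(hand)):
                if reported.get(choice, 0) != hand.get(choice, 0):
                    findings.append(
                        f"{name} {race}/{choice}: machine reported {reported.get(choice, 0)}, "
                        f"paper shows {hand.get(choice, 0)}"
                    )
    return sorted(findings)


if __name__ == "__main__":
    for line in reconcile(SAMPLE_PRECINCT) or ["paper and machines agree"]:
        print(line)
```

Because the comparison is done per machine and per race, a discrepancy confined to a handful of units shows up against those units' own bags, which is exactly the case a small pre-election test sample would miss.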
  10. Re:Security not *that* important by Zathrus · Score: 3, Interesting

    too much emphasis on preventing fraud, as if voting fraud is somehow a new phenomenon unique to electronic voting

    Of course it isn't, but the idea is that it might actually be viable to prevent fraud with electronic voting... although I suspect that, as geeks, we can't poke as many holes in an electronic system as you can in a paper system.

    With proper security, however, the bar gets raised a lot higher.

    I think the best system is still a card system

    Well, perhaps... except that even with arrow systems you wind up with cards that are invalid because someone mismarked them, didn't mark hard enough, the graphite wears off with enough recounts, etc. And even with these systems the recounts never produce the same numbers, and they take a considerable amount of time.

    Electronic systems have the potential of eliminating all of these issues (note trolls - I said potential, not absolute). The system will prevent you from entering a ballot that is invalid. You won't accidentally vote for two different candidates in the same race - just not possible. And barring fraud (see above), the vote won't be questionable, it won't decay with recounts, and the recount will be nearly instantaneous (depending on how long system verification takes) and will add up the same every time (if it doesn't, you're in the land of fraud again).

    Eventually we might be able to do online voting, which would be pretty nice if done properly (big if). Sure as hell won't get that with a paper ballot. Of course, 80% of the reason to go to Internet voting could be solved just by getting into the 20th Century (yes, 20th) and allowing voting for more than 12 hours on a single workday. Come on -- week long voting shouldn't be an issue. If it's a cost problem, then a Saturday would still be better than Tuesday.

    That said, you're very right about Murphy's Law and KISS.

  11. Solution searching for a problem? by shermozle · Score: 2, Interesting

    Maybe I'm just dumb but I can't work out what problems electronic or mechanical voting solves. In Australia we have a more complicated voting system (preferential and in some states optional preferential) and use paper ballots. We still manage to count most of the primary vote the night of the election.

    Having been a scrutineer on such elections, I don't see how they would be any easier to defraud than electronic or mechanical systems. The ballot boxes are watched like hawks by the scrutineers and the scrutineers are present while the votes are counted, keeping a sharp eye out for fraud.

    So what do these mechanical or electronic systems actually achieve that is different? Obviously the electronic systems would give a result as soon as polling closes, but is that really worth the expense and risk of implementing an entirely separate system that only gets used once every few years?

  12. Re:I worked on the system in Florida by Anonymous Coward · Score: 1, Interesting

    I know for a fact that you do not know what you are talking about. I work for Election Systems and Software. There are many components and software applications that make up a complete registration, tally and reporting system for voting. It is a lot harder than some of you are making it out to be.

    The iVotronic that was used in the election does use a proprietary OS, and not Windows 95 as you are suggesting; the OS needs to be tight and compact. There is no web server, Crystal Reports and SQL Anywhere running on this machine. It simply presents a ballot (graphic or text) to the voter and utilizes complex voting rules to ensure that the voter does not over vote. They cannot vote until they have gone through the review screen, which allows them to go back and change any under votes or mistakes they made earlier.

    There are over 700 voting precincts in Dade County, and each ballot could be different from the one in the next precinct because of different items on the ballot. Oh, did I forget to mention that the ballot has to be presented in 3 languages and allow them to vote for the party of their choice in the primary. In California, the election will require 7 languages including Chinese, Japanese, Vietnamese, which are not Roman languages.

    I have been reading these articles and have come to the conclusion that most of the people who seem to be responding are more eager to spout off than do a little research. Could you build one? Well if you guys are half as good as you sound, then surely you could be part of the team. But, don't think you are going to crank one out in an all-nighter.

    Actually, had the machines been allowed to complete the process of loading the ballots (6 minutes for normal machines, and 23 for machines that presented the ballot in audio form for visually impaired), they ran extremely well considering that we had 7,200 units just in Miami Dade County alone and a major thunderstorm that knocked out power to several poll locations. Our battery backups in each machine were designed to keep the machines up for about 3 hours, but the power was out for longer than that at some places. The effect of the poll worker yanking the PEB out before the ballot was loaded, is the same as yanking the floppy out when loading any other application or data. I don't think many systems and applications, open or closed, handle that kind of user error very well.

    Can we make improvements? We are and we will, just like you would on any of your projects. But, you are wrong about the information you are providing to the readers of this site. In fact, there has been a whole lot of miscommunication on this site, which does not speak well for our profession as a whole. We give the press a bad time about not getting the facts right, but you guys are supposed to be able to speak knowledgeably about these things, and do some research when you don't know.

    You can read more about the machine by going to our website and selecting the products link.
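The two ballot rules that Zathrus (comment 10) and the Anonymous Coward above both describe, an overvote that the machine simply refuses and a review screen that lists undervotes before the ballot can be cast, as an added example. This is not ES&S code and does not describe how the iVotronic implements these rules; the contest definitions, the vote-for-N rule and the voter's selections are all constructed for illustration.

```python
"""Ballot rules: overvotes are impossible, undervotes are surfaced for review.

Added example. A Contest says how many selections it allows; Ballot.select
refuses any selection that would exceed that number instead of spoiling the
ballot, and Ballot.review lists every contest left with fewer selections than
allowed so the voter can go back before casting.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Contest:
    name: str
    candidates: tuple
    vote_for: int = 1  # maximum selections allowed (vote-for-N contests use N > 1)


class Ballot:
    def __init__(self, contests):
        self.contests = {c.name: c for c in contests}
        self.selections = {c.name: [] for c in contests}
        self.cast = False

    def select(self, contest_name, candidate):
        """Record a selection. Returns False, changing nothing, if the contest is
        already full (overvote), the candidate is not on the ballot, or the
        candidate is already selected."""
        if self.cast:
            return False
        contest = self.contests[contest_name]
        chosen = self.selections[contest_name]
        if candidate not in contest.candidates or candidate in chosen:
            return False
        if len(chosen) >= contest.vote_for:
            return False  # overvote: refused rather than invalidating the ballot
        chosen.append(candidate)
        return True

    def deselect(self, contest_name, candidate):
        """Remove a selection so the voter can change their mind during review."""
        if self.cast or candidate not in self.selections[contest_name]:
            return False
        self.selections[contest_name].remove(candidate)
        return True

    def review(self):
        """Names of contests with fewer selections than allowed (undervotes).
        Undervoting is legal; the list exists so the voter sees it before casting."""
        return [
            name for name, contest in self.contests.items()
            if len(self.selections[name]) < contest.vote_for
        ]

    def cast_ballot(self, reviewed):
        """Cast only after the voter has been shown the review screen.
        Returns the final selections, or None if the ballot cannot be cast."""
        if self.cast or not reviewed:
            return None
        self.cast = True
        return {name: tuple(chosen) for name, chosen in self.selections.items()}


def sample_ballot():
    """Constructed two-contest ballot used by the checks below."""
    return Ballot([
        Contest("governor", ("A", "B")),
        Contest("council", ("P", "Q", "R"), vote_for=2),
    ])


if __name__ == "__main__":
    b = sample_ballot()
    b.select("governor", "A")
    print("second governor pick accepted:", b.select("governor", "B"))  # False
    b.select("council", "P")
    print("undervoted contests:", b.review())  # ['council']
```

The same structure extends to the multi-language and party-primary cases the ES&S poster mentions: the text shown per candidate and the subset of contests presented are presentation and eligibility concerns layered on top of these rules, not changes to them.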

  13. Re:Bush and Gore by Brendan+Byrd · Score: 3, Interesting

    Like when Bush and pals purposefully used technological miscalculations to remove thousands of Democratic Florida voters from the voting pool. That's what I call corruption on a DB admin level.