Slashdot Mirror
Electronic Voting's Fundamental Flaws
phil reed writes "Given the latest fiasco in Florida's continuing attempts to implement a decent voting system, I thought it would be appropriate to alert Slashdot readers to the work of Dr. Rebecca Mercuri. She's been studying voting systems for many years, and has developed well-considered positions on what makes a good electronic voting system (and what makes a bad one). Her comments on the Florida 2002 election can be found in the current Risks Digest. And, if you think that creating a computer-based voting system is easy, she provides a suggested list of questions that should be answered by any developer." Mercuri's statement in Risks is well worth reading. With all due respect, she is wrong in some respects: it is possible to create a fully-verified electronic system. Start with completely open code and thoroughly examined hardware, create an audited system for installing the code on the hardware, and make it tamper-evident so that you know the same code is still there when the machine reaches the voting booths. Bootable, hologrammed, serial-numbered CD-ROMs with individual private keys would do the trick. Mercuri is thinking in terms of vendors selling proprietary "solutions", where she's absolutely right: there's no way to verify that what people punch in is what is actually recorded.
Unfortunately, as long as their are humans involved, corruption will always be there. From the guys paid to write the software, to the DB admins, to our friends at M$ who will undoubtably provide a security-lacking OS to run the system on, voting will always be called into question when it gets as close as it did between Gore and Bush.
I've dirtied my hands writing poetry, for the sake of seduction; that is, for the sake of a useful cause. --Dostoevsky
http://catless.ncl.ac.uk/Risks/22.24.html#subj1
.. if they can't figure out how to vote by now, then maybe they shouldn't be voting.
I'm sick and tired of hearing about Floridians bitching about the voting process. 49 of the other states get it right, so either fix it, hire someone from the other 49 states as consultant to fix your problems or STFU.
I guess the million dollars they spent last year updating their systems didn't help much.
And don't blame Jeb for the problems, the asshole democratic voting nazi leader down there denied his help.
Live web cams
Michael I think you don't quite know what you're talking about. First you say a recognized expert is kinda right, but lo and behold, if only we had open source, that would be the end of our woes.
You have to remember that most open source software doesn't provide any degrees of assurance other than "it's been used by alot of people". This really isn't an option for vertically integrated solutions such as digital voting. Just how many hobbests are going to "hack on" the GNU Vote system ?
The track record on contribution by the general public to OSS projects is pretty poor. Look at Mozilla, emacs, linux kernel, etc. Most of the significant contribution has been done by a relatively small number of persons. While lots of useful bug reports and patches have been submitted, I think for electronic voting we need a bit more than "lots of people have submitted bug patches."
What she is talking about here is engineered assurance. OSS is a source code policy, not an engineering style.
With that in mind, I think the best system is still a card system (specifically the "complete the arrow" system). It won't crash, it's recountible as many times as you need (no chads shaking loose in the counting machine) and it's so easy that even the retarded old people living in certain Florida counties can figure it out.
The best part is that it uses no complex parts (which, according to Murphy's Law, are prone to failure on election day). Just a paper and pen -- beat that. Add a reasonable amount of physical security (deputies at each location, plus maybe a representative from each major party to observe) and you're good to go.
This is one of those situations where overthinking and overengineering comes back to bite you.
Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
I think her suggested list applies to a lot more than voting. She deserves a lot of credit, because work like hers is the dirty work no one ever wants to do... real nuts-and-bolts stuff that takes lots of thought.
;)
I love it -- Take that all you kiddies who say "duh, how hard could it be? I could do it in perl in an afternoon, i'm so huge!" huge you are!
https://www.accountkiller.com/removal-requested
Consider a computer supplier that is co-opted by an unscrupulous political party. They create some sort of hardware mod that allows the contents of memory to be arbitrarily modified. Perhaps it can be controlled wirelessly. Suddenly bootable serial numbered CD-ROMS aren't a solution.
The advantage to the pencil-and-paper system is that to my knowledge, nobody has developed paper that can cause a mark on its surface to be erased and another mark drawn while the paper is in the ballot box. People can watch the ballot go into the box, they can watch it come out, and be sure that nothing has occurred to change the vote thereupon. When the vote is nothing but electrons inside a machine, this is much more difficult.
This sig is umop apisdn.
Yeah, I'm in favor of having unelected political hacks and the Supreme Court decide who our elected officials should be like last time. After all, voting only takes valuable time away from the important things in life.
Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
There's so much focus on the tools of voting, that people don't pay much attention to the fact that there are fundamental limits to voting systems themselves.
For example, in 1950 Kenneth Arrow proved that no voting system is fair.
This is know as Arrow's Impossibility Theorem and places fundamental mathmatical limits on what the democratic process is capable of.
Of course, we have the worst of the worst sort of voting system here with its single-member voting districts and "one man - one vote" philosophy.
An improvement would be proportional representation.
This can't overcome Arrow's theorem, but its better than what we have now.
Is it possible? Then why hasn't it been done before? At least in the PC industry, I can't think of a single example of an uncrackable software package... Basically, to develop an immune system would require something on the order of mil-spec hardware and a goverment contract with a single vendor and the mountains of paperwork associated with it. In other words, if the feds aren't going to organize and standardize this project, it will quickly get out of hand.
The main problem here is that people are using a complicated solution to a very very simple problem: counting! I imagine a compromise system: have a computerized voting thingie that simply prints out the completed ballot for you in an OCR (or MICR) compatible format when you're done voting. Then you have a legal record, no more chads, and the results are verifiable by traditional methods. If the government were to standardize this form of computerized paper ballot, that would allot vendors to create systems at their will, since security is no longer an issue. It's much easier to prevent tampering to pieces of paper as opposed to securing bits and bytes here and tere. Also, the public would be more accepting of such a system, and it eliminates human error from the process, and it keeps the nerds happy.
Palladium
oh wait, then we'd have to trust Microsoft.
As an improvement to that, in this year elections in Brazil a new system will be tried where the ballot prints the vote on a paper which will be shown to the voter through a transparent window, but will not be otherwise accessible before it's cut loose and drops into a sealed canvas bag. Votes will be counted electronically as before, but the canvas bag will provide a way of auditing the whole ballot, if needed.
But it really doesn't mean anything since everyone who points out the problems with elections equipment are routinely ignored.
Purchasing elections systems has nothing to do with quality, trustworthiness or even sanity. It is a political decision made by politicians. There are only two questions for politicians making this decision. Is it cheap enough that I can't get raked over by the cost? Will it help/hurt the people I need to vote/notvote for me in order to hold on to power?
That second question in particular is the true driving force for all election system purchase decisions. Every politician knows if he needs old folks, poor people, rich people, republicans, democrats, dog lovers, cat lovers and an endless list of possible groups. If the elections equipment is harder for old folks, a politician who needs them will never agree.
Fully electronic systems do not provide any way that the voter can truly verify that the ballot cast corresponds to that being recorded, transmitted, or tabulated.
This may be true, but what about current systems? What happens to your card after you punch it? Voters have no way of knowing if the card they punch is the one that ends up being counted...it all comes down to trust. I would rather trust a nonpartisan peice of open-source software than a group of human beings.
No electronic voting system has been certified to even the lowest level of the U.S. government or international computer security standards (such as the ISO Common Criteria or its predecessor, TCSEC/ITSEC), nor has any been required to comply with such. Hence, no current electronic voting system has been verified as secure.
True, this is needed. However, I am sure even current systems are more secure than punch cards. A standard A=1 B=2 cypher is more secure than a punch card.
There are no required standards for voting displays, so computer ballots can be constructed to be as confusing (or more) than the butterfly used in Florida, giving advantage to some candidates over others.
She brings up the point that Florida ballots were confusing. Exactly! We ALREADY have this problem with our current methods.
Electronic balloting and tabulation makes the tasks performed by poll workers, challengers, and election officials purely procedural, and removes any opportunity to perform bipartisan checks. Any computerized election process is thus entrusted to the small group of individuals who program, construct and maintain the machines.
An open source voting solution would be checked by everyone who had a mind to do it, and if it was non-partisan, than the actual voting procedure would be non-partisan. I would rather trust a computer to carry out a potentially emotional procedure than some human beings.
Although convicted felons and foreign citizens are prohibited from voting in U.S. elections (in many states), there are no such laws regarding voting system manufacturers, programmers and administrative personnel. Felons and foreigners can (and do!) work at and even own some of the voting machine companies providing equipment to U.S. municipalities.
Whoa...scary. That gets me thinking. What about the companies that make the punch cards? There could be FOREIGNERS printing those cards!
Encryption provides no assurance of privacy or accuracy of ballots cast. Cryptographic systems, even strong ones, can be cracked or hacked, thus leaving the ballot contents along with the identity of the voter open to perusal. One of the nation's top cryptographers, Bruce Schneier, has recently expressed his concerns on this matter, and has recommended that no computer voting system be adopted unless it also provides a physical paper ballot perused by the voter and used for recount and verification. Internet voting (whether at polling places or off-site) provides avenues of system attack to the entire planet. If the major software manufacturer in the USA could not protect their own company from an Internet attack, one must understand that voting systems (created by this firm or others) will be no better (and probably worse) in terms of vulnerability. Off-site Internet voting creates unresolvable problems with authentication, leading to possible loss of voter privacy, vote-selling, and coersion. Furthermore, this form of voting does not provide equal access for convenient balloting by all citizens, especially the poor, those in rural areas not well served by Internet service providers, the elderly, and certain disabled populations. For these reasons, off-site Internet voting systems should not be used for any government election.
Ok, it seems she is grouping electronic systems with internet-based systems. On her site, she says she is opposed to both. I admit I would doubt security of an internet-based approach, but ALL electronic solutions? Todays cryptographic algorithms are very, very secure. Just ask all the distributed computing efforts designed to break them. Once again, compare a modern cryptographic algorithm with a punch card in a locked box. Which is more secure to you? Also, an election only lasts a couple months. Afterwards, votes don't really mean much. People aren't going to crank their supercomputers for 5 years to find out if Mr. Gogfroggls Jones voted for Bush in the next Presidential Election.
I worked for the company that initially developed the device used in Florida. Our company did the UI, for creating ballots, and the reporting system.
Ready to laugh? Target platform was a C++ CGI running on Windows 95 with Personal Web Server, using SQL Anywhere and Crystal Reports.
I wish I could write a full article about it, but it would make a lot of people angry.
And by the way: open code has NOTHING to do with making electronic voting. It's not a code issue. It's not a hardware issue, either. Retirees and people who can't master the 'Start' button run elections. Paper ballots fit their mindset. I know this. I travelled all over the country setting up the system. Most of the places didn't even have networks. And why should they? It was 1998 and they were still running Windows 3.1, or sometimes just DOS (Wordperfect was popular in several precincts).
You want successful electronic voting? Then don't let your grandmother run the voting machines.
ZOMG I WOULD LOVE TO KNOW ABOUT YOUR FEELINGS ON MACINTOSH VERSUS WINDOWS, VI VERSUS EMACS, AND HOW YOU'RE NOT A DORK
Which counties would it make more sense for a Republican to sabotage an election? Liberal or conservative ones? And for a Democrat? See?
I would say that have two options.
Stick to paper. Maybe scan/count it electronicaly, but keep an audit trail that can't be modified electronicaly.
Democracy isn't about no one telling you what to do. It's about everyone telling you what to do.
On the other hand, it is possible to make a system that is at least as tamper resistant as the current system. In fact, in an earlier posting on a similar topic, I suggested such a system. I haven't done a proper risks analysis, but standard Project Management process would call for one, whether in voting or making a video game.
This system does not allow for internet voting, but I don't really care about people who can't make it to the voting booth. If they have a good reason, they can find another way to vote, and if they're too lazy, they shouldn't vote anyways.
=Brian
There is nothing so good that someone, somewhere, will not hate it.
Yes this is off topic, but I have tried emailing about the flag Icon, but I get no respose., red,white, red,white,red.
/. is in can be difficult to find, but at least take the 10 seconds it would take to look up what it is suppose to look like, sheeesh.
the American Flag has 13 stripes.
red,white,red,white,red,white,red,white
I know Information about the flag the represents the very country in which
The Kruger Dunning explains most post on
If you're interested in real electronic voting (not just replacing the punch card with a keyboard in the voting booth) I suggest you start reading here.
Open source is not the solution. Good crypto is.
-jfedor
Since Germany isn't significantly less populated than the US (at least in terms of order of magnitude) I don't quite see why this isn't possible here. Perhaps this whole mess is merely a case of someone violating Donald Knuth's oh so true statement: "Premature optimization is the root of all evil." How about giving good old manual labor a chance?
It is not possible to "verify" the correct function of any program or hardware beyond the simplest of machines. Punch card ballots come closest to being "verifiable" than anything electronic used for voting. No electronic voting system could ever be proven to be 100% correct O.S. or not.
Though we live with unverified and unverifiable systems all the time, planes, cars, every PC ever made, they work well enough. But the bottom line is, less complexity means less unreliability. And for that, the punch cards win hands down over ANY electronic voting system.
Fix the damn buttterfly ballot books, but otherwise the punch card system has been working amazingly well for a long time. It is NOT broken, it does NOT need to be "fixed" with complex and unreliable technology.
Contrary to popular belief, coding is not all free blow-jobs and beer. Those things cost MONEY!
accusations of election fraud happen every election. Of course, it's difficult to argue any given case because if it works, the cheater is in office, and if it failed, no one cares. However, these accusations come from all sides, all parties, all philosophies and there are many individual cases which are tried and withstand airing in the courtroom.
An example of gaming the system.
-pyrrho
> To protect privacy, each ballot is identified by a single-use,
> random identifier known only to the voter. That way each voter can
> personally verify from the public data that his or her own votes
> were correctly recorded
There's still a weakness there that isn't present in existing systems:
One of the things we need from a voting system is to make it impossible
for other people to force you into voting the way they want you to. eg. an
employer firing you if you don't vote for their uncle, or something.
The way the current system works is to give no way for anyone else,
even if they're holding a gun to your head, to ever find out who
you voted for.
To me, that's one of the most important features of a democratic election.
If you can verify that your vote was recorded successfully from
outside the ballot area, so can someone holding a gun to your head.
- MugginsM
Many of the criticisms of off-site electronic voting systems, while completely valid in general, are moot in Oregon. We have vote-by-mail here. Thus, most of the putative problems with electronic off-site voting are already here, but at least folks mis-mark ballots and the post office loses things.
I have always thought that putting a properly-written open-source voting package on a Knoppix CD and instructing voters to boot their PC off it would solve most of the problems. The advantages would be automatic tabulation of a large percentage of the vote, saving a bunch of p-mail, and clearer, easier-to-mark ballots. Those who couldn't make this solution work could always vote by mail as they do currently.
For state-run voting kiosks, this also seems a sensible solution. A printer could be added to the system to provide an audit trail.
What am I missing here? None of this seems hard, and the security risks seem less severe than those of the current non-electronic systems, which as we know suffer from frequent failures and occasional serious fraud. Is it just a question of insufficient experience with "new-fangled" systems? Or is there something deeper?
My daughter, who has lived in Iowa, tells me that there they use a hybrid system: a simple computer system walks the the user through candidate selection, but punches a card itself. There's still a physical record of the voter's choices, but without hanging chads or overvotes.
The hybrid system seems to be the best solution. The computer assists the voter, but it does not actually cast the ballot itself. To this lifelong resident of Cook County, Illinois, it sounds like a much better system than either hand-punched cards or a purely electronic system.
[this
Naturally it occured to me. If you read my comment carefully, I was NOT stating there was sabotage. I was only pointing that the fact those are liberal counties and the fact that Governor is a Republican is an argument for the sabotage theory, not against it as you implied.
Let me check my vote with a key via the net after the poles close.
Let me download all the votes and tally them for myself.
Response swiftly to any reported inconsistancies between a voters actual vote and recorded vote, if you get enough then something is fishy (see next line).
AND smack any voter falsely reporting an incosistancy with a large frozen pike, south florida exempt and ignored.
Si vis pacem, para bellum! For evil to succeed good men need only do nothing!
I've lived in several places that used hand-counted paper ballots -- mostly small towns in Colorado and Nevada. Make your mark, drop the paper in the box, and come back in the evening or early morning to see the results tacked to the front door of the court house.
Given the huge unemployed population, the number of retirees in Florida (where circumstances have caused me to unhappily live these days), I can not understand why they won't use paper ballots and human labor.
But then again, we Americans do tend to worship technology; the media bombards us with images of the latest and greatest, as if not having a PDA or a new car is the lowest of lows. I ignore such drivel, but it does seem to influence the buying habits of most people.
All about me
Look what Google turned up... An Open Source (GNU) electronic voting initiative
Four fifths of all our troubles in this life would disappear if we would just sit down and keep still. -C. Coolidge
Let me describe the voting system Canada has: You register much as you do here. You show up at the polling place. They cross your name off the list and hand you a hard to forge ballot. You walk behind a little screen, put an X next to the person you want to vote for and stick it in a box. At the end of the day, representatives from each party and the media open the box and count the ballots. The results are delivered in a tree - local place reports to city, city probably to county, county to province. They add up all the results and they declare a winner.
Nothing about this fails to scale. In other words, a population 10x the size of Canada requires about 10x the number of volunteers which works out to be the same number of volunteers per capita.
This system seems so much more workable to me, there are so many fewer opportunities for breakdown.
- Is it Auditable? Yes, keep the ballots locked up and recount them.
- Is it anonymous? Yes, at least as much as touch screen voting.
- Is there any software / printers / touchscreens / whatever to fail? No.
Why do we need millions of dollars of development and plenty of technology to fail when a bunch of pieces of paper and some pens would do fine?Fully electronic systems do not provide any way that the voter can truly verify that the ballot cast corresponds to that being recorded, transmitted, or tabulated.
How can I verify this under the current system?
JET Program: see Japan, meet intere
Governor Bush did not deny "his help" as you so wonderfully state... in fact, he is spitting nails over this latest debacle.
I said that the guy who was in charge of fixing the voting process [democrat], denied Jeb's help [Republican].
And it's actually 32 million if we're splitting hairs
If I didn't see that asshole, Tom Daschle, today talking shit about how he's scared as fuck going into Iraq, I probably wouldn't even have started this thread.
Hi, I have a huge stick up my ass
No offense.
Live web cams
Actually, it seems like you're the one not clear on the issues.
The purpose of open source voting software is peer review, and more basically, adherence to the notion that elections should be conducted in a fair, public and well-understood fashion.
There's no reason to keep the election-booth code secret and every reason not to. Notice I didn't say that the voting booths should be powered by "free software" - a whole other fish altogether.
It's abundantly clear from the article that the vendor of the FL voting machines refused to allow meaningful inspection of their equipment and software, both to the ACM (who volunteered to audit the devices) and to parties in an election-related lawsuit (!). It's also obvious why: clearly, from the magnitude of problems experienced, had such inspection taken place, the vendor's, and the government purchaser's, rank incompetence would have been more rapidly exposed.
Want to Know How to Cheat the GPL? Read On!
In my voting place there were no problems with the voting.
Some points that I observed: the machines take 1 full hour to "warm up" as they were calling it here (boot). That seems like a long time, specially since in many places the people in charge were LATE at opening the doors, so the machines were not ready by 7am. Some acusations of boycot on this (about 50 poll workers were late by 1 full hour).
The code is propietary, cannot be audited, and the
voting machines DO NOT make a backup paper print of every vote.
In some polling places the workers unplugged the machines BEFORE they were shut down, so the data was LOCKED and it took almost a day for the company technitians to retrieve.
There was a severe thunderstorm in some areas that nocked off power and disrupted the voting... remember the machines take 1 hour to boot.
I am more worried about the lack of paper printouts as backup than about the organization problems. The later can be solved eventually, the former is not noticeable until you have a catastrophe of sorts...
Just some observations from down here for everybody to consider.
~~~Please pass the salt, I hate unsalted MD5s
In reality, we don't really need electronic voting. The system as it stands now (manual counting of votes) works just fine.
The problem is in who we allow to vote. The problems in Florida stemmed from an inability by some of the electorat to be able to properly read instructions.
From that, we can assume that either A: These people are very stupid, or B: These people are unwilling to take the time to make sure they are casting a proper ballot (double check your votes, ask an election offical if you need help, and so on.)
In either event, these people should not be extended the privlidge of taking part in our democratic process. I'm not saying that we should limit who gets to vote on intellegence, but I do say that somebody must have a basic level of compantancy.
If, on the other hand, we are going to make concessions for those unwilling to learn basic skills (like punch a hole NEXT to the arrow for the canidate you want), then we need to make concessions for everybody. I missed this last election because I was called out of town at the last minute for business. I had Internet access, and would have loved to vote online.
But somehow it's perfectly fair to jump through hoops to accomidate some retired person with pleanty of time and very little personal responsibility, but it's 'unfair' (as has been stated in some objections to online voting) to accomodate busy young people with jobs.
The Internet is generally stupid
What is it about the US system that demand an automated system? Computerized, punch cards, touch screens, OCR -- any of them -- why are they needed?
In Canada, we use a simple paper and pencil ballot, that you mark off, and deposit into a ballot box. At the end of the day, they open the box, and count ballots. Within an hour votes start coming in, and within a couple of hours enough have usually come in that the winner can be accurately predicted. By the end of the night, all are counted.
This is a secure, auditable, verifiable, robust system. During counting, each candidate has the right to have a representative verify the count. If there is a dispute about how a ballot is marked, it can be put aside for review by a judge. And in any event, you can always recount. You don't have to worry about hanging chads, or OCR, or layouts not matching up with the location of buttons.
Why doesn't this work in the States? It can't be the population difference -- since there are 10 times as many people, there should be 10 times as many volunteers to help count. It can't be security (or what ever) -- you can't tell me that an opaque machine is more secure than having both (or more) sides looking over my shoulder as I count.
I know this is heresy for the Slashdot crowd, but why go for costly, problem riddled, high-tech solutions when perfectly good, simple low-tech ones work as well, if not better?
elsilver.
IMHO the best way to make an all-electronic voting system would be to use some sort of smartcard system. If there were a smartcard available that could sign stuff transmitted to it with the user's private key, the voting machine would not be able to change the votes. (the card would have to have an lcd display to verify what you were signing). The machine would still be able to throw votes out, but this could be overcome by a paper list of who voted (much less obnoxious than a paper ballot) or a counter of people entering the voting booth, separate from the main system.
Such a smartcard would actually be useful for other purposes. It would function nicely as a credit card: you could sign the bill. Nobody could steal your cash without your actual card (or with, if it had a PIN). Nobody could change the charges afterward.
It would also be great for signing other things, like legal documents.
That said, such cards are a long way off, unless public-key crypo dramatically improves or smartcard hardware advances rapidly. A 6805 or the like just couldnt handle it.
I hereby place the above post in the public domain.
The one thing electronic voting will never be able to overcome is that there is always the possibility that ANY electronic system could be either cracked, hacked, or subverted by a corrupt programmer -- AND THERE WOULD BE NO WAY TO FIND OUT!!! .
... the paper stays the same.
With paper, or some other physical object, even if some hacker corrupts the computerized counting machine, you can always do a manual recount. Plus, if power goes out and the computer loses count
Sure, in 2000 Florida showed us that paper isn't perfect either -- but with electronic voting, there could be just as many foulups, but never a recount.
In the year 2000, Florida had some problems with their election returns (tho nothing as massive as the problems of the September, 2002, primary).
Statistical Information
In November, 2000, Union County had about 5000 voters distributed amongst 11 precincts, which meant that on average they had about 450 people per precinct. (This is similar to the large county where I live, except that we have far more precincts.)
By way of comparison, in September 2002, Dade County had 754 precincts; the number of voters and intended voters is uncertain, but it appears to have been fewer than 300000, or about 400 per precinct.
History in Union County
During the November, 2000, election, Union used a system where each voter got a piece of paper and a marker. The paper had lists of candidates together with empty check-boxes next to the names. Voters marked their preference and deposited the papers in ballot boxes.
When the polls closed, the workers opened the ballot boxes, sorted the papers according to the marking for the first race, and counted them. They then shuffled the papers back together, sorted them according to the markings for the second race, and counted them. This sorting and counting was done for each race.
In November, 2000, the people in Union were in bed by midnight. No one doubted the correctness of their results.
In September, 2002, Union County employed a system known as ``iVotronic'', details of which are unclear. Unfortunately, only about 2000 people voted in the Democrat primary.
In September, 2002, Union County had results by 21.00 (9 p.m.) the day after the election. Scale this to a general election (5000 as opposed to 2000 voters), and one can reasonably expect results by Friday afternoon.
It is not clear that electronic ballot counting is in fact beneficial.
Part of the September, 2002 delay in Union was due to the fact that the machine counted everyone as a Republican. It was necessary to count ballots by hand. Fortunately, the system did provide for a paper ballot which could be counted.
Insupportable Speculation
For Dade, Broward, and Palm Beach, a system of electronic voting which does not produce any paper has several advantages, not least of which is the speed with which a re-count can be done. The same incorrect totals from each machine may be read and re-added in minutes, and no time-consuming counting of ballots is required.
A properly programmed machine also offers better assurance about the outcome of the election. Dade in particular appreciates this, though there are other counties where voters have made mistakes. In Volusia, for instance, it was necessary in 1996 for the Sheriff to have his deputies correct absentee ballots where the voter had voted for the wrong candidate.
Much safer, if one wants to affect the out-come in a close race, is to specially program only a few of the machines. The chance of detection is minimal, because testing only selects a very small number of units. The candidate that arranges for the machine to correct 30% of the votes for his opponent, but only on 10% of the machines, and only after the machine has been running for 2 1/2 hours, will be very unlikely to get caught. He's also going to win an otherwise close race.
The system used in Union in 2000 does not admit of such automatic ballot correction: if a precinct had a certain number of voters, and the ballot box does not contain that number of papers, then you know that Something Happened.
Knowing that Something Happened is of course not, without more, sufficient. The Sheriff in 1996 received the benefit of the corrected absentee ballots, which were essential to the outcome. I might argue that the knowledge did make a difference: he saw the hand-writing on the wall, and did not run again in 2000.
Not knowing that Something Happened is of course essential to the security of those who must needs have election results adjusted.
Tilt at windmills. Occasionally one will fall over out of sheer surprise.
Bootable, hologrammed, serial-numbered CD-ROMs with individual private keys would do the trick.
Um, how exactly? (the most obvious question is why you need a hologram, or a CD rom for that matter)
Of course, since you didn't even provide a process to knock down, just some techno babble it would be impossible to tell you exactly why you're wrong.
autopr0n is like, down and stuff.
A pure electronic voting system is always going to have problems, since there's no 'physical' or unchangeable data storage. Entries in a database can always be changed.
What I would do, if I were in that situation, would be to have the system print out a receipt after you're finished voting. The voter would then be expected to look over the receipt to make sure its correct, and then put in a box. If they're not happy with the receipt, they could put it into a shredder and start over again.
The counting would be done via scanners, which would be separate from the machine.
Alternatively, you could just use paper 'fill in the bubble' ballots in the first place.
There's no reason to use computers simply because they're 'cool'. Bubblesheet ballots work well and have little error. Using a touch screen computer is a waste of money and causes more problems then it solves.
autopr0n is like, down and stuff.
I think the biggest problem you'd have in adopting a digital voting system would be making it simple enough so that most people could understand it.
I'm assuming that most US citizens (myself included) would probably not be confident in, or willing to adopt, a system that they can't easily understand and trust.
A pencil-and-paper system is simple enough that anyone can get it - check the box, a human counts it, there's your vote. Even our wacky electoral college system is probably within most people's grasp. But once you start talking about public-key encryption or digital signature algorithms, only a tiny percentage of citizens are going be able to keep up. (and most of that tiny percentage will be white males - providing endless ammunition for politically correct fear-mongering =).
A digital voting system of the necessary sophistication would be beyond most people's understanding, and thus subject to claims of manipulation. (regardless of the system's actual resistance to fraud)
We in Brazil are proud to have one of the world's oldest, largest electronic voting systems.
-----
Score 3? For what? Being wrong, at length? - smirkleton
During the election fiasco of 2000, Bruce Schneier went into the security side of this in great detail. You need human verifiable voting slips, but it can be done, at least for the most part.
sigs are a waste of space
Well, eleven months ago Douglas Jones submitted an article to the RISKS digest pointing to an longer online article that explained in detail how all the spoiled Gore votes arose . It turns out the debacle was completely predictable. It was due to a known artifact of those particular voting machines. One which had caused a scandalous shortfall in those same counties, in a Senate election in 1988.
Briefly, Jones disassembled an example of the votomatic machines in question. He found that there was a structural bar behind the slots through which the chads were to be poked. Jones's investigation proved that candidates whose holes were to be punched over those bars were practically guaranteed to jam. Whoever designed the ballots laid them out so Gore's chads were directly over that bar.
Slashdot editor Michael's comment on voting reliability and trustworthiness strikes me as naive. Don't worship the technologoical fix! Michael addresses providing an audit trail for the vote casting and tabulation software. This is not as important as providing an audit trail of the actual votes cast.
And that's why they should develop a machine that asks the user for their chosen candidate and engraves it into a wooden ball. The unique grain patterns on the ball prevents it from being replaced by a fraudulent ball. This makes the process foolproof, and will undoubtedly be used in other applications in the future.
Silly question, but why is it important that votes be anonymous?
In another comment in this thread I cite definitive proof that the hanging chad problem was due to a known, predictable artifact of the voting machines. So, was the problem merely "stupid people" as cscx suggests? Or were the inability of some Democratic political appointees exploited by the cunning of shrewder or better informed Republican political appointees?
When world-wide attention was focussed on the hanging chad problem the Republicans outcry rang false with me. Florida Republicans kept saying "But Democrats also sat on the committee that approved the ballots! Democrats also reviewed the voting machines! Democrats also signed off on the voting procedures!"
Unlike usage of the average random piece of software, *everyone* votes, and many feel it to be personally important, so I suspect quite a few people may hack on this particular system.
Curtains for windows?
From& ncid=5 14&e=2&cid=514&u=/ap/20020913/ap_on_el_gu/florida_ governor:
http://story.news.yahoo.com/news?tmpl=story
"Florida was plunged into its latest political cliffhanger Tuesday when polling stations opened late and elections workers had myriad problems with the new touchscreen voting machines. Many voters were confused by new precinct boundaries.
In some places, ballots were chewed up by optical scanners and others were modified by hand. One Broward County precinct worker took ballots home after he couldn't reach elections officials.
Florida had enacted new laws and spent $32 million to reform its election system, eliminating paper chads altogether and hoping to avoid other problems that held up the 2000 presidential election for seven weeks.
Instead, hundreds of people complained they were turned away from the polls and many problems were reported in Miami-Dade and Broward counties, which were considered key by Reno's campaign. "
I really hate Dan Patrick.
Like I said yesterday, here's my solution:
1. Increase the size of the ballot to 8.5" x 11".
2. The ballot is inserted into what looks like a larger version of the Votematic machine.
3. When you mark off the ballot, instead of punching out holes in the ballot you mark off your selections with a small permanent ink stamp.
4. The ballot is turned into the voting station worker at the voting site, where the ballot is read electronically (but without telling the worker what selections were made) to make sure all the ink marks are in the right locations; this will detect the possibility of overvotes, undervotes and improper marking of the ballot.
5. Once the voter verifies that the selections are what they want, the ballot is turned in and the voter gets a receipt of voting at the voting site.
The advantage of a ink-marked ballot is that not only are they machine-readable, but they can be easily read by hand counts as a backup. It's not completely perfect but it's way better than the punch card ballot and electronic balloting, both of which can be tampered with.
Quite. So perhaps the solution is not to try to devise the perfect error-free system, but rather institute a rule that says that if the election is close enough to be within the margin of error, a run-off election must be held.
I don't care if it's 90,000 hectares. That lake was not my doing.
I voted in the Tuesday primary and amazingly enough, I managed to do so with a minimum of fuss. It surprises me that we didn't actually have many more problems. After many years of using punch card voting, the state has inflicted a new computer voting system on us. The majority of the poll workers are elderly people who tend not to be very comfortable with new technology. The Miami Herald reported today that most of the poll workers received minimal training and it consisted of watching a video. If you were going to implement such a system, wouldn't you try it out or test it in a wide scale first?
Dade and Broward counties, where most of the problems occurred, are also two of the most populated counties in Florida with the highest numbers of elderly and poor people. Imagine implementing a whole new voting system without doing a wide scale dry run. The kind of massive problems that we witnessed here where to be expected. What also wasn't addressed where the kind of organizational details like having enough poll workers of both political parties at each polling place. That meant that some polling places could not open. We still had the usual record keeping problems, registered voters not appearing in the voter rolls and poorly trained poll workers. What is inexcusable is that with a new system being tried out for the very first time they did not have enough techs available to handle the inevitable problems. They didn't even have a good way to communicate to all polling places to stay open an extra 2 hours. Never mind that many of the voting machines were not ready on time and were sent out to the polling places without the right programming. Then strangely enough, the voting machines would not boot properly. Why weren't the machines tested before sending the out on the field? We are not counting girl scout cookies here! What kind of moron would take brand new untested technology and put it out to be managed by poorly trained technophobes and expect less that a complete disaster?
Before you start giving the poll workers a hard time consider the fact that they had to be at the polling place by 6:00 AM and that they would have to stay till poll closing time. There is only one set of people working the polling sites. There is no second watch. You go home after the polls close. After the last person votes you get to break down the machines and collect the votes and so forth. So conservatively, if the polling window is not extended like it was, the earliest you'd get out would be 8:00 PM. Thats 14 hours minimum. Then you add an extra 2 hours and you have to stay around till 10:00 PM. All this and you only had lunch around noon sometime. By 11:00 PM some of these old folks must have been hypoglycemic!
The problem is not only with the closed, non-auditable, poorly explained, even worse implemented voting system. Its with the people who picked it and the people picked to organize its implementation. To begin with the Florida government has to be the biggest group of imbeciles you could ever hope to put together in one room (that includes our esteemed governor, Jeb Bush). Their main purpose in life seems to be making other "more progressive" states like Alabama, Arkansas and Mississippi look good in comparison. The only thing more screwed up than our voting systems is our child foster care system, which is also managed and organized by the same group of geniuses in Tallahassee.
My problem with a closed implementation of a voting system is that I have no way of knowing that the machine recorded my actual vote. I have no way of knowing that the machine simply didn't make up a vote or just make believe it never existed. I know no voting system can ever be completely tamper proof and fraud free. You may not need computers to tamper with an election but they make doing so much more efficient. Some of the polling places with the most problems where in poor black neighborhoods. At some of these only one vote out of thousands cast were recorded. All the other votes vanished into the ether.
All I want to know is how come Afghanistan, a 4th wold nation in complete ruins, managed to have an election and we cannot.
Alex
Aw, now my feelings are hurt.
The people of Florida decided on election law and then voted in people they trusted to make decisions. These people then appointed Harris, who implemented a sub-par system and then leapt to certify questionable results when her candidate won.
Long and short of it: The people involved with the election didn't do their best to be sure that the person voted for the most times won. In fact, they didn't give a flying fuck so long as it benefitted the guy they were backing. This is analogous to having NFL refs refuse ("apon further review") to overturn bogus calls in the Superbowl because they have money riding on one team or the other.
And, frankly, your "this is how the system is, so it must be right" attitude is sickening.
Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
As it turns out, open code and "thoroughly examined hardware" do not a secure system make. The problem is that the code has to get compiled, and it has to run on an operating system, and that has to run on a computer. Even if the code and hardware (if one can examine the microcode) appears to be entirely pristine, Ken Thompson explained in his classic 1984 essay "Reflections on Trusting Trust" (available online, do a Google search) that the compiler that compiled all of that code can be rigged such that malicious code can be concealed. For example: Since the dates of US National Elections are fixed to infinity (they are always the 1st Tuesday in November) and since many voting systems (as well as computer systems) rely on real-time clocks, it is certainly plausible to create a hardware trap that only goes off on election day. And that trap doesn't have to be in the voting system either, there's tallying devices, reporting software, and so on. It's a nightmare. The only sane solution is to rely on a voter-verified physical audit trail that can be READ BY HUMANS in case of the necessity for a recount. There's a lot of ways this can be performed (including one by David Chaum that allows the voter to verify that their ballot actually was entered into the final tallies), and true improvements in voting systems will only occur when this is recognized and the "trust us" mentality (including one that says we should trust the people who will supposedly verify all the open code) is abandoned. Please read the extensive writings on Rebecca's website www.notablesoftware.com/evote.html as well as Peter Neumann's for more information on the subject. And for those of you who are convinced, PLEASE encourage all communities who happened to purchase fully-electronic voting systems to have them retrofitted with printers BEFORE the November general election. Brazil is doing just that, right now, with 3% of the 400,000 voting machines they purchased back in 2000 (more may follow).
I think of it more as a way to streamline work between lower-level local bureaucracies. It would never work, really... The real solution would be to divide the larger states into more managible units until they were all the side of Delaware (good news for Rhode Island!).
Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
As mentioned previously on /. there's open-source e-voting code available on-line.
To recap the message:
Zoe Brain - Rocket Scientist
These sorts of things used to be common in certain parts of the United States that were run by political machines. Whenever a corrupt political organization runs an election, you can expect them to try to manipulate the results, no matter what technology is used for voting.
Today, there are widespread problems with felons and non-citizens voting, non-residents voting, and people casting multiple ballots. Absentee ballots have been abused by people who request them on behalf of the voter, who may be incompetant or dead, and then "help" the voter fill out the ballot.
Mea navis aericumbens anguillis abundat
Given the latest fiasco in Florida's continuing attempts to implement a decent voting system, I thought it would be appropriate to alert Slashdot readers to the work of Mr. Dave Barry. He's been studying voting systems for many years, and has developed some well-considered positions.
The American electoral system seems to me to be obsessed with mechanical and/or electronic voting systems.
Here in Australia, we use good ol' pencil and paper. It leaves a difficult-to-forge audit trail.
You go into a polling station, and there are a row of electoral staff behind tables. You go up to one, give them your name, and they cross you off a paper printout of the electoral roll. (Later, they will collate these crossings out to check for people who voted twice, or zero times. Voting is compulsory in state and federal elections. The paper roll is only printed out for your seat, but if you find yourself outside your seat , there is procedure to cover this.)
The elctoral staff give you two ballot papers, one for each house (plus a ballot for a referendum, if there is one). You walk to the voting booths, which are made of cardboard so that at the end of the day they can be folded and stowed for next year.
On the lower house ballot, you number all the boxes (we use a preferential voting scheme). The upper house ballot is more complicated, because we use a somewhat zany (but still quite nice) proportional system of electing people. But it's still philosophically straightforward for the voter to fill in.
Although all the ballots are paper, counting is quite fast -- lower house approximate results are available that night, and any close race results are usually available the following day. The upper house results usually take a bit longer, due to the way in which parts of votes get redistributed, which is a complete pig to do by hand. Despite this delay, doing everything on paper is totally worth it, because it makes the electoral system simple enough for any voter to understand, and makes the methods by which fraud might be perpetrated equally obvious. (Other posters have mentioned Ken Thompson's Reflections on trusting trust.)
Another poster mentioned Arrow's Impossibility Theorem. Of all the possible voting schemes, I like preferential best; because the voter's best strategy is always to vote for the candidates he wants, in the order he wants them. This is in contrast to the American first-past-the-post scheme, in which voters must decide whether to vote for the candidate they truly want, and "throw their vote away".
NASA spends millions developing a pen which works in zero gravity.
Other astronaughts use pencils.
Mabye I'm just dumb but I can't work out what problems electronic or mechanical voting solves. In Australia we have a more complicated voting system (preferential and in some states optional preferential) and use paper ballots. We still manage to count most of the primary vote the night of the election.
Having been a scrutineer on such elections, I don't see how they would be any easier to defraud than electronic or mechanical systems. The ballot boxes are watched like hawks by the scrutineers and the scrutineers are present while the votes are counted, keeping a sharp eye out for fraud.
So what do these mechanical or electronic systems actually achieve that is different? Obviously the electronic systems would give a result as soon as polling closes, but is that really worth the expense and risk of implementing an entirely separate system that only gets used once every few years?
I think there's too much emphesis on preventing fraud, as if voting fraud is somehow a new phenomenon unique to electronic voting. While security is naturally important, I think it's equally vital to have a reliable, easy-to-audit and hard-to-break system.
Well, I agree on the paper ballot, but I disagree on the issue of security.
Consider by analogy the idea of on line banking. Bank theft, of the stick up variety, has been with us as long as there has been banks. Does this mean we don't pay any special new attention to security when we allow on-line banking? Of course not. The set of threats is new. A robber no longer has to risk his body, or even going to jail if he initiates his attack outside the jurisdiction of the local law enforcement. He may be able to cover his tracks so his theft is not detected for a long time.
There are three aspects or phases to security: prevention, detection and response. I think it is correct to say that it is possible and common to worry too much about the prevention phase. This is because at some point you will be foiled by your inability to imagine every attack an infinite number of hostile monkeys will come up with.
While a modicum of prevention is necessary, the cornerstone of real world security is detection. If you are a computer sys admin, you understand that looking at logs and modification times of key system components is important. If you are concerned with preventing financial fraud, while you may structure things to make it hard to accomplish without collusion, your most important tool is regular auditing. If you are voter, you need to be able to see that your vote was recorded properly.
I would go so far as to say that any voting system that doesn't provide the voter with an immutable physical ballot which he can inspect with his own senses is intrinsically unauditable. Even the providing voters with a cryptographic key as michael suggests doesn't do the trick; once the key has been provided to the machine, the machine can sign any kind of vote it wishes. Unless we give up the idea of a secret ballot (something I personally think that is not such a bad idea), we have no audit trail.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
Trying to secure an individual workstation is pointless and impossible. Trying to validate that the data stored in one place is correct is also pointless. You cannot secure one instance of the data. You can, however, secure and verify a distributed, replicated store of information.
The essential steps are:
1. Separate the validation of identity from identity codes. An agency can validate who you are...a private key is used to encode your identity into the voting system.
2. Use one part of a distributed system to enter a valid vote. The vote is replicated to all interested observing parties.
3. Use another part of a distributed system to verify that vote. Verification can be done against any observation point.
4. Continuously allow any group that wishes it to verify the contents of their replicated result set against any other set. Any discrepancies trigger analysis to determine the source of the fault.
If you disagree with an assertion made in an article, post it as a comment like the rest of us do.
I'm sick of the habit of some Slashdot editors, most egregiously yourself, Michael, to use their role as editors as a proselytizing pulpit. Your job is to focus our attention on the articles, not to draw attention away from them and onto yourself.
I mod you down -1, Offtopic.
Like when Bush and pals purposefully used technological miscalculations to remove thousands of Democratic Florida voters from the voting pool. That's what I call corruption on a DB admin level.
Zodiac Survey
People already have to deposit their vote in a box under the watchful eye of a worker, to avoid people from dumping crap in the box to spoil a bunch of votes. People seem to manage this so far.
To avoid fake votes, where someone takes one home, prints up a bunch of dupes, and hands them to someone else to take in and drop in the box, you use some form of public-key encryption (likely PGP because it's well known) and the machine signs the vote, the time, and its serial number, with it's private key. If you duplicate the paper you're left with two identical votes which can't be valid because the machine can't generate votes that fast.
So the vote-tally machine makes SHA1 (or whatever) sums from the votes, checking to see if it's got a duplicate. If it does, it buzzes and people investigate. Perhaps it's the one-in-a-googleplex chance that it would really happen by chance, but likely it's attempted fraud.