Slashdot Mirror


Electronic Voting's Fundamental Flaws

phil reed writes "Given the latest fiasco in Florida's continuing attempts to implement a decent voting system, I thought it would be appropriate to alert Slashdot readers to the work of Dr. Rebecca Mercuri. She's been studying voting systems for many years, and has developed well-considered positions on what makes a good electronic voting system (and what makes a bad one). Her comments on the Florida 2002 election can be found in the current Risks Digest. And, if you think that creating a computer-based voting system is easy, she provides a suggested list of questions that should be answered by any developer." Mercuri's statement in Risks is well worth reading. With all due respect, she is wrong in some respects: it is possible to create a fully-verified electronic system. Start with completely open code and thoroughly examined hardware, create an audited system for installing the code on the hardware, and make it tamper-evident so that you know the same code is still there when the machine reaches the voting booths. Bootable, hologrammed, serial-numbered CD-ROMs with individual private keys would do the trick. Mercuri is thinking in terms of vendors selling proprietary "solutions", where she's absolutely right: there's no way to verify that what people punch in is what is actually recorded.
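As an added illustration (not code from Slashdot, from Dr. Mercuri, or from any voting vendor), here is one concrete reading of the "tamper-evident, serial-numbered media with a per-disc key" idea in the editor's comment: a manifest of file hashes for the boot disc, bound to the disc's serial number and authenticated with a per-disc key, which a poll worker's check re-verifies before the machine is used. The disc tree below is constructed in a temporary directory, and HMAC-SHA256 with a per-disc key is an assumed stand-in for whatever signing scheme the proposal had in mind (a real deployment would want a public-key signature so the verifier holds no secret).

```python
"""Tamper-evident boot media: a per-disc manifest of file hashes.

Added illustration only. The disc contents, serial number and key are
constructed for the example; HMAC-SHA256 stands in for a per-disc
signature (assumption, not the proposal's stated scheme)."""

import hashlib
import hmac
import os
import tempfile


def file_sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, serial):
    """Hash every file under root, in a fixed order so the manifest
    bytes are reproducible, and bind the result to the disc serial."""
    entries = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries.append((rel, file_sha256(full)))
    entries.sort()
    body = "\n".join(f"{digest}  {rel}" for rel, digest in entries)
    return f"serial: {serial}\n{body}\n"


def sign_manifest(manifest, disc_key):
    """Per-disc authentication tag over the manifest text."""
    return hmac.new(disc_key, manifest.encode(), hashlib.sha256).hexdigest()


def verify_disc(root, manifest, tag, disc_key):
    """Return (ok, problems). Check the manifest's own tag first, then
    rehash the tree and report modified, missing and unexpected files."""
    if not hmac.compare_digest(sign_manifest(manifest, disc_key), tag):
        return False, ["manifest signature does not verify"]
    lines = manifest.splitlines()
    serial = lines[0].split(": ", 1)[1]
    expected = dict(reversed(line.split("  ", 1)) for line in lines[1:])
    actual = dict(reversed(line.split("  ", 1))
                  for line in build_manifest(root, serial).splitlines()[1:])
    problems = []
    for rel in sorted(set(expected) | set(actual)):
        if rel not in actual:
            problems.append(f"missing: {rel}")
        elif rel not in expected:
            problems.append(f"unexpected: {rel}")
        elif expected[rel] != actual[rel]:
            problems.append(f"modified: {rel}")
    return not problems, problems


def demo():
    """Build a small constructed disc image, sign it, then tamper with it.
    Returns the three verification results (clean, tampered, forged)."""
    key = b"per-disc-key-0001"          # constructed; one key per serial
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "vote"), "wb") as f:
            f.write(b"\x7fELF fake voting binary\n")   # constructed content
        with open(os.path.join(root, "ballot.cfg"), "w") as f:
            f.write("precinct=1\n")
        manifest = build_manifest(root, "0001")
        tag = sign_manifest(manifest, key)
        clean = verify_disc(root, manifest, tag, key)
        with open(os.path.join(root, "bin", "vote"), "ab") as f:
            f.write(b"patched\n")                       # simulated tampering
        tampered = verify_disc(root, manifest, tag, key)
        forged = verify_disc(root, manifest + "x", tag, key)
        return clean, tampered, forged


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "forged"), demo()):
        print(label, result)
```

What this check establishes is narrow: the bytes on the disc are the bytes that were signed. It runs on the same machine it is checking, so it says nothing about the hardware, the firmware, or the compiler that produced the signed code, which is exactly the objection several of the comments below raise.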

24 of 345 comments

  1. Humans involved by kryonD · · Score: 4, Insightful

    Unfortunately, as long as there are humans involved, corruption will always be there. From the guys paid to write the software, to the DB admins, to our friends at M$ who will undoubtedly provide a security-lacking OS to run the system on, voting will always be called into question when it gets as close as it did between Gore and Bush.

    --
    I've dirtied my hands writing poetry, for the sake of seduction; that is, for the sake of a useful cause. --Dostoevsky
    1. Re:Humans involved by plierhead · · Score: 3, Interesting

      Yeah, and the question remains - WHY even open ourselves up to this kind of risk ?

      Simple analysis shows that the morons who run these shows can even screw up simple paper-based systems that have been around for eons. And we expect to wave the "magic of open source" over them and have them turn into gurus who can build an unprecedentedly secure and massive electronic system that supports arguably the most important single process in the country ??

      Maybe if:

      • we voted every few days on some micro-issues like what the tax on gas should be for the coming month
      • it genuinely mattered that the results take longer than a few seconds after the booths close to come in
      • the current system was chronically broken
      ...then there would be some reasons to try and fix the process with compooter magic. Otherwise let's leave things be.
      --

      [x] auto-moderate all posts by this user as insightful

    2. Re:Humans involved by Otter · · Score: 3, Interesting
      More importantly, there are far simpler ways to rig elections than any technical intervention: allowing individuals to vote more than once, allowing ineligible registrants to vote, the Cynthia McKinney approach of misleading phone calls to Republicans suggesting they couldn't vote in the Democratic primaries in Georgia,....

      All this hair-splitting about security comes from a simple-minded attitude that a) open-source is a magic wand that detects all software and hardware defects and b) constantly invoking a) covers the entirety of concerns about computing choices.

      One might ask -- wouldn't it be a good idea to wait a few days until it's clear what went wrong in Florida before analyzing the situation? Not at all, because it's easier to pretend it's just another IE security hole and announce that "the community" could fix everything, if only given the chance.

  2. With All due respect... by synx · · Score: 5, Insightful

    Michael, I think you don't quite know what you're talking about. First you say a recognized expert is kinda right, but lo and behold, if only we had open source, that would be the end of our woes.

    You have to remember that most open source software doesn't provide any degree of assurance other than "it's been used by a lot of people". This really isn't an option for vertically integrated solutions such as digital voting. Just how many hobbyists are going to "hack on" the GNU Vote system?

    The track record on contribution by the general public to OSS projects is pretty poor. Look at Mozilla, emacs, linux kernel, etc. Most of the significant contribution has been done by a relatively small number of persons. While lots of useful bug reports and patches have been submitted, I think for electronic voting we need a bit more than "lots of people have submitted bug patches."

    What she is talking about here is engineered assurance. OSS is a source code policy, not an engineering style.

    1. Re:With All due respect... by xinit · · Score: 3, Interesting
      It's not the contributions that matter.
      It's the auditing that matters.

      There are enough conspiracy theorists and paranoids among the coders out there that they would audit every line of code without necessarily contributing any code. That is where an open solution works - people know that the code is good because nobody's got valid paranoid rants about it.

      --
      --- http://foo.ca
  3. Security not *that* important by Skyshadow · · Score: 5, Insightful
    I think there's too much emphasis on preventing fraud, as if voting fraud is somehow a new phenomenon unique to electronic voting. While security is naturally important, I think it's equally vital to have a reliable, easy-to-audit and hard-to-break system.

    With that in mind, I think the best system is still a card system (specifically the "complete the arrow" system). It won't crash, it's recountable as many times as you need (no chads shaking loose in the counting machine) and it's so easy that even the retarded old people living in certain Florida counties can figure it out.

    The best part is that it uses no complex parts (which, according to Murphy's Law, are prone to failure on election day). Just a paper and pen -- beat that. Add a reasonable amount of physical security (deputies at each location, plus maybe a representative from each major party to observe) and you're good to go.

    This is one of those situations where overthinking and overengineering comes back to bite you.

    --
    Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
    1. Re:Security not *that* important by Zathrus · · Score: 3, Interesting

      too much emphasis on preventing fraud, as if voting fraud is somehow a new phenomenon unique to electronic voting

      Of course it isn't, but the idea is that it might actually be viable to prevent fraud with electronic voting... although I suspect that, as geeks, we can't poke as many holes in an electronic system as you can in a paper system.

      With proper security, however, the bar gets raised a lot higher.

      I think the best system is still a card system

      Well, perhaps... except that even with arrow systems you wind up with cards that are invalid because someone mismarked them, didn't mark hard enough, the graphite wears off with enough recounts, etc. And even with these systems the recounts never produce the same numbers, and they take a considerable amount of time.

      Electronic systems have the potential of eliminating all of these issues (note trolls - I said potential, not absolute). The system will prevent you from entering a ballot that is invalid. You won't accidentally vote for two different candidates in the same race - just not possible. And barring fraud (see above), the vote won't be questionable, it won't decay with recounts, and the recount will be nearly instantaneous (depending on how long system verification takes) and will add up the same every time (if it doesn't, you're in the land of fraud again).

      Eventually we might be able to do online voting, which would be pretty nice if done properly (big if). Sure as hell won't get that with a paper ballot. Of course, 80% of the reason to go to Internet voting could be solved just by getting into the 20th Century (yes, 20th) and allowing voting for more than 12 hours on a single workday. Come on -- week long voting shouldn't be an issue. If it's a cost problem, then a Saturday would still be better than Tuesday.

      That said, you're very right about Murphy's Law and KISS.

    2. Re:Security not *that* important by swillden · · Score: 4, Insightful

      With that in mind, I think the best system is still a card system (specifically the "complete the arrow" system). It won't crash, it's recountable as many times as you need (no chads shaking loose in the counting machine) and it's so easy that even the retarded old people living in certain Florida counties can figure it out.

      Hear, hear. Paper and ink has huge advantages when it comes to ballots. Everyone can see exactly who they voted for, the votes can be recounted at will and, maybe most importantly, we know how to secure and audit the management of lockboxes of paper votes. Been doing it for a long time.

      The one downside of hand-marked paper ballots is that they're hard to count electronically. If electronic counting is important, I think a hybrid system is the way to go: use a nice, easy-to-use touch screen to make your selections and then have a printer mark your votes on the paper ballot in both human and machine-readable formats. Then, at tally time, you can rapidly and accurately generate a file containing all of the numbered ballots (grouped by voting district) and the votes cast. This file can then be published and anyone who wants to can tally up the votes for themselves.

      Further, you can take a random sample of the paper ballots and manually verify that the human-readable portion, the computer-readable portion and the tally file's summary of this ballot are all in perfect agreement. A relatively small sample can provide an extremely high level of confidence that the system is functioning correctly.

      With this kind of method, there is no question about the correctness of the software, whether open or closed, because if it prints the wrong selections on the human-readable portion, the voter will catch it. If it prints the wrong selections in the computer-only portion or if the counting system makes errors, the random verification will catch it. If there are errors, you can always fall back on purely manual counting.

      Electronic ballot-counting does have some advantages over manual counting: it's cheaper, faster, apolitical and the notion of a published "tally file" makes it more open and more widely verifiable.

      But, given a choice between a purely paper-based system and a purely electronic system, I'll take paper. And I'll take just about anything over those punched cards.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
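The hybrid scheme in the comment above (touch screen, printed ballot in human- and machine-readable form, a published per-ballot tally file, and a random sample of paper ballots checked against it) is concrete enough to work through. The following is an added example, not code from the commenter, from Slashdot or from any voting system. The tally-file layout, districts, races and candidate names are all constructed for the example, and a printed ballot's human-readable text and machine-readable marks are represented as two small dicts. One constructed ballot is given a machine-readable portion that disagrees with what the voter saw, standing in for a printer or scanner fault.

```python
"""Hybrid ballot audit: re-tally a published tally file and spot-check a
random sample of paper ballots against it.

Added illustration only; the file layout (ballot_id,district,race=choice;...)
and all names and counts are constructed for the example."""

import random
from collections import Counter, defaultdict


def build_election(n_ballots=200, faulty_id="0043"):
    """Construct n_ballots paper ballots and the tally file the counting
    system would publish from their machine-readable portions. Ballot
    faulty_id is mis-encoded: the machine-readable portion says Bob while
    the voter saw Alice. The published file faithfully reports what the
    machine read, so it is internally consistent but still wrong."""
    paper, lines = {}, []
    for i in range(n_ballots):
        bid = f"{i:04d}"
        human = {"Mayor": "Alice" if i % 3 else "Bob",
                 "Prop1": "Yes" if i % 2 == 0 else "No"}
        machine = dict(human)
        if bid == faulty_id:
            machine["Mayor"] = "Bob"            # simulated printer/scanner fault
        district = "North" if i < n_ballots // 2 else "South"
        paper[bid] = {"district": district, "human": human, "machine": machine}
        votes = ";".join(f"{race}={choice}" for race, choice in machine.items())
        lines.append(f"{bid},{district},{votes}")
    return "\n".join(lines) + "\n", paper


def parse_tally_file(text):
    """Parse the assumed layout into {ballot_id: {district, votes}}."""
    ballots = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        bid, district, votes = line.split(",", 2)
        choices = dict(item.split("=", 1) for item in votes.split(";") if item)
        ballots[bid] = {"district": district, "votes": choices}
    return ballots


def independent_tally(ballots):
    """Anyone holding the published file can recompute the totals per race."""
    totals = defaultdict(Counter)
    for record in ballots.values():
        for race, choice in record["votes"].items():
            totals[race][choice] += 1
    return {race: dict(counts) for race, counts in totals.items()}


def draw_sample(ballot_ids, sample_size, rng):
    """Pick which paper ballots to pull from the lockbox. Seed rng from a
    public source chosen after the tally file is published, so the sample
    cannot be anticipated by whoever controls the machines."""
    return rng.sample(sorted(ballot_ids), sample_size)


def audit_ballots(ballots, paper, ballot_ids):
    """For each sampled ballot, require the human-readable portion (what the
    voter verified), the machine-readable portion and the tally-file record
    to agree. Returns (ballot_id, human, machine, recorded) for mismatches."""
    discrepancies = []
    for bid in ballot_ids:
        human, machine = paper[bid]["human"], paper[bid]["machine"]
        recorded = ballots[bid]["votes"]
        if not (human == machine == recorded):
            discrepancies.append((bid, human, machine, recorded))
    return discrepancies


def detection_probability(total, bad, sample_size):
    """Chance that a random sample (without replacement) of sample_size out
    of `total` ballots includes at least one of `bad` mismatched ballots."""
    p_miss = 1.0
    for i in range(sample_size):
        p_miss *= max(total - bad - i, 0) / (total - i)
    return 1.0 - p_miss


if __name__ == "__main__":
    tally_text, paper = build_election()
    ballots = parse_tally_file(tally_text)
    print("recomputed totals:", independent_tally(ballots))
    sample = draw_sample(ballots, 20, random.Random(2002))
    print("sample audit found:", audit_ballots(ballots, paper, sample))
    print("full audit found:", audit_ballots(ballots, paper, sorted(ballots)))
    print("P(detect 1 bad of 200 with 20 sampled):",
          round(detection_probability(200, 1, 20), 3))
```

Two things the example makes visible. Re-tallying the published file reproduces the machine's totals exactly, because the file honestly records what the machine read; only comparing the human-readable portion of the paper catches the mis-encoded ballot, which is why the voter-verified portion is the part that matters. And `detection_probability` shows that "a relatively small sample" has to be sized against the margin: 20 of 200 ballots finds a single bad ballot only 10% of the time, while 100 of 1000 finds at least one of 50 bad ballots with better than 99% probability.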
  4. suggested list by Sebastopol · · Score: 5, Insightful

    I think her suggested list applies to a lot more than voting. She deserves a lot of credit, because work like hers is the dirty work no one ever wants to do... real nuts-and-bolts stuff that takes lots of thought.

    I love it -- Take that all you kiddies who say "duh, how hard could it be? I could do it in perl in an afternoon, i'm so huge!" huge you are! ;)

    --
    https://www.accountkiller.com/removal-requested
  5. Re:Ya know.. by sdavid · · Score: 4, Insightful

    We only really know how bad the Florida system was because the election was a statistical tie, leading to the recounts and a very close look at the process. I'd suspect that many states have very similar problems, for example Maryland in the current primary, and we simply aren't as aware of them.

  6. Electronic voting completely open? by rsteele19 · · Score: 5, Insightful
    Michael's position that it is possible to create a fully verifiable electronic system seems to have one fundamental flaw: It is impossible to discern with certainty the processes that are occurring inside the machine.

    Consider a computer supplier that is co-opted by an unscrupulous political party. They create some sort of hardware mod that allows the contents of memory to be arbitrarily modified. Perhaps it can be controlled wirelessly. Suddenly bootable serial numbered CD-ROMS aren't a solution.

    The advantage to the pencil-and-paper system is that to my knowledge, nobody has developed paper that can cause a mark on its surface to be erased and another mark drawn while the paper is in the ballot box. People can watch the ballot go into the box, they can watch it come out, and be sure that nothing has occurred to change the vote thereupon. When the vote is nothing but electrons inside a machine, this is much more difficult.

    --

    This sig is umop apisdn.

    1. Re:Electronic voting completely open? by wfrp01 · · Score: 4, Insightful

      And I'd add, another aspect of discerning with certainty what's happening within the machine is that everyone has to understand it. Theoretically provable to a handful of mathematicians and computer gurus doesn't cut it. Your grandma has to believe that the system is trustworthy. She has to comprehend how the system works. Counting holes punched in a piece of paper makes sense to people. Locking the paper up to prevent tampering, and having multiple independent auditing authorities in place makes sense to people. Cryptography does not.

      Use computers to rapidly tally the votes, sure. But why use computers to do the actual voting? What's the point? What is gained? You can count the votes in real time rather than taking minutes or hours. So what? Sometimes simple is good.

      --

      --Lawrence Lessig for Congress!
  7. Perfect voting system impossible by mc6809e · · Score: 3, Insightful

    There's so much focus on the tools of voting, that people don't pay much attention to the fact that there are fundamental limits to voting systems themselves.

    For example, in 1950 Kenneth Arrow proved that no voting system is fair.

    This is known as Arrow's Impossibility Theorem and places fundamental mathematical limits on what the democratic process is capable of.

    Of course, we have the worst of the worst sort of voting system here with its single-member voting districts and "one man - one vote" philosophy.

    An improvement would be proportional representation.

    This can't overcome Arrow's theorem, but it's better than what we have now.

  8. My Brazilian experience by mangu · · Score: 5, Interesting
    I was in charge of a voting section in Brazil in 1998, when electronic voting was used in the whole country. I think security is an important matter, and source code for the whole system should be available to all parties. Auditing is a major concern in a totally electronic system. When I was in charge of that ballot, it recorded votes on a flash card, but I suppose that could have been tampered with, since the system was closed source (the OS was based on MS-DOS, although the application source code was available to political parties).


    As an improvement to that, in this year's elections in Brazil a new system will be tried where the ballot prints the vote on a paper which will be shown to the voter through a transparent window, but will not be otherwise accessible before it's cut loose and drops into a sealed canvas bag. Votes will be counted electronically as before, but the canvas bag will provide a way of auditing the whole ballot, if needed.

  9. I worked on the system in Florida by banky · · Score: 3, Informative

    I worked for the company that initially developed the device used in Florida. Our company did the UI, for creating ballots, and the reporting system.

    Ready to laugh? Target platform was a C++ CGI running on Windows 95 with Personal Web Server, using SQL Anywhere and Crystal Reports.

    I wish I could write a full article about it, but it would make a lot of people angry.

    And by the way: open code has NOTHING to do with making electronic voting. It's not a code issue. It's not a hardware issue, either. Retirees and people who can't master the 'Start' button run elections. Paper ballots fit their mindset. I know this. I travelled all over the country setting up the system. Most of the places didn't even have networks. And why should they? It was 1998 and they were still running Windows 3.1, or sometimes just DOS (Wordperfect was popular in several precincts).

    You want successful electronic voting? Then don't let your grandmother run the voting machines.

    --
    ZOMG I WOULD LOVE TO KNOW ABOUT YOUR FEELINGS ON MACINTOSH VERSUS WINDOWS, VI VERSUS EMACS, AND HOW YOU'RE NOT A DORK
  10. How quickly slashdot forgets. by oh · · Score: 3, Interesting
    This recent slashdot story links to this article about Ken Thompson's compiler hack. How quickly we forget.

    I would say that you have two options.

    • You yourself have disassembled and audited the entire system, including CPU microcode.

    • You yourself have personally programmed, using only hardware (no software) that you yourself have audited, the entire system, including CPU microcode.

    Stick to paper. Maybe scan/count it electronically, but keep an audit trail that can't be modified electronically.
    --
    Democracy isn't about no one telling you what to do. It's about everyone telling you what to do.
  11. I voted in Miami yesterday by Kwelstr · · Score: 3, Informative

    In my voting place there were no problems with the voting.

    Some points that I observed: the machines take 1 full hour to "warm up" as they were calling it here (boot). That seems like a long time, especially since in many places the people in charge were LATE at opening the doors, so the machines were not ready by 7am. Some accusations of boycott on this (about 50 poll workers were late by 1 full hour).

    The code is proprietary, cannot be audited, and the voting machines DO NOT make a backup paper print of every vote.

    In some polling places the workers unplugged the machines BEFORE they were shut down, so the data was LOCKED and it took almost a day for the company technicians to retrieve.

    There was a severe thunderstorm in some areas that knocked off power and disrupted the voting... remember the machines take 1 hour to boot.

    I am more worried about the lack of paper printouts as backup than about the organization problems. The latter can be solved eventually, the former is not noticeable until you have a catastrophe of sorts...

    Just some observations from down here for everybody to consider.

    --


    ~~~Please pass the salt, I hate unsalted MD5s :-/
  12. Huh? by autopr0n · · Score: 4, Insightful

    Bootable, hologrammed, serial-numbered CD-ROMs with individual private keys would do the trick.

    Um, how exactly? (the most obvious question is why you need a hologram, or a CD rom for that matter)

    Of course, since you didn't even provide a process to knock down, just some techno babble it would be impossible to tell you exactly why you're wrong.

    --
    autopr0n is like, down and stuff.
  13. Simplicity by captaineo · · Score: 3, Insightful

    I think the biggest problem you'd have in adopting a digital voting system would be making it simple enough so that most people could understand it.

    I'm assuming that most US citizens (myself included) would probably not be confident in, or willing to adopt, a system that they can't easily understand and trust.

    A pencil-and-paper system is simple enough that anyone can get it - check the box, a human counts it, there's your vote. Even our wacky electoral college system is probably within most people's grasp. But once you start talking about public-key encryption or digital signature algorithms, only a tiny percentage of citizens are going to be able to keep up. (and most of that tiny percentage will be white males - providing endless ammunition for politically correct fear-mongering =).

    A digital voting system of the necessary sophistication would be beyond most people's understanding, and thus subject to claims of manipulation. (regardless of the system's actual resistance to fraud)

  14. Hanging chad by geoswan · · Score: 3, Insightful
    Slashdot readers will remember the worldwide attention that was focused on "hanging chad". Certain Florida counties used automated voting machines where voters punched out holes in hollerith cards to select their candidates. Gore's votes were wildly underrepresented in these counties.

    Well, eleven months ago Douglas Jones submitted an article to the RISKS digest pointing to a longer online article that explained in detail how all the spoiled Gore votes arose. It turns out the debacle was completely predictable. It was due to a known artifact of those particular voting machines. One which had caused a scandalous shortfall in those same counties, in a Senate election in 1988.

    Briefly, Jones disassembled an example of the votomatic machines in question. He found that there was a structural bar behind the slots through which the chads were to be poked. Jones's investigation proved that candidates whose holes were to be punched over those bars were practically guaranteed to jam. Whoever designed the ballots laid them out so Gore's chads were directly over that bar.

    Slashdot editor Michael's comment on voting reliability and trustworthiness strikes me as naive. Don't worship the technological fix! Michael addresses providing an audit trail for the vote casting and tabulation software. This is not as important as providing an audit trail of the actual votes cast.

  15. The "fix was in" by geoswan · · Score: 3, Insightful
    Peter Neumann, the editor of the RISKS digest, and an expert on voting technology himself, added the following comment to a discussion of the chad problem in Florida during the last Presidential election.

    The really sad thing is that many of the same punch-card machines were apparently also implicated in the 1988 Florida Senate race. Buddy Mackay lost a close election to Connie Mack, in which there was a drop-off of 210,000 votes relative to the Presidential race in the same four counties. A lot of people must have been asleep at the wheel.

    In another comment in this thread I cite definitive proof that the hanging chad problem was due to a known, predictable artifact of the voting machines. So, was the problem merely "stupid people" as cscx suggests? Or was the inability of some Democratic political appointees exploited by the cunning of shrewder or better informed Republican political appointees?

    When world-wide attention was focused on the hanging chad problem the Republicans' outcry rang false with me. Florida Republicans kept saying "But Democrats also sat on the committee that approved the ballots! Democrats also reviewed the voting machines! Democrats also signed off on the voting procedures!"

  16. More problems than just voting. by Alessandro · · Score: 3, Informative

    I voted in the Tuesday primary and amazingly enough, I managed to do so with a minimum of fuss. It surprises me that we didn't actually have many more problems. After many years of using punch card voting, the state has inflicted a new computer voting system on us. The majority of the poll workers are elderly people who tend not to be very comfortable with new technology. The Miami Herald reported today that most of the poll workers received minimal training and it consisted of watching a video. If you were going to implement such a system, wouldn't you try it out or test it on a wide scale first?

    Dade and Broward counties, where most of the problems occurred, are also two of the most populated counties in Florida with the highest numbers of elderly and poor people. Imagine implementing a whole new voting system without doing a wide scale dry run. The kind of massive problems that we witnessed here were to be expected. What also wasn't addressed were the kind of organizational details like having enough poll workers of both political parties at each polling place. That meant that some polling places could not open. We still had the usual record keeping problems, registered voters not appearing in the voter rolls and poorly trained poll workers. What is inexcusable is that with a new system being tried out for the very first time they did not have enough techs available to handle the inevitable problems. They didn't even have a good way to communicate to all polling places to stay open an extra 2 hours. Never mind that many of the voting machines were not ready on time and were sent out to the polling places without the right programming. Then strangely enough, the voting machines would not boot properly. Why weren't the machines tested before sending them out into the field? We are not counting girl scout cookies here! What kind of moron would take brand new untested technology and put it out to be managed by poorly trained technophobes and expect less than a complete disaster?

    Before you start giving the poll workers a hard time consider the fact that they had to be at the polling place by 6:00 AM and that they would have to stay till poll closing time. There is only one set of people working the polling sites. There is no second watch. You go home after the polls close. After the last person votes you get to break down the machines and collect the votes and so forth. So conservatively, if the polling window is not extended like it was, the earliest you'd get out would be 8:00 PM. That's 14 hours minimum. Then you add an extra 2 hours and you have to stay around till 10:00 PM. All this and you only had lunch around noon sometime. By 11:00 PM some of these old folks must have been hypoglycemic!

    The problem is not only with the closed, non-auditable, poorly explained, even worse implemented voting system. It's with the people who picked it and the people picked to organize its implementation. To begin with the Florida government has to be the biggest group of imbeciles you could ever hope to put together in one room (that includes our esteemed governor, Jeb Bush). Their main purpose in life seems to be making other "more progressive" states like Alabama, Arkansas and Mississippi look good in comparison. The only thing more screwed up than our voting systems is our child foster care system, which is also managed and organized by the same group of geniuses in Tallahassee.

    My problem with a closed implementation of a voting system is that I have no way of knowing that the machine recorded my actual vote. I have no way of knowing that the machine simply didn't make up a vote or just make believe it never existed. I know no voting system can ever be completely tamper proof and fraud free. You may not need computers to tamper with an election but they make doing so much more efficient. Some of the polling places with the most problems were in poor black neighborhoods. At some of these only one vote out of thousands cast was recorded. All the other votes vanished into the ether.

    All I want to know is how come Afghanistan, a 4th world nation in complete ruins, managed to have an election and we cannot.

    --
    Alex
  17. Open Code Doesn't Guarantee Integrity by ArdentCritic · · Score: 5, Insightful

    As it turns out, open code and "thoroughly examined hardware" do not a secure system make. The problem is that the code has to get compiled, and it has to run on an operating system, and that has to run on a computer. Even if the code and hardware (if one can examine the microcode) appears to be entirely pristine, Ken Thompson explained in his classic 1984 essay "Reflections on Trusting Trust" (available online, do a Google search) that the compiler that compiled all of that code can be rigged such that malicious code can be concealed. For example: Since the dates of US National Elections are fixed to infinity (they are always the 1st Tuesday in November) and since many voting systems (as well as computer systems) rely on real-time clocks, it is certainly plausible to create a hardware trap that only goes off on election day. And that trap doesn't have to be in the voting system either, there's tallying devices, reporting software, and so on. It's a nightmare. The only sane solution is to rely on a voter-verified physical audit trail that can be READ BY HUMANS in case of the necessity for a recount. There's a lot of ways this can be performed (including one by David Chaum that allows the voter to verify that their ballot actually was entered into the final tallies), and true improvements in voting systems will only occur when this is recognized and the "trust us" mentality (including one that says we should trust the people who will supposedly verify all the open code) is abandoned. Please read the extensive writings on Rebecca's website www.notablesoftware.com/evote.html as well as Peter Neumann's for more information on the subject. And for those of you who are convinced, PLEASE encourage all communities who happened to purchase fully-electronic voting systems to have them retrofitted with printers BEFORE the November general election. Brazil is doing just that, right now, with 3% of the 400,000 voting machines they purchased back in 2000 (more may follow).
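The "trap that only goes off on election day" in the comment above is worth seeing as a test problem, because it explains why pre-election testing of the software is not a substitute for the voter-verified paper record the comment argues for. The following is an added example, not code from the commenter or from any real voting system: a simulated tabulator that counts honestly except when the clock reads election day, a pre-election "logic and accuracy" run on a known test deck, and a post-election comparison against a hand count. The election date, the test deck and the vote-shifting rule are all constructed for the example.

```python
"""A clock-keyed trap and the tests that do and do not catch it.

Added illustration only. ELECTION_DAY, TEST_DECK and the shifting rule
are constructed for the example, not taken from any real system."""

import datetime
from collections import Counter

ELECTION_DAY = datetime.date(2002, 11, 5)    # assumed date for the example


def honest_count(ballots, today):
    """Reference tabulator: just counts; `today` is ignored."""
    return Counter(ballots)


def trapped_count(ballots, today):
    """Identical to honest_count on every day except ELECTION_DAY, when
    every twentieth vote for Alice is credited to Bob instead."""
    counts = Counter()
    for i, choice in enumerate(ballots):
        if today == ELECTION_DAY and choice == "Alice" and i % 20 == 0:
            choice = "Bob"
        counts[choice] += 1
    return counts


def logic_and_accuracy_test(count_fn, today, deck, expected):
    """Pre-election test: run a deck with known contents through the
    tabulator and compare with the known totals. `today` is the clock the
    machine sees while the test runs."""
    return count_fn(deck, today) == expected


def compare_with_hand_count(count_fn, today, paper_ballots):
    """Post-election check against the voter-verified paper record: each
    candidate's machine total minus the hand total (empty when they agree)."""
    machine = count_fn(paper_ballots, today)
    hand = Counter(paper_ballots)
    return {c: machine[c] - hand[c]
            for c in sorted(set(machine) | set(hand)) if machine[c] != hand[c]}


TEST_DECK = ["Alice"] * 60 + ["Bob"] * 40          # constructed known deck
EXPECTED = Counter({"Alice": 60, "Bob": 40})


def run_tests(count_fn):
    """Run the L&A test with an October clock and with the clock set to
    election day, then the paper comparison on election day itself."""
    return {
        "la_test_in_october": logic_and_accuracy_test(
            count_fn, datetime.date(2002, 10, 15), TEST_DECK, EXPECTED),
        "la_test_clock_set_to_election_day": logic_and_accuracy_test(
            count_fn, ELECTION_DAY, TEST_DECK, EXPECTED),
        "election_day_vs_paper": compare_with_hand_count(
            count_fn, ELECTION_DAY, TEST_DECK),
    }


if __name__ == "__main__":
    print("honest :", run_tests(honest_count))
    print("trapped:", run_tests(trapped_count))
```

The trapped tabulator passes the October test, so certification on the wrong clock proves nothing; running the same test with the clock advanced to election day exposes it, but only because this trap keys on the date alone. A trap keyed on something the test cannot reproduce (an "election mode" flag, real ballot volume, a signal to the hardware) would pass both, which is the reason the comment's conclusion is a human-readable record compared against the machine count rather than more thorough testing of the machine.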

  18. Re:Bush and Gore by Brendan+Byrd · · Score: 3, Interesting

    Like when Bush and pals purposefully used technological miscalculations to remove thousands of Democratic Florida voters from the voting pool. That's what I call corruption on a DB admin level.