Computer Scientists Rally for Reliable Voting System

Kim Alexander writes "Silicon Valley computer scientists, led by Stanford professor David Dill are asking Santa Clara county to purchase a new computerized voting system only if it provides a voter verified paper trail. Their concerns are based on the lack of adequate testing of these voting systems, and the fact that the software is closed-source and proprietary. Requiring a voter-verified paper trail will mitigate many of these problems. Dill's 'Resolution on Electronic Voting' has been endorsed by prominent computer scientists from all over the country, including Ron Rivest. Counties all over California and the US are going through a similar process. Patriotic nerds who want to do something to help protect our fundamental right to vote with confidence that our votes will be counted can help by contacting their state and local reps, writing letters to supervisors and getting informed!"

Yeah a New voting system is good..

[Hott+of+the+World]

...but who's gonna teach Florida how to use them?

Closed-Source?

[Rimbo]

I cannot support any voting system that's closed source. I want to know what the voting system is doing with my vote, and the only reliable way to do that and to maintain a free society is to be able to see the source. That doesn't mean everyone should be a contributor, but we should see what we're dealing with.

Re:Closed-Source?

[GnrcMan]

Well, I think a voting system with a voter-verified paper audit trail is probably actually better than having an open source voting system.

Look at it this way, even if you can see the source code for the voting system, you cannot be assured that it is installed, configured, and working properly in an actual election. Further, most of the population would have no idea what to do if they had the source code. The source code is no substitute for votes being actually recorded to paper, verified by the voter, and dropped in the ballot box, and with actual paper votes, the source code becomes somewhat moot, since you can see what you are voting for.

Re:Closed-Source?

[istartedi]

The electoral system isn't "antiquated". If the founders had intended the electoral college members to be nothing more than courriers, they could have easily done that. They didn't.

Ironicly, the electoral system serves to make sure that people are counted. Without the electoral system, nobody would bother to campaign in New Hampshire. Is it unfair that voters in rural New England have such a disproportionate impact on the election? In a sense, yes. However, it's the price that we pay for not having a country dominated by New York and LA with everybody in the middle pissing and moaning about how the City Slickers run everything, and deciding to secede from the Union.

The system failed once, resulting in a little fight you may remember from history... unless you were taught in a public school or something.

What's really interesting is to look at an electoral map of the 2000 election. Do that, and you see that while the majority of the *people* voted for Gore, the vast majority of the *country* voted for Bush. So, in most parts of the country people are happy. It's just the City Slickers that are pissed, and they aren't allowed to buy guns so who cares? :)

Re:Keep in mind

[The+Dobber]

The reverse could also be said. Those that wish to unseat the incumbent wants something different.

The best way to elect our representatives is not through the use of technology, wiz-bang gadgets, open source software or even legal challenges.

Its gett ing Joe Six-Pack and the rest of the disenchanted voters off thier duffs and out to the polls. Rather than complain, execrcise the right to vote people. Had this been the case in 2000, we would have had a clear winner

If there so worried the voting soft. is closed

[sls1j]

If there so worried the voting software is closed source, why not start and open source project?

The scariest argument against computerized voting

[Lord_Pall]

http://www.bestoftheblogs.com/2003_02_05_bestof.ht ml#90279110

This is an article about Chuck Hagel who is a nebraska representative. He ran for office and won in a very close run off, and controls a large interest in the private company that counted the votes in his runoff election.

The majority of the information in the above blog came from http://blackboxvoting.com/, which is a book about the future of electronic voting.

Just some fairly creepy stuff that's turned me off towards any sort of private computerized voting.

A paper trail is too insecure.

[wackybrit]

The problem here is that a paper trail is too easy to for other people to read.

Elections in Western countries are meant to be by secret ballot, people. That means your vote is anonymous. Why? Because people don't want other people knowing who they voted for. If someone voted for the 'Kill All Geeks' party, that's their right, and you can't condemn them for their vote (although you can certainly condemn them for their actions).

The best alternative solution to a paper trail would be to use a secure database that has public access. That is, members of the public can run a set of limited commands on it.. like

SELECT COUNT() FROM votes WHERE party='republican';

Or

SELECT COUNT() FROM votes WHERE state='alabama' AND sexuality='gay';

That way, the populace can access the database over the net and query it by SQL, checking the validity of the votes.

Preferably you'd use a proprietary database system to store the votes, as then you can be sure security is not compromised. A paper trail just opens up a whole bag of communist ghouls.

Hear hear!

It's not a vote if I can't hold the ballot in my hand, look down and see "Al Buchanan" in the PRESIDENT column and say "1 for Al!".

The ballot needs to be:

Machine generated from a touch screen like device.
Machine and human readable.
Signed so as to be verifiable.

The ballot reciept, that's placed into the voting machine, is a random private key, handed to the voter before voting that is used to sign the ballot and ensure integrity. The voter can then take the receipt/key with them and use an Id number to check that their vote was actually tallyed.

This allows machine counts of paper ballots. It allows manual, human auditing of ballots and tally. It allows machine and human recounts of the ballots. It preserves the voting record for the election on something besides magnetic media. It allows "quick summary" for those willing to rely upon the stored, machine versions of the votes before physically counting the ballots.

This is the only way. You MUST have a piece of paper you can go back to and find a vote. Anything else is simply unacceptable.

And, no, it's not over the internet, but we know that will never fly anyway.

Re:Keep in mind

[John+Jorsett]

Its getting Joe Six-Pack and the rest of the disenchanted voters off thier duffs and out to the polls.

Personally, I think voting ought to be made as difficult and inconvenient as possible. If voting were like crawling over broken glass, only those who really really were interested would do it, and we'd get a better product. Keep the ignorant and lazy out of the electoral process, I say.

The objection does not go far enough

[originalhack]

The fundamental issue is as follows....

Consider 2 elections. In one, you and I and everyone else have exactly a 75% chance of having their votes counted. In the other, the affluent young technocracy has a 99% chance of having their votes counted and the poor, old, or low-tech population has a 95% chance of having their votes counted. At first blush, the seond electiuon sounds more fair, but it is very clear that the first is totally fair and the second is terribly biased.

The problems in recent elections were not caused by technological failures. Dangling chads and the like are just a smokescreen and the recounts bore that out. The problems in elections are a lack of uniformity within the areas in which votes are pooled. Since the votes for president are done by electoral votes rather than popular vote, it is not necessary to have the entire country have identical machines and ballots, but this does need to happen at the state level. When I walk into my polling place, I should see an identical machine to every other voter in the state (randomly selected from the state pool). All the state ballots should be identical to every other ballot in the state. All the county ballots should be identical to every other ballot in the county, etc....

To do otherwise not only fails to solve the fairness problem, but it disinfranchises people for whom a mouse is a household pest.

Electronic Gambling Machines have more oversight!

[semios]

What scares me is the fact that Electronic Gambling Machines have more oversight than these Electronic Voting Machines. Gambling institutions that provide electronic gaming are subject to random searches where the eeproms will popped out and verified that no tampering has been committed.

However, when it comes to protecting the foundation of democracy we can't even be given access to the source code as it is a "trade secret." Here's an example of this privatization of democracy:

In the West Virginia case [where an election supervisor, a candidate, a prosecutor, a county commissioner, election workers and the voting machine vendor were all sued by a group of candidates who believed that they had been cheated in the election], although the criminal charges were dropped, the judge had not allowed the jury to see a demonstration by the plaintiff's attorneys' computer expert, Wayne Nunn, PhD, a project scientist for Union Carbide who had designed multimillion-dollar computer networks.

After a nine-hour examination of the CES (now Business Records Corporation) computer system in question and in the presence of the CES president, the system's programmer, and others,

"Nunn, with one punch card, added ten thousand votes to the total of one of the candidates in a mock race for president". [ The New Yorker , November 7 th 1988, p. 68]

Nunn subsequently gave a deposition under cross-examination and revealed seven ways in which the system could be deliberately caused to miscount votes, including by manipulation of the toggle switch on the front of the machine to alter vote totals and by inserting a set of secret Trojan Horse commands into the source-code software as described earlier. So it can be done. But can it be detected and prosecuted?

A methodical expert analysis of the company's source-code could have been the key to determining the existence of fraud, but CES officials asked presiding Judge Charles H. Haden II, of the United States District Court, to block Nunn from inspecting their code on the basis that it was a "trade secret". Ultimately, the judge ordered that Nunn alone be allowed to view it, but without the computer he needed for a proper system analysis.

Nevertheless, he discovered "trap doors", "wait loops", and Christmas trees" which could all serve the same end of undetectable vote fraud. According to the New Yorker's Ronnie Dugger, after viewing the code for several hours,

"Nunn was prepared to testify that a ?debugger' in the BT-76 program, while enabling a programmer to make repairs in the program, was also a Trojan Horse; Haden excluded such testimony".

Nunn was allowed to testify that "he had concluded that the program had been altered during the counting".

The jury was also barred from seeing Nunn demonstrate how he could alter the vote count.

The case of Wayne Nunn being allowed to examine the proprietary source-code of the CES system is an extraordinary exception. The fact is that very few individuals outside of the computer vendors have ever been allowed to inspect the source-code of that or any other election equipment company. This was confirmed by Eva Waskell, the director of the Elections Project at Computer Professionals for Social Responsibility in a 1993 report entitled "Overview of Computers and Electors".

Many court cases involving allegations of fraud were brought against vendors of electronic systems. There were no convictions. Was there ever any proof of tampering presented? No. Part of the reason for this may be that during the litigation the plaintiffs were never given access to the vote tabulating program, and hence there was no opportunity for anyone to establish evidence to either prove or disprove the allegations. [Emphasis added]

We should point out that even if the court allowed the plaintiff's experts to inspect the source-code, there would be no proof that the code provided to the court was, in fact, the selfsame code used in the particular election in question. Federal election officials say that a few states are mandating that the source-code be placed in escrow so that it could be examined in the event of a particularly "fishy" election result.

Re:Patriotic, Schmatriotic

This seems an appropriate time to remind everyone of this.

http://www.acm.org/classics/sep95/

The wisdom in computerized voting systems is certainly debatable.
Proprietary software, whose code cannot be publicly audited, and whose code cannot be independently tested, should never be allowed near voting booths (or sites)

And a paper trail? Will we visit everyone who voted to check their voting stub? And won't that identify who I voted for specifically in a way that can be checked and directly tied to me, defeating the purpose of a voting booth?

I hope the potential savings don't outshine the potential risks.

A paper trail can be secure

[stripmarkup]

Suppose N people decide to vote on an issue. For simplicity, let's assume that the vote is A or B. You pick a random number that only you know. In order to vote, you add your number and your vote to a list. At the end of the election, the paper trail is shown:

1928787: A
7483978: B
1662656: B
...
etc.

Along with a tally of the votes. Every voter can verify that their number is followed by their vote. You don't know what the other random numbers correspond to, but if yours was 1928787 you know that your vote is there and was counted as 'A'.

This is the basic idea. There's more to it of course, but it can be done.

Re:Anonymous Voting != Secret Ballot

[thogard]

The problem is I can't trace my vote back to where its been counted. Now if an electronic system gives me a vote reciept, then I can go to a web site later and say 'Tell me who "0304756745383834743646374" voted for'. If I've got that ticket in my hand and my votes don't match whats in the database, then I've got reason to complain. This has other problems because its trivial in small towns to figure out which IP address goes with which household but any verificaion system will have massive risks.

What scares me is I used to work for a largeish credit card company. They would lose records from time to to time. Thouse records invovled real money but sometimes they just disappeared without any ability to trace them. Everytime I've audited a system that logged in two places, some records just don't end up in both place. The best ones seem to have about one in a hundred million go missing, but they are still lost. I want the voting system to be at least that good.

grave disappointment....

[3-State+Bit]

...that a resolution "endorsed by computer scientists" does not propose an instant run-off system, whereby each voter ranks the candidates in order of her preference. (She can vote traditionally by ranking only one candidate 1, and no one higher).

The benefits are enormous. The system is much less open to manipulation, and it is basically the only way for minority voices to be heard.

One cannot overemphasize the fact that today a rational voter will always choose the lesser of two evils, without considering candidates that are not evil, based on the mathematics governing her vote.

Let me repeat this: If you believe that a vote for the democratic candidate is a vote for evil, and you believe that a vote for the republican candidate is a vote for evil, and there is a third candidate whose views you agree with precisely, and who you think could fulfill the office perfectly were she elected (but there is zero probability of this, as there was zero probability of Nader's being elected) then under today's system your only rational choice is to forego your preference for the third candidate and vote instead for the lesser of the two evils. That is, you will be rationally impelled to vote for a candidate with whom you do not agree, when a minority candidate exists who could better represent you.

This is no less than mathematical extortion.

You can either participate in a two-party system, or "throw your vote away." It is, in effect, a mathematical equivalent of having a voting booth in which you are to choose betweeen seven candidates by putting your token either into the republican ballot box, the democrtatic ballot box, or the trash.

Everyone who voted for Nader in our last presidential election placed their vote in the trash, since there was zero probability of Nader's winning. (Exception: vote trading.)

Read more about instant run-offs here, or do a google search.

My experience with a new voting system.

[ktakki]

Here in Allston, a neighborhood of Boston, Massachusetts, our votes were cast in a manner similar to many urban areas, with a mechanical voting machine older than I am, the kind that has a big lever that closes a curtain and a myriad small switches for selecting candidates or casting votes for referenda.

I know that these machines have many drawbacks: they cost a lot of money to maintain, store, and "program", though I've always assumed that to "rig" these machines too commit wholesale fraudulent voting would be to time consuming and complex to pull off. Hence, I had a certain amount of faith that the lever I'd pull would actually correspond to the name on the paper strip, and my desired vote would be tallied. I know also that this faith was rooted in sentimentality; I'd accompanied my parents into machines just like that when I was a kid, back in the Sixties.

Two elections ago, however, during a primary vote in September, there was a man at the polling place who was demonstrating a new system, produced by LHS Associtates of Methuen, MA, the "Accu-Vote" system. It used paper ballots, with small circles like on a standardized multiple choice test (like SATs, except without the need for the No. 2 pencil). There was an optical scanner that looked somewhat like a paper shredder, the kind that fits on top of a wastepaper basket. You fed the ballot through the scanner and it read the marks, ejecting the paper out the other end, into a bag, thus preserving a paper trail in case of a recount.

I filled out one of these sample ballots. There were "joke" choices on the ballot, and I intentionally mis-voted, to see how fault-tolerant the system was. Under "Mayor", I placed a check mark in the box next to "Fiorello LaGuardia". For "Board of Cartoon Characters", I put a tiny dot next to "Bugs Bunny". Under "Superhero Committee", I filled in the box for "Wonder Woman", intentionally overfilling the mark, and for "Sports Authority" I filled two boxes, "Babe Ruth" and "Jackie Robinson".

I went over to the company representative who was showing the demo system and handed him my ballot. He fed it into the machine and it was spit out the other side. Though I'd intentionally cast a faulty ballot, there was no indication that anything was wrong, and I showed him the marks I'd made, pointing out my screw-ups.

"Well, this is just a demonstration," he said.

"So, all this does is roll the paper through the mechanism?" I asked.

"Um, well, it's just a demonstration."

"You mean it's not a real machine?"

"Right," he replied.

"So the real machine would reject this ballot, right?"

"I assume that this will be the case." He didn't sound too sure. At this point, the police who work the election detail started paying attention to our conversation. I guess election detail is pretty boring for them.

"So who audits the code that runs this machine?" I asked him.

"I don't know, maybe the Board of Elections," he said. "I can give you the name of the project manager. Maybe he can answer your questions." He wrote a name on the back of a business card. I took it and thanked him for his time. I called a few times but never got a callback, and I doubt I'd get a satisfactory answer.

My fear is that it's trivial for this sort of machine to register a vote for Foo to actually be tallied as a vote for Bar. With the old mechanical machines, this sort of fraud would take days, considering the hundreds or thousands of machines and the dozens of people from the Board of Elections that set them up. However a "black box" system like Accu-Vote need only be programmed with fraudulent code once, after which that code is distributed to hundreds or thousands of EEPROMS or Flash cards or whatever the Accu-Vote uses to store its programming. The barrier to entry for wholesale voting fraud has been lowered, and if the winning margin is large enough, there will never be a recount.

The Accu-Vote system was deployed for the November 2002 elections here in Boston. If there was a public hearing about this change from mechanical systems, I never heard about it, and I read the Boston Globe every day without fail.

k.

Re:Trail?

[zcat_NZ]

Exit polls are like the canary in the coal mine.

Your canary's just dropped dead, and you're telling me "well, you know canaries don't always live that long. Perhaps it was just old."

Times like this I'm glad I live in a country that still has hand-counted paper ballots.

e-Voting

[krouic]

The company I work for is currently preparing a bid for pilot project that will allow the citizens of the largest Swiss state to vote via Internet and mobile phone, along with the usual paper method.

The main driver of the project is to increase turnover, especially for young citizen that are supposed to be more prone to vote via these "new" technologies.

Our (swiss) laws already incorporate specific requirements regarding e-Voting, including the ability to audit the process, the security of the whole system and the secrecy of the votes.

Swiss citizens usually have to vote or elect several times a year and the voting process is considered as mature, every step being supervised by committees containing members of different parties/lobbying groups.

The voting registers are held at the local level, and are continuously updated every time a citizen moves in or out of the city, reaches the voting age or dies, and are crosschecked by the higher authority. Voting material and voting cards are automatically sent several weeks in advance to the possible voters, they do not have to register themselves or require anything. So by design, we have no dead people voting or minorities prevented to vote because they did not register themselves due to lack of information.

e-Voting is considered here as a good thing, as it allows to streamline the counting process and should increase (our low) turnover by not requiring voters to physically present themselves to the voting booth (in some states, the majority of voters already use the generalized absentee (snail mail) voting process).

I find it quite surprising that a large majority of the US "geeks" has such a mistrust in the electronic vote in particular, and the ability of their authorities to conduct a fair and lawful election in general. Aren't the USA supposed to be the most democratic country in this world ?