Doubting Electronic Voting

twitter writes "The NYT is raising the alarm on electronic voting. After citing expert opinion on the need for a paper trail, they then quote election officials and vendors who dismiss that opinion as the ignorant work of dreamers. The reporter titles his article, 'To Register Doubts, Press Here' and seems less than convinced."

It's not about electronic vote casting.

[s20451]

The best idea is not electronic vote casting, it's electronic counting. The most recent Toronto mayoral election used a ballot similar to those used in electronic test-scoring, where you use your HB pencil to fill in a blank. The votes were all counted within a couple of hours after the polls closed.

If you wanted to avoid confusing the easily confusable, you could have a touch-screen system that prints a paper ballot, with the blanks ideally positioned for the electronic counters. Efficiency and a paper trail.

Re:It's not about electronic vote casting.

[CashCarSTAR]

As someone who thought a lot about this BEFORE Florida 2000, I can tell you what the problem is/was.

It's rather simple. Well-to-do areas tend to have voting methods with less % of error than more poor-class areas. Why is this I do not know, although I suspect it has to do with local property value rates, similar to education.

There was a substantial difference in the methods of voting. What needs to be done, is that there needs to be one standard, that is both simple and reasonably verifiable. I go for the pen and paper ballot myself.

Re:Yeah right

[PhxBlue]

If you think politics in the United States is dangerous, check out the political situations in places like Ivory Coast. At least American citizens survive the voting process.

Re:Yeah right

[Ishin]

The main difference seems to actually just be that when someone disappears in the US of A no one knows what happened to them. Being a dissident in any country is dangerous. No less so since the new witch trials began. (all this terrorism stuff) And it gets more dangerously legal everyday with guys like Ashcroft at the country's 'justice' helm.

Mechanical machines had problems also

[asmithmd1]

If you are old enough to remember the all mechanical machines where you flipped small levers to vote and pulled a large arm to cast your vote. The votes were mechanically accumulated and would sometimes get stuck yielding results like 2273 votes for one canidate and 999 votes for the other. What can you do then?

Paper trail: the solution

[cwernli]

The two main points in electronic voting are:

1. It's needed
2. It'll be bug-ridden

The vendor's point of view (unsurprisingly) is that "bugginess" is only a hypothetical threat, and that it in real-life situations no glitches will occur.

This is very clearly horseshit. Every IT-implementation has bugs. Repeat: Every. The question is: how many of them can we tolerate ? If it comes down to a word-processor, or a webserver, or even telecom infrastructure: we can afford quite some. If it comes to medical facilities, nuclear plants, or, as in this case, political decisions, the threshold has to be a lot lower. You wouldn't want George W. Bush to have been elected by a bug, would you ?

The (currently feasible safeguard) solution of the paper trail sounds like an excellent solution:

a) the voter can immediately control if her vote was cast correctly
b) the same rule applies as with financial and legal records (where a paper trail has to be conserved)
c) the "black box" problem that is mentioned in the article is circumvented: the citizen doesn't have to understand how the e-voting booth works, but (see a) can control if her intentions match the outcome.

Re:Yeah right

[Dr.+Bent]

Unfortunately, the US government runs its own elections, rather than a truely impartial third party.

"a truely impartial third party"? Like who? What organization is responsible enough to oversee the elections of the most powerful nation on Earth and yet has no opinion one way or another on how they should go.

There is no "impartial third party". The U.S. electoral process isn't perfect but handing it over to Deloitte and Touche, or the U.N. or any other supposedly 'impartial' body is just going to make it worse. The best way to keep it legit is just to make the counters accountable.

Casting of Risk

[Effugas]

It's pretty simple, really.

The threat model that the voting machine manufacturers want to work with is: "Given a particular system, how likely is it that it will get hacked?".

The real threat model is substantially different: "Given a particular system, how likely is it that it will be accused of having been hacked, and how damaging will that accusation be?" Much different scenario. Accusations, and the credibility they carry, are directly rebutted by evidence to the contrary. The simple availability of an irrevocable audit trail prevents challenges -- "they might be able to prove us wrong, so we better not challenge the results of the election."

No evidence, no risk of accusation, no credibility for the election.

None deserved, too.

Disclaimer: I _am_ a security engineer. This isn't a technical problem, it's a sociological one. Counting is easy.

Yours Truly,

Dan Kaminsky
DoxPara Research
http://www.doxpara.com

Poor article...

[Goonie]

This strikes me as a classic example of how "getting quotes from both sides" does not a fair and accurate article make.

The key points that opponents of electronic voting make are that a) there might be flaws in the system either by error or by design, b) that the machines cannot be easily inspected to check their operations, and c) that without a paper trail there is no way to check after the fact whether the votes were correctly counted or not.

The response from a voting machine manufacturer, however, is classic obfuscation:

"I think the concerns being raised are 100 percent valid," Mr. Terwilliger said. "However, they're being raised by people who have little idea about what actually goes on."

At this point, the question arises - why are these critics wrong? What are they not understanding about the system? Rather than following up on this point, though, the reporter takes a completely different, and totally irrelevant tack, discussing public confidence in the machines. So what? Lots of people probably think that Microsoft invented the Internet. It doesn't make it true. The only conclusion I can come to is that the journalist did not take the time to understand the issue properly, and just got quotes from "both sides" and that was good enough.

Do experts in other fields (if I may be so bold as to count myself an "expert" in it) get as frustrated with journalists, or is it just a particular problem with science and tech journalism?

Using the FOIA to view code?

[Dan+Crash]

From the article:

Dr. Dill argued, however, that if voting machines were really secure, then voters would be able to see the insides of their "proprietary" technology. "If someone really has a tamper-resistant machine, they should tell you enough about how the machine works so you can assure yourself that the machine works," he said. "We don't know what the weaknesses are. We don't know who the people are that control that stuff."

Mr. Terwilliger said that Sequoia was willing to share its source code, provided viewers sign nondisclosure agreements.

So if I look at the code, I can't talk about it? Grrrreat.

I'd like to see someone file a Freedom of Information Act request to see the code. The FOIA applies to the following documents:

552. Public information; agency rules, opinions, orders, records, and proceedings

(a) Each agency shall make available to the public information as follows:

(1) Each agency shall separately state and currently publish in the Federal Register for the guidance of the public--

(A) descriptions of its central and field organization and the established places at which, the employees (and in the case of a uniformed service, the members) from whom, and the methods whereby, the public may obtain information, make submittals or requests, or obtain decisions;

(B) statements of the general course and method by which its functions are channeled and determined, including the nature and requirements of all formal and informal procedures available;

(C) rules of procedure, descriptions of forms available or the places at which forms may be obtained, and instructions as to the scope and contents of all papers, reports, or examinations;

(D) substantive rules of general applicability adopted as authorized by law, and statements of general policy or interpretations of general
applicability formulated and adopted by the agency; and

(E) each amendment, revision, or repeal of the foregoing.

I know there are arguments against this, specifically that the code is the intellectual property of a private business, and that it is protected by both US Copyright laws and the Berne Convention, but I'd like to see the courts wrestle with this one just the same. Knowing how our votes are counted is one of the sacred founding principles of democracy, and personally, I think it trumps any other interests in this case.

Unfortunately, this has little to no chance of succeeding while Ashcroft is Attorney General, since he's declared an effective moratorium on FOIA requests while he is in office.

Electronic voting and air gaps

[Millennium]

The only way you can possibly make electronic voting machines acceptably secure is to not network them at all. This isn't so much a measure to prevent hacking as it is a measure to control the amount of damage a hacker can do; if only one machine at a time can be hacked, then damage remains localized. Here's my idea for such a system:

• The user shows up at the polling place, and is given a token, which will be used to operate the voting machine. The user then goes to one of several voting booths, which can be chosen at random.
• The user presents the token to the machine, which marks that token as used (such that it can never be used to operate another machine). Only then is the user allowed to begin the voting process.
• The user chooses a language for onscreen text and voice instructions. Ideally, instructions should be phrased in such a way that they can be reused between elections.
• The user is presented with a list of candidates, including names and pictures. One by one, each candidate is highlighted; as this occurs, a voice sample is played of the candidate saying his or her name. This is important, because it allows for a person to recognize the proper candidate based on written name, picture, spoken name, and sound of voice. This is pretty much everything that can reasonably be done to ensure that a person knows which candidate is being voted for.
• The vote can be controlled in two ways: by touching the candidate's name onscreen, or by pressing a button as that candidate's name is being read. This latter is a measure to accommodate blind voters., or others who could not effectively use a touch screen.
• Each vote is confirmed twice, onscreen and by voice -again using the sample of the candidate- to ensure that the voter is absolutely certain that this is the proper choice.
• Once the voting process is completed, a paper ballot is printed for the user (there will be strong warnings onscreen and in voice to ensure that the user understands to take the ballot). This ballot is marked with a barcode stating what machine it came from, but no information which could identify the user (this is why it is important to let the user pick a booth at random). The purpose of this barcode is so that if a machine is known to be tampered with, votes cast using that machine can be tracked down.
• The ballot is then taken by the user to a ballot box, where it will be shipped to the usual facilities for counting purposes.

The advantages to this system are many:

• Every possible method of recognizing candidates is taken into account. This won't totally eliminate confusion -some people are so monumentally stupid that nothing will get through to them- but this minimizes that problem.
• There is a paper trail which can be consulted. The value of this cannot be overestimated.
• There is no single point of failure. Tampering with a single machine cannot in and of itself damage any other machines, so the number of votes which must be considered suspect due to machine tampering is minimized.
• Counting is still done by machines, which are not prone to bias as humans are, but because the ballot os filled out by machine, the process is somewhat more controlled.

And one final note, particular to US elections: poll results should be considered classified information until the polls are closed in all fifty states. Timezones being what they are, this exit-poll crap is causing election results in East Cost states to affect West Coast states, however slightly, and that needs to be dealt with. Each state's results must be completely independent of the results of any other state, and measures need to be taken to ensure that.

Maybe.

[rkent]

OK, the parent post sounds kind of hysteric, but it could be (sort of) true.

It's difficult to overstate the importance of having a fully auditable voting process. That's the main advantage of paper ballots, be they punch cards, "check the box," whatever: you can recount them. Someone else can recount them. We can disagree on the interpretations of those recounts, but we can at least observe the "primary source" and make a call one way or another.

Now, electronic voting would certainly have advantages. If people could walk through a "voting app" where they could see all of the choices for each office, and do a confirmation step before "submitting" their vote, that would be awesome, and way more accurate than what we do now. However, think of the system which will be used to achieve this: if it's good, the designing company will want to sell it everywhere. So the application will become one hell of a valuable peice of "intellectual property." Do you think we'll be allowed to see the code for it? No way! So no error checking that way; we just have to trust that every vote counted was processed correctly. That's a lot of trust. I don't suspect that any voting-machine-manufacurer would insert deliberate bias, but the lack of ability to examine the process for correctness is just unacceptable. It's too important to just trust some private company, whose interest isn't necessarily coincident with accuracy.

An open-source voting app would be somewhat better; any independent person could audit the code for correctness, but to verify its performance on an actual dataset would require re-establishing the same exact platform later, and of course maintaining a digital copy of the inputs.

In either of these scenarios, it seems outright necessary that there be a physical record of votes cast using the system that independent, non-computer-expert people could examine. Ideally, the machine would print a small "receipt" for each vote cast which could be collected and, if necessary, recounted and compared against the digital tally.

Why reliable electronic voting will not happen

[targo]

The main reason is actually political, not technical. Imagine a world where we have really foolproof and very convenient electronic voting (like everybody just voting from home over the Internet, provided that a good and secure protocol is invented for it). Elections would be hundreds of times cheaper because of lesser staff and organization costs. As a result it would become possible to have people vote for many more issues than just who is going to be a president (think Switzerland where almost everything is decided by popular vote). We would never have DMCA or any of the other strange laws pushed through by special interest groups and hurting the general public. Congress would suddenly lose 90% of its importance, becoming just a law-drafting institution without too much decision power.
Obviously this is something that today's rich and powerful would never want to happen, and they would fight long and hard before giving any of this power up.

99%

[linuxwrangler]

"...a feedback card in the August 2002 statewide primaries found that 99 percent of voters were pleased with their Diebold machines."

Isn't that the same percentage of people who "voted" for Saddam Hussein in the last Iraq "election". I wonder if the "feedback" was tallied on a Diebold machine.

I work in market research and I have never, ever seen 99% of people polled agree on anything. This 99% of the vote statement should give anyone considering e-lections the willies.

Stalin Said it best

[doublem]

"Those who cast the votes decide nothing. Those who count the votes decide everything."

-- Stalin (Former leader of the USSR)

So the voting machine manufacturers are now the ones who really run the country.

Great.