Slashdot Mirror
Inside Electronic Voting Machines
Alien54 and several other people wrote in about a couple of stories published in a New Zealand webzine: an examination of an electronic voting system, and some less interesting political speculation about it. Diebold voting systems are in fairly wide use, and apparently provide zero security to keep election officials from writing in whatever election totals they want.
Suddenly hanging chads aren't so silly anymore...
The cancel button is your friend. Do not hesitate to use it.
It should be required that machines use open-source code, and some mechanism be provided for public inspection of the machines to verify the code hasn't been altered, some sort of checksum mechanism.
The short story is that they were all very flashy and glitzy, but all had severe problems with security and/or usability. We eventually decided to run a pilot program in last year's off-year election and try out 5 of the most promising machines in a real-world election. The final winner will be used across the state in 2004.
No more hanging chad, but I think we are going to have a whole new set of problems to deal with.
"Then we can get to work on helping the rest of the world with their troubles."
Maybe if you looked outwards more, at countries who can already run a fair election for example, then p'raps you could get around to helping us all out much quicker!!!
Any computer data can be quickly and easily changed. The best solution I can think of is to print out two paper receipts for each vote, one to go to the election commission (for manual recounts) and one to go to the voter. Each receipt would contain a random code which the voter could then type in on a web site to verify their choices have not been changed. Of course, most people wouldn't bother to verify, but it only takes one person to catch vote fraud.
"Freedom means freedom for everybody" -- Dick Cheney
The only solution I can suggest for an all-electronic voting system would require extensive use of cryptography. Every voter would have to register a public key and every vote would be cryptographically signed. This would require a database of public keys outside of any political influence and it would also require that voters keep their private keys secure, both of which are enormous problems.
Given these drawbacks, an antequated punchcard system doesn't seem quite so bad...
There's plenty of security preventing people from changing the results. Its called exit polling. If the vote tallies are wildly different from the scientific exit polling done by independent 3rd parties, then I'm sure a full investigation would follow.
They could certainly be abused, however, in smaller state and local elections where a small handful of votes can make a huge difference.
The US military wants to make sure that US servicemen/women overseas can vote. That's not a bad thing and there is a US law that requires this.
But there is a bad thing - the system they are promoting runs on MS Windows - including Win 95/98 - using Internet Explorer (5.5 and up) and Netscape.
Somehow they have in their minds that if they run HTTPS and require anti-virus software that the machines will be secure enough so that votes made through those machines won't be buggered.
Oh, and did I mention that the voter registration occurs through the same machines and same web-browser/https mechanisms?
Seems to me that this is a recipie for disaster - I don't consider any operating system safe from tampering, particularly none of the MS products. And these machines will likely be shared by many people, configured by DHCP (itself a security risk), perhaps with programs being loaded over insecure nets from insecure file servers, and crossing the internet via web proxies, "transparent" web caches, WCCP, and who knows what else.
This could make Florida 2000 look like a picnic.
Their article is interesting, but a bit misguided IMNSHO. First they harp on the three sets of ledgers. Well what's the big diff. They say that this somehow allows more leeway to fudge, well actually it doesn't. The fact is that you have to know that there are three sets and exactly which sets of reports get their data from which sets (a very lame attempt at security thru obscurity?). Having a single ledger means that you only have to go to a single place to mess with things.
But the biggest problem with there report is that they spend a lot of time talking about essentiallly one issue, that the tables are available for anyone with the password to edit and manipulate. There doesn't seem to be any type of tiered access and because they use access, a TRUE audit trail can not be created.
I would think that a voting system would be important enough to warrant the extra time to create a custom DB that audits absolutely everything to a file/table that can't be touched by anyone but the app (e.g. only the app can add rows and rows can never be deleted). I assume that Diebold was able to use Access because it made their bid lower and the company that actually had a decently secure system was underbid.
I smell a voter's lawsuit, oh to be a lawyer.
Using purely electronic voting for anything other than informal polls and amusement is very, very dumb. Besides the potential for tampering, there is also the potential failure of the machine in general. ( How'z about a nice big lightning storm hitting and frying all of the machines in a polling station through a power surge. What'll you do, have the election over again? ) After all, one US judge said that the constitution does not state that election results have to be accurate. Just that they *tried* to have a fair election. Funny that he did not define *tried*. If you want to use electronic type systems, it needs to print / punch out a paper ballot of some sort that the person feeds through a reader that displays how the ballot was marked ( to make sure the machine punched it correctly ) then they deposit it into the ballot box, And they keep a numbered receipt that shows who they voted for in each race. The paper ballots are then machine counted a few times to ensure accurate counts. ( Get the same count each time they are checked ).
Fortunately, as someone who has served as an election judge (working the polls) in Minnesota, I can tell you that these concerns are a little overblown. We use the optical scan machines here, and we submit the precinct detail report (list 1 for those who read the article) to the county electronically and in paper format (3 copies). Additionally, we have all the paper ballots that were filled out by the voters carefully stored in the machines during the voting period, and then mailed to the county in sealed envelopes and signed by all the election judges.
Not only is the written process pretty fail-safe, but I worked an election where there was a discrepancy between our ballot count (kept as people vote) and the machine count at the end of the day. We hand-counted all the ballots (they were bubble test style, so no hanging chads or dimples) to make sure the count was accurate. Even if someone had hacked the voting machine, there was little chance for them to bust into the voting machine to steal or alter the ballots.
Additionally, although some nefarious person could hack the machine, I have no idea when they would. Most polling places have a team of election judges present from the time the machine is unlocked until after the results have been transmitted. Judges are not supposed to linger near the voting machine for any length of time. Certainly it's important to implement appropriate safeguards in the software (such as the automatic numbering system that was disabled for the log file), but chances of election fraud due to machine tampering are pretty darn low.
Under capitalism man exploits man. Under communism it's the other way around.
Yeah, their freedom to loot our treasury, make war worldwide, and reward their rich buddies.
It did seem funny that republicans in many races made remarkable surges on election day. I wonder why exit polls were suspended during the 2002 election?
photosMy Photostream
It doesn't have to be the Republicans themselves. Just people who would benefit from them being in power.
It may interest you to check campaign contributions from executives at Diebold. They seem to like to give quite a bit of money to the Republicans. Just a quick taste:
Walden W. O'Dell
Chairman of the Board, President and Chief Executive Officer, Diebold
2/14/01 $2,015.00
RNC REPUBLICAN NATIONAL STATE ELECTIONS COMMITTEE
12/17/97 $1,000.00
VOINOVICH FOR SENATE COMMITTEE
1/30/01 $3,950.00
RNC REPUBLICAN NATIONAL STATE ELECTIONS COMMITTEE
8/16/01 $500.00
VOINOVICH FOR SENATE COMMITTEE
12/17/97 $1,000.00
VOINOVICH FOR SENATE COMMITTEE
6/30/00 $1,000.00
DEWINE FOR US SENATE
Yes, Diebold and ES&S are both closely tied to the Republican party, and have been for a long time. If you look at their campaign contributions for the last election, you will see that everyone that gave, gave only to the GOP.
Chuck Hagel still owns stock in ES&S's parent company. He has won every election that used ES&S machines to count the votes.
photosMy Photostream
Why not implement a "paper trail" through punching holes in a metal plate using a laser. Each machine would encode their votes in metal, which would be hard to falsify (the holes will have clear characteristics). The metal plates can then be removed from the machines after voting and kept available for recounts, if needed. Optical scanners could even automate recounts.
Healthcare article at Kuro5hin
I found this gem on alternet:
While we may look at hacking or intentional fraud as one of the only (or few) potential abuses WRT electronic voting, we might forget about structural abuse like we've seen in Florida. It makes me laugh when someone comments on a vote saying "the people have spoken". We should just roll dice instead..."What is the sound of one belly slapping?"
I was one of those reporting this story. What wasn't mentioned was that the source code availability, at
They mention that there is some corruption of some files, and offer
and some are password protected, and recommend:
Personally, as someone who also does configuration management, I found the Motherlode in Vol 2: cvs.tar, which does, indeed, have the entire cvs source code tree. Note that it is damaged, and about 1/3rd of the 72M of code won't untar (though I suspect that someone with a good familiarity with the format of tarfiles might recover some).
I *also* found a comment in the archive
AVTSCE/TSElection/ResultFile.cpp:
> Modified ElectionArchive to allow user to see all ballot results files
> that match the election-vcenter-dlverion, thereby allowing restoring of
> results from different 'machines'.
Now, there may be a good reason for this...perhaps in testing...but it's not coded as a debugging function, and looks to be in the live code, in what records the tallies.
mark
Look, the republicans are not smart enough to fix an electronic voting machine and the democrats would fix it so that the votes were split between 3 different right in canidates.
Take a gander at this article from the Hill.
Chuck Hagel is the Senator from Nebraska. 80% of its ballots are done electronically. It just so happens that Hagel owns a stake in the company(ES&S) that produced those voting machines. And he failed to disclose as much too.
Searching Google for more information turned up this confidence building bit:
"ES&S's machines are not tampered with. I've seen them in action. They are, in fact, buggier than hell. The software running them is not very stable code, and that's why there is so many problems with the machines."
Scrutiny of the system would scale with the amount of interest in it. If ten isolated people in Florida report their votes miscounted, no biggee. If those ten people get their friends to verify their votes as well and there emerges a pattern of claims, an investigation can begin. A single case of claimed miscounting - whether it be genuine miscounting, voter fraud, or senility - need not trigger an investigation.
Also, any system that lets the voter check their vote also lets someone forcing them to vote one way or another to verify that they've done as commanded.
A possible solution: while in the voting booth, voter can snapshot any speculative set of votes in the dbase with any associated phrase, such as the phrase "This is my real vote", and "This is truly my real vote". Only one of them is marked as the true vote for tally purposes. A user can retrieve any thusly snapshotted set of votes via the web at any time, but can only do so by knowing the key phrase a priori. Most people will only bother putting in their actual votes, but those with an interest in subterfuge can put in more than one.
- First they ignore you, then they laugh at you, then ???, then profit.
A voting machine should produce 4 ballots, one you put in the slot, one you keep, and two you can send to "independant" counting agencies. The ballot itself will have a serial number assigned so the independant agencies can report their tallies to each other and come up with a separate vote count.
Try to reconcile these comments with how the system is secure with the system that was described by Bev Harris... It is full of strawmen. I think my favorite part is that they'll keep it secure by never allowing patches to be applied to the Microsoft Windows OS.
- begin here -
Security in the Georgia Voting System
Britain J. Williams, Ph.D.
April 23, 2003
Introduction: The State of Georgia replaced all voting systems statewide with a computer-based voting system. This system, known as a direct recording electronic (DRE) voting system, was first used in the November 2002 election. This voting system, described in the next section, is computer based. As a result, questions have been raised regarding the vulnerability of the system to attacks by hackers and persons attempting election fraud.
Overall security of any computer-based system is obtained by a combination of three factors working in concert with each other. First, the computer system must provide audit data that is sufficient to track the sequence of events that occur on the system and, to the extent possible, identify the person(s) that initiated the events. Next, there must be in place well defined and strictly enforced policies and procedures that control who has access to the system, the circumstances under which they can access the system, and the functions that they are allowed to perform on the system. Finally, there must be in place physical security; fences, doors, locks, etc.; that control and limit access to the system. This article describes how these factors are incorporated into the election system in the State of Georgia.
Overview of the Georgia Voting System: The computer-based election system deployed in the State of Georgia is classified as a direct recording electronic (DRE) system. The components of the system consist of the following:
Standard personal computers running an executable module known as GEMS, Global Election Management System. This system, called the GEMS computer, is used to define the election, enter the candidates and questions, and format the ballots for the voting devices. This computer also accumulates the votes after the polls close and prints various reports and audits.
Touch-screen voting stations are used for in-person voting.
Optical ballot scanners are used for absentee and provisional voting.
Each county election office in the State is equipped with a GEMS computer. This computer is used to define elections and format the ballots for both the touch-screen voting stations and the absentee (paper) ballot scanners. The system also produces files that can be sent directly to a printer to print the absentee and provisional ballots.
When the election definition is complete, the GEMS system produces PCMCIA cards, also called PC memory cards, which are used to program the touch-screen voting stations and the ballot scanners. One card is produced for each voting station and ballot scanner.
While still in the county warehouse the voting stations are arranged by precinct and the PC cards are inserted. In the days just before the election a series of tests called Logic and Accuracy tests are conducted. These tests are designed to confirm that the voting stations have been properly prepared for the election and that they correctly register all votes cast. These tests are open to the public. At the completion of the Logic and Accuracy tests the voting stations are sealed and delivered to the precincts.
On the morning of Election Day the Precinct Manager and Assistant Precinct Manager break the seals and prepare the voting stations for the election. The first step in this process is to print out a 'zero totals tape'. This tape verifies that no votes have been recorded on the voting stations prior to the opening of the polls. As the voters cast their ballots on a touch-screen voting station their choices are recorded on the PC memory card. The absentee ballots and provisional ballots are processed through ballot scanners and their votes are r
So, you're implying that Fox News is the only news service that doesn't report 'the truth' as you know and believe it, eh?
It's surprising, though, to hear a lockstep liberal using the word 'evil.'
Shouldn't the term be 'ethically different.'
Now we have big flatscreen computers - backlit screens with huge fonts and a color behind each candidate's name. There's no curtain, no closet, and the screen is aimed back where anyone in the room can watch you vote. This not only hurts people who want to vote against what most in their community support, it lets the old ladies who run polling places keep their own unofficial tally of the results (if they want to). That would facilitate fraud, wherein you just keep up with your preferred candidate and then go vote a few extra times if you notice he's falling behind.
Additionally, I have personally met our county registrar, and deal with her on a regular basis in matters not related to the government. She's not qualified for the job, and wouldn't know a case of computer fraud from a hole in the ground if it ever happened on her watch.
== Paul Rickard, Editor of The Microsoft Boycott Campaign ====
I live here so I voted in the last election using the diebold "system". It's the most BLATANT phony vote system you can imagine. There is ZERO way to account for the tally, any "official" can slide in a disk and change the results, there's no way for any local poll watcher to verify a count, because all you can do ishave the machine run it's same program again, so if it's been monkeyed with, you'll get the same monkeyed results. I made an offical protest after I voted, it lead to nothing, just an exasperrated and computer illeterate older lady poll official who couldn't understand why I wouldn't trust the machine,how it could be tampered with, then she transferred me to some person at the other end of a telephone who insisted the machines were fair, accurate and honest. I disputed that, said there was no proof, there was no proof of the vote that any poll watcher could verify, and I demanded the code, of course refused. I just wanted there to be an official protest, so I did it. Before we had a plain wooden box, paper ballots, you could look inside the box at poll opening, verify it empyty, sit there at poll closing time and watch the count. the potential for verification is VERY high with such a system and good ole mark I human concerned eyeballs. I like computers, but I got no use for these "systems". And I remember BEFORE I voted, a big Drudge headline about large numbers of "irregularities" showing up during the vote in georgia, I came back from voting and that story POOFED off his page and there was little of it at any other big georgia sites like ajc.com. That's some JUICE to be able to do that, and yes, biggest upsets since civil war reconstruction, defying all pre and post polling, so much so all the news orgs stopped even reporting the polls or that story.
That election was RIGGED, and it was the test case for nation wide rigging, that's my opinion, and the test worked, 99.999% of the people just sucked it up. To be fair, there was a big anti barnes vote over the flag issue, but still... too many races had completely bogus results. And BOTH PARTIES have endorsed these "systems", which means they are "in" on it at the top party levels.
It's a JUNTA. The vote was marginally useful before, now it's about useless.