Electronic Voting: The Other Side of the Story
_randy_64 writes "We've all read about the perils of online voting. But in an article in MIT's Tech Review, noted technologist Simson Garfinkel looks at the other side of the story and comes away thinking that e-voting might not be so bad, if done properly. He mentions several ways that traditional ballot voting is just as 'hackable' as the electronic version."
Not to beat a dead horse, but this was very much the issue with the 2000 presidential election. When it became clear that Florida needed to be counted more carefully, it was discovered that boxes of ballots had been damaged, left in insecure locations, lost, or in one case even stolen. The large delays weren't on account of time needed to actually recount, but to establish how to compensate for the above, and for the fact that many boxes were discovered to never have been counted in the first place!
Election engineers constantly vow to correct these problems, but for 200 years, we've been having the same problems over and over. At times it almost seems like some parties simply don't want the problems solved!
This model should be put to rest and replaced by something more secure, and more tuned to the technology we have today that wasn't available thousands of years ago when paper ballots were first put to use.
If the vote is trackable through the system today, but only by the originating party, then fraud would be rapidly exposed. If the voter's ballot is a key countersigned by the party receiving the vote upon voting, then anonymity is protected, and all votes are provable in both directions.
Nevertheless, most computer professionals are opposed to the DRE machines. One reason is that there is fundamentally no way to audit them: If 600 people vote at a DRE on Election Day and the machine says that 310 voted for the Democratic candidate, who is to say that the number 310 is true? Perhaps only 280 voted Democratic, but the machine was programmed to randomly flip 5 percent of the Republican votes to Democrat before recording them on the computer's hard drive. To make this sort of programmatic tampering harder to detect, perhaps the program was devised so that the flipping would only happen on the first Tuesday in November. On other days--presumably the days when election officials tested the voting machine--no vote flipping would take place. To make it even harder to detect, perhaps the flipping occurs only when the machine discerns that the vote is close; this would avoid the embarrassment of having polls predict one outcome, and having the machines tally another.
This only shows the need for open-source software in the government. If the source for the voting machines was available to all programmers world-wide, then there would not be this concern! If you used closed source software, then who knows what backdoors the programmers could put in?
And why did you staple the trout to the RAM?
The real debate is about who's going to be making the software/equipment to make it happen. We've heard about the bugginess of the Diebold voting systems, and talked about how we'd design the voting systems...
So why don't some of us get together and just do it? Seriously, if someone made an OpenSource voting booth that was secure and worked well, it'd be huge -- plus, it'd be cheaper for the government. I can't think of a better way to get some exposure to OpenSource.
This should be an obvious case where even the general public might be possible to convince that all the software in such a system must be open source. There is no excuse for not doing so.
Of course, this is not yet the complete solution, but without it I cannot think of one.
The article starts out with a False Choice logical fallacy. The reporter asserts early on that we either have touch screens or paper -- to create tension and purport to show "another side" of the argument. But it is really a misrepresentation of the facts. The Verified Voting people went way out of their way to make sure that they weren't against paper ballots. What VerifiedVoting is For is a PHYSICAL verification of electronic voting.
by providing a backup "counting" mechanism which can be used to verify that the voting machine is working correctly. Open source will not solve it (although it will make it harder) as you still have many ways which the machine can be tampered with. Clearly the reporter disagrees with this view, and says:
"What about the value of a paper trail? I asked Selker. Just having a vote on paper is no guarantee that it will be correctly counted, he explained. He cited an example (again from Chicago) of an election commissioner who bragged about counting votes for a Republican candidate and then writing them down as votes for the Democrat."
While this is cute, and it is possible to mess with the paper ballots by mis-counting them -- the point of paper ballots is that you can re-count them under bright lights... and since someone _could_ be shown to have lied it makes catching evil election commissioners much easier. Recounting electronic votes, however, well, is this even possible?
This reporter has an axe to grind and I think he is seriously playing games. Especially when he says "Before talking with Selker, I was squarely in the anti-DRE camp." How someone can be even remotely informed about DRE and propose an "alternative" while not even mentioning a reference to and then completely mis-representing the academics and practitioners who are in the "anti-DRE" camp [1]? This quote is just yet another strategically placed logical flaw that his paper is riddled with.
[1] (VerifiedVoting).
I think you've just pointed out the best reason NOT to go for online voting. Surely you're familiar with the voting corruption of Old America--the political machines and of the buying of immigrants (and others) votes. Do you have any idea how much corrupt people would LOVE a situation where you could buy someone's vote and there would be no way to prove this? Something like you advocate would usher in an unprecedented era of vote selling and corruption.
:)
I'm all for technology when it helps, but my opinion is if you won't expend the effort to send in an absentee ballot (which itself is open to problems) or, god forbid, drive to a local polling place (where they SHOULD check IDs) and place your vote in person, I'd personally rather you didn't vote.
Personally the ballots I like best are those recently adopted in my state--there is a candidate's name, and an arrow drawn like:
President (PICK ONE)
== ===> George Bush
== ===> Al Gore
and you use a sturdy black marker to fill in the arrow. Very easy, very hard to mess up.
I wouldn't MIND 100% computer voting, but there absolutely has to be a paper trail. Think what would have happened in the Florida election--Gore would have lost by a couple hundred votes, there would have been a huge fuss, and then what? We never would have been able to go back and see that Bush indeed did get the higher number of votes. This is a problem.
While both systems have their flaws, I suspect that more people will try to exploit the e-voting system than the current physical system. Currently, you either have to be present at the voting station, or in contact with a box of ballots to mess with the results. With the internet, there's less evidence to leave behind, and you can scam the system from the comfort of your home (or a public comp if you want less of a trail).
DO NOT WRITE IN THIS SPACE
ok
The article points out many problems with the traditional voting system, but few of them would be eliminated by the adoption of electronic voting machines. No matter what sort of device is used to record the votes, corrupt officials can still disenfranchise or intimidate voters, poll workers can still be ignorant, and so on.
Just because the current system is broken doesn't mean it's okay to go ahead and adopt one that will introduce even more vulnerabilities. Setting up roadblocks is one thing, arbitrarily altering votes remotely with no audit trail is another.
I don't think it's necessarily impossible for a sufficiently secure electronic voting machine to be built, but the Diebold system sure ain't it; such a dangerously insecure system deserves nothing less than the stiff opposition Garfinkel pokes fun at.
Ubi dubium, ibi libertas.
If no one is paying attention. The example Garfinkel gives of the election official writing down whatever he feels like is a perfect example. OF COURSE if you hand over the ballots to some election official, and he goes into some room by himself, he can come out of that room and say whatever he feels like. He can even show you the ballots, and you have no idea whether those are the ones that went into the room in the first place.
That's why you have to have physical ballots, but then the ballot boxes have to be watched by party representatives every minute from the time the empty box is put in the polling station to the time the ballots are counted, in public. If the votes leave the representatives' sight, they could be tampered with.
That's the whole problem with "black box" electronic voting: it's essentially a room where the ballots leave your sight. Anything could happen to them!
Now, if Americans or the political parties don't care enough about elections to have observers at every step, then we might as well just give up on democracy and go home.
It's the same reason email spam is a lot more annoying than bulk snailmail. So saying that this is just as hackable as paper ballots is, frankly, a stretch.
Electronic voting systems allow massive tampering across multiple precincts - from thousands of miles away. And you can't narrow the suspects down to two or three people who supervised voting in one precinct - anyone with a modem and technical know-how can be a suspect when electronic voting goes sour.
== Paul Rickard, Editor of The Microsoft Boycott Campaign ====
Eh? How, exactly, is it easier to print big fonts on a screen than a piece of paper? I think the cost of paper varies less strongly with size than, say CRT and LCD technology.
There's a graphical trick an electronic screen can do called "scrolling". A single piece of equipment can show data in a series, not just one predetermined thing. One LCD screen, 640x400 pixels, can display 100s of candidates in succession- and in huge fonts (if the voter wishes).
To do that on paper would be expensive not just to print them all, but more importantly because it makes counting the votes that much harder. There's more paper to store, and collating from a stapled packet is much harder than just reading individual cards.
WTF? And computers are less buggy than paper?!?! Help me.
Ok. For data over a certain size, individual sheets of paper are more error-prone than computer files. As you saw in the Florida election, just having the votes in hand doesn't mean you know what the total is. For nations the size of the US, counting votes can be a monthlong procedure- and that's with a significant chance of error on each one (better form design can reduce it greatly- no butterfly+chad). The inability to count & recount quickly is itself a kind of bugginess.
Many of the ways that a paper vote can be hacked are just allegations- but that's the problem. Because huge stacks of paper are so unwieldy to analyze, we can't be sure how many disputed votes might've really made a difference.
Another paper problem is its fragility- a single saboteur could destroy 10000s of paper votes by fire, but digital votes can be distributed to multiple remote sites immediately as they're cast. Historically, what happens if some ballots are "lost"? Do the authorities redo the whole election? Not on your life.
This, the last paragraph, is the only one worth reading, and interestingly it contradicts some of the earlier statements with which I took issue
The whole point of the article was to support electronic voting. It just laid out the typical objections first- but the subtitle of the page clearly telegraphed what the conclusion would be. How the last paragraph contradicts (or even addresses) much else in the article escapes me.
PS. I generally do not approve of this guy's reportage.
Our forefathers didn't trust each other. They knew that opposing interests and herd behavior were dangerous things and devised a three part government that allowed things to go slowly enough and within sight of all (for the most part) as checks and balances to losing our freedoms (current government take note).
One of the most successful business technologies in the past few centuries, that made business possible, was the creation of double entry bookkeeping, with its built in checks and balances. But even that is not enough, companies are audited by independent auditors (well, usually independent, see what happens when they are not).
Without these transparencies of process and independent oversight we would have many more Savings and Loan scandals, or Enrons or WorldComs. Even with those in place, greedy people will be constantly trying and finding ways around those controls.
So let's have a non-transparent centralized computer tally of votes. Let's require that citizens understand and/or have the electronic technology to vote. We don't need to maintain our freedoms that badly do we?
Today they announced another round of hackable exploits to Microsoft Office software. Also, today Taiwan is being attacked digitally from China.
Electronic technology itself isn't the answer. Encryption does not protect against attack, it only slows it down. Case in point, I have heard it said that the DES standard was adjusted to be fewer bits so only the large NSA computers could crack it. The government is nervous about any technology that prevents them the ability to spy on information or individuals. So then only the holders of the most computer resources could crack your vote. Do you trust who is in control of policy there now? Or more importantly do you trust who is going to be in control of those resources in the future? That is the fundamental pessimism that was built into our three branches of government for good reason. Any solution to the voting problem, and we do have a serious voting problem as exhibited by the last presidential election, needs to include transparent checks and balances, needs to be simple and non-technological for the voter, and needs to have the eyes of many people of differing views watching the process like a hawk. Our very future is at stake and we can't let it be controlled out of sight or hackable, by anyone.
I don't understand why a cryptographic protocol using a blind signature can't be used to make an auditable voting system.
:-)
:-).
;-).
:-)) Grand Cayman, there was this panel session where various famous, and mostly liberal, academic cryptographers were beside themselves, in front of an audience of people mostly of the same mind -- pissed off and liberal, not famous -- about how to do a cryptographic voting protocol in light of Bush "stealing" the election in Florida.
:-). I noted that not once in the entire three hours had they talked about financial voting (equity, remember?) at the world's only financial cryptography conference. If, say, the conference was your idea, or something, it might even make you want to terminate the academic discount, or something... :-).
.sig, below, I define cryptography into two kinds. (There are two kinds of people, those who think in dichotomies, and -- well, you get the idea...) The first kind of cryptography is political cryptography. That is, these days, at least, cryptography used for and against nation states, since empires mostly don't exist, feudal ones, anyway. Political cryptography is the stuff involved in, say, your "rights" (see, "rights" below), online.
It's real simple.
The paradox of internet voting is that you can't vote on the net without being able to sell your vote.
That's because blind signatures -- certainly the most secure, and probably the cheapest way to do things, especially since the patent expires in a year -- create bearer financial instruments.
Can you say, "equity", boys and girls? I knew you could...
In other words, blind signatures, right out of the box, create a secure anonymous vote, but it is, by definition, a vote you can buy or sell. In bearer form. For the most part, anonymously. For cash, in bearer form. That is, anonymous cash.
In fact, without a mondo-draconian is-a-person, gimmie-a-sperm-sample biometric identity scheme (say, voting in meatspace like we do now), you can't vote on the net. The paradox again.
For us anarcho-capitalists, buying and selling votes is a feature, not a bug. It's even a god-given right. But for you *statists*, on the other hand, that's a problem, yes?
Seriously. At the 2001 Financial Cryptography conference in (where else?
They started this panel at 10-ish, and one "yeah, what he said" led to another, and they fulminated all the way through lunch before they finally took questions from the floor.
I was first in line.
One of the reasons that this got up my nose is, as you might have guessed by my
All the rest, for lack of a better term, is financial cryptography. I mean, sooner or later it all boils down to money, right? I'd even shoehorn Schneier's "your kid sister" in here too, just to be ornery, except that sibling rivalry is politics, if there ever was any.
And, I would say, even after USElection2K -- and 9/11, especially after 9/11, where the stock market was almost taken out, if they'd waited an hour or two for a few hundred million shares in un-cleared and un-settled trades to build up, because *that* would have caused more pure hell and hardship than even 3000 deaths could cause-- financial cryptography is *still* the only cryptography that matters.
Finally, that paradox, that the only secure vote on the net is voting a share of mostly anonymous digital bearer equity in exchange for mostly anonymous cash is probably proof of my political/financial crypto dichotomy if there ever was one. Why? Because it points, some day, to efficient, competitive markets for force and the collapse of force monopoly, which is the very foundation of what the average statist would call "government". All cops and soldiers become rent-a-cops, in other words, reporting to their shareholders and customers like everyone else in the economy.
Secure voting, indeed. Efficient markets are the most secure, anonymous votes there are.
"When the hares made speeches in the assembly and demanded that all should have equality, the lions replied, "Where are your claws and teeth?" -- attributed to Antisthenes in Aristotle, 'Politics', 3.7.2
---------- Financial Crypto is the Only Crypto That Matters
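The blind-signature flow argued over in the comment above, as an added example that is not part of the original thread: an authority signs a ballot it cannot see, the signature verifies after unblinding, and `verify()` never asks who is presenting it, which is the bearer property the commenter describes. The RSA key is a constructed toy and every function name is an assumption made for illustration.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy RSA key for the signing authority: two Mersenne primes,
# far too small for real use. All names in this block are illustrative.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # authority's private exponent

def digest(ballot: bytes) -> int:
    """Hash the ballot into Z_N (no full-domain padding in this toy)."""
    return int.from_bytes(hashlib.sha256(ballot).digest(), "big") % N

def random_factor() -> int:
    """Voter's secret blinding factor, invertible modulo N."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return r

def blind(ballot: bytes, r: int) -> int:
    """Voter side: hide the ballot digest as m * r^E mod N."""
    return digest(ballot) * pow(r, E, N) % N

def authority_sign(blinded: int) -> int:
    """Authority side: checks eligibility out of band, signs what it cannot read."""
    return pow(blinded, D, N)

def unblind(blind_sig: int, r: int) -> int:
    """Voter side: strip r to obtain an ordinary RSA signature m^D mod N."""
    return blind_sig * pow(r, -1, N) % N

def verify(ballot: bytes, sig: int) -> bool:
    """Tally side: takes no voter identity, so any holder of (ballot, sig) can cast it."""
    return pow(sig, E, N) == digest(ballot)

def explaining_factor(blinded: int, other_ballot: bytes) -> int:
    """Blinding factor under which `blinded` would hide `other_ballot` instead.

    One exists for every ballot, so the value the authority saw carries no
    information about which ballot it signed.
    """
    return pow(blinded * pow(digest(other_ballot), -1, N) % N, D, N)

def demo():
    ballot = b"serial=" + secrets.token_hex(8).encode() + b";choice=A"  # constructed
    r = random_factor()
    seen_by_authority = blind(ballot, r)
    sig = unblind(authority_sign(seen_by_authority), r)
    return verify(ballot, sig), seen_by_authority != digest(ballot)

if __name__ == "__main__":
    print(demo())
```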
Hell, open heart surgery "might not be so bad, if done properly," either. The trick is doing it properly, which seems to have the odds stacked heavily against it. I still maintain it's a helluva lot easier to have a few thousand digitally altered votes go unnoticed than it is a few thousand dead people or illegal immigrants voting. At least there is normally some sort of paper trail on the latter people can point fingers at.
More incentive? I'd say not. Power seems very desirable, to judge by the number of already wealthy who seek it.
One advantage financial transactions have over electoral transactions is verifiability. Each pair of parties in a transaction will ensure their end happens properly. And stays that way. A vote is cast into the void, with no good way to ensure that it stays cast.
WTF? And computers are less buggy than paper?!?! Help me.
Generally, I agree with you. But this statement... well, yeah, computers are less buggy than paper.
You might be thinking of the thing on top of your desk as a computer. It is, but there are a lotta types of computers in this world. Dedicated machines do pretty well. When's the last time your digital watch crashed? Ever have to re-boot your microwave in mid-cooking? You think currency counters make many mistakes?
Sure, if you want a flexible user interface, Plug n' Pray, Quake III, and a set of interoperable office applications, you're gonna get problems. But if you want something that just counts stuff, you can't beat silicon.
Mea navis aericumbens anguillis abundat
tens of thousands of people were removed, some apparently in error.
Oh no, the felons couldn't vote. Whatever shall we do? Jeebus, I think I know the case in question, and the "some apparently in error" were 2 people with repeatedly rejected appeals. Not pending appeals mind you, flat-out rejections for appeal -- though apparently the felons claimed that was unfair. This is not the sort of election hacking that worries me.
Didn't you read the portion that you copied where it said "tens of thousands of people were removed?" The point isn't that felons couldn't vote, the point is that they used inaccurate lists of felons to purge the voting records in Florida. These lists included people who had had their voting rights restored and those who had never been convicted of felonies. This is exactly the kind of election hacking that should worry us all.
Actually, speed of count is in no way related to country size, because you should really be counting on a distributed local level and counting in parallel. Despite using entirely paper-based, hand (not machine!) counting, the UK manages to deliver final election declarations for the majority of the country within 12 hours of close of poll. For very rural areas it takes up to 24 hours.
It seems to me that the US has less need of rapid counting than the UK. Our national administration changes as soon as the result becomes clear - it would matter very little if a US presidential election took 48 or 72 hours to count (can't comment on other US elections). I can't see why it need take any longer than that if there was the willpower there to do it!
It seems that there is pressure to make voting cheap. If you think that election of the president of the USA is of some importance, (and is an infrequent event) maybe it's not so bad to spend some money on it.
If one was created and worked 100% correctly we could get in the media with it. Media connections aren't a problem. If the population knew that there was an alternative that didn't have the opportunity for fraud and it was cheap, they'd be for it. With the masses supporting something that was secure and open, I don't see how they could possibly argue against it.
Our side of the debate would go like this: Our machine is secure, cheap, and works.
Basically, that would be enough. We'd have to elaborate on the 'how is it secure if everyone can see how it works' argument, but that would do it.
Their argument: They want to spend millions on machines that are closed source, proven to be insecure, proven to not work correctly, and have the opportunity to be tampered with.
It really doesn't seem like an argument at all. But it's got to reach the public first. They'll shut it down right away if this just shows up on their desk as a proposal. But if enough people knew it was out there, it'd be impossible for them to ignore it.
You mention Hagel... did you know I was from Nebraska or did you randomly choose that one?