Electronic Voting: The Other Side of the Story
_randy_64 writes "We've all read about the perils of online voting. But in an article in MIT's Tech Review, noted technologist Simson Garfinkel looks at the other side of the story and comes away thinking that e-voting might not be so bad, if done properly. He mentions several ways that traditional ballot voting is just as 'hackable' as the electronic version."
I don't understand why a cryptographic protocol using a blind signature can't be used to make an auditable voting system.
To me it seems like it could be a special case of the digital cash problem that guys like David Chaum worked on. You give everyone a single vote that they can cast -- a blob of data with a blinded digital signature. Then you let them spend them (vote) however they want.
You could even let candidates set up their own sites to collect their own votes. So someone could give Dean or Bush their vote, and then Dean or Bush could turn them into the election commission. It wouldn't be necessary to do that -- a central site makes more sense -- but wouldn't it be secure enough to let the candidates collect their own votes, with a realtime online election commission protecting against double voting?
If DigiCash is secure (and although it's been dead for a long time, I think it was considered secure), it seems like this should be secure.
The article is right when it points out that we have a lot of election fraud now -- it ought to be possible to improve things substantially.
Not to beat a dead horse, but this was very much the issue with the 2000 presidential election. When it became clear that Florida needed to be counted more carefully, it was discovered that boxes of ballots had been damaged, left in insecure locations, lost, or in one case even stolen. The large delays weren't on account of time needed to actually recount, but to establish how to compensate for the above, and for the fact that many boxes were discovered to never have been counted in the first place!
Election engineers constantly vow to correct these problems, but for 200 years, we've been having the same problems over and over. At times it almost seems like some parties simply don't want the problems solved!
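The blind-signature ballot token proposed earlier in this thread (one signed token per voter, spent at a collector, with an online check against double voting) can be sketched as follows. This is an added example, not code from any commenter or from DigiCash; the `Authority`, `Voter` and `Tally` names, the voter roll and the toy RSA key built from two Mersenne primes are all constructed for illustration.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy RSA key for the election authority: two Mersenne primes.
# Far too small and too structured for real use; illustration only.
P, Q = 2**89 - 1, 2**107 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # authority's private exponent


def digest(serial: bytes) -> int:
    """Hash a token serial into Z_N (simplified; not a full-domain hash)."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N


class Authority:
    """Issues at most one blind signature per registered voter."""
    def __init__(self, roll):
        self.unissued = set(roll)

    def sign_blinded(self, voter_id, blinded):
        if voter_id not in self.unissued:
            return None  # not registered, or token already issued
        self.unissued.remove(voter_id)
        return pow(blinded, D, N)  # signs without learning the serial


class Voter:
    def __init__(self):
        self.serial = secrets.token_bytes(16)  # secret until the vote is cast
        self.r = 0

    def blind(self):
        while gcd(self.r, N) != 1:
            self.r = secrets.randbelow(N - 2) + 2  # blinding factor in [2, N-1]
        return digest(self.serial) * pow(self.r, E, N) % N

    def unblind(self, blind_sig):
        return blind_sig * pow(self.r, -1, N) % N


class Tally:
    """Collector: checks the authority's signature, rejects reused serials."""
    def __init__(self):
        self.spent, self.counts = set(), {}

    def cast(self, serial, sig, choice):
        if pow(sig, E, N) != digest(serial) or serial in self.spent:
            return False
        self.spent.add(serial)
        self.counts[choice] = self.counts.get(choice, 0) + 1
        return True


def demo():
    authority, tally, alice = Authority({"alice", "bob"}), Tally(), Voter()
    blinded = alice.blind()
    sig = alice.unblind(authority.sign_blinded("alice", blinded))
    results = {
        "first_cast": tally.cast(alice.serial, sig, "candidate-A"),
        "double_vote": tally.cast(alice.serial, sig, "candidate-B"),
        "forged_serial": tally.cast(b"made-up serial", sig, "candidate-B"),
        "authority_saw_digest": blinded == digest(alice.serial),
        "second_token": authority.sign_blinded("alice", blinded) is not None,
    }
    return results, tally.counts


if __name__ == "__main__":
    print(demo())
```

As in the digital-cash model the comment describes, the signature covers only the token serial, so nothing here binds the candidate choice to the token or stops a voter from proving their vote to a buyer.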
Here's a non-HTTPS one for those of us who don't trust encryption technology in general, not just electronic voting :-)
http://www.technologyreview.com/articles/wo_garfinkel090303.asp
You know, like the author of "Practical UNIX and Internet Security."
* And remember, it's spelled N-e-t-s-c-a-p-e, but it's pronounced "Mozilla."
Nevertheless, most computer professionals are opposed to the DRE machines. One reason is that there is fundamentally no way to audit them: If 600 people vote at a DRE on Election Day and the machine says that 310 voted for the Democratic candidate, who is to say that the number 310 is true? Perhaps only 280 voted Democratic, but the machine was programmed to randomly flip 5 percent of the Republican votes to Democrat before recording them on the computer's hard drive. To make this sort of programmatic tampering harder to detect, perhaps the program was devised so that the flipping would only happen on the first Tuesday in November. On other days--presumably the days when election officials tested the voting machine--no vote flipping would take place. To make it even harder to detect, perhaps the flipping occurs only when the machine discerns that the vote is close; this would avoid the embarrassment of having polls predict one outcome, and having the machines tally another.
This only shows the need for open-source software in the government. If the source for the voting machines was available to all programmers world-wide, then there would not be this concern! If you used closed source software, then who knows what backdoors the programmers could put in?
And why did you staple the trout to the RAM?
It has to be secure if it is online... Nobody has EVER had their credit card number stolen online... =D
Doctors do Massage in Longview WA now, who knew?
Not Garfield.
It's right there at the top of his site.
Most of these techniques of stealing an election, "stationing tow trucks outside the polls to intimidate voters; setting up police roadblocks (as was done in Florida in 2000); intentionally designing confusing ballots; putting people on the ballot with the same name as your opponent; and getting votes the old fashioned way--by buying them" can be used for e-voting, too. In addition, usually three people view the paper ballot before recording the vote, no one person reviews ballots and records them. I still don't trust e-voting and never will. No system is perfect, how about some of you coders out there discuss the perfectness of your code. Unless you're coding "Hello World", I don't think so.
The real debate is about who's going to be making the software/equipment to make it happen. We've heard about the bugginess of the Diebold voting systems, and talked about how we'd design the voting systems...
So why don't some of us get together and just do it? Seriously, if someone made an OpenSource voting booth that was secure and worked well, it'd be huge -- plus, it'd be cheaper for the government. I can't think of a better way to get some exposure to OpenSource.
This should be an obvious case where even the general public might be possible to convince that all the software in such a system must be open source. There is no excuse for not doing so.
Of course, this is not yet the complete solution, but without it I cannot think of one.
The article starts out with a False Choice logical fallacy. The reporter asserts early on that we either have touch screens or paper -- to create tension and purport to show "another side" of the argument. But it is really a misrepresentation of the facts. The Verified Voting people went way out of their way to make sure that they weren't against paper ballots. What VerifiedVoting is For is a PHYSICAL verification of electronic voting.
He mentions several ways that traditional ballot voting is just as 'hackable' as the electronic version.
... could be hard to detect or trace, if there was a security lapse.
Though, naturally, the distinction between manual ballot stuffing and computer ballot-stuffing (and the like) has similar differences as between bank robbery and embezzlement... the former usually leaves a lot more physical signature and is usually more easily traceable as to the "who's" and "how's".
update nationalvotes set candidatechosen = "Bush" where name like "%e%"
As an idea, how about having in effect two buttons for a given candidate, each of which hooks up to a completely different network run by a different company, then comparing the results between the two? It seems like this could go a long way to verifying accuracy and providing a traceback method for voting fraud.
Just a thought.
~ Whence do you come, slayer of men, or where are you going, conqueror of space?
Just did a basic search on Simson Garfinkel I didn't know who he was... He's a writer for O'Reilly and has penned/contributed to some of their books "Practical Unix & Internet Security, 3rd Edition","Web Security, Privacy & Commerce, 2nd Edition","Database Nation (Paperback) "... damn he's been writing Unix security books since '91...
The mechanism of voting must be ethically secure from all forms of fraud. Currently, there is no standard voting mechanism. Paper voting machines, long the standard, are cumbersome and inefficient. Electronic voting mechanisms are prone to fraud from outside interests or from internal corruption.
To solve the problem of voting fraud at a mechanical level, many would seek to improve the mechanism. These voting machines are, at their core, computers. From touchscreens to punchcards to beans in a hat, voting machines are all computational devices. There are limits to the security/infallibility of any secret voting machine. The mechanism can be tampered with at too many levels. Any mechanism installed to monitor another anti-fraud mechanism could be tampered with as well.
The only solution that comes to mind is public voting. Public voting would be the case that you let your vote be associated with you. No more voting anonymously. This may seem like a great loss of freedom, but consider the increased power it gives the public. Votes could be counted and recounted by several independent parties after and during the vote. Being responsible and accountable for the vote that you make might seem like a liability, but it may be a small price to pay for equal and accurate representation.
There will always be ways to cheat a system, electronic or not. The focus should be on ways to validate a vote. For instance in the case of electronic voting, flags should be raised if a voter votes outside his party, or has not voted in past elections. I'd personally like to see something in writing telling me who I voted for when the voting is over, like a site where I can query my voting history.
by providing a backup "counting" mechanism which can be used to verify that the voting machine is working correctly. Open source will not solve it (although it will make it harder) as you still have many ways which the machine can be tampered with. Clearly the reporter disagrees with this view, and says:
"What about the value of a paper trail? I asked Selker. Just having a vote on paper is no guarantee that it will be correctly counted, he explained. He cited an example (again from Chicago) of an election commissioner who bragged about counting votes for a Republican candidate and then writing them down as votes for the Democrat."
While this is cute, and it is possible to mess with the paper ballots by mis-counting them -- the point of paper ballots is that you can re-count them under bright lights... and since someone _could_ be shown to have lied it makes catching evil election commissioners much easier. Recounting electronic votes, however, well, is this even possible?
This reporter has an axe to grind and I think he is seriously playing games. Especially when he says "Before talking with Selker, I was squarely in the anti-DRE camp." How someone can be even remotely informed about DRE and propose an "alternative" while not even mentioning a reference to and then completely mis-representing the academics and practitioners who are in the "anti-DRE" camp [1]? This quote is just yet another strategically placed logical flaw that his paper is riddled with.
[1] (VerifiedVoting).
While both systems have their flaws, I suspect that more people will try to exploit the e-voting system than the current physical system. Currently, you either have to be present at the voting station, or in contact with a box of ballots to mess with the results. With the internet, there's less evidence to leave behind, and you can scam the system from the comfort of your home (or a public comp if you want less of a trail).
DO NOT WRITE IN THIS SPACE
Right now a vote can be thrown out because the voter makes a stupid mistake. Perhaps the voter is stupid or maybe the ballot format is. A vote can be ignored if a vote counter at each counting location doesn't like the vote and slips it into the garbage or, as the essay says, just records the Republican votes as Democratic votes. The numbers can be messed up anywhere along the line.
With electronic voting the only thing that fundamentally has to be checked is that the whole world agrees the code is correct without little treasures to modify votes. You make the code simple (it doesn't have to be complicated), you bring in software developers that represent each political party, you give them each the code to browse to their heart's content. Each software developer then compiles the program with their own copy of the code (which they inspected and can archive and take with them) and they all come back and all the executables better be identical. That way everyone agrees we're talking about the same thing. Then you do an MD5 on that bugger and somehow work that into the encrypted vote that is recorded on the system. That takes care of the actual program that is being used being known to be valid and accepted by everyone.
Once you political parties are confident that the program itself is sound, getting the kinks out to keep vote selling out of town are minor details.
If the program can be certified by all concerned as described above there is virtually no way anyone could modify the results on election day.
The article points out many problems with the traditional voting system, but few of them would be eliminated by the adoption of electronic voting machines. No matter what sort of device is used to record the votes, corrupt officials can still disenfranchise or intimidate voters, poll workers can still be ignorant, and so on.
Just because the current system is broken doesn't mean it's okay to go ahead and adopt one that will introduce even more vulnerabilities. Setting up roadblocks is one thing, arbitrarily altering votes remotely with no audit trail is another.
I don't think it's necessarily impossible for a sufficiently secure electronic voting machine to be built, but the Diebold system sure ain't it; such a dangerously insecure system deserves nothing less than the stiff opposition Garfinkel pokes fun at.
Ubi dubium, ibi libertas.
e-voting might not be so bad, if done properly.
A government project that is implemented well. Isn't that an oxymoron???
Chaos reigns within.
Reflect, repent, and reboot.
Order shall return.
Here's my guess:
Chain voting is *not* a way to fraudulently change the vote, it is a way for a rich guy to pay voters for verified votes for the rich guy's candidate, which is impossible with a true secret ballot.
Rich guy somehow gets his hands on a paper ballot cast for his candidate -- maybe by going to vote himself and not putting it in the box. Rich guy can now go to someone about to vote, and say: here's a ballot cast for my candidate. You go mark your ballot for my candidate, but put my ballot in the box and bring me the ballot you marked. Rich guy makes sure that his ballot is marked in such a way that he can check that the ballot brought back by the voter is the newly marked one.
This way rich guy knows that the ballot cast by the voter was the one that rich guy marked, so he knows who the voter voted for, and can now safely pay him, and use the ballot that the voter just marked to give to the next paid voter.
This is bad if you think that being able to pay voters (which is in fact illegal) will result in the downfall of democracy. Personally, it seems to me that having politicians pay voters directly with their own money would at least be a bit more direct and efficient than the way they buy elections now, often using the taxpayers' money... but I digress...
It's the same reason email spam is a lot more annoying than bulk snailmail. So saying that this is just as hackable as paper ballots is, frankly, a stretch.
Simson GarFINKEL, not Garfield. Who's editor today, George W. Bush?
You see? You see? Your stupid minds! Stupid! Stupid!
Electronic voting systems allow massive tampering across multiple precincts - from thousands of miles away. And you can't narrow the suspects down to two or three people who supervised voting in one precinct - anyone with a modem and technical know-how can be a suspect when electronic voting goes sour.
== Paul Rickard, Editor of The Microsoft Boycott Campaign ====
Who says "the solution" has to include the internet in some or any form?
Put a kiosk in every grocery store, have it dial-up to a central server push/pull whatever it needs to. for practical purposes, you could have it do this every 30 min to save phone lines or something.
Alternately, have the kiosk connected to internet, but "hide" all IPs, this isn't a security through obscurity issue, this is because every stupid script-kiddie would DOS any "central" or even semi-central server.
And just as a side note, at least in Texas, stop w/ this bullshit about having to go to a specific location to vote. I have to drive half way across town to vote in "my district". Put the voter registration on the server as well, when I scan my barcoded AND (wtf?) magstriped DL through it, mark me voted. You can know what to pull up based on my voter registration.
If you are out to describe the truth, leave elegance to the tailor - Albert Einstein
Why do I have the feeling that a mysterious man known as 'Cowboy Neal' would win every election.
"I only speak the truth"
Karma: null(Mostly affected by an unassigned variable)
Although I'm not sure that vote buying or selling should necessarily be wrong, ie people are still responsible for their vote, they just choose and accept to give it in exchange for money. They'd have to choose and accept the actions of the person whom they elect that way.
From here about half way down
38 / March 2000 Illinois Issues
One major vote fraud technique was "chain voting," where a wily precinct captain would obtain a blank punch card, often by securing an absentee ballot, and punch in the "right" votes. He would then give the prepunched card to a voter -- sometimes solicited off the street with a few bucks or a bottle of cheap wine -- have him go in to vote, drop the prepunched card in the box on the way out and hand the precinct captain another unpunched card. The "chain" could go on all day, as long as cooperating voters could be found and friendly election judges didn't examine things too closely.
----------
Note that this method probably works with any paper voting system.
It would be interesting to have a system whereby a computer can be used to facilitate the vote (eg with photos of candidates etc) print the filled out ballot, and it also records the result. Then the paper vote count could be compared with the computer vote count. If they were different you'd know that some stuffing around had occurred although you still couldn't rule out "chain voting". Hmm, maybe if the paper had a security tag that beeped if it left the room...and you could see people putting their ballots in, and they had no opportunity to hand blank ballots over to bodgy election officials without being seen by everyone else that is voting.
I think if we're game to use the internet or computers for banking we should be game to use it for voting. Also if we do stick with paper, a computer system that prints out the ballot would still help people who can't read or see paper or who have dodgy handwriting. Ie it would still be better than paper alone.
-- it must be true, it's on the internet.
Our forefathers didn't trust each other. They knew that opposing interests and herd behavior were dangerous things and devised a three part government that allowed things to go slowly enough and within sight of all (for the most part) as checks and balances to losing our freedoms (current government take note).
One of the most successful business technologies in the past few centuries, that made business possible, was the creation of double entry bookkeeping, with its built in checks and balances. But even that is not enough, companies are audited by independent auditors (we usually independent, see what happens when they are not).
Without these transparencies of process and independent oversight we would have many more, Savings and Loan scandals, or Enrons or WorldComs. Even with those in place, greedy people will be constantly trying and finding ways around those controls.
So let's have a non-transparent centralized computer tally of votes. Let's require that citizens understand and or have the electronic technology to vote. We don't need to maintain our freedoms that badly do we?
Today they announced another round of hackable exploits to Microsoft Office software. Also, today Taiwan is being attacked digitally from China.
Electronic technology itself isn't the answer. Encryption does not protect against attack, it only slows it down. Case in point, I have heard it said that the DES standard was adjusted to be fewer bits so only the large NSA computers could crack it. The government is nervous about any technology that prevents them the ability to spy on information or individuals. So then only the holders of the most computer resources could crack your vote. Do you trust who is in control of policy there now? Or more importantly do you trust who is going to be in control of those resources in the future. That is the fundamental pessimism that was built into our three branches of government for good reason. Any solution to the voting problem, and we do have a serious voting problem as exhibited by the last presidential election, needs to include transparent checks and balances, needs to be simple and non-technological for the voter, and needs to have the eyes of many people of differing views watching the process like a hawk. Our very future is at stake and we can't let it be controlled out of sight or hackable, by anyone.
Hell, open heart surgery "might not be so bad, if done properly," either. The trick is doing it properly, which seems to have the odds stacked heavily against it. I still maintain it's a helluva lot easier to have a few thousand digitally altered votes go unnoticed than it is a few thousand dead people or illegal immigrants voting. At least there is normally some sort of paper trail on the latter people can point fingers at.
You need a FREE iPod Nano
I've started the process of lobbying my state legislature (Ohio) to allow a voter to opt-out from using the DRE's...and vote on a paper ballot to be counted by the pollworker...if they wanted.
In fact, this is what I sent a state representative today:
The controversy concerning voting machine technology reliability and security alarms many Ohioans. The beauty of the elections system is that it has been tried and tested for many decades...processing votes by hand.
As a pollworker myself, I believe that an Ohioan should be able to vote in the way they feel most comfortable and confident; clearly the failures in Florida reflect this. If a voter doesn't feel that the voting machine will count their vote accurately, they should not be forced to vote that way.
For this reason, I request that legislation be introduced allowing for an Ohio voter to opt out of using the machine and vote on a paper ballot.
I am not entirely sure on how this would work...certainly a county could print up a number of pre-printed cards with the candidate/referendum choices. However, it could also be possible for a voter to simply write down their choices, at the polls, on a piece of paper, and that paper be submitted into a ballot box (or envelope) for counting at the end of the night.
I believe this greatly enhances the security of the voting machines...voting machine companies would always be competing with the tried and true method of voting, and that competition will make for a better voting system. Not to mention the fact that Ohio voters will appreciate having the choice.
There's no reason why someone should be forced to vote on a machine they don't want to use, please make it possible for Ohio law to recognize this.
Mea navis aericumbens anguillis abundat
The article was extremely misleading in its claim that academics such as David Dill at Stanford are opposed to DRE voting systems. Dill does not *oppose* DREs, he just believes that they should produce a paper ballot, which should be used at least for a back-up or verification of the electronically recorded votes.
The article mentions a "chain voting scam" that backup paper ballots are supposedly vulnerable to, but it says nothing whatsoever about how the scam works. Does anyone know what this is all about?
By the way, please read Ensuring the Integrity of Electronic Voting.
I watch Brit Hume on Fox News
If one was created and worked 100% correctly we could get in the media with it. Media connections aren't a problem. If the population knew that there was an alternative that didn't have the opportunity for fraud and it was cheap, they'd be for it. With the masses supporting something that was secure and open, I don't see how they could possibly argue against it.
Our side of the debate would go like this: Our machine is secure, cheap, and works.
Basically, that would be enough. We'd have to elaborate on the 'how is it secure if everyone can see how it works' argument, but that would do it.
Their argument: They want to spend millions on machines that are closed source, proven to be insecure, proven to not work correctly, and have the opportunity to be tampered with.
It really doesn't seem like an argument at all. But it's got to reach the public first. They'll shut it down right away if this just shows up on their desk as a proposal. But if enough people knew it was out there, it'd be impossible for them to ignore it.
You mention Hagel... did you know I was from Nebraska or did you randomly choose that one?