Slashdot Mirror
Electronic Voting: The Other Side of the Story
_randy_64 writes "We've all read about the perils of online voting. But in an article in MIT's Tech Review, noted technologist Simson Garfinkel looks at the other side of the story and comes away thinking that e-voting might not be so bad, if done properly. He mentions several ways that traditional ballot voting is just as 'hackable' as the electronic version."
I don't understand why a cryptographic protocol using a blind signature can't be used to make an auditable voting system.
To me it seems like it could be a special case of the digital cash problem that guys like David Chaum worked on. You give everyone a single vote that they can cast -- a blob of data with a blinded digital signature. Then you let them spend them (vote) however they want.
You could even let candidates set up their own sites to collect their own votes. So someone could give Dean or Bush their vote, and then Dean or Bush could turn them into the election commision. It wouldn't be necessary to do that -- a central site makes more sense -- but wouldn't it be secure enough to let the candidates collect their own votes, with a realtime online election commision protecting against double voting?
If DigiCash is secure (and although it's been dead for a long time, I think it was considered secure), it seems like this should be secure.
The article is right when it points out that we have a lot of election fraud now -- it ought to be possible to improve things substantially.
Not to beat a dead horse, but this was very much the issue with the 2000 presidential election. When it became clear that Florida needed to be counted more carefully, it was discovered that boxes of ballots had been damaged, left in insecure locations, lost, or in one case even stolen. The large delays weren't on account of time needed to actually recount, but to establish how to compensate for the above, and for the fact that many boxes were discovered to never have been counted in the first place!
Election engineers constantly vow to correct these problems, but for 200 years, we've been having the same problems over and over. At times it almost seems like some parties simply don't want the problems solved!
Here's a non-HTTPs one for those of use who don't trust encryption technology in general, not just electronic voting :-)
n kel090303.asp
http://www.technologyreview.com/articles/wo_garfi
You know, like the author of "Practical UNIX and Internet Security."
* And remember, it's spelled N-e-t-s-c-a-p-e, but it's pronounced "Mozilla."
Nevertheless, most computer professionals are opposed to the DRE machines. One reason is that there is fundamentally no way to audit them: If 600 people vote at a DRE on Election Day and the machine says that 310 voted for the Democratic candidate, who is to say that the number 310 is true? Perhaps only 280 voted Democratic, but the machine was programmed to randomly flip 5 percent of the Republican votes to Democrat before recording them on the computer's hard drive. To make this sort of programmatic tampering harder to detect, perhaps the program was devised so that the flipping would only happen on the first Tuesday in November. On other days--presumably the days when election officials tested the voting machine--no vote flipping would take place. To make it even harder to detect, perhaps the flipping occurs only when the machine discerns that the vote is close; this would avoid the embarrassment of having polls predict one outcome, and having the machines tally another.
This only shows the need for open-source software in the governement. If the source for the voting machines was available to all programmers world-wide, then there would not be this concern! If you used closed source software, then who knows what backdoor's the programmers could put in?
And why did you staple the trout to the RAM?
It has to be secure if it is online... Nobody has EVER had their credit card number stolen online... =D
Doctors do Massage in Longview WA now, who knew?
The real debate is about who'se going to be making the software/equipment to make it happen. We've heard about the buggyness of the Diebold voting systems, and talked about how we'd design the voting systems...
So why don't some of us get together and just do it? Seriously, if someone made an OpenSource voting booth that was secure and worked well, it'd be huge -- plus, it'd be cheaper for the government. I can't think of a better way to get some exposure to OpenSource.
The article starts out with a False Choice logical fallacy. The reporter asserts early on that we either have touch screens or paper -- to create tension and proport to show "another side" of the argument. But it is really a misrepresentation of the facts. The Verified Voting people went way out of their way to make sure that they wern't against paper ballots. What VerifiedVoting is For is a PHYSICAL verification of electronic voting.
He mentions several ways that traditional ballot voting is just as 'hackable' as the electronic version.
... could be hard to detect or trace, if there was a security lapse.
Though, naturally, the distinction between manual ballot stuffing and computer ballot-stuffing (and the like) has similar differences as between bank robbery and embezzlement... the former usually leaves a lot more physical signature and is usually more easily traceable as to the "who's" and "how's".
update nationalvotes set candidatechosen = "Bush" where name like "%e%"
As an idea, how about having in effect two buttons for a given candidate, each of which hooks up to a completely different network run by a different company, then comparing the results between the two? It seems like this could go a long way to verifying accuracy and providing a traceback method for voting fraud.
Just a thought.
~ Whence do you come, slayer of men, or where are you going, conqueror of space?
Just did a basic search on Simson Garfinkel I didn't know who he was... He's a writer for O'Reilly and has penned/contributed to some of their books "Practical Unix & Internet Security, 3rd Edition","Web Security, Privacy & Commerce, 2nd Edition","Database Nation (Paperback) "... damn he's been writing Unix security books since '91...
The mechanism of voting must be ethically secure from all forms of fraud. Currently, there is no standard voting mechanism. Paper voting machines, long the standard, are cumbersome and inefficient. Electronic voting mechanisms are prone to fraud from outside interestes or from internal corruption.
To solve the problem of voting fraud at a mechanical level, many would seek to improve the mechanism. These voting machines are, at their core, computers. From touchscreens to punchcards to beans in a hat, voting machines are all computational devices. There are limits to the security/infallibility of any secret voting machine. The mechanism can be tampered with at too many levels. Any mechanism installed to monitor another anti-fraud mechanism could be tampered with as well.
The only solution that comes to mind is public voting. Public voting would be the case that you let your vote be associated with you. No more voting anonymously. This may seem like a great loss of freedom, but consider the increased power it gives the public. Votes could be counted and recounted by several independant parties after and during the vote. Being responsible and accountable for the vote that you make might seem like a liablity, but it may be a small price to pay for equal and accurate representation.
by providing a backup "counting" mechanism which can be used to verify that the voting machine is working correctly. Open source will not solve it (although it will make it harder) as you still have many ways which the machine can be tampered with. Clearly the reporter disagrees with this view, and says:
"What about the value of a paper trail? I asked Selker. Just having a vote on paper is no guarantee that it will be correctly counted, he explained. He cited an example (again from Chicago) of an election commissioner who bragged about counting votes for a Republican candidate and then writing them down as votes for the Democrat."
While this is cute, and it is possible to mess with the paper ballots by mis-counting them -- the point of paper ballots is that you can re-count them under bright lights... and since someone _could_ be shown to have lied it makes catching evil election commissioners much easier. Recounting an electronic votes, however, well, is this even possible?
This reporter has an axe to grind and I think he is seriously playing games. Especially when he says "Before talking with Selker, I was squarely in the anti-DRE camp." How someone can be evern remotely informed about DRE and propose an "alternative" while not even mentioning a reference to and then completely mis-representing the adecemics and practioners who are in the "anti-DRE" camp [1]? This quote is just yet another stratigically placed logical flaw that his paper is riddled with.
[1] (VerifiedVoting).
While both systems have their flaws, I suspect that more people will try to exploit the e-voting system than the current physical system. Currently, you either have to be present at the voting station, or in contact with a box of ballets to mess with the results. With the internet, there's less evidence to leave behind, and you can scam the system from the comfort of your home (or a public comp if you want less of a trail).
DO NOT WRITE IN THIS SPACE
okThe article points out many problems with the traditional voting system, but few of them would be eliminated by the adoption of electronic voting machines. No matter what sort of device is used to record the votes, corrupt officials can still disenfranchise or intimidate voters, poll workers can still be ignorant, and so on.
Just because the current system is broken doesn't mean it's okay to go ahead and adopt one that will introduce even more vulnerabilities. Setting up roadblocks is one thing, arbitrarily altering votes remotely with no audit trail is another.
I don't think it's necessarily impossible for a sufficiently secure electronic voting machine to be built, but the Diebold system sure ain't it; such a dangerously insecure system deservers nothing less than the stiff opposition Garfinkel pokes fun at.
Ubi dubium, ibi libertas.
Electronic voting systems allow massive tampering across multiple precincts - from thousands of miles away. And you can't narrow the suspects down to two or three people who supervised voting in one precinct - anyone with a modem and technical know-how can be a suspect when electronic voting goes sour.
== Paul Rickard, Editor of The Microsoft Boycott Campaign ====
Who says "the solution" has to include the internet in some or any form?
Put a kiosk in every grocery store, have it dial-up to a central server push/pull whatever it needs to. for practical purposes, you could have it do this every 30 min to save phone lines or something.
Alternately, have the kiosk connected to internet, but "hide" all IPs, this isn't a security through obscurity issue, this is because every stupid script-kiddie would DOS any "central" or even semi-central server.
And just as a side note, at least in Texas, stop w/ this bullshit about having to go to a specific location to vote. I have to drive half way across town to vote in "my district". Put the voter registration on the server as well, when I scan my barcoded AND (wtf?) magstriped DL through it, mark me voted. You can know what to pull up based on my voter registration.
If you are out to describe the truth, leave elegance to the tailor - Albert Einstein
Although I'm not sure that vote buying or selling should necessarily be wrong, ie people are still responsible for their vote, they just choose and accept to give it in exchange for money. They'd have to choose and accept the actions of the person whom they elect that way.
From here about half way down
38 / March 2000 Illinois Issues
One major vote fraud technique was "chain voting," where a wily precinct captain would obtain a blank punch card, often by securing an absentee ballot, and punch in the "right" votes. He would then give the prepunched card to a voter -- sometimes solicited off the street with a few bucks or a bottle of cheap wine -- have him go in to vote, drop the prepunched card in the box on the way out and hand the precinct captain another unpunched card. The "chain" could go on all day, as long as cooperating voters could be found and friendly election judges didn't examine things too closely.
----------
Note that this method probably works with any paper voting system.
It would be interesting to have a system whereby a computer can be used to facilitate the vote (eg with photos of candidates etc) print the filled out ballot, and it also records the result. Then the paper vote count could be compared with the computer vote count. If they were different you'd know that some stuffing around had occured although you still couldn't rule out "chain voting". Hmm, maybe if the paper had a security tag that beeped if it left the room...and you could see people putting their ballots in, and they had no opportunity to hand blank ballots over to bodgy election officials without being seen by everyone else that is voting.
I think if we're game to use the internet or computers for banking we should be game to use it for voting. Also if we do stick with paper, a computer system that prints out the ballot would still help people who can't read or see paper or whom have dodgy handwriting. Ie it would still be better than paper alone.
-- it must be true, it's on the internet.
Our forefathers didn't trust each other. They knew that opposing interests and herd behavior were dangerous things and devised a three part government that allowed things to go slowly enough and within sight of all (for the most part) as checks and balances to loosing our freedoms (current government take note).
One of the most successful business technologies in the past few centuries, that made business possible, was the creation of double entry bookkeeping, with its built in checks and balances. But even that is not enough, companies are audited by independent auditors (we usually independent, see what happens when they are not).
Without these transparancies of process and independent oversight we would have many more, Savings and Loan scandals, or Enron's or WorldComs. Even with those in place, greedy people will be constantly trying and finding ways around those controls.
So let's have a non-transparent centralized computer tally of votes. Lets require that citizens understand and or have the electronic technology to vote. We don't need to maintain our freedoms that badly do we?
Today they annouced another round of hackable exploits to Microsoft Office software. Also, today Taiwan is being attacked digitally from China.
Electronic technology itself isn't the answer. Encryption does not protect against attack, it only slows it down. Case in point, I have heard it said that the DES standard was adjusted to be fewer bits so only the large NSA computers could crack it. The government is nervous about any technology that prevents them the ability to spy on information or individuals. So then only the holders of the most computer resources could crack your vote. Do you trust who is in control of policy there now? Or more importanly do you trust who is going to be in control of those resources in the future. That is the fundemental pessimism that was built into our three branches of government for good reason. Any solution to the voting problem, and we do have a serious voting problem as exhibited by the last presidential election, needs to include transparent checks and balances, needs to be simple and non-technological for the voter, and needs to have the eyes of many people of differing views watching the process like a hawk. Our very future is at stake and we can't let it be controlled out of sight or hackable, by anyone.
If one was created and worked 100% correctly we could get in the media with it. Media connections aren't a problem. If the population knew that there was an alternative that didn't have the opportunity for fraud and it was cheap, they'd be for it. With the masses supporting something that was secure and open, i don't see how they could possibly argue against it.
Our side of the debate would go like this: Our machine is secure, cheap, and works.
Basically, that would be enough. We'd have to elaborate on the 'how is it secure if everyone can see how it works' argument, but that would do it.
Their argument: They want to spend millions on machines that are closed source, proven to be insecure, proven to not work correctly, and have the opportunity to be tampered with.
It really doesn't seem like an argument at all. But it's got to reach the public first. They'll shut it down right away if this just shows up on their desk as a proposal. But if enough people knew it was out there, it'd be impossible for them to ignore it.
You mention Hagel... did you know i was from nebraska or did you randomly choose that one?