Slashdot Mirror
Observer Pans Touchscreen Voting Test
riversidevoter continues: "WinEDS, the program that is used to count votes, was only tested in a pre-election mode. The software was not tested in the configuration that it would be in on election day.
In addition to that, people signed a form that said that they had verified the results of the test before the test had finished running. Mischelle Townsend, the Riverside County Registrar of Voters, told Salon that the form that people signed was just an attendance form. But the form clearly states 'We the undersigned declare that we observed the process of
logic and accuracy testing of voting equipment performed by the Riverside County
Registrar of Voters, as required by law and that all tests performed resulted in accurate
voting of all units tested, including both touchscreen and absentee systems.'
You can see a copy of the Salon article here. You can see a copy of the form that people signed here.
I also believe that the observation group that witnessed the test was given a misleading description of Sequoia's system. For example, the fact that the votes are transferred from the DRE to a SQL Server database to be counted was never fully disclosed to all the members of the group.
Also, the sheer number of times that the phrase 'proprietary operating system' was used, among other things, helped to create the impression that Sequoia's system is not as reliant on Microsoft Windows as it really is.
I have created a website about this issue; please take a look at it.
On the website you can find my report on what happened that day (which outlines several problems I haven't mentioned in this posting) as well as some supporting documents. There is a letter and a note from Mischelle Townsend in which she mentions mailing the results to people or having the test results be picked up 'afterwards'...."
If they don't do it right on the first try, e-voting won't ever take off.
People are so crippled by the more expensive == better heuristic they don't notice when the rug is being pulled out from under them. Electronic voting should be unconstitutional.
The problem with electronic voting is that if there is another "floridagate" noone will ever know. I would have no problem with electronic voting if there was some paper trail and if the companies opened thier hardware and software for independent investigation. However, this is clearly not the case.
Let's make a difference
This electronic voting is the most serious threat to America that we have seen in our lifetimes. Most here realize that no computer voting system can be secure without serious efforts that are not even being hinted at here. Compromising the secrecy of the vote offers many ways to secure these sysetms. A more reasonable compromise would be a voter-verified paper ballot that is re-inserted into the machine.
Since the most basic steps to provide security are not provided here, it is clear that the intention is to make a system that has completely compromised the validity of US elections. For some reason the mainstream media has not taken note of how serious an issue this is. The people involved in the current electronic voting plans can not be trusted AT ALL. They either want to subvert the voting process themselves, or want to create a system that is easy to subvert at a vastly lower cost than current systems.
What can be done to raise awareness of this issue? How can people be convinved that we need elections that are not trivial to subvert? Is the American public so apathetic as to make this an impossible task? Are we completely doomed?
Seriously, what OS isn't known to hackers/crackers? Fact is, the more obscure the OS the more interesting it becomes to crack.
The old question/answer "Why did you do it? Because it was there." tells the story of what will happen regardless of the OS chosen.
I'll admit that the script kidz may be able to hack-the-vote with a MS SQL server backend but I would hope that the network used (or whatever format of data transfer) would be a little more robust that a windows box in a DMZ.
But I'm sure that with a few days of coding it could be released from the bonds of M$... it is just SQL, right?
Voting technology doesn't need to be any more complicated than that.
Sure, it may take a few hours to count all the votes, but they're verifiably countable and recountable, and seem good enough for most of the other countries in the world. Why does there have to be an electronic solution to this non-problem?
Who is designing these systems? It shouldn't be that hard, seriously. It should be obvious what the design requirements are. In no particular order; Ease and clarity of use, secure and anonymous (as far as who voted for whom), the ability to record who was voted for in a non electronic medium and proof that a vote was registered and receipt to the voter in some form. Not to mention a backup system in case anything goes nutty. An obvious design would be to have all systems offline, when the voting times are over each station has a particular upload time assigned, they upload their data, it is checked for error and checked against their local data, if none of it differs, then all is well. The vote data should be encrypted on sight (inside the voting computer, before it is sent to the locol database) so there is no tampering locally and the keys should be known by the voting commission. They systems should be as fully automated as possible with well trained (and paid fairly) personal there to operate these machines. This is just off the top of my head, is it *that* hard to design these systems, really?
"If you are a dreamer, a wisher, a liar, A hope-er, a pray-er, a magic bean buyer
The accuracy problem cannot be fixed by voter receipts, since most voters will not know how to verify them. It can only be fixed by ensuring that the votes can be re-counted using some mechanism other than the computer that first recorded them.
Use the computer to help the voter prepare the ballot, print it out, and then have the voter hand carry it to the ballot box.
The computer can keep a running tally, but at the end of the day if the tally does not match a hand count of the box contents, then the ballot box is the only correct representation of the will of the voters.
It is easy to teach the average monkey to keep an eye on the ballot box for tampering, and to hand count the contents. Teaching the average monkey correct computer security skills is impossible, so that source of problems must be factored out.
That physical record of a vote is a crucial piece of evidence -- if there are no physical records, that's one less thing for any "bad guys" to have to worry about. It's one less audit point for any corrupt party.
With the input and compilation of data all within the same system of computers now, corruption can happen at any step -- input, processing, reporting, or combination -- with no "independent" physical record to be audited that might expose the corrupt results. Imagine a zealot programmer hacks a kiosk and tells it to re-write the votes after confirming it with the voter. The number of voters on the register would match the number of votes cast, so this would be difficult to discover -- there would be no physical records, which can be re-tabulated independently of computers.
Elections are high security risks, historically. Paper is not inherently evil. Just because paperless systems are possible, doesn't mean they're preferable. The more physical evidence, the better, I say...
...when a low-tech one will suffice.
Or even: If it ain't broke, don't fix it.
Yeah, that's the one. Cards work good.
is not accuracy, verifiability, safety, ease of use, or any such thing.
It has to do with recounts. The purpose is to have a system that will always give the same result after every recount. Recounts make people unhappy because the result is never the same, so people assume the the mistakes continue to exist and are in favor of the other guy. We want the voters to be happy.
This is what I love about these electronic voting discussions - people always come up with these solutions, and then ignore the fundamental principle of designing voting machines: it must not be possible, under any circumstances, for an outsider to verify your vote independently. Now, that sentence is worded poorly, so I'll give an example of the problem with this proposed system:
1. CREEP announces that they'll give $200 to anyone who votes for person X
2. Joe Public says "OK, I'm in"
3. Joe Public votes for X and remembers his PIN number
4. Joe Public goes to the local CREEP office and tells them their PIN, their VRN, and who they voted for
5. CREEP, using the freely-available hash function, creates their hash using the supplied information
6. CREEP then checks the list and sees if the vote was recorded
7. If yes, $200
Now replace "CREEP" above with "The Mafia" and "$200" with "the life of your family." Now you see the problem.
My proposed solution has always been the following:
-Vote on a computer (with a well-designed interface), which records votes and prints out a receipt with the name of the candidate and a simplified 2D barcode on it.
-Have a poster on the wall inside the boot saying "if you voted for X, your barcode should look like this"
-Deposit the recipt in the ballot box on the way out, as usual.
This allows us three counts: the machine, the barcodes, and the names. Any political party can request a count based on the barcodes, and if it's close they can get one based on the names on the ballots. As far as I can tell, this system is - at worst - no more prone to fraud than the current paper-based one. And you can't buy votes, since no personally-identifiable information is stored on the receipts (which voters can't keep anyways).
There's probably a logic gap in my solution: any suggestions?
Cue The Sun...
I think the author is mainly concerned that this particluar system may be poorly designed. He states that it what he saw was a test in "pre-election" mode, which made it sound like more of a diagnostic test, rather than a production test. Really, would you buy a car without taking a test drive? You want to know it works before you take it home, right?
It isn't even necessarily the problem of crackers breaking into the system and tampering with the votes. you don't have to be connected to the Internet to be vulnerable to errors. Maybe you've been lucky and never gotten a BSOD.
Since this system apparently isn't well tested, there is nothing to indicate whether it will fail or not. As an alternative to remaining in the "ignorance-is-bliss" state, he seems to advocate more thorough independent testing, so we can be sure that the machines are capable of what the vendors say they are.
Well, you could look at my take on Jeremiah's experience. Basically, if what he said he saw is indeed what he saw, the test was a complete fraud. See the article on my weblog. You may also want to look at another article I wrote the day before in which I discuss some security issues with respect to the Diebold machines.
What are my qualifications for making these judgements? Well, twenty years of software engineering experience, for one thing. You can look at my resume here if you want more details.
I don't know Jeremiah's qualifications, but in my professional opinion, his conclusions seem sound. At the very least they raise serious questions about the methodology used for these "logic and accuracy" tests, questions that should definitely be answered before the Diebold devices go into service.
Too bad they are already in service. Oops.
(Oh, and thank you to those who have been kind enough to donate to the upkeep of the site. Being out of work makes life a tad complicated and every little bit helps.)
Well, there's no such thing as a perfect system, but it sure makes sense to me that the voter should be allowed to read the ballot as the machine is going to count it, and that those ballots should be stored for verification, if needed. Just printing a receipt is not adequate--it doesn't really matter so much *WHO* voted. What matters is that ALL of the votes are properly counted. Remember Florida?
Some of the Diebold people arguing against printing copies are mumbling about the expense of printing, but that's a load of marlarky. They don't need to print much information, only the candidates that the voter actually selected, and the others can be ignored. In addition, the machines already have printers, because certain reports have to be produced in any case. Ink and paper are really trivial expenses--the big cost is support to make sure the machines keep running properly during the election, and that expense is going to be there no matter what.
Of course, in the case of contested elections, there are some extra costs for checking, but it's crazy to argue that any system is so perfect that there will never be any reason to check it carefully. Especially with something like elections, where the stakes are so high.
Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
Greetings,
Recently, there has been a rise in the number of stories in the press surrounding the topic of electronic voting. I live in Oregon where we have chosen to vote by mail. At first, I wondered exactly why my State chose this route because electronic voting seemed to be attractive for a number of reasons.
After reading the various news stories and web postings present on various Internet web sites and forums, I have come to the realization electronic voting in its current incarnation is a highly suspect process.
The majority of voting machine manufacturers today wrap the inner workings of their machines inside contracts and licenses designed to cloak their products in secrecy. These cloaks when combined with the current state of intellectual property law make it difficult for the American people to understand and discuss the nature of the machines and their potential effect on the democratic process.
The American people need to engage this issue with all the facts at hand. The spirit of the law is not in line with the letter of the law in this case. The action of your students is commedable and worthy of your support.
"Those who cast the votes decide nothing. Those who count the votes decide everything." --Stalin
The right to vote is one of the founding principles behind our great nation. Changes to this process will have nationwide consequences on our society that we might not understand, but for the actions of a few people concerned about preserving the trust inherent to the core of the democratic process. These changes will affect each and every one of us and should not be made lightly or without due consideration of all the facts involved.
I urge you to consider the nature and purpose of the student actions along with the potential issues at hand before rendering your decision.
Respectfully,
( name )
Blogging because I can...
The citizen has the option to verify his barcode using a separate verification kiosk which deciphers and displays the barcode (behind a privacy screen, of course). Once satisfied, the citizen leaves the verification kiosk.
If you can't trust the main voting system, what makes you think you can trust the verifying system? Surely they could lie in concert?
Votes have to be human readable first, and computer readable second.
Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
"This line: In addition to that, people signed a form that said that they had verified the results of the test before the test had finished running. Scares the hell out of me."
Depending on the legal implications of falsifying that record, it might ought to be scaring some pretty big fish. It depends on how official that document is, and what sort of rules that state has to govern such things.
Let's hope it's some ridiculously harsh prison sentence for the highest authority who knew or should have known the results were forged. We already have some names. I think the Attorney General should be getting bags of mail on this already.
-fb Everything not expressly forbidden is now mandatory.
I find it remarkable how silent the mainstream media is on this issue. When even the New York Times fail to mention any of the controversy over Diebold in a recent article on voting machines you know this is going to be an uphill battle.
However, if these machines are already in use, the next step would surely be legal action? Someone with the right to vote in an election should demand the right to cast their vote by means where there is proof their vote will be counted.
Although they do 95% of their voting using a more reliable technology (optical scan machines and paper ballot cards), they use the Diebold touchscreen units for accessibility reasons - it supports audio-only voting for visually impaired voters using a numeric key pad for navigation, etc.
So, here's how a Diebold engagement works for the touchscreen units. They send a representative up to program the units with the appropriate races, candidates, etc. They use a plain old windows workstation and an application that appears to be Visual Basic. This application stores election metadata in a MS Access or SQL Server database. This metadata is then transferred to the touchscreen units over a LAN. It appears to me that the touchscreen units are Microsoft CE boxes. Can't be sure about the database format they use on the touchscreen unit to store this metadata and the actual votes but I suspect they use Microsoft Access.
The Diebold staff provide a few hours of training for the staff who have to manage the machines. During the election, Diebold staff are not on hand, although they do show up at the end, when it is time to aggregate results from all of the touchscreen units. Diebold staff download the data from all of the touch screen units to a central aggregation point for which takes on the responsibility of totaling the results. Now, I know what all of you conspiracy theorists are thinking but note that election supervisors can print paper aggregate totals from each machine before this happens.
My observations:The touchscreen units do not have an administrators manual that election supervisors can use for the purpose of understanding how to manage these machines. When prompted about this, the Diebold representative replied that there were no manuals and that you shouldn't need them - "the machine is intuitive."
One of the things that the Diebold representative expected was within the realm of capability for non-technical staff:
- Put a PCMCIA Network card in the touch screen units & attach the appropriate ethernet cabling
- Assign the touchscreen unit an IP Address (FYI: DHCP was mispelled in their UI, I think it was 'DCHP')
- Specify the network address of the host machine (i.e., the workstation that has the election metadata)
- Provide the path name on the host machine to the election metadata file
- Download the election meta data to the touchscreen unit
I didn't actually fully execute this use case - it wasn't clear to me how this part would work & I wasn't prepared to do anything serious without a manual. Anyway, that, in my opinion, goes way beyond what a non-technical person is capable of doing themselves without a manual.That matter aside, my view is that machine is in general, not intuitive, as the Diebold rep claims. Although machine only supports somewhere in the neighboorhood of 9 use-cases for the supervisor user and none them involves more than a 2 step flow, it took me about an a couple of hours to figure out how to manage an election on it. Further, I wouldn't have been able to do it if it weren't for some of the cryptic notes that one of the election workers scribbled down about programming voter cards when the Diebold rep was running the training session.
My point: We need to trust election results. One important factor is that we have to have confidence that election supervisors are capable of properly administering this equipment. My view: limited training + no manuals + non-technical administrators = potential for disaster.