Observer Pans Touchscreen Voting Test

riversidevoter writes "I recently observed the Logic and Accuracy 'test' given to the touchscreen voting machines in Riverside CA. Riverside County uses voting machines and software from Sequoia Voting Systems. The voting kiosks do not produce a voter-verified paper trail. As a computer programmer familiar with software testing, I was really disappointed at what I saw." Read on for his critical observations of the demonstration.

riversidevoter continues: "WinEDS, the program that is used to count votes, was only tested in a pre-election mode. The software was not tested in the configuration that it would be in on election day.

In addition to that, people signed a form that said that they had verified the results of the test before the test had finished running. Mischelle Townsend, the Riverside County Registrar of Voters, told Salon that the form that people signed was just an attendance form. But the form clearly states 'We the undersigned declare that we observed the process of logic and accuracy testing of voting equipment performed by the Riverside County Registrar of Voters, as required by law and that all tests performed resulted in accurate voting of all units tested, including both touchscreen and absentee systems.'

You can see a copy of the Salon article here. You can see a copy of the form that people signed here.

I also believe that the observation group that witnessed the test was given a misleading description of Sequoia's system. For example, the fact that the votes are transferred from the DRE to a SQL Server database to be counted was never fully disclosed to all the members of the group.

Also, the sheer number of times that the phrase 'proprietary operating system' was used, among other things, helped to create the impression that Sequoia's system is not as reliant on Microsoft Windows as it really is.

I have created a website about this issue; please take a look at it.

On the website you can find my report on what happened that day (which outlines several problems I haven't mentioned in this posting) as well as some supporting documents. There is a letter and a note from Mischelle Townsend in which she mentions mailing the results to people or having the test results be picked up 'afterwards'...."

Accuracy could be easily assured...

[tizzyD]

First, after you vote, a 2-D bar code is printed. That code contains a record of your vote, with an encryption of the machine you voted at and your selected key. Nothing big, 4 digits. The critical part is the hardware key used on the machine.

A copy of this bar code is printed at the same time inside the system.

If there was an audit, randomly call people to determine their key. Although you could decrypt it, it's better than just leaving the votes lying around. Then, verify the accuracy.

Since I have a printed record at the time of the voting, I can use it to verify my votes. The local voting office could decrypt it, and then I can verify my votes.

Thoughts on this approach are very much welcome.

Re:Accuracy could be easily assured...

[PetiePooo]

If there was an audit, randomly call people to determine their key. Although you could decrypt it, it's better than just leaving the votes lying around. Then, verify the accuracy.

I am opposed to this. Audits shouldn't involve contacting the general populace. ATMs have internal printers for similar reasons; as a permanent physical audit trail in case of power failure or such.

Since I have a printed record at the time of the voting, I can use it to verify my votes. The local voting office could decrypt it, and then I can verify my votes.

I oppose this as well for privacy reasons. There is one basic privacy tenant in ballot voting that would need to be upheld by any electronic voting system: plausible deniability.

For example, if I'm being coerced or paid by someone to vote a particular way, I need to be able to tell that person that I voted the way he/she wanted even if I didn't. There CAN NOT be a way to track down who I voted for at a later time. That's not what the paper trail is for. Once a person has the ability to decisively prove to someone else which candidate they voted for, then votes can be forced or sold.

Here is what I would suggest:

A citizen enters the voting center, is authenticated as a registered voter by the volunteer staff, and given a vote card.

The citizen enters a voting booth (behind a privacy screen) and activates the selection kiosk using their vote card.

Once their candidates and referendums have been chosen, the machine prints out a 2D barcode on the vote card and returns it to them.

The citizen exits the voting booth with his completed vote card.

The citizen has the option to verify his barcode using a separate verification kiosk which deciphers and displays the barcode (behind a privacy screen, of course). Once satisfied, the citizen leaves the verification kiosk.

While a staff member watches, the voter deposits his vote card into the official ballot kiosk's card reader.

This kiosk reads the barcode, electronically sends the vote to the regional counting center, and keeps the vote card for future audits.

This method is very similar to conventional voting methods. As far as electronic voting goes, it has several advantages. The selection and verification kiosks are not online, so would be less vulnerable to hacking. The ballot box is the only networked machine, but is under close surveillance by the staff for physical access. In case it is compromised via the network, there is a stack of 2D barcodes underneath or inside it that can be used to audit the results. As the article mentions, audits SHOULD be performed periodically, even on results that aren't suspicious, just to verify that the count is accurate and no tampering has occurred.

The vote cards can be cheap paper mag-stripe cards with signed serial numbers that are overwritten when the barcode is printed. This gives the selection kiosk the ability to reject previously used, non-activated (unsigned), or duplicated cards. If there are no privacy issues (I'd have to think about this more), the card's serial number could become part of the 2D barcode as well. The card reader/writer and printer are all OTC products, which would help keep costs down. The selection and verification kiosks could use commodity PCs with no I/O except a touchscreen and the card unit. In fact, the verification kiosk doesn't need any input other than an eject button.

While such a system would fix usability issues and paper audit trails, it doesn't touch on the issue of voter registration fraud and such. That's a whole 'nother ball of wax.

The next revolution = voting.

[Clinoti]

I'm not a doomsayer or a OMG the world is ending yokel. But with more and more stories surfacing about the lacking credibility and accuracy of the 'new' school of voting....one can only come to see the outrage when people start to connect the idea (perhaps even falsely) that their votes are easily manipulated, miscounted, or simple footnotes catered to the wanted result.

This line: In addition to that, people signed a form that said that they had verified the results of the test before the test had finished running.

Scares the hell out of me.

Agreed

[metroid+composite]

Yep. Sure United States is larger than Canada or Australia, but 10x the people means 10x the vote counters.

Now, you can debate about whether it's better to use a pull-lever stamping system to write out the ballots, or just marking an X with a plain old pen. The advantage of some kind of a pull-lever system (or press button system) is that you won't get ballots which are unclear (just a printout) and you can have an internal counter on the machine to give you a reasonable idea if your hand-count is correct.

Fundamentally, though, all good systems I've seen are very close to the pen and paper hand counting.

A method for electronic voting accountability

[rednox]

Here's an idea to make the process accountable, without requiring a mound of paper at the voting site.

1. Vote at the machine
2. The machine asks you for a PIN number.
3. The machine concatenates your voter registration number with the person you voted for and your PIN number, and computes a SHA-1 hash of the result.
4. The machine prints out your vote, your voter registration number, your chosen PIN and the hash on a reciept and gives it to you.

Later on, a text file is made publically accessible with a row for every vote. Each row would have only the hash and the person they voted for. The algorithm for computing the hash would also be published.

Anyone who is interested in confirming that their vote was properly recorded can look up their hash in the text file to make sure it lists the person they voted for.

Anyone who has a spreadsheet can do a recount.

Any third party with a bit of cryptography knowledge can write a web app for people to confirm that their hash was computed properly.

This method has the advantage of remaining completely anonymous and completely accountable.

Any thoughts?

I release this idea into the public domain.

Re:Oh man...

No, he is completely correct. For every "problem" that electronic voting solves it brings ten more problems in baggage. It's not like we're talking about keeping computers out of the DMV or IRS or something. Rather this concerns a relatively infrequent governmental function (2-3 elections a year max) that really has to be absolutely transparent for us to trust it.

When you sit down and begin enumerating all of the potential problems with electronic voting, ones that are inherent and systemic and cannot be overcome no matter how much testing or oversight you have, it's clear that this is not a viable application of computer technology.

And this is under the best of circumstances. When you look at in the light of how it is being implemented in reality it is horrific. The level of opaqueness involved where people are getting sued for defamation and hacking for bringing legitimate problems to light, where statistical analyses suggest that serious abuses have already taken place in a number of counties, and where the cost that we are paying as taxpayers for this violation will only mount as the years go by.

The inability to distinguish when and where specific technologies are well applied makes you the opposite of a Luddite, and just as wrong as a Luddite would be.

I voted on one of these machines

[Evets]

I voted on one of these machines in Riverside County. I was taken aback because I didn't know beforehand that an electronic voting system was in place. Immediately after voting, I had the same concern that no paper trail was created - and therefore no manual way to verify votes in a close election. The visual representation was close to what was mailed to me, but it was not exactly the same - the names were not in the same order... No big deal if you were planning on voting for Schwarzenneger or Boustamante but it took me a while to find the candidate that I intended to vote for. I didn't have the impression that any of the volunteers present were technically proficient enough to resolve any technical problems that might come up. I wonder what would happen if one of the machines crashed? Do you disregard that machine's votes? Do you accept the data on that machine as valid? I'm very concerned about the scripted testing process that was in place. A voting system should go through the most strict level of testing prior to each election. It's plainly not acceptable to lose any votes. What action can I take? Can I bring forth a lawsuit to enforce strict testing? In my mind, the actions of the administrators was fraudulent and criminal at best. A lack of understanding of the technical issues is not an excuse.

Re:Unfortunate.

[An+Anonymous+Hero]

Mind you, there's no way the current system can be hacked at all. Just ask President Gore.

You might want to check the next story's article:

"a Diebold machine registered 16,022 negative votes for Al Gore in Precinct 216 in Florida in the 2000 presidential election."

Wooo Whoo e-Voting. NOT!

[BobBoring]

...but it is certainly not hard to pretend to be someone who died 50 years ago. This has happened before. If they could make a secure E-voting machine...

Yes, a secure voting machine that depends on the motor voter registration system so all the non-resident and undocumented aliens can vote along with all the dead people. You'd most likely jump up and down with glee if they web enabled the registration and voting systems because Secure e-Voting (TM) has to be better. Right?

From what you say you seem to think someone stands in line and votes the graveyard. The Chicago method is to get control of the voter registration rolls for a district and 'add' the graveyard. Then the 'impartial' volunteer election judge checks off the extra names and stuffs the ballot box after the polls close.

Any voting system without a 100% human readable audit trail that is accessible to the voter at the time they place the vote and without a 100% reliable method of matching a ballot to the registration list is vulnerable. What plagues the voting system in the US is we are too cheap to devote the required resources to the system. The UK and many European countries have next day election results using paper hand counted ballots. They however don't try to have only 17 polling places in a city of five hundred thousand, as is the case in so many US cities.