Slashdot Mirror

← Back to Stories (view on slashdot.org)

Observer Pans Touchscreen Voting Test

Posted by timothy on from the oh-they're-only-votes dept.

riversidevoter writes "I recently observed the Logic and Accuracy 'test' given to the touchscreen voting machines in Riverside CA. Riverside County uses voting machines and software from Sequoia Voting Systems. The voting kiosks do not produce a voter-verified paper trail. As a computer programmer familiar with software testing, I was really disappointed at what I saw." Read on for his critical observations of the demonstration.

riversidevoter continues: "WinEDS, the program that is used to count votes, was only tested in a pre-election mode. The software was not tested in the configuration that it would be in on election day.

In addition to that, people signed a form that said that they had verified the results of the test before the test had finished running. Mischelle Townsend, the Riverside County Registrar of Voters, told Salon that the form that people signed was just an attendance form. But the form clearly states 'We the undersigned declare that we observed the process of logic and accuracy testing of voting equipment performed by the Riverside County Registrar of Voters, as required by law and that all tests performed resulted in accurate voting of all units tested, including both touchscreen and absentee systems.'

You can see a copy of the Salon article here. You can see a copy of the form that people signed here.

I also believe that the observation group that witnessed the test was given a misleading description of Sequoia's system. For example, the fact that the votes are transferred from the DRE to a SQL Server database to be counted was never fully disclosed to all the members of the group.

Also, the sheer number of times that the phrase 'proprietary operating system' was used, among other things, helped to create the impression that Sequoia's system is not as reliant on Microsoft Windows as it really is.

I have created a website about this issue; please take a look at it.

On the website you can find my report on what happened that day (which outlines several problems I haven't mentioned in this posting) as well as some supporting documents. There is a letter and a note from Mischelle Townsend in which she mentions mailing the results to people or having the test results be picked up 'afterwards'...."

5 of 278 comments (clear)

  1. Accuracy could be easily assured... by tizzyD · · Score: 5, Interesting

    First, after you vote, a 2-D bar code is printed. That code contains a record of your vote, with an encryption of the machine you voted at and your selected key. Nothing big, 4 digits. The critical part is the hardware key used on the machine.

    A copy of this bar code is printed at the same time inside the system.

    If there was an audit, randomly call people to determine their key. Although you could decrypt it, it's better than just leaving the votes lying around. Then, verify the accuracy.

    Since I have a printed record at the time of the voting, I can use it to verify my votes. The local voting office could decrypt it, and then I can verify my votes.

    Thoughts on this approach are very much welcome.

    --
    ...tizzyd
    1. Re:Accuracy could be easily assured... by PetiePooo · · Score: 4, Interesting
      If there was an audit, randomly call people to determine their key. Although you could decrypt it, it's better than just leaving the votes lying around. Then, verify the accuracy.

      I am opposed to this. Audits shouldn't involve contacting the general populace. ATMs have internal printers for similar reasons; as a permanent physical audit trail in case of power failure or such.

      Since I have a printed record at the time of the voting, I can use it to verify my votes. The local voting office could decrypt it, and then I can verify my votes.

      I oppose this as well for privacy reasons. There is one basic privacy tenant in ballot voting that would need to be upheld by any electronic voting system: plausible deniability.

      For example, if I'm being coerced or paid by someone to vote a particular way, I need to be able to tell that person that I voted the way he/she wanted even if I didn't. There CAN NOT be a way to track down who I voted for at a later time. That's not what the paper trail is for. Once a person has the ability to decisively prove to someone else which candidate they voted for, then votes can be forced or sold.

      Here is what I would suggest:

      A citizen enters the voting center, is authenticated as a registered voter by the volunteer staff, and given a vote card.

      The citizen enters a voting booth (behind a privacy screen) and activates the selection kiosk using their vote card.

      Once their candidates and referendums have been chosen, the machine prints out a 2D barcode on the vote card and returns it to them.

      The citizen exits the voting booth with his completed vote card.

      The citizen has the option to verify his barcode using a separate verification kiosk which deciphers and displays the barcode (behind a privacy screen, of course). Once satisfied, the citizen leaves the verification kiosk.

      While a staff member watches, the voter deposits his vote card into the official ballot kiosk's card reader.

      This kiosk reads the barcode, electronically sends the vote to the regional counting center, and keeps the vote card for future audits.

      This method is very similar to conventional voting methods. As far as electronic voting goes, it has several advantages. The selection and verification kiosks are not online, so would be less vulnerable to hacking. The ballot box is the only networked machine, but is under close surveillance by the staff for physical access. In case it is compromised via the network, there is a stack of 2D barcodes underneath or inside it that can be used to audit the results. As the article mentions, audits SHOULD be performed periodically, even on results that aren't suspicious, just to verify that the count is accurate and no tampering has occurred.

      The vote cards can be cheap paper mag-stripe cards with signed serial numbers that are overwritten when the barcode is printed. This gives the selection kiosk the ability to reject previously used, non-activated (unsigned), or duplicated cards. If there are no privacy issues (I'd have to think about this more), the card's serial number could become part of the 2D barcode as well. The card reader/writer and printer are all OTC products, which would help keep costs down. The selection and verification kiosks could use commodity PCs with no I/O except a touchscreen and the card unit. In fact, the verification kiosk doesn't need any input other than an eject button.

      While such a system would fix usability issues and paper audit trails, it doesn't touch on the issue of voter registration fraud and such. That's a whole 'nother ball of wax.

  2. The next revolution = voting. by Clinoti · · Score: 4, Interesting
    I'm not a doomsayer or a OMG the world is ending yokel. But with more and more stories surfacing about the lacking credibility and accuracy of the 'new' school of voting....one can only come to see the outrage when people start to connect the idea (perhaps even falsely) that their votes are easily manipulated, miscounted, or simple footnotes catered to the wanted result.

    This line: In addition to that, people signed a form that said that they had verified the results of the test before the test had finished running.

    Scares the hell out of me.

    --

    Let's keep in mind that patents are in place to keep lawyers employed and keep them litigating. -CatGrep

  3. A method for electronic voting accountability by rednox · · Score: 5, Interesting

    Here's an idea to make the process accountable, without requiring a mound of paper at the voting site.

    1. Vote at the machine
    2. The machine asks you for a PIN number.
    3. The machine concatenates your voter registration number with the person you voted for and your PIN number, and computes a SHA-1 hash of the result.
    4. The machine prints out your vote, your voter registration number, your chosen PIN and the hash on a reciept and gives it to you.

    Later on, a text file is made publically accessible with a row for every vote. Each row would have only the hash and the person they voted for. The algorithm for computing the hash would also be published.

    Anyone who is interested in confirming that their vote was properly recorded can look up their hash in the text file to make sure it lists the person they voted for.

    Anyone who has a spreadsheet can do a recount.

    Any third party with a bit of cryptography knowledge can write a web app for people to confirm that their hash was computed properly.

    This method has the advantage of remaining completely anonymous and completely accountable.

    Any thoughts?

    I release this idea into the public domain.

  4. Re:Unfortunate. by An+Anonymous+Hero · · Score: 5, Interesting
    Mind you, there's no way the current system can be hacked at all. Just ask President Gore.

    You might want to check the next story's article:

    "a Diebold machine registered 16,022 negative votes for Al Gore in Precinct 216 in Florida in the 2000 presidential election."