Slashdot Mirror
Observer Pans Touchscreen Voting Test
riversidevoter continues: "WinEDS, the program that is used to count votes, was only tested in a pre-election mode. The software was not tested in the configuration that it would be in on election day.
In addition to that, people signed a form that said that they had verified the results of the test before the test had finished running. Mischelle Townsend, the Riverside County Registrar of Voters, told Salon that the form that people signed was just an attendance form. But the form clearly states 'We the undersigned declare that we observed the process of
logic and accuracy testing of voting equipment performed by the Riverside County
Registrar of Voters, as required by law and that all tests performed resulted in accurate
voting of all units tested, including both touchscreen and absentee systems.'
You can see a copy of the Salon article here. You can see a copy of the form that people signed here.
I also believe that the observation group that witnessed the test was given a misleading description of Sequoia's system. For example, the fact that the votes are transferred from the DRE to a SQL Server database to be counted was never fully disclosed to all the members of the group.
Also, the sheer number of times that the phrase 'proprietary operating system' was used, among other things, helped to create the impression that Sequoia's system is not as reliant on Microsoft Windows as it really is.
I have created a website about this issue; please take a look at it.
On the website you can find my report on what happened that day (which outlines several problems I haven't mentioned in this posting) as well as some supporting documents. There is a letter and a note from Mischelle Townsend in which she mentions mailing the results to people or having the test results be picked up 'afterwards'...."
If they don't do it right on the first try, e-voting won't ever take off.
Just when you thought FloridaGate 2000 was out of everyone's mind, we bring you CaliforniaGate 2004: Rise of the Machines
People who used the new voting system are believed to have voted for an independent operating system, dispite the fact that the test was on a faux-presidential race.
According to this text Linux was voted into the White House. We suspect Apache will be selected as running mate, though rumors say Samba is also a consideration.
The Good students at have decided this will not stand.
Help fight continental drift.
People are so crippled by the more expensive == better heuristic they don't notice when the rug is being pulled out from under them. Electronic voting should be unconstitutional.
First, after you vote, a 2-D bar code is printed. That code contains a record of your vote, with an encryption of the machine you voted at and your selected key. Nothing big, 4 digits. The critical part is the hardware key used on the machine.
A copy of this bar code is printed at the same time inside the system.
If there was an audit, randomly call people to determine their key. Although you could decrypt it, it's better than just leaving the votes lying around. Then, verify the accuracy.
Since I have a printed record at the time of the voting, I can use it to verify my votes. The local voting office could decrypt it, and then I can verify my votes.
Thoughts on this approach are very much welcome.
...tizzyd
I'll supply the hardware.
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
This line: In addition to that, people signed a form that said that they had verified the results of the test before the test had finished running.
Scares the hell out of me.
Let's keep in mind that patents are in place to keep lawyers employed and keep them litigating. -CatGrep
I wish I could get user acceptance sign-off before I started testing.
Pleas join an existing, legitimate effort at http://verifiedvoting.org -
This site, rather than coninually dispairing at the fact that there are problems with electronic voting, has concrete steps that average citizens can take to make change.
This electronic voting is the most serious threat to America that we have seen in our lifetimes. Most here realize that no computer voting system can be secure without serious efforts that are not even being hinted at here. Compromising the secrecy of the vote offers many ways to secure these sysetms. A more reasonable compromise would be a voter-verified paper ballot that is re-inserted into the machine.
Since the most basic steps to provide security are not provided here, it is clear that the intention is to make a system that has completely compromised the validity of US elections. For some reason the mainstream media has not taken note of how serious an issue this is. The people involved in the current electronic voting plans can not be trusted AT ALL. They either want to subvert the voting process themselves, or want to create a system that is easy to subvert at a vastly lower cost than current systems.
What can be done to raise awareness of this issue? How can people be convinved that we need elections that are not trivial to subvert? Is the American public so apathetic as to make this an impossible task? Are we completely doomed?
Seriously, what OS isn't known to hackers/crackers? Fact is, the more obscure the OS the more interesting it becomes to crack.
The old question/answer "Why did you do it? Because it was there." tells the story of what will happen regardless of the OS chosen.
I'll admit that the script kidz may be able to hack-the-vote with a MS SQL server backend but I would hope that the network used (or whatever format of data transfer) would be a little more robust that a windows box in a DMZ.
But I'm sure that with a few days of coding it could be released from the bonds of M$... it is just SQL, right?
Voting technology doesn't need to be any more complicated than that.
Sure, it may take a few hours to count all the votes, but they're verifiably countable and recountable, and seem good enough for most of the other countries in the world. Why does there have to be an electronic solution to this non-problem?
Now, you can debate about whether it's better to use a pull-lever stamping system to write out the ballots, or just marking an X with a plain old pen. The advantage of some kind of a pull-lever system (or press button system) is that you won't get ballots which are unclear (just a printout) and you can have an internal counter on the machine to give you a reasonable idea if your hand-count is correct.
Fundamentally, though, all good systems I've seen are very close to the pen and paper hand counting.
Who is designing these systems? It shouldn't be that hard, seriously. It should be obvious what the design requirements are. In no particular order; Ease and clarity of use, secure and anonymous (as far as who voted for whom), the ability to record who was voted for in a non electronic medium and proof that a vote was registered and receipt to the voter in some form. Not to mention a backup system in case anything goes nutty. An obvious design would be to have all systems offline, when the voting times are over each station has a particular upload time assigned, they upload their data, it is checked for error and checked against their local data, if none of it differs, then all is well. The vote data should be encrypted on sight (inside the voting computer, before it is sent to the locol database) so there is no tampering locally and the keys should be known by the voting commission. They systems should be as fully automated as possible with well trained (and paid fairly) personal there to operate these machines. This is just off the top of my head, is it *that* hard to design these systems, really?
"If you are a dreamer, a wisher, a liar, A hope-er, a pray-er, a magic bean buyer
Read the diebold memos:
/200207/msg00090.html
/200003/msg00034.html
/200009/msg00109.html
/200101/msg00068.html
/200302/msg00069.html
http://why-war.com/memos/s/lists/
Search the diebold memos:
http://why-war.com/memos/cgi-bin/search.pl
MEMO EXCERPTS
"Elections are not rocket science. Why is it so hard to get things right! I have never been at any other company that has been so miss [sic] managed."
source: http://why-war.com/memos/s/lists/announce.w3archiv e/200110/msg00002.html
"I have become increasingly concerned about the apparent lack of concern over the practice of writing contracts to provide products and services which do not exist and then attempting to build these items on an unreasonable timetable with no written plan, little to no time for testing, and minimal resources. It also seems to be an accepted practice to exaggerate our progress and functionality to our customers and ourselves then make excuses at delivery time when these products and services do not meet expectations."
source: http://why-war.com/memos/s/lists/announce.w3archiv e/200110/msg00001.html
"I feel that over the next year, if the current management team stays in place, the Global [Election Management System] working environment will continue to be a chaotic mess. Global management has and will be doing the best to keep their jobs at the expense of employees. Unrealistic goals will be placed on current employees, they will fail to achieve them. If Diebold wants to keep things the same for the time being, this will only compound an already dysfunctional company. Due to the lack of leadership, vision, and self-preserving nature of the current management, the future growth of this company will continue to stagnate until change comes."
source: http://why-war.com/memos/s/lists/announce.w3archiv e/200112/msg00007.html
"[T]he bugzilla historic data recovery process is complete. Some bugs were irrecoverably lost and they will have to be re-found and re-submitted, but overall the loss was relatively minor."
source: http://why-war.com/memos/s/lists/support.w3archive
"28 of 114 or about 1 in 4 precincts called in this AM with either memory card issues "please re-insert", units that wouldn't take ballots - even after recycling power, or units that needed to be recycled. We reburned 7 memory cards, 4 of which we didn't need to, but they were far enough away that we didn't know what we'd find when we got there (bad rover communication)."
source: http://why-war.com/memos/s/lists/support.w3archive
"If voting could really change things, it would be illegal."
source: http://why-war.com/memos/s/lists/support.w3archive
"I need some answers! Our department is being audited by the County. I have been waiting for someone to give me an explanation as to why Precinct 216 gave Al Gore a minus 16022 when it was uploaded. Will someone please explain this so that I have the information to give the auditor instead of standing here "looking dumb"."
source: http://why-war.com/memos/s/lists/support.w3archive
"[...] while reading some of Paranoid Bev's scribbling."
source: http://why-war.com/memos/s/lists/support.w3archive
"Johnson County, KS will be doing Central Count for their mail in ballots. They will also be processing these ballots in advance of the closing of polls on election day. They would like to log into the Audit Log an entry for Previewing any Election Total Reports. They need this, to prove to the media, as well as, any candidates & lawyers, that they did not view or print any Election Results before the Polls closed. ***However, if there is a way that we can disable the reporting functionality, that would be even better.***" (emphasis added)
source: http://why-war.com/memos/s/lis
Lead by none other than Martin Luther King III.. cfm?itemid=14993
http://www.workingforchange.com/activism/petition
There are 10 kinds of people in the world; those that understand binary and those that do not.
Just think, eventually we'll all be getting pop-up ads telling us who to vote for, while we're in the booths!
Here's an idea to make the process accountable, without requiring a mound of paper at the voting site.
Later on, a text file is made publically accessible with a row for every vote. Each row would have only the hash and the person they voted for. The algorithm for computing the hash would also be published.
Anyone who is interested in confirming that their vote was properly recorded can look up their hash in the text file to make sure it lists the person they voted for.
Anyone who has a spreadsheet can do a recount.
Any third party with a bit of cryptography knowledge can write a web app for people to confirm that their hash was computed properly.
This method has the advantage of remaining completely anonymous and completely accountable.
Any thoughts?
I release this idea into the public domain.
That physical record of a vote is a crucial piece of evidence -- if there are no physical records, that's one less thing for any "bad guys" to have to worry about. It's one less audit point for any corrupt party.
With the input and compilation of data all within the same system of computers now, corruption can happen at any step -- input, processing, reporting, or combination -- with no "independent" physical record to be audited that might expose the corrupt results. Imagine a zealot programmer hacks a kiosk and tells it to re-write the votes after confirming it with the voter. The number of voters on the register would match the number of votes cast, so this would be difficult to discover -- there would be no physical records, which can be re-tabulated independently of computers.
Elections are high security risks, historically. Paper is not inherently evil. Just because paperless systems are possible, doesn't mean they're preferable. The more physical evidence, the better, I say...
Diebold stories have been a constant presence on /. recently. Here's how to help:
1) The students engaging in this civil disobedience are meeting with the Dean of their college Wednesday, October 22nd at 4pm. We need you to email *nice* and *supportive* emails to rgross1 (at) swarthmore.edu and cc them to info (at) why-war.com *before* October 22nd at 4pm EST. Please help Dean Bob Gross understand the importance of this issue!
2) Download the entire memo archive:
http://why-war.com/memos/s/lists.tgz
3) Join the disobedience by hosting the memos
...when a low-tech one will suffice.
Or even: If it ain't broke, don't fix it.
Yeah, that's the one. Cards work good.
Under capitalism man exploits man. Under communism it's the other way around.
is not accuracy, verifiability, safety, ease of use, or any such thing.
It has to do with recounts. The purpose is to have a system that will always give the same result after every recount. Recounts make people unhappy because the result is never the same, so people assume the the mistakes continue to exist and are in favor of the other guy. We want the voters to be happy.
This is what I love about these electronic voting discussions - people always come up with these solutions, and then ignore the fundamental principle of designing voting machines: it must not be possible, under any circumstances, for an outsider to verify your vote independently. Now, that sentence is worded poorly, so I'll give an example of the problem with this proposed system:
1. CREEP announces that they'll give $200 to anyone who votes for person X
2. Joe Public says "OK, I'm in"
3. Joe Public votes for X and remembers his PIN number
4. Joe Public goes to the local CREEP office and tells them their PIN, their VRN, and who they voted for
5. CREEP, using the freely-available hash function, creates their hash using the supplied information
6. CREEP then checks the list and sees if the vote was recorded
7. If yes, $200
Now replace "CREEP" above with "The Mafia" and "$200" with "the life of your family." Now you see the problem.
My proposed solution has always been the following:
-Vote on a computer (with a well-designed interface), which records votes and prints out a receipt with the name of the candidate and a simplified 2D barcode on it.
-Have a poster on the wall inside the boot saying "if you voted for X, your barcode should look like this"
-Deposit the recipt in the ballot box on the way out, as usual.
This allows us three counts: the machine, the barcodes, and the names. Any political party can request a count based on the barcodes, and if it's close they can get one based on the names on the ballots. As far as I can tell, this system is - at worst - no more prone to fraud than the current paper-based one. And you can't buy votes, since no personally-identifiable information is stored on the receipts (which voters can't keep anyways).
There's probably a logic gap in my solution: any suggestions?
Cue The Sun...
I think the author is mainly concerned that this particluar system may be poorly designed. He states that it what he saw was a test in "pre-election" mode, which made it sound like more of a diagnostic test, rather than a production test. Really, would you buy a car without taking a test drive? You want to know it works before you take it home, right?
It isn't even necessarily the problem of crackers breaking into the system and tampering with the votes. you don't have to be connected to the Internet to be vulnerable to errors. Maybe you've been lucky and never gotten a BSOD.
Since this system apparently isn't well tested, there is nothing to indicate whether it will fail or not. As an alternative to remaining in the "ignorance-is-bliss" state, he seems to advocate more thorough independent testing, so we can be sure that the machines are capable of what the vendors say they are.
Well, you could look at my take on Jeremiah's experience. Basically, if what he said he saw is indeed what he saw, the test was a complete fraud. See the article on my weblog. You may also want to look at another article I wrote the day before in which I discuss some security issues with respect to the Diebold machines.
What are my qualifications for making these judgements? Well, twenty years of software engineering experience, for one thing. You can look at my resume here if you want more details.
I don't know Jeremiah's qualifications, but in my professional opinion, his conclusions seem sound. At the very least they raise serious questions about the methodology used for these "logic and accuracy" tests, questions that should definitely be answered before the Diebold devices go into service.
Too bad they are already in service. Oops.
(Oh, and thank you to those who have been kind enough to donate to the upkeep of the site. Being out of work makes life a tad complicated and every little bit helps.)
I voted on one of these machines in Riverside County. I was taken aback because I didn't know beforehand that an electronic voting system was in place. Immediately after voting, I had the same concern that no paper trail was created - and therefore no manual way to verify votes in a close election. The visual representation was close to what was mailed to me, but it was not exactly the same - the names were not in the same order... No big deal if you were planning on voting for Schwarzenneger or Boustamante but it took me a while to find the candidate that I intended to vote for. I didn't have the impression that any of the volunteers present were technically proficient enough to resolve any technical problems that might come up. I wonder what would happen if one of the machines crashed? Do you disregard that machine's votes? Do you accept the data on that machine as valid? I'm very concerned about the scripted testing process that was in place. A voting system should go through the most strict level of testing prior to each election. It's plainly not acceptable to lose any votes. What action can I take? Can I bring forth a lawsuit to enforce strict testing? In my mind, the actions of the administrators was fraudulent and criminal at best. A lack of understanding of the technical issues is not an excuse.
Greetings,
Recently, there has been a rise in the number of stories in the press surrounding the topic of electronic voting. I live in Oregon where we have chosen to vote by mail. At first, I wondered exactly why my State chose this route because electronic voting seemed to be attractive for a number of reasons.
After reading the various news stories and web postings present on various Internet web sites and forums, I have come to the realization electronic voting in its current incarnation is a highly suspect process.
The majority of voting machine manufacturers today wrap the inner workings of their machines inside contracts and licenses designed to cloak their products in secrecy. These cloaks when combined with the current state of intellectual property law make it difficult for the American people to understand and discuss the nature of the machines and their potential effect on the democratic process.
The American people need to engage this issue with all the facts at hand. The spirit of the law is not in line with the letter of the law in this case. The action of your students is commedable and worthy of your support.
"Those who cast the votes decide nothing. Those who count the votes decide everything." --Stalin
The right to vote is one of the founding principles behind our great nation. Changes to this process will have nationwide consequences on our society that we might not understand, but for the actions of a few people concerned about preserving the trust inherent to the core of the democratic process. These changes will affect each and every one of us and should not be made lightly or without due consideration of all the facts involved.
I urge you to consider the nature and purpose of the student actions along with the potential issues at hand before rendering your decision.
Respectfully,
( name )
Blogging because I can...
I find it remarkable how silent the mainstream media is on this issue. When even the New York Times fail to mention any of the controversy over Diebold in a recent article on voting machines you know this is going to be an uphill battle.
However, if these machines are already in use, the next step would surely be legal action? Someone with the right to vote in an election should demand the right to cast their vote by means where there is proof their vote will be counted.
...but it is certainly not hard to pretend to be someone who died 50 years ago. This has happened before. If they could make a secure E-voting machine...
Yes, a secure voting machine that depends on the motor voter registration system so all the non-resident and undocumented aliens can vote along with all the dead people. You'd most likely jump up and down with glee if they web enabled the registration and voting systems because Secure e-Voting (TM) has to be better. Right?
From what you say you seem to think someone stands in line and votes the graveyard. The Chicago method is to get control of the voter registration rolls for a district and 'add' the graveyard. Then the 'impartial' volunteer election judge checks off the extra names and stuffs the ballot box after the polls close.
Any voting system without a 100% human readable audit trail that is accessible to the voter at the time they place the vote and without a 100% reliable method of matching a ballot to the registration list is vulnerable. What plagues the voting system in the US is we are too cheap to devote the required resources to the system. The UK and many European countries have next day election results using paper hand counted ballots. They however don't try to have only 17 polling places in a city of five hundred thousand, as is the case in so many US cities.
Although they do 95% of their voting using a more reliable technology (optical scan machines and paper ballot cards), they use the Diebold touchscreen units for accessibility reasons - it supports audio-only voting for visually impaired voters using a numeric key pad for navigation, etc.
So, here's how a Diebold engagement works for the touchscreen units. They send a representative up to program the units with the appropriate races, candidates, etc. They use a plain old windows workstation and an application that appears to be Visual Basic. This application stores election metadata in a MS Access or SQL Server database. This metadata is then transferred to the touchscreen units over a LAN. It appears to me that the touchscreen units are Microsoft CE boxes. Can't be sure about the database format they use on the touchscreen unit to store this metadata and the actual votes but I suspect they use Microsoft Access.
The Diebold staff provide a few hours of training for the staff who have to manage the machines. During the election, Diebold staff are not on hand, although they do show up at the end, when it is time to aggregate results from all of the touchscreen units. Diebold staff download the data from all of the touch screen units to a central aggregation point for which takes on the responsibility of totaling the results. Now, I know what all of you conspiracy theorists are thinking but note that election supervisors can print paper aggregate totals from each machine before this happens.
My observations:The touchscreen units do not have an administrators manual that election supervisors can use for the purpose of understanding how to manage these machines. When prompted about this, the Diebold representative replied that there were no manuals and that you shouldn't need them - "the machine is intuitive."
One of the things that the Diebold representative expected was within the realm of capability for non-technical staff:
- Put a PCMCIA Network card in the touch screen units & attach the appropriate ethernet cabling
- Assign the touchscreen unit an IP Address (FYI: DHCP was mispelled in their UI, I think it was 'DCHP')
- Specify the network address of the host machine (i.e., the workstation that has the election metadata)
- Provide the path name on the host machine to the election metadata file
- Download the election meta data to the touchscreen unit
I didn't actually fully execute this use case - it wasn't clear to me how this part would work & I wasn't prepared to do anything serious without a manual. Anyway, that, in my opinion, goes way beyond what a non-technical person is capable of doing themselves without a manual.That matter aside, my view is that machine is in general, not intuitive, as the Diebold rep claims. Although machine only supports somewhere in the neighboorhood of 9 use-cases for the supervisor user and none them involves more than a 2 step flow, it took me about an a couple of hours to figure out how to manage an election on it. Further, I wouldn't have been able to do it if it weren't for some of the cryptic notes that one of the election workers scribbled down about programming voter cards when the Diebold rep was running the training session.
My point: We need to trust election results. One important factor is that we have to have confidence that election supervisors are capable of properly administering this equipment. My view: limited training + no manuals + non-technical administrators = potential for disaster.