Avi Rubin's Thoughts On e-Voting
nazarijo writes "Avi Rubin, a well-regarded Johns Hopkins computer science professor and leading critic of e-voting, has written an account of his experience as an election judge on Super Tuesday. Maryland was experimenting with e-Voting machines. Rubin puts it this way, 'this was one of the most incredible days in my life.' He wrote his experiences immediately after the day was over, capturing his perspective on the subject. A very interesting read."
This is a great article. I don't like E-voting, but not because I fear fraud or deceit -- I don't like the majority or the form of democracy our country has taken on in the last 100 years or so.
Not wanting to troll or start an argument, I just wanted to remind people that this country was founded on a Constitution that should severely limit what the federal government can do. Some of the Constitution's protection of natural rights extends to limit the individual State powers as well.
E-Voting is just one step towards "complete" democracy, where the majority makes all the rules. This frightens me more than I can explain on paper. The majority should never have any control over the minority (even over a minority of one) property rights or natural rights. If the majority ruled, 51% of the country can take away what 49% own. This is not America. This is not freedom.
Democracy unrestrained will fold into some sort of socialism eventually, as we have seen in the past 100 years. We need to hit the brakes and return to a strong local government and a weak federal government, and we need to do it now.
It's entirely desirable to fit the tool to the task at hand. There's not the slightest reason some /.ers yapping away need the same level of validation as a federal election.
The whole concept of Internet Voting frightens the hell out of me.
The Internet has been around for what - 35 years now? And we *still* haven't solved e-mail spoofing and spam. Nor have we found a way to keep 5cr1p7 k1661e5 from busting into National Freaking Defense servers. How many times have we heard about Yet Another Batch Of Stolen Credit Card Numbers?
Still, some folks think those little "speed bumps" shouldn't stop us from using the same technology to select the leader of the free world?
Someone tell me this is just a bad dream. Please.
I love technology. But not for this purpose. And certainly NOT NOW. Not yet...
The problem with socialism is that they always run out of other people's money. - Margaret Thatcher
Unfortunately, it takes a technically-astute person to identify a potential security flaw like this. It also takes a technically-astute person to implement the flaw. To the average person, the whole situation seems alarmist. It's in the same category as asteroids striking the earth: Sure, it could happen, but....
Only after a failure of the e-voting system, a failure that's obvious enough for the average person to understand, will the public demand either better controls or removal of the system.
Kucinich got one vote all day. That ballot somehow failed to get into the sealed envelope I returned to the party that night. All in all, 3 points:
I'm going to guess that
But by then you'll probably have ended up joining the Army for lack of better prospects in Bush's economy, so that you can lay down your life ostensibly to protect democracy in Iraq, and surely to protect Halliburton's contracts there.
While I'm sure that somewhere Mr. Jefferson is cringing at your example, please don't feel too bad: Fascists everywhere rely on people just like you; without you they'd never get beyond the Bier-Hall Putsch.
Opinions on the Twiddler2 hand-held keyboard?
eVoting on machines that do not produce auditable paper trails are disasters waiting to happen. As in many other intrinsically dangerous situations, years may, and probably will go by with no apparent problems.
Our lives are full of protections that are seemingly "not needed." How often does an elevator cable actually break, for example? Does that mean we don't need overspeed brakes on elevators?
Or inspectors to see whether the brakes are there and working?
One little-noted contribution by Edward Teller was his almost single-handed insistence that civilian nuclear power plants be enclosed in containment buildings. This is particularly interesting because he was, of course, a strong advocate of nuclear power. And, of course, nuclear reactors are supposed to be safe in the first place, so why go to the huge expense of a containment building that isn't supposed to be needed? Then a Three Mile Island comes along, and we find out why.
Black-box voting is a disaster waiting to happen. The disaster probably won't happen tomorrow, or this year. And when it does happen, it probably won't happen in a district with plenty of careful, well-trained, honest conscientious poll workers.
"How to Do Nothing," kids activities, back in print!
*If you don't like the idea of your party preference being on the rolls you just don't register for one. In my state there is a specific box on the form that says "Do not enroll in a party" -- there's also a separate box for the "Independence Party". If you don't want it to be on the rolls you just check off the "Do not enroll" box -- it's that simple.*
However, that (having an option for that) really goes against why you have a closed ballot in the first place, to prevent people being intimidated into voting someone they wouldn't (or at least prevent from voting someone) like to vote (by husband, wife, the mobster, boogie man or whoever..).
Not that I'm a big fan of a 2 party system with nearly identical parties (that work pretty much as a cartel..). Though maybe I'm just stupid as I don't really see the point in why government is paying for elections that are an internal issue of the party (deciding who they should back). Maybe that proves some continuity regardless of who wins (stagnation..)..
world was created 5 seconds before this post as it is.
Once the procedures get established, and people get sloppy, I think we'll see some instances of fraud.
There already are instances of fraud with paper ballots. Think about it- what would be easier for a dirty candidate to do: print off some bogus paper ballots and get some people on the inside to "stuff" the ballot box, or hack the Diebold code that he/she doesn't have access to to give himself more votes.
The question is not whether or not e-voting machines will prevent all fraud. The question is whether or not e-voting machines will be susceptible to less fraud than the paper ballots, and I think it is obvious that is the case.
OK, so I'm not American, but that guy is one hell of a great patriot. Amazing how many people hate the guy when he's out to defend America's #1 institution. Oh wait... democracy was replaced by "don't bug me about my quasi-legal business practices" a few years back. Right.
Second, what I don't get, is why can't we use electronics to print out a "ballot" with our selections done in the comfort of home, and just take this "ballot" to a polling place?
How do you know that the ballot you are printing is the correct one? Just because it comes from what looks like the official voting web site doesn't mean that it actually is. What happens when scores of people show up with their home printed ballots that are invalid? Have them vote at the voting station? Why not just have them do that in the first place?
What if, even worse, somebody slightly changes the online ballot to trick people into voting for the wrong person? Perhaps they switch the names, so that when voting for Person A, the scantron machine actually reads it as a vote for Person B. The machine accepts it without error and it looks to the voter like they've voted for who they want. Unless a ballot is given to a voter by an election judge there is no real way of knowing if it is valid and without hidden tricks. Even then there could be doubt about a ballot's validity.
It may sound like I'm being paranoid and overly critical about using technology for elections, but with so much on the line it would seem very likely that somebody with an interest in who gets elected could try to sway an election like this.
I have mod points, but I'm not going to touch this. I should coin a term for the irrational fear of other users getting karma from "whoring".
What? You figure one less easy point to a 'whorer' means potentially one less for something incredibly witty that you might come up with?
Give me a break. I wouldn't log out and back in to post this either, as I could care less if I get the points or not--it's simply the fact the information that might be useful for others. It's the information we are all after. I don't care if it was posted by an AC, you or your mom.
You sir are a WHORAPHOBE. Get a life.
'He was a dreamer, a thinker, a speculative philosopher... or, as his wife would have it, an idiot.' - Douglas Adams
Not at all. The real question is whether or not the e-voting system will be a vehicle for widespread massive one-stop-shopping and completely untraceable fraud as opposed to the small-scale fraud that you seem to feel they will prevent.
The mechanism you suggest is hard to implement, because of the requirement that it should be impossible to associate a particular vote with a particular person. The paper trail you want is the one that gives you access to all the legitimate votes, but does not give you any clue as to who made any given vote. This is, of course, to prevent votes from being sold or coerced. Consequently, the transmission path from the person's home to the polling place must be absolutely secure, and if you want individuals to be able to do post-hoc confirmation, it must remain secure indefinitely.
Obviously, this problem is hugely simplified if the person carries their vote to the polling place in their brain, transmits it locally to the counting machine, and does without post-hoc verification.
2*3*3*3*3*11*251
But when a bunch of gorillas steal a booth, you can SEE a booth is missing, you can see that a shitload of vote serial numbers aren't accounted for, etc. There is evidence, if not of who committed fraud, that fraud has indeed happened. With electronic stolen elections, it is much easier to cover tracks.
If you think that careers are the most enormous stakes in an election, you're a little too close to the process for your own good. b-)
kind regards,
Jess
I am programmed for etiquette, not destruction!
Except in the great, rebellious state of Georgia.
A republican can walk into the primary, vote the democrat ticket, then in the fall can vote the Republican ticket.
Allows all voters the opportunity to vote in November from the best offerings of the two major parties.
Some folks on both sides switch hit to put up a weak candidate for the opposition. I prefer to do it so that I can have the best from the other side should my party not win.
However, in THIS presidential primary, because a number of honest, highly qualified men did not even make it to "super Tuesday" on the Democratic ticket (Sorry, Joe, I'd have voted for you), there really was no reason to vote the blue ticket. Kerry seems to have things wrapped up. But the party bosses planned it that way. *sigh*
But hey, we got to vote for the lesser of two evil flags in Georgia. Because, after all, FLAGS are so much more FREAKING IMPORTANT than law and order, corporate corruption investigations, and national security!
----- LoboSoft specializes in Digital Language Lab
Large numbers of ballots and ballot boxes going missing would throw serious red flags- the local news would catch serious shenanigans. Ditto burning down warehouses. (And e-voting doesn't solve these problems either: simply disappear the smart cards or machines.)
We already have very fast reporting, so the "Green" vote problem won't crop up either.
Where the US has been vulnerable in the past is voter rolls (Just how many dead people voted for Kennedy in Chicago?) and direct manipulation of voters (How many minority voters were "discouraged" in Florida last election?) E-voting doesn't solve these problems either.
"Seven Deadly Sins? I thought it was a to-do list!"
It is impossible to argue that moving to an electronic system is not inevitable, any more than it is possible to argue in favour of abandoning cell phones and reverting to tin cans and string, or abandoning email in favour of carrier pigeons.
Impossible? To start with, we've already adopted cell phones, whereas we haven't yet truly embraced electronic voting. Moreover, cell phones don't present the kind of threat to our democracy electronic voting does.
It has to be said, over and over again, that once we lose the right to vote, the only way to get it back will be through violence. So it's important that we do everything we can to see to it that the right isn't lost in the first place.
With a corrupt incumbent, people could be intimidated into voting for them, out of fear that the government might quietly (or worse - aggressively) discriminate against anyone who voted for their opponent.
I think that's ridiculous. People register in different political parties all the time, without ill effect.
I would argue in fact that it is vital we publish the ballots that people cast. It is the only way to be certain that an election is on the level. The arguments we always hear against doing this never stand up to scrutiny.
The only people who benefit from the secret ballot are those who seek to game the election.
Is this truly the only Earth I can live on?
So whom do you fear most: someone who is evil and stupid, or someone who is evil and smart?
It's not a pack of commie-terrorist-hacker anarchists hijacking the vote that I fear. It's corruption from within the system that rigs the vote to keep itself in office. E-voting allows for a more centralized point of attack that can be manipulated by insiders. In the article there was no mention of how the local election officials could know whether the machines were tallying accurately. Maybe every third vote for Edwards was credited to Kerry. How would they know?
If the group in power were to conspire with the machine manufacturer to rig the next election, how would anyone know? Especially if they didn't screw up as they did in Watergate.
You were 80% angel, 10% demon. The rest was hard to explain. - Over The Rhine
"Math in a song is good."-Linford
This story reminds me of an article I read (dead-tree) a while back on preventing terrorism.
The article was critical about all of the techno-solutions for preventing terrorism, and very much in favor of the simple solution: Make sure you have good people in the right places keeping an eye on things.
In a nutshell, Avi Rubin's article comes down to the very same thing. He had tremendous respect for and confidence in the people working at the election. He (still) had little respect for the techno-solution.
Yesterday I voted using an optical scanner, which I never truly appreciated until reading all of the e-Voting flap. I've always appreciated the fact that I've always known at least one of the poll workers, and they knew me. After reading this article, I appreciate that fact even more.
The living have better things to do than to continue hating the dead.
At least with paperless voting you need something more sophisticated and educated than a horde of gorillas that can barely read and write their names.
More sophisticated and educated, but less numerous. The problem with paperless voting as currently implemented is that to tamper with the results you don't need a "horde" of anyone; you just need one or two of those sophisticated people to get the right level of access and abuse it.
Your "obvious" impression is directly contrary to that of pretty much the entire computer security community. Read what Schneier has to say on the subject, for example - stealing a bunch of ballots is one thing, but silently altering the entire result of the election without having to expose yourself by moving a single physical ballot and while leaving absolutely no physical sign that anything might be amiss is quite another.
Xenu loves you!
OK, I know these things are a bad idea, so do you. Sadly, the mass media and the general level of understanding among the population in general is not going to change what's happening at the moment.
I fear that the only way any of the security concerns, raised by everyone from your slightly savvy Joe Sixpack to experts in the security field, will ever be addressed properly is to actually have someone go ahead and blatantly compromise some of these things.
I'm not an advocate of election fraud or system cracking but there is probably no other way to get the message through the spin and media brainwashing to the general populace.
I fear where all this will head. Anyone have an accounting of where all 32,000 keys are? Would having just one turn up missing be enough to invalidate an entire election? What was so bad about paper ballots anyway?
Complicating matters to simplify a process is counter-productive.
Good article.
I voted yesterday and it all went quite smoothly.
But I still object to e-voting because it replaces a process which is very simple technologically speaking, with one that is complex. Also, it's in the hands of a private company, and easily leaves open plenty of room for conspiracy theories if an election is close at all (especially since there's no paper trail).
I do not know the costs involved but it also seems like it would be a lot more expensive.
The Diebold rep is basically admitting that at least some of the security and privacy promises in electronic voting are based on user perception, not reality.
Companies have marketers, and that's all these folks do.
When you buy a car, how much actual reality is involved, and how much user perception?
May we never see th
Amusingly, as a physician, the rules for how I can transmit simple data require both a stricter level of paper-trail (I have to document in the medical record the consent of the patient to release records and where I sent them) and a stronger encryption (sending medical information via unsecured Fax or modem is against HIPAA rules) than people tolerate on their votes.
Immediate problem with receipts - vote selling.
An organization (political, commercial or other), could print out the ballots. People looking for a few bucks could pick one up, fill it out while the entity makes sure the proper votes are collected. A provided shuttle bus then takes people to the polling place where the vote is dropped off. The receipt you so generously provided is then given to the entity who pays you off.
-- Ravensfire
"But we decide which is right, and which is an illusion"
I may by chance play craps at the craps table. But I will not waste time in any electronic gambling machine.
I feel the same way about voting. Unless the code and the whole process is open sourced, as a transparent government should be, I will not support it no matter how secure they can prove it is.
Why isn't there a project to create a Free Software electronic voting system that fixes all the Diebold issues? Seems to me we need an open system, visible source has proven to be far more secure than closed source, and it would be accountable to the public.
Where are the people willing to start a company that produces an open product with the flaws fixed?
Maybe you are just overthinking it...
Why doesn't each machine print out who each person voted for? That way, a manual recount can occur, any counting errors in the software aren't a major issue, etc.
To me at least, this is the most obvious solution
Doh!
Furthermore, small-scale fraud is pretty much guaranteed to cancel itself out. A corrupt Republican stuffs 20 dead peoples' ballots in one precinct, and a corrupt Democrat gets another 20 corpses to vote in the next precinct. Net effect: ZERO.
Electronic voting practically guarantees that the corrupt side with the best crackers will win. The only proof of electoral fraud in an electronic system is likely to come in the form "A team of hackers for Our Guy knows it stuffed 100,000,000 ballots. We hired them and watched it happen, but the popular vote came out 101,000,000 to 99,000,000 in favor of Their Guy. Obviously, Their Guy also hired crackers to rig the election! We want a do-over!"
Personally, I'm OK with a society in which the Side That Gains The Political Allegiance Of The Best Hackers gets to rule the world. I think a society in which the Democratic candidate campaigns on a platform "We'll execute all RIAA members in exchange for your help in rigging the vote", only to be countered with a Republican candidate running on "We'll execute all RIAA members, and because we're also pro-gun, we'll let you pull the trigger on them in exchange for your help in rigging the vote!" would be pretty fucking cool.
Would it be a free society? Given the influence the techno-elite would have, it might be even more free than our present one. But I'd never pretend to call it a democratic one. I'm OK with that, because I happen to believe that democracy is overrated. The Constitution in its current form differs with me on that point. The one that governs the country in which I live says the society is supposed to be a representative republic in which the votes cast by the people for their representatives count.
Because I also believe in the rule of law, and because that Constitution is the law, however cool a society ruled by h4x0rz might be, I must therefore oppose electronic voting. Pisses me off to be consistent in my beliefs sometimes, but there you go.
I'm not sure Prof. Rubin's right about the smart cards not being a big vulnerability. If someone manufactures altered cards it's easy to come in with one in your pocket, get a legit card, use the altered card to vote and return the legit card. You couldn't stuff the ballot box this way, but you could vote a different ballot than the one you were assigned. This would get caught when checking the voting machine's tally of ballot types against the number of each type issued, but there'd still be no way of correcting the results.
The zero machine is the big problem. I think it's why Diebold makes such a big deal out of the security of the actual voting process: the zero machine makes the security of the voting itself irrelevant. That one machine tallies all votes, and it gets access to all of the PCMCIA cards that hold the tallies from the other machines. It's in a position to simply discard all the actual results and replace them with whatever it wants, and once it has there's no way to tell it's happened. I can think of several easy ways to keep that code undetected, too. Unverified code loaded at the last minute (after all the testing had been done) to fix a convenient bug, for example. Just disallowing updates won't stop me, though. Prof. Rubin mentioned using PIN 1111 during training but a different PIN when setting the machines up for an election. So, I put the result-replacement code into the zero machine before it's delivered to the state, but put in a check: if the PIN is 1111 then disable the replacement code, otherwise enable it. During training, during test elections, during everything that uses that special PIN 1111 the machine will behave exactly as if no malicious code was present. Set it up for a real election using a real PIN other than 1111, and suddenly code that's never been active before is active and waiting to force the results. Note that it doesn't have to be Diebold loading the code, anyone who can get enough access to the zero machine to load a program update into it could do this. Given Diebold's track record for doing on-the-sly updates to the code, I think there's a non-negligible chance of someone being able to slip their code into an update and have it go through even if we assume Diebold themselves wouldn't (and I'm far from willing to assume that).
The big danger in my opinion isn't so much that this is possible, but that it's possible without leaving any evidence it's happened. The one thing paper ballots do well is give us an audit trail from the actual cast ballots all the way through the final results. The results can be altered, but it's very difficult to alter them while keeping the audit trail intact and consistent. It's not the electronic voting machines that are the major problem, it's the lack of a verifiable audit trail. With paper ballots you don't need to trust the counting process to verify whether the final results are correct. With the current electronic machines this isn't the case.
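The two reconciliation checks described in the comment above (ballot types issued versus ballot types tallied, and machine totals versus a hand count of paper records), as an added example that is not part of the original thread or of any voting system's code. The record layout, field names and sample precincts are assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class PrecinctRecord:
    """One precinct's records. Every field name here is an assumption."""
    precinct: str
    issued_by_type: dict   # ballot type -> voter cards handed out (poll book)
    machine_by_type: dict  # ballot type -> ballots the machines say were cast
    machine_tally: dict    # candidate -> votes the machines report
    paper_records: list    # hand-read paper records: (ballot_type, candidate)


def _diff(expected, actual):
    """Return {key: (expected, actual)} for every key whose counts differ."""
    keys = sorted(set(expected) | set(actual))
    return {k: (expected.get(k, 0), actual.get(k, 0))
            for k in keys if expected.get(k, 0) != actual.get(k, 0)}


def reconcile(rec):
    """Run both checks for one precinct; return (findings, hand_count)."""
    findings = []

    # Check 1: ballot types issued vs. ballot types the machines recorded.
    # A swapped voter card shows up here, but this check alone cannot say
    # which individual ballot was wrong, so it detects without correcting.
    type_gap = _diff(rec.issued_by_type, rec.machine_by_type)
    if type_gap:
        findings.append(("ballot_type_mismatch", type_gap))

    # Check 2: hand count of the paper records vs. the machine tally.
    # The paper count does not depend on the counting software, so a
    # mismatch both reveals the problem and supplies the corrected result.
    hand_count = dict(Counter(cand for _, cand in rec.paper_records))
    tally_gap = _diff(hand_count, rec.machine_tally)
    if tally_gap:
        findings.append(("tally_mismatch", tally_gap))

    # Check 3: every issued card should have produced one paper record.
    issued_total = sum(rec.issued_by_type.values())
    if issued_total != len(rec.paper_records):
        findings.append(("paper_count_mismatch",
                         (issued_total, len(rec.paper_records))))
    return findings, hand_count


def audit(records):
    """Reconcile every precinct; return {precinct: {findings, hand_count}}."""
    out = {}
    for rec in records:
        findings, hand_count = reconcile(rec)
        out[rec.precinct] = {"findings": findings, "hand_count": hand_count}
    return out


# Constructed sample data (not real election results).
SAMPLE = [
    # P1: everything agrees.
    PrecinctRecord("P1", {"D": 3, "R": 2}, {"D": 3, "R": 2},
                   {"Kerry": 2, "Edwards": 1, "Bush": 2},
                   [("D", "Kerry"), ("D", "Edwards"), ("D", "Kerry"),
                    ("R", "Bush"), ("R", "Bush")]),
    # P2: one voter cast a ballot type other than the one issued.
    PrecinctRecord("P2", {"D": 3, "R": 2}, {"D": 2, "R": 3},
                   {"Kerry": 2, "Bush": 3},
                   [("D", "Kerry"), ("D", "Kerry"),
                    ("R", "Bush"), ("R", "Bush"), ("R", "Bush")]),
    # P3: machine tally differs from what the paper records show.
    PrecinctRecord("P3", {"D": 6}, {"D": 6},
                   {"Kerry": 4, "Edwards": 2},
                   [("D", "Kerry")] * 3 + [("D", "Edwards")] * 3),
]

if __name__ == "__main__":
    for precinct, result in audit(SAMPLE).items():
        print(precinct, result["findings"] or "consistent")
```

Without the `paper_records` field, only check 1 can run, which is the situation the comment describes: a mismatch can be noticed but the result cannot be corrected.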
First, I'm impressed by Avi's candor. His admissions of his own error, his discussion of mitigation of some risks, and so on point to someone, I feel, who is trying their utmost to be forthright and thorough. By the same token, clearly these doing really lessen the great danger of an e-voting machine. We need to stop for a moment and consider the sinister possibilities. When, say, Microsoft buys Diebold, purportedly for technology or such, who's to say they're not buying themselves a congress that will outlaw open source? That's only the most mild of such scenarios.
Second, I wonder if there's a sacrificial lamb out there who'd be willing to hack a Diebold box. If someone could successfully seriously skew the outcome such that people went, "Wait, that's *really* the result?" and then claim credit, that might be the death blow to unaudited evoting.
Third, I'd like to simply point out an analogy that's appropriate when considering that e-voting on Super Tuesday was "successful". Windows works pretty well when you sit down and use it, most of the time. That doesn't mean it's secure - witness the rash of viruses as of late - and it doesn't mean it isn't *disastrous* when that insecurity is exploited.
Thanks for doing what you can to keep the spotlight on this issue, Avi - America needs you.
If the voting machine is rigged, it can generate signed fake votes as easily as signed real votes.
The main point here is there is no way to count the votes without a computer interpreting them for you. Thus, there is always software that can be tampered with to change votes en masse.
It is important a real paper trail that can be hand verified is created. I also feel it is important the voter can do so himself at the polling place if he so wishes. This is easy with scantron sheets or the chad machines. It cannot be done with the electronic machines, as no one can see the bits on the card.
I voted electronically, and just doing it you can easily see that there is no way to know if my vote was even put onto the smartcard at all, let alone accurately. And then, there is no evidence that it was moved from the smart card into the small accumulator machine at all, let alone accurately. And has been said many times, there is no way to do a meaningful recount from the source ballots, as they don't exist.
Real-time tallying doesn't seem that important -- but perhaps it could be used as an election-protection measure, if every voter got a tally of the total votes after they'd voted. Tallies could be compared to ensure election integrity. As to your other points: there are other ways to eliminate ambiguous selections; staff requirements do not strike me as particularly significant; and paper waste isn't reduced by as much as you'd think. As to time spent voting, most of that time is spent reading the ballot and making a final decision, not physically coding the choices -- at least in my experience. I'll grant the rest. Mmm, skipping good points...
To me the question is not "when," it is "how." Perhaps electronic voting is inevitable -- I don't see it having tremendous advantages over other systems, but given our fondness for gizmos it probably is inevitable. I have no real objection to electronics being used in voting -- provided they are used in a way that is secure and verifiably honest. I think we share this concern.
Freedom isn't free; its price is the well-being of others.
There is a counter example to the feasibility of standard 8 1/2" by 11" ballots. In some states of Germany the elections to the local administrations (towns, counties, villages) use the so called "non genuine town part election" (unechte Teilortswahl). After reorganizing towns and villages and regrouping them to larger communities in the early 70s the former villages got a fixed number of seats in the new town's councils. So the votes are counted in every former village separately to determine which candidates get sent to the town council. On the other hand the complete town council should represent the votes cast proportionally, so if one party wins more seats in the town council per winning them in the town parts than their quote is in the popular vote, then the other parties get a proportional number of seats in the now enlarged town council (those seats are called "Ueberhangmandate", roughly translated to surplus seats). (To make it more easy, groups that get less than 5% of the popular vote are ignored, except if they manage to get more than three direct seats).
On the other hand the voters have as many votes as the original town council has seats. The voter is allowed to put the votes freely on the ballots to whatever candidate she thinks they should go without respect to the party membership of the candidates. If she thinks a candidate should definitely get some votes, she can even cumulate more than one vote (mostly up to three) to a candidate (but then she has fewer votes left for other candidates). If she thinks that's too complicated she can also cast a single vote to a 'list', a group of candidates for a single party or political group. A list basically consists of the nominees of a single party for all the seats in the town council.
If she agrees with none of the candidates, she can also write the names of her own candidates in a free list.
Because the parties and groups have to nominate candidates for every seat to allow this list voting, the ballots can get extremely large. There once was an election for a town council in Southwest Germany where the ballots were about 4ft by 3ft (DIN A0), because about 20 groups had sent in lists for the 40 seats of the council.
After calculating all the proportions and giving underrepresented groups and lists the surplus seats the town council grew to 132 seats.
Normally such a complicated way of voting would call for an electronic voting system. But nothing beats the opportunity for the electorate to come to the voting booths after the booths have closed for voting, and watch the voting staff crew open the sealed boxes and count the votes manually. This is controlling the democratic process at its finest. The local voting result will be announced to the auditorium before the votes get sealed again in a box and sent to the central election offices. The so called preliminary voting result (vorlaeufiges amtliches Endergebnis) is determined by adding the local results, and then the central election offices open the sealed boxes and again count the votes while the electorate has the chance to watch.
This is my greatest issue with electronic voting: You can't watch the count. From my experience nothing beats watching the count. In the former GDR (East Germany) the population knew the elections were rigged because enough people showed up at the election offices and watched the officials counting. Even though the people then only knew the local result, they could easily see the difference between the local result and the officially announced one. If the official result announced for instance a 98,85 percent result for the ruling party in a town of 10,000 people, and you knew that your local office had counted at least 120 votes cast against them, then you saw the result being rigged. This showing up during the counting and collecting the results was done throughout the whole GDR in the last communal elections on May 6 1989, and the public uproar after the officially announced result was contradicting the results the people were calculating themselves triggered the inner tensions the GDR didn't survive but for another half year.
My lessons are: However you vote, whenever you vote: Make sure you are able to watch the count!
All this is very odd to me, in both the process and the execution.
The idea of the government paying for the counting of votes about internal party issues is unthinkable here - I'd go so far as to say it would almost certainly be illegal for our tax money to be used to pay for that. Can anyone set up a political party and demand that the US Government counts votes for their candidates?
The whole concept of a 'voting machine' is alien to me. What's wrong with paper and a pencil? Sure there are procedural exploits that are theoretically possible, but no more or less so than with the machines, and we don't have any of this chad-dangling nonsense.
More importantly, the main reason we will not have voting machines here is simply cost. Why pay for something that is going to cost more than pencil and paper?
A pizza of radius z and thickness a has a volume of pi z z a
You're not thinking outside the box (the ballot box in this case).
In your example, maybe it's a wash. But, at a larger level (states), it is *very* significant. Why? Because you don't really vote for President. And since two given states may not have the same number of electoral votes, a fix in one state that is balanced in another state does not wash out.
So, a supposed 'small fraud' can actually have very large effects. See Florida.
You are being MICROattacked, from various angles, in a SOFT manner.
You've obviously never lived in a small town. Or been part of a labor union. But there are plenty of people who would be professionally or physically damaged if their vote wasn't along the lines of what was expected of them. We are just lucky to live in a country where it's not quite as obvious, probably because of the secrecy of our ballots.
Closed source is fine when all that's at risk is your shopping list, or what pr0n sites you view, but national elections are another thing. For this, the mechanism for voting has to be user-verifiable.
Take a look at Brazil. 100% (I believe) electronic voting, using an OPEN SOURCE voting solution. There, if you have any doubts about the system, you just pull up the entire source code and look for the $republicans++ line or whatever.
Electronic voting could be the best way to defend democracy, but it has to be achieved in a democratic fashion. It can't be controlled by someone looking to make money from it. There have to be NO conflicts of interest. Just a single conflict of interest and the whole integrity of the system comes into doubt, and therefore the outcome.
Having electronic voting that's run by 3 companies spread across the US is a really, truly horrible idea. It puts the ballot paper in the pocket of the politician - surely exactly what it shouldn't be doing.
I'm done ranting now. I want electronic voting to be global. I just want it to come from the people, not some guys in suits trying to get more money.
If you can make sense of that, you're a better man than me :-P
The NSA is actually a well-chosen organization for verifying voting software.
Remember that their job includes securing our own government's computers and communications. Their changes to DES, which they refused to explain at the time, later turned out to strengthen it against differential cryptanalysis.
They're also one of the few places where there's expertise in defending against a threat model of well-funded attackers with large organizations behind them. I'm not necessarily qualified to secure a voting system against the $YOURLEASTFAVORITEPARTY dirty tricks squad. The NSA has decades of real-world experience securing networks against national intelligence agencies.
NIST might be another choice but I'd rather have it done by someone who knows what dirty tricks to look for.
is the code in the machines?
One argument is that if you leave the polling place with something that shows how you voted then vote buying is more possible. Another is that you can be threatened or coerced.
The short answer is that it is probably illegal because it allows you to prove to a third party how you voted and thus violates the secret ballot principle. Read the intro to Secret Secret-Ballot Receipts and Transparent Integrity where he describes a different type of receipt.
Think "$EMPLOYER says you're fired if you don't vote for $CANDIDATE and bring him the paper to prove it" or "hey, I'll give you $50 for every voting receipt proving a vote for $CANDIDATE"
You vote. Out pops a slip of paper with a random unique number on it and your vote and a URL http:/e-votingsomething.gov
The problem is that, in some areas, people can be intimidated, assaulted, or even killed for how they voted (or even for voting in the first place). Yes, even here in the US. It doesn't happen as often as it used to, but still does, and, more importantly, could.
Human-readable paper receipts, or anything that can easily be converted to tell someone's vote, enable this sort of voter intimidation.
After reading the article and viewing the comments so far, I conclude that the ONLY thing that made the voting process described above secure was the process used by the judges. These people were dedicated to making sure things ran correctly, and without those people and the methods they used the voting process WILL be tampered with.
I noted several further potential security flaws from the description given above, but once Mr. Rubin gets some time to sleep and think a bit I am sure he will notice them as well. The biggest flaw I noticed was the instance of the "zero machine" phoning its results in, or more particularly not phoning in and connecting. That is the weakest point, and it would be possible to phone in false results from a completely separate machine. With no paper trail to verify the vote, the false results could be taken as correct, or at least have all votes from that precinct thrown out if they were questioned.
Anyone who has worked around computers for any length of time will tell you how important a backup is. Yet the described method of e-voting has no backup. This is not a trustworthy or competent system.
I posted this comment yesterday, but probably too late and too deep to be noticed:
The system designed by TruVote takes into account all of these considerations. It prints out two receipts: one that the voter keeps and the other that the voter verifies which is then dropped into a sealed box for later count. The voter verifies this receipt from behind a piece of Plexiglas so that it cannot be tampered with and so additional fake votes cannot be inserted into the box (which could probably be made difficult or impossible with a cryptographic hash verification system anyway).
The receipt given to the voter contains an ID and pin number that can be used to verify the status of the vote (counted, uncounted, chosen candidates, etc...) on a voting Web site. This ensures voter confidence.
By having both an electronic count and a manual count, the validity of the poll can be easily demonstrated. Of course, the manual count must be performed by a different organization than that which controls the automated count. Manual counters feel added pressure to do the job right because their count must be reasonably close to that given by the automatic count. The same holds true for the electronic count. This prevents hacking or malicious tampering with the electronic count (as well as just plain error).
If the results don't match (within reasonable confidence levels), the voter receipt helps determine the problem. Voters can be asked to verify their votes again on the Web site to validate the electronic count. If this count is validated, then the manual count comes under scrutiny.
In my mind, this system is about as perfect and tamper-proof as it gets. Of course, the legislation doesn't require paper trails for voting machines yet.
As a side note, I find it curious that Diebold makes ATM machines which all give paper receipts for transactions, but their voting machines do not.
---- Just another spud server.
"I believe that if any voter somehow managed to vote multiple times, that it would be detected within an hour. I have no idea what we would do in that situation. In fact, I think we'd have a serious problem on our hands, but at least we would know it."
Right. If I shot you through both your femoral arteries, you'd know within a second that you were bleeding to death. There's nothing you could do about it, but at least you'd know.
In a close election, all you'd have to do is identify those precincts where your opponent had a strong lead. Find a way to screw up the vote on the Diebold machines. Demand that those votes be thrown out. Demand a recount. Sue all the way to SCOTUS if those votes are included. Lather, Rinse, Repeat. Watch the republic turn into an empire.
There's only one problem: the only thing you could scrutinize would be the counts emitted by the machines. There's no other record to look at. If the exit polls say 90% of the voters voted A and the machines say 90% voted B and you think that's just not plausible, you're stuck because the only record of what the votes actually were is the count reported by the machine. You can ask it to repeat that number, but the original votes no longer exist to recount.
We hope your rules and wisdom choke you / Now we are one in everlasting peace
I would argue in fact that it is vital we publish the ballots that people cast. It is the only way to be certain that an election is on the level. The arguments we always hear against doing this never stand up to scrutiny.
In Zimbabwe, voters were handed a blue and a red sheet of paper with the candidates' names and platforms printed on each one. They were then allowed to go behind a screen and secretly place one of the sheets of paper into the voting box. Then they went outside and handed the red sheet of paper to the men carrying machine guns standing outside the polling station.
Similar scenarios have played out to prevent blacks from voting in the US within the last forty years. You really want to go back to that?
Votes have to be anonymous. If my vote is published in any way that can be tied to me, I can no longer vote my conscience. If I owe Guido money, Guido may decide that it's important to my kneecaps for me to vote a certain way. If my vote is truly anonymous, I can vote how I like and lie to Guido to make him leave me alone. If Guido or I can find out how I voted, I will vote exactly how Guido wants me to vote. Not very democratic, now is it?
What you're proposing is Zimbabwe democracy writ small and large. Vote-buying, as it's called, requires some external verification of the vote, like publishing who voted for whom. Without external verification, vote-buying becomes really impractical. Therefore, publishing the ballots that people cast is a really, really awful idea which deserves no consideration as a serious way to improve our democracy.
But I guess that doesn't hold up to scrutiny? This isn't rocket science, your proposal simply doesn't work, though it has been tried many times (with those in power liking your idea the most).
Regards,
ross