Avi Rubin's Thoughts On e-Voting
nazarijo writes "Avi Rubin, a well regarded Johns Hopkins computer science professor and leading critic of e-voting, has written an account of his experience as an election judge on super tuesday. Maryland was experimenting with e-Voting machines. Rubin puts it this way, 'this was one of the most incredible days in my life.' He wrote his experiences immediately after the day was over, capturing his perspective on the subject. A very interesting read."
This is a great article. I don't like E-voting, but not because I fear of fraud or deceit -- I don't like the majority or the form of democracy our country has taken on in the last 100 years or so.
Not wanting to troll or start an argument, I just wanted to remind people that this country was founded on a Constitution that should severely limit what the federal government can do. Some of the Constitution's protection of natural rights extends to limit the individual State powers as well.
E-Voting is just one step towards "complete" democracy, where the majority makes all the rules. This frightens me more than I can explain on paper. The majority should never have any control over the minority (even over a minority of one) property rights or natural rights. If the majority ruled, 51% of the country can take away what 49% own. This is not America. This is not freedom.
Democracy unrestrained will fold into some sort of socialism eventually, as we have seen in the past 100 years. We need to hit the brakes and return to a strong local government and a weak federal government, and we need to do it now.
It's entirely desirable to fit the tool to the task at hand. There's not the slightest reason some /.ers yapping away needs the same level of validation as a federal election.
The whole concept of Internet Voting frightens the hell out of me.
The Internet has been around for what - 35 years now? And we *still* haven't solved e-mail spoofing and spam. Nor have we found a way to keep 5cr1p7 k1661e5 from busting into National Freaking Defense servers. How many times have we heard about Yet Another Batch Of Stolen Credit Card Numbers?
Still, some folks think those little "speed bumps" shouldn't stop us from using the same technology to select the leader of the free world?
Someone tell me this is just a bad dream. Please.
I love technology. But not for this purpose. And certainly NOT NOW. Not yet...
The problem with socialism is that they always run out of other people's money. - Margaret Thatcher
Unfortunately, it takes a technically-astute person to identify a potential security flaw like this. It also takes a technically-astute person to implement the flaw. To the average person, the whole situation seems alarmist. It's in the same category as astroids striking the earth: Sure, it could happen, but....
Only after a failure of the e-voting system, a failure that's obvious enough for the average person to understand, will the public demand either better controls or removal of the system.
Kucinich got one vote all day. That ballot somehow failed to get into the sealed envelope I returned to the party that night. All in all, 3 points:
I'm going to guess that
But by then you'll probably have ended up joining the Army for lack of better prospects in Bush's economy, so that you can lay down your life ostensibly to protect democracy in Iraq, and surely to protect Halliburton's contracts there.
While I'm sure that somewhere Mr. Jefferson is cringing at your example, please don't feel too bad: Fascists everywhere rely on people just like you; without you they'd never get beyond the Bier-Hall Putsch.
Opinions on the Twiddler2 hand-held keyboard?
eVoting on machines that do not produce auditable paper trails are disasters waiting to happen. As in many other intrinsically dangerous situations, years may, and probably will go by with no apparent problems.
Our lives are full of protections that are seemingly "no needed." How often does an elevator cable actually break, for example? Does that mean we don't need overspeed brakes on elevators?
Or inspectors to see whether the brakes are there and working?
One little-noted contribution by Edward Teller was his almost single-handed insistence that civilian nuclear power plants be enclosed in containment buildings. This is particularly interesting because he was, of course, a strong advocate of nuclear power. And, of course, nuclear reactors are supposed to be safe in the first place, so why go to the huge expense of a containment building that isn't supposed to be needed? Then a Three Mile Island comes along, and we find out why.
Black-box voting is a disaster waiting to happen. The disaster probably won't happen tomorrow, or this year. And when it does happen, it probably won't happen in a district with plenty of careful, well-trained, honest conscientious poll workers.
"How to Do Nothing," kids activities, back in print!
*If you don't like the idea of your party preference being on the rolls you just don't register for one. In my state there is a specific box on the form that says "Do not enroll in a party" -- there's also a separate box for the "Independence Party". If you don't want it to be on the rolls you just check off the "Do not enroll" box -- it's that simple.*
however that(having an option for that) really goes against on why you have a closed ballot in the first place, to prevent people being intimitaded into voting someone they wouldn't(or at least prevent from voting someone) like to vote(by husband, wive, the mobster, boogie man or whoever..).
not that I'm a big fan of a 2 party system with nearly identical parties(that work pretty much as a cartel..). Though maybe I'm just stupid as I don't really see the point in why goverment is paying for elections that are an internal issue of the party(deciding who they should back). Maybe that proves some continuity regardless of who wins(stagnation..)..
world was created 5 seconds before this post as it is.
OK,so I'm not American, but that guy is one hell of a great patriot. Amazing how many people hate the guy when he's out to defend America's #1 institution. Oh wait... democracy was replaced by "don't bug me about my quasi-legal business practices" a few years back. Right.
Not at all. The real question is whether or not the e-voting system will be a vehicle for widespread massive one-stop-shopping and completely untraceable fraud as opposed to the small-scale fraud that you seem to feel they will prevent.
But when a bunch of gorillas steal a booth, you can SEE a booth is missing, you can see that a shitload of vote serial numbers aren't accounted for, etc. There is evidence, if not of who commited fraud, that fraud has indeed happened. With electronic stolen elections, it is much easier to cover tracks.
If you think that careers are the most enormous stakes in an election, you're a little too close to the process for your own good. b-)
kind regards,
Jess
I am programmed for etiquette, not destruction!
Except in the great, rebellious state of Georgia.
A republican can walk into the primary, vote the democrat ticket, then in the fall can vote the Republican ticket.
Allows all voters the opportunity to vote in November from the best offerings of the two major parties.
Some folks on both sides switch hit to put up a weak candidate for the opposition. I prefer to do it so that I can have the best from the other side should my party not win.
However, in THIS presidential primary, because a number of honest, highly qualified men did not even make it to "super Tuesday" on the Democratic ticket (Sorry, Joe, I'd have voted for you), there really was no reason to vote the blue ticket. Kerry seems to have things wrapped up. But the party bosses planned it that way. *sigh*
But hey, we got to vote for the lesser of two evil flags in Georgia. Because, after all, FLAGS are so much more FREAKING IMPORTANT then law and order, corporate corruption investigations, and national security!
----- LoboSoft specializes in Digital Language Lab
Large numbers of ballots and ballot boxes going missing would throw serious red flags- the local news would catch serious shenanigans. Ditto burning down warehouses. (And e-voting doesn't solve these problems either: simply disappear the smart cards or machines.)
We already have very fast reporting, so the "Green" vote problem won't crop up either.
Where the US has been vulnerable in the past is voter rolls (Just how many dead people voted for Kennedy in Chicago?) and direct manipulation of voters (How many minority voters were "discouraged" in Florida last election?) E-voting doesn't solve these problems either.
"Seven Deadly Sins? I thought it was a to-do list!"
It is impossible to argue that moving to an electronic system is not inevitable, any more than it is possible to argue in favour of abandoning cell phones and reverting to tin cans and string, or abandoning email in favour of carrier pigeons.
Impossible? To start with, we've already adopted cell phones, whereas we haven't yet truly embraced electronic voting. Moreover, cell phones don't present the kind of threat to our democracy electronic voting does.
It has to be said, over and over again, that once we lose the right to vote, the only way to get it back will be through violence. So it's important that we do everything we can to see to it that the right isn't lost in the first place.
With a corrupt incumbant, people could be intimidated into voting for them, out of fear that the government might quietly (or worse - aggressively) discriminate against anyone who voted for their opponent.
I think that's ridiculous. People register in different political parties all the time, without ill effect.
I would argue in fact that it is vital we publish the ballots that people cast. It is the only way to be certain that an election is on the level. The arguments we always hear against this doing this never stand up to scrutiny.
The only people who benefit from the secret ballot are those who seek to game the election.
Is this truly the only Earth I can live on?
This story reminds me of an article I read (dead-tree) a while back on preventing terrorism.
The article was critical about all of the techno-solutions for preventing terrorism, and very much in favor of the simple solution: Make sure you have good people in the right places keeping an eye on things.
In a nutshell, Avi Rubin's article comes down to the very same thing. He had tremendous respect for and confidence in the people working at the election. He (still) had little respect for the techno-solution.
Yesterday I voted using an optical scanner, which I never truly appreciated until reading all of the e-Voting flap. I've always appreciated the fact that I've always known at least one of the poll workers, and they knew me. After reading this article, I appreciate that fact even more.
The living have better things to do than to continue hating the dead.
At least with paperless voting you need something more sofisticated and educated that a horde of gorillas that can barely read and write their names
More sophisticated and educated, but less numerous. The problem with paperless voting as currently implemented is that to tamper with the results you don't need a "horde" of anyone; you just need one or two of those sophisticated people to get the right level of access and abuse it.
Your "obvious" impression is directly contrary to that of pretty much the entire computer security community. Read what Schneier has to say on the subject, for example - stealing a bunch of ballots is one thing, but silently altering the entire result of the election without having to expose yourself by moving a single physical ballot and while leaving absolutely no physical sign that anything might be amiss is quite another.
Xenu loves you!
OK, I know these things are a bad idea, so do you. Sadly, the mass media and the general level of understanding among the population in general is not going to change what's happening at the moment.
I fear that the only way any of the security concerns, raised by everyone from your slightly savvy Joe Sixpack to experts in the security field, will ever be addressed properly is to actually have someone go ahead and blatantly compromise some of these things.
I'm not an advocate of election fraud or system cracking but there is probably no other way to get the messege thru the spin and media brainwashing to the general populous.
I fear where all this will head. Anyone have an acounting of where all 32,000 keys are? Would having just one turn up missing be enough to invalidate an entire election? What was so bad about paper ballots anyway?
Complicating matters to simplify a process is counter-productive.
Amusingly, as a physician, the rules for how I can transmit simple data require both a stricter level of paper-trail (I have to document in the medical record the consent of the patient to release records and where I sent them) and a stronger encryption (sending medical information via unsecured Fax or modem is against HIPPA rules) than people tolerate on their votes.
I my by chance play craps at the craps table. But I will not waste time in any electronic gambling machine.
I feel the same way about voting. Unless the code and the whole process is open sourced, as a transparent government should be, I will not support it no matter how secure they can prove it is.
Why isn't there a project to create a Free Software electronic voting system that fixes all the Diebold issues? Seems to me we need an open system, visable source has proven to be far more secure than closed source, and it would be accountable to the public.
Where are the people willing to start a company that produces an open product with the flaws fixed?
Maybe you are just overthinking it...
Why doesn't each machine print out who each person voted for? That way, a manual recount can occur, any counting errors in the software aren't a major issue, etc.
To me at least, this is the most obvious solution
Doh!
Furthermore, small-scale fraud is pretty much guaranteed to cancel itself out. A corrupt Republican stuffs 20 dead peoples' ballots in one precinct, and a corrupt Democrat gets another 20 corpses to vote in the next precinct. Net effect: ZERO.
Electronic voting practically guarantees that the corrupt side with the best crackers to win. The only proof of electoral fraud in an electronic system is likely to come in the form "A team of hackers for Our Guy knows it stuffed 100,000,000 ballots. We hired them and watched it happen, but the popular vote came out 101,000,000 to 99,000,000 in favor of Their Guy. Obviously, Their Guy also hired crackers to rig the election! We want a do-over!"
Personally, I'm OK with a society in which the Side That Gains The Political Allegiance Of The Best Hackers gets to rule the world. I think a society in which the Democratic candidate campaigns on a platform "We'll execute all RIAA members in exchange for your help in rigging the vote", only to be countered with a Republican candidate running on "We'll execute all RIAA members, and because we're also pro-gun, we'll let you pull the trigger on them in exchange for your help in rigging the vote!" would be pretty fucking cool.
Would it be a free society? Given the influence the techno-elite would have, it might be even more free than our present one. But I'd never pretend to call it a democratic one. I'm OK with that, because I happen to believe that democracy is overrated. The Constitution in its current form differs with me on that point. The one that governs the country in which I live says the society is supposed to be a representative republic in which the votes cast by the people for their representatives count.
Because I also believe in the rule of law , and because that Constitution is the law, however cool a society ruled by h4x0rz might be, I must therefore oppose electronic voting. Pisses me off to be consistent in my beliefs sometimes, but there you go.
I'm not sure Prof. Rubin's right about the smart cards not being a big vulnerability. If someone manufactures altered cards it's easy to come in with one in your pocket, get a legit card, use the altered card to vote and return the legit card. You couldn't stuff the ballot box this way, but you could vote a different ballot than the one you were assigned. This would get caught when checking the voting machine's tally of ballot types against the number of each type issued, but there'd still be no way of correcting the results.
The zero machine is the big problem. I think it's why Diebold makes such a big deal out of the security of the actual voting process: the zero machine makes the security of the voting itself irrelevant. That one machine tallies all votes, and it gets access to all of the PCMCIA cards that hold the tallies from the other machines. It's in a position to simply discard all the actual results and replace them with whatever it wants, and once it has there's no way to tell it's happened. I can think of several easy ways to keep that code undetected, too. Unverified code loaded at the last minute (after all the testing had been done) to fix a convenient bug, for example. Just disallowing updates won't stop me, though. Prof. Rubin mentioned using PIN 1111 during training but a different PIN when setting the machines up for an election. So, I put the result-replacement code into the zero machine before it's delivered to the state, but put in a check: if the PIN is 1111 then disable the replacement code, otherwise enable it. During training, during test elections, during everything that uses that special PIN 1111 the machine will behave exactly as if no malicious code was present. Set it up for a real election using a real PIN other than 1111, and suddenly code that's never been active before is active and waiting to force the results. Note that it doesn't have to be Diebold loading the code, anyone who can get enough access to the zero machine to load a program update into it could do this. Given Diebold's track record for doing on-the-sly updates to the code, I think there's a non-negligible chance of someone being able to slip their code into an update and have it go through even if we assume Diebold themselves wouldn't (and I'm far from willing to assume that).
The big danger in my opinion isn't so much that this is possible, but that it's possible without leaving any evidence it's happened. The one thing paper ballots do well is give us an audit trail from the actual cast ballots all the way through the final results. The results can be altered, but it's very difficult to alter them while keeping the audit trail intact and consistent. It's not the electronic voting machines that are the major problem, it's the lack of a verifiable audit trail. With paper ballots you don't need to trust the counting process to verify whether the final results are correct. With the current electronic machines this isn't the case.
First, I'm impressed by Avi's candor. His admissions of his own error, his discussion of mitigation of some risks, and so on point to someone, I feel, who is trying their utmost to be forthright and thorough. By the same token, clearly these doing really lessen the great danger of an e-voting machine. We need to stop for a moment and consider the sinister possibilities. When, say, Microsoft buys Diebold, purportedly for technology or such, who's to say they're not buying themselves a congress that will outlaw open source? That's only the most mild of such scenarios.
Second, I wonder if there's a sacraficial lamb out there who'd be willing to hack a Diebold box. If someone could successfully seriously skew the outcome such that people went, "Wait, that's *really* the result?" and then claim credit, that might be the death blow to unaudited evoting.
Third, I'd like to simply point out an analogy that's appropriate when consider that e-voting on super tuesday was "successful". Windows works pretty well when you sit down and use it, most of the time. That doesn't mean it's secure - witness the rash of viruses as of late - and it doesn't mean it isn't *disastrous* when that insecurity is exploited.
Thanks for doing what you can to keep the spotlight on this issue, Avi - America needs you.
Real-time tallying doesn't seem that important -- but perhaps it could be used as an election-protection measure, if every voter got a tally of the total votes after they'd voted. Tallies could be compared to ensure election integrity. As to your other points: there are other ways to eliminate ambiguous selections; staff requirements do not strike me as particularly significant; and paper waste isn't reduced by as much as you'd think. As to time spent voting, most of that time is spent reading the ballot and making a final decision, not physically coding the choices -- at least in my experience. I'll grant the rest. Mmm, skipping good points...
To me the question is not "when," it is "how." Perhaps electronic voting is inevitable -- I don't see it having tremendous advantages over other systems, but given our fondness for gizmos it probably is inevitable. I have no real objection to electronics being used in voting -- provided they are used in a way that is secure and verifiably honest. I think we share this concern.
Freedom isn't free; its price is the well-being of others.
There is a counter example to the feasably of standard 8 1/2" by 11" ballots. In some states of Germany the elections to the local administrations (towns, counties, villages) use the so called "non genuine town part election" (unechte Teilortswahl). After reorganizing towns and villages and regrouping them to larger communities in the early 70ies the former villages got a fixed number of seats in the new town's councils. So the votes are counted in every former village separately to determine which candidates get sent to the town council. On the other hand the complete town council should represent the votes cast proportionally, so if one party wins more seats in the town council per winning them in the town parts than their quote is in the popular vote, then the other parties get a proportional number of seats in the now enlarged town council (those seats are called "Ueberhangmandate", roughly translated to surplus seats). (To make it more easy, groups that get less than 5% of the popular vote are ignored, except if they manage to get more than three direct seats).
On the other hand the voters have so many votes as the orinigal town council has seats. The voter is allowed to put the votes freely on the ballots to whatever candidate she thinks they should go without respect to the party membership of the candidates. If she thinks a candidate should definitely get some votes, she can even cummulate more than one vote (mostly up to three) to a candidate (but then she has less votes left for other candidates). If she thinks that's too complicated she can also cast a single vote to a 'list', a group of candidates for a single party or political group. A list basicly consists of the nominates of a single party for all the seats in the town council.
If she agrees with none of the candidates, she can also write the names of her own candidates in a free list.
Because the parties and groups have to nominate candidates for every seat to allow this list voting, the ballots can get extremly large. There once was an election for a town council in Southwest Germany where the ballots were about 4ft by 3ft (DIN A0), because about 20 groups had sent in lists for the 40 seats of the council.
After calculation all the proportions and giving underrepresented groups and lists the surplus seats the town council grew to 132 seats.
Normally such a complicated way of voting would call for an electronic voting system. But nothing beats the opportunity for the electorate to come to the voting booths after the booths have closed for voting, and watch the voting staff crew to open the sealed boxes and count the votes manually. This is controlling the democratic process at its finest. The local voting result will be announced to the autitorium before the votes get sealed again in a box and sent to the central election offices. The so called preliminary voting result (vorlaeufiges amtliches Endergebnis) is determined by adding the local results, and then the central election offices open the sealed boxes and again count the votes while the electorate has the chance to watch.
This is my greatest issue with electronic voting: You can't watch the count. From my experience nothing beats watching the count. In the former GDR (East Germany) the population knew the elections were rigged because enough people showed up at the election offices and watched the officials counting. Even though the people then only knew the local result, they could easily see the difference between the local result and the officially anounced one. If the official result announced for instance a 98,85 percent result for the ruling party in a town of 10,000 people, and you knew that your local office had counted at least 120 votes cast against them, then you saw the result being rigged. This showing up during the counting and collecting the results was done throughout the whole GDR in the last communal elections on May 6 1989, and the public uproar after the officially anounced result was contradicting the results the people were calculating themselves triggered the inner tensions the GDR didn't survived but for another half year.
My lessons are: However you vote, whenever you vote: Make sure you are able to watch the count!
You're not thinking outside the box (the ballot box in this case).
In your example, maybe it's a wash. But, at a larger level (states), it is *very* significant. Why? Because you don't really vote for President. And since two given states may not have the same number of electoral votes, a fix in one state that is balanced in another state does not wash out.
So, a supposed 'small fraud' can actually have very large effects. See Florida.
You are being MICROattacked, from various angles, in a SOFT manner.
You've obviously never lived in a small town. Or been part of a labor union. But there are plenty of people who would be professionally or physically damaged if their vote wasn't along the lines of what was expected of them. We are just lucky to live in a country were its not quite as obvious, probably because of the secrecy of our ballots.
Closed source is fine when all that's at risk is your shopping list, or what pr0n sites you view, but national elections are another thing. For this, the mechanism for voting has to be user-verifiable.
Take a look at Brazil. 100% (I believe) electronic voting, using an OPEN SOURCE voting solution. There, if you have any doubts about the system, you just pull up the entire source code and look for the $republicans++ line or whatever.
Electronic voting could be the best way to defend democracy, but it has to be achieved in a democratic fashion. It can't be controlled by someone looking to make money from it. There have to be NO conflicts of interest. Just a single conflict of interest and the whole integrity of the system comes into doubt, and therefor the outcome.
Having electronic voting that's run by 3 companies spread across the US is a really, truly horrible idea. It puts the ballot paper in the pocket of the politician - surely exactly what it shouldn't be doing.
I'm done ranting now. I want electronic voting to be global. I just want it to come from the people, not some guys in suits trying to get more money.
If you can make sense of that, you're a better man than me :-P
One argument is that if you leave the polling place with something that shows how you voted then vote buying is more possible. Another is that you can be threatened or coerced.
The short answer is that it is probably illegal because it allows you to prove to a third party how you voted and thus violates the secret ballot principle. Read the intro to Secret Secret-Ballot Receipts and Transparent Integrity where he describes a different type of receipt.
Test 1 2 3 4
Think "$EMPLOYER says you're fired if you don't vote for $CANDIDATE and bring him the paper to prove it" or "hey, I'll give you $50 for every voting receipt proving a vote for $CANDIDATE"
"I believe that if any voter somehow managed to vote multiple times, that it would be detected within an hour. I have no idea what we would do in that situation. In fact, I think we'd have a serious problem on our hands, but at least we would know it."
Right. If I shot you through both your femoral arteries, you'd know within a second that you were bleeding to death. There's nothing you could do about it, but at least you'd know.
In a close election, all you'd have to do is identify those precincts where your opponent had a strong lead. Find a way to screw up the vote on the Diebold machines. Demand that those votes be thrown out. Demand a recount. Sue all the way to SCOTUS if those votes are included. Lather, Rinse, Repeat. Watch the republic turn into an empire.