Avi Rubin's Thoughts On e-Voting
nazarijo writes "Avi Rubin, a well-regarded Johns Hopkins computer science professor and leading critic of e-voting, has written an account of his experience as an election judge on Super Tuesday. Maryland was experimenting with e-Voting machines. Rubin puts it this way, 'this was one of the most incredible days in my life.' He wrote his experiences immediately after the day was over, capturing his perspective on the subject. A very interesting read."
Every 15 minutes or so, the unit judge would take the cards and give them back to us book judges. When a Diebold rep showed up, I asked her about this, and she said that it was done to give the voters a sense that nothing was being kept on the smartcards about their voting session.
The Diebold rep is basically admitting that at least some of the security and privacy promises in electronic voting are based on user perception, not reality.
Trolling is a art,
As a non-American I'm baffled by the practice of having voters register which party they prefer in a government database. The basic principle of an election is the secret ballot.
Why is this done? Why isn't it widely condemned? Why do people cooperate instead of all claiming to prefer the monster raving loony party?
Very well said. To (mis)quote someone with a sharper wit than mine, "Democracy is two wolves and a sheep voting on what's for dinner."
I claim first use of "Error No. 0B" - or "No. 0B error." It'll be the new ID 10T!
Avi Rubin was on Screensavers (TechTV) the other day showing the vulnerabilities of eVoting. He showed how back doors can be placed in the program and votes can be manipulated. Pretty eye-opening stuff.
But electronic voting scares me. Voting is the only way we can directly impose our will upon the establishment. In the current system, every vote cast leaves a permanent, tangible, undisputable (unless some kind of hole punch is involved, anyway) record. Electronic voting leaves nothing that can be held or physically counted, just data on a hard-drive somewhere. Even with the most rigorous security, encryption and protocols, I'll never feel confident that the system is entirely honest and invincible.
Of course, paper ballots can be 'lost' or 'miscounted'. But the altering of an electronic election result could potentially leave no evidence: the only things that will have been destroyed or altered never existed in the first place.
First, it's not about internet voting.
Second, what I don't get, is why can't we use electronics to print out a "ballot" with our selections done in the comfort of home, and just take this "ballot" to a polling place? The ballot would, of course, be something similar to a scantron or other paper form, but would also have human readable form of the contained data. Perhaps bar codes or their successors would suffice?
Such a system allows for a paper trail, quick and supposedly accurate tally of votes, removes the painful sections of voting, by having people be able to make their selections at home, print the page, and verify their selections (or copy it to a floppy, or perhaps a CD) and such medium (paper, floppy, CD, something else) could be taken to a polling place, quickly read, and the voter could verify their selections very quickly. Much easier than punch cards or voting machine du jour.
Yes, those that do not have computers would still have to go through the current onus of voting, but, the lines should be shorter, as many do have computers at home or work.
The cesspool just got a check and balance.
I live in a country where phony elections were common in the last 70 years. Paperless elections are much safer than paper. Why? Ballots are lost before elections, voting booths get stolen after election day, if they couldn't steal them they use the good old tactic called the "green vote".
When ballots are cast in remote locations it's difficult to get the results fast, the votes need to arrive to the accounting facilities where the totals are certified and sent to the central accounting facilities.
When they use the "green vote" (because it originates in rural areas) they take advantage of that delay and claim fake results with the stolen votes and booths. If recounting is needed because of a dispute, accounting facilities and storage can be hijacked or burnt to ground (it's happened a few times).
At least with paperless voting you need something more sophisticated and educated than a horde of gorillas that can barely read and write their names.
You can't view this article as anything. The headline says it all, "Officials Say evoting a Success". If something does go wrong, those same journalists will gleefully use the quotes from those officials to tear strips from the dumb bastards.
I actually voted in Georgia, and I have to say that, by and large, the judges there were not as well trained as the ones described by Rubin. Regardless, I think this is a threat that will peak over time, and not in the next few elections. Once the procedures get established, and people get sloppy, I think we'll see some instances of fraud.
I have to say one thing though, it actually made voting feel kind of cloak and dagger. I've never spent so much time looking at a voting machine before.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
If electronic voting is unavoidable, much like Windows it's "easy to use", why not offer a few alternatives?
Open sourcing is always fun, why not a simpler machine based off standard PC hardware? An open source secured program running off of a LiveCD (to prevent permanent modification. If the CD's secure when it goes in, you can't make permanent changes at the station.)
Each vote is electronically signed, so if you want to add in a fake vote, you'd need to create the equivalent of a public key whose matching private equivalent just happens to have been generated, something fairly unlikely.
NO Networking. Besides everyone getting a hard-copy receipt (or digital copy if they feel like it, as long as it's a receipt, I don't feel what form is too much of an issue), all the data is carried by hand, and once more encrypted after voting so that it can only be decrypted at wherever they feel the votes need to be tallied securely. I mean, obviously decryption can be broken, but generally not too quickly if it's good, and unreasonable delays in the delivery of the votes would be a fairly quick sign something was amiss.
I mean, obviously there's no such thing as 100% secure electronic voting, but peer review as well as an electronic at-machine form of voter verification that requires the machine to authenticate a unique per-voter id just seems like common sense.
After hearing about the security issues with the Diebold machines, I had some doubts. I'm no technophobe, but placing the future of our democracy so completely into the hands of a company which has been less than responsive to public critique is something I find rather frightening.
Turns out they didn't check for ID either. I hope I feel safer in November.
It's called the Constitution. If you really are frightened, you should try giving it a read. The checks and balances put in place to limit the actions of the government also limit what any majority can do, even if there were ever such a thing as direct elections. If you don't understand how the federal government is structured, we elect a president, we elect representatives, and judges are appointed by the president and approved (or not) by the representatives. There is no structure or mechanism for direct elections at the federal level, and I'm not sure where they'd fit in even if there were.
Now, the state level is another story -- especially if you live somewhere with idiotic laws like California. Referendums (i.e., direct democracy) are possible at the state level, and probably not a good idea except for very, very limited purposes. However, even if a measure wins with 90% of the vote, that does not mean it will become law. It still must pass the test of being constitutional. If the measure violates either the state or federal constitution, it is invalid and unenforceable. And at the federal level, judges are appointed for life and so are largely immune to political pressure. The US Constitution, and most state constitutions, provide protections to the minority and very strict controls on how anything can be taken by the government.
So while I agree that majority rule often == mob rule, and is something to be worried about, I have no idea how you equate electronic voting with what you call "complete democracy." Since the founding of the colonies, there have been direct elections at the local level, with representative democracy for the larger political units. Whether the ballots are made of pulped wood or ones and zeroes does not change the structure of government in the least.
And I am really confused by your statement regarding "the majority or the form of democracy our country has taken on in the last 100 years or so." One, I don't think the structure of our democracy has changed greatly in the last 100 years, but even more importantly I think the issues you claim to be worried about were worse 100 years ago than they could ever get today. Slavery and the horrendous treatment of the Native Americans, of the working class, and of every ethnic minority (e.g., Italian, Irish, Chinese, Africans, etc.) were possible 100 years ago, but are not today.
The real problem with electronic voting is the ease with which it can be manipulated without anyone ever knowing, not some imaginary bogy of mob rule.
The bigotry of the nonbeliever is for me nearly as funny as the bigotry of the believer. - Albert Einstein
How timely. I recently wrote an essay (read: rant) on why E-Voting is inevitable, and why we should all just suck it up and work to make the system better, instead of fighting it and trying to preserve an antiquated and inadequate pen-and-paper system.
There should be no question in anyone's mind that electronic voting is the future. It is impossible to argue that moving to an electronic system is not inevitable, any more than it is possible to argue in favour of abandoning cell phones and reverting to tin cans and string, or abandoning email in favour of carrier pigeons.
The benefits of electronic voting are obvious and numerous: real-time tallying, greater security (a staffer couriering a box of ballots could theoretically manipulate them, but a staffer transmitting an encrypted database is powerless to alter it), elimination of ambiguous selections (e.g., "Hanging/Pregnant Chads"), less time required per voter, fewer staff required to manage an election, and less paper waste.
No system is without its drawbacks, however, and e-voting's drawbacks are subtle and insidious. The most obvious weakness of an e-voting system regards securing the system against manipulation. Elections hold an enormous amount at stake - indeed, entire political careers - and thus the temptation for covert meddling is inevitable. The people designing and implementing the system could be bribed into embedding backdoors into the software.
A less obvious drawback of e-voting is that it puts at risk one of the fundamental pillars of a democracy - anonymous voting. In order to prevent ineligible people from voting, or eligible people from voting multiple times, their identity would have to be verified prior to voting. However, in order to support re-counts, the actual votes themselves would have to be somehow tied to the people that cast them (otherwise, the tally would simply be an integer that increments whenever someone votes for them). If the voters weren't completely confident that their vote was guaranteed to be kept secret, the entire democracy could be undermined. With a corrupt incumbent, people could be intimidated into voting for them, out of fear that the government might quietly (or worse - aggressively) discriminate against anyone who voted for their opponent.
These problems, and the others related to e-voting are not insurmountable. The software used to run the system should be completely public. This would prevent backdoors from being inserted into the system by allowing anyone with enough computer-savvy to personally inspect the code controlling the system. In fact, virtually all software written by the government should be made freely available anyway, since it is OUR tax dollars that funded its creation.
The voter anonymity could be guaranteed by assigning eligible voters a security public/private key pair, with the mappings held in escrow by a special elections commission. The database would only be accessible to a non-partisan staff of top-secret-cleared employees, and would be destroyed after the election results were certified.
The complete widespread adoption of electronic voting is inevitable. It is not a question of "if," but rather "when." Some jurisdictions are already experimenting with some systems, with less than encouraging results. One of their principal mistakes is that they have contracted out the software for the systems, and the source code is not being made available for public inspection. Consequently, there are pockets of the electorate who don't trust the systems, and indeed, the systems have already exhibited troubling symptoms of bugs that may have been detected and corrected if the software had been opened up prior to being deployed.
I think Robert A. Heinlein put it best in a few different ways.
"A dictatorship is based on the assumption that one man is smarter than a million men. One Question: Who Decides?
A Democracy on the other hand is based on the assumption that a million men are smarter than one man. How's that again?"
(Time enough for love)
Then also of course
"At the end of the 20th century, the people realized that in a democracy they could vote themselves bread and circuses, and the world went to hell afterwards"
(Beyond the sunset)
Though personally I like the observation that in any group of people the total intelligence is the lowest intelligence divided by the number of people in the group.
I will not give in to the terrorists. I will not become fearful.
While I did not serve in an election judge capacity, I am a Maryland voter and used the Diebold machines yesterday. I was impressed with the professionalism of the election judges and believe that Prof. Rubin is correct that competent, honest, committed election officials provide a vital line of security in what is by its nature (whether paper or electronic) an imperfect process. Today there have been stories of some isolated problems with voting machines, but certainly no widespread failures or security breaches.
When Prof. Rubin notes his mistake in coding the smart card, he provides an interesting illustration. When I reported to my polling place and signed in, I was issued a smart card. When I placed it in the machine, an election judge stood nearby reviewing the "orange card" that listed my party affiliation, etc. He specifically asked "does the first screen list your party as XXXXXX?" It didn't - my smart card was improperly coded by the election judge. The judges immediately had me stop so no votes were entered, recoded the card, and ushered me back to the machine to complete my ballot.
I share the concern about the security of the transmission from the Zero machine to the Bd. of Elections and hope Diebold already has implemented some encryption. But since the machines aren't actively networked during the day, and based on what I saw at my polling place, I'm relatively unconcerned about the security risks.
In the traditional paper system, which was in place for a very, very long time, we never managed to work out the problems of lost ballots, unreadable ballots, etc. Remember - in Florida in 2000, every recount seemed to produce a new "total" number of ballots cast. While there are legitimate security concerns that should be addressed, I can't believe that the system is any worse or less reliable than before.
My hat's off to the Maryland Board of Elections and all of the volunteers that made this work. A committed, honest and professional job was done by everyone I saw and I'm proud of them and grateful for their efforts.
I just sent an e-mail to my representative specifically requesting that he push legislation to either remove e-voting or demand a verifiable paper trail and auditable code on voting machines.
The text I sent:
In light of the recent heavy usage of electronic voting machines during the primaries, including many inconveniences, I decided to look into the matter more carefully. Due to many major security flaws in e-voting systems and many straightforward openings for abuse, I am greatly worried about the current state of e-voting.
It is my hope that a law could be passed which would require the following of e-voting systems:
1) Code review by the NSA (or other governmental agency) to ensure that no backdoors have been added to the programs.
2) Paper trails of all votes cast, so that the ability of computers to change massive amounts of data swiftly could never be applied to the votes which are essential to our democratic system. (These need not be the primary counting method, but should be there as a safeguard in case of fraud)
3) Voter verifiable ballots. Currently, there is no proof for the voter as to how their vote was counted. If the votes were printed (see 2) and then given to the voter to place into a separate ballot box, the voter could easily look at the ballot to determine that the machine actually printed their vote correctly.
None of these requests are especially difficult to have carried out, none of these requests are unreasonable, and all of the requests are essential to the maintenance of our fair and reliable democracy.
It's not much, but it would be if everyone on Slashdot did it.
Hmmm....Slashdotting congress....that would be fun.
In the report, Rubin mentions his real fear: the predesignated zero machine.
I *have* downloaded the code from NZ, a year ago, and skimmed through it. I posted this then, and I'll reiterate: within two hours, I found a function, commented, that *appeared* to be going into the *production* code, not just test, that *says* its purpose is to "install total files" from another system.
This is a far simpler, and more dangerous attack, than fake smartcards.
mark "yes, I can find the function again, on request"