Avi Rubin's Thoughts On e-Voting
nazarijo writes "Avi Rubin, a well regarded Johns Hopkins computer science professor and leading critic of e-voting, has written an account of his experience as an election judge on Super Tuesday. Maryland was experimenting with e-Voting machines. Rubin puts it this way, 'this was one of the most incredible days in my life.' He wrote his experiences immediately after the day was over, capturing his perspective on the subject. A very interesting read."
He was an election judge in Baltimore County, MD. Near the end of his story, Avi writes "My biggest fear is that super Tuesday will be viewed as a big success."
And here's what the local media had to say the next day:
Elections Officials Say Electronic Voting Successful
Is this truly the only Earth I can live on?
(I'm not normally a Karma whore, but the site looks like it's normally a low-usage site)
My experience as an Election Judge in Baltimore County
by Avi Rubin
It is now 10:30 pm, and I have been up since 5 a.m. this morning. Today, I served as an election judge in the primary election, and I am writing down my experience now, despite being extremely tired, as everything is fresh in my mind, and this was one of the most incredible days in my life.
I first became embroiled in the current national debate on evoting security when Dan Wallach of Rice University and I, along with Computer Scientist Yoshi Kohno and my Ph.D. student Adam Stubblefield released a report analyzing the software in Diebold's Accuvote voting machines.
Although there were four of us on the project, perhaps because I was the most senior of the group, the report became widely associated with me, and people began referring to it as the "Hopkins report" or even in some cases the "Rubin report". I became the target of much criticism from Maryland and Georgia election officials who were deeply committed to these machines, and of course, of the vendor. The biggest criticism that I received was that I am an academic scientist and that academics do not "know siccum" about elections, as Doug Lewis from the Election Center put very eloquently.
While I dispute many of the claims that computer scientists working on e-voting security analysis are deficient in their knowledge of elections, I realized that there was only one way to stifle this criticism, and at the same time to perform a civic duty. I volunteered to become an election judge in Baltimore County. The first step was to get signed up. I filled out a form at a local grocery store and waited for a call from the Baltimore County Board of Elections. The call never came. So, I called up the board and spoke with the head of elections and found out that there was a mandatory training session a couple of days later. I got on to the list for the training, and I attended. There, I learned that my entire county would be voting with Diebold Accuvote TS machines, the very one that we had analyzed in our report. It was an eerie feeling as I trained for 2 hours on every aspect of using the machine and teaching others how to use them. Afterwards, I received a certificate signed by the board of elections and became a qualified judge. I was supposed to receive a phone call within a few days assigning me to a precinct, but I did not. So, I called up the board of elections and spoke with the same woman, who assigned me to a precinct at a church in Timonium, MD, about 15 minutes from my house.
I reported to my precinct at 5:45 a.m. this morning. Introductions began, and I immediately realized that it would not be a normal day. There are two head judges, one from each party. There were also seven other judges. The head judges were Marie (R) and Jim (D). Both of them mentioned that they read about me in the paper that morning, and were pretty cold towards me. It turns out that the Baltimore Sun ran a story today about my being an election judge. In there, I'm quoted as saying that the other judges in my training were in the "grandparent category" with respect to their age. My colleagues for the day, who were in that category as well, did not appreciate the barb and were ready to spar with me.
There are three types of judges besides the head judges. There are four book judges, one from each party with A-K and one from each party with L-Z. There is one judge assigned to provisional ballots, and a couple of unit judges charged with assigning voters to particular machines. I was the L-Z democrat book judge, along with Andy, a grandfather of many, a staunch Republican, and a fellow I grew very fond of as the day went on. To my left were Anne, the Republican judge married to Andy, and Sandy. Actually, there were two Sandys. One began as a unit judge, but early on switched with the other Sandy to be the democratic book judge on A-K. Bill was the provisional judge, and he is m
Every 15 minutes or so, the unit judge would take the cards and give them back to us book judges. When a Diebold rep showed up, I asked her about this, and she said that it was done to give the voters a sense that nothing was being kept on the smartcards about their voting session.
The Diebold rep is basically admitting that at least some of the security and privacy promises in electronic voting are based on user perception, not reality.
Trolling is a art,
This is a great article. I don't like E-voting, but not because I fear fraud or deceit -- I don't like the majority or the form of democracy our country has taken on in the last 100 years or so.
Not wanting to troll or start an argument, I just wanted to remind people that this country was founded on a Constitution that should severely limit what the federal government can do. Some of the Constitution's protection of natural rights extends to limit the individual State powers as well.
E-Voting is just one step towards "complete" democracy, where the majority makes all the rules. This frightens me more than I can explain on paper. The majority should never have any control over the minority (even over a minority of one) property rights or natural rights. If the majority ruled, 51% of the country can take away what 49% own. This is not America. This is not freedom.
Democracy unrestrained will fold into some sort of socialism eventually, as we have seen in the past 100 years. We need to hit the brakes and return to a strong local government and a weak federal government, and we need to do it now.
I'm not so sure about this electronic voting thing. I submitted my vote for Kucinich, and the local election board moderated me "-1 Troll".
Also, if you vote for someone more than 30 times in a 24-hour period, you get a "Slow down, Cowboy" warning. Except in Chicago.
Oh yes, totally ironic. How I dread the day when CowboyNeal is illegally modded into the Oval Office.
Moron.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
Perhaps the lightest moment in the day came when one voter standing at his machine asked in the most deadpan voice, "What do I do if it says it is rebooting?" Head judge Marie turned white, and Joy's mouth dropped. My heart started to beat quickly, when he laughed and said "just kidding."
Who was it?? I know you're reading this!!!
As a non-American I'm baffled by the practice of having voters register which party they prefer in a government database. The basic principle of an election is the secret ballot.
Why is this done? Why isn't it widely condemned? Why do people cooperate instead of all claiming to prefer the monster raving loony party?
It's entirely desirable to fit the tool to the task at hand. There's not the slightest reason some /.ers yapping away needs the same level of validation as a federal election.
The whole concept of Internet Voting frightens the hell out of me.
The Internet has been around for what - 35 years now? And we *still* haven't solved e-mail spoofing and spam. Nor have we found a way to keep 5cr1p7 k1661e5 from busting into National Freaking Defense servers. How many times have we heard about Yet Another Batch Of Stolen Credit Card Numbers?
Still, some folks think those little "speed bumps" shouldn't stop us from using the same technology to select the leader of the free world?
Someone tell me this is just a bad dream. Please.
I love technology. But not for this purpose. And certainly NOT NOW. Not yet...
The problem with socialism is that they always run out of other people's money. - Margaret Thatcher
Interesting (and worrying) article.
Here in Ireland, there is a major stink being made over the government's plans to introduce e-voting machines in the next election. They will replace *all* paper ballots everywhere in the country.
Some interesting related reading:
Experts warn about timing of e-voting
Pressure group outlines concerns about electronic voting
What worries me most about e-voting is the fact there is no paper trail. There has been talk here of altering the machines so that they also produce a printout of the vote made by an individual, but the government is resisting it citing expense.
I would rather the old reliable and transparent paper ballot system rather than the closed and opaque e-voting machines.
Patriotism - the last resort of scoundrels.
Avi Rubin was on Screensavers (TechTV) the other day showing the vulnerabilities of eVoting. He showed how back doors can be placed in the program and votes can be manipulated. Pretty eye-opening stuff.
100% Insightful
But electronic voting scares me. Voting is the only way we can directly impose our will upon the establishment. In the current system, every vote cast leaves a permanent, tangible, undisputable (unless some kind of hole punch is involved, anyway) record. Electronic voting leaves nothing that can be held or physically counted, just data on a hard-drive somewhere. Even with the most rigorous security, encryption and protocols, I'll never feel confident that the system is entirely honest and invincible.
Of course, paper ballots can be 'lost' or 'miscounted'. But the altering of an electronic election result could potentially leave no evidence: the only things that will have been destroyed or altered never existed in the first place.
Unfortunately, it takes a technically-astute person to identify a potential security flaw like this. It also takes a technically-astute person to implement the flaw. To the average person, the whole situation seems alarmist. It's in the same category as asteroids striking the earth: Sure, it could happen, but....
Only after a failure of the e-voting system, a failure that's obvious enough for the average person to understand, will the public demand either better controls or removal of the system.
what?
First, it's not about internet voting.
Second, what I don't get, is why can't we use electronics to print out a "ballot" with our selections done in the comfort of home, and just take this "ballot" to a polling place? The ballot would, of course, be something similar to a scantron or other paper form, but would also have human readable form of the contained data. Perhaps bar codes or their successors would suffice?
Such a system allows for a paper trail, quick and supposedly accurate tally of votes, removes the painful sections of voting, by having people be able to make their selections at home, print the page, and verify their selections (or copy it to a floppy, or perhaps a CD) and such medium (paper, floppy, CD, something else) could be taken to a polling place, quickly read, and the voter could verify their selections very quickly. Much easier than punch cards or voting machine du jour.
Yes, those that do not have computers would still have to go through the current onus of voting, but, the lines should be shorter, as many do have computers at home or work.
The cesspool just got a check and balance.
I live in a country where phony elections were common in the last 70 years. Paperless elections are much safer than paper. Why? Ballots are lost before elections, voting booths get stolen after election day, if they couldn't steal them they use the g'old tactic called the "green vote".
When ballots are cast in remote locations it's difficult to get the results fast, the votes need to arrive to the accounting facilities where the totals are certified and sent to the central accounting facilities.
When they use the "green vote" (because it originates in rural areas) they take advantage of that delay and claim fake results with the stolen votes and booths. If recounting is needed because of a dispute, accounting facilities and storage can be hijacked or burnt to ground (it's happened a few times).
At least with paperless voting you need something more sophisticated and educated than a horde of gorillas that can barely read and write their names
You can't view this article as anything. The headline says it all, "Officials Say evoting a Success". If something does go wrong, those same journalists will gleefully use the quotes from those officials to tear strips from the dumb bastards.
I actually voted in Georgia, and I have to say that, by and large, the judges there were not as well trained as the ones described by Rubin. Regardless, I think this is a threat that will peak over time, and not in the next few elections. Once the procedures get established, and people get sloppy, I think we'll see some instances of fraud.
I have to say one thing though, it actually made voting feel kind of cloak and dagger. I've never spent so much time looking at a voting machine before.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
Kucinich got one vote all day. That ballot somehow failed to get into the sealed envelope I returned to the party that night. All in all, 3 points:
If electronic voting is unavoidable, much like Windows it's "easy to use", why not offer a few alternatives?
Open sourcing is always fun, why not a simpler machine based off standard PC hardware. An open source secured program running off of a LiveCD (to prevent permanent modification. If the CD's secure when it goes in, you can't make permanent changes at the station.)
Each vote is electronically signed, so if you want to add in a fake vote, you'd need to create the equivalent of a public key whose matching private equivalent just happens to have been generated, something fairly unlikely.
NO Networking. Besides everyone getting a hard-copy receipt (or digital copy if they feel like it, as long as it's a receipt, I don't feel what form is too much of an issue), all the data is carried by hand, and once more encrypted after voting so that it can only be decrypted at wherever they feel the votes need to be tallied securely. I mean, obviously decryption can be broken, but generally not too quickly if it's good, and unreasonable delays in the delivery of the votes would be a fairly quick sign something was amiss.
I mean, obviously there's no such thing as 100% secure electronic voting, but peer review as well as an electronic at-machine form of voter verification that requires the machine to authenticate a unique per-voter id just seems like common sense.
I'm going to guess that
But by then you'll probably have ended up joining the Army for lack of better prospects in Bush's economy, so that you can lay down your life ostensibly to protect democracy in Iraq, and surely to protect Halliburton's contracts there.
While I'm sure that somewhere Mr. Jefferson is cringing at your example, please don't feel too bad: Fascists everywhere rely on people just like you; without you they'd never get beyond the Bier-Hall Putsch.
Opinions on the Twiddler2 hand-held keyboard?
After hearing about the security issues with the Diebold machines, I had some doubts. I'm no technophobe, but placing the future of our democracy so completely into the hands of a company which has been less than responsive to public critique is something I find rather frightening.
Turns out they didn't check for ID either. I hope I feel safer in November.
eVoting on machines that do not produce auditable paper trails are disasters waiting to happen. As in many other intrinsically dangerous situations, years may, and probably will go by with no apparent problems.
Our lives are full of protections that are seemingly "not needed." How often does an elevator cable actually break, for example? Does that mean we don't need overspeed brakes on elevators?
Or inspectors to see whether the brakes are there and working?
One little-noted contribution by Edward Teller was his almost single-handed insistence that civilian nuclear power plants be enclosed in containment buildings. This is particularly interesting because he was, of course, a strong advocate of nuclear power. And, of course, nuclear reactors are supposed to be safe in the first place, so why go to the huge expense of a containment building that isn't supposed to be needed? Then a Three Mile Island comes along, and we find out why.
Black-box voting is a disaster waiting to happen. The disaster probably won't happen tomorrow, or this year. And when it does happen, it probably won't happen in a district with plenty of careful, well-trained, honest conscientious poll workers.
"How to Do Nothing," kids activities, back in print!
I typed in my own name as a write-in candidate for a state assembly seat that was un-contested (held by Rebecca Cohn). The idea being that I should be able to determine if my vote was counted by examining a list of the write in candidates, and finding my own name (Goodman). I voted in Santa Clara County, CA on a Sequoia Systems electronic voting machine. Do any slashdotters know if detailed election results are available online? Or whom to contact to get such information. So far, I have been unable to verify, but it is still early.
OK, so I'm not American, but that guy is one hell of a great patriot. Amazing how many people hate the guy when he's out to defend America's #1 institution. Oh wait... democracy was replaced by "don't bug me about my quasi-legal business practices" a few years back. Right.
How timely. I recently wrote an essay (read: rant) on why E-Voting is inevitable, and why we should all just suck it up and work to make the system better, instead of fighting it and trying to preserve an antiquated and inadequate pen-and-paper system.
There should be no question in anyone's mind that electronic voting
is the future. It is impossible to argue that moving to an electronic
system is not inevitable, any more than it is possible to argue in
favour of abandoning cell phones and reverting to tin cans and string,
or abandoning email in favour of carrier pigeons.
The benefits of electronic voting are obvious and numerous: real-time
tallying, greater security (a staffer couriering a box of ballots could
theoretically manipulate them, but a staffer transmitting an encrypted
database is powerless to alter it), elimination of ambiguous selections
(eg., "Hanging/Pregnant Chads"), less time required per voter, fewer
staff required to manage an election, and less paper waste.
No system is without its drawbacks, however, and e-voting's drawbacks
are subtle and insidious. The most obvious weakness of an e-voting
system regards securing the system against manipulation. Elections
hold an enormous amount at stake - indeed, entire political careers -
and thus the temptation for covert meddling is inevitable. The
people designing and implementing the system could be bribed into
embedding backdoors into the software.
A less obvious drawback of e-voting is that it puts at risk one of
the fundamental pillars of a democracy - anonymous voting. In order
to prevent ineligible people from voting, or eligible people from
voting multiple times, their identity would have to be verified
prior to voting. However, in order to support re-counts, the
actual votes themselves would have to be somehow tied to the people
that cast them (otherwise, the tally would simply be an integer that
increments whenever someone votes for them). If the voters weren't
completely confident that their vote was guaranteed to be kept
secret, the entire democracy could be undermined. With a corrupt
incumbent, people could be intimidated into voting for them, out
of fear that the government might quietly (or worse - aggressively)
discriminate against anyone who voted for their opponent.
These problems, and the others related to e-voting are not
insurmountable. The software used to run the system should be
completely public. This would prevent backdoors from being
inserted into the system by allowing anyone with enough
computer-savvy to personally inspect the code controlling the
system. In fact, virtually all software written by the government
should be made freely available anyway, since it is OUR tax
dollars that funded its creation.
The voter anonymity could be guaranteed by assigning eligible voters
a security public/private key pair, with the mappings held in escrow
by a special elections commission. The database would only be
accessible to a non-partisan staff of top-secret-cleared employees,
and would be destroyed after the election results were certified.
The complete widespread adoption of electronic voting is inevitable.
It is not a question of "if," but rather "when." Some jurisdictions
are already experimenting with some systems, with less than
encouraging results. One of their principal mistakes is that they
have contracted out the software for the systems, and the source
code is not being made available for public inspection. Consequently,
there are pockets of the electorate who don't trust the systems,
and indeed, the systems have already exhibited troubling symptoms
of bugs that may have been detected and corrected if the software
had been opened up prior to being deployed.
Like woodworking? Build your own picture frames.
But when a bunch of gorillas steal a booth, you can SEE a booth is missing, you can see that a shitload of vote serial numbers aren't accounted for, etc. There is evidence, if not of who committed fraud, that fraud has indeed happened. With electronic stolen elections, it is much easier to cover tracks.
If you think that careers are the most enormous stakes in an election, you're a little too close to the process for your own good. b-)
kind regards,
Jess
I am programmed for etiquette, not destruction!
Except in the great, rebellious state of Georgia.
A republican can walk into the primary, vote the democrat ticket, then in the fall can vote the Republican ticket.
Allows all voters the opportunity to vote in November from the best offerings of the two major parties.
Some folks on both sides switch hit to put up a weak candidate for the opposition. I prefer to do it so that I can have the best from the other side should my party not win.
However, in THIS presidential primary, because a number of honest, highly qualified men did not even make it to "super Tuesday" on the Democratic ticket (Sorry, Joe, I'd have voted for you), there really was no reason to vote the blue ticket. Kerry seems to have things wrapped up. But the party bosses planned it that way. *sigh*
But hey, we got to vote for the lesser of two evil flags in Georgia. Because, after all, FLAGS are so much more FREAKING IMPORTANT than law and order, corporate corruption investigations, and national security!
----- LoboSoft specializes in Digital Language Lab
While I did not serve in an election judge capacity, I am a Maryland voter and used the Diebold machines yesterday. I was impressed with the professionalism of the election judges and believe that Prof. Rubin is correct that competent, honest, committed election officials provide a vital line of security in what is by its nature (whether paper or electronic) an imperfect process. Today there have been stories of some isolated problems with voting machines, but certainly no widespread failures or security breaches.
When Prof. Rubin notes his mistake in coding the smart card, he provides an interesting illustration. When I reported to my polling place and signed in, I was issued a smart card. When I placed it in the machine, an election judge stood nearby reviewing the "orange card" that listed my party affiliation, etc. He specifically asked "does the first screen list your party as XXXXXX?" It didn't - my smart card was improperly coded by the election judge. The judges immediately had me stop so no votes were entered, recoded the card, and ushered me back to the machine to complete my ballot.
I share the concern about the security of the transmission from the Zero machine to the Bd. of Elections and hope Diebold already has implemented some encryption. But since the machines aren't actively networked during the day, and based on what I saw at my polling place, I'm relatively unconcerned about the security risks.
In the traditional paper system, which was in place for a very, very long time, we never managed to work out the problems of lost ballots, unreadable ballots, etc. Remember - in Florida in 2000, every recount seemed to produce a new "total" number of ballots cast. While there are legitimate security concerns that should be addressed, I can't believe that the system is any worse or less reliable than before.
My hat's off to the Maryland Board of Elections and all of the volunteers that made this work. A committed, honest and professional job was done by everyone I saw and I'm proud of them and grateful for their efforts.
Large numbers of ballots and ballot boxes going missing would throw serious red flags- the local news would catch serious shenanigans. Ditto burning down warehouses. (And e-voting doesn't solve these problems either: simply disappear the smart cards or machines.)
We already have very fast reporting, so the "Green" vote problem won't crop up either.
Where the US has been vulnerable in the past is voter rolls (Just how many dead people voted for Kennedy in Chicago?) and direct manipulation of voters (How many minority voters were "discouraged" in Florida last election?) E-voting doesn't solve these problems either.
"Seven Deadly Sins? I thought it was a to-do list!"
This story reminds me of an article I read (dead-tree) a while back on preventing terrorism.
The article was critical about all of the techno-solutions for preventing terrorism, and very much in favor of the simple solution: Make sure you have good people in the right places keeping an eye on things.
In a nutshell, Avi Rubin's article comes down to the very same thing. He had tremendous respect for and confidence in the people working at the election. He (still) had little respect for the techno-solution.
Yesterday I voted using an optical scanner, which I never truly appreciated until reading all of the e-Voting flap. I've always appreciated the fact that I've always known at least one of the poll workers, and they knew me. After reading this article, I appreciate that fact even more.
The living have better things to do than to continue hating the dead.
At least with paperless voting you need something more sophisticated and educated than a horde of gorillas that can barely read and write their names
More sophisticated and educated, but less numerous. The problem with paperless voting as currently implemented is that to tamper with the results you don't need a "horde" of anyone; you just need one or two of those sophisticated people to get the right level of access and abuse it.
I just sent an e-mail to my representative specifically requesting that he push legislation to either remove e-voting or demand a verifiable paper trail and auditable code on voting machines.
The text I sent:
In light of the recent heavy usage of electronic voting machines during the primaries, including many inconveniences, I decided to look into the matter more carefully. Due to many major security flaws in e-voting systems and many straight-forward openings for abuse, I am greatly worried about the current state of e-voting.
It is my hope that a law could be passed which would require the following of e-voting systems:
1) Code review by the NSA (or other governmental agency) to ensure that no backdoors have been added to the programs.
2) Paper trails of all votes cast, so that the ability of computers to change massive amounts of data swiftly could never be applied to the votes which are essential to our democratic system. (These need not be the primary counting method, but should be there as a safeguard in case of fraud)
3) Voter verifiable ballots. Currently, there is no proof for the voter as to how their vote was counted. If the votes were printed (see 2) and then given to the voter to place into a separate ballot box, the voter could easily look at the ballot to determine that the machine actually printed their vote correctly.
None of these requests are especially difficult to have carried out, none of these requests are unreasonable, and all of the requests are essential to the maintenance of our fair and reliable democracy.
It's not much, but it would be if everyone on Slashdot did it.
Hmmm....Slashdotting congress....that would be fun.
OK, I know these things are a bad idea, so do you. Sadly, the mass media and the general level of understanding among the population in general is not going to change what's happening at the moment.
I fear that the only way any of the security concerns, raised by everyone from your slightly savvy Joe Sixpack to experts in the security field, will ever be addressed properly is to actually have someone go ahead and blatantly compromise some of these things.
I'm not an advocate of election fraud or system cracking but there is probably no other way to get the message thru the spin and media brainwashing to the general populace.
I fear where all this will head. Anyone have an accounting of where all 32,000 keys are? Would having just one turn up missing be enough to invalidate an entire election? What was so bad about paper ballots anyway?
Complicating matters to simplify a process is counter-productive.
I live in a country where phony elections were common in the last 70 years.
Chicago isn't a country.
Amusingly, as a physician, the rules for how I can transmit simple data require both a stricter level of paper-trail (I have to document in the medical record the consent of the patient to release records and where I sent them) and a stronger encryption (sending medical information via unsecured Fax or modem is against HIPAA rules) than people tolerate on their votes.
Why isn't there a project to create a Free Software electronic voting system that fixes all the Diebold issues? Seems to me we need an open system, visible source has proven to be far more secure than closed source, and it would be accountable to the public.
Where are the people willing to start a company that produces an open product with the flaws fixed?
Toronto used them in the last several local elections, and I was a scrutineer (election judge) on the first.
The ballots are a large card, with a table of jobs and candidates printed on them. The voter colors in the shaft of a broad arrow between candidate and the position.
The cards are carried in a folder to the recorder, who puts them face-down in the reader, which reads and totals them, and feeds them face-down into a box. The box is kept, for manual and electronic recounts.
At the end of the day, a printout is made for each scrutineer, another for the records and then the results are sent by cell phone to the master polling station.
By the time I got back to the candidate's office, the results were on TV, by polling station, and they matched my printout.
--dave
davecb@spamcop.net
The laws on that vary from state to state. In Ohio, where I voted yesterday, it's separate "ballots" (we were using Diebold systems, too). In other states, it's all the same ballot.
There is no 'i' in team, but there is in fiasco...
I'm not sure Prof. Rubin's right about the smart cards not being a big vulnerability. If someone manufactures altered cards it's easy to come in with one in your pocket, get a legit card, use the altered card to vote and return the legit card. You couldn't stuff the ballot box this way, but you could vote a different ballot than the one you were assigned. This would get caught when checking the voting machine's tally of ballot types against the number of each type issued, but there'd still be no way of correcting the results.
The zero machine is the big problem. I think it's why Diebold makes such a big deal out of the security of the actual voting process: the zero machine makes the security of the voting itself irrelevant. That one machine tallies all votes, and it gets access to all of the PCMCIA cards that hold the tallies from the other machines. It's in a position to simply discard all the actual results and replace them with whatever it wants, and once it has there's no way to tell it's happened. I can think of several easy ways to keep that code undetected, too. Unverified code loaded at the last minute (after all the testing had been done) to fix a convenient bug, for example. Just disallowing updates won't stop me, though. Prof. Rubin mentioned using PIN 1111 during training but a different PIN when setting the machines up for an election. So, I put the result-replacement code into the zero machine before it's delivered to the state, but put in a check: if the PIN is 1111 then disable the replacement code, otherwise enable it. During training, during test elections, during everything that uses that special PIN 1111 the machine will behave exactly as if no malicious code was present. Set it up for a real election using a real PIN other than 1111, and suddenly code that's never been active before is active and waiting to force the results. Note that it doesn't have to be Diebold loading the code, anyone who can get enough access to the zero machine to load a program update into it could do this. Given Diebold's track record for doing on-the-sly updates to the code, I think there's a non-negligible chance of someone being able to slip their code into an update and have it go through even if we assume Diebold themselves wouldn't (and I'm far from willing to assume that).
The big danger in my opinion isn't so much that this is possible, but that it's possible without leaving any evidence it's happened. The one thing paper ballots do well is give us an audit trail from the actual cast ballots all the way through the final results. The results can be altered, but it's very difficult to alter them while keeping the audit trail intact and consistent. It's not the electronic voting machines that are the major problem, it's the lack of a verifiable audit trail. With paper ballots you don't need to trust the counting process to verify whether the final results are correct. With the current electronic machines this isn't the case.
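The two cross-checks discussed in the comment above, written out as an added example (not part of the original thread and not code from any voting system). It assumes each voting machine produces its own end-of-day printout, independent of the tallying machine; all names and figures are constructed sample data.

```python
from collections import Counter

# Constructed sample data, not from any real election.
ISSUED_BALLOT_TYPES = {"DEM": 120, "REP": 95}   # voter cards issued, per ballot type
MACHINE_TAPES = {                               # assumed per-machine printouts
    "unit-1": {"ballot_types": {"DEM": 61, "REP": 47},
               "votes": {"Race A": {"Smith": 58, "Jones": 50}}},
    "unit-2": {"ballot_types": {"DEM": 58, "REP": 49},
               "votes": {"Race A": {"Smith": 40, "Jones": 67}}},
}
# Totals as reported by the tallying ("zero") machine. The grand total (215)
# is unchanged, so a simple count of ballots cast would not flag anything.
ACCUMULATOR_REPORT = {"Race A": {"Smith": 118, "Jones": 97}}


def ballot_type_discrepancies(issued, tapes):
    """Ballot types whose cast count differs from the number issued (cast - issued)."""
    cast = Counter()
    for tape in tapes.values():
        cast.update(tape["ballot_types"])
    return {t: cast.get(t, 0) - issued.get(t, 0)
            for t in sorted(set(issued) | set(cast))
            if cast.get(t, 0) != issued.get(t, 0)}


def retally(tapes):
    """Re-add the per-machine printouts without trusting the tallying machine."""
    totals = {}
    for tape in tapes.values():
        for race, counts in tape["votes"].items():
            totals.setdefault(race, Counter()).update(counts)
    return {race: dict(c) for race, c in totals.items()}


def accumulator_discrepancies(reported, tapes):
    """List (race, candidate, independent_total, reported_total) mismatches."""
    independent = retally(tapes)
    diffs = []
    for race in sorted(set(reported) | set(independent)):
        rep, ind = reported.get(race, {}), independent.get(race, {})
        for cand in sorted(set(rep) | set(ind)):
            if rep.get(cand, 0) != ind.get(cand, 0):
                diffs.append((race, cand, ind.get(cand, 0), rep.get(cand, 0)))
    return diffs


if __name__ == "__main__":
    print("ballot-type mismatches:", ballot_type_discrepancies(ISSUED_BALLOT_TYPES, MACHINE_TAPES))
    for race, cand, ind, rep in accumulator_discrepancies(ACCUMULATOR_REPORT, MACHINE_TAPES):
        print(f"{race}/{cand}: printouts say {ind}, tallying machine reports {rep}")
```

Both checks only detect a discrepancy; as the comment notes for the ballot-type case, neither one can say which individual ballots were affected.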
First, I'm impressed by Avi's candor. His admissions of his own error, his discussion of mitigation of some risks, and so on point to someone, I feel, who is trying their utmost to be forthright and thorough. By the same token, clearly these doing really lessen the great danger of an e-voting machine. We need to stop for a moment and consider the sinister possibilities. When, say, Microsoft buys Diebold, purportedly for technology or such, who's to say they're not buying themselves a congress that will outlaw open source? That's only the most mild of such scenarios.
Second, I wonder if there's a sacrificial lamb out there who'd be willing to hack a Diebold box. If someone could successfully seriously skew the outcome such that people went, "Wait, that's *really* the result?" and then claim credit, that might be the death blow to unaudited evoting.
Third, I'd like to simply point out an analogy that's appropriate when considering that e-voting on super tuesday was "successful". Windows works pretty well when you sit down and use it, most of the time. That doesn't mean it's secure - witness the rash of viruses as of late - and it doesn't mean it isn't *disastrous* when that insecurity is exploited.
Thanks for doing what you can to keep the spotlight on this issue, Avi - America needs you.
If you are worried about the insecurity of e-voting, and you are wondering what to do, join EFF. They are working hard to educate the public and our politicians on this subject.
Test 1 2 3 4
There is a counter example to the feasibility of standard 8 1/2" by 11" ballots. In some states of Germany the elections to the local administrations (towns, counties, villages) use the so called "non genuine town part election" (unechte Teilortswahl). After reorganizing towns and villages and regrouping them to larger communities in the early 70s the former villages got a fixed number of seats in the new town's councils. So the votes are counted in every former village separately to determine which candidates get sent to the town council. On the other hand the complete town council should represent the votes cast proportionally, so if one party wins more seats in the town council per winning them in the town parts than their quote is in the popular vote, then the other parties get a proportional number of seats in the now enlarged town council (those seats are called "Ueberhangmandate", roughly translated to surplus seats). (To make it easier, groups that get less than 5% of the popular vote are ignored, except if they manage to get more than three direct seats).
On the other hand the voters have as many votes as the original town council has seats. The voter is allowed to put the votes freely on the ballots to whatever candidate she thinks they should go without respect to the party membership of the candidates. If she thinks a candidate should definitely get some votes, she can even cumulate more than one vote (mostly up to three) to a candidate (but then she has fewer votes left for other candidates). If she thinks that's too complicated she can also cast a single vote to a 'list', a group of candidates for a single party or political group. A list basically consists of the nominees of a single party for all the seats in the town council.
If she agrees with none of the candidates, she can also write the names of her own candidates in a free list.
Because the parties and groups have to nominate candidates for every seat to allow this list voting, the ballots can get extremely large. There once was an election for a town council in Southwest Germany where the ballots were about 4ft by 3ft (DIN A0), because about 20 groups had sent in lists for the 40 seats of the council.
After calculating all the proportions and giving underrepresented groups and lists the surplus seats the town council grew to 132 seats.
Normally such a complicated way of voting would call for an electronic voting system. But nothing beats the opportunity for the electorate to come to the voting booths after the booths have closed for voting, and watch the voting staff crew open the sealed boxes and count the votes manually. This is controlling the democratic process at its finest. The local voting result will be announced to the auditorium before the votes get sealed again in a box and sent to the central election offices. The so called preliminary voting result (vorlaeufiges amtliches Endergebnis) is determined by adding the local results, and then the central election offices open the sealed boxes and again count the votes while the electorate has the chance to watch.
This is my greatest issue with electronic voting: You can't watch the count. From my experience nothing beats watching the count. In the former GDR (East Germany) the population knew the elections were rigged because enough people showed up at the election offices and watched the officials counting. Even though the people then only knew the local result, they could easily see the difference between the local result and the officially announced one. If the official result announced for instance a 98,85 percent result for the ruling party in a town of 10,000 people, and you knew that your local office had counted at least 120 votes cast against them, then you saw the result being rigged. This showing up during the counting and collecting the results was done throughout the whole GDR in the last communal elections on May 6 1989, and the public uproar after the officially announced result was contradicting the results the people were calculating themselves triggered the inner tensions the GDR didn't survive but for another half year.
My lessons are: However you vote, whenever you vote: Make sure you are able to watch the count!
Closed source is fine when all that's at risk is your shopping list, or what pr0n sites you view, but national elections are another thing. For this, the mechanism for voting has to be user-verifiable.
Take a look at Brazil. 100% (I believe) electronic voting, using an OPEN SOURCE voting solution. There, if you have any doubts about the system, you just pull up the entire source code and look for the $republicans++ line or whatever.
Electronic voting could be the best way to defend democracy, but it has to be achieved in a democratic fashion. It can't be controlled by someone looking to make money from it. There have to be NO conflicts of interest. Just a single conflict of interest and the whole integrity of the system comes into doubt, and therefore the outcome.
Having electronic voting that's run by 3 companies spread across the US is a really, truly horrible idea. It puts the ballot paper in the pocket of the politician - surely exactly what it shouldn't be doing.
I'm done ranting now. I want electronic voting to be global. I just want it to come from the people, not some guys in suits trying to get more money.
If you can make sense of that, you're a better man than me :-P
Sorry, but comparing electronic voting with the French manual voting system, I must disagree with most of your post... BTW, I have served as a vote-counter, so I know what I am speaking about ;)
The benefits of electronic voting are obvious and numerous: real-time tallying,
Results of French elections are usually known a few hours after the votes, and after-voting polls usually give the result right at closure time.
greater security (a staffer couriering a box of ballots could theoretically manipulate them, but a staffer transmitting an encrypted database is powerless to alter it)
Votes are counted by groups of six persons with representatives of parties checking. Any voter can demand to take part. Results are then communicated by phone to the Interior Ministry, where they are published voting by voting center. Any of the dozens of persons having taken part in the counting can check that they match.
, elimination of ambiguous selections (eg., "Hanging/Pregnant Chads")
Voters are handed a slip of paper per candidate and an envelope. They vote by placing one of the slips inside the envelope. If there is none or more than one, the vote is invalid. I have yet to see an "ambiguous selection".
less time required per voter,
Voting takes less than a minute on average. I doubt an electronic system would be much faster.
fewer staff required to manage an election, and less paper waste.
You have a point there, though since all of the "staffs" are volunteers the high manpower requirement of the French system is not a financial problem. However this seems to me to be a minor point compared to security and confidentiality.
I am not against electronic voting per se, but it would have to be extremely secure and tested - and the current systems proposed are NOT. And it would have to leave a paper trail - voters who do not have the CS skills to understand electronic security must know that there is a way they can understand to recount votes.
In the meantime, I will gladly stick to a tried and tested system with no severe flaws over shaky electronic systems, even if the latest are "cooler". I find your second paragraph on how we must use electronic voting because everything else is going back to the middle-age worrying BTW - elections are much too important to endanger with a "newer is better, we need the latest gadget" approach.
What do you know about World Politic? Find out in this quiz
One argument is that if you leave the polling place with something that shows how you voted then vote buying is more possible. Another is that you can be threatened or coerced.
The short answer is that it is probably illegal because it allows you to prove to a third party how you voted and thus violates the secret ballot principle. Read the intro to Secret Secret-Ballot Receipts and Transparent Integrity where he describes a different type of receipt.
Test 1 2 3 4
Think "$EMPLOYER says you're fired if you don't vote for $CANDIDATE and bring him the paper to prove it" or "hey, I'll give you $50 for every voting receipt proving a vote for $CANDIDATE"
*******
I wanted to share my voting experience with you in order to assist you in providing even better service for the voters.
This morning I voted using the new Diebold voting machines. I had several unnerving experiences.
First of all, as I touched the NEXT buttons the screens didn't seem to want to move to the next screen. It took several tries to get the screen to go to the next section. However, the more disturbing issue was when I voted NO on prop 56 the vote registered as YES. I kept trying to touch the NO vote and it wouldn't change my selection back to NO. I had to call over a poll volunteer who helped me cancel my ballot, reset my voter card and try again on a different machine.
On this new machine I was able to vote although it also seemed to have difficulty with the NEXT button. I then validated that my votes were registered correctly and tried to confirm my ballot. The confirm ballot button would not register my touches. I could hear a double chirp sound when I touched the confirm ballot button but it would not actually confirm. I had to call over the polling worker for a 2nd time. When she touched the screen it did confirm my vote.
I must say that during all of this I ended up asking if I could have a paper ballot. When the machine voted YES after I touched NO I no longer felt confident that my vote was being registered correctly. Proposition 56 in particular is vastly important as a YES vote would allow our government to raise our taxes with only a simple majority instead of a 2/3 vote. To have the machine accidentally change my vote from NO to YES is really disturbing. I'm glad I noticed it before I confirmed my incorrect vote.
Thank you for looking into these issues. My polling place was [deleted for my privacy]
******
The response from the California Registrar of voters was this:
Please contact San Diego County.
That was it. Why would the California Registrar of Voters send me to my County government? Aren't they responsible for the voting machines? Overall I didn't walk away with a good feeling that my votes would be accurately counted. I'm sure it all worked out, but had I not been paying attention I would have missed that my NO vote became a YES vote.
We had another issue with the GUI. With a paper ballot the layout of the sample ballot you get in the mail exactly matches the layout of the punch card ballot. With the voting machines the layout of the screens did not match the layout of the sample ballot. You had to be very careful that the proposition you were looking at in your sample ballot was the one you thought you were voting for with the voting machine.
The last issue we had in San Diego county was that there were several polling places that were unable to accept votes because when the voting machines were turned on they showed a Windows ME startup screen and nothing else. The polling volunteers decided (and properly I think) that rather than them trying to start the proper program they would redirect people to other polling sites that had working machines. Several people were unable to get to this last minute alternate site and were unable to vote.
So that's what happened in San Diego yesterday. I expect it was fairly typical of the experience across the country.
"I believe that if any voter somehow managed to vote multiple times, that it would be detected within an hour. I have no idea what we would do in that situation. In fact, I think we'd have a serious problem on our hands, but at least we would know it."
Right. If I shot you through both your femoral arteries, you'd know within a second that you were bleeding to death. There's nothing you could do about it, but at least you'd know.
In a close election, all you'd have to do is identify those precincts where your opponent had a strong lead. Find a way to screw up the vote on the Diebold machines. Demand that those votes be thrown out. Demand a recount. Sue all the way to SCOTUS if those votes are included. Lather, Rinse, Repeat. Watch the republic turn into an empire.
In the report, Rubin mentions his real fear: the predesignated zero machine.
I *have* downloaded the code from NZ, a year ago, and skimmed through it. I posted this then, and I'll reiterate: within two hours, I found a function, commented, that *appeared* to be going into the *production* code, not just test, that *says* its purpose is to "install total files" from another system.
This is a far simpler, and more dangerous attack, than fake smartcards.
mark "yes, I can find the function again, on request"