Slashdot Mirror
Avi Rubin's Thoughts On e-Voting
nazarijo writes "Avi Rubin, a well regarded Johns Hopkins computer science professor and leading critic of e-voting, has written an account of his experience as an election judge on super tuesday. Maryland was experimenting with e-Voting machines. Rubin puts it this way, 'this was one of the most incredible days in my life.' He wrote his experiences immediately after the day was over, capturing his perspective on the subject. A very interesting read."
He was a election judge in Baltimore County, MD. Near the end of his story, Avi writes "My biggest fear is that super Tuesday will be viewed as a big success."
And here's what the local media had to say the next day:
Elections Officials Say Electronic Voting Successful
Is this truly the only Earth I can live on?
(I'm not normally a Karma whore, but the site looks like its normally a low-usage site)
My experience as an Election Judge in Baltimore County
by Avi Rubin
It is now 10:30 pm, and I have been up since 5 a.m. this morning. Today, I served as an election judge in the primary election, and I am writing down my experience now, despite being extremely tired, as everything is fresh in my mind, and this was one of the most incredible days in my life.
I first became embroiled in the current national debate on evoting security when Dan Wallach of Rice University and I, along with Computer Scientist Yoshi Kohno and my Ph.D. student Adam Stubblefield released a report analyzing the software in Diebold's Accuvote voting machines.
Although there were four of us on the project, perhaps because I was the most senior of the group, the report became widely associate with me, and people began referring to it as the "Hopkins report" or even in some cases the "Rubin report". I became the target of much criticism from Maryland and Georgia election officials who were deeply committeed to these machines, and of course, of the vendor. The biggest criticism that I received was that I am an academic scientist and that academics do not "know siccum" about elections, as Doug Lewis from the Election Center put very eloquently.
While I dispute many of the claims that computer scientists working on e-voting security analysis are deficient in their knowledge of elections, I realized that there was only one way to stifle this criticism, and at the same time to perform a civic duty. I volunteered to become an election judge in Baltimore County. The first step was to get signed up. I filled out a form at a local grocery store and waited for a call from the Baltimore County Board of Elections. The call never came. So, I called up the board and spoke with the head of elections and found out that there was a mandatory training session a couple of days later. I got on to the list for the training, and I attended. There, I learned that my entire county would be voting with Diebold Accuvote TS machines, the very one that we had analyzed in our report. It was an eery feeling as I trained for 2 hours on every aspect of using the machine and teaching others how to use them. Afterwards, I received a certificate signed by the board of elections and became a qualified judge. I was supposed to receive a phone call within a few days assigning me to a precinct, but I did not. So, I called up the board of elections and spoke with the same woman, who assigned me to a precinct at a church in Timonium, MD, about 15 minutes from my house.
I reported to my precinct at 5:45 a.m. this morning. Introductions began, and I immediately realized that it would not be a normal day. There are two head judges, one from each party. There were also seven other judges. The head judges were Marie (R) and Jim (D). Both of them mentioned that they read about me in the paper that morning, and were pretty cold towards me. It turns out that the Baltimore Sun ran a story today about my being an election judge. In there, I'm quoted as saying that the other judges in my training were in the "grandparent category" with respect to their age. My colleagues for the day, who were in that category as well, did not appreciate the barb and were ready to spar with me.
There are three types of judges besides the head judges. There are four book judges, one from each party with A-K and one from each party with L-Z. There is one judge assigned to provisional ballots, and a couple of unit judges charged with assigning voters to particular machines. I was the L-Z democrat book judge, along with Andy, a grandfather of many, a staunch Republican, and a fellow I grew very fond of as the day went on. To my left were Anne, the Republican judge married to Andy, and Sandy. Actually, there were two Sandys. One began as a unit judge, but early on switched with the other Sandy to be the democratic book judge on A-K. Bill was the provisional judge, and he is m
The next site to slashdot will be ready soon, but subscribers can beat the rush and start slashdotting it early!
Every 15 minutes or so, the unit judge would take the cards and give them back to us book judges. When a Diebold rep showed up, I asked her about this, and she said that it was done to give the voters a sense that nothing was being kept on the smartcards about their voting session.
The Diebold rep is basically admitting that at least some of the security and privacy promises in electronic voting are based on user perception, not reality.
Trolling is a art,
I'm not so sure about this electronic voting thing. I submitted my vote for Kucinich, and the local election board moderated me "-1 Troll".
Also, if you vote for someone more than 30 times in a 24-hour period, you get a "Slow down, Cowboy" warning. Except in Chicago.
Oh yes, totally ironic. How I dread the day when CowboyNeal is illegally modded into the Oval Office.
Moron.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
It was a "primary" election - voters were deciding who should run as the Democrat and Republican candidates in the November election. Only Republicans vote for the Republican Party candidate and only Democrats vote for the Democratic Party candidate.
Very well said. To (mis)quote someone with a sharper wit than mine, "Democracy is two wolves and a sheep voting on what's for dinner."
I claim first use of "Error No. 0B" - or "No. 0B error." It'll be the new ID 10T!
Interesting (and worrying) article.
Here in Ireland, there is a major stink being made over the government's plans to introduce e-voting machines in the next election. They will replace *all* paper ballots everywhere in the country.
Some interesting related reading:
Experts warn about timing of e-voting
Pressure group outlines concerns about electronic voting
What worries me most about e-voting is the fact there is no paper trail. There has been talk here of altering the machines so that they also produce a printout of the vote made by an individual, but the government is resisting it citing expense.
I would rather the old reliable and transparent paper ballot system rather than the closed and opaque e-voting machines.
Patriotism - the last resort of scoundrels.
But electronic voting scares me. Voting is the only way we can directly impose our will upon the establishment. In the current system, every vote cast leaves a permanent, tangible, undisputable (unless some kind of hole punch is involved, anyway) record. Electronic voting leaves nothing that can be held or physically counted, just data on a hard-drive somewhere. Even with the most rigorous security, encryption and protocals, I'll never feel confident that the system is entirely honest and invincible.
Of course, paper ballots can be 'lost' or 'miscounted'. But the altering of an electronic election result could potentially leave no evidence: the only things that will been destroyed or altered never existed in the first place.
Unfortunately, it takes a technically-astute person to identify a potential security flaw like this. It also takes a technically-astute person to implement the flaw. To the average person, the whole situation seems alarmist. It's in the same category as astroids striking the earth: Sure, it could happen, but....
Only after a failure of the e-voting system, a failure that's obvious enough for the average person to understand, will the public demand either better controls or removal of the system.
what?
I live in a country where phony elections were common in the last 70 years. Paperless elections are much safer than paper. why? ballots are lost before elections, voting booths get stolen after election day, if they coudn't steal them they use the g'old tactic called the "green vote".
When ballots are cast in remote locations it's difficult to get the results fast, the votes need to arrive to the accounting facilities where the totals are certified and sent to the central accounting facilities.
When they use the "green vote" (because it originates in rural areas) they take advantage of that delay and claim fake results with the stolen votes and booths. If recounting is needed because of a dispute, accounting facilities and storage can be hijacked or burnt to ground (it's happened a few times).
At least with paperless voting you need something more sofisticated and educated that a horde of gorillas that can barely read and write their names
Kucinich got one vote all day. That ballot somehow failed to get into the sealed envelope I returned to the party that night. All in all, 3 points:
If electronic voting is unavoidable, much like Windows it's "easy to use", why not offer a few alternatives.
Open sourcing is always fun, why not a simpler machine based off standard PC hardware. An open source secured program running off of a LiveCD (to prevent permanent modification. If the CD's secure when it goes it, you can't make permanent changes at the station.)
Each vote is electronically signed, so if you want to add in a fake vote, you'd need to create the equivalent of a public key whose matching private equivalent just happens to have been generated, something fairly unlikely.
NO Networking. Besides everyone getting a hard-copy receipt (or digital copy if they feel like it, as long as it's a receipt, I don't feel what form is too much of an issue), all the data is carried by hand, and once more encrypted after voting so that it can only be decrypted at wherever they feel the votes need to be tallied securely. I mean, obviously decryption can be broken, but generally not too quickly if it's good, and unreasonable delays in the delivery of the votes would be a fairly quick sign something was amiss.
I mean, obviously there's no such thing as 100% secure electronic voting, but peer review as well as an electronic at-machine form of voter verification that requires the machine to authenticate a unique per-voter id just seems like common sense.
I'm going to guess that
But by then you'll probably have ended up joining the Army for lack of better prospects in Bush's economy, so that you can lay down your life ostensibly to protect democracy in Iraq, and surely to protect Halliburton's contracts there.
While I'm sure that somewhere Mr. Jefferson is cringing at your example, please don't feel too bad: Fascists everywhere rely on people just like you; without you they'd never get beyond the Bier-Hall Putsch.
Opinions on the Twiddler2 hand-held keyboard?
After hearing about the security issues with the Diebold machines, I had some doubts. I'm no technophobe, but placing the future of our democracy so completely into the hands of a company which has been less than responsive to public critique is something I find rather frightening.
Turns out they didn't check for ID either. I hope I feel safer in November.
eVoting on machines that do not produce auditable paper trails are disasters waiting to happen. As in many other intrinsically dangerous situations, years may, and probably will go by with no apparent problems.
Our lives are full of protections that are seemingly "no needed." How often does an elevator cable actually break, for example? Does that mean we don't need overspeed brakes on elevators?
Or inspectors to see whether the brakes are there and working?
One little-noted contribution by Edward Teller was his almost single-handed insistence that civilian nuclear power plants be enclosed in containment buildings. This is particularly interesting because he was, of course, a strong advocate of nuclear power. And, of course, nuclear reactors are supposed to be safe in the first place, so why go to the huge expense of a containment building that isn't supposed to be needed? Then a Three Mile Island comes along, and we find out why.
Black-box voting is a disaster waiting to happen. The disaster probably won't happen tomorrow, or this year. And when it does happen, it probably won't happen in a district with plenty of careful, well-trained, honest conscientious poll workers.
"How to Do Nothing," kids activities, back in print!
OK,so I'm not American, but that guy is one hell of a great patriot. Amazing how many people hate the guy when he's out to defend America's #1 institution. Oh wait... democracy was replaced by "don't bug me about my quasi-legal business practices" a few years back. Right.
It was a "primary" election - voters were deciding who should run as the Democrat and Republican candidates in the November election. Only Republicans vote for the Republican Party candidate and only Democrats vote for the Democratic Party candidate.
Here in ole Virginny we have open primaries. Anyone can show up and vote in the other party's primary. So, effectively, there was nothing stopping every Republican from showing up to vote for Al Sharpton or someone they'd love to see win last month's Democratic primary, especially since they wouldn't be wasting a vote at all since there was nothing else to vote for. It's really too scary of a system. It made it easy for me (a newly former Republican) to vote in it...too easy.
Not at all. The real question is whether or not the e-voting system will be a vehicle for widespread massive one-stop-shopping and completely untraceable fraud as opposed to the small-scale fraud that you seem to feel they will prevent.
I think Robert A. Heinlein put it best in a few different ways.
"A dictatorship is based on the assumtion that one man is smarter than a million men. One Question: Who Decides?
A Democracy on the other hand is based on the assumtion that a million men are smarter than one man. How's that again?"
(Time enough for love)
Then also of course
"At the end of the 20th century, the people realized that in a demoracy they could vote themselves bread and circuses, and the world went to hell afterwards"
(Beyond the sunset)
Though personally I like the observation that in any group of people the total intellegance is the lowest intellegance devided by the number of people in the group.
I will not give in to the terrorists. I will not become fearful.
If you think that careers are the most enormous stakes in an election, you're a little too close to the process for your own good. b-)
kind regards,
Jess
I am programmed for etiquette, not destruction!
It is impossible to argue that moving to an electronic system is not inevitable, any more than it is possible to argue in favour of abandoning cell phones and reverting to tin cans and string, or abandoning email in favour of carrier pigeons.
Impossible? To start with, we've already adopted cell phones, whereas we haven't yet truly embraced electronic voting. Moreover, cell phones don't present the kind of threat to our democracy electronic voting does.
It has to be said, over and over again, that once we lose the right to vote, the only way to get it back will be through violence. So it's important that we do everything we can to see to it that the right isn't lost in the first place.
With a corrupt incumbant, people could be intimidated into voting for them, out of fear that the government might quietly (or worse - aggressively) discriminate against anyone who voted for their opponent.
I think that's ridiculous. People register in different political parties all the time, without ill effect.
I would argue in fact that it is vital we publish the ballots that people cast. It is the only way to be certain that an election is on the level. The arguments we always hear against this doing this never stand up to scrutiny.
The only people who benefit from the secret ballot are those who seek to game the election.
Is this truly the only Earth I can live on?
Your "obvious" impression is directly contrary to that of pretty much the entire computer security community. Read what Schneier has to say on the subject, for example - stealing a bunch of ballots is one thing, but silently altering the entire result of the election without having to expose yourself by moving a single physical ballot and while leaving absolutely no physical sign that anything might be amiss is quite another.
Xenu loves you!
Amusingly, as a physician, the rules for how I can transmit simple data require both a stricter level of paper-trail (I have to document in the medical record the consent of the patient to release records and where I sent them) and a stronger encryption (sending medical information via unsecured Fax or modem is against HIPPA rules) than people tolerate on their votes.
Why is chosing [sic] the person that stands as a candidate for the Democrats the business of the states? Why is it the business of anyone except the Democratic party in that state? Why doesn't the party decide - how come it gets the states to run elections for it?
Because America political parties are not as cohesive as European political parties, and a big part of the reason for that is that America has neither a Parliamentary system -- where the executive is a member of the legislature -- and because America doesn't have proportional voting.
For America readers: most European governments are Parliamentary system, so the leader of the government is the leader of the party in power, and the party in power is the party with a majority (or plurality and a coalition) in the legislature. As such it's impossible to have a situation in which the legislature is controlled by one party and the executive is controlled by another party. This allows the government to be less dead-locked, and it was precisely for this reason that America's founding Fathers rejected such an arrangement.
Realizing the tyrannical potential of string central governments -- having just won independence from Britain -- and wishing to ensure the power of individual states under the Federal Constitution, the Founders made sure that it was possible for the legislature -- Congress - to be controlled by a different party than the party of the executive -- the President. This was consciously engineered by the Founders to promote either dead-lock or moderation of opinion and vote trading, in either case keeping the central government weak except in those cases where there existed a true consensus of all parties. (Other features of American constitutional structure also reflect this desire to obtain dead-lock or consensus: the original provision of selection of senators by state legislatures rather than popular vote, allowing filibusters in the Senate, and the requirements of super-majorities in both the national legislature and a super-majority of state legislatures in order to amend the constitution).
Another feature, perhaps less consciously built into the american plan was a weakening of the Party system itself. In European countries (and Israel, but not Britain) with the system of proportional representation, political parties, prior to an election, make an ordered list of all their candidates. Voters vote for the party, not any particular candidate, and the party seats a number of candidates proportional to their vote, starting from their most visible candidates at the front of their lists. So if the legislature has 100 seats, and the Green Party gets 5% of the total vote, the Green party gets to fill five seats, and it must fill those seats with the first five persons on the (previously published) Green party list. The party has a lot of control over candidates in this system, as it can simply tell a candidate to tow the line or be put at the bottom of the list -- or taken off the list altogether.
America fills the legislature by geographically bound Districts, with the winner in each District the candidate with a plurality (except in Louisiana) of the vote -- Europeans frequently refer to this as "First Past the Post" voting, because the first candidate to get enough votes -- like a racehorse nosing out its opponents -- wins. In America, especially in the last ten years, most Districts are generally crafted to contain a majority of voters sympathetic to one party or the other, making most seats relatively uncontested. But the corollary of that is that one district can be a sure thing for one party, the District next to it a sure thing for the other Party.
As a consequence, America elections are decided more locally, and the Party has less power to control the candidate. Indeed, the candidate may depart from his Party's ideology in order to get elected in a District more congenial to the other party, and his Party will be able to do little, as it wants the seat in order to
Opinions on the Twiddler2 hand-held keyboard?
Toronto used them in the last several local elections, and I was a scrutineer (election judge) on the first.
The ballots are a large card, with a table of jobs and cantidates printed on them. The voter colors in the sharft of a broad arrow betwen cantidate and the position.
The cards are carrid in a folder to the recorder, who puts them face-down in the reader, which reads and totals them, and feeds them face-down into a box. The box is kept, for manual and electronic recounts.
At the end of the day, a printout is made for each scrutineer, another for the records and then the results are sent by cell phone to the master polling station.
By the time I got back to the cantidate's office, the results were on TV, by polling station, and they matched my printout.
--dave
davecb@spamcop.net
Furthermore, small-scale fraud is pretty much guaranteed to cancel itself out. A corrupt Republican stuffs 20 dead peoples' ballots in one precinct, and a corrupt Democrat gets another 20 corpses to vote in the next precinct. Net effect: ZERO.
Electronic voting practically guarantees that the corrupt side with the best crackers to win. The only proof of electoral fraud in an electronic system is likely to come in the form "A team of hackers for Our Guy knows it stuffed 100,000,000 ballots. We hired them and watched it happen, but the popular vote came out 101,000,000 to 99,000,000 in favor of Their Guy. Obviously, Their Guy also hired crackers to rig the election! We want a do-over!"
Personally, I'm OK with a society in which the Side That Gains The Political Allegiance Of The Best Hackers gets to rule the world. I think a society in which the Democratic candidate campaigns on a platform "We'll execute all RIAA members in exchange for your help in rigging the vote", only to be countered with a Republican candidate running on "We'll execute all RIAA members, and because we're also pro-gun, we'll let you pull the trigger on them in exchange for your help in rigging the vote!" would be pretty fucking cool.
Would it be a free society? Given the influence the techno-elite would have, it might be even more free than our present one. But I'd never pretend to call it a democratic one. I'm OK with that, because I happen to believe that democracy is overrated. The Constitution in its current form differs with me on that point. The one that governs the country in which I live says the society is supposed to be a representative republic in which the votes cast by the people for their representatives count.
Because I also believe in the rule of law , and because that Constitution is the law, however cool a society ruled by h4x0rz might be, I must therefore oppose electronic voting. Pisses me off to be consistent in my beliefs sometimes, but there you go.
First, I'm impressed by Avi's candor. His admissions of his own error, his discussion of mitigation of some risks, and so on point to someone, I feel, who is trying their utmost to be forthright and thorough. By the same token, clearly these doing really lessen the great danger of an e-voting machine. We need to stop for a moment and consider the sinister possibilities. When, say, Microsoft buys Diebold, purportedly for technology or such, who's to say they're not buying themselves a congress that will outlaw open source? That's only the most mild of such scenarios.
Second, I wonder if there's a sacraficial lamb out there who'd be willing to hack a Diebold box. If someone could successfully seriously skew the outcome such that people went, "Wait, that's *really* the result?" and then claim credit, that might be the death blow to unaudited evoting.
Third, I'd like to simply point out an analogy that's appropriate when consider that e-voting on super tuesday was "successful". Windows works pretty well when you sit down and use it, most of the time. That doesn't mean it's secure - witness the rash of viruses as of late - and it doesn't mean it isn't *disastrous* when that insecurity is exploited.
Thanks for doing what you can to keep the spotlight on this issue, Avi - America needs you.
If you are worried about the insecurity of e-voting, and you are wondering what to do, join EFF. They are working hard to educate the public and our politicians on this subject.
Test 1 2 3 4