Slashdot Mirror
Schneier On Electronic Voting
Bruce Schneier of security and other fame has posted a web log entry on the problems with electronic voting machines. The post is an excellent one, and does a very good job of covering all of the issues associated with the machines. I think it's fair to say that at some point electronic voting will be ready - but it's not ready now.
November 10, 2004
The Problem with Electronic Voting Machines
In the aftermath of the U.S.'s 2004 election, electronic voting machines are again in the news. Computerized machines lost votes, subtracted votes instead of adding them, and doubled votes. Because many of these machines have no paper audit trails, a large number of votes will never be counted. And while it is unlikely that deliberate voting-machine fraud changed the result of the presidential election, the Internet is buzzing with rumors and allegations of fraud in a number of different jurisdictions and races. It is still too early to tell if any of these problems affected any individual elections. Over the next several weeks we'll see whether any of the information crystallizes into something significant.
The U.S has been here before. After 2000, voting machine problems made international headlines. The government appropriated money to fix the problems nationwide. Unfortunately, electronic voting machines -- although presented as the solution -- have largely made the problem worse. This doesn't mean that these machines should be abandoned, but they need to be designed to increase both their accuracy, and peoples' trust in their accuracy. This is difficult, but not impossible.
Before I can discuss electronic voting machines, I need to explain why voting is so difficult. Basically, a voting system has four required characteristics:
1. Accuracy. The goal of any voting system is to establish the intent of each individual voter, and translate those intents into a final tally. To the extent that a voting system fails to do this, it is undesirable. This characteristic also includes security: It should be impossible to change someone else's vote, ballot stuff, destroy votes, or otherwise affect the accuracy of the final tally.
2. Anonymity. Secret ballots are fundamental to democracy, and voting systems must be designed to facilitate voter anonymity.
3. Scalability. Voting systems need to be able to handle very large elections. One hundred million people vote for president in the United States. About 372 million people voted in India's June elections, and over 115 million in Brazil's October elections. The complexity of an election is another issue. Unlike many countries where the national election is a single vote for a person or a party, a United States voter is faced with dozens of individual election: national, local, and everything in between.
4. Speed. Voting systems should produce results quickly. This is particularly important in the United States, where people expect to learn the results of the day's election before bedtime. It's less important in other countries, where people don't mind waiting days -- or even weeks -- before the winner is announced.
Through the centuries, different technologies have done their best. Stones and pot shards dropped in Greek vases gave way to paper ballots dropped in sealed boxes. Mechanical voting booths, punch cards, and then optical scan machines replaced hand-counted ballots. New computerized voting machines promise even more efficiency, and Internet voting even more convenience.
But in the rush to improve speed and scalability, accuracy has been sacrificed. And to reiterate: accuracy is not how well the ballots are counted by, for example, a punch-card reader. It's not how the tabulating machine deals with hanging chads, pregnant chads, or anything like that. Accuracy is how well the process translates voter intent into properly counted votes.
Technologies get in the way of accuracy by adding steps. Each additional step means more potential errors, simply because no technology is perfect. Consider an optical-scan voting system. The voter fills in ovals on a piece of paper, which is fed into an optical-scan reader. The reader senses the filled-in ovals and tabulates the votes. This system has several steps: voter to ballot to ovals to optical reader to vote tabulator to centralized total.
At each step, errors can oc
sigs, as if you care.
What we need is a SIMPLE mechanism for voting. This leaves fewer chances for something to go wrong. Don't let feature/scope creep factor into designing a voting system, especially when it's a new from scratch system.
...yup...
... that counting poses so much problems if done electronically.
CC.
TaijiQuan (Huang, 5 loosenings)
He brought up one important point then that I didn't see in his blog -- accuracy is the most important thing.
This might seem obvious, but most people seem more concerned with knowing the results of the election on election night than having every vote counted reliably.
In soviet russia, You ask not what country do for you, but what you do for country!
Oh wait...
This isn't a statistical proof anymore. CNN rigged the exit polls to hide the extremely unlikely discrepancy between votes and its published exit poll numbers!!!
1 36
/least/ 462 men say they were for Kerry in the first sample, and the number DROPPED to a maximum of 455 in the second sample!
While this isn't tampering with the vote itself, it shows CNN is trying to help Bush cover the unlikely discrepancy! Perhaps we're living in interesting times and it was a one-in-a-billion discrepancy between votes and exit polls... but since we CAN'T VERIFY THE MACHINES my opinion is that vote tampering is much more likely than not and CNN covered the trail.
http://www.dailykos.com/story/2004/11/3/3646/14
(backup that entire web page please, we never know)
Quote:
"Let's first look at the women. In the first sample, 53% of 1,963 people can be anywhere from 1,030 to 1,050 women in the sample (try punching numbers outside that range into your calculator, it won't round to 53%). In the second sample, 53% of 2,020 people is anywhere from 1,061 to 1,080 women in the sample. So anywhere from 11 to 50 additional women were surveyed.
Well, in the first sample, 53% of women went for Kerry, meaning an absolute minimum of 541 (541/1030) women to an absolute maximum of 561 (561/1050) women for Kerry. So in the first exit poll, somewhere between 541 and 561 women were for Kerry.
Now for the second sample. 50% of women going for Kerry means an absolute minimum of 526 (526/1061) to an absolute maximum of 545 (545/1080). So in the second poll, somewhere between 526 and 545 women were for Kerry.
So it is *technically* possible that, say, 542 women went for Kerry in the first sample, and almost all the women they interviewed afterwards went for Bush (say only 2 went for Kerry), and then you'd have 544 women say they're for Kerry. This is actually within reason. If we had the raw numbers, we could tell for sure. Or even percentages to the tenths place.
*BUT*..... With the men, in the first sample there were between 913 to 933 men, and 940 to 959 men in the second sample. So anywhere from 7 to 46 additional men were surveyed. In the first sample, anywhere from 462 (425/913) to 480 (443/933) men were for Kerry. But in the second sample, anywhere from 438 (438/940) to 455 (455/959) men were for Kerry! You had at
THIS IS IMPOSSIBLE. I've allowed for the biggest intervals possible that would still result in the given percentages. Something is very wrong here. This is mathematically impossible."
So can any statistician give us an idea of why that kind of thing could be happening??
Microsoft is pure dog-ma. FreeBSD is pure cat-ma.
And nobody outside the geek community will ever, ever give a shit. I was talking to a nontechnical coworker last week about it, conversation went something like this:
Her: So, turns out your fears about electronic voting weren't anything after all, eh?
Me: Why do you say that?
Her: Well, there were no problems...
Me: Yeah? How do you know?
See, the lovely thing here is that this whole issue is just going to fade away because people by and large aren't sophisticated enough to realize that voter fraud can be taking place unless they see people squinting at punchcard ballots. And the media ain't going to look into it for the exact same reasons.
I'm Skyshadow and I approved this little ray of morning sunshine. Now go about your business.
Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
Seriously guys, we can restart this in another 4 years, or 2 if you actually care about the house/senate.
Don't you think now is the oportunity to improve the system so that when election time comes in two or four years, the system has already been improved. Starting to discuss this again two months before the next election will not allow the system to be fixed/improved.
Oh wait, yeah: vote-selling, retribuition, targetted disenfranchisement, harrassment, intimidation, etc. Forgot about those. But hey, otherwise you make a really great point.
Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
Most of the voting software used during the 2004 Presidential elections were proprietary code by private corporations that have political interests on which candidate winning. It is unimaginable how these votes can be considered as legitimate when there is no method to trace accuracy.
Open source voting software such as this one should be replacing proprietary code from private corporations.
>Since when was [anonymity] important?
Although your post was already rated flamebait by someone else, I'll assume your question is serious, and answer it.
Anonymity is important in voting because without it, there can be two Bad Things: 1) vote buying (I pay you to vote a certain way, but I'll need proof that you really did vote that way) and 2) coercion (You better vote a certain way or else I'll break your mother's kneecaps).
Anonymity in voting provides assurance that for the most part things like this can't happen, because the bad guys have no way of verifying who you voted for.
If we can make ATMs that work well then we should be able to make voting machines that work just as well. In fact, why don't we get the people that Make ATMs to make voting machines as well. Let's see, do ATMs stand up to his four criteria?
Let's take that a bit further, why not turn ATMs into voting machines? They're already part of a large, secure, nation-wide network, they're built for security, and there's bazillions of them. Wouldn't it be great to just go to your bank to vote? That would eliminate the need to go to a polling place and should reduce the lines tremendously.
Sure there might be other problems with this approach, but banks already have years of experience securing and relying on ATMs.
--Not free as in effort, but I'm willing to try it. Free Flat Screens | Free iPod Photo |
infested with jello like fishes no melotron wishes
Does anyone remember how India had elections several months ago and managed to do this with a simple system that can be used by people who can't even read? A billion people all voted using the same system countrywide? How everyone turns out to vote, and the poor people were the ones who decided the outcome of the election? We've been doing this democracy thing for a while, you'd think we'd have it figured out.
america just got pwnd!
I hate to respond to AC Flamebates, but this is important.
Anonymity is important.
Who would think that they had a right to vote if they thought that they might lose their job based on who they voted for ?
Who would think they had a right to vote for whomever they wanted if they thought there was a chance that their life, or the the life of their friends and family, could be in danger if someone knew who they voted for ?
If you don't think it is important, you obviously haven't thought about it.
I apologize if this is consider trolling, but I submitted this story a couple minutes ago and since it's relevant to this story I'll post it in here (since it probably won't get approved if this one is already up. If it does make it up just mod it offtopic):
... or they would be if this weren't a freaking voting machine!
Technical director Dr. Avi Rubin of the John Hopkins University Information Security Institute (ISI) has made a presentation regarding Diebold's voting machine source code (pdf) to the National Institute of Standards and Technology (NIST has been playing a key role in the improvement of voting systems since 2002.) Turns out, amongst other major security problems, Diebold was using NIST's Data Encryption Standard (DES) to encrypt votes and audit logs. DES was developed in 1976 was proven breakable by a "brute force" system in 1998. NIST proposed revoking DES's certification last July and recommends AES or at least 3DES.
Read from page 13. There are some hilarious comments
Nader calls for US election recounts
A paper trail is not a sure thing....particularly a *machine-printed* paper trail. In certain districts that heavily favor a candidate by a large margin, printing a duplicate paper trail might be trivial. This is particularly true in situations where there might be a long period of time before a by-hand recount.
I think there should be some sort of hashing and/or signing throughout the day, with the hashes periodically given to poll workers and watchers (and perhaps the voters themselves) that could authenticate the paper trail later.
Of course we're so far off from clueful use of cryptography in voting that this point is not relevant yet. But it seems to me that these are the kind of problems cryptography was designed to handle, and it would be smart to start thinking that way.
I never really understood *why* people in the US expect to know results "before bedtime". Do they really?
Keep in mind that the 2000 Bush/Gore race was the first of the television era where the margin of victory wasn't significantly larger than the margin of error in exit polling.
1976's Carter/Ford race, the previously closest race post-WWII, had a spread of 57 electoral votes. In contrast, Bush won in 2000 by only 5 electoral votes.
When the race is so close, it's much harder to accurately predict the winner quickly. It doesn't stop the media from trying, though; fast results are what the public has come to expect.
The main differences I see between the machines in the US and in India is that the machines over in India are *simple* and completely *hardware* based. Also look at the graphic of the machines (in several areas candidate names were replaced by well-known party symbols to cater to the illiterate population, which the picture doesn't show).
In the US, on the other hand, there's been a great deal of corporate lobbying to introduce *complex* machines running a complete *OS* (for Chrissakes!) with some machines even sporting a connection to the Intarweb. Their main argument for these "features" seems to be that they can be used easily by disabled people. It sounds pretty hollow, when you see that most people spouting these justifications either stand to profit from the elections (Diebold, Microsoft) or are getting paid to push them (politicians). And again, there are a zillion other ways to make the elections more "disabled friendly" without having to install the entire OS on it.
Granted, the elections in India were not completely without incident, but for a democracy with an electorate of 600 million people, a million voting machines and 543 constituencies, they were pretty darn effective.
An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
HUH??? Oh, I keep on forgetting that the range of debate in mainstream American media is so small that they use "left" and "right" in a completely different sense than the rest of the world. Everything is shifted to the right. CNN is definitely right-wing, when compared to something that is *actually* leftist.
I like everything you said, except one problem: 4 candidates per screen with a "more" button. Anyone who designs web pages or newspapers knows that people don't like going "below the fold/crease". A voter who is undecided (or lazy for that matter) is less likely to even see a candidate on the 4th page than one on the 1st page. You get the same problems with touchscreens, but the scrolling may be more intuitive for most people.
;)
Perhaps one solution would be to have the software randomize the order of the candidates, so it would eliminate the crease arguement altogether. You could have your 5 buttons then.
Each machine would still require a printer for our voter-verified paper trail, but coming up with a fast, efficient, inexpensive, and stable (no jams) shouldn't be THAT big of an issue.
You have enemies? Good. That means you've stood up for something, sometime in your life. --Winston Churchill
(Sorry, couldn't resist the ad pseudonym.)
Anyway, exit poll numbers are unreliable for a variety of reasons.
First, you don't know who is taking the poll and what their biases are. How were the voters selected - just the pretty girls, or people who looked safe? You never know.
Second, you don't know where the polls were taken. Were they only in urban areas, easily reachable? Were the areas chosen to be representative, or were they chosen with true randomness (out of a literal hat, for example)? Or were they chosen off the top of someone's head? The sites should have been selected at random and with a large enough distribution of sites.
If you don't do it randomly, but you pay careful attention to demographics to get an approximation of the overall population and their likely voting preference, you are still injecting your preconceived bias (that the pre-election polls were accurate) into the process. Garbage in, garbage out.
The sample size of 1000 or so is ok *if* it's an independently drawn sample. That is, the exiting voters should have nothing in common. By virtue of the fact that they all voted at the same time, and they were willing to answer a poll, they obviously have something in common, even if the areas chosen for the sampling were chosen well.
I suspect that there weren't enough people doing the exit polling. If you had 30 or more sites chosen at random, and then randomly selected people from those sites to ask, you might get a clearer picture. You'd still have error, and it could still all be skewed one way or the other, but at least you'd minimize the risk.
Overall, announcing the results of exit polls before the election is done is a bad idea, if only because it convinces the simple-minded that something is wrong with the system.
sigs, as if you care.
CNN is notoriously left-leaning. Even if you believe they are central, I defy anyone to explain to me why the fuck CNN would change numbers to suit Bush. It is pure insanity.
CNN is notoriously conventional-wisdom leaning and don't-rock-the-boat leaning. That conventional wisdom among the college educated (of whatever political party) is in some aspects "liberal" when compared to, say, that of those with only high school degrees, and the the major media almost exclusively employs college grads (Jennings being the exception) gains it accusations of "leaning left."
But conventional wisdom also says: "They would never rig the voting machines - despite the many ruthless things a side has engaged in, including faking evidence for war and voter suppression, and despite highly partisan hacks running the elections in OH and FL, rigging the vote tabulating machines themselves is just beyond imagination." And don't-rock-the-boat says, "We must make sure the sheep don't develop a fundamental distrust of their shepherds, or we (the current establishment, including particularly Time Warner, GE, Disney, Viacom) are all in trouble."
"with their freedom lost all virtue lose" - Milton
How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
I have a friend who semi-jokingly says he doesn't believe that world war 2 happened, because it just sounds too ludicrous.
I mean, seriously... an industrialized nation that is filled with some of the smartest minds in the world (i.e. Einstein was German), goes on a campaign of genocide because they decide all Jews are inherently bad people.
Truth is more outrageous than fiction. Go ahead and keep believing whatever is necessary to keep your faith in authority.
-------
Incite and flee.
Why is it that you are so proud of the popular vote THIS time? Everywhere I go I hear about this supposed couple of percent "mandate". Four years ago you definitely played a different tune when the popular vote was mentioned. Opportunists.
We have this crazy system in Canada...
;p
Voting is done with a pen on paper.
Then we count them.
We must be insane in Canada eh?
Perhaps the exit polling sucked balls? Perhaps the numbers they were showing were not correct and they updated them with the correct data? Perhaps the early voters were Democrats and the later voters were Republican.
/ results2004_lg.jpg
Well, from the 3d election results:
http://www.esri.com/industries/elections/graphics
It looks like most of the areas who voted for Kerry were in urban areas. Now, if the exit polls were conducted in mostly urban areas you can see how the results would be biased in favor of Kerry.
A Human Right
The 2004 election revealed many problems with electronic voting: lost votes, undervotes, overvotes, and votes rolling over into negative numbers. These links are taken from the group blog E-voting experts:
Yes, I'm French... Feel free to ignore this post (but replying by bashing France in general would be off-topic).
I think that the main problem is not the voting technology. It is the electoral system (in the US, and sometimes elsewhere).
The 2-level presidential vote is not really democratic... The people should be able to choose from many candidates. FWIW, in France, the presidential vote is usually a 2 round vote: on the first round, dozens of candidates (with a small limitation: each candidate has to be approved by > 500 county majors or MPs from several regions). On the second round, only the two candidates with the biggest votes (on the 1st one). So in the first tour, you vote for whom you like. In the second one, you vote against whom you dislike the most.
The lack of several (more than 4) realistic candidates at US presidential elections.
Most importantly, the lack of real constraining limits on the budget of each american party. IMHO, there should be a strong legal limit (of about a few dollars per voter) on the electoral budget. Since a campaign costs much more than a billion dollar, each of your candidate has to sell himself to big corporations... There are such limitations in France, but I think they are not severe enough.
I prefer the 2-round system used in France for the presidential election. (and yes, I am ashamed it did not work very well on the last presidential election, when Chirac faced an ultra-right candidate LePen; and Chirac did not understood that he was not really elected by 80% of the voters. He should have resigned immediately after his election, to let start a real vote.).
Anything in a computer can be hacked. Period. And there is no way to tell that it hasn't been hacked. Period.
Paper ballots are plain to read. When you recount a paper ballot where the person marks in ink what their choice is, there is no hanging chad and no concern that the punch card or optical scanner or touch-screen software has a glitch that led the machine to systematically miscount. Most importantly, people can do a recount with paper ballots. If there is a question about the accuracy of the tally, it can be independently verified.
Paper ballots are still prone to election fraud: people can "misplace" them, burn them, etc. But fraud and systematic errors are way easier with a computer. As long as balloting is done by computer, every election will be clouded by deep uncertainty.
http://greenlightwiki.com/lenore-exegesis/Parliame nt_of_Attitudes
False Epiphany: A Grad Student Takes Dictation from the Muse