Wisconsin Requires Open Source, Verifiable Voting

AdamBLang writes "Previously covered on Slashdot, Wisconsin Governor Jim Doyle today signed legislation that "will require the software of touch-screen voting machines used in elections to be open-source. Municipalities that use electronic voting machines are responsible for providing to the public, on request, the code used." Madison's Capital Times reports "the bill requires that if a municipality uses an electronic voting system that consists of a voting machine, the machine must generate a complete paper ballot showing all votes cast by each elector that is visually verifiable by the elector before he or she leaves the machine.""

KISS

[grub]

[T]he machine must generate a complete paper ballot showing all votes cast by each elector that is visually verifiable by the elector before he or she leaves the machine.

And how do we know that the prinout matches whatever counter is incremented within the computer? Being open source makes it tamper-resistent, not tamper-proof. Would it not be easier to just use a paper ballot in the first place? Then any recount could be performed against the actual ballots cast, not as a spot check against computer (glitches|fraud).

Re:KISS

[McGiraf]

if there is a doubt you ask for a recount and count .... the paper ballots!

duh ..

Re:KISS

[hazem]

What I've always thought would be a good idea would be a computer to help generate the ballot, and then a separate computer to count those ballots.

This offers the advantages of multi-language ballots with brail, audio prompts, etc. And the resulting ballot is standardized so it can be read by both machine and human - and no "hanging chads".

The ballots can then be easily counted by another machine - and human validated as necessary.

The ballot-generating computer never needs to "count" - but it could do so as a spot check against the counting computer.

Re:KISS

[Dutchmaan]

We can only move in the right direction.. This is a positive step to be sure, and as flaws in this system reveal themselves we will take further steps toward refining the process of preserving intergrity in the voting system.

The perfect democracy is a goal and can never really be perfectly attained... but it serves as a compass to keep us going in the right direction.

Re:KISS

[SatanicPuppy]

I'm all about e-voting, but the way it's shaped up, I'm going to have to agree with you. Everybody fills it out with a #2 pencil, fill in the WHOLE bubble Grandma, then put your thumbprint in the corner, and stuff it in the nice locked box.

Even that probably isn't truly secure in our system. The joker who picks up the boxes will lob a couple in the lake on the way to get them counted.

Re:KISS

[grub]

"if". Being that leadership of government is being determined, I'd prefer the actual cast ballots be counted. Canada does it in a few hours with 1/10th the US population (and the public can view the count I believe)

Re:KISS

[cait56]

That's why you also need a write-only audit trail produced
before the voter leaves the booth. A second paper copy is
certainly one form of a write-only audit trail.

Keep in mind that paper-ballots were far from perfect.
Counters could and did vote for people who neglected
to fill in for some contests, and/or create extraneous
marks on the ballot to make it retroactively ambiguous.

A print-out with full candidate names is a lot harder
to alter than a pre-printed form with Xs inside of boxes.

Re:KISS

[kfg]

. . .put your thumbprint in the corner . . .

No.

KFG

Re:KISS

[blazer1024]

Voting systems are only as good as the people administering them. Even with the most super-secure systems, if you pay/kill off enough of the right people, it doesn't matter what the vote really was. Especially if you screw with random polling on television so it *looks* like the vote is going to head in the direction you want it to, as well... nobody's going to question the local news station's informal polls anyway.

If all that fails, just get plenty of dead people to vote. That what they do here in Albuquerque anyway.

Re:KISS

[Rude+Turnip]

To elaborate on kfg's comment..."No. I'd rather not give my employer or corrupt union leader a way of tracing my ballot back to me. I appreciate my status of being employed and only wish to have my bones broken due to a skiing accident."

Re:KISS

[HUADPE]

Agreed. One of the major tenets of democratic voting is the secret ballot. This is in and of itself a problem with electronic voting because the order of votes can be counted as well as the votes themselves. A determined individual can then match the order and time of votes to individuals as they signed in to the polling place. Non-secret ballots can allow for voter intimidation (will the new mayor fire people who voted against him?)

Re:KISS

[hackstraw]

Being open source makes it tamper-resistent, not tamper-proof.

Somebody, probably not me or you will compile the final code to be run on some computer that we don't know the details of anyway. That somebody may know how to alter the code, maybe not.

I know of no way that a computer recount could happen without a paper trail.

Would it not be easier to just use a paper ballot in the first place?

I don't see how this is so difficult. Each voting place I've been to scratches off your name when you show up to vote off of a roster of registered voters, and there should be a total count of those registered which should equal the number of pieces of paper in the ballot box.

There can be simple large scantron type cards that are immediately sorted into something like X party, Y party and Z party, and maybe "other". These can be quickly gone though and if there was an X in the Y party box, something might be fishy. If the Z party box weighs more than the X party box which has more than Y, then Z won. It could counted if mass is that big of a controversy.

In this country, people have the right to anonymously vote for a particular candidate, but not to vote anonymously. It is known when you vote, and for good reason so that dead people don't go around voting over and over again or even live people.

What is so difficult with counting nominal data these days?

Re:KISS

[AKAImBatman]

Mod parent up:

100% Correct
100% American
100% Insightful

Remember that one of the key points in an election is anonymous ballots. The entire point is that someone can't hold a gun to your head (or hold your family hostage, blackmail you, or do millions of other nasty things) to force you to vote the way they want you to. The moment a ballot can be traced back to its owner is the day our entire system will collapse.

Re:KISS

[Joe+U]

It would have helped if I actually pointed to a sample.

http://www.tulsacounty.org/documents/Dec13Sample.p df

Re:KISS

[oni]

Just off the top of my head, I would say:
Give the voter a receipt that consists of, 1) a long randomly generated ReceiptID, 2) a plaintext record of the vote (as in, "you voted for Kodos"), and 3) a cryptographic signature.

So in other words, I have a peice of paper that I get to take home with me and on that peice of paper is written:
------ Begin PHP Signed Text -----
ReceiptID 243524534523423454345234234
Voted For: Kodos
------ Begin PHP Signatre Block -----
(signature here)
------ End PHP Signatre Block -----
------ End PHP Signed Text -----

After the election, you can publish the ReceiptIDs and vote records on a website. Anyone who wants to verify the authenticity of the election can tally all the votes themselves. If I want to make sure that MY vote counted, I can look it up. If I see that they changed my vote, I can come forward with my reciept. I can't change my receipt because it's crytographically signed. Nobody can find out who I am because my reciept number has nothing at all to do with me, it's just a random unique number.

(why is it that this stuff always seems easy to us slashdotians? Why do corporations always make it so complicated and broken??)

Re:KISS

[cortana]

Like EVM2K3? :)

Re:KISS

[mooneyd]

That's exactly how it should be done. Use a touch screen to make your choices, it prints out a op-scannable ballot you can hold in your hand and verify. You then stick it in one of two slots: the scanner slot or the shredder slot. That action will either confirm or reject your vote inherantly. If you reject the ballot, you can go through it again on the touchscreen, otherwise you are done.

And the machines should be developed by national research labratory in a completely open and transparent way. The source code, design plans and manufacturing process would be completely auditable by the public. No corporate control of voting machines. No security through obscurity.

Re:KISS

[hazem]

The problem with a receipt is that it can then be used to make sure you voted a certain way.

corrupt boss: Joe, have fun voting, and be sure to bring back your receipt so I can know how you voted and decide if I'm going to fire you. Oh yeah, and if you don't have a receipt, I'll fire you.

Re:KISS

[sam1am]

As has been mentioned elsewhere; this is a bad idea, because you could be "persuaded" to share your receipt number with someone else, who could use it to verify you voted a certain way.

Guy sets up booth taking receipts that prove a vote for candidate A, you get $10.

Or more insidious, your boss tells you you need to vote for candidate A. In order to obtain your next paycheck, you must show your receipt that you voted for candidate A.

Once you leave the polling place, you should not be able to verify your vote to yourself or anyone else.

(Now, if you took that receipt and dropped it in the ballot box on the way out of the polling place, that's another story)

Re:KISS

[skiflyer]

What is so difficult with counting nominal data these days?

It's not difficult to count nominal data these days, it's difficult to verify (to yourself and outsiders) that no one along the way has been able to modify the count. In the paper ballot days, a simple recount is what was offered, this addresses mistakes, and malicious counters who lie about what they tallied. But it doesn't help with ballot stuffing or tossing the box into the river... so then you could have the ballots inspected, and a committee would check for comparisons between vote totals and vote sign ins, and so and so forth.

One of the major difficulties with electronic tabulation is that if you keep it super simple, there's no great way to go back and verify. Everything is at the word of the computer.

As far as your scantron solution, that's great for a single ballot initiative, but last time I voted we had well over a hundred... do I fill out a hundred cards?

Re:KISS

[kernelpanicked]

------ Begin PHP Signed Text -----
ReceiptID 243524534523423454345234234
Voted For: Kodos
------ Begin PHP Signatre Block -----
(signature here)
------ End PHP Signatre Block -----
------ End PHP Signed Text -----

I think what you're looking for is 'PGP" signed, but hen again some folks will use php for damn near anything.

Re:KISS

[j.+andrew+rogers]

Something similar is done in Nevada, which is generally regarded as being clueful about preventing fraud in electronic machines thanks to many years of dealing with elaborate attempts at electronic gambling machine fraud. Much of the value of electronic voting machines are that they are inexpensive, fast, and theoretically less error-prone to manage compared to pre-printed paper ballots and other older methods.

While no voting system is fool-proof, the Nevada method is something like this: Electronic voting with a voter-verified paper receipt to ensure that what is on the paper is what was selected electronically by voter. The paper receipts are collected and a few percent of the total paper records are randomly and independently audited to verify the electronic records. The important thing that happens here is that the verification and authentication of the vote is distributed among multiple authorities, providing strong statistical evidence that an election was indeed counted as it was voted while providing no single point of failure or manipulation that is likely to go unnoticed. It also does not have the overhead of manually counting every single paper ballot.

This is actually a more robust voting protocol in many ways than the paper ballots it replaces. I do not know if Wisconsin is doing things precisely this way, but I imagine that they would use some variation of the Nevada protocol.

Re:KISS

[Rich0]

Agreed - the simplest and most efficent solution is full automation with some percentage of completely random auditing.

In each state pick 10 precients at random, and count every last vote in them - they better agree to the automated total.

The proposal to always count them manually amounts to 100% auditing. Sure, it works, but it really isn't necessary. In fact, it is likely to have a higher error rate since there is no value being checked against (unless you have two independant groups count all the votes separately and submit separate counts which are then cross-checked).

Have each machine programmed, assembled, and sealed by an individual who signs some dotted line. If the count turns out wrong, the machine gets a major investigation. If there is fraud, the individual gets sent to prison with an opportunity to somewhat reduce his sentence by singing like a canary.

The EU uses systems like this for drug imports. If you want to certify a lot of manufactured drugs as safe for use in Europe, you have to have an EU citizen sign on the final line. The logic is that there is at least somebody personally accountable for the action who lives in the EU jurisdiction. In the same way, if a megacorp builds a bridge there is still an individual engineer signing each drawing.

The key to law enforcement is individual accountability. No need to waste huge amounts of money counting every vote by hand. You just need to make sure the system fosters accountability. If you check 5% of the precients across the country the chance of any widespread fraud going uncaught is very low. Once widespread fraud is detected you would of course count every last piece of paper three times, and send the bill to the perpetrators...

Re:KISS

[iluvcapra]

Well, if you're using PHP, I know exactly how I'd vote:

Enter your vote below:

Kodos; INSERT INTO votes ('candidate') VALUES ('Kodos'); INSERT INTO votes ('candidate') VALUES ('Kodos'); INSERT INTO votes ('candidate') VALUES ('Kodos'); INSERT INTO votes ('candidate') VALUES ('Kodos'); INSERT INTO votes ('candidate') VALUES ('Kodos'); INSERT INTO votes ('candidate') VALUES ('Kodos');INSERT INTO votes ('candidate') VALUES ('Kodos'); INSERT INTO votes ('candidate') VALUES ('Kodos');

Etc...

Re:KISS

[Richard+Steiner]

That might be a thing to do anyway just as a sanity check...

Re:KISS

[gbobeck]

"In this country, people have the right to anonymously vote for a particular candidate, but not to vote anonymously. It is known when you vote, and for good reason so that dead people don't go around voting over and over again or even live people."

You've never dealt with the Chicago Board of Elections. Chicago is the only city in the US where the dead vote on a regular basis.

"There can be simple large scantron type cards that are immediately sorted into something like X party, Y party and Z party, and maybe "other". These can be quickly gone though and if there was an X in the Y party box, something might be fishy. If the Z party box weighs more than the X party box which has more than Y, then Z won. It could counted if mass is that big of a controversy."

Recently, the City of Chicago used a system where voters used punch-card systems (similar to the butterfly ballot used in Florida, but better laid out). Voters, after they finished punching their votes would feed them into a scanner and the vote would be counted. The only problem was that *some* election judges didn't spend the time going to basic training so they ended up telling the voters to re-feed their ballots into the machine numerous times, causing errors in the tallies.

Re:KISS

[AKAImBatman]

Your system really isn't any different than the one in the US. In the US, you must first register to vote. This only needs to be done once, after which the voting place will expect you. As soon as you check in, your name is crossed out and you're given a ballot. That ballor has no identifying information, thus securing your right to a secret ballot. If a recount goes into effect, two things can happen:

1) The ballots themselves are recounted
2) The voters who showed up are verified to ensure that no one voted who shouldn't have. (e.g. Dead people.)

The system is tedious, but it works. The problem that has arisen, however, is that districts want to streamline voting by using electronic ballots. Since it can be difficult to *prove* that a counted vote wasn't changed after the fact, we have various stories like this one pointing out the many problems with E-Voting.

Re:KISS

[deblau]

And how do we know that the prinout matches whatever counter is incremented within the computer?

We don't, other than by inspecting the source. Once we cast our vote using a paper ballot, how do we know it was actually counted? We don't, other than by having observers present. Source inspection is the digital analogue of human election observers.

IMHO, having computers count is more accurate than having people count. Remember, as Stalin may or may not have said, "those who cast the votes decide nothing; those who count the votes decide everything." Florida 2000 and Ohio 2004 showed us that. Computers have no motivation to lie, and I can inspect a computer's source code. I can't inspect the mind of the person counting my paper ballot. To me, computers have more accountability.

Re:KISS

[hackstraw]

I wish I was on a website with computer geeks.

"hanging chads"

Bullshit. Punchcards were first made in the early 1800's and then used more commonly by big computer companies like IBM in the late 1800's. They were not used after the late 70's because they sucked. I work with people that used punch cards to program computers. They never talk about "chads" they talk about things like getting cards out of order, dropping them on the ground and not being able to edit them once made. They don't talk about "chads", those are invented words for the 2000 election well after nobody used punchcards for over 20 years.

I've taken a number of standardized tests for over 20 years that have never, ever used punchcards or had hanging chads. They were all done with standard #2 pencils and a piece of paper that could scan them at remarkable speeds and accuracy. I'm sure somebody could counter with a time that one kid had his SAT score off by a point or two out of 1600 or the 2400 or whatever it is now, but AFAK they are beyond human accuracy, and never, ever have "chad" issues.

So, why all the talk and fuss about this stuff? Are elections routinely rigged? Is this the new terrorist plot? Are the scantron type ballots that I have used rigged or wrong? Are the mechanical vote counters rigged or wrong? Was the President of the United States chosen by popular ballot in 2000? Does it even matter?

The more this disinformation keeps us busy, it makes those who really matter in these matters more free to have more room to do whatever they want to do.

I don't believe its any more difficult to count nominal data accurately than it ever was. Its the people that do the counting that are always variable, and will always be.

Re:KISS

[MindStalker]

Traitors is a bit of a strong word.
If your talking about the current system of paper ballots its simply a matter of what was avaiable at the time of creation and the unmobility of the average election council to go with unproven new systems. If your refering to things such as diebold I again point to the untechness of the election coucils. Now diebold themselves, is most likly a combination of lazy employees just trying to earn a buck.... and TRAITORS!

Re:KISS

[Izaak]

And how do we know that the prinout matches whatever counter is
incremented within the computer?

Actually, the count of voters will also be tracked
independent of the machine. Voter registration is
checked before you vote. They check in a hardcopy
voter registration book that your name shows up
at the address you claim to be living at. You
need to show ID or something else with your address.
They then check you off as having voted by writing a
sequence number next your name. The number is not reliable
for determining how you voted because their are multiple
voting stations at each polling place and no way to
know which one you went to after making it through the
registration queue. Nevertheless, the total recorded
in the book must match the totals recorded in the
machines at the end of the night. It would be impossible
for the voting machine to add phantom votes to the paper
tape without it showing up when you check the registration
books.

I live in Wisconsin and have actually been a volunteer
poll observer. I am very happy to see this law, though
I still think optical scan machines are better for a
variety of reasons.

Later,

Thad

Re:KISS

[dfenstrate]

From what I understand, the hanging chads were most likely the result of voter fraud by the election officials in charge.

They would take a stack of ballots, and run an icepick through their preferred candidate's hole.

If their candidate was the same as the voters, the card was unchanged. If it wasn't, a new hole would be made and the vote invalided for multiple voting. Since Icepicks weren't the proper instrument for voting, they left chads hanging.

Of course, who you think the fraudulent election officials were fucking up ballots for depends largely on your party affiliation.

Personally, I only remember one candidate in the 2000 election trying to cherry-pick areas to recount, and these chosen areas became famous for their hanging chads.

Of course, I don't have any substatiation of this, so take it with a grain of salt.

More directly on topic, I'm all for wisconsin's law to be adopted here in New Hampshire for electronic voting machines. The voting machine computer tally could be hand counted (or verified by a machine from a completely different vendor for speed) in maybe 1-3% of the voting districts, randomly chosen after the election, for consistency.

Re:KISS

[VE3MTM]

US Code, Title 42, Chapter 20, Subchapter 1, Section 1971:

(b) Intimidation, threats, or coercion
No person, whether acting under color of law or otherwise, shall intimidate, threaten, coerce, or attempt to intimidate, threaten, or coerce any other person for the purpose of interfering with the right of such other person to vote or to vote as he may choose, or of causing such other person to vote for, or not to vote for, any candidate for the office of President, Vice President, presidential elector, Member of the Senate, or Member of the House of Representatives, Delegates or Commissioners from the Territories or possessions, at any general, special, or primary election held solely or in part for the purpose of selecting or electing any such candidate.

Source: http://assembler.law.cornell.edu/uscode/html/uscod e42/usc_sec_42_00001971----000-.html

Ah, yes, those pesky laws.

Re:KISS

[YetAnotherLogin]

Yeah, but even if it was open source, you'd never really be to trust it unless you compiled it yourself. For example, Ken Thompson was able to bug the compiler so that it installed a backdoor whenever the login(1) program was compiled. For details you should see his paper Reflections on Trusting Trust.

Re:KISS

[AKAImBatman]

TRue. Some states didn't even have voting until a hundred or so years after the United States was founded. There is, in fact, no Constitutional requirement that any State of the Union provide voting to any person or persons. Each state gets its allotted number of electorial votes, then it's up to the state to figure out how to allocate them.

That being said, most states I've lived in require voter registration to prevent fraud. North Dakota probably doesn't because it doesn't need it as much. No offense to you guys, but it's not like there are that many people for each voting station to sort through. Even when I lived in Wisconsin (which *does* require registration), everyone knew everyone well enough to keep fraud out. :-)

Re:KISS

[mrhartwig]

From what I understand, the hanging chads were most likely the result of voter fraud by the election officials in charge.

Bullshit. While I happen to suspect that there was some fraud in the 2000 election (in Florida along with a bunch of other places) this sounds like nothing more than a Conspiracy Theory, knee-jerk, reaction.

We use the same ballot system here in my little corner of Missouri, and I assure you that it's very possible to leave a chad hanging, even with the "approved" punch device that's part of the voting station. No icepick required.

If you did use an icepick in the manner described in the parent, you couldn't do very many cards at once; there would be quite obvious damage around the hole, as the icepick would be significantly bigger than the chad hole. And the wrong shape (round vs. rectangular).

I don't remember if I'm making this up, but I believe our instructions include a step having you check to make sure all the chads have been totally punched out. If we do have such an instruction, I don't know if it was there before 2000. But I've always checked, instruction or not; it's not that complicated. :-)

Also to add an on-topic comment; Wisconsin's law is a great step, but I agree with other posters that a much better system would be to make the vote generation device separately from the vote counting device.

That's great, but

[LodCrappo]

unfortunately you will still have to vote for either a republican, a democrat, or someone who will lose.

ABOUT GODDAMN TIME!

[Mattness]

Paper receipts should be a no brainer, as should be open source software for voting machines. Too bad this isn't occurring in every state, yet. Or is it? I am an ignorant person about this topic. Someone enlighten me.

Re:ABOUT GODDAMN TIME!

[SilverspurG]

will require the software of touch-screen voting machines used in elections to be open-source.

Likely, the moment the lobbyists get their move on this, open source will be redefined to be source code printed on punch cards submitted to the state archives under an NDA to be kept in a vault next to Hoffa's shoes and The Ring of Power.

The printed receipt is fine. Governments have known how to manipulate those for centuries.

Re:ABOUT GODDAMN TIME!

[General+Fault]

Nor should a voting system require a multi-function operating system like windows nt. Really, do we need something with more power than nasa had 10 years ago just for the ++ op of voting? See the solution that India came up with. Cheap, simple, verifiable and easy to copy. Honestly, how many Mhz do you need to count a vote and how many MB do you need to store a tally?

Thank you very much

[stevenm86]

This is exactly what people have been saying all along. It is not a good idea to trust the numbers that the machine keeps track of electronically somewhere. Some sort of paper trail is definitely a good idea. Even a simple line printer that sits in the back of the room somewhere, printing a short summary of every cast ballot would work because it provides a paper trail that can be verified by a human.
Question is, why aren't other states doing this?

Unfortunately,

[Sheetrock]

There's also a provision that the voting machines be made out of cheddar.

Uh oh! I see the next calamity approaching!

[mister_llah]

So instead of people who can't figure out how to punch the proper hole, now we'll have people pushing the wrong button, accidentely pushing the "Are you sure?" prompt's "OK" ....

Oh wait, whew, Wisconsin, not Florida...

Re:Uh oh! I see the next calamity approaching!

[sucker_muts]

This one?
Link.

This is amazing

[TubeSteak]

Municipalities that use electronic voting machines are responsible for providing to the public, on request, the code used.

This isn't like North Carolina requiring that the source be placed in escrow, they're actually requiring it be available to the public.

I can't wait to see what http://www.blackboxvoting.org/ has to say about this one.

It means they won't have to jump through fucking hoops just to test the machine (like in California)

Doesn't precude bar codes

[justanyone]

There seems to be (happily) no preclusion of printing bar codes indicating the choices underneath the names of the candidates. This should allow for rapid and accurate scanning and counting. Ballots can be verified by hand or other (possibly 3rd party) means to prove that the bar codes equal the name on the ballot.

This will speed up and make more accurate the counting vs. OCR of the candidates' names.

Nonsense

[bheading]

It hardly matters if it is open source. Who will compile it before it is uploaded to the machine ? Who will check that the correct software is loaded ? Who will check the guy doing the checking ?

Automated vote counting of any kind - electronic or mechanical - makes fraud considerably easier, puts a mystery shroud around the counting process and as such is incompatible with democracy. In the UK we count all the votes in our elections within 12 hours including the odd recount. Why are Americans obsessed with diluting their democracy by using machines to do it ?

Re:Nonsense

[Whafro]

the board of elections in your local municipality (depending on state, etc) is responsible for choosing the machines and the software. These are either elected officials or are appointed by elected officials, and therefore responsible for representing your interests.

The Board of Elections is responsible for ensuring that the correct software is loaded, and you, as a voter, will check the Board of Elections.

Elections don't just happen, they are overseen by people you put there, directly or indirectly.

The open source element just ensures that even if the Board of Elections has no idea about what the computer code is actually doing, that the greater community will be able to make that check and balance.

With a punch card or even a mechanical voting machine, you can see and understand how it works. By making the code for these machines open source, that same consumer/voter check and balance is being provided-- or, at least, that's the idea.

This does not address the other tampering that can happen. If you want to ensure that your elections are clean and untampered, then make sure you pay attention next time your local board of elections is up for appointment or election.

Re:Nonsense

[killmenow]

Why are Americans obsessed with diluting their democracy by using machines to do it ?

Shhh! It's easier to control the populace this way. Now shut up!

Re:Nonsense

[bheading]

the board of elections in your local municipality (depending on state, etc) is responsible for choosing the machines and the software. These are either elected officials or are appointed by elected officials, and therefore responsible for representing your interests.

Presumably they're elected in a vote which will be counted by one of the electronic machines they've bought ? What makes you convinced that corruption or (more realistically) incompetence cannot interfere with the result of an election ? Do you think your elected representatives would have the skills to, say, recompile code or get checksums to confirm that the correct load had been installed, and that no tampering had taken place ?

Elections don't just happen, they are overseen by people you put there, directly or indirectly.

You're talking as if elected representatives are infallible and incorruptible. They aren't.

In the UK, if I am a candidate in an election I can watch each vote being counted, right there in the countroom. I don't have to trust a bureaucrat who doesn't know what he is doing to make sure the count is done properly. Because I can see the votes, and they are not hidden in the bowels of a machine or of a computer, I can be personally assured that no attempt has been made to disenfranchise my voters. How can you even begin to provide that guarantee with automated vote counting ?

With a punch card or even a mechanical voting machine, you can see and understand how it works.

I don't get why you guys are coming off with this kind of response KNOWING how in Florida 2000 we all got to see how it did NOT work, and how people got confused or thrown off by their poor understanding of how it DID work. Through what may be deliberate fiddling, or more likely incompetence, the ballot paper in parts of Florida made it potentially unclear to some people who they were voting for, and unclear to those counting the votes who the voter had actually voted for. That is what I call a total farce, and it couldn't have happened if the election had been conducted using a simple sheet of paper with a handwritten X scrawled next to the chosen candidate.

Re:Nonsense

[P3NIS_CLEAVER]

...and what if the hardware is hacked? Detecting this would be much harder than checking on the code, which could be verified by checksum.

Re:Nonsense

[AeroIllini]

I don't get why you guys are coming off with this kind of response KNOWING how in Florida 2000 we all got to see how it did NOT work, and how people got confused or thrown off by their poor understanding of how it DID work. Through what may be deliberate fiddling, or more likely incompetence, the ballot paper in parts of Florida made it potentially unclear to some people who they were voting for, and unclear to those counting the votes who the voter had actually voted for. That is what I call a total farce, and it couldn't have happened if the election had been conducted using a simple sheet of paper with a handwritten X scrawled next to the chosen candidate.

I agree with you whole-heartedly, but there are several factors keeping things from being that simple.

The ballots here in the US usually contain a huge number of elections. In the last presidential election, we were asked not only to vote for the president, but also for congressmen, judges, city councilmen, county board members, and other various municipal elected officials, not to mention the three to five different local resolutions on each ballot. The butterfly ballot system (which became famous in Florida in 2000 for the Pat Buchanan situation) is simply a way to condense a large amount of information in an anonymous way onto a small ballot card. These things are literally books, usually with ten or more pages of elections to vote for. It's not a perfect system, certainly, but putting all the same information on a single sheet of paper with room for marking a candidate, clearly delimiting the various elections taking place, allowing for instructions in both English and Spanish, and making the text large enough to read makes for a rather large sheet of paper. And asking people to read candidates off one sheet and mark their choice on another sheet creates all the same confusion and problems people had with the butterfly ballots.

I think our best bet in the US for paper ballots is to create printed booklets with instructions and a single election on each page. The actual listed candidates and boxes for marking a vote would be contained on a perforated sheet like a coupon, which the voter rips out and stuffs in the ballot box. The voter would keep the booklet after voting. The creation of these booklets could be automated without much fuss; each municipality could retrieve their booklets as a PDF file and have them printed and stapled before the election. It's not like ballots are secret until the day of the election.

But truly, in any voting system, accuracy boils down to the skill of the people recording the votes. In paper voting, that means the people counting, the people recording the votes, the people calling in the numbers to state headquarters, and the people assisting voters with questions. In computerized voting, that means the people who designed and built the hardware, the people who wrote the firmware, the people who wrote the software, and the people in charge of the networks doing the reporting to a central agency. Mistakes will be made, and recounts will happen. If automation does not help fix the mistakes that are made, and in fact creates many more problems, then it is not worth the trouble.

PAPER RECEIPTS ARE BAD!

[justanyone]

There are two meanings for "paper receipts":
1. paper ballot which is the actual ballot, kept by the county clerk / election officials;
2. paper receipt, kept by the voter, proving they've voted and indicating who they voted for.

The latter concept is VERY BAD. It would encourage the ability of someone to buy an election by paying money or favors to someone in exchange for their receipt proving they voted for someone in particular.

This is the reason we have secret ballots - to make vote-buying quite difficult if not impossible.

buried in the legalese

[revery]

the bill requires that if a municipality uses an electronic voting system that consists of a voting machine, the machine must generate a complete paper ballot showing all votes cast by each elector that is visually verifiable by the elector before he or she leaves the machine.

Of course buried in the legalese was the rest of the bill:

The vote-tallying software shall be closed source and shall be owned in whole by Diebold. As such, the printed ballot shown to elector may have no bearing on actual vote recorded. Names may be substituted based on (1) party of candidate (2) intelligence of choice (3) corruption in district (4) time of day (5) OR if you live in Palm Beach or Broward County, pure whimsy. Additionally, elector may be fined or audited based on vote case, or in extreme cases, placed on the National Do-Not-Fly list and scheduled for investigation by the Department of Homeland Security.

Democracy run amok!

[second+class+skygod]

They're acting as if they want to avoid rampant abuse and fraud. While it sounds great, I don't think America is ready for such a radical notion.

-- scsg

Federal Mandate Time

[Kefaa]

Can someone explain why we can standardize street signs and the amount of sugar allowed in school lunches but we cannot get a standardized election system?

After the 2000 election debacle, we had money thrown at the states to "fix the problem." So we ended up with 35 different solutions.

A simple federal mandate - the voter must be verifiable, their vote must be able to be able to be authenticated after they leave the booth, in the event of a recount and the system can be fully audited. Instead, we have systems with no paper trails, questionable vendor operations, and seemingly contradictory election results.

We can make millions of secure stock sales, bank transfers and on-line purchases daily, and we cannot get a vote counted and auditable? The people who produced these machines should be fired for stupidity and forced to return our money.

Re:Federal Mandate Time

[User+956]

After the 2000 election debacle, we had money thrown at the states to "fix the problem." So we ended up with 35 different solutions.

Only 35 solutions? I'm pretty sure we have more states than that... Are you using wikipedia for reference again?

Not really Open Source

[hweimer]

From TFB:

5.91 (19) The coding for the software that is used to operate the system on election day and to tally the votes cast is publicly accessible and may be used to independently verify the accuracy and reliability of the operating and tallying procedures to be employed at any election.

This is somewhat less than what is usually meant by the term "Open Source". But it seems that at least voting machines running a completely closed operating systems are ruled out.

Not the count, but the recount that's important...

[Ramses0]

"""How do you recount? Election results must be reproduceable by a human afterwards, especially if a virus or spyware got into the election results (either on purpose, or with malicious intent). Open Voting has this part figured out by producing a paper ballot that can be validated without the use of a computer, or you can use a computer to check it faster."""

http://www.robertames.com/blog.cgi/entries/links/v ote-hacking-2004.html

Links have broken with time, but here's an updated link to Open Voting...

http://www.openvotingconsortium.org/modules.php?na me=FAQ&myfaq=yes&id_cat=11&categories=Security%2C+ Resiliency%2C+Integrity%2C+Reliability

Their systems are reallly neat and they've had a lot of smart people looking at the problem. I've not been involved in it, but have read some of their documentations, and promised myself that I'd speak up and give them google-juice anytime voting came up. Some highlights:

    - Commodity hardware / software

    - Open source code

    - Paper "receipts" that can be verified by:

        * Sight

        * Barcode

        * Audio / Visual

        * Separate "reader / recounter"

    - Accurate computer counts (ie: select count(*) from votes group by person)

    - Paper trail for recounts (re-count manually or computer assisted the receipts), with useful information hidden in the water-marked receipts (kindof like scantron stuff, where both computers and humans can read it). ...all in all it seems like a pretty good system and like I said they've done a lot of thinking about it.

--Robert

There isn't a voter name on the receipt, RTFP

[Medievalist]

Although that would work on incredibly stupid voters, simple intimidation usually works on them anyway.

Voters with half a brain cell copy, forge or borrow a receipt to show to the boss.

There's no voter name on the receipt, thus no way for the boss to know how YOU voted.

Not Open Source

[John+Hasler]

> Wisconsin Governor Jim Doyle today signed legislation that "will
> require the software of touch-screen voting machines used in
> elections to be open-source."

The law does not require that the software be Open Source. It merely requires that voters be able to examine and test it.

BIG PROBLEM

[goombah99]

The problem here is that there are no open source voting machines on the market at this time. So what is going to happen?
In most cases they can't be since the OS is closed source. Moreover, federal certification is no longer just for stand alone voting machines but requires the whole "system" of vote counting and vote merging software to be certified. So even when the vote counters could be open source the vote databases may not be. Diebolds run on windows CE, ES&S ivotronics probably run on windows CE, ES&S opscans run on Qnix, sequoia touchscreen kiosks run on some undisclosed proprietary software and the ballot database software runs on windows. No word what Sequoia Optek/insights run on but again the ballot data bases run on windows.

thus these companies can't open their source since it's not theirs to open.

Accupol is built on linux and java so it could in principle be open source at their discretion. But because the accupols are cobbled together from mainly commodity components the company investors is averse to open sourcing their only real IP.

Not sure about avante and harte and unilect but it appears they contain windows software.

OVC is the only system truly designed with open source in mind. But it's not ready for sale yet.

Re:This should not be news.

[Spy+der+Mann]

...but sadly, it is.

AH! But then it's GOOD NEWS! :)

I wouldn't give Doyle credit....

[daemonenwind]

This from the same guy who feels that you should not have to prove your identity before voting.

I would expect this is only a ploy to make it seem like he cares about the voting irregularities which occurred in WI during the 2004 Presidental election, causing several leading Milwaukee Democrats to be investigated.

Reading the requirements, not only does no one currently offer such a machine, but most machines in the state wouldn't live up to it today.

OSS isn't enough

[gcauthon]

That's great that their system will be open source, but that isn't quite enough. There are a few things that I think would make the systems more trustworthy in addition to the open source requirement:

• Secure hashes on every single file on the system. A technician should be able to take a voting system and quickly determine if any files were modified (programs, shared libs, data, etc).
• Reliable network security. No modems or network connectivity of any sort. Find some other way to tabulate the votes that doesn't compromise the integrity of the system.
• More testing and absolutely no changes between testing sign-off and election day.
• Other than voting, the system should be completely read-only. The voting should have some sanity checks as well. For example, votes can not decrease and only one vote can be made within a certain period of time.
• The certifications themselves and testing results should be made public.
• Any information should be available through the FOIA and should have a clear and concise retention policy. No more showing up at the election polls only to find workers forming an ant trail to the dumpster.

Where is an open-source voting machine?

[epaulson]

Is there a non-profit out there that has produced an open-source voting machine? Either software that converts a regular PC into a voting machine, or maybe even take it a step further and is willing to build the hardware and sell it at cost to governments.

Why is this "open source"?

[mykdavies]

I don't see any sign that this bill requires the code to be open source. The bill requires it to be made public, but does it actually require the state to make it available under an open source licence?

The WIS quote only says that "the coding for the software that is used to operate the system on election day and to tally the votes cast is publicly accessible and may be used to independently verify the accuracy and reliability of the operating and tallying procedures to be employed at any election". For them to call this open source is bad enough, but for Slashdot to repeat this misunderstanding of the term is ridiculous.

Voting System Proposal

[fossa]

Based on suggestions I've read in the comments, how about this:

Voter enters polling place, name scratched off list as usual. Voter enters booth. For each office up for election, voter types* a name or names+ into the voting machine. A blank vote or "Nobody" would indicate no vote for that office. Referendums etc. could be indicated with some predefined response (preferably more than a simple "yes" or "no" in order to avoid Windows-dialog-box-style confusion). When finished, the voting machine prints out the completed ballot. The format is importantly both human readable and machine readable via OCR. Surely if the machine knows the font beforehand, OCR can be fairly quick and highly accurate...? A ballot would essentialy be a list like:

President: John P. Doe
Senator: Jane T. Smith
Representative: Joe G. Johnson
Increase taxes for schools?: Do not increase

A ballot may contain special marks to help a machine reader align the text, but the actual vote info must be human readable (i.e. not a barcode). The voter reviews the ballot and either destroys it and creates a new one, or submits it to the ballot box. Ballots are then machine tallied after all ballots are collected (it is important to not tally instaneously for the sake of voter anonymity). Hand recounts may be conducted as necesarry.

The good parts about this are 1) machine countable, 2) human countable, 3) transparent (voter puts physical paper ballot into box rather than bits into a database), 4) tamper resistant (difficult to invalidate votes by marking or tampering with the ballot after the fact) 5) anonymous.

One problem is: how to type a candidate's name. Keyboard? What about those with disabilities? I'm not really familiar with alternate text entry systems, but surely some exist.

* The biggest problem is, of course, determining who is meant by "John P. Doe", since there may be many John P. Does in America. I don't really like the idea of requiring people to "get on the ballot" because anyone who doesn't know who to vote for will almost certainly pick a candidate who is on the ballot. But I don't really have a solution for an all-write-in system. Please address this as a separate issue. In lieu of requiring a typed name, the system could easily offer a selection of candidates as is common now. (How do write-in votes work now? I assume they are silently ignored unless it's clear that a majority of votes are not for someone on the ballot which almost surely never happens).

+ Some offices may allow multiple candidates. Some voting systems may allow multiple votes, possibly ranked, for a single final winner. This voting method lends itself well to these alternative (surperior IMO) methods.

Discuss.

Re:Condorcet, not IRV

[metamatic]

The existence of preference cycles in condorcet results is a pretty serious problem. Frankly, it makes it a non-starter as far as I'm concerned.

Wikipedia lists seven different algorithms for resolving cycles. Can you imagine TV news explaining to the average American how the set theory behind the Schwartz set method determines the President?

IRV may be flawed, but it's easily understandable, and a huge improvement on FPTP.

This is the one state...

[dimension6]

...whose senator actually voted against the Patriot Act.

This seems to be a BS political move

Sorry folks. As someone who knows Wisconsin state IT (and posting anonymously). The voter registration server and apps (SVRS) are CITRIX based. And the papers are already publishing complaints about that application. It is failing to poor project management by state workers with a history of poor project management. The state CIO is a linux advocate (Matt M.), but even he had to bow to pressure for a high profile project and go with HP UX. And our efforts to get rid of MS Exchange had been fairly difficult, and may yet hit the papers. (Even the governor's office hasn't attempted the email conversion despite Larry Ellison's visit...Oracle is trying to help replace MS). The governor can sign anything he wants in to law, but how will it be implemented? And how will the municipalities feel about further requirements to get voters registered and voting, when SVRS works so poorly? It sounds like the average Wisconsin citizen is not going to be very happy with what the state government dictates. From my point of view, too many state IT management folk are jumping on the open source bandwagon because of the CIO, rather than practising good IT. Sounds like the governor signed into law a feel good law without thinking about the consequences. Do I have the answers? Nope, just know this will be a great idea, poorly implemented.