Wisconsin Requires Open Source, Verifiable Voting

AdamBLang writes "Previously covered on Slashdot, Wisconsin Governor Jim Doyle today signed legislation that "will require the software of touch-screen voting machines used in elections to be open-source. Municipalities that use electronic voting machines are responsible for providing to the public, on request, the code used." Madison's Capital Times reports "the bill requires that if a municipality uses an electronic voting system that consists of a voting machine, the machine must generate a complete paper ballot showing all votes cast by each elector that is visually verifiable by the elector before he or she leaves the machine.""

KISS

[grub]

[T]he machine must generate a complete paper ballot showing all votes cast by each elector that is visually verifiable by the elector before he or she leaves the machine.

And how do we know that the prinout matches whatever counter is incremented within the computer? Being open source makes it tamper-resistent, not tamper-proof. Would it not be easier to just use a paper ballot in the first place? Then any recount could be performed against the actual ballots cast, not as a spot check against computer (glitches|fraud).

Re:KISS

[McGiraf]

if there is a doubt you ask for a recount and count .... the paper ballots!

duh ..

Re:KISS

[hazem]

What I've always thought would be a good idea would be a computer to help generate the ballot, and then a separate computer to count those ballots.

This offers the advantages of multi-language ballots with brail, audio prompts, etc. And the resulting ballot is standardized so it can be read by both machine and human - and no "hanging chads".

The ballots can then be easily counted by another machine - and human validated as necessary.

The ballot-generating computer never needs to "count" - but it could do so as a spot check against the counting computer.

Re:KISS

[Dutchmaan]

We can only move in the right direction.. This is a positive step to be sure, and as flaws in this system reveal themselves we will take further steps toward refining the process of preserving intergrity in the voting system.

The perfect democracy is a goal and can never really be perfectly attained... but it serves as a compass to keep us going in the right direction.

Re:KISS

[grub]

"if". Being that leadership of government is being determined, I'd prefer the actual cast ballots be counted. Canada does it in a few hours with 1/10th the US population (and the public can view the count I believe)

Re:KISS

[cait56]

That's why you also need a write-only audit trail produced
before the voter leaves the booth. A second paper copy is
certainly one form of a write-only audit trail.

Keep in mind that paper-ballots were far from perfect.
Counters could and did vote for people who neglected
to fill in for some contests, and/or create extraneous
marks on the ballot to make it retroactively ambiguous.

A print-out with full candidate names is a lot harder
to alter than a pre-printed form with Xs inside of boxes.

Re:KISS

[kfg]

. . .put your thumbprint in the corner . . .

No.

KFG

Re:KISS

[Rude+Turnip]

To elaborate on kfg's comment..."No. I'd rather not give my employer or corrupt union leader a way of tracing my ballot back to me. I appreciate my status of being employed and only wish to have my bones broken due to a skiing accident."

Re:KISS

[HUADPE]

Agreed. One of the major tenets of democratic voting is the secret ballot. This is in and of itself a problem with electronic voting because the order of votes can be counted as well as the votes themselves. A determined individual can then match the order and time of votes to individuals as they signed in to the polling place. Non-secret ballots can allow for voter intimidation (will the new mayor fire people who voted against him?)

Re:KISS

[hackstraw]

Being open source makes it tamper-resistent, not tamper-proof.

Somebody, probably not me or you will compile the final code to be run on some computer that we don't know the details of anyway. That somebody may know how to alter the code, maybe not.

I know of no way that a computer recount could happen without a paper trail.

Would it not be easier to just use a paper ballot in the first place?

I don't see how this is so difficult. Each voting place I've been to scratches off your name when you show up to vote off of a roster of registered voters, and there should be a total count of those registered which should equal the number of pieces of paper in the ballot box.

There can be simple large scantron type cards that are immediately sorted into something like X party, Y party and Z party, and maybe "other". These can be quickly gone though and if there was an X in the Y party box, something might be fishy. If the Z party box weighs more than the X party box which has more than Y, then Z won. It could counted if mass is that big of a controversy.

In this country, people have the right to anonymously vote for a particular candidate, but not to vote anonymously. It is known when you vote, and for good reason so that dead people don't go around voting over and over again or even live people.

What is so difficult with counting nominal data these days?

Re:KISS

[oni]

Just off the top of my head, I would say:
Give the voter a receipt that consists of, 1) a long randomly generated ReceiptID, 2) a plaintext record of the vote (as in, "you voted for Kodos"), and 3) a cryptographic signature.

So in other words, I have a peice of paper that I get to take home with me and on that peice of paper is written:
------ Begin PHP Signed Text -----
ReceiptID 243524534523423454345234234
Voted For: Kodos
------ Begin PHP Signatre Block -----
(signature here)
------ End PHP Signatre Block -----
------ End PHP Signed Text -----

After the election, you can publish the ReceiptIDs and vote records on a website. Anyone who wants to verify the authenticity of the election can tally all the votes themselves. If I want to make sure that MY vote counted, I can look it up. If I see that they changed my vote, I can come forward with my reciept. I can't change my receipt because it's crytographically signed. Nobody can find out who I am because my reciept number has nothing at all to do with me, it's just a random unique number.

(why is it that this stuff always seems easy to us slashdotians? Why do corporations always make it so complicated and broken??)

Re:KISS

[mooneyd]

That's exactly how it should be done. Use a touch screen to make your choices, it prints out a op-scannable ballot you can hold in your hand and verify. You then stick it in one of two slots: the scanner slot or the shredder slot. That action will either confirm or reject your vote inherantly. If you reject the ballot, you can go through it again on the touchscreen, otherwise you are done.

And the machines should be developed by national research labratory in a completely open and transparent way. The source code, design plans and manufacturing process would be completely auditable by the public. No corporate control of voting machines. No security through obscurity.

Re:KISS

[hazem]

The problem with a receipt is that it can then be used to make sure you voted a certain way.

corrupt boss: Joe, have fun voting, and be sure to bring back your receipt so I can know how you voted and decide if I'm going to fire you. Oh yeah, and if you don't have a receipt, I'll fire you.

Re:KISS

[sam1am]

As has been mentioned elsewhere; this is a bad idea, because you could be "persuaded" to share your receipt number with someone else, who could use it to verify you voted a certain way.

Guy sets up booth taking receipts that prove a vote for candidate A, you get $10.

Or more insidious, your boss tells you you need to vote for candidate A. In order to obtain your next paycheck, you must show your receipt that you voted for candidate A.

Once you leave the polling place, you should not be able to verify your vote to yourself or anyone else.

(Now, if you took that receipt and dropped it in the ballot box on the way out of the polling place, that's another story)

Re:KISS

[kernelpanicked]

------ Begin PHP Signed Text -----
ReceiptID 243524534523423454345234234
Voted For: Kodos
------ Begin PHP Signatre Block -----
(signature here)
------ End PHP Signatre Block -----
------ End PHP Signed Text -----

I think what you're looking for is 'PGP" signed, but hen again some folks will use php for damn near anything.

Re:KISS

[j.+andrew+rogers]

Something similar is done in Nevada, which is generally regarded as being clueful about preventing fraud in electronic machines thanks to many years of dealing with elaborate attempts at electronic gambling machine fraud. Much of the value of electronic voting machines are that they are inexpensive, fast, and theoretically less error-prone to manage compared to pre-printed paper ballots and other older methods.

While no voting system is fool-proof, the Nevada method is something like this: Electronic voting with a voter-verified paper receipt to ensure that what is on the paper is what was selected electronically by voter. The paper receipts are collected and a few percent of the total paper records are randomly and independently audited to verify the electronic records. The important thing that happens here is that the verification and authentication of the vote is distributed among multiple authorities, providing strong statistical evidence that an election was indeed counted as it was voted while providing no single point of failure or manipulation that is likely to go unnoticed. It also does not have the overhead of manually counting every single paper ballot.

This is actually a more robust voting protocol in many ways than the paper ballots it replaces. I do not know if Wisconsin is doing things precisely this way, but I imagine that they would use some variation of the Nevada protocol.

Re:KISS

[Rich0]

Agreed - the simplest and most efficent solution is full automation with some percentage of completely random auditing.

In each state pick 10 precients at random, and count every last vote in them - they better agree to the automated total.

The proposal to always count them manually amounts to 100% auditing. Sure, it works, but it really isn't necessary. In fact, it is likely to have a higher error rate since there is no value being checked against (unless you have two independant groups count all the votes separately and submit separate counts which are then cross-checked).

Have each machine programmed, assembled, and sealed by an individual who signs some dotted line. If the count turns out wrong, the machine gets a major investigation. If there is fraud, the individual gets sent to prison with an opportunity to somewhat reduce his sentence by singing like a canary.

The EU uses systems like this for drug imports. If you want to certify a lot of manufactured drugs as safe for use in Europe, you have to have an EU citizen sign on the final line. The logic is that there is at least somebody personally accountable for the action who lives in the EU jurisdiction. In the same way, if a megacorp builds a bridge there is still an individual engineer signing each drawing.

The key to law enforcement is individual accountability. No need to waste huge amounts of money counting every vote by hand. You just need to make sure the system fosters accountability. If you check 5% of the precients across the country the chance of any widespread fraud going uncaught is very low. Once widespread fraud is detected you would of course count every last piece of paper three times, and send the bill to the perpetrators...

Re:KISS

[AKAImBatman]

Your system really isn't any different than the one in the US. In the US, you must first register to vote. This only needs to be done once, after which the voting place will expect you. As soon as you check in, your name is crossed out and you're given a ballot. That ballor has no identifying information, thus securing your right to a secret ballot. If a recount goes into effect, two things can happen:

1) The ballots themselves are recounted
2) The voters who showed up are verified to ensure that no one voted who shouldn't have. (e.g. Dead people.)

The system is tedious, but it works. The problem that has arisen, however, is that districts want to streamline voting by using electronic ballots. Since it can be difficult to *prove* that a counted vote wasn't changed after the fact, we have various stories like this one pointing out the many problems with E-Voting.

Re:KISS

[deblau]

And how do we know that the prinout matches whatever counter is incremented within the computer?

We don't, other than by inspecting the source. Once we cast our vote using a paper ballot, how do we know it was actually counted? We don't, other than by having observers present. Source inspection is the digital analogue of human election observers.

IMHO, having computers count is more accurate than having people count. Remember, as Stalin may or may not have said, "those who cast the votes decide nothing; those who count the votes decide everything." Florida 2000 and Ohio 2004 showed us that. Computers have no motivation to lie, and I can inspect a computer's source code. I can't inspect the mind of the person counting my paper ballot. To me, computers have more accountability.

Re:KISS

[hackstraw]

I wish I was on a website with computer geeks.

"hanging chads"

Bullshit. Punchcards were first made in the early 1800's and then used more commonly by big computer companies like IBM in the late 1800's. They were not used after the late 70's because they sucked. I work with people that used punch cards to program computers. They never talk about "chads" they talk about things like getting cards out of order, dropping them on the ground and not being able to edit them once made. They don't talk about "chads", those are invented words for the 2000 election well after nobody used punchcards for over 20 years.

I've taken a number of standardized tests for over 20 years that have never, ever used punchcards or had hanging chads. They were all done with standard #2 pencils and a piece of paper that could scan them at remarkable speeds and accuracy. I'm sure somebody could counter with a time that one kid had his SAT score off by a point or two out of 1600 or the 2400 or whatever it is now, but AFAK they are beyond human accuracy, and never, ever have "chad" issues.

So, why all the talk and fuss about this stuff? Are elections routinely rigged? Is this the new terrorist plot? Are the scantron type ballots that I have used rigged or wrong? Are the mechanical vote counters rigged or wrong? Was the President of the United States chosen by popular ballot in 2000? Does it even matter?

The more this disinformation keeps us busy, it makes those who really matter in these matters more free to have more room to do whatever they want to do.

I don't believe its any more difficult to count nominal data accurately than it ever was. Its the people that do the counting that are always variable, and will always be.

Re:KISS

[VE3MTM]

US Code, Title 42, Chapter 20, Subchapter 1, Section 1971:

(b) Intimidation, threats, or coercion
No person, whether acting under color of law or otherwise, shall intimidate, threaten, coerce, or attempt to intimidate, threaten, or coerce any other person for the purpose of interfering with the right of such other person to vote or to vote as he may choose, or of causing such other person to vote for, or not to vote for, any candidate for the office of President, Vice President, presidential elector, Member of the Senate, or Member of the House of Representatives, Delegates or Commissioners from the Territories or possessions, at any general, special, or primary election held solely or in part for the purpose of selecting or electing any such candidate.

Source: http://assembler.law.cornell.edu/uscode/html/uscod e42/usc_sec_42_00001971----000-.html

Ah, yes, those pesky laws.

Re:KISS

[mrhartwig]

From what I understand, the hanging chads were most likely the result of voter fraud by the election officials in charge.

Bullshit. While I happen to suspect that there was some fraud in the 2000 election (in Florida along with a bunch of other places) this sounds like nothing more than a Conspiracy Theory, knee-jerk, reaction.

We use the same ballot system here in my little corner of Missouri, and I assure you that it's very possible to leave a chad hanging, even with the "approved" punch device that's part of the voting station. No icepick required.

If you did use an icepick in the manner described in the parent, you couldn't do very many cards at once; there would be quite obvious damage around the hole, as the icepick would be significantly bigger than the chad hole. And the wrong shape (round vs. rectangular).

I don't remember if I'm making this up, but I believe our instructions include a step having you check to make sure all the chads have been totally punched out. If we do have such an instruction, I don't know if it was there before 2000. But I've always checked, instruction or not; it's not that complicated. :-)

Also to add an on-topic comment; Wisconsin's law is a great step, but I agree with other posters that a much better system would be to make the vote generation device separately from the vote counting device.

That's great, but

[LodCrappo]

unfortunately you will still have to vote for either a republican, a democrat, or someone who will lose.

ABOUT GODDAMN TIME!

[Mattness]

Paper receipts should be a no brainer, as should be open source software for voting machines. Too bad this isn't occurring in every state, yet. Or is it? I am an ignorant person about this topic. Someone enlighten me.

Re:ABOUT GODDAMN TIME!

[General+Fault]

Nor should a voting system require a multi-function operating system like windows nt. Really, do we need something with more power than nasa had 10 years ago just for the ++ op of voting? See the solution that India came up with. Cheap, simple, verifiable and easy to copy. Honestly, how many Mhz do you need to count a vote and how many MB do you need to store a tally?

Unfortunately,

[Sheetrock]

There's also a provision that the voting machines be made out of cheddar.

Uh oh! I see the next calamity approaching!

[mister_llah]

So instead of people who can't figure out how to punch the proper hole, now we'll have people pushing the wrong button, accidentely pushing the "Are you sure?" prompt's "OK" ....

Oh wait, whew, Wisconsin, not Florida...

This is amazing

[TubeSteak]

Municipalities that use electronic voting machines are responsible for providing to the public, on request, the code used.

This isn't like North Carolina requiring that the source be placed in escrow, they're actually requiring it be available to the public.

I can't wait to see what http://www.blackboxvoting.org/ has to say about this one.

It means they won't have to jump through fucking hoops just to test the machine (like in California)

Nonsense

[bheading]

It hardly matters if it is open source. Who will compile it before it is uploaded to the machine ? Who will check that the correct software is loaded ? Who will check the guy doing the checking ?

Automated vote counting of any kind - electronic or mechanical - makes fraud considerably easier, puts a mystery shroud around the counting process and as such is incompatible with democracy. In the UK we count all the votes in our elections within 12 hours including the odd recount. Why are Americans obsessed with diluting their democracy by using machines to do it ?

Re:Nonsense

[killmenow]

Why are Americans obsessed with diluting their democracy by using machines to do it ?

Shhh! It's easier to control the populace this way. Now shut up!

Re:Nonsense

[AeroIllini]

I don't get why you guys are coming off with this kind of response KNOWING how in Florida 2000 we all got to see how it did NOT work, and how people got confused or thrown off by their poor understanding of how it DID work. Through what may be deliberate fiddling, or more likely incompetence, the ballot paper in parts of Florida made it potentially unclear to some people who they were voting for, and unclear to those counting the votes who the voter had actually voted for. That is what I call a total farce, and it couldn't have happened if the election had been conducted using a simple sheet of paper with a handwritten X scrawled next to the chosen candidate.

I agree with you whole-heartedly, but there are several factors keeping things from being that simple.

The ballots here in the US usually contain a huge number of elections. In the last presidential election, we were asked not only to vote for the president, but also for congressmen, judges, city councilmen, county board members, and other various municipal elected officials, not to mention the three to five different local resolutions on each ballot. The butterfly ballot system (which became famous in Florida in 2000 for the Pat Buchanan situation) is simply a way to condense a large amount of information in an anonymous way onto a small ballot card. These things are literally books, usually with ten or more pages of elections to vote for. It's not a perfect system, certainly, but putting all the same information on a single sheet of paper with room for marking a candidate, clearly delimiting the various elections taking place, allowing for instructions in both English and Spanish, and making the text large enough to read makes for a rather large sheet of paper. And asking people to read candidates off one sheet and mark their choice on another sheet creates all the same confusion and problems people had with the butterfly ballots.

I think our best bet in the US for paper ballots is to create printed booklets with instructions and a single election on each page. The actual listed candidates and boxes for marking a vote would be contained on a perforated sheet like a coupon, which the voter rips out and stuffs in the ballot box. The voter would keep the booklet after voting. The creation of these booklets could be automated without much fuss; each municipality could retrieve their booklets as a PDF file and have them printed and stapled before the election. It's not like ballots are secret until the day of the election.

But truly, in any voting system, accuracy boils down to the skill of the people recording the votes. In paper voting, that means the people counting, the people recording the votes, the people calling in the numbers to state headquarters, and the people assisting voters with questions. In computerized voting, that means the people who designed and built the hardware, the people who wrote the firmware, the people who wrote the software, and the people in charge of the networks doing the reporting to a central agency. Mistakes will be made, and recounts will happen. If automation does not help fix the mistakes that are made, and in fact creates many more problems, then it is not worth the trouble.

buried in the legalese

[revery]

the bill requires that if a municipality uses an electronic voting system that consists of a voting machine, the machine must generate a complete paper ballot showing all votes cast by each elector that is visually verifiable by the elector before he or she leaves the machine.

Of course buried in the legalese was the rest of the bill:

The vote-tallying software shall be closed source and shall be owned in whole by Diebold. As such, the printed ballot shown to elector may have no bearing on actual vote recorded. Names may be substituted based on (1) party of candidate (2) intelligence of choice (3) corruption in district (4) time of day (5) OR if you live in Palm Beach or Broward County, pure whimsy. Additionally, elector may be fined or audited based on vote case, or in extreme cases, placed on the National Do-Not-Fly list and scheduled for investigation by the Department of Homeland Security.

Democracy run amok!

[second+class+skygod]

They're acting as if they want to avoid rampant abuse and fraud. While it sounds great, I don't think America is ready for such a radical notion.

-- scsg

Federal Mandate Time

[Kefaa]

Can someone explain why we can standardize street signs and the amount of sugar allowed in school lunches but we cannot get a standardized election system?

After the 2000 election debacle, we had money thrown at the states to "fix the problem." So we ended up with 35 different solutions.

A simple federal mandate - the voter must be verifiable, their vote must be able to be able to be authenticated after they leave the booth, in the event of a recount and the system can be fully audited. Instead, we have systems with no paper trails, questionable vendor operations, and seemingly contradictory election results.

We can make millions of secure stock sales, bank transfers and on-line purchases daily, and we cannot get a vote counted and auditable? The people who produced these machines should be fired for stupidity and forced to return our money.

Not really Open Source

[hweimer]

From TFB:

5.91 (19) The coding for the software that is used to operate the system on election day and to tally the votes cast is publicly accessible and may be used to independently verify the accuracy and reliability of the operating and tallying procedures to be employed at any election.

This is somewhat less than what is usually meant by the term "Open Source". But it seems that at least voting machines running a completely closed operating systems are ruled out.

BIG PROBLEM

[goombah99]

The problem here is that there are no open source voting machines on the market at this time. So what is going to happen?
In most cases they can't be since the OS is closed source. Moreover, federal certification is no longer just for stand alone voting machines but requires the whole "system" of vote counting and vote merging software to be certified. So even when the vote counters could be open source the vote databases may not be. Diebolds run on windows CE, ES&S ivotronics probably run on windows CE, ES&S opscans run on Qnix, sequoia touchscreen kiosks run on some undisclosed proprietary software and the ballot database software runs on windows. No word what Sequoia Optek/insights run on but again the ballot data bases run on windows.

thus these companies can't open their source since it's not theirs to open.

Accupol is built on linux and java so it could in principle be open source at their discretion. But because the accupols are cobbled together from mainly commodity components the company investors is averse to open sourcing their only real IP.

Not sure about avante and harte and unilect but it appears they contain windows software.

OVC is the only system truly designed with open source in mind. But it's not ready for sale yet.

This is the one state...

[dimension6]

...whose senator actually voted against the Patriot Act.

This seems to be a BS political move

Sorry folks. As someone who knows Wisconsin state IT (and posting anonymously). The voter registration server and apps (SVRS) are CITRIX based. And the papers are already publishing complaints about that application. It is failing to poor project management by state workers with a history of poor project management. The state CIO is a linux advocate (Matt M.), but even he had to bow to pressure for a high profile project and go with HP UX. And our efforts to get rid of MS Exchange had been fairly difficult, and may yet hit the papers. (Even the governor's office hasn't attempted the email conversion despite Larry Ellison's visit...Oracle is trying to help replace MS). The governor can sign anything he wants in to law, but how will it be implemented? And how will the municipalities feel about further requirements to get voters registered and voting, when SVRS works so poorly? It sounds like the average Wisconsin citizen is not going to be very happy with what the state government dictates. From my point of view, too many state IT management folk are jumping on the open source bandwagon because of the CIO, rather than practising good IT. Sounds like the governor signed into law a feel good law without thinking about the consequences. Do I have the answers? Nope, just know this will be a great idea, poorly implemented.