Ask a "Star" of HBO's Voting Machine Documentary

Herbert H. Thompson, PhD ("Hugh" to his friends), is one of the people featured in the HBO documentary, Hacking Democracy, that Diebold tried to keep from airing. Hugh is a long-time Slashdot reader who called me to volunteer for this interview — on his own, not through anyone's PR department. Here's a YouTube excerpt from a CNN Lou Dobbs show with Hugh in it. (Find more articles by and about Hugh here. And perhaps check this brand-new MSNBC story about e-voting, too.) Hugh suggests that you give him "your wildest questions about what went on behind the scenes and how safe the e-voting systems actually are." Let's take him up on that challenge, hopefully while following Slashdot interview rules. Note to Diebold and other voting machine companies: We welcome comments and questions from you, same as we welcome them from everyone else. If you feel you are being vilified unfairly by Slashdot readers, please respond and set the record straight.

Will We Ever Get This Right?

[eldavojohn]

Other countries are embracing E-voting despite the massive concern here in the United States. My simple question is, in your opinion, will E-voting ever reach standards rigorous enough to satisfy the American populace? If not, why?

paper trail?

[ummit]

This is a really basic question and it seems I should know an answer, but it never seems to be discussed: Why are the electronic voting machine companies generally so dead-set against emitting verifiable and auditable paper records? It can't just be cost, because they could and would just pass that on to their customers.

Re:paper trail?

[Thansal]

It can't just be cost, because they could and would just pass that on to their customers.

Sort of a follow up, how do the states/districts decide what machine to go with? Is it a standard "go with the lowest bidder", is this why we see such shoddy machines going into action? Do the decision making organizations tend to have specific features they look for? Anything else you would like to share about the decision making processes that you have seen?

Thanks for doing this also!

Re:paper trail?

[jj00]

Pittsburgh (Allegheny country) had a public review of 4-5 voting systems (Unisys, Sequoia, ES&S, and Diebold) that I attended. Of all the systems I saw, ALL of them had an option to produce a paper trail. Some were inherently better at paper trails than others - such as the bubble-fill versions, but they all had some sort of option.

Most of the salesmen there seemed to steer you away from the bubble-fill devices, stating that they were cheaper up front but would cost more in the long run with paper costs. I still liked them the best. They have multiple ways of recovering from problems - built in paper trail, still work under power outages, and anyone that can play the lottery can use them.

I took some pictures if you're really interested.

Re:paper trail?

[Ungrounded+Lightning]

Yes, such laws do exist. (They're apparently why you can't get the raw voteing machine and punchcard ballot reader output to examine for statistical signs of vote tampering, too.)

But the point of the printed reciept is NOT for the voter to take it home. The point is for him to put it in a ballot box. Then it's no longer in his possession, so the laws to prevent vote-buying don't apply.

The printed "reciept" is actually the official ballot, and subject to recounts and audits. The voting machine becomes simply a ballot marking aid - which can opportunistically take a count as it operates. The machine's count can be used for rapid return reporting, but only becomes the official count if there are no challenges and the precinct doesn't happen to be randomly selected for auditing.

With a spit-out printed ballot added to the voting machines, the rest of the current software can remain in place. With an audit trail any fraud can be detected and corrected. (Further: With random sampling and the inevitable recount requests in close races and those where fraud is suspected, it is LIKELY to be detected.)

In the absense of the ability to untracably corrupt the count, voting macine fraud attempts become much less likely - and a path to prison rather than to political power.

Largest Inherent Flaw?

[eldavojohn]

In your opinion, what is the largest inherent flaw within electronic voting systems today? Diebold's been in the news of having many potential problems ranging from securing the physical hardware to the ability to hack the software or firmware. I'm sure you're quite prepared to pose a case against implementations but can you think of a more intuitive scheme (encryption, network layout, verification scheme) to protect against "hacking our democracy?"

Here is my question...

[Noryungi]

Let's assume for a moment the 2006 US House/Senate election goes this way: Republicans keep control of both through a series of smallish victories, Democrats gain a few seats, and the results are explained away in the mainstream media as "fluke results", "margin of error", etc...

How do you prove that foul play (hacking) has been involved?

Do you even have a plan in place to check the results?

Please note that this is a very serious question. There was a saying, a few years back, that said a novice hacker is someone known in a small circle, a confirmed hacker is someone who is known all over the Internet, and a great hacker is someone who is totally invisible.

What if the election was subtly hacked, in a way that left lingering doubts (51%-vs-48% kind of results and all that), but no solid proof?

OSS?

[Xzzy]

Does the HBO show spend any time discussing the three "sides" to the debate? E-Voting, open sourced e-voting software, and paper voting? The last Slashdot article on this topic, when Diebold's complaint was announced, spent some time on this. The worry being, the debate is nothing more than "e-voting good" or "e-voting bad", ignoring the possibility that "open source e-voting" might be a viable middle ground.

How do you think open source could fit into this issue? Or should it?

Re:OSS?

[Speare]

Before I poo-poo the idea, let me say I like the idea of OSS implementations of anything the government does: they pay for this implementation in my dollars, so I might as well get a chance to see how it works. But this does not make the system more secure.

Even with OSS, you're relying on an assurance by some clerk at the polling station that the code you've audited at home is the code that drives your voting choice from fingertip to election commission. You can't SEE software, and as this crowd knows, rootkits can virtualize the whole machine to appear to run one thing while really doing something else.

The only way for an individual to audit their vote is to see their vote on a tangible artifact, be it marks on paper, holes in paper, colored beads or whatever works in your village. It's already bad enough that you can't follow that vote artifact out of the voting booth into the counting center, and watch it every step of the way, but with many eyes from all vested parties along the path, you can have a small sense of security in this process.

Pen-and-paper voting

[NetDanzr]

What, exactly, is the argument against pen-and-paper voting? It seems to me that everybody wants to migrate to voting machines - electronic or mechanical - but so far nobody has explained to me what's wrong with good old-fashioned "put an X next to your candidate's name" voting.

Re :Pen-and-paper voting

[Black+Parrot]

> What, exactly, is the argument against pen-and-paper voting? It seems to me that everybody wants to migrate to voting machines - electronic or mechanical - but so far nobody has explained to me what's wrong with good old-fashioned "put an X next to your candidate's name" voting.

The "problem" is that it doesn't shuffle enough of your tax money into corporate pockets.

Re:Pen-and-paper voting

[Arbitor+Elegantorum]

In many jurisdictions, like mine, they do put an X next to somebody's name, and then slide the ballot into a scanning machine which counts the votes. However, the issue of returning to a 1920's style all-manual system is the count, the crucial part of the system. In Canada ballots have only 3 or 4 party names listed. Its easy to count those. In Chicago, we will have nearly 90 names on the ballot. The possibility of mischief or mistakes increases dramatically when you let humans do it.

Re:Pen-and-paper voting

[Mercuria]

One of the big motivations is to allow handicapped individuals to have a private voting process. Until modern systems were put into place, a blind person who came into a polling place was accompanied by someone from the Republican and Democratic parties (cue third-party ranting), and she would tell them which candidates she wished to vote for, and they would mark her ballot accordingly. Thanks to HAVA, she can put on a set of headphones and vote with privacy. Other examples based on other disabilities are pretty easy to come up with.

Re:Pen-and-paper voting

[???]

1. Handicapped access.

It demeans the real challenges faced by individuals with handicaps to suggest that we need to diminish the reliability of our electoral system in order to encourage their participation.

2. Printing costs.

Costs for paper / pencil only systems are significantly less than for electronic systems, particularly when election administration is centralized (see Canadian electoral system costs). This is even before you consider that electronic voting equipment is being amortized over an absurdly long period of time (far longer than their estimated useful life. I would bet there will be a lot of counties writing off systems after the next cycle that still have significant unamortized book value).

3. Storage costs.
Storage costs are increased with electoral equipment. The equipment itself needs to be stored and takes more room than paper ballots. Further, the equipment typically has more stringent environmental requirements (temperature, humidity, etc. control) for the storage facility than paper ballots. Paper ballots need to be stored for less time than equipment. Paper ballots can be destroyed once disputes relating to them have been settled, and only have a useful life of at most one electoral cycle. Equipment must be stored throughout its useful life.

4. People.

It takes candidates' representatives and two officials from the authority conducting the election to count ballots in precinct. These are individuals who are already involved in the process, observing and administering (respectively) the conduct of the voting process of the election.

5. Quicker results.
We know who our Prime Minister is before bed-time EST on election night. How about you? Vote counting is a highly parallelizable activity.

Regardless, is it appropriate to set cost and speed above accuracy and security in elections administration?

Re:Pen-and-paper voting

[CanSpice]

What do hanging chads have to do with marking a box on a piece of paper?

The greatest threat to e-voting?

[sharkb8]

Do you think the greatest threat of an e-voting system being hijacked is during the voting itself, with one or more people influencing things at the polling place, during the processing, with untrained, nonaccountable poll workers and supervisors, or do you think a greater threat would be someone maliciously attacking an electronic vote counting reposiotory/database?

How do we minimise the risk?

[ReallyEvilCanine]

Since many -- if not most -- districts with electronic voting devices have disposed of their older, non-electronic systems, there's no available back-up mechanism other than paper and pencil, something unlikely to be accepted due to impracticality. There's hardly the time and even less impetus to print the millions of machine-readable absentee ballots necessary.

Given that, by law, voting is anonymous and private and necessarily leaves the voter alone with the device, what can be done to minimise the risk of machine tampering?

OT: Republican victory

[everphilski]

... so a republican victory automatically dictates tampering with voting machines? The democrats have a long history of being ahead in polls and losing, before e-voting ever hit the scene. Democrats are democrats and have a tendancy to lose it for themselves as the elections approach (see: John Kerry's recent comments, Alan Hevesi, etc)

Why is it so hard?

[gorbachev]

As a software engineer I'm constantly amazed at how incompetent Diebold and other companies making e-voting applications appear to be. This stuff is not rocket science at all, but fairly uncomplicated, basic software engineering.

Why do you think it's so hard for Diebold and other companies to come up with solutions that work well? Is it a stubborn unwillingness to listen and learn from critics, shere incompetence, or something else?

Re:Why is it so hard?

[davewill]

As a software engineer I'm constantly amazed at how incompetent Diebold and other companies making e-voting applications appear to be. This stuff is not rocket science at all, but fairly uncomplicated, basic software engineering.

As a software engineer I'm constantly amazed that other engineers think this is simple and easy. The first time I heard about "touch-screen voting machines" I thought to myself, "Now, THERE'S a BAD idea". Voting is much harder to program for than financial transactions are. For one thing, the stakes are higher. If someone steals some money, the FBI investigates, the criminal is caught (or not), and the security hole is fixed. A company is out some money they likely accounted for when weighed the cost/benefit of the system. Witness the recent flap over reprogramming ATM machines to spit out $20 but debit $5. While it was embarrassing and cost some ATM owners money, it was not a national crisis. If someone steals votes, investigation is left to partisan poll watchers, if the fraud is detectable at all. The end result is a crooked politician in power for 2-6 years where we can only hope they do nothing worse than steal money.

As we all know well, the more security you add to a system, the less user friendly it tends to be. This is a major problem when the general public is REQUIRED to use the device (unlike ATMs where use is voluntary) and when you face the fact that so many poll workers are part-time or casual volunteers.

In financial transactions, auditing is carried out by credentialed professionals that are experts in the field and in the systems they audit. They can take any resonable period of time required and can demand access to almost any part of the process. They can review detailed logs of transactions, and query database records in various fashions to bring irregularities to light. Elections are "audited" by non-professional observers and poll watchers on election day. Ballot secrecy endlessly complicates the problem. As a very first step, the identity of the voter must be separated from the actual votes themselves. The only data typically available after the election is finished are the tabulated vote totals, and the original ballots (oops, many of the electronic systems don't have those!) As the 2000 and 2004 elections showed us, recounts are nearly impossible to carryout politically anyway, so the count REALLY has to be correct the first time.

Yeah, this is REALLY easy.

Re:Why is it so hard?

[0xABADC0DA]

Bad software engineers pick the most complicated solution and complain about how impossible the task is. Good ones find the nugget of truth that makes complicated problems easy. Same here... electronic voting is actually a very very easy problem if you realize the truth: secure systems are not needed at all.

1. You have a computerized vote selection system. This does not need to be secure at all, because it will print out the selected votes onto paper in a human readable form. It can be written in TCL/TK if you want, or Flash, or anything.

2. Voter takes his paper ballot and puts it in a box. This is secure because anybody that wants to can stick around and watch the box all day until counting.

3. When polls close the workers open the boxes and run them through a computerized scanner where the observers see how the ballot is marked, watch a ballot go in and watch the individual tallies change by one. This does not need to be secure because you have citizen observers watching and/or videotaping the process. If you see one for Gore go in and you see his count go down by ten you put your video of it on YouTube.

4. Poll workers call in the results to the the central office, who posts them on the internet listed by individual polling location.

5. Citizens for each polling location verify that their local total is correct.

Simple, effective, fast, and with essentially zero need for security at any step. If there is even ONE concerned citizen per polling location then the results are guarenteed accurate. Contrast this to the current system in at my polling location:

1. select vote on computer

2. read in paper who won

Where it would take a mythical perfect security to have any confidence whatsoever that the counts were accurate. This is NOT a hard problem technologically. It IS a hard problem politically because the corrupt want a corruptable system.

On Open vs. Closed Networks

[the-banker]

It has always seemed to me that the real Achilles heel of e-voting is the networked approach that most vendors have taken. With a networked approach, fraud can be perpetrated on a mass scale if entry is gained at one weakness.

As a former election judge, I have enough experience to know that rigging a paper election is a daunting, nearly impossible task, as there are litterally thousands of ballot boxes that would have to be compromised for any sort of advanagte (on a state or national scale).

Are these concerns balanced (or even discussed) when officials are purchasing equipment? Do local Board of Elections have not only the expertise, but the concern to ask the right questions? And how do BoE directors react when they hear about your concerns and research?

A simple solution?

[Brickwall]

To me, the only 'benefit' of e-voting is the speed of counting after the polls close, which seems pretty small compared to the problems that have surfaced. That said, I wonder what you think of this possible solution:

After the voter makes his selection on the e-voting machine, the machine then prints out a piece of paper with the voter's choice on it. The voter reviews it, makes sure it's correct, and then exits the booth and deposits the paper ballot in an old-fashioned ballot box. When the polls close, we have an instant count but if the result is challenged, we have the old-fashioned system to do a recount. Note that "hanging chads" and other such nonsense wouldn't apply, as the machine would print the voter's choice - no question of "unclear marks" or "multiple selections", or other problems that exist with manual ballots today. It seems to me this would satisfy both camps, without requiring a massive rewrite of the software, and minimal physical changes. (These machines must have a port somewhere that a printer could be connected to.) Any thoughts?

Is the Harm Really that Great?

[logicnazi]

I saddened and dismayed by the poor engineering and ignorance of basic security practices that our electronic voting machines show. However, is this really something we should panic about or even the biggest problem in our election system.

All voting systems are vulnerable to fraud. What makes these electronic systems different is that one or a very small number of individuals can engineer a fraud. However, their ability to execute a fraud is limited by the media polls (we will suspect something if the results are inexplicably different than polled) and knowledge of precinct history. Thus the danger from individuals changing the vote seems to really be that they will shift a close race (say 10% apart) one way or another.

However, this sort of shifting close races doesn't greatly degrade the structural force of voting. All candidates will still try to enact policies to garner support whether they need 50% of the votes or only 45%. Much of voting is random, affected by things like personal charisma rather than policy questions so clearly the system doesn't work because we always have the person who 50% want but rather it works because of the structural pressure not to stray to far from what the people want. Or to put it in political science terms what does all the work is the tendency of all candidates to shift to the middle in the long run who actually wins each race isn't so important.

But now comparing the potential for electronic vote fraud to things like machine politics (with conventional ballot stuffing), safe districts, voter disenfranchisement efforts, felon lists etc.. etc.. it doesn't seem like it is such a big deal. Making sure the poling places in the inner city don't have enough machines has a much bigger structural effect, by making sure one group's votes don't count at all, than just giving one candidate a random 10% of the vote. Creating a safe district removes virtually all of the structural pressure of voters on government and it seems far more effective and less dangerous to accidentally strike the wrong people from the rolls or put too few voting machines in some precincts.

In short are we letting our concern over the technology of voting blind us to the bigger issues? Shouldn't we be paying more attention to who gets to vote, how districts are drawn and other conventional aspects of voting than to the potential for individuals to electronically cheat?

Re:The problem isn't E-Voting

[kybred]

The problem is diebold and their machines. Take a look at my country (Brazil) and our latest election. Voting ended at 5:00pm and we knew who won the election by 7:00pm.

That's nothing. Diebold executives can tell you who will win before the election starts! :-)