Slashdot Mirror
Hugh Thompson Answers Voting Machine Security Questions
You posted your questions for Herbert H. Thompson, PhD, on November 3rd and 4th. He decided to wait to answer until after the election in case there was a flagrant voting machine problem he could include in his answers -- and there has been at least one, but it is probably not a "security" problem per se, and is a long way from being resolved in any case. So here we go. Good food for thought here.
1) paper trail?
by ummit
This is a really basic question and it seems I should know an answer, but it never seems to be discussed: Why are the electronic voting machine companies generally so dead-set against emitting verifiable and auditable paper records? It can't just be cost, because they could and would just pass that on to their customers.
Hugh: In some states the debate has already been settled in that there is legislation in place requiring a voter-verified paper trail. Verifiedvoting.org has a good tracker of this here.
There are a few points often cited by groups resistant to a voter-verified paper trail. A first argument is that printers can fail. In touch-screen - Direct Record Electronic or DRE machines - printers are often the only components with moving parts (although some systems do have hard drives) which increases the risk of mechanical failure. Printers also bring issues like running out of paper, jams, misprints, etc. Another reason (cited less frequently) is the cost of paper/printing, but as you pointed out, this is a cost that can be passed on to counties.
Some election officials have also made the argument that they've already bought machines that don't have a paper trail and retrofitting existing machines would be costly and painful. I've also heard the argument that having a paper receipt doesn't matter because in most cases they won't be referenced.
I don't think that the sum of these arguments against a paper trail come any where near countering the necessity of having some sort of redundant recording mechanism. A critical system should always failover securely and a voter verified paper trail, if implemented properly, can meet that need for DRE machines.
2) Re:paper trail?
by Thansal
Sort of a follow up, how do the states/districts decide what machine to go with? Is it a standard "go with the lowest bidder", is this why we see such shoddy machines going into action? Do the decision making organizations tend to have specific features they look for? Anything else you would like to share about the decision making processes that you have seen?
Hugh: There are a couple of key things to keep in mind. First, there are only a few main machine suppliers. Second, the Help America Vote act (see http://www.fec.gov/hava/law_ext.txt) provided a ton of money to invest in electronic voting machines within a short (debatably unrealistic) timeframe. Given these two factors, the sales that I've seen have boiled down to readily visible machine elements like purchase price, how many other places have used the machines successfully, deployment cost, maintainability, ongoing service/maintenance cost, personal relationships, etc.
Generally, buyers of this technology aren't factoring in security: the machines pass certification lab tests but the testing doesn't cover security well (or at all). The National Institute of Standards (NIST) is working on certification procedures to address this very problem and the hope is that security will factor prominently into buying decisions made in the future. Hopefully existing machines will be retrofitted to meet those new standards too.
3) Largest Inherent Flaw?
by eldavojohn
In your opinion, what is the largest inherent flaw within electronic voting systems today? Diebold's been in the news for having many potential problems ranging from securing the physical hardware to the ability to hack the software or firmware. I'm sure you're quite prepared to pose a case against implementations but can you think of a more intuitive scheme (encryption, network layout, verification scheme) to protect against "hacking our democracy?"
Hugh: The biggest problem with e-voting isn't technical; it's procedural. Ignoring the perennial social voting issues (voter suppression, dead people voting, etc.) there's no real guidance given to elections administrators on how to safely and effectively use electronic voting equipment. If one has no idea what a memory card is, why would you bother trying to secure it?
One glaring example of bad procedure is 'sleepovers', a practice where voting machines are sent home with poll workers before an election to make the process of transporting them to polling places on election day easier (see http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9002204 for some info on this). If one were dealing with a box to hold ballots, 'sleepovers' wouldn't be a problem because the morning of the election a group of poll workers could inspect the box and verify that it was empty (including the old false bottom trick; see 'Stuffer's ballot box' at http://americanhistory.si.edu/vote/paperballots.html). If election officials knew the risks of tampering with some of these electronic voting machines (just search Slashdot for 'e-voting' for examples) then a voting machine sleepover suddenly seems like a pretty bad idea.
Right now we're at a point where election supervisors and poll workers are given a technology that they don't understand with little or no guidance on how to use that technology safely and securely. That's a recipe for serious risk, for voting or anything else.
4) Here is my question...
by Noryungi
Let's assume for a moment the 2006 US House/Senate election goes this way: Republicans keep control of both through a series of smallish victories, Democrats gain a few seats, and the results are explained away in the mainstream media as "fluke results", "margin of error", etc...
How do you prove that foul play (hacking) has been involved?
Do you even have a plan in place to check the results?
Please note that this is a very serious question. There was a saying, a few years back, that said a novice hacker is someone known in a small circle, a confirmed hacker is someone who is known all over the Internet, and a great hacker is someone who is totally invisible.
What if the election was subtly hacked, in a way that left lingering doubts (51%-vs-48% kind of results and all that), but no solid proof?
Hugh: First it's important to define e-voting security as a technology issue and not a partisan politics issue; what we've seen so far has been bad software and bad procedures to administer that software. Given the types of vulnerabilities that have been found, proving (and sometimes even detecting) foul play can be very difficult if the malicious person is skilled and the effect is minor (meaning a small percentage of the actual votes cast). For the types of vulnerabilities uncovered in some of the touch screens, optical scan readers, and backend tabulation systems, exploits can be written for some of them that are 'self erasing.' This means that the last executed bits of code can change things so that it looks like the original which could make slight tampering difficult to detect or prove in purely electronic systems. I think this argument speaks to the need for a voter-verified paper receipt so that there will be at least a good answer to the recount question.
5) OSS?
by Xzzy
Does the HBO show spend any time discussing the three "sides" to the debate? E-Voting, open sourced e-voting software, and paper voting? The last Slashdot article on this topic, when Diebold's complaint was announced, spent some time on this. The worry being, the debate is nothing more than "e-voting good" or "e-voting bad", ignoring the possibility that "open source e-voting" might be a viable middle ground.
How do you think open source could fit into this issue? Or should it?
Hugh: When it comes to voting, I'm not sure if it's a matter of open vs. closed source but instead a matter of standards and inspection by people who understand security. I'd be a fan of any solution, open or closed source, that allows trusted, knowledgeable, and independent software and hardware security practitioners the ability to inspect the systems and the code that runs them.
For example, I believe that there should be some sort of standards organization that is chartered with inspecting the system AND has proven security expertise to act as a representative of the people. For airplanes we put faith in FAA and airline carrier safety and security inspections. This kind of process has worked pretty well for a long time for machines that we place our trust in like airplanes, elevators, etc. but we're still a long way away from it in voting unfortunately. If the voting systems were open source, this may come automatically as a function of the 'citizen inspector' and might get us to where things should be faster but I think its still possible in a closed-source environment.
6) Pen-and-paper voting
by NetDanzr
What, exactly, is the argument against pen-and-paper voting? It seems to me that everybody wants to migrate to voting machines - electronic or mechanical - but so far nobody has explained to me what's wrong with good old-fashioned "put an X next to your candidate's name" voting.
Hugh: There are some pretty interesting (and legitimate) drivers behind e-voting and I'll go through the biggest.
The first is a push for disabled voters to be able cast their ballot using the same mechanism as able-bodied voters in a non-assisted way. Many states have mandated that machines must be able to service blind and illiterate voters and section 301 of the Help America Vote Act (HAVA)requires that such facilities at least be available (see HAVA section 301 from http://www.fec.gov/hava/law_ext.txt). Most touch screen machines do this through audio output to a headphone jack.
Another driver is the desire to capture voter intent unambiguously. Every year thousands of votes aren't counted because there's some ambiguity in how the voter intended to vote. In pen and paper voting, someone can put Xs (or shaded-in ovals) next to two candidate names instead of one or make a stray mark on a paper ballot which may lead to some late night debates involving lawyers and magnifying glasses. One of the hopes for e-voting was to drastically reduce voter intent ambiguity by guaranteeing that someone couldn't vote for multiple candidates in the same race simultaneously.
Efficiency (theoretically) has been another driver, more so in counting than in the actual voting process itself.
The sum of these present a good case to at least rethink pen-and-paper as the answer but, as with any new system, care has to be taken that the solution fixes more problems than it creates.
7) Why is it so hard?
by gorbachev
As a software engineer I'm constantly amazed at how incompetent Diebold and other companies making e-voting applications appear to be. This stuff is not rocket science at all, but fairly uncomplicated, basic software engineering.
Why do you think it's so hard for Diebold and other companies to come up with solutions that work well? Is it a stubborn unwillingness to listen and learn from critics, sheer incompetence, or something else?
Hugh: We've certainly seen some pretty glaring security problems in voting machines that span touch screens, tabulators, and optical scan devices. We've really seen problems across vendors too. The biggest problem I think is that there's no real economic driver to make the systems more secure. The people that buy voting machines typically haven't discriminated based on the security quality of the machines because they have no visibility into it. It's like buying a car without something like consumer reports crash test ratings. Unless someone actually starts looking at machine security and comparing it then we're left to making buying decisions based on qualities we can see like purchase price, market share, and whatever unsubstantiated thing the vendor wants to tell us about features and quality. Even given some of the vulnerabilities that have been found, and supposedly fixed, we're still no better off. If you determine that company X has vulnerability Y in one of their voting systems who's to say if the competition's voting system is any better or worse? We are at the point now where we know the systems that have been looked at are sub-par with respect to security and hopefully that's enough to spur consumers (counties that buy the machines) to start asking some tough questions to vendors about security and get us to a place where they can factor security quality into their buying decisions.
8) On Open vs. Closed Networks
by the-banker
It has always seemed to me that the real Achilles heel of e-voting is the networked approach that most vendors have taken. With a networked approach, fraud can be perpetrated on a mass scale if entry is gained at one weakness.
As a former election judge, I have enough experience to know that rigging a paper election is a daunting, nearly impossible task, as there are literally thousands of ballot boxes that would have to be compromised for any sort of advantage (on a state or national scale).
Are these concerns balanced (or even discussed) when officials are purchasing equipment? Do local Board of Elections have not only the expertise, but the concern to ask the right questions? And how do BoE directors react when they hear about your concerns and research?
Hugh: I agree that networking machines together is a serious risk certainly from a scale-of-attack perspective and unfortunately some counties continue to modem in results from polling places using procedures that are insecure.
I think the bigger issue is visibility and awareness; election officials just aren't given procedural guidance on how to administer the systems securely. The result is risk and I think many of these risks aren't weighed with the proper magnitude by election officials because it's unfamiliar territory. I think that most Board of Elections officials are good people who want to do the right thing but just don't know what questions to ask vendors about security and don't know how to interpret their answers. This isn't just a problem in voting, it's a problem with software security in general and I think it's important that if you're investing heavily in a software-based solution that you ask hard questions about security. I think a good starter set of questions to throw at software vendors (voting or otherwise) is:
9) The greatest threat to e-voting?
by sharkb8
Do you think the greatest threat of an e-voting system being hijacked is during the voting itself, with one or more people influencing things at the polling place, during the processing, with untrained, nonaccountable poll workers and supervisors, or do you think a greater threat would be someone maliciously attacking an electronic vote counting repository/database?
Hugh: In terms of attack, the greatest risk is still probably a people risk; and that has existed for a long time. The concern with e-voting is that some of the vulnerabilities found make it so that the number of folks that would have to be involved to tamper with results is fewer than before and that their efforts may scale. From that perspective I think there's risk at each stage of the process from how voter registration databases are stored and secured, to how they are cast on election day, to when they get aggregated at the central tabulator. The 'riskiest' piece of the process actually varies from state to state and county to county based on the procedures they have around security. In some places the biggest threat may exist in registration databases that are stored on unprotected servers. In other counties risk may come from poll workers that election officials know very little about who are allowed to take voting machines home the night before elections to make the setup process easier the next day. In others, the biggest risk might lay in the central tabulator which is housed in an unlocked room, where many people enter and exit throughout the day.
Many of these risks could be reduced by poll worker training and procedural change on how machines are operated and secured.
10) Is the Harm Really that Great?
by logicnazi
I am saddened and dismayed by the poor engineering and ignorance of basic security practices that our electronic voting machines show. However, is this really something we should panic about or even the biggest problem in our election system?
All voting systems are vulnerable to fraud. What makes these electronic systems different is that one or a very small number of individuals can engineer a fraud. However, their ability to execute a fraud is limited by the media polls (we will suspect something if the results are inexplicably different than polled) and knowledge of precinct history. Thus the danger from individuals changing the vote seems to really be that they will shift a close race (say 10% apart) one way or another.
However, this sort of shifting close races doesn't greatly degrade the structural force of voting. All candidates will still try to enact policies to garner support whether they need 50% of the votes or only 45%. Much of voting is random, affected by things like personal charisma rather than policy questions so clearly the system doesn't work because we always have the person who 50% want but rather it works because of the structural pressure not to stray too far from what the people want. Or to put it in political science terms, what does all the work is the tendency of all candidates to shift to the middle so in the long run who actually wins each race isn't so important.
But now comparing the potential for electronic vote fraud to things like machine politics (with conventional ballot stuffing), safe districts, voter disenfranchisement efforts, felon lists etc.. etc.. it doesn't seem like it is such a big deal. Making sure the polling places in the inner city don't have enough machines has a much bigger structural effect, by making sure one group's votes don't count at all, than just giving one candidate a random 10% of the vote. Creating a safe district removes virtually all of the structural pressure of voters on government and it seems far more effective and less dangerous to accidentally strike the wrong people from the rolls or put too few voting machines in some precincts.
In short are we letting our concern over the technology of voting blind us to the bigger issues? Shouldn't we be paying more attention to who gets to vote, how districts are drawn and other conventional aspects of voting than to the potential for individuals to electronically cheat?
Hugh: I think that the flaws we've seen with electronic voting are only a piece of the problem and that the largest issues we have in voting are people ones. The technical flaws, though, may amplify some of the classic people threats. As you pointed out, some of the vulnerabilities may allow a malicious person's actions to scale or may mean that a smaller number of people to have a bigger influence. Even just within the space of e-voting security I'd argue that many of the risks that come from machine vulnerabilities can be greatly reduced if we had some sound broad procedures/education around using and administering the machines securely.
The voting process has always posed some significant challenges. E-voting security is a small piece of the larger problem. It is a piece that we know we can do something about, though, by establishing some basic security assessment standards for the machines themselves and some procedural and education standards for those that administer elections. The biggest sin would be that e-voting vulnerabilities merit a prominent place on the laundry list of voting problems in years to come. I think we're at a point where some simple things can be done to move it off that list and I hope that some of the standards efforts that have begun now in earnest get rolled out so attention can be focused on other ongoing voting challenges.
1) paper trail?
by ummit
This is a really basic question and it seems I should know an answer, but it never seems to be discussed: Why are the electronic voting machine companies generally so dead-set against emitting verifiable and auditable paper records? It can't just be cost, because they could and would just pass that on to their customers.
Hugh: In some states the debate has already been settled in that there is legislation in place requiring a voter-verified paper trail. Verifiedvoting.org has a good tracker of this here.
There are a few points often cited by groups resistant to a voter-verified paper trail. A first argument is that printers can fail. In touch-screen - Direct Record Electronic or DRE machines - printers are often the only components with moving parts (although some systems do have hard drives) which increases the risk of mechanical failure. Printers also bring issues like running out of paper, jams, misprints, etc. Another reason (cited less frequently) is the cost of paper/printing, but as you pointed out, this is a cost that can be passed on to counties.
Some election officials have also made the argument that they've already bought machines that don't have a paper trail and retrofitting existing machines would be costly and painful. I've also heard the argument that having a paper receipt doesn't matter because in most cases they won't be referenced.
I don't think that the sum of these arguments against a paper trail come any where near countering the necessity of having some sort of redundant recording mechanism. A critical system should always failover securely and a voter verified paper trail, if implemented properly, can meet that need for DRE machines.
2) Re:paper trail?
by Thansal
Sort of a follow up, how do the states/districts decide what machine to go with? Is it a standard "go with the lowest bidder", is this why we see such shoddy machines going into action? Do the decision making organizations tend to have specific features they look for? Anything else you would like to share about the decision making processes that you have seen?
Hugh: There are a couple of key things to keep in mind. First, there are only a few main machine suppliers. Second, the Help America Vote act (see http://www.fec.gov/hava/law_ext.txt) provided a ton of money to invest in electronic voting machines within a short (debatably unrealistic) timeframe. Given these two factors, the sales that I've seen have boiled down to readily visible machine elements like purchase price, how many other places have used the machines successfully, deployment cost, maintainability, ongoing service/maintenance cost, personal relationships, etc.
Generally, buyers of this technology aren't factoring in security: the machines pass certification lab tests but the testing doesn't cover security well (or at all). The National Institute of Standards (NIST) is working on certification procedures to address this very problem and the hope is that security will factor prominently into buying decisions made in the future. Hopefully existing machines will be retrofitted to meet those new standards too.
3) Largest Inherent Flaw?
by eldavojohn
In your opinion, what is the largest inherent flaw within electronic voting systems today? Diebold's been in the news for having many potential problems ranging from securing the physical hardware to the ability to hack the software or firmware. I'm sure you're quite prepared to pose a case against implementations but can you think of a more intuitive scheme (encryption, network layout, verification scheme) to protect against "hacking our democracy?"
Hugh: The biggest problem with e-voting isn't technical; it's procedural. Ignoring the perennial social voting issues (voter suppression, dead people voting, etc.) there's no real guidance given to elections administrators on how to safely and effectively use electronic voting equipment. If one has no idea what a memory card is, why would you bother trying to secure it?
One glaring example of bad procedure is 'sleepovers', a practice where voting machines are sent home with poll workers before an election to make the process of transporting them to polling places on election day easier (see http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9002204 for some info on this). If one were dealing with a box to hold ballots, 'sleepovers' wouldn't be a problem because the morning of the election a group of poll workers could inspect the box and verify that it was empty (including the old false bottom trick; see 'Stuffer's ballot box' at http://americanhistory.si.edu/vote/paperballots.html). If election officials knew the risks of tampering with some of these electronic voting machines (just search Slashdot for 'e-voting' for examples) then a voting machine sleepover suddenly seems like a pretty bad idea.
Right now we're at a point where election supervisors and poll workers are given a technology that they don't understand with little or no guidance on how to use that technology safely and securely. That's a recipe for serious risk, for voting or anything else.
4) Here is my question...
by Noryungi
Let's assume for a moment the 2006 US House/Senate election goes this way: Republicans keep control of both through a series of smallish victories, Democrats gain a few seats, and the results are explained away in the mainstream media as "fluke results", "margin of error", etc...
How do you prove that foul play (hacking) has been involved?
Do you even have a plan in place to check the results?
Please note that this is a very serious question. There was a saying, a few years back, that said a novice hacker is someone known in a small circle, a confirmed hacker is someone who is known all over the Internet, and a great hacker is someone who is totally invisible.
What if the election was subtly hacked, in a way that left lingering doubts (51%-vs-48% kind of results and all that), but no solid proof?
Hugh: First it's important to define e-voting security as a technology issue and not a partisan politics issue; what we've seen so far has been bad software and bad procedures to administer that software. Given the types of vulnerabilities that have been found, proving (and sometimes even detecting) foul play can be very difficult if the malicious person is skilled and the effect is minor (meaning a small percentage of the actual votes cast). For the types of vulnerabilities uncovered in some of the touch screens, optical scan readers, and backend tabulation systems, exploits can be written for some of them that are 'self erasing.' This means that the last executed bits of code can change things so that it looks like the original which could make slight tampering difficult to detect or prove in purely electronic systems. I think this argument speaks to the need for a voter-verified paper receipt so that there will be at least a good answer to the recount question.
5) OSS?
by Xzzy
Does the HBO show spend any time discussing the three "sides" to the debate? E-Voting, open sourced e-voting software, and paper voting? The last Slashdot article on this topic, when Diebold's complaint was announced, spent some time on this. The worry being, the debate is nothing more than "e-voting good" or "e-voting bad", ignoring the possibility that "open source e-voting" might be a viable middle ground.
How do you think open source could fit into this issue? Or should it?
Hugh: When it comes to voting, I'm not sure if it's a matter of open vs. closed source but instead a matter of standards and inspection by people who understand security. I'd be a fan of any solution, open or closed source, that allows trusted, knowledgeable, and independent software and hardware security practitioners the ability to inspect the systems and the code that runs them.
For example, I believe that there should be some sort of standards organization that is chartered with inspecting the system AND has proven security expertise to act as a representative of the people. For airplanes we put faith in FAA and airline carrier safety and security inspections. This kind of process has worked pretty well for a long time for machines that we place our trust in like airplanes, elevators, etc. but we're still a long way away from it in voting unfortunately. If the voting systems were open source, this may come automatically as a function of the 'citizen inspector' and might get us to where things should be faster but I think its still possible in a closed-source environment.
6) Pen-and-paper voting
by NetDanzr
What, exactly, is the argument against pen-and-paper voting? It seems to me that everybody wants to migrate to voting machines - electronic or mechanical - but so far nobody has explained to me what's wrong with good old-fashioned "put an X next to your candidate's name" voting.
Hugh: There are some pretty interesting (and legitimate) drivers behind e-voting and I'll go through the biggest.
The first is a push for disabled voters to be able cast their ballot using the same mechanism as able-bodied voters in a non-assisted way. Many states have mandated that machines must be able to service blind and illiterate voters and section 301 of the Help America Vote Act (HAVA)requires that such facilities at least be available (see HAVA section 301 from http://www.fec.gov/hava/law_ext.txt). Most touch screen machines do this through audio output to a headphone jack.
Another driver is the desire to capture voter intent unambiguously. Every year thousands of votes aren't counted because there's some ambiguity in how the voter intended to vote. In pen and paper voting, someone can put Xs (or shaded-in ovals) next to two candidate names instead of one or make a stray mark on a paper ballot which may lead to some late night debates involving lawyers and magnifying glasses. One of the hopes for e-voting was to drastically reduce voter intent ambiguity by guaranteeing that someone couldn't vote for multiple candidates in the same race simultaneously.
Efficiency (theoretically) has been another driver, more so in counting than in the actual voting process itself.
The sum of these present a good case to at least rethink pen-and-paper as the answer but, as with any new system, care has to be taken that the solution fixes more problems than it creates.
7) Why is it so hard?
by gorbachev
As a software engineer I'm constantly amazed at how incompetent Diebold and other companies making e-voting applications appear to be. This stuff is not rocket science at all, but fairly uncomplicated, basic software engineering.
Why do you think it's so hard for Diebold and other companies to come up with solutions that work well? Is it a stubborn unwillingness to listen and learn from critics, sheer incompetence, or something else?
Hugh: We've certainly seen some pretty glaring security problems in voting machines that span touch screens, tabulators, and optical scan devices. We've really seen problems across vendors too. The biggest problem I think is that there's no real economic driver to make the systems more secure. The people that buy voting machines typically haven't discriminated based on the security quality of the machines because they have no visibility into it. It's like buying a car without something like consumer reports crash test ratings. Unless someone actually starts looking at machine security and comparing it then we're left to making buying decisions based on qualities we can see like purchase price, market share, and whatever unsubstantiated thing the vendor wants to tell us about features and quality. Even given some of the vulnerabilities that have been found, and supposedly fixed, we're still no better off. If you determine that company X has vulnerability Y in one of their voting systems who's to say if the competition's voting system is any better or worse? We are at the point now where we know the systems that have been looked at are sub-par with respect to security and hopefully that's enough to spur consumers (counties that buy the machines) to start asking some tough questions to vendors about security and get us to a place where they can factor security quality into their buying decisions.
8) On Open vs. Closed Networks
by the-banker
It has always seemed to me that the real Achilles heel of e-voting is the networked approach that most vendors have taken. With a networked approach, fraud can be perpetrated on a mass scale if entry is gained at one weakness.
As a former election judge, I have enough experience to know that rigging a paper election is a daunting, nearly impossible task, as there are literally thousands of ballot boxes that would have to be compromised for any sort of advantage (on a state or national scale).
Are these concerns balanced (or even discussed) when officials are purchasing equipment? Do local Board of Elections have not only the expertise, but the concern to ask the right questions? And how do BoE directors react when they hear about your concerns and research?
Hugh: I agree that networking machines together is a serious risk certainly from a scale-of-attack perspective and unfortunately some counties continue to modem in results from polling places using procedures that are insecure.
I think the bigger issue is visibility and awareness; election officials just aren't given procedural guidance on how to administer the systems securely. The result is risk and I think many of these risks aren't weighed with the proper magnitude by election officials because it's unfamiliar territory. I think that most Board of Elections officials are good people who want to do the right thing but just don't know what questions to ask vendors about security and don't know how to interpret their answers. This isn't just a problem in voting, it's a problem with software security in general and I think it's important that if you're investing heavily in a software-based solution that you ask hard questions about security. I think a good starter set of questions to throw at software vendors (voting or otherwise) is:
- What process improvements have you made as a result of vulnerabilities reported in your software?
- What is your patch release (or update) strategy?
- Have you had an external (and reputable) security auditing or penetration testing firm evaluate your system? Can we see a summary of their report?
- Can we have our own security auditing firm evaluate your system?
- Do you have a dedicated team to assess and respond to security vulnerability reports in your products?
- What is your vulnerability response process?
- What training do your development and testing groups receive on security?
- What percentage of your test team is focused on security?
- What are the terms and period of your security support agreement?
- Do you offer security training, documentation or guidance to people that will be operating your system?
9) The greatest threat to e-voting?
by sharkb8
Do you think the greatest threat of an e-voting system being hijacked is during the voting itself, with one or more people influencing things at the polling place, during the processing, with untrained, nonaccountable poll workers and supervisors, or do you think a greater threat would be someone maliciously attacking an electronic vote counting repository/database?
Hugh: In terms of attack, the greatest risk is still probably a people risk; and that has existed for a long time. The concern with e-voting is that some of the vulnerabilities found make it so that the number of folks that would have to be involved to tamper with results is fewer than before and that their efforts may scale. From that perspective I think there's risk at each stage of the process from how voter registration databases are stored and secured, to how they are cast on election day, to when they get aggregated at the central tabulator. The 'riskiest' piece of the process actually varies from state to state and county to county based on the procedures they have around security. In some places the biggest threat may exist in registration databases that are stored on unprotected servers. In other counties risk may come from poll workers that election officials know very little about who are allowed to take voting machines home the night before elections to make the setup process easier the next day. In others, the biggest risk might lay in the central tabulator which is housed in an unlocked room, where many people enter and exit throughout the day.
Many of these risks could be reduced by poll worker training and procedural change on how machines are operated and secured.
10) Is the Harm Really that Great?
by logicnazi
I am saddened and dismayed by the poor engineering and ignorance of basic security practices that our electronic voting machines show. However, is this really something we should panic about or even the biggest problem in our election system?
All voting systems are vulnerable to fraud. What makes these electronic systems different is that one or a very small number of individuals can engineer a fraud. However, their ability to execute a fraud is limited by the media polls (we will suspect something if the results are inexplicably different than polled) and knowledge of precinct history. Thus the danger from individuals changing the vote seems to really be that they will shift a close race (say 10% apart) one way or another.
However, this sort of shifting close races doesn't greatly degrade the structural force of voting. All candidates will still try to enact policies to garner support whether they need 50% of the votes or only 45%. Much of voting is random, affected by things like personal charisma rather than policy questions so clearly the system doesn't work because we always have the person who 50% want but rather it works because of the structural pressure not to stray too far from what the people want. Or to put it in political science terms, what does all the work is the tendency of all candidates to shift to the middle so in the long run who actually wins each race isn't so important.
But now comparing the potential for electronic vote fraud to things like machine politics (with conventional ballot stuffing), safe districts, voter disenfranchisement efforts, felon lists etc.. etc.. it doesn't seem like it is such a big deal. Making sure the polling places in the inner city don't have enough machines has a much bigger structural effect, by making sure one group's votes don't count at all, than just giving one candidate a random 10% of the vote. Creating a safe district removes virtually all of the structural pressure of voters on government and it seems far more effective and less dangerous to accidentally strike the wrong people from the rolls or put too few voting machines in some precincts.
In short are we letting our concern over the technology of voting blind us to the bigger issues? Shouldn't we be paying more attention to who gets to vote, how districts are drawn and other conventional aspects of voting than to the potential for individuals to electronically cheat?
Hugh: I think that the flaws we've seen with electronic voting are only a piece of the problem and that the largest issues we have in voting are people ones. The technical flaws, though, may amplify some of the classic people threats. As you pointed out, some of the vulnerabilities may allow a malicious person's actions to scale or may mean that a smaller number of people to have a bigger influence. Even just within the space of e-voting security I'd argue that many of the risks that come from machine vulnerabilities can be greatly reduced if we had some sound broad procedures/education around using and administering the machines securely.
The voting process has always posed some significant challenges. E-voting security is a small piece of the larger problem. It is a piece that we know we can do something about, though, by establishing some basic security assessment standards for the machines themselves and some procedural and education standards for those that administer elections. The biggest sin would be that e-voting vulnerabilities merit a prominent place on the laundry list of voting problems in years to come. I think we're at a point where some simple things can be done to move it off that list and I hope that some of the standards efforts that have begun now in earnest get rolled out so attention can be focused on other ongoing voting challenges.
....hence, there's no electronic voting fraud. None whatsoever.
When the Republicans win again, it'll be a story again.
I demand a recount!
Problems with paper and electronic voting aside, I think what we really need is secure tallying.
What I'm envisioning is some kind of method where votes can be tallied, and the running tally can be periodically published during the count. I imagine it would have some kind of hashing technology, like PGP, where tallies are perhaps encoded in a string, and the string is published. The hashing token, or whatever mechanism allowed a vote to be legitimately added to the tally, would be passed from one voter to another, after they voted. This puts the power to count votes into the hand of the voters, rather than a poorly-trained election volunteer, a partisan, or a hackable machine. Because of the constraints of the token and hashing, a voter can only vote as they are allowed, without destroying the tally hash string.
Unfortunately, this is [X] a highly technamalogical solution, and while it might be possible, it would be difficult to get people to understand, and thus endorse it.
Computers are useless. They can only give you answers.
-- Pablo Picasso
Very good discussion. This has answered questions that have been itching at the back of my mind for a while.
Comment removed based on user account deletion
I have decided that paper is the most reliable backup/journal mechanism.
I have decided that instead of using DVD media to backup, I am going to print 2d bar codes to paper for every disk operation. Also, I will print the operation in english so I can verify that it did the right thing.
Then if I have a disk crash, I just just scan in each operation in sequence to restore the disk.
Yes, you probably think I am sarcastic and you will tell me that paper lets you verify the vote and allows spot audits.
I would say that the "paper trail" addresses a media/news issue rather than a technical one.
This demand for paper backup is an odd hope that 100 year old cash register technology is the best.
One could accomplish the same thing, by writing the vote, and a human readable JPEG image to DVD, and show the image to the voter for verification.
Or if DVD is too high tech, use microfiche,...
Why not have online voting?
The federal government could fairly easily create a webserver with logins for 300 million people. Each person would be given a userid and password. This could be sent in the mail or given online after supplying social security number and birthday, etc.
Congratulations. Now your vote is tied to your social security number. The whole point of a ballot box is that the votes are uncorrelated with the voters. The total number of votes == the total number of voters, but we don't know who voted for whom.
As to your other questions? Do you really think stretching out the vote for a week or month will increase accuracy? I have my doubts.
As seen here:
Clear Evidence 2006 Congressional Elections Hacked
"We see evidence of pervasive fraud, but apparently calibrated to political conditions existing before recent developments shifted the political landscape," said attorney Jonathan Simon, co-founder of Election Defense Alliance, "so 'the fix' turned out not to be sufficient for the actual circumstances." Explained Simon, "When you set out to rig an election, you want to do just enough to win. The greater the shift from expectations, (from exit polling, pre-election polling, demographics) the greater the risk of exposure--of provoking investigation. What was plenty to win on October 1 fell short on November 7.
"It is a greater offense to steal men's labor, than their clothes"
Any relation to Jack Thompson?
"It is a denial of justice not to stretch out a helping hand to the fallen; that is the common right of humanity."
The simple reason they don't want you voting at home, is because it's supposed to be a secret ballot. There's no way of knowing that the vote is secret if you are at home.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
Comment removed based on user account deletion
Every year thousands of votes aren't counted because there's some ambiguity in how the voter intended to vote.
This is ridiculous! If a paper ballot has an ambiguity and won't be counted, it should be flagged as such as soon as it's inserted into the machine so that the voter can have some sort of opportunity to ensure that their vote is counted. This is a terrible argument for touch-screen voting.
Think about this for a moment; this means that things like ballot ordering or candidate name has an influence on whether or not your vote will even be counted, and you wouldn't ever know.
I pity the foo that isn't metasyntactic
>Why do we all need to vote on the same day?
I believe the theory behind the law is to avoid gamesmanship and discouraged voters if the results are announced before voting finishes.
>Why do we need to congregate at designated areas?
Because coercion and vote buying is part of the threat model. Go into a booth where nobody can see you vote and both threats are mitigated.
>I can do my banking securely online, why not vote?
You can't, not in the age of phishing. Further answer from Bruce Schneier's blog: One of the dumber comments I hear about electronic voting goes something like this: "If we can secure multi-million-dollar financial transactions, we should be able to secure voting." Most financial security comes through audit: names are attached to every transaction, and transactions can be unwound if there are problems. Voting requires an anonymous ballot, which means that most of our anti-fraud systems from the financial world don't apply to voting. (I first explained this back in 2001.)
>I just don't see security being a huge problem.
Stolen passwords, shared passwords, forgotten passwords, keyloggers, mysterious 500 errors, undue influence applied to vulnerable voters, difficulty in reaching poor or highly mobile voters. I'd go on but I have to run an errand.
The voting period could span several days or weeks, instead of hours.
Oregon uses vote by mail, and other states do have absentee ballots, so this process is (somewhat) available, depending on state law. An interesting side effect is that there is no campaign climax if people are voting over a two week span. Essentially, some people are choosing to vote without all available information, because they're voting before the campaigns are over.
The federal government could fairly easily create a webserver with logins for 300 million people. Each person would be given a userid and password. This could be sent in the mail or given online after supplying social security number and birthday, etc.
Secret ballots allow two important things: safety from coercion, and a prevention of the selling of ones vote. You can't be coerced if your vote is a secret vote with no receipt, and you can't sell a vote if you can't prove you actually voted the way you sold. There are some cases where people don't vote in secret -- see the question above, as well as instances where people with a handicap (blindness, for example) are assisted with their vote at the polling place. But, the vast majority of votes are cast in secret. Voting online prevents these guarantees, as well as guaranteeing that the person who cast the vote is the same as the person with the right to vote. Admittedly, this guarantee isn't 100% for meatspace voting, but the threshold is generally pretty high, and the chances of getting caught -- with a police officer right outside the door -- are high enough to keep nearly all people from becoming impostors in meatspace.
Furthermore, the diffuse system we use to collect and tally votes helps to prevent a single "hack" swinging an entire election. A single person would have a hard time stuffing a ballot box to swing a major election with paper ballots; a networked election, however, doesn't have that safety.
Finally, voting is a states rights issue -- with the exception of some specific issues like race in Constitutional amendments. Therefore, the US gov't can't make rules or collect votes for the states without each state's consent.
Your last point, that
I just don't see security being a huge problem. Every single voter could self-monitor that their vote counted by logging back in to make sure that no hacker had changed their vote.
has tremendous problems. (1) What if my vote was changed and I claim it was changed? (2) What if my vote wasn't changed but I claim it was changed? (3) How does this guarantee against any other kind of tampering, incorrect addition and subtraction, etc.
Voting on a network is putting all your eggs in one basket, and so is generally a terrible idea.
Support a few technologists in Washington.
Comment removed based on user account deletion
Why do we all need to vote on the same day?
Why do we need to congregate at designated areas?
I can do my banking securely online, why not vote?
Why not have online voting?
Because the day we have online voting is the day I come to your house, put a gun to your head and demand you vote for George W Bush. At least at the polling place, there are poll workers to ensure that no guns make it in, and no reliable reciept makes it out.
Have a look at Three Ballot Voting. Now, there are several critiques of Three Ballot voting out (I just found them, so I haven't read them) which may turn to point out that three ballot voting isn't a good idea, but the main point is that the paper is simple enough that someone can read it and understand the principles at play in an election.
Not true. Here in Oregon many (most?) people vote by mail. You fill in the ballot, but the ballot in the secrecy envelope, and then put the secrecy envelope in the mailing envelope and mail it.
Think outside the... Hey, where'd the friggin' box go?
If you are allowed to vote from afar someone else can force you to vote the way they want. Husbands can fill out their wives ballots and make the wife sign it then send it in with their own. When you make everyone come down to the polling place, you verify that they are alive and no one is forcing them to vote one way or another.
Wait, you say, most states already allow voting over serveral months, from anywhere, from people who may not even be alive, with little control over whether the vote was bought, or coerced, through absentee ballots. Well, mail has been around alot longer than the internet, just give it awhile, the web will catch up to voting fraud soon enough. (:-)
All ideas^H^H^H^H^Hprocesses in this post are Patent Pending. (as well as the process of patenting all postings)
Comment removed based on user account deletion
"Why do we all need to vote on the same day?
Why do we need to congregate at designated areas?
I can do my banking securely online, why not vote?
Why not have online voting?"
There are some institutions in our society that have a vested interest in lower voter turnout.
As far as your first concern, your best bet would be to start a petition for a constitutional amendment. The US constitution calls for elections on the first Tuesday after a Monday in November, so that needs to be amended to have voting at any time other than the first Tuesday after a Monday in November. You need to rile up enough people to contact either their state or national representatives to call for an amendment. Here's a start for the process:
"Article Five describes the process necessary to amend the Constitution. It establishes two methods of proposing amendments: by Congress or by a national convention requested by the states. Under the first method, Congress can propose an amendment by a two-thirds vote (of a quorum, not necessarily of the entire body) of the Senate and of the House of Representatives. Under the second method, two-thirds (2/3) of the state legislatures may convene and "apply" to Congress to hold a national convention, whereupon Congress must call such a convention for the purpose of considering amendments. As of mid-2006, only the first method (proposal by Congress) has been used."
As far as voting online, it's up to the states to decide how they want to conduct their elections. We already have mail-in voting, so I don't think it would be too much of a jump to get on-line voting.
Computers are useless. They can only give you answers.
-- Pablo Picasso
Comment removed based on user account deletion
So you are against the mail-in ballots that most states have at this point?
Computers are useless. They can only give you answers.
-- Pablo Picasso
Guarantees it. In fact from experience we *know* online banking is insecure but because it still saves the banks money in the end its a cost they are willing to accept. Who is going to guarantee your vote and whats their motivation to protect your interest?
Quack, quack.
Internet voting has been pretty much dismissed for the near future until the security/availability/connectivity issues have been resolved. As it stands now, would you trust it?
The voting period could span several days or weeks, instead of hours.
I've never quite understood this. Between absentee voting, early polling at a central location, which most cities do, and the half-day or more that polls are open, how is it that people don't have the time to vote?
The federal government could fairly easily create a webserver with logins for 300 million people. Each person would be given a userid and password.
How can you be completely certain that everyone is who they say that they are and that they should be permitted to vote (not an ex-felon, etc)? And how would I know that the site I'm going to is actually an election site rather than a fraudulent one? It happens with banks now, do think that it'd be any less of a problem with voting sites?
Someone at the federal government could easily create an image of a simple secure OS and browser that could be put on any x86 PC owned by a local library or school.
Hmm, OS wars, anyone? Besides, almost all of the schools and libraries that I know of have a very limited number of computers available for use and generally don't have a whole lot of space for them. Do you propose that we deny students the ability to do work on school computers for a week while balloting takes place? Remember, if what you propose occurs, someone's going to have to come in ahead of time and reload all of the systems with the "secure OS" and voting software. Then they're going to have to come back to restore the systems to their previous configuration. Where do you think that they'll get the people/money to do this?
> Why not have online voting?
In asking all your questions and speculating on how easily you could design a secure voting system, you have forgotten the most important property of free and fair elections.
They are conducted by SECRET BALLOT.
SECRET BALLOTS are ESSENTIAL free and fair elections.
If it is possible to check how somebody has voted, it will become easy to apply pressure on people to vote a certain way. For example, wives will tell their husbands how to vote and check over their shoulder as they cast their votes. They will check again after the election, and savagely beat their husbands if they have dared to change their vote in the meantime.
Another example is that secular progressives and humanists will no doubt send their logins and passwords to their spiritual leaders, and leave them to vote in their stead. They will let their masters vote for them. I can already see Theo de Raadt, a well-known Canadian guru, receiving thousands of voting logins and passwords from his disciples.
> I can do my banking securely online, why not vote?
Well, because banking isn't the same as voting. When banking, you want to have a complete log of all operations. When voting, nobody else must know how you voted after you did - not the government, not your spouse, not your spiritual leader. Only you must know how you voted.
This presents a set of challenges entirely different from banking.
> I just don't see security being a huge problem.
That's okay, very few people can understand why security is so hard. Amateurs who have a few basic notions think they know it all, they think they can solve the hard problems if only people would listen to them. Amateurs think that they have thought of a unique solution to all of our problems.
When you start to understand how complex those security issues really are, you see that a single man cannot solve it all, and that there are no easy answers. I do not claim to have a solution. However, I say that if it were so easy to do, there would be a good solution out there already. Since there isn't, I assume that it's a hard problem, that will require huge efforts to solve, and in the end, the solution will be imperfect.
Don't we have techniques for storing data without making certain connections?
I.E. store my vote, but never attach my vote to my name in a way that is visible to anyone, unless it is necessary due to allegation of fraud or mistake?
So is it attached, or isn't it? If it is, then I have to trust my government -- a government I may be trying to vote out of office -- to not look at how I voted and take reprisals. If it isn't attached, then how can it be audited? If it can't be audited, that throws out an advantage of the proposed system.
Federalism:
I'm arguing policy, not law. A constitutional amendment can quickly change the law, nevermind voluntary adoption by all 50 states.
You can't have the policy without the legal framework, and no constitutional amendment can be adopted quickly, by design. Furthermore, I'd argue that the diffuse, states-rights system we have now is superior to a federal voting system, precisely because it does help prevent the federal government from undermining the democratic process itself.
"What if my vote wasn't changed but I claim it was changed?"
Then you are a liar, and we will look up the records and see. Fraud = prison.
So if my vote gets changed, I blow the whistle, and I can't prove it... then *I* go to prison. This seems like a perfect system for a totalitarian government. You vote the way *we* said you did, and if you say otherwise, to the gulag!
"Voting on a network is putting all your eggs in one basket, and so is generally a terrible idea."
This is the only argument you make that I am at all persuaded by.
But I still think we can make it work. The likelihood of an UNDETECTED hack is low if you have webservers run by skilled people, right?
Low isn't good enough, if one hack can wreck massive havoc on an election. The distributed, non-networked system we have now would require a massive conspiracy to have significant odds of changing the outcome of a presidential election. State elections have similar protections because each town has a different counting system, unlinked. A networked system requires you to trust that the sysadmins are always superior to all outsiders, and are above being influenced. I'm not so sure I'm happy about that system, especially given that most people simply don't know enough about systems administration to have faith in the entire framework. Most people do know how to count, which means that they can audit a paper trail ballot even if they can't be sure the initial count is correct.
Support a few technologists in Washington.
The simple answer is "Vote Selling".
I think we should switch to optical scan ballots EVERYWHERE. Yes, the "voter filled in both candidates" problem still exists, but do we really want people that stupid influencing our political decisions anyway? If they invalidate their own ballot and don't even notice, screw 'em, that vote doesn't count. It's not like the 'hanging chad' thing where a reasonable attentive voter might not notice their ballot is invalidated.
With optical scan systems, there's always a paper trail that one can go back to. Yes, the scanning systems and vote tabulating systems are still vulnerable to attack, but at least it's POSSIBLE to do an accurate manual recount if it becomes necessary.
Why do we need a voice recognition machine that disabled people can use? That's why we have POLL WORKERS, so someone can help a disabled voter. Illiterate voters? Um... how did they vote before there were voice recognition systems? They have to either trust a poll worker or trust the voice recognition system, and if I was illiterate I think I'd rather trust a poll worker.
include $sig;
1;
Haven't there already been several instances of claims of this kind? Isn't it the case that systematic problems with exit polling (and other polls) make it very difficult to make strong, credible claims about election results?
It seems like 10% is a fairly significant margin in most races, so I'm not sure why one would treat this as though it were a small thing. I do appreciate the point that somehow this may not change the structural correcting force arising from elections, but I do think that it can cause a situation where you have tyranny of the majority (or even a large minority). If a politician has a buffer zone of 10%, that may allow him to pander to one particular consituency while completely ignoring all others, as long as the buffer zone is enough to have him safely reelected. Persumably, in the fair election a politician has to aim to satisfy not just a majority of constituents but a sizable enough majority to ensure victory. So, it seems like such a vote buffer might still really lead to very significant qualitative change. If nothing else, one can look to how differently a legislature operates when the majority party has a margin of a few percent of seats versus when they have a margin of, say, 10%. In the latter case, one often sees compromise all but disappear.
I guess another way to look at it is that policy difference can be quite large, even between relatively similar political candidates. People thought, for example, that Bush and Gore were pretty similar, and in many of their policies they were (when compared to the larger spectrum of political ideologies, compare with people like Bernie Sanders or Pat Buchanan). If you believe, however, that the Iraq war would not have happened under a Gore presidency (seems at least plausible), then we're talking about thousands of U.S. soldiers dead, tens of thousands wounded, tens or hundreds of thousands of Iraqis dead, hundreds of billions of dollars spent, and the fate of an entire nation radically changed. No matter your feelings about the Iraq war, my point is only that this is, indeed, quite signficant. I'd have a hard time trying to argue to the families of all those dead and wounded that it isn't.
I appreciate the point that people aren't voting based on perfect (or, perhaps, even good) information anyway, and there are many other ways to steel elections, but it's hard to see how you can face up to facts like those just mentioned and not at least try. In any case, as Dr. Thompson alluded to, it's a false dichotomy. It's not as though you have to choose to fight only one source of fraud, and it will take different people with different expertise to combat each.
"You call it a new way of thinking; I call it regression to ignorance!" -- Operation Ivy
If the hacker can alter the tallies in the machine -- why can't he also alter the tallies that the machine prints out? I mean, once data enters a computer, whomever 0wn3d the computer also owns the data coming out of it. A paper trail won't help.
Maybe machines that create or mark paper ballots from our input, and we can then compare that to the original.
Dear Sir,
We regret to inform you that due to a recent systems error, your voting account information has been lost. In order to prevent your removal from the system and inability to vote, we sincerely ask you that you verify your identity by reply to this email with your full name, voting account number (Social), your voting password, and your address.
Thank you, Voting Accounts Administration Department
i agree with you, one point people havent made is that if you can vote by phone or mail, then it should be available via the internet, as they all would carry the same "vulnerabilities" such as risk of a vote being coerced. Jefferson said we need to review the constitution every 20 years, because our forefathers new countries change, people change, culture changes, and the laws need to change too. vote by internet, verifiable with a paper print out for the user (encoded so forgeries are not easy to do) and if bank transactions are easy to do online because you can trace them back to the person, then how do i we verify our current votes with our current voting practices, perhaps with our new methodology we can make this an advantage of the new world voting schema.
Actually here in Toronto we had a type e-Voting system done up for the municipal elections.
:)
You are actually given a paper ballot to fill out. You take the paper ballot to the ballot box which is then put into what looks like a scanner of some sort and it put into a taped up box. The scanner detects if your ballot is valid or not and I presume if it isnt the give you another ballot (since if it was invalid it wouldnt be counted on a manual recount). After that I think its just a matter of calling in the results to wherever the central office is and telling them who gets to celebrate.
The beauty of this system is that it works on the same principles we've used for the last 100+ years in elections. Paper ballots, technology that people are comfortable with using. If any problems arise you can always pull out the paper ballots and count them by hand. As any security professional will tell you having back-ups is always good.
Also I'm sure the machines in the US that use hard drives could all be given 2 Hard Drives and a RAID1 on them. That way both drives would have to fail for anything bad to happen. We all know that in the 24 or so hours that these machines are going to be in operation that the odds of both hard drives failing at the same time would be minimal unless someone dropped it, then again you could always do like the OLPC project and put internal USB drives in there since its not likely you need more than 2 GB to record down a few thousand votes
Picture this if you will... (i rip off tool lines ok..)
.....
I'm using this past Nov. election as example.
Current: You go to vote. You sign the registrar, go over and get your e-voting ticket, and head to an open e-voting machine. Type in e-voting ticket number & choose your candidates, and hit the big red button(vote).
Future: You go to vote. You sign the registrar, move over to get your e-voting ticket, which is also a flash print paper, for vote comparison( think about the size of a scantron, or smaller...). You go to open e-voting machine, insert the paper into an imager cover on the right. You place your ticket in there, close latch. Once it seems it has the ticket, an e-voting number is now assigned and burned into the paper. Now you proceed to choose your candidates. You double check then hit the red button (vote). This does 2 things: 1 submits all choices to normal voting database, and also burns an image of all elections, and the candidate names you chose onto the scantron, flash paper. No printing. The image is burned on, and easily readible, IN ENGLISH!!!!!!!!! T Once finished, you lift the latch, remove your ticket. You proceed to leave the booth, tearing at the perferation halfway down, to put your ticket into a ballot box, to be counted and compared against the electronic voting database. The bottom half is an exact visual copy of the top, which is for your own record. It contains your e-voting number assigned by the system and the list of candidates you chose. The same thing that will be used for the hand count.
First, you eliminate the need for people printing something. Nothing is printed at the registrar table, it is all done at the voting machines. And, its not actually printed, its flash scanned onto the paper. No moving parts. It uses light, and light-reactive paper. Second, you have 2 counting measures here: electronic, and ballot. Third, you have a visually verifiable record of the manaul count ballot for yourself that you can
A) take home
B) submit to 3rd party independent vote trackers
This type of system, with 2 count types, and a voter able to retain a record, for possible submission to 3rd party independent vote tracking, would ease most of my worries about the count. Oh, did I mention if there is a greater than 0.001% discrepency between the electronic and paper ballots, the vote is redone???
I find it hypocritcal, yet all to American that voting has been sold out to capitalism, all under the approval and support of our elected officials. I think the irony in our democratic process just exploded. Don't you?
A bit off-topic, but when it comes to longevity, paper records are hard to beat (with the possible exception of stone tablets). Check out this interesting article :Paper Trail - Can Digital Media Match The Longevity Of Plain Old Print?
Support Right To Repair Legislation.
I have decided that paper is the most reliable backup/journal mechanism. I have decided that instead of using DVD media to backup, I am going to print 2d bar codes to paper for every disk operation.
Actually, I think Slashdot covered a story on this a couple years back, with a company that had developed a way to store around 1GB of data on a standard 8.5x11 page. 256-bit color 2D barcode at 1200dpi would do it, I guess. More seriously, I was told by a chap at the Corning Glass works that the most important material for backup there (financials data, IIR) gets printed direct to microfiche.
Alas, this seems irrelevant to voting issues.
//Information does not want to be free; it wants to breed.
Dude, it is not the unarmed 98-year old WW1 veteran at the polling place that prevents gun-wielding maniacs from forcing people to vote a certain way.
Of course it is. Because the 98 yo vet has to put his signature on your ballot, and he's not going to do that if there's hanky-panky going on.
Si vis pacem, para bellum
The only thing more annoying than a Libertarian is an (un|mis)informed Libertarian
Where I vote, there is an armed uniform officer. You give your name to and address* to an election judge, they hand you a ballot and cross your name off the voter role. The ballot is paper and you mark your selections by filling in ovals with a black felt tip marker. After you come out of the booth, you give your name to to the officer who crosses you off a second list. Then you insert your ballot into the ballot box which has a built in optical scanner.
The whole process took 10 minutes from walking in the front door to walking out again. I didn't have to show ID. I can see the utility of computerized systems for giving independence to disabled voters, but I don't understand the mad rush to implement it for the general populace.
* If you are homeless, you can describe or draw where you spend most of your time on the voter registration form. I don't know how they find you in the roles, presumably there's a "none" heading under addresses.
Pregnant chads. Don't you remember?
I cannot believe that this PhD's only concerns over paper trails and voting is the cost factor. THE biggest issue with paper trails is that they are reciepts of a voter's record. If voters are allowed to leave the polling place with an official record of how they voted in their posession, they are vulnerable to both bribery and extortion. The opportunity for groups to apply pressure to voters to make certain ballot choices and then present the proof afterwards for either a cash reward or a guarantee of safety from physical harm is not only possible but almost guaranteed if this were to happen. A paper trail is important, and can be done under one and only one situation. Voters make their choices and sumbit their ballots. A paper record is produced. The record details their votes and has a code which links it directly with the vote cast. The voter examines their ballot, agrees that it is a correct representation of their choices, then places this ballot in a sealed and locked ballot box. Without that paper ballot's existance, the voter's vote is invalidated. Issues still remain with this system. Something similar to the old style ballot submission method must be done. The paper ballot must be placed into a container which allows the ballot to be identified as true, and to be scanned to be verified as matching with an existing cast ballot. The container must hide the ballot record from the eyes of handlers. This way the voter can present the ballot to a volunteer. The volunteer can identify the ballot is real, and scan it. Once scanned, the ballot must be transferred to the ballot box to be kept in case a manual recount is ordered. Unless these steps are taken, paper reciepts of voters choices are a liability rather than a safeguard to the system. That this supposed expert didn't say anything about this is extremely disheartening to me.
>I can do my banking securely online, why not vote?r _atm_hack/
thats been the argument about diebold, and your response is correct: even the ATM isn't all that immune from simple attacks.
http://www.theregister.co.uk/2006/11/18/mp3_playe
but, casting your ballot by US mail has to be a greater concern than casting your ballot by internet. Despite all the 3 envelops, signed sealed... that introduces 10 ways to disqualify/discard/... a ballot, with no notice if/why feedback to the voter.
it does seam obvious a seperation of the vote from the voters ID has to occur at some point. Currently that is done physically, because that is easy to verify by the voter, ie I check my name off, and I walk off with a dozen people to vote minutes later, with something that appears annonymous dropped before I exit. Of course that isn't fool-proof, with cameras everywhere, simply adding a time stamp when inserted into the machine and comparing to video exiting the poles would easily break that anonymity, so at some point, even with the current system you just have to trust the system at some point.
So trusting a web app, that is certified, and verified, and with verifiable source code is not (in reality) taking on a significantly greater trust, it just appears much different.
I am sure a good statistion will generate a public key/ private key algorithm that allows the voter to generate proof their id was verified with a couple public key choices made by a voter after id verification, and not traceable to the original identity, and mathematically proveable.
Internet voting would be a great concept if implemented correctly, but if they can't get e-voting right, imagine what they'd do with internet voting.
Not only that. If you shifted the vote by a huge amount (say, 100% to 0%), that would go a long way to undermining the voting system and producing panic in the population.
I don't like the internet solution very much. You have an anonymity problem that people have already mentioned, you have fairly serious security concerns too, and the computer access issues. Just like what Hugh mentioned above. A central server containing all this information has the flaw of being an entrance to mass fraud. And what happens when something does go wrong with counting? They report it and have to give up their anonymity to allow the recount of their ballot.
And of course you end up with alienating people who don't own computers or don't know how to use them. The purpose of the current system is to allow full accessibility. And if you have trouble using a machine, guess what, there's attendants there to assist you.
It's really not that hard to walk a few blocks to your polling place. So far, atleast in my state of Pennsylvania, they've done a great job of making our process accessible and easy. If there's a problem in your state/county, I'd recommend sending a letter to your DoE but I don't think internet voting is the way to go.
Bullish Machine Tzar
I agree that open source is only part of the process. But certainly open source is visible to anyone that cares to view the code. So if we assume that a visible process is required, doesn't it follow that the source code needs to be visible to an auditor? What is open source if not visible? It seems to me that open source is a consequence of having a visible process, so a claim that open source has nothing to do with the openness of a ballot process is contradictory.
Think global, act loco
The bottom line is that democracy is a farce. It's not the machines, or the voters. It's just like any other system, arranged from the top down. The person at the top has the real power. The people at them bottom entrust him with the power. How is this different than a king and serfs? It's not.
The only real difference is in our minds. We think that voting serves the same purpose that armed rebellion used to serve back in the day. We think that we can replace our leaders by voting if we don't like them. But really they are all from the same stock, multiple generations of the same families, over and over. If they aren't in government this year, they'll be in business and vice versa.
The fathers of this country knew this. It's built into the system. America is still very young but it was built to last forever. The system of checks and balances helps smooth out the instability over time. The problem is when a fluke (or fraudulent activity) arises (ie: 00 and 04) and one very small group gets ultimate power over all three branches, and has favors to cash in. A lot of great men have said that it only takes the right major crises to bring fascism... and it's for good reason. You need strong, powerful leadership during times of crisis. When most people are crying at home, depressed and unable to do anything, you need someone to stand up and make the hard decisions.
But when those decisions are mistakes, such as the decision to create a permanent state of war, etc. it seems pretty hopeless. We can only hope that some new great leader will arise and right the wrongs. It will happen eventually, somewhere. Maybe Europe will arise to be the new world leader? Maybe it will be China whom the world looks to for hope and guidance? The momentum the U.S. got from WWII is nearly played out. The baby boom will retire and we're going to be faced with the biggest economic crisis ever trying to feed 80 million vegetables. And we're worried about terrorists............
Cool! Amazing Toys.
voting security is all about the storage medium:
* paper is readable by the human eye and a voting machine can't change it once it's printed.
* computer memory can only be written and read with a computer, so the voter has to trust the hopefully not manipulated software to store and read his vote as he intended, he has no chance to check it himself. also computer memory can be changed in an instant without leaving a trace.
that's the two big reasons why voting machines without paper should be discarded as cars without safety belts or x-raying without lead-cover.
Comment removed based on user account deletion
Comment removed based on user account deletion
Comment removed based on user account deletion
I completely disagree with this ridiculous waste of money we've been spending in the US on electronic voting. The best solution by far is to do what Oregon does or what any voter can choose to do in California (and perhaps other states) which is get a ballot a month or so in advance and fill it out with a pencil. You don't have to mail it in, you can drop it off at the polling place last minute (usually the case for me).
Now, addressing Hugh's points to this question:
1] Disabled voters: Why in the world does it matter for disabled voters to cast their ballot using the same mechanism? With that logic, every stall in my workplace bathroom should be wheelchair accessible. Of course machines need to be available for disabled voters to vote, but these should only spit out a marked paper ballot that is identical to everybody else's and then get pushed into the same counting mechanism. This way the machines need no networking software, (ok, they need a printer, at least there wouldn't be that many of them)
2] Ambiguity: I just can't accept the idea it is difficult to make optical scanning machines that literally NEVER make an error an anything resembling a reasonable mark on a ballot, stray marks or not. How hard is it to compare the count on the number of black pixels (below a certain threshold of reflectivity) and award the vote to the circle with the most number of black pixels? Sure, there will always be voters too stupid to follow directions and will fill in two circles. I'm willing to optimize the ballot design for these people (i.e., no poorly designed butterfly ballots), but not to use them as justification for giving up on pen and paper.
3] Counting efficiency: I suspect this is a false economy. I need the overall cost it took to tally Oregon's votes vs. what other states have spent on machines. Then there is the wasted time of my legislators dealing with this stupid problem as well as the media covering it when they could be covering any number of other important issues.
We need improvements to the pen and paper system perhaps: uniform ballot design for the whole US, and a ballot that can accept ranked voting schemes such as for San Francisco's mayor, but I'm completely unimpressed by the effort to move to electronic voting machines.
Dara
The following applies to my personal experience in California's most recent election using electonic Diebold machines with register-roll paper trail.
and if a person is completely blind, how in the name of whatever Deity you believe in is a touch screen that they can't see going to help?
A Diebold HAVA-capable machine audibly reads the whole ballot and choices to the blind voter using a headset. The voter presses their choices into a keypad with a dimple on the #5 key. While the process takes much much longer than someone who can use the touchscreen, it is designed to work for someone who cannot see at all. They can go backwards, forwards, change their vote selection, review their ballot, change the speed of the speaker to be faster or slower, etc.
and just how disabled are you if you can't put an X in a 1.25" circle? even if you have tourette's or something and you screw up your ballot, you can get another one as many times as you need to until you get it right.
There's "legally blind" (someone's grandma), and then there's totally blind (nothing but black). The latter can't vote with an "X" without someone to "help" them. The latter still has a right to vote (with privacy, without "help").
faster? results before you go to bed (well, results when you wake up if you live in the east) isn't fast enough for you?
Electronic voting saves all poll workers about 30-45 minutes of time not having to count all of the paper ballots, so the results get to the central counting facility much sooner. It certainly isn't enough to make a huge difference to most people who get the results the next day. While there would be a huge media benefit and convenience to "modem in" preliminary results (get 95% reporting by 10pm), there aren't enough safeguards (yet) to prevent tampering with that process in CA.
http://leparlement.org/
Distributed Democracy. P2P, PGP signatures, electoral lists.
Vote from anywhere, anytime, on anything.
It's all part of the sinister plot by the Republicans, or someone, to subvert the democratic process, you see. The Dems won this time just allow the perception that the system isn't rigged. Ha, Ha, only serious.
All "tinfoil-hat" "kidding" aside, what Thompson doesn't appear to address is the same 2000 lb gorilla everyone else is ignoring: whether a handful of of vendors and their employees can be trusted ultimately not to rig elections and buy and sell the vote. In my state a single vendor has the contract for every single machine. The machines are manufactured in another country. No one at all appears to be the slightest bit concerned about this, just whether they can get a paper receipt for their one vote, like an accurate paper recount would ever happen in the real world of logistics.
The only solution I see is open software, open hardware, and many eyeballs scrutinizing the operations and results. Not just probate judges, deputies, and election officials. Publicly broadcast the vote from each machine (random delay like mixmaster relays) over WiFi or WiMax, EVDO, whatever. Everyone that wants run their own count. The holy grail of a paper trail only compromises vote secrecy and doesn't do a damn thing for security or trustibility.
Does this statement hold true if a single company manufactures a large percentage of voting machines?
:-)
There are few companies making a significant majority of voting machines in tUS, which is a problem. However, many of those machines do have paper trails, either via optical scans, paper-trailed electronic machines, or otherwise. So long as those paper trails can be audited, the chance of a single entity (in this case, the voting machine manufacturer) swinging an election is extremely low.
This is, of course, why paper trails are so vital.
Especially when the code they run is not open to public scrutiny?
Generally speaking, it's far more important that the voter can physically look at a paper trail to confirm that his vote is recorded in meatspace (and hence audit-able) than the code itself be open to public scrutiny. While I do believe that open sourced voting code is better, I believe its far more important that the machines, open or closed source, are fully audit-able by physical count (so longs as those audits are actually happening with sufficient frequency).
Does it hold true in Florida?
I would hope so, but Florida still seems to be having substantial voting problems.
Support a few technologists in Washington.
Comment removed based on user account deletion