NIST Condemns Paperless Electronic Voting
quizzicus writes "Paperless electronic voting machines 'cannot be made secure' [pdf] according to the National Institute of Standards and Technology (NIST). In the most sweeping condemnation of voting machines issued by any federal agency, NIST echoes what critics have been saying all along, that due to the lack of verifiability, 'a single programmer could rig a major election.' Rather than adding printers, though, NIST endorses the hand-marked optical-scan system as the most reliable."
I voted for Kodos.
you can never be certain when duplicate events can occur.
I'll create an amusing sig when I have something meaningful to post.
Here in Minnesota we use the hand-marked optical scan system, and it's great. There's a high degree of confidence that your vote actually counts for something. That, coupled with a mandated recount in a random sampling of districts in each county after the election.
Now might be a good time to point people in the direction of Punchscan.org, previously chronicled on Slashdot here
More sleight-of-hand. An election can never be 100% verifiable until and unless the complete list of every vote is published for all to see and verify (privacy protected by numbers and codes of course). Profit Makers and Election Riggers will argue differently, no doubt.
- The Kessel run is for nerf herders. I can circumnavigate the entire Central Finite Curve in a lot less than 12 parse
I *verbally* told them my name and address (I live in MD) ... no photo or other ID required. That has nothing to do with the paper-trail or other verifications that should be built into any voting system. But personally, I think the problem is deeper than paper-vs-electronic.
Que Deus te de em dobro o que me desejas
[May God give you double that which you wish for me]
Having worked as an election judge in Maryland, which is now using Diebold machines, I just don't trust them. I have seen the printed tape shown at the beginning and end of each election, so I know the machine told me that it took X number of votes, and that that total matched my hand tabulated total from who went to each machine, but how do I know that when the button for candidate X was pressed, the machine actually recorded it for X? I don't know. No one knows. And furthermore, there is no possible WAY to know after the voter leaves the machine.
It is a stupid system, and I am proud that someone with more authority than me is saying so. I believe all the politicians who decided that touch screen voting was a "great idea" should be voted out of office ASAP.
--David
The Democrats? Republicans? Both?
I remember learning that an effective method of democracy was this, a representative democracy, because of the issue of people not being able to get to a poll to vote, and because people didn't necessarily have the time to learn all of the issues. Certainly information has grown leaps and bounds, and now a lot of us do have the ability to directly represent ourselves. After seeing a special on this very issue about people waiting in line for 5 hours to vote, seeing the corruption of representatives over and over again, and watching the corporations cheat and run america in their best interests, isn't it time that we, as the information community, try to implement a secure, more direct democracy? Just a thought
In my country, we count by vote of hand. Anyone who not raise hand, trying to rig election. Vote not count and they are sent for reeducation. We have had a very very good accounting with this system.
I don't want Karma, I just want to be a smart ass. All in favor, mod me up.
http://yro.slashdot.org/article.pl?sid=06/12/01/017230/
From last night.
Unfortunately, the idiots were too stupid to understand the instructions.
So, some good samaritans started the push to adopt e-voting machines as a way to protect people from their own stupidity. Yet, these samaritans lacked the technical good sense to understand the need for a paper trail.
That brings us here today. The old paper ballots were fine. They worked well. There was no need to replace them. More to the point, there is no need to protect a person from his own stupidity. If a person is so stupid that he cannot understand simple instructions, then his vote would likely not have been an informed vote: no vote is certainly better than an idiotic vote.
Okay - this article's a dupe - but really, we can't talk enough about this subject. Blackbox voting really needs to go. It doesn't take a NIST scientist to see that.
These are my friends, See how they glisten. See this one shine, how he smiles in the light.
Paperless electronic voting machines 'cannot be made secure' [pdf] according to the National Institute of Standards and Technology (NIST).
Oh, they can be made secure. They can be made to secure the election for whomever you want. That's the whole idea.
The theory of relativity doesn't work right in Arkansas.
...I voted for Kerry more than 800 times across 5 precincts.
"A single programmer could rig a major election."
Because all machines are coded by a single person with no error-checking or internal oversight by other members of the machine's design team, yes, sir.
Aside from attacking the technical/business literacy of the publishing organization: The long and short of the issue is that the potential for corruption is identical for paper ballots and electronic ones. The issue with electronic machines is not increased political skullduggery, but increased potential for data loss (1 disk fried = a few thousand votes, one ballot fried = one lost vote). I guess if you sent the data over a public network, that'd be an issue, but that wasn't done in at least the last election in which I participated.
P.S. No, I have no idea why I felt compelled to comment on this.
...it's really a sad day for America when we require a goddamn ACT OF CONGRESS to make our DVD players work properly. ~
Vote buying. We've been over this. If you've got some code that will allow you to determine from the published results how your vote was counted, then I can ask you to tell me your code as soon as you've voted (before the results are published), use it to verify your vote the same way you can, and reward/punish you accordingly. Knowing that I have the ability to do this, people without strong convictions will vote how I tell them in exchange for the reward I offer or to avoid the punishment I threaten.
Yes, that would be illegal, and if I'm caught, I'd be in trouble, unless I just got my friends elected to a position where they can get me off the hook.
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
We used the optical scan system in my county in Maryland until 2002, and then for some bizarre reason we switched to diebold. And we've been having a hell of a time getting rid of them because the Governor of MD was against them and the woman in charge of the elections had a personal grudge against him. Anyway, he was just voted out, so maybe we'll have a better shot now.
Technoli
Why does the National Institute of Standards and Technology hate trees?
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
I don't understand why optical scanning is any more trustworthy.
If the scanner is hooked up to a crooked counting algorithm, how will you know unless you actually count the paper? If you have to count the paper to ensure that the scanner is honest, why bother with the scanner at all?
The headline of the post makes it seem like the NIST thinks that paper trails are the answer. That is not their conclusion, in fact they say the current paper-trail systems don't work.
"The NIST is also going to recommend changes to the design of machines equipped with paper rolls that provide audit trails.
Currently, the paper rolls produce records that are illegible or otherwise unusable, and NIST is recommending that "paper rolls should not be used in new voting systems."
via http://www.bradblog.com/?p=3860#more-3860
We really should just use optical scan ballots. That is a paper trail voters have to verify, and the ballots can be meaningfully recounted. Then Diebold and the other vendors should be sued for knowingly selling defective products--possibly fraudulently.
I keep reading about "verifiability", but what *exactly* do they mean? *Who* is verifying *what*? In my opinion, if it is possible for me to go to some office somewhere and ask them, "Here's my ID. Tell me what you have that computer for my vote." Then, I can verify my vote. I have no right to verify anyone else's vote and nobody should be allowed to verify my vote without my permission. Are the critics claiming that there should be special people who get to look over everyone's shoulders and see who you're voting for? If so, I am very much against it. But, since these critics fail to give a specific definition of "verifiability", I have no idea what it is they are talking about. Of course, I'm probably the only idiot who doesn't get it.
The previous comment is purposely vague and generalized, but all of the facts are completely true.
Instead of majority rules, we could each hire a representative (or serve as our own if we so chose) so that if we thought our representative was corrupt we could just fire them. This would end the two party monopoly on representative government and hopefully people could still manage to elect only a couple thousand unique representatives (with weighted votes depending on how many people they represented.)
Goddam funny that the federal government gets concerned with this just as Democrats are poised to take power in Washington, after several election cycles where it apparently didn't give a damn.
Whatever, it's the right thing to do, finally.
We know where leadership by an anti-intellectual "strongman" who scapegoats minorities and likes boisterous rallies goes
You think "Congress" back in 2001, when they passed the "Help America Vote Act", might have commissioned some study of the topic, instead of just passing the bill as written by the voting machine lobbyists. But, no. It seems very much like that bunch of idiots and corporate mouthpieces cared very little about the actual effect of their so-called law. God forbid they ask someone with any sense to look into the topic, particularly a useless public servant at NIST who just needs to be downsized anyway.
What a complete fucking waste the last 5 years have been, in *so many* ways.
NIST echoes what critics have been saying all along, that due to the lack of verifiability, 'a single programmer could rig a major election.'
I knew there had to be a reason the Democrats won congress! Hopefully they'll have this fixed by 2008!
You have tried to support your argument with faulty reasoning! Go directly to jail; do not pass Go, do not collect $200!
Because similar technical processes go on in e-commerce, e-banking, e-government services etc.
I guess we just care more about election results.
Are they really saying there is, theoretically,
no mathematically and logically sound cryptographic solution for ensuring
the validity of this kind of process, or just that we don't know how to do that yet?
Where are we going and why are we in a handbasket?
The article you referenced is based on an internetnews.com PREDICTION that the NIST would issue a release saying something like this.
THIS article is based on the actual release, and what the release actually says.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
"We" may have been over this before, but that doesn't mean you are correct, and it certainly doesn't mean you should be calling for people to be modded down just because you disagree with them.
Letting the voter verify that their vote was counted as cast, might, as you suggest, make vote buying easier. But it would also, as the GP points out, make stealing an election wholesale much harder. To make a rational choice between the two, you have to consider the relative risks, and doing so does not lead to the conclusion you're advocating. Even with receipts of some sort, vote buying is a very risky proposition, since by its very nature a lot of people would have to know about it before the election. If you want to buy ten thousand votes, at least ten thousand people will have to know about it, including who to vote for and what the payoff or threat is. If even a few of them blab, your goose is cooked.
Conversely, without receipts, elections can be stolen by a small group of people with no witnesses except for the machines, and they can steal as many votes as they want--a million isn't that much harder than a dozen.
--MarkusQ
1 - Fail-safe. The machine can break, power can go out, etc. The paper ballot still exists and can be easily hand counted.
2 - Inexpensive scaling. Since you mark on paper the polling station can have 20 booths for people which are not much more than a table, curtain, and a pen; yet they can share one or two optical scanners. Touch screen systems require one expensive machine per booth.
Do the math. 20 expensive touch screen machines per polling station, versus 2 less expensive optical scanners.
This cost savings could be used in urban areas where there traditionally have not been enough resources for the election.
3 - Trustable. Any dispute can be settled by the actual piece of paper I wrote on. Optical scanners are based on technology used by schools to grade for decades and require little more than a motor, light sensor, and a very low end CPU. There is little to go wrong and very little which can hide tricks.
4 - Easy to use. I take a pen and fill in a box. Touch screen systems appear to suffer serious "alignment" issues which can cause votes to be mis-registered and which require frequent realignment in the field.
5 - Robust. There is no screen to be scratched, or broken. The voter never interacts with the scanner except to slide a piece of paper into it. There is no printer to jam, or foul, or have other issues.
... the potential for corruption is identical for paper ballots and electronic ones.
I call bull puckey.
The potential for corruption is massively greater when THERE IS NO WAY TO CHECK FOR IT.
When it can be detected (and is routinely watched for), trying to rig an election stops being a path to power and becomes a path to jail.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
What I'd ideally like is a terminal that you could either use as a touch screen to cast your votes, or feed an optical scan ballot into.
Why use it with an optical scan ballot? There's always part of me that nags at me, wondering if "they" are going to correctly interpret my vote when they scan it in. This way, when the terminal scans it, it can show me what it gleaned from my markings, and if it comes up wrong, I can either issue corrections there (which are specially marked as such on the ballot), or it can reject the ballot back to me, and I fill out a new one. If I accept it, it gets spat into the obligatory secure box - preferably through a transparent tube, so I can see it. Even better, put the paper ballot through one more step, say into a clear box where I can clearly see and verify to myself that it is indeed my ballot, but cannot tamper with it further, before it gets put into the secure box. Of course, at this stage if I notice a mistake it would require the intervention of an election official, but then again, there shouldn't be any intervention needed at this point.
Alternatively, I could use this terminal to cast my vote electronically, after which the terminal would print out a paper ballot with my vote on it. Again, this paper ballot is delivered via the above-mentioned system, allowing me to verify that what is printed is indeed my vote.
Either way, the vote would be counted electronically at the terminal first and foremost. The paper ballots would include encoded information about the time, place and terminal used to cast the vote, primarily to ensure there are no discrepancies, or at least to catch them. Hell, it may seem like overkill to some, but it would be worth it.
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
So if the electronic voting was based on an open source system - would that be better or worse?
This is not true at all. There is a paper trail for all of the things you mention. If I buy something online and it does not arrive I KNOW it does not arrive and I can contact my credit card company about it. If I have been charged too much it shows up on my bank statement. If I renew my vehicle registration online I get my registration card in the mail. If I cast my e-ballot how do I know my vote got counted correctly? I don't. In fact, no one knows and that is what is wrong with the system.
http://vote.nist.gov/DraftWhitePaperOnSIinVVSG2007-20061120.pdf
Election's over, gents. This would have been much, much more helpful more than 12 months before the election...
One does wonder if the report was held until after the election on purpose- possibly to avoid cuts in funding and such under the then-Republican-majority Congress?
Please help metamoderate.
Paper is no more verifiable than anything else. The best system would be a multi tier receipt system. An informal electronic count and a read only storage mechanism to record raw votes; a recording media which is physically slow to produce.
Second an electronic paper receipt given out to a voter that kind of looks like the bar codes on a lotto ticket. Second an optional electric receipt, with both a physical or wireless connection to record another kind of coded data.
The one major requirement of the system would be that no one could demand to see your receipt and be able to find out how you voted. Maybe an optional system which stores multiple votes but only you know which is valid. Just has to be something that people could voluntarily divulge outside a voting location that can later be verified against the official raw data record.
So what piece of ID would you present? I don't recall there being a National Voters ID card.
Oh, right you're probably thinking "any form of government issued photo ID". Well I'm thinking bullshit. Your driver's license is to operate a motor vehicle, your health card (in Canada) is for presentation at a hospital when receiving medical services, and your Passport is required by foreign governments, not your own. Therefore, either you have to be a licensed driver, have a state run medical plan, or interest in foreign travel to vote? That's not in your constitution.
But our politicians are too scared to come right out and make this just like Nazi-era Germany where you have to present your national papers.
It seems like people in NASA lose their jobs for speaking up for using real science connected to Global Warming. In addition, I know that people at the EPA have lost theirs for speaking against the gutting that has been going on. I would guess that these nice folks will be losing their jobs soon.
I find it kind of strange that this didn't come out BEFORE the elections, but now that the Dems have the house and senate and would be able to do what the republicants have been doing for the last 6+ years there is now a real need for a paper trail. pffft
I must be missing something -- Daley's machine was able to rig election after election in Illinois and yet no one in connection ever got so much as a slap on the wrist. Heck, even today the "machine" in Illinois is up to its dirty tricks.
SETUP
Before the election starts, connect each device to the server (over a wired connection -- obviously not wired) and turn them all on. Each device creates a random ID key and stores it in ROM. Each device establishes a PGP-encrypted connection with the server and sends its ID key over. The server records all those ID keys in a database.
USER INTERFACE
Each device has a small LCD screen and a number pad.
The LCD screen shows a list of candidates and corresponding numbers next to them. The voter will read the screen and choose a number. He will enter the number in using the keypad and press the SUBMIT button. The device will show a confirmation screen, where the user can affirm or deny his choice. When it is affirmed, the device sends a command to the server.
RECORDING EACH VOTE
Whenever a device records a vote, it sends a command to the server -- probably an SQL INSERT statement. This information, along with its ID key, is encrypted and sent to the server. The server decrypts the message sent to it by the device, checks the sent key against the ID key list, and, if it's valid, runs the INSERT command.
There can be a paper trail by having the device spit out a vote slip into a basket behind the machine.
TALLYING THE VOTES
After the election is over, the staff turns off each device. Since the devices don't actually store any data, just take input from the user, no elaborate memory card-removing ritual is needed; the staff can just pull the plug.
The staff presses a button on the server, signaling it to print out a paper slip with the vote totals recorded in its database. This also causes the server to reset its ID key database.
ADVANTAGES
DISADVANTAGES
SOLUTIONS TO DISADVANTAGES
CONCLUSION
I may be missing something, but I don't see why Diebold (and all the other voting machine manufacturers) are having so much trouble making a secure system.
I suspect that the real problem in Diebold's system is that it's possible to "hack" the election if you are a staff member, or you have unrestrained access to the machines prior to the election. This is solved by the last point in Solutions to Disadvantages, and by the paper trail mentioned in Recording Each Vote.
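The server-side check described under RECORDING EACH VOTE, as an added example that is not part of the original comment. It goes beyond the comment in two labelled ways: the device sends a structured vote (device ID, sequence number, candidate number) instead of SQL text, so the server builds the INSERT itself, and an HMAC keyed with the device's ID key stands in for the PGP channel. All names, the message layout and the ballot are assumptions.

```python
import hashlib
import hmac
import json
import secrets
import sqlite3

# Constructed ballot: the numbers a voter can key in on the device.
CANDIDATES = {1: "Candidate A", 2: "Candidate B", 3: "Candidate C"}


def device_message(device_id, key, seq, choice):
    """Device side: build a structured vote and authenticate it with the ID key."""
    message = json.dumps(
        {"choice": choice, "device_id": device_id, "seq": seq}, sort_keys=True
    ).encode()
    tag = hmac.new(key, message, hashlib.sha256).digest()
    return message, tag


class TallyServer:
    """Server side: holds the ID keys recorded during SETUP and the vote table."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE votes (device_id TEXT, seq INTEGER, choice INTEGER,"
            " UNIQUE (device_id, seq))"
        )
        self.device_keys = {}  # device_id -> ID key (assumed shared secret)

    def register_device(self, device_id, key):
        self.device_keys[device_id] = key

    def record_vote(self, message, tag):
        """Validate one message; return (accepted, reason)."""
        try:
            body = json.loads(message)
            device_id, seq, choice = body["device_id"], body["seq"], body["choice"]
        except (ValueError, KeyError, TypeError):
            return False, "malformed message"
        if not isinstance(device_id, str) or device_id not in self.device_keys:
            return False, "unknown device"
        expected = hmac.new(self.device_keys[device_id], message, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False, "bad authentication tag"
        if type(seq) is not int or type(choice) is not int or choice not in CANDIDATES:
            return False, "invalid choice"
        try:
            with self.db:  # commits on success, rolls back on error
                # The server writes the statement; the device supplies values only.
                self.db.execute(
                    "INSERT INTO votes (device_id, seq, choice) VALUES (?, ?, ?)",
                    (device_id, seq, choice),
                )
        except sqlite3.IntegrityError:
            return False, "replayed sequence number"
        return True, "recorded"

    def totals(self):
        rows = self.db.execute("SELECT choice, COUNT(*) FROM votes GROUP BY choice")
        return dict(rows.fetchall())


def demo():
    """Run constructed messages through the server and collect the verdicts."""
    server = TallyServer()
    key = secrets.token_bytes(32)
    server.register_device("dev-01", key)
    results = {}
    msg, tag = device_message("dev-01", key, 1, 2)
    results["valid"] = server.record_vote(msg, tag)
    results["replay"] = server.record_vote(msg, tag)
    altered = msg.replace(b'"choice": 2', b'"choice": 1')
    results["tampered"] = server.record_vote(altered, tag)
    rogue_key = secrets.token_bytes(32)
    results["unregistered"] = server.record_vote(
        *device_message("dev-99", rogue_key, 1, 1)
    )
    results["out_of_range"] = server.record_vote(*device_message("dev-01", key, 2, 9))
    sql_text = b"INSERT INTO votes VALUES ('dev-01', 3, 1)"
    sql_tag = hmac.new(key, sql_text, hashlib.sha256).digest()
    results["raw_sql"] = server.record_vote(sql_text, sql_tag)
    results["totals"] = server.totals()
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Even a correctly authenticated message is rejected when it carries SQL text or an off-ballot number, so a registered device cannot write anything except one row per sequence number.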
Works in Maine just fine. Recounts are manageable, the ballots are fairly indisputable, and there have been two ties I'm aware of for state offices. Those were settled by coin toss. Really. I would have preferred a Jell-O wrestling match, but that's not what the law says.
Our governor a few years back when a close election was being recounted asked the Secretary of State what he could do to help with the process. The answer, correctly, was 'Nothing, Sir'. Not in the law.
It's not so much about electronic voting or paper, as it is about rational and good election laws. And common sense. Watching the HBO special, you saw election officials with their pants down, either committing felonies or just plain lying. Picking the receipts out of the trash was priceless. The stack of sorted 'random' ballots nearly so.
I suspect Ohio has election problems for the same reasons Florida does, and so many other states are about to - very poor judgement.
Blame either party. In a contentious election, we can get up about fraud and electronic failures when the winning margin is 10%, or even >30%. Software can switch THOUSANDS of votes. I'd bet that in that scenario, the pre-election polls would be dismissed as just plain wrong. And we'd never really know.
Receipts at the minimum. Paper ballots preferred. Just do it.
-rick
deleting the extra space after periods so i can stay relevant, yeah.
Paperless electronic voting machines 'cannot be made secure' [pdf] according to the National Institute of Standards and Technology (NIST)
This conclusion brought to you by the same people who commissioned and instituted the AES encryption standard.
If they say paperless electronic voting can't be made secure, I'd believe 'em!
i think the electronic machines should update a public database in near-real-time. we should see how each county/district is going across the day. if it seems slow or low-turnout, local news can prod people a little harder. participation needs a kick in the butt. plus, this is the first step to online voting anyway.
the 1st trail is to take home. the 2nd, duplicate receipt is to drop in a manual recount box. the receipts say plainly who you voted for, so you can protest if you like (and a key to extract the vote from the system on-the-spot if need be, and re-vote).
the receipts are also identical, so you can choose which one to put into the manual ballot box. this prevents any machine from hacking the electronic and the manual recount, but the receipt is not hacked to avoid suspicion from the voter.
more eyes on the results, instant feedback, and 3 layers of recounting (only 2 are summable, since the home receipts cannot be really collected again).
counting paper trails would be mandatory in each district, up to a random 50%. if the results seemed vastly skewed compared to the electronic results, the county uses the paper entirely, machines audited, people sued, etc.
obvious idiocies.
Number one, the ATM only handles money. If your ability to vote a valid vote is not more valuable than money, you don't have a proper appreciation of freedom.
Number two, the ATMs do leave a paper trail. Even if you tell the bank you don't want to see it every month, you can check your account to see if it matches what you've put in and taken out. If you don't keep track of your account balance, you deserve to have your bank account 0wn3d by script kiddies.
Number three, I avoid using ATMs, especially in foreign countries.
Number four, I've probably just been trolled, and even the person who marked the parent post insightful was probably doing so in the ironic sense.
I program marketing research surveys. My company is international and well respected. We consider paperless electronic voting to be a joke security wise. There are just too many things that can go wrong. Programming the ballots would be very easy, though.
I have solved this problem. (Please don't laugh.) However, I have no idea who to contact about this.
I have devised a system which permits the following:
*Non-forgeable secure voter receipts
*Receipts do not reveal vote choices
*Receipts can prove you voted and for whom if necessary
*Not vulnerable to single-point software/hardware exploits
*Supplies a verifiable electronic (and paper if need be) trail
*Permits voters to verify that their vote was counted correctly without revealing who they voted for
*Paper trail does not compromise privacy
*3rd party verification
*Voter privacy
*Recounts/Auditing possible
*Voter fraud can be detected
I have even written up a draft paper on it describing the system. Now what?
The machine I voted on in NC this year had a paper tape to the left of the screen that scrolled with each vote. I could verify my vote as I went. Simple and effective.
Professional Politicians are not the solution, they ARE the problem.
There are at least two very credible schemes that allow you to determine whether your vote was counted correctly (although perhaps not from a 'published result'). Two of them are David Chaum's Punchscan system, and Ron Rivest's Triple-Ballot System. There are another three or four I could mention, but the authors lack the immediate name recognition of Chaum or Rivest.
Please do basic research before making statements like this in the future.
(Why, yes, I am an NSF-funded voting security researcher. Obligatory disclosure: I know both Rivest and Chaum. They're part of the voting security research group I'm on.)
When the election turnout is such a small proportion of the electorate and there is no physical, human readable, and verifiable record of a person's vote, it's pure and simple fantasy to imagine that the US is ruled by the will of the people for the people.
In my country, New Zealand, the turnout usually approaches 80 to 90 percent and every ballot has an obscured serial number and a counter-foil with the voter's roll number written on it by the poll clerk. OK, it's not a completely secret poll, but revealing the serial numbers requires a court order and the people involved are sworn to secrecy. This means that proof of irregular or duplicate voting is easy to establish, and is a prison term offence. Counting is by hand.
Currently, everyone is saying only re-count when there is a question.
I say we should plan redundancy: count by machine to get a quick count, then always count by hand afterwards in every precinct, to check the machine.
If the discrepancy will alter the result, or if it is large, start an audit, and once the audit is complete and all ballots classified as valid, invalid, and unknown, count them all by both hand and machine and let a judge straighten it out.
then paper would be no more verifiable, I suppose. Maybe.
There are mathematical ways of using strong encryption (digital signatures and all-or-nothing encodings and the like)
to prove that all the votes got included in the count, and for an individual, if they have an encrypted receipt code,
to submit that code to a process that can verify that that vote, as entered, was included in the final result.
So then we have the complaint: "But I wouldn't understand how that worked so I wouldn't trust it."
What if all the code
- including the encryption code and
- the all-or-nothing proving code
- and of course the code that proves which version of the vote gathering and counting software
was running throughout the election
were open source and inspectable by anyone?
What if you were given access to an online forum where only people with masters degrees or phds in math, logic,
computer engineering, or computer science could supply the answers to general or specific questions posed by
each other and by any voter about the integrity of the system?
I think the combination of open source code and clever use of encryption for verification, should be able to
make systems that are trustable by rational people.
I suppose now the problem is to convince all of the irrational people. Now that's a problem.
Where are we going and why are we in a handbasket?
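One concrete form of "submit that code to a process that can verify that that vote was included", as an added example that is not part of the original comment. It swaps in a Merkle tree over a published list of receipt codes (not the digital-signature or all-or-nothing constructions the comment names) and shows inclusion only, not that the tally itself is correct; the receipt codes and function names are constructed for illustration.

```python
import hashlib


def _h(data):
    return hashlib.sha256(data).digest()


def leaf_hash(receipt_code):
    # Domain-separate leaves from inner nodes so one cannot pose as the other.
    return _h(b"\x00" + receipt_code.encode())


def node_hash(left, right):
    return _h(b"\x01" + left + right)


def build_levels(receipt_codes):
    """Return every level of the tree, leaves first, root level last."""
    if not receipt_codes:
        raise ValueError("empty bulletin board")
    levels = [[leaf_hash(code) for code in receipt_codes]]
    while len(levels[-1]) > 1:
        cur, nxt = levels[-1], []
        for i in range(0, len(cur), 2):
            if i + 1 < len(cur):
                nxt.append(node_hash(cur[i], cur[i + 1]))
            else:
                nxt.append(cur[i])  # unpaired node is promoted unchanged
        levels.append(nxt)
    return levels


def root_of(levels):
    return levels[-1][0]


def prove(levels, index):
    """Sibling hashes a voter needs to recompute the root from their own code."""
    proof = []
    for level in levels[:-1]:
        sibling = index ^ 1
        if sibling < len(level):
            side = "L" if sibling < index else "R"
            proof.append((side, level[sibling]))
        index //= 2
    return proof


def verify(receipt_code, proof, published_root):
    """Voter side: needs only the receipt code, the proof and the published root."""
    h = leaf_hash(receipt_code)
    for side, sibling in proof:
        h = node_hash(sibling, h) if side == "L" else node_hash(h, sibling)
    return h == published_root


# Constructed bulletin board: opaque receipt codes, one per counted ballot.
BOARD = ["R-7F3A91", "R-02C4DE", "R-9B1170", "R-55E0A8", "R-C3D96F"]


def demo():
    levels = build_levels(BOARD)
    published_root = root_of(levels)
    # Every voter can confirm their own code is under the published root.
    all_included = all(
        verify(code, prove(levels, i), published_root) for i, code in enumerate(BOARD)
    )
    # A code that was never counted cannot reuse someone else's proof.
    forged_ok = verify("R-000000", prove(levels, 0), published_root)
    # Dropping a ballot after publication changes the root, so the voter's
    # old proof no longer checks out against the altered board.
    altered_root = root_of(build_levels(BOARD[:2] + BOARD[3:]))
    dropped_ok = verify(BOARD[2], prove(levels, 2), altered_root)
    return all_included, forged_ok, altered_root != published_root, dropped_ok


if __name__ == "__main__":
    print(demo())
```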
Don't come crying to us when the cylons disable your planetary defenses with a trojan.
What ballot system would support instant runoff voting? That's the method in which the voter ranks candidates and then, if no candidate attains a majority, the least popular candidates are eliminated and the voters' second choices counted [1,2]. It prevents third parties from spoiling elections, like Ralph Nader was accused of taking votes from Al Gore in 2000 or Ross Perot from George Bush in 1992.
With instant runoff voting, it's safe to vote for third parties since you can choose a major party as your second choice. I think the emergence of viable third parties would really improve politics and governance.
But how do you actually collect appropriate ballots? I don't know of a simple way that "connect the arrow" paper ballots would work. One of the advantages of electronic ballots is that they could theoretically handle instant runoff voting elegantly. However, I doubt that the electronic voting system manufacturers are designing for that ability, especially since they seem to be funded by the two major parties.
AlpineR
a year ago, they set the delivery date as July 2007.
see http://64.233.187.104/search?q=cache:R6KUf_0jaakJ:www.ss.ca.gov/elections/vstsummit/presentations/guttman_barbara.PPT+eac+tgdc+timeline&hl=en&gl=us&ct=clnk&cd=3&client=firefox-a
or http://tinyurl.com/vvn6t
"Even if you're on the right track, you'll get run over if you just sit there" - Will Rogers
So, where are all of the cries of voting machine election fraud that caused the Democrats to win Congress?
Anyone?
Anyone?
[crickets]
...for injecting some facts into the discussion!
Of course my mod points just ran out a couple of days ago...
San Francisco values: compassion, tolerance, respect, intelligence
This person is responding with facts to a posting that was largely based on opinion.
Too much of American public discourse is becoming a shouting match of opposing opinions, instead of being a rational debate about facts.
This and no other is the root from which a tyrant springs; when first he appears as a protector - Plato (423 to 327 BC)
As the parent post mentions, most people will simply not have the time to become familiar with the details of the propositions on the ballot.
However, the people that will tend to be familiar with the details and ramifications of a particular proposition will be special interest groups. This will be especially true if a referendum occurs outside the normal election cycle.
Consider this hypothetical situation: A particular interest group puts forth a motion for referendum. The society as a whole is used to frequent referendums, and has grown weary of the constant voting. When the referendum occurs, the turnout for the interest group is extremely high, while the turnout for the general population is relatively low. The referendum motion passes without broad public support. A small but vocal interest group has succeeded in foisting its policy on the public.
Admittedly I can see referendums as being useful in certain circumstances. If the referendums are on important issues on which the public is engaged, I can see them as a good way of ensuring that the will of the public is carried out. But if they are too frequent, and concern issues that are extremely specific, then I believe that they are a recipe for government by special interests. In other words, having too many referendums is undemocratic.
This and no other is the root from which a tyrant springs; when first he appears as a protector - Plato (423 to 327 BC)
You are presuming a dichotomy between 1) stealing the election wholesale or 2) identifiable votes. This assumes there is one or more points of failure that lets the election be stolen wholesale.
The false choice between those two options can be escaped by looking at the voting process as a distributed endeavour. Several simple checks and precautions can be added to ensure the total adds up and is based on correct numbers. The first is that the ballot itself is easily understandable. The second is that it should be dead simple to see the difference between a valid and an invalid ballot. The third is that in the local communities, the counting process should be open for inspection by representatives of any candidate. The fourth is that the local community makes the totals available for anyone to check. The rest is simple arithmetic.
The problem arises when networked and central computers and counting devices enter the picture. Verification of the vote cannot be done by anyone except the person who cast it - enter your fallacy.
When I walk away after having cast my vote, I feel no need to have a receipt with me. I trust the traditional process of manual counting (which we still do where I live) enough that I see no need as an individual to verify that my vote was correctly counted.
Furthermore, I have my doubts whether e-voting is really cheaper than paper ballots hand counted by officials. The machines need after all to be produced, transported, stored, verified and certified for them to even pretend to deliver what they promise - fast, efficient voting. I don't know the going rate for a voting official's time, nor the overhead with traditional ballot boxes, but it can hardly cost that much more.
In conclusion, I believe that when e-voting can't deliver all the things traditionally held as important regarding voting, we should sacrifice the machines rather than the voting process.
If a voter is given some sort of receipt that proves how they voted, even if only the voter can access the nature of the vote, then that receipt could be presented to an interested party as evidence of a vote for a particular party. The interested party could then pay the voter a particular sum of money for that vote. With paper ballots, the vote is dropped into a box and loses any association with the voter, and could thus not be used in a vote buying scheme.
This and no other is the root from which a tyrant springs; when first he appears as a protector - Plato (423 to 327 BC)
I've looked at the Punchscan system, and I'm a bit confused. I can see that it would prevent vote buying, but beyond that, it looks like the only thing it really verifies is that my vote was physically scanned correctly, which is something I'm not currently worried about. I still have to trust that the machine correctly remembers which candidate was associated with the hole I stamped, and there's still no chance for a manual recount. So, compared to current paperless electronic voting machines, I can be assured that SOMETHING was counted, but I have to put up with the confusing aspect of not having the hole I stamp line up with the name of the candidate I want.
Of course, I can trust that once my vote is correctly scanned, it will be correctly counted, because the software is open source. But if paperless electronic voting machines were open source, I would trust them just as much, even if I couldn't log on to verify which side of a blank piece of paper had my stamp.
Am I missing something?
Will other voters be as confused by this idea as I am?
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
First, the Punchscan system really refers to a family of systems, not just one system. So it's inaccurate to talk about "the Punchscan system", much like it's inaccurate to refer to "the UNIX operating system". Not that this prevents us from using the inaccurate terminology--but you should be aware that something is being handwaved with that language. You'll see an example of this in a bit.
The manual recount is simple. The mapping between letters and numbers is a function requiring the ballot serial number and secret information which only the counting authority possesses. This is fairly basic cryptography. If you want a manual recount, no problem. Look at the original ballot halves--a paper record--and then, for each ballot, apply the mapping function to (ballot id, secret information) to figure out which candidate was voted for. Record votes manually for the appropriate candidates. Done.
(Please note that this possibility is not in the Punchscan Flash demo. However, it's not hard to imagine a Punchscan system where the counting authority keeps the original for recount purposes, and you go home with a photocopy. Like I said, Punchscan is a family of technologies, not one specific one, per se.)
You don't have to trust the machine to remember which candidate maps to which element. It's a mathematical transformation, and all of the necessary information is either on the ballot or in the hands of the counting authority. You don't have to trust the machine. If you voted for B and the published log shows you as recording B, then there is a deterministic one-to-one mapping present. The computer doesn't 'remember' which element maps to which.
Finally, open source voting software is not the panacea you seem to think it is. Australia has had GPLed election software for a few years now, and it's only marginally less cruddy than everything else. You cannot make a voting system trustworthy simply by sprinkling it with DFSG/OSI/FSF Software Licensing Fairy Dust.
According to the best research we have today, paperless systems will be insecure and subject to many different kinds of catastrophic failures. Open source, disclosed source, Free Software or proprietary code is all irrelevant.
Finally: it's 4:25am as I write this and I've been up for 22 hours. Please do not take this as an authoritative, considered statement. At best, you should take it as a roadmap for your own inquiry.
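The recount described in the comment above, as an added example that is not part of the original post and is not Punchscan's actual protocol: it models only the idea that the letter-to-candidate mapping is a deterministic function of (ballot serial number, authority secret). The HMAC-SHA256 construction, the candidate names, the serial numbers and the secret are all assumptions made for illustration.

```python
import hashlib
import hmac
from collections import Counter

CANDIDATES = ["Alice", "Bob", "Carol"]   # constructed race
LETTERS = ["A", "B", "C"]                # symbols printed on the ballot


def letter_map(secret: bytes, serial: str) -> dict:
    """Derive this ballot's letter -> candidate mapping from (serial, secret).

    Each candidate gets a sort key HMAC-SHA256(secret, serial || candidate);
    sorting by that key yields a keyed pseudo-random permutation that is
    deterministic, so the counting authority can recompute it at recount time.
    (Assumed construction, chosen for illustration.)
    """
    def sort_key(name: str) -> bytes:
        msg = serial.encode() + b"\x00" + name.encode()
        return hmac.new(secret, msg, hashlib.sha256).digest()

    shuffled = sorted(CANDIDATES, key=sort_key)
    return dict(zip(LETTERS, shuffled))


def mark_ballot(secret: bytes, serial: str, choice: str) -> str:
    """Return the letter a voter marks to vote for `choice` on this ballot."""
    for letter, name in letter_map(secret, serial).items():
        if name == choice:
            return letter
    raise ValueError(f"unknown candidate: {choice}")


def recount(secret: bytes, paper_record: list) -> Counter:
    """Manual recount: apply the mapping to every stored (serial, letter)."""
    tally = Counter()
    for serial, letter in paper_record:
        mapping = letter_map(secret, serial)
        if letter not in mapping:
            raise ValueError(f"invalid mark {letter!r} on ballot {serial}")
        tally[mapping[letter]] += 1
    return tally


def receipt_in_log(receipt: tuple, published_log: list) -> bool:
    """Voter-side check: is my (serial, letter) in the log, exactly once?"""
    return published_log.count(receipt) == 1


if __name__ == "__main__":
    secret = b"constructed-demo-secret"   # held only by the counting authority
    intents = [("0001", "Alice"), ("0002", "Bob"), ("0003", "Alice"),
               ("0004", "Carol"), ("0005", "Alice")]
    log = [(s, mark_ballot(secret, s, c)) for s, c in intents]
    print("published log:", log)
    print("recount:", dict(recount(secret, log)))
    print("receipt 0003 present:", receipt_in_log(log[2], log))
```

A receipt holds only a serial number and a letter, so without the secret it does not show which candidate was chosen, while any altered log entry fails the voter's own `receipt_in_log` check.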
Punchscan would work, but my personal feeling is that the downsides (it's a bit confusing to the voter - I'm a Slashdotter, and I needed further explanation - and manual recounts involve cryptography) outweigh the advantages (each voter can verify that their vote was recorded correctly). The system I like is a friendly electronic voting machine that prints a human-readable paper ballot, which is then optically scanned as it is inserted into the ballot box. The voting machine gives you all the user-interface advantages like error checking, ability to go back and fix a mistake, an audio version for the blind, translations to other languages, etc. The printout lets the voter verify that their ballot was printed correctly. The scanner gives an instant count at the end of the election. The ballot box stores the actual ballots that were scanned, and recounts are easy and can be done by anyone (no cryptography required).
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
Imagine that when you cast your ballot, you have a little old lady recording your ballot serial number, as proof that the ballot was cast. When you cast your ballot, the ballot receipt (the half which is left with the counting authority) has a scratch-off panel on it. On top of the scratch-off panel is the ballot serial number. When you turn your ballot in, the little old lady checks to make sure the panel is intact. If it's not, then you get sent back to the booth to fill another ballot. You receive a photocopy of your ballot. Your photocopy has your letter selection and the serial number on it.
At the counting authority there are two teams operating under public scrutiny. The first team is not allowed to bring in any paper, pencils, PDAs, cell phones, whatever, and the public is allowed to stand over their shoulders if they so wish. The first team's only job is to check ballots as they come in, to make sure the serial numbers match the records of ballots cast.
Once the ballot is certified as "yes, this ballot was actually cast", the ballot is handed off to a blind person with a nickel. The public is allowed to watch the blind person very closely, but not to get so close they can read the ballot. The blind person uses the nickel to remove the scratch-off panel, and hands the ballot to the second team.
The second team is again operating under close public scrutiny. Now that the scratch-off panel is removed, the mapping between symbols and candidates is revealed. "Okay, so 'B' is really a vote for the Libertarian Party... okay, gotcha."
Store all the ballots. Need a recount? Just skip the ballot serial number check and the blind person with a nickel.
Using Punchscan isn't confusing to the voter. Watch the Shockwave Flash video and presto, you know how the system works. Can you read? Can you use a highlighter pen? Great, you're ready to vote. By comparison, electronic voting machines are absolutely Byzantine in the complexity of their user interfaces.
What's confusing you are the questions of "so how do I know Punchscan really works?" And look: Punchscan is so simple that J. Random Slashdotter--me--can explain it to you in just a couple of messages. Now imagine if you were to ask "so how do I know Diebold's AccuVote TSx machine really works?" Imagine how many millions of messages that would take to explain all the code in it. And even then, you wouldn't have much in the way of assurances.
I'm blanking on the name of the vendor, but one vendor used a version of Windows for their DRE product. Their DRE product was actually reasonably good. You clicked on a checkbox to select a candidate, clicked "Continue", your vote was cast and the checkboxes were cleared, etcetera. Then Microsoft released a new version of Windows. MS declared that it was a bugfix release and there were no API changes, so the vendor applied the patch and sent it off to their clients.
It was then discovered that it was a bugfix and UI release. Particularly, the checkbox appearance had changed. When clicking on a checkbox, Windows would draw a small box around the checked element. This small box didn't vanish once the checkbox was deselected--it only went away by picking something else.
So the upshot of it was that the next voter in the booth could see how the voter previous to them voted. The entire secrecy of the ballot destroyed, because of a trivial change in UI. [*]
Given a choice between a fancy elec
Say what? It would be easier to convince people that an election had been tampered with if they couldn't see that their vote was counted correctly? That somehow it's easier to convince people that everything is on the up-and-up if they aren't allowed to confirm that their vote was counted at all?
To be blunt, that makes no sense.
Anyone wanting to launch a FUD campaign could do so under the present system just fine. In fact, it is easier under the present system, due to all the dark corners in which nasty things might be hiding (and who can prove they're not?) than it would be with voter verifiable records.
Uh, yeah. It's more plausible that people are cheating if they show you all the votes and give you (and everyone else) the ability to see that their vote is in there and was counted correctly. 'cause doing things in secret with no records is a much better way to gain the people's trust.
How on earth can you conclude that?!? You're just going to trust Saddam's count? It is just as plausible that almost everyone voted their true feelings and when the results were announced a large percentage of the people were surprised to find that they and their friends were in the 1% minority that voted against Saddam. And then they probably railed privately against their fellow countrymen for failing to stand up and vote him out.
More realistically, to assure there's no need to pressure them, since you can just say the count was whatever you like and everyone has to take your word for it.
--MarkusQ
Part of my confusion was around "how do I know it really works?" but more of my confusion is around "why do we need this?" We've had elections for centuries in which there was no way to verify that a specific ballot was recorded correctly, and for the most part things have gone fine. Using the kind of electronic machines I described doesn't fundamentally change the process.
Now imagine if you were to ask "so how do I know Diebold's AccuVote TSx machine really works?" Imagine how many millions of messages that would take to explain all the code in it. And even then, you wouldn't have much in the way of assurances.
Apparently they print your vote on a piece of paper and show it to you, then if you say that's OK, they count your vote electronically. This is slightly better than the same thing without the "paper trail", but it requires voters to look at a tiny printout through a magnifying glass, makes it possible to associate voters with votes (due to the sequence of votes being maintained on the roll of paper), and gets confusing if a voter disagrees with the printout and wants to fix it. Voters are not encouraged to examine the printout. The solution I described would encourage voters to examine the printout, because that printout would be their ballot, that they themselves have to cast after holding it in their hand.
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
I'm not being sarcastic. To the best of my knowledge, there is no such theoretical framework. Likewise, there's also no theoretical framework showing that it can't be done. This question is a giant unresolved one in the field. For some tasks, a piece of paper and an ink pen is a really, really hard combination to beat. (Which is as it should be. Over 2,138 years of paper balloting, we've learned a little about how to do paper elections passably well.) For some tasks, DRE makes a lot more sense. This is why most respectable modern systems are hybrids, attempting to get the best of both worlds.
Such as...? What systems are you talking about? Are there actual prototypes to test, or is it just a paper design that has yet to be tested in real-world environments? Who are their designers?
In the FOSS world the mantra is "shut up and show me the code". I'm asking you to put forth your own list of designers you feel are competent, why you feel they're competent, and what about their systems is such an improvement over the existing state of the art. Compare and contrast to Chaum's Punchscan, Rivest's triple-ballot, and the various mixin and visual cryptographic schemes.
As for the hardware working, the potentially problematic components in the machines I described are 1) the computer itself, 2) the touchscreen, 3) the printer, and 4) the scanner.
Finally, I see no reason why paper-and-pencil ballots couldn't be used as well. Make pre-printed ballots available, and let voters fill in the bubbles by hand instead of using the touchscreen if that's what they prefer. Feed it into the same scanner, and you still get your instant count, minus the benefits of a computerized user interface (input validation/error checking, alternative interfaces for the disabled, translations for non-English speakers, no eraser smudges, etc.). This option could always be available, even when the machines are working perfectly, for voters who prefer it.
And if the scanner jams, you just keep the ballots in a locked box and count them later. This shouldn't happen, but if it does, it's not a catastrophe.
In the FOSS world the mantra is "shut up and show me the code". I'm asking you to put forth your own list of designers you feel are competent, why you feel they're competent, and what about their systems is such an improvement over the existing state of the art. Compare and contrast to Chaum's Punchscan, Rivest's triple-ballot, and the various mixin and visual cryptographic schemes.
How do you feel about the Open Voting Consortium? They suggest printing a barcode on each ballot alongside the human-readable vote, which I don't agree with, but aside from that, I think they have some good ideas.
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
Touchscreens have repeatedly failed when put into practice. The literature is replete with accounts of touchscreens being poorly aligned, so that voters who touch for candidate A wind up voting for candidate B instead. This is a catastrophic failure of the interface. Look into New York State and their Board of Elections for more details. At present, touchscreen technology needs to be considered extremely problematic; more reliable designs are needed.
Comparisons to restaurants are inappropriate. Those machines are used every day, and machines used every day tend to be more reliable than ones only used once every couple of years. Moreover, the people who use the systems are intimately familiar with them from long experience. Most voters are almost entirely unfamiliar with the DRE systems they use.
With respect to whether a good DRE interface should be easier to use than paper and pencil, I can't talk intelligently about it. Ask Rice University, which is currently doing a lot of research into the human factors of voting. I will tell you, though, that this is a subtle field and the psychology grad students down there are getting some good research papers out of it, so I'd be suspicious of saying anything was obviously true. If it was obvious, we wouldn't need to do basic research.
With respect to printers, we are already seeing widespread reports of printer failures in elections--from VVPAT systems running out of ink (and nobody noticing), to print heads not working, to the wrong kind of paper being stockpiled, to... etcetera.
History strongly indicates that it is not as simple as you're making it out to be.
How do I feel about Open Voting? Well, I know some of the people involved, and they seem like decent sorts. On the other hand, their system exists only on paper. There are no prototypes to test. Almost any system can look like a good idea on paper. As soon as they actually implement it, I'm quite certain we'll discover the Open Voting model doesn't live up to all of its promises.
At this point, I'm finished with the thread. I'd strongly suggest that if you want to talk to others about electronic voting, that you first do research. Don't make claims without having either academic papers you can point to, real-world systems you can refer to, real-world election officials and election experiences, etcetera.