California to Start Review of Voting Machines

An anonymous reader writes "California Secretary of State Debra Bowen just announced details about the previously discussed 'top-to-bottom review' of almost all voting and counting systems used in the state. The team features big names in e-voting security: David Wagner, Matt Bishop, Ed Felten, Matt Blaze, and Harri Hursti, among others. Vendors have time to submit their machines including documentation and source code until July 1st or face severe restrictions, including decertification, for the 2008 elections. Scheduled to start next week, the review will include a red-team attack and going through the source code."

Some of these machines have been in use since 2000

[CaptainPatent]

...But it's about time that electronic voting machines were beta-tested!

Re:Some of these machines have been in use since 2

[king-manic]

The last 2 elections were the beta.

California should use Certified mail.

Ballot materials are "delivered" without proof. Even the moment to cast a ballot should be a postal duty. So-far, they can't say if mail was delivered or not when using the non-stamped commercial mail-meter rate. Every certified mail delivery of a vote from a person should be counted once by the postal Clerk in Record of the Direct Treasury Account. A network would facilitate a real-time audit of the vote; emphasizing between the debt to cast a vote in one's favor in valuation of their debt: a citizen-subject as opposed to a Citizen, not confused with a denizen or a national.

Not to sound particularly paranoid, but...

[infestedsenses]

Vendors have time to submit their machines including documentation and source code until July 1st or face severe restrictions, including decertification, for the 2008 elections.

How will the state ensure that these machines will be identical to those used on election day? Will random voting machines be checked with similar precision during the elections, or what guarantee do we have that these machines will not have been tampered with through "enhanced" source code? I had a glimpse at the FAQ but could not find any information on this, perhaps someone has some pointers?

For this same reason, Consumer Reports and other reviewers buy products anonymously from stores instead of receiving them from vendors, due to previous cases in which the process (such as that intended with the voting machine review) has been taken advantage of.

Chuck the Lot

[glomph]

Voting machines provide no advantage, other than obfuscation of possible/probable tampering and errors. Code reviews are a waste of time. Bring back paper. Non-tangible bit-flipping to register votes will never be sufficiently accountable.

At VERY minimum, institute scantron (filled in boxes on paper) voting.

Re:Chuck the Lot

[insanecarbonbasedlif]

Paper ballots can be manipulated easily as well. It's just a different set of problems.

I don't want to waste my time writing down possibilities that are going to be ignored, so anybody who's curious can just use their imagination on how to defraud a paper ballot based system.

Electronic voting can be secured as much as modern paper ballots - it's not inherently impossible.

Re:Chuck the Lot

[raehl]

What we have is a case of a good idea implemented very poorly. Honestly something as simple as connecting a drivers license number and name to each ballot would vastly increase accountability and how reviewable an election would be. It's a good idea in need of a huge makeover.

It would also entirely destroy the concept of an anonymous voting system. One of the important parts of voting is knowing the winning candidate won't be able to track down anyone who didn't vote for them.

Re:Chuck the Lot

[mmurphy000]

One of the important parts of voting is knowing the winning candidate won't be able to track down anyone who didn't vote for them.

To quote from the xDebate wiki:

The "politically incorrect" answer is that society should work on fixing the root causes. Anonymity in elections is primarily an issue because of potential retaliation if somebody doesn't vote as they "should" (e.g., loses job, loses limb). The cost of anonymity in elections is in the social aspects of public participation — without visible social pressure from peers to participate in elections, you're left with only broad-brush social norms to try to fend off a "tragedy of the commons"-style shirking of participation. This can be seen in the US in the form of generally falling voter turnout, among other symptoms. Society needs to consider whether the cure (anonymity) is worse than the disease (some percentage of "vote buying" in one form or fashion).

I'm not saying that voter coercion is a good thing, but I think society needs a deeper discussion as to whether anonymous voting is all happiness and puppies. I only ever hear the negative consequences of attributable voting, never any positives. I'm no expert, but I'd sure like the experts to ponder the issue...

Re:Chuck the Lot

[Chandon+Seldon]

Electronic voting can be secured as much as modern paper ballots - it's not inherently impossible.

Actually, it is inherently impossible for the security properties that matter most for a voting system. Specifically, every voter needs to be able to understand the security of voting process well enough that they can recognize attempts at voting fraud. That's a property that paper ballots that go in ballot boxes can easily have, but is strictly impossible for software installed on a computer.

Consider a 62 year old florist named Mary who has decided to volunteer as an election observer. As the polling station is set up, she verifies that the ballot box is empty. As each voter votes, she makes sure they vote privately in the booth. She can watch as exactly one ballot is added to the ballot box per voter, and no one messes with it otherwise. When the election day is over, she walks/rides with the ballot box to where the votes will be counted. After observing the counting, Mary *knows* that the election was run securely.

Now consider Mary trying to observe an election run with direct-recording electronic voting machines. She can't even accomplish the "verify that the ballot box is empty" step, much less witness that each voter votes only once and doesn't tamper with the vote counts. Hell, I'm in the third year of my Computer Science degree and I couldn't observe a polling station and determine if fraud had occurred there with machines like that. There's just no way to see that what's happening in the machine is what is supposed to be happening.

Sure, we could come up with some mathematically / cryptographically correct secure voting protocol. We could build hardware from scratch that can be visually authenticated somehow. We can publicly publish software source code that has been thoroughly audited for bugs and security holes. We can come up with a mechanism to allow voters to verify that the correct software is running on the machines. With all that, someone with a masters degree in computer security would be able to observer a polling station and personally know that the election there had been run correctly.

Today's direct recording systems are impossible to trust. With years of engineering effort, we could build systems that experts could trust. Or... we could maintain the basic principle of democratic equality and use a system that *everyone* can understand well enough to personally trust.

Re:Some of these machines have been in use since 2

[Ice+Wewe]

...now introducing ballot V1.0, with enhanced security!

Voting is fun again

[Original+Replica]

Now if we have secure, trustworthy voting (electronic or not) and Maryland's governor gets his way, people might actually feel like their vote means something again.

Maryland Governor Martin O'Malley signed off on legislation [SB 634 materials] Tuesday that will award Maryland's ten votes in the US Electoral College [NARA materials] to the national popular vote winner in presidential elections, instead of the recipient of the most votes in Maryland. The legislation will only take effect, however, if a majority of the states representing the total 538 electoral votes adopt similar laws. The bill's sponsor, state Senator Jamie Raskin, told AP that the move to a popular vote system "will reawaken politics in every part of the country," even Maryland, a state presidential candidates usually sidestep because of the belief that it will always vote for the Democratic candidate.http://jurist.law.pitt.edu/paperchase/20 07/04/maryland-governor-signs-law-changing.php

Uh, no.

[raehl]

Voting machines provide no advantage

Electronic voting machines are in virtually every way superior to paper voting machines.

They prevent you from accidentally submitting an invalid ballot.

They can be updated with a correct ballot much easier than actually printing ballots.

They can more easily accommodate voting by the disabled.

They can randomly display the list of candidates, eliminating the 'first ballot position' advantage.

What does NOT have many advantages, and has several disadvantages, is electronic vote-STORING machines. We definitely don't want any of those. But as long as the voting machine kicks out a voter-readable paper ballot, we don't really even need to know the software it's running. Anything nefarious will be obvious on the ballots.

Re:Uh, no.

[Kandenshi]

"The day after the election, you best have a paper record saying you voted for my man Mr. McFakename.
It wouldd be most ... unfortunate if you were to fall down a flight of stairs repeatedly."

What I'm subtly alluding to is vote buying/intimidation being possible if you take an official record of your voting behaviours home with you.

Re:Uh, no.

[jonnybcivics]

As someone who's done some academic research on voting technology, I'd like to respond.

Electronic voting machines are in virtually every way superior to paper voting machines. Um...

They prevent you from accidentally submitting an invalid ballot. So do precinct count optical scan ballots (i.e. scantron). The way it goes is that you fill out your ballot and then a poll worker scans it through the machine to make sure you have no overvotes or doodles outside of the designated boxes. If you screwed up, your ballot is destroyed and you get a new one and re-vote. This doesn't happen for central count optical scan ballots (where they box them all up and take them to a central location to be scanned) but central count optical scan set-ups are being phased out.

They can be updated with a correct ballot much easier than actually printing ballots. Actually, precincts are required to print out backup ballots to use should touchscreen machines go down. So really each precinct is running (and paying for) a backup election with paper ballots even when they use touchscreen electronic voting machines. Even if they spit out a paper trail, a precinct is going to need backup paper ballots in the event of a printer malfunction. This kind of negates the whole argument of being able to change-up a ballot on the fly, because once those back-up paper ballots are printed, the precincts are committed to a set ballot.

They can more easily accommodate voting by the disabled. This is a legitimate argument, but one electronic voting machine per precinct specifically for disabled people makes more sense than buying several to serve all voters. And anyway, optical scan paper ballots can be easily adapted for disabled voters http://www.wired.com/science/discoveries/news/2006 /01/70036

They can randomly display the list of candidates, eliminating the 'first ballot position' advantage. You can also argue that a random listing of names would make candidates harder to find than an alphabetical listing. I don't think this is such a big gain when you consider the cost, security issues, and possible malfunctions that can occur with electronic voting systems. With optical scan, the worst case scenario is that the scanner goes down and ballots have to be saved and scanned once the scanner is fixed. With electronic voting machines, regardless of paper trail, if there is a malfunction, the machine is down and you've just lost a huge part of your ability to serve potential voters. Then you have long lines, people pissed off, people deciding they aren't willing to wait and not voting, etc.

I have yet to hear a reasonable argument for electronic voting machines over tried and true optical scan ballots for any criteria - security, cost, usability, convenience, etc. On election day, you only get one shot to serve all the voters. Best to have a reliable and secure voting system than a bunch of fancy machines that have the real potential to crash. Not to mention, based on some research done by a colleague, electronic voting machines cost over twice as much as an optical scan system per ballot cast. And the serving capacity for an optical scan set-up can be expanded by buying cheap plastic privacy booths rather than another expensive machine. I know slashdotters usually have a boner for technology, but learn a little about running elections before you bring that bullshit to the polling place.

Source code and freedom of information?

[Marcion]

Anyone know what the rules for freedom of information apply here? Could these rules be used to examine the source code for flaws?

Re:Source code and freedom of information?

[Touvan]

Even if you could review the source code, there would still be no way for you to validate that the machines running on election day, are running code that was compiled from the source code you reviewed.

In other words, you can't look in the machine as see what it's doing.

Paper trails are useless, since you can't invoke them unless there is a good enough reason to do so (close enough election usually 1% or so - not a big deal really, just set your machines to steal more than 3%).

At the end of the day, the only difference between hand counted paper ballot voting, and electronic machine counted voting, is how hard the election is to steal. With hand counted paper, you need a lot of individuals all working together, at various levels during the tallying period to do it. With electronic machines, you just need one well positioned operative.

State of California Read This and Save Millions!

[raehl]

I appreciate California's effort to verify that their electronic voting machines work. I have developed an economic process for certifying electronic voting machines.

1) Determine if the voting machine produces a voter-readable, paper ballot.
2) Determine if this ballot is the OFFICIAL voting record.
3) If 1 and 2 are true, then the machine is good. If not, it's not.

There you go. Why do people insist on making easy problems hard?

Re:Diebold won't comply

[koreth]

If they pull out of California because of that, they may as well just quit the election systems game altogether. It's the largest market, and more importantly, when California does significant things, other states very often follow its lead, for better or worse.

Not, mind you, that I'm saying it's a bad thing for Diebold to get out of the market. (Which it's been reported they're considering doing anyway.) Don't let the door hit your ass on the way out, I say to them.

stupid...

[j0nb0y]

There is no need to see the source code for this software.

There is only one specification for a secure voting machine, and it is easy to test. There is no need to see the source code. If the machine meets the spec, it is a secure voting machine. Otherwise, it is not, and should not be certified.

Here is the specification:

1. The voter votes on the machine.
2. The machine prints out a ballot.
3. The voter checks the ballot for accuracy, then deposits it in the ballot box.
4. Ballots in the box are tallied for the official vote count.

Simple, easy, secure, reliable, and recountable. There is no need to see any source code.

A voting machine which doesn't meet this spec is not secure. It doesn't matter how many times you check the source, the machine will still not be secure. An "open source" voting machine which does not meet this spec is not secure. /.ers like to equate secure voting machines with open source. I like open source, but trying to inject it in this issue is foolish. It is irrelevant whether the voting machine uses open source software. Either it meets the spec, or it doesn't.

Re:Diebold won't comply

[OWJones]

As one of the people involved in the crafting of the North Carolina law and supporting Joyce's lawsuit, I can clarify a bit. We suspect Diebold pulled out of North Carolina not because of the source code escrow issues (which they claim to have complied with in Georgia) but because the CEO of each voting company had to sign a legally binding document saying that the source code his company installed on our machines was the same code that would be placed in escrow and provided to the examiners. On the day this document was due Diebold pulled out of the state, sending a "helpful" letter to the State Board of Elections offering to help "reform" our newly-passed law.

-jdm

FOIA doesn't apply

[commodoresloat]

FOIA requires access to public records. It's possible that source code could be defined as a public "record," though it might be stretching the definition. "Records" are defined as tangible documents, which could certainly include computer files, but it seems to me that the govt would argue that voting documents and results are "records," but source code is part of the process by which the records were created rather than the records themselves. Besides, wouldn't this open up all source code used by federal agencies, including MS Word, assuming they use that to generate documents that are "records"?

Another problem is that the law only applies to federal agencies, though states may have their own laws that require similar public access. Since voting machines and procedures are the responsibility of state governments, the federal legislation wouldn't apply.

Frankly, I think we need new federal legislation here.

Re:State of California Read This and Save Millions

[Nursie]

Hmm. One could almost do this with a piece of paper!

If only there was a way to mark a piece of paper with the candidate's names and then have a box next to each!

And perhaps some sort of paper marking implement to be given to the voter such that they may indicate their choice...

I fear such technology may be beyond us.

Re:I don't think you understand how this works.

[mOdQuArK!]

You can make a very nice vote-printing machine (rather than a vote-counting) machine, with all kinds of standards to make sure the questions are easy to read (or hear), that the answer that you put down is actually associated with the question that is on the screen, and that you can only put down ONE answer per voting question.

The resultant ballot sheet should contain a list of the items that you voted on, with your answer easily readable next to each item (using a machine AND voter-readable font, since having a separate machine-readable code would make the voter-verification worthless).

If anything looks fishy, the voter tosses the ballot into the shredder & gets a new blank one.

Manual recounts would be a helluva lot easier (no hanging chads, no wondering what a stray mark covering two ovals means, etc).

As the grandparent says, there's quite a few benefits that are possible by designing a solid system for printing votes, but using the computers to count the votes is really problematic.

Re:Debra Browen

[billstewart]

wikipedia ref on Debra Bowen.

Secretary of State is an elected position in California, and Debra Bowen got elected last November, so she hasn't been in place long. Previously she was in the state assembly and then state senate, where she was one of the influential people on open government, open records, and privacy issues, and made a big issue of doing something about the voting machine problems. I gather there are other issues where some people passionately hate her, but for the most part she's been viewed as an honest politician rather than one of the machine players. She's also an advocate of voting alternatives such as Instant Runoff and proportional representation in general.

Re:I don't think you understand how this works.

[Chandon+Seldon]

using a machine AND voter-readable font

Machine counting of votes is also sketchy. The big controversies in the 2004 election weren't about direct-recording machines, they were about the automated ballot counting machines. Unless you have a policy in place to require that the paper ballots be retained after scanning (rather than being destroyed) and a way to force a manual recount if *anyone* suspects machine tampering, you really haven't gained anything.

Someone on Slashdot once suggested separating ballot sorting from ballot counting. Put the ballots in a sorting machine and then use a dumb counting machine to count the sorted stacks. That's a much better plan (as long as the counter checks the stack to verify that it's sorted).