Punchscan Wins Open Source Voting Competition

An anonymous reader writes "Punchscan emerged victorious at the open source university voting systems competition, VoComp. For their efforts, they will receive the US$10,000 prize provided by ES&S (which has recently been named in a scandal in Florida). The second-place team put up a good fight: 'Per Ron Rivest, one of the contest's judges, the runner-up team, the Pret-a-Voter team from the University of Surrey in the UK, gave Punchscan a tough run for the first-place money until the Punchscan team dug through Pret-a-Voter's source code and found a significant security flaw in their random number generation. Oops.' It will be interesting to see if these systems ever make it into the mainstream. Kudos to ES&S for showing their forward thinking in this area, as the other voting machine vendors, such as Diebold, did not support the competition."

So

A system with a significant flaw in security comes second?

Re:So

[inaequitas]

What do you expect, when one with an undocumented number of security flaws is marked for real-life use?

But an interesting competition. Puts responsibility back in the way people write their code, not license it and hide behind the legalese.

Re:So

Second out of four teams, I wonder how bad the other two were!

Why do they use a random number generator?

[Intron]

Does this explain the last two presidential elections?

Re:Why do they use a random number generator?

[raddan]

Without knowing the specifics of the system, I'd guess it's probably used as some part of an authentication token. You want to make sure that you can verify that the printed paper receipts correspond to a vote, but you don't want to give away the voter's identity, right? Random numbers are frequently used where you need a shared secret or seed for an encryption algorithm to work on, and encrypted secrets or seeds are often a part of an authentication system. Numbers that are "random enough" are difficult to achieve, even for people who know what they're doing, so it's not surprising that the US-Canada team looked there first.

Re:Why do they use a random number generator?

[Reverend528]

No, if the president was truly selected randomly, then a second-party candidate might have won.

How can reciepts ever work?

Take home receipts are vulnerable to exploits that make them seem useless. Any random voter could go home and make a fake receipt to claim the results were tampered with. Sure, you could combat that by keeping record of which ballots, with their identifying numbers, were passed out, but if you're going to tamper with the election results, you could delete the vote from the count and the list, then when the voter complains their vote wasn't counted you could claim they faked their ballot...

Re:How can reciepts ever work?

[InvisblePinkUnicorn]

"Any random voter could go home and make a fake receipt to claim the results were tampered with."

TFA explains how that would be pointless, since the pairing of letters with names is different on each form. The receipt doesn't tell you anything about who you voted for, only what letters you chose. And if their point was to try to change an election, they would need a large group of people to be in on it to guarantee their desired outcome, and the larger the group, the more likely their fraud would be to be exposed.

Re:How can reciepts ever work?

[un1xl0ser]

Well since they used a random number generator, I assume that there is a cryptographic reason that they can't forge the receipt as well ...

Re:How can reciepts ever work?

[Not_Wiggins]

And if their point was to try to change an election, they would need a large group of people to be in on it to guarantee their desired outcome, and the larger the group, the more likely their fraud would be to be exposed.

More to your point, if you could organize that many people to swing the vote a certain way, couldn't you have just gotten those same people to vote your way at the start without any fraud?

Re:How can reciepts ever work?

[Aerion]

Sure, you could combat that by keeping record of which ballots, with their identifying numbers, were passed out, but if you're going to tamper with the election results, you could delete the vote from the count and the list, then when the voter complains their vote wasn't counted you could claim they faked their ballot...

You can make a copy of each receipt at the polling place and give it to one or more trusted third parties (e.g. the League of Women Voters, or the ACLU (supposing for the moment that none of these third parties is in league with The Terrorists)). Then multiple parties can detect that the ballot list was tampered with.

A simpler method is to make the ballots tamper- and forgery-resistant using existing technology found on personal checks.

Or you could encrypt the receipt number and print the resulting ciphertext on the receipt. This prevents anybody from faking a receipt without the encryption secret key. (Alternatively, use a cryptographic hash with a secret salt.) This requires that a trusted third party perform random ballot audits to ensure that the pre-printed receipt number plaintexts and ciphertexts correspond.

The only problem I see with this

[InvisblePinkUnicorn]

The only problem I see with this system, as it was with the hanging chads, is that people with poor vision or low brain power will be easily confused by the way the choices are out-of-order. Maybe they could use colored letters to make it easier to match them up, or even use pictures, e.g. a dog for Clinton, a snake for Giuliani.

Re:The only problem I see with this

[Gothmolly]

And a douche for Hillary?

Re:The only problem I see with this

[techno-vampire]

They were already using that in Shakespeare's time: "The Cat, the Rat and Lovel the Dog, rule all England under the Hog."

Re:The only problem I see with this

[sakasune]

... Maybe they could use colored letters to make it easier to match them up, or even use pictures, e.g. a dog for Clinton, a snake for Giuliani. So, you're saying just use the pictures of the candidates themselves?

Irrelevant

[Gothmolly]

To quote a now dead, but once very powerful man: "He who votes decides nothing. He who COUNTS the votes decides everything."
It's charming to see people coming up with Open Source voting and other governmental tools, but extremely naive to think that they'll ever be implemented. Even if they make their way into governmental dialog, they'll be co-opted by Diebold, et.al. in the 11th hour before any policy is changed.

Re:Irrelevant

[fistfullast33l]

Even more disturbing...how will we know if they're implementing an open source system? If a voting machine is a black box, it wouldn't exactly be easy to determine whether or not the source code originates from an open source system.

Re:Irrelevant

[AP2k]

Another, once very powerful man, said the Jews were the root of all problems. Yet another said to take everything with a grain of salt.

Re:Irrelevant

[Reverend528]

It's charming to see people coming up with Open Source voting and other governmental tools, but extremely naive to think that they'll ever be implemented.

Well, if users could verify that their vote was accurately counted, doesn't that kind of undermine the purpose of staging an election?

Re:Irrelevant

[shrubya]

Yeah yeah, and we may as well throw in "A witty saying proves nothing" from Voltaire.

In this case, however, the words were backed by real action. Comrade Joe was indeed the one counting the votes, and he did in fact end up deciding everything in his nation.

More publicity for OSS voting machines, please.

[TheDarkener]

We need more than preaching to the choir - everyone should link to this from their blogs, post it as a bulletin to their friends on Myspace, etc. etc. etc.... the more people hear about these things, the more likely it will be that we actually start using OSS-based voting machines on a large scale.

3 2 1, GO!

Re:More publicity for OSS voting machines, please.

[oyenstikker]

Hearing is not caring.

Re:More publicity for OSS voting machines, please.

[TheDarkener]

Hearing is exposure. Don't underestimate exposure. Ever heard of the saying, "Even bad publicity is good publicity?"

Re:More publicity for OSS voting machines, please.

[Kadin2048]

I love OSS as much as the next Slashdotter, but I'm not sure it's a panacea here.

As long as the system relies on software, rather than something that can be physically verified, to actually tally votes, then you are at the mercy of the software. And that is a problem. Even if the code is available, you still have a long way to go. You have to ensure that the code that's running on every one of the voting machines is actually the source code that's available. And you have to have a completely clean, verified, and open-source compiler chain, to prevent someone from just tampering with the compiler and injecting badness into the binaries that way.

It's a step forward, sure, but a step forward towards what? Why are we going down this path at all?

I strongly suspect that with all the money that's been spent developing electronic voting systems -- not to mention all the money wasted on broken systems deployed in many states in the last few years -- we could have just paid humans to manually count the ballots at the next decade's worth of elections, while being observed by independent and partisan watchdogs (and videotaped for later review), and achieve far more confidence, while using a system that's understandable to the average voter.

Re:More publicity for OSS voting machines, please.

[TheDarkener]

Did you RTFA? You can verify your votes at a later time online with your vote tally. This is a major element in verifying election integrity. Sure, it isn't perfect - but what truly is? We're always chasing after a better solution, and this is definitely a better solution than what we have right now.

How about redundancy...I think we can all agree that the more independent, distributed systems that are in place to verify voting integrity, the better. It's hard to hack 10 separate systems to change voting results, especially if you have MD5 checksums (or another verifiable mean) to check your own vote. I personally think this should be a mandatory step in the voting process - verifying your results.

Re:More publicity for OSS voting machines, please.

[KlaymenDK]

Hearing is not caring. How can not hearing ever lead to caring?

Re:More publicity for OSS voting machines, please.

[Yvanhoe]

OSS based machine doesn't solve anything. How can you be sure that the published source is the one being used by the machine ? I am sorry, I see no way of doing this with an electronically programmable machine.

Re:More publicity for OSS voting machines, please.

"As long as the system relies on software, rather than something that can be physically verified..."

Those aren't your only two options. You can also rely on math. And that is what these systems do. They are cryptographic systems and they only use computers as glorified calculators--and even then, the premise is that the computer is going to fuck up and so there are audits to double check the calculations. But your faith is in encryption functions to keep your vote safe not in software.

Re:More publicity for OSS voting machines, please.

[rtb61]

Actually you do not really need to even pay people to do the work, just shift the elections to a Saturday and hold the booths open for 12 hours, so that the majority of people can more readily participate.

Elections and democracy are about people, I absolutely can not understand why some governments are so desperate to get people out of the system, it should be driven as an inclusionary process, is it fundamentally the most important part, the ultimate defining act of any democracy.

Sure you might have electronic voting for less important things, like the approval or disapproval by the public of any and all congressional or senatorial votes, or local government votes but for the main federal and state elections it makes absolutely no sense at all.

The only real reason for electronic voting is so that the system can be more readily corrupted by the ass hats who don't believe in democracy.

public key techonology

[FunkyELF]

I think it was a comment here that once suggested a voting system where users could ensure that their vote counted.
Every registered voter has a public / private key.
Votes are digitally signed by the voters.
Then after the election (or during), the signed messages are posted online.
Voters would be able to see that their vote counted in the right direction, and unless someone else knows your private key, nobody would be able to tell who you voted for.

The non-digital analog to this went something like this. Think of it like a system where you write down who you vote for on the top of a piece of paper. Then you tear off the top and place it in a sealed box. The bottom half is your receipt. After the election, you can compare your bottom half to every top half out there until you find the one that matches the tear pattern.

Re:public key techonology

And then after the election, cousin vinnie comes along and says "ok, now you prove that you voted for uncle enzo, or I break your kneecaps". Since you do have a method of proving who your vote was for, you're kinda stuck...

The solution to high-tech fraud is not "make low tech fraud easy". We've seen this sort of low tech fraud in the past; while scale problems make it hard to pull off for president, it's common in smaller-scale elections.

Moreover, a fraudster now just has to be careful to not change votes, but instead just add them; in most districts there are plenty of people who don't vote, so your corrupt poll worker just checks the boxes next to a few people at the end of the day and puts in votes for them.

Re:public key techonology

Your method still allows for others (i.e. employers, or just plain people out to buy votes) to force you to disclose who you voted for, so it is not exactly a secret vote anymore.

Re:public key techonology

[bobdehnhardt]

Voters would be able to see that their vote counted in the right direction, and unless someone else knows your private key, nobody would be able to tell who you voted for.

That "unless" part is the biggest problem with this approach. Digitally signing the ballot eliminates the anonymity of it. On measures that are controversial or highly contentious (stem cell research, gay marriage, abortion, legalization of drugs, to name a few), people need to be able to cast their votes without fear of reprisal or being ostracized be their community. If I'm digitally signing my ballot, that creates a solid link between me and my votes, which may make me reluctant to vote in ways that don't conform with the views of my neighbors.

Of course, the Government has a solid reputation of keeping secrets, so there's no chance that the ballot data could be stolen, hacked or otherwise compromised, or have their contents improperly made available to the general public. And encryption never, ever gets cracked. And the public would never fall for any tricks to get them to divulge their passphrase or surrender their key (for example, a phishing site claiming to be a Voter Verification Portal). Nope, the security here is 100%, nothing to worry about, just go about your business....

Re:public key techonology

[starfishsystems]

Digitally signing the ballot eliminates the anonymity of it

Not so, fortunately. Think about it. You can verify a signed object against a public key without knowing who owns the corresponding private key. There is nothing in the key pair itself which carries identity.

And if you make use of a certificate infrastructure, you can verify that the public half of the key pair was signed by an authority whose identity you do know.

Certificates can be used to carry many sorts of identity, including anonymized identities. It's not the case that they must do so. This property makes them very useful for voting systems.

Re:public key techonology

[DragonWriter]

Every registered voter has a public / private key.
Votes are digitally signed by the voters.
Then after the election (or during), the signed messages are posted online.
Voters would be able to see that their vote counted in the right direction, and unless someone else knows your private key, nobody would be able to tell who you voted for

Someone issued your public/private key combo, and probably required your identity when they provided it to you. That someone knows your private key.

Re:public key techonology

[DragonWriter]

Not so, fortunately. Think about it. You can verify a signed object against a public key without knowing who owns the corresponding private key. There is nothing in the key pair itself which carries identity.

Of course, someone know who owns the corresponding private key, unless identity is not provided in order to have the key issued, or the key and the provided identity are never connected in the process.

Even the threat that they might be connected covertly by government could have a distorting effect on voting, even if the system in fact managed to wall the identity and key off from each other so that they were not associated.

There are ways around this in voting systems, but one must be careful, since they both need to be secure, reliable, and anonymous and be seen to be secure, reliable, and anonymous.

Re:public key techonology

[starfishsystems]

unless identity is not provided in order to have the key issued, or the key and the provided identity are never connected in the process

Exactly, like a double blind.

Re:public key techonology

[MntlChaos]

Someone issued your public/private key combo, and probably required your identity when they provided it to you. That someone knows your private key. Not necessarily. The voting machine can generate the key pair, and sign it with its own certificate. Then it gives you the private key in a printout. The machine doesn't need to know who's voting at it, just that it is some voter.

Re:public key techonology

[ragefan]

Someone issued your public/private key combo, and probably required your identity when they provided it to you. That someone knows your private key. Not necessarily. The voting machine can generate the key pair, and sign it with its own certificate. Then it gives you the private key in a printout. The machine doesn't need to know who's voting at it, just that it is some voter.

As it has been mentioned before in many threads, anytime the ability is given to verify your vote at a later time opens the ability for fraud as well. Examples include a candidate (or supporter) offers cash for every verifiable vote, or an employer requiring proof to keep ones job.

I think the best solution I've heard is that the voting machine does nothing more than prompt for votes and then print the ballot in clear text with the selections marked showing the votes placed that the voter can verify visually before placing in a separate scanner, similar to the punch card scanners. If the voter does not put the printed vote in the scanner then it is not counted and the printed ballot is retained by the scanner so there is still a paper trail for recounts. Certainly the voting machines could keep a tally but it would not be offical.

No system can be perfect, as too much depends on the people running the polling place for it to be.

Re:public key techonology

[Aerion]

And then after the election, cousin vinnie comes along and says "ok, now you prove that you voted for uncle enzo, or I break your kneecaps". Since you do have a method of proving who your vote was for, you're kinda stuck... This is exactly right. I can force you to surrender your private key. What if you refuse? My, eh, associates will break your legs.

How can I verify that the private key you provide is actually yours? Your odds of randomly guessing a valid private key are terrible, but it's trivial to verify that a private key is valid for some ballot. I can brute-force check every signed ballot against your private key.

If one of them does match, and the matching ballot shows that you didn't vote for my guy, my associates will break your legs.

If none of them matches, my associates will break your legs, and then probably give you a good kick in the face for trying to deceive me.

Re:public key techonology

[DragonWriter]

As it has been mentioned before in many threads, anytime the ability is given to verify your vote at a later time opens the ability for fraud as well.

This is true in many cases, but its quite possible to have a system where the voter has the information to verify their vote, but no one else can with any certainty verify the voters vote, even with the voters receipt. Of course, such a system necessarily cannot be used to by the voter to challenge the results if their is fraud, it can only provide personal confidence (which is valuable in itself.)

Re:public key techonology

[RAMMS+EIN]

IIRC, one of the challenges Chaum set himself is to avoid reliance on cryptography, because it would be too hard for users to understand.

Having said that, I'm not sure if his system doesn't suffer from the same problem.

On the other hand, the system you proposed can fail in ways that Chaum's can't. For example, your private key could be obtained by a malicious party, or they could coerce you into proving whom you voted for.

Re:public key techonology

[ydra2]

No public key is needed. You just make up something that you can remember, such as "The quick brown fox" or a single letter or anything you can remember. If it's already been used, you have to change it, by making it all caps, or maybe every second letter capital, or adding something to it, ot whatever to make it unique. When you search online the search will simplly return the ten (or whoever many you chose), closest matches to whatever you enter. Then you find one that voted for uncle enzo and you say "That's my ballot!" You don't even have to remember your secret exactly, just close enough for a fuzzy match to find it. But the strength is, that you don't wirte anything down except on the actual ballot, so you actually have to remember your secret, and you can tell vinnie whatever you want about your secret.

The pushscan system only tells what your ballot looked like, not who you voted for or how your vote was counted. It's totally worthless besides, we all know who we voted for because we were there! It's who our vote was counted for that that we want to know. My system shows the world who everybody voted for, but not who they are.

It's then a simple matter to let anybody on earth search for all results by entering an empty search string and count all the votes themselves. It would be like having a million recounts all at the same time. If we really wanted to make it stronger we could risk cousin vinne's wrath by having every voter take a picture of their ballot on instant film. Then if the final count is wonky, all the voters go back to their polling station and turn in their pictures for a recount. You turn your picture into the side you voted for. They verify that your picture belongs in their box, and eventually they count them up. There is then hard incontrovertable evidence on how everybody intended to vote regardless of what the machine did with it. As for cousie vinnie, call the FBI and say "Come quick, there's vote tampering going on here. See you in five to ten vinnnie."

Oversight

[InvisblePinkUnicorn]

It's called oversight. Punchscan makes it easy for every single voter to ensure that the items they marked are exactly what was entered into the database. People can even download large randomly-selected chunks of the database to help ensure integrity. Read Wikipedia for more of the security features.

Re:Oversight

[Gothmolly]

You must be new here.

Re:Oversight

[fistfullast33l]

I was referring more to a GPL violation, or whatever license the code is distributed under. If you can't see the code, how do you know what system it is?

Was it a fair competition?

[91degrees]

After seeing the machines, the 6 judges cast their votes electronically. The votes were 2 for Pret-a-voter, 3 for Punchscan and 107,345 for Diebold.

what about plain old paper?

It's very reliable and everybody can easily check if there's (large-scale) fraud - even those who don't have a math BSc. Plus, it's really cheap.

mod parent up please

Every single slashdot story on electronic voting has someone advocating voter verification outside the voting booth and they all forget the scenario described above. Voters should be able to verify a paper trail for their vote when it is cast but no one, including the voter, should be able to associate a vote with a voter afterwards.

Re:mod parent up please

[cduffy]

Punchscan handles this scenario. It means you can prove that you voted for A, A, D and C (and validate that this set of votes was counted correctly) -- but you can't prove who option A on item #1 was on your ballot (as opposed to someone else's ballot), so even when knowing that you voted for A on #1, Vinnie can't tell whether you voted for Enzo or not.

Bloody hell, people, learn how this works before you trash it.

Re:mod parent up please

I believe he was responding to FunkyELF's post, not the punchscan implementation.

Re:mod parent up please

[CastrTroy]

So if all I can verify is that I voted for A, A, D, and C, then how can I actually verify that my vote was counted correctly. I'm not sure of all the details of the system, but it seems to me like it would be possible to show someone a scanned image of their sheet showing A, A, D, C while recording something completely different in the database. Also, am I the only one who thinks that understanding the voting process shouldn't require a PHD in computer science? I like the pen-and-paper-human-counted system because I completely understand how it works. With electronic voting machines, there's some organization saying, trust us, it works, don't worry about how it works, it just works. Diebold says the same thing about their systems, why should I believe one organization over another? What's wrong with a system that's simple enough for everyone to understand.

Re:mod parent up please

[cduffy]

So if all I can verify is that I voted for A, A, D, and C, then how can I actually verify that my vote was counted correctly.

Read the wikipedia article describing Punchscan; my previous post was an oversimplification. Punchscan actually creates two components to a vote's record; the voter can select either one to be used to count them (and act as their receipt), whereas the other one is shredded. Both pieces tell whether the voter selected the first, second, third or fourth punch; one additionally tells which candidates are A, B, C and D, while the other additionally tells which of the first, second, third and fourth punches corresponds with A, B, C and D (but not which candidates are A, B, C or D); in either case, one piece of information needed for the voter to sell their vote is missing, but the choice of which piece this is is left with the voter.

The voter can then take home the piece they chose, which (in either event) has two of the three pieces of information needed to prove whom they voted for. After the election, they can then compare that physical token which they hold with the publicly available, scanned versions of the non-shredded tokens which were counted.

So -- the way voter validation is done is very easy for anyone to understand, without a heavy cryptography background available. Also, notably, there's no computer needed at all to implement the actual voting process (which is typically implemented with nothing but paper)... though the generation and validation of the ballots is a different matter.

The only thing that requires computers to implement, and a cryptographic background to understand, is the secret kept back at the voting organization describing the item orderings used for the ballots. Now, the election organization can't change these after the fact -- because of the implementation (getting into crypto here) any change to it would effectively randomize the orderings on every ballot in existence, and the 1/2 of people who decided to record and keep the half of their ballot containing that ordering information would notice, making such an attempt futile.

The worst that a corrupt election authority can do under the Punchscan system is release the ordering information to some colluding group, thus allowing a third party to tell how individuals voted; they cannot miscount your vote without being detected. (Without knowing the serial numbers on individuals' ballots, they still could not identify the votes -- so while a corrupt election authority could allow a third party to identify how you voted, they could only do so if you were compelled to show that third party the serial number on your receipt). Compared to a corrupt election authority being able to completely throw an election, this is an extreme and dramatic improvement, and it answers your question (why should I trust one group over another?) in that any election authority implementing the Punchscan doesn't need to be trusted -- the system itself provides for transparency and public oversight.

PunchScan is principally implemented on paper, and adds dramatically to the security and auditability of preexisting paper systems. If I've done a bad job of explaining it, you can walk through the process of voting with PunchScan (or counting the votes) here, here and here.

Re:mod parent up please

[CastrTroy]

I'm still trying to wrap my head around all this and fully understand how the punchscan system really works. And I have a University degree in software engineering. How do we expect the citizens with maybe only a highschool or lesser education to understand the system. Maybe the system is perfect (except that they can figure out who voted for who), but personally, I don't see why they need to make it such a complicated process that the average voter can't understand the details of how it works. I can understand every aspect of how pure paper voting works, and so can everyone else. I've gone through the punchscan site and all the demostrations of counting and auditing. I still don't really understand it fully. I understand the process, but I don't really understand how it makes voting any more secure.

Re:mod parent up please

[cduffy]

How do we expect the citizens with maybe only a highschool or lesser education to understand the system.

Well, I guess that's where the "appeal to authority" approach kicks in. Your average high-school-education individual doesn't need to know how it works; they need to know that it works, and how to do their part in validation (if they're so incined). (The whole "university degree in software engineering" doesn't go that far with me, btw -- when spending time in the ivory tower myself, I was astounded at the incompetence level of some of the folks working on their masters' degrees, never mind half of the professors).

For the complex parts, this thing won a contest where Ron Rivest was one of the judges. It's been audited by some seriously big names. For the simple parts, which is everything but the way the sequencing is generated and the votes are actually counted (as opposed to the slower way which requires knowing the sequences for each ballot)... they really should be intuitively understandable. I explained it to my wife, and she has no computing background whatsoever. (Mind you, though most of the explanation she was looking at me like I was on crack, but eventually it all fit together).

Here's the thing: You may understand how existing paper ballots work, but that doesn't mean they have adequate security guarantees. They're a whole lot better than some of the existing electronic systems, without question, but there are still plenty of cases of voter fraud going on where paper ballots are in use.

Punchscan provides mathematically provable guarantees (with quantifiable but very small allowance for error) that an election cannot be tampered with. The exact allowance for error depends on the percentage of voters who choose to verify their ballots after-the-fact, but in any event it makes election rigging an activity which is much more likely to be successfully detected after-the-fact than it has been at any point in history.

Now, getting back to a simplified version of how it makes an election more secure:

You can validate that your ballot is part of the archive of recorded ballots which is made accessible to the public (so you can be confident that your ballot was recorded when cast -- this itself is a big improvement), and that 2/3 of the data involved hasn't been tampered in such a way as to change your vote. (Understanding how tampering with the other 1/3 is prevented means getting into the math; however, while I haven't studied this implementation well enough to grok it, I know enough similar ways of getting to the same end that I trust [with the level of expert and competitive review involved] that they didn't FUBAR it. I prefer to think of it as using a value stream off a single, established PRNG key -- which is close enough for completely nonprofessional horseshoes, though it doesn't explain some of their nifty properties [such as being able to perform and verify the count based only on the publicly released data without seeing the mappings which represent the hidden ballot piece]).

Individuals can validate that their own ballots made it into the counted data (as this is published to the public), and 3rd parties can validate the count itself off this published data using some magic. There you are -- oversight, and a massive improvement over what traditional election methods have to offer.

UMBC FTW

[Arathon]

Just wanted to mention that one of the graduate students behind Punchscan, Richard Carback, was/is a grad student in Computer Science at the University of Maryland, Baltimore County. Way to get UMBC mentioned on Slashdot, Rick!

Re:UMBC FTW

[Arathon]

This is why you're supposed to think before you post... But anyway, to add to his praise (and my previous comment), apparently Rick was the one who spotted the security hole in the other group's system. The judges were reported to have been very impressed. =)

And let me guess

[WindBourne]

It was a pharoh who said to take everything with a grain of salt?

But...

[AntsInMyPants]

How did they count the votes to determine who won?

I wish I had heard about this earlier

[John+Sokol]

I would like to have had the chance to put my mailclad.com idea into the running on that one.

Anyhow I need to actually get my code up on sourceforge first I guess.

Anyone want to help get this thing off the ground.

John

This is Not^w Just an exercise....

[darkonc]

In the North Carolina case, ES&S attributed the problem to a software glitch that caused the machines to falsely sense that their memories were full. Although the machines allowed voters to continue to cast ballots, the votes were not recorded.

I guess they figured that, for PR reasons, it was better to silently throw out votes than inform the voter that the ballot box was stuffed^w full.

OSS is the *only* option for this

[sydbarrett74]

For something that is literally the heart of democracy, i.e., voting, proprietary systems are anathema. May Diebold act in accordance with its name, dying a bold and noble death, in searing flames....

Diebold Afraid to Compete vs Superior Products

[CodeBuster]

as the other voting machine vendors, such as Diebold, did not support the competition.

Of course they didn't support it. The first or second place projects in the competition are both better than the crappy voting system marketed by Diebold and they are *free*. If your competition is free and it is better then you are in a world of hurt. Diebold is the classic example of a company which didn't make a very good transition of expertise in physical real world security products to software products.

Re:Diebold Afraid to Compete vs Superior Products

[bugs2squash]

Seems to me that this raises two clear points in favour of these systems being open to inspection... 1) Univ. of Surrey's entry was presumably strong except for the random number generator, now that's been highlighted it should be easily fixed. So in a roundabout way, Surrey should be grateful that the problem was found, and we should all be grateful that there are two strong contenders for an OSS voting system. 2) It looks like the most direct way to find these issues is to look at the source, If Diebold were genuinely interested in making the best voting system available, wouldn't they want as many reviews of the source as they could get ? Finally; I don't see why the people who've put all this effort into making a reliable voting system shouldn't reap some reasonable financial reward ? I'm sure the makers of the hardware will. I see why ot shoudl be open, but I don't see why it should be free in the monetary sense.

Color me unimpressed

[Phoenix+Rising]

While the Punchscan system appears to resolve the problems of auditability and vote tampering quite well, the issuance of a ballot receipt - no matter how indirect - allows verifiable vote buying.

The system also does not resolve one of the key points of HAVA - which, while deeply flawed, addresses some very deeply held concerns of disabled voters. That problem is one of ballot access - Punchscan is not disabled-friendly.

Re:Color me unimpressed

Actually, if you had read about punchscan at all you would know that it specifically does not allow vote verification. The voter takes a receipt home with them yes, but when they go to verify that their vote has been counted they see the scanned image of the receipt they hold in their hands. These two identitical halves cannot be used to show how one voted, only that their vote was received as expected.

Re:Color me unimpressed

[TimTheFoolMan]

Thank you for posting one of the more coherent comments in this thread.

Even more unimpressive is the dramatic lack of understanding of the complexity of various state's laws with regard to voting (for example, many states require specific and repeatable candidate ordering), and the lack of understanding of how easily the average voter is overwhelmed by the least complexity (many voters are barely able to follow the simplest instructions such as "Vote for One," and "Mark only in the oval").

A system that results a piece of paper, whether that paper is optically scanned or hand-counted, and doesn't contain any other extraneous marks or numbers, holds the most promise for achieving something meaningful. In the meantime, there is so little voter angst over DRE (and what angst exists is frequently accompanied by conspiracy theories galore, which sound plausible, but are much less common in the real world than simple stupidity), and so much love for the systems within the various state legislatures, we're not likely to see changes of any magnitude for a long time.

BTW, systems that just print a receipt that the voter can hand-carry out of the polling place are strictly prohibited in some states, regardless of the technology you use to dress it up.

Tim

Re:Color me unimpressed

Whose "dramatic lack of understanding" are you talking about? The winning system allows candidate names to be in a fixed order and the system uses a paper ballot which is optically scanned (this conversion to data removes any marks). The receipt the voter walks out with is half of the ballot they voted on, not some print out from a DRE. The only reason I know this is because I took all of thirty seconds to scan the wikipedia article--which also explains why the receipt can't be used for vote buying.

Come on people. RTFWA.

Re:Color me unimpressed

[Aerion]

The system also does not resolve one of the key points of HAVA - which, while deeply flawed, addresses some very deeply held concerns of disabled voters. That problem is one of ballot access - Punchscan is not disabled-friendly. It's no less unfriendly than current pen-and-paper systems, and is almost as easily adapted. Nothing prevents Punchscan from using Braille or some other method for assisting the visually-impaired.

Re:Color me unimpressed

[CastrTroy]

If the punchscan system doesn't allow me show other people who I voted for, then how does it allow me to show myself who I voted for? Sure their scanned in copy looks the same as mine. Now, prove to me that showing me a scanned document proves that it was actually tallied correct (ie. the computer read the ballot as I would have), and that the same information was sent to the database.

Re:Color me unimpressed

[PulpSpy]

Actually Punchscan is very disabled friendly. For example, if you are unable to physically mark a ballot and need an aide, that aide would typically see how you vote. With Punchscan, you can show one ballot half to the voter and the give the other half to the aide. The voter can tell the aide to mark "a" or "b" or whatever, and the aide will have no idea who the vote is being counted for. With the visually impaired, you can use braille or you can use audio ballots. Check out the Punchscan page for more: http://punchscan.org/disabled.php http://punchscan.org/DetailedDisabilities.php

Re:Color me unimpressed

[Phoenix+Rising]

A bit late on the response, but I thought I should get back to you...

Punchscan does not address physical handicaps; people with CP, MD and other severely disabling diseases cannot use paper systems - they have to have computer-assisted voting if they want to vote on their own without assistance.

Braille doesn't assist with ballot verification. How do you know your ballot was just marked? Ballot receipts are not a secure answer, and they only work if you check up after the election is over.

Call me cynical, but ...

[Bob-taro]

... my first thought was, "So what kind of voting machine did they use to count the votes for best voting machine? Was is the Punchscan machine?"

Re:Call me cynical, but ...

[mkavanagh2]

good post you really added something to the world with that groundbreaking comment

Re:Call me cynical, but ...

[Shadow-isoHunt]

My, that's such a thought! What would the code auditors say if they would have thought of this possi- oh wait, your comment is useless.

Re:Call me cynical, but ...

[Bob-taro]

good post you really added something to the world with that groundbreaking comment Ouch! I've had my point of view criticized plenty of times here, but I was unprepared for angry replies to a silly comment. For future reference, what's this about? Did I break some /. rule, or was it just not funny enough?

And remember...

[randolph]

...if your vote didn't matter, the weasels wouldn't try so hard to mess with the count. Votes matter--never doubt it.

What's wrong with good ol paper ballot?

Seriously. Does it take too long for people to count the ballots? It's several months between election day and inauguration day. There's plenty time. It also gets people more involved in the process, even if it's just vote counting.

Re:What's wrong with good ol paper ballot?

[lynx_user_abroad]

Does it take too long for people to count the ballots?

A point well made, but not made nearly often enough.

People will complain that it's impossible to individually count ballots, by hand, on a single day, using nothing more than volunteer labor, despite the fact that they are all individually cast, by hand, on a single day, using nothing more than volunteer labor.

Re:What's wrong with good ol paper ballot?

[CastrTroy]

We do it in Canada, and since counting ballots scales perfectly well, no matter how many people you have, there are no problems. The more ballots you have to count, the more people you have to count the votes, the more people you have to watch the counting, to ensure that it's done properly. I don't understand why we need any other way. For hundreds of years (if not longer) paper voting has worked just fine. Why all of a sudden are we trying to fix something that was never broken.

Re:What's wrong with good ol paper ballot?

[Lars+Clausen]

Hear, hear! Denmark has manual counting from paper votes, too, and it just works. We get the results the same evening. Importantly, the counting (and re-counting next day) are both open to the public. I see *absolutely* no need for machinery.

Link to more info (in English).

Re:What's wrong with good ol paper ballot?

[yuna49]

Denmark and Canada have parliamentary democracies where ballots often contain only one race, that for the national legislature. In the United States, most elections includes half-a-dozen or more races at a time, not to mention ballot measures. In most presidential years, voters are choosing in at least a presidential and a legislative election (the House of Representatives) and sometimes a third election for Senate. In "off"-years, there won't be a presidential election, but there could easily be races for a dozen or more different state and local officials. On top of this there could be half-a-dozen or more ballot "questions" (referenda) to tabulate as well. Hand-tabulating results for all these races takes time.

The evidence on voting machines I've read (projects at CalTech, MIT, Berkeley, and Stanford, for instance) usually find that traditional paper ballots and optical-scan ballots are among the most reliable technologies. Both offer post-election physical ballots for recounting, and optical scanning addresses the problem of tabulating multiple offices quickly.

Civic duty?

[msimm]

The if the fear of the unlikely chance of voter key compromise is reason enough to put you off on voting freely we've already lost.

What exactly was the point?

[neitzsche]

So, the free and open source solution has won a competition. Is the point now to somehow compel Diebold to seriously consider actually using this open source solution?

Re:What exactly was the point?

[Aerion]

So, the free and open source solution has won a competition. Well, the competition was only open to free and open source solutions. So that's not the important part.

Is the point now to somehow compel Diebold to seriously consider actually using this open source solution? Presumably, the point is that the publicity will let everybody know that a free, open source solution actually exists. It doesn't matter if Diebold adopts it, or somebody else, so long as somebody does.

Re:What exactly was the point?

[RAMMS+EIN]

I think that one of the points was to go beyond whining about how much existing voting machines suck, by actually providing a better alternative.

Re:What exactly was the point?

[aadvancedGIR]

The whole point of OSS alternative is to prevent a shady corp to introduce untrustworthy elements into the final product, so an OSS based Dielbolt voting machine would still be as suspect as their current closed source ones.

Significant Security Flaw

[RAMMS+EIN]

``a significant security flaw in their random number generation''

Inquiring minds want to know: what was the flaw?

Re:Significant Security Flaw

[man_ls]

A detailed analysis of the flaw in the random number generator, along with source code example, can be found here: http://xkcd.com/221/

Open source, crypto, and random numbers

[Stochastism]

Well, this flaw found in the second place team's code is the perfect example of why e-voting software should be open source. If it was hidden, odds are that flaw would never be discovered; and might not require a deliberate attack to cause problems in the future.

There is a strong correspondence between e-voting and encryption technology. The assumption for all encryption technology is that evesdroppers will always know your method (i.e., the source code), so instead you make that knowledge useless by using encryption that require a secret key.

One reason an e-voting system would need a random number is to generate some kind of key sequence. So a flawed random number generator is serious indeed.

New technology from Finland

Oh you people and your voting MACHINES.

We have this new technology in Finland that we use in voting:
A piece of folded paper and a pen! And we put that paper in a box!

ES&S

A private company should have nothing to do with voting, or competitions about voting systems, or anything remotely related to it. Fuck off, we don't want your prize money.

Open-source voting created by the people is, IMHO, the only valid system.

When Lousiana upgrade our voting machines...

[Dareth]

When Louisiana upgraded our voting machines, we sold our old voting machines to Mexico. Let me tell you, the Mexicans were really pissed when Edwin Edwards won the election for President of Mexico!

Don't believe all the bad things you have read about Lousiana politics. In all reality, it is much much worse!

Counting Methods

[bill_mcgonigle]

To quote a now dead, but once very powerful man: "He who votes decides nothing. He who COUNTS the votes decides everything."

Quite true. At least we can get a fair count with this system, or a verifiable count. I expect an OSS system would be first used by small towns in low tax areas. Chaum's desire for licensing revenue could scuttle the whole ship, though. Can somebody please give him a grant to keep him happy? He's done good work, but a patent on this kind of think can do bad things for democracy.

Speaking of democracy, and the reason I bothered to hit reply, I see lots of folks talking about OSS systems, but nobody talking about how those systems count votes. We have a very primitive system in place with lots of people trying to game a broken system. Since our countries were founded, better counting systems have come about, specifically the Condorcet method. The basic idea is this.

Say in our next election the votes break down like this:

    44.88% - Barak Obama
    44.87% - Newt Gingrich
      8.2% - Mike Bloomberg

OK, so who's the President? Barak Obama. What percent of the population care for that? 28% if we have a high-side-of-average turn-out. Fewer if Obama voters really would have rather voted for Kucinich or Nader, but were gaming the system.

Now, imagine instead of having a 'pick one' system we have a Condorcet ballot:

Please rank the candidates in the order of your preference

Now, then, 44.88% of the people may list Barak Obama first, and 44.87% of the people may list Newt Gingrich first, but, wait, what's this? 72.5% of the people put Ron Paul down in the #2 spot (and so on). Now who best represents the person the most people would really want to have in the Oval Office? Even voters in Palm Beach County can see what the right choice is.

Math and CS geeks will want to check out the Schulze method for resolving ties and optimizing fairness. This particular variant is only 10 years old, so it's not like Jefferson could have implemented it, but it's about time we bowed out for the Renaissance era.