Slashdot Mirror
Secrecy of Voting Machines Ballots At Risk
JimBobJoe writes "On Monday, Cnet published the findings I made as an Ohio poll worker regarding a major oversight in my state's election's system: Using a combination of public records, plus the voting machine paper trails, you can figure out how people voted. Though most agree that voting machine paper trails are a necessity, they can cause privacy problems which aren't easily mitigated. 'It's an especially pointed concern in Ohio, a traditional swing state in presidential elections that awarded George Bush a narrow victory over John Kerry three years ago. Ohio law permits anyone to walk into a county election office and obtain two crucial documents: a list of voters in the order they voted, and a time-stamped list of the actual votes. "We simply take the two pieces of paper together, merge them, and then we have which voter voted and in which way," said James Moyer, a longtime privacy activist and poll worker who lives in Columbus, Ohio.'"
And still you don't understand why people are so afraid of saying who they voted for?
Keeping votes secret is one very important way to make sure any democracy works, since humans can easily be forced to vote for something they do not want to vote for, either by threat of violence to your own person or someone in your family, or by money. Secret votes makes sure that someone can vote how they want, not how peer pressure wants.
c++;
That's why I'm changing my name by deed poll to a mysql injection attack string.
;)
Try and combine my vote and a date together in a database you b*****rds!
biopowered.co.uk - catalytically cracking triglycerides for home automotive use since 2008. Just say no to big oil!
Because there's a bajillion ways to use that information against you, and people are paranoid. (Probably rightly so, most of the time.)
So, you voted against (candidate that won), huh? Well, you must be evil.
So, you voted independent, eh? You must be a communist, trying to subvert our system.
So, you voted for a known communist, eh? You must be a spy.
Yes, there's not a whole lot of logic there. There doesn't NEED to be, because the people that would put those lists together to see who voted what aren't USING a lot of logic.
Anonymous voted should mean that, not 'temporarily anonymous' or 'anonymous unless we want it not to be'.
"If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
Just print out a catalog of all the voters that need to vote in that election office. If someone votes, then you mark him as "was voting already" but not recording the time of his vote. At the end of the day you have a list of people that voted and a list of votes, but you can't do any correlation on it.
It looks like they need to save paper because election machines are so expensive and now they just record voters data in the order they appear in the voting office.
I believe you'll find an answer to your question somewhere in a history book. I suggest starting with 15th and 16th century Europe, then move onto American history.
Just because you happen to live in a local and era where you don't have to fear for your life when you voice your support for one person over another doesn't mean it's always been like that or will continue to be like that indefinately.
There is no need for many people to think differently, all you need is one person in situation of power. I wouldn't want to live in a country where I would vote for someone not because I think he is the least bad candidate, but because I fear to be fired or arrested if I don't. Of course, I'm not american.
It's not a matter of how proud you are of who you voted for. It's a matter of being able to vote for someone without the threat of intimidation or reprisal. It's not the matter of feeling a little tension when you're the only guy voting Democrat. It's more the matter voting your way on matters of gay marriage, slavery, and abortion in places there are people who would be openly hostile to your views. For the most part I believe that the developed world is much more civil than that. But, history dictates that sometimes the tide turns the other way.
New! Device Legs: These legs will help your poor OEM installed product escape any hamfistedness it may encounter. Ava
Can somebody explain to me why votes need to be timestamped? The only purpose I can think of is that this allows cross-correlation with the actual votes. You don't even need the info on the order in which people voted, as you could just stand in front of the election place with a watch. This sounds like a definite failure at maintaining basic democratic principles.
Or worse yet, So you voted for X who wants to raise my taxes and regulate the industry we are in, Your fired.
Or maybe even worse yet, I says here that you voted for my opponent in the last election, As mayor of this town, I think the new low income subdivision should go in your back yard. Or maybe it is a speeding ticket that turns into a trip downtown with towing your car and everything to get something sorted out and nobody cares because you voted for the other sheriff or the other mayor candidate.
And yes, those have happed before in American history with the political bosses and such.
Though most agree that voting machine paper trails are a necessity, they can cause privacy problems which aren't easily mitigated.
Umm... Just don't store the list of who voted in any particular order.
We don't need to record voters for the purpose of matching them against their votes, we only need it to stop people from voting more than once.
I'd even go further - Mail every registered voter a bearer-coupon redeemable for one vote, then let them use those in total anonmity. That not only avoids the problem of guaranteeing anonymity, it solves a few other problems as well (for example, you could grant people the right to a proxy vote on your behalf simply by giving them your coupon).
For that matter why should anyone have access to the records of who voted at all?
IMO there is no difference in the privacy of who you voted for, and the privacy of if you even voted. It is your right to vote or not to vote. I mean - imagine a week after the election, your local busybody comes by your house and asks why you didn't vote. WTF? Whose business is that?
Obviously someone could just watch for you at your local polling station, but they would have to know who you were in advance for that to work.
The only reason I see for recording that information AT ALL is to ensure no one votes twice, and that function is only valid while the election is in progresss, because it is not something you can even audit afterwards.
Therefore once the election is complete that information should be permanently destroyed.
I am not quite as worried about someone knowing how I voted as I am about someone ''changing''/''deleting'' how I voted. I'd say rather than worry about this people should focus more on improving the security of the machines for the upcoming presidential election.
It's the interesting thing about paper voting in the UK currently. It's not perfectly secure, but because it's paper, it's actually very difficult to manipulate a vote (for example) without putting in a lot of very boring effort to do so. It's also one of the problems with electronic voting, in that vote manipulation, if possible, can be scaled much more easily.
In the 1980s (and probably subsequently) it was normal practice for Special Branch to inspect the ballot papers of those who voted for parties which were considered potentially subversive (Communists, BNP, National Front.) They could then match those voting papers to the voters (by dint of the fact that the voter's name was written on a list next to the voting paper number) and keep a handy database of undesirables.
The risks of combining two pieces of information go back a long way. ...
A bishop was celebrating a major aniversary with society friends. He was at one end of the table and was asked what was the first sin he ever had confessed to him, to which he replied "Adultery". A lady at the other end of the table said "I was the first person ever to confess to him".
The people in the middle of the table, who could hear both conversations, put the two snippets of information together
Then that leaves everything in the hands of a potentially corrupt elections board. So a year down the road when investigators suspect shady business they have no idea of knowing how many of the district's voters were registered at the grave yard vs. how many were turned away from the poll, or couldn't even make it to the poll. Corruption adores keeping secrets, and destroying voting records immediately after the fact is a perfect way of keeping secrets. Storing voting records will help keep the system transparent. It is something you can audit afterwards, and it's probably something that should absolutely be audited.
New! Device Legs: These legs will help your poor OEM installed product escape any hamfistedness it may encounter. Ava
No. Your voters card has a unique I.D on it. The ballot paper has a unique I.D on it. The two are in no way correlated. When you show your voters card to the people at the voting station, they will check your name against their list and cross you off. Then they will tear out a ballot paper (Or two, or three, if you have multiple elections) and hand them too you. At no point do they record which ballot paper(s) they gave to you, and at no point do they record any additional information on the ballot paper.
At least in MN, you're not registered in the order you vote - you're registered in the order you ARRIVE. Then you stand in line, and take the next available booth.
Then, you stand at the booth, mull over your unknown, least-hated, or no-competition candidates. It's actually quite rare that people walk away from the voting booths in the exact same order that they went into them.
So yeah, you can use the timestamps + registration to determine who voted how....+/- maybe a half dozen voters, which makes a great deal of difference.
Now, if the voting station turnout is slow when you voted? Then yeah, you are probably identifiable. But this isn't nearly the story it's made out to be, and would be less of a story if more people voted.
-Styopa
The nice thing about putting an "X" on a bit of paper and dropping it in a box is that, whatever inaccuracies *may* be possible, you can trust the box to anonymize your vote without changing it, and most scams can be avoided by the scrutiny of copious cross-party observers without recourse to an "expert witness".
Inability of laypersons to scrutinize computer voting -> demand for audit trail -> loss of privacy.
You can filddle around with the details, but ultimately its pretty inescapable. People won't accept a computerized black box - which is a bit of a bummer when a black box is exactly what you're trying to replicate.
You can't suddenly parachute technology into a system without completely re-evaluating the whole system.
Of course, here in the UK we just have to put one X in one of half-a-dozen boxes - I appreciate that, in the US, the zeroth amendment ("if some is good, more is better") applies to democracy, and if you're also electing the school board, agonizing over who to choose as second assistant dog-catcher and whether to support propositions 4096-8192 inclusive then you may need a voting machine...
(Here, though, the fun is over postal - and maybe internet - voting, which some politicos seem to think will encourage people to vote but - surprise surprise - has proven vulnerable to ballot stuffing...)
In a survey of 100 programmers, 111111 thought that duck-typing was a good idea.
By the way, I encourage everyone to try their hand at working the polls for several reasons:
If you have paper-trails that are shown to the voter-- even unmarked and nonsequential paper-trails-- there is a physical record that the voter can verify and "throw a flag" on if it comes out incorrect. That, and pre-testing and examination of the process can make voting secure enough that anonymity need not be given up.
Information wants to be free.
Entertainment wants to be paid.
You just want to be cheap.
The privacy issue he's discussing could possibly be limited only to Ohio. I've voted in Ohio and they're checking ID and manually writing down on a sheet of paper who votes in the order they walk in the door. The machine spits out vote results in the same order. Duh.
This "problem" has nothing to do with a "machine paper trail". It's not even related. I hope this argument isn't used to stall the progress we're making in fixing the vote system.
In Georgia where I'm at now a list of voters, in the order they vote, doesn't exist. In my county they check your ID then line through your name on a print-out. Who voted in what order cannot be determined. A machine paper trail wouldn't change that.
This is an Ohio problem not a voting machine paper trail problem.
-[d]-
Just because you have two timestamped lists doesn't mean you can just merge the two! For example, if voter A arrives at 5:15 and voter B arrives at 5:17, but voter B knows all about voting and blows through the ballot in 1 minute while voter A has never voted before and takes 4 minutes to carefully read everything over then merging the order of voters with the order of actual vote tallies would mix up the results of Voter A and Voter B. Not trying to be offensive, but anyone trying to use this information to determine voting habits is a complete moron.
Get a web developer
We just ran a story here a few weeks ago about PunchScan, whose method solves that problem, and more. If you recall, they won a contest for the best Open Source Voting Systems Competition.
/.
Links: Recent headline about winning the competition PunchScan's website original mention on
For that matter why should anyone have access to the records of who voted at all?
The reason that data is public is because it's useful for politicians and their campaigns. For instance, if only 20% of registered voters show up to vote for the odd-year city council races, then the data of which 20% show up is invaluable. The city council candidates only need to send out campaign materials to those voters who reliably vote at those elections and can ignore people who only show up for the presidential elections.
Another example is that the poll workers (at least here in Ohio) maintain several lists of voters who voted during the day (it's a slight pain in the ass actually because someone has to be assigned to the boring job of checking off on two or three lists who came in to vote.)
Those lists are posted periodically during the day...I want to say the first one is posted at 11am.
So at 11am, a list of all the registered voters in the precinct is posted, with check marks next to the names of the voters who voted.
During the presidential election, people working for the campaigns come down and look at the lists. If they know that John Smith is a registered Republican voter (party registration is another public record) and they see he hasn't voted by 11am, they might give him a call to make sure he comes by. If he hasn't voted by 4pm (which I believe is the posting of the last list) then they might send someone over to his house because they know he is an older gentlemen who has voted consistently Republican for decades now and his vote will be invaluable.
I find those voter lists postings a terrible pain, particularly because they're an obligation of the poll workers but their purpose is to help the candidates themselves, not the integrity of the voting process itself.
Look up "boss tweed", and the "political bosses" or "political machines". You will find more examples then I want to cite.
They owned everything and controlled the elections by virtue of negetive actions when they weren't elected.
what is wrong with the system used in the UK?
you walk in, give your name and address (or polling card, if you remember to bring it), you name is crossed off the list of voters for that ward/constituency/region, you get handed your ballot paper(s), walk into a booth - and *using a pen* make an 'X' on the candidate who you want.
the votes are counted by hand (normally it is council workers, bank tellers and post office workers who do the count as they are fast and accurate) - the candidates are allowed to watch the count, and if the result is very close can demand as many recounts as needed to identify the winner.
what advantage is there to voting machines? What do they bring to the democratic process above pen and paper?
echo $SIGNATURE
If you can verify that your vote was recorded correctly, then you can verify it to someone. Someone who can then make good on his promise to kill your kid if it turns out that you didn't vote the way he demanded--a demand he never would have bothered to make if he had no hope of verifying how you voted.
There may be ways around the problem, but none of them involve publishing the results on the web in any form.
WTF is with all this "report your boss" BS on /.? They may never even talk to you about it! They might suggest 3 months beforehand that they're "afraid" of the opposing candidate being bad for their business and then just let you go when business slows down after finding out you voted for them.
"Once the two documents are merged, it's easy enough to say that the first voter who signed in is very likely going to be responsible for the first vote cast, and so on."
The authors of TFA have never seen people take longer to vote than others? You know, the ones who are standing in their booth when you walk in and still standing there reading the names on the first page, when you leave? Or the person who comes in with small children and spends half an hour juggling them as she marks the ballot. And then there's the small crowd of folk who have signed in, standing with ballots in hands, waiting for a booth to come free, and the ones who have time to spare let the ones in a hurry go ahead of them.
It's not a FIFO buffer in this precinct.
There are good reasons to have timestamps for actual votes cast made public.
But I'm not aware of any reason that the list of people who voted has to be delivered to the public in voting order.
So, sort the damn list alphabetically before handing it out. There are already going to be security measures around pulling the data, just add a simple sort to those procedures. In fact, I bet the staff who do this just "click on a button" so you can script it in without even changing any existing procedure or depending on humans to care about their jobs. Done, next problem please.
I hereby transfer all my rights to this business process to the public domain!
We want paper ballots, and very advanced pens.
Here's the way modern voting should work:
1) Show up, 'prove' (in the definition of whatever state you're in) you're an eligible voter, receive ballot.
2) Go to electronic voting machine. Place ballot in machine.
3) Enter your votes in the touch screen.
4) Once you are satisfied with your votes, press the 'Print Ballot!' button.
5) Machine prints your votes on the ballot in human-readable and machine-readable form.
6) Take ballot. Review your votes on the ballot. If your votes are correct, place ballot in ballot box. If not, take your ballot to an election worker, where it is marked void and you get a new ballot and try again.
If you want to be REALLY cool, make it so that each ballot can be filled out by hand as well, so if you have a technical failure in the voting machines, or an insufficient number of voting machines, you can continue the voting the old-fashioned way.
At the end of the election day, feed the ballots through your vote counting machines. In case of doubt, count the ballots by hand.
See, that wasn't that hard, was it?
paintball
I hope you can read Barcode or whatever gets printed as machine-readable on the ballot? How else would you know what the machine printed on it, never mind what the human-readable part says.
Why would you hope that? It doesn't matter.
Think of it this way. What if we recorded your vote in English and German (assuming for a moment that an average American can read the english vote record and not the german vote record), and then we had Germans count the German vote record.
So we run our election, give the ballots to the Germans in groups of 1000, and the Germans give us a count of votes for each group.
Now we want to check that the count the Germans gave us is accurate. So what do we do? We pick a few of those groups of 1,000 and we count the English records on those ballots and make sure they match the count the Germans gave us. Setting aside the issue of whether what's written on the ballots in German matches what is written in English, this audit is the only way to make sure the Germans aren't lying when they give us the final count. And looking at the issue of the German votes matching the English votes, while each voter can't check this, it would be pretty obvious to someone who knows English and German that the ballots were wrong with casual observation.
Now, lets say that instead of having Germans count German vote records, we just had Americans count the votes? Then what would we do to make sure the vote count was accurate? The same thing: We'd give the votes to the counters in groups of 1,000, then pick a couple groups and recount them to make sure they match.
In this analogy, the bar code (or whatever) is the vote record in German, and the Germans are the vote counting machines. It doesn't matter that the voter can't verify that the German written on their ballot is accurate, because the voter can't verify that the Germans themselves are accurate either, just like the voter can't verify that the vote counting machines are accurate. The only way to verify that is to do an audit and make sure that the totals of hand-counted English voting records match the totals of machine-counted machine-coded voting records.
So, it doesn't matter if every voter can verify that the machine-readable record matches their human-readable record, as long as both are on the ballot. A quick check by someone who can read the human and machine readable portions of the ballots will make it obvious if they don't match, and separate from that, you have to do other checking to verify that the counting machines are accurate anyway, and that check will also detect any ballots where the machine records don't match the human-readable records as well.
paintball