Slashdot Mirror
Paper Trails Don't Ensure Accurate E-Voting Totals
An anonymous reader writes "In an new report from the Information Technology and Innovation Foundation they say that paper trails increase costs and can actually reduce the chances a voters' choices are accurately counted. Congress is considering a 'Voter Confidence and Increased Accountability Act of 2007,' which would mandate 'voter-verified' paper audit trails."
Who are the "Information Technology and Whatsit Foundation"? Because it wouldn't surprise me in the slightest if they're a lobby group representing Diebold.
The article is totally worthless. It just states that some industry-sponsored organisation doesn't like paper trails. Let me guess, it's sponsored by the voting machine manufacturers or by Buy-An-Election Inc.
As to why paper trails are bad, they don't say, just that they will publish a paper really soon now. News at 11.
Information Week has given itself a black eye by saying nothing at all of any interest or substance about this issue, while hyping a report that it can't even describe adequately. All this means is that a "Black is White, Up is Down" paper will be forthcoming soon from an industry shill. The only news here is that this a self-inflicted reminder not to read Information Week.
... the answer is very simple.
The voter marks the ballot paper with a pencil. The ballots are counted by hand by human beings.
Completely transparent, complete audit trail, safeguards against all the failure modes discovered over the decades, results within hours, recounts within hours if needed.
Oh, and I expect it's cheaper than all this inappropriate mucking around with computers too. Computers aren't the answer to everything. This is one application in which they have no place.
"ITIF wants to spark discussion of how new technology can solve the problems. The report outlines innovations in voting machines that offer "end-to-end verifiability." It explains the cryptography the systems use and says that Congress should pass legislation based on S. 730 and H.R. 2360, which require verifiable audit trails without specifying that paper be used."
1. Not end to end. I can't do cryptography decryption in my head, and the vote verifier at the other end, he can't also do decryptions in his head. So any solution that involved cryptography isn't end to end.
2. One doesn't preclude the other. You can encrypt the electronic vote AND STILL HAVE THE PAPER AUDIT TRAIL to check the machine's cryptographic vote matches the voters intentions.
3. Papertrails, or ballots as we use to call them, have a proven track record of uncovering fraud in voting. To date the fraud in electronic voting is suspect but unproven. It is unlikely that fraud is eliminated in electronic voting, because fraud is *easier* not *harder* to do when votes can be changed so easily and untraceably on mass in a computer. So the lack of uncovering fraud is likely to be a weakness in the auditability of these machines. i.e. we suspect voter fraud because of systematic irregularities in key districts, but nothing can be proved because the lack of paper trail to verify against.
Why does he want unauditable machines? I see from his history that he's a professional technology lobbyists, but I'm curious why the FUD to keep the voting machines unauditable?
A technology company producing a report suggesting that plain old paper may be unreliable?
Im shocked. Really.
Up next - 'Republican Party publish report saying the the Republican Party is better than the Democrats'?
There are those who want us to delay replacing the Diebold (and similar) voting machines, forever if necessary, until we have a perfect solution.
Of course, there is no perfect solution. We only have adequate solutions.
Condorcet voting is mathematically better than simple tallies or "instant runoff" voting. But does anyone except mathematicians comprehend it? Would switching to it increase our confidence in voting or would people be suspicious and trust voting even less?
Paper is adequate. And what's better, it is something that mere mortals understand. And the attack vectors for paper are reasonbly well understood after more than a century of use of the "Australian" ballot style that we all use today.
The proposal by this group opens the door to FUD and infinite delay, and thus infinite retention of flawed DRE voting machines. Diebold would win, democracy would lose.
It is not hard to make a voter-verifiable paper-trail voting system. Publish a database of election results that includes a unique ID generated by the voting machine for each vote. Also print that ID on a paper receipt that the voter can take home after voting. Then the voter can verify via the internet if the vote was tallied with the right party/candidate. And it will also be possible to verify the totals by downloading the full database and doing the sums yourself.
On the same paper receipt, the candidate/party that was voted on can be printed. But it is better to hash that information together with the unique ID and encrypt it using a private election key and then print the result on the receipt (e.g. as a hex string). This generates a voting receipt that, when decoded with the public key, is verifyably a receipt of a vote that should have been counted for that election.
"I would have much more confidence in a cryptographic scheme that makes it effectively impossible for a voting machine to cheat. This is not all that difficult to accomplish and the necessary design criteria are widely available in the literature. A paper trail doesn't really help."
There is just one simple, practical, logical rule for machine assisted voting that anyone need remeber:
A machine that prints your choice is at worst a waste of money, a machine that counts your choice is at best a waste of money.
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
The likeliness that computers are capable of correctly counting 100,000 perfectly submitted votes more accurately than humans in an ideal world isn't exactly a surprise, but this isn't really the point because the world isn't ideal and it's not realistic.
Even if paper trails are slightly less accurate in the counting (something I'd dispute once factoring in less measurable quantities like corruption of officials and potential hacking), one of the most important advantages of paper trails is that they can be easily understood by virtually everyone who votes. A voter verifies their correct vote is recorded on a slip of paper, places it in a ballot box, and then the votes recorded on the papers in the ballot boxes are counted, with the process being vetted by people who have reasons to make sure it's being done properly. The entire process is completely visible and clear from start to finish.
This is quite different to voting through computer interfaces, where the ability for nearly everyone to understand ends at them pressing a touch-screen. The abstract concepts of what goes on inside the system are very difficult for most people to grasp, unless they have a relatively high education. Furthermore, very few people can verify and confirm that it's working correctly.
Trust of as much of the population as possible is of huge importance in elections, and systems with paper trails are the ones that are easiest for the majority of people to trust.
My opinion is that there is no 'secure' e-voting system.
I also do not see any reason to abandon paper-based voting, which still is not 100% secure, but much more difficult to 'hack' due to transparency by distribution of control.
CC.
TaijiQuan (Huang, 5 loosenings)
A proper voter-verified paper ballot system is as good as it gets when it comes to a combination of accuracy, verifiability, and accountability.
It's real simple: the voter makes his selection using, say, a voting machine. Voting machine spits out paper ballot and shows it to voter. Voter examines ballot to make sure ballot is good. If ballot is good, voter tells machine to accept the ballot and machine drops ballot into sealed box. If not, voter tells machine to reject the ballot and machine allows user to re-select candidates.
At the end of the election, the total number of paper ballots are counted and compared with the total number of people who actually came in to vote. They should match, of course. It's also compared with the total number of votes the machines recorded. That, too, should match.
You can have the machines tabulate the voting results. You can then statistically test the results of the machines by pulling a random (but sufficiently large) set of ballots from the box and manually tabulating them. But you also have the option of doing a full manual count, which is of course what you do if the statistical count shows that the machines were off. And the closer any given race is, the larger the sample has to be to get the statistical error below that of the percentage difference between the closest candidates in the race.
No purely machine-based voting system is sufficiently trustworthy to be suitable for an election. Any machine can be compromised, by the manufacturer if nobody else. That's a risk that isn't worth taking when the freedom of the country is potentially at stake.
Use 'slashdot stuff' in the subject line in any email you send me if you want to get past the spam filter.
Why the fuck do you Americans need to use goddamn voting machines?
Canada gets away just fine with using paper ballots. When you vote, you use a pencil to put a check in a circle next to the name of the candidate you're voting for. The circle is large and the text is large, to allow those with poor eyesight to get a better view of what's on the ballot, thus reducing mistakes.
What's more, the results for Canadian elections are near-instantaneous. They actually have legislation in place to prevent the media from reporting about the final results in the eastern and central provinces while polling stations are still open in the west! Why the fuck can't the US manage that?
Yeah, the American population is 10 times larger than the Canadian population. But that's irrelevant! Use 10 times as many ballot counters, and the system will scale just as well.
It's a mixed situation here in Europe. Some of our nations use the sensible Canadian method. Others are stupid, and follow the American scheme with doodad voting machines and all that jibberjabber. But really, we should all just use the Canadian method. It's the best, and safest, there is.
When information is power, privacy is freedom.
American's are not the only ones with long ballots. Germany has long ballots as well because you get to vote twice (your first vote and second vote). Then add in all of the tom-dick-harry parties and ballots become 24 inches long. In Switzerland folks vote every three to four months since it is a direct democracy. My point is the long ballot is not an excuse.
What I think is problematic in the US is that there is this automatic tendency to automate tasks and thus making it difficult for the people to carry out the task. Case in point the ballots with hanging chads. Why on earth is there such a ballot? Oh yeah so that you can save a few bucks on counting the votes. But who cares that the voter has to take a Phd on casting votes.
To put this in context. India in 2004 put in electronic voting machines for 348 million people http://www.kablenet.com/kd.nsf/Frontpage/A109B59D2C4BCBA380256E9400373E62?OpenDocument
I am sure its not perfect, BUT you have to think twice about this. In a country that is mostly poverty stricken and where people can't really read they have a working democratic system and 348 million people can vote electronically. And what was the population of the US? 300 million...
No, the problem here is quite simple the American voting infrastructure. It's not the fault of the people, nor the political system, but the folks who run the voting infrastructure! They need a good "flogging."
"You can't make a race horse of a pig"
"No," said Samuel, "but you can make very fast pig"
1) Good luck finding a write instrument, how many have you gone to post office, bank, etc where you need a pen to fill out a form and could actually find a pen? :) Besides you are giving them a printout why not print it on there.
3) How would that printout prove anything on how your vote is recorded, if you really wanted to mess up the machine you would display the correct results and record the wrong. If I wanted to add votes the old ways are still the best ways; get the dead to vote.
4) The giving of extra papers does nothing, except cause a whole bunch of extra receipts to be floating around. If I was forcing/bribing someone to vote my way I would just use early or mail voting and not worry about it; what states do not provide mail in absentee voting for any reason?
5) If you cannot verify what the vote was for what are you adding? Again if I am changing votes in the software I would print out everything as correct and record the vote the way I want it to be.
6) The problem here is you are giving outside people access to the list of voters, even though it is just a random ID assigned to that person. How would use keep that bar code reader up to date with the latest people who voted, wireless, rotating the readers in/out, have them connected to a network? That is a whole bunch of technology that someone would need to setup and manage. Also the main place you would want to check is after all the votes have been turned into the central location. You would be better off with systems like the blood banks use where you can call number enter a private key and get the results.
As for the encryption and giving that to the user, if I can mess up the software I can get your encryption key, and then make as many receipts as I want.
The whole point of this is that paper reciepts taken outside of the voting place are worthless except to make the voter feel good. They could not be used to verify votes, they cause a huge amount of waste and once it leaves the control of the distributing entity it is worthless for anything requiring accountability.
Just vote for the MP?
You think freedom can be reduced to a popularity contest?
Up until recently, America was about voting issues, not people.
Some people find it incomprehensible that an elected representative of the people would find himself trying to implement the will of the people, rather than simply assuming that the election gave him license to implement his/her own ideas. (You do hear me muttering under my breath here, yes.)
This is entirely the point of having the people vote on so much.
It has something to do with the DIY mindset that also used to be rather typical of people from the USA.
joudanzuki
"1) Good luck finding a write instrument, how many have you gone to post office, bank, etc where you need a pen to fill out a form and could actually find a pen? :) Besides you are giving them a printout why not print it on there."
This is not really essential. It's just to protect against a tampered voting machine that basically doesn't record your vote at all. Even paper trails have this same limitation -- if a voter doesn't *look* at the paper, it does no good.
"3) How would that printout prove anything on how your vote is recorded, if you really wanted to mess up the machine you would display the correct results and record the wrong. If I wanted to add votes the old ways are still the best ways; get the dead to vote."
If the machine displays the correct results but records it wrong, it has to do one of two things:
1) Provide correct cryptographic proof, in which case the voting machine will have to turn in two votes for every one that goes in. A paper printer can do this too and it would be just as easy to detect.
2) Provide incorrect cryptographic proof, in which case the first poll monitor to get an invalid receipt would immediately know that this is happening.
There may be better ways to handle this. I don't recall in detail.
"4) The giving of extra papers does nothing, except cause a whole bunch of extra receipts to be floating around. If I was forcing/bribing someone to vote my way I would just use early or mail voting and not worry about it; what states do not provide mail in absentee voting for any reason?"
This doesn't affect the choice of in-person voting methods, so it's not an objection or advantage of either system. I do agree that mail in voting and internet voting present problems that are much harder to solve than these.
"5) If you cannot verify what the vote was for what are you adding? Again if I am changing votes in the software I would print out everything as correct and record the vote the way I want it to be."
Then there would be two votes going out for every one going in. The machine would have to do one of two things:
1) Not pass on the votes it printed receipts for. In which case the first poll monitor to see a receipt not in the pass on list would know this was going on.
2) Pass on both votes, in which case the first poll monitor to check the counts would see this.
"6) The problem here is you are giving outside people access to the list of voters, even though it is just a random ID assigned to that person."
How is giving outside people a list of random numbers harmful?
"How would use keep that bar code reader up to date with the latest people who voted, wireless, rotating the readers in/out, have them connected to a network? That is a whole bunch of technology that someone would need to setup and manage. Also the main place you would want to check is after all the votes have been turned into the central location. You would be better off with systems like the blood banks use where you can call number enter a private key and get the results."
You can certainly output the votes wireless or use other kinds of ways to make the voting information either publically available or available to monitors from various agencies. This is already done in most current voting systems. I agree that the type of voting system I'm discussing is not easy to implement.
Maybe you're missing the point. I'm not saying "here's the best voting system ever, let's use this". I'm saying: Here's a voting system that demonstrates a lot of things that people may not realize. For example, it shows that a cryptographic voting system can provide the same assurances a paper trail does. Here's a system that provides voter receipts so voters can be sure their votes are counted but doesn't make it possible to tell how any particular person voted.
So I am saying, your assumptions about voting are broken. If you want to be able to judge voting systems competently, the first thing you have to do is figure out w
is that only the mathematicians really understand what's going on.
We may know that (if and only if the algorithm is implemented correctly) the method works, but for the rest of the citizenry, this is asking them to put their trust in (yet another) technical priesthood.
The system has to be simple enough for anyone to see, and simple enough that anyone willing to comprehend freedom can comprehend it. It has to be visible.
Thus, the stubbed, anonymous paper ballot, the stub and the ballot going in separate, locked boxes, and each voting station accounting for every ballot received, and more than two voting judges, from different parties, present all during the setup, voting, takedown, and initial count.
It is not perfect, but it is visible, and it works.
Nothing in this world is perfect, and when you start playing cryptic cryptographic math games, it just makes part of the process invisible (opaque) to too many voters.
joudanzuki
I am TheRaven on Soylent News
I might be able to prove it's in the final tally. You, too, might be able to prove it's in the final tally. 99% of the voting population, however, have not studied cryptography and would have to rely on an expert to check their vote (and, of course, such a system would have to be designed to make it impossible for the voter to prove to someone else which way they voted).
An election is only democratic if the electorate is able to trust it. If I have a magic wand I wave and then pronounce the results, it doesn't matter if I am 100% accurate, because no one will trust it. And they shouldn't trust it, because there is nothing stopping me from simply making up the result.
In a paper election, anyone who doesn't trust the system can observe the entire procedure. They can watch the ballot box, from the point they enter their vote, watch the counting, and watch the reporting. Verification is not limited to the technorati, it is available to every single voter. This is why paper voting remains superior.
I am TheRaven on Soylent News
If the receipt doesn't contain how the voter cast their ballot, how does the voter know it was tallied correctly? The big advantage to paper ballots is that they are hard (not impossible) to forge. The fact that they occupy physical space makes it hard (not impossible) to stuff the ballot box with those forgeries. Paper ballots mean that fraud doesn't scale well. Digital ballot fraud does scale well; once you can miscount one vote, you can just as easily miscount them all. The lack of scaling means that a paper-ballot voter only needs to verify their vote if there is gross physical evidence of tampering, while the ease of scaling electronic fraud requires that voters verify every vote that they make; otherwise the system falls apart.
Nothing for 6-digit uids?
And now you can just log into a web site and have it tell you that you voted. Of course, the web site now would just be making it up, but in both situations you would have to trust the person or organisation running the web site. Unless you can personally verify each step of the electoral process, you are relying on trusting someone who has a vested interest to lie to you.
I am TheRaven on Soylent News
Paper voting systems are extremely vulnerable to localized, small scale fraud by a relatively large number of conspirators.
Any hypothetical electronic system, no matter how secure, is vulnerable to basically _universal_, unauditable fraud by a tiny number of conspirators in the right place - as low as 1. Any kind of cryptographic system can be defeated by the guy who actually controls where the actually-compiled source code - and the COMPILER source code - came from. Even in an OSS system, it's awfully hard to prove that's really the source that's being compiled and that it's being done by a fair compiler.
That's a big difference, and it's an innate, immutable difference. Paper is highly decentralized because much of the population can read. ANY computer system is highly centralized - even if you have perhaps 10 sets of voting machines, that's at best 10 major code trees...
Your worst-case scenario with a paper vote can be a conspiracy on the counting side - which is already done by members of both parties together. So the only way to have this work out is if you also stuff the observers of the OTHER party with conspirators.
The other way requires a pervasive box-stuffing campaign across a wide array of precincts right in the face of bipartisan election judges.
In both cases, you can basically only pull this off in an area where the government is pretty much universally and tightly controlled by one group. A good example is the original Daley's regime in Chicago (Daley per se may not have... ) Note, however, that if THOSE people were elected to the part where they tightly control the government, chances are the voting populace would vote for a similar candidate in that area.
And the risk of those conspirators going to jail is still relatively high.
As theRaven64 said - the important thing about a paper vote is that it's transparent to everyone.
I'll go a step further and say that we as a country are not capable at this time of commissioning a fair electronic voting standard - currently we can't even manage a "not-obviously-retarded" electronic voting standard. Asking election officials to manage cryptographic standards is in practice outsourcing our democracy to a handful of large self serving partisan corporations, because that's how technology tasks are done. The government does not have a good track record of accomplishing either security or transparency in tech projects.
Finally, note that THE reason electronic voting is _theoretically_ used is to provide faster counts. If you treat it like it should be - as a precount - it could easily be used to give a really fast estimate of the votes.
Looking for freelance Actionscript (Flash/Flex) or ColdFusion work and/or freelance developers. Email me, put Slashdot
"serious limitations that diminish their ability to effectively verify election results."
Paper trail limitations: they require other equipment or groups of people to count them for audits or recounts.
Other technology: you have to rely on the original equipment to report the results correctly the first time. This is cheaper and more accurate, as your results are always the same.
Microsoft is to software what Budweiser is to beer.
Ok, let's say you receive your crypto token, and can prove at any point that your vote was counted all the way to the grand total.
Also remember that it's not enough to hold on for it for 5 minutes. You must hold on to it all the way to the recounts, at least. If you just prove before leaving that the machine still has your vote, then there's not thing to say someone can't flip the votes in the database later.
The problem is this: any proof of how you voted, can be used for electoral fraud by itself. E.g.:
- Someone else can demand that proof that you voted for their candidate, or else. Let's say Don Corleone, the respectable head of the local mafia group, is running for mayor. If you have your ticket that you can check at a terminal, then so can Don Corleone's goons for you. It makes an electoral racket as simple as a protection racket. You know, you only have one kneecap in each leg, it would be a shame if that were to change. Show your ticket proving that you voted for Don Corleone, and you have our "protection" so it doesn't.
- Outright buying votes. Let's say I've won the lottery jackpot and want to be governor. Or just mayor. It's as this: everyone who shows me a ticket proving that they've voted for me, gets 100$, no questions asked. (And I'll store the crypto token on a database of my own, of course, so several people can't come with the same ticket.) In fact, let's turn up peer pressure a notch: if you can also prove that your spouse (if applicable) and at least one parent or child of voting age also voted for me, you get an extra 100$. You know, just to have old retired moms call their sons and do the "you won't even do that for me?" sobbing act.
- Pure social pressure. E.g., if you're a student still living with your parents, whoppee, they can control who you voted for. You know, under the old principle of, "as long as you're in _my_ house, you'll do what _I_ say, young man. Now let's go to a terminal and you'll prove to me that you voted as I told you to." E.g., if you want to keep working at my office, better "voluntarily" prove that you voted for my favourite candidate.
Etc.
Yeah, I'm sure _you_ would bravely stand your ground, stick to your ideals, and never betray the sanctity of the free democratic voting. Maybe. But considering that elections have been won by a 0.1% lead before, the funny thing is: you don't need to get _everyone_ to cooperate.
Some of those aren't even easy to legislate against. E.g., how would you legislate against parents demanding to see their 21 year old son's ticket?
So, no. Please don't do that. The important thing about votes isn't just that they're counted, but also that they're secret and hard to influence. The moment all that remains is that they're counted, but someone can easily influence the voters and/or check what they voted... well, you might as well not bother pretending it's a democracy any more.
A polar bear is a cartesian bear after a coordinate transform.
Worse. Not to launch into a conspiracy tirade, but who says the machine prints out the user's selection? In a perfectly—or even halfway competent—world, all it would take is one dishonest group of people (Diebold?) to code the system with two result columns. The first stores the user's actual vote, the one it can print out on request given an encrypted value, or present on a confirmation screen for the user. The other stores the desired vote; maybe on a statistically weighted basis for a specific candidate or party as to make the slant non-obvious. The second column is used for tallies.
Suddenly your printed receipt is absolutely worthless. Sure, you can rest easy the system correctly registered your vote, but it's the master counting system, and the values it receives, that matters.
Paper ballots require a massive concerted effort with hudreds, or even thousands of conspirators. With Electronic voting, since the code is closed (and even if it was open, we can't ensure that's the code they used in the final machine), it takes one manager with an agenda and a handful of hand-chosen coders to implement it.
There may be a way around this, but I sure as hell don't know what it is.
Read: Rabbit Rue - Free serial nove
We use it here in Oregon, and it works well.
Anybody registered to vote, gets checked, then mailed their ballot to their address on file. Signature checks, collected at the DMV, are used to validate votes. Votes are mailed in a double secret envelope that allows verification but does not tie votes to voters.
The counting system is optical scan, is done in one location with security in place there. Audits are performed, and most importantly:
-the voter can verify their own vote
-said vote is human and machine readable
-casting of votes is distributed over time and space.
Blogging because I can...
The answer to that is to collect the receipt in ballot boxes after the voter has verified it is correct. It gives a paper trail that is a lot harder to fix and even harder to fix to match the electronic count. Then you do as others have suggested and do samples of the paper trail. If the samples and the electronic vote doesn't agree, you have two choices: accept the paper votes, or do another election.
I wonder if, perhaps, anonymous voting is going to have to go away. People register with their Social Security Numbers or RealIDs, vote, then can review their vote on a website along with everyone else's.
Of course, as with paper or e-voting, what the final tally shows may not reflect the paper/button press you submitted. Electronic or paper, you still need to trust the vote counters OR be able to verify your vote later.
Congress should have power. Congresspeople should not.