US Voting Machines Standards Open To Public

Online Voting writes "The U.S. Election Assistance Commission has published new voting systems testing and certification standards for 190 days of public comment. For all the critics of electronic voting, this is your opportunity to improve the process. This will be the second version of the federal voting system standards (the first version is the VVSG 05). To learn more about these Voluntary Voting System Standards see this FAQ."

I wanted to read it...

[houstonbofh]

I just could not vote for any of the links. We need a strong voting standard to show some leadership.

How about

[SamP2]

- Printed voting receipt
- All code open source, all architecture fully documented and publicly available
- No person-vote information recorded in database (database lists people as "voted" or "not voted", as soon as person enters a vote it changes to "voted" and won't allow another vote, while a separate database increments a counter for a particular candidate. These two databases are NOT linked together.
- No timestamps to ensure manual matchmaking between people and votes are not possible.

Ah hell. I could come up with lots of other reasonable suggestions, but its not like any of this will ever be implemented.

Re:How about

[heinousjay]

I don't like the receipt, and I have a hard time wondering why people would want it. It couldn't be used for anything related to the process because of the ease of counterfeiting.

Re:How about

[Conspiracy_Of_Doves]

Yes, print the voting receipt, but don't let the person take it with them. They can see it in the machine to verify that was who they voted for, but it stays in the polling place in case a manual recount is needed.

Re:How about

[megaditto]

Receipt is a great idea.
For one, you could get a discount on your union dues with a Democrat on your voter receipt.
Or you could use it to secure your job (since your boss won't fire you if he can see you voted Republican).
Or you could sell it to the highest bidder: exchage your Billary/Osama receipt for a $20 gift card (for example). Buying votes otherwise is a real pain: people take your money but can still vote for the other guy if you don't watch them.

Re:How about

[mOdQuArK!]

Why do you need to print a voting receipt then? If the voter isn't going to take anything with them (not a good idea anyway), and they're going to leave something behind, then the ballot is the voting "receipt".

The only valid reason for checking peoples' IDs at the voting place is try and make sure that each person is eligible to vote, and gets one and only one ballot. Beyond that, there is no reason to keep track of any voter's ID.

Re:How about

[aynoknman]

Yes, print the voting receipt, but don't let the person take it with them. They can see it in the machine to verify that was who they voted for, but it stays in the polling place in case a manual recount is needed. Also, they can't verify who they voted for to a vote buyer.

Re:How about

[mithras+invictus]

No, the receipt should be the ballot, not the other way around. One machine is meant to help the voter produce a human and machine readable vote, the voter can check the produced ballot unassisted and decide whether or not to submit it.

Re:How about

[cheater512]

Reciepts are a bad idea. They kill the point of the secret ballot.

Also there should be timestamps but on the voted database and not the votes database.
So Mr XXX voted at 1:15pm but not who they voted for.

Re:How about

[Drunkinpublic]

IF THAT IS INSIGHTFUL HOW DUMB ARE THE PEOPLE READING IT? OBVIOUS ? PREVIOUSLY SUGGESTED ? YES INSIGHTFUL NO !! THIS IS REDUNDANT (lame filter) asdf asd sadf as dsf dsasdf asdf asdf asdf asdf adsf asdf asdfasdf dfa adsf sdf asfd ads sdf asdf asdsdf asdfsdf asdfasdfasf asd fads fasdf asf adsf asdf asdf asdf sdf asdfasd fsadf asdf asd f

Re:How about

[utopianfiat]

Or how about... a paper ballot?

Re:How about

[wwphx]

I'm looking forward to checking this out when I get in to work, I just finished writing a SQL Server/ASP vote tally/display system for our municipal election next week. I'm hoping that my boss and higher-ups will let me put the code on SourceForge, it's moderately sweet with only three tables: everything is done through queries and two stored procedures.

Re:How about

[Quince+alPillan]

Or you could put the receipt in a ballot box after you're done reading it and it could be counted during a manual recount instead of what the machine counted.

Re:How about

[Rob+the+Bold]

Or you could put the receipt in a ballot box after you're done reading it . . .

Why must you hate our free market? About time the little guy got in on the action.

Re:How about

[Sponge+Bath]

A printed receipt that you drop in a box after visual verification sounds great.

In practice I wonder how that would work for elections where you vote for many different items. I just finished voting on a bunch of proposed constitutional changes on an electronic voting machine in Texas. Even the final verification screen was pretty useless unless you had a reference sheet to compare against. It was just a long list of Prop #1 - No, Prop #2 - Yes, ... Prop #666 - Yes, etc. and no descriptions of individual items. I don't really have an answer for how to briefly summarize a long list for verification on limited visual real estate and still be intelligible.

How would that look on a paper receipt unless it is multiple pages of 8"x11" ?

Re:How about

[mOdQuArK!]

You don't want a ballot that has a separated human and machine-readable codes. The counting machines (if you use them) should be capable of reading the same part of the ballot that the human reads, and vice versa, so there's as little ambiguity as possible between what the machines are looking at, and what the humans are looking at.

Of course, if the essential information is human readable, then you don't need machines to do any counting either - all of the old, time-tested procedures for vote-counting paper ballots can be used, except you'll have nice clean machine-generated ballots to read from.

Re:How about

[Crizp]

...which is what "printed receipt" means in voting-machine-speak...

Re:How about

[Touvan]

Even if all the above were in place, and you could come up with the perfect system to run on voting machines, and make it decentralized, etc, etc. How would you know that what was in the source code is what's running on the machine?

If you can't see what's going on in the machine, when you cast your vote, you can't be sure of anything. Elections and voting are too important to leave up to these machines, which are too easy to tamper with, by a very small number of people. It only takes one guy in the right place, who tampers with the binaries that are sent to all voting machines for example - very easy to cheat with that kind of system. Compare that with a large number of individuals who all have to hand count paper ballots. You have to convince quite a few more people (or pay off, etc.) to get the vote tampered with in that kind of system.

The only reasonable effective voting system, involves a great number of people, hand checking paper ballots (possibly with the very limited exception of printing machines for the disabled), combined with very good checks and balances. There is nothing else that can do it fairly.

Re:How about

i am an election judge in Chicago, and most of your ideas were implemented 8 years ago. We use a dual-format system. most people use a paper ballot which is machine-scanned as they leave the polling place. If there are over-votes (two votes for one office) or other anomalies the ballot is rejected and we mark it as spoiled and give them another. We also have a Sequioa touchscreen/audio voting machine in each preceinct. The voter checks in, we verify his signature, and use a device which activates a credit-card sized chip. They insert this into the touchscreen unit and it allows one voting session, and it must be used in 5 minutes from activation. The chip has no identifying information on it. As they vote a paper tape in a sealed cassette is printed, showing through a window. When they are finished they can review the printed vote, and when they log off the paper disappears into the cassette. at the end of the day we remove cartridges from both the scanner and the touchscreen device, and the card activator reads them and transmits the results downtown. Se seal up the cartridges and the cassette and deliver them to a receiving station, sealed in a special carrier.

I certainly much better now!

[e9th]

From the EAC's FAQ:

Q: Will the source code be available to the public? A: No.

Re:I certainly much better now!

[Baricom]

The FAQ makes me believe these standards are essentially useless. No source code, no independent verification (the voting machine manufacturer pays its choice of testing lab), and most importantly, no mandate to adopt these rules for any election.

Re:I certainly much better now!

[Comatose51]

So it's less of a FAQ and more of, say..., a slap across the face? One might even call it a bitch slap. Or perhaps one can call it "Kim Jong-Il's Playbook" instead of a FAQ.

Re:I certainly much better now!

[Tim+C]

Serious question - how would having access to the source code help?

Re:I certainly much better now!

[jack455]

The ridiculous mistakes they keep having merely counting votes could be fixed, or at least people could verify the integrity of the systems.

For example; I'm a lot more worried about MS apps phoning home than linux ones. The real world proves me write with numerous examples available.

Re:I certainly much better now!

[Tim+C]

at least people could verify the integrity of the systems

How would they do that?

Access to the source of the code running on your own PC is an excellent thing. It lets you modify it, confirm that it does only what it claims to do, find and fix bugs, and so on.

Access to the source of the code running on a machine that you have no control over is useless. You cannot confirm that it is the source of the running code. You cannot confirm that there are no hardware issues - intentional or otherwise - that are affecting the correct operation of the code.

Your swipe at MS, while predictable, is entirely irrelevant to this discussion. To continue your analogy, you want the source to the code running on your XBox or Playstation because you don't trust it. You don't trust the company providing the code, but they also provide the hardware and yet you do trust that?

You don't trust the system. You need to be able to verify the correct operation of the system. Access to the source to one part of that system does not give you anything but a false sense of security.

Re:I certainly much better now!

[slashqwerty]

The machine could have hardware that computes a cryptographic hash on the data on disk and displays it on the front of the machine. That can be circumvented, but it would be much more difficult. Having the source code (to the whole system) you can compile according to prepared instructions and compute your own checksum to verify they are the same.

Re:I certainly much better now!

[Rob+the+Bold]

Access to the source of the code running on a machine that you have no control over is useless. You cannot confirm that it is the source of the running code. You cannot confirm that there are no hardware issues - intentional or otherwise - that are affecting the correct operation of the code.

Amen to that. I worked for a temp firm for a contractor to ES&S when they were prepping the code for audit by a 3rd party under the previous version of the voting machine audit standards. The code needed major cleanup to comply with the coding standards (for readability), and we were in a time crunch, so everyone dropped what he was doing and worked on sanitizing the iVotronic code. After it was done, we had beautiful code. All variables were declared at the top of functions and names that made sense. No more globals. Functions had meaningful names and headers describing purpose, input, output, method, etc., etc., etc. We sent that software off to be audited for use in US elections. Of course, that code was never compiled. And it never made it back into the production s/w vault.

Re:I certainly much better now!

[FigTree]

One could just as easily print the hash of the compiled version one wants you to see instead of real one.

Re:I certainly much better now!

[meatspray]

Security through obscurity only lasts until someone figures it out.

Nothing like having the eyes of every coder on you to keep you honest.

This stuff isn't rocket science.

profit
Take the users id number,
display a list of questions,
record the answer to the questions,
transmit them home securely, (hardest part)
profit

Honestly, there's no reason not to use a generic kernel, ncurses and a flatfile db.
weld the case shut, seal off all ports save fine vents.
pgp crypt the data with the local machines public key.
pass the data out the screen via IR to a portable terminal.
Don't give any indication on site of how many votes were taken or what the outcome was.
send the data from the terminal through phone line to an otherwise offline central collection site.
decrypt the data with the private keys, dump the localized tallies in to a hosted image for public consumption.
concatenate the files, count the results, dump the total in to a hosted image for public consumption.

Re:I certainly much better now!

[JoeCommodore]

With closed source you really don't know whats going on changes can be done and you have no clue.

On an open source system, technical professionals, besides average joes, will be able to examine and validate the integrity of the code. To verify it has not been tampered with authorities would compile the public source, get a checksum on the binaries, then compare that to what is installed on the machines, if there is a difference they replace the invalid binaries with the verified.

If there are bugs it can be a mess but it's better then having a bug in closed source and having a last minute patch that included a little bit more than just the bug patch.

In general voting system should not change much at all. They should accurately display/provide choices, record vote properly, produce verifiable paper trail and consistently transmit data with safeguards to ensure it's accuracy upon receipt. It's not really a system that should need constant major updates or radical changes in the base OS.

As with all the hype since the 64s of computers as appliances, just plug it in and you don't need to mess with it, it just works, thats what the voting machines should be like, not be a major money maker for any private institution.

Re:I certainly much better now!

[armareum]

But that's fraud, not just a mistake in the code.

Re:I certainly much better now!

The machine should be hard-coded to compute the hash. The machine should require changes to hardware to make it do what you are suggesting.

Re:I certainly much better now!

[jack455]

How would they do that?

Access to the source of the code running on your own PC is an excellent thing. It lets you modify it, confirm that it does only what it claims to do, find and fix bugs, and so on.

Access to the source of the code running on a machine that you have no control over is useless. You cannot confirm that it is the source of the running code. You cannot confirm that there are no hardware issues - intentional or otherwise - that are affecting the correct operation of the code.

Whether proprietary or opensource, having the wrong software intentionally installed is its own separate problem. And it's proprietary software that is far more likely to accidentally allow changes to the code n a machine. Which are you implying, that I should assume the voting machine companies will defraud the US or that vulnerabilities in the code will be exploited?

Your swipe at MS, while predictable, is entirely irrelevant to this discussion...

It's not like I said I never run Windows. WGA has certainly confirmed the legality of my copy of XP on occasions, but it is a fact that MS lied about the data that is collected. And that sort of practice is certainly inappropriate for voting machine software. ...To continue your analogy, you want the source to the code running on your XBox or Playstation because you don't trust it. You don't trust the company providing the code, but they also provide the hardware and yet you do trust that?

I don't trust my ps2 to what? vote for me? --no. entertain me? --yes. Not all of us think all proprietary code is evil. (One day I would like to install linux on my ps2, though. But not for moral reasons.)

You don't trust the system. You need to be able to verify the correct operation of the system. Access to the source to one part of that system does not give you anything but a false sense of security.

I would correct that by saying that "Access to the source to one part of the system does not give you everything and may give you a false sense of security." To go overboard I guess we could have read access from a bootable disk and verify PGP signatures and sha-sums, but I'm not that distrustful. I'd be satisfied if it was checked at the beginning of the day by a poll worker.

big problem

[ILuvRamen]

Has anyone else noticed that more money and time and effort has been spent trying to make and use good, fair, electronic voting machines than it would have taken to just keep using paper ballots and have them counted like usual? Isn't the point to save money and time and make it more efficient? I think another point was to make elections less riggable and more accurate but Diebold killed that dumb idea behind a long time ago lol.

Re:big problem

[noidentity]

That's my thought. Just take a look at the testing section and it's clear that A) these tests will still let problems slip through, and B) all the effort involved in an electronic version of a piece of paper and pencil is not worth it. Similar effort is put out on electronic financial systems because it's worth the benefits it gives. Electronic voting is probably the best example of technology looking for a problem to solve, and failing that, inventing a problem.

Re:big problem

[mOdQuArK!]

The main advantages of using voting machines is that they can be used to print out a nice, clean ballot which can be easily counted (no misaligned filling-out of ovals or odd marks, don't worry about #2 pencils or color of pens, no hanging chads, the ballot contains only the selected choices so no "they really meant this choice!" type of counting, etc).

They're also good at providing alternative interfaces for the disabled (sound or braille) while still printing out a nice, clean ballot.

The only reason for COUNTING machines is for speed though, and since there's no easy way to make sure the counting machines haven't been compromised, we shouldn't depend on them at ALL except maybe for "preliminary results". For the final official result, we should still stick to the hand counting votes (especially if we have nice, clean, easily-readable ballots).

Re:big problem

[gomoX]

"Classic" voting (aka paper ballot in cardboard box) has many, many problems. We just had elections, and I waited in line for 2:30 hours to vote. A big part of that time was devoted to wondering why the fuck don't they use some sort of electronic system for this.

Some problems that are typical with regular elections:
- missing ballots for a given party make the thing go slooow
- you waste time finding ballots when there are many options (most countries don't have a two-party thing going on but instead have tens of partys)
- long time to cut ballots when you have elections for more than a single position (say, president and senators) - this factor also favors "block voting" for a party
- the signed-envelope system has loopholes that allow people to buy votes anyway
- you need people to supervise the whole thing, and no one wants to volunteer
- the whole process is so troublesome and complicated that people just want to get it done instead of actually thinking about the election they are making

Of course, the electronic counterpart isn't easy to build. But it could be better, it's not really that hard. You need an easy consistent interface, solid machines that won't be easy to break, and some kind of receipt showing that you voted. That's it.

Re:big problem

[zcat_NZ]

You missed another advantage. Since the printed ballot is in a consistent (and preferably standard) format, those votes can be optically counted by a tallying machine built by a completely different vendor. If the preliminary count and independent OCR count agree within some agreed margin (we'll allow for misreading a vote or two per million, OCR isn't perfect). Then we can have a final, trustworthy election result within minutes of the closing of the polls. Accurate, trustworthy, _and_ fast. Wouldn't that be nice!

Re:big problem

[Bert64]

There shouldn't be any errors at all if the votes were printed out by a computer...
You should print the ballot on a machine, verify that it really did vote for what you wanted, and then put it in a ballot box.

Re:big problem

[bVork]

Sounds like the problem is with your country's implementation of paper ballots, and not the general idea itself. Here in Canada, voting takes maybe half an hour at most. You show up, verify your identity, get your ballot, go behind a screen and put an X in the circle next to the candidate, fold it up, hand it to the person working the box, watch them place the ballot in the box, go home.

To supervise the whole thing, we require people from multiple parties to be present at the polling station. It's hard to fiddle with something when it has to be verified by two (or more) opposing people at the same time.

I don't understand your references to multiple ballots. Is each party on a separate ballot or something? Why in the world would it be done like that?

Re:big problem

[CastrTroy]

That's what I was thinking. They must be doing something wrong. Using machines doesn't make the voting process any faster. The only way to move the line along faster would be to have more polling stations. Just as a reference point to any Americans, the average Canadian polling station only handles 352 people. The voting moves along rather quickly. And although it is possible to use ballot stuffing to rig the vote, it is very hard to do that for a large scale election, because the number of boxes you would have to rig would make it very likely you would get caught. Contrast that with electronic voting, where a couple bits changed in a computer chip can change the entire outcome of the election.

Re:big problem

[mOdQuArK!]

I did actually mention counting machines in my post, with the assumption that they were using OCR to read the same ballot results that the human used to verify that their ballot was correct, plus the ballot design & fonts were designed to be easily OCRed with high accuracy.

As I mentioned, however, the only reason for using a machine to do the counting is speed. As long as you're using a "black box" for counting, it becomes very, very difficult to be sure that the votes are being counted the way you intended them to be counted.

There are time-tested & well-understand procedures for handcounting paper ballots, which have many safeguards against the corruption of individual counters & officials. (Unfortunately, it doesn't look like the voting machine-makers either studied or cared about the motivation behind these procedures.) We should keep using those procedures unless we have an absolutely compelling reason otherwise, and speed is NOT one of those compelling reasons.

Re:big problem

[RealGrouchy]

There have been many stories on Slashdot about electronic voting, and I can recall at least one which detailed a polling station where nobody could vote for three hours because the electronic voting machines didn't work, and/or there was nobody on site who could get the to work.

I don't see any of the problems you list about paper ballots that can't also happen with electronic voting.

- RG>

Re:big problem

[YourExperiment]

Here in Canada, voting takes maybe half an hour at most Here in the UK, it takes no more than a couple of minutes. You turn up to find a mostly empty hall, because no-one has bothered turning out to vote. You spend 30 seconds or so wondering why you've bothered, since all of the candidates are lying bastards anyway, and their policies are broadly the same as everyone else's. Then you put a cross in a box next to the name of some guy who has no chance of being elected anyway, and you piss off home again, with a nice warm glow inside from having participated in the democratic process.

Re:big problem

[zestyping]

People keep saying how fast Canadian elections are. (I'm Canadian too.) But they're missing a huge difference.

In Canada you usually have one contest.

This is why hand-counting doesn't work in the United States. Chicago, November 2004: 10 pages, 15 elected offices, 74 judges, one referendum. That's 90 contests.

See more at NIST's ballot collection.

Re:big problem

[ILuvRamen]

what the hell's so hard about building a printer? lol. Don't even make it track the vote. You press a button, NOT a touchscreen, and it prints a slip. Walmart practically has some of those for checkouts lol. They should cut all the operating system and logging and networking and other bullshit and just make it a machine. Don't even put a significant processing capable chip in it. Just make it print your damn pick.

Sweet

[r_jensen11]

Now all we need are some calls that query and listen to when Diebold changes people's votes, then automatically record & report the events to an independent 3rd-party.

With Diebold's incompetence, this shouldn't be too hard to do, should it?

Re:Sweet

[thatskinnyguy]

Several generations of my family have worked for Diebold. They're a fixture in the community of Canton, Ohio. They're really good at physical security. Hell. They make most of the bank vaults and ATMs that you see.

But when it comes to voting machines, the only thing that separates the voting machines from their other products is strong bias. Tamper with an ATM at the factory, sure some FDIC bank will lose a few thousand dollars but the one doing the tampering gains nothing. Tampering with a voting machine, the perpetrator stands to influence an election in ways they see fit.

Re:Sweet

[r_jensen11]

Many banks don't even own the ATM's. They're often owned by 3rd parties who then charge the banks service fees.

The main difference is that the ATM is there for convenience. They're everywhere and can fit in places that banks can't. They also are available 24/7. Meanwhile, voting machines are much less convenient than absentee ballots, as you have to go to the voting precinct, rather than having them sent to you, resulting in you being able to fill them out anywhere and deposit in those seemingly ubiquitous (and somehow, surprisingly, absent when you need them) mail drops. And unlike the ATM, which you can pass on and go to the bank's branch, the only way to pass on voting machines is to send in a request form weeks in advance and wait for the processing time. Then you have the option to either mail it back or have it dropped off at the local precinct. You still have the paper trail, btw, and you have as much evidence as possible that your vote will be counted properly (since you can ask a court to be able to have a separate group recount after the results are reported)

Re:Sweet

[cloricus]

Diebold ATMs are new to Australia though we seem to be getting the latest all singing dancing 'make it harder to do you banking' models that match web 2.0. Comically enough the other week I was thinking about the joke every one had here when they switched to windows for their OS tasks a good few months back. About three days later I walked past one that had a lovely blue screen of death just happily sitting there; I honestly have never fallen over laughing in my life before, let alone in the middle of a busy shopping centre.

So I thank your family and diebold for really uplifting my month. :)

I for one....

[edwardpickman]

prefer our Diebold Overlords. It takes all the guesswork out of the voting process. There's something comforting knowing the outcome of an election months before the day.

Re:I for one....

Yes, indeed, I heartily agree. I had a good laugh and would mod you funny too. Not meaning to burst the happy bubble, but such foreknowledge has a darker side too.
It's not so "comforting" to know that regardless of which candidate or party Diebold selects, we can all rest assured in foreknowledge that the USA will: continue the genocidal punishment of the Cubans and equally genocidal elimination of the Palestinian people, ignore preventable humanitarian crises in favor of reinforcing corporate hegemony over the commons we all require to exist, continue to spend more on weapons (and selling/giving them to allcomers) than the rest of the world combined, continue to imprison their own people for victimless crimes, and spew gazillions of tonnes and litres of crap into the world environment, continue the American crime wave of ignoring international treaties and any law that doesn't line the pockets of the increasingly corrupt body politic, and pump out endless "reality" entertainment and "instant" food in the modern version of bread and circuses. Yes, sir, we're all really comforted to know these things in advance, we nihilists. It affirms our belief in the inherent inutility of the human species and the worthy demise of a sickness that the rest of the planet's species could well do without.
What's my rant all about, you ask? The votes don't count for SHIT. This tiresome pursuit of technological measures for counting nothing-of-any-value boggles the mind.
Now, please, someone mod me troll or off-topic, because what's important is obviously finding excuses to ignore the elephant in the room by concentrating on molecular analyses of the fecal matter the presumed and unimportant mammal has deposited that makes our burgers and coke smell funny.
 
Slashdot slogan on the top of the page: Politics for nerds. Your vote matters.
 
Er, no, it doesn't.

Re:I for one....

I have voted against all of the Bush's. I voted against Reagan. I voted against Mitch. I voted against many others. I was an outspoken opponent to the Iraq invasion. I was an outspoken opponent to the Patriot Act. I have been and will continue to be an opponent to many things done by our government (US) in the name of protection. But, after GW, I will be much less outspoken.

Anon for obvious reasons where I live

What a bunch of crap

[rastoboy29]

Too bad neither of the "major" political parties has the country's interests at heart, or we would have real, open standards for the machines themselves, and not just a voluntary fucking testing process.

Counterfeiting voting receipt

[Harmonious+Botch]

It could be PGP tagged.

Re:Counterfeiting voting receipt

[N3WBI3]

Actually a great idea, maybe encrypted text? With a key only known by the election board?

Re:Counterfeiting voting receipt

[Mr.+Freeman]

There will be too many people with these receipts to safely assume that no one will crack it. Cracking most stuff is damn near impossible, but when you're talking about double-digit percentage of the populous with the will to discover the key, I'm pretty sure they'll come up with something. You don't need more than about 1-10 people that happen to have access to a university supercomputer and are willing to legitimately or illegitamately use it to brute force the key.

Re:Counterfeiting voting receipt

[N3WBI3]

People don't get the encrypted receipts... Maybe Just a POT receipt for them and the encrypted one goes in a bin to which only election officials have the keys.

Why the continued paranoia?

[grahamsz]

Where does this fear of opening source code come from? Is there really a concern that some competing software vendor will copy their "tally up the votes" routine. I can see why banks and private companies want closed source, but why here?

The only answer I can see is that the machines are badly programmed or they have been rigged in some way.

Re:Why the continued paranoia?

[cheater512]

Its more likely to be a fear of people not contributing.
They could find flaws and then exploit them at the next election to make their candidate automatically win.

Of course its nonsense,
If it went through a standard *nix development cycle with alphas, betas and release candidates along with a x86 compatible testing program and allowing (audited) patches then it would be very secure.
Many people (especially conspiracy nuts) would be reading over the code.

Problems, not solutions

[michaelmalak]

You've violated the golden rule of specifying requirements:

- Printed voting receipt

The requirement is:

1. Individual vote verifiable by the voter's unassisted eye at the time of voting as to the vote selection and whether or not it has been tampered.
2. All votes verifiable by auditors' unassisted eyes after voting is complete as to the vote selections and whether or not they have been tampered.

Re:Problems, not solutions

[SamP2]

Your second option is not possible (as stated) unless the database links individual people to individual votes, which in turn violates ballot secrecy (with traditional voting, when you enter a ballot, you don't write your name on it, and while the auditor can count the number of votes, they can never know who voted for them).

The digital voting controls should be similar to traditional voting (count how many people entered/left and compare to number of votes), but NEVER record the voters identity on the ballot. Auditor or not, this knowledge is reserved for the voter and nobody but the voter.

Re:Problems, not solutions

[peragrin]

um with the 1930 electonric voting machines you could do both of those with out comprimising data personal data.

It means the voter doesn't log into the voting booth. the voter should only walk up to the both press a few buttons get a confirmation receipt and then stick said receipt in another box. The voting machine then is reset for another voter.

Electronic voting should only make counting faster not a complex database system that records everything about the voter.

Indeed a regular computer system is a waste in such a case. no more than powerful than the newton, or early palm is needed, no full oS is needed. the least complex the better.

Re:Problems, not solutions

[Catbeller]

Or just use the damned paper to count the vote. Computer printed receipt != what actually transpires.

Can someone please...

[graviplana]

Tag this story as "inaccurate", "badtitle", or "badsummary"? If the source code isn't open to the public then this is basically a dog & pony show, IMO.

Re:Can someone please...

[Envy+Life]

No, it's not misleading at all. It says the "standards are open to public", which doesn't have to imply source code. If, for example, the standard is to do all counting with a paper ballot, does it matter if the source code for the computer which generates the paper ballot is open (as long as the paper ballot is verifiable by the voter)?

Re:Can someone please...

[graviplana]

Yes it is misleading, IMO. The _Intent_ of open voting is that there aren't weak links in the chain where monkey business can happen. Closed Source Code is a huge part of the entire Deibold Voting Machine Debacle, for example which is what has gotten us to where we are now. :D So again, the whole thing is misleading - a dog and pony show.

Why hack a voting machine?

[jihadist]

...When you can simply bombard the numb populace with expensive television advertising, purchase stories in the "news entertainment media," bribe them by appealing to their greedy special interests, and manipulate them through churches and synagogues?

They don't have to hack the voting machines. They've already hacked the voters. Just as Plato predicted they would!

Re:Why hack a voting machine?

[largesnike]

Well, if you want a particular government in and they're 10% behind, your voter hacking might bring them within 5%, which is about the margin by which you could rig the voting process. I mean, if you relied solely on hacking voting machines, then your election outcomes would be so different from the polls, so regularly, that people would suspect that the hacking is taking place. This way, you get only slight irregularities, and surer outcomes. Of course having a USA PATRIOT act that, effectively allows the electoral college to seize ballot boxes, without scrutiny or explanation, helps a real lot.

Re:Why hack a voting machine?

[unitron]

Of course having a USA PATRIOT act that, effectively allows the electoral college to seize ballot boxes, without scrutiny or explanation, helps a real lot.

This is the first I'm hearing about anything in the USA PATRIOT act that has anything to do with the Electoral College. Would you have any links to a fuller explanation of these added powers you seem to think the College has been given?

Re:Why hack a voting machine?

[TheMeth0D]

Don't overlook the millions on welfare and the many recipients of government support. They will always vote themselves a "raise".

Of course with our two card monty, er, party system it doesn't really matter anymore anyway.

Vote counting research

[slashqwerty]

Dear grahamsz,

In response to your question, "Is there really a concern that some competing software vendor will copy their 'tally up the votes' routine", we here at Diebold take great pride in the quality of our product. Our "tally up the votes"TM routine is a prized trade secret developed through extensive research and experimentation. If our competitors could simply copy our unique technique for counting votes they could develop the same product without incurring the significant costs of researching how to count.

I'm sure you can appreciate the sensitive technical know-how at the core of our product. Only a few vendors have discovered the secret to counting votes. If this knowledge became public anyone could count see how we count votes which would take away our incentive to create a much valued product which serves to protect democracy.

God Bless America,
Tom Swidarski
CEO of Diebold, Inc.

Re:Vote counting research

[mistralol]

The future of voting needs to be open with pen and paper. If you hide the process away you have lost what you are voting for already so what is the point in voting. Modern democracy needs and option to say "i don't agree with the voting system" when voting. Kind of like a "none of the above" option where if that option wins new people are encouraged to stand.

I live in the UK i have been British all my life. My Vote does not count in this country for the people who run this country !. Many people are not aware that the votes from N.Ireland do not influence who becomes the prime minister.

Software independence is required.

[zestyping]

For those of you who have wanted voter-verifiable paper records, the new VVSG says:

Software independence means that an undetected error or fault in the voting system's software is not capable of causing an undetectable change in election results. All voting systems must be software independent in order to conform to the VVSG.

See section 2.4 for a discussion of "software independence." The draft guidelines present "independent voter-verifiable records" (IVVR) as one method of achieving "software independence," though it leaves the door open for other innovative ways of achieving the same goal (such as end-to-end cryptographic verification).

I definitely recommend reading the guidelines. There's a lot of stuff in there.

Open-ended vulnerability testing.

[zestyping]

It is interesting that the guidelines propose Open-Ended Vulnerability Testing, which is essentially described as a red-team exercise. This is a new and significant addition.

The second chapter of the introduction provides a good rundown of the new material in the guidelines.

scantron

[HaMMeReD3]

Scantron and a #2 pencil.
It doesn't even need to be modified. Actually, it should be in the guidelines that it is encased in a solid unbreakable enclosure and not have any custom software, the same scantron software they use in high schools.

Maybe a second system to check who has voted and to prevent doubles (not connected to the scantron machine in any way)

No input problems
Very accurate counting
No link between voter and vote
Accurate, tamper proof paper trail (given that votes aren't thrown away, but they should match a electronic tally)

See the problem is when you input on a computer screen it's bound to have errors/crashes hardware defects etc. The computer also serves as a filter, possibly misprinting the paper ballot, or registering the electronic vote incorrectly.

And how does diebold manage to fuck up the machines so badly, they sound like a failed cs11 project, distributed access unencrypted access databases?

Re:scantron

Oklahoma uses a different scantron type ballot. You are given a marker (sharpie?) to complete the arrow of the person or item voting for. You place into electronic reader and you are done. Human and machine readable.

No light pencil marks, no manual counting, human readable, very quick.

Re:scantron

[Catbeller]

#2 pencil, boxes marked "check here", and manual counting overseen by reps from both parties when the boxes are opened. Simple. Unhackable by external third parties. Infinitely auditable. Cheap, 'cause the monitors work for free.

Scantrons can be hacked as well. The false assumption is that the manufacturer is pure of heart. They ain't.

Canada uses the #2 pencil and paper system, and they finish national elections in hours. With no room for cheating. And they can do recounts. Easily. There is no reason, NONE, for introducing useless automation into the system other than opening the door to hacking the totals. Convenience is not an reason, it's an excuse.

Re:scantron

[Catbeller]

Diebold didn't fail. They did precisely what they wanted to do. Deliver a compromised system that could deliver the votes to the Republican party without too much fuss. They stonewalled every investigation, and got away clean. We can hold a politician to account, you see, but corporations are designed to be a fog impervious to criminal charges.

My opinion on "software independence."

[zestyping]

Now for the subjective part of my comment. The concept of "software independence" is a laudable goal -- and achieving "software independence" as defined in the guidelines is certainly an improvement. Voting systems that fail to meet the guidelines' definition of "software independence" deserve little confidence, given what we know about bugs and complexity in software.

My problem with the term "software independence" is that it is misnamed. The guidelines give a definition of "software independence" that does not actually mean the election's correctness will be independent of software. Their definition is much narrower -- to achieve what they call "software independence," all that is necessary is a software-free way to audit the count of recorded votes. This has two big weaknesses:

1. Altering recorded votes is not the only way to tamper with an election. For example, this definition ignores the preparation and presentation of the ballots to voters. What about votes that are wrongly recorded, or never recorded at all? What if software failures are biased toward a particular group of voters?
2. It describes a vote count that is less than fully dependent on software. A voting system that is vulnerable to software bugs in 99.9% of realistic situations still counts as "software independent," as long as it's not 100% dependent. A system can technically be called "software independent" matter how vanishingly small the chances are of detecting a software error, and no matter how much work it would take to detect the error, as long as someone can conceive of a procedure that would detect it.

I think this is kind of sad, because it means we can no longer say "software independent" to describe voting systems that are actually independent of software, as in not dependent on software, i.e. what most people would think the term means.

Its not that freaking hard people

I worked on the old mechanical voting machines in the early 90s. They were hard programed for with little keys that controlled the voting levers for each question. At the end, a giant summary sheet was printed out and totals were hand checked against number of people who voted and totals on the summary sheet. After the election was certified the machines had all the keys removed.

So how freaking hard is it to burn one PROM with the questions/canadates names to be displayed on the screen and a second PROM to contain the "Voting Control Keys"?

1) Certify the serial numbered PROMs
2) Seal the machines
3) Have the election
4) Certify the machine, print the summary sheet.
5) recover and process the machines results.
6) verify automated results vs summary sheets totals.
7) Certify the election
8) Wait whatever time needed for recount appeals
9) Break seals and pull PROMs and put in sealed storage.

Copyright (c) by the human race.

Re:Its not that freaking hard people

[Vidar+Leathershod]

You've actually come up with the answer without stating it explicity: Keep using mechanical voting machines! With levers! We have these in NY, and they are freaking solid as heck, and don't require electricity, near as I can tell. No power outages to worry about. No mass-scale software editing to mess things up (being realistic, this could be more likely to happen as a result of bug or error than someone trying to fix the election.

Adding complexity to a functioning system only benefits the producers of said complex system. After all, I am sure they are not going to perform the myriad repairs for free. Backup-battery units, if they are installed, will not stay fresh forever. And people will make a stink if there is a power outage during the election that lasts long enough to drain the batteries (this happened in a upstate NY city a few years back; the lever machines kept operating. If they had been computer based, they probably wouldn't have lasted the hours that they would have needed to.)

Re:Its not that freaking hard people

[Rob+the+Bold]

So how freaking hard is it to burn one PROM with the questions/canadates names to be displayed on the screen and a second PROM to contain the "Voting Control Keys"?

You're suggestions mitigate tampering by a 3rd party, but don't necessarily prevent fraud on the part of the manufacturer. This is a concern to many in the US, due to ties between the DVR makers and politicians. E.g. Diebold with the Republic Party and ES&S with (former) US Senator Exon, just to name some of the known associations.

Ok, that's step one..

But what to do ones you notice "irregularities"? Will you ask everyone from the county, who voted, to come over and hand out the printout? And then, who is to guarantee that those printouts can't be tampered with?

You can also review the full document...

[DingoTango]

in PDF Format.

Why not start with an open standard?

[MosesJones]

Wouldn't it be better to start with an open standard around the election process for information exchange and the like? This Already Exists and is "recommended" by the US Government. Why only recommended? Surely this exactly the sort of thing that should be enforced as a basic requirement. Its not like the US Government could claim "we can't enforce that standard as vendors might not want to use it" its the US frigging Government legislate is what they do.

So a good start on the standards but it would be good to see compulsion come in.

Re:Why not start with an open standard?

[simong]

Hmmm, let me think... it's probably recommended by the US government for countries that aren't the USA.

Still no access to source code

[simong]

Bzzt. Thanks for playing. The United States of America is still a banana republic. What is so difficult about full and open scrutiny? The first principle of any electronic voting system is that it should be open. There can be no proprietary code. It doesn't matter if Joe Six-pack can't read it, as long as someone who is independent from the government and the contractor can.

Re:Still no access to source code

[swillden]

Bzzt. Thanks for playing. The United States of America is still a banana republic. What is so difficult about full and open scrutiny? The first principle of any electronic voting system is that it should be open. There can be no proprietary code. It doesn't matter if Joe Six-pack can't read it, as long as someone who is independent from the government and the contractor can.

The reason that's not a requirement is that if the other requirements are defined correctly, access to the source code is irrelevant. If the other requirements are not defined correctly, access to the source code is also irrelevant, because there's no practical way to be sure what code is actually running on the voting machines.

The only reasonable way to do electronic voting is to define a system such that there is no way the software could manipulate the vote without being detected, no matter how malicious the software. It should be possible to contract the software development to Halliburton and let them keep all of the code top secret, and *still* have no worries that voters ballots aren't counted exactly as the voters intended.

Tall order? Not really. A voter-verifiable paper trail accomplishes this rather easily. If you want to get really serious about it, David Chaum's punchscan system provides every voter with the ability to verify their vote was recorded correctly, but without enabling them to prove how they voted to anyone.

Of course, I have no objection to open source voting machines. In fact, I think it's a really good idea for economic reasons. But in terms of eliminating election machine-driven election fraud, open source is neither necessary nor sufficient. It's irrelevant.

Re:Still no access to source code

[zestyping]

No -- a voter-verifiable paper trail, while useful, does not make source code irrelevant.

Voter-verifiable records only help ensure that votes are counted as recorded. They don't fully address problems that occur before the votes are recorded: votes can still be recorded incorrectly due to ballot presentation errors, or never recorded at all due to software failures.

Think of an election as a scientific measurement. In order to get an accurate result, the polling mechanism has to be free of bias. If the software crashes more often in one district than another, or sometimes skips contests, or fails to display certain candidates, that's going to bias your result. So it's essential to verify the whole software-controlled polling process.

And of course paper trails only matter when jurisdictions order a recount, and even then only for voters who carefully checked their printouts. So it's still quite possible that a vote could go misrecorded or miscounted due to bad software, despite the presence of a paper trail.

And finally -- what is responsible for printing the paper trail? Why... software. It's not hard to write software that produces misleading or confusing paper records. So again there is a vulnerability to software.

In short, if software is involved in ballot presentation, vote recording, or audit trail production, the software matters. I'm not saying paper trails are bad, just that they don't solve the whole problem. Source code inspections are essential.

Re:Still no access to source code

[swillden]

Perhaps you're understanding something different than I mean when I say "voter-verifiable paper trail".

What I mean is that the voting machine's sole purpose is to print out a paper ballot. That ballot is the real vote, and it is easily human readable and verifiable. The voter can, and should, verify that the printed ballot correctly represents their selected choices. If a voting machine generates ballots that disagree with the user's selections (i.e. system error, not user error), then the system should be removed from service.

Note that it is not necessary for all voters to check their ballots to catch a bad machine, only for a small percentage of them to check it. Suppose that the Halliburton-written machines shifted 1% of the votes to the Republical candidate, and suppose that only 1% of the voters check their ballots. Given those (low) rates, any election with more than 60,000 voters has a 95% chance of detecting the fraud during the election, not to mention any pre-election testing. 100,000 voters gives a 99% probability of detection, and larger elections are essentially guaranteed to detect the fraud.

In reality, I'd expect that most voters would check their ballots, so any election with more than a few hundred people would detect a 1% fraud rate.

Think of an election as a scientific measurement. In order to get an accurate result, the polling mechanism has to be free of bias.

Mmmm, no. The mechanism has to be free of *undetectable* bias. The system (which includes the mechanism) must attempt to detect bias/error in measurement. Such detection is both easy and well-understood.

And of course paper trails only matter when jurisdictions order a recount, and even then only for voters who carefully checked their printouts.

Nope. Even if the ballots are counted electronically, precincts should be randomly selected for a recount to verify the voter-verified count against the electronic counts. Ideally, the ballots should be machine-readable as well as human-readable, to allow a large percentage of the precincts to be fully recounted without excessive cost. A subset of those should also be manually recounted.

Finally, all of these counting processes can and should be tuned against the margin of the tightest race in the election. It's a very simple statistical calculation to determine how much verification must be done in order to assure that the possible system error is less than the tightest win margin.

Given a system that uses appropriate statistical sampling processes to verify the vote, code inspection isn't useful.

But that's actually the *LESS* important point.

The more important point is that code inspection doesn't tell you anything anyway. Assume that you have thoroughly vetted all of the code. Assume that your vetting process is so good that no biases can be hidden. How, then, do you ensure that the code that you vetted is actually running on the machines? I should point out that I design and implement high-security systems for a living, and a lot of my time is devoted to finding solutions to exactly this problem. It's much, much harder than you might think. It can be done in controlled circumstances, on specialized hardware, at great cost and with great effort. I posit that it's impossible to do it for an election system.

Re:Still no access to source code

[zestyping]

Perhaps you're understanding something different than I mean when I say "voter-verifiable paper trail".

I'm pretty sure we're talking about the same thing.

Did you see this part of my comment?

If the software crashes more often in one district than another, or sometimes skips contests, or fails to display certain candidates, that's going to bias your result.

Don't you think that would influence an election?

Re:Still no access to source code

[swillden]

Did you see this part of my comment?

Yes, but I thought my response to it was implicit in my response to the rest.

If the software crashes more often in one district than another, or sometimes skips contests, or fails to display certain candidates, that's going to bias your result.

Don't you think that would influence an election?

Don't you think those behaviors would be noticed? I certainly do, especially if the printed ballot showed all races, even those the voter didn't state a preference on. The hardest-to-detect of the behaviors you mention is crashing, but even that one would be fairly obvious to anyone bothering to look.

It's also worth noting that the punchscan system addresses these concerns very effectively, and does not require open source software to do it.

I notice, though, that you completely ignored my point that source inspection is useless. Twice. Why is that?

Re:Still no access to source code

[zestyping]

I notice, though, that you completely ignored my point that source inspection is useless. Twice. Why is that?

Let's go back a bit to clear up what we're discussing. You made a number of points in your first comment. I chose to address just one of them because I didn't have the time to engage in multiple debates with you simultaneously. But I'll explain my thoughts more fully now so you can understand where I'm coming from.

I see three points you're made so far (please confirm):

1. Paper audit trails make source code irrelevant to voting system correctness.
2. Punchscan allows every voter to verify that their vote is recorded and counted correctly.
3. It is impossible to ensure that the code running in the voting machines matches what was reviewed.

Here are my positions:

1. I disagree. Even with paper trails, software is still relevant.
2. I agree. Punchscan's end-to-end verification mechanism goes far beyond what a VVPAT can do.
3. I think it depends on your level of confidence. I agree this is hard to do. If you want 100% confidence, sure, it's impossible. But the confidence level is also not 0%.

My more general point is that all these things -- the correctness of the code, the use of voter-verified records, measures against tampering with the installed software, and more -- contribute to increased confidence. You cannot point to one of them (VVPATs) and say that it completely eliminates all effects of another (the code).

I decided to respond to your point #1 because it was the one I had the strongest objection to. I'll separate out my more detailed response to that, since this is getting rather long.

Re:Still no access to source code

[zestyping]

You wrote:

The only reasonable way to do electronic voting is to define a system such that there is no way the software could manipulate the vote without being detected, no matter how malicious the software. ... A voter-verifiable paper trail accomplishes this rather easily.

I don't think it's all that easy.

Based on what you're written ("The mechanism has to be free of *undetectable* bias." and "Don't you think those behaviors would be noticed?"), I suspect you are making the assumption that detectability is what matters. But that's not enough; the bias has to be actually detected, and a detected bias is okay only if election administrators can recover, and do recover, from the problem.

It appears that where you and I differ is a matter of scope. In the theoretical world, all that you need is a conceivable possibility of an error being detected in order to rule out dependence on software. But in practice, it's more complicated than that.

For example, let's talk specifically about VVPATs. Forget crashing or bad ballot presentation for the moment; I'm just talking about a machine that, some fraction of the time, prints the wrong selections on the audit trail.

Take your scenario with 60000 voters, a machine that misprints 1% of the VVPATs, and a 1% probability that each voter will competently check their VVPAT. Each of those 600 misprinted VVPATs has a 99% chance of going undetected, so the chance that all of them will be undetected is 0.99^600 = 0.0024. So the chance that at least one will be detected is around 99.76%. So far so good. (I'm not sure how you got 95% -- I'd appreciate you walking me through your math.)

But what happens when a voter thinks there's something wrong with their VVPAT? Do you shut down the entire election and start over? Do you launch an investigation of the voting system vendor? Certainly not according to current practice. How many voters have to report a problem before you re-run the election? Keep in mind you can't just do a recount -- you have to repeat the polling process because it's the paper records that are in question.

Suppose it takes 10 voters who are confident that the machines are faulty to force a re-run of the election (an improbably tiny number by current standards).

The probability that 0 voters will detect a problem is 0.99^600 = 0.241%.
The probability that exactly 1 voter will detect a problem is (0.01)*(0.99^599)*C(600,1) = 1.458%.
The probability that exactly 2 voters will detect a problem is (0.01**2)*(0.99*598)*C(600,2) = 4.410%.
In general, the probability that k voters will detect a problem is (0.01**k)*(0.99*(600-k))*C(600,k). Here's what this looks like:

• P(k=0) = 0.24%
  P(k=1) = 1.46%
  P(k=2) = 4.41%
  P(k=3) = 8.88%
  P(k=4) = 13.39%
  P(k=5) = 16.12%
  P(k=6) = 16.14%
  P(k=7) = 13.84%
  P(k=8) = 10.36%
  P(k=9) = 6.88%
  P(k=10) = 4.11%
  P(k=11) = 2.23%
  P(k=12) = 1.10%
  P(k=13) = 0.50%
  P(k=14) = 0.21%
  P(k=15) = 0.08%
  P(k=16) = 0.03%
  P(k=17) = 0.01%
  P(k>=18) = small

Now the probability that the problem will not be corrected is the probability that k is less than 10. That's the total of all the values P(k=0) through P(k=9), which is over 84%. The chance of recovery is less than 16%, which doesn't sound so good anymore.

But it's still worse than that. What is the likelihood that a voter who detected a problem won't just think they made a mistake? Is such a voter likely to think that the machine made the error, or that they made an entry error themselves? Suppose half the voters who find mistakes on their VVPAT cancel and re-enter their votes. The other half (probably a generous fraction) are convinced that something is wrong and register a complaint.

That means 20 voters have to detect the problem in order to cause recovery. Now the chance that the problem will escape detection is the sum from P(k=0) to P(k=19),

Re:Still no access to source code

[zestyping]

How, then, do you ensure that the code that you vetted is actually running on the machines?

The short answer: chain of custody.

Like any other piece of election equipment, the voting machines have to be physically protected from the time they are configured to the time they are used. The same holds true for mechanical voting machines, paper ballots, electronic pollbooks, and so on.

I'm not saying that current procedures for this are adequate -- far from it. Obviously if you leave the machines for unattended sleepovers, they're likely to be vulnerable to tampering. On the other hand, protection of physical equipment is relatively well understood; the risks can be identified and reduced. There is certainly a much longer history of experience in moving things securely from place to place than in recounting voter-verified paper trails.

The problem in this case is not the same as the general attestation problem, which is extremely difficult (though many people think even that is not impossible). We aren't talking about mass-distributed consumer electronic devices that people can rewire in the comfort of their homes in an effort to make them lie about the software they are running. We're talking about moving a machine from one controlled environment to another controlled environment.

If your position is that physical security can be expensive, I have no dispute with you there. If your position is that you don't trust the computing hardware to function correctly, I offer no argument -- in that case all electronic voting is infeasible, VVPATs are moot, and Punchscan is the only solution. I consider that a position worthy of consideration, though I do not take it myself. I think it is possible to trust the hardware, but I'm willing to be convinced otherwise.

Works just fine in the UK

[Nursie]

Walk into polling centre (these are set up in schools and community halls and are likely less than a mile from your house), pick up piece of paper, go to a booth, put your mark in the box next to a name (With a big sign up saying if you miss the box or mark two you're not going to be counted), put it in the ballot box.

Punch cards, machines, everything else, just unnecessary. I never understood the whole situation in the US where you have people queueing and some unable to vote due to being in line too long.

One would almost think the organisers didn't want people to vote...

Re:Works just fine in the UK

[zestyping]

Ballots in the United States typically have 20 to 30 contests on them. The Chicago ballot in 2004 had 90 contests.

Receipt

[Geoffrey.landis]

Printed voting receipt

If the receipt shows that you have voted, but doesn't show how you voted, I don't see what use it is to making the process verifiable.

On the other hand, if the receipt does show how you voted, it defeats the point of the secret ballot.

...I do agree with the open source part (at least, meaning "all voting and counting software must be available for inspection.")

Code can be altered on the fly

[Catbeller]

This is utter silliness. So what if you review the code? So what if there are "open standards"? The code you review can be swapped out on election day any number of ways! I mean, you are all programmers, mostly. How can you possibly fall for this? And there is code on the point of voting, code at the accumulators boxen, running Windows may I add, code at HQ adding up the accumulators' totals. It's the work of a morons's minute to swap out vote totals, or change the code at the point of voting to simply flip the voter's choice undetectably -- printing out a "receipt" that is worthless as record of what actually happened. The code can be changed and then replaced instantly. Or more likely, why bother? Who the hell can tell what code is really running on the box? The problem here is you all have a religious belief that when you ask a computer a question, you'll get an honest answer. But these are dedicated boxen, controlled by humans who are extremely motivated to alter the results. You can't beat them. You can only remove the means. No computers system should ever come near an election.

Canada does (did? sigh) vote using a manual process with real time oversight by suspicious characters from both parties present -- you know, the process we decided was mad in Florida in 2000. Somehow they finish up their elections in hours. Although, really, what the hell is the hurry to finish an election? Why not take a week? Someone REALLY wants to alter those votes. They want it quick, unmonitored, and completely open to tampering, and somehow this is the Only Way To Do It?

This idiocy wouldn't stand if we didn't have Kourictainment for a news media... god.

Re:Code can be altered on the fly

[swillden]

Canada does (did? sigh) vote using a manual process with real time oversight by suspicious characters from both parties present -- you know, the process we decided was mad in Florida in 2000. Somehow they finish up their elections in hours.

The reason they can count quickly is that they have so little to count. I don't mean in terms of number of ballots, I mean in terms of ballot complexity. A US ballot often has upwards of thirty or forty separate decisions recorded on it, because it combines federal, state and local elections, and because the US system votes on many offices that are appointed in Canada (and elsewhere).

Personally, I wouldn't mind waiting a few days for the outcome, but for some reason Americans don't even want to wait until all the votes have been cast before getting the answer. Canadians might not like it either, but under their system they can use pencil and paper and still get the answer quickly.

And the FAQ, too.

[Geoffrey.landis]

I definitely recommend reading the guidelines. There's a lot of stuff in there.

Yes, and I suggest reading the FAQ, too:

"Q: Will the source code be available to the public?
A: No. The EAC will make all information available to the public consistent with Federal law. The EAC is prohibited under the Trade Secrets Act (18 U.S.C. 1905) from making the source code information available to the public.

This is a bad idea. A much better idea is this: "No voting machine shall be certified unless the vendor makes the source code available for public inspection." This is fully in compliance with 18 U.S.C. 1905: any company has the right to keep their code proprietary. However, if they do so, they should not be allowed to have their machines used in public elections.

Voting should be secret. Vote counting should never be secret.

It's called paper

[sheldon]

We use paper here in Minnesota, and the ballots are scanned with an optical scanner. It's pretty damn easy, on the ballot are two arrows next to the name and you draw a line between them if you want that selection.

The amazing thing is you can still vote if the power goes out.

It's highly scalable, as voting station tables are cheap and easy to store and setup. you can have a two dozen of them at a polling station for not much money.

The optical scanner is there to count ballots. But they can be counted by hand if need be.

Anything else is TECHNOLOGY IN SEARCH OF A PROBLEM.

Oh yeah, Florida dumped their stupid electronic machines and plan to use the optical scanner like we have in minnesota. Maybe because it works. duh

Re:It's called paper

[chaos421]

i totally agree. the only downfall is the waste of paper. compare that to the power requirements for totally electronic voting and it's probably a wash. in the future, we'll all be able to vote online somehow.

Getting rid of the queues

[Strategos]

They should just allow you to text a vote in. One vote one phone. Only from registered phones. That would get rid of the queues.

Re:Getting rid of the queues

[justinlee37]

In Oregon we have mail-in ballots; you just register to vote, and all of the materials show up in your mailbox.

plain paper voting

[abnoctos]

there is no need for computer technology to be incorporated into voting. in fact, it unnecessarily opens the system to fraud. ANY database solution is inherently open to corruption on a massive scale without the ability to audit the results. people (around the globe) have been casting votes for hundreds of years without the need of a black box intermediary. in america, as most places there are plenty of volunteers who will monitor polling stations and tally the ballots. should staffing ever become a problem, summon citizens in a manner similar to jury duty. (although, i seriously doubt this in any where near being problematic.) the volunteers count ballots using the basic count/recount/audit methods used by most schools selecting asb officers (albeit with any additionally required security measures?). this process is incredibly simple and causes "election rigging" to require massive manpower and coordination to achieve - in contrast to electronic voting (including scantron and every other method i've heard of) which is moderately complicated to coordinate and opens the possibility of fraud without recourse. no need for punch cards. no need for electronic terminals. no need for databases. paper, pen, volunteers, calculators, supervisors.

120 Days + 120 Days... Don't procrastinate.

[dhj]

The press release http://www.eac.gov/vvsg/News/press/eac-seeks-public-comment-on-tgdc2019s-recommended-voluntary-voting-system-guidelines-online-comment-tool-now-available says the VVSG will be open for public comment for the next 120 days. After the 120 days they will internally review/modify the document and then re-open it for comments for another 120 days. If you have posted some brilliant, insightful bit of wisdom here on slashdot for karma... PLEASE TAKE THE TIME TO LEAVE A COMMENT IN THE RELEVANT SECTION OF THE VVSG. I am guessing comments that get posted in this first 120 day period will have more influence than those posted in the second 120 day period.

Stop! Who believes computers won't fail?

[lanibrown]

It's what we do when they fail that makes a difference. Right the broken machines and processes. Yes. But prepare for the glitch. Change election laws to recognize statistically improbable results for what they are and let those voters who were victims of the failed process resubmit their vote. A MARGIN OF ERROR: BALLOTS OF STRAW, novel of the stolen election. Featured on http://votersunite.org/

They make some bad assumptions

[John+Sokol]

It assumes the voting system is based on the "VOTING MACHINE" and not the algorithm's and network.

The assumption is that voting is based on the "VOTING MACHINE", but this isn't always the case.
So any system fitting there template must rely heavily on "SECURE VOTING MACHINE HARDWARE" and looks at physical Security totally over looking the network and electronic security.

My largest single concern is the possibility of a clever software trick that could alter larger numbers of votes in mass using some automated process.
Such as pre-loading the "BLANK" voting cards with a negative and positive bias in favor of one candidate that was seen in the last big election. This was caught when some candidates had negative votes, something that shouldn't be possible!

I will post here next my MailClad system that doesn't require any secure hardware or networks..
It's a rough draft but any criticism and suggestions are appreciated.

It assumes all are untrusted.
Hopefully I will be able to get this up on my web site soon mailclad.com and it's sourceforge page.

Proposed MailClad system

[John+Sokol]

MailClad system that doesn't require any secure hardware or networks..

This is a very rough draft but any criticism and suggestions are appreciated.

my approach, it's actually very simple, and based on the same solution that the Horse racing tracks, Vegas Casino's, lotto lottery system uses and many others.

Plain Random numbers, in a secure data base, no encryption at all. The "software" and underlying network, will not be able to alter or bias any of the results.

See: http://www.dnull.com/~sokol/patent/WO2005048082A2.pdf

This is related and similar in concept.

Mailclad is very similar to the scratch off lottery tickets. Something time tested, secure since there is a LOT of money at stake and something even old people can use.

Mail is assumed to be too cumbersome to interfere with and not go unnoticed. There are already laws in place protecting it and special agencies already in place to investigate mail theft.

So a person gets a letter in the mail, in that letter there is printed numbers, possibly with bar codes. maybe scratch off or tear off or anything really. That person then can enter those number into a web site, over the phone, or at a polling location, that is using regular off the shelf PC's or Mac, or anything with a web browser or some data collection GUI or scripts to collect these number.

The numbers are all unique, for each candidate, and voter. The only place the "meaning" of these numbers is recorded is in 2 locations.
1.) on the paper mailed out.
2.) in a Vault where the letters were printed and mailed out from.

#2 is a process that is identical to the Lotto and racetrack tickets, where again a LOT of money is at stake and has never been cheated.

So number are collected, and shared publicly with all parties.

After the election, the number and there associations to the "votes" are shared publicly also. So at that point anyone can compute the election results.

The data that connects a voter to there numbers only is on the mailed letter, and not recorded, so there is know knowledge who received what numbers.

Hence the Name MAILCLAD, where the public mail service provides much of the security, and the sheer physical BULK and tamper proof mail envelopes.

In my scheme, Total anonymity is given, while results can easily be verified.

Problem here is several,
Computers can not be trusted.
Humans from any single organization can not be trusted.
(I assume some small centralized over site by several opposing parties is safe)
Communication network can not be trusted.
Any cryptographic system based on Primes can be cracked with sufficient CPU power, or Quantum computers.
This covers all DES, AES, RSA, PGP and public key systems
cryptography seems to ignore information theory, specifically what is needed to extract a signal from noise or alter it.
Based on information theory my system is unbreakable

Other considerations here.
Voters must be protected from coercion, such as from a workers Union that might wish to verify someones vote.