Hard Evidence of Voting Machine Addition Errors

goombah99 writes "Princeton Professor, Ed Felton, has posted a series of blog entries in which he shows the printed tapes he obtained from the NJ voting machines don't report the ballots correctly. In response to the first one, Sequoia admitted that the machines had a known software design error that did not correctly record which kind of ballots were cast (republican or democratic primary ballots) but insisted the vote totals were correct. Then, further tapes showed this explanation to be insufficient. In response, State officials insisted that the (poorly printed) tapes were misread by Felton. Again further tapes showed this not to be a sufficient explanation. However all those did not foreclose the optimistic assessment that the errors were benign — that is, the possibility that vote totals might really be correct even though the ballot totals were wrong and the origin of the errors had not been explained. Now he has found (well-printed) tapes that show what appears to be hard proof that it's the vote totals that are wrong, since two different readout methods don't agree. Sequoia has made trade-secret legal threats against those wishing to mount an independent examination of the equipment. One small hat-tip to Sequoia: at least they are reporting enough raw data in different formats that these kinds of errors can come to light — that lesson should be kept in mind when writing future requirements for voting machines."

Well then perhaps you should consider this

[goombah99]

The fact that the company is using legal threats to suppress investigation into the errors is a good argument for using open source equipment that anyone can inspect. I do NOT trust a proprietary solution. Open voting consortium needs volunteers and money. Unlike a normal open source project where all that matters is the quality of the code. This one needs feet on the ground and money to travel in order to get laws changed in 50 states to allow the use of the equipment. (for example many states have laws about how ballots are defined that this protocol requires changing. Many states require certifications which are far from free. But mainly it takes demonstrations and lobbying.)

Right now they have a matching grant challenge, so nows a good time to offer cash. But think about also being an advocate in your state for getting the laws to allow this system.

OVC not only has open code but it also has an open bussiness model. They won't require you use it on any hardware they offer. It runs fine on off the shelf equipment. Any company could use the code, states could use the code. OVC would simply maintain it and certify that it is being deployed correctly.

Open voting solutions is another open source project with a different bussiness model but open code.

Re:Simple solution?

[corsec67]

I can't believe that people STILL don't understand what is wrong with a receipt of how you voted that you remove from the polling place.

Boss: "Show me your receipt for candidate X tomorrow or don't bother showing up"
Husband: "Show me your receipt for candidate X tomorrow or it will be painful"
Creepy Person outside polling place: "Show me your receipt for candidate X and I will give you $10"

Yes, a paper trail is important, but one that you can refer to outside the polling place has very different problems.

Re:Next article:

[discogravy]

I realize you were going for Funny, and got there, but for those unaware, Prof. Felton is not new to this game, has done research (and testified about it) on the MS' "IE can't be removed" antitrust defense, Diebold voting machine bullshit, and Sony's rootkit bullshit among a few other things.

He's got bona fides as a researcher in the field, and I believe was asked to do this work in TFA -- DMCA notices are going to roll off unnoticed, like ....well, like votes for the democratic party on one of these Sequoia machines, apparently.

How OVC system works

[goombah99]

OVC is not merely yet another touchscreen. It's a different kind of voting system. It's procedures are straighforward and simple yet at first blush may seem overly elaborate. In fact each of the seemingly simple steps in the process is a result of long deliberation by many voting system and security experts to foreclose various error modes and attack modes (e.g. chain voting, or secret ballot violations) while not making something too complex to operate and maintain. It also has to fail in a safe mode and be robust against operator error.

Here's the process:
1) voter makes selections on a touchscreen. These are recorded but this is NOT a cast ballot or a record of the vote.

2) computer prints out a paper summary ballot of the voters choices in an easy to read ballot-like format

3) also along the edge is a 1-D barcode encoding the selections in an obfuscated but not encrypted format.

4) voter can now cast this ballot by depositing it in a metal box. Or they can tear it up and ask to vote again. or they can walk out with the ballot if they like (it's not cast unless deposited so it's not a "receipt").

6) After polls close, witnesses and the election judge unseal the box, and hand shuffle the ballots to destroy any residual vote order.

7) then election workers, use a bar code wand to scan every ballot. As it is scanned the ballot is recreated on screen and the judge can compare any ballot she chooses to the paper copy. (this provides one of many random checks on the fidelity of the bar code)

8) as each ballot is scanned, the computer also checks the ballot creation record of the ballot generating machines. Every ballot must have a valid ballot creation session that matches the paper ballot. (the reverse is not true--there will be more ballot creation sessions than actually cast ballots since some ballots were discarded or taken and revoted.) This step is a partial safeguard against ballot stuffing, since an attacker will now have to modify many records and witness accounts to change the ballots (alter the machine records, alter the paper ballots, alter the turned in ballots, etc... And alter various anti-forgery measures)

Nice features:
1) nothing forecloses hand counting the paper in a recount since it's the official ballot not the electronic record or the bar code.

2) the untrusting voter can take the printed ballot to a third, un-netowrked machine to read the barcode back to him to see that it matches. Or she can leave with it and take it outside to some place that will also do this (say the ACLU or the Green party might have a booth set up offering this) Or she could take a cell -phone picture and decode it using some bar-code reader on the web. etc.....

It's a good test because even a single failure leaves the voter with deomstable official proof of an error. And it's robust because an error in the bar code discovered late in the process does not screw the election--you can still recount the paper ballots text.

3) the bar code is made 1D and short, deliberately so that it is information strarved. There can't be any diaboloical things hidden in it, like the voters identity or ways to tell other stand alone scanners to collude in what they tell the voter is in it. Also it allows very low tech equipment to read it (cue-cats wands $5)

As can be seen theres many onion layers to the security model. It's not depeneding of fool proof steps to remain that way. It's robust against operator error.

Additional features are that the touch screen can be just a commodity computer. it boots off an un mutable cdrom not a disk drive. So after the elections you can simply discard the computers. That is, give them to schools or state agencies or sell them on e-bay. These are not sophisticated voting machines. This frees up the monies normally used for secure storage and maintainece.

Since the voting terminals are cheap you can have many of them to avoid lines or problems with machine failure.

Since t