US's First Internet Votes To Be Cast This Friday

longacre writes "If you thought online voting in America was a distant pipe dream (nightmare?), think again: the nation's first Internet-based voting system goes online this Friday, just days after the release of the Damning Report On Sequoia E-Voting Machine Security we discussed yesterday. In the first real world run of the Okaloosa Distance Ballot Piloting (ODBP) test program, election officials from Okaloosa County, Florida have set up kiosks in Germany, the UK and Japan where 600-700 absentee voters — mostly military personnel — are expected to cast ballots. Security experts still have many questions, of course, particularly on the potential for interception of voting data while it travels across oceans (via 'secure VPN'), the security of the kiosks ('hardened laptops' with no hard drives and other sensitive components disabled) and the security of the three data centers (one of which is itself housed overseas, in Barcelona, Spain), not to mention the fact that Florida doesn't exactly have a stellar record when it comes to vote counting. Florida's Dept. of State also has a fairly detailed outline of ODBP's components and processes [PDF]."

Floriduh

It's been two election cycles, everyone still thinks Florida is the only state with voting problems. Get over it.

And if they get 500 votes for Ron Paul ...

[Ungrounded+Lightning]

... they'll claim it's a crack even if they were legit. (Does the system accept write-ins?)

Now if they get 500+ votes for Mitnick...

Re:And if they get 500 votes for Ron Paul ...

[Ungrounded+Lightning]

BAD IDEA.

Which? Ron Paul, or Mitnick?

The Internet balloting is primarily servicemen. If there is a way for them to legitimately vote for Ron Paul (either he's on the ballot or there is a way to write him in) they MIGHT get some large number of LEGITIMATE votes for him.

Re:And if they get 500 votes for Ron Paul ...

[theaveng]

>>>George Bush: The Republican Jimmy Carter.

Actually Bush is more like Richard Nixon - an unpopular president during an unpopular war and a crumbling economy.

BARACK OBAMA will be the next Jimmy Carter - inheriting a royal mess and unable to clean-it-up in just four years time.

WTF?!??

[jddj]

How can internet voting be both guaranteed "secret" - as in "can't tie the user to the choice of candidate", and at the same time ensure that individuals (never mind bots) aren't casting more than one vote?

Re:WTF?!??

[sakdoctor]

Using encryption, exactly what you asked for can be done.
I suggest you start your reading by looking at blind signatures.

Of course, it won't be implemented correctly, but e-voting is mathematically possible.

Re:WTF?!??

[CaptainPatent]

I think you misinterpret what the intention is. While voting is cast back to the US via the internet, these are still electronic voting machines in a designated location for military serving overseas to vote at. Registration is still subject to the same checking procedure and you can't just do this from home. What the worry is deals with the addition to internet encryption / security and not registration checks.

Re:WTF?!??

[IceCreamGuy]

Dude, RTFA, even just read the summary, it's not like they pull up a website from their living room and click a fucking "vote here" button, the only place to vote is on secured laptops over a VPN from a specific location. Clearly the big "if" is "if they can do it correctly," however I think the idea that it can't be done is just paranoid and ignorant of the technology discussed in the article.

Re:WTF?!??

[sakdoctor]

More specifically:

http://en.wikipedia.org/wiki/End-to-end_auditable_voting_systems

Re:WTF?!??

[JesseMcDonald]

Well, let's look at how a traditional absentee ballot works:

To begin with, you have a list of eligible voters and some way of identifying each of them. This is easy enough to duplicate with public keys, passwords, whatever.

The ballot itself consists of an inner part, containing the actual selections, and an outer part, containing the voter's ID. The inner part is sealed, and remains that way until the ID portion has been stripped away.

The same thing can be done with encryption. Create the digital equivalent of an anonymous ballot, indicating your preferred candidates. Encrypt that ballot (with a "salt" value to ensure uniqueness) with the public key designated for the purpose. Sign the encrypted ballot with your own public key and submit it.

When the voting authorities receive your ballot they simply validate the signature and store it for later use, still in its encrypted and IDed form. If you change your mind, or the original ballot was submitted under duress, etc., you can submit a new ballot later or show up in person on the day of the vote, and the old ballot will be discarded unopened.

When it's time to count the votes -- after deleting the obsolete ballots of anyone who showed up in person -- the ID information is discarded (permanently) and the raw ballots are decrypted and counted. The tricky part is ensuring the complete destruction, or at least disassociation, of the ID data, but that's just a matter of developing the proper policies. The same concern applies regarding current absentee ballots.

Re:WTF?!??

[pfbram]

Not really, it's arguably a regressive/recursive problem. Even if the encryption is 100%, the OS could have a back-door and the private key might leak out. There are potential weaknesses at all levels on the layered network model (for instance, the OSI model). I spent some time on this problem myself, designing a concept in which the machines would: (a) print out a receipt to the voter, containing the vote itself -- as well as a unique session/hash number. (b) print the same data on an internal paper-based receipt which is visible through a window (the voter could visually inspect it, and match it with his print-out or complain to the election judge immediately that there was a mismatch). This internal copy/spool would be retained for manual recounts. (c) retain it electronically. But in the end you have a system which is a LOT more complicated and expensive than an ordinary paper-based system, and therefore more easily corrupted in the end anyway. You also have a system which probably can't handle write-ins, without complex handwriting analysis, it would be implemented by a vendor with heavy political connections to the party in charge (basically a truism), etc. I genuinely believe it to be a regressive/recursive human/machine problem.

First?

[DoofusOfDeath]

US's First Internet Votes To Be Cast This Friday

How do we know that Internet voting hasn't already occurred, if we can't see Diebold's source code?

Re:First?

[clam666]

The fact that government officials are even considering internet voting, e-voting, early voting, or any other changes to voting show how much they want to control people and absolutely remove the concept of a government elected (and deriving it's powers) from the populace via representative government chosen accurately and freely.

We have all sorts of voter fraud, deception, dead people voting, and tampering with a voting system based on paper ballots which could be shoved in a box and counted in front of witnesses, and a solution is to shove MORE of the mechanisms of voting into the shadows? Having the algorithms and technology being used hidden from any eyes and oversight? I'm not talking the "source code" that's shown to people, but what's actually installed on the box. Stuffing 2 paper ballots instead of 1 by a person adds slightly little to the total votes, and to manipulate the vote successfully requires a large number of people, duplicate voters, bussing around people from location to location, etc., which decreases the ability to hide a secret collusion to at least a small degree. To change it so one person can change thousands of votes with a simple UPDATE statement or any other security violation technique required, is a much worse proposition.

This clearly shows to me that both political parties are doing absolutely as much work as possible in order to remove control from the electorate and transfer it to a political class, on the basis that they all support these types of systems and do nothing to secure true votes from the people (with the possibility of it being at the expense of their own power).

I'd like to think that there is a secret altruistic reason for doing this, such as an acknowledgement that when a government falls towards democracy it will inevitably destroy itself and transform into a dictatorship or tiny ruling political class (like an apartheid government). I'd like to think this is a secret attempt to control the voting to a level that would prevent the American republic from falling to a real democracy and mob rule, however this would require me to expect a lot more from the people in government than is possible, including intentions to preserve freedom, altruism, and politicians not spending millions of dollars for a job that pays little and expects bigger quiet "payoffs".

I think the reality is that we've already passed that point, and this is a move straight to a dictatorial style of government, and controlling the vote is, as always, necessary to move to a single party system (to remove any choice by the citizens).

There is no vote-safe electronic/internet voting technology that could be implemented safely and absolutely be correct and not subject to manipulation. Anyone telling you it is possible has an agenda, knows nothing about politics and elections, or is thinking purely in a tiny technology box and not the abuses or security issues of such as system. The only possible way it COULD work would not be electronic voting; it would be electronic creation of the paper ballot for purposes of removing hanging chads, validating that the person didn't vote for two different people for a particular job (which disqualifies a vote currently) , which is printed out and verified by the voter in a human readable form (I voted for "SMITH" for president, yes, that's what I picked), and then submitted to be counted by humans for humans.

security is irrelevant.

electronic voting is not bad because of either real or imagined security issues. That is totally irrelevant.

Electronic voting is bad because the procedure can not be verified by any layman. That should be the first requirement for any voting procedure.

Paper ballot procedures are easy to verify and anybody can do it. Simply keep an eye on the ballot box from the initial sealing of the box until the actual voting.

With electronic voting that is not possible. A paper trail comes close, but voters can screw that up by not putting there tag in the box, or any other random piece of paper in its place.

Bottom line: voting is about TRUST in the procedure first, the actual results second.

Re:First

[moderatorrater]

Sorry, they've already registered 200 votes for some nigerian guy and another 150 for penis enhancements.

It's probably better...

[nsayer]

... than the alternative

Rick the Vote!

[FourthLaw]

How long before some one hacks them to write in Rick Astley?

libertarian

[barv]

If banks can securely (with ~ 99.999% security) transfer thousands of dollars online, then the technology exists to securely permit voting online.

Anything that speeds up voting encourages greater participation. Our present voting system originated in the dark ages. The fastest communication was by horse, it took several days for a horse to get from one side of the USA to the other, or about 2 months by boat to get from UK to Australia.

If the internet had existed in the time of the founding fathers, I feel sure they would have used it to give the people greater oversight of the legislative process.

Re:libertarian

[enbody]

If banks can securely (with ~ 99.999% security) transfer thousands of dollars online, then the technology exists to securely permit voting online.

No, you miss an important difference between dollars and votes.

If a dollar is lost, it can be replaced by another dollar so banks figure in a loss rate and charge for it somehow.

A vote is unique, secret, and anonymous so if a vote is lost, it cannot simply be replaced by another (because you don't know what the vote was). In addition, a vote should be verifiable, e.g. there needs to be some way to check that the voting method worked (e.g. with a recount).

Re:libertarian

[rtfa-troll]

Two things; a) banks can't. Fraud is a serious problem.

More importantly; b) banks get to try again. Most electronic cash transfers have two ends. It's in the interest of each one to check it goes right. If one end is committing fraud then the other end will complain. You can then reverse the transaction (if you have correctly identified the parties) or at least take security measures so it doesn't happen in future.

Voting is different. In order to avoid vote buying it has to happen in secret and for the most part if you can check your own vote you can also show someone else how you voted. This is much harder than securing most financial transactions.

Re:libertarian

[zermous]

Well, we are supposed to assume, as a starting point for these kinds of discussions, that voting is good and that more accurate elections are more good. If this goodness is overwhelmed by the tragedy of the votes being cast by imbeciles for malicious people, then that is a problem to solve another day.

But quite apart from all that, it is also generally assumed that support for an election is more important than which particular candidate is elected. A more accurate election facilitates belief in the democratic process which keeps countries from dissolving into chaos or autocracy.

Re:libertarian

[zippthorne]

I've seen schemes presented to slashdot that would appear to solve the anonymity and verifiability problem. But I haven't seen any that are simple enough for the average voter to understand well enough to be confident that that has occurred.

I say that as an average voter, who's read some of the plans, and after a good deal of thinking couldn't find any holes, but also wasn't positive I just wasn't smart enough to think of 'em.

Re:First

[alexj33]

var myVoteInstance = new votingObject();
var publicMediaInstance = new publicMediaObject();

while (publicMediaInstance.areTheyWhining() == true)
{
myVoteInstance.vote(youknowwho);
}

Pipe dream?

[Drooling+Iguana]

If you thought online voting in America was a distant pipe dream (nightmare?), think again

So I guess now it's a tube dream.

Or possibly a series of tube dreams.

Re:Pipe dream?

[jez9999]

It's NOT a big truck.

Remember the disclaimers that apply

[dkleinsc]

1. Don't complain about lack of options. You've got to pick a few when you do multiple choice. Those are the breaks.
2. This whole thing is wildly inaccurate. Rounding errors, ballot stuffers, dynamic IPs, firewalls.
3. If you're using these numbers to do anything important, you're insane.

US's First Internet Votes To Be Cast This Friday..

[Subm]

US's First Internet Votes To Be Cast This Friday...

George W. Bush to be declared winner Saturday.

Internet voting is stupid and unneeded.

[FireStormZ]

Absentee ballots via the US mail work just fine... This is just smoke an mirrors to make people think there has been progress in fixing the American balloting system..

Not an Encryption Problem

[boatboy]

I agree it's possible to separate a user's choice from their identity and still provide an audit trail, but wouldn't any encryption scheme require that the 'user' provide some sort of identity - be it a public key, id #, etc.? Even if that identity was in no way tied to a particular vote, it is still considered a civil rights violation in many states to require id cards/drivers license/etc. In my state, you give your name, which is crossed out in a big book- and efforts to do otherwise have been called "racist" and "voter intimidation". In other words, you get to log in by providing any username and no password. Without reliably establishing identity, you can't verify that a person hasn't voted twice.

Re:Not an Encryption Problem

[pcolaman]

Not requiring an ID in my opinion allows for the realistic possibility of voter fraud on many levels. Who's to say that the person is that name? Who's to say they are a legal US Citizen? Who's to say they have voting privileges (Convicted Felons have their voting privileges taken away for a specific period of time)? Who's to say they haven't voted under 10 names already that day? Having a system where you can categorically say that this person hasn't voted yet and is eligible to vote will allow for a more fair system. Is it fullproof? Nope. Is it better than what you described. Fuck yeah. Crossing names out of books? WTF?! That's just asking for fraud.

Re:Not an Encryption Problem

[sumdumass]

I imagine it would work similar to the way it works in the states where these remote machines will be staffed and you will be issued a card based on your identity that gives three shots at casting one ballot. If you attempt to show up a second time, your name is checked on a list that says you already cast a ballot and the staffers would refuse to give you a card.

Absentee voting should all be provisional votes in my opinion. This means that your vote is in essence tracked so if it becomes challenged, it can be removed from the totals. There are anonymous ways of doing this or should I say ways of keeping your vote secrete even though someone could technically find out. These ways might include where enough people in the know will be notified is someone attempts to access your vote. If it is electronic, I think it should automatically yank your ballot, notify you and monitors that are independent from the state as well as the state election officials too. This way when someone attempts to check on your vote, then need a legitimate reason that can be justified to you, the state, all the candidates involved and so on where fraud can be detected and dealt with appropriately. If an employer or public official uses the information against you, there should be mandatory jail time along with severe civil damages. But this is just my opinion.

Sadly, we already have people in Ohio attempting to hijack absentee ballots and it is probably going on in other states. On the news last night, a woman reported that someone came to her door claiming to be the Official absentee vote collector and told her she needed to finish filling it out and give it to them. She supposedly claimed that she didn't believe them and it was at work so he would have to come back later and someone actually called her saying that was the way they are collecting absentee votes and she was supposed to give it to the worker who stops by. We have out of state college kids renting houses specifically to case votes while claiming to live there, they were actually back into other states going to school and comming back on weekends or in between classes to establish residency. They are currently under investigation by the Franklin county prosecutors office and my understanding is that they have word on others homes like that in other counties.

It is a shame that people want to game the system like that. It is more of a shame that they feel they need to do that in order for their candidate to win. I guess Ohio is doomed to have their will hijacked by out of town people supporting a candidate other then what they choose. I know who they are supporting but we will leave that out because a lot of people will excuse them for some reason.

internet voting is just lobby-budget driven

we have had paper trail voting every year the last hundred years. i costs very little, all votes are counted by 02.00 AM, with the last voter leaving the voting booths around 18. A second count is then done (by different people) which is done by lunchtime the next day.

all papers are stored forever in a deep mountain storage facility. we have all our votes stored over the last 100 years. if you would like to go count, say 1974's votes, just go ahead.

~80% of our population goes voting. (US today is 40% i believe)

i live in sweden.

Voting should always be done secretly

[shazzle]

Don't forget that after one can vote from home, or better yet, cellphone, votes can be sold MUCH easier. I don't think blackmail is out of question either.

Also, once daddy has made up his mind who the family is voting for, he can observe his family-members vote for the 'right' candidate.

It is still necessary to go to give your vote in a voting booth and for the sake of democracy, I suggest that voting should remain as easy and uncomplicated as it is. This is one of the only things I pride myself on being conservative of.

Re:Cost Effective?

[sumdumass]

It isn't really the costs of the voting at issue here. In the 2000 and 2004 elections, overseas ballots somehow got held up in the mail and even though the postmark was before the deadline, the state already tabulated the votes and didn't want to count the late arriving ones. Most of the over seas ballots are military personnel and for whatever reason, if it is no fault of their own, anyone potentially in harms way should have their votes counted.

So no, the cost isn't as important as counting the votes of the military and civilians in the immediate areas of the military personnel. In the 2000 elections, it actually took a lawsuit to get the voted counted. In 2004, they brought up the results of the 2000 lawsuits to for the count. This wasn't isolated to Florida either and the mail wasn't all held up in the same places. It had more to do with the increased volume of mail then any conspiracy but the result was people who probably should have their vote counted the most (it could literally be life and death for them), ended up almost not having it counted at all. This is an attempt to avoid that situation.

Re:Encryption vs ID Theft

[sumdumass]

They probably has poll workers or a senior officer in charge who gives the person access to it based on their military ID and checks their name off a list so they can only use it once.

Paper Trail Still a Good Option

[Jherek+Carnelian]

Without thinking too deeply about it, it seems like even internet voting could make use of paper ballots. The thing to remember is that the best way we've come up with to design an in-person voting machine is to use the computer to make it easy and clear which candidate the user is voting for. But print a paper ballot with those (and just those) selections so that the user can visually verify that the ballot matches their choices with no ambiguity.

So to do the same with internet voting would require a printer, a camera and at a minimum a clock for each 'internet voting machine.' The user fills out the electronic ballot and then remote end prints the paper ballot in full view of the camera with a clock also in frame with the ballot so that the user can verify the paper ballot reflects their choices. If all is good, the user clicks 'submit' and watches the paper ballot go into the ballot box, if he clicks 'cancel' it goes into the trash and the user goes back to filling out the ballot.

Now the reason for the clock being on camera too is to raise the bar for replay and impersonation attacks. It certainly isn't fool-proof, but no system of anonymous voting has ever been fool-proof. The goal is simply to make voting fraud en-masse prohibitively expensive. We will always have onsie-twosie fraud, but in the big picture that kind of fraud doesn't usually matter.

Andrew Appel.

[Irvu]

I would point out that at least one of the systems mentioned on that page has been defeated by Andrew Appel (see here) the author of the top-linked Sequoia study.

And, ultimately, as much fun as these systems are they often ignore the far more real problem of vote observation and intimidation. This isn't an indictment of the algorithms per-se but the reason that we have a closed voting booth is that voting in the open lends itself to voter indimidation (i.e. show me you vote the right way or I'll fire/kill/pay you) which has been a real problem in the U.S. Granted this problem also exists with absentee ballots and "everyone vote absentee" methods like Oregon's Vote By Mail, but in the rush to develop auditable systems this often gets ignored.

Additionally, at least the end-to-end systems that I have viewed suffer from the problem of auditability, no means to confirm the end message with the local understanding, and a problem that the connected server can itself be compromised meaning that wired in votes can be miscounted with no means to audit them.

Re:Andrew Appel.

[Irvu]

The website ishttp://www.cs.princeton.edu/~appel/voting/index.html

wtf, voter turnout depends on tallying speed?

[jonaskoelker]

Anything that speeds up voting encourages greater participation.

How long does it take the average voter to cast his or her vote, in your guesstimate? How long has it taken you? From my vague memory, it takes me transportation [2 x 2km by bike] plus five to ten minutes. If you mean to talk about tallying speeds, you're saying that some people go "I could vote, but because I'm going to have the result in $n days instead of... still getting the result in $n days, I'm not going to".

I don't know much about voter registration in the US [in Denmark, you get a card mailed to you that you hand in at the voting hall in exchange for an empty ballot], but I suspect that this is the real culprit. I remember John Taylor Gatto (.com) say in one of his talks that he sent some of his students (\in K-12) out on the streets handing out voter registration forms. People came running and screaming for them.

I think the danish system works very well. Voter turnout is still too low in my opinion (http://en.wikipedia.org/wiki/Voter_turnout says it's 87%), but at least the bar is fairly low; if people abstain due to apathy or a busy schedule, that's not really something you can fix by forcing them to turn up [and cast a blank vote].

But I agree with your view; actually, an overarching one: making voting easier makes more people do it.

If the internet had existed in the time of the founding fathers, I feel sure they would have used it to give the people greater oversight of the legislative process.

s/legislative process/all of government/. All power must be kept in check.