Early Voting Problems, Open Source Alternative
Techdirt makes note of some problems cropping up already for early voters in the presidential election. CNN covers some of the issues, including machines in a West Virginia county which recorded some votes incorrectly because of an alignment error. A lengthy discussion of the problems was also featured on NPR. Reader Rooked_One points out a related story at NPR about a voting program called PVOTE, written in Python and only 500 lines long. "Pvote is not a complete voting system. It is just the software program that interacts with the voter. Other necessary functions, such as voter registration, ballot preparation, and canvassing, are not part of Pvote. It is especially important that the voter interaction be correct because it is the only part of an election that must take place in private, whereas all other parts of an election can and should be subjected to public oversight and verification."
We're going to have a very close race and it's going to be more acrimonious than 2000. And when it hits the fan, they're going to be looking for a goat. Guess what, not who, it's going to be?
Folks are NOT going to be pleased that there's no paper trail or any other way to audit the machines. I may have to go and buy surplus paper voting machines and make a killing.
Even if you have a short program you still cannot guarantee that it works because there's still a system surrounding it. In fact you could even manipulate the CPU hardware to give you false results.
The _only_ practicable and moderately secure way to do an election is by pen and paper and manual counting. It's done all over the world and it works near flawlessly. Everybody, not just programmers, can watch the process and see what's happening. There's no "black magic" involved and it's completely transparent.
As soon as there is some form of technology involved, people will cease to understand it, therefore making the whole system intransparent and prone to manipulation.
Everything in Oregon is weird. We can't pump our own gas, we don't pay sales tax, and we do all of our voting by mail. It makes no sense, and it's ripe for corruption (though nobody has called the "C" word so far. At least not lately)
But it's kind of nice. No computers, no machines, just fill out your ballot and mail it in. I got my ballot in the mail yesterday. I've plenty of time to research the state and local ballot, so I can make an informed decision.
The Internet is generally stupid
By doing a COUNT() on some database field? :|
That's good. It means that the trusted computing base is only a POSIX kernel, a C standard library and a Python runtime. Only about 100MB of source code to audit to ensure that this 500-line program runs correctly.
I am TheRaven on Soylent News
Here's some reasons:
1. Avoid undue pressure. As most everyone knows, the city of Chicago is run by the Democratic machine. If you publicly were to vote Republican, you'd probably not get your garbage picked up or any of the other services the city provides. According to my wife, her grandma used to go vote (in Chicago) when it was busy, and tried not to be noticed, because she wanted to vote Republican but still wanted her garbage collected.
2. Make it harder to sell your vote. If I give you $500 to vote for McCain, I have to just trust that you did it. If it's a public vote, I can check.
3. Variations on vote selling that don't involve money. ("I'll break your legs if you vote Republican.")
4. Family pressures. Despite voting Republican in every presidential election since I could vote, I'm probably going to vote Obama, not because I like him that much on the issues, but because he seems more flexible and smarter than McCain. My mom is a staunch Republican and has kind of figured out I think this way. It's bad enough to get the weekly harangue without the tumult that would result if she knew for sure who I voted for.
The preferred solution is to not have a problem.
Vote this way or get fired, shot, killed, beaten etc.
That's why we have anon ballots
simple solution
The machine prints a ballot showing who you voted for and preferences, etc. The machine makes no receipt and no records; it only prints one.
then that Ballot gets folded and put into a box that is in the open such as http://www.nancarrow-webdesk.com/warehouse/storage2/2007-w46/img.75405_t.jpg
then you have an independent group that does the counting
not bipartisan, independent: every party and ind can put reps in there to watch; you have 2 people watching it at all times
also consider preferences and multi-candidate seats (and bin the EC)
What if your millionaire uncle tells you you're gonna vote for x, or you'll be out of his will?
What if your employer tells you you'd better vote for y or you'll be fired?
If your vote is public, all sorts of nasty stuff can happen because of your vote, and just knowing that it might will already influence your vote.
Why not simply make voting a public action? I'm voting for Obama. There. Done.
Because that opens it up to vote buying and voter intimidation.
If Bill Gates promised everyone $1000 to vote for him, he could buy 56,000,000 votes which would put him in the White House.
For intimidation, you don't have to intimidate everyone - just a small percentage in a few key states. Imagine if the CEO of WalMart told their employees, "If you work in Ohio, and don't vote the Right Way, you'll be fired." Even if it isn't an official, enforceable policy, it will still have a large percentage of employees worried for their jobs come their next performance review - and they will vote accordingly. With over 2 million employees, even 10% of WalMart employees changing their vote could affect the outcome of the election.
That's assuming that people with baseball bats don't just show up at your house and tell you How You Will Vote - Or Else.
Reading code is like reading the dictionary - you have to read half of it before you can go back and understand it.
Security-ly speaking, when it comes to voting machines, the software itself is a "hard point", meaning that it is actually quite difficult to leverage in such a way as to alter voting results *without suspicion of foul play*--even if it isn't open source.
Strangely in this case, the hardware itself is a soft point. (meaning everything from NVRAM to the touch display) It's trivial to misalign a touch screen on purpose, for example, and it can always be passed off as an error without drawing any meaningful suspicion.
So, while this python idea is of course a good one, it is a mistake to believe that it would actually fix anything on its own.
Why can't the US do what we do in Canada? You don't have to make this complicated.
In Canada, we show up to our polling station with our voter card, show the card and receive a ballot. We take the ballot, which has the names of the candidates and their party in large font very clearly, and put an X in the big circle beside the candidate we're voting for.
That's it! No fancy machines, no complicated forms, and no computers to go wrong or be hacked.
See this image:
http://www.elections.ca/yth/images/sample_ballot.gif
I'll Find You Peer, If It's The Last Thing I Do!!!!
I hope that I am not the only one who is amazed that 500 lines of Python code and a 200 page thesis paper that explains my methodology gets me a PhD at Berkeley.
I hope he did something else, that I don't know about, like recompile and harden a Unix kernel/ develop his own minimum OS for it to run on and dig through the bugs to determine the security flaws that would exist if he was to use Python.
For the first time in my life, I am glad that I am not pursuing a graduate degree in computer science. If that is what it takes, I think Cmdr Taco should get a PhD for giving us Slashdot. It is 10x more practical than "pvote" and is soundly implemented. When I think about it, Slashdot was near the front of web 2.0 because he provided a geek means of social interaction, maintains relevance to those in the computer industry, and wastes my time when I am bored.
Crap! I just kissed my karma good-bye.
Almost every place I've ever voted has had optical scans, generally of the connect the arrow type. They mail out sample ballots (marked sample and on different paper, no funny business there) several weeks ahead of time. You walk in with your voting card and/or proof of ID (the laws are getting stricter and require both in many places, now), the volunteers (almost always old people, setup so representatives of both major parties are present) mark your name off as voting and hand you an official ballot. This ballot should match the sample you got in the mail, or there'd be PR hell to pay.
You walk over to the booth, generally a portable table with a cardboard privacy screen fitted around the top. There's a pen of the proper type in the booth -- you can ask to have it replaced if necessary. For each race or proposition, it tells you how many you can mark -- for some state races you can select multiple candidates and the top X number are picked -- and you mark what you wish. For most candidate races (in most states) there's also a blank entry you can mark, and write-in your choice.
You don't have to vote for all races or propositions. If you screw up, you take the screwed up ballot back (using the privacy procedures below) and they give you another. (I've never actually screwed up, but this is what the prominently posted instructions say to do.)
When you are done, there's either a privacy cover (if the cards are printed on both sides) or instructions tell you to turn the marked sides in. You leave the booth and return to the sign-in area, where another volunteer takes the ballot and feeds it into an optical-scan machine right there -- you watch them do it and hear it beep and increment the ballot count. Again at this point, if it fails to read (tho I've never had that happen), you can get a new ballot and try again. The ballot itself is deposited in a lock-box for recounts, if necessary.
Many states have a no-reason-necessary early voting allowed policy. You can either request an absentee ballot and either mail it in or take it to an authorized polling place up to poll closing time on the date of the main vote, or go in and early-vote at the county recorder's office. A few elections ago I did just that, requesting and getting an absentee ballot in the mail, which I filled out, sealed in the provided envelope, and dropped by my normal polling place on the day of the vote. They had a lock-box for them. It was much more convenient than voting as normal, but I missed the voting ritual and it felt kind of weird watching the results come in that nite having not actually voted that day.
States differ in how they check the ballots, but Arizona (where I am now) at least, requires an audit of several (IIRC two) percent of the precincts, randomly chosen (the "random" process of choosing them is encoded in the law, with at minimum witnesses from both parties, both to the choice and to the verifications, the audited precincts are not known previous to the vote so can't be avoided that way). These audits hand verify the count of the optical scan machines.
This system seems pretty reliable to me. I still can't understand why the entire nation doesn't just go opti-scan, as the machines can be used to count and get quick results as necessary, while the paper trail is there for anyone wishing to verify things.
The biggest problem I've heard about, doing it this way, is the lock-boxes disappearing a couple of times. Each one holds a few hundred votes. Of course, there's an accountability trail, but as they say, **** happens. Unfortunately, that's a problem for pretty much any after-the-fact verifiable system. But those cases are few and far between, it seems, and I've not heard of any of them actually affecting an outcome. There have been a few cases of other oddities as well, but nothing even close to the unverified touch-screen issues that seem to come up every year.
BTW, I've worked with touch screens, and whoever came up with the idea of having the untrained public v
Duncan
"Every nonfree program has a lord, a master,
and if you use the program, he is your master."
R Stallman
And considering they worked well for 100 years, there is no reason to switch. Of course, money changes people's minds, which is why we see that next year New York has scheduled to completely remove them and replace them with unreliable crap.
The brains of a chicken, coupled with the claws of two eagles, may well hatch the eggs of our destruction.
Voting isn't a (*(&^ing nail, stop trying to throw your coding hammer at it! This has gotten to be an example of obsessive compulsive disorder with these schemes. This is crazy. Open source or not, unless there is an independent deep forensics investigation of every single computerized voting kiosk at the end of the vote period, including disassembling the chips on the machine and all that stuff, it can *not* be verified in a timely, cheap and thorough manner. Oh, a "paper trail"? Why yes, let's look at that "new idea" to "insure" and "verify" the computerized vote! A plain empty box CAN be verified at the start of the voting day by many people looking inside and going "yep, empty!" And a paper trail is exactly what you get start to finish with plain paper ballots, no stupid computer and expense needed. Yes, examples in the past of ballot box stuffing, still way easier to keep tabs on it than running everything through obfuscated layers of chips and code. Paper ballots and empty boxes are WAY MORE the lesser of (in)security evils when it comes to voting, let alone being loads cheaper when it comes to co$t$. Empty box per precinct=ten bucks max, what do these computerized schemes cost, and how much has been wasted on them so far and how much "irregularities" do we get to read about and enjoy before this sinks in as just a bad idea overall?
Why not simply make voting a public auction? I'm voting for Obama. There. Done.
there, fixed that for you...
First off, Germany has a relatively simple ballot; it's only complex because it's evaluated in a complicated way. The US to begin with is large with diverse kinds of governing bodies, and has far far far far more elected offices. So comparing it to German elections is silly.
Second, Pvote is not 500 lines. It's 500 lines sitting on top of hundreds of thousands of lines of interpreter code, device drivers, and the tens of millions of lines of Linux.
Third writing a voting system, while non trivial, is not the hard part.
The hard part is twofold
1) creating a viable business model for its distribution, component aggregation, certification, and servicing.
2) designing a voting PROCESS so that you don't have to trust the third parties that build or maintain these or the people that operate them. Things have to be transparently secure.
Now the OVC (Open Voting Consortium) has had a Python-based system for years. It's open source too. But more importantly it is designed so we don't have to trust the programmers (it produces an intermediate paper ballot and physically separates the vote selection hardware from the vote counting hardware, just as optical scan does). And it has a well thought out and viable business model that will allow for its practical distribution and maintenance.
That is what the world needs. So if you want to help, donate to OVC. They are struggling right now not because they can't write code, but because they have to win acceptance at the state level before any company is going to start marketing the system.
OVC has a very clever business model in which the software is free and open, but companies support its development through fees paid to certify their OEM component based systems as compliant with the OVC standards.
Some drink at the fountain of knowledge. Others just gargle.
Open voting consortium
In Virginia (for example), where voting is completely electronic, they can still do recounts. Wanna know how? By doing the functional equivalent of hitting the refresh button.
IIRC, for some reason, recounts always come up with the same number as the original count. Huh.
I voted yesterday. This is the first time I've voted early. I, too, had concerns about the veracity of the process. I spoke to one of the poll workers, and he explained there is a paper trail. I saw that in action. After running through the touch-screen process, my ballot was printed on a paper roll, and I had time to examine every choice made. I also had the option of changing my vote prior to finalizing it, even though the printing process had begun. The machine printed a barcode at the bottom of my printed ballot, and the roll scrolled to blank paper for the next voter in line. The paper was under plexiglass, so I was not able to actually touch the paper. Overall, I felt the process was secure enough. BUT, my opinion would be the opposite without the paper trail.
..and trust. Computerized voting verification is PhD level software AND hardware guys with electronic microscopes per every single machine per every single precinct and district and so on, to even start to verify. Paper ballots start to finish, anyone who can read and do simple arithmetic, ie, most of the voting public, and it can be verified. One group is pretty small and couldn't be done realistically, the other group is how we did it for hundreds of years and could still work just fine as long as there is a minimum interest in the results.
Any voter can be present at the end of the day to be a witness to the count with paper ballots, and you can volunteer to be an official as well, which means the group of people you need to trust is only one person, which is YOU, and the guy standing next to you only has to trust one person, himself, if he is a witness as well at the end of the day. Versus how many people could look at machine code or C code or any other obscure "language" and then how do you verify all the chips on the computer? Who guards those computers during the non voting period so they aren't tampered with, versus staring at an empty box? No guards needed on empty boxes, because it is unlocked and opened at the beginning of the day and anyone there in line can look at it, and typically the first person in line signs off on it, I have done that myself "yo, empty!".
NO ONE can just stare at a computer voting terminal and "verify" it without deep forensics, it can't be done, if anyone can do it they can apply to Randi for his million buck prize because you'd have to be 100% psychic to do that. And if you want to insure some vote using something similar to how we conduct electronic transactions with money, it throws the entire concept of anonymity out the window, because you must tie a vote to a single individual, then you still wind up with the machine count having to be verified and back to the forensics, it just adds a further level of complexity and possible points of compromise. Nuts.
KISS works for a lot of things, no need to rube goldberg it up just because it is possible. Voting is too important to trust it to being just a videogame. If people got spare time and want to code and can't come up with a project on their own, no problem! They can go check out sourceforge and find something else to work on.
What you're talking about is often erroneously referred to as a "paper trail". That term is harmful because it is too vague. Diebold sells a DRE (direct recording equipment; the computer records and tabulates the votes it collects) which produces a "paper trail": a long receipt-like strip of paper which ostensibly lists all the voters who used that machine since the last session. The problem with this is it is not voter-verified. Only the election judges get to see it and therefore it is entirely useless, truly nothing but a waste of paper.
What voters need is better described as a voter-verified paper ballot. A piece of paper clearly listing their vote(s) which will be, as you said, manually counted by human beings (never computer counted).
Nobody needs election returns faster than humans can count them. Retention enables recounts. We should retain these voter-verified paper ballots at least until the next election, if not as long as possible.
We also need the software the machines run to be completely free software because free software voting machines allow counties to make the changes they need to handle changes in their electorate. If some district wants an election that isn't counted as first-past-the-post, they will need the freedom to change their voting machines to accommodate this. Nobody should have to beg the proprietor for improvements to their voting systems. Counties should be able to get expertise wherever that expertise exists and only a free software voting system enables this.
A few years ago I served on the appointed committee to help the Champaign County board select a voting machine. We saw some voting machines demonstrated for us, tried them out, and decided what to recommend to the elected county board. The entire affair was picking the best of the worst. The allowable range of debate had been narrowed for us before we began when we were informed that we were only allowed to consider equipment approved by the state of Illinois. Toward the end of our tenure we learned that one of the machines we had been allowed to choose (and ultimately did choose, an ES&S optical scan reader/printer machine for preparing ballots) was not yet so approved. That machine has been deployed in at least two elections since we made our recommendation. Voters can optionally use it to fill out the voter-verified paper ballot before depositing their paper ballot into another ES&S machine which counts and stores the ballots.
Digital Citizen
Don't blame me, I voted for Kodos.
DRM: Terminator crops for your mind!
The fact that you think Bush should be free from attack shows that you know nothing about political debate in its entirety.
"It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien
One points out a related story at NPR about a voting program called PVOTE, written in Python and only 500 lines long.
from __future__ import obama