7,000 Irish e-Voting Machines To Be Scrapped

lampsie writes "You may recall from back in January 2012 that the Irish government had deemed their stock of 7,000 e-voting machines 'worthless.' Turns out they are not — after spending upwards of €54 million purchasing them almost a decade ago, all 7,000 will now be scrapped for €70,000 (just over nine Euros each). The machines were scrapped because 'they could not be guaranteed to be safe from tampering [...] and they could not produce a printout so that votes/results could be double-checked.'"

chéad phost

chéad phost

Re:chéad phost

[nomoreunusednickname]

chéad míle iomarcaíochtaí

Re:chéad phost

Amadán.

Re:chéad phost

[Hognoxious]

chéad mÃle iomarcaÃochtaÃ

Fuck off, Legolas.

Re:chéad phost

Póg mo Thóin , bitchez!

Re:chéad phost

[c0mpliant]

Maith an fear!

Re:chéad phost

[AliasMarlowe]

An bhfuil cead agam dul go dtí an leithreas, más é do thoil é?

Níl. Agus ghlanadh suas do praiseach ina dhiaidh sin.

Re:chéad phost

[arglebargle_xiv]

Kinnts es deppn ned a English ren wia jeda nuamale mensch?

awwwww

[slashmydots]

Daaaaamn, what a waste, considering people have proven you can run Tetris on them. They could have had a whole arcade.

Re:awwwww

[Teresita]

Maybe they could sell them to Chad.

Re:awwwww

[PenquinCoder]

Ever read any other comment threads on this site??? Every. Single. ONE, starts the same way. How is that not redundant?

Re:awwwww

[Imrik]

The first post is in response to the summary, if it merely says something that's in the summary it would be correct to mod it redundant. Note that this is a hypothetical point, and in this case the moderation seems odd.

Re:awwwww

[Splab]

Slashdot provides more than one ordering - for instance GP is not first post in my view; a moderator might have read a similar comment when ordered newest first (remember, moderation is handed out based on some obscure algorithm, not on a "must be this intelligent" basis)

Re:awwwww

[rbrausse]

not on a "must be this intelligent" basis

thanks for explaining! I always wondered why I'm part of the 15 mod points crowd ;)

How Difficult Is It Really?

[AnotherAnonymousUser]

As a question for the geeks and engineers of the community - how truly difficult is it to make one of these voting machines safe for use? Is there something I'm missing that would make it difficult to have a kiosk with an imaged system that's been certified, locked down, and can print out results, without it being easy to tamper with or easy to fudge the numbers of? It seems like this is something that engineers could have designed to be foolproof by now, and at a fraction of the budget. How truly complex is the problem they're trying to solve?

Re:How Difficult Is It Really?

[Hentes]

Assuming that the goal is to make them secure, it's not easy. When someone has physical access to your machine you are already in a losing battle.

Re:How Difficult Is It Really?

[mehrotra.akash]

I guess its the anonymity requirement of the vote that makes it difficult
Otherwise, ATM's are secure, and the same technology could be applied to voting machines

Re:How Difficult Is It Really?

[pegasustonans]

How truly complex is the problem they're trying to solve?

Nothing that an old-fashioned optical scan ballot couldn't handle.

In other words, using the machine was a solution looking for a problem (and causing numerous problems of its own).

Re:How Difficult Is It Really?

[alteridem]

I believe it is actually more difficult than it would appear, mainly because you need to give people access to the machine to enter the candidates and when you do that, you are potentially giving them access to do other things. That said, the problem is not insurmountable. I would suggest open-sourcing the software and the hardware design. There are enough people that are interested in this problem that I expect that it would be well supported and potential security flaws found and fixed quickly. It would also greatly reduce the development costs. We would still need companies and governments to work together to build and certify the machines, but everyone could be working off a common, open blueprint.

Re:How Difficult Is It Really?

[Confusedent]

Here's what Schneier said about it in 2004:

"Computer security experts are unanimous on what to do. (Some voting experts disagree, but I think we’re all much better off listening to the computer security experts. The problems here are with the computer, not with the fact that the computer is being used in a voting application.) And they have two recommendations:

DRE machines must have a voter-verifiable paper audit trails (sometimes called a voter-verified paper ballot). This is a paper ballot printed out by the voting machine, which the voter is allowed to look at and verify. He doesn’t take it home with him. Either he looks at it on the machine behind a glass screen, or he takes the paper and puts it into a ballot box. The point of this is twofold. One, it allows the voter to confirm that his vote was recorded in the manner he intended. And two, it provides the mechanism for a recount if there are problems with the machine.

Software used on DRE machines must be open to public scrutiny. This also has two functions. One, it allows any interested party to examine the software and find bugs, which can then be corrected. This public analysis improves security. And two, it increases public confidence in the voting process. If the software is public, no one can insinuate that the voting system has unfairness built into the code. (Companies that make these machines regularly argue that they need to keep their software secret for security reasons. Don’t believe them. In this instance, secrecy has nothing to do with security.)

Computerized systems with these characteristics won’t be perfect -- no piece of software is -- but they’ll be much better than what we have now. We need to start treating voting software like we treat any other high-reliability system. The auditing that is conducted on slot machine software in the U.S. is significantly more meticulous than what is done to voting software. The development process for mission-critical airplane software makes voting software look like a slapdash affair. If we care about the integrity of our elections, this has to change."

Source.

Re:How Difficult Is It Really?

[Sperbels]

Is there something I'm missing that would make it difficult to have a kiosk with an imaged system that's been certified, locked down, and can print out results, without it being easy to tamper with or easy to fudge the numbers of?

Yes. What you're missing is that the people making them/buying them didn't want secure machines. They wanted something they could tamper with.

Re:How Difficult Is It Really?

. How truly complex is the problem they're trying to solve?

As I see it there is no problem to solve. Pen and paper works just fine.

Berite Ahern, the former Irish prime-minister (who pushed for the machines) was very condescending about the old (and existing) system referring to "stupid old pencils", but modernization for the sake of modernization, is not a valid argument.

Perhaps the real motivation was to grant a 50+ million euro contract to someone willing to give him a brown envolope, the Irish euphemism for a bribe. This was the same guy who while serving as the Irish finance minister claims he did not have a bank account. Apparently he prefers cash :-)

Re:How Difficult Is It Really?

[EnergyScholar]

It's really, really difficult to secure electronic voting machines and the associated system. Close to impossible. Worse, what's the point? Seriously, electronic voting does nothing new, and adds many new vectors for systemic fraud. It's a losing proposition, unless you wish to defraud the voting system, in which case it's a win.

Re:How Difficult Is It Really?

If it's like the US, it was a solution to the very well-defined problem of the "wrong" people winning elections.
Our routine election-verification tests are centered around detecting ballot-stuffing, not
vote-flipping, because conventional ballots are hard to alter for a different candidate. All-electronic voting systems, however, make flipping trivial.

Re:How Difficult Is It Really?

[Bookwyrm]

The effort and cost of designing such a thing is one aspect. *Verifying* that the actual manufactured item is tamper-proof, accurate, etc. is another. For instance, if you have to secure your entire supply chain to make sure none of the components involved might have been compromised or substituted due to cost cutting (keep in mind that this does not have to be someone trying to skew the vote on purpose, it could be someone being cheap or lazy and producing something prone to errors,) then that aspect can take quite a lot of time and effort.

It's not just designing the box. It's designing the box and the entire process such that not only the box but the process of making the box can be audited through out the life-cycle of the box and its operation. (And there might be some level of who audits the auditors, etc. What happens if a part must be replaced by a different part because of a supply chain problem -- does everything need to be re-certified, etc.)

That's not cheap or simple. It's not the design, it's the process and logistics.

Re:How Difficult Is It Really?

[azalin]

I guess its the anonymity requirement of the vote that makes it difficult Otherwise, ATM's are secure, and the same technology could be applied to voting machines

Do you have any idea how much money is stolen every day by using duplicated bank cards? ATMs are not secure enough for this.

Re:How Difficult Is It Really?

[smooth+wombat]

If you seal the machine, instead of having USB slots on the outside, that would go a long way to prevent tampering.

Not sure why you need to have an external connector available for anyone to use anyway, other than laziness on the part of the programmers and designers.

If they can seal an ATM, they can seal a voting machine. This truly isn't rocket science.

Re:How Difficult Is It Really?

[archen]

That seems like circular logic. If they could be certified, and locked down they would be. As it stands now it's been shown that the e-prom can be replaced and thus the machines can't be guaranteed of security at the hardware level. Keeping in mind that these machines are intended to talk to something at the other end, and that part would also probably need modification. Tthe whole system was poorly thought out. It sounds like a lot of money wasted, but how much more should Ireland dump on it before they decide it's not going to work? See New York city Fog Creek debacle originally slated to cost about $83 million that went on to over $500 million.

Re:How Difficult Is It Really?

[cr_nucleus]

Electronic voting will always be a democratic failure because there's simply no way to actually check the result without an output from the system itself (wich is therefore also tainted).

This is not an engineering problem, period.

Re:How Difficult Is It Really?

[azalin]

Yes. What you're missing is that the people making them/buying them didn't want secure machines. They wanted something they could tamper with.

I still have enough faith in humanity left to blame it on stupidity, ignorance, carelessness and greed.

Re:How Difficult Is It Really?

[dremspider]

The rule in security is one thing.... if I can touch it, I can break it... period. The problem with the voting process is you have to trust A LOT of people who all have very mixed motives. These machines need to to be transported to their polling place, set up by humans, then used by people. And to top things off, there is a lot of payoff if you can tamper with these machines. Voting also has a major problem, you don't want to be able to monitor them. Securing these systems well (not perfectly) could be done and the damage could be limited when they are tampered with it just isn't monetarily practical nor does it fit in well with democratic ideas such as anonymous voting. Implementing policies such as a device must be locked in a secure location at all times in a box that requires multiple keys to open and is guarded by at least 2 people would help fix a lot of the problems but would make the process so ridiculously expensive it would be insane. The answer to "securing" the vote is TO NOT TRUST THE MACHINES. Something simple like a printout that the user is given that can then be verified by the user and is then run through a well guarded tally device would go a long way to fixing a lot of the problems.

Re:How Difficult Is It Really?

[Grishnakh]

It's not that difficult, but it does require a team of competent engineers, so it does require some money and time. Apparently, the company the Irish government purchased these machines from lacks that.

Re:How Difficult Is It Really?

It's not possible.

There is no possibility to check if the firmware has been altered, be it a fully electronic machine, or a ballot scanner.

Moreover :
>> Either he looks at it on the machine behind a glass screen, or he takes the paper and puts it into a ballot box

1) if it looks at it then the "trail" stays in one piece, which means a third party can easily follow the paper roll and count the number of people who used that machine to find out the vote of a person : anonimity failed
2) if he puts it into a ballot box, we call that paper voting, coz it is nothing else than paper voting with just a fancy printer.

Re:How Difficult Is It Really?

[Grishnakh]

Wrong.

You don't give the voters access to the whole machine, you only give them access to the touchscreen monitor, and maybe some kind of keypad. If you were to be believed, then we wouldn't be able to use ATMs.

Now of course, as the other poster noted, this means you can't do stupid things like have USB or SD/MMC ports that are user-accessible.

When we talk about having "physical access" to a machine, that means the WHOLE machine, as in a desktop PC where you can put your hands on the tower case, plug in USB devices, open the side panel, unplug the hard drive and put it in another system to access it, etc. Having the system locked inside a kiosk where you'd need a plasma torch to open it, and only having a touchscreen accessible to users, is NOT the same thing.

Re:How Difficult Is It Really?

[Grishnakh]

That's because ATMs are stuck using 70s or 80s technology, namely easily-copied mag-stripe cards with crappy 4-digit PINs, with no encryption used at all. It's not the fault of the ATMs, it's because the whole industry refuses to move to a more secure access device. It's amazing that more money isn't stolen every day.

There's no requirement that voting machines use the same crappy access mechanism. In fact, the access mechanism would be totally different, because of the anonymity requirement; I'm just guessing, but if it's like the elections (which only use optically-scanned cards) I've voted in, you first have to go past one panel of people with your state ID so they can verify you're registered to vote in that precinct and cross your name off, and then they give you a card so you can vote on an anonymous form or machine. With e-voting, they'd just need to give you some sort of access card, or even not at all, just let you use the machine since only verified voters should be allowed to walk up to it and make a vote. It's not like these e-voting machines will be out in dark parking lots at night with anyone allowed to walk up to them.

Re:How Difficult Is It Really?

[unwastaken]

Yes. What you're missing is that the people making them/buying them didn't want secure machines. They wanted something they could tamper with.

I still have enough faith in humanity left to blame it on stupidity, ignorance, carelessness and greed.

Read this and then tell me whether you still feel like that.

Re:How Difficult Is It Really?

[Confusedent]

As to the first one, build the machine to randomize the order of the paper ballots. As to the second one, the only reason (I think) to have a paper ballot is in case there is a recount. If the vote comes down 70/30%, the odds that the so many have been miscounted out of a population of hundreds of millions is pretty low. If it ends up like Florida in 2000, or if there are later suspicions/accusations/whatever about the voting machines, then you do a careful manual recount of the paper ballots. I'm by no means an expert on this, I'm just regurgitating what guys like Schneier have come up with.

Re:How Difficult Is It Really?

[Shagg]

It seems like this is something that engineers could have designed to be foolproof by now

Are you sure they're supposed to be foolproof?

Re:How Difficult Is It Really?

[Shagg]

In other words, using the machine was a solution looking for a problem

E-voting machines definitely solve a problem. It's just that the public's definition of a problem, and a politician's definition of a problem aren't the same thing.

For example, if you want to steal an election, physical paper voting/counting makes it very difficult to effect a large number of votes without having a lot of different people involved (greatly increasing the risk of the public finding out). E-voting machines definitely solve that problem.

Re:How Difficult Is It Really?

[Skapare]

Electronic voting speeds up the results. But it's only the new media that wants that.

The design I proposed was a triple path election system. There would be simple machines to vote at that produce three "results": paper, storage, and communication. But it is the paper result that counts. The stored results (on a CF card) are just for verification. The communicated results are just for the media. The paper result is actually handed to the voter. It will be printed in clear text with the names of who they voted for, and a bar code or QR code to checksum the vote. They take the paper over to the ballot box area. But first, the paper is scanned by a reader right there. Then the paper is inserted into the sealed ballot box. The scanner also stores results and transmits these results separately, which are cross checked. The official results will be the paper count. But the electronic results satisfy the media hunger for instant answers.

Re:How Difficult Is It Really?

The problem, I think, is that people want to make sure "the right process happened" but all you can ever get is "the right data resulted." It's trivial to prove that someone can tamper with a voting machine in such a way that it behaves exactly as it should, except in vote tallying. Maybe you recount verified paper ballots, but maybe you don't do that in all districts (because it's expensive, and you might only need to cheat by 1% to swing an election, which makes the modified districts hard to detect), and if you do it everywhere, what has the machine accomplished? The problem is that, at the end of the day, all you have is a pile of data -- you can say "this is the record the machine produced at noon, and this is the one at 5pm" but you can't say "this is what the machine was doing at noon, and this is what it was doing at 5pm."

The solution to this is to focus less on process and more on data. An easy example of this (which should show why we don't do it):

1) Government creates very strong public/private keypair.
2) Government distributes public key on massive scale.
3) Government allows citizens to appear at town hall with good ID (passport, maybe?) to have their own key signed by government key.
4) Citizens MUST NOT publicize this key.
5) At voting time, citizens generate a large, random chunk of data. They save this for later. They also append the plaintext vote to it, and encrypt the whole thing with the government's public key. Finally, they sign the whole thing with their own private key.
6) The government verifies incoming signatures against their list of citizens' public keys. Bad signatures, or signatures for unrecognized keys, are discarded. They then decrypt the vote using their private key. They then count the votes, as well as publishing an aggregation of the remaining data (vote + random data).
7) Citizens look at aggregated data for their vote. They can verify it because the random data they saved for later will appear next to it.

Benefits:
1) You can't vote if you're not registered.
2) You can't figure out who a specific person voted for, unless you have access to the raw vote data and government key list.
3) Vote counts are accurate.
4) Each voter can verify their own vote.

Drawbacks:
1) New requirements for voting: ID, willingness to register encryption keys, access to computer for generating/saving encryption keys, ability to protect encryption keys, way to get encrypted vote to government (internet, thumb drive).
2) If the government key is stolen, the election is stolen. Note that the government's public key is, in fact, public, so it is only a matter of time until it is cracked. The amount of time may be acceptable (one billion years) or unacceptable (10 years), and that amount may change as the fields of cryptography and computer hardware advance.
3a) If the government throws away the signed vote after checking it, they can publish an aggregated vote list with dummy entries and rig the election, and no one can verify otherwise.
3b) If the government does NOT throw away the signed vote, anyone who recovers it and the government-signed key list can figure out who voted for whom.
3c) This applies on a small scale as well -- if you know someone's public key, and they vote online, and you tap their connection, you can monitor their vote.
4) Incredibly expensive investment in infrastructure.

While many of these issues are the same, or worse, in traditional systems, the risks and expenses make "the devil you know" very attractive.

Re:How Difficult Is It Really?

[Imrik]

Putting it into the ballot box doesn't mean you have to count the paper ballots, they're just there if anyone wants to verify the machine's results.

Re:How Difficult Is It Really?

[del_diablo]

Just have all the printed out "counts" to have 3 forms of hases to find out what firmware they are running. MD5 perhaps, and a few others?

Re:How Difficult Is It Really?

[aztracker1]

I was thinking something similar... taken a step farther... if the system registers that the voter voted against one system, and the actual vote group to another system, with no correlation data between the two available, it would be reasonable to have online voting... would just need to ensure that both the registration that the person voted, and the record of the vote are separate... give the voter a token, that can be checked against their own vote record, but doesn't tie that token to their id, or that they have voted.

Re:How Difficult Is It Really?

[aztracker1]

In us-AZ, the ballots are optical scan AND have the person(s) you are voting for printed on the ballot... scanning is digital, and there is a physical record... works very well.

Re:How Difficult Is It Really?

[aztracker1]

Wish I had mod-points for this... for that matter, you could go to a polling site, and show your ID, they can check that you are registered, and give you a token to access an https website and cast your vote there... without correlation between your registration, and the vote token, it can be recorded, and you can check your token against the recorded vote later.

Re:How Difficult Is It Really?

[bzipitidoo]

the people making them/buying them didn't want secure machines

I agree. The technical problems are the lesser difficulty. They are all solvable problems.

It's corruption that's really hard. There are always some who think they can use a situation like this to pull something unethical, hiding all the evidence so no one can be sure what happened. They're the ones fighting hard to keep as much as possible hidden. There is no excuse for keeping the software of a voting machine closed. So why did Diebold refuse to release source code? At least try to reduce the appearance of corruption? Maybe because they really were cheating and rigging votes? In which case releasing the source code would reveal the smoking gun. Diebold made themselves the perfect target for such suspicions. Added even more to the smoke (and fire?) by being blatantly partisan with their own political preferences. Diebold's reputation got so bad they sold their voting machine business.

Re:How Difficult Is It Really?

[Nethead]

*Verifying* that the actual manufactured item is tamper-proof, accurate, etc. is another.

Just give it to Bev. She'll gladly verify it for you.

Re:How Difficult Is It Really?

[Grishnakh]

I think some other posters here have a good point that this whole thing really can't work very well. Technically, it could, but the potential for abuse is too great; while you could use encryption to keep things anonymous as you say, the problem is that very few people really understand that, so basically the population is trusting a very small number of people that the voting system is fair and not rigged. We've now tried electronic voting with private companies, and it's been a disaster, because these companies can't be trusted, and in most cases aren't even technically competent. Sure, some good engineers and encryption experts could get together and assemble a really good voting system, but they're not; they're all working at other places, and instead we have crappy companies like Sequoia slapping together some piece-of-shit systems that can't be trusted at all. With plain paper ballots, we don't have this problem: any bunch of regular citizens can get access to the ballots and count them themselves. Sure, it's slow, but it doesn't take an expert to do it, and you don't have the keys to democracy in the hands of some private corporation that may have a vested interest in who wins.

Re:How Difficult Is It Really?

[xs650]

That goes against the primary objective of computerized voting machines, which is to throw elections the direction the people controlling the function of the machines want is to come out.

Re:How Difficult Is It Really?

[Shagg]

Politicians are not members of humanity.

Re:How Difficult Is It Really?

[TapeCutter]

If they can seal an ATM, they can seal a voting machine. This truly isn't rocket science.

No it's not rocket science, nor is it ATM science. Learn how and why the traditional paper systems work and one day you may understand why the quote above is 'not even wrong'.

This method is used in Sweden for example, and conducted as follows. The voter casts three ballots, one for each of the three elections (national, regional, and local), each in a sealed envelope. The party and candidate names are pre-printed on the ballot, or the voter can write them in on a blank ballot. When voting has finished, all envelopes are opened on the counting table, for one election at a time. They are sorted in piles according to party, inspecting them for validity. The piles are then counted manually, while witnesses around the table observe. The count is recorded, and the same pile is counted again. If the results do not agree, it is counted a third time. When all piles are counted and the results agree, the result is certified and transmitted for central tabulation. The count as received is made public, to allow anyone to double-check the tabulation and audit the raw data. There appears to be a high level of confidence in this system among the population, as evidenced by the lack of criticism of it." - Shamelessly C&P from WP.

The last sentance in the quote hits the nail on the head, elections are about trust, anyone who thinks electronic voting is a good idea should be asking themselves what "problem" are they "solving"?

Re:How Difficult Is It Really?

[sl4shd0rk]

You don't give the voters access to the whole machine, you only give them access to the touchscreen monitor,

It's not the vote which matters. It's who counts them.

Re:How Difficult Is It Really?

[AmiMoJo]

You don't give the voters access to the whole machine, you only give them access to the touchscreen monitor, and maybe some kind of keypad.

What about the people running the polling station? They represent a far bigger risk since they have access to the machine for much longer and a voter who can reasonably spend a maximum of 10 minutes in the booth before people start to worry. Plus in the UK the booths are actually open on one side, your body effectively shielding your choice from view, and maybe Ireland is like that too. It would be hard to fiddle with a voting machine without being seen.

Re:How Difficult Is It Really?

[Lithdren]

Doesn't this allow you to sell your vote, and be able to prove you voted a specific way? This opens up a big issue as well.

Boss: "Vote Democan or you're fired!"
99%: "Umm...I did..!"
Boss: "Prove it, what is your token?"

And thus, the entire thing falls apart. You shouldn't be able to prove how you voted, while needing to be sure how you voted is how its being counted. This is why its so difficult.

Re:How Difficult Is It Really?

> That's because ATMs are stuck using 70s or 80s technology, namely easily-copied mag-stripe cards

Huh? In what country? Not that I use ATMs that much anyway nowadays since cash is pretty redundant.

Re:How Difficult Is It Really?

[dvice_null]

We could solve this voting issue very easily. Every vote costs a dollar and you can vote as many times as you want. It would be no different from the current system where only the rich have enough money to advertise themselves to get voted.

Re:How Difficult Is It Really?

[Grishnakh]

Yes, but that's a different issue altogether. If you're trying to protect a computer from people doing unauthorized things to it, like plugging in USB drives and infecting it with malware, or taking out the hard drive and copying or altering it, that's easy, you just lock it up the way an ATM does. If you're worried about authorized people (who have keys to the machine's cabinet) tampering with the vote, that's a whole separate problem, and a good reason that proprietary machines from private companies should never, ever be used.

Re:How Difficult Is It Really?

[Grishnakh]

If you don't trust the people running the polling station to not stuff the ballot box (in a case where you're using paper ballots), then this is really moot.

Of course, I guess with paper ballots, you can put some simple checks into the system to detect tampering, like only having a specific number of ballots printed and using magnetic ink so they're not easily duplicated. Detecting e-voting tampering would be much more difficult. Even so, by making sure that no one (or two) person is allowed access to the machines without supervision, it should be possible to minimize the possibility of tampering. Surely there's checks like that in place with regular paper voting too.

Re:How Difficult Is It Really?

[Grishnakh]

Um... USA and Canada, and I'd be surprised if Europe wasn't exactly the same way. What did you think that ATM/debit card was, a high-tech NFC system or something?

Re:How Difficult Is It Really?

[fredklein]

As a question for the geeks and engineers of the community - how truly difficult is it to make one of these voting machines safe for use? Is there something I'm missing that would make it difficult to have a kiosk with an imaged system that's been certified, locked down, and can print out results, without it being easy to tamper with or easy to fudge the numbers of? It seems like this is something that engineers could have designed to be foolproof by now, and at a fraction of the budget. How truly complex is the problem they're trying to solve?

It's fucking trivial.

Server locked in a cage in the corner of the room. Boots off a DVD. An image of the DVD is released weeks before, and people are encouraged to DL it and check out the code. Day of, anyone interested shows up with a burned copy of the DVD. A random burned copy is selected, and compared (hash-wise) to the 'official' copy. Then the server is booted off the burned copy. Thus, no cheating with the code. (The code is bone-dead simple, anyway. Just add 1 to the person the voter votes for.)

Clients are a simple podium- touchscreen at the top with a locked steel box near the bottom with a nano-sized MB in it. They boot over the network from the server. Privacy curtains only come down to the voters waist, so any attempt to bend over and access the MB would be obvious.

The printer used a huge roll of dual-layer receipt paper (like cash registers used to use years ago). Both layers are printed on at the same time by the same mechanical process, so there's no way they can differ. Once the voter confirms their choice onscreen, a door in the printer opens to reveal the receipt (under glass). The voter then has a chance to read it and confirm it matches what they voted for. Once they confirm, the 'top' copy spits out as a receipt, and the 'bottom' copy remain in the printer as a 'journal' copy. If a recall happens (which can be upon request, or randomly), they can take the journal spools and run them past a barcode reader (it prints the votes in English and in a barcode format), which tallies them up.

The receipt the voter gets has only the vote(s), the time to the nearest minute or so, and the voting machine number. Nothing else. Nothing that can link the receipt to the voter, or vice versa, so there can be no selling of votes- who would buy something that cannot be proven? After all, you could have picked that receipt off the floor, or out of the trash. No one would pay for that.

THERE. The outlines of a simple, foolproof electronic voting system.

Re:How Difficult Is It Really?

[Livius]

The hard part is finding people who genuinely want voting machines that are safe. The supplier was probably shocked that the Irish government wanted to actually count real votes, because that's not the purpose of the devices they sell.

Re:How Difficult Is It Really?

Can you elaborate on this "New York city Fog Creek debacle"? My Google-fu is too weak to be able to work out what the story is.

Re:How Difficult Is It Really?

[blackest_k]

Ireland doesn't have a population of hundreds of millions...
2011 total voting age 3,516,795 of a population of 4,670,976
registered 3,202,442 voted 2,243,176 turn out about 70% who were registered or 63% of voting age spoilt ballots 1%

Most area's elect 3 or 4 tds and the votes are carried out in rounds so who ever comes last in first preference votes gets their votes split according to 2nd preference and so on until there are just enough candidates left to fill the seats as a rough figure less than 13,000 votes are needed to be elected a TD with 176 TD's to be elected.

In theory most people will have voted a TD into office even if it wasn't their first choice. It has the advantage that two people with differing political views in the same area will have a representative that they supported to some extent elected.

   

Re:How Difficult Is It Really?

[archen]

This is one story. It was on slashdot as well a while back.

Re:How Difficult Is It Really?

Electronic voting speeds up the results. But it's only the new media that wants that.

How much is the speedup? In Germany, which uses traditional paper voting, the first results come in about one hour after closing and after 3 to 4 hour more or less all votes are counted. Most of the times the trend stabilizes quickly after the first results but it happens sometimes that the tally tipps in the other direction during the evening. Then you get hilarious backtracking of premature victory speeches.

Re:How Difficult Is It Really?

[Patch86]

I believe it is actually more difficult than it would appear, mainly because you need to give people access to the machine to enter the candidates and when you do that, you are potentially giving them access to do other things.

Do you mean "an admin entering the names of the candidates so they can be displayed for selection", then that's an easily solvable problem. You just give the user an unchangeable selection of "Candidate A", "Candidate B", etc., and print the names of each candidate on posters stuck on and around the polling machine. Finish the evening's count with "Candidate B wins" and then look at the table to see who that is.

If you mean "give the voter access to the machine to make a selection", then I'm not sure I understand the problem- except insofar as they could whip out a screwdriver and start tampering. And that seems like something that can be at least mitigated by making the machine's case along the same design as your average fire safe, with the only visible display/controls being usable only to make a candidate selection.

Re:How Difficult Is It Really?

[hey!]

Well, a user readable paper receipt which the voter drops in a locked box would do the trick.

Short of that, nothing you do to try to "secure* the machines can ever prove that the machines recorded votes correctly. The simplest demonstration of this is to ask yourself two questions. Who does a system require that you trust? And can you verify whether that trust has been violated?

(1) Who do you have to trust. When you record a vote on a purely electronic voting machine, you have no proof that your vote is recorded properly and no way of telling whether votes were tallied correctly. You have to trust everyone who's been involved with the machine: the hardware company, the programmers, the technicians maintaining the machine, anybody who might have access to the machine while it is in storage, the people who transport the machine to the polling place, everyone who has physical access to the machine while the polls are open, and the officials who gather the data from the machine. Any one of them could potentially tamper with the machine -- especially if two or more kinds of people on that list are in collusion. Oh, yes, and you have to trust that the software of the machine is bug free.

(2) How can you tell whether your trust has been violated. You can't. No matter how elaborate the attempts to "lock down" the machine is, you can't tell if the machine is telling the truth unless you can see what's happening inside the circuits of the machine, and do that from the time the machine is activated until the time it provides a result.

Suppose the officials who set up the machine, transport it to polling place, supervise its use, and get the results are completely trustworthy. They have no more assurance that the machine is responding to *them* correctly than the voter has assurance the machine is tallying their vote correctly.

Except for providing secret ballots to visually impaired voters, there's nothing these machines can do that can't be done just as quickly and more cheaply with a properly designed paper ballot and electronic tallying machines. Electronic voting machines are more complicated than they need to be -- the very *concept* is more complicated than it needs to be. Therefore they make the voting process less secure than it could be. With no independent physical verification of voter intent, there is simply no way to know whether the results in an election using these machines is correct.

Re:How Difficult Is It Really?

[archen]

My mistake, it looks like it wasn't Fog Creek but CityTime. Not sure why I rememberd that as Fog Creek.

Re:How Difficult Is It Really?

That doesn't solve anything. A tampered firmware could be made to print the hashes of a legitimate firmware, and there'd be no way to tell just from the printout.

Re:How Difficult Is It Really?

::Sigh::

This is a solved issue. From my post lower down the page:

"The receipt the voter gets has only the vote(s), the time to the nearest minute or so, and the voting machine number. Nothing else. Nothing that can link the receipt to the voter, or vice versa, so there can be no selling of votes- who would buy something that cannot be proven? After all, you could have picked that receipt off the floor, or out of the trash. No one would pay for that."

Same goes for 'threatening', as well as 'buying'. The receipt you show your boss could be off the floor or out of the trash, so even IF you don't turn his ass in to the Feds for trying to influence your vote (a felony IIRC!), he can never be sure the receipt is yours. So why would he bother?

Re:How Difficult Is It Really?

[fgouget]

You don't give the voters access to the whole machine, you only give them access to the touchscreen monitor, and maybe some kind of keypad. [...] When we talk about having "physical access" to a machine, that means the WHOLE machine, as in a desktop PC where you can put your hands on the tower case, plug in USB devices, open the side panel, unplug the hard drive and put it in another system to access it, etc.

Voting machines typically spend more than 99% of their time in storage (something close to 364 days out of 365). If you get access to the storage room for just one night you'll get full access to the machines. At 1 minute per machine to change a ROM that's enough to rig an election.

Re:How Difficult Is It Really?

[fgouget]

Um... USA and Canada, and I'd be surprised if Europe wasn't exactly the same way. What did you think that ATM/debit card was, a high-tech NFC system or something?

Well in France all our credit cards have had chips for the past twenty years. Of course the problem is that ATMs still have to accept credit cards that only have a magnetic stripe otherwise tourists would be unable to use them. So that reduces the security again.

Re:How Difficult Is It Really?

[fgouget]

Nothing that an old-fashioned optical scan ballot couldn't handle.

In other words, using the machine was a solution looking for a problem (and causing numerous problems of its own).

While I agree with you on the whole, optical scan machines are electronic voting machines. They can malfunction and change 30% of the votes, so they could be rigged to steal an election too. And yes, two years later people may notice, but by then it's too late.

Re:How Difficult Is It Really?

[fgouget]

I would suggest open-sourcing the software and the hardware design.

That would not help. What is needed is for any voter to be able to check, on election day, that the software really being used is the one that was specified. But there's obviously no way of doing that without also giving that voter all the access he needs to completely rig the election (or just DOS it as verifying everything would take days).

Re:How Difficult Is It Really?

[fgouget]

I agree. The technical problems are the lesser difficulty. They are all solvable problems.

No. The combination of anonymity, transparency, verifiability and robustness against insiders is unique to voting and there is no known DRE solution to this.

So why did Diebold refuse to release source code?

I think they just didn't want their competitors to steal their code, just like any other proprietary software company. They probably also (at least unconsciously) did not want the public to see how shoddy their code is and get called out for doing such a bad job.

Re:How Difficult Is It Really?

[fgouget]

And then nobody ever counts the paper ballots since the result is known anyway, and so rigging the electronic part of the election is all you need to get your candidate elected.

Re:How Difficult Is It Really?

[__aaltlg1547]

That's only a small part of the problem. Some of the reported problems on voting machines:

Number of votes recorded on machines exceeds number of voters who used them

Votes recorded for candidate the voter did not intend to choose

Machines wouldn't work on election day

Machines not producing verifiable tallies

Machines allowing the same voter to vote multiple times

Also, the voting machines do not solve and if not well designed can make problems worse with regard to chain-of-custody as compared to paper ballots. The science of making sure a physical box is empty at the beginning of the day and contains N ballots at the end of the day is quite easy to manage. Then you physically seal it and deliver it to the counting venue where the first thing they do is validate the seal and the second thing they do is make sure that box 2351 has N ballots exactly. You have all the same problems with a voting machine but to most people the idea of having an erase procedure at the end of the day and a shutdown procedure that secures the machine's non-volatile memory is not natural. If engineers ran the election, they could ensure that all these operations are carried off without a hitch, but there's not enough technically savvy people to do it, so you have to have non-technical people performing these technical functions and they have to be able to do it without a hitch, because any hitch could result in you having to throw out or having thrown out a whole machine's vote tally.

Re:How Difficult Is It Really?

[__aaltlg1547]

ATMs are NOT secure. You think a four digit code and a card that can be readily copied are secure? People come up with schemes to steal these all the time. Banks just absorb whatever losses the users notice and complain about.

Re:How Difficult Is It Really?

[__aaltlg1547]

And there would be an instant free market for those tokens. It's the best of all possible worlds!

Re:How Difficult Is It Really?

[Grishnakh]

Yes, unfortunately we Americans are way behind the times, as usual. Is it only France that has chips in cards or is it Europe wide?

Re:How Difficult Is It Really?

[azalin]

That would explain a lot

Re:How Difficult Is It Really?

[azalin]

Germany has them too. The chips can also be charged with money and used for bus rides, parking fees and other small payments. The skimming and copying tricks still works to some degree though. Criminals just copy the magnetic part, mail it to their partners who will use foreign atms without the enhanced security. Though I think sooner or later (once enough machines are upgraded) they will just disable it by default.

Re:How Difficult Is It Really?

[Skapare]

See, that's the fallacy.

use the same system for slot machines

[Joe_Dragon]

use the same system for slot machines
they go under lots of testing to make them hard to cheat them even to the point of shocking them.

Re:use the same system for slot machines

The payout from slot machines can be monitored, and if it seems questionable then it can checked and/or scrapped. Tough to do that with e-voting machines, except maybe for the overall count of voters.

Re:use the same system for slot machines

[rtfa-troll]

Nobody actually knows how hard this is since nobody has ever actually succeeded in doing it, despite the fact that many people have tried. Here is another example:

use the same system for slot machines they go under lots of testing to make them hard to cheat them even to the point of shocking them.

This is one of the standard examples, the other given is bank machines. The average engineer/computer scientest will tell you this every time up to the stage of actually starting voting machine companies and spending millions on delivering machines which fail to be sufficiently secure. Just think about how much more hostile the voting machine environment

• if you cheat a slot machine you can get a few hundred dollars - if you beat a voting machine you can controll F22 contracts worth US$66.7 billion
• slot machines are run in an environemnt where you can watch the users - watching voters is illegal
• you can see who wins on your slot machine and almost nobody cares - voters are supposed to be anonymous
• slot machines are essentially static; the money is put in and taken out in the bar - voting machines have to be distributed to many locations
• your slot machine will still earn money even if it is completely emptied several times a year - a voting machine only needs to lose once

It's true that the slot Las Vegas slot machine program is much better than any current voting machine goes through. That is outrageous. However, don't think that if you did follow the Las Vegas system that would be enough.

Re:use the same system for slot machines

[Inda]

Why do people even need to walk to the polling station and use 'machines'?

I pay my bills online.
I do my banking online.
I order my shopping online...

Let me vote from my PC/Tablet/Phone/Generic_electronic_device

Deliver my voting slip to my door, just like you deliver my electoral registration form to my door by hand by an official goverment worker. Hell, you let me vote by post, ffs.

Crypto handshakes and hashes and keys and magic - it's all been done before.

UK only. Other countries may have different requirements. :)

Re:use the same system for slot machines

[RobertLTux]

one "feature" that voting machines don't have that Vegas slots had back in the day

They used to break people for cheating the slot machines

Re:use the same system for slot machines

[Paradise+Pete]

use the same system for slot machines

The problem is that (unlike slot machines) there are conflicting goals - keeping verifiable totals while at the same time preventing any individual's vote from being revealed.

Re:use the same system for slot machines

[khendron]

I pay my bills online.
I do my banking online.
I order my shopping online...

And all those activities are the target of a significant amount of fraud. It is tolerated, though, because the savings outweigh the costs. You can't say the same for an election.

Re:use the same system for slot machines

[c0mpliant]

And you think there isn't fraud in the voting system? The most easiest way you could do it is to register in a constituency to vote using the form thats sent out to houses in the lead up to elections without using the RFA3 form to transfer your vote from your original constituency. The reason a lot of people do this is because the form thats sent to each house just needs you to fill in the sections and then send it back in the post, postage free of charge. The RFA3 form requires you to fill it out, go to your local garda station and only your local garda station and get them to sign the form confirming you are who you say you are. Then to send it off to the local authority either in the post after paying for postage or drop it in yourself. People will generally take the path of least resistence and end up registered in two constituency. I really believe this is the only way that FF got anyone elected during the last election

Re:use the same system for slot machines

[Cinder6]

Voting fraud is ridiculously easy (in California, at least): They don't even check your ID to make sure you're the person you say you are! Figuring out how to cheat the system on a wide scale is an exercise for the reader.

Re:use the same system for slot machines

[TapeCutter]

Trust is not a technical problem and slot machines are not transparent to all parties. The speed of a manual count is also not a problem. Basically electronic voting is fixing a problem that doesn't exist, like an electronic mouse trap it's expensive, unreliable, and pointless.

Re:use the same system for slot machines

[TapeCutter]

With manual fraud one man can effect one polling place, with computerised fraud the same man can effect the entire election, and with less risk of being caught.

Re:use the same system for slot machines

[oldmac31310]

the word you want is 'affect'.

Re:use the same system for slot machines

Actually, that's not entirely correct:

"Nobody actually knows how hard this is since nobody has ever actually succeeded in doing it, despite the fact that many people have tried."

A gentleman named Athan Gibbs put together such a system, called TruVote, finalizing the device in 2004. He died in a car/18-wheeler collision that same year. I espouse no conspiracy - my link is somewhat inflammatory - but a lot of the links are dead and there is no Wikipedia article on either him or his system. Odd as that may seem. It was quite the story in progressive media back then.

Here's a starting point, if you have an interest:

http://www.commondreams.org/views04/0318-02.htm

Re:use the same system for slot machines

[rtfa-troll]

This is a paper trail based voting machine. I will admit that I think that these are mostly acceptably secure, however that's because they start with the fundamental assumption that you can't trust the software. Still, there are clearly opportunities for cheating. For example, if votes are only normally recounted on close elections, then only cheat on elections where you are expected to win but don't, and then, when you do cheat, cheat in a big way. As long as you only do it once or twice you have a good chance of getting away with it.

The correct thing to do is to assume that there must always be a hand count and (almost) always do one.

Re:use the same system for slot machines

[Livius]

Both will work in this case.

Re:use the same system for slot machines

Nobody actually knows how hard this is since nobody has ever actually succeeded in doing it, despite the fact that many people have tried.

Protip: if many people have tried doing something and nobody has succeeded, then doing that something the first time is hard.

Re:use the same system for slot machines

[oldmac31310]

No. They won't both work.

Re:use the same system for slot machines

[godel_56]

Voting fraud is ridiculously easy (in California, at least): They don't even check your ID to make sure you're the person you say you are! Figuring out how to cheat the system on a wide scale is an exercise for the reader.

Vote early and often!

Re:use the same system for slot machines

[dbIII]

And you think there isn't fraud in the voting system?

There obviously is and the Indian machines were designed with that in mind - for example, even if you steal a single machine and hack it to give 100% of it's votes to whoever is paying you that has a limited impact on the total vote. Stealing a lot of machines is likely to be noticed. Others (like some of the Diebold stuff) seem to be designed to make fraud and gaming the entire system easy from a single entry point, but that is possibly more due to incompetance and deliberate shortcuts instead of a criminal conspiracy.

Re:use the same system for slot machines

[mdvolm]

Not a bad idea, except that the main source of security for a slot machine comes from the fact that it is under 24/7 surveillance. Give someone unsupervised physical access to the machine though, and all "security" is lost.

Re:use the same system for slot machines

[billstewart]

But somehow in the 2004 elections in Ohio, the "unreliable" bit was much more significant in the poor Democrat-leaning inner-city polling places, which opened late and had 1-2-hour-long lines out the door, than in the Republican-leaning suburban polling places, which had all the right parts to get their machines started and working. And Ohio's secretary of state had made a speech telling the Republicans that Ohio would be a solid win for the Republican Party.

Re:use the same system for slot machines

[fgouget]

I pay my bills online. I do my banking online. I order my shopping online...

When you pay online, your the recipient knows who you are, how much you pay and why. The bank or an intermediary like PayPal also knows who you are and who you paid that money to, and how much you have left in your account. The stores you shop at know which items you looked at, for how long and obviously which ones you ordered, and provide you with proof that you ordered stuff.

A voting machine must provably not record who you voted for, must not provide you with a way to prove how you voted, must still be provably secure, and must be understandable and verifiable by anyone.

So no, shopping / paying bills online have nothing in common with voting online. The former is easy, but for the latter we simply don't know how to do it with DRE systems.

Re:use the same system for slot machines

[fgouget]

There obviously is and the Indian machines were designed with that in mind - for example, even if you steal a single machine and hack it to give 100% of it's votes to whoever is paying you that has a limited impact on the total vote. Stealing a lot of machines is likely to be noticed.

If you plan to rig the machines used in the election to favor your candidate, then obviously stealing them is a bad idea since the organising authority won't have them anymore. However they spend more than 99% of their time in storage (something like 364 days out of 365). So all you need is get access to them while they are in storage to rig them and then it much less likely anyone will notice. Since the machines have not been stolen, they will be used in the next election and get your candidate elected.

Oh, for a local election you will have access to all the machines at once so you'll be able to get your candidate elected with 51.5% of the votes so it does not raise any suspicion. For a national election you'll have to do it in a few more storage depots, or bribe a software developper working on the next 'security update'.

Re:use the same system for slot machines

[__aaltlg1547]

use the same system for slot machines they go under lots of testing to make them hard to cheat them even to the point of shocking them.

But random results are acceptable to the user of the slot machine.

Re-refurbished Louisana Voting Machines

I hear Mexico has some Re-refurbished voting machines they purchased from Louisiana after we got "updated" touch voting machines.
Apparently they were really upset when Edwin Edwards was elected as President of Mexico.
I am sure they would be willing to sell them really cheap.

I look forward to the official statement

[poetmatt]

I can just see it now:

"Did we get screwed? I think so"

while the reality is "Maybe we should have researched this before investing"

Re:I look forward to the official statement

[bugs2squash]

I think it meets the definition of criminal negligence. Someone has blown $60MM on worthless voting machines. I think that even someone who isn't a professional in the field of election automation could have spotted these flaws very quickly (if not immediately looking at the specs on paper never mind with an alpha trial).

When will there be a prosecution in this case ?

Re:I look forward to the official statement

All that matters is that the producer got the contract and the politicians got bribed. Now that the old machines are disposed of, they can do it again :-)

Interesting Maths

[AlastairMurray]

all 7,000 will now be scrapped for €70,000 (just over nine Euros each).

I suppose €10 is just over €9.

Re:Interesting Maths

[91degrees]

In other news, the Independent has deemed its stock of pocket calculators worthless because they can't get the right answer to siple calculations.

(Actually there were 7500 of them, going for â9.30 each but where's the fun in that?)

Re:Interesting Maths

[rtfa-troll]

If you had READ the FINE ARTICLE; you would know that 7000 == 7500 and 9 == 9.30 and 70,000 == 70,267. Typical careless rounding of the type that can easily get the wrong person elected..

So basically what you're saying is...

[dohzer]

... because they could be compromised, they're worthless?

Re:So basically what you're saying is...

[Immerman]

Yes.

More precisely they're worthless as voting machines because they're considerably easier to compromise than the pen-and-paper alternative, and it would be almost impossible to detect. Since it appears these specific machines are special-purpose devices without a lot of other applications that pretty much reduces them to scrap value.

Not guaranteed safe from tampering? Nae!

[mistaryte]

They were really scrapped because they did not dispense a shot of Jameson's after vote completion.

Re:Not guaranteed safe from tampering? Nae!

[Chrisq]

They were really scrapped because they did not dispense a shot of Jameson's after vote completion.

That would be one way to guarantee a 100% turnout

That depends on your limitations

[Casandro]

Building a voting computer which satisfies the demands for a democratic election is near impossible.
Since fraud needs to be detectable even by single uneducated voters, there minimum security would be like this:

1. Get at least 80% of your voters a degree in Mathematics and Cryptology. They need to be able to verify all the algorithms used in the process.
2. Get at least 80% of your voters fluent in reading machine code off microscope images of ROM chips.
3. Get at least 80% of your voters good at re-engineering micro controller systems from silicon up in a reasonable timespan. (e.g. 30 minutes, this might require genetic engineering)
4. Develop a form of computing device which is transparent.

The big point is, it's not enough if we have some "perfect" voting computer which 10 specialists attest to be "perfect". For a democratic election everybody who is allowed to vote must be able to check the system for fraud. With a simple pen and paper system that is trivial. You just sit at the polling station, check that only single sheets are handed out to the voters. You also check that the voting urn is empty when the voting starts and that everybody just puts in his single sheet into it. Then you check the counting for miscounts and people trying to hide votes. The total number of votes can be compared in different ways.

So everybody involved in it can check it. There is no secret knownledge involved. You can come up with the points I just wrote by yourself. You can even find the points I was missing. That's the minimum standard for voting systems, and it can be settled by the cheapest way to conduct elections, pen and paper. Why on earth should we spend a lot of money for much worse systems?

Re:That depends on your limitations

[Nadaka]

According to the CEO of Diebold, voting machine manufacturer, that verifiability is a defect. How can he promise to deliver victory to republican candidates if he does not have a way to tamper with the votes?

Re:That depends on your limitations

Back home we use an optical scan system. Just fill in the bubble with a dark pen and it gets scanned through a machine. If you make a mistake you just X it out and fill in the one you meant. The counting itself is done in a large room with tables that don't have drawers that has glass walls all around it and where the public can watch the count proceeding.

It was put in place because conservatives were whining about the vote count stealing statewide races. It turns out that they were being robbed by the voters that were voting against them.

I'm not sure how much more secure you can get than that. Sometimes technology isn't the solution to the problem.

Re:That depends on your limitations

[Pinky's+Brain]

Having a paper print out which can be checked by the voter works well enough.

Re:That depends on your limitations

[Casandro]

How does that work? Do you put the vote into an urn? How do you know the voting computer counted the vote the way it was printed?

If you put the vote into an urn, why don't you just replace the voting computer with a pen? Germany proves that to be very efficient with most voting locales finishing their duty 30 minutes after the end of the election.

Re:That depends on your limitations

[company+suckup]

Diebold has no entitlement to be involved in the voting process. One can argue about what technology needs to be used to count the votes fairly and accurately. Problem is the heads of these election commissions are anything but techie savvy.

Re:That depends on your limitations

[fgouget]

Having a paper print out which can be checked by the voter works well enough.

So your solution is to do a regular election with hand counted paper ballots but add some computers that produce results that are thrown away because they cannot be trusted. And you say that's better than the same election without the useless computers?

refurb/rebrand/resell

[Sooner+Boomer]

Touch screen computers from Ireland? Sell them as the "New iTablets*", and "not from that fruit company either!". At 20E a piece, you could *double* your money!

*Irish Tablets, thank my Lucky Charms!

Re:refurb/rebrand/resell

[JDG1980]

Touch screen computers from Ireland?

If there were flat-panel touch screens, or even regular flat-panel color LCD monitors, then the units would probably have been worth more than 9 euros each. I did a search and found some photos of these machines (there's one at the top of this article) and they don't have any of this. There is only what appears to be a two-line, character-based, monochrome LCD display, with a big row of labeled pushbuttons and corresponding LEDs below it. Cheap, generic, largely worthless hardware.

Re:refurb/rebrand/resell

[MickLinux]

Well, considering that the Irish used those very voting machines to vote out the "pro-bailout european banks" politicians, I think they did very well with what they had.

On the other hand, considering the folks they voted *in* (the "let the investors who make bad investments bear their own loss" politicians) immediately turned around and bailed out the European banks, maybe they were worthless after all.

Yeah. I'd probably say they shouldn't be valued at more than 9 euros [and a bronx cheer] each.

an outline for a secure voting machine

[RobertLTux]

1 have as little of the OS loaded as possible
2 the OS image should be on a readonly image (with the image FIXED no later than 14 days before an election)
3 the poll info should be on a separate image (also readonly)

the voting screen should have a hash of both images on a "rail" at the bottom so that both can be verified at random

when you vote your vote info should be etched on a metal plate (each one should be given a serial number and accounted for) that holds X votes. Also a printout should be presented to you so you can verify your votes.

if any issues show up then you
1 count the info from the plates
2 count the info from the voter "chits"

and then deal with any problems as needed (good luck tampering with all three counts)

of course then we will need to deal with the Vote Early Vote Often problems in some areas but...

Re:an outline for a secure voting machine

[JDG1980]

1 have as little of the OS loaded as possible 2 the OS image should be on a readonly image (with the image FIXED no later than 14 days before an election) 3 the poll info should be on a separate image (also readonly)

For such a simple application, why use an OS at all? Wouldn't it make more sense to run on bare metal on a microcontroller?

Re:an outline for a secure voting machine

[RobertLTux]

well if you could get all the bits crammed into a microcontroller then yes but even a simple (like win95 level) OS could work the point here is to have as little as possible running (so no Network Stack at all).

Re:an outline for a secure voting machine

Metal plates?

I was just thinking that the machine should be pre-loaded with a unique random number for each vote. Store the voted ballot in the machine, with the random number part of the ballot.

Print a receipt with the random number on it.

Post the votes and the random numbers online. Anonymity is preserved, because you just have random numbers next to votes. You don't have timestamps, the polling place, or any other data. When the random numbers and ballots are dumped from the machine to the server (the machine is not connected to the net while voting) the polling place data are not preserved. That's about as anonymous as you can get; probably more anonymous than paper ballots.

Voters can then verify their votes online by keying in the random number.

Oh, BTW, anybody attempting to enforce contracts in their .sig agrees to pay my attorney for reviewing the contract. He charges $500/hr, minimum 1 hr for each contract reviewed.

Re:an outline for a secure voting machine

well if you could get all the bits crammed into a microcontroller then yes but even a simple (like win95 level) OS could work the point here is to have as little as possible running (so no Network Stack at all).

Definitely could not be from Apple as they often have to change a shipping OS because of some flawture that they overlooked eg the original Mac would reboot if the clips to be pasted were stored at an address beginning with 0.

Re:an outline for a secure voting machine

QNX yo mean

Re:an outline for a secure voting machine

[fgouget]

the voting screen should have a hash of both images on a "rail" at the bottom so that both can be verified at random

That's like asking a suspect whether he is guilty and believing him when he says no.

Re:an outline for a secure voting machine

[RobertLTux]

One should be able to assume that the hash would be also published in say a newspaper (also in the event of a problem somebody could open the machine and then run the hashes as a check)

besides i said OUTLINE details would need to be sorted out.

Re:an outline for a secure voting machine

[fgouget]

One should be able to assume that the hash would be also published in say a newspaper

Irrelevant.

(also in the event of a problem somebody could open the machine and then run the hashes as a check)

Can only happen after the election, in other words, too late.

besides i said OUTLINE details would need to be sorted out.

The devil is in the details. There are researchers working on this and they have not yet found even so much as a theoretical solution.

Re:an outline for a secure voting machine

[randyleepublic]

You are chasing a chimera.

No verification?

[hendridm]

they could not be guaranteed to be safe from tampering [...] and they could not produce a printout so that votes/results could be double-checked.

Well, whose dumbass idea was it to leave that out of the spec? This is voting we're talking about. It's ALWAYS scrutinized.

Yes

Not because they can be compromised.
But because they cannot be proven uncompromised.

Hi!

This is very old news. These machines were on track to be scrapped as they are crap and open to corruption. Move along.
BTW, I'm Irsh. nice to meet you!! Paper trail place. Any Socialist Republicans left in the world - yay!

Re:Happy Friday from The Golden Girls

Troll sucessful! Down periscope.

Repurposing e-voting machines?

[oneiros27]

At the very least, all of the e-voting machines that I've seen have touch screens. I would think that someone could be able to get these for pennies on the dollar, and find a way to use the parts to build kiosks for other purposes.

The CPUs might not have the necessary power for much, but if it's just a lookup & display system, it shouldn't require much.

Re:Repurposing e-voting machines?

[Nethead]

I would think that someone could be able to get these for pennies on the dollar...

It sounds like someone did.

Re:Repurposing e-voting machines?

[bussdriver]

You must have no experience with government. Their easiest way out would be a gov auction like we sometimes have - problem is you have to be setup to do those to make them worth it and by the time we have enough junk to do an auction the gear has been sitting around for years - making computer gear kind of useless.

Then there is all the oversight and paperwork involved in doing anything. There is always some official wanting to flex their oversight muscle to show they are protecting the public and since they are most likely crooks they are looking for easy examples to distract from the real stuff they are pulling.

Politics: if something is a failure it is preferred to destroy all evidence of the failure rather than allow some wiseguy investigating and pointing out in detail what went wrong ("how dare they tell us how and why we failed!" the deciders all have such egos they never can handle critiques.) Security often means covering your own ass.

Re:Repurposing e-voting machines?

[oneiros27]

You must have no experience with government

I've worked as a contractor for the federal government for the last 8 years, I've been a municipal elected official for the last 4 years, I was chief election judge for the same municipality for 4 years, I did two years of contracting for a state government, and I interned for three summers in high school with the DoD.

So, I actually *do* know how these things work ... and all it really takes it one person who knows what they hell they're doing to get these things straightened out.

In my case, the location that I work has an 'excess warehouse' ... which, given the right person to sign off on the paperwork, I've been able to go down there and acquire old computer equipment to repurpose in different roles. (one of which required me going through the higher up 'I can't believe they still have this stuff around' shelves to try to find a working 21" CRT monitor that met certain size & weight distribution requirements)

Given the right people to do this, you could have those things repurposed and placed into government buildings for people to figure out which floor they need to go to for different issues; what courtroom for specific cases; card catalog lookups in libraries; etc.

Re:Repurposing e-voting machines?

> I would think that someone could be able to get these for pennies on the dollar, and find a way to use the parts to build kiosks for other purposes.
If you read all the way to the bottom of the article, the last sentence says:
> A condition of the contract is that two electronic chips in each machine, which hold information on how the equipment works, are destroyed.
If you're willing to buy 7500 of them, you could probably get an equivalent system new for less than the cost of replacing the ROM/flash.

The question is...

[darkshadow]

could one construct a Beowulf cluster of these?

Secure and anonymous

[ColdCat]

Secure and anonymous at the same time is the challenge.
And as every actual technical solution will be always worse than paper.
Better stay with paper

1 bug in machine=all people vote suspicious
1 "bug" in paper=1 paper ignored

Why did they buy 7000?

Why did they buy 7000 of them instead of just two or three for testing purposes to figure this out?

Bet you 70,000 euros...

...that the state of South Carolina is the one buying them at a discount. Voter accuracy? Pshaw. What do we care?

Re:Bet you 70,000 euros...

[fiannaFailMan]

...that the state of South Carolina is the one buying them at a discount. Voter accuracy? Pshaw. What do we care?

You owe me EU 70,000. The machines are being shredded, as explained in TFA.

Thanks for the memories Bertie

The voting machines are former Irish Prime Minster Bertie Aherne's baby. I remember him in 2002 chastising those in parliament who were distrustful of them, he was almost angry that people would have the temerity to question The Machine. Unlike Bertie's economic policies, this thankfully never lived long enough to do any damage.

Why not print SAT style bubble-sheets?

I'm wondering if we are being way too technical in our solution. How about a machine that translates your touch-screen choice into a printed page representing your vote like on a school style bubble test. So you put your choices in the touch screen and the machine prints a page that has the list of candidates and a bubble next to the one you chose. It can be clearly verified that the bubble appears next to the choice you made. Then you put this into the same style reader that is used in many places today. The paper copy is easily verified by the voter, recounts are possible, and it relies on basically existing technology.

Re:Why not print SAT style bubble-sheets?

And it offers exactly zero benefit over having voters directly fill the bubble on an optical scan ballot, while adding the cost of an extra computer (typically touchscreen equipped) to every voting booth*. And it introduces the possibility for people to load evil software on the vote-printers that flips one in ten votes -- some people will notice, and when they redo it, it works right, they assume it was just a mistake on their part. But some people won't notice. Sure, you can make it secure, make sure nobody can load custom software, rigorously test the factory software, etc. -- adding even more cost to protect against a vulnerability that you just added for no bloody reason

*Note that my polling place has something like 4 or 5 voting booths -- each one a simple folding table with a triptych privacy screen and a felt-tip pen -- and one optical scan machine. So, while the ballot-printing machines may be much cheaper than the scanner, there's still many more of them -- it adds significant cost for no benefit.

A new low in arithmetic?

"all 7,000 will now be scrapped for €70,000 (just over nine Euros each)"

To all those who though "WTF, €10!" and didn't bother RTFA, it's actually 7500 machines at 9.30 Euros each and the total is close enough ;)

Re:Happy Friday from The Golden Girls

[chilvence]

Try 'up periscope'!

What a waste

I'm sure some US precincts would have paid at least 10 EUR for them!

Oh boy

[fiannaFailMan]

There are times when I wish I could change my /. username.

Re:Oh boy

Well, go on then, do it!

Vote by Mail

[elliott666]

I think the problem here is the approach. I live in Oregon in the US and we have a vote by mail system. I get my ballot in the mail and then when I have time I sit down with my laptop and a glass of wine and slowly go over the thing, looking up all the ballot measures on my computer. I have three weeks to do this in. I have never had to make a special trip into a voting station and I'm glad, it sounds like about as much fun as going to the DMV or something. My point is, electronic voting? Screw that. Vote by mail.

As for the issue at hand. If it ain't open source I ain't trusting it.

Re: Chad?

[rnturn]

Texas and Florida are probably submitting bids at this very moment.

Elections are a bad idea...

[snemiro]

I think things would be much more independent if people is just elected by national lottery numbers.... No campaign, no fundraising, no bribes, no sponsors, low cost..... Maybe the difference would be amazing....to have normal avg people in power positions....senate.....etc....

Re:Elections are a bad idea...

Go and read Philip K. Dick's "The Solar Lottery" :-)

Worthwhile use...

Wouln't a few counties in Florida want them?

double-checked, so they do

[Hognoxious]

The requirement for double checking wasn't part of the original spec. It's just that Irish people end every sentence with "to be sure, to be sure".

Wow

70,000 / 7,000 = "just over nine"

7 grand each?

[rastoboy29]

Do the math.  That's horrible.

I suppose they're out of warranty...

But the thing is...how could they ever be worth that much money?  I mean, even if they worked--why not just use paper and save 54 million euros?

Re:7 grand each?

[tbird81]

But then the suppliers, who happen to be quite good friends with the people in charge, would not have had the chance to make 53.95 million euros.

The Robinson Method

http://www.paul-robinson.us/index.php/2008/10/25/the_robinson_method_a_really_simple_way_?blog=5

Time after time I post this up, in any article about problems with electronic voting, everybody either ignores it or poo poos it - what exactly is the problem? It should work, costs very little (a tiny fraction of the current voting system, since counting is done in seconds), and can be made virtually fraud proof.

The US uses easily hacakble voting machines..

[BlueshiftVFX]

Why scrap them when the US would be happy to have them.

But they are computers.

But they are computers, they would have served a better use
unlocked and given to 7000 computer science students.

Voting machines are easy.

[tbird81]

I've just whipped up a quick mockup in PHP. :-D

The problem was...

...they bought the machines from America, and for some reason the Irish Republican Army kept winning.

Of course Ireland has no need for the machines

Why hack the vote when you can have the people vote again and again until you get the "right" result, at which point, the voting stops (example: Ireland's EU referendums).

Voting Machines Features are Different in Ireland

[billstewart]

It's not so much that they need to have English and Gaelic instead of English and Spanish - it's that the US machines' "Change to vote to Republican when nobody's looking" option means something a lot different there.

Requirements were Political, not Accountability

[billstewart]

The US voting machine contracts were given to politically connected companies after the Republicans got a lot of flack for the 2000 election vote counting failures. Accountability and Auditability were very much not requirements - they didn't want paper trails that could be audited and recounted. Speed of deployment was a requirement, and sloppiness wasn't viewed as a problem.

And while Las Vegas slot machines have a strong house advantage, the way the Republicans provided a house advantage in Ohio in 2004 was to use complicated voting machines that had to have a lot of parts to be useful, and somehow the machines in the Democrat-leaning inner city precincts didn't have enough parts to open the polls on time or keep up with the 1-2 hour-long line of voters on a rainy election day, while the Republican-leaning suburban districts had lots of working machines and no waiting. (Oh, bummer, we can't find the customized power cord! Or the cable that connects the monitor to the base, or the part of the stand that shields the voting from view when you're using it,. or we don't have a long enough extension cord to plug half the machines in to the other side of the school cafeteria because the nearby electric socket isn't rated for enough amps, or whatever.)

Also, with Las Vegas slot machines, if the casino decides that the machine malfunctioned and gave somebody a huge jackpot when it wasn't supposed to, they can declare the result to not count and not pay the sucker\\\\\\ customer.

Voter ID Republican Talking Point

[billstewart]

Sorry, Mr. Republican Talking Point, but that's a bogus issue, which the Republicans have been using to exclude poor and old legitimate voters who tend to be Democrats. You've probably noticed that in most of the US, you have to sign your name in the book when you vote, and there are poll watchers from both major parties watching the voters sign in, and if more than one person shows up claiming to be a given registered voter, the second one notices it.

Yes, fraud is possible, and some dead people probably still vote in Chicago, because it's Tradition, but your party's poll watchers haven't identified more than a few cases a year in the decades they've been doing this. Furthermore, it's easy enough to audit after the election - you can take a random sample of records from people who showed up to vote, contact the registered voter and ask whether they voted, and what polling place they voted at, and if they say they didn't, check whether it's their signature.

Also, you Republicans are supposed to be the party that opposed big intrusive government, so why are you trying to make everybody carry ID?

Technical Issues vs. Market for Voting Machines

[billstewart]

A friend of mine had a voting machine startup company in the early 90s. It failed, partly because of the usual reasons startups fail, but largely because they couldn't find enough of a market for highly secure tamperproof voting machines. (The Republicans fixed that problem in the early 2000s, creating a market for insecure tamper-friendly non-auditable voting machines developed by politically well-connected big companies, but a decade earlier there just wasn't a market.)

I don't know how secure his company's machine was - he was much better at sales than at technology or management, and he wasn't well-connected to the crypto community who did a lot of research into voting machine issues after the 2000 election, but it was probably at least comparable to the old lever-based machines we used back East for decades, and in spite of having some connections to the political establishments in a couple of states, he couldn't sell them.

The crypto researchers identified a bunch of requirements for secure voting, many of which are hard to do simultaneously. How do you combine auditability with voter anonymity? Can you do it in a way that ordinary non-math-geeks can understand or trust? You need a paper receipt so the voter can check it themselves later - but you need it to not show the votes so a briber or bully who told the voter how to vote can't verify it themselves. Can you audit the vote totals without having all the receipts from the voters? If there was fraud, can you fix it without violating voter anonymity?

Voting against Grammar Nazis

[billstewart]

Technically, both of them can. "affect one polling place" works a lot better, of course, and is almost certainly what the original poster meant.

But in a sufficiently badly designed electronic voting system, one fraudster could in fact "effect one polling place", instantiating it from scratch, creating fictitious voters and audit records, and get its votes included in the district-wide totals. Back in the old paper-ballot days, you'd have to show up at the Elections Clerk's office with a stuffed ballot box and paperwork showing that it was from South Nonexistentville or from Precinct N+1, with a lock on it that would open with the Elections Clerk's key (or probably the Any Key), and it would be easier to do if several people were colluding, but an insider with credible fake paperwork might get away with it.

Why Ireland rejected US voting machines

[billstewart]

The problem wasn't just the incompetence - it was that the "Change the Vote to Republican if Nobody's Looking" feature was designed for the US, and "Republican" means something much different in Ireland.

Re:Why Ireland rejected US voting machines

[dbIII]

I didn't want to make the americans respond with kneejerk tribalism backing either side and gettign offtopic so I gave them the out of incompetance (I'd say it was both incompetant and criminal anyway). I'd say they'll be a good book or two in the Diebold stuff in a few years.

US elections are more complicated

[billstewart]

They may not be as complicated in most places as they are here in California, where we typically have half a dozen ballot questions in addition to the candidates, but for instance in the most recent election (which was a primary, not the general election), my ballot had President, Senate, Congress, State Senate, State Assembly, County Supervisor, a couple of judges' districts, two state ballot questions, and a couple of local ballot questions and bond issues. (Local governments and school boards are non-partisan, so they weren't in the primary, and while the judges are non-partisan, there were a couple of vacancies that needed to be filled.)

So yeah, the system used by most first-world parliamentary governments is much simpler and more trustable, but it's not likely to work here.

Re: Chad?

[HArchH]

More likely Chicago.

Re: Chad?

[company+suckup]

No, that would be Ohio.

On-line voting

[__aaltlg1547]

I was thinking something similar... taken a step farther... if the system registers that the voter voted against one system, and the actual vote group to another system, with no correlation data between the two available, it would be reasonable to have online voting... would just need to ensure that both the registration that the person voted, and the record of the vote are separate... give the voter a token, that can be checked against their own vote record, but doesn't tie that token to their id, or that they have voted.

Once we go to on-line voting, it will solve everything. The NSA already knows how you intend to vote. You don't even need to bother logging in, they'll do it for you. Verification of their totals will be via contracts to Facebook and Google.

Re:

[davide+marney]

Is IS possible to secure an election. The things that make an election secure are: 1) Everything must take place in the open, 2) There must be a strong chain of custody of election equipment and materials, 3) All election equipment (not just voting machines) must be verified every time before use, and 4) Results must be stored in multiple formats by multiple parties.

Everyone is focused on voting machine security, but that is only one link in the chain. It's like focusing on just the PC to provide security against viruses and spam. In any distributed system, the entire ecosystem needs to participate in making things secure.

Re: Chad?

Sorry, Florida is now using the Fisher Price version of the voting machine. The square blocks and triangles in the correct slot just work better.

Re:Voting Machines Features are Different in Irela

It's not so much that they need to have English and Gaelic instead of English and Spanish - it's that the US machines' "Change to vote to Republican when nobody's looking" option means something a lot different there.

Some sort of logic bomb, obviously.

Solved It

Just give voting machines new types of hard drives made with "write-once" media. Associate a chain of custody with this hard drive and enact criminal penalties for failing to maintain the chain of custody when moving it. Because it's "write-once" media, and because the chain ensures nobody has a chance to secretly take some serious hardware to modifying the drive, we can rest assured the votes counted off this hard drive are the votes which were cast. Randomly distribute to each voter two IDs. One worker without access to the votes can check voter names against the first ID. A second poll worker can count votes and make sure there is only one second ID number for each set of votes. A third poll worker can then independently verify the count by cross-checking the first ID and the second ID. At no point is a voter's name associated with a vote.
^----This is it. This is the electronic voting system they've been trying to come up with.