Virginia Scraps Electronic Voting Machines Hackers Destroyed At DefCon

Following the DefCon demonstration in July that showed how quickly Direct Recording Electronic voting equipment could be hacked, Virginia's State Board of Elections has decided it wants to replace their electronic voting machines in time for the gubernatorial election due on November 7th, 2017. According to The Register, "The decision was announced in the minutes of the Board's September 8th meeting: 'The Department of Elections officially recommends that the State Board of Elections decertify all Direct Recording Electronic (DRE or touchscreen) voting equipment." From the report: With the DefCon bods showing some machines shared a single hard-coded password, Virginia directed the Virginia Information Technology Agency (VITA) to audit the machines in use in the state (the Accuvote TSX, the Patriot, and the AVC Advantage). None passed the test. VITA told the board "each device analyzed exhibited material risks to the integrity or availability of the election process," and the lack of a paper audit trail posed a significant risk of lost votes. Local outlet The News Leader notes that many precincts had either replaced their machines already, or are in the process of doing so. The election board's decision will force a change-over on the 140 precincts that haven't replaced their machines, covering 190,000 of Virginia's ~8.4m population.

Let's face it

[mwvdlee]

Despite the ongoing efforts of all political parties; democracy is too important to entrust to for-profit organizations.

Re:Let's face it

[TWX]

Don't use the computer to take the voter input and then generate a paper receipt, use the paper ballot with on-site optical scan to record the result that the voter marked on the paper. If you want to get 1980s-fancy, implement an on-ballot print technique that puts one pattern of ink dot next to each entry that the voter filled-out correctly, and possibly another next to those that the voter did not fill-out correctly (like those pick 3 entries for county commissioners etc, or where the voter left the field empty) in case later manual review is necessary. Could even go so far as to generate serial numbers on the now-scanned-and-printed ballots, where those ballots that had issues have their serial numbers noted for manual review if necessary (ie, at a minimum if the voting is too close to call for some particular initiatives) and for that serial number to be machine-readable in the future (ie, also helps the computer know the ballot is already scanned, so that it doesn't tally multiple times if scanned multiple times). We had this technology with optical-scan "scantron" forms for school tests from at least the 1980s, if not the 1970s, so this should not be a hard thing to do.

If an election goes well then board of elections can perform a small audit, looking at perhaps a few polling places to confirm that the paper matches the electronic, and then perhaps a random sampling of ballots at other polling places, and then pat itself on the back. If an election goes spectacularly badly, the board of elections can hand-tally each and every paper ballot if necessary, because they were human-readable when marked by a voter. The ballots, not the computer, is the official result of the election. The computer merely helps speed-up the process of counting the results.

Re:Let's face it

[Curunir_wolf]

The city of Richmond replaced all their touch-screen voting machines 3 years ago. The replacement? Paper ballots and scanners.

As an election officer, I prefer the paper ballots. Easy to track and easy to recount when necessary. I trust the system a lot more than the old touch screens. What's wrong with paper ballots? It's just as fast getting voters through and counting is actually easier.

Re:Let's face it

[Sique]

There is a fundamental problem with e-voting.

If we look at the conditions of a fair election, we have certain criteria to be met. Elections should be fair, meaning that voting should be no undue burden to each of the voters. Elections should be free, meaning no one should be able to force you to vote a certain way. Elections should be equal, meaning, that each vote counts the same, votes are not tampered with, and no additional votes should be added (e.g. ballot stuffing or changing invalid votes into valid ones).

The problem with e-voting is that it can't warrant free and equal at the same time. If voting is free, no one should be able to know how you have voted, and you should not be able to keep any proof how you voted. Because if you could prove your vote, a "voting enforcer" could either pay you if you provide proof to have voted correctly, or punish you for not having the proof. For e-voting that means that there should be no electronic or physic trail from a vote back to you. On the other hand, there has to be proof that all valid votes have been counted, no vote has been tampered with, and no additional votes have been added to ensure the equality of votes. How do you keep track of immaterial entities? You can't sign them with the voter's key, otherwise they aren't free anymore. If you sign them with another key, how do you ensure that this key is not used to add votes? And how do you ensure that the votes are really counted the way they were cast? And how do you watch the count? One important argument why to use computers in the first place is to speed up the counting process. I disagree. Counting should never be faster than the watchers can count.

It takes a team of specialists to go through the code of the voting application itself to ensure it does only what it is supposed to do. And the Underhanded C Contest shows how easy it is to hide side effects within code. And this only looks at the application itself. It doesn't even look at the operating system or hardware tampering. Who does audit the millions of lines of code for the operating system and the billions of transistors on today's processors and RAM chips?

Having people watching the sealing of the ballot box and people watching the ballot boxes during the voting process until the seal is broken and the votes are counted by hand, and then the resealing of the boxes and the transport to the central voting office together with the counting tabs, and then watching how the final tab is counted does not require any specialist knowledge.

Manual counting only in Norway last night

[Terje+Mathisen]

Here in Norway we just had a general election last night:

Just 2-3 weeks ago Jan T Sanner, the minister with responsibility for elections, decided that every single vote had to be counted manually, including all early voting ballots. Previously those votes had been counted using optical scanners but with the news about how hackable most voting machines have turned out to be, he decided that we won't trust them.

Voting booths closed at 21:00 and the trend (our current prime minister will almost certainly get another 4 years) was immediately clear even though many of the details were less settled. This is mainly due to our voting setup with 169 representatives from 19 counties, where each party is supposed to get a total number which corresponds as closely as possible to the total vote counts, but with a cutoff of 4.0%: If a party gets less than that they will not get any of the final 19 slots which goes to the parties which have gotten too few direct representatives.

This morning at 07:00 we had passed 95% of total votes counted and a couple of the smaller parties had just managed to lift safely above the 4.0% cutoff point, so now the result is for all practical purposes final.

The key idea is that in all countries with "one person - one vote" the effort needed to do a full manual count (which is actually a dual count and verification) is exactly proportional to the size of the country, so it should be just as easy to do this in the US as in Norway!

Terje

Re:Manual counting only in Norway last night

[TheRaven64]

That doesn't sound right. As I understand it, Ireland has a Single Transferable Vote (STV) system. Under STV, you count all of the first votes, and if no one wins outright then you eliminate the least-popular candidate and redistribute their votes to their second choice. If there's still no clear winner then you eliminate the least-popular remaining candidate and redistribute all of their votes to their second choice if they're still there or to their third choice if they aren't. You repeat this until someone has 50%. You never dump all of the votes out, you only redistribute them from the least-popular candidate.

There are other problems with STV, including some quite odd failure modes. For example, if you have four candidates, A, B, C, and D and 30% vote ABCD, 25% vote CBDA, 24% vote DBCA, and 21% vote BCDA, then candidate A will win. B is eliminated in the first round (because he receives the fewest votes) and all of his votes are redistributed to A. Now A has 51% and so wins, in spite of being there last choice for 70% of the electorate, and B never gets to see any of the second-choice votes in spite of being the first or second choice for 100% of the electorate. Of course, the same problem happens with first past the post, but there you don't have the information required to know that it's happened.

There are some variations on STV that avoid these corner cases, but they make counting harder.

Re:Why americans don't care?

[NoNonAlphaCharsHere]

We use first-past-the-post voting, for a single representative, which Duverger's Law tells us inevetably results in a two-party system. In other words, the two-party problem is systemic and isn't going to go away simply by wishing it would, or especially, by voting for some quixotic can't-possibly-win third-party candidate, on the theory that that will somehow change things.

Re:We had paper ballots here in Virginia Beach

[hey!]

I have a theory why some districts may prefer voting machines to electronically scanned paper ballots. Voting machines make it possible to manipulate election results without actually hacking the machines themselves. You just have to hack the wait times in districts unfavorable to you. Lest that seem far-fetched, note that studies have shown that waits in minority-dominated precincts are on average almost twice that of white districts.

For the price of a single voting machine you can put up a dozen of those cheap pop-up voting booths. This means the marginal cost of scaling up an overloaded precinct's capacity is extremely low. I live in a state that uses scanned paper ballots, and the voting places have so many booths that in 45 years of voting I've never had to wait more than five minutes to vote -- and that's for checking in with the elderly volunteers. There's always free booths, no matter how heavy the turnout.