Schneier on Security
A blog covering security and security technology.
« RFID as Automobile DNA |
| PS2 Cheat Codes Hacked »
January 28, 2005
Here's a nice little essay about election recounts.
Posted on January 28, 2005 at 8:00 AM
• 13 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
"Unfortunately, there remain a number of states and counties that cannot see the writing on the wall. After all, pressing a button to reprint a "recount" would seem to be the clean and easy solution; if the numbers never change, voting officials can simply claim that the first count was correct and call it a day."
This goes back to the adage "Who is watching the watchers". Generally the writing cannot be seen on the wall since no one (in power) really grasps (or attempts to [due to lack of time, lack of reason, lack of shame]) real world situations regarding man and machine with a twist of chaos. As seen in the software world there will always be bugs and there will always be users that fall through the cracks due to some obscure test case. If anything the applied mechanisms are more of a target to attacks, flaws, and manipulation than the "simplicity" it once was.
Excellent essay. Kudos to EFF. Speaking of making Democracy easier: I think it appropriate to mention America's election process this Sunday in Iraq where many voters are not allowed to know where they can vote or even who they can really vote for. Is there any chance that these elections can be held fairly?
I mean, is there any significance to the fact that the electoral group headed by "interim" Prime Minister Iyad Allawi (the ex-CIA agent) was caught handing out $100 bills to Iraqi journalists last week? http://news.bbc.co.uk/2/hi/middle_east/...
The NYT reported on the 16th ("Rising Violence and Fear Drive Iraq Campaigners Underground") that the United Iraqi Alliance has been distributing election material that says "Our apologies for not mentioning the names of all the candidates, but the security situation is bad, and we have to keep them alive."
At least we can guess that with 75 parties in nine coalitions, elected through proportional representation, just about any candidate with 1/275th of the vote will get a seat.
And while the election might be a huge win for the U.S. military-backed Shias, who look ready to roll into power for the first time since being conquered by the Ottomans, the British, the kings and then Sunni dictators, we might correctly expect the other 30% of the population (Kurds and Sunnis) to either push towards their own independence or contiue armed resistance.
And, if I understand correctly, this complex and controversial election is meant to be quickly wrapped up so it can be followed by a poll held before October 15th to establish a Constitution, with another election before December 15th to choose a new government.
With all of that in the balance, I do not see any open path or even intent to ensure that the voting figures for these elections will be fair.
The EFF article says exactly what you are asking for: electronic vote box recounts often seem to designed to be "easy" rather than "accurate".
The problem with electronic voting systems really should not be much of a surprise to anyone working in software security and trying to get project managers to conform to rather difficult best practices, regulations or development standards, rather than the lure of implementation (e.g. salary, sales, bonus) deadlines.
Even aerospace programs, with everthing on the line and so much to lose, still make fairly obvious and regular mistakes in their code and procedures.
Imagine if Chuck Hagel, ex-CEO of Election Systems & Software, had been flying into space instead of running for public office on the computers his company sold. I suspect there might have been quite a bit more oversight and concern regarding the accuracy of the computations.
Perhaps in support of your argument that things can be done earlier in the process than the paper trail, we could look to Australia's approach, which makes the code for their machines available online. I find it interesting that American companies are allowed to jealously guard their code, not to mention and their financial supporters (e.g. Council for National Policy, the Chalcedon Institute, the Ahmanson Foundation, the McCarthy Group, Jeb Bush).
David Dill, professor at Stanford University, probably said it best when he wrote "Using these machines is tantamount to handing complete control of vote counting to a private company, with no independent checks or audits. These machines represent a serious threat to democracy." (http://www.verifiedvoting.org/)
Americans can thank citizens like him for standing up and fighting against companies like Diebold to force them to finally release a paper-trail system:
Just had a thought. Paper trails are all well and good, but what's stopping manufacturers of closed source systems from putting in a paper trail ... with enhancements? During the real election, the machines print out the paper trails for the voters and drop them into the bin provided ... but they _also_ print out some _extra_ paper trails and drop _those_ into the bin as well (as well as adding the spurious votes to the tally).
Probably comes down to appropriate oversight and having regular audits of the code by election officials. If the checksum of the compiled code on the systems doesn't match the checksum of known good compiled code... Not to mention that fraud of this nature would be much harder to chalk up to human error, and hence wriggle out of fines and jail terms for electoral fraud.
'When Congress passed the Help America Vote Act (HAVA) after the Florida recount debacle, most of us imagined that new electronic voting machines would make the voting process easier. What we didn't anticipate was that some e-voting vendors would make it "easier" by removing the ability to do an accurate recount -- the design equivalent of a CEO making an audit "easier" by eliminating the accounting department.'
The *EFF* didn't anticipate that? Well, what the hell was the EFF thinking? *I* anticipated problems long before HAVA, and I'm not anybody's privacy watchdog.
What's with this reluctance to say, "I told you so"? Is it really more effective to pretend that you they found out about this problem than it is to point out that people have been calling for audit trails from Day 1, and the Ohio results show that they were right?
Ultimately, you drop back to what we have now - each vote is keyed against the voter registration rolls.
It's not any easier to add "extra" paper trails than it is to add extra paper ballots. They still have to ultimately represent a voter in a verifiable way.
But yes - that would be tantamount to throwing out a number of votes for one candidate and replacing them with votes for another. This doesn't (shouldn't) happen because you have bipartisan or impartial parties monitoring what happens with those bins of paper.
Ideally, with an electronic system, the machine prints out a receipt, it's verified by the voter, then it's dropped in a sealed container in the presence of an election official, and thereafter is stored uncompromised. >That
Today's Guardian (http://politics.guardian.co.uk/news/story/0,9174,1401369,00.html?)
has a story on voting fraud in Britain:
The head of electoral administration at the Electoral Commission, is quoted as saying: "If you go into a police station and say 'Someone has stolen my car', they know what to do. If you say 'Someone has stolen my vote' they don't know what to do."
Another thing I should add - even with the system I outlined, it's possible to game the system. I can't take credit for coming up with this, and I don't remember where I read it, but if you program the machine to switch candidates in, say, 5% of the cases, some small but significant portion of those people will simply not realize that their vote has been changed, and the ones that do will chalk it up to random error, or think they pressed the wrong button, or something to that effect.
If you're going to allow a machine to actually make the vote, it helps to be able to see the source code (and also verify that that source code is what's running), as well as have much more accurate ways of voter vote verification. Color coding is probably a start, but any additional effort you put into having the voter verify individual votes means it's less likely that people will get it right.
I have a real hard time with the premise of the article:
"The goal of a recount is to ensure that the voters' intentions were properly recorded and the right person won. That's why we pull out the punch cards and review them for hanging chads, or check optically scanned ballots for stray marks."
I think this is a bogus position which is all too readily accepted. A recount should simply ensure that properly cast votes were actually counted, not the black art of interpreting chads, stray marks and entrails into the presumed intent of a voter.
I certainly agree that electronic voting systems need to help voters cast and accurately record votes. Open source code and paper verifications are good ideas. We should also ensure that voters that want to willfully spoil their vote may do so, such as voting for all candidates when only one choice is 'allowed' as well as including 'write-in' and 'none of the above' choices. We should stop insisting that these people's votes must be interpreted as something other than exactly that.
We have heard about recounts where significant errors occurred, where the votes were not submitted by officials properly or some kind of system error resulted in inaccurate tallying of real votes. These errors can and should be discoverable.
We should also put out attention to reducing voter fraud through the technologies that are being proposed. Today it is far too easy for someone to walk into multiple polling places and cast votes improperly (whether due to multiple registrations in different precincts or due to simple fraud - claiming I am someone I am not). Perhaps digital photos for each voter indexed federally (and securely) to a social security number which is taken during a registration period.
Stuart - I disagree somewhat.
In the case where the automated process can't determine whether a vote was fully punched or not (hanging chad), a human can. That vote is still a vote, and should be counted. Granted, there are gray area of voter intent, but some things can be determined by humans where machines fall down.
The problem in Washington state appears not to be with the recount process, although some want to blaim the hand recount. The problems appear to be in the process of accrurately determining who should vote or not. The process of validating voters appears to introduce more error into the equation than any of the machine errors. Determining whether dead people, felons, or others who shouldn't be voting (e.g., illegal aliens) is a much bigger problem than any of the machine/software problems. Add to this the inaccuracy of humans marking ballots (e.g., double-marking, circling instead of drawing a line, etc) and there is plenty other avenues that also need to be addressed to minimize errors in the system.
Habe you heard of that?
"Stephenson also discovered that Jeffrey Dean, the senior programmer of the Diebold Gems central tabulator system counting a third of the votes in the Bush-Kerry election in 37 states, has a police record. He pleaded guilty to 23 counts of embezzlement involving sophisticated manipulation of computer accounting records."
Online home appraisal here
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.