Schneier on Security
A blog covering security and security technology.
« Weakest Link Security |
| Totally Secure Classical Communications? »
December 14, 2005
Leon County, FL Dumps Diebold Voting Machines
Finnish security expert Harri Hursti demonstrated how easy it is to hack the vote:
A test election was run in Leon County on Tuesday with a total of eight ballots. Six ballots voted "no" on a ballot question as to whether Diebold voting machines can be hacked or not. Two ballots, cast by Dr. Herbert Thompson and by Harri Hursti voted "yes" indicating a belief that the Diebold machines could be hacked.
At the beginning of the test election the memory card programmed by Harri Hursti was inserted into an Optical Scan Diebold voting machine. A "zero report" was run indicating zero votes on the memory card. In fact, however, Hursti had pre-loaded the memory card with plus and minus votes.
The eight ballots were run through the optical scan machine. The standard Diebold-supplied "ender card" was run through as is normal procedure ending the election. A results tape was run from the voting machine.
Correct results should have been: Yes:2 ; No:6
However, just as Hursti had planned, the results tape read: Yes:7 ; No:1
The results were then uploaded from the optical scan voting machine into the GEMS central tabulator, a step cited by Diebold as a protection against memory card hacking. The central tabulator is the "mother ship" that pulls in all votes from voting machines. However, the GEMS central tabulator failed to notice that the voting machines had been hacked.
The results in the central tabulator read:
Yes:7 ; No:1
This is my 2004 essay on the problems with electronic voting machines. The solution is straightforward: machines need voter-verifiable paper audit trails, and all software must be open to public scrutiny. This is not a partisan issue: election irregularities have affected people in both parties.
Posted on December 14, 2005 at 3:30 PM
• 103 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Diebold: Shame! Shame! Shame!
Line up the jokers who signed off on this stuff and pink them.
Electronic ONLY voting is the future. Paper backup is NOT realistic.
The right to have your vote be private is YOUR RIGHT. Allow people to exercise their right and publish their vote if they want.
A simple check "Publish my vote".
1,000,000 votes and 100,000 of those "published" with the matching voter information.
It would allow you to Statistically check the results. The 100,000 votes should be in line (within a percentage) with the rest of the 900,000 "Unpublished" votes. If they are not you could investigate further and find out why.
"If they are not you could investigate further and find out why."
The problem with a lot of these DRE systems is that no investigation is possible. Votes can be changed undetectably. So unless there are stronger mechanisms to detect vote tampering after the fact, this solution won't get us anywhere.
We already have exit polls, which are used as evidence of vote tampering in many countries -- but ignored in the U.S.
Exit polls are just the word of the people doing the poll and the people giving the answers.
What I am talking about would look like this;
voter 602:Adam #1 Yes #2 yes #3 no
voter 603:Did not disclose: #1 Yes #2 No #3 yes
voter 604:Bruce #1 Yes #2 yes #3 yes
voter 605:Did not disclose and on and on
Publish these results so you and I can see our votes being counted correctly.
Crunch the numbers and you would be able to see how statistically valid they are. If they break a certain percentage, investigate, find out why, and if necessary redo the election.
By the way I do like your essay on the voting machines. I disagree with your stated reason #2;
"Anonymity. Secret ballots are fundamental to democracy, and voting systems must be designed to facilitate voter anonymity"
I do believe the Right to Anonymity is fundamental to democracy, but the individual should have the equal right to not be anonymous if they choose.
I believe Anonymity is what makes it so easy to fix voting results.
AG: A secret ballot is necessary to avoid coercion. For instance, if my employer can verify that I voted for candidate X, then they're now in a position to threaten to fire me if I didn't, or even to threaten to fire me if I chose to keep my vote secret. Making the actual link between identity and vote secret at all times, even if the voter wishes their choice to be publicly known, is essential for a healthy electoral system.
"Crunch the numbers and you would be able to see how statistically valid they are. If they break a certain percentage, investigate, find out why, and if necessary redo the election."
I understand what you're saying. Again, in many of these systems, no investigation is possible.
Also, people voting for different parties are demographically identifiable, and certain demographics may be more or less willing, on average, to make their vote public. So even in a system without fraud, the public vote percentages wouldn't necessarily correspond to the actual percentages. A democratic voter in a heavily republican precinct, for instance, would probably be less likely than a republican voter to make their vote public.
Also, my employer coercion scenario applies just as much to famialial pressure. If your husband threatens to beat you, or your mother threatens to never love you again, if you don't make your vote public, then your vote is no longer a free vote.
Anonymity is very important, and it needs to be manditory.
Otherwise, vote buying is far too effective (at least with anonymous votes, you can be "bought" but not actually vote the way the person paying you wants).
The whole idea of mechanical/electronic voting machines is completely foreign to me. It breaks one of the most basic laws of creating a robust system: Limit the complexity.
While in the navy we kept using ancient technology such as paper carts and signal flags even when we had much more modern equipment, simply because the old equipment was tested, worked flawlessly and, most important, could not easily fail. They could burn all our computers, but we could still navigate.
I see no need for a voting machine. It makes a critical system more vulnerable by introducing complexity. Here we have been handling the voting in the same, tested, manner for many years:
You take a paper (pre printed or not), mark or write down whom you vote for (and which party) and then you place it in an envelope. The envelope is placed in a (transparent) box and you are ticked of at a list. Then all votes are counted, first unopened (to ensure that the same number of votes are present as people that have voted), and then opened. The counting is arranged so several different persons count each vote, until the result is correct and verified. Volunteers do the counting, but anybody can ask to monitor the process. It would take several persons working in unison without anybody else noticing to change the counting. Each of the major parties always has a representative monitoring the counting. The results are reported (by a normal telephone) to a central office that tabulates all results.
The result is a robust system that is very hard for a single person or a small group to manipulate. The ballots are stored for later recounting. There are checks at each step, making it possible to monitor the progress of your vote all the way.
The system is also a representative system, but we do not have the winner-takes-all functionality of the American system that can make small changes in the votes give huge effects on the outcome. Instead it's (more or less) true majority. This helps to make it more resistant to manipulation.
So, why does America want electronic voting at all? What are the advantages? I think it can be worth 6 hour of work to count the votes by hand and get a robust system, as voting is one of the most important controls in a democratic country. The cost is negligible. The only real advantage of voting machines is speed, but what good is speed if there is a risk that they don’t get it right? Waiting 6 hours for the result is not such a pain.
@AG: publishing votes directly would enable vote buying. im not sure you really want to do that. as it is, you'd have to simply take the word of the person coming out of the polling booth, which makes it kinda pointless.
"The right to have your vote be private is YOUR RIGHT. "
I fail to see how a paper backup violates privacy.
Assume I e-vote. As part of the process, the e-vote machine prints a scanable paper copy where each candidate is listed and the box next to them is blacked out or not based on vote, no id markings on the paper ballot. Possibly a checksum/hash based on a programmed key by site, and a number printed on the form to avoid 'carry-ins'. The process is: you e-vote, hit done which prints the form, visually verify, and hit 'OK' or cancel to accept/try again. Drop paper vote in box on way out, just like N million paper voters do today.
Think todays optical graphite pencil based readers/ballots used in many paper ballot locations (a commonly accepted level of privacy vs. audit) with some site and election specific checksums to limit carry-ins.
Why does this not work? Answer several people want maximum privacy with maximum audit, not real world. Or they want long distance over the net anonymous e-voting with audit, not easily real world.
E-voting at a polling place is possible (IMO). Is it possible that the paper trail will not match the e-vote totals because someone switched the printed paper ballot for one in their pocket? Maybe. It is theoretically possible, has (IMO) low probability and several work arounds to limit opportunity may exist (like the checksums). If the paper ballot is 'the vote' and the e-vote total is a handy shortcut unless recount, it probably provides a reasonable level of privacy vs. audit.
What did I miss?
You said: "Electronic ONLY voting is the future. Paper backup is NOT realistic."
You're kidding, right?
What is it about electrons flowing through channels in silicon that makes it inevitable? (I assume that when you say that it is "the future" you mean that it is fated to happen.)
I'm being quite serious, please tell me what your chain of thought is here.
The problem I see with the audit system proposed by AG is that selecting the audited votes from those who choose to be published is not going to result in a statistically accurate cross section of voters. What you are measuring there is the number of people willing to have their vote published, not the larger pool of voters. If the sample used for the audit is anything but random, that can be used to explain away any discrepancy.
Couple that with the fact that a true random sample will often have a margin of error of =/- 3% and you have an unreasonable reliance on a system with no accurate audit trail.
Can AG provide some additional support for the assertation that "Paper backup is NOT realistic"? It seems to have worked pretty well over the past 200+ years of American presidential elections.
It is hard for people outside the US to understand why a pure paper ballot without all of the technological crazyness cannot be done. The manual count with representatives from each of the parties is something that scales surprisingly well and is VERY hard to rig.
The problem is that in the US, elections are a LOT more than just electing the president/vp, a senator and a representative. There is a gazillion of choices, so voting itself doesn't scale too well. Maybe a two tiered system where the important decisions are done on a paper ballot with only minimal choices and the multiple choice exam is done electronically if one choses to do it.
What you propose is more or less how voting and counting the votes happens in Finland. It is simple, realiable, and very fast - and since all counting happens in parallel, counting the votes in US-elections should not take more than 3 hours (in Finland we usually get most votes counted in an hour).
As a systems architect, I cannot see any reason for using any other method.
"Electronic ONLY voting is the future." ??
Does electronic voting gain greater convienience?
No, voting is only done once every few years, any you still enter a booth!
No, obviously, as per Bruce's post.
(You've got to be kidding)
So, there is no compelling reason, unless you're a politician getting kickbacks from Diebold et al.....
Frankly, I'm highly disappointed that electronic voting machines are not subjected to at least the same scrutiny as slot machines that are run by the state.
Is it riskier to be possibly coerced or to keep blindly accepting the results of elections?
What I firmly believe we learned from the 2000 elections... no one has ever really counted the votes.
"Electronic ONLY voting is the future. Paper backup is NOT realistic."
Why? I think that my vote is important enough that it SHOULD be covered with paper backup. What is wrong with that additional step? Why shouldn't it be allowed?
It's simple, you use an electronic voting machine. It prints out a sheet showing how you voted. No barcodes, just clean, easy to OCR text. You verify this sheet. You then put the sheet in a sealed ballot box. If there are questions about the election you open the box and count them by hand, or optical scan or... If there are no questions then the ballots are destroyed.
It's simple, it's effective and it guarantees your right to vote.
Now, please explain why you feel that electronic only ballots are the future?
If you think they're easier to count then that equates to easier to rig. If you think that they're faster to count then while that is true, most British results are in within 24 hours. All hand counted, all done on paper. Why can't that be scaled up for America... When needed... with my suggestion you only need to count by hand if you have questions.
It is the Swedish system, so it doesn't surprise me that it is similar. And as it obviously scales very well up to 9 million users and is distributed I don't see any reason why it shouldn't scale another factor 10. Almost all work is done at the local level.
There are rather frequently additional questions, which are handled like an additional, separate vote (separate paper in a separate envelope) for each question. While we are not quite as happy in ballots as America is it works well with 6-7 separate votes, and I can't see any reason why it shouldn't scale up, beyond the obvious problems with voter interest.
For those who want to view the whole depths of just how bad our election system has become, I suggest checking out the following book from John Conyers,
"What Went Wrong In Ohio:
The Conyers Report on the 2004 Presidential Election" (
@Student, I understand what you are saying and I really think it is more of a psychological thing in the US than anything else. Americans LOVE their gadgets. There is no reason why people should think manual count takes forever, but they do. You mention millions of votes need to be counted and people start thinking weeks and innacurate numbers. What they don't realize is that a distributed algorithm like what is sanctioned by the UN for voting in third world corrupt countries that don't have the highly evolved American sense of Democracy. Not only scales well, but also is very accurate and cheat proof.
It takes as long to count the votes as the slowest poll station. And regarding accuracy, you have each of the observers count the votes and if there is a disagreement you count them again until all the reps agree. Very simple. Can you compromise one polling sation? Maybe. Two polling stations? Harder. Three polling station? Probably someone will spill the beans, too many people involved, and even then it is a miniscule percentage of the total vote. Then put the votes back into the urn, seal it with triple seals and ship it back to the wearhouse. If they want a recount, or a statistically valid sample check, they can do that with minimal effort.
However, I don't think this will happen any time in the near future. It is beyond what people can understand, and anyone pushing for this would be ridiculed by the press and all the special interests, with minimal effort.
On the plus side, eventually, there will be a safe, secure, electronic voting system.
I emigrated here, and don't want to have to do this twice.
Vote buying, paper better than electronic, etc
I don't think you really understand what I am saying.
Today there is no proof your vote has been counted... ever.
There is proof TODAY that every major election in the US has been tampered with to some degree.
I say we need a system that shows us how much tampering is going on.
With paper no one can verify the results without employing the people that probably mixed up the results to begin with.
I say know that we are creating an imperfect system. But also, allows us to throw out the results if they do not jive statistically.
"""If they are not you could investigate further and find out why."""
Maybe because whatever makes people vote a certain way will also influence whether or not the tick the "publicise me" box?
I don't quite understant yout comment on privacy. Why would I vote in the first place if I didnt want to "Publish my vote".
Anonymety is very important in voting, and I think a closed system is a much greater threat to that than a cardboard box filled with paper ballots.
Paper is slow, expensive, unreliable, and cannot be made tamper proof.
Electronic is fast, reliable, expensive, and when correctly designed can be tamper proof.
I think we are agreeing... but the other side does have some great points;
History has shown that publishing your personal information with your vote(Your name, address, etc) can get you harassed, fired, beaten, tortured, or even killed.
@AG I think you are wrong. With electronic voting you have few people able to make big impacts. With paper voting, you don't have few people able to make big impacts, but you do have few people able to make little impacts.
I much rather have a little wrongdoing that can be detected. I prefer a good enough system, rather than a utopia of perfect that will not happen in a long time. Sometimes, the old methods are just good enough and there is no need to add a quantum processor that uses entanglement as proof that it was not tampered with.
"Paper is slow, expensive, unreliable, and cannot be made tamper proof.
Electronic is fast, reliable, expensive, and when correctly designed can be tamper proof."
Nothing is tamper-proof. The politicians clearly don't want their ability to tamper with the vote removed. Paper or digital, the vote can be hacked by those in power. I like the verifiability of paper, at least if those votes are destroyed, there's smoke to be seen. :)
"Electronic is fast, reliable, expensive, and when correctly designed can be tamper proof."
Computers work very differently in your world than they do in mine.
For a proper audit trail, you need the data stored in several places, preferrably in several different formats, and with several different checks and balances on each, preferrably stored in redundant places. There isn't a specific need for the audit trail to be on paper, but it does need to be a different system of storing the data, preferrably one that is hard to change after the fact.
My idea: Preferrably you store your data in a different format in each place, and it should always contain a sequence number of some sort. A hash of each format is stored in both places, as well as the data for one side. The hash of each format should not be identical to the other hash (ie: mixed up entries, different padding data which could be unique to each election/state/county/polling booth, etc). Each place the data is stored then should match the other somehow, and tools could be easily developed to check the hashes and possibly even 1-1 vote mapping. Please note however that no specific details of the voter are actually recorded, so while the erronous votes are tracked, the users still remain anonymous. On paper, you could store the data in a barcode (eg: PDF417, which can store over 1k of data), as well as a textual printout of the voting results. As stated before though, there is no reason the output has to be paper, but does give the voter the ability to see their "vote" as such, and by using a barcode allows faster verification of the results.
I personally think that the voter should always be given something (a token) that confirms their (electronic) vote, and this is then handed in and put into a different box. It could be a per-user memory card that then gets dumped into another box, a piece of paper or even a laser etched piece of plastic for all I care. The main thing here is that the voter gets a part in the audit trail.
Also, by giving the voter a token (of sorts), you can even allow them to change their vote before they leave the polling booth. The simply go to a polling representative after they cast their (problem) vote and say "I'd like to change my vote - what I have here isn't what I wanted." They hand over the vote token, and the polling representative lodges their vote as "cancelled" (simply records the details for later), and gets the voter and the polling representative to sign a form saying that this is the case. They then get the voter to vote again (using whatever means they have to give them access to the voting machine). This provides accountability.
The only significant flaw of paper ballots not shared by e-voting machines is the possibility of badly marked or ambiguous ballots. All we need to fix that is a better voting machine.
A reasonably designed paper ballot can be read by all kinds of different hardware. If you have doubts about company X's machines, recount the vote with company Y's. If that doesn't settle it, count the ballots by hand. If some third party doesn't like the results, let them recount the vote themselves, on their own equipment, with appropriate supervision.
Why use the most reliable mechanism as the backup? Make the paper ballot the BALLOT.
machines need voter-verifiable paper audit trails
I disagree. Machines need human-readable verification methods. Meaning any disconnect between what it handed in and what is counted means you can't backtrack to determine original intent. Additionally, flimsy paper receipts will make recounts a nightmare.
Here in Loudoun County, VA, we use an optical scan system which allows for instant machine-handled tabulation but provides a way for me as a voter to look and verify I indicated my intent correctly and for any recounts to be done by hand against my original indications.
"So, why does America want electronic voting at all?"
Obviously, the goal is automation, taking the humans -- especially the voters -- out of the process.
The ruling party will back any manufacturer who can guarantee the system will deliver for the ruling party, allowing it to make itself the permanent ruling party.
"Here in Loudoun County, VA, we use an optical scan system which allows for instant machine-handled tabulation but provides a way for me as a voter to look and verify I indicated my intent correctly and for any recounts to be done by hand against my original indications."
Optical scan machines are the most reliable machines we've got right now.
Thanks for the reply AG, but I think others have adaquately responded to your reply.
I do agree with them, rather than you. I think Stuart Young's response illustrates why; he proposes a relatively safe, but exceptionally complex system of codes and tokens. (Nicely done Mr. Young!) That elaborate system is, well, more elaborate than marking pieces of paper and counting them.
Voters can understand and trust what they see: bits of paper. Securing bits of paper, counting bits of paper, and verifying bits of paper is easy, and is understood by everyone.
A sufficiently well-armed 8 year old could successfully handle all aspects of securing, counting, and reporting a vote. A small team of 8-year old observers would be sufficent to veryify its accuracy.* So long as this was occurring in paralell, simultaneous tampering with all of the human vote counters, or even a significant number would be infeasable.**
*5 year olds could be used in a pinch. See Peter's Evil Overlord List, item #12: "One of my advisors will be an average five-year-old child. Any flaws in my plan that he is able to spot will be corrected before implementation." See: http://www.eviloverlord.com/lists/overlord.html
**I noticed that you mentioned that "With paper no one can verify the results without employing the people that probably mixed up the results to begin with." While this is true, massively parallel vote counting is still too difficult to _consistently_ tamper with. This is why recounts help, and why electronic recounts are not terribly useful.
@thunar123, I believe you attributed AG's words to me in your post above. Please see the previous post for my disagreement with them :)
i agree with "student" and the others supporting paper voting. nobody has questioned the fairness of that since 1960 and we have better systems to manage paper voting now.
i believe we've already had rigged elections, the votes for president in 2000 and 2004, max cleland losing his senate seat in georgia, etc. in 2004, exit polls in three or four states besides ohio showed kerry ahead, but they went for bush, the reverse phenomenon was not observed.
anonymity is overrated in elections. i remember reading a column, william safire i think, calling for all votes to be public. it made sense to me, i'll tell anyone who asks whom i voted for. the bogeyman of vote buying is insubstantial, at least on a national level.
here in oregon we have vote-by-mail, easy, convenient, unhackable.
I think we are agreeing... but the other side does have some great points;"""
I don't think so.
I think electronic voting is just "gadgetitis".
I think low-tech (paper, pencil, lots of warm bodies counting/checking) is __MUCH__ better.
"publishing" your vote opens a few interesting attacks. The ones already mentions are vote buying and/or coercion.
The other one is voting for A, then _claiming_ that you voted for B and using the published vote as 'proof' that the system is crooked.
A system that would allow you to vote anonymously, but verifiably, would be so complex that most people couldn't understant it and therefore wouldn't trust it.
What problem exists with HB pencils and thinly sliced dead trees that all this technology is supposed to fix?
A pointy stick is a tool. It does nothing by itself but makes digging holes easier. The electronic voting machine by itself solves nothing. It is a tool. We need to find out if it's the right tool for the job, and so far it's in question. Until it functions properly it needs its own support by authentication with paper, which pretty much nulls the idea of the machine in the first place. It's a gadget.
I'd like to see the results if folks put the same effort into hacking paper elections.
> anonymity is overrated in elections. i remember reading a column, william safire i think,
> calling for all votes to be public. it made sense to me, i'll tell anyone who asks
> whom i voted for. the bogeyman of vote buying is insubstantial, at least on a national level.
Maybe in parts of the U.S. at the present time. However, there are plenty of examples historically that would indicate that letting your vote be known is a bad idea.
In 1932, the Nazi Party won 13,745,000 votes which gave them 230 out of the 608 seats in the Reichstag. Now imagine if that vote was not secret.
I imagine there would have been a few more guests at the "internment" camps.
As Bruce pointed out on an earlier thread, you want your security to be non-partisan... ideally, you're protecting yourself from whoever is in charge now, and in the future.
Hint: Why have the machines count the ballots?
The only acceptible use, in my view, for an electronic voting machine is to make it easier to produce clean, countable, paper ballots.
You go to the machine. You stab the buttons, touch the screen, whatever. You hit the big blue done button. A paper prints. You read it.
If the paper agrees with what you vote, you fold it in half, bring it to the tellers, and drop it in the box. That's your ballot.
If the machine fails to agree, you go to a judge, who marks the ballot as fouled, and then drop the paper into the shredder. At this point, you haven't voted. You go back to that machine, or another one, and do it again. For those wondering, serial numbers on ballots is an incredibly bad idea, but counting the number of sheets in and out, and using special paper, isn't. (You want to prove that a ballot is a valid ballot, but you do not want to be able to prove that a ballot is a specific person's ballot.)
Scrutinizing the machines becomes much less important, because the machine don't make the votes, or count the votes (I'd pay close attention to the paper and ink, of course.) You can easily have spares about, because they're basically just layout programs with printers and a pretty interface.
I keep hearing "We need to scrutinize the source." I have this computer. I have no console access, just this voting interface. How do I know the scrutinized source is installed? I can look at a paper ballot and determine if it is true or not. I cannot look at a running machine in a polling station and find this out without comprimising the election (and getting arrested.)
With the paper *being the vote*, and the machine just a way to reach that, you can make every voter a potential auditor. You still have count fraud problems -- but it's vastly easier to fake a register (or read it wrong) than it is to misread dozens of clearly printed ballots, esp. if two-man rules are adhered to.  If it comes to a recount, having clean, well printed ballots makes determining the intent of the voter much easier than punched ballots, and vastly easier than via a computer. The computer may be programmed to lie. The computer may just be broken, and lying unintentionally, but either way, if there is no physical ballot -- not recepit, ballot -- there's no way to confirm what the vote was. You either disenfranchise everyone who voted on that machine , or you accept the fradulent count .
Thus: Electronic voting is fundamentally broken. I can count paper with a machine, then by hand, then with a different machine. With an electronic counter, there's this register that I have to trust was correctly incremented -- and that it didn't get blammoed by a power drop or a cosmic ray, and that it won't get blammoed on a readout.
Voting has to be *vastly* more reliable than email.
 There's a certain point where you cannot make a secure system. This is known as "The guy declaring the victor has more firepower than you." He gets one vote. You get none. No amount of electronic or paper ballot technolgy will fix this problem.
 'Amazing how many of Smith's best districts machines failed, isn't it?'
 'Gosh, lucky for those seven million votes from North Dakota, otherwise, I would have lost by ten percent!'
jammit says: "A pointy stick is a tool. It does nothing by itself but makes digging holes easier. The electronic voting machine by itself solves nothing. It is a tool. We need to find out if it's the right tool for the job, and so far it's in question. Until it functions properly it needs its own support by authentication with paper, which pretty much nulls the idea of the machine in the first place. It's a gadget."
I agree here, but I can see the reason. Counting votes on paper, especially with people counting the votes, takes a terribly LONG time. The idea behind voting automation is to speed up this counting process. This can then be verified "after the fact" by slower processes done with other tokens (eg: paper) that could not have been tampered with in the same way as the original data. It should not stop the original processes for verification, just provide a faster result, that can always be checked for correctness later.
What other method can insure that the electronic results have not been modified other than using a paper trail?
Have the electronic voting machine print a paper ballot that the voter can check and then require the voter drop it into a box. The paper ballots can be compared to the electronic results for a statistical sample of voting locations.
It is not enough to have the voter verify the vote via a paper receipt. You have to insure that the count is not changed after the voter leaves.
Erik V. Olsen says: "The only acceptible use, in my view, for an electronic voting machine is to make it easier to produce clean, countable, paper ballots."
This is sort of what I was getting at with my original post. Of course, it'd be nice to use it to get fast election results (see previous post) as well, but that's an off-shoot (at least until the system has proven itself over time), and would always be contestable via auditing (counting the paper/tokens). My first post basically just went into a lot of detail on how I'd implement such a system.
Note to non-American readers:
US elections are more complex. In my town, when we voted for President, we also voted for: the local city council, the mayor, two levels of state representatives, district attorney and state attorney general, a governor, lt. governor, a US congressman and senator, as well as nearly 20 ballot initiatives. There were 15 pages on the ballot - marked with a pencil, read optically. In California, they can get over 100 ballot initiatives per election.
It is highly unwieldy. Do other countries have separate local elections?
I forgot, we elect sheriffs too. In most of the US, the sheriff runs the jails and law enforcement for people who have either already been arrested, or are wanted for civil charges (owing money - sheriffs are the ones who handle evictions).
"A 'zero report' was run indicating zero votes on the memory card. In fact, however, Hursti had pre-loaded the memory card with plus and minus votes."
So, if I read this right, Hursti pre-loaded a total of 10 votes: +5 "Yes" and -5 "No." The algorithm seems to be: add up all the votes and ensure the total is zero.
Wouldn't it be much simpler, and more efficient, to examine each count and ensure it is zero?
Where's that 5-year-old advisor when you need one?
@Mary: "Do other countries have separate local elections?"
Yes, in Canada federal, provincial and municipal elections are held independently. We don't vote for any form of law enforcement, and there are rarely any "initiatives" (by which I assume you mean questions on general issues).
How do I know the scrutinized source is installed?
I can look at a paper ballot and determine if it is true or not.
I still want to see the source code and examine the hardware the system uses and the paper used for the ballot.
Because (in theory) you hack a printed ballot system.
You could make a machine that print two results.
The first spot is the one you see and verify, but printed in disappearing ink (fades with time/exposure).
The second spot is initially invisible, but printed with reappearing ink (appears with time/exposure).
You could do the same sort of operation by pre-printing the paper ballots but prefilling spots on the paper that will not hold ink or that will chemically fade a mark on the spot and other prefilled spots on the paper printed with reappearing ink (appears with time/exposure).
You could create a holding/counting machine that includes preprinted ballots in a secret compartment which are then exchanged for the real ballots on a one-for-one basis - the count will still be correct, but the results will differ.
Is that expensive, difficult, and unlikely - definitely. But I still want the an open system - software/firmware, hardware, expendibles (ink, paper). I want them to be available for examination before, during, or after the election.
But even in theory, this sort of tampering is harder to accomplish and easier to detect than any electronic ballot option.
I think purely electronic ballots are a bad idea.
Paper is definitely the way to go.
Mary says: "It is highly unwieldy. Do other countries have separate local elections?"
In Australia there are usually only 2 or 3 things to vote on. Usually:
Member for the House of Representatives
Member for the Senate
Member for Local Council - occasional (if it happens to fall around the election period - not guaranteed)
Referrendums - rare (eg: Does Australia want to become a republic)
For the House of Representatives, we use a preferential system. You get a list of names for your area (seat), and you place 1 to x values in ALL the boxes (never seen more than about 9 myself), in your order of preference. Any errors, misnumbering or blank sheets are not counted.
For the Senate we have 2 ways to vote (on the same form):
Vote above the line (by party). You only need to cross one box, and you rely on the party you are voting for to handle preferences.
Vote below the line (by candidate). You can end up with easily more than 60 boxes which you have to fill in preferentially. That is, you have to fill in every box with a number between 1 and x. This gets horribly tedious, but a must if you don't agree with where your appointed party is assigning their preferences.
PS: This is all from memory. I don't think I'm wrong, but it's possible.
The idea behind voting automation is to speed up this counting process.
Another selling point to voting machines is that they are supposed to improve accessibility for differently abled people.
Waitaminnit. Preloaded the card? Has anybody heard of format, checksum, write all zero? How freakin' long does it take to format a flash drive?
Just a comment and a question regarding anonymity...
Various people have touted anonymous elections as being an important (or mandatory) part of a democratic election (and I agree, in principle), but it seems to open an avenue of abuse... In an anonymous and optional voting system, how do you ensure that no one votes at two different polling places on the same day?
The Australian system is anonymous and mandatory... because of its mandatory nature, each polling place keeps a list of names of people eligible (and registered) to vote in the area, which is marked with attendance (note that anonimity means that your subsequent vote doesn't actually have to be _valid_)... the attendance checklist leaves a paper trail to catch people who voted twice (including absentee ballots, postal ballots, and ballots placed outside your district), as well as people who didn't vote.
There are ideas about using markers to mark the person's body (back of hand, usually?), but I'm sure most people here could quickly think up at least three ways to beat that system. I guess a token based system, like oregon's vote-by-mail makes a lot of sense. There's still the issue of allowing people with no fixed address to vote, but even Australians can dodge the election (for a while) by not registering to vote.
"In an anonymous and optional voting system, how do you ensure that no one votes at two different polling places on the same day?" - Troy
I think the anonymity we require here is anonymity of what you voted for, not who is voting.
Coercion works is a factor when other people know what you voted for, but does very little if all they can find out is whether you voted or not.
"Waitaminnit. Preloaded the card? Has anybody heard of format, checksum, write all zero? How freakin' long does it take to format a flash drive?"
Welcome! I can see you're new here.
I *suspect* that the idea is to have a central machine pre-setup each card so that the card can out to a specific vote-counting device, loads its results, and then bring them back. The idea would be to ensure that the card/contents that went out are the same that came back in.
That's the idea. Apparently its not the implementation.
Troy's description is right on the money.
In Australia, we have an ink graphics core embedded into a 'writing stick' instrument. Using the 'writing stick' or 'pen', the voter marks their vote on the ballot paper, which is then inserted into a sealed ballot box.
"The officials at each polling place are supervised by an officer-in-charge. Their work can also be observed by scrutineers - people appointed by the candidates who have the right to observe the sealing of the empty ballot boxes before the polling place opens and watch out for any irregularities in voting procedures that might disadvantage the candidate they are working for.
After the voting finishes at 6.00 pm, each polling place becomes a counting centre where the ballot boxes are opened and officials sort the ballot papers according to the first preference votes. Again, scrutineers are permitted to watch and they have the right to challenge any ballot paper they believe is informal." [Informal = donkey vote, scrutineer = 1 person from each political party. Scrutineers are not permitted to challenge voters.]
IIRC, 3 people count each vote.
While it is law that voting is compulsory (the fine is ~$100 if you don't vote unless you have a reason), you really only need to turn up to a polling station and get your name marked off.
This setup is standard at every polling station in Australia.
Secure, accountable, anonymous, easy, with results by 8pm. No flash cards, compiled code, network connections, optical scanners, chads, moving parts, or hanging chads. Works pretty well.
your conclusion does not logically follow from your premise.
"[T]here are plenty of examples historically that would indicate that letting your vote be known is a bad idea. In 1932, the Nazi Party won 13,745,000 votes which gave them 230 out of the 608 seats in the Reichstag. Now imagine if that vote was not secret. I imagine there would have been a few more guests at the 'internment' camps..."
i don't believe there would have been a reich at all if the brown shirts had to wear name tags above their shirt pockets. voting is a public act fraught with responsibility, but as yet no accountability due to anonymity. anonymity nurtured national socialism in its larval and pupal stages before it gained the critical mass where it could erupt. there would actually have been *less* guests in those camps if they had existed at all.
to remove the slightest trace of risible irony from this post, i don't mind disclosing my real last name here "murdock" as if dhs couldn't figure out who i was anyway. en garde!
"This setup is standard at every polling station in Australia." - Pauld
Heheh... apparently not quite...
In the 2001 elections, 80 polling booths (I don't know how many venues that translates to... perhaps 6 or 7?) in the ACT used an open-source electronic voting system with no paper audit trail (to reduce costs).
Interesting to note: One of the companies in partnership with the deal pulled out prior to development, the tender was actually awarded on April 19th, but the company still managed to develop the system in time for it to be tested and audited in time for the October 20 election, and cost less than half a million $AUD including hardware!
It seems that someone in California wants to do the same... I love the quote from a "computing expert" on page 2:
"A crappy open-source system that can be modified readily is no better than a closed-source system. In fact it could be worse," she said. "When you have open-source software, people can modify it and change it however they want."
Because of course, you're going to download the code from a random page on the internet saying "This code has already been checked, no need to certify it before installing on your system".
Or perhaps I'm forgetting the mystical property for open source software to be changed by random people after it's been certified, compiled and installed...
"Electronic is fast, reliable, expensive, and when correctly designed can be tamper proof."
So far, evidence has shown that electronic vote tabulation is fast, UNreliable, expensive, and so far, there has been little interest in making sure that it is correctly designed - and less interest in making sure that it is tamper-proof, as long as it appears to be.
With all the polling station talk you kind of start wondering about the security of the rest of the system.
How are the counted totals send from the polling stations to something more central? If the answer is "by phone", then does everyone remember the story of las Vegas hotels and or escort services or groups like that? They claimed their telephone calls where inexplicably redirected to their competitors. Do telephone poles get barbed wired during election time? Are telephone switches more secure since the Mitnick days and is employee screening improved at telco`s? (Not that screening will help, if you are after an election you dont want an accomplice with a record or bad reputation now do you? if only for the double crossing risk.)
Of course the paper record that is send trough a rightfully trusted channel after the results are phoned in is religiously triple-checked for every polling station even though this is a very boring glamorousless job (Its already known who won) that just always results in records matching... right? Even after lots of money has been spend on voting machines and cutbacks are going on everywhere else... right?
There are the stories of a (married?) couple of white people dressed as hippies (sans beard/long hair/sandals though) waving banners praising Kerry for his homo and abortion friendly policies in a predominantly religious black district, and driving away in a big SUV after being asked to move. There is little doubt that there is the perceived risk of people from whatever organization playing dirty in the US.
Looking at the company that is accused of stock fraud, has higher ups being openly partisan to the point of vowing to bring a candidate a victory in a fundraising context, has cheated at certification, uses way to complex hard and software (I mean MS access? my free pocket calculator can count and doesn't overflow at 64.000!), needs its own compiler and interpreter and sells ATM's that spontaneously turn into nothing but windows media player based jukeboxes... well looking at them is a sensible first move.... but there are other risks you know. You can't plan a diversion that perfect though.
For the record, my stance:
- Vote secrecy? worth fighting for! If not for the baseball bet wielding criminals then for those whose many neighbors go around the neighborhood/church/school proudly (patriotically?) showing of their proof of vote without explicitly saying they expect you to do the same. Just like last time when someone else wasn't quick enough to explain he didn't tell them how he voted out of principle. he got shunned for a year for not supporting the troops/fight against evil corporations/fight for tuna free dolphin.
- Internet voting? worth fighting against! The attack scenario I liked. Big scary guys with a wireless Internet terminal going door to door, maybe just happening to be offering coupons for free stuff on the side.
- Expecting plain paper to work is reasonable. If there is a problem with it, trying to fix it would seem like the smart thing to do first. How about more counting volunteers to speed things up? (isn't this cheaper than Diebold latest, greatest and shiny-est at this point? What are the part costs of a big LCD touch screen, a windows CE license and the processor to run this on?) Everything but paper is at best gatgetitus of the shiny& colorful kind, or at worst corruption. (There is a least something wrong with machines this expensive being this popular)
- Siplicity, of papertrails and elsewhere? who would have thought that explaining people that engineering stuff as simple as possible is smart could be this complex.
Australia has 10% of the population of the US, and significantly higher literacy rates. What works in one place may not necessarily work the same way somewhere else. Australia has consistent voting laws and requirements across the whole country. The US has different regulations, practices and supervision in different states and even counties. In Australia, everyone answers the same questions at an election - "Who do you want to represent you?". There may possibly be a referendum question as well - like "should the head of state be a middle-aged woman in a country on the opposite side of the world?" but even then, everyone answers that question too.
In the US, there may be many other questions put to voters that are irrelevant to the election, but convenient to ask at that time, since they're going to be at the polling booth anyway. These questions vary by location
ACT is not an Australian State - it's a territory that is essentially an adjunct to the Federal government - and anything that happens there is generally treated like a test case (similarly to the Northern Territory which recently had euthenasia laws overturned by the federal government). I find it amusing that between you and Pauld, you managed to quote from the two non-states in Australia.
Troy, I stand corrected.
What I should have said is that the paper ballot/box setup is used ~98% of the time. This differs from the US where some states use Diebold machines, others use optical machines, some use punch cards.
I don't understand the obsession with electronic voting machines. It's a bad solution looking for a problem.
"US elections are more complex. In my town, when we voted for President, we also voted for: the local city council, the mayor, two levels of state representatives, district attorney and state attorney general, a governor, lt. governor, a US congressman and senator, as well as nearly 20 ballot initiatives. There were 15 pages on the ballot - marked with a pencil, read optically. In California, they can get over 100 ballot initiatives per election."
It is this variation that makes the whole US electoral system unscalable and unsustainable in my view. In Australia (my sole area of electoral experience), we have separate Federal, State and local elections. It is incredibly rare to have anything other than the election of those representatives on the ballot sheet. I may be incorrect, but I believe that the only time that this happens is a referendum relating to constitutional change (which requires >66% majority).
It is also ONLY those representatives that we are electing - not their leaders. Out of what you listed, the positions that we elect people into are: a Federal representative for the local area (into the House of Representatives); a few Federal representatives per state (into the Senate); similar things on a smaller scale for each state (in separate elections - often a couple of years apart from the federal elections); local government councillors.
"So, if I read this right, Hursti pre-loaded a total of 10 votes: +5 "Yes" and -5 "No." The algorithm seems to be: add up all the votes and ensure the total is zero."
The algorithm is whatever Husrti says it is. That is the whole design flaw. You would expect they put a non executable page layout on the memory cards where code from the machine fills in the results at the (many and diffrend with every election) right places during printout. That would mean that as long as the results (name and # votes) are in the right order nothing fancy heaponed. (Maybe you could still swap names)
Instead the printoud is done by an interpreted "accubasic" routine that is stored on the memory card without any protection against tampering. This makes the machines very future proof. but it also means you can just put a routine there that reports there are 2600 votes for everyone when there are zero (or -100 or whatever) and that reports cowboyneil has won once the results are printed (regardless of wheither he was on the ballot or not). You can also make the display of the machine read "your so 0wn3d" I guess.
It would be really cool of these accubasic routines also had control over any speakers or mechanical parts of the system. Sadly, undetectably faking results may
convince less people that the machine is broke beyond repair than clouds of smoke and noises ;-)
"I don't understand the obsession with electronic voting machines. It's a bad solution looking for a problem."
You are looking at it the wrong way, it is from one perspective an excedingly good solution.
The man that owns the company that makes these voting machines is (I have been told) a "dyed in the wool" Rebublican, and makes significant campaing contributions.
There is also I understand preasure from the current administration to go "HiTec" ie by these electronic voting machines.
On the face of it it appears to be the usuall "you scratch my back" arangment which I privately call something alltogether different.
At this point it is very much like any other "campain kick in" arangment, however there have been some more worrying things reported.
I have seen several postings around the Inet about analysis of votes cast where these electronic machines are used and where they are not, and there appears from what has been published to be some significant variance. Sufficient it appears to have made sufficient difference to have changed the result of the presidential selection...
Now if the above is true then you realy do have a very very good outcome for one or two people...
- Safe and secure elections.
- Result within a short time.
- Elections with a huge number of items.
You cannot have them all.
Lots of interesting comments here, and a couple borderline silly ones:
The near-silly include "AG's" suggestion that we just check votes by statistical analysis.
If we wanted to do that, why not just suspend voting altogether and simply do polling, declare the winner based on statistical sampling?
Point 2: Where would statistical sampling have come out on President Bush's 300 or so vote margin of victory in Florida in '00?
Final silliness: the suggestion that a book by John Conyers be used to study the Ohio vote in '04! Can that person even pronounce "Agenda?"
>Otherwise, vote buying is far too effective (at least with anonymous votes, you can be "bought" but not actually vote the way the person paying you wants).
The way it works with paper votes is that somebody takes out an empty voting form.
The "correct" vote is marked.
Then the person who sells their vote goes in, leaves the premarked sheet, and brings out an empty instead.
This way the buyer can make sure that they payed for the correct vote (or at least for an invalid vote, but surely not a vote for the oposition)
I see several benefits to an electronic voting system:
1) Elimination of the problem with printing too many ballots (the blanks could be marked up and used to rig the election) or not enough ballots (in which case people show up to vote, and have to cool their heels while ballots are printed/shipped to the polling site. Some give up in disgust and leave.)
2) The ability to support multiple languages (by law where I live some precincts have to have ballots printed in up to 5 different languages), as well as methods used by some disabled individuals (e.g. Braille.) In the USA, the Americans with Disabilities Act mandates voting equipment that is 'handicapped-accessible.'
3) The ability to provide a count quickly, with a minimal amount of human handling of the ballots. If I recall, part of the problem with the 2000 Florida recounting was that each time the ballots were handled, more of the 'hanging chads' separated from the ballots, leading to further confusion as to what the 'voter intent' was. Also, remember that each time humans touch the ballots that 'extra' ballots can be introduced into the count. This would be especially problematic in some of our elections, where questions are on the ballot that special groups have a serious economic interest in (just look at this year's Consitutional amendments for the state of Texas to get an idea of what I am talking about.)
4) Elimination of the 'two votes' problem, where someone (either mistakenly or on purpose) marks two choices on a particular ballot item. This normally results in the person's vote not being counted (as it should, since you can't discern voter intent under these circumstances.)
That being said: I do think that it is paramount that the process be robust enough to provide assurance that 'voter intent' is registered accurately. Paper backup is certainly one method of accomplishing this, but not necessarily the only method (and maybe more than one such audit trail should be used to provide independent confirmation.)
I actually used the eSlate system in the last election, and it was easy enough to use. It provides both paper and electronic audit trails, according to information provided by the Travis County county clerk's office.
The ballot system (whether electronic or paper or whatever) is simply a tool for a person to record their wishes. In the photographic world, we have a saying "It is the image, not the camera, which makes a good photograph." I would say the same holds true for elections: the voting system is a means to reach an end, not the end in itself.
I would question the ability of any particular system to really enforce anonymity if someone is really intent on buying votes. The machine itself can only do so much, beyond that, the buyer can use methods independent of the machine to violate anonymity.
For example, hand you a cell phone or camera with video capability, watch you go into the poll. Then demand to see a live streaming video of everything that goes in that voting booth. Then there goes the voter's anonymity. If the person doesn't comply, they don't get paid, or worse.
@Redbob: "The near-silly include "AG's" suggestion that we just check votes by statistical analysis.
If we wanted to do that, why not just suspend voting altogether and simply do polling, declare the winner based on statistical sampling?"
Isaac Asimov wrote a short story, "Franchise," which took that premise to the extreme: in the story, statisticians would look for one person who represented the views of the US, and the entire voting process consisted of that one person walking into the booth and making his selection. Nobody else voted.
Interestingly enough, apparently Asimov wrote the story after the Univac computer was used to predict the outcome of the 1952 Presidential election, based on statistical information it had been fed (http://www.asimovians.com/bookreviews.php?op=showcontent&id=77)
"Optical scan machines are the most reliable machines we've got right now."
What I don't understand is what more do we need? Or more to the point, what more is there we could do that isn't far outweighed by the downsides?
"The only acceptible use, in my view, for an electronic voting machine is to make it easier to produce clean, countable, paper ballots."
I think it's acceptable to report the electronic totals after the polls close but before the paper count being complete, which provides instant feedback that will in most cases be a good predictor of the true result.
"Isaac Asimov wrote a short story, "Franchise," which took that premise to the extreme"
The interesting thing is that if you choose that person entirely at random, it's a fair system by some definitions, and the only one in which the voter has no incentive to misrepresent their true preferences - ie there is no "tactical voting" in this system.
> your conclusion does not logically follow from your premise.
That depends on whether or not you believe that a public vote would have prevented the Nazis from coming to power. If a public vote would not prevent the Nazis from coming to power, then I think my conclusion is fairly defensible.
> i don't believe there would have been a reich at all if the brown shirts had to wear
> name tags above their shirt pockets.
That's an interesting proposition, but I don't know that you can back it up.
> anonymity nurtured national socialism in its larval and pupal stages before it
> gained the critical mass where it could erupt.
I don't know that this is true. Certainly it's the case here in the U.S. that the more extreme "political parties" (e.g., neofascists and the current iteration of the KKK) make no bones about their membership. Usually the members of these sorts of parties are public and vocal, not anonymous at all.
Of course, I don't know if this was the case vis-a-vis Hitler's brownshirts, but you'd have to present some sort of evidence that they enjoyed anonymity.
Public shaming is not always an effective tool in deterring socially aberrant behavior.
Safire proclaims himself to be a libertarian conservative, and (IMO) one of the weaker elements of libertarianism is that there is an underlying assumption that the human masses always respond to issues following the principles of game theory (ie, there is no free rider problem, people always follow their best interests). This is not always the case.
"I think the anonymity we require here is anonymity of what you voted for, not who is voting."
Both are needed. There are often times in disputed elections when simply knowing that someone has or hasn't voted can be used to intimidate them. Heck, in my lifetime people in the US have been killed for trying to merely register people to vote. And episodes of racially based voter intimidation continue to this day.
The proper role of electronic voting machines is to replace the pen, not the ballot.
That way e-voting can help with accessibilty concerns, etc., while still remaining verifiable. If you want electronic counting as well, have seperate companies make ballot counting machines. In the event of a discrepancy between the voting machine's total and the ballot counting machine's total, hand recount the ballots. And, audit (recount) a percentage of machines at random as well.
"The problem is that in the US, elections are a LOT more than just electing the president/vp, a senator and a representative. There is a gazillion of choices, so voting itself doesn't scale too well."
Good gracious, do we have to go through this nonsense again? It's bullshit. Voting does scale well, if you want it. What does not scale well is electronic voting. This happened in Ohio 2004 and elsewhere: there were simply not enough voting machines in certain counties, and many machines were not functional because of technical problems so voters had to wait for hours or go home and renounce their right to vote. This doesn't happen in paper and pencil elections. Basically, it only happens in the United States of America, apart from poor developing countries which don't have enough resources (and sometimes not yet enough experience) to better organize their elections. It certainly doesn't happen in European countries which use paper ballots.
As to the argument about the many choices in US elections: The Swiss people elect almost every official imaginable, on every level imaginable, plus they vote on almost every law on the federal, state and municipal level. They manage all right, with votes usually every three months. Many other countries have many choices on at least three different levels of government, if not as many as the Swiss. There is no inherent reason why the US among all countries shouldn't be able to have clean and verifiable elections.
"How are the counted totals send from the polling stations to something more central? If the answer is "by phone", then does everyone remember the story of las Vegas hotels and or escort services or groups like that? They claimed their telephone calls where inexplicably redirected to their competitors. Do telephone poles get barbed wired during election time?"
The people doing counts phone in the numbers after having written down the results on a piece of paper they keep in their physical possession. The office that adds up all the numbers publicise the numbers they have added (identified by polling place). Afterwards the counters verify at their leisure that the public numbers match the ones they phoned in.
And pretty much impossible to tamper with without either being found out, bribing all of the counters at some site, or stipulating an adversary with the power to make the counters receive _different_ falsified versions of the offical record of the election.
I figured it out. Get every voter's fingerprint at registration. Store somewhere secure. At election time, cut off a finger corresponding to their electoral choice. Sort the fingers for counting; store for verification. Can be authenticated against the fingerprint database. Only works for one election, unfortunately.
"there is an underlying assumption that the human masses always respond to issues following the principles of game theory (ie, there is no free rider problem,"
Game theory can account for the free rider problem, can't it?
try this link...
The relevant bit is 48:00-54:00 (more or less) of the hour...
The part I found the most interesting is that the American media is just not interested in covering this story.
@another_bruce: "i don't believe there would have been a Reich at all if the brown shirts had to wear name tags above their shirt pockets. voting is a public act fraught with responsibility, but as yet no accountability due to anonymity."
I don't think so. Nazi activists were usually very well known and didn't care to hide their political affiliation. Remember, they fancied wearing those uniforms in public. Maybe not with name tags but they hardly stayed anonymous that way. They used to hold big parades (other parties did that too, and some had uniforms, too). Moreover, the "respectable" conservative and nationalist parties, as well as important parts of the ruling classes and the capitalists, formed alliances with the Nazis - sometimes holding their noses - as soon as they had become a political factor. The President who finally gave the power to Hitler (who was not representing a popular majority) was acting exactly as the representative of the ruling classes. Abandoning election anonymity would only shut out political movements which are unpopular with the ruling classes. There's no reasonable case for that, and the nazis are certainly not a case in point.
"Here in Loudoun County, VA, we use an optical scan system which allows for instant machine-handled tabulation but provides a way for me as a voter to look and verify I indicated my intent correctly and for any recounts to be done by hand against my original indications."
You mean there's a paper ballot? If yes, then I agree it's a good idea.
"US elections are more complex. In my town, when we voted for President, we also voted for: the local city council, the mayor, two levels of state representatives, district attorney and state attorney general, a governor, lt. governor, a US congressman and senator, as well as nearly 20 ballot initiatives. There were 15 pages on the ballot - marked with a pencil, read optically. In California, they can get over 100 ballot initiatives per election. It is highly unwieldy. Do other countries have separate local elections?"
There are countries which have similarly complex systems, but I know of none where all elections are concentrated on one day. Why should you? In Germany, state and federal elections are sometimes on the same day but not in general. There are also European and local elections (municipality, county and district usually on the same day).
Asking voters to decide up to 100 questions in one vote seems crazy to me. The technical difficulty can be solved but I'd be worried about the democratic process - how can you have meaningful campaigns about so many different questions at the same time, and how can you expect even the most effective citizen to remember them all? The Swiss vote up to four times a year, for this very reason.
"Australia has 10% of the population of the US, and significantly higher literacy rates. What works in one place may not necessarily work the same way somewhere else. Australia has consistent voting laws and requirements across the whole country. The US has different regulations, practices and supervision in different states and even counties."
The population size doesn't matter. You have to consider the cost per capita, which is not affected by population size. I think you are right, though, regarding consistent regulations. I find it not acceptable that US voters are treated differently depending on their geographical location. Shouldn't this be obvious?
>That's an interesting proposition, but I don't know that you can back it up.
you are correct. it isn't testable, provable like a mathematical theorem, it's just a conjecture based on underlying concepts i can't rigorously describe, but i damn well recognize when i see them:
right and wrong
shame and conscience
id and superego...
i am not a saint, and it is my personal experience that temptation is muted when i'm being watched, particularly by my friends whose opinion of me i care about.
>Certainly it's the case here in the U.S. that the more extreme "political parties"
(e.g., neofascists and the current iteration of the KKK) make no bones about their membershio.
my guess is they keep a lid on that during job interviews and first dates.
i believe you have mischaracterized libertarian conservatism (that's me), it isn't about game theory. it's about maximum personal liberty and minimum government. it's also about fiscal responsibility, environmental stewardship and peaceful relationships incentivized by the deterrent of a strong defense.
yes, the nazis paraded around in public, but they were in the company of kindred spirits so there was little risk. the day we have to fear the "ruling classes" on account of our votes, we lose the last vestige of our common ground as americans. i'm not sure if i'm a member of the ruling classes, a potential insurgent, or both at the same time.
"[I am] committed to helping Ohio deliver its electoral votes to the president next year." - Walden O'Dell, ex Diebold CEO.
While this is not to say that Diebold machines were/are rigged, the apperance if electoral fairness is rather lacking when the guy who builds the voting machines has 'committed' himself to putting a specific candidate in office. The fact the American people did not run Diebold out of the voting machine business on a rail after that little misstep is of far more consequence to American democracy than the finer points of electoral technology. If the people don't ensure that the voting process is above reproach, there's no point in freting over what technology one uses to move the deck chairs on the sinking ship of state.
> anonymity is overrated in elections.
Bullshit. Ask any woman married prior to like 1960 about husbands expecting wives to vote a certain way or else.
Or ask someone like a Hasid if he'd like the rebbe to know how he didn't vote the way the rebbe told everyone to.
People with power over other people tell them how they should vote; it's just a simple fact. Without anonymity, they will not be able to vote their conscience and it is not "one man, one vote," but tribal voting.
One thing I see missing in this discussion, particularly around paper ballots is the concept of the "scrutineer" - people who are there from the interested parties or candidates who watch the counting. This makes paper ballots counted by hand the *most* secure and accurate methodology. I gather that the Canadians have moved away from this in the past couple of decades, but that's what wored very well there - representatives from each party were present during the day while the elections went on, and observed the ballot box being sealed in the morning, empty. Any chicanery would require the collaboration of people who do not have a vested interest in the chicanery (assuming there's coverage from all parties..) or it could be reported immediately and investigated.
When the ballot box is opened, the ballots are visible to all the scrutineers, and they tally the results independently, reporting the totals back to their party /candidate - this prevents fraud at the central tabulating site, since the vote counts from each poll are known to each of the parties independently.
Could it be hacked? Not easily. Is it more expensive than having insecure electronics? Maybe - it works best with polling stations in the hundreds of people rather than the thousands that seem to be the norm here - but it is verifiable, reproduceable and secure from wide-scale indetectable tampering.
Erik V. Olsen says: "The only acceptible use, in my view, for an electronic voting machine is to make it easier to produce clean, countable, paper ballots."
This is a great one-line summary of the approach advocated by the Open Voting Consortium. To elaborate:
The Open Voting Consortium (OVC) is a non-profit organization dedicated to the development, maintenance, and delivery of open voting systems for use in public elections.
The San Jose Mercury News has written that the OVC system is "The touch-screen holy grail."
Please go to http://www.openvotingconsortium.org/ to learn more.
@another_bruce: "yes, the nazis paraded around in public, but they were in the company of kindred spirits so there was little risk." I don't know what you are trying to say. The point I would like to emphasize is simply that you cannot discuss this question without taking power into account. You say it's a good thing if people are being "watched by friends of whose opinion they care". That is true to an extent, but we are not only watched by benign friends. We are also being watched by employers, by government, by those who have power and who don't want to lose it. Even within families, relationships are shaped by power,as artappraiser has pointed out correctly. Maybe this is something libertarians don't like to talk about. In modern society, anonymity is an indispensable protection for the individual, especially concerning elections.
ok, i give up, for now, i wasn't able to muster any supporters. in the anonymity/security tradeoff i usually support anonymity, but elections are different, and i'm willing to risk the intimidation of 10-20 percent of the voters in return for an absolutely transparent, secure vote count, because public confidence in the result is so very important to our ability to continue to function as a republic. i lost my confidence some time ago, and i fear that we lost our republic under the cloak of anonymity (florida 2000, ohio 2004). once the notion that a president could have illegitimately taken power becomes plausible, never mind proved, a citizen's willingness and ability to function as part of a national community is utterly degraded. we become 100,000 balkanized communities; at least in my community people stand up to be counted on the important things, and we don't wear bags over our heads. i had heard of republics being lost at gunpoint, but as a younger man i would have scoffed at the notion that we could be undone by proprietary software. if i ever get the chance to vote on whether oregon should secede from the union, i'll probably vote yes, i can no longer say with confidence that this union is worth the time, trouble, effort and expense needed to keep it together.
"ok, i give up, for now, i wasn't able to muster any supporters. in the anonymity/security tradeoff i usually support anonymity, but elections are different, and i'm willing to risk the intimidation of 10-20 percent of the voters in return for an absolutely transparent, secure vote count, because public confidence in the result is so very important to our ability to continue to function as a republic."
I disagree with this, but it's not an unreasonable position. I believe some parts of Switzerland have open elections.
And I have argued that the popularity of the mail-in ballot makes vote buying more likely, and we seem willing to give up that bit of security for convenience.
"I believe some parts of Switzerland have open elections."
You are referring to people's assemblies in some Swiss states, called Landsgemeinde. Those assemblies are the traditional, low-tech way of reaching democratic decisions, adequate of course only to very small populations. I think they have now been abolished almost everywhere. There are interesting arguments pro and con. The vote counting wasn't always accurate - try to count accurately several thousand raised hands. On the other hand, some have pointed out the unique experience of people's sovereignity. Of course, women were admitted to those assemblies only about one generation ago.
"You are referring to people's assemblies in some Swiss states, called Landsgemeinde."
Thanks for the info.
Some thoughts from this conversation:
1) I don't think that *any* electronic vote tallying system can be trusted. This includes open source systems.
Why? Because there are too many points to jigger the system - is the software that's loaded on *this* voting machine the correct version? How do you prove it? How about the central tallying point? The communications point between them? Do we have enough genius CS types around to adequately verify the integrity? And what of the next genius who comes up with a way around the system? (hmm.. howabout a hacked video chip that catches the results & changes them to the screen.... the program is performing perfectly, but the hardware's been hacked.. not *that* far-fetched).
2) The core problem here is that there's nobody who has enough of a view for a check/balance system. Someone hacks the ATM and banking networks, there's someone who has enough of a view of the transactions to say "hey - I can see a discrepancy" - because both parties to the transaction sets have complete records, or close enough. In an election, there's a single outcome (for each race/proposal), that takes millions of inputs to come to the answer, and there's not the second trail. Having multiple counting mechanisms (scrutineers - see my note above) gives that check & balance - the various interested parties have their own intermediate results, aggregated by their folks from visible single results, and can check that the summary from each sub-group is valid, and the overall numbers are also valid. No electronic system will provide that - it takes multiple humans observing the same event to provide the balance.
Sorry for the late reply, I only just noticed your question:
"How are the counted totals send from the polling stations to something more central? If the answer is "by phone", then does everyone remember the story of las Vegas hotels and or escort services or groups like that? ..."
In my country (Australia), which uses paper ballots, I don't know if any other methods are employed, but one method is that as results are called in, they are displayed on an indicator board which (along with talking heads commentary, similarly to the US) is broadcast continuously by the national broadcaster (both terrestrial and satellite networks) and every half hour or so on the commercial networks. I think they also do radio coverage. So if such an attack was mounted it would be discovered within minutes unless the attacker could take out all the terrestrial and satellite networks at once.
Even if they did manage to do that, it would be discovered the next mornign when the newspapers published the district-by-district breakdowns; a recount can still be called at that point.
"Of course the paper record that is send trough a rightfully trusted channel after the results are phoned in is religiously triple-checked for every polling station even though this is a very boring glamorousless job (Its already known who won) that just always results in records matching... right?"
Yes, actually it is checked -- and considerably more than triple checked. Note merely a paper total but ALL the actual ballots are delivered to divisional offices under seal for their FOURTH counting. Then under certain conditions there may be a fifth scrutiny. All of these scrutinies, at local polling places and divisional offices, are checked by election officials, scrutineers (who are political party appointees and usually quite eager to find a discrepancy if they are not winning), and sometimes also by academics. Despite all this checking most electorates have a final result by 8 pm -- but the final result is not the end of it! In fact while individual ballots may eventually be destroyed the rest of the records have to be kept forever and quite apart from the scrutineers, various scholars analyse them five ways to Sunday. Most elections result in several academic papers worth of analysis.
Adding "paper trails" and opening voting machine software to public scrutiny is *insufficient* to prevent malicious vendors, or malicious employees of vendors lacking sufficient internal and external controls, from cheating. A malware loader embedded in firmware (e.g., BIOS, FPGA, ASIC), combined with a communications device or hidden data storage (e.g., steganographic encoding) allows a malicious vendor to load any program or data it wishes into its machines during the election. This works even if the voting application and operating system are completely honest and are properly and honestly installed in the voting system.
See my comment at http://www.vote.nist.gov/threats/papers/... for the details.
Computer-assisted voting is unnecessary, expensive, and -- worst of all -- imperils our republic.
The only thing that is going to trump the vulnerability of an anonymous un-voter-traceable-vote is a way to verify your vote, and if it's been altered, have the legal right to correct it. I strongly suspect that vote-flipping or loads of false presets (so the initial count isn't zero) is how voting is being cheated most significantly. Vote suppression is probably the next best and from there, who knows. Vote suppression needs to be handled by LAW. Allocation of voting booths need to be covered by LAW. But nothing protects a vote that the voter can't be sure of how or even IF it was counted. I'm getting beaten up (over at Black Box Voting) for saying that voters should get a legally binding copy of their ballot with an ID number on the ballot, so that they can check how it's recorded and take it back to get it corrected. Read there if you want all the details. But your vote is incredibly vulnerable if you have an untraceable-by-the-voter ballot. I don't see a way around this. I think you can have your country, or you can have your untraceable vote. I'm not saying it can't be anonymous, but it can't be untraceable.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.