Schneier on Security
A blog covering security and security technology.
« Voting Technology and Security |
| The Inherent Inaccuracy of Voting »
November 13, 2006
More on Electronic Voting Machines
Seems like every election I write something about voting machines. I wrote this and this in 2004, this and this in 2003, and this way back in 2000.
This year I wrote an essay for Forbes.com. It's really nothing that I, and others, haven't already said previously.
Florida 13 is turning out to be a bigger problem than I described:
The Democrat, Christine Jennings, lost to her Republican opponent, Vern Buchanan, by just 373 votes out of a total 237,861 cast - one of the closest House races in the nation. More than 18,000 voters in Sarasota County, or 13 percent of those who went to the polls Tuesday, did not seem to vote in the Congressional race when they cast ballots, a discrepancy that Kathy Dent, the county elections supervisor, said she could not explain.
In comparison, only 2 percent of voters in one neighboring county within the same House district and 5 percent in another skipped the Congressional race, according to The Herald-Tribune of Sarasota. And many of those who did not seem to cast a vote in the House race did vote in more obscure races, like for the hospital board.
And the absentee ballots collected for the same race show only a 2.5% difference in the number of voters that voted for candidates in other races but not for Congress.
There'll be a recount, and with that close a margin it's pretty random who will eventually win. But because so many votes were not recorded -- and I don't see how anyone who has any understanding of statistics can look at this data and not conclude that votes were not recorded -- we'll never know who should really win this district.
In Pennsylvania, the Republican State Committee is asking the Secretary of State to impound voting machines because of potential voting errors:
Pennsylvania GOP officials claimed there were reports that some machines were changing Republican votes to Democratic votes. They asked the state to investigate and said they were not ruling out a legal challenge.
According to Santorum's camp, people are voting for Santorum, but the vote either registered as invalid or a vote for Casey.
RedState.com describes some of the problems:
RedState is getting widespread reports of an electoral nightmare shaping up in Pennsylvania with certain types of electronic voting machines.
In some counties, machines are crashing. In other counties, we have enough reports to treat as credible that fact that some Rendell votes are being tabulated by the machines for Swann and vice versa. The same is happening with Santorum and Casey. Reports have been filed with the Pennsylvania Secretary of State, but nothing has happened.
I'm happy to see a Republican at the receiving end of the problems.
Actually, that's not true. I'm not happy to see anyone at the receiving end of voting problems. But I am sick and tired of this being perceived as a partisan issue, and I hope some high-profile Republican losses that might be attributed to electronic voting-machine malfunctions (or even fraud) will change that perception. This is a serious problem that affects everyone, and it is in everyone's interest to fix it.
FL-13 was the big voting-machine disaster, but there were other electronic voting-machine problems reported:
The types of machine problems reported to EFF volunteers were wide-ranging in both size and scope. Polls opened late for machine-related reasons in polling places throughout the country, including Ohio, Florida, Georgia, Virginia, Utah, Indiana, Illinois, Tennessee, and California. In Broward County, Florida, voting machines failed to start up at one polling place, leaving some citizens unable to cast votes for hours. EFF and the Election Protection Coalition sought to keep the polling place open late to accommodate voters frustrated by the delays, but the officials refused. In Utah County, Utah, more than 100 precincts opened one to two hours late on Tuesday due to problems with machines. Both county and state election officials refused to keep polling stations open longer to make up for the lost time, and a judge also turned down a voter's plea for extended hours brought by EFF.
And there's this election for mayor, where one of the candidates received zero votes -- even though that candidate is sure he voted for himself.
ComputerWorld is also reporting problems across the country, as is The New York Times. Avi Rubin, whose writings on electronic voting security are always worth reading, writes about a problem he witnessed in Maryland:
The voter had made his selections and pressed the "cast ballot" button on the machine. The machine spit out his smartcard, as it is supposed to do, but his summary screen remained, and it did not appear that his vote had been cast. So, he pushed the smartcard back in, and it came out saying that he had already voted. But, he was still in the screen that showed he was in the process of voting. The voter then pressed the "cast ballot" again, and an error message appeared on the screen that said that he needs to call a judge for assistance. The voter was very patient, but was clearly taking this very seriously, as one would expect. After discussing the details about what happened with him very carefully, I believed that there was a glitch with his machine, and that it was in an unexpected state after it spit out the smartcard. The question we had to figure out was whether or not his vote had been recorded. The machine said that there had been 145 votes cast. So, I suggested that we count the voter authority cards in the envelope attached to the machine. Since we were grouping them into bundles of 25 throughout the day, that was pretty easy, and we found that there were 146 authority cards. So, this meant that either his vote had not been counted, or that the count was off for some other reason. Considering that the count on that machine had been perfect all day, I thought that the most likely thing is that this glitch had caused his vote not to count. Unfortunately, because while this was going on, all the other voters had left, other election judges had taken down and put away the e-poll books, and we had no way to encode a smartcard for him. We were left with the possibility of having the voter vote on a provisional ballot, which is what he did. He was gracious, and understood our predicament.
The thing is, that I don't know for sure now if this voter's vote will be counted once or twice (or not at all if the board of election rejects his provisional ballot). In fact, the purpose of counting the voter authority cards is to check the counts on the machines hourly. What we had done was to use the number of cards to conclude something about whether a particular voter had voted, and that is not information that these cards can provide. Unfortunately, I believe there are an unimaginable number of problems that could crop up with these machines where we would not know for sure if a voter's vote had been recorded, and the machines provide no way to check on such questions. If we had paper ballots that were counted by optical scanners, this kind of situation could never occur.
How many hundreds of these stories do we need before we conclude that electronic voting machines aren't accurate enough for elections?
On the plus side, the FL-13 problems have convinced some previous naysayers in that district:
Supervisor of Elections Kathy Dent now says she will comply with voters who want a new voting system -- one that produces a paper trail.... Her announcement Friday marks a reversal for the elections supervisor, who had promoted and adamantly defended the touch-screen system the county purchased for $4.5 million in 2001.
One of the dumber comments I hear about electronic voting goes something like this: "If we can secure multi-million-dollar financial transactions, we should be able to secure voting." Most financial security comes through audit: names are attached to every transaction, and transactions can be unwound if there are problems. Voting requires an anonymous ballot, which means that most of our anti-fraud systems from the financial world don't apply to voting. (I first explained this back in 2001.)
In Minnesota, we use paper ballots counted by optical scanners, and we have some of the most well-run elections in the country. To anyone reading this who needs to buy new election equipment, this is what to buy.
On the other hand, I am increasingly of the opinion that an all mail-in election -- like Oregon has -- is the right answer. Yes, there are authentication issues with mail-in ballots, but these are issues we have to solve anyway, as long as we allow absentee ballots. And yes, there are vote-buying issues, but almost everyone considers them to be secondary. The combined benefits of 1) a paper ballot, 2) no worries about long lines due to malfunctioning or insufficient machines, 3) increased voter turnout, and 4) a dampening of the last-minute campaign frenzy make Oregon's election process very appealing.
Posted on November 13, 2006 at 9:29 AM
• 54 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
The problems which electronic vote machine in USA are cultural and bad engineering.
There is a side benefit to the Oregon mail in ballot system. You can mail in your vote early, so it changes some of the dynamics of the political propoganda machine. Any "event" in the last days has less impact, and the mass phone bank efforts are less effective.
How can election boards or judges possibly justify refusing to extend hours when the polls open late?
And how could inaccurate vote tallies possibly be interpreted as a partisan issue? If a machine is counting 'wrong' it casts doubt on the entire process regardless of who wins.
I believe they should prohibit party affiliation from being displayed on the ballot. If you dont know the candidates well enough to even know which party they're in, you dont know enough to make a meaningful choice anyway. Heinlein had the right idea.
"If we can secure multi-million-dollar financial transactions, we should be able to secure voting."
We should be able to secure voting. Progress has been slow, for a number of reasons. We haven't done a good job of making a gradual transition. And we haven't done a good job of failing gracefully to tried and true methods.
There is no fundamental block to electronic voting; it's not a similar class of problem as say, making a secure DRM.
PS. Hey bob. Don't tell Eve, but ...
Vote-buying attacks may be "secondary", as Bruce claims. But voter-intimidation attacks should not be considered secondary. A primary goal of the voting system should be to protect the physical security of voters while they mark their ballots.
"The ballot-generating machine generates a ballot paper and an optical scan reader officially registers the vote this ballot paper contains. The voter takes home a copy of the ballot paper for auditing purposes."
It should not be hard, using encryption technology, to print (perhaps in barcode form) a unique unforgeable number on this printout, which can be linked back to the vote cast. The vote, which is attached to the piece of paper, is still anonymous, yet the person, if he/she is suspicious of irregularities, can have an independent party check that the vote has been recorded properly without loosing the anonymity of the vote. I would suggest there are many people out there who would be willing to give up their anonymity if they could irrefutably prove, after the event and in a court of law, that their vote had been recorded incorrectly or not at all!
I agree with Bruce, that there are clearly ways of solving the problem, yet the whole thing seems to be a manifestation of a bigger problem whereby the true voice of the people is being systematically suppressed.
Hee hee. I get the title. "More on electronic voting machines" the same as "Moron electronic voting machines".
They need to get rid of voting machines until they can be sure they can actually be 100% accurate or 99%
Most Florida counties require their elections departments to prepare for "run-off" elections after the November 7th election.
Why not just invalidate the entire 13th district and require a re-vote? There should not be a substantial cost issue.
This doesn't solve the electronic voting machine issue, but maybe it'll solve the 18,000 votes that "disappeared".
@bob "I believe they should prohibit party affiliation from being displayed on the ballot."
I find that thought fascinating, though IMHO it should only be for mail in votes or where there is considerably more time to research the options immediately prior to voting.
@Bruce - your other comment sounded a bit Lean Six Sigma, reducing steps and reducing variability. Since voting is inherently a statistical exercise, has anyone investigated a "designed for six sigma" solution?
A fine outcome would be the "magic guidelines" for what type of voting technology to be used in a particular scenario. For example, a fully exlectronic voting system without a paper trail should only be used where there are n voting machines with a total voting population of y. Each voting machine should have a minimum of y votes not to exceed z. If these criteria are not met, an optical scan method should used. A fully manual ballot system may be used when.... etc.
A lesson to remember is that while the ability to audit is extremely important, just as much effort should be put in place to made the process as "mistake-proof" as possible. Instead of adding multiple checks "down stream" address the issues as far "upstream" as possible.
BTW, has anyone considered (or already being used) actually live process audits with "mystery voters"? Heh, I guess if you count the candidates themselves ;).
Bob’s got it right about prohibiting party affiliation on the ballot. With electronic voting machines, the order of the candidates’ names can also be displayed randomly for each voter. This will even out the effect that uninformed voters cause in my county (i.e. they put an “X��? by the first name in the list).
Washington state has all mail in ballots in all, but 3 counties. The three counties have lower voter turn out. In some of the counties, they actually open drop off centers for the ballots on election day. So, if you cannot make it to the post office, want your vote counted sooner, or what have you, then you can drop it off at one of the centers. Also, the post offices stay open later on election day.
Webfoot is right about the side benefit of changing propaganda techniques. Plus, I like sitting down with my notebook, a cup of coffee, my voter's guide, opinion pieces, and my partner and choosing how to vote in a calm, relaxed atmosphere.
Random ordering of candidates can also be done with paper ballots, e.g. Ohio randomizes by county.
By the way, on NPR they reported that research shows that being first on the ballot is worth approximately 2% of the vote. Apparently, truely undecided tend to mark the first one.
My state of Michigan allows the party controlling the legislature to put their party's candidates first so the Republican candidate was listed first this year in all races.
When we first started voting by mail here in Oregon, I missed the experience of going to the polls: waiting in line with fellow citizens, seeing elderly or disabled folks who obviously put forth great effort to make the trip, and watching the shared faith in the democratic process.
Over the years, however, I've come to appreciate having the time to cast a thoughtful ballot over a cup of coffee in the dining room. I still miss seeing my neighbors on election day, but I'm more sure about the ballot I cast -- which strikes me as a reasonable tradeoff.
I'll also note that, so far, I haven't noticed much of a decline in last-minute television electioneering. I live only a short walk from our county's Election Commission office, and there's a small traffic jam there on election night as people drop off their last-minute ballots. Maybe that'll change over time, but procrastination means that advertising right up to election day will impact at least some voters.
"This is a serious problem that affects everyone, and it is in everyone's interest to fix it."
Agreed 100% Bruce. It needs to be fixed, and now.
However, as an ex-Oregonian I can assure you that VBM is not a panacea. It is surely convenient as you can sit down with the ballot and review all the issues when voting, and take your time doing it. However, as another writer pointed out, there will be more cases of Husband/Wife cohersion than ever, simply because some dominant spouses will insist upon their partner "voting right". Many may even fill out both ballots and demand that their partner sign and validate one they didn't fill out.
So to avoid that scenario we must keep the polls open, but have an auditable and trusted counting mechanism in place.
The Minnesota optical counters are nice (I now live in MN and used one last week) however I still don't know that it interpreted my ballot properly (in the moment) though presumably there is an auditable paper trail (physical ballot) to validate the machine count.
Bottom line, no one should be disenfranchised when voting. At home or at the polls.
Additionally, organizations, groups, or individuals, that employ robot phone dialing programs that direct voters to the wrong precinct house, or that threaten background checks should be punishable by stiff fine and imprisonment.
This is a basic right guaranteed by the US Constitution, not a game of grab *ss.
Everybody should vote, and every vote should count for 1.0000000000000 votes.
So you like sitting down with your partner and filling out your ballots together in a great atmosphere? I've got something better for you...
Announcement: First Faith Church "Vote for God!" picnic Saturday, November 1st, 2008. Bring your absentee ballot, and we'll bring the food. Free daycare. Our helpful volunteers will help you to remember to vote for God's candidates. Special postal pickup!
You don't like that scene? How 'bout...
Announcement: Worker's Union Local 191 Voting Picnic. Saturday, November 1st, 2008. Bring your absentee ballot, and we'll bring the food. Free daycare. Our helpful volunteers will help you to vote for hard-working candidates. Special postal pickup.
Or maybe that's too blue collar for you. Try...
Announcement: Conglomerated Consolidtated company voting picnic. Saturday, November 1st, 2008. Bring your absentee ballot, and we'll bring the picnic tables. Daycare. Our helpful staffers will help you to vote for the right candidates. Special postal pickup.
> "If we can secure multi-million-dollar financial transactions, we should be able to secure voting."
There's another gap here: not all software is created equally. As a veteran of several shops that secure multi-million-dollar financial transactions and having some experience with official election software, I can tell you that the talent and methods used aren't the same for the two.
A 1% commission on a $100MM trade daily leaves lots of money to hire teams of people who know how to handle the next one. This includes cutting edge QA, external code reviews and engineered processes that reduce faults. Whether you're a fan of the MS-style financial model or open source where many people donate their opportunity cost for the improvement of a product, good code costs lots of money. Then comes the hardware cost.
As has been expounded so many times, a good voting machine that fulfills all requirements is complicated. Assuming the government could come up with truly suitable requirements (have we yet? I've never seen the requirements docs), what's required is highly complex and therefore very expensive.
I don't know what my county's election budget is, but I'm sure it's not big enough to support what needs to be done. If the Army needed voting machines, it would be a different story.
Prohibiting the display of party affiliations simply increases the likelihood of voters casting a ballot for the wrong person without noticeably improving fairness otherwise. It's a bad idea. A voter who pays attention to all races is juggling dozens of names in their head in some elections, some of those names no doubt similar-sounding, and it is unreasonable to expect a voter to remember absolutely everything without some hints. Especially if the voter is elderly.
Regarding the use of optical scanners: when I voted last week my ballot went into the scanner and jammed. The worker opened the machine and pushed it through into the bin rather than pulling it back to make sure it registered. Was my ballot counted? I don't know, and the worker said he wasn't certain but that's what he normally did. When the machine was closed up there was no indication, either. The only reason I wasn't upset is that were a race close enough to make my vote truly important a recount would pick it up. I am glad we did not have electronic voting.
There's an HTML error in this post: Where you link to the New York Times, the previous anchor tag (ComputerWorld) did not have a closing quotation mark, so the two anchors run together.
I just want to second Bruce's comment about the Minnesota elections and what great choices they've made as far as technology. Here in Minneapolis, the only nod to e-voting was a machine that was nothing more than a scanner and touch screen - you fed in your big ol' paper ballot, selected your choices (shown as blow-ups of sections of the ballot) and the machine stamps your ballot. Once you're done, the full size ballot gets spit out for you to review and take across the room to the actual ballot box.
In short, it's just a high-tech alternative to the ball-point pen, but handy for those with reduced vision or who just don't like filling out tiny ovals.
Most people, of course, went with the good old fashioned circle-filling method.
Actually I might have once agreed with not showing party affiliation. However, as an incremental change to our current system towards better representation in the vote, some places have adopted allowing cadidates to run under several parties.
This allows, for example, the greens and dems to both run the same candidate. This way the old "vote splitting" problem is avoided. For example: I want a green, and will settle for a democrat, but no way will I ever vote republican
Under the current system, I have no recourse. I either vote Dem to prevent the republican from winning, or vote greens. The greens wont win and I will essentially just be making it easier for the republican, who i really don't want.
Under this system I can vote the "green" who is really the democrat. This way everyone who votes one way out of fear when they would really like to vote another can vote their conscience.
This could mean many more votes for "minor" parties. It also means that the candidate who wins will see which party affiliations brought them the most votes, and can see laid out how big those voting blocks really are.
Its far from perfect. Its not exactly condorcent voting or even IRV, but... given how resistant to change at a fundamental level our system is (and with good reason) its not a bad first step.
I hope not voting for a particular election does not invalidate the ballot. For instance, the county I live in is so Republican heavy that there were some races that did not have a Democrat (or any other party) opponent. On some of those, I did not cast my vote for the listed candidate, nor did I write one in; I left it blank as a "no confidence" vote.
>Actually, that's not true. I'm not happy to see anyone at the receiving end of voting problems. But I am sick and tired of this being perceived as a partisan issue,
I am glad you are tired of it being precieved as a partisan issue.
But as long as accusations like the follow are posted, it will be seen as a political strategy to "sour grapes" for past losses.
Hence when the issues of voting machines are brought up in 2000 and 2004, it has been used as a tool for "How Bush Won". With the assumption that there was no other way for Bush to win. Despite what any one thinks of Bush as president, unless I missed something their is no evidence his team "stole" the 2000 and 2004 elections.
I agree that voting machines are a bipartisan issue. But the voting machine issue has been co-opted by Bush haters. A little debunking from Bruce would help heal some of the defensiveness of Bush supporters and move the voting machine issue into a bipartisan issue.
Hmmmm, you're conflating things that are distinct. I understand what you're saying about 2004 (and note that very few Ohio counties used touchscreen DRE voting in 2004). However, it's plainly obvious that the Bush team (including Jeb) "stole" the 2000 election, and computer voting had nothing to do with it.
Voter suppression, absentee ballot fraud, the "felon" purge database contract, a corrupt superpartisan secretary of state, and a corrupt supreme court, were the methods - aided by faulty punch card technology and especially by the accidental bad design of the Palm Beach butterfly ballot (and lack of usability testing), without which the other tactics would not have been sufficient.
@Paul H., B.D.: You can read up on the issues, drink coffee, decide who to vote for ahead of time at your leisure - then go to the polls and vote [thats what I do, except for the coffee], dont see why mail balloting helps with that. And MB opens up huge doors for [as several others mentioned] fraud and coercion.
@Steve: You and I have been offsetting each other then. I vote for a republican when I what I really want is a libertarian to avoid inadvertently giving it to a democrat :-)
But I dont understand the correlation between being able to vote for a "green" and not having it say green underneath.
You mean you would vote for/against someone without knowing what they stand for or what their voting record is, because a generic label was listed underneath their name?
Much of the Denver metro area used "vote centers" as an optional replacement for voting in a local precinct. There was about 1 vote center per 10-12 precincts, and they would take anyone who was legally allowed to vote. Good idea in some ways -- no need to remember which precinct you're in or have to rush home from work to vote -- but horribly executed. There were 5-hour (or more) lines in many places.
The bottleneck wasn't the number of voting stations -- those were plentiful. Instead, it was the electronic check-in needed to make the vote-center method work properly. Each vote center needed to verify that a voter hadn't voted at any other center, so standard precinct-style books weren't applicable. The vote centers all needed reliable, fast access to a central check-in server. The central check-in server quickly became overloaded, thanks to poor software design combined with a failure to think about the problem. VoteTrustUSA describes one failure: "Then they discovered the server was getting bogged down because poll workers were supposed to close their window after entering each voter name into the e-pollbook software and open a new window for the next voter, but some poll workers didn't close the window, and that left a session open on the server -- and after too many open sessions accumulated on the server, it became overloaded. "
WTF? Your average, standard Web server (say) is smart enough to expire inactive sessions after a short time. It's typically set up that way by default. Same thing for most software that handles sensitive transactions for multiple users. Go log into your bank's Web site: it will log you off and clobber your session after 20 minutes or so. Poll workers shouldn't be responsible for doing the server's dirty work.
Further aggravating the problem were computer-inexperenced poll workers who had difficulty with data entry and similar tasks, plus any "client-side" failures (like having a power or connectivity failure at the center itself).
Contrast this with the standard precinct approach: a record book. It goes as fast as a poll worker can verify ID and check someone off. It requires one ordinary poll worker, one $1 pen, and 0 kbps of Internet or telephone bandwidth. The poll worker can be completely computer illiterate -- he can think that "expiring sessions" means that Alabama's junior senator is deathly ill.
All mail in vote is an interesting idea. Kind of like a slow internet voting. I'd like to mention what Texas is doing. Texas sets very specific and strict rules for absentee voting (which they call voting by mail) -- generally you have to be 65 or older, disabled, in jail (but still eligble to vote) or out of the county where you reside on election day. You also have to request a ballot to be sent to you by mail, which you then complete and return by mail. On the other hand, any resident of Texas can vote early anywhere in the state simply by showing up at a polling place during the preceding two weeks and 4 days before the election. So, if you won't be in town for the election, or if you just feel like getting it over with, or if you want to avoid the election day hassles, you can vote at your convienence before the election -- no waiting, no lines. Works pretty good.
Add my "vote" to those against mail-in balloting.
People forget that about 100 years ago there was a serious problem in the US with vote control due to the lack of secret ballots. There were all kinds of techniques used to "influence" votes at the voting places -- such as giving different color ballots out to those voting straight tickets.
It may be that the system in Oregon hasn't been widely exploited yet for vote control -- but given time it will be. It's the nature of such systems.
As an example, consider the problems with absentees. Not too long ago virtually every state only gave absentee ballots to those who could show they would be out of the area on election day -- and even they had to go to a post office and have the local inspector verify their ID and verify that they'd filled out the ballot in private in the post office. In recent years the absentee laws have been tremendously relaxed. so that it is now common in places like Florida for various organizations to hand deliver bag-fulls of absentee ballots to the election office -- a situation that is obviously subject to vote control and vote fraud.
>a corrupt supreme court,
If you believe the supreme court is corrupt, then there is no hope to fix anything. It's time for you to move to France.
But then if the Bush team "stole" the 2000 election, why could they not steal the 2006 election?
Once again this is why the issue is partisan. It's very easy to say "election fraud" when you loose the election. With the massive GOP losses in 2006, Bruce could only sight one Republican who may have been affected by the voter machines. Yet I bet if the Dems just missed taking the Senate, there would be massive talks of "Election fraud". Again another example of why it is seen as a partisan issue.
p.s. if you look at the web site "cos" is linked to you will see that he is the kind of ideologue that is at the root of this partisan problem.
"if the Bush team "stole" the 2000 election, why could they not steal the 2006 election?"
Because House and Senate votes are done by district and state, not added up using the Electoral College? This makes it more difficult, since one state can't swing the whole thing.
Note that in both 2000 and 2004, the flipping of one very close state would have changed the outcome of the election.
Note that in both 2000 and 2004, the Secretary of State of the swing state was also the Bush campaign chair for that state.
In both cases, leaving out any issues with the voting systems themselves, there were arguably partisan tactics being used by the respective Sec of State. "Felon" purges based solely on similar names? Sending fewer machines to Democratic-leaning districts than were available for the primary election that same year?
oregonian here, strong supporter of oregon's vote-by-mail. screw these machines.
laughing at the fud being spread by vbm opponents. "the church/union/corporation will be doing the actual voting." not in curry county, oregon! "one spouse will dominate the other." they would likely have voted the same way anyway. while the u.s. supreme court guaranteed "one man, one vote" in baker v. carr, in actual fact, some citizens are naturally a little more influential than others.
voting is the sacrament of democracy, and i'm just a little more comfortable taking the sacrament at my own desk, rather than waiting in line with strangers to vote on a kludgy machine, and i trust the outcome more.
let me close on a blatantly political note by saying how happy i am that control of congress has passed from the scary party to the merely laughable one.
A town of just 80 people uses a electronic voting machine? for what reason? There have been less than 40 votes, something that can be reliable counted in less than 10 min. and can be recounted in another 10 min. Crazy things.
The Dogs Bark, but the Caravan Rolls On.
It seems like the whole system in the US is directed at preventing people from voting, by making all sorts of strange demands, like registering. Usually, the vote is of the citizens, not of a body of "registered voters". Therefore, in most places in the world, all one needs to vote is have an ID or driver's license, and there are polling booths even at hospitals and jails. In the US, even after going through all this trouble, chances are the vote will be cast off.
Why not stick to normal, preprinted ballots with the candidate's name, one per (distinctly colored) envelope, and do manual counting, like in any normal democracy in the world?
In the haste to get immediate results, the democratic process is lost. It would be wise if the US took care of its own democracy before educating other countries.
"Many may even fill out both ballots and demand that their partner sign and validate one they didn't fill out."
I wonder how much some drunk or druggie would sell a signed ballot for?
I'm not against any voting - fraudulent or otherwise - I haven't voted in 20 years and likely won't again. There is no chance of the only thing that would be worthwhile happening - government is going to keep on growing and becoming even more intrusive, because of the incentives of the crooks that vote - the last estimate I saw (several years ago, I don't remember exactly where) was that 60% of Americans received at least half of their income - welfare (incl SS), pay checks, or as contractors' employees - from some branch of government. A vicous, positive feedback spiral. The only way I'd bother voting is if all welfare, Social Security, government employees, and employees of government contractors were not allowed to vote for more - the current SYSTEM is thoroughly corrupt.
"And how could inaccurate vote tallies possibly be interpreted as a partisan issue? If a machine is counting 'wrong' it casts doubt on the entire process regardless of who wins."
The results determine the battle lines.
"Announcement: Conglomerated Consolidtated company voting picnic. Saturday, November 1st, 2008. Bring your absentee ballot, and we'll bring the picnic tables. Daycare. Our helpful staffers will help you to vote for the right candidates. Special postal pickup."
Why isn't this sort of risk talked about more?
"I agree that voting machines are a bipartisan issue. But the voting machine issue has been co-opted by Bush haters. A little debunking from Bruce would help heal some of the defensiveness of Bush supporters and move the voting machine issue into a bipartisan issue."
You're right about this.
"It seems like the whole system in the US is directed at preventing people from voting, by making all sorts of strange demands, like registering."
Voter registration is inherently a voter supression tactic. I, too, don't like it. I prefer systems where citizens automatically get the right to vote.
The problem is that individual voters need to be identified (I am Derf), authenticated (I have an ID card that says I'm Derf and I sign my name), and authorized (I am registered to vote in this precinct and have not already voted), but the actual vote needs to be anonymous (no one can know or be able to prove who I voted for, only that I voted).
Mail in ballots fail, because the voter is not authenticated. Also, without a return address, the Post Office can't return a problem ballot to the home of the voter. If the mail-in ballot includes a return address, however, it breaks the anonimity of the vote within.
It's a difficult system to design, much less design well. However, there are obvious problems with some of the current crop of electronic systems.
Oregon's mail in ballot system solves or partially solves all those issues.
There are two envelopes: A postal envelope, and a secrecy envelope. The completed ballot goes in the secrecy envelope, which is identical to all other secrecy envelopes, and not marked by the voter.
The secrecy envelope goes in the postal envelope, which has the voters name and address pre-printed on it (identification). The voter must sign the back of the envelope (authentication; arguably weak). All the signatures are checked against registration records at the county office, to ensure that no one votes more than once, and to authenticate the signature (authorization).
Then, the postal envelope is opened, and the secrecy envelope is dumped in a bin with others, thus effectively anonymizing the ballots.
Then, the secrecy envelopes are opened, and the ballots are optically scanned.
As mentioned before, kitchen-table coercion is the biggest threat to this system. It's somewhat offset by the availability of private booths at actual election offices, and huge criminal penalties, but I doubt those help in the situations where it's most likely to occur. Still, it retail fraud, rather than wholesale.
The accessibility problem is neatly solved as well. Disabled voters may vote using a web page, and print their ballot on their printer. This leverages standard screen readers and magnifiers.
there's only one thing that's broken with direct recording voting machines: it's the use of RAM instead of paper as a storage medium for the votes. the main difference is that RAM can't be read by the voter without the help of a device and it's content is changeable in an instant without a trace. so the voter can never be sure if his vote is stored as intended, and he can't be sure it isn't changed afterwards, and he can't be sure it's tabulated right.
using paper he sees what he marked and changing a paper ballot is quite hard without being noticed and leaving a trace (kind of WORM, write once, read multiple)
that solved, the remaining problems of voting machines are:
* secrecy of the votes (tempest/van eck)
* "technical problems" in certain neighbourhoods which delay the voting.
the last problem should anyway be reduced by voting on sunday or a holiday like most of the world does.
for a recent case of election fraud in postal voting see:
In the UK Blair and Co have forced local councils to move to postal ballots and/or make them much easier. The official reason was to increase turnout percentages. As with most things from Blair, it was rushed in without thought, in particular about authentication. Fraud is way up. It is also too easy to get extra names on electoral register here, so the two things, extra names and postal ballots allow fraud.
What about Australia? Admittedly, we have compulsory voting (a whole new 'kettle of fish'), but the election management is much more efficient therein.
We still use ballots, in ballot stations all over the country, manually deposited in ballot-boxes and later counted - overseen by a member from each of the two dominant political parties. We have a mail-ballot system determined based on set criteria, but there are certainly less problems than machine-based elections. Machines it seems are less reliable, and leave no paper trail: but if there have been recurrent problems, why are they still used if they are not improving significantly? (or rather, why are contracts not changed?)
As has been stated, I do believe the key issue with electronic voting machines is the lack of authentication, and there being no paper trail. In fact, at so many levels there is no paper trail (I put the question... are figures from, for example: individual ballot stations, areas/counties etc made public after elections? [I don't know :) - are they?])
Further, as arnim rupp suggests, the machines breaking down on a single day, so important as an an election: they should simply not: having only to function on a single day of the year. Extensive public testing and large-scale mock elections (such as at universities/colleges) would seem (to me) necessary to undertake before elections... especially as this seems to be recurrent, election after election.
As an afterthought, it also doesn't seem as if the outsourcing of these machines to companies has resulted in higher quality machines. IMHO they should be designed by a government-sponsored board: or at least, the contracts for machines changed and based on performance, and a government-board implemented if no companies can suitably supply a solution.
There are a few issues with that:
1) The secrecy/postal enveloping system is out of your sight - you, the voter, have no way to guarantee that your vote is or is not matched to your name.
2) You can helpfully fill out your neighborhood's ballots for everyone. At best, you get some extra votes in for your candidate. At worst, you might cancel some out for both sides if the multi-vote fraud detection actually works as advertised.
3) If there's a mistake on your (or your neighbor's) ballot and you send it in that way, there's no helpful, elderly ballot worker (or machine) to correct you. Your vote just gets dumped.
4) Kitchen table coercion isn't the only type that could happen. With a poll-station setup, you cast the vote in secrecy by law. With the mail-in kind, Guido the killer pimp or Tony Soprano just might drop by and assist you in your balloting.
Thought you might find this interesting. In California, state law is requiring a "paper trail" for all electronic machines. The computerized system in my district implemented it for the first time, and the flaws with it are glaring.
It uses a thermal printer, similar to those on a cash register. These are not sufficiently reliable for such a critical system. In fact, the printer jammed when my wife voted (and the officials were unsure whether or not her vote was tallied).
In addition, thermal printouts frequently fade to nothingness after just a few weeks or months.
But the most interesting part is that after printing out your voting choices in english, a barcode is printed that -- supposedly -- contains the same information. I say "supposedly" because, who knows?
During a recount, the rolls of thermal paper are intended to be run through a machine to use the barcodes to "recount" the votes. But can you be sure that *all* of the barcodes match what was printed in english?
The voter can only confirm the words on the printout. They have no way of knowing what is encoded into the barcode. And since the english words will most certainly not be used (you should have seen how tiny and faint the font was), the barcode could be maliciously programmed to always match the machine count. Thus any quick recount will always match.
To catch any error you'd have to actually read the tiny printout of a good portion of the votes and compare it to what is encoded in the barcode. An alteration of 1% or 2% of the votes -- where the printed words don't match the barcode -- could easily go undetected.
Thus the "paper trail" in my district is not a backup at all. It is "voting theatre" meant to assure the voter that some physical record exists.
We replaced a simple, reliable, and understandable punchcard voting system with an expensive, fragile, less reliable, opaque voting system. The "opaque" part is the most insidious. It is difficult enough to get people to participate in elections without giving them yet another reason to believe that their vote does not matter.
I emailed this to Bruce who suggested I post it here for others to read...
I follow the US voting machine controversy with interests
(mostly morbid ;) and thank my lucky stars that NZ has not gone down
this track. Thanks for your articles and the references to Avi's.
In the last article in this series you wonder how 'professional'
election workers actually work out in practice -- well this is
something I can help with as I have been involved with national
elections here for the last 25 years.
Our setup works like this:
* we use an entirely manual, paper based voting system (this works
because we are voting for just a few posts not the multitude that
you have in the US) We have a mixed member proportional (MMP)
system on the German model. So we have two votes, one for the
party and one for a local candidate. Local body elections
(mayors, hospital boards etc are held at a separate time).
* Each polling place (typically school or local hall) we have two to
four 'booths' and a "returning officer" who is responsible for the
overall running of the polling place.
* Each booth has a returning officer and an assistant. The booth
has a pad of voting papers, ballot box and a electoral roll on
which voters are marked off and their number added to the voting
paper. The returning officers and assistants are all paid and
trained, typically returning officers would have served as
assistants in previous elections and polling place ROs would have
been Booth ROs before. I'm not sure exactly what qualifications
are necessary but the folk who get selected are invariably
'professional', often school teachers, and the like.
* Each political party has the right to have a scrutineer at every
booth (only the major parties bother and then often only in
closely contended electorates) This is where I have been
involved. In fact in most cases the main role of scrutineers is to
'fly the party flag' in the form of a rosette. They are not
allowed to communicate with voters in any way but may speak to the
The system seems to work well. Typically the RO and the assistant have
not met before polling day (they may be randomly allocated with each
electorate?) so that reduces the opportunity for collusion and I have
never observed anything untoward in the six or seven elections that I
have been involved in. I have reported long queues back to party HQ so
they can pester electoral officials to move resources where they are
needed, I've also questioned how some intellectually impaired old folk
were handled but that's it. In the latter case the RO allowed the rest
home manager to 'help' them -- I got the head RO to intervene.
In my opinion we need to move to an automated counting system with the
advent of MMP (now 3 elections ago) as it requires two counts of the
papers. Under the old first passed the post system we would often have
all the votes counted in about 2 hours from close of polls. Less if the
RO bent the rules and allowed scrutineers to help. Typically what we
would do is sort votes into piles then have two different people count
the piles, if they don't agree then someone else counts them. Then all
the totals add up to the the (known) number of people who passed through
Oh yes, the issue of questionable/defaced votes, officially scrutineers
have no say in decisions but in practice many RO (particularly the more
experienced ones) have an open discussion with scrutineers -- saves
official complaints later.
All in all the system works very well for us, we do have a few recounts
every election typically where margins are down to less that 50 out of
an electorate of 30,000. These are expensive but are accepted as part
of the price of democracy.
As a software developer from the early 70s, I had made my own feeble attempts here in Texas, during the late 70s, to bring to light the shortcomings of electronic voting. Unfortunately it is all too often the case that technical explanations can bore at least as much as they can inform. I do wish that your article had received much more extensive coverage, especially in
light of the fact that it addresses the fundamental integrity of the election process. I have personally witnessed electronic votes being destroyed because a voter, who had occupied the voting booth prior to me, had failed to push a button to record their vote(s).
The election official(s) simply voided the vote and cleared the machine. All that history has to record this is my voice; no documentation of any kind. The Florida example you've cited brought to mind my experience in the 2004 election.
After reviewing my email from this morning, I find that I actually neglected to mention my complete agreement with Mr. Schneier's suggestion regarding paper ballots. Paper ballots are, for lack of a better adjective, "understood" or, at least, they more closely approach "understood" than any other method that I've seen in my life. I simply can't think of a more adequate or accurate word to use. Slower? Certainly, but then I'll be happy to wait for a correct result; a result that can be audited and verified by human beings. Paper ballots are far from perfect. Anybody from Texas knows about the missing ballot box (Box 13) from Alice, Texas that allowed one Lyndon Johnson in 1948 (thereafter called: Landslide Lyndon) to barely beat Coke Stevenson for a U.S. Senate seat (by 87 votes). However, that was not a failure of paper ballots; rather, it took a conspiracy involving a human being (an election judge) to cause that to happen and it was the existence of the paper ballots that allowed the conspiracy to be detected, exposed and finally even admitted to by the very election judge who had rigged the votes, albeit 3 decades after the election and after Justice Hugo Black refused to allow the challenge.
If the vote were as sacred as many claim, all these problems would be solved by seeking accuracy, or mere credibility, over "efficiency". Indeed, when questioned closely, it turns out that "efficiency" is really "speed", to create the impression of a horse-race for tv.
US elections are democracy-theater.
I've been reading Crypto-Gram for five years (exactly five years today!), and each issue's arrival brings the same pleasurable sense of anticipation. Yesterday, as it happens, I gave a guest lecture on E-voting, and of the lecture notes' eleven citations, Mr. Schneier's name appears in four.
That said, I wish to register my disagreement with Mr. Schneier's remark that "an all mail-in election -- like Oregon has -- is the right answer." Whether the issues of vote buying and voter coercion are "secondary" depends, I suspect, on how much one has invested in mail-in elections. More to the point, every one of the four benefits he attributes to mail-in elections can be obtained without sacrificing the protections against vote buying and voter coercion that accrue only from ballot secrecy.
Benefit #1 --a paper ballot-- can be obtained by transforming DREs into Electronic Ballot Printers (EBPs), as Mr. Schneier and many others have long been advocating. Note that this is not the kind of "paper trail" described by Mgotts; it is laser-printed on letter-size paper and deposited in a locked ballot box by the voter, and it is the only official record of the voter's intent. For a working prototype which you can try out on the web, see .
The other benefits -- 2) no worries about long lines, 3) increased turnout, and 4) dampening last-minute campaign frenzy-- can be obtained by combining EBPs with early voting. Here in Travis County, Texas, we can vote at any time during the two weeks before the official election day. The early-voting polling places are open evenings and weekends, and many of them are in places, such as supermarkets, which many voters visit routinely. (The machines we use --Hart eSlates-- are DREs rather than EBPs, but we're working on that.)
It's worth noting that the early-voting locations are considerably less numerous than the election-day locations, and that any voter can vote at any early-voting place in the county. This means that each polling place has ballot templates for all of the county's precincts; when a voter goes to vote, the appropriate ballot is loaded into the machine (well, not always-- my wife got a wrong ballot, which was quickly replaced when she complained). From a logistical point of view, this is a considerable improvement over early voting in the days of hand-marked paper ballots, when each polling place had to have a stock of every ballot used in the county.
Now imagine extending this system beyond the borders of a single county. A traveller could walk into any polling place in the country and present her voting credentials (e.g., a voter registration card). The appropriate blank-ballot image would be obtained via the Internet and loaded into the machine. The resulting printed ballot would be sealed in an envelope by the voter in view of the poll workers, who would mail it to the voter's home precinct to be counted along with all the other ballots. Such a system would eliminate the need for mail-in absentee voting, and thereby close the vote-buying and voter coercion loopholes.
For the convenience of US citizens travelling or residing abroad, or serving in the military in foreign lands, such a system could be extended to include US embassies, consulates, and military bases. One can even imagine an international system, with official professionally staffed polling places (under UN auspices?) offering voting services for elections worldwide.
I would also like to add my opposition to "mail-in" voting. As many others have pointed out, once it becomes widespread, voting coercion will become a real possibility and a real problem. Everyone from organized crime to terrorist groups to abusive spouses will take advantage of "mail-in ballots" to influence the choice of candidate.
It has already happened in Calgary, Alberta, where the results of a municipal election were overturned after the husband of the erstwhile winner was linked to a scandal involving over 2,000 mail-in ballots supposedly cast by members of the Vietnamese community. When reporters investigated, they discovered that many of the people who had supposedly voted were elderly and spoke little or no English; IIRC, some of them weren't even aware that an election had taken place, and many others denied having voted. The supposed winner refused to step down for several weeks, but eventually was forced to resign her seat due to public outrage. The incumbent, who had lost her seat due to the tainted vote scandal (IIRC, the margin she originally lost by was less than 2,000 votes), lost the subsequent by-election, perhaps because she had spent thousands of dollars on her original campaign and had no money left to mount another one within a few months.
Granted, there were some serious violations of election protocol - for one thing, thousands of mail-in ballots were shipped to a single PO box, which should never have occurred - but the point is, mail-in balloting is ripe for this kind of abuse and there is no way to secure against it.
"but the point is, mail-in balloting is ripe for this kind of abuse and there is no way to secure against it."
The fact there was a scandal, public outrage, and a revote seems to imply there *IS* a way to secure against it. It's called vigilance.
One part of that vigilance is the auditable paper-trail that let someone discover thousands of ballots were sent to a single PO box.
I think you've made the case that mail-in balloting is better, not worse, than e-voting machines.
"I prefer systems where citizens automatically get the right to vote."
One thing registration helps prevent is voting-place stuffing. If ballot-box stuffing is putting more votes into a ballot-box than there are voters, then voting-place stuffing is putting more voters in a precinct than there are residents.
Without a way to confirm that the person is entitled to vote, and hasn't already voted, then busloads of people can be hauled in to any location and they'd be allowed to vote there.
I'm not saying that registration can't also be used to disenfrancise citizens. I'm just saying it also serves a legitimate and important purpose: ensuring that no one casts more than one vote.
Dear Mr Schneier:
Given your interest in voting machines, I hope that you would find interest in the matter outlined below.
I would be glad to provide additional information.
Joseph Zernik, PhD
Human Rights Alert (NGO)
Fraud Opined in Case Management and Online Public Access Systems of the US Courts
An Urgent Call of Legislative Action
Los Angeles, August 30 - Human Rights Alert (NGO) and Joseph Zernik, PhD, submitted paper for peer-review and consideration for publication in top-tier law journals, opining large-scale fraud in case management and online public access systems of the courts in the United States. Digital voting machines were previously shown to be vulnerable to malfunction and malfeasance. Likewise, the current study outlined conditions of digital case management and online public access systems that govern the courts, jails, and prisons in the United States and documented large-scale abuse of such systems.
Material deficiencies were identified in all systems, which were examined. Such systems enabled the holding of prisoners under pretense of lawfulness, the conduct of pretense court proceedings, and the issuance of invalid court records as part of pretense of judicial review. Invalid case management and online public access systems were described, which enable collusion between judges and large financial institutions in pretense court proceedings, which undermined any prospect of effective banking regulation in the United States.
Moreover, a "chain reaction" effect was documented, where the US courts, up to the Supreme Court of the United States, engaged in pretense review of cases originating from pretense actions of the California Superior Court, County of Los Angeles.
Corrective actions were outlined, which were urgently needed - comprehensive review and the establishment of publicly and legally accountable validation of all case management and online public access systems at the courts, jails, and prisons.
The paper further called for restoration of public access to judicial records, which were now concealed in case management systems of the courts, in apparent violation of First Amendment rights. The paper further claimed that only upon restoration of public access to such records, the full scope of judicial misconduct in the United States would be exposed. Therefore, the paper also called for the establishment of Truth and Reconciliation Commission - for review of conduct of the judiciary in the United States. Patrick Leahy, Chair of the Senate's Judiciary Committee previously proposed the establishment of such commission for review of conduct of the US Department of Justice.
The paper opined that such actions were likely to affect restoration of effective banking regulation, access to the courts, the rule of law, and the safeguard of Human Rights in the digital era.
Two pervious papers, peer-reviewed and pending publication by international computer science journals opined fraud in the Los Angels County, California, Sheriff's Department "Inmate Information Center" - the online public access system - which enabled unlawful imprisonments,  and in PACER & CM/ECF - case management and public access system of the US District Court, Central District of California - which enabled the conduct of pretense court actions. 
Expert opinion previously issued by an international Computer Science expert, based on manuscripts authored by Dr Zernik, which analyzed Sustain - the case management system of the Superior Court of California, County of Los Angeles, stated "credible evidence" of "fraud" and called for review of the system by US-based Computer Science experts. Human Rights Alert is dedicated to discovering, archiving, and disseminating evidence of Human Rights violations by the justice systems of the State of California and the United States in Los Angeles County, California, and beyond. Special emphasis is given to the unique role of computerized case management systems in the precipitous deterioration of integrity of the justice system in the United States.
Liberty, Access to the Courts, Human Rights, Rule of Law, Fraud, United States Courts, Superior Court of California, Los Angeles County, Digital Signatures, Relational Databases, Functional Logic Verification, Case Management Systems, Online Public Access Systems, Prisoners' Registration
 A peer-reviewed paper, opining fraud in the Los Angeles County Sheriff's Department "Inmate Information Center":
Data Mining as a Civic Duty - Online Public Prisoners Registration Systems - pending publication, SONET2010
 A peer-reviewed paper, opining fraud in PACER & CM/ECF at the US District Court, Central District of California:
Data Mining of Online Judicial Records of the Networked US Federal Courts
 Qualified opinion of Prof Eli Shamir, Hebrew University, Jerusalem, regarding fraud in Sustain - case management system of the Superior Court of California, County of Los Angeles:
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.