Schneier on Security
November 13, 2006
Voting Technology and Security
Last week in Florida's 13th Congressional district, the victory margin was only 386 votes out of 153,000. There'll be a mandatory lawyered-up recount, but it won't include the almost 18,000 votes that seem to have disappeared. The electronic voting machines didn't include them in their final tallies, and there's no backup to use for the recount. The district will pick a winner to send to Washington, but it won't be because they are sure the majority voted for him. Maybe the majority did, and maybe it didn't. There's no way to know.
Electronic voting machines represent a grave threat to fair and accurate elections, a threat that every American -- Republican, Democrat or independent -- should be concerned about. Because they're computer-based, the deliberate or accidental actions of a few can swing an entire election. The solution: Paper ballots, which can be verified by voters and recounted if necessary.
To understand the security of electronic voting machines, you first have to consider election security in general. The goal of any voting system is to capture the intent of each voter and collect them all into a final tally. In practice, this occurs through a series of transfer steps. When I voted last week, I transferred my intent onto a paper ballot, which was then transferred to a tabulation machine via an optical scan reader; at the end of the night, the individual machine tallies were transferred by election officials to a central facility and combined into a single result I saw on television.
All election problems are errors introduced at one of these steps, whether it's voter disenfranchisement, confusing ballots, broken machines or ballot stuffing. Even in normal operations, each step can introduce errors. Voting accuracy, therefore, is a matter of 1) minimizing the number of steps, and 2) increasing the reliability of each step.
Much of our election security is based on "security by competing interests." Every step, with the exception of voters completing their single anonymous ballots, is witnessed by someone from each major party; this ensures that any partisan shenanigans -- or even honest mistakes -- will be caught by the other observers. This system isn't perfect, but it's worked pretty well for a couple hundred years.
Electronic voting is like an iceberg; the real threats are below the waterline where you can't see them. Paperless electronic voting machines bypass that security process, allowing a small group of people -- or even a single hacker -- to affect an election. The problem is software -- programs that are hidden from view and cannot be verified by a team of Republican and Democrat election judges, programs that can drastically change the final tallies. And because all that's left at the end of the day are those electronic tallies, there's no way to verify the results or to perform a recount. Recounts are important.
This isn't theoretical. In the U.S., there have been hundreds of documented cases of electronic voting machines distorting the vote to the detriment of candidates from both political parties: machines losing votes, machines swapping the votes for candidates, machines registering more votes for a candidate than there were voters, machines not registering votes at all. I would like to believe these are all mistakes and not deliberate fraud, but the truth is that we can't tell the difference. And these are just the problems we've caught; it's almost certain that many more problems have escaped detection because no one was paying attention.
This is both new and terrifying. For the most part, and throughout most of history, election fraud on a massive scale has been hard; it requires very public actions or a highly corrupt government -- or both. But electronic voting is different: a lone hacker can affect an election. He can do his work secretly before the machines are shipped to the polling stations. He can affect an entire area's voting machines. And he can cover his tracks completely, writing code that deletes itself after the election.
And that assumes well-designed voting machines. The actual machines being sold by companies like Diebold, Sequoia Voting Systems and Election Systems & Software are much worse. The software is badly designed. Machines are "protected" by hotel minibar keys. Vote tallies are stored in easily changeable files. Machines can be infected with viruses. Some voting software runs on Microsoft Windows, with all the bugs and crashes and security vulnerabilities that introduces. The list of inadequate security practices goes on and on.
The voting machine companies counter that such attacks are impossible because the machines are never left unattended (they're not), the memory cards that hold the votes are carefully controlled (they're not), and everything is supervised (it isn't). Yes, they're lying, but they're also missing the point.
We shouldn't -- and don't -- have to accept voting machines that might someday be secure only if a long list of operational procedures is followed precisely. We need voting machines that are secure regardless of how they're programmed, handled and used, and that can be trusted even if they're sold by a partisan company, or a company with possible ties to Venezuela.
Sounds like an impossible task, but in reality, the solution is surprisingly easy. The trick is to use electronic voting machines as ballot-generating machines. Vote by whatever automatic touch-screen system you want: a machine that keeps no records or tallies of how people voted, but only generates a paper ballot. The voter can check it for accuracy, then process it with an optical-scan machine. The second machine provides the quick initial tally, while the paper ballot provides for recounts when necessary. And absentee and backup ballots can be counted the same way.
You can even do away with the electronic vote-generation machines entirely and hand-mark your ballots like we do in Minnesota. Or run a 100% mail-in election like Oregon does. Again, paper ballots are the key.
Paper? Yes, paper. A stack of paper is harder to tamper with than a number in a computer's memory. Voters can see their vote on paper, regardless of what goes on inside the computer. And most important, everyone understands paper. We get into hassles over our cellphone bills and credit card mischarges, but when was the last time you had a problem with a $20 bill? We know how to count paper. Banks count it all the time. Both Canada and the U.K. count paper ballots with no problems, as do the Swiss. We can do it, too. In today's world of computer crashes, worms and hackers, a low-tech solution is the most secure.
Secure voting machines are just one component of a fair and honest election, but they're an increasingly important part. They're where a dedicated attacker can most effectively commit election fraud (and we know that changing the results can be worth millions). But we shouldn't forget other voter suppression tactics: telling people the wrong polling place or election date, taking registered voters off the voting rolls, having too few machines at polling places, or making it onerous for people to register. (Oddly enough, ineligible people voting isn't a problem in the U.S., despite political rhetoric to the contrary; every study shows their numbers to be so small as to be insignificant. And photo ID requirements actually cause more problems than they solve.)
Voting is as much a perception issue as it is a technological issue. It's not enough for the result to be mathematically accurate; every citizen must also be confident that it is correct. Around the world, people protest or riot after an election not when their candidate loses, but when they think their candidate lost unfairly. It is vital for a democracy that an election both accurately determine the winner and adequately convince the loser. In the U.S., we're losing the perception battle.
The current crop of electronic voting machines fails on both counts. The results from Florida's 13th Congressional district are neither accurate nor convincing. As a democracy, we deserve better. We need to refuse to vote on electronic voting machines without a voter-verifiable paper ballot, and to continue to pressure our legislatures to implement voting technology that works.
This essay originally appeared on Forbes.com.
Avi Rubin wrote a good essay on voting for Forbes as well.
Posted on November 13, 2006 at 5:47 AM
While ES&S has as many problems as Diebold for most of their machines, they do make one exactly as you describe -- the AutoMARK ballot marking system. It is HAVA compliant with multiple languages, large print, audio support, disabled input devices, etc, but at the end of the vote the output is a marked ballot for the voter to verify before dropping in the ballot box.
The central tabulator is still a potential weakness, as demonstrated by Bev Harris' attack against the memory cards, but there is always the paper ballots available for a recount.
I believe the ballots are pre-printed as well, so the system fails very gracefully if someone forgets memory cards, or power cords, or if an unexpected crowd shows up -- just give the voters the printed ballots and a #2 pencil and have them vote the old fashioned way.
The problem of security of voting technology is something being discussed in Germany and the Netherlands right now. A group of hackers hacked the Nedap voting machine and played chess on it; the computer opened the games with d2-d4.
You can go here: www.ccc.de and there are dozens of news items just dealing with the voting computers; of course you have to be able to read German, I am sorry; if you can do so I would recommend you listen to chaosradio on ccc.de as there are two podcasts dealing with the topic of voting computers and their manipulation in the Netherlands.
You can find a dossier about the hack here:
The system of the machine differs from those of the USA. Here it is not possible to hack the machines by just one person. But a small group can do it without much effort. From my point of view the usage of voting machines creates a risk where never a risk has been. It is a big waste of money.
"The solution: Paper ballots, which can be verified by voters and recounted if necessary."
Can you sketch what kind of business, technical and logistical solution do you propose Bruce?
The chain of custody of paper ballots can be clearly observed too. You put them into a ballot box - which you can see being sealed in the morning and then unsealed in public at the end of balloting. You can then physically watch the actual pieces of paper pass through all the counting processes, etc. And if you have a problem, you can go back and count each piece of paper again, just to be sure.
While I agree with the issues raised here I am not sure whether a paper ballot is less secure. I am from India which as you know is a large democracy. But in many poor and rural areas we have seen in the past paper ballots being hijacked. And where the number of voters runs into several hundred millions it really is an enormous exercise to conduct elections. In the last election electronic voting was deployed successfully and was fairly bug/controversy free. Possibly people hadn't figured out ways to get at the system and this may not happen the next time around. But there are pros and cons to both sides. Ultimately like with any other security I guess trained and professional human resources are the key to a free and fair ballot.
The question that occurs to me again and again, that, amazingly, I have never heard asked in public, is: Which problem are voting machines made to solve? In other words: what is wrong with paper ballots?
When I discuss this issue, the answer usually boils down to: "Voting machines are cheaper and the votes can be counted quicker."
Maybe they are cheaper in an ideal world. I do not know what the costs are to print ballots and distribute them to the voting stations, and counting the results. I assume they are lower than the price of an appropriate number of machines, but that they would be profitable over the course of several elections. If they did not need to be monitored, safeguarded and protected in the run-up to an election, that is. Those costs add a huge tally which clearly makes them more expensive than paper. So in my opinion, the cost argument does not work.
So the single remaining benefit is the ability to get results quickly. Compared to the loss of trust in those results, I would say that is a very bad deal.
So, remind me again. Just what problem are we trying to solve?
Meanwhile, Brazil has used electronic voting machines since 1996. 125 million voters used this system in the last presidential election without any significant problem.
In the Netherlands the voting machines were not rejected on the basis of being hackable, no, their license was revoked because the secret part of the voting was not guaranteed. (someone could listen in on a radio frequency)
That is also part of why mail-in or internet voting will not work. Someone can force you to make a vote and it is impossible to control if you were not forced to vote for something you do not believe in. This is not solvable by technology or more paper.
Unless you think anonymous voting is bad of course.
"125 millions of voters used this system in the last president election without any significant problem." - How do you know there were no significant problems?
While using a machine as ballot printer does solve the problems of voter error, unintentionally spoiled ballots, and does help with accessibility, it is still not without its own problems.
For the very same reasons that it is impossible to verify the accurate recording of votes in a machine, it is also impossible to verify that the secrecy of your vote is maintained. A machine can record the votes and the order in which they were cast trivially, regardless of whether or not it produces paper.
Note that voter intimidation and extortion need not be the primary threat; that has its own serious risks for an attacker (the voter might go to the police). Instead, knowing how votes were cast would be enough to aid corrupt voting officials in removing unfavourable votes or ballot-stuffing just enough votes in the opposite direction.
Ballot printers are certainly much much better than DRE voting machines, but they are not without their own inherent risks due to technology.
"How do you know there were no significant problems?"
By the same way that I know there were (or weren't) major problem in a traditional election. By media news, political parties, election organizations and external auditors' reviews and reports.
I just thought I would post what happened here, where they selected an ES&S system. I didn't examine the whole system thoroughly, but I was still relieved to see a paper ballot visible through a window next to the touchscreen.
A clear text message printed immediately stating the selections I was making. There were large gaps between items, so I assume there would also be messages tracking a change in your selection.
After the "vote" was submitted, several 2D bar codes were added to the end. That was nice to see for automation. The fact that I could see and understand what it was printing on the ballot was more important to me, because that meant some poor worker could also read that part of the ballot if worse came to worst.
Now, on the downside, I guess some of the ballot scanners slowed to a crawl when they went past 2,400 ballots. So the poll workers in 2 counties were counting votes until past 9 AM the next morning.
In a way, America is cursed with too much democracy. In Canada, paper ballots are easily counted because we only vote for 1 thing per election: federally, our local MP (Member of Parliament), provincially, our local MLA (Member of Legislative Assembly), and regionally our city councilors. None of these elections occur at the same time, and on none of these do we ever vote for extra laws, motions, police chiefs, dog catchers, etc...
So, basically the difference is that it is _easy_ to tally votes in this sort of system. It isn't possible to try to compare with the American system where there is so much more to vote on that it would likely be impossible for humans to easily tally in a timely or consistently accurate manner. Perhaps the expectation of next-day election results needs changing?
Electronic voting machines are being pushed on us because they're "cheaper" and "more efficient" than traditional paper-based or mechanical voting machines. People seem to forget that the old system's inefficiency is actually a safety measure built into them -- to hijack an inefficient system requires many more resources. Each additional person brought into the conspiracy increases the likelihood of discovery.
Vote-by-mail really seems like a strong "candidate". It solves every problem identified above and increases voter turnout (Oregon reportedly had 87% turnout in 2004.) Here's what Oregon senator Ron Wyden said about the program:
# Vote by Mail eliminates poll problems--there are no long lines, polls to open late or even confusion about where to vote.
# Vote by Mail eliminates voter roll issues and the need for provisional ballots--ballots are mailed only to registered voters at their official address. Those who do not receive a ballot have ample time to resolve the issue with election officials.
# Vote by Mail virtually eliminates voter fraud--no vote is processed or counted until a trained election official is satisfied that the signature on the ballot matches the signature on the voter's registration card.
# Vote by Mail reduces the risk of voter intimidation--a 2003 study of Oregon voters showed that groups--like the elderly--who are most vulnerable to coercion prefer Vote by Mail.
# Vote by Mail creates a paper trail.
# Vote by Mail increases voter turnout--by eliminating the need to stand in line at the polling place, voting becomes convenient for hourly wage employees and other working families. Oregon's consistently ranks among the top five states in voter participation.
# Vote by Mail encourages educated voters--receiving ballots weeks in advance, gives voters an opportunity to research issues and deliberate in a way that is not possible in a voting booth.
# Vote by Mail saves taxpayer dollars--because there is no longer a need to transport equipment to polling stations and to hire and train poll workers, Oregon has reduced its election-related costs by 30 percent since implementing Vote by Mail.
Vote by Mail has one significant shortcoming: it is not guaranteed to be secret and thus cannot ensure the vote has not been submitted under pressure - e.g. by a husband.
Only turning up personally at a voting place and filling out the ballot alone in a voting booth guarantees that.
"Vote by mail reduces the risk of voter intimidation"
Most critiques of vote-by-mail state just the opposite, because vote-by-mail allows intimidation. Voting in a public place with proper procedures eliminates intimidation.
"# Vote by Mail reduces the risk of voter intimidation--a 2003 study of Oregon voters showed that groups--like the elderly--who are most vulnerable to coercion prefer Vote by Mail."
That is certainly an interesting kind of logic. I can imagine both pros and cons of vote by mail with respect to the risk of voter intimidation, but I don't really see why their preference should prove anything. If people could accurately estimate risk we wouldn't have security theatre...
"# Vote by Mail encourages educated voters--receiving ballots weeks in advance, gives voters an opportunity to research issues and deliberate in a way that is not possible in a voting booth."
Aren't the things that are being voted on known in advance? And if so, isn't it possible to do research beforehand anyway?
"So, remind me again. Just what problem are we trying to solve?"
Remember the dimpled and hanging chads that got Bush elected the first time?
Counting paper ballots isn't as easy or accurate as one would think. Paper trails are great, but computers offer the greatest potential for the most accurate elections.
Diebold computers, on the other hand, do not.
"remember the dimpled and hanging chads that got bush elected the first time?"
That was already an over-technification. In most countries you vote by simply making a cross on a piece of paper with a pen.
Electronic voting is about to be introduced in Scotland for the next round of elections. Apparently the voting system is now so complex that it cannot be counted by a human (single transferable vote system).
Doesn't sound like a good thing.
Hear, hear! Well spoken Bruce.
I am quite frankly livid that now, six years after the hanging-chad fiasco in Florida, there has been zero change in securing a decent vote count in this Country.
Voting is, perhaps, the single most basic civil right of any American, and when even 1 voter is disenfranchised for any reason we should all be outraged, no matter their political beliefs. And when hundreds or thousands of votes go astray there should be a DOJ inquiry into the matter. It should become a Federal Crime to produce and/or deploy voting and vote counting equipment that cannot produce repeatable and verifiable (auditable) results.
It's high time that this comes to the forefront and gets fixed, once and for all.
Thanks for this write up, Bruce.
"counting paper ballots isn't as easy or accurate as one would think. paper trails are great, but computers offer the greatest potential for the most accurate elections."
Depends on what kind of paper ballots you have. If you have to tick, punch or otherwise alter a piece of paper, yes, we could argue about that half-punched hole until hell freezes over. On the other hand, if all you have to do is pick the piece of paper with the name of your candidate on it, what's the potential problem? Maybe you picked the wrong piece of paper because you're thinking of something else, but that is the voter's problem.
In Spain, all ballots in a box are counted by a group of 3-4 people (overseers from different parties). Once all the votes are counted and everybody agrees, the ballot papers are then thrown away! They are no longer needed once the "acta" (the official document specifying how many votes were cast, and for whom) is written and sent. Future arguments might be on whether the acta has been counterfeited, or lost, or whether a ballot place closed too late... but you might forget about spending a month reviewing every vote cast.
And, not surprisingly, the results are quick to come (say 3-4 hours) and hardly disputed. Unless your life comes to an end if the results of an election take longer than 5 minutes, what's the need for electronic voting?
Actually, the Swiss are piloting e-voting as well. As far as I know, not using stationary electronic voting machines, but an internet-based voting application, but I'm not 100% positive on this, since I don't live in an area where a pilot is run. And I'm not a Swiss citizen, so I'm not allowed to vote here anyway...
Why does it happen always when Dems lose? Just like machines have a bias for Republicans, the bloggers seem to have one for Dems.
(In the link the Herald Tribune claims that Dems would have won the seat by 600 votes!)
Bruce is raising hue and cry over a bogus story .. his arguments may be all true, but to lead a story with this preface -- come on, just do it based on technology?
As an Oregon resident who voted against vote-by-mail I can say that the system is not as rosy as it's made out to be.
I actually laughed at the idea that VBM reduces the risk of voter intimidation. When you vote in a polling place, the poll workers help to ensure that no one is there to force you to vote in any particular way. I've heard of multiple cases (including my own father, sadly, and yes, he got an ear-full from me about that) where the dominant partner in a marriage stood over the other and watched to make sure they voted correctly.
There's also the issue of deceased voters still voting. My grandmother passed away last year, and my mother this year. They both received ballots, even though their deaths were filed with the proper agencies. By voting at a polling place you have some assurance that the person who showed up is actually alive.
As we all know, matching signatures, especially by untrained or inexperienced people, is unreliable. I can sign my name 3 different times within 2 minutes and not have the signatures match. I know others who are the same way. With a real polling place, you need some ID that says you are who you say you are, not an easily forged signature.
As a final data point, this last election I was out of town for an extended period for work. I had my father collecting my mail, and I voted by phone. He marked my ballot for me and signed it with my name, at my direction. While the ability to do this was convenient, it scared me a bit that it was possible to do at all.
While paper based voting is definitely more secure than the current crop of electronic voting methods, I find it strange that you don't even mention the cryptographic alternatives. Using cryptography, it's possible to have elections that are _more_ secure than traditional paper-based methods. Using traditional paper voting, a relatively small group can still undetectably alter the results by "stuffing" ballot boxes, replacing some of the ballots, etc.
The cryptographic techniques allow _every_ voter to verify that her vote was counted correctly. This can be done even if the voter doesn't trust the voting machines; even if they are all running malicious software, they will not be able to change the results without being detected. This can be done even while preserving the secrecy of the vote. Unlike absentee ballots, most of these schemes also have a much stronger property: the voter can't reveal her vote even if she wants to. This property prevents voter coercion and vote buying.
There are already a large number of different cryptographic voting schemes, with many more being devised. See for example, Chaum's Punchscan (http://punchscan.org/), his "original" scheme (http://votegrity.com/), Neff's scheme (http://www.votehere.net/vhti/documentation/vsv-2.0.3638.pdf) , Ryan's "Pret a Voter", Rivest's "Three Ballot" scheme (http://theory.lcs.mit.edu/~rivest/Rivest-TheThreeBallotVotingSystem.pdf)
Depending on the counting methods, STV elections aren't that difficult to count by hand. Ireland has been counting its STV elections by hand for some time, and continues to do so after an independent commission found the security of a proposed electronic system to be inadequate.
There was a 2D barcode on the paper trail of the machine I voted with (Hart Intercivic eSlate). I find that disturbing, since the 2D barcode obviously isn't voter-verifiable. According to our local elections department, a barcode recount will be offered to candidates requesting a recount as a cheaper way to recount.
Bruce: is there any evidence that a machine-marked paper ballot is actually verified by the voter much more often than a parallel paper trail? Lack of actual verification strikes me as the Achilles heel of VVPT.
I have volunteered to work on election day for near 10 years, and have hosted the local polling place at my home for the last few years (this is in Orange County, California). I got into this to see how things worked, to be able to guarantee at least the local polling was honest, and part out of a sense of civic duty.
First off - there are always errors in the collection of votes (at the local level). Polling places are run by volunteers, some of whom are new, and ... we are all human. There are going to be mistakes. Traditional paper ballots are more work for the poll workers. My estimate is that the error rate at the local polling place with paper ballots was around 1% (mostly from the handling of "provisional" ballots). If two candidates were within 1%, you might as well flip a coin to decide who won.
The use of the "electronic voting machines" makes the task easier for the poll workers, and seems to cut the error rate (in the polling place). Orange County uses Hart eSlates (not a brilliant design, but serviceable). Out of 524 votes collected at the end of the day we seemed to have only one potential error (a provisional voter mistakenly issued a non-provisional code).
In terms of how to make a voting system reliable, I keep coming back to Butler Lampson:
"Only end-to-end checks matter - everything else is (or should be) an optimization."
The end-to-end check here is if I as a voter can verify at the end of the election that my vote was counted. This could be as simple as issuing a code to the voter (at the polls), and after the election listing the votes under each code on a website.
This makes changing or deleting votes risky - but does not guard against insertion of bogus votes.
At the end of the day I get a total of all the votes recorded at my polling place. If the totals shown on the website differ ... I'd be unlikely to keep it secret.
If the hardware and software used in voting machines were open to public review, I could be confident the locally recorded totals were accurate.
Before election day I get a list of the voters in my area - about 2000 voters. At the end of the day we know who voted (from signatures on paper). It is at least possible to check those lists (don't know what sort of review is done).
I think the key is the end-to-end check. If the voter can verify their votes ... subverting the intermediate steps becomes risky.
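One way to make Alan's end-to-end check concrete without publishing how each voter's code voted is Rivest's ThreeBallot scheme that Crypto Fan cites earlier in the thread: the voter keeps a receipt that can be checked on a public board, yet the receipt alone does not reveal the vote. The simulation below is an added example written for this page, not code from the blog, from Rivest or from any vendor; the candidate names, turnout, serial format and audit functions are constructed assumptions.

```python
"""ThreeBallot walk-through (constructed example).

Each voter fills three ballots. Every candidate gets exactly one mark somewhere
across the three, and the chosen candidate gets one extra mark. The voter keeps a
copy of any one of the three as a receipt. Because a single ballot carries marks
for several candidates, the receipt does not reveal the vote, yet the voter can
still confirm that the receipt appears unchanged on the public bulletin board.
"""
import random
from collections import Counter

CANDIDATES = ["Alice", "Bob", "Carol"]  # constructed sample race, single choice


def fill_multiballot(choice, candidates, rng):
    """Return three ballots (dict candidate -> 0/1) encoding one vote for `choice`."""
    if choice not in candidates:
        raise ValueError("unknown candidate: %r" % choice)
    ballots = [dict.fromkeys(candidates, 0) for _ in range(3)]
    for cand in candidates:
        # one mark for every candidate, two for the chosen one, columns picked at random
        for col in rng.sample(range(3), 2 if cand == choice else 1):
            ballots[col][cand] = 1
    return ballots


def is_valid_multiballot(ballots, candidates):
    """Checker run at the polling place before the three ballots are accepted:
    every row has 1 or 2 marks, and at most one row has 2 (an undervote, with no
    row marked twice, is allowed as in ThreeBallot)."""
    if len(ballots) != 3:
        return False
    rows_with_two = 0
    for cand in candidates:
        marks = sum(b.get(cand, 0) for b in ballots)
        if marks not in (1, 2):
            return False
        rows_with_two += marks == 2
    return rows_with_two <= 1


def new_ballot_id(rng, board):
    """Random serial (constructed format) so a voter's three ballots cannot be linked."""
    while True:
        bid = "%012x" % rng.getrandbits(48)
        if bid not in board:
            return bid


def run_election(votes, candidates, seed=1):
    """Cast every vote; return the public bulletin board and the voters' receipts."""
    rng = random.Random(seed)
    board, receipts = {}, []
    for choice in votes:
        ballots = fill_multiballot(choice, candidates, rng)
        if not is_valid_multiballot(ballots, candidates):
            raise ValueError("multi-ballot rejected by the checker")
        ids = []
        for b in ballots:
            bid = new_ballot_id(rng, board)
            board[bid] = dict(b)
            ids.append(bid)
        keep = rng.randrange(3)  # the voter chooses which copy to keep as a receipt
        receipts.append((ids[keep], dict(ballots[keep])))
    return board, receipts


def tally(board, candidates, signed_in_voters):
    """Each candidate's marks minus the number of voters is that candidate's count,
    because every voter contributed exactly one 'filler' mark per candidate."""
    marks = Counter()
    for ballot in board.values():
        for cand in candidates:
            marks[cand] += ballot[cand]
    return {cand: marks[cand] - signed_in_voters for cand in candidates}


def receipt_matches(receipt, board):
    """Voter-side end-to-end check: my receipt appears on the board unchanged."""
    bid, ballot = receipt
    return board.get(bid) == ballot


def audit(board, receipts, candidates, signed_in_voters):
    """Observer-side checks: board size agrees with the sign-in sheet (an inserted
    ballot without a matching signature shows up here), every posted ballot is
    well-formed, and no voter's receipt was altered or dropped."""
    size_ok = len(board) == 3 * signed_in_voters
    rows_ok = all(set(b) == set(candidates) and all(v in (0, 1) for v in b.values())
                  for b in board.values())
    altered = sum(1 for r in receipts if not receipt_matches(r, board))
    return {"size_ok": size_ok, "rows_ok": rows_ok, "altered_receipts": altered}


def flip_mark(board, bid, cand):
    """Simulate one posted ballot being altered after the fact (audit demo only)."""
    board[bid][cand] ^= 1


if __name__ == "__main__":
    votes = ["Alice"] * 5 + ["Bob"] * 3 + ["Carol"] * 2  # constructed turnout
    board, receipts = run_election(votes, CANDIDATES)
    print(tally(board, CANDIDATES, len(votes)))
    print(audit(board, receipts, CANDIDATES, len(votes)))
    flip_mark(board, receipts[0][0], "Alice")  # tamper with a ballot a voter kept
    print(audit(board, receipts, CANDIDATES, len(votes)))
```

Altering a posted ballot is caught only if some voter kept that copy, which is why the scheme relies on many voters actually checking; a ballot that is on nobody's receipt can be changed undetected unless the row-count and sign-in checks flag it.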
@ Crypto Fan:
Bruce has discussed the schemes you mentioned in the past. But as he says, "Voting is as much a perception issue as it is a technological issue." People don't trust things they cannot understand, and while these cryptographic schemes may be mathematically sound, many of them can be difficult to explain to your average voter. People have seen that they cannot trust the voting machine manufacturers; is it any better to ask them to just trust the cryptographers? Restoring voter confidence is going to be a long process, and the first steps should rely on technologies that people can understand and trust.
Electronic voting's not the problem, the procedures that resulted in the current crop of machines are the problem.
We can solve all of the problems with today's technology, but it must be done and reviewed in public by experts. Peer review has been recognized as the best way to gain confidence in scientific solutions for a long time.
Most of us wouldn't consider adopting new cryptography or a new cancer medication that hadn't been reviewed by numerous experts in the domain - why should we accept electronic voting machines shrouded in secrecy?
I don't think ballot printers are the best solution. I see no reason why, with cooperation between hardware, software, security and ergonomics experts, we can't come up with a reliable and secure electronic voting system.
This is the sort of thing that the government should be able to excel at - fund the research (I'd rather my tax dollars went to reliable elections than almost anything else I can think of), publish a complete, publicly reviewed design with testable conformance requirements, then allow districts to purchase from manufacturers in competitive bids.
Contracts would require passage of the conformance tests, and competition should keep the manufacturers honest. And with only a few specified interface points, sole sourcing and vendor lock-in wouldn't be an issue.
I won't claim there's no better solution, that's what the public dialog is for, but it's a start.
I agree that voting is a "perception issue" as well as a technological one. But most of the cryptographic systems I mentioned can be used _in addition_ to a standard paper trail. I think an average voter can understand that this can only be more secure than just the paper ballot. Also, there is ongoing work to make the schemes themselves easy to understand. For instance, Rivest's scheme has no math in it at all, and computers aren't even necessary (although, to be fair, it's not really a secure voting scheme -- there are some attacks that his scheme doesn't deal with yet).
No completely electronic voting scheme can _ever_ be really secure, as long as people can't run code in their heads to verify it. The reason is that the most significant threat isn't from hackers, it's from the people who build the voting machines (or the people who pay them).
There's no practical way to verify that a particular machine is running the code it's supposed to (in fact, I'm pretty sure some government-funded researchers showed that this problem is very hard to solve, even with enormous computing power). Even if all government funding went into solving this problem, this is not likely to change in the near future.
> Actually, the Swiss are piloting e-voting as well
It is a hybrid system whereby you are sent a written letter entitling you to vote. This letter has to be posted back or taken to a ballot box in order to register the vote. This has always been the case. What is new is that the entitlement letter contains a code for each voting choice which you can send in by SMS. The voting system checks the authenticity against the code provided on paper.
Some systems whereby this process can be extended to internet voting are being considered.
Granted, total assurance in anything but a trivial system is almost impossible to achieve, but achieving an acceptable level of trust is not. It would be unthinkable to assure the correctness of the global distributed system my bank (one of the world's largest) uses to manage my money - even determining the cyclomatic complexity of the system as a whole might well be impossible. Nevertheless, since bank recordkeeping became completely computerized, I've *never* found an error on any of my statements, and that has been many years now.
The end result is that I trust the system, even if I can't assure its correctness.
As I frequently tell people, I get paid to be paranoid. I'm involved in evangelizing and educating on how to achieve trust in enterprise systems in a major high tech corporation. This involves a healthy dose of preaching the science of software *engineering* and how it relates to assurance (which is, after all, the true goal of all such endeavors). What I don't preach is that you can't trust a system that can achieve a state you haven't analyzed, in other words, almost any interesting system.
Software and hardware *can* be properly engineered to be trusted even when they can't possibly be fully analyzed. That's what engineering is - know the characteristics of the components and the rules governing their relationship so you can trust the untestable result.
Think about it the next time you drive across a bridge.
Greg, on voting for only one thing per election in Canada: that's not actually true. This morning I voted in the Waterloo, Ontario municipal election on five different races: mayor, ward council, regional council, regional chair, and school board. These were all in separate sections of one paper ballot, which I marked by hand with a felt pen and gave to a volunteer to feed into an optical scanner.
I think we really need to apply all the technology at hand and do a statistically correct election. We just do a statistically significant sample and if the error bands are OK then that's how we pick the president. Where there are statistically significant signs of tampering we eliminate all those votes.
That would greatly simplify the election process, make it cheaper and not bother so many people. It is the logical next step.
I was an election judge last Tuesday. Here is some wisdom from the trenches.
1) Straight paper voting/tabulating is not practical in the U.S. because of the huge number of ballot positions: over 100 in my Chicago precinct this year. The turnout was light, only 188 ballots cast, but still about 19,000 individual votes to tally. At 1 per second it would take over 5 hours - after the election judges have worked for fourteen hours running the polling places. Very few disinterested citizens have that much energy available, so the process would fall into the hands of partisan operatives.
2) It's possible to combine electronic tallying with a hardcopy backup for auditing. The Votematic punchcard system did this. It had flaws, but it was a vast improvement over the old mechanical voting machines which were not auditable at all. _And_ much less work for the judges. A printed receipt listing one's votes which is saved in a drop box is fine.
3) Touchscreen voting eliminates the problem of the incompetent voter who makes a total hash of a mark-sense ballot. You would weep to see some of the examples i saw last Tuesday.
4) Electronic voting systems should be validated by the same standards as electronic gambling machines. Every 'slot' or video poker machine goes to a lab which verifies that the installed firmware generates the advertised set of outcomes, then seals it against tampering.
5) Article IV Section 4 of the Constitution sez "The United States shall guarantee to every State in this Union a Republican Form of Government..."
which has never been tested, since no state ever named a King. But ISTM that it authorizes the Federal government to regulate state and local elections, to insure that democracy is real and not just nominal.
And open source required, too.
Single-transferable voting existed long before vote-counting computers, so it can be counted by hand. Bruce is right: paper ballots cast in public voting places are the safest and most secure.
"Last week in Florida's 13th Congressional district, the victory margin was only 386 votes out of 153,000. There'll be a mandatory lawyered-up recount, but it won't include the almost 18,000 votes that seem to have disappeared...."
Amazingly enough, the race was for the seat that KATHERINE HARRIS vacated in order to run for Senate. That can be interpreted either as an ironic coincidence, or as evidence that Florida's elections really, truly can not be trusted.
Either way, I hope that the House of Representatives refuses to seat the "winner" of the race, on the grounds that the true outcome of the race is unclear. Congress has done this before, with a new vote being called. A new vote would be more fair to the district's voters, and more importantly, would draw attention to the problems with electronic voting machines.
As for someone hacking the voting machines, that might be an even better way to draw attention to this problem. If, say, the Green candidate got 98% of the vote in a major race, people would have to admit there was a problem!
[Btw, Hi, Bruce, this is the 1st time I've commented here. We've met several times, I'm friends w/ Niels & Denise.]
Andrew W quoting Oregon senator Ron Wyden: "Vote by Mail virtually eliminates voter fraud"
Here in the UK, we've had a couple of postal vote scandals in the last couple of years (having recently made postal voting much easier in order to increase voter turnout). Admittedly not fraud by individual voters, but despite the narrow focus of the Senator's statement that's hardly the point.
Police found three people handling unsealed postal ballots in a deserted warehouse described as a "vote-rigging factory" (with a judge describing the case as "electoral fraud that would disgrace a banana republic"):
Reports of voters being pressured to vote in a particular way, or to hand over blank postal voting ballots (including an employer threatening to fire any of his staff not voting how he instructed):
As you say, we need a system that has a voter-verifiable paper ballot. There is only one touch screen machine that I know of that provides voter-verifiable paper ballot (not just a paper tape record) - the Populex system. It is a touch-screen voting system that prints a printed ballot that the voter can verify and put in the ballot box like any other paper ballot. This also makes recounts extremely easy and accurate.
You can find out more about them www.populex.com. They are a small company, but have systems being used in Illinois, New York, Missouri and other states.
"While paper based voting is definitely more secure than the current crop of electronic voting methods, I find it strange that you don't even mention the cryptographic alternatives."
The problem isn't the math, it's the human procedures around the math. I don't think a cryptographic voting system would be an improvement, because that's not the weakest link.
"How do you know there were no significant problems?"
By the same way that I know there were (or weren't) major problems in a traditional election. By media news, political parties, election organizations and external auditors' reviews and reports.
So what you know is that a) there were no VISIBLE problems [i.e. voter interface] b) you do NOT know the votes went to the correct candidate...
See Bruce's "iceberg" comment....
The problem with the undervote in Florida's 13th Congressional district can easily be solved by providing an explicit "Abstain" box for each race, and requiring one box to be filled in per race. If you use optical scan to count the vote, the optical scanner can validate the ballot prior to accepting it, even if the ballots are subsequently hand counted. Now you know that if race 1 had a total of 500 votes, and race 2 had a total of 498 votes, someone didn't count right, so you automatically recount.
This method also makes sure that there's no such thing as a "spoiled ballot".
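The check the comment above describes can be written down precisely. The following is an added example, not code from the comment or from any voting-equipment vendor: a scanner-side validator that enforces the explicit "Abstain" rule (exactly one mark per race, and a blank race is a rejection, not an abstention), a tally that counts only accepted ballots, and the cross-race reconciliation that flags a miscount when the per-race totals disagree. The race names, candidate names and ballots are constructed for the example.

```python
from collections import Counter

# Constructed races and choices (hypothetical names, not from the page).
RACES = {
    "race1": ("Alice", "Bob", "Abstain"),
    "race2": ("Carol", "Dave", "Abstain"),
}

# Constructed ballots: each maps a race to the list of marks the scanner read.
SAMPLE_BALLOTS = [
    {"race1": ["Alice"], "race2": ["Carol"]},
    {"race1": ["Bob"], "race2": ["Abstain"]},
    {"race1": ["Abstain"], "race2": ["Dave"]},
    {"race1": ["Alice", "Bob"], "race2": ["Carol"]},   # overvote in race1
    {"race1": ["Alice"], "race2": []},                 # blank race2: not allowed
]


def validate_ballot(ballot, races=RACES):
    """Return the list of problems with a ballot (empty list = accept).

    With an explicit Abstain box the rule is simple: every race carries exactly
    one mark, and that mark is one of the printed choices. A scanner enforcing
    this when the ballot is cast lets the voter correct the sheet instead of
    leaving an ambiguous undervote for the recount.
    """
    problems = []
    for race, choices in races.items():
        marks = ballot.get(race, [])
        if not marks:
            problems.append(f"{race}: no mark (blank is not an explicit Abstain)")
        elif len(marks) > 1:
            problems.append(f"{race}: overvote {marks}")
        elif marks[0] not in choices:
            problems.append(f"{race}: unknown choice {marks[0]!r}")
    return problems


def tally(ballots, races=RACES):
    """Count accepted ballots only; return (totals per race, number rejected)."""
    totals = {race: Counter({c: 0 for c in choices}) for race, choices in races.items()}
    rejected = 0
    for ballot in ballots:
        if validate_ballot(ballot, races):
            rejected += 1
            continue
        for race in races:
            totals[race][ballot[race][0]] += 1
    return totals, rejected


def reconcile(totals):
    """Cross-race check: every accepted ballot adds exactly one mark to every
    race, so the per-race sums must all be equal. Returns (sums, consistent)."""
    sums = {race: sum(counts.values()) for race, counts in totals.items()}
    return sums, len(set(sums.values())) == 1


if __name__ == "__main__":
    totals, rejected = tally(SAMPLE_BALLOTS)
    print("rejected at the scanner:", rejected)
    print("per-race sums:", reconcile(totals))
    totals["race2"]["Carol"] -= 1   # simulate a miscount in one race
    print("after a miscount:", reconcile(totals))
```

Because rejection happens at casting time, the only way the per-race sums can differ afterwards is a counting error (or tampering) downstream of the scanner, which is exactly the condition that should trigger an automatic recount.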
The Libertarian Party has done something like that for years on internal voting (ie. candidate selection and party platform changes). It's called NOTA, for None of the Above.
The "Chad problem" looks like what was once a well known cheat for punch cards: You break one or two corners loose on your candidate's hole and give it to the voter; if they vote with you, no problem. If they vote against you, a number of the cards will be "spoiled ballots".
The exact same area in Florida had a proven case of voter fraud (ballots in the possession of one candidate) and Janet Reno jailed the reporters that found it. I will let you guess what party is strong in that area.
Odds are there were a lot of people who just voted "neither" in the 13th district. The prior race was ugly, this race was ugly and many people just did not like either choice.
A "NOTA" selection is a good idea.
Helge asks, "Which problem are voting machines made to solve? In other words: what is wrong with paper ballots?"
Well, according to the Help America Vote Act, the problem with paper ballots is they don't provide a way for people with some kinds of disabilities to cast a secret ballot.
You're right about paper, Bruce. The only problem I ever had with a $20 was when they tried to mark it with a Sharpie at the checkout line -- only to discover that the bill was from the 1950s, before they used the type of ink that would "register" as legit with a Sharpie. So I took the fella to the bank and had him "retired."
@T. Hudson: I agree that the tabulator is still too much of a risk. The ability to recount the paper ballots is nice in theory and may motivate the manufacturers of voting machines to improve their products, but won't help if no recount is done. Hence, to be sure one must recount anyway. If the tabulators are not too expensive then it might help to spot errors in manual counting.
Still, how do I know if the tabulator takes my picture while I put my ballot in? For the same reason, I don't want to use a machine that prints the ballot for me. At least I want a choice to make a pencil mark myself, in a technology-free voter cabin.
Also, as soon as a DNA database exists, I would need to wear gloves while touching the ballot.
@Swiss Connection: "Can you sketch what kind of business, technical and logistical solution do you propose Bruce?"
I am not Bruce, but would recommend the stack of solutions used in Germany, where we do vote on paper.
"...millions of voters used this system in the last president election without any significant problem"
@rputran, Gustavo Bittencourt: You miss the point. The risk is that the election can be forced without the public knowing, so your election may very well have been forged. Please explain why you have reason to believe that nothing was forged. All your "media news, political parties, election organizations and external auditors' reviews and reports" say nothing if all they review and report is what the "owned" voting machines spit out.
@Greg: Having fewer choices may be faster and cheaper, but is a problem of its own. I don't like that the only thing I can vote for is one of two pre-configured baskets when each of them stinks in some way. I want to tell the nation (anonymously) what I want, not only whom I mistrust less.
@Chris: "the old system's inefficiency is actually a safety measure built into them"
Very right. Security comes from transparency and division of power. The inefficiency of paper is a necessary side effect of these two indispensable properties. Voting machines take both away because they are intransparent, and can be hacked by a few powerful people.
"Vote by Mail has one significant shortcoming: It is not guaranteedly secret..."
@Helge, Rich: I agree, as long as the place of voting is secured against surveillance technology. Imagine the blackmailer has a supertiny camera in the voter cabin...
@Crypto Fan: Cryptographic voting protocols are fascinating, but they fail to deliver transparency for those who cannot verify and trust the mathematics, implementations, and their own computers. Remember the myriads of spyware, backdoors and botnets. Imagine how the NSA could force an election with all their knowledge of cryptography and cyber warfare, and access and control over the national information infrastructure. Totally unacceptable.
@Ted: "We can solve all of the problems with today's technology, but it must be done and reviewed in public by experts." Who elects the experts? Why should I trust them? You know, each study ordered by Microsoft "proves" that Windows is ah so secure and cost effective. @Crypto Fan: In this respect I agree with your answer to Ted.
@Ted: The reason you trust your bank is not that they use software to book your money, but that you can and actually DO verify the paper trail. (As a programmer in a bank I can tell you that you should.) You do end-to-end authentication. Can you do that when voting with an internet browser?
@Fred F.: "Where there is statistically significant signs of tampering we eliminate all those votes." Oh you are so wrong. Would you accept the result if all the districts that traditionally vote for the candidate of your choice have their votes deleted? Furthermore, if the error margin is known in advance, an attacker could at least forge the election up to 3/4 of the confidence level. But I agree, counting a (really random!) subset of the paper ballots is better than nothing.
@Rich Rostrom: "And open source required, too." Open Source is nice, but how do you know that the voting machine in front of you really runs the same code that you verified on your pc? Your idea to validate then seal every voting machine looks nice at first, but has two flaws:
a) machines can recognize validation suites, e.g. by the speed, number and ratio of votes cast, and switch over to "clean" behaviour until the suite is over. Some car motor electronics switched to "environmentally friendly mode" when tested, and to "performance mode" when not.
b) You can't seal the machine in practice. For example, a voter could touch the screen or other parts at a sequence of special places, or just enter a special combination of votes, to activate hidden code.
@Swiss Connection: Voting with a code via SMS is bad because a) you don't know if your SMS was altered or removed on its way, and b) someone who knows which code you got could know how you voted.
@David Brodbeck: "according to the Help America Vote Act, the problem with paper ballots is they don't provide a way for people with some kinds of disabilities to cast a secret ballot." This looks politically correct at first sight, but the risks of voting machines far outweigh the drawback of excluding the handful of disabled people who really can't put a pencil mark on paper.
Personally, I am glad we still have paper and nothing else in Germany. It is the only thing I trust. If they change that one day then I will speak up at the polling place, and if they can't offer me a trustworthy way to vote then I won't bother to vote at all.
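The commenter's closing remark to Fred F., that hand-counting a genuinely random subset of the paper ballots is better than nothing, is worth seeing as a procedure. This is an added example, not code from the comment, from Bruce Schneier or from any election office: precincts are drawn using a seed that must be generated in public after the machine totals are published, the paper ballots of the sampled precincts are hand-counted, and any disagreement with the machine totals beyond a tolerance escalates to a full hand recount. The precinct identifiers, candidate names and counts are constructed; the "paper" figures stand in for the result of the hand count.

```python
import random

# Constructed precinct data: the machine-reported totals and, for the audit,
# what hand-counting the paper ballots produced. In a real audit the hand count
# is made in public after the sample is drawn; here P2's paper ballots disagree
# with the machine by 12 votes to illustrate a finding.
PRECINCTS = {
    "P1": {"machine": {"Alice": 410, "Bob": 388}, "paper": {"Alice": 410, "Bob": 388}},
    "P2": {"machine": {"Alice": 455, "Bob": 301}, "paper": {"Alice": 443, "Bob": 313}},
    "P3": {"machine": {"Alice": 290, "Bob": 305}, "paper": {"Alice": 290, "Bob": 305}},
    "P4": {"machine": {"Alice": 377, "Bob": 380}, "paper": {"Alice": 377, "Bob": 380}},
}


def select_sample(precinct_ids, k, seed):
    """Pick k precincts from a seed that is produced in public (dice rolls, for
    instance) only after the machine totals are published. If the sample were
    fixed in advance, whoever controls the tally would know which precincts
    will never be hand-counted, which defeats the purpose of the audit."""
    rng = random.Random(seed)
    return sorted(rng.sample(sorted(precinct_ids), k))


def audit(precincts, sample_ids, tolerance=0):
    """Compare the paper hand count to the machine total for each sampled
    precinct. Returns {precinct: {candidate: paper - machine}} for every
    precinct where some candidate differs by more than `tolerance`."""
    findings = {}
    for pid in sample_ids:
        machine = precincts[pid]["machine"]
        paper = precincts[pid]["paper"]
        candidates = set(machine) | set(paper)
        diff = {c: paper.get(c, 0) - machine.get(c, 0) for c in candidates}
        if any(abs(d) > tolerance for d in diff.values()):
            findings[pid] = diff
    return findings


def escalate(findings):
    """A discrepancy beyond tolerance anywhere in the sample means the machine
    totals cannot be relied on; the remedy is to hand-count everything."""
    return "full hand recount" if findings else "sample agrees with machine totals"


if __name__ == "__main__":
    # Hypothetical public seed; in practice it comes from a post-election draw.
    sample = select_sample(PRECINCTS, k=2, seed=20061113)
    found = audit(PRECINCTS, sample)
    print("sampled:", sample)
    print("findings:", found)
    print("decision:", escalate(found))
```

With four precincts and a sample of two, a single bad precinct is caught only half the time; the sample size, not the selection code, is what turns "better than nothing" into a meaningful level of confidence, and it is the piece the comment says an attacker would try to exploit if the margin were known in advance.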
Electronic voting machines actually create the problem that technology is most often here to solve: throughput and efficiency. At our polling place, we use the same kind of bubble sheets that everyone who's gone to school since the 60s knows how to fill in. The wonder of these sheets is near limitless parallelism. While there are a limited number of private screens for voting, if you're willing to sit at the long cafeteria tables to vote, you can be in and out in no time. Short lines means more voters, which is good for democracy.
When you add electronic, or even mechanical, voting machines, you can only have as many parallel voters as you have machines. Lines go round the block.
For all the expense and problems with electronic voting machines, what problem were they here to solve? As an accommodation for those with disabilities, poor eyesight, or unfamiliarity with bubble sheets, a few machines per polling place that assist in generating a paper ballot are fine, but as the primary or sole voting mechanism, the high cost is balanced with a nonexistent benefit.
I agree wholeheartedly that paper ballot backup is the way to go for voting machines. In fact, these paper ballots ought to be the primary source for the official tally, with the electronic votes only used for preliminary numbers.
Yet there is a serious security problem relating to paper ballots emitted by electronic voting machines.
As malware can be used to flip votes, malware can also be used to record the order of vote selections recorded by the machine. This order can then be easily tallied against the order of voters ID'd, and then, though voting may be secure, it will no longer be secret.
And if voters cease to trust the secrecy of the electoral process they will no longer cast independent votes!
This problem is especially serious in lesser-developed countries, where voters can lose their jobs or even be killed for their voting selections.
The solution is to use malware-immune mechanical only (as opposed to electronic) voting machines that mark a paper ballot in a human-readable form that is then stuffed manually by the voter into the ballot box. And if the paper ballot markings are designed intelligently they can be machine read in no time at all.
Dear Mr Schneier, have you already tried to design what you and others consider a "best voting system", including the hardware, standardised and off the shelf, to be produced by any manufacturer, and the open-source software which would accompany it? It would probably be much more efficient to have all the states go to mail voting, but unfortunately, for psychological reasons, I don't consider it very likely in the near future. But we need it by Nov. 7, 2008.
One thing that should absolutely be done before 2008 would be to declare election day a Federal holiday.
Just this simple change would help our democracy a lot, facilitating voting, a civil duty, for concerned citizens and voters who now must often choose between voting and the vagaries of their remunerated work (and too often have their votes suppressed because of threats to their job security).
But a Federal design for such a voting system, arrived at through consensus from a distinguished non-partisan body of scientists, consultants in the various technologies necessary, and industry designers and manufacturers (obviously all the design would be thought out with good security in mind), might be a good solution to our voting problems. It should be as simple as possible (all it has to do is record the vote correctly and emit a paper trail, after all), to be mass-produced at the lowest possible cost (I imagine such a machine may be built for much less than one tenth of the cost of a banking ATM), opening in this way the market for voting machines to any computer company.
It might be interesting to start a "Wiki" project on this, especially at this time when people have been reminded of the glitches of our present system.
I am sure also that there already is some work that points in this direction, and maybe even completed projects, and I would thank you for any internet references on this.
I guess all I really know about security started from you, so I (already) thank you for that!
Re: Voting machines:
"Ma'am, you don't have the privacy booths this year!"
"Yes, sir, the machines have the "wings" on the side to preserve privacy".
"But, unless you are three feet tall, with the machines this close together you can easily see over the wings and see the votes of the person next to you. (Without even turning your head!)"
"Yes, sir, but that's as far apart as we can put them given the length of the cords."
- Butler Middle School polling location, Salt Lake City, Utah.
So, I give up my voting privacy because the machines don't come with extension cords? (And the election commission spent all their money on the machines, and have none left over for such cords?)
But, to give them their due, they did find duct tape to secure the cords down so people didn't keep tripping over the cords and unplugging the machines.
I agree with Ron Napier about using the "bubble sheets" we're all familiar with, but make sure the scanning machine doesn't require the voter to use the famed "No. 2 pencil" and be exposed to low-tech vote flipping via an eraser!
The concept that "There's no way to know" if you have the right number of votes is horrifically bad for a democracy.
In terms of being "convincing", it seems to me that one of the problems with a voluntary voting system is that you can never be sure how many people are voting, so you have the dual problem of accurately tallying the number of voters as well as tallying the number of votes.
If you manage to hack both of those tallies, then you can commit whatever election fraud you want and nobody can really be sure if any fraud has occurred and nobody can really be sure how large the fraud was (because total number of votes collected still equals the total number of voters counted). Comparing two unknown quantities to each other gives you no information about which quantity is the "correct" one.
Ideally, the system used for counting voters and the system for counting votes are independent and separately secured, so that the results can be compared against each other with more confidence. This is like the Space Shuttle having multiple, independent, redundant systems that calculate decisions then confirm with each other that they all agree. Obviously, having a single voting machine doing double duty is a bad idea.
In this respect, the Australian system of mandatory voting gives me more comfort because at every election you know beforehand exactly how many total votes are supposed to be cast. Everyone needs to be registered before the election occurs and the system for registering voters is separate from the system for counting votes. Anyone failing to vote receives a fine, so there's incentive to get it right. The total number of votes collected on election day is easily compared to the known, fixed number of voters who were registered. This is a real quick "sanity check" that the election was not hacked and harder to break because of the separate, independent counting and registration systems.
If a voting machine malfunctions (or even if a box of paper ballots was lost), you can immediately work out there was a problem and you can immediately work out how large the problem was. If the number of lost votes isn't large enough to change the result, then you can still declare the result with confidence. Otherwise, it might be 'back to the polling booths' for a second try.
Now, an election hacker may try to change the electoral roll or the voter registrations at the polling booths, but if the effect is to cause more fines to be sent out, then people will kick up a stink and the election fraud will be exposed again.
Whatever other arguments there are for/against mandatory voting, at least it gives us this solid, quantitative benchmark for how "convincing" the result is.
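The "sanity check" this comment argues for, comparing a voter count kept by one system against a ballot count kept by another, and then asking whether the gap is large enough to change the result, can be made concrete. The following is an added example and not code from the comment or from any electoral authority: per-precinct sign-in counts (from the registration side) are reconciled against per-precinct ballot counts (from the tabulators), every ballot that is missing or unexplained is treated as unknown, and the reported winner stands only if the margin exceeds that number. The precinct identifiers, counts and candidate names are constructed; precinct P3 is short a box of ballots and P2 has one more ballot than voters.

```python
# Constructed data. Sign-in counts come from the registration/roll system,
# ballot counts from the tabulators: two independently run systems, as the
# comment recommends. In a mandatory-voting system the expected count is
# known in advance; here it is the number of voters who signed in.
SIGNED_IN = {"P1": 812, "P2": 640, "P3": 400, "P4": 550}
BALLOTS_CAST = {"P1": 812, "P2": 641, "P3": 350, "P4": 550}
MACHINE_RESULTS = {"Alice": 1210, "Bob": 1143}


def turnout_discrepancies(signed_in, ballots_cast):
    """Per precinct: signed_in - ballots_cast for every precinct that does not
    match. Positive means ballots are missing (a lost box, a machine that
    dropped records); negative means more ballots than voters, which is also
    a red flag. A precinct known to only one system is reported as well."""
    out = {}
    for pid in sorted(set(signed_in) | set(ballots_cast)):
        d = signed_in.get(pid, 0) - ballots_cast.get(pid, 0)
        if d != 0:
            out[pid] = d
    return out


def unaccounted_ballots(discrepancies):
    """Worst-case number of ballots whose effect on the result is unknown:
    missing ballots could all have gone one way, and every extra ballot is
    suspect, so both directions count."""
    return sum(abs(d) for d in discrepancies.values())


def result_is_conclusive(results, unaccounted):
    """The reported winner stands if the margin over the runner-up exceeds the
    unaccounted ballots: even if every missing ballot had gone to the
    runner-up and every extra one had been wrongly credited to the leader,
    the order would not change. Returns (conclusive, margin)."""
    ranked = sorted(results.values(), reverse=True)
    margin = ranked[0] - ranked[1]
    return margin > unaccounted, margin


def assess(signed_in, ballots_cast, results):
    """Run the whole check and return a summary dict."""
    disc = turnout_discrepancies(signed_in, ballots_cast)
    unknown = unaccounted_ballots(disc)
    conclusive, margin = result_is_conclusive(results, unknown)
    return {
        "discrepancies": disc,
        "unaccounted": unknown,
        "margin": margin,
        "conclusive": conclusive,
    }


if __name__ == "__main__":
    print(assess(SIGNED_IN, BALLOTS_CAST, MACHINE_RESULTS))
    # Same discrepancies, closer race: the result can no longer be declared.
    print(assess(SIGNED_IN, BALLOTS_CAST, {"Alice": 1190, "Bob": 1163}))
```

The check says nothing about whether the ballots that were counted were counted correctly; it only bounds the damage from ballots that were lost or appeared from nowhere. That is why it pairs with, rather than replaces, a hand count of the paper.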
Every time I use an ATM, I choose from options on a touch screen (in English or Spanish) and when I'm done, I get a little paper receipt stating what I've done with my accounts. I think it very likely that the bank does, too, probably in at least one other site, to balance the books. These machines are made by Diebold, who also makes voting equipment.
When I visit Sheetz (a local gas and convenience store), I can order from a touch screen, too. I usually get a couple of hot dogs with chili ($.35 extra) and onions (no charge), and when I'm done ordering, I hit "finish." A little slip of paper curls up for me to take to the cashier. Simultaneously, one turns up in the kitchen area, where the order is made up. Several other food-service places also use touch screen, and when I get my bill, it is printed up with all items, from a touch-screen start. I daresay the computers behind this also track inventory, and perhaps order automatically, based on sales. Also, it would go some way toward forestalling "internal losses."
When I voted in November, it involved a touch screen which offered me nothing in the way of proof of my selections.
If banks and purveyors of food can manage this, why can't election officials? It can't be that the technology isn't available; clearly, it is. There must be some other reason why election officials don't want to know for sure what the voters want, because they certainly could. Now, why would they want a little wriggle-room in what could be a cut-and-dried procedure? Why would they deliberately opt for "uncertainty" in elections when I can prove what I ordered on my hot dogs? The custodians of elections will get the technology they want. Why would they want slop when precision is there to be had?
I think what this all proves is that elections have just become way too expensive for a modern democracy to run.
I therefore propose one of the following two suggestions:
1) Outsource the management of the process to a more competitive and - let's be honest - low wage jurisdiction, such as India or Uzbekistan, where the counting can be done more cheaply. Frankly, I'm surprised nobody has suggested this commonsense 'middle way' before; or
2) Adopt the 'Single Transferable Dictatorship' model in which the various governments of Europe and North America simply move around every couple of years according to a simple roll of the dice. This might be more fun - particularly when the European Union finally reaches such places as Moldova and Azerbaijan.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.