Schneier on Security
A blog covering security and security technology.
« Freakonomics Q&A |
| Fake Dynamite Prompts Evacuation »
December 5, 2007
California Electronic Voting Update
Electronic voting systems used throughout California still aren't good enough to be trusted with the state's elections, Secretary of State Debra Bowen said Saturday.
While Bowen has been putting tough restrictions and new security requirements on the use of the touch screen machines, she admitted having doubts as to whether the electronic voting systems will ever meet the standards she believes are needed in California.
I've written a lot on this issue.
EDITED TO ADD (12/5): Ed Felten comments.
Posted on December 5, 2007 at 1:52 PM
• 25 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
The machines are fine. The problem is the software. According to The Register, "The source code of the software that is used for online e-voting in the Netherlands has been made public by OSOSS, a Dutch association that promotes the use of open source software in government."
Here in the USA it's called a tragicomedy http://www.theregister.co.uk/2004/05/10/...
All e\voting code should be open source.
It seems simple enough to deploy secure voting systems once you have the hardware. They have that, so there's just the software problem.
Is there an open source project anywhere to develop evoting software for the U.S.?
I'd say the problem is just the opposite - I don't care what software is on the machine, as long as the hardware prints out a paper ballot, which I check for correctness before dropping in the ballot box, and which is the authoritative vote.
The software can produce a fast count so the TV news shows can have exciting up-to-the-minute coverage, and they can be out by a couple of percent for all I care. Just so long as the paper ballots do get counted over the week or so following the election, and the fast count that was initially reported by the software gets corrected as needed.
Look at it another way - so say some open source software is published. How do you know on election day that the software that was published is actually running on the machine in front of you? On the back-end database? How do you know the back-end database isn't in the hands of a crooked admin? You don't, and with proper hardware, you don't need to care.
Even if it is open source how do you verify that the source on the machine you are voting on is the same as the source you verified?
What is wrong with pencil and paper? That's what Australia uses and the results of a national election were known a few hours after the polls closed.
There's no need even for any kind of machine when paper ballots can be designed to be read unambiguously later in the case of a recount.
Florida's ballots were ambiguous. They were perforated punch cards. Perforations can fail. They can fail before you even get your voting card. this made the recount difficult and untrustworthy.
In Orange County, California, ballots were punched, but there were no perforations. You were required to create the hole with the machine. It was simple to view that you had properly voted before you exited the booth, and any recount would have been simple and unambiguous.
A congressional report on elections recommended eliminated all perforated punch card ballots back in 1993. The problem was well-known.
So money is now being spent to solve a non-problem. Of course, when Congress decides to spend billions on something, you can bet contractors such as Diebold will have their hands out. It would be much better if the different State governments had the expertise to reject foolish solutions and go with tried and tested unambiguous paper ballots.
But they haven't, and billions have gone for nothing. Oh well... it's not the only place where billions are wasted.
> I agree.
But did you get a auditable paper ballot *confirming* your agreement?
The only unique advantage I can see for touch-screen is the interactive feedback - the immediate guidance as to whether a valid or invalid selection has been made.
That's got nothing to do with counting.
Yes, the touch-screen systems can provide immediate counts, but so can optical scan. And optical scan can be trusted, because we can do manual counts of the paper ballots.
So it seems to me that the solution is a touch-screen system that prints an optical scan ballot.
The clerk hands the voter a ballot. The voter takes it to a touch-screen system, makes his choices, has it print those choices on the ballot, and then takes the ballot to the optical scanner.
Or, if the voter doesn't think he needs the hand-holding, he simply takes it to a booth and fills it in by hand, and then takes it to the optical scanner.
> But did you get a auditable paper
> ballot *confirming* your agreement?
No. I'm in California.
What Australians and Brits may not get is that California elections are wildly complicated. The voter must make about 50 to 100 distinct votes, for federal, state, and local governments, plus all kinds of boards, and then there are all of the propositions (referenda) to vote on.
In a parliamentary, non-federal system, you vote only once, for your MP. Your MP chooses the national government, and that government appoints everyone else. The local election, if any, is on a different day.
If there's only one question, counting paper ballots is trivial. When there are 50 questions, or more, you need a bit more horsepower.
>What is wrong with pencil and paper?
Because people are stupid. If the ballot requires that a box be checked or a bubble filled in, then how do you count ambiguous markings? Is an empty bubble not counted at all if there is a stray mark nearby? What if the bubble is circled instead of being filled in? What if there is an x in the bubble instead of it being filled in? If you count that, how do you count a bubble that has been filled in with a larger x over it? Does that mean the voter changed his/her mind and the vote has been cancelled? What if two bubbles are filled in, one with an x and another with a blob? What if the candidate's name is circled instead of the bubble? And so on and so on.
No, the real way to do it is to have the machine mark a paper ballot in both a machine-readable and human-readable format. Basically the machine fills in the bubbles for you and it is then optically scanned to make the official count. The paper ballots are available can be counted by hand if there is a challenge to the count. They also can be counted by hand to audit the machine count. Secure, verifiable, auditable, and archivable.
Don't you Californians get too uppity about your complex elections! Aussie elections beat you with only two votes. Why? Because we have preferential voting:
We've just had a Federal election, where the result in the lower house, the House of Reps, was decided on the night. The results of the Senate election won't be known for a few weeks more, because there were some (not sure of the exact figure) +80 candidates.
Fifteen years ago, you had to rank all +80 candidates and not miss a single one, or double-up on a single number. If you didn't your vote was invalid. Or as we say Down Under, "The vote was informal."
Oh, and voting is compulsory. If you don't vote, you get a fine of a couple of hundred bucks. (Quick quiz: what other countries have compulsory voting? Answer below.)
Because of the above, the Great Australian Public invented that Great Australian Institution: the Donkey Vote. You take a ballot paper, start in the top left-hand corner and go down, column by column, filling out "1, 2, 3,...." until you reach the end of the ballot paper.
The donkey vote became so common that that was then simplified so that you can vote by simply filling in special boxes at the top of the ballot paper. But, if you really want to, you can still do it the hard way and fine tune your vote so that it's utterly unique. And people still do. So, the Senate vote (more candidates) takes ages to calculate.
You can't tell me that this compares with voting for the Dog Catcher, Principal Skinner, Otto the bus driver, etc., etc., etc.
There is no move to go electronic; the audit trails have to be solid and results are often challenged.
P.S. The answer is found at
Belgium, Lichtenstien, Argentina, etc.
Maybe the problem is elections have always been dirty and technology is only letting us see it now.
A security flaw in Passport Canada's website has allowed easy access to the personal information - including social insurance numbers, addresses, dates of birth, driver's licence numbers, home and business phone numbers, federal ID card numbers and even firearms licence numbers - of people applying for new passports.
That's the only way evoting is acceptable.
(But I don't think evoting is nessesary)
@Gaius Obvious: this is not a problem. There must be rules for dealing with incorrect or ambiguous markings. Instructions must be posted in the booth, along with the note that incorrectly marked or ambiguous ballots may be disqualified. If somebody still feels creative, that's their problem. If the form is machine-readable, it's even simpler. If the machine can read it, it's a valid marking. If somebody makes a marking that cannot be read, then it's invalid. (And the machines themselves must be validated, so that they produce a correct response!) If it's logically invalid, then it's invalid.
The Finnish ballot is very simple: you write the number of a single candidate in the space provided. Nevertheless, there are always people who write Donald Duck or other names, draw pictures, or submit a blank ballot, as a protest, joke, or otherwise. The rules say these are invalid. The only valid marking is a clearly legible number. For disabled people there's a person on site who's authorized to go to the booth and assist, and is under oath of silence.
I have to ask a fairly fundamental question, given my Antipodean location: why rely on a machine at all? What's wrong with a pencil and paper?
We have a preferential system down here in Australia that relies on paper ballots filled in with pencils, and it seems to me that such a system is a lot less prone - by definition - to technical errors than any electronic system. Yes, it provides more options for people to "donkey" their vote (e.g. by numbering every box as 1 or whatever), but such votes are explicitly invalidated, and every voter has the opportunity to understand what constitutes a valid vote, both in terms of advertisements for weeks before the vote and in terms of the various how-to-vote cards handed out (both by the electoral commission and the various parties).
This also by default gives a reliable paper record that can be used for recounts, should such be required.
So again, and this is a curiosity to me: what's with the American fascination with machines to do your voting for you?
Iain -- the American fascination with machines has everything to do with companies (like Diebold) that stand to profit from the sale of thousands of them, and their effective lobbying of politicians.
In Massachusetts, we have Scantron paper ballots where you fill in the blank with arrows unambiguously pointing at candidates names or ballot question answers. It makes for a big ballot, but you know what you've voted for, and then the ballot gets fed into a counting machine AND then gets physically put into a locked ballot box under the purview of a security guard.
It seems to me this is a great blend of low-tech backup to high-tech convenience.
Black box voting is considered dead in the Netherlands. A group of people founded "we do not trust voting computers" (www.wijvertrouwenstemcomputersniet.nl) and made a big enough fuzz about e-voting such that the parliament forced e-voting out of all elections.
No high tech anymore, just paper, red markers and counting. It *might* lead to a more technical solution with a papertrail, but that would be a very costly investment. Maybe too costly just for a bit of convenience.
A paper trail is good. They could of just fitted the old machines with new digital tabulators to keep count. That wouldn't of cost as much and that seems to be driving the whole thing. Throw away thinking. Baby with bath water mentality.
@js >"There must be rules for dealing with incorrect or ambiguous markings. Instructions must be posted in the booth, along with the note that incorrectly marked or ambiguous ballots may be disqualified. If somebody still feels creative, that's their problem. If the form is machine-readable, it's even simpler. If the machine can read it, it's a valid marking. If somebody makes a marking that cannot be read, then it's invalid."
You would think that would be the case, but Florida 2000 proved that wrong. There ambiguous ballots were counted that count not be read by the machine. In one county if there was a stray dent anywhere near where the hole was to be punched -- it was counted as it supposedly indicated the "intent" of the voter. The claim was the voter was too weak to actually push the chad out and too weak-eyed to see where exactly to poke through the center of the chad. Then there was variation in the count where some counters counted those and others in a different county would only count it if the chad had at least two threads holding it to the ballot but not if it had three or more. There was no consistency in the standards from county to county. And there was enough inconsistency to be within the margin of error.
No matter how you slice it, with e-voting you lose either anonymity, non-repudiability, or both.
Sure, you can have ballot-box stuffing with paper voting, but it's far more painful and expensive than having someone hack an electronic system, whether open or closed source.
"Justice should never be sacrificed to expedience". Back to paper ballots, with various community representatives and sherriff's deputies supervising the count.
> No, the real way to do it is to have the machine mark a paper ballot in both a machine-readable and human-readable format. Basically the machine fills in the bubbles for you and it is then optically scanned to make the official count. The paper ballots are available can be counted by hand if there is a challenge to the count. They also can be counted by hand to audit the machine count. Secure, verifiable, auditable, and archivable.
This "secure" approach ignores several important attacks. An attacker might, for example, reorder the ballot or delete candidates from it, or make it easier to select certain candidates, or selectively delay or deny service. Since none of these attacks create differences between the electronic and paper "ballots", audits (if any) will not catch them.
Except for a tiny number of disabled voters, computational vote casting unnecessarily compromises security and wastes our money. The overwhelming majority of voters should use hand-marked paper ballots. These should be counted in the precinct in which they were cast, either by hand or by tabulators backed by statistically-supported hand audits. Machine assistance should be reserved only for those who need it to vote independently.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.