Schneier on Security
A blog covering security and security technology.
November 10, 2004
The Problem with Electronic Voting Machines
In the aftermath of the U.S.’s 2004 election, electronic voting machines are again in the news. Computerized machines lost votes, subtracted votes instead of adding them, and doubled votes. Because many of these machines have no paper audit trails, a large number of votes will never be counted. And while it is unlikely that deliberate voting-machine fraud changed the result of the presidential election, the Internet is buzzing with rumors and allegations of fraud in a number of different jurisdictions and races. It is still too early to tell if any of these problems affected any individual elections. Over the next several weeks we'll see whether any of the information crystallizes into something significant.
The U.S. has been here before. After 2000, voting machine problems made international headlines. The government appropriated money to fix the problems nationwide. Unfortunately, electronic voting machines -- although presented as the solution -- have largely made the problem worse. This doesn’t mean that these machines should be abandoned, but they need to be designed to increase both their accuracy and people’s trust in that accuracy. This is difficult, but not impossible.
Before I can discuss electronic voting machines, I need to explain why voting is so difficult. Basically, a voting system has four required characteristics:
- Accuracy. The goal of any voting system is to establish the intent of each individual voter, and translate those intents into a final tally. To the extent that a voting system fails to do this, it is undesirable. This characteristic also includes security: It should be impossible to change someone else’s vote, stuff ballots, destroy votes, or otherwise affect the accuracy of the final tally.
- Anonymity. Secret ballots are fundamental to democracy, and voting systems must be designed to facilitate voter anonymity.
- Scalability. Voting systems need to be able to handle very large elections. One hundred million people vote for president in the United States. About 372 million people voted in India’s June elections, and over 115 million in Brazil’s October elections. The complexity of an election is another issue. Unlike many countries where the national election is a single vote for a person or a party, a United States voter is faced with dozens of individual elections: national, local, and everything in between.
- Speed. Voting systems should produce results quickly. This is particularly important in the United States, where people expect to learn the results of the day’s election before bedtime. It’s less important in other countries, where people don’t mind waiting days -- or even weeks -- before the winner is announced.
Through the centuries, different technologies have done their best. Stones and pot shards dropped in Greek vases gave way to paper ballots dropped in sealed boxes. Mechanical voting booths, punch cards, and then optical scan machines replaced hand-counted ballots. New computerized voting machines promise even more efficiency, and Internet voting even more convenience.
But in the rush to improve speed and scalability, accuracy has been sacrificed. And to reiterate: accuracy is not how well the ballots are counted by, for example, a punch-card reader. It’s not how the tabulating machine deals with hanging chads, pregnant chads, or anything like that. Accuracy is how well the process translates voter intent into properly counted votes.
Technologies get in the way of accuracy by adding steps. Each additional step means more potential errors, simply because no technology is perfect. Consider an optical-scan voting system. The voter fills in ovals on a piece of paper, which is fed into an optical-scan reader. The reader senses the filled-in ovals and tabulates the votes. This system has several steps: voter to ballot to ovals to optical reader to vote tabulator to centralized total.
At each step, errors can occur. If the ballot is confusing, then some voters will fill in the wrong ovals. If a voter doesn’t fill them in properly, or if the reader is malfunctioning, then the sensor won’t sense the ovals properly. Mistakes in tabulation -- either in the machine or when machine totals get aggregated into larger totals -- also cause errors. A manual system -- tallying the ballots by hand, and then doing it again to double-check -- is more accurate simply because there are fewer steps.
The error rates in modern systems can be significant. Some voting technologies have a 5% error rate: one in twenty people who vote using the system don’t have their votes counted properly. This system works anyway because most of the time errors don’t matter. If you assume that the errors are uniformly distributed -- in other words, that they affect each candidate with equal probability -- then they won’t affect the final outcome except in very close races. So we’re willing to sacrifice accuracy to get a voting system that will more quickly handle large and complicated elections. In close races, errors can affect the outcome, and that’s the point of a recount. A recount is an alternate system of tabulating votes: one that is slower (because it’s manual), simpler (because it just focuses on one race), and therefore more accurate.
Note that this is only true if everyone votes using the same machines. If parts of town that tend to support candidate A use a voting system with a higher error rate than the voting system used in parts of town that tend to support candidate B, then the results will be skewed against candidate A. This is an important consideration in voting accuracy, although tangential to the topic of this essay.
With this background, the issue of computerized voting machines becomes clear. Actually, "computerized voting machines" is a bad choice of words. Many of today’s voting technologies involve computers. Computers tabulate both punch-card and optical-scan machines. The current debate centers around all-computer voting systems, primarily touch-screen systems, called Direct Record Electronic (DRE) machines. (The voting system used in India’s most recent election -- a computer with a series of buttons -- is subject to the same issues.) In these systems the voter is presented with a list of choices on a screen, perhaps multiple screens if there are multiple elections, and he indicates his choice by touching the screen. These machines are easy to use, produce final tallies immediately after the polls close, and can handle very complicated elections. They also can display instructions in different languages and allow for the blind or otherwise handicapped to vote without assistance.
They’re also more error-prone. The very same software that makes touch-screen voting systems so friendly also makes them inaccurate. And even worse, they’re inaccurate in precisely the worst possible way.
Bugs in software are commonplace, as any computer user knows. Computer programs regularly malfunction, sometimes in surprising and subtle ways. This is true for all software, including the software in computerized voting machines. For example:
- In Fairfax County, VA, in 2003, a programming error in the electronic voting machines caused them to mysteriously subtract 100 votes from one particular candidate’s totals.
- In San Bernardino County, CA, in 2001, a programming error caused the computer to look for votes in the wrong portion of the ballot in 33 local elections, which meant that no votes registered on those ballots for that election. A recount was done by hand.
- In Volusia County, FL, in 2000, an electronic voting machine gave Al Gore a final vote count of negative 16,022 votes.
- The 2003 election in Boone County, IA, had the electronic vote-counting equipment showing that more than 140,000 votes had been cast in the Nov. 4 municipal elections. The county has only 50,000 residents and less than half of them were eligible to vote in this election.
There are literally hundreds of similar stories.
What’s important about these problems is not that they resulted in a less accurate tally, but that the errors were not uniformly distributed; they affected one candidate more than the other. This means that you can’t assume that errors will cancel each other out and not affect the election; you have to assume that any error will skew the results significantly.
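The essay’s argument about error distribution (the 5% figure above, the neighbourhood-dependent error rates, and the one-sided bugs just listed) can be made concrete with a small expected-value model. The following block is an added illustration, not code from the original essay or from any voting-system vendor; the precinct names, vote counts, loss rates and the -500 adjustment are constructed sample data chosen to show the three cases.

```python
"""Expected-value model of counting errors in a two-candidate race.

Added illustration, not code from the original essay. The precinct names,
vote counts, loss rates and the -500 adjustment are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Precinct:
    name: str
    intent: dict                 # true voter intent: candidate -> ballots cast
    loss_rate: float = 0.0       # fraction of ballots the equipment fails to count
    # systematic tabulator error: candidate -> ballots added (negative = subtracted)
    adjustment: dict = field(default_factory=dict)


def expected_tally(precincts):
    """Expected reported totals once each precinct's error model is applied."""
    totals = {}
    for p in precincts:
        for cand, n in p.intent.items():
            counted = n - round(n * p.loss_rate)   # ballots lost at random, same rate for every candidate
            counted += p.adjustment.get(cand, 0)   # then any systematic shift the software introduces
            totals[cand] = totals.get(cand, 0) + counted
    return totals


def winner(totals):
    return max(totals, key=totals.get)


def margin(totals, a="A", b="B"):
    return totals[a] - totals[b]


# Constructed electorate: an A-leaning town and a B-leaning town, 400-vote true margin for A.
INTENT = [
    Precinct("A-town", {"A": 6500, "B": 3500}),
    Precinct("B-town", {"A": 3500, "B": 6100}),
]


def scenarios():
    """Reported totals under each error model the essay discusses."""
    # 1. Same 5% error rate on every machine: both candidates lose 5%, the margin shrinks
    #    proportionally (400 -> 380) and the winner is unchanged.
    uniform = [Precinct(p.name, p.intent, loss_rate=0.05) for p in INTENT]
    # 2. Error rate differs by neighbourhood: only A-town's equipment drops 15% of ballots.
    differential = [
        Precinct("A-town", INTENT[0].intent, loss_rate=0.15),
        Precinct("B-town", INTENT[1].intent, loss_rate=0.0),
    ]
    # 3. Systematic bug: one tabulator subtracts 500 from A, with no random loss at all.
    biased = [
        Precinct("A-town", INTENT[0].intent, adjustment={"A": -500}),
        INTENT[1],
    ]
    return {
        "true": expected_tally(INTENT),
        "uniform": expected_tally(uniform),
        "differential": expected_tally(differential),
        "biased": expected_tally(biased),
    }


if __name__ == "__main__":
    for label, totals in scenarios().items():
        print(f"{label:13s} {totals}  winner={winner(totals)}  margin(A-B)={margin(totals)}")
```

Only the first scenario matches the "errors cancel out" assumption: a uniform loss rate scales both totals equally, so it can only change the outcome when the true margin is already inside the error band. A precinct-dependent loss rate or a systematic per-candidate shift flips the constructed race with far fewer affected ballots than the 5% headline figure suggests, which is why a recount path independent of the software matters.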
Another issue is that software can be hacked. That is, someone can deliberately introduce an error that modifies the result in favor of his preferred candidate. This has nothing to do with whether the voting machines are hooked up to the Internet on election day. The threat is that the computer code could be modified while it is being developed and tested, either by one of the programmers or a hacker who gains access to the voting machine company’s network. It’s much easier to surreptitiously modify a software system than a hardware system, and it’s much easier to make these modifications undetectable.
A third issue is that these problems can have further-reaching effects in software. A problem with a manual machine just affects that machine. A software problem, whether accidental or intentional, can affect many thousands of machines -- and skew the results of an entire election.
Some have argued in favor of touch-screen voting systems, citing the millions of dollars that are handled every day by ATMs and other computerized financial systems. That argument ignores another vital characteristic of voting systems: anonymity. Computerized financial systems get most of their security from audit. If a problem is suspected, auditors can go back through the records of the system and figure out what happened. And if the problem turns out to be real, the transaction can be unwound and fixed. Because elections are anonymous, that kind of security just isn’t possible.
None of this means that we should abandon touch-screen voting; the benefits of DRE machines are too great to throw away. But it does mean that we need to recognize their limitations, and design systems that can be accurate despite them.
Computer security experts are unanimous on what to do. (Some voting experts disagree, but I think we’re all much better off listening to the computer security experts. The problems here are with the computer, not with the fact that the computer is being used in a voting application.) And they have two recommendations:
- DRE machines must have a voter-verifiable paper audit trail (sometimes called a voter-verified paper ballot). This is a paper ballot printed out by the voting machine, which the voter is allowed to look at and verify. He doesn’t take it home with him. Either he looks at it on the machine behind a glass screen, or he takes the paper and puts it into a ballot box. The point of this is twofold. One, it allows the voter to confirm that his vote was recorded in the manner he intended. And two, it provides the mechanism for a recount if there are problems with the machine.
- Software used on DRE machines must be open to public scrutiny. This also has two functions. One, it allows any interested party to examine the software and find bugs, which can then be corrected. This public analysis improves security. And two, it increases public confidence in the voting process. If the software is public, no one can insinuate that the voting system has unfairness built into the code. (Companies that make these machines regularly argue that they need to keep their software secret for security reasons. Don’t believe them. In this instance, secrecy has nothing to do with security.)
Computerized systems with these characteristics won’t be perfect -- no piece of software is -- but they’ll be much better than what we have now. We need to start treating voting software like we treat any other high-reliability system. The auditing that is conducted on slot machine software in the U.S. is significantly more meticulous than what is done to voting software. The development process for mission-critical airplane software makes voting software look like a slapdash affair. If we care about the integrity of our elections, this has to change.
Proponents of DREs often point to successful elections as "proof" that the systems work. That completely misses the point. The fear is that errors in the software -- either accidental or deliberately introduced -- can undetectably alter the final tallies. An election without any detected problems is no more a proof the system is reliable and secure than a night that no one broke into your house is proof that your door locks work. Maybe no one tried, or maybe someone tried and succeeded...and you don’t know it.
Even if we get the technology right, we still won’t be done. If the goal of a voting system is to accurately translate voter intent into a final tally, the voting machine is only one part of the overall system. In the 2004 U.S. election, problems with voter registration, untrained poll workers, ballot design, and procedures for handling problems resulted in far more votes not being counted than problems with the technology. But if we’re going to spend money on new voting technology, it makes sense to spend it on technology that makes the problem easier instead of harder.
This article originally appeared on openDemocracy.com.
Posted on November 10, 2004 at 9:15 AM
Software simply cannot be trusted when the software itself may be tainted by a relatively small handful of people behind the software.
This is very similar to users that play online poker and could swear on their lives that the entity they are playing isn't human even though it is claiming it is. It can't be proved that the system may be cheating the individual but people still pour billions of dollars into online gambling. Trusting a system that appears to be simpler to use than traveling somewhere and staying the night to have fun and perhaps even gain monetarily.
Back to voting, whether the system is deliberately left with holes, hacked, attacked, tricked... opportunities for backdoors and conspiracies will always be there. Even with printed audits people with the smarts will be able to beat it.
This faulty system is likely a precursor to biometric usage to vote - wiping away anonymity. Maybe even tying your vote to your NID card. Of course with the identities being used for "statistical purposes only"... This is one system which decentralization doesn't work well for. All that can be done is change it, unify it and test it, hack it, fix it, and repeat.
Anything under public scrutiny will have problems only because they are constantly being monitored for failures. ATMs fail everyday, banks lose money because of people that have outsmarted the system, but because of non-disclosure it simply isn't made public (until recently but only when the breach reaches certain criteria).
Perhaps this system only works in a utopian world where everyone would be honest...
access to source code alone is not sufficient for trusting code. the compiler must also be scrutinized. see classic paper: "Thompson, K.L., Reflections on trusting trust. Commun. ACM 27, 8 (Aug. 1984) 761-763", or http://www.ece.cmu.edu/~ganger/712.fall02/papers/...
I would just like to direct your readers to http://evm2003.sourceforge.net/ which is a project (put together by some experts in voting as well as experts in computers) to create a freely available voting system which will run on inexpensive hardware and will address all of these concerns: accuracy, anonymity, scalability, and speed, as well as a few others like access for the disabled.
It's a project well worth our attention.
I disagree with the recommendations about DREs. I think you've jumped the gun by specifying solutions instead of requirements. There is no requirement that would force DREs to have a paper backup ballot, nor is there any requirement that the source code be open. Those are possible _solutions_ to the vote verification problem, but they are not the only solutions.
As a counter example, imagine a voting system that registered each vote anonymously with the New York Times, the Republican Party and the Democratic party. That would meet the verification requirement without paper, or without open source code. Presumably the registration standard would be an open protocol, but there would be no need for the source code to be open, since registering the vote in multiple places would minimize the chance of any one location having compromised software.
Now said solution would involve other issues, but I'm just using that as a counterexample to point out that it's a little early to be insisting on a particular direction for election solutions.
It's not sufficient to verify the source code and the compiler. We also need to verify that the proper software is installed on each system. This is yet another problem when the voting process has many steps - each step must be verified.
The "solution" to register the votes with different entities wouldn't solve anything because the voting system could still register the votes incorrectly (by mistake or malice) but consistently. The only real solution is the good old paper ballot and the ideal is to have them counted by humans. Believe it or not, this is the way elections are still organised in many countries but it seems this solution is "too expensive" for the USA. The second best solution thus is to have the paper ballots as backup so that they can be counted by humans if necessary. Why is human counting more accurate? Because social control and interaction is almost always the best security. Bruce Schneier has pointed this out in the past, should he have forgotten it? Fraud can still occur but it takes several accomplices working together, the risk to be detected is very high and any fraud could only be successful on a local scale.
The remark about the 5% error rate is interesting. I know of no democratic country that would consider a 5% error in an election tolerable. Many elections are decided at smaller margins. The remark also assumes a first-past-the-post electoral system where the exact margin of victory isn't important. But in countries with proportional representation, the exact result is important, and no error tolerance is acceptable. Maybe this points us to an insight: in an electoral system that truly values every single vote, ballots will be handled more carefully.
The talk of a 5% error rate is interesting, but how does it compare with the error rate under current punch card and similar systems?
What is the error rate on credit card transactions, I thought something like 2 - 3%...why cannot we make the voting process by computer/touch screen whatever, at least that accurate?
I don't understand the fourth requirement for a voting system: speed. Isn't the requirement "timely" and covered in the third requirement, scalability?
While I would be comfortable seeing "timely" instead of "speedy", I would disagree that this is the same thing as scalable.
If you look at the election timeline, http://www.fec.gov/pages/ecworks.htm taking two or more weeks would not be an issue to the election process. In fact, as was seen in this election, in Ohio the provisional ballots are not normally counted until 11 days after the election. One could easily manually count thousands of ballots in 10 days. So "speedy/timely" and "scalable" are not necessarily the same thing in my opinion, even though they interact.
I think that one of the problems with automated voting is that it is taking two separate functions and combining them into one seamless, computerized process. The two processes involved with voting are:
1) Balloting - Going from the intent of a voter - to a ballot (a marked list of voting choices)
2) Accumulation - "Scanning" all ballots and tabulating (with audit trails, recount capability, etc.)
If we were to utilize the edit and usability of a computerized ballot printer -- as a function separate from the accumulation/tabulation function -- we would provide:
1) standardization of ballot format (no hanging chads, no dimples, no marks outside the box, etc.)
2) a way for the voter to visually verify that the ballot reflects their choices (avoiding misaligned punch card holders, etc.)
3) a way for the voter to see their vote physically entered into the system
4) a mechanism that allows for recount of a physical voting medium
I agree with all four of your characteristics, but for point two (the secret ballot) to be properly protected, at least two major changes need to be made in the present system.
First, we must eliminate voting by mail. There is no substitute for going to a public place and getting into a voting booth, where witnesses can see that you're the only one inside. (The right way to handle absentees is to set up a voting booth at the registrar's office way ahead of time and have them vote early.) Yes, some exceptions may need to be made for the disabled and maybe for our troops overseas (though I'd think that voting booths could be set up there, too), but allowing large numbers of people to vote by mail makes it too easy for a voter to prove to third parties how he has voted, thus breaking ballot secrecy.
Second, where the ballots carry serial numbers to create an audit trail (as here in California), the staff at each polling place must stop writing down who received which ballot, as they do today. This practice makes it possible for an insider to find out how an individual voted. Yes, check the number of ballots that were handed out (and retain spoiled ones) to prevent anyone casting multiple votes, but the only record of the relationship between a numbered ballot and a voter should be the numbered receipt given to the voter -- thus making it impossible to defeat his anonymity without his cooperation.
People are the problem, not computers. Software vendors generally "advise" how to install and secure their product, but it is the ultimate responsibility of the user to secure the hardware and operating system on which that software runs. The vendor will not take on that liability. A TV spot earlier this year highlighted how easy it would be to change a vote tally by hacking the database residing on the "PC" that tabulates the votes in a DRE system. You are assuming that the people who work these machines will have the knowledge to secure them. I have over ten years' experience in IT and still have vulnerabilities on some of the hundreds of servers that I administer. Hardware security is a very complicated process and requires in-depth knowledge of computer systems and network protocols. Most of the people running voting systems are your average mother or grandmother who have operated mechanical voting booths designed in the 19th century. They are not computer experts. Asking them to properly secure a computer is humorous at best.
Good point about absentee ballots Fuzzy. Absentee ballots are supposed to be valid even if they arrive long after the election has been called, and are never actually counted. Frankly, I regard that as insulting to the absentee voter. In Germany, absentee votes must arrive before election day and they are counted on election day. Voters have plenty of time to mail them in. The provisional official result, including all ballots cast (48 582 761 in 2002), is published about 1 AM on election night.
One very important piece missing from the "voter verified paper trail" requirement - the requirement that there be some mechanism in place to correct the problem if something does go wrong. There were numerous instances in this election of voters stating that the machines didn't respond to their votes correctly and how they were ignored or laughed at when they took those concerns to the voting authorities. Those individuals likely did not have their intent recorded properly.
Should use some lessons from the space program:
Computerized voting machines should consist of multiple independent computer subsystems, each running a different tabulation software program, and a simple comparator subsystem that compares the results of each tabulation program.
Should also have each software program in ROM, so that it cannot be hacked after installation.
This is a presentation (it's a PDF of slides from the presentation) to NIST about the security flaws found in Diebold's source code. Very interesting. The Diebold part starts on page 13.
VOTER CONFIDENCE is omitted from 'four essential characteristics'. Whether the DRE works or not, voter perception is essential: We must perceive that it's accurate, anonymous and fair.
In other words, we must cut down false positive (and false negative) perception of errors.
Computers provide a better interface, by offering only a few options at once, and validating and confirming selections. But only physical ballots are sufficient for the other requirements.
This discussion overlooks a subtle disenfranchisement effect with DRE machines -- long lines. A municipality will have X dollars to spend on voting equipment, with which it can purchase either a few DRE machines, or one optical scanner and a zillion felt tip pens and voting stations. The long lines and waits at a DRE polling place have a disproportionate impact on blue collar and working class people who have to work fixed hours; there is less impact on professionals and the wealthy.
The supposed advantages of DRE machines are easily replicated in optical scan systems. The scanner can refuse to accept ballots with overvotes, giving the voter a chance to correct and resubmit. Paper ballots can be prepared in multiple languages, and each precinct can have the correct mix on hand because the language of the ballot can be selected at registration time. To assist the blind, a conventional computer with headphones and a printer can be used to create the ballot, which is then scanned with all the others. If this standalone computer is compromised, it only impacts the few (and not even then, if the visually impaired are able to have the ballot verified before scanning).
"a voting system has four required characteristics"
I think you missed an important one, or at least an important aspect of one you listed. A voting system must not only be anonymous (in the sense that no one other than the voter should be able to determine how the voter voted, against his/her wishes). It also must provide no proof the voter can use outside the system to prove how they voted (to prevent vote-buying, coercion, etc.).
An election is a process. It is delusional to think verifying source/compiler/hardware of a component makes the process secure.
For instance, if the printed receipts are the final vote cast for the voter, so should they be for the tally. The electronic results are provisional at best.
A "voter verified paper trail" essentially means you're using a $2000 machine to do the job of a fifty cent pen... making a mark on a piece of paper.
No "open source" scrutiny can ever prove anything. You must check the compiler, and the compiler's compiler, and the compiler's compiler's compiler, ad infinitum. "Open source" does NOTHING for proving the code that is being used in the voting machine is actually the code that was published.
I can't believe someone like Schneier would even begin to suggest that software-based systems could EVER be made secure. THEY CANNOT, EVER. Surely he is aware of Ken Thompson's paper "Reflections on trusting trust" ?
Any system without "voter verified paper trail" can simply say "You voted for Kerry" but actually record a vote for Bush. Totally undetectable... except for potential exit poll anomalies. Hmmmm, sound familiar anyone?
I think that they should test the machine before they even use it. Although they spend a lot of money fixing those machines, they should have tested them and made sure that they are safe to use and won't cause any problems for the people using them. We know that a lot of experts are trying hard to do their very best to make it work, but I think that the best way they could have prevented the loss of many votes was to have another comp. to recount the vote after the first computer counted it. The loss of the votes may or may not be fraud, but unless we keep everything straight and think about this thing that happened, maybe we can prevent it from happening for the next 4 years or 2.
DREs are the last place I would focus effort if you want to truly clean up US elections. We need to focus on out and out voter fraud; illegitimately or illegally registered voters, voters registered in multiple districts, phantom votes, dead voters, lack of a need for providing identification when voting, and the sorry joke we have for absentee ballot systems in most states. We accept heightened security in every other phase of our lives but we pass laws (such as Motor Voter) that result in 8 of the 19 September 11th hijackers being registered to vote. When people (read as "politicians and political parties") decide to scam an election, they go low tech. It's far easier and has far less chance of ever being caught.
I thought of a way for electronic voting to be done accurately and in a verifiable manner. Let me know what you think about the following method:
When you vote, you get a receipt with two pieces of information on it: a unique ID and the candidate for whom you voted. All the votes are recorded in this manner in a central database. After the election, the ENTIRE database is made available for anybody to download. This would allow every person to verify that his/her vote has been recorded correctly, as well as verify that the entire pool of votes has been counted correctly.
Cheating would be impossible in this scenario. The only drawback is that the database would be quite large and it would be tough serving it from a single server. However, that's when BitTorrent comes into the picture... :)
There are three major components to voting - Registration - Voting - Counting.
Together, these components form a system which ensures our democracy. It is the foundation, the walls, the food, the currency, the hope that we can keep democracy alive.
Voting does NOT have to be electronic, but when dealing with the millions of people who vote and want instant answers, it seems likely it is the only way to achieve the goal.
The largest problem we face is making sure that the non-technical, non-logical, sometimes character flawed people that make decisions about our voting systems do not destroy our democracy either on purpose or through sheer ignorance.
This is a technical problem that can easily be solved by engineers and scientists with the proper backgrounds. Using sound developmental principles, we could easily lead the whole world into a new age of democracy.
However, this will not happen with corporate idiots like Diebold and ESS and others leading the way. In fact, it must be a NON-partisan team that is only interested in the accuracy, reliability and usability of the system, not the outcomes it generates, that can create such a system.
We have just completed phase I, release 0.9, of the new electronic voting systems. They are the first generation. They are DOS 2.1. They are pre-Macintosh. Hell, they are pre-Multics.
It is time to start thinking about how to really solve this puzzle. Time to start thinking about the system, not the parts.
I suspect most of y'all won't believe me, but my company is making software that addresses the above-mentioned concerns. I encourage everybody to run through the little on-line demo, and/or download the source code, at http://www.votehere.com/downloads.html
The more I know about voting machines the more upset I get. When there is no paper trail or any recount possibility at all, the situation with the voting machines is essentially the same as if all the voters write their choices on a piece of paper and hand them to me. I'll then tell you what the totals are. Absolutely no one has any chance to recount the votes or second guess me.
I am a software engineer and I can attest to the fact that by keeping source private, the voting machines companies have total control of the election outcome. Even if source code were public, you may not be able to ensure that it's even the actual code loaded into the machine. There's also plenty of opportunity for vote tampering in the servers that collect the precient totals. By the way, none of those systems should even be connected to the internet. Workstations at the voting precients should only use a dialup connection to relay the results.
This is my idea about how the voting machines should work. When a person inputs their vote, the machine will print a paper receipt showing their selections with a random assigned identifying number, not their name. After the polls close, a list of results are posted with the random ids and the votes they selected. The voters will then be able to check the list to verify that their votes are shown correctly. What is so difficult about that? The voting machine manufacturers will have no opportunity to manipulate the results as I now firmly believe Diebold and others did in this election.
Many of you making comments demonstrate a breathtaking amount of ignorance in the voting process. Many of you probably haven't ever voted.
The real problem facing electronic voting isn't anything that has been mentioned on this page. The problem is money. Very few in this country are willing to pay what it will cost to have the kind of accuracy and security that is demanded by the neophyte/luddite 'so-called' voting systems experts.
Were there isolated problems in the 2004 General Election? Yes. Do similar problems happen in non-DRE jurisdictions? Even more so.
Did you know that 95% of the reported issues with DRE voting machines (which have been used in this country for over 20 years, this ain't new kids) result from USER error, both voter and election administrator? Many of these reports assume that it was the voting system's fault as opposed to the person operating the system. How is it that we always seem to hear about the exact amount of votes in question? It is because the system works.
Electronic voting systems are more accurate, easier to use, and less prone to malicious attacks than any previous voting method. Ask a person who actually knows what they are talking about. Talk to your local election officials.
No system is ever going to be 100% accurate. And the voting system used is secondary to the entire election administration process. It is a very involved process incorporating many checks and balances, as well as many, for the most part trustworthy, people. This entire process requires trust be placed in the whole. A DRE is just a tool, a part of the whole.
Back to my original point. Do you want to fund our elections with a budget similar to NASA’s? Where do you think we will get that money? Just think about how much we will have to pay for better poll workers. How much we will have to pay for competent State and County election officials? How much we will have to pay consultants to tell election officials what they already know? How much will we have to spend on the bullet-proof systems the Avi Boobins of the world think we need? Is there ANY system in the world that, if given complete unfettered access to it, could not be compromised?
Stop believing everything you read. Call the jurisdictions that you have heard had problems. (I know many of you believe that everyone in the world is corrupt and involved in a conspiracy.) The truth will be very different than what you have read. I have investigated many of these incidents and found most to be human error. And guess what, you will never code your way around that. Statistically the ‘voting system’ problem, isn’t.
Interesting to see the Indian Electoral officials' confidence in US manufactured firmware.
Click on Electronic Voting Machines and note the verification process in Q28. Of course these machines are intended for a single member FPP system, and would need some development for multiple selection, or proportional voting elections.
Americans and TV is the problem here, if you weren't so impatient for the results, the problem would go away since the "old" manual way has worked for so long. Remove the "I wanna know now" and election fraud is a lot less likely. And anyway how is it possible for Venezuela to do it right but not America? (Sorry, I meant, the US)
You know, voting is really a tough/interesting problem, but most of the people who comment on it are dilettantes. Even Bruce gets it wrong here because he thinks _his_ solution is the only solution.
Less hysteria please, until you read a book on how past elections have been rigged... voting machines aren't perfect, but they're much better than punch cards...
I'm going to rip into Don here as an example. (Sorry Don)
Don claims that without a paper trail, everyone would just have to trust the machine. Nope.
Audit trails are not the same thing as paper trails. If your vote was transmitted to both the New York Times and the party of your choice, that would provide an audit trail. DON'T FIXATE ON PAPER, FIXATE ON AUDITING.
Don then manages to contradict himself in the same paragraph about whether open source is important, and then blathers on about network/internet connectivity. None of that matters. If the computers were ALL connected to the internet to transmit their votes securely over a standard protocol, it wouldn't matter if they'd been hacked, because the protocol could secure the vote. So that would provide both an audit trail, and you wouldn't care if the source had been hacked.
Don then talks about having a ballot ID which you get to take away with you for later verification. He asks what's so difficult about doing that.
What's so difficult about it? He's just violated ballot secrecy, that's all. Now you can show person X your ID, and they can confirm you voted how you were supposed to and pay you your $5. FYI, the mafia was busted in Italy for having people take camera phones into the polling place to prove they voted for who they were supposed to. Go to www.votehere.com, they have one of the few paper receipts that you can actually take with you, but it's still a tough problem if you actually read about how they have to do it.
Don then concludes with his moonbat belief that Diebold stole the election.
Nope. Didn't happen. Don't care if you believe it, you don't know anything. Go read the Caltech/MIT report on the issue.
Thank you for commenting on voting. From the reasons brought out above it really appears that having a computer in the voting booth does not help things.
I have a suggested idea for an electro-mechanical machine which would have the computers involved before the voting booth and after the voting booth but not in the voting. Of course it requires proper policies and procedures to ensure that the device is checked.
Any ideas on who might be able to take a concept to testing?
It's really very simple. The legal and binding result of the voting transaction needs to be the paper ballot generated, not bits flipped invisibly on some storage media.
Why? Because it's human verifiable. Not only by the voter but also by anyone desiring to recount the ballots. It's also a significant deterrent to the temptation to tamper with the technology. If a potential hacker KNOWS even if the tabulator is hacked the paper ballot will still exist and could be used to verify the results, the motivation for hacking the system isn't there (remember we know we can never fully secure any useful computer system!)
To those who would point out that it's just as easy to "hack" a paper ballot election I'd point out that while an individual act of tampering might be easier, I'd compare the difficulty in spreading snail-mail spam (think postage costs) versus spreading email spam (essentially free to the sender). The impact of an individual tampering event is potentially so much greater.
We technology minded people need to resist the temptation to over-engineer the voting process.
"in-the-know" suggests that "95% of the reported issues with DRE voting machines result from USER error, both voter and election administrator"
I have two simple questions:
1. Where is this fascinating figure documented?
2. If user error is so common, how is that not a case of poor software and interface design?
Thanks for this great writeup.
Do you think a server based web interface would be more secure as in easier to watch?
The voter MUST directly observe and comprehend the exact, specific, tangible, physical object which is his/her ballot and confirm to their own satisfaction that it reflects their wishes before that ballot is cast. Only then can an election be trustworthy. Until we as a species can directly observe and comprehend FlashRAM or HDD stored voting data, I'm afraid we're stuck with paper.
I'm all for DRE/Touch Screen voting and believe strongly that it is an improvement. Such an opportunity to publish preliminary results should not be ignored. I also believe that a printed/voter-verified record would dissuade potential tamperers (since their efforts would not withstand a recount). But those benefits can only exist in a scenario where the voter-verified, human comprehensible printed ballot is the official and final representation of the voter's intent.
There is no need for a 'take home' receipt and as indicated it would create an avenue for abuse without providing any significant benefit. Indeed the voter wouldn't need to even physically handle the ballot (though it would be fine if they did) so long as they could witness the actual physical object they reviewed be put in the ballot box. A 'ballot behind glass' has some issues to be overcome regarding ensuring anonymity (sequential deposits of ballots would be problematic), but these issues could be overcome.
I agree with guanxi that voter confidence is the missing essential here. The key element to achieve this is, I think, transparency. The thing about paper ballots is that any random person could watch the whole process, from ballots going into a sealed box, to unlocking that box and counting the ballots at the end of the day, in the presence of multiple election officials, party observers, reporters, and whoever else wants to watch. This is true of optical scan or punch card ballots, too, for the most part. Though the counting mechanism is automatic, a hand recount would theoretically get the same results. The margin of error due to ambiguously marked ballots is low, but higher than most any non-expert would have guessed before Florida 2000.
Another problem with electronically registered ballots is that they are utterly opaque. Even in the best case where the code, hardware, etc. is open to public scrutiny, only a few people would be qualified to provide that scrutiny, and the general population would have to rely on their opinions. To the average person, that does not sound much more reassuring than the situation now, where they are expected to believe the word of election officials and Diebold spokespeople that the machines are accurate and reliable.
For a system as simple and important as voting, why not use the simplest technology possible, so that it is truly transparent, in the sense that almost any citizen could watch the whole process and see that it is fair? Find a way to reduce error rates (no dimpled chads), but keep it simple. My preference is for machine-readable ballots marked with black ink. A machine-generated (but human-readable) ballot, where the machine that generates the ballot has nothing to do with the counting, could achieve this, too, as well as removing the problem of overvotes.
The ballot box requires one box, and scales linearly with the number of pens and flat surfaces available.
The electronic voting machine scales linearly with the number of secure touch-screen boxes available, cost about $3000 each. So please explain how this model is going to obsolete the modern ballot box -- optical scan -- any time soon? Never mind the security aspects; the logistics of electronic voting machines will never make them anything more than a pork-barrel project for the likes of Diebold.
Hear, hear (to Mac's comment).
Good to see we're on the same wavelength on this one. I'm always validated when I read something from you that coincides almost exactly with my take on it. :)
Excellent take on the problems with electronic voting.
The Open Voting Consortium is working on just such a solution and needs the aid and support to make it become a reality whether you can donate time or money this is a worthy cause. Their website is http://www.openvotingconsortium.org be sure and run the demo and sign up if you're able to help.
I totally agree with Mac's analysis. What's the point of using computers, when only one vote per year happens (on average)?
First hiring people for this process is less expensive, second less error prone, and it's probably even more user friendly.
And you can organize a paper ballot to be fully counted within hours per state (obviously you will use computers in the backoffice, but you won't need them to cast the vote).
The good ole trick from Julius Caesar works perfectly fine (since decades now): Divide et impera!
I've been told by a friend who was a poll worker in the last Brazilian elections that it was possible to deduce at some distance the electronic vote cast by careful listening to the pitches emanated by a voting machine. Each one of the two digit combinations for president would chirp differently. Many poll workers made mental notes of who voted for whom. He was not computer literate and couldn't help me to decide if this leak was due to the keypad, monitor, some twisted capacitor or whatever. Also don't know if this issue was widespread or not. I wonder if someone could have massively learned every vote at distance by a simple electromagnetic emanation analysis. Does anyone know how these issues are being tackled in the USA?
Nice posting, in general. A couple of comments.
1. I disagree that "DRE machines must have a voter-verifiable paper audit trails (sometimes called a voter-verified paper ballot)". An audit trail is different from a vvpb. The important principle is that the vvpb is THE voting token. If in doubt the vvpbs will be recounted. Everything else is secondary to the vvpb. Until a vvpb has been created correctly, the vote has not been cast. This is important in comparison with something more like a receipt, which may not print for some reason, even though the vote has been cast. As soon as any divergence is allowed between the vote and the verifiable token, there is always going to be an implementation problem 'on the day'. This creates a requirement for a back-door to make corrections, and the game is lost. So the vote must be THE verifiable token, the vvpb.
2. A couple of comments touch on protocols. One gripes about Bruce's solutionist view. My view is: state your requirements, and propose protocols to meet the requirements. (By protocols I mean practices, as well as communication protocols.) Publish the protocols, and define challenges and test suites to run against each new version of the protocol.
It will prove very difficult to answer all the basic requirements using automated systems.
3. I've worked >20years with technology and am always on the bleeding edge, but my vote is for paper and ink. Works in most other countries, and will always be more credible.
4. We should be far more concerned with implementing IRV than worrying about automating the vote. That's a mere distraction.
I would have to say that there should be two systems for the votes to be counted on.
One system would be a touch screen or similar to allow for the electronic vote, then a paper print out is given to the user. The user then takes that piece of paper which has a barcode on it and the details of the vote for the user to verify, the user then scans that on a separate system. The piece of paper is then placed into a ballot box in case there is doubt over either system. Both systems CANNOT be run by the same people.
This gives two forms of redundancy. The pundits that say that the system doesn't have to be open source, that's fine, the touch screen system doesn't have to be open source, but the verification system must, or vice versa. One of these components must be publicly verifiable.
The data from both of these systems can then be sold off to pay for the cost of the equipment and writing of the software.
Now all this is a relatively high tech answer to this problem, and each step must be audited. In comparison the old paper ballot is still very easily verifiable, and certainly doesn't have the confusion that exists at the moment. The only problem is interpretation. With computers it's 1 or 0, and that's it. Your vote counts or it doesn't. The Florida debacle I would not like to see happen again.
Well having watched the US elections I am amazed at the amount of interference that is allowed in any election. I agree with Bruce that the code needs to be open to the public, I also agree that a paper trail is needed, makes the user feel happy, and that is the end result.
If a person votes and feels secure in their vote because the computer printed out a result then the system is on the right path.
The US voting system needs to have a way of validating the votes, two methods come to mind. A simple bar code printed out from the touch screen which has your vote on it which you then scan with a totally separate system. You should get to keep a copy of your vote if you want and place the paper vote into a sealed bin.
This gives 3 forms of counts.
1. the touch screen
2. the bar code system
3. the paper vote
The first two should be counted by different departments which do NOT share the result with each other. The 3rd system could be used if there is something amiss with the counting.
Another high tech approach is to issue a random security device to each voter. I mean random, as in generate the "keys" and have people select them from a voting bin. The "keys" can be for a single vote or kept to vote for your entire life like a smartcard. This card should have no identification on it, record your vote and the place date and time. The card holder should be able to use ATM like machines to validate the card's recorded results and the encryption should protect the validity of the vote.
I know a lot of people will say they will track your vote. If the whole process is open source and the process used is random. The card has no identification on it at all. The "key" is only there to validate your right to vote and record your vote so you can check it whenever you want.
These "keys" can be given to valid voters who keep them and use them at every election, or used and then given back at the end. I still believe a paper audit trail should be maintained, ie a printed receipt with the card you used and the vote you cast. This should be in machine readable format so it can be counted quickly.
The whole idea of a two-tally system is the best approach to any voting system. The two separate systems audit each other. The third tally system can be used to audit the first two. Having voters keep a record of how they voted and giving them a way to validate this is also a good approach.
It is sad to see a Country like the US run by money when it comes to elections. If the US spent 1/10 of the money on weapons then you would have a great voting system and people would be proud to vote.
I agree that a voter-verified paper trail is mandatory. Registering the vote electronically with any number of third parties isn't good enough, because there's no way to be sure that the vote being sent to the third parties corresponds to the voter's selection. Go ahead and count the votes electronically, but at the same time print them out on a paper roll behind glass. The voter can see that his vote was recorded correctly, and the paper is available for a recount, if necessary. And because it's behind glass, there's no possibility for vote selling.
Or you can do what we do here in Canada: Mark an (X) on a paper ballot, and have the results counted by multiple representatives of all political parties on the ballot. The combination of everyones' self-interests guarantees a fair and accurate count.
Here's another recent article about the risks of DREs:
I've counted votes in a couple of elections in Germany, some of them having very large candidate lists (e.g. 30 or more per party, and you could cumulate votes, 1-3 votes per candidate, a total of 30). We used paper ballots and sealed boxes, and we had 100% accuracy, 100% anonymity, scalability was fine, and even the most complicated elections were counted by 1 or 2 o'clock a.m. next day.
I've read a lot about voting machines, electronic voting and the like, but I can't imagine how any of these systems could even come close to the efficiency of using paper ballots, sealed ballot boxes, and manual counting.
I must add that in the back office we are of course using computers in Germany. But everything done there could be verified by recounting the votes.
For a national election (which is rather simple with just a few parties and local party candidates to choose from) we were able to report our preliminary results (just the party, without double checking) within less than an hour, which means on a nation-wide level that accurate estimates are on TV only 1-2 hours from the closing of the election, and the preliminary official results are out early next day.
Some points I want to make:
- Paper and pencil voting is cheap. Yes, you need a few people to count the votes, but from reading about the U.S. elections I have the feeling that we have managed more voters with less people than in U.S. counties using Diebold voting machines.
- There is no easy replacement for the ballot box. Printing receipts that can not be taken away means that the machine might be able to keep track of the order of the votes, which is a general issue with all voting machines, but not with the paper ballots, which are a randomly ordered heap of paper or paper envelopes after the boxes have been opened and emptied on the tables. If the receipts are put into ballot boxes you could as well just use the ballot boxes with plain paper ballots in the first place. You need the same number of people to make sure nobody puts in the wrong number of receipts or takes the receipt with them.
- As others have pointed out, it's extremely hard to efficiently manipulate well-organized paper-and-pencil elections. It happens from time to time, but not undetected. One example I read about using Diebold machines: The machines were put up the day before the election. So anybody with access to the room would have been able to manipulate the machines. In Germany the voting rooms are prepared the day before, too. But the ballot boxes are sealed right before the elections start, and all the members of the election committee for the election site can verify that they are empty before sealing. From that point on two people have an eye on every ballot box at any time, and the number of voters is compared to the number of votes that go into the ballot box. If any of those numbers (voters, votes that should be in the box, votes that are in the box) don't match (which actually never happened during any of the elections I took part in) we know something is wrong.
Another thing I've heard of is less a technical than a mere organizational issue, but probably even more scary than the issues with the voting machines: It seems that in the U.S. the voter lists are not maintained in the same way we are maintaining them. In Germany the local authorities make sure that all registered citizens are on the lists and get an invitation. You don't have to register for the elections separately, and if you have a reason to believe that somebody is on the list who shouldn't be there (like you know the neighbour died two weeks ago and his son tells everybody that he's going to vote for two) you'll be able to look at the lists to verify them.
Because you can only vote either in your local election office (which maintains the voters list during the election) or using a special voting permit that you have to hand in at the election office it's impossible to vote twice. Even if you fake a voting permit this will become obvious in the end because the permits are collected after the elections and duplicates would become obvious. Using fake names wouldn't work either because you have to provide a photo id.
I could imagine a computer-based voting system that comes close, but that would involve strong encryption using public key schemes, digital envelopes to make sure that the voters can not be mapped to their votes, and physical separation of steps via protocols. E.g. the machine that knows how to open the digital envelope is not supposed to be able to verify the voter's id. It would have to get the "stripped" and anonymous envelope from another machine that wouldn't know how to "open" the envelope.
Even then there could be technological issues, but those could be solved using proven transaction mechanisms like the ones used in online banking transactions. In any case such a system would have to be rather complex, and all the systems I've heard of so far are much simpler by design and not secure.
Following up to Joachim Werner's post...
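The two-machine split Joachim sketches, as an added example constructed here (not the commenter's design and not any real voting product): a registrar that checks the roll and forwards only an opaque envelope, and a tallier that holds the sole decryption key and never sees an identity. Textbook RSA with fixed toy primes is assumed in place of a real envelope scheme and is insecure; the point is the key separation, not the cipher.

```python
"""Toy model of separating voter verification from envelope opening.

Constructed example. Machine A (Registrar) knows the voter roll but has
no private key, so it cannot read ballots. Machine B (Tallier) holds the
private key but only ever receives envelopes with the identity stripped.
Textbook RSA with small fixed primes is an assumption standing in for a
real public-key envelope; it is NOT secure and is only here to make the
separation of keys concrete.
"""
import os

# Toy RSA parameters (assumption: fixed Mersenne primes, ~92-bit modulus).
P = 2305843009213693951   # 2**61 - 1
Q = 2147483647            # 2**31 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent: tallier only

NONCE_LEN = 4
MAX_CANDIDATE = 6   # 6 ascii bytes + 4 nonce bytes = 80 bits < log2(N)


def seal_envelope(candidate: str) -> int:
    """Voting booth side: append a random nonce and encrypt under (N, E).
    The nonce keeps two votes for the same candidate from producing
    identical envelopes, which would otherwise leak vote clusters."""
    body = candidate.encode("ascii")
    if not 0 < len(body) <= MAX_CANDIDATE:
        raise ValueError("candidate code must be 1..6 ascii bytes")
    m = int.from_bytes(body + os.urandom(NONCE_LEN), "big")
    assert m < N
    return pow(m, E, N)


class Registrar:
    """Machine A: checks eligibility, blocks double voting, strips identity.
    Its log records who voted, never what they voted."""
    def __init__(self, roll):
        self.roll = set(roll)
        self.voted = set()
        self.log = []   # (voter_id, status) pairs, no ballot content

    def accept(self, voter_id: str, envelope: int):
        if voter_id not in self.roll:
            self.log.append((voter_id, "rejected: not on roll"))
            return None
        if voter_id in self.voted:
            self.log.append((voter_id, "rejected: already voted"))
            return None
        self.voted.add(voter_id)
        self.log.append((voter_id, "accepted"))
        return envelope   # only the opaque blob moves on to machine B


class Tallier:
    """Machine B: holds D, sees envelopes only, never a voter id."""
    def __init__(self):
        self.tally = {}
        self.opened = []   # decrypted candidate codes, nothing else

    def open(self, envelope: int) -> str:
        m = pow(envelope, D, N)
        raw = m.to_bytes((m.bit_length() + 7) // 8, "big")
        candidate = raw[:-NONCE_LEN].decode("ascii")   # drop the nonce
        self.opened.append(candidate)
        self.tally[candidate] = self.tally.get(candidate, 0) + 1
        return candidate


def run_election(roll, submissions):
    """submissions: list of (voter_id, candidate). Returns
    (tally, registrar, tallier) so each machine's records can be inspected."""
    reg = Registrar(roll)
    tal = Tallier()
    for voter_id, candidate in submissions:
        env = seal_envelope(candidate)      # sealed in the booth
        anon = reg.accept(voter_id, env)    # machine A: identity checked
        if anon is not None:
            tal.open(anon)                  # machine B: identity unknown
    return tal.tally, reg, tal


if __name__ == "__main__":
    # Constructed sample: one double vote and one voter not on the roll.
    tally, reg, tal = run_election(
        ["v1", "v2", "v3"],
        [("v1", "ALICE"), ("v2", "BOB"), ("v1", "BOB"),
         ("v9", "ALICE"), ("v3", "ALICE")])
    print("tally:", tally)
    print("registrar log:", reg.log)
    print("tallier saw:", tal.opened)
```

Run it and compare the two logs: the registrar's contains names and statuses but no candidates, the tallier's contains candidates but no names.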
...the bottom line is, if you want a fair vote, move to Germany.
One nice feature to add to the dream system Joachim ends with, would be a mechanism to have a token printed on your receipt of which a 'shadow' would be visible in the final checksum for the final vote IF your vote was counted.
I must disagree with O. Bastard when he says "Audit trails are not the same thing as paper trails. If your vote was transmitted to both the New York Times and the party of your choice, that would provide an audit trail." This may be an audit trail, but it's not sufficient. The voter cannot verify that his vote and his screen display correspond with what is transmitted offsite, and if they don't there is no way to go back and count it correctly. An ink impression on paper that the voter verifies does leave a permanent record that can be manually audited and recounted after the fact. I just can't see how any method that does not leave a permanent record can be subject to a valid recount.
After using punch cards last time, we were back to black ovals on a scanned ballot this time. I felt much more confident in that system than I ever could in a DRE system.
What do you make of this: The Obfuscated V contest ( http://graphics.stanford.edu/~danielrh/vote/... )
It was a contest to write code to count votes. The catch is that the code must intentionally sway the vote to one side or the other, but be difficult for someone examining the code to detect the intentional bias. My point is, what if some of these techniques slip into DRE machines?
Bruce, I completely agree with you about fallacy of software systems. However, software bugs would affect not only DRE systems, but those that accumulate and tally traditional paper ballots as well.
I believe that US fed gov't should produce a set of requirements, a spec in essence, for a voting system. The hardware and software for any developed system should be open for public review and comment, and once completed should be distributed in a 'tamper-proof' fashion. If done correctly, this could work. Paper backups are not the answer -- there can be plenty of errors, intentional or not, with paper as well.
What I'm surprised about is how completely and totally 'we' missed the boat about a simple issue with DRE: it doesn't scale to large crowds. For cost reasons, only a few machines can be purchased. (Maybe a good argument for not buying them at all, but anyway...) Paper ballots only require privacy and a pen, and people are willing to sacrifice the former. The marginal cost of extra paper ballots is low, too.
The long lines have to be factored into the error rate, since some voters probably did not cast their 'intended' vote at all.
Of course technophiles unquestioningly believe that next time, if we just try hard enough, if we resolve to spend enough money, everything will be better.
The only fix for electronic voting and automated counting is their complete elimination. Like many others, Canada has paper ballots and counts the votes manually. They spend US$2 per voter, we spend US$10. Their federal elections have results in 4 hours, we're still arguing about 2000. Their voters have absolute confidence in the results, we have faith.
Debating the merits of various arcane and complicated computerized voting technologies is akin to rearranging the deck chairs while the Titanic sinks. Electronic voting and counting is expensive, brittle, and fails silently. In other words, the worst of all possible worlds.
This is one situation where I’m not happy to accept the idea that no system is secure. There is just too much at stake.
Only one rule of thumb comes to mind on how to be reasonably sure that a system is secure. Others have said it better including, I think, Bruce, but I’ll paraphrase. “If you want a system to be secure, make the cost of compromising the system higher than the value of the system’s contents.”
We can flip the formula around and solve it for a critical strategic factor in this discussion. “Your enemy’s resources will approach the value of the thing you are trying to protect.” So we can ask ourselves the value of an election and that will give us a solid idea of what we are up against.
For a low-end estimate we can note that the US just spent about US$3.9 billion on the 2004 presidential and congressional elections. For a high-end estimate we can consider what nations typically spend to influence each other’s behavior through more primitive means. So, we have to ask ourselves if we are willing to spend enough to protect our own elections from that level of effort? Are the little voting machine companies, who are worried about quarterly profits, willing to play in that league? Are we even close?
Fortunately a technique is available which makes elections incredibly expensive to hack. By increasing the visibility of the process and using that visibility to disperse awareness of each vote's chain of custody among many people, it is possible to escalate the cost of compromise at a spectacular rate. The higher the transparency, the higher the number of people that have to be “hacked” and the higher the cost. Those costs include time to reach each person, dollars or other value used to persuade, and the risk of being caught.
In contrast, any system that allows a vote’s chain of custody to disappear into a computer will always create periods of time where the status of the vote is not transparent or immediately apparent to anyone. This is even true for the people who originally write the system’s programs. Yes, there are probably ways around this, but they would be spectacularly expensive and worse, would still ultimately require faith from the public. Who are we to ask for that level of faith?
Oddly, the most hack resistant approach is the old less technical one. A voter verified paper ballot sounds best. A machine to create them would be very helpful for the blind. But, I’d prefer to mark mine with a fat black marker. For those with a need for speed, a scanner is fine for a preliminary count. I know it would be fine to always count a random sample and compare the results to the scanner totals. But I’d rather just count them. Is that asking too much for what we receive in return?
Well, I discussed the OpenSource Issue with a friend and our outcome is that it is no guarantee for anything but better than nothing. I am one of the old guys that is able to patch a compiled program in a EPROM, FLASH or on disk, so I would not worry about OpenSource if I was going to manipulate such a machine. In fact, it may make it easier to find the place to patch.
In Germany we still use a "paper vote system". Mark your ballot, put it in a box. We are pretty quick with counting, usually we have final results within 4-5 hours. The process scales and there is no reason why it should not work with 300,000 voters as well as with our ~50 million. The counters are volunteers out of the middle of the society, they are independent and they make sure the process is transparent.
However, the most important thing in my opinion is: The people who count, assist and manage the voting must be well trained, of integrity and willing to give the voters a chance. The process has to be open and transparent. No matter if you use a voting machine or a piece of paper.
I agree with the majority of what you say. However, I think you should be careful of comments like:
'This is particularly important in the United States, where people expect to learn the results of the day’s election before bedtime. It’s less important in other countries, where people don’t mind waiting days -- or even weeks -- before the winner is announced.'
There is no logical reason why this should be the case, and I think it's a little patronising to suggest any different. The rush for an election result is normally merely one of curiosity, not of necessity, so there is no particular requirement for the speed. Moreover, there is no reason why this should be different in other countries. One shouldn't pander to the media pundits and others with a vested interest in speed whilst sacrificing the quality of the election.
The culture of the people who purchase voting machines here in Minnesota demands that the results be available instantly after the polls close. You're probably not going to be able to alter that culture.
Absentee ballots are counted according to rules set up by each state. Here in Minnesota, they must be counted at the polling place on the "day" of the election. (Day is in quotes because it could run into the early morning of the next day.)
The requirement to show ID is a red herring as far as I'm concerned. Making voters provide a photo ID reduces voter turnout and very much favors those with money over those without. (Not permitting same day registration is another method of elevating the voting rights of those with money over those without.)
When Minnesota starts using touch screen voting, there's only going to be a few touch screen machines at each polling place. There will still be paper ballots available and voting booths. The touch screen computer will only print out the ballot to be fed into the optical tabulator. It will not, by itself, count the votes.
First of all, congratulations for your work and for this article. I find it clear and concise.
Where I live all elections are held with paper ballots, counted by hand. Frankly, although I'm an engineer and quite technology oriented, I can not find the advantage of mechanical or electronic votes.
Paper ballots and hand counting may be a bit slow, but the results in nationwide elections are usually known in two or three hours. The total costs may be similar.
This traditional vote is crystal clear. Arrangements are extremely difficult. The full mechanism is traceable, anonymous and cheap. Also it forms a traditional imagery in the people's mind. The voter knows by heart what he has to do and how. And the voter feels a direct association between his vote and the final result.
The only reason electronic voting machines are needed is the remarkable complexity of the ballots. In Columbus, Ohio there were something like 34 different issues to vote on. Just hold a damn Presidential election. Hand everybody a slip of paper with the candidates' names on it and have them make an X in the appropriate box. Save all the little crap for separate state or municipal elections. There's no way somebody should be voting for The President Of The United States Of America and their local dog catcher on the same ballot.
> There's no way somebody should be voting for The President Of The United States Of America and their local dog catcher on the same ballot.
I see your point, but would anyone show up for all those other elections? I admit I never go and vote except for presidential elections.
"The auditing that is conducted on slot machine software in the U.S. is significantly more meticulous than what is done to voting software." – Bruce Schneier, above.
Having worked in the video lottery industry (slot machines run by a state, as opposed to a private enterprise), let me relate some of the basics that need to occur for a video lottery machine to be used in the field.
1) The user interface must be simple. Every action must be simple, the consequences clear, and help must be available for the simplest of actions. If there is any dispute as to the intent of a phrase, the meaning of a symbol, or anything else, the court ruling may well go against the company and/or the state - even if the failure in question was due to hardware (one color going dead in an RGB monitor) or even non-obvious user error (beer mug causing condensation on the screen).
2) The machine must be individually auditable. There must be a way of determining from that machine the series of last plays, up to that mandated by applicable law. Most jurisdictions require multiple physical copies of the data in some sort of static memory.
3) All communications between the machine and the central database system must be authenticated and encrypted. One must assume that an attacker has the protocol (particularly since many are openly published).
4) The software must be authenticatable, even while it is running. This usually involves running an algorithm over the entire code body using a seed that changes each time it is executed, and matching the expected value with the actual value.
5) Power failure must not be an issue. If you lose power in the middle of a game, the machine should come up in the middle of the same game in the same state when power is restored.
6) Accuracy is essential. This is one place where the video lottery industry is different than the casino industry. The video lottery industry considers any inaccuracy as unacceptable. I've seen statewide shutdowns of systems from a particular vendor for a .0002% miscount of money. This is one reason that certain features, like progressive systems, took far longer to enter video lottery than casinos.
7) Everything (hardware, software, etc) is independently tested, most commonly by Gaming Laboratories International, Inc (again, this varies by state and country). Similarly, they review the code and any changes to the code.
8) Physical access to the hardware containing the software must be locked separately from the rest of the machine. In some jurisdictions this is sealed as well as locked.
There are numerous other requirements, but most of those have little to do with voting machines. I view the above to be minimal requirements to have a safe, effective voting machine.
I wholeheartedly agree with Bruce Schneier's second recommendation (only use open source code). However, I would expand this to requiring hardware designs, the operating system, protocols, etc. to be publicly available, preferably open-sourced, for similar reasons. Independent testing by an experienced third party is good, but having thousands of software, hardware, systems, and security experts poring over it is far, far better.
As far as his first recommendation is concerned, I think that a good, hardened internal record may be sufficient (my experience is that the failure rate on well-done systems is so low as to be negligible), but a paper receipt would be a wonderful confidence builder, and marginally better as far as verification and re-counting are concerned.
This is getting horribly complicated to read and track what people have said. I'm sure I've missed stuff.
Look at where the system might fail.
Take the example of the voter-booth machine sending the votes, real-time, to three different external systems. The two major parties, and the New York Times.
All that tells you is that the voter-booth machine is reporting consistently. It can still fail to record voter intent. It's still the single point of failure.
Yes, ideally they should run different software on the auditing sites. But if you can't be sure of all the software on the voter-booth machines the auditing is useless.
The software, whichever company provided it, and the people who wrote it, are the failure points. A handful of companies, a close election, how many people does a conspiracy need to make a difference?
And, without publication of the code, how can any election organiser know that their version 4.7 is the same as the next county's version 4.7? Is that paranoia?
I'm afraid it does sometimes look as though US elections are run on an assumption that accuracy doesn't matter.
How are there any fewer or more steps when people count the votes as opposed to when machines count the votes? People still read the ovals much as a scanner would. People still record the votes like the machine. Each counter's tallies get tallied with the other counters' tallies. I would venture to even say that when humans do it there's an extra step. And humans make mistakes much more often than machines which, unfortunately - and the major problem with e-voting machines I see - are programmed by humans.
I know it's not a simple, straight-forward process but it's not rocket science and perhaps better contracts need to be obtained by those organizations that can produce better results. Case in point: Diebold has done a bang-up job of producing an insecure and very inaccurate system as of late.
When you have errors like subtracting instead of adding, that's just proof that Joe "I got a job in computers because everyone's doing it and it pays well" Schmoe shouldn't be on the project.
I think one thing that would help - especially in the case of Diebold - is to open up the source. (To note, I'm definitely not one of those people that think everything should be open source.) As you've stated in one of my favorite books, "Applied Cryptography, [SE]", having the algorithm open while the cipher text is still uncrackable proves that the algorithm is sound. With all the buzz about e-voting machines, I'm sure the project would need to be managed like the Mozilla project eventually was because of all the developers that would lend a hand, catching many errors that plague college-level tallying problems.
Actually, what we really need is a franchise system that could possibly change the world as we know it today.
I'm sure that I'll shock many people when I suggest very strongly that what this country actually needs is a nationwide internet voting.
I'm talking about active voting right from the very home, office or wherever - if one wishes to do so. Of course, there would still be polls for those who prefer to exercise their Right of Franchise in that traditional way.
Really think about it for a few moments. Wouldn't that be the truest form of "real democracy?" A franchise system even better than that of Switzerland, wouldn't you say? No longer would there be seemingly endless voting lines that have traditionally resulted in countless numbers of tired and discouraged voters not voting at all. Perhaps, no longer would there be any effective "Jim Crow" voter intimidation efforts across the country. Indeed, there wouldn't be any sense to rush one's vote. There also wouldn't be very many problems concerning getting time off from work in order to vote.
A "Nationwide Internet Voting System" would certainly be less expensive in the long run, and particularly if it really caught on. There would be fewer poll workers to employ, fewer security personnel to hire, and fewer expensive voting machines to buy and stock with voting materials, etc. Another positive would be that a voter would be provided with more privacy. Needless to say, I'm sure we could all find many more positives with this kind of national franchise model in place.
Importantly, one of the major effects of such an "all inclusive voting system" would likely be that millions and millions of more Americans would simply exercise their right to vote. In and of itself, wouldn't that be a good thing for any democracy, friends?
Additionally, it is likely that such a wider system would bring out many more Democratic voters throughout America; voters in far greater numbers and proportions than Republican voters. Friends, it's all about "the Notion of Equality of Bother." In that specific regard, it may just be that the Republican Party might end up on the "endangered species list." That is true because if everyone in America simply voted their real economic and political interests by endorsing the party that really represented those interests, then Democrats would far outnumber Republicans in a ratio of at least three to one.
Moreover, under such an open system, the likelihood of third parties being created from the ground up that could survive the vicissitudes of sometimes very dirty and even criminal politics in America would be greatly enhanced. Where in our Constitution does it say that we Americans are relegated to choosing our important public officials from just two political parties?
Someone at this point might ask: Why do you believe that so many Democrat-leaning non-voters of present-day America would actually vote, even with an "easy-access internet system" in place nationwide? Well, I'll simply respond that my extended family (through various chains of acquaintances of acquaintances of acquaintances) must know at least 1,000 voters today who presently do not vote, but who would vote if someone would simply come to their homes on election day with a laptop computer and portable printer and help them exercise their guaranteed rights. Granted, many of these people may be deemed losers and welfare cases by some people; however, they are still Americans (and human beings too) who have the Right of Franchise and who should also exercise that very important Right of Franchise. How many of these people do you know through the acquaintances of family and friends who fit this specific description, and who would vote their real interests and political consciences come election time, if only they could do it from their homes?
The main problem, of course, is one of security. Yet, I ask you: Isn't a wide open system far less subject to fraud and deceit than the closed and secret system that exists today?
What if everyone who registered to vote were given a random pin number? What if any person's vote could be registered simultaneously in say 5 or 6 places at the instant a particular vote is cast? Some of those places might be the party headquarters of all candidates, the League of Women's Voters, a sealed election ballot container of some sort (only to be opened in the event of an official recount), in addition to the governmental election headquarters site itself...or wherever. Suppose also, when a person's vote is cast over the internet, concomitantly there are created paper voter receipts of some type (perhaps like an ATM machine) in all the places mentioned immediately above. In addition to all of this backup security, suppose all voters could subsequently go to an internet site and look up and verify their votes using their pin numbers. Sometimes, sunlight is man's most effective disinfectant.
Just to let you know: I have a friend of a friend of a friend who knows Dr. Howard Dean quite well, and he has suggested that I come up with some solid ideas concerning a nationwide internet voting system that might pass all major security concerns and be highly effective and inclusive at the same time.
Therefore, it is at this point that I am sincerely asking for your much needed help in this endeavor. Please consider it a "brain trust exercise of the first order." However, please know this: Every good faith suggestion will be considered in full and on its own merits.
So how about it, all? Please endeavor to create for us the best and most honest internet voting system that would make America an even greater democracy than she presently is (Alas, some say that isn't very much right now). Perhaps someday a national franchise system like the one we "brain trust" here might actually change the world as we know it today. Stranger things have been known to occur, you know. ANYWAY, THX lots and lots, and "May the FORCE be with you" always.
There's no need to open Diebold's source. Their software is worthless, as there clearly was no intent to use even a modicum of common sense, let alone security.
Here's just one of many documented examples of people altering votes in the Diebold database:
Think that's bad? Try watching a Chimpanzee change the Diebold audit logs. That's right, a Chimp!
Companies like Diebold make America the laughing stock of the world. We might as well be called little-Nigeria.
You've been spammed. (see the posting by "bodazhang" last night)
I live in Belgium and we have been using electronic voting for over 10 years. We don’t use punch cards or paper at all over here instead we use magnetic cards.
The voter gets his card and he goes to the voting computer and votes. If he wishes he can check his vote when he is done by entering his card into the voting computer again but cannot change anything.
When he is done he puts his card into the sealed voting urn where his vote is immediately registered but the count of votes is unreadable until the end of voting time. This way we keep voting secret.
Faulty cards get either intercepted by the urn or the voting computer. No network exists between the voting computers or the urns. So hacking of the system can only be done at the local level. All counts are transmitted by hand and the urns get collected to a single place. In case of a recount we take the cards in the urns and put them through a machine.
The system is so easy as the only thing keeping our system safe are 5 randomly selected people that verify the voting and help those having trouble.
Sure we have had to do a small reelection for 1 voting bureau because the computers or the power failed and people couldn’t vote in time but we have yet to see the first case of fraud with our system.
I like our system because it works exactly like the approved system we have been using for 100 years except that the count is done by machines.
I'M PRESIDENT OF TRU VOTE INTERNATIONAL PAPER TRAIL MACHINE EMAIL OR CALL 615-860-6049 ASAP
"DRE machines must have a voter-verifiable paper audit trails (sometimes called a voter-verified paper ballot). This is a paper ballot printed out by the voting machine, which the voter is allowed to look at and verify."
What's to say that what the machine prints, and what it actually records are the same thing?
"Software used on DRE machines must be open to public scrutiny."
Okay, but who's to know if the code under public scrutiny is what's actually running on the box?
Plus, as soon as internet voting starts (and no doubt it will, it's just when) your IP will be tagged (just like your apache server is doing now) and there goes the anonymity.
I code for a living, and this is one instance where I think it needs to stay as low-tech and hardcopy as possible.
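The lottery-industry list above (item 4: hash the whole code body with a seed that changes on every check) and the objection just raised ("who's to know if the code under public scrutiny is what's actually running on the box?") fit together in one small demonstration. The following is an added example, not code from the original page or from any voting or lottery vendor; the "image" bytes, the machine classes and the verifier are constructed for illustration. It shows the challenge-response check catching a patched image, and then shows the caveat the commenter is pointing at: if the machine itself runs the measuring code, a patched machine that kept a copy of the original image answers correctly too.

```python
"""Challenge-response software attestation over a whole code image, keyed by a
fresh nonce each time so an old answer cannot be replayed. Added example with a
constructed image; stdlib only."""
import hashlib
import hmac
import os

# Constructed stand-in for the machine's code body. In practice this would be the
# firmware image read out of flash/EPROM in a fixed order with no gaps.
GOLDEN_IMAGE = b"total = add(total, vote)\nreport(total)\n" * 64


def attest_response(image: bytes, nonce: bytes) -> bytes:
    """HMAC-SHA256 of the image keyed by the verifier's nonce (the 'seed')."""
    return hmac.new(nonce, image, hashlib.sha256).digest()


class Verifier:
    """Holds the reference (golden) image and never trusts a hash the device
    merely reports about itself: it recomputes the expected answer locally."""

    def __init__(self, golden: bytes):
        self.golden = golden

    def challenge(self) -> bytes:
        return os.urandom(32)

    def check(self, nonce: bytes, response: bytes) -> bool:
        expected = attest_response(self.golden, nonce)
        return hmac.compare_digest(expected, response)


class HonestMachine:
    """Runs the golden image and hashes what it is actually running."""

    def __init__(self, image: bytes):
        self.image = image

    def respond(self, nonce: bytes) -> bytes:
        return attest_response(self.image, nonce)


class PatchedMachine(HonestMachine):
    """Same machine after a one-byte-level patch (add -> sub, the failure the
    article mentions). It honestly hashes its modified image, so it is caught."""

    def __init__(self, image: bytes):
        super().__init__(image.replace(b"add(", b"sub(", 1))


class CheatingMachine(PatchedMachine):
    """The caveat: a patched machine that stashed the original image and feeds
    that to the attestation routine passes, because the attestation code runs
    on the very device being checked. Only a measuring component the attacker
    cannot patch (separate, sealed hardware) closes this gap."""

    def __init__(self, image: bytes):
        super().__init__(image)
        self.stashed_original = image

    def respond(self, nonce: bytes) -> bytes:
        return attest_response(self.stashed_original, nonce)


def run_attestation(verifier: Verifier, machine: HonestMachine) -> bool:
    """One round: verifier issues a nonce, machine answers, verifier compares."""
    nonce = verifier.challenge()
    return verifier.check(nonce, machine.respond(nonce))


if __name__ == "__main__":
    v = Verifier(GOLDEN_IMAGE)
    for cls in (HonestMachine, PatchedMachine, CheatingMachine):
        print(f"{cls.__name__:16s} passes attestation: {run_attestation(v, cls(GOLDEN_IMAGE))}")
```

The honest and the patched machine behave as the lottery requirement intends; the cheating one is why "the software must be authenticatable while running" only helps when the code doing the measuring sits somewhere the attacker cannot reach, which is what the separately locked and sealed hardware in item 8 of that list is for.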
"What's to say that what the machine prints, and what it actually records are the same thing?"
The idea is that if the machine record is dubious, it can be verified by counting the paper ballots. But I agree with many others in this discussion that the hardcopy ballot should be *the* ballot to be counted, not only a backup. In that case, the DRE machine would only be an expensive printer, thus superfluous.
is ELECTRONIC voting E-OK ???
In addition to functional and reliable electronic voting machines, voters should have a paper alternative.
Paperless electronic voting machines will be used once again this fall, and already during the primaries they failed. In Maryland crowds of legal voters were turned away from the polls when the machines couldn't be started.
There's a simple safeguard - have enough paper ballots on hand so the election can go forward even if the machines let us down again. Obvious, right? Senators Boxer (D-CA) and Dodd (D-CT) have introduced a last-minute bill which would provide money to any state that is willing to print up the paper ballots. It's cheap, it's easy, and there's no reason not to do it. But time is short.
TrueMajorityAction is running a campaign to drum up public support for this bill. If you feel strongly about protecting elections and ensuring voters' rights, click here to tell your Senator so!
Why are we trying to invent electronic voting? Like the wheel, it's already history. This last weekend, Brazil, a nation the size of the USA but with fewer resources, had a national election all electronically. They've been doing it for years.
We also seem to be inventing ethanol-powered autos. GM and Ford have made and sold them by the 100-thousands in Brazil for years.
Are we too proud to find out how they do it? Or maybe outsource our elections??!!
I've been an election poll worker for some years now, in elections using punch cards, optical scan, and electronic machines (without, and now with, paper trails). I have a few comments on your articles that you may find useful in the future:
1) You say "Every step, with the exception of voters completing their single anonymous ballots, is witnessed by someone from each major party; this ensures that any partisan shenanigans -- or even honest mistakes -- will be caught by the other observers" Actually, this is not the case, at least not in California. There is no requirement here that the election workers at a precinct include members of both parties. While it might be a good idea, and I've heard it is the law elsewhere, here they struggle to get enough people to work the polls at all.
2) One reason why the electronic machines are being chosen is that HAVA (Help America Vote Act, passed by an overwhelming bipartisan majority in Congress) mandates that visually impaired voters be able to vote completely unassisted. Paper ballots don't seem to make this possible, unless there's some kind of braille ballot I've never heard of. My gut tells me that, while it is politically incorrect, we should relax this part of HAVA and "force" blind folks to have a friend or poll worker(s) help them, probably using an absentee ballot. Since that would affect less than 0.5% of the electorate, it seems like a good tradeoff to me (of course, I'm not blind). In all my years, I've never seen a visually impaired voter come to my precinct.
3) The poll worker procedures are complex, usually for good reasons. We're trying to get fair and accurate tallies. But any complex procedure you perform only once every year or two is fraught with error, whether you are professional or not. I know that I personally have made (unintentional) mistakes in handling provisional ballots over the years, for example. The flow chart for handling provisional voting is a multi-page description. I don't know of any good way around this.
4) While I agree somewhat with your concern about the electronic machines, the paper audit trail (on Diebold machines) we use now in San Diego goes a long way to avoiding/minimizing the security risks involved, because you can do a recount. In the 30 days after the election, the Registrar of Voters here actually does a manual recount from the paper trail, at some randomly selected (small) subset of precincts, to detect any systemic errors. I'd still prefer optical scan, but, given the HAVA requirements, that would mean we'd have to have BOTH kinds of voting systems at each precinct. I've run elections that way, and it is even more complex: more training, more chances to make a mistake in the closing procedures, etc. Remember that an optical scanner also has an operating system, and voting software, and a memory card, so it is just as hackable. If you have an audit trail (which our electronic machines now do), I frankly don't see a significant difference. Further, I've heard that the accuracy rate of optical scan is surprisingly bad (98-99%?), which is why you always want a paper trail for recounts.
Personally, like you, I probably prefer the optical scan ballot system overall, but the electronic machines do work better in many instances, particularly for handicapped voters and for primary elections. In June, we had 11 different paper ballots, in two languages (some precincts had four languages!), for a total of 22 different kinds of ballots. What a nightmare! With electronic machines, there is no such proliferation of physical ballot types.
So, I think that the picture is probably more complicated than you say. I don't think that electronic machines are inherently a lot more insecure than other types, assuming you have the paper trail (which not all states do).
One other comment. Many here say that counting by hand should be ok. In our election last week in San Diego, there were over 50 issues on the ballot! The paper ballots were double-sided legal sheets and completely full of races and propositions. Some of the issues were yes/no, but many of them had multiple candidates.
Counting those by hand (~400 ballots in our precinct) would take many, many hours and be very error-prone, particularly since by then we had already been working for 14 hours. At that point, it's frankly hard enough just to count the ballots and get that total right. If there were only five issues on the ballot, hand counting might be more feasible, but I see no problem with using technology to do it faster and better, as long as there's a way to do a manual recount if necessary.
I'd urge everyone involved in this discussion to actually volunteer as a poll worker a few times if you haven't ever done so. You'll gain some good insights into the issues involved, and you'll help your community.
I've been thinking about a framework within which a transparent voting system could be laid down that would capture the useful features of electronic voting (quick counts, ease of use, etc.) while maintaining the recordkeeping and transparency of paper ballots. This is what I've managed to come up with, but I'd like some feedback on it. Once it's been cleaned up a bit, I think this is something that would be worth pushing on a Federal level, at least in my opinion.
I hereby relinquish this framework to the public domain.
-- Voter participation --
1. Voters vote on e-voting system.
2. E-voting system prints a human readable ballot.
3. Voter verifies ballot.
3a. If voter disagrees with ballot, voter inserts ballot in slot on e-voting machine, which stores the ballot and lets the user start over at #1.
3b. If voter agrees with ballot, machine tallies the recorded vote, returns to kiosk mode and awaits the next voter.
4. Voter proceeds to ballot box, and inserts human readable ballot into ballot box.
5. Ballot box includes OCR scanner that reads the vote, then makes its own internal tally.
-- Verification --
1. At the end of night, totals from the e-voting machines and the ballot boxes are compared. If statistically significant differences between the totals are discovered, an immediate audit of the machines to verify what happened is triggered.
2. Preliminary results pending verification are released.
3. A manual count of a statistically significant portion of the ballots is performed. If the vote percentages of the manual count vary from the electronic count to a statistically significant degree, the electronic vote is invalidated, a full manual recount is triggered, and a mandatory audit of all voting machines is triggered to determine where and how the miscount occurred.
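The verification steps of the framework above, the random-precinct manual recount the San Diego poll worker describes, and the earlier suggestion to "count a random sample and compare the results to the scanner totals" are all the same check, so here is one worked version of it. This is an added example, not code from the original page or from any election office; the precinct, its ballots and the tampering are constructed. It compares the DRE tally with the ballot-box tally, computes how many ballots a random hand-check needs to catch a given mis-recording rate, then hand-reads a seeded random sample ballot by ballot against the machine's record. The escalation rule used here (any mismatch sends the precinct to a full manual count) is stricter than the "statistically significant difference" in the framework; that choice is mine, not the commenter's.

```python
"""Electronic-tally cross-check plus a random ballot-level hand audit.
Added example with constructed ballots; stdlib only."""
import math
import random
from collections import Counter

CANDIDATES = ("A", "B")


def make_precinct(n_a, n_b, tampered, seed=1):
    """Constructed precinct. `paper` is the voter-verified printed ballot
    (ground truth); `machine` is the DRE's stored record, with `tampered`
    ballots for A silently recorded as B, i.e. the print-vs-record gap."""
    rng = random.Random(seed)
    paper = ["A"] * n_a + ["B"] * n_b
    rng.shuffle(paper)
    machine = list(paper)
    flipped = 0
    for i, vote in enumerate(paper):
        if flipped == tampered:
            break
        if vote == "A":
            machine[i] = "B"
            flipped += 1
    return paper, machine


def tally(ballots):
    return Counter(ballots)


def tallies_agree(dre_tally, box_tally):
    """Verification step 1: DRE totals and OCR ballot-box totals must match
    exactly per candidate; any difference triggers an immediate machine audit."""
    return all(dre_tally[c] == box_tally[c] for c in CANDIDATES)


def sample_size_for(flip_rate, confidence=0.95):
    """Ballots to hand-check so that a machine mis-recording at least
    `flip_rate` of ballots shows up as at least one mismatch with probability
    `confidence`. The chance of drawing no mismatch is (1 - flip_rate) ** n."""
    return math.ceil(math.log(1 - confidence) / math.log(1 - flip_rate))


def sample_audit(paper, machine, sample_size, seed):
    """Verification step 3 as a ballot-level comparison: draw ballots with a
    published seed so observers can reproduce the draw, read each one by hand,
    and compare it with the machine's record of that same ballot."""
    rng = random.Random(seed)
    picked = rng.sample(range(len(paper)), sample_size)
    return sum(1 for i in picked if paper[i] != machine[i])


def audit_decision(paper, machine, sample_size, seed):
    """Escalation: a clean sample lets the electronic count stand; any mismatch
    invalidates it and the paper ballots are counted in full."""
    if sample_audit(paper, machine, sample_size, seed) == 0:
        return "accept_electronic_count", tally(machine)
    return "full_manual_recount", tally(paper)


if __name__ == "__main__":
    paper, machine = make_precinct(220, 180, tampered=8)
    print("DRE and ballot-box tallies agree:",
          tallies_agree(tally(machine), tally(paper)))
    n = sample_size_for(0.02)
    print("ballots to hand-check to catch a 2% flip rate:", n)
    print(audit_decision(paper, machine, n, seed=2004))
```

Two things the numbers make concrete: with 8 of 400 ballots mis-recorded the step-1 comparison already fails, because the OCR box reads the voter-verified paper rather than the DRE's memory; and a sample of 149 ballots is what it takes to have a 95% chance of noticing a 2% flip rate, which is why the "small randomly selected subset" has to be sized from the error rate you want to rule out rather than picked by feel.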
Last year the city of Montreal used an electronic scanning system for the municipal election. You marked a paper ballot and it was scanned into the system.
At the poll I went to it seemed to be working OK, but apparently that was an exception.
There were so many problems with the system, and badly trained workers, that the chief elections officer looked into the election and concluded that while the published vote was not that close, the system was so screwed up, it was impossible to say who actually won the election.
It will be paper ballots for the foreseeable future here.
Your observations about touch screen voting are right on point. I am on permanent absentee status (you can do this in California no matter what your physical condition) and I always use a paper ballot.
A friend of mine, a physician, brought up the point that touch screens are a very effective way to transfer germs and other pathogens among the population. He recounted hearing the voter in the next booth coughing violently as she voted. Imagine the next voter putting his finger into her sputum!
This issue is getting some attention in the media and on the Web.
An article by Janice Lieberman of the Today Show (see http://www.msnbc.msn.com/id/15282076/ ) recounted her search for health threats on an airline trip. "First stop: the check-in monitor. A swab of the kiosk revealed lots of bacteria and some mold. Morbach also found penicillium, which can cause allergic reactions. This mold was not life threatening, but if you are prone to rashes and allergies, wipe the monitor off before you touch it."
Talking about ballot integrity in Illinois, the site www.ballot-integrity.net/problems.htm observes that "An election judge also expressed concern about the possible transfer of germs, especially flu germs during the November election, from using the touch screen machines, which could be particularly serious for the elderly."
This does not even address the security issue of intentional transfer of pathogens to touch screens. This would not be an efficient way to wage biological warfare, but it could cause a panic (short-lived) among the population in much the same way the poisoned Tylenol did a few years ago.
Perhaps I'm missing something. We've had paper ballots for several hundred years now, along with paper accounting, logs, laws, books, etc. In my 42 years in the computer business, every process I know of that's numerical/tabulation/record keeping oriented has gotten more reliable and less subject to fraud when computerized. Not the reverse, which possibility seems to be the concern of many commentators on this subject. Also, it seems to me, that many of those same commentators could be associates of Democrats/progressives/leftists/liberals (so called), and that the Dplls have been the most efficient and capable practitioners of election tomfoolery (e.g. Tammany, Chicago/Daly, St. Louis (Truman et. al.), anything in Massachusetts, &, &. Any connection? Are those folks afraid they aren't going to be able to continue to have great-grandpa continue to vote straight D in every election, just like he did before he died in 1927 (and every election since)?
"every process I know of...has gotten more reliable and less subject to fraud when computerized..."
Wow, that is a very tall claim to make. It is so tall, at first I thought you were being sarcastic.
Care to provide some evidence or examples of how *every* process you know of has been *less* subject to fraud when computerized? While you might have had a point that computers have changed attack vectors, and computer-based fraud is very different than with paper (faster, more pervasive, harder to trace, etc.), to say that computers are less subject to fraud...that is just plain silly.
Reminds me of a VP I once ran into who swore up and down that his systems were clear of viruses because...wait for it...they had no anti-virus software on them. Yes, his proof, he said, was in the fact that he personally had not seen or heard of problems with viruses in his x years of being in charge, of course; ergo, no awareness of viruses means no need for anti-virus. Once we finally moved past this little illogical dance, and installed anti-virus software, his teams had a *lot* of expensive clean-up to do...
The Dutch minister for "Governmental Modernisation" today reports that 23 Dutch municipalities will use the red pencil in the next provincial elections. This is because voting machines of a certain brand are not adequately shielded and voting can be monitored from a distance.
Would it be fair to call it Computerated voting?
Joining in late in this discussion, but canning touch screens won't get a valid election. I fear we're in for some mega messes. The only secure computer system is one kept under lock and key that is never turned on. I just finished a book about an election conspiracy. Fiction, but chilling nonetheless. We must have scrupulous checks and balances, audits, standards.
To what extent can evoting affect an election conducted for about 7000 people using just three polling stations?
Does the number of voters and polling stations affect the entire electronic voting system in anyway?
I am really (about 95%) in support of electronic voting systems.
"To what extent can evoting affect an election conducted for about 7000 people using just three polling stations?"
It depends on the marginal difference between the votes cast for the candidates and whether the election is in a "key" or "marginal" area.
The contested election of JWB for the US was reported as swinging on as little as 16,000 votes; if true, 7,000 votes would have made one heck of a difference, and history would undoubtedly have been very, very different.
Electronic voting devices suck like hell!!!
As a Ph.D. student, can I do research on e-voting? If so, please give me some ideas.
As a student doing a degree in information technology, can you advise me to do a project on e-voting?
This is so simple as to be ridiculous. Anymore, true anonymity is face to face. If I wanted to "drop a dime" on someone today, I'd ask a cop if he knew me. If he says no (and most do) I would say "Terrific!" and proceed to give him the information. That information is "entered" into the system...
The key here is that even today, the anonymity part still does not exist, no matter what people are saying. In some states you must declare whether you are Democrat or Republican. So much for that, and notice that the Democrat states are the ones doing it, but they bitch foul the hardest when things go wrong. Get rid of this rule, and that's a step in the right direction.
Really, one simply needs a swipe card that does not tie into the actual counting system; it simply lets you in. You get counted, no numbers to record at the other end save the tally. Like a bank kiosk, the primary system knows who you are, and won't let you in for four years.
Truly, the trick here is to depoliticize the voting process, and let those volunteers that could give a crap about who wins (I will survive either way, prosper or stay under the radar), and keep the "fair fanatics" out, because they are the worst.
You want a decently fair system designed for this? I can do this; it's one of those "why didn't I think of that?" things. I don't program, or write code. I can give you a flow chart; someone else will need to do the rest. But I warn you, the system may have to have a mechanical connection somewhere to keep one set of computers from exchanging information with another, and also a separate tallying entity for the final count, maybe two or three separate ones, unknown to each other, to make sure things are fair in the final count.
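The separation the comment above sketches (one system that knows who you are and only lets you in once, a second that holds nothing but the tally, and a reconciliation step between them) can be made concrete. The Python below is an added illustration written for this page, not code from the post or from any commenter, and it is a toy, not a voting product: the class names, the voter ids and the candidates are all invented, the two "computers" are two objects whose only shared interface is a one-time token, and the audit function is what a poll worker would run at close of polls to confirm that check-ins and ballots balance.

```python
import secrets
from collections import Counter


class CheckIn:
    """Knows who is on the roll and who has already checked in.
    It never sees a ballot. The only thing it hands to the other side is a
    random one-time token that is stored without any link to the voter id."""

    def __init__(self, roll):
        self._roll = set(roll)
        self._checked_in = set()      # voter ids, enforces "once only"
        self._live_tokens = set()     # issued but not yet redeemed; no voter mapping

    def check_in(self, voter_id):
        if voter_id not in self._roll:
            raise PermissionError(f"{voter_id}: not on the roll")
        if voter_id in self._checked_in:
            raise PermissionError(f"{voter_id}: already checked in")
        self._checked_in.add(voter_id)
        token = secrets.token_hex(16)  # random, not derived from voter_id
        self._live_tokens.add(token)
        return token

    def redeem(self, token):
        """The single narrow interface the ballot box may call: burn a token once."""
        if token not in self._live_tokens:
            return False
        self._live_tokens.remove(token)
        return True

    def counts(self):
        return {"checked_in": len(self._checked_in),
                "unredeemed_tokens": len(self._live_tokens)}


class BallotBox:
    """Knows what was voted, never who. Holds only per-candidate counts,
    so there is no ordering or timestamp to correlate with check-ins."""

    def __init__(self, candidates, check_in):
        self._candidates = set(candidates)
        self._check_in = check_in      # the only link between the two sides
        self._tally = Counter()

    def cast(self, token, choice):
        if choice not in self._candidates:
            raise ValueError(f"unknown candidate {choice!r}")
        if not self._check_in.redeem(token):
            raise PermissionError("token invalid or already used")
        self._tally[choice] += 1

    def tally(self):
        return dict(self._tally)

    def ballots_cast(self):
        return sum(self._tally.values())


def reconcile(check_in, box):
    """Close-of-polls audit: every check-in should match exactly one ballot.
    Unredeemed tokens or a count mismatch is a discrepancy to investigate."""
    c = check_in.counts()
    return {
        "checked_in": c["checked_in"],
        "ballots_cast": box.ballots_cast(),
        "unredeemed_tokens": c["unredeemed_tokens"],
        "balanced": c["checked_in"] == box.ballots_cast()
                    and c["unredeemed_tokens"] == 0,
    }


def run_demo():
    # Constructed sample data: a four-name roll and two candidates.
    check_in = CheckIn(["v001", "v002", "v003", "v004"])
    box = BallotBox(["A", "B"], check_in)

    t1 = check_in.check_in("v001")
    box.cast(t1, "A")
    box.cast(check_in.check_in("v002"), "B")
    box.cast(check_in.check_in("v003"), "A")

    rejected = []
    for attempt in (lambda: check_in.check_in("v001"),   # second visit
                    lambda: check_in.check_in("v999"),   # not on the roll
                    lambda: box.cast(t1, "B")):          # replayed token
        try:
            attempt()
        except PermissionError as e:
            rejected.append(str(e))

    check_in.check_in("v004")   # checks in, then leaves without casting
    return box.tally(), reconcile(check_in, box), rejected


if __name__ == "__main__":
    print(run_demo())
```

Two design points are worth noticing. The check-in side keeps its tokens in a plain set, so even its own records cannot later say which voter received which token; and the ballot box stores a `Counter` rather than a list, so there is no cast order to line up against check-in order. What this toy does not address is a compromised or logging intermediary watching both sides in real time, which is exactly why the commenter wants a physical gap rather than a software interface.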
Nice post from you.
I would like to know your views on Indian Electronic Voting Machines (EVMs), which are a simplified version.
Since India is the biggest democracy, and the current election is done entirely using EVMs, do you feel this simple electronic machine could be hacked?
Electronic voting machines are run by a computer; therefore, they can be hacked.
There are possibilities that the candidates can hire computer experts to hack the system and manipulate the entire
I voted Republican all across the board and soon found out that it was changed to Democrat when it was too late. Now I know how that socialist president won both times.
@ Eric Alban
Such strange things also happened during the Bush/Gore elections. A good look into many instances of rigged elections, software flaws, backdoors, and more is in the documentary below.
At least one locale switched back to optical scan machines due to ease of tampering with computerized voting machines. Optical systems have their own issues, but Scantegrity seems like a nice solution.
I'm all for wider development and deployment of systems like Scantegrity. I'd also like the software to be made by the likes of Praxis for effective security/correctness and made extremely portable to arbitrary hardware (maybe Linux compatible). I include the latter to make it harder to do supply chain subversion.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.