Schneier on Security
A blog covering security and security technology.
« FBI to Approve All Software? |
| The Onion on Security »
December 2, 2005
GAO Report on Electronic Voting
The full report, dated September 2005, is 107-pages long. Here's the "Results in Brief" section:
While electronic voting systems hold promise for a more accurate and efficient election process, numerous entities have raised concerns about their security and reliability, citing instances of weak security controls, system design flaws, inadequate system version control, inadequate security testing, incorrect system configuration, poor security management, and vague or incomplete voting system standards, among other issues. For example, studies found (1) some electronic voting systems did not encrypt cast ballots or system audit logs, and it was possible to alter both without being detected; (2) it was possible to alter the files that define how a ballot looks and works so that the votes for one candidate could be recorded for a different candidate; and (3) vendors installed uncertified versions of voting system software at the local level. It is important to note that many of the reported concerns were drawn from specific system makes and models or from a specific jurisdiction's election, and that there is a lack of consensus among election officials and other experts on the pervasiveness of the concerns. Nevertheless, some of these concerns were reported to have caused local problems in federal elections -- resulting in the loss or miscount of votes -- and therefore merit attention.
Federal organizations and nongovernmental groups have issued recommended practices and guidance for improving the election process, including electronic voting systems, as well as general practices for the security and reliability of information systems. For example, in mid-2004, EAC issued a compendium of practices recommended by election experts, including state and local election officials. This compendium includes approaches for making voting processes more secure and reliable through, for example, risk analysis of the voting process, poll worker security training, and chain of custody controls for election day operations, along with practices that are specific to ensuring the security and reliability of different types of electronic voting systems. As another example, in July 2004, the California Institute of Technology and the Massachusetts Institute of Technology issued a report containing recommendations pertaining to testing equipment, retaining audit logs, and physically securing voting systems. In addition to such election-specific practices, numerous recommended practices are available that can be applied to any information system. For instance, we, NIST, and others have issued guidance that emphasizes the importance of incorporating security and reliability into the life cycle of information systems through practices related to security planning and management, risk management, and procurement. The recommended practices in these election-specific and information technology (IT) focused documents provide valuable guidance that, if implemented effectively, should help improve the security and reliability of voting systems.
Since the passage of HAVA in 2002, the federal government has begun a range of actions that are expected to improve the security and reliability of electronic voting systems. Specifically, after beginning operations in January 2004, EAC has led efforts to (1) draft changes to the existing federal voluntary standards for voting systems, including provisions related to security and reliability, (2) develop a process for certifying, decertifying, and recertifying voting systems, (3) establish a program to accredit the national independent testing laboratories that test electronic voting systems against the federal voluntary standards, and (4) develop a software library and clearinghouse for information on state and local elections and systems. However, these actions are unlikely to have a significant effect in the 2006 federal election cycle because the changes to the voluntary standards have not yet been completed, the system certification and laboratory accreditation programs are still in development, and the software library has not been updated or improved since the 2004 elections. Further, EAC has not defined tasks, processes, and time frames for completing these activities. As a result, it is unclear when the results will be available to assist state and local election officials. In addition to the federal government's activities, other organizations have actions under way that are intended to improve the security and reliability of electronic voting systems. These actions include developing and obtaining international acceptance for voting system standards, developing voting system software in an open source environment (i.e., not proprietary to any particular company), and cataloging and analyzing reported problems with electronic voting systems.
To improve the security and reliability of electronic voting systems, we are recommending that EAC establish tasks, processes, and time frames for improving the federal voluntary voting system standards, testing capabilities, and management support available to state and local election officials.
EAC and NIST provided written comments on a draft of this report (see apps. V and VI). EAC commissioners agreed with our recommendations and stated that actions on each are either under way or intended. NIST's director agreed with the report's conclusions. In addition to their comments on our recommendations, EAC commissioners expressed three concerns with our use of reports produced by others to identify issues with the security and reliability of electronic voting systems. Specifically, EAC sought (1) additional clarification on our sources, (2) context on the extent to which voting system problems are systemic, and (3) substantiation of claims in the reports issued by others. To address these concerns, we provided additional clarification of sources where applicable. Further, we note throughout our report that many issues involved specific system makes and models or circumstances in the elections of specific jurisdictions. We also note that there is a lack of consensus on the pervasiveness of the problems, due in part to a lack of comprehensive information on what system makes and models are used in jurisdictions throughout the country. Additionally, while our work focused on identifying and grouping problems and vulnerabilities identified in issued reports and studies, where appropriate and feasible, we sought additional context, clarification, and corroboration from experts, including election officials, security experts, and key reports' authors. EAC commissioners also expressed concern that we focus too much on the commission, and noted that it is one of many entities with a role in improving the security and reliability of voting systems. While we agree that EAC is one of many entities with responsibilities for improving the security and reliability of voting systems, we believe that our focus on EAC is appropriate, given its leadership role in defining voting system standards, in establishing programs both to accredit laboratories and to certify voting systems, and in acting as a clearinghouse for improvement efforts across the nation. EAC and NIST officials also provided detailed technical corrections, which we incorporated throughout the report as appropriate.
Posted on December 2, 2005 at 3:08 PM
• 40 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Now, could anyone remind me why we are so obsessed with security of the process of selection between several candidates which are nominated by some backroom deals and which have no significant differences in their agenda [which can be summarised, pretty much in "give us more money so we can reward our supporters"]?
The security is as weak as its weakest point -- and it is much easier to manipulate candidate nomination process than the vote count; in fact the American democracy already has been truned into a smokescreen allowing ongoing consolidation of power by the political class, outwardly displaying division and competition, but invariantly doing exactly the same things as soon as given power.
This is pretty much similar to worry about strength of crypto protocol when the RNG is broken and yields predictable sequence.
And, yes, this report is merely another part of the smokescreen. "..we are recommending that EAC establish..." - am I the only one who read that as "give us money so we could spend even more on writing papers nobody's going to use?"
> (1) some electronic voting systems did not encrypt cast ballots or system audit logs,
> and it was possible to alter both without being detected;
> (2) it was possible to alter the files that define how a ballot looks and works so that the
> votes for one candidate could be recorded for a different candidate; and
> (3) vendors installed uncertified versions of voting system software at the local level.
Wow, three pretty huge deal-breakers there.
I am particularly interested in how a unit's totals get transferred from the unit to whatever totalizer there is. If this transfer is compromised, then any efforts at securing the voting are wasted. However, this question has never been addressed in any news coverage I've seen.
The transfer is the most obvious place to gaff the election. If all we get is a declaration that a valid transfer took place between the transmitter and the receiver, then all a gaffer has to do is insert an extra device that will receive the valid transfer, replace it with the bogus data, and transmit that through a valid protocol to the receiver, and it's done. Once disconnected, there is no proof there was an insertion.
well, the transfer part is the same weak point as in current paper elections.. how does the local count get to the state election agency or whoever sums them up? Via telephone? As long as the two devices aren't in close proximity and election officials can compare the numbers before and after the transfer, it's prone to be rigged.
There are some safeguards with respect to the transfer. In many jurisdictions, the local totals are separately recorded and publically posted at each precinct on election night. Precinct workers and election observers can check those numbers against precinct by precinct totals published as part of the overall tally.
At least that's one way to make transfer fraud more difficult.
Take away our right to see the source code, and only criminals will see the source code.
In the voting machines, Diebold is using:
(1) WinCE for the OS
(2) A generic VB program to insert data into a
(3) Microsoft Access database
And a simple google search brings:
I'm just a 'tard and found out this info. The owner of the software and anybody else given access could have found it easier. Obscurity hides nothing.
How does one get a job at the GAO, anyway? They seem comparatively reliable and honest.
An odd rumor is circulating that the new Secretary of State in California is trying to reverse the previous Secretary of State's decertification of Diebold paperless voting machines:
For those who have not seen it yet, the Estonian local government councils elections e-voting results at http://www.vvk.ee/engindex.html might be interested. I would say it was quite a success, although the total number of Internet voters was only 1%. The biggest reason why the percentage was not higher is the lack of smartcard readers people have (80% of citizens have already electronic smartcard-based ID cards, but most have not bought smartcard readers for them).
The very fact that I was able to download, inspect and use the very software that was used by Diebold on voting machines in the last election is cause for concern. I was very easily able to alter the parameters and results with a minimum of effort and I am no whiz!
The transfer problem is also major weak point. Tranferred on chips like the small memory cards we all use in cameras, these could easily be exchanged even in full view with a minor skill in prestidigtation (palming one and switching for another), completely avoiding the need to tamper with the machines themselves.
Years ago I proposed a triple redundant encrypted transfer with a paper ballot not touched by the voter (avoids one source of possible tampering), and a voter receipt with a barcode which could easily be compared if there was ever any question.
I have yet to see any system incorporating these basic safeguards to the integrity of the voting system and voter asked for an adopted by any local election commision. At least in California they are now demanding a paper trail.
Isn't time we had a national commision to set minimum voting standards for all states, including who can vote and who cannot? In some states felons who've done their time can vote and in others like Florida they cannot. On a national level this causes distortion as well as other practices such as leaving voters on the rolls even after they've moved (Ohio, 2004).
"The very fact that I was able to download, inspect and use the very software that was used by Diebold on voting machines in the last election is cause for concern. I was very easily able to alter the parameters and results with a minimum of effort and I am no whiz!"
Even worse, the "solution" Diebold wants is for you to not be able to download and inspect the software.
[blah, blah, blah] risk analysis of the voting process, poll
worker security training, and chain of custody controls for
election day operations, [blah] testing equipment,
retaining audit logs, and physically securing voting systems
[blah, blah] security planning and management, risk
management, and procurement.
This is all just a nice way of them saying, "We have no
clue about how to 'fix' the system to make it secure, so we're
going to throw out some things that sound technical and call it
The solution is trivially simple; one need only recall the
problem that these systems were originally brought in to solve, and
you'll find the answer: the problems voters in Florida experienced
in using the butterfly ballot, and in performing the recount
afterwards. There was no need to electronically store
the votes. There was no need to transmit the votes to a
central location. There was no need to "make the system more
The simple fix is this:
1) The voter uses the tablet to vote (no confusing butterfly ballots).
2) When he is finished voting, he prints out his completed ballot and verifies that it accurately reflects his vote.
3) He then drops the ballot into the voting box.
DONE. The ballots can be quickly scanned and tallied using an
optical reader. In the event of a challenge, the manual recount is
easy because there are no hanging chads to worry about; the vote is
clearly printed upon each and every ballot.
I find it interesting that "EAC sought..substantiation of claims in the reports issued by others." That makes it sound as if they are not attempting to prove that the election process is secure, but merely attempting to avoid someone else proving that it's not secure. That's certainly not a good way to ensure its security.
I'll one up 'ya:
How about, state by state, county by county, we use already existing and low-cost technology, and perform a reality-show based declaration to vote -- whereby all registered voters stand up, state their name, and who they are voting for, all on "live" "un-edited" and "re-viewable by all" national (satellite) public television?
This could solve lots of problems, including the "I'm afraid to tell people who I'm voting for so I need to stand behind a curtain" - I mean, you'd have to be a real good non-corrupt candidate to run for office and be subjected to this kind of voting procedure, no?
P.S. "non-edited" includes no on-the-fly digital video editing that can be done SO fast that most folks never even notice.
"How about, state by state, county by county, we use already existing and low-cost technology, and perform a reality-show based declaration to vote -- whereby all registered voters stand up, state their name, and who they are voting for, all on 'live' 'un-edited' and 're-viewable by all' national (satellite) public television?"
Depends if you think a secret ballot is important or not. If you don't, there are all sorts of easy ways to vote securely. It's the secret ballot provision that makes it hard to secure.
"It's the secret ballot provision that makes it hard to secure."
Hm. Right around 9/11, I was feverishly working on solving every holistic problem I could point to, including this one. While I'm not familiar with the actual "secret ballot provision" (which I will look up), I did boil the solution down to something like this: (it's vague to me now and somewhere buried in my notes which are all in storage)
Tie the voter's ID to their MAC address;
Have the Voting Authority connect to the voter's computer through a VPN;
Do a three-way, four-way, or five-way handshake;
Present the voter his/her options (as well as provide any information on the candidates necessary for those who aren't able to keep up);
Recieve the vote through the VPN
Or something like that. Is this another case where it "sounds good in theory"?
re: my post --
"While I'm not familiar with the actual "secret ballot provision" (which I will look up)"
Good Lord. (rolling my eyes at myself). As usual, a quick search provided me enough information around the globe to immediately decide I'm not interested in this particular battle. There are much more interesting/productive ones at this moment in time.
In India,you don't have to worry about hacking , 'cos it isn't that developed to understand to hack these things or people are less bothered about this...encryption ......
Even if it is done nobody could or can possibly prove it.
This article throwslight onto things ,otherwise,doesn't say how you are going to encrypt the whole data and the intermittent data during transfer...
I would gladly give up secrecy in balloting in return for strong odds in favor of my vote showing in the totals.
Maybe public balloting would fix a lot of things, especially people who vote for someone or something they'd be ashamed to be caught supporting.
"Maybe public balloting would fix a lot of things, especially people who vote for someone or something they'd be ashamed to be caught supporting."
That's another way of saying: with public balloting, people would be more likely to vote what their peers expect rather than what they really believe.
This kind of thing cuts both ways, and I am very leery about giving up a secret ballot.
My problem with the balloting process is that there is an underlying presumption that it is possible to count all of the votes correctly.
It doesn't matter what sort of ballots you use, paper or electronic or stone tablet. It doesn't matter what polling strategy you use. It doesn't matter how you count the votes, or how many times you count the votes, or who does the counting. There will always be error. If you're counting a significant number of votes, you're going to have a fudge factor. This isn't rocket science, it's basic human nature.
What makes more sense to me than anything else is to admit this and come up with a reasonable way to measure the error margin, then impose the error factor in an election.
The error margin needs to be established by people who have no vested interest in the process of balloting and counting.
If your method of counting is accurate +/- 5%, then the margin of victory must be > 5% (ie, if it's a straight majority to pass, > 55% need to vote yes, if it's a supermajority then >71.666% need to vote yes, etc.)
Suddenly very error-prone methods of counting will be very unlikely to have public support. In the event of a presidental election, if you can't determine an outcome outside of the error margin, neither side gets the electoral votes.
Now some people will say that this is taking away "one person, one vote". But "one person, one vote" isn't true now. Whether or not it had an affect on the outcome of the 2000 election, people in Dade County were robbed of their vote. In a mayoral vote in San Diego people who wrote in one candidate (but then failed to blacken in the oval on the ballot next to the write in candidate) were robbed of their votes. You can argue that either/both was reasonable or unreasonable given the rules of balloting, but the end point is still that the voters had a desire to cast a vote one way, and the vote wasn't counted.
"This is all just a nice way of them saying, "We have no
clue about how to 'fix' the system to make it secure, so we're
going to throw out some things that sound technical and call it
Yeah, absolutely. This GAO report is as fudgy as could be, and don't expect anything to change because of that. If you want fair and reliable elections, you'll have to stand up for it. A lot of people will have to stand up for it, otherwise your votes will just continue to be rigged.
@Pat Calahan: "If you're counting a significant number of votes, you're going to have a fudge factor. This isn't rocket science, it's basic human nature."
There's a huge difference between a host of human vote counters making some anavoidable but unsystematic errors, and an election technology that makes it possible to systematically manipulate the results. Furthermore, as long as close results can be verified by recounting, the anavoidable error margin (which can be reduced if at least four eyes count each vote) doesn't prevent reliability.
@Bryan: You are apparently not blind or sight impared--if you were that would not seem like a solution at all.
@Pat Calahan & piglet
You have both inadvertenly hit on why many electoral systems demand preliminary and runoff elections (which are party agnostic) instead of our party/caucuss primary system.
It is also worth noting that while the repeated counting of anything will decrease error when those things can be identified individually, any systematic source of error will be the limiting factor (not just things related to people and their lack of disinterest in an election that will affect the way that the place that they live in is run)--but there is no guarantee that repeated recounts under EXACTLY the same conditions will decrease the error rate of counting annonymous items (standard ballots, for example).
The idea of using "digital" systems (may they be mechanical or software-based) is that recounting will not be needed due to the on/off nature of the vote data (assuming the security of such data) itself. This is why people are turning to computers. Those of us in computer security-related (and mathematics-related) fields know why this is folly--but we are by far in the minority.
As for the need of a secret ballot--I have to say that I agree with Bruce. Look at what President Mugabe is doing to the people in his country whom supported the opposition party. No more needs to be said.
Remember, where there is no trust there cannot be true security. Where is the weak link?
> There's a huge difference between a host of human vote counters making some anavoidable
> but unsystematic errors, and an election technology that makes it possible to systematically
> manipulate the results.
Oh, I agree totally. I wasn't trying to give the impression that I thought that voting machines were "okay" because all counting methods are flawed. Voting machines are decidedly less okay (IMO) because both their tallying ability and their auditing ability are integrated into one dingus. This is bad.
> Furthermore, as long as close results can be verified by recounting, the anavoidable
> error margin (which can be reduced if at least four eyes count each vote) doesn't prevent reliability.
My point is that "close" results can't be verified by recounting, because the recounting is going to be inaccurate as well (for some value of "close").
Imagine this as a test: I hand out 100,000 paper ballots to 100,000 people. It doesn't really matter how I tell them to mark them up -> ovals you dark in, holes you punch, whatever. I have everyone "vote" on say 10 different "issues", and turn them in.
Now it's time to count. Some ballots will be smudged, or have hanging chads, or will have end-user errors or some sort (write-in candidate with no corresponding darkened oval, or someone just has voting dyslexia and darkened the wrong oval), or whatever.
Any way you count it (even if you have 100% accuracy on the "countable" votes), you're going to have an inaccurate representation of what those 100,000 people originally wanted. This is what we're trying to reduce, right?
So you have someone analyze the method you use to distribute, cast, collect, and count the ballots and come up with a reasonable fudge factor (this is admittedly hand-wavy, I don't know what the best way is to do this, I just think it's a good idea).
If you have 100,000 votes with a manual four-person recount, your error factor will be very very small. But in 100,000 people, at least *some* are going to be boneheads and mark the ballot wrong or what have you. They may be at fault for screwing up, or there may be a problem with the balloting procedure or whatever, but the fact remains those people are disenfranchised.
My point is that this is unavoidable (at least in a secret ballot) -> some people are always going to be disenfranchised. By its very nature you can't have a good audit trail for a secret ballot, or the ballot isn't secret anymore. There's really nothing you can do to guarantee that everyone's vote is counted accurately (unless you want to go to a multiple-balloting system, but then people won't vote because it's too aggravating a procedure to "vote" for the same things two or three times using different methods).
Forcing the count to pass the error threshold means that you're more likely to get a result that is what the people want. It also means that if someone analyzes a balloting technique and says, "Using this device results in an error margin of 20%", nobody's going to use that device.
> As for the need of a secret ballot--I have to say that I agree with Bruce. Look at what
> President Mugabe is doing to the people in his country whom supported the opposition
> party. No more needs to be said.
We don't even need to go abroad. Imagine what the McCarthy hearings would have looked like if HUAC could get their hands on voting records, "Mr. Schneier, I have in my hands your voting records from 1936. You voted for a Socialist candidate in the mayoral election in Chicago. And you say you're not a Communist sympathizer?!?!?"
> at least *some* are going to be boneheads and mark the ballot wrong or what have you.
Case in point, I'm looking at my midterm in my graduate school class and I darkened one oval completely wrong. I knew the correct answer, and just bubbled in the wrong circle.
"bonehead" is a human state of mind and not an indicator of intelligence :)
Pat, I'm not sure whether you are right but this is a technical question that doesn't interest me much. "But in 100,000 people, at least *some* are going to be boneheads and mark the ballot wrong or what have you." Well, but it's the boneheads' own fault, isn't it? You can't prevent this. The Swiss once voted on whether to close down their nuclear power stations. A close majority voted against, but polls showed afterwards that a considerable number of voters had voted "No" in the belief to vote against nuclear energy - but they should have voted "Yes, we want to close those nuclear plants".
Citizens shouldn't act that stupid, but it happens. One of the Achilles heels of democracy is lack of interest, and of competence, on the part of the citizens. This is not a technical problem and can't be addressed by the choice of voting procedures. The other Achilles heel is the lack of real choice, the power of corporations and media conglomerates and partisan machines. I hold this to be much more serious than the human error factor.
Righto. The interest of the citizens is only amplified by an (in)ability to process sufficient information to make a correct decision.
There are some countries where all the candidates and ballot measures are represented by icons, due to a high rate of illiteracy. You either vote for the chair or the snake -- and you can imagine the implications of the images themselves. I also just read that during the recent California ballot initiative some people recieved propoganda saying "these famous people want you to vote yes" and so that's how they voted. It wasn't until after the election that they discovered they'd been fooled.
Secret balloting is needed (at least in places like Chicago where I live) to make buying votes impractical. Right now you could give me $100 for my vote, but there is no way for me to prove I voted for you. If you make proof easy, vote buying will follow en masse.
"Secret balloting is needed (at least in places like Chicago where I live) to make buying votes impractical. Right now you could give me $100 for my vote, but there is no way for me to prove I voted for you. If you make proof easy, vote buying will follow en masse."
As long as there are mail-in ballots, vote buying is practical. If you give me $100, I can give you my blank signed absantee ballot.
> I'm not sure whether you are right but this is a technical question that doesn't interest me much.
Fair enough. I don't remember all of my undergraduate statistics, but there is considerable research in polling error margins (think Gallup).
Counting without audit is really hard.
> Well, but it's the boneheads' own fault, isn't it?
I was just including that as an illustration that the current "infallible one man one vote" theory is... uh... fallible.
I've tried to argue the addition of an error margin with quite a few people and they always seem to think that I'm talking about throwing people's votes away. "On the contrary," I tell them, "I'm trying to make sure that the balloting process results in an accurate picture of the majority."
Mail-in voting ("It will increase turnout and make things easier on the electorate") exists because (a) people are lazy and (b) somebody somewhere thinks that increasing voter turnout is a worthy goal in and of itself.
It's not, IMO. I'd rather have an accurate tally of the set of people that care about voting than a potentially polluted tally with exactly that sort of ballot stuffing enabled.
We know that mail in ballots are a source of fraud. But because they are tied in with emotional issues (military service, elderly and disabled citizens, etc) you can't get rid of this - to say that these voters don't "care about voting" won't wash with most Americans.
It's not true either. There are legitimate reasons for not being able to vote personally on election day. Mail-in ballots are a security vulnerability but I would think it rather difficult to exploit systematically. In Florida 2000, they decided to breach the rules and count late ballots. The problem was not mail-in ballots but the fact that the responsible authorities were not impartial - actually the worst thing that can happen in an election, and still the biggest vulnerability of the US election system. In 2004, as in 2000, Bush was declared winner by a republican secretary of state and pro-Bush campaigner, a state of affairs which is otherwise only known from one-party-regimes. Heck, how come nobody is talking about that?
I have voted absentee in the past. While it is possible to exploit the system most of the exploits I've heard about had a lot more to do with FAKE ABSENTEE BALLOTS than vote/ballot buying. Also, it is federally illegal to prevent citizens from voting just because circumstances that are not completely under their control prevent them from being within an appropriate distance of an authorized voting location for their district (being in another country getting shot at for minimum wage comes to mind) on election day.
It does, however annoy me that permanent residents of other countries (Israel in particular--not to pick on them, but this is the case) often retain their USA citizenship (and vote in our elections) HAVING NO INTENT WHATSOEVER TO RETURN to the USA as a permanent resident. I think that honestly there should be a requirement to actually reside in the USA for a minimal portion of an election year to be elegible to vote IF you are also a citizen of another country--or that you demonstrate an intent to return (punishable under perjury statutes) for a certian minimal period of time during the term of the shortest appointed political official that you vote for. (I recall that once upon a time such a restriction did exist in a much more draconian form.)
"In 2004, as in 2000, Bush was declared winner by a republican secretary of state and pro-Bush campaigner, a state of affairs which is otherwise only known from one-party-regimes. Heck, how come nobody is talking about that?"
Well, actually the Bush campaign appealed the Florida Supreme Court's ruling that favored Gore and an official recount was stopped by the conservative Federal Supreme Court on a 7-2 decision, and a 5-4 decision said that no new recount would be allowed. Most disturbing, perhaps, is that the Supreme Court even admitted that the block on recounts should not be used as precedent:
"Our consideration is limited to the present circumstances, for the problem of equal protection in election processes generally presents many complexities. The question before the Court is not whether local entities, in the exercise of their expertise, may develop different systems for implementing elections. Instead, we are presented with a situation where a state court with the power to assure uniformity has ordered a statewide recount with minimal procedural safeguards. When a court orders a statewide remedy, there must be at least some assurance that the rudimentary requirements of equal treatment and fundamental fairness are satisfied."
I'm no lawyer, but every time I read this it says to me "ok, the election results are questionable and probably unfairly influenced, but without ideal conditions for a recount we can not allow the results to be validated".
What makes the results from a system with unknown but potentially severe integrity issues more valid than a recount with oversight and known issues?
Davi, my point is that the rules were interpreted (and even made on the spot) by partisan politicians, not by an independent election board. The people in charge of the Florida election were the brother of the candidate (the governor) and his campaign chair (the secretary of state). It was them who ordered the counties to stop the recounts, and they were in charge of certifying the results and declaring the winner. If this happened, say, in Zimbabwe, nobody would call it a fair election.
> There are legitimate reasons for not being able to vote personally on election day.
I agree. However, it seems like these legitimate reasons can be lumped into several classes and dealt with on a class basis, instead of enabling a blanket solution of mail in voting.
Obviously people deployed in the military should be allowed their vote. People on diplomatic assignment should be allowed their vote. (Neither of these classes require a mail-in ballot, since polling places "in the field" can be arranged).
Someone who chooses to go on vacation to Fiji during the week surrounding election day, not so much.
>As long as there are mail-in ballots, vote buying is practical. If you give me $100, I can give you my blank signed absentee ballot.
When I was in college in California I voted absentee in Illinois. I received the ballots and instructions by mail. I had to take them to a Notary Public. There was one in the college administraction building. The Notary read the instructions, which told her to first inspect all the ballots to confirm that they were blank. At the time, I didn't undertand the reason for that. Now I do. Then I marked the ballots, keeping their faces toward me and away from her, and sealed them into envelope A (which did not identify me). Then she notarized a document I signed, and we put that document and envelope A into envelope B. (I no longer recall how we mailed envelope B.)
I would say that the procedure we followed was about as receipt-free as it could have been, and gave a reasonable expectation of voter privacy.
I haven't voted absentee since then, but I understand that the practice has become more lax.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.