A group called Protect Democracy is suing South Carolina because its insecure voting machines are effectively denying people the right to vote.
Note: I am an advisor to Protect Democracy on its work related to election cybersecurity, and submitted a declaration in litigation it filed, challenging President Trump’s now-defunct “election integrity” commission.
CommonSense • July 19, 2018 7:33 AM
Paper ballots hand counted in public is the only way to do voting. Nothing is more secure. In a country of 320 million there are more than enough volunteers to do so.
Stop enriching corporations and making it easier for a few to rig elections. It is impossible to have faith in the results of any election done with machines. Other countries hand count and some even receive results quicker than we do with machines.
echo • July 19, 2018 7:43 AM
I have the submission open in my browser now and will read through as and when.
I won’t clog up this topic with my footstamping but further to having an international money transfer halted by the processing company I have complained to them. Specifically, they breached Financial Conduct Authority rules by pressuring me to divulge confidential information about the product I was ordering under the guise of money laundering legislation which, if I read the due diligience bit of the actproperly, this information may only be used in puruit of this act and for no other purpose. Subsequent to a chat with the FCA I will be contacting the Information Commissioners Office, the Financial Ombudsman, and another statutory regulatory body concerned with the product I was importing. Without going into details the outcome was a denial of fundamental rights.
If there is a common point with Bruces topic my guess is it is how individual corporate conduct (and sometimes even widespread industry conduct) can effectively “create law” in practice without any constitutional, statutory, or regulatory authority behind it in denial of a citizens lawful behaviour and rights.
Pete • July 19, 2018 8:13 AM
A paper audit trail is required.
The voter should be able to read the paper to know that their votes were placed accurately.
An audit committee (and news organizations) should be able to read the paper to compare it to the electronic counts for at least a year after the vote. No thermal printers.
Electronic voting isn’t bad, provided human validation from generated paper can be performed.
Winter • July 19, 2018 8:17 AM
“Election Machines Are Insecure”
As with many of the aspects of voting in the USA, the first question that comes up is:
“Is this considered a bug or a feature?”
John Campbell • July 19, 2018 8:48 AM
Beware, some of y’all are gonna TL;DR this.
@commonsense wrote “Paper ballots hand counted in public is the only way to do voting. Nothing is more secure. In a country of 320 million there are more than enough volunteers to do so.”
The whole point is that, in any system where any portion is handled “out of sight” of the electorate…
The real problem, borrowing from Bruce, is “Who do you trust?”
With paper, there are people from all parties working “together” to keep the materials under as many eyes as possible to keep a single actor from making wholesale changes.
How do you trust the coders and vendors who implement the code? How do you trust those auditing the generic code? Who audits the local coding and can you trust them?
Occam’s razor needs a corollary for voting processes.
“It doesn’t matter how well-crafted a system is to eliminate
errors; Regardless of any and all checks and balances in place,
all systems will fail, because, somewhere, there is meat in
the loop.” – me
So, with manual election processing, there are checks and balances that reduce the ability for wholesale fraud to be committed. Machines, which hide pieces of the process, makes it harder to avoid wholesale fraud done by someone within the “system”.
Mind you, voter suppression efforts qualify as wholesale fraud, though that’s not within the process of counting. (I saw some efforts back in 2004 that made me suspicious, but, more recently, the “voter ID” efforts, combined with “real ID”, can disenfranchise married women since they can face an uphill battle getting their certified identity given the need to explain how they arrived at their “current” name versus that of their birth name. RealID, combined with VoterID laws, may be a bit of a long game to silence women voters.) Yes, my paranoia seldom drops down to 11, much less 10.
There will always be some small level of retail fraud.
Note: Paper audit trails are bullsh!t; A mark-sense system that does the tallying can be corrupted just as easily as a touch-screen system, if not more easily.
Tanterei • July 19, 2018 8:52 AM
@CommonSense
Your assertion is based on the assumption that no falsification can take place during the counting process for paper ballots. Whilst I am not familiar with the process as it is performed in the US I would hazard a guess and say that it is certainly possible to falsify results even for paper ballots.
In case of paper ballots, however, the effects of such falsification would be quite localized – which is probably not true for votes cast electronically.
I’m with @Pete on the necessity of a paper trail – a long-term one. Ideally one should have two parallel channels carrying the information and the voter should be required to verify, that both channels contain the same information at the time of the vote being cast.
reston • July 19, 2018 9:21 AM
@John Campbell: “The real problem, borrowing from Bruce, is “Who do you trust?”
+1
….”The people who vote decide nothing; the people who count the vote decide everything” – Joe Stalin
So you and them were against investigating the integrity of elections before you were for it?
mark • July 19, 2018 11:26 AM
Bruce (and others),
I’ve like to see folks’ thoughts on the Chinese company that bought into Maryland’s voting machine supplier (asks the MD resident).
Alyer Babtu • July 19, 2018 12:52 PM
Some good background reading on internet voting, voting machines, and earlier law cases at
MikeA • July 19, 2018 12:56 PM
I first ran into the issue of “software voting” nearly 50 years ago. The ASUC (Student Body) elections at U.C. Berkeley (that controlled, among other things, how a portion of our student fees would be spent) went to ranked-choice voting, and some of us in C.S. wanted to inspect the code that would do the tabulation. We got the “nothing to see here, move along” treatment, with a side order of “But if we let you see the code you might hack the election”.
Yeah, deja vu all over again.
Alyer Babtu • July 19, 2018 1:16 PM
And, besides solving the honest recording and tabulation problem, there is how to ensure the aggregation of individual votes uses a method that reflects “the wishes of the voters”. Very helpful discussion of this issue in books by Donald Saari.
justinacolmena • July 19, 2018 3:08 PM
Suing?
In a civil court?
Over a totally defunct and broken voting system? In a supposed democracy?
This only thing “civil” about this is war, insurrection, and rebellion against the United States.
We don’t even have a “civil” court system anymore since “tort reform” and criminal no-trespass orders barring litigants from courthouse property after their suits have been dismissed a certiorari with extreme prejudice — Don’t ever come back to the courthouse for any reason!
Computerized warrant and background check systems as well as court records for prisoners have been hacked by Eastern European thieves in law.
denise • July 19, 2018 4:34 PM
Tanterei, re: “Your assertion is based on the assumption that no falsification can take place during the counting process for paper ballots” — no, the statement by CommonSense assumed less falsification, not no falsification (and that machine-based elections are bad enough so as to be useless).
echo • July 19, 2018 5:14 PM
I note on page 13 of the motion for preliminary injunction it says the Commission has never explained why it needs the data or how it processes it which it is required to explain and failed to do. It then wished to cross reference this data with other databases that contain information against immigrants including naturalised citizens. It has never explained the issue at the level of multiple external databases or how it would ensure compliance with the law.
I only made a provisional complaint to the international money transfer company to keep things easy but am preparing something more through. While somewhat dissimilar on the surface the basic logical structure is similar enough.
There is also an interesting comment on page 23 about “authority” and “agency”. It also goes on to discuss the broad reach of the PRA. The later discussion fo no alternative remedy is interesting too, as is “unlawfully witheld” and undue delays.
Page 34 notes that courts have noted where an obligation to disclose exists irreparable harm may result if denied access to information relevant to an ongoing debate.
Comparing the US situation with the UK/EU situation is interesting. Moving beyond my provisional complaint to the (US owned) UK branch of a financial company I’m cogitating before writing things up for the different statutory authorities and the company itself. I’m not aware of anyone who has legally challenged onerous and invasive application of money laundering and other laws of this level to the ordinary consumer or service user. Nor am I aware of any company which has taken a robust stance with implementing the law while defending and protecting customers rights. With regard to internet providers they have taken a defensive position on copyright law and privacy in the past but to some degree are half hearted.
In my experience where an administration (state or otherwise) wants to have its way you must either collect information from people who have experienced this before or go through the process and take a beating on the inside to discover the information. Ok, done that. The next step is much like the submission which is to carefully examine the policies and basic issues and go from there.
The difference in US and UK style of submission is quite stark. I find on average US submissions tend to be more straightforward. With UK stuff you have to pick bits out then try to make sense of it after which doesn’t make it an easy learning exercise.
Hmm • July 20, 2018 1:39 AM
Are we really going to have to sue in each individual state to maintain basic nice thing standards?
Maybe we really are hosed, eh?
@John Campbell
“Mind you, voter suppression efforts qualify as wholesale fraud, though that’s not within the process of counting.”
True, that.
“Note: Paper audit trails are bullsh!t; A mark-sense system that does the tallying can be corrupted just as easily as a touch-screen system, if not more easily.”
I’ll borrow here from Wikipedia: “Any subject matter may be audited. Auditing is a safeguard measure since ancient times (Loeb & Shamoo,1989).[3] Audits provide third party assurance to various stakeholders that the subject matter is free from material misstatement.”
Properly done, the use of both random and focused audits of mark-sense paper ballots can be highly effective in ensuring accurate vote counts. The rub is in the “properly done” part. Elected Secretaries of State might be disinclined to follow up and order recounts, or state legislatures may seek to limit audits. Audit recounts should be random and routine, done just as wholly paper ballots are counted: in public, by partisans from all sides to insure no shenanigans.
wumpus • July 20, 2018 8:07 AM
Sometime between the 2000 election debacle and the recent primary, all my votes in Maryland were done electronically on a flashcard ballot (exactly how you run an election to steal it). The company that makes this system was purchased by a Russian Oliarch and was likely accessed in 2016.
Fortunately they seem to have switched to “scantron” ballots that can be retained, it is relatively easy to write new OCR software for a recount, and can even be counted manually (and there is little danger of voter confusion between what they thought they were voting for and what was counted as a vote).
I had been advocating a “kiosk” voting system similar to the flashcard based system, only with a printed out ballot with the names of the officials voted for clearly written. Using a “scantron” system may be slightly slower, but it leaves no doubt that the voter looked at the ballot and deliberately chose the selections.
John Campbell • July 20, 2018 2:25 PM
@JF…
A paper “receipt” which is mark-sense would require you being able to read it, too, without “technical assistance”.
Frankly, a fully manual re-count, if it can be pre-arranged, can behave like a denial of service. (In the Alabama special election where Roy Moore lost, the margin was just large enough to make a re-count unnecessary. Random selection of precincts for a manual audit after all elections would be required to ensure there was no technical jiggery-pokery of the automated count.)
(shrugs)
There will ALWAYS be people attempting to “game” such a system, you will NEVER get the error-rate all the way to zero, even WITH manual counting being done by people of all parties to check and balance each other, but any time you can move things out of sight– like a computer does– the deeper the doinking can be.
Jesse Thompson • July 20, 2018 2:57 PM
Whenever there’s a database compromise the advice I always hear is “never trust your data to the cloud”
Whenever there’s a smartphone exploit I always hear “I stopped using smartphones in aught-seven, never really needed them”.
Whenever there’s news about autonomous cars I always hear “the software will never be practical, you need meat behind the wheel”.
During the recent Spectre/Meltdown news I hear “Branch prediction and memory caching was a bad idea to start with, people who really care about the results of their operations don’t mind waiting 100 times as long to get them”.
For any IoT exploit it’s “that didn’t need to have access to the Internet” as though the only reasonable firewall is an air gap.
I don’t know if the problem is that these people who claim to be committed to security are really Luddites who feel that anything digital is doomed to sabotage OPSEC, or just that these voices are sufficiently lazy that they view their job in security as an exercise in destroying the primary asset so that there’s no longer anything vulnerable to attack in the first place, or else covering their asses by discharging all responsibility from their “digital security” domain and pushing it to the edges where they can instead blame the victims at those edges.
But I’m certain that for every “voting should be 100% paper” voice out there today, some number of centuries ago there had to be as many people who didn’t trust paper because it could be forged and who swore that all voting had to be done via word of mouth or in person. :/
I get that voting is a charged, and polarizing, and high-stakes endeavor that represents a heavily expensive asset with a fractally broad surface area of attack. But it’s far from the only one, since virtually everyone on Earth now does their banking online and via ATMs and their smartphones.
Almost all of these voting machines that get mired in script-kiddie level scandals are made by Diebold, who in turn makes nearly every ATM that we already trust with unfettered access to our personal wealth!
Is my vote for who will be president between bought plutocratic candidate #1 and bought plutocratic candidate #2 really more valuable than several thousand dollars of personal wealth that I deposit and spend and save every month?
Then why do we feel so much more secure in the latter than in the former? What missing ingredient do we need to ensure that a person’s vote gets counted and defended from coercion as effectively as their bank balance does? :/
@John Campbell
“A paper “receipt” which is mark-sense would require you being able to read it, too, without “technical assistance”.”
Mark-sense paper ballots are both machine and human readable; perhaps you are unfamiliar with them?
John Doe O
Jane Deer O
Other O ________________
After marking your ballot you feed it into the machine which reads it and stores it for audit, if necessary.
(Sorry about the bubbles not being aligned, but you get the idea.)
echo • July 20, 2018 4:19 PM
@JF
Useful thoughts. I am compiling a complaint against a financial company. I have already identified them being overzealous in their application of fraud/money laundering law. They are making basic mistakes at the administration level and I felt possibly supervisory level. Your arguments have helped me focus a little better on their companies fitness to trade.
@Jesse Thompson
Following on from this I note that a “secure system” can actually in practice begin working against the goals it is meant to achieve and make things worse, and in fact drive people away from the legitimate system and be placed at risk by their only reasonable available means is via insecure systems.
This kind of inherent systemic problem seems to be present across a variety of government directed schemes not just financial processing but increasingly also voting systems and voter representation.
Clive Robinson • July 20, 2018 4:39 PM
@ Jesse Thompson,
Almost all of these voting machines that get mired in script-kiddie level scandals are made by Diebold, who in turn makes nearly every ATM that we already trust with unfettered access to our personal wealth!
The difference is in reality who is paying for security and who is not.
The banks are paying for both availability and security, as the ATM’s get significant abuse day and night 24×365.25. Voting machines are a joke the biggest security concern for most purchasing Local Government is that they do not get bashed to bits by clumsy/angry voters, oh and all at the lowest possible price…
As for your “Luddite” list of Security gripes, most are true security workaround solutions. They are required for a whole host of reasons, but mostly they are as a direct result of “Marketing Dept” having the veto over anything that they see as NIH. Frequently on the excuse “the market does not want it” or “it will critically negitively effect product release dates”…
Thus security in by far the majority of products is not just close to zero but way way out on the negative side.
If we want real security not painful and impractical workarounds we need to get security built into products from before “day zero” in the same way Qiality Assurance is built into every step of the product production process…
But hey I’ve only been saying this since last century, so don’t worry give it another fifty years or so and we might have the legislation in place to encorage/force security. But first the pain threshold has to become unbearable to the point where the money people (Intel Managment for instance) start getting a stripy view of the world due to looking through bars…
echo • July 20, 2018 5:35 PM
@Clive
Business and government don’t get “intersectionality”. I’m not sure why. Maybe it’s a “bloke” thing or comes over as jargonistic. But basically what you say is that a system must integrate different sub-systems. This does, I agree, make some decisions quite difficult when the limits and interactions and outputs are concerned. Cue me left screaming “Why don’t you get it!!!!!!???”
While I get what Bruce says about him trusting a system built by experts which stands the test of time I don’t completely agree with his circumspection of technical-social systems. The reason, as you infer about managers needing to experience a stripey view of the world, is the human decision maker at each node of the process.
I have noticed within some organisations especially and have began closely observing the world in general for this and fairly sure the “good cop, bad cop” phenomena is real and reports and studies seem to bear this out. The basic reason, I believe, is where a competently curated body of knowledge is not throughly disseminated it results in random behaviour. This can explain the “tick, tock” behaviour when navigating organisations or when coming in contact with people within the general population. I daresay this has implications for voting systems and economics too.
Kevin McGrath • July 20, 2018 6:12 PM
I retired to SC in ‘09 and it’s not surprising that they have been using a system that can be easily hacked. In late 2012 when Nikki Haley was governor the state experienced a massive data breach back and the state was forced to give out free credit monitoring to all residents for years afterward. The state has one of the lowest tax rates in the country but this also means that they have very litte money to spend, or the interest to spend, on professional data security or to pay the fees and salaries of high quality associated security staff. With the current group of anti tax wackjobs that pass for legislators in our statehouse I don’t see any changes to this status quo in the near future.
echo • July 21, 2018 12:19 AM
I used to think Brexiters were humourless but they do irony quite well.
Tougher powers needed to prevent election ‘tampering and manipulation’ after Brexit campaign fined, MPs demand
A Vote Leave spokesman said the Electoral Commission’s report contained “a number of false accusations and incorrect assertions that are wholly inaccurate and do not stand up to scrutiny”.
Clive Robinson • July 21, 2018 1:49 AM
@ echo,
The final paragraph of,
Is what many people have said about the “Brexit Facts on the Bus” etc of the BoJo and MiGo commody –of errors– duo, the dificulty being working out who the straight man was.
For those reading along not from the UK, the Brexit campaign had two contingents the “leave campaigners” who basically broke the law, were backed by questionable organisations and lied incessently and the other group that because it did next to nothing anybody can remember…
There was however a third element… From the US of which the most memorable was President Barack Obama who broke existing British electoral law, whilst on British soil… But that was OK he had American Exceptionalism and a Diplomatic Passport… Mind you I doubt if he would have been prosecuted any way, he was simply “Stating the bleeding obvious”.
Unlike the other US involvment funding and organising the BoJo MiGo and subsiduary contingent illegally and carrying out quite abusive activities via social media… With yet more evidence and hopefully convictions to follow…
Tony • July 21, 2018 2:47 PM
@Jesse Thompson said:
“Then why do we feel so much more secure in the latter than in the former? What missing ingredient do we need to ensure that a person’s vote gets counted and defended from coercion as effectively as their bank balance does?”
The missing ingredient is that I can audit my bank balance. I know how much I put in. I know how much I took out. If there are any entries on my bank statement for transactions that I did not authorize I can complain to the bank (and for the moment to the CFPB).
When I walk away from the polling station there is no way to find out if my vote was tabulated as I cast it (deliberately … we have a secret ballot for very good reasons).
echo • July 21, 2018 5:56 PM
Is it possible to built a machine which would drop a ball bearing down the relevant chute and the voteis counted by weighing the buckets later? The advantages are it is a mechnical system anyone could at take apart to understand or even see working. The other is counting is very fast. Is this practical and secure, or so bad an idea it is beyond stupid?
Hmm • July 22, 2018 2:10 AM
“or so bad an idea it is beyond stupid?”
Nobody say anything, shh. The wind will tell us.
PDo • July 22, 2018 8:48 PM
Just earlier this year I wrote to a local reporter for the newspaper-of-record for the city in which I used to live regarding that county’s very insecure electronic voting machines. I encouraged the reporter to attend the next meeting of County leadership, armed with the notes I had made and sent to the reporter.
Never heard back.
But it sure does bring a smile to my face as I picture myself filing a similar lawsuit there. Just to see those smug smiles turned upside down….
David • July 25, 2018 12:32 PM
@echo
Mechanical devices have their own problems.
Let’s say your voting device broke at the polling station. Are there skilled technicians on-hand to fix the device? Do we keep the polls open longer? Do the rest of the people just not get to vote?
What happens if a ball bearing gets stuck in the machine and the vote weight is off. Does that invalidate the results at that polling station? For recounts, would we need to disassemble all machines to check for stuck ball bearings?
Uniformity in ball bearing size. There are minute differences from one ball bearing and another. If a vote total weighs more than expected or less than expected is that ballot stuffing possibly? Also are voters/politicians going to be okay if the steel used is not American (for U.S. elections)
Loss of voting ball bearings. Ball bearings are pretty hefty things (I’m picturing pachinko balls at the moment). I doubt polling machines could hold all the ball bearings used in that day’s vote. Poll workers would have to have a supply of to-be-used ball bearings to resupply machines or somehow be able to empty the machines of the used ball bearings. How do you prevent poll workers or technicians from adding to or removing ball bearings that could affect that election? Also imagine a ball bearing container breaking and spreading ball bearings all over the floor, how confident would be in the results if we couldn’t tie a ball bearing back to a voter?
Jesse Thompson • September 16, 2018 6:53 PM
@Tony
But there are tons of crypto systems that can provably allow individuals to verify that their vote is accounted for in the final tally without allowing third parties to do so (maintaining secret ballot).
Here is Professor Ron Rivest detailing one of them on Numberphile, with a link to the paper in the description.
Subscribe to comments on this entry
Sidebar photo of Bruce Schneier by Joe MacInnis.
me • July 19, 2018 7:08 AM
i don’t know the laws but i think that is a good idea!
Here in italy, they used electronic vote for the first time (for regional voting only).
i think that is a bad idea and a nightmare for the security.
for example: the touchscreen is both the input and output of the device.
so the producer of the touchscreen can make an “evil” touchscreen that let you think that you voted A while he tap on candidate B no matter what you tap.
this can’t be detected by antivirus or from software.
elections must be costly, so that they are costly to hack.
to hack paper election you have to pay 5 persons inside the room to have them report that candidate B has been voted by almost all the people. and pay 5 persons is costly, also if even a single one doesn’t accept and report the attempt to the police you failed.
while in the electronic election you have just to place modded touchscreens or whatever other piece.
and there was an indian research (if i rember correctly) that noted that it was pretty hard to find out hacked machines as even with extra chips they looked exactly as the original one (because chip was hidden under the lcd or othr components)