Election Machine Insecurity Story

Interesting story of a flawed computer voting machine and a paper ballot available for recount. All ended well, but only because of that paper backup.

Vote totals in a Northampton County judge's race showed one candidate, Abe Kassis, a Democrat, had just 164 votes out of 55,000 ballots across more than 100 precincts. Some machines reported zero votes for him. In a county with the ability to vote for a straight-party ticket, one candidate's zero votes was a near statistical impossibility. Something had gone quite wrong.

Boing Boing post.

Posted on December 5, 2019 at 6:06 AM • 32 Comments

Comments

Pocono Chuck • December 5, 2019 6:53 AM

Many are advocating for a hard copy to be provided to each voter after they cast their ballot. This is not the paper roll inside the voting machine, but rather a receipt provided to the voter, presumably with a QR code (or other mechanism) that would shield their actual vote but allow verification for who/what they voted.

While I instantly understand the concept, what purpose does it serve if a substantial number of these paper ballot receipts are not produced in the event of a recount? In the particular case of the above story, one receipt could demonstrate the candidate with zero votes did, in fact, get 1 vote, but unless you collect nearly all the ballots (or at least plurality), what good is it?

Consider: walk into any convenience store with an ATM, and you'll find bank receipts in a trash can (or on the floor). If people are so careless with their financial papers, does anyone believe they'll treat their voting records more securely?

I don't see the push for these receipts to be much more than a feel good solution with little value in the event of a recount.

me • December 5, 2019 7:13 AM

@Schneier
> but only because of that paper backup.

no! also because the vote ended so bad that it was impossible that one get 8746194678 votes and other gets 3 votes.

if the mistake wasn't that huge nobody would have checked paper.

me • December 5, 2019 7:18 AM

From the article:
> County officials who led the purchase of the machines have argued that the system actually functioned as it should: The paper ballot backup process worked. The touch screens failed, but the backups had the correct vote, so while it was inconvenient, it proved the necessity of a paper backup.

NO, no and again no!!
this is completely flawed, you can't say "hey everything worked we still have the right number of votes" because the only reason you checked it is the huge mistake.

i don't get why don't we just use paper vote, it's much more trustworthy.
you need to trust only the bunch of people inside the room to not collude and mess with the results.

in the e-vote you have to trust:
-the machine maker
-the software
-the touch screen maker
-every component plus their firmware
-and also the bunch of people
so you gain nothing

me • December 5, 2019 7:24 AM

also from the article:
> I hit straight Democratic, straight Republican is what registered ... But thankfully it easily reset, and I reset my system, and that time it registered Democratic.

this is problematic too, because not everyone will double check the vote, most of the people will think that if they clicked A, A is what is registered and not B.

Medo • December 5, 2019 7:47 AM

As a software developer who knows how the proverbial sausage is made, I really prefer simple paper ballots over voting machines. Not just because of stories like this one, but also because voting machines make the counting process opaque.

Possibly the most important feature of an election is the trust that the final results really do represent everyone's votes. In a pure paper ballot election as we have it in Germany, every interested citizen can watch the process in a polling place of their choosing, starting with the sealing of the empty ballot box in the morning, verifying that people coming in are checked against the registry, that the only ballots going into the box are from those people, that only ballots from the box end up on the table afterwards and that they are counted correctly (counting is done publicly, straight in the polling place after the election if feasible). You can note down the counts and check them against the published results afterwards. You can re-do the sums of all the results for all polling places. Thus everyone can personally verify the entire process.

With voting machines it's not so easy. The machine spits out a result in the end, but you as a citizen have no way to check if that result really matches what people have typed into the machine, except in the event that the paper backup is evaluated, but that does not usually happen. Even if you are using a scheme that allows you to cryptographically test that your vote has been counted, you still have to trust that obscure system built on calculations that most people won't understand. It just does not create as much trust as a simple paper ballot.

ROF • December 5, 2019 9:37 AM

Use HAND MARKED paper ballots! Do not use ballot marking devices. If the paper trail starts AFTER the voting machine has had its way with the voter's intent, the voter's intent cannot be verified.

If ballot counting devices are also used then a risk limiting audit is also required.

1&1~=Umm • December 5, 2019 9:55 AM

The question people really should be asking is,

What is this perversion for voting machines?

They obviously do not work, and are also almost impossible to maintain let alone keep secure.

But also how often do they get used, once every couple of years, that is longer than both a "Hardware lifetime" and a "Software lifetime" thus they are obsolete after a single use.

But unlike paper systems using lockable boxes, that do not need to be securely stored, thus can just be put in a basement cupboard or unlocked room, voting machines need to be stored in secure locations to ensure they are safe for use. The paper ballot boxes are also good for fifty or more years unlike the machines that will be unrepairable in ten years or less.

Thus the cost of voting machines -v- paper ballot systems is many magnitudes greater, and an entire waste of money at all stages.

Common sense says that such machines are in effect like the MIC corruption racket a way to take the "tax take" and use it to give backhanders to party political donors...

S. Dedalus • December 5, 2019 10:44 AM

@Pocono Chuck: the personal receipt is a terrible idea because it provides means to verify your selection to a third party, who can then dole out rewards or mete out punishment as they see fit. Secret ballot permits you to lie convincingly to third parties, who will then be much less likely to trust the report. Vote buying becomes a trivial affair if all you need is a kiosk with a QR reader that functions like an ATM.

@me:

You are correct that a paper trail is not sufficient to ensure vote tally integrity, but it is necessary. Statistical aberrations can trigger recounts, but a meaningful proportion (say, 5%) of individual precincts should be randomly audited every election. Anomalies detected there should obviously prompt a broader review.

Pocono Chuck • December 5, 2019 12:19 PM

@Dedalus Don't misunderstand, I am not advocating the receipt. I am wondering why so many are, however.

Jesse • December 5, 2019 1:34 PM

As a software developer, electronic voting machines make me nervous, although good voter verifiable paper trails with rigorous audit requirements can limit some of that risk.

As much as security people don't like digital voting systems, there are many populations that really benefit from them including people with mobility impairments, limited vision, or low literacy. Putting only these people on voting machines is problematic. Even if there is a voter verifiable paper trail, these populations are the least able to verify it. Personally, this leaves me torn between two sub-optimal options.

One part of the article confuses me as it seems to imply that a touch screen issue was (mostly at least) to blame. How does a touch screen issue only impact the digital record and not the paper record? Maybe I missed something, but it seems like there is more to it.

Kai • December 5, 2019 2:00 PM

There is a quick, and easy, solution for this.

Any company found to be selling electronic voting machines that are subject to errors like this are banned from supplying any more voting machines for a period of 10 years.

These errors are allowed to occur because they favour the incumbent party, who signed the contract to purchase the voting machines, or because there are no repercussions even if the machines are found to be grossly faulty.

If there were sanctions against any company that provided faulty voting machines, you can bet that they would very quickly get their act together.

Mike Jeays • December 5, 2019 2:32 PM

On-line voting and mail-in voting both have the severe problem that voters can be influenced by other people; for example the abusive spouse watching over their partner's shoulder. (I am careful to avoid gender-specific pronouns here). There is a great deal to be said in favor of a real secret ballot, where people can vote their conscience and lie about it convincingly if they so desire.

David Leppik • December 5, 2019 3:44 PM

Vote coercion can only be avoided by social norms, not technical means. Particularly these days when everyone walks into the voting booth with a cell phone camera: someone could demand that you show a photo of a properly filled-out ballot.

Here in Minnesota, with mail-in ballots, the Democrats (and probably Republicans) and their allies have encouraged people to have voting parties, where people fill in their ballots at the party. I've never been to one, so I don't know if the voting itself is done in private. It's a way to lock in votes and make sure there are no last-minute snafus. Presumably only enthusiastic supporters would want to go to such a party, but it wouldn't be hard for a close friend or romantic partner to feel obliged to attend.

I've heard that in India, corrupt politicians use neighborhood-level bribes. That is, they make it clear that if a particular precinct doesn't vote for the politician, they will be excluded from neighborhood improvements. That's a lot harder to fix, since doing away with granular information makes it harder to detect vote tampering.

Thunderbird • December 5, 2019 5:24 PM

> There is a quick, and easy, solution for this.
>
> Any company found to be selling electronic voting machines that are subject to errors like this are banned from supplying any more voting machines for a period of 10 years.

I'm sure no one would think of selling the company to a new company that wasn't under any ban.

V • December 5, 2019 8:07 PM

The goal in elections is not to have a process that is fast, or cheap, or to make the most money for voting machine companies. The goals are (well, should be) elections that are demonstrably fair.

Paper ballots are auditable - they can be counted again in front of the public. A paper ballot process can be demonstrated to be fair to anyone with a high school education. You can see that any one voter gets one ballot. You can see that each voter gets to mark the ballot in secrecy. You can see that the ballot boxes are looked after by at least two judges from - or approved of by - opposing political parties. You can see that the ballots are counted fairly.

Compare that to voting machines, where you need computer science _and_ electrical engineering skills, as well as access to the innards of the machine _and_ the code before you can trust the system. Good luck with that.

Alphonse • December 5, 2019 10:26 PM

In the US, machines (of some sort) are desirable because our elections can be extremely complex. There may be 50 different offices being voted on (in another country, many of these would be appointed or perhaps civil service, and I'm not going to claim that the average voter has a clue on any but the top-ticket races), and a handful of text questions (e.g. amendments to state constitutions or city charters). Some locales are messier than others. Ballot marking machines are useful for voters with infirmities (blind, illiterate, etc.) though in my experience as an election worker very few use these (perhaps 0.1%, though a few voters come with trusted assistants to aid them). But all ballots are then scanned (and go into a locked container for possible audit or hand recount). There are checksums involved (number of people signing in, ballots handed out, ballots spoiled and replaced, ballots counted) and any discrepancies must be explained.

The post-election audits are important, and need to be sufficiently frequent so that systemic errors will get detected. Results that are sufficiently close (say, 0.5%) get recounted by hand. We did that once for the entire state (10 million or so ballots).
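An added illustration (not part of the post or of any comment, and not any election office's software) of the ballot-accounting counts listed in the comment above, together with the post's straight-party plausibility argument, run over constructed precinct returns. The field names, the vote-for-one race and the `min_share` threshold are assumptions.

```python
from dataclasses import dataclass


@dataclass
class PrecinctReturn:
    name: str
    signed_in: int         # voters who signed the poll book
    ballots_issued: int    # ballots handed out, replacements included
    ballots_spoiled: int   # ballots spoiled and replaced
    ballots_counted: int   # ballots the tabulator reports
    straight_party: dict   # party -> straight-ticket ballots cast
    race_votes: dict       # candidate -> (party, votes), one vote-for-one race


def reconcile(p, min_share=0.5):
    """Return a list of finding codes for one precinct; empty means clean.

    min_share is an assumed tolerance: a candidate is expected to receive at
    least this fraction of their party's straight-ticket ballots, which leaves
    room for voters who override the straight-party choice in this race.
    """
    findings = []
    # Every signed-in voter should account for exactly one live ballot.
    live_ballots = p.ballots_issued - p.ballots_spoiled
    if live_ballots != p.signed_in:
        findings.append("issued_vs_signed_in")
    # The tabulator should have counted every live ballot, and no more.
    if p.ballots_counted != live_ballots:
        findings.append("counted_vs_issued")
    # A vote-for-one race cannot have more votes than ballots counted.
    race_total = sum(votes for _party, votes in p.race_votes.values())
    if race_total > p.ballots_counted:
        findings.append("race_total_exceeds_ballots")
    # Plausibility floor derived from the straight-ticket count.
    for candidate, (party, votes) in sorted(p.race_votes.items()):
        floor = int(min_share * p.straight_party.get(party, 0))
        if votes < floor:
            findings.append(f"low_vs_straight_party:{candidate}")
    return findings


def audit(precincts, min_share=0.5):
    """Map precinct name -> findings, listing only precincts with findings."""
    report = {}
    for p in precincts:
        findings = reconcile(p, min_share)
        if findings:
            report[p.name] = findings
    return report


# Constructed sample returns; every name and number here is made up.
SAMPLE = [
    PrecinctReturn("Precinct A", 400, 404, 4, 400,
                   {"D": 120, "R": 110},
                   {"Candidate X": ("D", 190), "Candidate Y": ("R", 185)}),
    # Counts balance, yet Candidate X has zero votes against 100 straight-D ballots.
    PrecinctReturn("Precinct B", 350, 352, 2, 350,
                   {"D": 100, "R": 90},
                   {"Candidate X": ("D", 0), "Candidate Y": ("R", 170)}),
    # Two more live ballots than sign-ins, and one live ballot never counted.
    PrecinctReturn("Precinct C", 300, 305, 3, 301,
                   {"D": 80, "R": 70},
                   {"Candidate X": ("D", 140), "Candidate Y": ("R", 150)}),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, findings)
```

Precinct B shows why ballot accounting alone is not enough: its counts reconcile, and only the per-race check or a comparison against the paper ballots exposes the bad tally.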

Jon • December 6, 2019 1:09 AM

On Ballot receipts: There ought to be a better way.

Keep in mind there's no such thing as a perfectly 'secret' ballot. If someone is forcing you at gunpoint to wear a clandestine body camera into the voting booth, there's not much we can do about that.

But the receipt shouldn't be a copy of the ballot. It should be a separate, large, random, number printed (say) on the top and the bottom of the ballot. Then you tick the relevant boxes, tear off the top of the ballot (which has only the number on it) and throw the bottom half of the ballot (with the votes and the number) into a box.

Then, if you personally, with your ID, wish to see your ballot, you present yourself and your number, and your ballot is found and shown to you and you alone in a private and secure location.

This also allows the government to print lists of numbers, indicating 'these ballots were counted, these ballots were spoiled, &c.', and you can look up your own ballot number and find out what happened to it.

(Accurate counting is another can o' worms. Not going into that now).

Or something like that. If anyone has a better idea, or can shoot a huge hole in that one, let me know.

In other news, one more very important function of voting machinery is the randomization of the order of people on the ballot. Statistically, people listed first have a huge advantage - randomizing the order removes that (and see the 'butterfly ballot' in Florida's 2000 election...)

"It doesn't matter who votes. What matters is who counts the votes". Attributed to Josef Stalin. J.

David • December 6, 2019 1:25 AM

In many countries taking a photograph, or forcing someone to take one, of a ballot paper can get you a long jail term.

me • December 6, 2019 3:10 AM

The problem of voting machines is that you replace something material, touchable, seeable, feelable, provable by something ethereal, like magnetic or electric fields which nobody can see and trace without complicated tools, and which are less stable and changeable with just a little energy.

So this changes a vote supported by proofs with kind of common and rather proven notarial qualities to something akin to mere hearsay.

Putting software into politics, which in today's world ultimately is powered by hard material powers like bullets of police officers, might well spell the end of democracy as we know it.


Btw. (OT) @ 1&1~=Umm:
That's one funny nick if you know just the first 10 words of Arabic ;-)

Ergo Sum • December 6, 2019 6:55 AM

Quote from the NY Times article:

> “People were questioning, and even I questioned, that if some of the numbers are wrong, how do we know that there aren’t mistakes with anything else?” said Matthew Munsey, the chairman of the Northampton County Democrats, who, along with Ms. Snover, was among the observers as county officials worked through the night to feed the paper ballots by hand through scanning machines.

The fact that the votes were recounted using the paper ballots and showed the correct result brings up some issues.

The chances are that there had been no glitches with the screen, the input device, where the voter made his/her selection. Except for few reported issues, where the paper ballot display did not match the screen or the voter's selection, that the voters could reset and start over.

It seems that the issue was within the software code, that tallied the votes for the office in question. It's unlikely that this was a glitch in the system, especially if the votes for other offices tallied correctly. It is certainly an option, that the office in question tallying process had been modified by the voting system administrator. Most had been a rookie administrator, a seasoned one would not make the modification this obvious.

Since the paper ballots were correct... Why not just scan and tally the paper ballots, separate from the digital voting system, prior to dropping them in to a locked box? Making the tallied paper ballots the official result would eliminate any glitches, intended or unintended, to the digital voting system.

Oh wait, that would also eliminate DNC/GOP making their preferred candidates the winners. Never mind...

Pocono Chuck • December 6, 2019 7:20 AM

@Jon - that is the first reasonable explanation I've read for a paper receipt. I'll wager the majority of receipts would be discarded, but I imagine poll observers could scoop them up and use them to audit the public record of counted ballots.

This leaves out write-in candidates, but they're typically in single digit percentages or less.

jbmartin6 • December 6, 2019 7:37 AM

An interesting side note, the state of Pennsylvania has a law requiring a certain percentage of votes be manually audited after an election. This was a quiet but huge factor in the last presidential election where there were a lot of suspicions of election fraud. The state was a close contest, but the audits showed the results were kosher.

Electron 007 • December 6, 2019 11:59 AM

> judge's race ... candidate ... a Democrat

No. Just no. Judges are not supposed to be partisan. Not where I'm from at any rate.

It's too bad. All politics is local, and we would have lost all pretense of an impartial trial, if that election had been allowed to proceed as planned.

To allow partisan candidates to run for judge on a public ballot was never a bona fide election in the first place. Kick the pizza-and-beer party out of the courthouse, stop the false and frivolous red-light district rape charges, and try again. City hall wanted hackable electronic elections without auditing or accountability. They thought they were technically proficient enough to secure the elections for their favored candidates. Instead they were hacked by the opposing party.

We little people have no say anymore in matters of government and politics, despite the 12th, 13th, 14th, 15th, 17th, 19th, 20th, 22nd, 23rd, 24th, 25th, 26th and 27th Amendments of the U.S. Constitution.

Jesse Thompson • December 6, 2019 6:58 PM

@David Leppik

Hey, I love the idea of cell-phone snapshots of filled in ballots.

1: Fill in the ballot
2: snapshot
3: Tear up the ballot and tell the handlers "woops, I need a new one". :)

James • December 6, 2019 8:30 PM

@Jesse

> One part of the article confuses me as it seems to imply that a touch screen issue was (mostly at least) to blame. How does a touch screen issue only impact the digital record and not the paper record? Maybe I missed something, but it seems like there is more to it.

From the article,

> Though there has been no conclusive study as to what caused the machines to malfunction, as the machines are locked away for 20 days after an election according to state law, the prevailing theory is that the touch screens were plagued by a bug in the software.

I get the same impression as you from the article, and I'm equally bothered by it. While other excerpts from the article do suggest that there were ALSO glitches with the touch screen, that in no way shape or form explains a discrepancy from the printed and electronic records. If the system had the right information to correctly print the ballot, then it had the right information to record in the electronic record. The same "cast" button initiated recording the info to the USB drive and advanced the printed ballot into the collection box behind the machine. That pretty much eliminates the screen as the culprit.

It would appear to me that the screen is just an easy scapegoat that would be believed by the non-technical and non-analytical. It's a simple "fix" that leaves the machines in circulation.

I also agree with others' sentiments that this was only caught because of the enormous discrepancy. If it was a 55/45 split it would have gone right through without anyone the wiser. I think every race should have been recounted at that point.

Petre Peter • December 7, 2019 7:48 AM

Voting in public squares by a show of hand is instantly verifiable; however, there is no privacy and how you voted becomes public knowledge. The issue is one of privacy v verification.

Bong-Smoking Primitive Monkey-Brained Spook • December 7, 2019 9:30 AM

@ Petre Peter:

> The issue is one of privacy v verification

Why's voting considered private matter? Do I really care if everybody knows I voted for A or B? No!

Seems "free society" is an abstract concept. If it were really free, no one would consider this matter "private".

> however, there is no privacy

Is that a fact? There's a solution: vote on Halloween, with costumes, masks, and all. Twenty five Elvis Presley's, play the Trumpet and sing "You ain't nothing but a hound dog" and vote ;)

chrisl • December 7, 2019 11:44 AM

@BSPMBS:

It matters if voting is private because if your vote is public you can sell it and the buyer can verify that you voted as advertised. If it's private, someone can try to buy your vote but has no way to verify that you voted the way they paid you to.

Bong-Smoking Primitive Monkey-Brained Spook • December 7, 2019 12:29 PM

chrisl:

> if your vote is public you can sell it and the buyer can verify...

Sounds there're still ways to prove to the buyer. And "private" voting has been known to be "paid for" too. But I see your point!

David • December 8, 2019 2:55 PM

Ok touch screens have glitches, the calibration can be off. Touching one area can be interpreted as coming from another, but that alone cannot cause a discrepancy betwixt the e-record and the paper one. Could it be hardware only? Does not seem likely with printed circuits but with poor design maybe. Firmware does seem likely. But would be there for all machines with the same firmware. What seems likely to me is an unwieldy setup method. Too much user input required that should have not even been an option or a poorly conceived option that led to unwanted (or wanted but that is giving credit for what is likely not cleverness) results.
I'll be awaiting the outcome.

Electron 007 • December 9, 2019 2:11 PM

@ Medo

> In a pure paper ballot election as we have it in Germany, every interested citizen can watch the process in a polling place of their choosing, starting with the sealing of the empty ballot box in the morning, verifying that people coming in are checked against the registry, that the only ballots going into the box are from those people, that only ballots from the box end up on the table afterwards and that they are counted correctly (counting is done publicly, straight in the polling place after the election if feasible). You can note down the counts and check them against the published results afterwards. You can re-do the sums of all the results for all polling places. Thus everyone can personally verify the entire process.

The problem with 100% paper ballots is that the process is 100% under the control of your local municipal mayor and labor-union local ballot-stuffers, and the ballot box is stuffed 100% full of city hall's favorite candidates.

City hall in America is a confederate totalitarian dictatorship generally in mutiny and rebellion against state and federal government, and in unchecked violation of our civil, constitutional and human rights, not to mention guns are banned and hunting is outlawed because the local town-hall animal-rights party always gets first dibs at stuffing the ballot box after they've trespassed us off the property and filed mental health charges against us in court.

Tell me life is any better under unelected EU gun-control and NATO disarmament Eurocrats? I didn't think so either.
