E-Voting Ballots May Not Be So Secret; Paper Trail Takes Away Anonymity

from the line-'em-up,-match-'em-up dept

Another day, another security problem with e-voting machines. Obviously, one of the biggest requests from people who were nervous about the security of e-voting machines was that all e-voting machines have a verifiable paper trail. Then, at least, there's a way to recount the votes if there are any questions. Unfortunately, even when the e-voting companies finally do add a paper trail, it seems that they muck up the process. As was noted in the recent security analysis of these machines, many of the problems are because they weren't designed from the ground up with security in mind, but rather have security procedures slapped on as extras.

In this case, some Ohio activists discovered that the paper trail coming from e-voting firm Election Systems and Software (ES&S) happens to have time and date stamps on it. Those ballots are available for anyone to look at, based on election law in Ohio. Also available for anyone to peruse are the voter sign-in logs. With both of those in hand, it's not hard to put together a pretty decent list of who voted for what. You just match up the names in the order they signed in with the timestamp on the ballots.

Of course, rather than responding to this as they should, by admitting it was a bad idea, ES&S sends out their PR people to say it's no big deal. While ES&S is right that it might not always be possible to do an exact match person to person, you can come pretty close -- and that should be seen as a huge concern. Furthermore, as Ed Felten points out, the other e-voting firms aren't much better, and Diebold (or Premier, or whatever its new name is) appears to be skirting the truth when it claims that its paper trail doesn't include timestamps (update: Ed Felten points out that the Diebold ballots don't have a time stamp, but the electronic records do). It's not hard to see how this happened, but the continued denial and stonewalling from the e-voting companies, rather than admitting a mistake was made and explaining how they're going to fix things, really is troubling.
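An added example, not code from ES&S, Diebold or this article: a Python sketch of a pre-release check for ballot records, paper or electronic, that flags fields exposing cast order (time-of-day stamps, sequence numbers) and produces a date-only, shuffled copy whose tally is unchanged. The record layout and the field names (`seq`, `cast_at`, `choice`) are assumptions, and the sample data is constructed.

```python
import secrets
from collections import Counter
from datetime import datetime

# Constructed sample records, not real election data. The layout and the
# field names (seq, cast_at, choice) are assumptions made for this example.
RAW_RECORDS = [
    {"seq": 1, "cast_at": "2000-01-01T07:02:14", "choice": "A"},
    {"seq": 2, "cast_at": "2000-01-01T07:05:41", "choice": "B"},
    {"seq": 3, "cast_at": "2000-01-01T07:09:03", "choice": "A"},
    {"seq": 4, "cast_at": "2000-01-01T07:13:57", "choice": "A"},
    {"seq": 5, "cast_at": "2000-01-01T07:16:20", "choice": "B"},
]


def _has_time_of_day(value):
    """True if value is an ISO 8601 string that carries more than a date."""
    if not isinstance(value, str):
        return False
    try:
        datetime.fromisoformat(value)
    except ValueError:
        return False
    return len(value) > 10  # "YYYY-MM-DD" is exactly 10 characters


def audit_release(records):
    """Map each field that exposes cast order to the reason it does."""
    findings = {}
    for field in sorted({key for rec in records for key in rec}):
        values = [rec.get(field) for rec in records]
        if any(_has_time_of_day(v) for v in values):
            findings[field] = "time-of-day"
        elif (len(values) > 1
              and all(isinstance(v, int) for v in values)
              and all(b > a for a, b in zip(values, values[1:]))):
            findings[field] = "sequence"
    return findings


def sanitize_for_release(records, rng=None):
    """Return a date-only copy in random order; the vote content is untouched."""
    rng = rng or secrets.SystemRandom()  # OS CSPRNG: no seed to replay the order
    released = [
        {"cast_on": datetime.fromisoformat(rec["cast_at"]).date().isoformat(),
         "choice": rec["choice"]}
        for rec in records
    ]
    rng.shuffle(released)  # list position must not mirror cast order either
    return released


def tally(records):
    """Count votes per choice; this is all a recount needs from the records."""
    return Counter(rec["choice"] for rec in records)


if __name__ == "__main__":
    print("raw findings:     ", audit_release(RAW_RECORDS))
    released = sanitize_for_release(RAW_RECORDS)
    print("released findings:", audit_release(released))
    print("tally unchanged:  ", tally(released) == tally(RAW_RECORDS))
```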


Reader Comments

  1.  
    RandomThoughts, Aug 21st, 2007 @ 6:46am

    "many of the problems are because they weren't designed from the ground up with security in mind, but rather have security procedures slapped on as extras."

    True, this is pretty much how everything is done. Software runs into this, corporate networks, VoIP networks, they are all thrown out there in a rush to market and then security is considered. It's a heck of a lot harder to secure it after the fact than to build it in, but in the rush to markets, that's what most companies do.

     

  2.  
    Ed Felten, Aug 21st, 2007 @ 6:48am

    slight correction

    I think Mike may have misread my blog post.

    Diebold's electronic records have timestamps, according to the source code study report from the California top-to-bottom review.

    I didn't mean to say that Diebold's paper records have timestamps.

     

  3.  
    Joel Coehoorn, Aug 21st, 2007 @ 7:05am

    At first I didn't think this was a problem. On the one hand you have people who vote straight tickets, and on the other you have people who check every individual race. Plus some people will just be faster at it than others. In the end, there will be a huge discrepancy between the order people signed in and the order in which the ballot was turned in. There's enough uncertainty that you would have a hard time targeting a person and saying with confidence that they voted for or against a candidate.

    However, this doesn't take into account trends or streaks where a group of people all vote the same way at once. In that case, any of the timestamps that may have been swapped will now be swapped with the same vote, and it won't matter that you checked the wrong ballot. And while the natural state would keep this case somewhat less common, two centuries of gerrymandering have resulted in many polling places with high percentages voting one way or another in big races. That raises the likelihood of knowing someone's vote considerably.

    Even with that, I still think timestamps on the ballots are a good idea. I think the solution to the problem is to stop gerrymandering (like that will ever happen) and have a federal exception to open records laws changing the way ballots are requested to preserve privacy.

     

  4.  
    SimonTek (profile), Aug 21st, 2007 @ 7:12am

    hmm

    I keep teasing about building my own voting machine. I think I probably should.

     

  5.  
    Overcast, Aug 21st, 2007 @ 7:26am

    Here's what it should do...

    It should generate a random number with perhaps a date stamp, but not a time stamp.

    That number should be available on a web site, so you can verify who you voted for as a 'check and balance'.

    If done *right* electronic voting could insure fairness, but I don't think that's the agenda of the powers in charge.

     

  6.  
    Deez Right Here, Aug 21st, 2007 @ 7:44am

    Sarcasm

    Diebold a major corporation, more beholden to Republicans than any other party; acting without integrity?
    Who would have thought that in this GW Bush administration; a company would do something unscrupulous?
    I mean to think that code was written in a hurry, rushed out to the public only to be easily manipulated? WOW

    Okay sarcasm over..
    Give me a break, is anybody really surprised? I might sound like a hippie, but this should be Open Source man. An agreed upon standard I think might eliminate the mystery and ability for others to secretly exploit the software. Linux is secure. Why not develop a Linux-based OS around voting machines? Why not have real hackers murder the code to make it bulletproof. Our next President will also be a half a retard.

    2 cents deposited..

     

  7.  
    Deez Right Here, Aug 21st, 2007 @ 7:45am

    Sarcasm

    Diebold a major corporation, more beholden to Republicans than any other party; acting without integrity?
    Who would have thought that in this GW Bush administration; a company would do something unscrupulous?
    I mean to think that code was written in a hurry, rushed out to the public only to be easily manipulated? WOW

    Okay sarcasm over..
    Give me a break, is anybody really surprised? I might sound like a hippie, but this should be Open Source man. An agreed upon standard I think might eliminate the mystery and ability for others to secretly exploit the software. Linux is secure. Why not develop a Linux-based OS around voting machines? Why not have real hackers murder the code to make it bulletproof. At this rate, our next President will also be a half a retard.

    2 cents deposited..

     

  8.  
    Matt Bennett, Aug 21st, 2007 @ 7:45am

    Ok, but fixing this has got to be the easiest thing in the world. It's like a one line fix. Why bother stone-walling when you can be like "oops, sorry, but we'll have it fixed by tomorrow, we're still in Beta, blah, blah....." ?

     

  9.  
    Pandu Rao, Aug 21st, 2007 @ 9:20am

    The Three Ballot Voting System

    Here is a paper from Ron Rivest, the cryptographer: http://theory.csail.mit.edu/~rivest/Rivest-TheThreeBallotVotingSystem.pdf

    Abstract:
    We present a new paper-based voting method with attractive security properties. Not only can each voter verify that her vote is recorded as she intended, but she gets a “receipt” that she can take home that can be used later to verify that her vote is actually included in the final tally. Her receipt, however, does not allow her to prove to anyone else how she voted.

     

  10.  
    Anonymous Coward, Aug 21st, 2007 @ 9:27am

    Re:

    Obviously, it's because no one who matters cares about fixing it. Bloggers can rant all they want to about the real problems surrounding current e-voting technology, but the reality is, that no elected official cares. Most of them are following the party stand (of either party) and are using the flaws of e-voting to cause enough disruption to swing a precinct or district their way, when, if traditional voting methods had been used, it might have gone the other way. The companies aren't going to fix it so long as the politicians are telling them not to.

     

  11.  
    Russ Stebbins, Aug 21st, 2007 @ 9:28am

    This strikes me as less a security concern than an issue of conflicting goals.

    The auditors want to confirm that the voting was done correctly without fraud. This tends to a desire to capture all possible information in great detail. Techdirt has been advocating a paper trail.

    Then there are the open government advocates who want government processes to be as transparent as possible. In Ohio (and it looks like other states do not run into this issue) all documents are public. As an unintended consequence, by putting two documents together you can get a good idea of the voting pattern.

    The question is how to reconcile these goals.

     

  12.  
    Anonymous Coward, Aug 21st, 2007 @ 10:18am

    Re:

    "Here's what it should do...

    "It should generate a random number with perhaps a date stamp, but not a time stamp.

    "That number should be available on a web site, so you can verify who you voted for as a 'check and balance'.

    "If done *right* electronic voting could insure fairness, but I don't think that's the agenda of the powers in charge."

    The problem with any scheme that allows a voter to later verify their own individual vote is that it also enables them to sell their vote, which is illegal, or be subjected to extortion. It works like this:

    1. Person agrees to vote a certain way in return for payment or maybe to keep their job or avoid harm to their family.

    2. Person votes and takes receipt which could be in the form of a secret number or some other token.

    3. Person later uses said receipt to prove how they voted and collect payment or satisfy demands of extortioner.

    That's why voter receipts are a bad idea.

     

  13.  
    Anonymous Coward, Aug 21st, 2007 @ 10:32am

    Re: The Three Ballot Voting System

    "We present a new paper-based voting method with attractive security properties. Not only can each voter verify that her vote is recorded as she intended, but she gets a “receipt” that she can take home that can be used later to verify that her vote is actually included in the final tally. Her receipt, however, does not allow her to prove to anyone else how she voted."
    While this was their original intent, the body of the paper admits that in the end they failed in actually making it immune to vote-selling and extortion schemes.

     

  14.  
    Tsu Dho Nimh, Aug 21st, 2007 @ 10:48am

    Security Cameras

    It seems that it would also be very easy to match time stamps from hidden "security" cameras in the polling place to time stamps on paper trails to detect how people voted.

     

  15.  
    Deez Right Here, Aug 21st, 2007 @ 12:53pm

    Re: The Three Ballot Voting System

    Do we really need another process? I thought the point to go digital was to eliminate that?
    I'm not slamming the idea just want clarification..

     

  16.  
    Reed, Aug 21st, 2007 @ 12:53pm

    Re: Re: Time to end voter anonymity

    Anon commented,"
    The problem with any scheme that allows a voter to later verify their own individual vote is that it also enables them to sell their vote, which is illegal, or be subjected to extortion. It works like this:

    1. Person agrees to vote a certain way in return for payment or maybe to keep their job or avoid harm to their family.

    2. Person votes and takes receipt which could be in the form of a secret number or some other token.

    3. Person later uses said receipt to prove how they voted and collect payment or satisfy demands of extortioner.

    That's why voter receipts are a bad idea."

    Reply:

    I don't agree with you here. I think voter receipts with verification may be the only true way to put a stop to the majority of voter fraud.

    As far as a receipt allowing a voter to sell his vote, I doubt it would matter much. People can already sell their votes if they want and people are bought off all the time for their votes. That's what politics are about. There are laws in place to handle voter fraud already.

    Your argument, although believable, does not mean that a receipt system would inevitably lead to selling of votes and if it did, it would be a hell of a lot easier to prove voter fraud if we used a receipt system.

    I will simply not vote until our system can reach a point where I can verify my own vote along with the rest of my fellow citizens to make sure our votes are actually being counted. I would also like the electoral college to be done away with completely but I don't think politicians would be too keen with that idea.

     

  17.  
    ranon, Aug 21st, 2007 @ 1:20pm

    Extremely high error rate

    The process to identify the voter from the time stamp will have a very high error rate, even if the list is mismatched by a few voters.

    e.g. let us take a 50% sample (for simplicity D,R,D,R,D,R). With a mismatch of 1 voter, the process will have a 100% error rate and will be useless.

    So it seems it is not so much of a problem after all.

     

  18.  
    Anonymous Coward, Aug 21st, 2007 @ 1:58pm

    Re: Re: Re: Time to end voter anonymity

    "People can already sell their votes if they want and people are bought off all the time for their votes."
    You make this claim but you fail to explain how it happens in an anonymous voting system. Do you mean that payments for an illegal and dishonorable enterprise are then based on the honor system? That seems unlikely to me. Please point to some reliable reports of this happening. While you are entitled to your own opinion, you are not entitled to your own set of facts.

    "Your argument, although believable, does not mean that a receipt system would inevitably lead to selling of votes and if it did, it would be a hell of a lot easier to prove voter fraud if we used a receipt system."
    How would voter receipts make it easier to detect vote-selling? Again you make a claim but then don't back it up. Offhand, your comments strike me as being along the lines of a burglar trying to persuade people to leave their keys under their mats and make me question your motives.

     

  19.  
    Mike, Aug 21st, 2007 @ 2:02pm

    Only a problem if sign-in is ordered

    I live in MA. I don't recall signing in. I did check in, but that entailed telling the polling volunteer who I was and where I lived so that my name could be checked off in a large book of registered voters.
    So my name isn't recorded as having entered the polling place after one person and before someone else. This means that there's no way to use a timestamp on my paper vote record to see how I voted.

     

  20.  
    Anonymous Coward, Aug 21st, 2007 @ 2:17pm

    Re: Extremely high error rate

    "The process to identify the voter from the time stamp will have a very high error rate, even if the list is mismatched by a few voters"
    OK, so what are the error rates and probabilities involved here? I am formally trained in such things and would like to see the math behind your assertion.

    "e.g. let us take a 50% sample (for simplicity D,R,D,R,D,R). With a mismatch of 1 voter, the process will have a 100% error rate and will be useless."
    That's far from any kind of mathematical proof of the general case.

    "So it seems it is not so much of a problem after all."
    If you followed the link and read the article you would find that Moyer and Cropcho seem to have been successful in actually doing it. That seems like a problem to me.

     

  21.  
    Anonymous Coward, Aug 21st, 2007 @ 2:25pm

    Re: Only a problem if sign-in is ordered

    "So my name isn't recorded as having entered the polling place after one person and before someone else. This means that there's no way to use a timestamp on my paper vote record to see how I voted"
    Could someone observe you there? If so, couldn't someone observe when you voted and then match that observation to a timestamp?

     

  22.  
    Anonymous Coward, Aug 21st, 2007 @ 3:50pm

    In my district (NJ) you sign the register before you go in the booth to cast your vote. They compare your signature with the one on file.

     

  23.  
    Reed, Aug 21st, 2007 @ 4:35pm

    Re: Re: Re: Re: Time to end voter anonymity

    "You make this claim but you fail to explain how it happens in an anonymous voting system"

    We live in very different worlds I guess. Our system is of course immune to politicians buying peoples' votes through bribery, tax incentives, proposed legislation, etc. (sarcasm off)

    Since peoples' votes are not conducted with a verifiable receipt we are not even sure if their votes are actually counted. This is a no-brainer for me, there is no real anonymity anymore so it should all be done in a completely open fashion.

    "How would voter receipts make it easier to detect vote-selling?"

    Without a receipt who is to say what you voted for anyhow? It would be evidence and that is part of what criminal cases are built on. If you have a witness saying someone paid you to vote for a candidate and there is proof in the form of a receipt then there is a case.

    Anonymity served us well for many years but its time has passed in my mind for massive elections. We have to change our practices to account for technology and opening up voting for everyone to monitor is one way we could move forward in the 21st Century.

     

  24.  
    Anonymous Coward, Aug 21st, 2007 @ 5:57pm

    Re: Re: Re: Re: Re: Time to end voter anonymity

    "We live in very different worlds I guess. Our system is of course immune to politicians buying peoples' votes through bribery, tax incentives, proposed legislation, etc. (sarcasm off)"
    Yes, we do live in different worlds: Mine is not imaginary. If you have some examples of US politicians buying anonymous votes then please provide them. Otherwise I believe that you are just trolling or have no idea what vote-buying is about.

    "Since peoples' votes are not conducted with a verifiable receipt we are not even sure if their votes are actually counted."
    That's what elections systems with observers, judges, sealed ballot boxes, etc. are all about. You sound like you think that traditional elections are just conducted on some kind of honor system or something which just isn't the truth.

    "If you have a witness saying someone paid you to vote for a candidate and there is proof in the form of a receipt then there is a case."
    It is illegal to agree to accept payment for your vote whether you actually follow through with it or not, a receipt would make difference. I don't know where you got the idea that a receipt is needed. Either that or you're just making more stuff up like you've been doing.

    "We have to change our practices to account for technology and opening up voting for everyone to monitor is one way we could move forward in the 21st Century."
    Only if your idea of moving forward in the 21st Century includes an Orwellian voting system where people are afraid to vote freely and elections are shams as a result. No thanks.

     

  25.  
    Chris Brudy, Aug 21st, 2007 @ 10:37pm

    Time stamps not on signature book

    An observer would have to time voters walking into the polls, since no one can tell at the end of the day what time any given signature was inked. Anyway, why bother with it when a modestly sophisticated hacker could plant a virus and steal the entire election while appearing to vote.

    I sound like a luddite, but the day we have hand counted paper ballots will be the day we finally get honest elections again.

     

  26.  
    ranon, Aug 21st, 2007 @ 10:47pm

    Re: Re: Extremely high error rate

    "That's far from any kind of mathematical proof of the general case."

    I am not offering a mathematical proof here. I would leave that to the statisticians. I am just pointing out a likely scenario and how this information is virtually useless.

    "If you followed the link and read the article you would find that Moyer and Cropcho seem to have been successful in actually doing it. That seems like a problem to me."

    I have no doubt that you could get the two lists of voter sign ins and votes with timestamps. However, combining it will not generate any viable data.

     

  27.  
    Anonymous Coward, Aug 22nd, 2007 @ 11:53am

    Re: Re: Re: Extremely high error rate

    "I am not offering a mathematical proof here."
    Obviously. Quit acting like it.

    "I would leave that to the statisticians."
    Good idea.

    "I am just pointing out a likely scenario and how this information is virtually useless."
    And then there you go again. That didn't take long, did it? Likely? How likely? That involves probability and statistics, something you promised to leave to real statisticians. First you almost admit that you don't know what you're talking about, and then you go spouting off again.

    "I have no doubt that you could get the two lists of voter sign ins and votes with timestamps. However, combining it will not generate any viable data."
    That statement is provably false because in this case it did.

     

  28.  
    ranon, Aug 22nd, 2007 @ 1:52pm

    Re: Re: Re: Re: Extremely high error rate

    "And then there you go again. That didn't take long, did it? Likely? How likely? That involves probability and statistics, something you promised to leave to real statisticians. First you almost admit that you don't know what you're talking about, and then you go spouting off again."

    The scenario (50% democrat and 50% republican) is very likely given the voting distribution in the country. With that you get a 100% error rate, with 1 mismatch. With other scenarios, (with maybe more than 1 mismatch), error rates may be 70% or 80% or more. The data to be viable has to have a low error rate (of the order of a few percentage points). So this explains why the data is not viable. Now is that simple enough for you?

     

  29.  
    Anonymous Coward, Aug 22nd, 2007 @ 2:54pm

    Re: Re: Re: Re: Re: Extremely high error rate

    "Now is that simple enough for you?"
    Simple enough to show your continuing ignorance. Go get some formal education in the subject, then come back with the math to back it up. Of course, you won't do that as it would destroy the blissful ignorance in which you live.

     

  30.  
    PaulC aka mrbios, May 19th, 2008 @ 12:36am

    Selling votes?

    Receipts are a great idea that's why you get them every time you charge something on your credit or atm card.

    It is NOT illegal to get a receipt of how you voted as long as your name and personal identifying info is not on it.

    You CAN sell your vote even easier with a write in ballot. Just sign the ballot and take it to the purchaser to fill in the ovals or circles. They then put your pre-signed ballot in the mail and that way they vote for you.

    C'mon people wake up! The receipt is a great idea that's why special interests countered it with the bogus claim that it allows you to sell your vote.

    By the way how do you buy votes if it is illegal? Run an ad on TV saying discreet vote buying? Give me a break! Don't be fooled receipts ensure honesty followed by random surveys.

     
