E-Voting Ballots May Not Be So Secret; Paper Trail Takes Away Anonymity

from the line-'em-up,-match-'em-up dept

Another day, another security problem with e-voting machines. Obviously, one of the biggest requests from people who were nervous about the security of e-voting machines was that all e-voting machines have a verifiable paper trail. Then, at least, there’s a way to recount the votes if there are any questions. Unfortunately, even when the e-voting companies finally do add a paper trail, it seems that they muck up the process. As was noted in the recent security analysis of these machines, many of the problems are because they weren’t designed from the ground up with security in mind, but rather have security procedures slapped on as extras.

In this case, some Ohio activists discovered that the paper trail coming from e-voting firm Election Systems and Software (ES&S) happen to have time and date stamps on them. Those ballots are available for anyone to look at, based on election law in Ohio. Also available for anyone to peruse are the voter sign-in logs. With both of those in hand, it’s not hard to put together a pretty decent list of who voted for what. You just match up the names in the order they signed in with the timestamp on the ballots.

Of course, rather than responding to this as they should, by admitting it was a bad idea, ES&S sends out their PR people to say it’s no big deal. While ES&S is right that it might not always be possible to do an exact match person to person, you can come pretty close — and that should be seen as a huge concern. Furthermore, as Ed Felten points out, the other e-voting firms aren’t much better, and Diebold (or Premiere, or whatever its new name is) appears to be outright lying skirting the truth when it claims that its paper trail doesn’t include timestamps (update:: Ed Felten points out that the Diebold ballots don’t have a time stamp, but the electronic records do). It’s not hard to see how this happened, but the continued denial and stonewalling from the e-voting companies, rather than admitting a mistake was made and explaining how they’re going to fix things, really is troubling.

Filed Under: ,
Companies: diebold, es&s, hart intercivic, sequoia

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “E-Voting Ballots May Not Be So Secret; Paper Trail Takes Away Anonymity”

Subscribe: RSS Leave a comment
30 Comments
RandomThoughts (user link) says:

“many of the problems are because they weren’t designed from the ground up with security in mind, but rather have security procedures slapped on as extras.”

True, this is pretty much how everything is done. Software runs into this, corporate networks, VoIP networks, they are all thrown out there in a rush to market and then security is considered. Its a heck of a lot harder to secure it after the fact than to build it in, but in the rush to markets, thats what most companies do.

Joel Coehoorn says:

At first I didn’t think this was a problem. On the one hand you have people who vote straight tickets, and on the other you have people who check every individual race. Plus some people will just be faster at it than others. In the end, there will be a huge discrepancy between the order people signed in and the order in which the ballot was turned in. There’s enough uncertainty that you would have a hard time targeting a person and saying with confidence that they voted for or against a candidate.

However, you this doesn’t take into account trends or streaks where a group of people all vote the same way at once. In that case, any of the timestamps that may have been swapped will now be swapped with the same vote, and it won’t matter that you checked the wrong ballet. And while the natural state would keep this case somewhat less common, two centuries of gerrymandering have resulting in many polling places with high percentages voting one or another in big races. That raises the likelihood of knowing someone’s vote considerably.

Even with that, I still think timestamps on the ballots are a good idea. I think the solution to the problem is to stop gerrymandering (like that will ever happen) and have a federal exception to open records laws changing the way ballots are requested to preserve privacy.

Overcast says:

Here’s what it should do…

It should generate a random number with perhaps a date stamp, but not a time stamp.

That number should be available on a web site, so you can verify who you voted for as a ‘check and balance’.

If done *right* electronic voting could insure fairness, but I don’t think that’s the agenda of the powers in charge.

Anonymous Coward says:

Re: Re:

Here’s what it should do…

It should generate a random number with perhaps a date stamp, but not a time stamp.

That number should be available on a web site, so you can verify who you voted for as a ‘check and balance’.

If done *right* electronic voting could insure fairness, but I don’t think that’s the agenda of the powers in charge.


The problem with any scheme that allows a voter to later verify their own individual vote is that it also enables them to sell their vote, which is illegal, or be subjected to extortion. It works like this:

1. Person agrees to vote a certain way in return for payment or maybe to keep their job or avoid harm to their family.

2. Person votes and takes receipt which could be in the form of a secret number or some other token.

3. Person later uses said receipt to prove how they voted and collect payment or satisfy demands of extortioner.

That’s why voter receipts are a bad idea.

Reed says:

Re: Re: Time to end voter anonymity

Anon commented,”
The problem with any scheme that allows a voter to later verify their own individual vote is that it also enables them to sell their vote, which is illegal, or be subjected to extortion. It works like this:

1. Person agrees to vote a certain way in return for payment or maybe to keep their job or avoid harm to their family.

2. Person votes and takes receipt which could be in the form of a secret number or some other token.

3. Person later uses said receipt to prove how they voted and collect payment or satisfy demands of extortioner.

That’s why voter receipts are a bad idea.”

Reply:

I don’t agree with you here. I think voter receipts with verification may be the only true way to put a stop to the majority of voter fraud.

As far as a receipt allowing a voter to sell his vote, I doubt it would matter much. People can already sell their votes if they want and people are bought off all the time for their votes. Thats what politics are about. There are laws in place to handle voter fraud already.

Your argument, although believable, does not mean that a receipt system would inevitably lead to selling of votes and if it did, it would be a hell of a lot easier to prove voter fraud if we used a receipt system.

I will simply not vote until our system can reach a point were I can verify my own vote along with the rest of my fellow citizens to make sure our votes are actually being counted. I would also like the electoral college to be done away with completely but I don’t think politicians would be to keen with that idea.

Anonymous Coward says:

Re: Re: Re: Time to end voter anonymity

People can already sell their votes if they want and people are bought off all the time for their votes.

You make this claim but you fail to explain how it happens in an anonymous voting system. Do you mean that payments for an illegal and dishonorable enterprise are then based on the honor system? That seems unlikely to me. Please point to some reliable reports of this happening. While you are entitled to your own opinion, you are not entitled to your own set of facts.

Your argument, although believable, does not mean that a receipt system would inevitably lead to selling of votes and if it did, it would be a hell of a lot easier to prove voter fraud if we used a receipt system.

How would voter receipts make it easier to detect vote-selling? Again you make a claim but then don’t back it up. Offhand, you comments strike me as being along the lines of a burglar trying to persuade people to leave their keys under their mats and make me question your motives.

Reed says:

Re: Re: Re:2 Time to end voter anonymity

“You make this claim but you fail to explain how it happens in an anonymous voting system”

We live in very different worlds I guess. Our system is of course immune to politicians buying peoples’ votes through bribery, tax incentives, proposed legislation, etc. (sarcasm off)

Since peoples’ votes are not conducted with a verifiable receipt we are not even sure if their votes are actually counted. This is a no-brainer for me, there is no real anonymity anymore so it should all be done it a completely open fashion.

“How would voter receipts make it easier to detect vote-selling?”

Without a receipt who is to say what you voted for anyhow? It would be evidence and that is part of what criminal cases are built on. If you have a witness saying someone paid you to vote for candidate and there is proof in the form of a receipt then there is a case.

Anonymity served us well for many years but its time has passed in my mind for massive elections. We have to change our practices to account for technology and opening up voting for everyone to monitor is one way we could move forward in the 21st Century.

Anonymous Coward says:

Re: Re: Re:3 Time to end voter anonymity

We live in very different worlds I guess. Our system is of course immune to politicians buying peoples’ votes through bribery, tax incentives, proposed legislation, etc. (sarcasm off)

Yes, we do live in different worlds: Mine is not imaginary. If you have some examples of US politicians buying anonymous votes then please provide them. Otherwise I believe that you are just trolling or have no idea what vote-buying is about.

Since peoples’ votes are not conducted with a verifiable receipt we are not even sure if their votes are actually counted.

That’s what elections systems with observers, judges, sealed ballot boxes, etc. are all about. You sound like you think that traditional elections are just conducted on some kind of honor system or something which just isn’t the truth.

If you have a witness saying someone paid you to vote for candidate and there is proof in the form of a receipt then there is a case.

It is illegal to agree to accept payment for your vote whether you actually follow through with it or not, a receipt would make difference. I don’t know were got the idea that a receipt is needed. Either that or you’re just making more stuff up like you’ve been doing.

We have to change our practices to account for technology and opening up voting for everyone to monitor is one way we could move forward in the 21st Century.

Only if your idea of moving forward in the 21st Century includes an Orwellian voting system where people are afraid to vote freely and elections are shams as a result. No thanks.

PaulC aka mrbios says:

Re: Re: Selling votes?

Receipts are a great idea that’s why you get them everytime you charge something on your credit or atm card.

It is NOT illega to get a receipt of how you voted as long as your name and personal identifying info is no on it.

You CAN sell your vote even easier with a write in ballot. Just sign the ballet and take it to the purchaser to fillin the ovals or circles. They then put your pre-signed ballot in the mail and that way they vote for you.

C’mon people wake up! The receipt is a great idea that’s why special interests countered it with the bogus claim that it allows you to sell your vote.

By the way how do you buy votes if it is illegal? Run an add on tv saying descrete vote buying? Give me a break! Don’t be fooled receipts ensure honesty followed by random surveys.

Deez Right Here says:

Sarcasm

Diebold a major corporation, more beholden to Republicans than any other party; acting without integrity?
Who would have thought that in this GW Bush administration; a company would do something unscrupulous?
I mean to think that code was written in a hurry, rushed out to the public only to be easily manipulted? WOW

Okay sarcasm over..
Give me a break, is anybody really suprprised? I might sound like a hippie, but this should be Open Source man. An agreed upon standard I think might eliminate the mystery and ability for others to secretly exaploit the software. Linux is secure. Why not develop a Linux based os around voting machines? Why not have real hackers murder the code to make it bulletproof. Our next Preseident will also be a half a retard.

2 cents deposited..

Deez Right Here says:

Sarcasm

Diebold a major corporation, more beholden to Republicans than any other party; acting without integrity?
Who would have thought that in this GW Bush administration; a company would do something unscrupulous?
I mean to think that code was written in a hurry, rushed out to the public only to be easily manipulted? WOW

Okay sarcasm over..
Give me a break, is anybody really suprprised? I might sound like a hippie, but this should be Open Source man. An agreed upon standard I think might eliminate the mystery and ability for others to secretly exaploit the software. Linux is secure. Why not develop a Linux based os around voting machines? Why not have real hackers murder the code to make it bulletproof. At this rate, our next Preseident will also be a half a retard.

2 cents deposited..

Anonymous Coward says:

Re: Re:

Obviously, it’s because no one who matters cares about fixing it. Bloggers can rant all they want to about the real problems surrounding current e-voting technology, but the reality is, that no elected official cares. Most of them are following the party stand (of either party) and are using the flaws of e-voting to cause enough disruption to swing a precinct or district their way, when, if traditional voting methods had been used, it might have gone the other way. The companies aren’t going to fix it so long as the politicians are telling them not to.

Pandu Rao (profile) says:

The Three Ballot Voting System

Here is a paper from Ron Rivest, the cryptographer:
http://theory.csail.mit.edu/~rivest/Rivest-TheThreeBallotVotingSystem.pdf

Abstract:

We present a new paper-based voting method with attractive security properties. Not only can each voter verify that her vote is recorded as she intended, but she gets a “receipt” that she can take home that can be used later to verify that her vote is actually included in the final tally. Her receipt, however, does not allow her to prove to anyone else how she voted.

Anonymous Coward says:

Re: The Three Ballot Voting System

We present a new paper-based voting method with attractive security properties. Not only can each voter verify that her vote is recorded as she intended, but she gets a “receipt” that she can take home that can be used later to verify that her vote is actually included in the final tally. Her receipt, however, does not allow her to prove to anyone else how she voted.

While this was their original intent, the body of the paper admits that in the end they failed in actually making it immune to vote-selling and extortion schemes.

Russ Stebbins says:

This strikes me as less a security concern as an issue of conflicting goals.

The auditors want to confirm that the voting was done correctly without fraud. This tends to a desire to capture all possible information is great detail. Techdirt has been advocating a paper trail.

Then there is the open government advocates which want government processes to be as transparent as possible. In Ohio (and it looks like other states do not run into this issue) all documents are public. As an unintended consequent, by putting two documents together you can get a good idea of the voting pattern.

The question is how to reconcile these goals.

ranon says:

Extremely high error rate

The process to identify the voter from the time stamp will have a very high error rate, even if the list is mismatched by a few voters.

e.g. let us take a 50% sample (for simplicity D,R,D,R,D,R). With a mismatch of 1 voter, the the process will have a 100% error rate and will be useless.

So it seems it is not so much of a problem after all.

Anonymous Coward says:

Re: Extremely high error rate

The process to identify the voter from the time stamp will have a very high error rate, even if the list is mismatched by a few voters

OK, so what are the error rates and probabilities involved here? I am formally trained in such things and would like to see the math behind your assertion.

e.g. let us take a 50% sample (for simplicity D,R,D,R,D,R). With a mismatch of 1 voter, the the process will have a 100% error rate and will be useless.

That’s far from any kind of mathematical proof of the general case.

So it seems it is not so much of a problem after all.

If you followed the link and read the article you would find that Moyer and Cropcho seem to have been successful in actually doing it. That seems like a problem to me.

ranon says:

Re: Re: Extremely high error rate

That’s far from any kind of mathematical proof of the general case.

I am not offering a mathematical proof here. I would leave that to the statisticians. I am just pointing out a likely scenario and how this information is virtually useless.

If you followed the link and read the article you would find that Moyer and Cropcho seem to have been successful in actually doing it. That seems like a problem to me.

I have no doubt that you could get the two lists of voter sign ins and votes with timestamps. However combining it, will not generate any viable data.

Anonymous Coward says:

Re: Re: Re: Extremely high error rate

I am not offering a mathematical proof here.

Obviously. Quit acting like it.

I would leave that to the statisticians.

Good idea.

I am just pointing out a likely scenario and how this information is virtually useless.

And then there you go again. That didn’t take long, did it? Likely? How likely? That involves probability and statistics, something you promised to leave to real statisticians. First you almost admit that you don’t know what you’re talking about, and then you go spouting off again.

I have no doubt that you could get the two lists of voter sign ins and votes with timestamps. However combining it, will not generate any viable data.

That statement is provably false because in this case it did.

ranon says:

Re: Re: Re:2 Extremely high error rate

And then there you go again. That didn’t take long, did it? Likely? How likely? That involves probability and statistics, something you promised to leave to real statisticians. First you almost admit that you don’t know what you’re talking about, and then you go spouting off again.

The scenario (50% democrat and 50% republican) is very likely given the voting distribution in the country. With that you get an 100% error rate, with 1 mismatch. With other scenarios, (with maybe more than 1 mismatch), error rates may be 70% or 80% or more. The data to be viable has to have a low error rate (of the order of a few percentage points). So this explains why the data is not viable. Now is that simple enough for you?

Mike says:

Only a problem if sign-in is ordered

I live in MA. I don’t recall signing in. I did check in, but that entailed telling the polling volunteer who I was and where I lived so that my name could be checked off in a large book of registered voters.
So my name isn’t recorded as having entered the polling place after one person and before someone else. This means that there’s no way to use a timestamp on my paper vote record to see how I voted.

Anonymous Coward says:

Re: Only a problem if sign-in is ordered

So my name isn’t recorded as having entered the polling place after one person and before someone else. This means that there’s no way to use a timestamp on my paper vote record to see how I voted

Could someone observe you there? If so, couldn’t someone observe when you voted and then match that observation to a timestamp?

Chris Brudy says:

Time stamps not on signature book

An observer would have to time voters walking into the polls, since no one can tell at the end of the day what time any given signature was inked. Anyway, why bother with it when a modestly sophisticated hacker could plant a virus and steal the entire election while appearing to vote.

I sound like a luddite, but the day we have hand counted paper ballots will be the day we finally get honest elections again.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...