E-Voting Ballots May Not Be So Secret; Paper Trail Takes Away Anonymity
from the line-'em-up,-match-'em-up dept
Another day, another security problem with e-voting machines. Obviously, one of the biggest requests from people who were nervous about the security of e-voting machines was that all e-voting machines have a verifiable paper trail. Then, at least, there’s a way to recount the votes if there are any questions. Unfortunately, even when the e-voting companies finally do add a paper trail, it seems that they muck up the process. As was noted in the recent security analysis of these machines, many of the problems are because they weren’t designed from the ground up with security in mind, but rather have security procedures slapped on as extras.
In this case, some Ohio activists discovered that the paper trail coming from e-voting firm Election Systems and Software (ES&S) happens to have time and date stamps on it. Those ballots are available for anyone to look at, based on election law in Ohio. Also available for anyone to peruse are the voter sign-in logs. With both of those in hand, it’s not hard to put together a pretty decent list of who voted for what. You just match up the names in the order they signed in with the timestamp on the ballots.
Of course, rather than responding to this as they should, by admitting it was a bad idea, ES&S sends out their PR people to say it’s no big deal. While ES&S is right that it might not always be possible to do an exact match person to person, you can come pretty close — and that should be seen as a huge concern. Furthermore, as Ed Felten points out, the other e-voting firms aren’t much better, and Diebold (or Premier, or whatever its new name is) appears to be skirting the truth when it claims that its paper trail doesn’t include timestamps (update: Ed Felten points out that the Diebold ballots don’t have a time stamp, but the electronic records do). It’s not hard to see how this happened, but the continued denial and stonewalling from the e-voting companies, rather than admitting a mistake was made and explaining how they’re going to fix things, really is troubling.
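To gauge how much a timestamped paper trail leaks once it is joined with an ordered sign-in log, and what dropping the timestamp buys, here is a small simulation on constructed data. It is an added example, not from the article or any vendor; the steady one-per-minute arrival, the booth-time spread and the random storage order used as the mitigation are all assumptions.

```python
import random

def linkage_risk(n_voters=2000, share_a=0.5, booth_spread_s=120,
                 release_timestamps=True, seed=1):
    """Simulate one precinct (constructed data) and return
    (exact_ballot_match_rate, vote_inference_rate) for an order-based join."""
    rng = random.Random(seed)
    # Sign-in log: voter i signs in at minute i (assumed steady arrival).
    votes = ["A" if rng.random() < share_a else "B" for _ in range(n_voters)]
    # Paper record: (cast time in seconds, voter index, choice). Time in the
    # booth varies per voter, so cast order can differ from sign-in order.
    records = [(60 * i + 60 + rng.uniform(0, booth_spread_s), i, votes[i])
               for i in range(n_voters)]
    if release_timestamps:
        released = sorted(records)      # the timestamp reveals cast order
    else:
        released = records[:]           # assumed mitigation: no timestamp and
        rng.shuffle(released)           # records kept in random order
    # The join described in the article: k-th sign-in <-> k-th record.
    exact = sum(1 for k, (_, voter, _) in enumerate(released) if voter == k)
    inferred = sum(1 for k, (_, _, choice) in enumerate(released)
                   if choice == votes[k])
    return exact / n_voters, inferred / n_voters

def chance_baseline(share_a):
    """Accuracy of guessing a vote from the precinct totals alone."""
    return share_a ** 2 + (1 - share_a) ** 2

if __name__ == "__main__":
    for stamped in (True, False):
        exact, inferred = linkage_risk(release_timestamps=stamped)
        print(f"timestamps={stamped}: exact={exact:.2f} "
              f"inferred={inferred:.2f} baseline={chance_baseline(0.5):.2f}")
```

Compare the inferred rate against `chance_baseline`, since a lopsided precinct is largely guessable from its totals alone; raising `booth_spread_s` models more disorder between sign-in and casting.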
Filed Under: e-voting, ohio
Companies: diebold, es&s, hart intercivic, sequoia
Comments on “E-Voting Ballots May Not Be So Secret; Paper Trail Takes Away Anonymity”
“many of the problems are because they weren’t designed from the ground up with security in mind, but rather have security procedures slapped on as extras.”
True, this is pretty much how everything is done. Software runs into this, corporate networks, VoIP networks, they are all thrown out there in a rush to market and then security is considered. It’s a heck of a lot harder to secure it after the fact than to build it in, but in the rush to markets, that’s what most companies do.
slight correction
I think Mike may have misread my blog post.
Diebold’s electronic records have timestamps, according to the source code study report from the California top-to-bottom review.
I didn’t mean to say that Diebold’s paper records have timestamps.
At first I didn’t think this was a problem. On the one hand you have people who vote straight tickets, and on the other you have people who check every individual race. Plus some people will just be faster at it than others. In the end, there will be a huge discrepancy between the order people signed in and the order in which the ballot was turned in. There’s enough uncertainty that you would have a hard time targeting a person and saying with confidence that they voted for or against a candidate.
However, this doesn’t take into account trends or streaks where a group of people all vote the same way at once. In that case, any of the timestamps that may have been swapped will now be swapped with the same vote, and it won’t matter that you checked the wrong ballot. And while the natural state would keep this case somewhat less common, two centuries of gerrymandering have resulted in many polling places with high percentages voting one or another in big races. That raises the likelihood of knowing someone’s vote considerably.
Even with that, I still think timestamps on the ballots are a good idea. I think the solution to the problem is to stop gerrymandering (like that will ever happen) and have a federal exception to open records laws changing the way ballots are requested to preserve privacy.
hmm
I keep teasing about building my own voting machine. I think I probably should.
Here’s what it should do…
It should generate a random number with perhaps a date stamp, but not a time stamp.
That number should be available on a web site, so you can verify who you voted for as a ‘check and balance’.
If done *right* electronic voting could insure fairness, but I don’t think that’s the agenda of the powers in charge.
Re: Re:
The problem with any scheme that allows a voter to later verify their own individual vote is that it also enables them to sell their vote, which is illegal, or be subjected to extortion. It works like this:
1. Person agrees to vote a certain way in return for payment or maybe to keep their job or avoid harm to their family.
2. Person votes and takes receipt which could be in the form of a secret number or some other token.
3. Person later uses said receipt to prove how they voted and collect payment or satisfy demands of extortioner.
That’s why voter receipts are a bad idea.
Re: Re: Time to end voter anonymity
Anon commented, “
The problem with any scheme that allows a voter to later verify their own individual vote is that it also enables them to sell their vote, which is illegal, or be subjected to extortion. It works like this:
1. Person agrees to vote a certain way in return for payment or maybe to keep their job or avoid harm to their family.
2. Person votes and takes receipt which could be in the form of a secret number or some other token.
3. Person later uses said receipt to prove how they voted and collect payment or satisfy demands of extortioner.
That’s why voter receipts are a bad idea.”
Reply:
I don’t agree with you here. I think voter receipts with verification may be the only true way to put a stop to the majority of voter fraud.
As far as a receipt allowing a voter to sell his vote, I doubt it would matter much. People can already sell their votes if they want and people are bought off all the time for their votes. That’s what politics are about. There are laws in place to handle voter fraud already.
Your argument, although believable, does not mean that a receipt system would inevitably lead to selling of votes and if it did, it would be a hell of a lot easier to prove voter fraud if we used a receipt system.
I will simply not vote until our system can reach a point where I can verify my own vote along with the rest of my fellow citizens to make sure our votes are actually being counted. I would also like the electoral college to be done away with completely but I don’t think politicians would be too keen with that idea.
Re: Re: Re: Time to end voter anonymity
You make this claim but you fail to explain how it happens in an anonymous voting system. Do you mean that payments for an illegal and dishonorable enterprise are then based on the honor system? That seems unlikely to me. Please point to some reliable reports of this happening. While you are entitled to your own opinion, you are not entitled to your own set of facts.
How would voter receipts make it easier to detect vote-selling? Again you make a claim but then don’t back it up. Offhand, your comments strike me as being along the lines of a burglar trying to persuade people to leave their keys under their mats and make me question your motives.
Re: Re: Re:2 Time to end voter anonymity
“You make this claim but you fail to explain how it happens in an anonymous voting system”
We live in very different worlds I guess. Our system is of course immune to politicians buying peoples’ votes through bribery, tax incentives, proposed legislation, etc. (sarcasm off)
Since peoples’ votes are not conducted with a verifiable receipt we are not even sure if their votes are actually counted. This is a no-brainer for me, there is no real anonymity anymore so it should all be done in a completely open fashion.
“How would voter receipts make it easier to detect vote-selling?”
Without a receipt who is to say what you voted for anyhow? It would be evidence and that is part of what criminal cases are built on. If you have a witness saying someone paid you to vote for candidate and there is proof in the form of a receipt then there is a case.
Anonymity served us well for many years but its time has passed in my mind for massive elections. We have to change our practices to account for technology and opening up voting for everyone to monitor is one way we could move forward in the 21st Century.
Re: Re: Re:3 Time to end voter anonymity
Yes, we do live in different worlds: Mine is not imaginary. If you have some examples of US politicians buying anonymous votes then please provide them. Otherwise I believe that you are just trolling or have no idea what vote-buying is about.
That’s what elections systems with observers, judges, sealed ballot boxes, etc. are all about. You sound like you think that traditional elections are just conducted on some kind of honor system or something which just isn’t the truth.
It is illegal to agree to accept payment for your vote whether you actually follow through with it or not, a receipt would make difference. I don’t know where you got the idea that a receipt is needed. Either that or you’re just making more stuff up like you’ve been doing.
Only if your idea of moving forward in the 21st Century includes an Orwellian voting system where people are afraid to vote freely and elections are shams as a result. No thanks.
Re: Re: Selling votes?
Receipts are a great idea that’s why you get them every time you charge something on your credit or ATM card.
It is NOT illegal to get a receipt of how you voted as long as your name and personal identifying info is not on it.
You CAN sell your vote even easier with a write in ballot. Just sign the ballot and take it to the purchaser to fill in the ovals or circles. They then put your pre-signed ballot in the mail and that way they vote for you.
C’mon people wake up! The receipt is a great idea that’s why special interests countered it with the bogus claim that it allows you to sell your vote.
By the way how do you buy votes if it is illegal? Run an ad on TV saying discreet vote buying? Give me a break! Don’t be fooled receipts ensure honesty followed by random surveys.
Sarcasm
Diebold a major corporation, more beholden to Republicans than any other party; acting without integrity?
Who would have thought that in this GW Bush administration; a company would do something unscrupulous?
I mean to think that code was written in a hurry, rushed out to the public only to be easily manipulated? WOW
Okay sarcasm over..
Give me a break, is anybody really surprised? I might sound like a hippie, but this should be Open Source man. An agreed upon standard I think might eliminate the mystery and ability for others to secretly exploit the software. Linux is secure. Why not develop a Linux based OS around voting machines? Why not have real hackers murder the code to make it bulletproof. Our next President will also be a half a retard.
2 cents deposited..
Sarcasm
Diebold a major corporation, more beholden to Republicans than any other party; acting without integrity?
Who would have thought that in this GW Bush administration; a company would do something unscrupulous?
I mean to think that code was written in a hurry, rushed out to the public only to be easily manipulated? WOW
Okay sarcasm over..
Give me a break, is anybody really surprised? I might sound like a hippie, but this should be Open Source man. An agreed upon standard I think might eliminate the mystery and ability for others to secretly exploit the software. Linux is secure. Why not develop a Linux based OS around voting machines? Why not have real hackers murder the code to make it bulletproof. At this rate, our next President will also be a half a retard.
2 cents deposited..
Ok, but fixing this has got to be the easiest thing in the world. It’s like a one line fix. Why bother stone-walling when you can be like “oops, sorry, but we’ll have it fixed by tomorrow, we’re still in Beta, blah, blah…..” ?
Re: Re:
Obviously, it’s because no one who matters cares about fixing it. Bloggers can rant all they want to about the real problems surrounding current e-voting technology, but the reality is, that no elected official cares. Most of them are following the party stand (of either party) and are using the flaws of e-voting to cause enough disruption to swing a precinct or district their way, when, if traditional voting methods had been used, it might have gone the other way. The companies aren’t going to fix it so long as the politicians are telling them not to.
The Three Ballot Voting System
Here is a paper from Ron Rivest, the cryptographer:
http://theory.csail.mit.edu/~rivest/Rivest-TheThreeBallotVotingSystem.pdf
Abstract:
Re: The Three Ballot Voting System
While this was their original intent, the body of the paper admits that in the end they failed in actually making it immune to vote-selling and extortion schemes.
Re: The Three Ballot Voting System
Do we really need another process? I thought the point to go digital was to eliminate that?
I’m not slamming the idea just want clarification..
This strikes me as less a security concern than an issue of conflicting goals.
The auditors want to confirm that the voting was done correctly without fraud. This tends to a desire to capture all possible information in great detail. Techdirt has been advocating a paper trail.
Then there are the open government advocates who want government processes to be as transparent as possible. In Ohio (and it looks like other states do not run into this issue) all documents are public. As an unintended consequence, by putting two documents together you can get a good idea of the voting pattern.
The question is how to reconcile these goals.
Security Cameras
It seems that it would also be very easy to match time stamps from hidden “security” cameras in the polling place to time stamps on paper trails to detect how people voted.
Extremely high error rate
The process to identify the voter from the time stamp will have a very high error rate, even if the list is mismatched by a few voters.
e.g. let us take a 50% sample (for simplicity D,R,D,R,D,R). With a mismatch of 1 voter, the process will have a 100% error rate and will be useless.
So it seems it is not so much of a problem after all.
Re: Extremely high error rate
OK, so what are the error rates and probabilities involved here? I am formally trained in such things and would like to see the math behind your assertion.
That’s far from any kind of mathematical proof of the general case.
If you followed the link and read the article you would find that Moyer and Cropcho seem to have been successful in actually doing it. That seems like a problem to me.
Re: Re: Extremely high error rate
That’s far from any kind of mathematical proof of the general case.
I am not offering a mathematical proof here. I would leave that to the statisticians. I am just pointing out a likely scenario and how this information is virtually useless.
If you followed the link and read the article you would find that Moyer and Cropcho seem to have been successful in actually doing it. That seems like a problem to me.
I have no doubt that you could get the two lists of voter sign ins and votes with timestamps. However, combining it will not generate any viable data.
Re: Re: Re: Extremely high error rate
Obviously. Quit acting like it.
Good idea.
And then there you go again. That didn’t take long, did it? Likely? How likely? That involves probability and statistics, something you promised to leave to real statisticians. First you almost admit that you don’t know what you’re talking about, and then you go spouting off again.
That statement is provably false because in this case it did.
Re: Re: Re:2 Extremely high error rate
The scenario (50% democrat and 50% republican) is very likely given the voting distribution in the country. With that you get a 100% error rate, with 1 mismatch. With other scenarios, (with maybe more than 1 mismatch), error rates may be 70% or 80% or more. The data to be viable has to have a low error rate (of the order of a few percentage points). So this explains why the data is not viable. Now is that simple enough for you?
Re: Re: Re:3 Extremely high error rate
Simple enough to show your continuing ignorance. Go get some formal education in the subject, then come back with the math to back it up. Of course, you won’t do that as it would destroy the blissful ignorance in which you live.
Only a problem if sign-in is ordered
I live in MA. I don’t recall signing in. I did check in, but that entailed telling the polling volunteer who I was and where I lived so that my name could be checked off in a large book of registered voters.
So my name isn’t recorded as having entered the polling place after one person and before someone else. This means that there’s no way to use a timestamp on my paper vote record to see how I voted.
Re: Only a problem if sign-in is ordered
Could someone observe you there? If so, couldn’t someone observe when you voted and then match that observation to a timestamp?
In my district (NJ) you sign the register before you go in the booth to cast your vote. They compare your signature with the one on file.
Time stamps not on signature book
An observer would have to time voters walking into the polls, since no one can tell at the end of the day what time any given signature was inked. Anyway, why bother with it when a modestly sophisticated hacker could plant a virus and steal the entire election while appearing to vote.
I sound like a luddite, but the day we have hand counted paper ballots will be the day we finally get honest elections again.