E-Voting Undermines Public Confidence In Elections Even Without Evidence of Wrongdoing
from the conflict-of-interest dept
Are Republican operatives scheming to steal the election in Maryland this fall? Threat Level is reporting that the contract for transporting e-voting machines in the state has been contracted to a company whose president was the head of the state Republican party until 2006. I think the answer is almost certainly “no”: while this certainly looks like a conflict of interest, I suspect it’s no more than an honest oversight that will be quickly corrected. Still, it’s troubling that we even have to worry about who transports voting machines. With ordinary paper ballots, it doesn’t matter who transports them because there’s nothing a moving company can do to undermine the election. But with e-voting machines, a moving company really could install malicious software that would undermine the election. And once an e-voting machines has been tampered with, there’s no reliable mechanism for detecting the problem. Again, there’s no evidence anything untoward has occurred in Maryland. But no matter who transports those e-voting machines, the public is being asked to take it on faith that they won’t be tampered with. In a well-designed voting system, voters shouldn’t have to take anyone’s actions on faith. The entire process should be simple and transparent, so that anyone can observe it and verify that it was carried out correctly. The complexity and opacity of e-voting machines makes effective public scrutiny impossible, and so it’s a bad idea even in the absence of specific evidence of wrongdoing.
Comments on “E-Voting Undermines Public Confidence In Elections Even Without Evidence of Wrongdoing”
'transparency'
This is why paper ballots work. Everybody can see their ‘vote’ going into a locked box. Everybody knows what’s involved in tampering with the vote, people can volunteer to help count, or watch the counting and make sure it’s done accurately and fairly.
With a computer program, most people don’t really know what’s going on, they have to blindly trust that the computer program is doing the right thing. And it doesn’t even matter if the code is secure, audited, or even open source, because we still don’t know that the code we saw is exaactly what is running inside the voting machines. The Open Source voting thing is a red herring, we need Dead Tree Voting!
The way around this is to make each step of the electronic voting process more ‘transparent’.
Voters can enter their choices on a touchscreen but the result, the actual ‘vote’ is a piece of human-readable paper that they can look at, verify, then deposit into a locked box watched over by volunteers from both parties. It doesn’t matter how the code works, each voter can check for themselves that the result is what they entered.
Votes can be counted by optical scanner, but at any point, for any reason at all, those results can be checked by human volunteers from both parties. It doesn’t matter what code is in the OCR machines, humans check that the machine is producing correct results.
Dirty Republicans
That’s a good idea. Go ahead and get some of the “You stole the election!” complaints prepared, ready to deploy when or if the Democrats lose. You should probably go ahead and call Jesse Jackson and have him on standby for his standard discrimination speech at southern election sites.
Maryland's gone sane
Maryland — after wasting millions of dollars and multiple years, and after holding several elections whose results cannot be verified — is
going back to a verifiable system.
Zcat’s got it right: there are far too many ways to compromise the integrity of any computer-based system, even one that takes the rudimentary and dead-obvious step of open-sourcing the software running it. Readers who don’t understand this should read the classic “Reflections on Trusting Trust” by Ken Thompson and keep in mind while reading it Bruce Schneier’s economic analysis of the budget available to someone who can successfully game the national election process.
This isn’t, or certainly shouldn’t be, a partisan issue.
The integrity of the voting process is absolutely crucial to the functioning of government. If it’s undermined — even accidentally — then it really doesn’t matter, in the long run, which person or which party benefited: we all lose.
Nothing a moving company can do?
With piles and piles of blank ballots available? Ah, ye of little imagination.
Not to mention how badly screwed up things will be if those ballots don’t get delivered on time, or at all.
Nothing a moving company can do?
Yes, as has been pointed out many times, in many places, by many people, opportunities for attacks against the integrity of the voting process still exist even in all-paper systems.
The difference is that — in part because those systems are simple, in part because they’ve been around a long time, and in part because they involve the manipulation of physical objects rather than electrical charges — they’re much more difficult to pull off successfully.
For example: suppose the ballots aren’t delivered. Unlike voting machines, they’re not expensive. They’re easily replicable. Ballots from precinct A half a mile away are quite usable at precinct B. Moreover, the non-delivery of ballots at precinct A is very obvious — one reason why such blatant tactics are rarely used.
For another example, consider an attempt to stuff ballots by pre-marking them (say, just for one candidate in one race, not for all) while they’re in transit. Since multiple election judges will see those ballots before they’re issued to voters, and since voters themselves will see them, even if we grant some sloppiness among judges and some poor eyesight to voters, there is still a high probability that
such a scheme will be detected. And schemes that are likely
to be detected aren’t viable.
It would probably be instructive to read about the history of elections in Chicago, long-famous for all kinds of ingenious schemes — some of which worked, some of which didn’t. Consider that people who design election procedures are well aware of all of those, and have engineered the process against them. Sure, that doesn’t prevent a sufficiently ingenious attack from succeeding — but “sufficiently ingenious”, at this point, equates to “extremely ingenious”. (Remember, it’s not enough for
such a scheme to merely change the vote — it also has
to be undetectable.)
Keep in mind as well that for such a scheme to be worth the expense and the risk, it has to have a high probability of producing the desired outcome. That means that it needs
to affect a sufficiently large number of votes, which in turn means that it has to affect a sufficiently large number of sites. (Since a concentrated attack would immediately
draw attention, a distributed attack is required.) This in turn requires additional resources…meaning additional people, meaning increased risk that someone will either
screw up or get caught or turn out to be an informant.
That highlights one of the major differences between computerized and paper systems: with the former, it’s as easy to manipulate the results of 10,000 precincts as one. With the latter, it’s much, much harder.
I’m not sure the Republicans really need to scheme in this Maryland election… our governor is doing a fine job all by himself of driving the votes in that direction, what with the multiple tax increases and whatnot.
Back on topic, though, we had massive (technical and otherwise) problems with the e-voting machines during the last gubernatorial election, and I’m fairly sure that hasn’t helped their cause in our state at least. I’m not sure getting rid of them is the answer, though; I’d like to see them perhaps set aside and tweaked until we get something more reliable, sure, but it seems a waste to say “Well, let’s just throw that $65 million out the window and never speak of it again”. I guess that’s just government.
Why is there a question of conflict of interest? The president had to be either a Democrat or Republican anyway, right?
Or are you saying if the president had been a Democrat, there is no possibility of a conflict of interest?
#6
Celes, a still-better course of action would have been to pay attention to computer security experts (including Maryland’s own Avi Rubin, who works at Johns Hopkins) and NOT waste 65 million dollars on systems that were well-known to be complete failures well in advance of their purchase and deployment.
And mere “tweaks” are absolutely useless: you can’t “tweak” a screen enclosure into becoming a bank vault. Only a complete redesign, starting over from a blank sheet of paper, would suffice.
Which of course raises the question “is it even worth it?” and the answer to that is “no” — because far simpler, far cheaper, far more robust systems are already available.
This is one of those situations where a rush to use technology merely because it was available, or trendy, or well-marketed (translation: “vendor lied convincingly”), or shiny, has resulted in negative consequences.
In the end, the only beneficiaries of this have been (a) the vendors, who clearly were quite willing to sell known-failed technology regardless of its impact on the country and (b) anyone who managed to successfully game the system using that technology. Everyone else lost.
Re: #6
“This is one of those situations where a rush to use technology merely because it was available, or trendy, or well-marketed (translation: “vendor lied convincingly”), or shiny, has resulted in negative consequences.”
In this state, I’d put my money on shiny. Both the local and state governments in MD tend to spend money on “shiny new” whatevers just so that if the whole plan works, they can say they had it early or first. They continue to do it regardless of the fact that it rarely does work, and sadly we the voters don’t pay enough attention to notice, and usually the same folks who are going for the shiny get elected to another office or for another term so that they can do it again.
Voting Machines for Maryland
What, no 30 day warranty?
The machines aren’t even there yet, so if they aren’t going to be used, they can’t be returned?
Seems kind of backwards from how most of the retail world works.
OH wait, its Diebold and the government. I forgot that the government wants to hand them money for free.
Requiring the use of paper ballots because “electronic systems are just too complex” is analogous to stating that we shouldn’t use electronic wire transfers because paper money is the only verifiable means of currency transfer. To think that a paper system is inherently any more secure than an electronic system is foolish. The execution and design of that system (be it paper or electronic) determines it’s security. The media controversy machine is running at full tilt in America these days.
Re: Re:
If each vote were sent immediately and directly to the appropriate candidate, who would then immediately and directly send a receipt confirmation to the voter, your paper/electronic analogy would be accurate.
However, the analogy fails and your argument is baseless.
Re: Re:
If each vote were sent immediately and directly to the appropriate candidate, who would then immediately and directly send a receipt confirmation to the voter, your paper/electronic analogy would be accurate.
However, the analogy fails and your argument is baseless.
Is E-Voting a solution? To which problem?
“In a well-designed voting system, voters shouldn’t have to take anyone’s actions on faith. The entire process should be simple and transparent, so that anyone can observe it and verify that it was carried out correctly.”
Exactly1 This is the SAME concern I expressed one year ago in the “Is E-Voting a solution? To which problem?” (http://digifreedom.net/node/52) chapter of the Family Guide to Digital Freedom (http://digifreedom.net)
Thanks!
Marco
e-voting
Agreed. It’s a little known fact that in most states even the board of elections isn’t allowed access to the voting machine’s code — it’s corporate property and, as such, is proprietary information (like Coca-Cola’s recipe). The testing done on the computers at each election station the day before is no barrier to a malicious coder since the program can behave perfectly “honestly” until the internal clock says “Election Day” and then the Trojan Horse’s and other malware kicks into action.
Paper ballots work because the publicly-counted votes occur at the local precinct level and each count is posted for all to see. Rigging that kind of arrangement would require quite a mega-conspiracy.
It's all about chain of custody...
“With ordinary paper ballots, it doesn’t matter who transports them because there’s nothing a moving company can do to undermine the election.”
Yet, with ordinary paper ballots, it still matters who transports them after the voters have touched them! Not having a tamper able machine only “fixes” the problem up until the voting booth. What happens after that is neither transparent or simple.
As a voter, I don’t trust what happens after my ballot goes into the ballot box, but I don’t have unlimited resources to really check up on it. I have the 20 minutes I spent on election day doing what many consider to be irrational!
Fortunately, there are systems emerging that can give voters a glimpse of what happens after the ballot box. I urge you to check out Punchscan, Scantegrity, and Pret a Voter.
Voting machines have tamper seals
I am a volunteer Officer of Election in the city of Fairfax, VA. We use electronic voting machines. The machines arrive at the polling place completely sealed in plastic cases. There is a tamper seal on the lid embossed with a serial number.
The procedure for putting the voting machines into the cases and sealing them involves multiple people, and multiple, hand-written copies of the serial numbers. These are all verified during the un-packing operation by a different group of people.
The machines themselves have additional seals and safeguards with serial information (such as the number of votes cast at the last election). These values are written down in hand from election to election, and the are cross-checked and compared to the values in the machine during the un-packing operation.
The ballot is electronically stored on data cards separately supervised. Besides being cryptographically secured, the physical access to these cards is secured.
Anyone interested physical tampering with the case would have to duplicate the tamper seals and deal with the encryption, software updates, and ballot card access issues.
I guess this could be done, but my take is it probably couldn’t be done by a single person or group. You’d have to have insider help.
People have thought this problem through. Just saying something is possible doesn’t mean it’s likely.
The point of elections
People think an election is when people say to those in power: “we trust person A” or “we want policy X”
Watching election coverage on TV I don’t blame them, but this is of course completely wrong. The point of elections is in fact the opposite.
Elections is when those in power say to the people: “You want person A in charge… Well maybe personally you trust person B better but your friends, neighbors and even your family all want A, so we are going with person A.”
This is precisely what president Bush said when he was (re)-elected*. He specifically said he had a mandate and would use it. And he did. He used his mandate by ignoring the Kyoto protocol, vetoing healthcare for poor sick children and allowing the GOP the let chemical plants that didn’t want to pay for decent security fences of the hook… all pretty much universally unpopular stuff he figured rightly or wrongly he was entrusted to decide on.
Its when president Bush says this that Kerry voters, (and “person B” voters all over the world) can do two things:
A. Bring out the pitch forks, protest, complain and make lots of noise…. or
B. Talk to their friends and neighbors about A and B using protected free speech… for four peaceful years.
Needles to say, having credible evidence of how you neighbors voted helps in this decision. Electronic voting gives a result, but it doesn’t give any evidence. None.
Now many people will say “Pitchforks? you must be talking about crazy Kenya like stuff”. But westerners cant think its that crazy. Afterall, millions of American tax-dollars and European tax-Euro`s* went into funding the post election protests in the Ukraine and Georgia. And millions have been spend on organizing convincing elections afterward. And perhaps most important of all, lots of money *and time* has been spend on carefully monitoring these elections. (Of course these millions of dollars are nothing compared to the billions in foreign investment, oil pipelines and military bases that followed the election of so called “pro-western” parties)
Those who spend the tax dollars care about convincing elections, at least when it comes to the Ukraine.
So if the voters can’t see the counting then there is not point in holding elections! You don’t hold elections for the voters, or for those elected, you hold them for anyone who wants to observe them. The point of elections is watching your neighbors cast uncoerced votes and then seeing their votes, whether you like them or not.
Its way more convenient and cheaper to hold lots of telephone opinion polls. If you hold big polls once a year or maybe once a month, doesn’t that mean you listen to the electorate better and are therefor more democratic? Its way faster and cheaper than voting by mail, but its not that different.
I am a software engineering student who specializes in embedded systems design and security. Even with all the JTAG debugging equipment and logic analyzers in the world I could not be sure of what I see going on inside a voting computer without asking voters what their vote is and keeping my own tally, possibly on a piece of paper.
All I can say to electronic voters everywhere is don’t leave me, my thirty classmates, the hundreds of other students at my school and the hundreds of thousands at schools like it alone with any voting or tabulation computer… even for a minute.
With paper ballots the ballots are counted by the person you can see counting. With computer the votes are counted by the last programmer to touch the software. Do you even know the name of any of the supposed official DRE programmers? Replacing the software in an x-box or cell phone is harder than replacing it in all voting computer I have read about, which by now must be pretty much all of them. People crack x-boxes to play tens of dollars worth of pirated games and cell phones to get rid of annoying logo`s and expensive contracts all the time.
*) After the supreme court decision the Florida counting went on. The last count done by the major media organizations found that under four ways of counting Kerry won the election!!!!! Also Bush won under four ways of counting 😉 Turns out it was in fact a dead tie 😉
*) Yes some European money didn’t came from taxes but essentially from government slush funds with separate sets of books… thats besides the point.
If you want to pay someone anonymously without either party being able to repudiate the payment then paper money is the way to go. Ask any of the crypto guru`s. They have been trying to come up with ways of doing electronic cash for years. Wire transfers work because all parties can now all details, so the can disagree over the payment after the fact all they want without revealing who they are or how much they paid.
Re: The point of elections
“So if the voters can’t see the counting then there is not [any] point in holding elections!”
This is perhaps a bit overstated. The practical reality is that any time thousands of things have to be counted, there are going to be issues of trust regardless of any counting method used.
In the first place, each individual voter certainly doesn’t want to see each individual vote counted. They will delegate that to an organization such as an Electoral Board to handle the operation. So, that’s a layer of trust.
Secondly, the local government has to select and train people to help with the vote operation itself. Those people need to be honest brokers, and not rig the system from the inside. Individual voters aren’t involved in this selection or training, so, there’s another layer of trust.
Before a person can vote in the first place, they have to be officially recognized by the government. So, all the people who create the voter rolls, and maintain them, they need to be trusted, too.
By the time we get down to the actual machine used to do the counting, one realizes that the real security of the process is based on people. Whether the method of counting is by hand, by optical scan, by software, by voice, or whatever method, people are needed to validate that the count was done properly. So, last of all, the voter needs to trust the people in the polling places, and the auditing groups that verifies those results, all the way up the line.
All that said, I agree that having software-recorded votes is an ultimately opaque process, and that does make me uncomfortable. Doing a re-count means going back and re-verifying the checksums of each of the votes recorded to the primary and backup media, so there is some pretty good assurance that the data gets stored. However, the opaqueness doesn’t let a human re-verify that the original intent was selected properly in the first place.
I think the best answer here is to use electronic _ballot_ machines to generate dual machine- and human-readable ballots, and then automate the counting via optical scan. Such a system could be kept very honest by pulling random samples out during the vote, and running dual machine- and human-counted results.
Chain-of-custody and vote-switching.
Have you heard the term, “stuffing the ballot box”? You might reassess this:
“With ordinary paper ballots, it doesn’t matter who transports them because there’s nothing a moving company can do to undermine the election.”
One aspect of election process is chain-of-custody. Ballot boxes are not stuffed or punch cards are not vote-switched (jqjacobs.net/politics/ohio.html) in plain sight. Any time ballots are not counted where cast, an entire domain of chain-of-custody security is created, and everything from poll closing until counting not only must be secured but unnecessary opportunities for election fraud are also created. The chain-of-custody concerns are alleviated by counting paper at the precinct and making the results public at the precinct level.
Hand-counted paper ballots can also be verified electronically at a county level, of course, as a control on possible fraud and the error level at the precincts.