Maryland Testing E-Voting System That Lets People Verify Their Votes Counted

from the experimenting-away dept

For many years, David Chaum has been pushing for a voting system that he claims will be a lot more reliable. Basically, after you vote, you get a coded number, and then after the election, you can go to an election website, punch in your code and make sure that your vote counted, and was for whom you meant to vote. On top of this, there’s a system for auditors to check that votes were counted accurately, with information released publicly so people can “audit” the election without being able to connect voters to their votes. This system tends to generate a lot of controversy (though some of it appears to come from people who just don’t like David Chaum, rather than from people who really have a problem with his system). However, the system hasn’t really been tested in an actual US election… until now. The municipal elections in Takoma Park, Maryland, used the system, despite the state recently signing a big deal with Diebold. It’s not yet clear how the overall election went, or how many people actually checked their votes online (approximately 30% in an exit poll said they copied down the code). However, it’s good to see that some governments are not just accepting what the big e-voting firms give them, and are willing to explore more sophisticated voting systems that aren’t based on pure faith in the e-voting company to get the system right.


Comments on “Maryland Testing E-Voting System That Lets People Verify Their Votes Counted”

35 Comments
Anonymous Coward says:

Questions

I wonder how they deal with the issue of vote selling. That’s always been a problem with “receipt” type systems because it allows the voter to later prove to someone else how they voted in order to collect a payment.

The other problem is that someone could also pressure or even force someone to prove how they voted. With the secret ballot system that isn’t possible, but with a receipt system it is.

Do they have answers to these problems or are they just ignoring them? I didn’t see them mentioned in the article.

Tor (profile) says:

Re: Questions

“I wonder how they deal with the issue of vote selling”

Exactly my question too. If not, the system is useless.

Geeks always focus on the technical aspects (me too), and of course open source is important if you are going to use electronic voting at all. But in the end this boils down to a trust issue. Can your 80 year old neighbour lady understand how the counting is done? If not, can she still trust the system?

TheStupidOne says:

Re: Re: Questions

“After making their choices, voters use a form to write down the serial number that is printed on their ballot as well as the three-digit codes inside the ovals they’ve chosen. The codes are generated cryptographically and are different on every ballot to prevent someone from deciphering the voter’s choices and engaging in vote-buying.

When polls close, voters can go to the election office website, type in their ballot serial number and see a rendition of a ballot, showing the three-digit codes for their votes. This way voters can be assured that their ballot was included in the final tally.”

So what the website shows is the code, not what was voted for, and the codes are different for each ballot. Which means vote buying is prevented.

Also the serial number is in no way associated with an individual voter (except through the receipt) so it would be impossible to determine the identity of a voter from the ballot. Now if you have the ballot and a copy of their receipt it’s a different story.
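The receipt check described in this comment, as an added sketch that is not part of the original thread or the voting system's own code: a simplified Python model in which each ballot carries its own random three-digit codes, the website publishes only serial number and code, and a voter's lookup fails if the recorded mark is changed or the ballot is dropped. The candidate names, serial numbers and function names are constructed for illustration.

```python
import random
from collections import Counter

# Constructed race and serial numbers (assumptions, not from the page).
CANDIDATES = ["Alice", "Bob", "Carol"]
_rng = random.SystemRandom()  # OS-backed randomness for the codes


def make_ballot(serial):
    """Print one ballot: a distinct random three-digit code per candidate.

    The full code table stays with the election authority; a voter only
    learns the code inside the oval they mark.
    """
    codes = [f"{n:03d}" for n in _rng.sample(range(1000), len(CANDIDATES))]
    return {"serial": serial, "codes": dict(zip(CANDIDATES, codes))}


def cast(ballot, choice):
    """Mark one oval. Returns (scanner record, voter's handwritten receipt)."""
    record = {"serial": ballot["serial"], "marked": choice}
    receipt = (ballot["serial"], ballot["codes"][choice])
    return record, receipt


def publish(ballots, records):
    """Build the public lookup table: serial -> code of the recorded mark.

    No candidate names are published, so a receipt shown to a third party
    does not say which oval the code belonged to.
    """
    tables = {b["serial"]: b["codes"] for b in ballots}
    return {r["serial"]: tables[r["serial"]][r["marked"]] for r in records}


def voter_check(board, receipt):
    """True if the website shows the same code the voter wrote down."""
    serial, code = receipt
    return board.get(serial) == code


def tally(records):
    """Count the recorded marks per candidate."""
    return dict(Counter(r["marked"] for r in records))


def demo():
    ballots = [make_ballot(s) for s in ("0001", "0002", "0003")]
    results = [cast(b, c) for b, c in zip(ballots, ("Alice", "Bob", "Alice"))]
    records = [rec for rec, _ in results]
    receipts = [rcpt for _, rcpt in results]

    honest = publish(ballots, records)

    # Recorded mark on ballot 0001 changed after scanning.
    altered = [dict(r) for r in records]
    altered[0]["marked"] = "Bob"
    flipped = publish(ballots, altered)

    # Ballot 0001 left out of the count entirely.
    dropped = publish(ballots, records[1:])

    return {
        "honest": [voter_check(honest, r) for r in receipts],
        "flipped": [voter_check(flipped, r) for r in receipts],
        "dropped": [voter_check(dropped, r) for r in receipts],
        "tally": tally(records),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The lookup only shows that the recorded mark matches the receipt; confirming that each code is tallied for the right candidate is the auditors' part, which this model leaves out.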

Anonymous Coward says:

Re: Re: Re: Questions

After making their choices, voters use a form to write down the serial number that is printed on their ballot as well as the three-digit codes inside the ovals they’ve chosen. The codes are generated cryptographically and are different on every ballot to prevent someone from deciphering the voter’s choices and engaging in vote-buying.

You know, I don’t remember seeing that part in the article earlier. Has it been “updated”? But anyway, in that case the receipt is also not very useful to the voter either because the system doesn’t tell them which candidate their vote is being counted for. So why bother?

Rich Kulawiec says:

Re: Questions

Precisely correct — this system enables vote selling, therefore it must be discarded immediately. This is a novice-grade error in the design of voting systems, which means that the people developing/using this system are far too inexperienced to be permitted anywhere near an election.

Anonymous Coward says:

Re: Re: Questions

Wait…

Go back and reread the article again. You missed something. The online part only has a code for a particular vote, not the specific option the person picked. It either matches with the code the voter wrote down, or it doesn’t. Again, for comprehension: It does NOT specify the option the voter selected, therefore it does not support vote buying.

Rich Kulawiec says:

Re: Re: Re: Questions

Great. Then it doesn’t support verification, either.

It’s impossible to have this both ways simultaneously, based on basic information theory principles — it doesn’t matter how it’s implemented. Now…it might be more difficult to recover that information, depending on the implementation, or it might be that some information is deliberately withheld, again, depending on the implementation, but you can’t achieve both goals (that is: voter verification and anonymity) simultaneously, because you can’t “have” and “not have” the same data simultaneously.

As a side point, and without looking at the algorithms they’re using, this is just an observation for further study: any number of very interesting studies lately have shown that anonymized data often isn’t very. I’m thinking of the NetFlix data, for example. What happens when (not if) the raw data gets disclosed? Is what’s in there sufficient to allow de-anonymization?

And yes, it very much is “when”. Someone will lose a CD or misplace a USB stick or have a laptop stolen. It’s guaranteed. So the time to think about what the consequences are is now, not afterwards when everyone’s wringing their hands and saying “No one could have foreseen….” and “We have no evidence that the data…” and all the other things that they always say to cover up their lack of vision and foresight.

Migzy says:

Re: Re: Re:2 Questions

It does support verification, go back and read the article again and pay careful attention to the pictures. The special pen used to mark your vote uncovers a code for each item you voted for. So basically to verify your vote you record the serial # and the code uncovered when you entered your vote. In the wired article, the first pic shows “JW” where the person selected the item to vote for and the 2nd pic shows a person entering serial # and being shown the “JW” code. In reality, I’m guessing each ballot will be different and thus while you can verify your vote is recorded as you filled it out. It also prevents anyone from verifying who you voted for as that code could be for any candidate.

Anonymous Coward says:

Re: Re: Re:3 Questions

It does support verification,

Umm, apparently not.

go back and read the article again

ditto

The special pen used to mark your vote uncovers a code for each item you voted for. So basically to verify your vote you record the serial # and the code uncovered when you entered your vote.

Each ballot is also different, so a JW vote on your ballot would be different than a JW vote on someone else’s. There is no verification that JW on your ballot is counted towards the candidates you actually wanted.

New Mexico Mark says:

Re: Questions (proposed answers)

Good points. However, I still am highly in favor of a system that provides verification. There is a long and time-honored history of screwing around with elections through any means possible. No solution is perfect, but I lean toward systems which provide fewer intermediary steps (and the resulting attack vectors).

It sounds like they just need one more step, similar to that implemented by TrueCrypt encryption. TrueCrypt provides a way for someone to “reveal” low-value data while keeping the real data encrypted in such a way that there is no possible way for the attacker to even prove it exists. (You have to understand some things about encryption to understand how this is possible, but it really does work.)

Perhaps they could just provide a “practice vote” button and clearly warn voters that this will in every way look/act like a real vote and a receipt will be issued, but it will not actually count in the election. Anyone being threatened will figure out the usefulness of “practice voting” pretty quickly.

A variant of this would be to only issue one receipt, even if a practice vote was cast in addition to the real vote. However, as part of the practice vote, have the user enter their own code. Unless that code is entered (and the “user code, if applicable” field would always be displayed on the confirmation web page), only the practice vote result would be displayed with no indication that it is a practice vote or that a real vote result also exists. This way, no one could be shaken down after they voted to see if they had more than one receipt.

Anonymous Coward says:

Re: Re: Questions (proposed answers)

This way, no one could be shaken down after they voted to see if they had more than one receipt.

Sure they could. All the vote buyer has to do is instruct the voter as to how to cast their “practice” vote in addition to their counted vote. Afterward, the buyer simply has to require the voter to reveal both votes to prove that they voted as instructed.

Not as simple as you thought, huh? That’s why no one has yet figured out how to make a receipt system also a secret system. The two goals are diametrically opposed.

Anonymous Coward says:

Re: Questions

Another problem with a receipt system like this is that it allows a voter to claim to have proof that their vote was recorded incorrectly whether it was or not.

For example, all a supporter of a long shot candidate has to do is purposely vote for a different candidate and then use his or her receipt as “proof” of a rigged election to get the election results invalidated.

BearGriz72 (profile) says:

Open Source Anyone?

I still think the idea of Open Source code development is going to be essential to the success of e-voting, and I also believe that in our modern connected society electronic vote collection is going to be absolutely necessary. I have not previously considered the idea of “Paid” voting that was mentioned in the previous post, but some type of confirmation would be a good security feature to prevent data tampering. I guess that is why I like Open Source so much, you don’t have to depend on a small group of developers to brainstorm the possibilities to test against.

Rich Kulawiec says:

Re: Open Source Anyone?

I still think the idea of Open Source code development is going to be essential to the success of e-voting, and I also believe that in our modern connected society electronic vote collection is going to be absolutely necessary.

As I’ve pointed out previously, while of course open source is a mandatory requirement for voting systems, it’s not sufficient — in fact, it’s not even close.

Go read Bruce Schneier’s 2004 essay on what it would cost to steal an election. Then adjust appropriately for the political and financial climate of 2010. Then realize that there is easily enough money in play to pay for custom hardware — that is, wafer fab. And anyone who has mastered even first principles of security knows that what’s in the code doesn’t matter if the hardware has been gamed.

It is exceedingly foolish to deploy or advocate electronic voting systems given this reality. We would be far better served by using the simplest available methods (e.g., pencil and paper) as those are far more difficult to attack en masse. Given the infrequency of our elections, it is really quite unimportant if result compilation takes a week or two.

anarkista says:

On a related subject go watch HBO’s Hacking Democracy (available on a torrent near you) and see how Diebold promised and delivered the elections on a silver plate to war-criminal-retarded-chimp Dubya.

You’d think all involved parties would be interested in having accurate vote counting. In the land of the sheep, home of the lame? Think again.

Anonymous Coward says:

Ditto on the vote selling thing (or worse, forcing someone to vote your way). Here, we use the old-fashioned secret paper vote and vote selling is done in the way of taking your id card and impersonating you when voting… which is kind of difficult to accomplish. With a receipt, it’s way easier to force you.

Anonymous Coward says:

Here's the solution

Such measures are far too complicated. The solution is simple. The voting machine issues a paper copy of the vote when it is cast. The voter reviews this copy and must place it in a sealed collection box prior to leaving the polling place. Cell phones or other photographic devices are not allowed in the polling place.

Some measure would have to be made for ballots where someone disputed that the machine voted the way they expected, but a well designed machine shouldn’t have problems with this, and the paper ballots could be utilized as an audit trail if the electronic results are in question.

Anonymous Coward says:

Re: Here's the solution

Such measures are far too complicated. The solution is simple. The voting machine issues a paper copy of the vote when it is cast. The voter reviews this copy and must place it in a sealed collection box prior to leaving the polling place.

This system uses *paper* ballots. How would it help to make a paper copy of a paper ballot? You didn’t read the article, did you?

Nick Novitski (profile) says:

Here's the solution

So your solution is to have “some measure” as part of a “well designed machine”? Forgive my flagging confidence.

The system as proposed enables no more vote-selling than do portable cameras (or pork barrel spending, for that matter). Seriously, being able to verify that your vote was cast the way you wanted means the system “must be discarded immediately”? I’m happy to hold voting systems to a high ideal standard, but they only need to be so good before they’re better than what’s currently in use. Good on Takoma Park for preferring a provably unhackable system (ie, mathematically impossible to both correctly report everyone’s ballots and falsely report the total vote) over the proven insecure Diebold system.

Rich Kulawiec says:

Re: Here's the solution

It’s a bad solution to the wrong problem.

It is not necessary that voters verify their votes: presumably, having cast them, they KNOW how they cast them.

It is necessary, however, that everyone else be able to verify that votes are not altered and that they’re counted properly. This is a different design problem, but one that has to be solved in order for us to verify that elections are conducted properly.

And the problem is that any solution to the first — which actually allows voters to in any way verify their specific ballot choices after the fact — enables vote-selling, bribery, and extortion. And of course without that, it’s really quite meaningless to provide any verification, e.g. “Your ballot was counted” does not tell the voter that their ballot was counted correctly, although I’m sure many ignorant people will foolishly presume it does.

However, as a society, we require a solution to the second. Moreover, we require a solution that preserves anonymity and that works even when individual voters don’t care to participate in it. Beyond that, it has to work in spite of hardware and software failure, operator incompetence, and voter incompetence. And beyond that, it has to work in the presence of very sophisticated, well-funded attacks (see Schneier’s article, again, which is required reading for anyone commenting on voting machines).

And nobody is even remotely close to that. Merely “better than what we already have” is simply not good enough, because “what we already have” is pathetic. And democracy is far too important to allow the franchise to be used as an alpha test site for electronic voting.

The only correct approach to this is to use paper/pencil methods UNTIL someone manages to solve all of these problems simultaneously AND demonstrate the ability to fend off a multi-year, multi-hundred-million dollar attack. Because that’s the threat, and it’s incredibly foolish to merely wish it away because it’s a hard threat to counter.

Derek Reed (profile) says:

Re: Re: Here's the solution

I agree on several of your points, but I think you missed a few key points about this solution. It does preserve anonymity AND allows individual verification (and mass verification). It allows you to verify that your vote is counted correctly in the total. The only caveat is you have to put faith both in the independent auditors and in the fact that the software whose source you can see and verify is in fact running on those machines and on the servers.

To steal an election with this system is more complex than pencil and paper, aside from bribing/switching the groups of people counting the votes (auditors) you also have to somehow steal the votes in the first place, through complex replacement of the software.

Rich Kulawiec says:

Re: Re: Re: Here's the solution

The only caveat is you have to put faith both in the independent auditors and in the fact that the software whose source you can see and verify is in fact running on those machines and on the servers.

Right. And what I’m telling you is that even if you personally verify the software (presuming that you have the relevant skillset, the tools, and the time) that is NOT a guarantee that the software is going to do what you think it does — because you haven’t verified the hardware.

This is why I keep referencing Schneier’s critical essay and find myself increasingly frustrated with people who haven’t read it and grasped the implications. People are simply not coming to grips with the budget available to attackers and thus with the scope/scale of the attacks they can mount. So even optimistically presuming that the software is perfect (and anyone with the slightest clue knows it’s not and has no prospects of being so anytime soon), there’s no reason to believe it’s executing correctly.

Here’s the URL for Schneier’s essay:
http://www.schneier.com/crypto-gram-0404.html#4

He wrote that in 2004. I think his estimate should conservatively be revised upward by a factor of 5, given the changes in economic conditions, political climate, etc. So anyone deploying systems such as these MUST be prepared to engineer against attackers with half-billion dollar budgets. Which means gate-level attacks. Which is exactly what I’d be doing were I the attacker, ignoring all the blathering about software, since I would know that in the end it will execute on my hardware.

There is no place for “faith” anywhere in these systems or this process. Faith is for fools.

Derek Reed (profile) says:

Re: Re: Re:2 Here's the solution

I guess what I’m arguing is that there are more hurdles to overcome in stealing the election with this system than there are in the pencil/paper system.

I’ve perused Schneier’s essay, and I disagree with some major parts of it (a candidate still has to run a legitimate campaign to even fake a victory, and the money has to come from and go to somewhere, so there’s a lot of hurdles to prevent just bam, campaign budget = steal election budget) – I don’t think it’s relevant.

Whether the money is there to steal that specific election or not, the best we can do is the best we can do. I don’t see how pencil and paper provides a greater level of public scrutiny than this open system?

Anonymous Coward says:

Re: Here's the solution

The system as proposed enables no more vote-selling than do portable cameras…

So, with a portable camera how do you prove that the ballot you took a picture of is the same one you dropped in the box?

It would be nice if some of you at least thought about the problem a little bit before pronouncing your supposed solution.

Anonymous Coward says:

I think that paper ballots are the way, with some sort of easy procedure for counting (rfid, bar codes, whatever), and some sort of electronic measure for pre-counting. IE, having your electronic vote emit a receipt you have to review and put in a ballot thingie. That way, you can know the results beforehand and have some sort of manual recount that ensures fairness.

Derek Reed (profile) says:

It does not allow vote selling

The system provides the voter only with a 2 digit code, that they verify matches up with the 2 digit code that got counted. That code is unique to the voter, and not easily identifiable as a candidate.

The problem with that is of course how do you know your 2 digit code did go to your candidate, which is where the independent auditor part comes in.

It really is a pretty well thought out system, taking a lot of human error and laziness into account in its design. I really think the actual use of this system is the most promising news on voting I’ve heard in the last 10 years.

Steve (profile) says:

Another view

Dr. Chaum has been working with using cryptology in the voting industry for many years. Although some of you have found fault with David’s solution for various reasons, the great news is that a voting jurisdiction has taken the lead to try something new. Rather than retreat to “Is it certified?” or “how many other jurisdictions are using it?”, Maryland should be congratulated that it has the guts to try something new.

Open source is an element for future voting systems. But it requires a mechanism in place to ensure that the open source code reviewed is exactly the same code that is on the devices.

Selling votes is very very easy. I request an absentee ballot to be sent to me at home. In the evening I go to the Do Drop Inn and hold up my ballot. Let the auction begin. At work my boss calls me in to his office. Steve we have to let some people go soon. But if you let me help fill out your ballot, I may find a way to keep you on the payroll. Of course this never ever happens!!!

Much of the source for the voting disenfranchisement is the result of a Catch 22 design of the 2002 and 2005 Election Assistance Commission Voluntary Voting Guidelines. The testing requirements were created to certify existing (or near term) technologies. Virtually no room in the requirements to create and innovate with technologies that come on line over the past 5 years.

The good news is the 2007 Voluntary Voting Guidelines ( http://www.eac.gov/vvsg ) does include a new classification named Innovative. The guidelines will become more dynamic and can be changed to accommodate new technologies and ideas.

Of course you are free to complain or you could dive in and create new ways of moving the voting industry forward.

Rich Kulawiec says:

Re: Another view

Rather than retreat to “Is it certified?” or “how many other jurisdictions are using it?”, Maryland should be congratulated that it has the guts to try something new.

I don’t think so. This is the real world, not somebody’s testbench. Should experimentation be done? Sure. Should it be done when real elections are involved? Absolutely not.

Anonymous Coward says:

Re: Another view

Selling votes is very very easy. I request an absentee ballot to be sent to me at home.

That’s also a problem with absentee ballots. But why make it worse? That’s kind of like saying “Well, people are killing each other anyway, so let’s just go ahead and let them”. That’s *not* the solution.
