Inside Electronic Voting Machines

Alien54 and several other people wrote in about a couple of stories published in a New Zealand webzine: an examination of an electronic voting system, and some less interesting political speculation about it. Diebold voting systems are in fairly wide use, and apparently provide zero security to keep election officials from writing in whatever election totals they want.

First vote!

We should have a slashdot poll about this.
And then rig the results. :)

Re:First vote!

> Hey! We are not all in Florida you know.

At least in Florida, no one was encouraged to vote the DAY AFTER the election.. the final "unofficial" recount had Gore winning by a wide margin, except for one thing...

Ever wonder how in 2000 there were an unusual amount of "Florida military ballots" that went through the postal system LATE and WITHOUT POSTMARK?

That normally does not happen (especially since mail ballots are sent EARLY and mail can't be routed without a postmark).

Next election will be worse with Saudi control

Ever wonder how in 2000 there were an unusual amount of "Florida military ballots" that went through the postal system LATE and WITHOUT POSTMARK?

Next election will be even more corrupt for military ballots. Military personnel will vote online in 2004

http://seattlepi.nwsource.com/local/126504_vote14. html [nwsource.com]

The company that has been contracted to provide this service was just bought by a group of Saudi investors.
http://www.newsday.com/business/ny-bzelec0227.stor y [newsday.com]

"Election.com, a struggling Garden City start-up scheduled to provide online absentee ballots for U.S. military personnel in the 2004 federal election, has quietly sold controlling power to an investment group with ties to unnamed Saudi nationals, according to company correspondence."

You wanna see how computerized voting really works?
Go here:
http://www.cntrybob.com/Fun/Voter/voter.html [cntrybob.com]

Why bother to vote at all. Just resign yourself to fighting a revolution. If you value freedom and democracy.

Re:First vote!

Sorry, the City of Chicago has been granted a "business process" patent on fixing elections.

Re:First vote!

right, but it wouldn't make much difference to the crowd here, as much as rigged elections in the real world make (none).

Think about it: How many people would it need to care about rigged elections in order for it to be brought to light ? There is lots of evidence that the 2000 elections were less than proper, but so far there has been very little response to these allegations. A normal reaction would be absolute outrage by ALL politicians and an inquiry that brings up every last bit of evidence. The fact that this has not happened shows that politicians are happy with the status quo (two parties, for outsiders absolutely indistinguishable that exchange the baton every four to eight years).

As if the only subjects you can differ on are abortion, healthcare and whether or not we should endorse a government religion.

I need my meds..

[tinfoil_hat]In the near future we will be given ballots containing RFIDs which will tie the voter to the vote. mwahahahaha![/tinfoil_hat]

Hanging Chads

Suddenly hanging chads aren't so silly anymore...

Of course

It's not a bug, it's a feature!

good website about this whole topic

http://www.blackboxvoting.com i suggest you check it out.

Abuse potential

It should be required that machines use open-source code, and some mechanism be provided for public inspection of the machines to verify the code hasn't been altered, some sort of checksum mechanism.

Re:Abuse potential

No kidding, these things have the potential to be a disaster for the democratic process, enabling voting fraud on a scale never before seen. If they ever try to get such devices in my district without making them open and easily accountable, my congressional district is going to hear holy hell about it from me. I almost never care about politics. I don't write letters to my elected officials or to the editor. I don't donate money to political campaigns or consider myself a member of either party.

But if democracy is going to be done away with through the adoption of flawed technology, I feel I have no choice but to act. Luckily, I believe budgetary constraints are preventing these 'upgrades' in my area.

Re:Abuse potential

No kidding, these things have the potential to be a disaster for the democratic process, enabling voting fraud on a scale never before seen.

Except in Florida.

Re:Abuse potential

This [onlinejournal.com] article talks about how the lack of inspection of the votes and machines is unconstitutional. Interesting read, with case referrences.

Re:Abuse potential

I would go that far. I have to agree with Knife_Edge that OSS for voting systems should be mandatory--this isn't about "companies making a buck," this is about establishing democratic vote-counts.

As our friend the Peruvian senator [slashdot.org] pointed out, in a real democracy the people would have access not only to the raw data of elections but also to the software used to compute the outcome of said elections (amazingly he said this before our 2000 election debacle).

Anyone have any idea what sorts of physical voting mechanisms the Peruvians use to interact with those OSS voting systems?

Diebold.

This should be of no surprise to anyone familiar with Diebold. You may have noticed that these guys are the makers of bank ATMs, among other banking and security equipment. Most of these ATMs, especially the older ones, use only 56bit encryption. 128bit is available in the form of a ridiculously expensive chip which also costs a few hundred dollars labor to have a tech come out and stick it in. Most banks, being the biggest cheap-skates in business, are unwilling to spend the money for these upgrades so, many of the ATMs that you regularly use likely have 56bit encryption at best.

Actually

The biggest delay is in the manufacturing and installing of the triple DES 128 bit encryption boards to install. Most ATM service providers have already changed it so that any new ATM has to have the new board installed, and existing ATM's have to be upgraded also. With ATM's becoming more popular, and are popping up nearly everywhere(We have 12 ATM's in a town of 5,000). Makers of the hardware encryption boards are backed up, and the ATM vendors aren't hiring enough bright people to get the work done.

Most banks are rushing to get security features like this in place, because these are the things that government bank examiners have field days on. Don't blame this on the bank, this is out of their hands.

Re:Diebold.

As bad as ATM security might be, they're still better than voting machines in one way. There's a paper trail. They print a paper receipt for the user and print an internal receipt for its own records. IMHO a paper trail is even more important than open source or code review.

Electronic voting in U.S.

Here in Georgia we had an electronic voting summit in Savannah and examined products from eSlate [hartintercivic.com], AccuVote-TS [gbsvote.com] and the iVotronic [srqelections.com].

The short story is that they were all very flashy and glitzy, but all had severe problems with security and/or usability. We eventually decided to run a pilot program in last year's off-year election and try out 5 of the most promising machines in a real-world election. The final winner will be used across the state in 2004.

No more hanging chad, but I think we are going to have a whole new set of problems to deal with.

Does it really take a computer...

... to tabulate the votes of the supreme court? Those are the votes used to selec..., er elect the pres...

Eletronic voting in the real world

The Brazilian government converted to fully electronic voting in 2000, deploying over 400,000 kiosk-style machines. Although our elections are often compared to those in the US, they are actually quite different because the voters cast ballots by using numbers assigned to each candidate (this is necessary because of a high degree of illiteracy here).

Concerns regarding accuracy of the self-auditing systems caused the legislature to mandate a retrofit of 3% (some 12,000 machines) to produce a paper ballot that the voter could peruse and deposit in a box for recount (the first large-scale use of the "Mercuri Method" -- described more fully here "A Better Ballot Box? [ieee.org]").

These paper-trail machines were successfully used during the October 6, 2002 election, and it is hoped that their other machines will eventually be retrofitted as well. Further discussion on this subject can be found in the article: "The importance of recounting votes [notablesoftware.com]" by Michael Stanton (originally published in Portuguese as "A importância da recontagem de votos", on the website of the Agência O Estado de São Paulo, November 13, 2000, http://www.estadao.com.br/tecnologia/coluna/stanto n/2000/nov/13/194.htm). There is also an informative website: Brazilian Electronic Voting Forum by Amilcar Brunazo Filho [votoseguro.org].

Need paper trail

Any computer data can be quickly and easily changed. The best solution I can think of is to print out two paper receipts for each vote, one to go to the election commission (for manual recounts) and one to go to the voter. Each receipt would contain a random code which the voter could then type in on a web site to verify their choices have not been changed. Of course, most people wouldn't bother to verify, but it only takes one person to catch vote fraud.

OTOH...

Then again, it would only take one fraudster to falsly claim their vote had been miscounted.

Also, any system that lets the voter check their vote also lets someone forcing them to vote one way or another to verify that they've done as commanded.

Re:Need paper trail

with less than half the population deciding it's important to vote, I don't see how it would really matter.

Find 99% of 18 year old's SSNs, enter into voting machine, instant winner.

Re:Need paper trail

The best solution I can think of is to print out two paper receipts for each vote, one to go to the election commission (for manual recounts) and one to go to the voter.

Ok for the receipt to the commission, but I'm not completely sure about the receipt to the voter: let's say that some days before the elections someone comes to you telling how you should vote, "or else". And he requires that after the elections, you show him a proof that you actually voted as you were told.

This went so far in some areas of Italy that on the last (regional) elections the usage of photocameras and videophones were explicitly forbidden in the voting booth. And yes, someone actually tried anyways and was discovered (and his vote invalidated).

So, in some way, being unable to prove to someone else how you voted is not entirely a bad idea.

(of course it can be objected that the nasty guys could come after you anyways if the result of the elections is not the expected one, regardless of how you actually voted...).

This article raises an excellent point

The primary drawback of electronic voting systems is that they aren't automatically self-documenting. Hardcopies of all electronic votes could be produced, however the act of punching a card is much harder to do surropticiously than printing a modified or forged vote to a printer.

The only solution I can suggest for an all-electronic voting system would require extensive use of cryptography. Every voter would have to register a public key and every vote would be cryptographically signed. This would require a database of public keys outside of any political influence and it would also require that voters keep their private keys secure, both of which are enormous problems.

Given these drawbacks, an antequated punchcard system doesn't seem quite so bad...

Re:Wow...

It doesn't have to be the Republicans themselves. Just people who would benefit from them being in power.

It may interest you to check campaign contributions from executives at Diebold. They seem to like to give quite a bit of money to the Republicans. Just a quick taste:

Walden W. O'Dell
Chairman of the Board, President and Chief Executive Officer, Diebold
2/14/01 $2,015.00
RNC REPUBLICAN NATIONAL STATE ELECTIONS COMMITTEE
12/17/97 $1,000.00
VOINOVICH FOR SENATE COMMITTEE
1/30/01 $3,950.00
RNC REPUBLICAN NATIONAL STATE ELECTIONS COMMITTEE
8/16/01 $500.00
VOINOVICH FOR SENATE COMMITTEE
12/17/97 $1,000.00
VOINOVICH FOR SENATE COMMITTEE
6/30/00 $1,000.00
DEWINE FOR US SENATE

Re:Wow...

Yes, Diebold and ES&S are both closely tied to the Republican party, and have been for a long time. If you look at their campaign contributions for the last election, you will see that everyone that gave, gave only to the GOP.

Chuck Hagel still owns stock in ES&S's parent company. He has won every election that used ES&S machines to count the votes.

Plenty of Security

There's plenty of security preventing people from changing the results. Its called exit polling. If the vote tallies are wildly different from the scientific exit polling done by independent 3rd parties, then I'm sure a full investigation would follow.

They could certainly be abused, however, in smaller state and local elections where a small handful of votes can make a huge difference.

Re:Plenty of Security

Vote tallies have been different from exit polling in recent elections (that's one of the reasons people were looking at Palm Beach County), and what has it gotten us? Besides, in 2002 we had almost no exit polling because of the convenient demise of the Voter News Service. Exit polling is hardly a solution to flawed electronic voting systems.

Re:Plenty of Security

There's plenty of security preventing people from changing the results. Its called exit polling.

You're forgetting that the exit polls declared Gore the winner in Florida, by a pretty good margin. However, the *official* ballots told a different story, mostly because of all the accidental Buchannan votes. So without an audit trail, vote riggers could just say "Gosh, I guess those people reporting their votes to the exit pollers were mistaken or lying."

The US military wants to use windows

The US military wants to make sure that US servicemen/women overseas can vote. That's not a bad thing and there is a US law that requires this.

But there is a bad thing - the system they are promoting runs on MS Windows - including Win 95/98 - using Internet Explorer (5.5 and up) and Netscape.

Somehow they have in their minds that if they run HTTPS and require anti-virus software that the machines will be secure enough so that votes made through those machines won't be buggered.

Oh, and did I mention that the voter registration occurs through the same machines and same web-browser/https mechanisms?

Seems to me that this is a recipie for disaster - I don't consider any operating system safe from tampering, particularly none of the MS products. And these machines will likely be shared by many people, configured by DHCP (itself a security risk), perhaps with programs being loaded over insecure nets from insecure file servers, and crossing the internet via web proxies, "transparent" web caches, WCCP, and who knows what else.

This could make Florida 2000 look like a picnic.

Re:How is this different than with paper ballots?

But it IS easier to change - a LOT easier to change.

And a lot easier to forge.

To stuff a ballot box, you need the right paper, ink, and print format BEFORE the election. This creates a paper trail and gives us time to stop you before you do it.

It also requires multiple criminals, which may very well turn state's evidence.

To change purely electronic data, it can be done on the fly, during the election, by one angry man, leaving apparently NO traces, according to the analysis of the machines currently used. And their would be no way to recover the original data.

The original paper ballots can and DO get checked by hand. To really fix any election that has paper ballots, it is MUCH harder than a pure electron one.

Commodotize Voting Machines

Make a public domain design&software for a voting machine. Get five companies to build them. No one company can rig the election.

My only big design point is Dual Receipt, like a credit card transaction. Fast electronic count, paper count for them, paper count for me.

Some observations

Their article is interesting, but a bit misguided IMNSHO. First they harp on the three sets of ledgers. Well what's the big diff. They say that this somehow allows more leeway to fudge, well actually it doesn't. The fact is that you have to know that there are three sets and exactly which sets of reports get their data from which sets (a very lame attempt at security thru obscurity?). Having a single ledger means that you only have to go to a single place to mess with things.

But the biggest problem with there report is that they spend a lot of time talking about essentiallly one issue, that the tables are available for anyone with the password to edit and manipulate. There doesn't seem to be any type of tiered access and because they use access, a TRUE audit trail can not be created.

I would think that a voting system would be important enough to warrant the extra time to create a custom DB that audits absolutely everything to a file/table that can't be touched by anyone but the app (e.g. only the app can add rows and rows can never be deleted). I assume that Diebold was able to use Access because it made their bid lower and the company that actually had a decently secure system was underbid.

I smell a voter's lawsuit, oh to be a lawyer.

What ever happened to the concern?

It amazes me. After the 2000 elections, every expert in the world pretty much agreed that electronic voting technology should not be deployed unless safeguards were added, and they went to great lengths to enumerate those safeguards.

Three years later, and it seems that equipment manufacturers have managed to blithely ignore every bit of it. And apparently, so have the people purchasing the stuff.

Re:Somebody Call Georgia

Access databases

Voting is one domain where Microsoft needs to step aside and let someone else do it right.

A little inflammatory

On the issue of electronic security, I have to concede that I have little experience. Given these tests, I am concerned that a dishonest person could edit returns and cause problems with an election. This could be particularly problemmatic in counties that use 100% electronic voting, with no paper trail. It's bad enough that the log is so easily hacked without a trace. It would be even worse to have no real recourse.

Fortunately, as someone who has served as an election judge (working the polls) in Minnesota, I can tell you that these concerns are a little overblown. We use the optical scan machines here, and we submit the precinct detail report (list 1 for those who read the article) to the county electronically and in paper format (3 copies). Additionally, we have all the paper ballots that were filled out by the voters carefully stored in the machines during the voting period, and then mailed to the county in sealed envelopes and signed by all the election judges.

Not only is the written process pretty fail-safe, but I worked an election where there was a discrepancy between our ballot count (kept as people vote) and the machine count at the end of the day. We hand-counted all the ballots (they were bubble test style, so no hanging chads or dimples) to make sure the count was accurate. Even if someone had hacked the voting machine, there was little chance for them to bust into the voting machine to steal or alter the ballots.

Additionally, although some nefarious person could hack the machine, I have no idea when they would. Most polling places have a team of election judges present from the time the machine is unlocked until after the results have been transmitted. Judges are not supposed to linger near the voting machine for any length of time. Certainly it's important to implement appropriate safeguards in the software (such as the automatic numbering system that was disabled for the log file), but chances of election fraud due to machine tampering are pretty darn low.

Re:A little inflammatory

But the Diebold machines leave *no* paper trail - there are no paper ballots to check againts. Once the database is tampered with there is no way to reconstruct the voter's intent.

No different than from voting in South Texas

Politicians here have to spend lots to get the dead to vote... but they manage to turn out year after year. How failful to their citizenry after they're gone...

Oh My God ...

This week's sign the apocalypse is upon us -

(From the article - emphasis mine)

At the county office, there is a "host computer" with a program on it called GEMS.

GEMS receives the incoming votes and stores them in a vote ledger. But then, we found, it makes another set of books with a copy of what is in vote ledger 1. And at the same time, it makes yet a third vote ledger with another copy.

The Elections Supervisor never sees these three sets of books. All she sees is the reports she can run: Election summary (totals, county wide) or a detail report (totals for each precinct). She has no way of knowing that her GEMS program is using multiple sets of books, because the GEMS interface draws its data from an Access database, which is hidden.

What's next? NASDAQ running off of Access?

Idea

Why not implement a "paper trail" through punching holes in a metal plate using a laser. Each machine would encode their votes in metal, which would be hard to falsify (the holes will have clear characteristics). The metal plates can then be removed from the machines after voting and kept available for recounts, if needed. Optical scanners could even automate recounts.

Deliberate abuse just one of many factors

I found this gem on alternet [alternet.org]:

All races of voters make errors on paper ballots. But in white counties like Leon (Tallahassee), if you make a stray mark or other error, the vote machine rejects your ballot, and you get another ballot to vote again. But in black counties like Gadsden, you make a mistake and the machine quietly accepts and voids your ballot.

While we may look at hacking or intentional fraud as one of the only (or few) potential abuses WRT electronic voting, we might forget about structural abuse like we've seen in Florida. It makes me laugh when someone comments on a vote saying "the people have spoken". We should just roll dice instead...

Re:Won't Prevent Voter Fraud

I'll respond to points 2 & 3.

The reason I've been told that one isn't allowed to ask for an ID to vote is that it would be a violation of the Constitution - specifically, the 24th Amendment [findlaw.com].

Now, you're asking yourself, "why would asking for an ID violate the prohibition of poll taxes?" Think about the time you got (or last renewed) your driver's licence. It wasn't free, was it? Ta-dah! A poll tax.

So, if you've got to show a photo ID to vote, the state's got to provide a free photo ID. And most states right now are too broke to even think about something like this.

And as far as point 3 - Purging of the voting roles led to big problems in the 2000 election in Florida. Basically, some voters that shouldn't have been purged were purged. When they showed up to vote, they were told they couldn't. Big disaster. I suspect most places would rather have voting roles with ineligible voters (99.99% of whom won't show up to vote, because they've moved or are dead - and if "they" do show up, it's unlikely anyone will find out about it, thus causing problems for the officials running the election) than voting roles missing eligible voters (who will make a huge stink if they show up and are told they can't vote, which will cause a problem for the officials running the election).

You can read about the Florida voting list purge here [gregpalast.com] if you wish, and check the mention in the U.S. Commission on Civil Rights' report here [usccr.gov].

Re:Highly Biased Article

Um ... believe it or not, when a certain group of people does something evil, saying "that group of people is doing something evil" does not constitute "bias" against that group of people. It constitutes telling the truth.

Ahhh, fuck it, why am I even bothering? Just go and watch Fox News and be happy.

Electronic voting machines are a bad idea

Electronic voting machines are a bad idea. There is NO reason to use them for general voting.

By electronic voting machine, I mean a machine with a display that allows you to select candidates and keeps the tally electronically. You the voter directly interact with this machine.

Ultimately there is no way to be 100% certain that the machine is doing what you want. The only real backup is a paper trail for a hand recount. These machines don't offer that. Result: the machine can make up numbers and you'd be hard pressed to tell.

Okay, so the machine can print out a verification receipt that you also file. That solves the problem. Of course, then what has the machine gained you? The voter still needs to verify that the printout says what it should (and what do you do if it doesn't?). This just adds an unnecessary double check that voters have to worry about.

You might as well just initially fill out a paper ballot and have a machine scan it. Machine scanned paper ballots can be simple for voters to use, simple for machines to scan, and simple for a hand recount. If a machine doesn't like the ballot it can reject it and a poll staff person can explain the situation ("The machine rejected your ballot. I can force it through, but one or more of your votes might be thrown away. Or I can shred this ballot and give you a new one. If you like, a poll staff member can help you fill out the new ballot.") This is exactly the situation here in Madison, Wisconsin and it works great. The ballots are really simple (there is a two inch arrow with a one in gap in the middle pointing to each candidate's name with, you just fill in the gap on the arrow pointing to your choice). It's easy to fill out. It's trivial for a machine to scan (it's like the fill in the bubble tests, but with much larger, easier to read fill in areas). The big arrows are trivial for a hand recounter to check. You can do occasional random hand recounts to verify that the automatic tabulators are working correctly.