Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
United States

Electronic Voting's Fundamental Flaws 370

phil reed writes "Given the latest fiasco in Florida's continuing attempts to implement a decent voting system, I thought it would be appropriate to alert Slashdot readers to the work of Dr. Rebecca Mercuri. She's been studying voting systems for many years, and has developed well-considered positions on what makes a good electronic voting system (and what makes a bad one). Her comments on the Florida 2002 election can be found in the current Risks Digest. And, if you think that creating a computer-based voting system is easy, she provides a suggested list of questions that should be answered by any developer." Mercuri's statement in Risks is well worth reading. With all due respect, she is wrong in some respects: it is possible to create a fully-verified electronic system. Start with completely open code and thoroughly examined hardware, create an audited system for installing the code on the hardware, and make it tamper-evident so that you know the same code is still there when the machine reaches the voting booths. Bootable, hologrammed, serial-numbered CD-ROMs with individual private keys would do the trick. Mercuri is thinking in terms of vendors selling proprietary "solutions", where she's absolutely right: there's no way to verify that what people punch in is what is actually recorded.
This discussion has been archived. No new comments can be posted.

Electronic Voting's Fundamental Flaws

Comments Filter:
  • Humans involved (Score:4, Insightful)

    by kryonD ( 163018 ) on Thursday September 12, 2002 @07:10PM (#4248067) Homepage Journal
    Unfortunately, as long as their are humans involved, corruption will always be there. From the guys paid to write the software, to the DB admins, to our friends at M$ who will undoubtably provide a security-lacking OS to run the system on, voting will always be called into question when it gets as close as it did between Gore and Bush.
    • Re:Humans involved (Score:2, Insightful)

      by Anonymous Coward
      Here here.

      It seems obvious to me that for an OPEN election, the operating system should be open as well.

      If they would only use Linux as their operating system, any security flaws could be openly addressed well before the actual election. As we have seen with linux as a whole, there is a large talent pool out there ready to make bug-free solutions at zero cost. Yet the big-money MS conspiracy keeps their software in the driver's seat.
    • Re:Humans involved (Score:3, Interesting)

      by plierhead ( 570797 )

      Yeah, and the question remains - WHY even open ourselves up to this kind of risk ?

      Simple analysis shows that the morons who run these shows can even screw up simple paper-based systems that have been around for eons. And we expect to wave the "magic of open source" over them and have them turn into gurus who can build an unprecedentedly secure and massive electronic system that supports arguably the most important single process in the country ??

      Maybe if:

      • we voted every few days on some micro-issues like what the tax on gas should be for the coming month
      • it genuinely mattered that the results take longer than a few seconds after the booths close to come in
      • the current system was chronically broken
      ...then there would be some reasons to try and fix the process with compooter magic. Otherwise lets leave things be.
    • Re:Humans involved (Score:3, Interesting)

      by Otter ( 3800 )
      More importantly, there are far simpler ways to rig elections than any technical intervention: allowing individuals to vote more than once, allowing ineligible registrants to vote, the Cynthia McKinney approach of misleading phone calls to Republicans suggesting they couldn't vote in the Democratic primaries in Georgia,....

      All this hair-splitting about security comes from a simple-minded attitude that a) open-source is a magic wand that detects all software and hardware defects and b) constantly invoking a) covers the entirety of concerns about computing choices.

      One might ask -- wouldn't it be a good idea to wait a few days until it's clear what went wrong in Florida before analyzing the situation? Not at all, because it's easier to pretend it's just another IE security hole and announce that "the community" could fix everything, if only given the chance.

    • The one thing electronic voting will never be able to overcome is that there is always the possibility that ANY electronic system could be either cracked, hacked, or subverted by a corrupt programmer -- AND THERE WOULD BE NO WAY TO FIND OUT!!! .

      With paper, or some other physical object, even if some hacker corrupts the computerized counting machine, you can always do a manual recount. Plus, if power goes out and the computer loses count ... the paper stays the same.

      Sure, in 2000 Florida showed us that paper isn't perfect either -- but with electronic voting, there could be just as many foulups, but never a recount.
    • Re:Bush and Gore (Score:3, Interesting)

      Like when Bush and pals purposefully used technological miscalculations [observer.co.uk] to remove thousands of Democratic Florida voters from the voting pool. That's what I call corruption on a DB admin level.
  • Ya know.. (Score:2, Insightful)

    .. if they can't figure out how to vote by now, then maybe they shouldn't be voting.

    I'm sick and tired of hearing about Floridians bitching about the voting process. 49 of the other states get it right, so either fix it, hire someone from the other 49 states as consultant to fix your problems or STFU.

    I guess the million dollars they spent last year updating their systems didn't help much.

    And don't blame Jeb for the problems, the asshole democratic voting nazi leader down there denied his help.
    • Re:Ya know.. (Score:4, Insightful)

      by sdavid ( 556770 ) on Thursday September 12, 2002 @07:19PM (#4248119)
      We only really know how bad the Florida system was because the election was a statistical tie, leading to the recounts and a very close look at the process. I'd suspect that many states have very similar problems, for example Maryland in the current primary, and we simply aren't as aware of them.
  • by synx ( 29979 ) on Thursday September 12, 2002 @07:14PM (#4248089)
    Michael I think you don't quite know what you're talking about. First you say a recognized expert is kinda right, but lo and behold, if only we had open source, that would be the end of our woes.

    You have to remember that most open source software doesn't provide any degrees of assurance other than "it's been used by alot of people". This really isn't an option for vertically integrated solutions such as digital voting. Just how many hobbests are going to "hack on" the GNU Vote system ?

    The track record on contribution by the general public to OSS projects is pretty poor. Look at Mozilla, emacs, linux kernel, etc. Most of the significant contribution has been done by a relatively small number of persons. While lots of useful bug reports and patches have been submitted, I think for electronic voting we need a bit more than "lots of people have submitted bug patches."

    What she is talking about here is engineered assurance. OSS is a source code policy, not an engineering style.
    • Also, open source gets more secure and bugfree over time. You would think a voting system had to be correct the first time used.
      • Precisely! This is what I mean when I say "engineered assurance."

        Obviously there has to be extensive QA, but the traditional open source development style is "throw lots of people at it, trusting their data to it."

        In any case, I still refuse the slashdot editor's claim.
        • but the traditional open source development style is "throw lots of people at it, trusting their data to it."

          Do the words 'ext2 filesystem' mean anything to anybody?
          • Does the word DoubleSpace mean anything to you?
            • Does the word DoubleSpace mean anything to you?

              Damn! I will never get those files back!

              Seriously, what's your point? When you copy another corporations source and forget to take out their "Stacker" copyright strings they can sue you and win even if you have more lawyers and drive them out of business? What does that have to do with debugging being easier with source code? Like Microsoft didn't debug the code before stealing it? They are just one corporation, bugs are only shallow when there are lots of eyeballs. Do you think the proprietary voting companies stole some GNU source? And are hence afraid of having the code inspected?

              I think hiring the company that did those NYCSubway Metrocard machines to do the interface design and hiring a few companies to write competing open-source back-ends, with 10 million dollar prizes for each bug discovered, would quickly and cheaply create a voting system that could be given to governments the world over at great benefit to everybody. This isn't even a OS thing, there shouldn't be an OS on these things, just a monolithic application that is simple, on a chip that is open(so nothing up to date), with a simple non-optimizing C compiler written in machine code bootstrapping the thing. The thing must be auditable. That means the chip, the machine code, the code. And a few corps should be hired for a professional audit before it is first deployed. The prizes for additional bugs found could be made larger if there isn't enough interest at 10 million a piece.

              Come to think of it maybe it's easier to audit a mechanical voting machine... Still if we ever want to get rid of that stupid Senator/Representitive system we'll need an electronic replacement for voting.
              • My point: the parent to my post was implying that the open source development method is somehow prone to tremendous bugginess, in this case with data storage/filesystems. The implication was that the often chaotic development of open source would lead to loss of data. I gave a refutory example from a prominent(!) closed source company.

                I agree with your points about voting systems, in the main. Basically, having an open source system can't hurt and, as Michael pointed out, can lead towards true verification.
    • I wouldn't trust any UI designed by OS programmers in the hands of people who were confused by butterfly ballots. I can just imagine the utter disaster brought about by a goldenrod-on-magenta voting system written in Tk.
    • First you say a recognized expert is kinda right, but lo and behold, if only we had open source, that would be the end of our woes.
      I agree with you--simply using open source software won't solve the problem. But if Florida had decided to use open source software they could have reviewed the code themselves--rather than having to trust the company that made the software.
    • Michael I think you don't quite know what you're talking about.

      You just figured it out? Your user id only has 5 digits!

    • Of course, not all projects with open source need be Open Source projects.

      What I mean here is that just because the code is open to review and comment, it need not be worked on by anyone outside of a central group of people. In this sense, the "open source" nature simply means that the code is open to review to be sure there are no "if (vote == "democrat") { vote = "republican" }"-type loopholes.

      IMO, publically funded software ought to be this way, anyhow. Openness is a good habit to get into (and one which our current gov't does not have).

      Off topic: The person in the cube next to me left her cell phone on her desk, and someone has been calling it every two minutes for the last hour and just letting it ring. I'm entertaining suggestions as to what I should do with the infernal device.

      • Put it on vibrate and set a keylock code. The default is probably not there, or it is something stupid like 1 2 3 4 5 (The code on my luggage :). Then forget the code, it's a good way to make a phone useless.
    • Er, just because the source is open doesn't mean that it is volenteer driven or anything else. What michael is saying is its fine if a company is contracted to produce, test, etc the code, btu upon its release to the public it should be in source code form so that we know what we are getting.
    • by xinit ( 6477 )
      It's not the contributions that matter.
      It's the auditing that matters.

      There are enough conspiracy theorists and paranoids among the coders out there that they would audit every line of code without necessarily contributing any code. That is where an open solution works - people know that the code is good because nobody's got valid paranoid rants about it.

      • Then how do you know that the code you audited is the code on the box?

        The 'conspiracy theorists' won't believe anything. They won't believe man landed on the moon, they believe the WTC was downed by the American military. They wouldn't believe the code made public was the code used.

        There are just people you can't convince of anything, the way I see it there's no point in trying to appease them in the first place.

        Myself, I'd wonder if some zealot for sticking in a Gore*=Gore+1 instead of Gore=Gore+1. Opening the code to independent review from all parties would be good enough. I believe most 'bad things' are the result of at most a handful of nutballs with an agenda, that would be the most likely scenario.

        Michael isn't. But, it seems he'd be satisfied so long as Tux was there in the corner of the screen to reassure him. To him, corporations like Microsoft are the boogeyman.

        The next rung on the nut-job ladder wouldn't be convinced no matter what happens. His logic would make him suspiscious by the very action of opening the process to his review.

        We shouldn't be wasting effort trying to appease the lunatic fringe.
      • Even without open source, there are ways to preserve an audit record for a hand count.

        For example:
        Put a small printer in a sealed compartment behind a clear window. Print a copy of the voter's ballots after they make their selections. Let them inspect and confirm their ballots. After they confirm their selections, drop the paper ballot into a hopper inside the sealed compartment. If they don't confirm the printout, the machine will void and dispose of the incorrect copy and start over.

        There you go. The speed of electronic voting with a paper trail that's at least as secure as what we have now.
    • there's open the source and then there's open source.
      You hire someone to design the system. from HW to SW.
      You allow the specs of the hardware to be open, and all the source, from firmware, to OS, to Application.
      You create a formal process for suggesting change, and submitting bugs.
      so you don't post it on source forge and allow everyone and there brother to submit patches directly into the build.

      This can help, even with vertical solutions.
    • Kneejerk anti-OSS - I love it.

      Michael is saying that open code and open hardware lead to a system that is fully verifiable, not that it's any more bug free.

      Nice marketspeak, by the way - "vertically integrated", indeed.
      • Fully verifiable is a big claim. I support OSS in every way, but I wouldn't ever claim that. How can you prove that the compiler wasn't trojaned? It's open source too? Well how about the compiler that compiled the compiler before it was self-sustaining? You'd have to trace it all the way back to whoever did the first compiler in the chain, by first compiler, I mean pure machine code. This isn't a new concept. [acm.org]

        The bottom line is, you can never, ever have 100% security, ever. You can only get kinda close. I think in this case, paper is still the best bet, and we should forget about using technology for voting, it will inevitably make voting abuse a lot easier than it already is.

        Of course, the government even goes as far as openly censoring the results of a vote they do not agree with [lp.org].
    • It's a really bad idea to assume that just because someone is an "expert", recognised or not, that they are right, especially when the topic is one different to what they are used to.

      The mechanics of electronic voting are different to conventional voting. Just because someone is an art expert doesn't mean that they could write a paint program.
    • Actually, it seems like you're the one not clear on the issues.

      The purpose of open source voting software is peer review, and more basically, adherence to the notion that elections should be conducted in a fair, public and well-understood fashion.

      There's no reason to keep the election-booth code secret and every reason not to. Notice I didn't say that the voting booths should be powered by "free software" - a whole other fish altogether.

      It's abundantly clear from the article that the vendor of the FL voting machines refused to allow meaningful inspection of their equipment and software, both to the ACM (who volunteered to audit the devices) and to parties in an election-related lawsuit (!). It's also obvious why: clearly, from the magnitude of problems experienced, had such inspection taken place, the vendor's, and the government purchaser's, rank incompetence would have been more rapidly exposed.
  • by Skyshadow ( 508 ) on Thursday September 12, 2002 @07:16PM (#4248099) Homepage
    I think there's too much emphesis on preventing fraud, as if voting fraud is somehow a new phenomenon unique to electronic voting. While security is naturally important, I think it's equally vital to have a reliable, easy-to-audit and hard-to-break system.

    With that in mind, I think the best system is still a card system (specifically the "complete the arrow" system). It won't crash, it's recountible as many times as you need (no chads shaking loose in the counting machine) and it's so easy that even the retarded old people living in certain Florida counties can figure it out.

    The best part is that it uses no complex parts (which, according to Murphy's Law, are prone to failure on election day). Just a paper and pen -- beat that. Add a reasonable amount of physical security (deputies at each location, plus maybe a representative from each major party to observe) and you're good to go.

    This is one of those situations where overthinking and overengineering comes back to bite you.

    • Those machines are very expensive to maintain, from what I understand. They have to be stored in a highly-controlled environment, etc.
    • too much emphesis on preventing fraud, as if voting fraud is somehow a new phenomenon unique to electronic voting

      Of course it isn't, but the idea is that it might actually be viable to prevent fraud with electronic voting... although I suspect that, as geeks, we can't poke as many holes in an electronic system as you can in a paper system.

      With proper security, however, the bar gets raised a lot higher.

      I think the best system is still a card system

      Well, perhaps... except that even with arrow systems you wind up with cards that are invalid because someone mismarked them, didn't mark hard enough, the graphite wears off with enough recounts, etc. And even with these systems the recounts never produce the same numbers, and they take a considerable amount of time.

      Electronic systems have the potential of eliminating all of these issues (note trolls - I said potential, not absolute). The system will prevent you from entering a ballot that is invalid. You won't accidentilly vote for two different candidates in the same race - just not possible. And barring fraud (see above), the vote won't be questionable, it won't decay with recounts, and the recount will be nearly instantaneous (depending on how long system verification takes) and will add up the same every time (if it doesn't, you're in the land of fraud again).

      Eventually we might be able to do online voting, which would be pretty nice if done properly (big if). Sure as hell won't get that with a paper ballot. Of course, 80% of the reason to go to Internet voting could be solved just by getting into the 20th Century (yes, 20th) and allowing voting for more than 12 hours on a single workday. Come on -- week long voting shouldn't be an issue. If it's a cost problem, then a Saturday would still be better than Tuesday.

      That said, you're very right about Murphy's Law and KISS.
    • by swillden ( 191260 ) <shawn-ds@willden.org> on Friday September 13, 2002 @12:39AM (#4249423) Homepage Journal

      With that in mind, I think the best system is still a card system (specifically the "complete the arrow" system). It won't crash, it's recountible as many times as you need (no chads shaking loose in the counting machine) and it's so easy that even the retarded old people living in certain Florida counties can figure it out.

      Hear, hear. Paper and ink has huge advantages when it comes to ballots. Everyone can see exactly who they voted for, the votes can be recounted at will and, maybe most importantly, we know how to secure and audit the management of lockboxes of paper votes. Been doing it for a long time.

      The one downside of hand-marked paper ballots is that they're hard to count electronically. If electronic counting is important, I think a hybrid system is the way to go: use a nice, easy-to-use touch screen to make your selections and then have a printer mark your votes on the paper ballot in both human and machine-readable formats. Then, at tally time, you can rapidly and accurately generate a file containing all of the numbered ballots (grouped by voting district) and the votes cast. This file can then be published and anyone who wants to can tally up the votes for themselves.

      Further, you can take a random sample of the paper ballots and manually verify that the human-readable portion, the computer-readable portion and the tally file's summary of this ballot are all in perfect agreement. A relatively small sample can provide an extremely high level of confidence that the system is functioning correctly.

      With this kind of method, there is no question about the correctness of the software, whether open or closed, because if it prints the wrong selections on the human-readable portion, the voter will catch it. If it prints the wrong selections in the computer-only portion or if the counting system makes errors, the random verification will catch it. If there are errors, you can always fall back on purely manual counting.

      Electronic ballot-counting does have some advantages over manual counting: it's cheaper, faster, apolitical and the notion of a published "tally file" makes it more open and more widely verifiable.

      But, given a choice between a purely paper-based system and a purely electronic system, I'll take paper. And I'll take just about anything over those punched cards.

  • suggested list (Score:5, Insightful)

    by Sebastopol ( 189276 ) on Thursday September 12, 2002 @07:16PM (#4248101) Homepage
    I think her suggested list applies to a lot more than voting. She deserves a lot of credit, because work like hers is the dirty work no one ever wants to do... real nuts-and-bolts stuff that takes lots of thought.

    I love it -- Take that all you kiddies who say "duh, how hard could it be? I could do it in perl in an afternoon, i'm so huge!" huge you are! ;)

  • by rsteele19 ( 150541 ) on Thursday September 12, 2002 @07:20PM (#4248125) Homepage
    Michael's position that it is possible to create a fully verifiable electronic system seems to have one fundamental flaw: It is impossible to discern with certainty the processes that are occurring inside the machine.

    Consider a computer supplier that is co-opted by an unscrupulous political party. They create some sort of hardware mod that allows the contents of memory to be arbitrarily modified. Perhaps it can be controlled wirelessly. Suddenly bootable serial numbered CD-ROMS aren't a solution.

    The advantage to the pencil-and-paper system is that to my knowledge, nobody has developed paper that can cause a mark on its surface to be erased and another mark drawn while the paper is in the ballot box. People can watch the ballot go into the box, they can watch it come out, and be sure that nothing has occurred to change the vote thereupon. When the vote is nothing but electrons inside a machine, this is much more difficult.

    • An electric system can be an aid for paper voting. For example, consider a ATM like interface. That system prints out a card in a font that is both human and computer readable. For example:

      President: Sally Smith

      Congress: Dave Dogood

      The voter can review the printout and return to the computer to changer their vote if they made a mistake and if there is a problem withthe OCR humans can easily count the vote with little chance of confusion.

    • Hackable hardware a problem? Sounds like Paladium is the solution!

      I wouldn't be surprised if we saw some voting machines running on MS hardware and MS OS recording votes when Gates runs for President. Wonder who would win?

    • The advantage to the pencil-and-paper system is that to my knowledge, nobody has developed paper that can cause a mark on its surface to be erased and another mark drawn while the paper is in the ballot box. People can watch the ballot go into the box, they can watch it come out, and be sure that nothing has occurred to change the vote thereupon.

      rsteele19, Mr. Schrodeinger and his cat [cornell.edu], Mr. Schrodinger, rsteele19.

      I'm sorry, I'm being pedantic. ;-)

    • by wfrp01 ( 82831 ) on Thursday September 12, 2002 @08:48PM (#4248577) Journal
      And I'd add, another aspect of discerning with certainty what's happening within the machine is that everyone has to understand it. Theoretically proveable to a handful of mathematicians and computer gurus doesn't cut it. Your grandma has to believe that the system is trustworthy. She has to comprehend how the system works. Counting holes punched in a piece of paper makes sense to people. Locking the paper up to prevent tampering, and having multiple independent auditing authorities in place makes sense to people. Cryptography does not.

      Use computers to rapidly tally the votes, sure. But why use computers to do the actual voting? What's the point? What is gained? You can count the votes in real time rather than taking minutes or hours. So what? Sometimes simple is good.
  • In [slashdot.org]
    this story, particularly my comment [slashdot.org]. Items linked to at that time still applicable.
  • The problems are more human than technical. Some people just don't have the ability to walk up to a new machine, read the instructions, and follow them. If electronic solutions can not address this issue then there really isn't much reason to go electronic.

    Personally I used a touch screen in 2000, it showed a list of names, when you touched one the others disappeared to provide you with feedback as to your selection, and there were buttons to confirm and proceed or to go back. I thought it was great, but I'm sure some folks were completely baffled and had to have staff walk them through it and/or do it for them.
    • > The problems are more human than technical. Some people just don't have the ability to walk up to a new machine, read the instructions, and follow them.

      And it doesn't scare the fsck out of you that these are the people who elect the people who will write your laws?

      Citizenship, whether in a parliamentary democracy or a republic with democratically-elected legislative bodies is a two-way street -- if you claim the right to elect your own leaders, you have a responsibility to educate yourself to the point that you can make a rational choice between them.

      I'd argue that if someone's too dumb to operate a voting machine or to ask an election official how to operate one, I don't want them choosing my leaders until they've acquired (ideally) literacy, or (at least) sentience.

      The alternative is that we end up electing our leaders like the way we do jury duty, in which the defendant's fate rests in the hands of 12 people too stupid to figure out how to get out of serving.

      (For the record, I believe that jury duty is an important part of citizenship; I'm describing the present reality that jury selection has degenerated to "You have a college degree and answered the questions in a way that demonstrates you're capable of rational thought. Since counsel for $EITHER_SIDE doesn't think it can bullshit you with emotion-laden rhetoric, counsel therefore strikes you from the jury.")

  • I think her first objection in the "statement on electronic voting" pretty much sums it up. In fully electronic systems there simply is no way for voters to be reasonably sure that their votes are being counted correctly. It's always a Slashdot refrain that anything digital can be duplicated, decoded, or altered. Physical ballots are practically a must. However, I would love to enter my votes electronically and see them printed out on a ballot which I then drop in a box. They don't even have to be encoded -- just print out the names in a certain format. The counting machines can scan the papers (OCR wouldn't even be needed since the choices are predetermined).
    • Actually, there is in fact a way of validating that every single vote was accurately recorded even with a secret ballot in a completely electronic manner.

      Before everyone votes, the federal or state governments assign you a really really large random number. This random number is not correlated with any particular data, a machine just generates them and prints them out.

      This random number is then mailed to every single person who is registered to vote. When you go into vote, you insert your card into the machine and your vote is recorded with your private number.

      If you want to validate that your vote was recorded correctly, you simply hand someone your number anonymously and see what the recorded vote is.
      • This system is great, except that you totally toss anonymity out the window. One of the things that makes voting systems complex is the requirement that, once you leave the ballot box, there is *nothing* connecting you with your vote. With your system, what happens if your spouse opens your mail. You trust your spouse, don't you? What about your parents? What about that nice man up the road who collects your mail for you because you're too old and infirm to do it yourself?

        Sorry, but this is a bad system, and I would argue strongly against its adoption.

  • by mc6809e ( 214243 ) on Thursday September 12, 2002 @07:26PM (#4248172)
    There's so much focus on the tools of voting, that people don't pay much attention to the fact that there are fundamental limits to voting systems themselves.

    For example, in 1950 Kenneth Arrow proved that no voting system is fair.

    This is know as Arrow's Impossibility Theorem [byu.edu] and places fundamental mathmatical limits on what the democratic process is capable of.

    Of course, we have the worst of the worst sort of voting system here with its single-member voting districts and "one man - one vote" philosophy.

    An improvement would be proportional representation. [fairvote.org]

    This can't overcome Arrow's theorem, but its better than what we have now.

    • A great discussion of Arrow's Theorem is in

      Archimedes' Revenge: the Joys and Perils of Mathematics

      by Paul Hoffman in the chapter

      "Is democracy mathematically unsound?"

      It also has has a good discussion of the Beale ciphers and Turing machines amoung other things.

  • With all due respect, she is wrong in some respects: it is possible to create a fully-verified electronic system. Start with completely open code and thoroughly examined hardware, create an audited system for installing the code on the hardware, and make it tamper-evident so that you know the same code is still there when the machine reaches the voting booths. Bootable, hologrammed, serial-numbered CD-ROMs with individual private keys would do the trick. Mercuri is thinking in terms of vendors selling proprietary "solutions", where she's absolutely right: there's no way to verify that what people punch in is what is actually recorded.

    Is it possible? Then why hasn't it been done before? At least in the PC industry, I can't think of a single example of an uncrackable software package... Basically, to develop an immune system would require something on the order of mil-spec hardware and a goverment contract with a single vendor and the mountains of paperwork associated with it. In other words, if the feds aren't going to organize and standardize this project, it will quickly get out of hand.

    The main problem here is that people are using a complicated solution to a very very simple problem: counting! I imagine a compromise system: have a computerized voting thingie that simply prints out the completed ballot for you in an OCR (or MICR) compatible format when you're done voting. Then you have a legal record, no more chads, and the results are verifiable by traditional methods. If the government were to standardize this form of computerized paper ballot, that would allot vendors to create systems at their will, since security is no longer an issue. It's much easier to prevent tampering to pieces of paper as opposed to securing bits and bytes here and tere. Also, the public would be more accepting of such a system, and it eliminates human error from the process, and it keeps the nerds happy.

  • Palladium

    oh wait, then we'd have to trust Microsoft.
  • by mangu ( 126918 ) on Thursday September 12, 2002 @07:28PM (#4248190)
    I was in charge of a voting section in Brazil in 1998, when electronic voting was used in the whole country. I think security is an important matter, and source code for the whole system should be available to all parties. Auditing is a major concern in a totally electronic system. When I was in charge of that ballot, it recorded votes in a flash card, but I suppose that could be tampered, since the system was closed source (the OS was based on MS-DOS, although the application source code was available to political parties).

    As an improvement to that, in this year elections in Brazil a new system will be tried where the ballot prints the vote on a paper which will be shown to the voter through a transparent window, but will not be otherwise accessible before it's cut loose and drops into a sealed canvas bag. Votes will be counted electronically as before, but the canvas bag will provide a way of auditing the whole ballot, if needed.

  • But it really doesn't mean anything since everyone who points out the problems with elections equipment are routinely ignored.

    Purchasing elections systems has nothing to do with quality, trustworthiness or even sanity. It is a political decision made by politicians. There are only two questions for politicians making this decision. Is it cheap enough that I can't get raked over by the cost? Will it help/hurt the people I need to vote/notvote for me in order to hold on to power?

    That second question in particular is the true driving force for all election system purchase decisions. Every politician knows if he needs old folks, poor people, rich people, republicans, democrats, dog lovers, cat lovers and an endless list of possible groups. If the elections equipment is harder for old folks, a politician who needs them will never agree.
  • Fully electronic systems do not provide any way that the voter can truly verify that the ballot cast corresponds to that being recorded, transmitted, or tabulated.

    This may be true, but what about current systems? What happens to your card after you punch it? Voters have no way of knowing if the card they punch is the one that ends up being counted...it all comes down to trust. I would rather trust a nonpartisan peice of open-source software than a group of human beings.

    No electronic voting system has been certified to even the lowest level of the U.S. government or international computer security standards (such as the ISO Common Criteria or its predecessor, TCSEC/ITSEC), nor has any been required to comply with such. Hence, no current electronic voting system has been verified as secure.

    True, this is needed. However, I am sure even current systems are more secure than punch cards. A standard A=1 B=2 cypher is more secure than a punch card.

    There are no required standards for voting displays, so computer ballots can be constructed to be as confusing (or more) than the butterfly used in Florida, giving advantage to some candidates over others.

    She brings up the point that Florida ballots were confusing. Exactly! We ALREADY have this problem with our current methods.

    Electronic balloting and tabulation makes the tasks performed by poll workers, challengers, and election officials purely procedural, and removes any opportunity to perform bipartisan checks. Any computerized election process is thus entrusted to the small group of individuals who program, construct and maintain the machines.

    An open source voting solution would be checked by everyone who had a mind to do it, and if it was non-partisan, than the actual voting procedure would be non-partisan. I would rather trust a computer to carry out a potentially emotional procedure than some human beings.

    Although convicted felons and foreign citizens are prohibited from voting in U.S. elections (in many states), there are no such laws regarding voting system manufacturers, programmers and administrative personnel. Felons and foreigners can (and do!) work at and even own some of the voting machine companies providing equipment to U.S. municipalities.

    Whoa...scary. That gets me thinking. What about the companies that make the punch cards? There could be FOREIGNERS printing those cards!

    Encryption provides no assurance of privacy or accuracy of ballots cast. Cryptographic systems, even strong ones, can be cracked or hacked, thus leaving the ballot contents along with the identity of the voter open to perusal. One of the nation's top cryptographers, Bruce Schneier, has recently expressed his concerns on this matter, and has recommended that no computer voting system be adopted unless it also provides a physical paper ballot perused by the voter and used for recount and verification. Internet voting (whether at polling places or off-site) provides avenues of system attack to the entire planet. If the major software manufacturer in the USA could not protect their own company from an Internet attack, one must understand that voting systems (created by this firm or others) will be no better (and probably worse) in terms of vulnerability. Off-site Internet voting creates unresolvable problems with authentication, leading to possible loss of voter privacy, vote-selling, and coersion. Furthermore, this form of voting does not provide equal access for convenient balloting by all citizens, especially the poor, those in rural areas not well served by Internet service providers, the elderly, and certain disabled populations. For these reasons, off-site Internet voting systems should not be used for any government election.

    Ok, it seems she is grouping electronic systems with internet-based systems. On her site, she says she is opposed to both. I admit I would doubt security of an internet-based approach, but ALL electronic solutions? Todays cryptographic algorithms are very, very secure. Just ask all the distributed computing efforts designed to break them. Once again, compare a modern cryptographic algorithm with a punch card in a locked box. Which is more secure to you? Also, an election only lasts a couple months. Afterwards, votes don't really mean much. People aren't going to crank their supercomputers for 5 years to find out if Mr. Gogfroggls Jones voted for Bush in the next Presidential Election.
  • by banky ( 9941 ) <gregg.neurobashing@com> on Thursday September 12, 2002 @07:29PM (#4248201) Homepage Journal
    I worked for the company that initially developed the device used in Florida. Our company did the UI, for creating ballots, and the reporting system.

    Ready to laugh? Target platform was a C++ CGI running on Windows 95 with Personal Web Server, using SQL Anywhere and Crystal Reports.

    I wish I could write a full article about it, but it would make a lot of people angry.

    And by the way: open code has NOTHING to do with making electronic voting. It's not a code issue. It's not a hardware issue, either. Retirees and people who can't master the 'Start' button run elections. Paper ballots fit their mindset. I know this. I travelled all over the country setting up the system. Most of the places didn't even have networks. And why should they? It was 1998 and they were still running Windows 3.1, or sometimes just DOS (Wordperfect was popular in several precincts).

    You want successful electronic voting? Then don't let your grandmother run the voting machines.
  • by oh ( 68589 ) on Thursday September 12, 2002 @07:34PM (#4248232) Journal
    This recent slashdot story [slashdot.org] links to this article [acm.org] about Ken Thompsons compiler hack. How quickly we forget.

    I would say that have two options.

    • You yourself have disassembled and audited the entire system, including CPU microcode.

    • You yourself have personaly programed, using only hardware (no software) that you yourself have audited, the entire system, including CPU microcode.

    Stick to paper. Maybe scan/count it electronicaly, but keep an audit trail that can't be modified electronicaly.
  • It is not possible to create a system that cannot be tampered with. Just because you think you're clever now, does that mean that in 5 to 20 years, nobody more clever with better technology will come along and be able to break whatever security measures you've thought up?

    On the other hand, it is possible to make a system that is at least as tamper resistant as the current system. In fact, in an earlier posting on a similar topic [slashdot.org], I suggested [slashdot.org] such a system. I haven't done a proper risks analysis, but standard Project Management process would call for one, whether in voting or making a video game.

    This system does not allow for internet voting, but I don't really care about people who can't make it to the voting booth. If they have a good reason, they can find another way to vote, and if they're too lazy, they shouldn't vote anyways.


  • FIX THE FLAG ICON! (Score:2, Informative)

    by geekoid ( 135745 )
    Yes this is off topic, but I have tried emailing about the flag Icon, but I get no respose.
    the American Flag has 13 stripes.
    red,white,red,white,red,white,red,white, red,white, red,white,red.

    I know Information about the flag the represents the very country in which /. is in can be difficult to find, but at least take the 10 seconds it would take to look up what it is suppose to look like, sheeesh.
    • Mod parent up!

      Slashdot is unknowingly showing disrespect to the USA. It doesn't bother me, and it probably doesn't bother most people, but some take that sort of thing very seriously. It is not hard to fix. Please mod that up so it gets some attention.
  • If you're interested in real electronic voting (not just replacing the punch card with a keyboard in the voting booth) I suggest you start reading here [crypto.ethz.ch].

    Open source is not the solution. Good crypto is.

  • Maybe I'm missing something, but the place where I spent a significant portion of my life, Germany, has had pencil and paper voting with manual counting for ages and it works like a charm. The counting procedure is simple: All political parties get together in a room in each voting district and count until they are mutually (un)happy with the result. The results are then forwarded to a central office.

    Since Germany isn't significantly less populated than the US (at least in terms of order of magnitude) I don't quite see why this isn't possible here. Perhaps this whole mess is merely a case of someone violating Donald Knuth's oh so true statement: "Premature optimization is the root of all evil." How about giving good old manual labor a chance?

    • I've lived in several places that used hand-counted paper ballots -- mostly small towns in Colorado and Nevada. Make your mark, drop the paper in the box, and come back in the evening or early morning to see the results tacked to the front door of the court house.

      Given the huge unemployed population, the number of retirees in Florida (where circumstances have caused me to unhappily live these days), I can not understand why they won't use paper ballots and human labor.

      But then again, we Americans do tend to worship technology; the media bombards us with images of the latest and greatest, as if not having a PDA or a new car is the lowest of lows. I ignore such drivel, but it does seem to influence the buying habits of most people.

    • Exactly what I have posted somewhere else in this thread. I'm in the UK, we just stick a cross in a box next to the name of the least-worst guy. Then hordes of people sort all the bits of paper and count them. It takes all night, but we've never had a farce like Florida the other year. While I can see the advantages (and dangers) of online voting, I really don't see the point of using a computer to make a mark on a piece of paper over just giving the voter a pen!
  • It is not possible to "verify" the correct function of any program or hardware beyond the simplest of machines. Punch card ballots come closest to being "verifiable" than anything electronic used for voting. No electronic voting system could ever be proven to be 100% correct O.S. or not.

    Though we live with unverified and unverifiable systems all the time, planes, cars, every PC ever made, they work well enough. But the bottom line is, less complexity means less unreliability. And for that, the punch cards win hands down over ANY electronic voting system.

    Fix the damn buttterfly ballot books, but otherwise the punch card system has been working amazingly well for a long time. It is NOT broken, it does NOT need to be "fixed" with complex and unreliable technology.

  • Many of the criticisms of off-site electronic voting systems, while completely valid in general, are moot in Oregon. We have vote-by-mail here. Thus, most of the putative problems with electronic off-site voting are already here, but at least folks mis-mark ballots and the post office loses things.

    I have always thought that putting a properly-written open-source voting package on a Knoppix [knopper.net] CD and instructing voters to boot their PC off it would solve most of the problems. The advantages would be automatic tabulation of a large percentage of the vote, saving a bunch of p-mail, and clearer, easier-to-mark ballots. Those who couldn't make this solution work could always vote by mail as they do currently.

    For state-run voting kiosks, this also seems a sensible solution. A printer could be added to the system to provide an audit trail.

    What am I missing here? None of this seems hard, and the security risks seem less severe than those of the current non-electronic systems, which as we know suffer from frequent failures and occasional serious fraud. Is it just a question of insufficient experience with "new-fangled" systems? Or is there something deeper?

  • Iowa Works Well (Score:2, Informative)

    by Brown Line ( 542536 )
    My daughter, who has lived in Iowa, tells me that there they use a hybrid system: a simple computer system walks the the user through candidate selection, but punches a card itself. There's still a physical record of the voter's choices, but without hanging chads or overvotes.

    The hybrid system seems to be the best solution. The computer assists the voter, but it does not actually cast the ballot itself. To this lifelong resident of Cook County, Illinois, it sounds like a much better system than either hand-punched cards or a purely electronic system.
  • Simple (Score:2, Interesting)

    by JohnnyGTO ( 102952 )
    Let me check my vote with a key via the net after the poles close.

    Let me download all the votes and tally them for myself.

    Response swiftly to any reported inconsistancies between a voters actual vote and recorded vote, if you get enough then something is fishy (see next line).

    AND smack any voter falsely reporting an incosistancy with a large frozen pike, south florida exempt and ignored.
  • it is possible to create a fully-verified electronic system. Start with completely open code and thoroughly examined hardware...

    Look what Google [google.com] turned up... An Open Source (GNU) electronic voting initiative [samba.org]

  • I'm a big fan of technology, make my living at it, love linux, etc... but I've never been convinced that electronic voting is in any way superior to old-fashioned voting.

    Let me describe the voting system Canada has: You register much as you do here. You show up at the polling place. They cross your name off the list and hand you a hard to forge ballot. You walk behind a little screen, put an X next to the person you want to vote for and stick it in a box. At the end of the day, representatives from each party and the media open the box and count the ballots. The results are delivered in a tree - local place reports to city, city probably to county, county to province. They add up all the results and they declare a winner.

    Nothing about this fails to scale. In other words, a population 10x the size of Canada requires about 10x the number of volunteers which works out to be the same number of volunteers per capita.

    This system seems so much more workable to me, there are so many fewer opportunities for breakdown.

    • Is it Auditable? Yes, keep the ballots locked up and recount them.
    • Is it anonymous? Yes, at least as much as touch screen voting.
    • Is there any software / printers / touchscreens / whatever to fail? No.
    Why do we need millions of dollars of development and plenty of technology to fail when a bunch of pieces of paper and some pens would do fine?
  • by ocie ( 6659 )
    Fully electronic systems do not provide any way that the voter can truly verify that the ballot cast corresponds to that being recorded, transmitted, or tabulated.

    How can I verify this under the current system?
  • In reality, we don't really need electronic voting. The system as it stands now (manual counting of votes) works just fine.

    The problem is in who we allow to vote. The problems in Florida stemmed from an inability by some of the electorat to be able to properly read instructions.

    From that, we can assume that either A: These people are very stupid, or B: These people are unwilling to take the time to make sure they are casting a proper ballot (double check your votes, ask an election offical if you need help, and so on.)

    In either event, these people should not be extended the privlidge of taking part in our democratic process. I'm not saying that we should limit who gets to vote on intellegence, but I do say that somebody must have a basic level of compantancy.

    If, on the other hand, we are going to make concessions for those unwilling to learn basic skills (like punch a hole NEXT to the arrow for the canidate you want), then we need to make concessions for everybody. I missed this last election because I was called out of town at the last minute for business. I had Internet access, and would have loved to vote online.

    But somehow it's perfectly fair to jump through hoops to accomidate some retired person with pleanty of time and very little personal responsibility, but it's 'unfair' (as has been stated in some objections to online voting) to accomodate busy young people with jobs.

  • This has been bothering me for a while...

    What is it about the US system that demand an automated system? Computerized, punch cards, touch screens, OCR -- any of them -- why are they needed?

    In Canada, we use a simple paper and pencil ballot, that you mark off, and deposit into a ballot box. At the end of the day, they open the box, and count ballots. Within an hour votes start coming in, and within a couple of hours enough have usually come in that the winner can be accurately predicted. By the end of the night, all are counted.

    This is a secure, auditable, verifiable, robust system. During counting, each candidate has the right to have a representative verify the count. If there is a dispute about how a ballot is marked, it can be put aside for review by a judge. And in any event, you can always recount. You don't have to worry about hanging chads, or OCR, or layouts not matching up with the location of buttons.

    Why doesn't this work in the States? It can't be the population difference -- since there are 10 times as many people, there should be 10 times as many volunteers to help count. It can't be security (or what ever) -- you can't tell me that an opaque machine is more secure than having both (or more) sides looking over my shoulder as I count.

    I know this is heresy for the Slashdot crowd, but why go for costly, problem riddled, high-tech solutions when perfectly good, simple low-tech ones work as well, if not better?


  • IMHO the best way to make an all-electronic voting system would be to use some sort of smartcard system. If there were a smartcard available that could sign stuff transmitted to it with the user's private key, the voting machine would not be able to change the votes. (the card would have to have an lcd display to verify what you were signing). The machine would still be able to throw votes out, but this could be overcome by a paper list of who voted (much less obnoxious than a paper ballot) or a counter of people entering the voting booth, separate from the main system.

    Such a smartcard would actually be useful for other purposes. It would function nicely as a credit card: you could sign the bill. Nobody could steal your cash without your actual card (or with, if it had a PIN). Nobody could change the charges afterward.

    It would also be great for signing other things, like legal documents.

    That said, such cards are a long way off, unless public-key crypo dramatically improves or smartcard hardware advances rapidly. A 6805 or the like just couldnt handle it.
  • In the year 2000, Florida had some problems with their election returns (tho nothing as massive as the problems of the September, 2002, primary).

    Statistical Information

    In November, 2000, Union County had about 5000 voters distributed amongst 11 precincts, which meant that on average they had about 450 people per precinct. (This is similar to the large county where I live, except that we have far more precincts.)

    By way of comparison, in September 2002, Dade County had 754 precincts; the number of voters and intended voters is uncertain, but it appears to have been fewer than 300000, or about 400 per precinct.

    History in Union County

    During the November, 2000, election, Union used a system where each voter got a piece of paper and a marker. The paper had lists of candidates together with empty check-boxes next to the names. Voters marked their preference and deposited the papers in ballot boxes.

    When the polls closed, the workers opened the ballot boxes, sorted the papers according to the marking for the first race, and counted them. They then shuffled the papers back together, sorted them according to the markings for the second race, and counted them. This sorting and counting was done for each race.

    In November, 2000, the people in Union were in bed by midnight. No one doubted the correctness of their results.

    In September, 2002, Union County employed a system known as ``iVotronic'', details of which are unclear. Unfortunately, only about 2000 people voted in the Democrat primary.

    In September, 2002, Union County had results by 21.00 (9 p.m.) the day after the election. Scale this to a general election (5000 as opposed to 2000 voters), and one can reasonably expect results by Friday afternoon.

    It is not clear that electronic ballot counting is in fact beneficial.

    Part of the September, 2002 delay in Union was due to the fact that the machine counted everyone as a Republican. It was necessary to count ballots by hand. Fortunately, the system did provide for a paper ballot which could be counted.

    Insupportable Speculation

    For Dade, Broward, and Palm Beach, a system of electronic voting which does not produce any paper has several advantages, not least of which is the speed with which a re-count can be done. The same incorrect totals from each machine may be read and re-added in minutes, and no time-consuming counting of ballots is required.

    A properly programmed machine also offers better assurance about the outcome of the election. Dade in particular appreciates this, though there are other counties where voters have made mistakes. In Volusia, for instance, it was necessary in 1996 for the Sheriff to have his deputies correct absentee ballots where the voter had voted for the wrong candidate.

    Much safer, if one wants to affect the out-come in a close race, is to specially program only a few of the machines. The chance of detection is minimal, because testing only selects a very small number of units. The candidate that arranges for the machine to correct 30% of the votes for his opponent, but only on 10% of the machines, and only after the machine has been running for 2 1/2 hours, will be very unlikely to get caught. He's also going to win an otherwise close race.

    The system used in Union in 2000 does not admit of such automatic ballot correction: if a precinct had a certain number of voters, and the ballot box does not contain that number of papers, then you know that Something Happened.

    Knowing that Something Happened is of course not, without more, sufficient. The Sheriff in 1996 received the benefit of the corrected absentee ballots, which were essential to the outcome. I might argue that the knowledge did make a difference: he saw the hand-writing on the wall, and did not run again in 2000.

    Not knowing that Something Happened is of course essential to the security of those who must needs have election results adjusted.

  • Huh? (Score:4, Insightful)

    by autopr0n ( 534291 ) on Thursday September 12, 2002 @08:37PM (#4248542) Homepage Journal
    Bootable, hologrammed, serial-numbered CD-ROMs with individual private keys would do the trick.

    Um, how exactly? (the most obvious question is why you need a hologram, or a CD rom for that matter)

    Of course, since you didn't even provide a process to knock down, just some techno babble it would be impossible to tell you exactly why you're wrong.
  • A pure electronic voting system is always going to have problems, since there's no 'physical' or unchangeable data storage. Entries in a database can always be changed.

    What I would do, if I were in that situation, would be to have the system print out a receipt after you're finished voting. The voter would then be expected to look over the receipt to make sure its correct, and then put in a box. If they're not happy with the receipt, they could put it into a shredder and start over again.

    The counting would be done via scanners, which would be separate from the machine.

    Alternatively, you could just use paper 'fill in the bubble' ballots in the first place.

    There's no reason to use computers simply because they're 'cool'. Bubblesheet ballots work well and have little error. Using a touch screen computer is a waste of money and causes more problems then it solves.
  • Simplicity (Score:3, Insightful)

    by captaineo ( 87164 ) on Thursday September 12, 2002 @08:48PM (#4248576)
    I think the biggest problem you'd have in adopting a digital voting system would be making it simple enough so that most people could understand it.

    I'm assuming that most US citizens (myself included) would probably not be confident in, or willing to adopt, a system that they can't easily understand and trust.

    A pencil-and-paper system is simple enough that anyone can get it - check the box, a human counts it, there's your vote. Even our wacky electoral college system is probably within most people's grasp. But once you start talking about public-key encryption or digital signature algorithms, only a tiny percentage of citizens are going be able to keep up. (and most of that tiny percentage will be white males - providing endless ammunition for politically correct fear-mongering =).

    A digital voting system of the necessary sophistication would be beyond most people's understanding, and thus subject to claims of manipulation. (regardless of the system's actual resistance to fraud)
  • We in Brazil are proud to have one of the world's oldest, largest electronic voting systems. [thestandard.com]
  • During the election fiasco of 2000, Bruce Schneier went into the security side of this in great detail [counterpane.com]. You need human verifiable voting slips, but it can be done, at least for the most part.
  • Hanging chad (Score:3, Insightful)

    by geoswan ( 316494 ) on Thursday September 12, 2002 @09:13PM (#4248654) Journal
    Slashdot readers will remember the worldwide attention was focussed on "hanging chad". Certain Florida counties used automated voting machines that where voters punched out holes in hollerith cards to select their candidates. Gores votes were wildly underrepresented in these counties.

    Well, eleven months ago Douglas Jones [uiowa.edu] submitted an article to the RISKS digest [ncl.ac.uk] pointing to an longer online article that explained in detail how all the spoiled Gore votes arose [uiowa.edu]. It turns out the debacle was completely predictable. It was due to a known artifact of those particular voting machines. One which had caused a scandalous shortfall in those same counties, in a Senate election in 1988.

    Briefly, Jones disassembled an example of the votomatic machines in question. He found that there was a structural bar behind the slots through which the chads were to be poked. Jones's investigation proved that candidates whose holes were to be punched over those bars were practically guaranteed to jam. Whoever designed the ballots laid them out so Gore's chads were directly over that bar.

    Slashdot editor Michael's comment on voting reliability and trustworthiness strikes me as naive. Don't worship the technologoical fix! Michael addresses providing an audit trail for the vote casting and tabulation software. This is not as important as providing an audit trail of the actual votes cast.

  • by Alessandro ( 157191 ) on Thursday September 12, 2002 @11:21PM (#4249170)
    I voted in the Tuesday primary and amazingly enough, I managed to do so with a minimum of fuss. It surprises me that we didn't actually have many more problems. After many years of using punch card voting, the state has inflicted a new computer voting system on us. The majority of the poll workers are elderly people who tend not to be very comfortable with new technology. The Miami Herald reported today that most of the poll workers received minimal training and it consisted of watching a video. If you were going to implement such a system, wouldn't you try it out or test it in a wide scale first?

    Dade and Broward counties, where most of the problems occurred, are also two of the most populated counties in Florida with the highest numbers of elderly and poor people. Imagine implementing a whole new voting system without doing a wide scale dry run. The kind of massive problems that we witnessed here where to be expected. What also wasn't addressed where the kind of organizational details like having enough poll workers of both political parties at each polling place. That meant that some polling places could not open. We still had the usual record keeping problems, registered voters not appearing in the voter rolls and poorly trained poll workers. What is inexcusable is that with a new system being tried out for the very first time they did not have enough techs available to handle the inevitable problems. They didn't even have a good way to communicate to all polling places to stay open an extra 2 hours. Never mind that many of the voting machines were not ready on time and were sent out to the polling places without the right programming. Then strangely enough, the voting machines would not boot properly. Why weren't the machines tested before sending the out on the field? We are not counting girl scout cookies here! What kind of moron would take brand new untested technology and put it out to be managed by poorly trained technophobes and expect less that a complete disaster?

    Before you start giving the poll workers a hard time consider the fact that they had to be at the polling place by 6:00 AM and that they would have to stay till poll closing time. There is only one set of people working the polling sites. There is no second watch. You go home after the polls close. After the last person votes you get to break down the machines and collect the votes and so forth. So conservatively, if the polling window is not extended like it was, the earliest you'd get out would be 8:00 PM. Thats 14 hours minimum. Then you add an extra 2 hours and you have to stay around till 10:00 PM. All this and you only had lunch around noon sometime. By 11:00 PM some of these old folks must have been hypoglycemic!

    The problem is not only with the closed, non-auditable, poorly explained, even worse implemented voting system. Its with the people who picked it and the people picked to organize its implementation. To begin with the Florida government has to be the biggest group of imbeciles you could ever hope to put together in one room (that includes our esteemed governor, Jeb Bush). Their main purpose in life seems to be making other "more progressive" states like Alabama, Arkansas and Mississippi look good in comparison. The only thing more screwed up than our voting systems is our child foster care system, which is also managed and organized by the same group of geniuses in Tallahassee.

    My problem with a closed implementation of a voting system is that I have no way of knowing that the machine recorded my actual vote. I have no way of knowing that the machine simply didn't make up a vote or just make believe it never existed. I know no voting system can ever be completely tamper proof and fraud free. You may not need computers to tamper with an election but they make doing so much more efficient. Some of the polling places with the most problems where in poor black neighborhoods. At some of these only one vote out of thousands cast were recorded. All the other votes vanished into the ether.

    All I want to know is how come Afghanistan, a 4th wold nation in complete ruins, managed to have an election and we cannot.
  • by ArdentCritic ( 608273 ) on Friday September 13, 2002 @12:26AM (#4249385)
    As it turns out, open code and "thoroughly examined hardware" do not a secure system make. The problem is that the code has to get compiled, and it has to run on an operating system, and that has to run on a computer. Even if the code and hardware (if one can examine the microcode) appears to be entirely pristine, Ken Thompson explained in his classic 1984 essay "Reflections on Trusting Trust" (available online, do a Google search) that the compiler that compiled all of that code can be rigged such that malicious code can be concealed. For example: Since the dates of US National Elections are fixed to infinity (they are always the 1st Tuesday in November) and since many voting systems (as well as computer systems) rely on real-time clocks, it is certainly plausible to create a hardware trap that only goes off on election day. And that trap doesn't have to be in the voting system either, there's tallying devices, reporting software, and so on. It's a nightmare. The only sane solution is to rely on a voter-verified physical audit trail that can be READ BY HUMANS in case of the necessity for a recount. There's a lot of ways this can be performed (including one by David Chaum that allows the voter to verify that their ballot actually was entered into the final tallies), and true improvements in voting systems will only occur when this is recognized and the "trust us" mentality (including one that says we should trust the people who will supposedly verify all the open code) is abandoned. Please read the extensive writings on Rebecca's website www.notablesoftware.com/evote.html as well as Peter Neumann's for more information on the subject. And for those of you who are convinced, PLEASE encourage all communities who happened to purchase fully-electronic voting systems to have them retrofitted with printers BEFORE the November general election. Brazil is doing just that, right now, with 3% of the 400,000 voting machines they purchased back in 2000 (more may follow).

Promising costs nothing, it's the delivering that kills you.