Voting Isn't Easy, Even if Cheating Is

The Open Voting Foundation's disclsosure that only one switch need be flipped to allow the machine to boot from an unverified external flash drive instead of the built-in, verified EEPROM drew more than 600 comments; some of the most interesting ones are below, in today's Backslash story summary.

Expressing a common sentiment, reader cmd finds nothing innocent about the inclusion of such a switch:

Diebold also builds automated teller machines (ATM), the definitive model for reliability and accountability.

The AccuVote machines are what they are, not due to poor design or unintentional mistake. They are the result of a deliberate intent to enable fraud on a massive scale. Viewed from this perspective, the AccuVote design is very good. The real problem comes when Diebold realizes that it needs to become better at obfuscation and makes it harder to detect the fraud.

"Electronic voting machines with no paper trail are an insult to democracy," writes pieterh. "That they come with switches to bypass even the dubious 'safeguards' provided is hardly a surprise."

Paper trails, of course, are only as good as the people guarding the paper; readers familar with more recent allegations of vote manipulation may be interested in the 1946 confrontation in Athens, Tennessee (pointed out by reader William J. Poser) between WWII veterans and the election officials.

Reader Soong, though, provides a conspiracy-free explanation for the presence of such a switch:

The ability to boot from different sources is a normal debugging feature, not in itself sinister. Should they have cleaned that up on the production model? Yeah, sure. But verifiability is ultimately a human concern anyway, not a tech one.

It all comes down to who you trust.

If you don't trust the polling place, make the voting machine tamper proof. But then you have to trust the guy who built the voting machine. You have to trust the guy who loaded the software on it at the factory or the elections office. You have to trust the guy who wrote the code. Even if you inspected the code, you have to trust him to give you a binary based on that and not pull a fast one. You have to trust his compiler to give him a binary without compiled in back doors. I feel like I probably haven't listed all the points where this voting machine chain of trust can break down.

Several readers pointed out that voters might better trust the machines as well as the process of electronic voting if regulation were more rigorous; as reader Animats puts it, "slot machine standards are much tighter":

The Nevada Gaming Control Board has technical standards for slot machines. They've had enough fraud over the years that they know what has to be done. Some highlights:

• ... must resist forced illegal entry and must retain evidence of any entry until properly cleared or until a new play is initiated. A gaming device must have a protective cover over the circuit boards that contain programs and circuitry used in the random selection process and control of the gaming device, including any electrically alterable program storage media. The cover must be designed to permit installation of a security locking mechanism by the manufacturer or end user of the gaming device.
• ... must exhibit total immunity to human body electrostatic discharges on all player-exposed areas. ...
• A gaming device may exhibit temporary disruption when subjected to electrostatic discharges of 20,000 to 27,000 volts DC ... but must exhibit a capacity to recover and complete an interrupted play without loss or corruption of any stored or displayed information and without component failure. ...
• Gaming device power supply filtering must be sufficient to prevent disruption of the device by repeated switching on and off of the AC power. ... must be impervious to influences from outside the device, including, but not limited to, electro-magnetic interference, electro-static interference, and radio frequency interference.
• All gaming devices which have control programs residing in one or more Conventional ROM Devices must employ a mechanism approved by the chairman to verify control programs and data. The mechanism used must detect at least 99.99 percent of all possible media failures. If these programs and data are to operate out of volatile RAM, the program that loads the RAM must reside on and operate from a Conventional ROM Device.
• All gaming devices having control programs or data stored on memory devices other than Conventional ROM Devices must:
  1. Employ a mechanism approved by the chairman which verifies that all control program components, including data and graphic information, are authentic copies of the approved components. The chairman may require tests to verify that components used by Nevada licensees are approved components. The verification mechanism must have an error rate of less than 1 in 10 to the 38th power and must prevent the execution of any control program component if any component is determined to be invalid. Any program component of the verification or initialization mechanism must be stored on a Conventional ROM Device that must be capable of being authenticated using a method approved by the chairman.
  2. Employ a mechanism approved by the chairman which tests unused or unallocated areas of any alterable media for unintended programs or data and tests the structure of the storage media for integrity. The mechanism must prevent further play of the gaming device if unexpected data or structural inconsistencies are found.
  3. Provide a mechanism for keeping a record, in a form approved by the chairman, anytime a control program component is added, removed, or altered on any alterable media. The record must contain a minimum of the last 10 modifications to the media and each record must contain the date and time of the action, identification of the component affected, the reason for the modification and any pertinent validation information.
  4. Provide, as a minimum, a two-stage mechanism for validating all program components on demand via a communication port and protocol approved by the chairman. The first stage of this mechanism must verify all control components. The second stage must be capable of completely authenticating all program components, including graphics and data components in a maximum of 20 minutes. The mechanism for extracting the authentication information must be stored on a Conventional ROM Device that must be capable of being authenticated by a method approved by the chairman.

Those standards cover the possibility of an "alternate program" in a slot machine, and provide a way to check for it, with logs and an external program check capability.

The Gaming Control Board of Nevada was asked to take a look at Diebold, and Nevada rejected Diebold equipment as a result.

Voting machines need tough standards like that. They don't have them.

Even if e-voting machines had a spec list that would pass at the Gaming Commission, Midnight Thunder is puzzled that tamper-proofing techniques aren't more evident on the Diebold machines:

Given taxi meters and electricity meters both have tamper seals, you would have thought that these would have visible tamper seals as well. If in doubt you could even have two tamper seals: one from Diebold and another from the voting commission, in order to ensure that both parties are satisfied with the state of the machine.

Several readers are for canning electronic voting for U.S. elections completely. Reader Iamthefallen wants to know

Has anyone answered the question regarding need for automated vote counting in a satisfactory way?

Seems to me that manual counting of votes would be vastly more secure as it would take a huge conspiracy to affect the result either way.

Counting a hundred million votes is hard, counting a thousand votes in a hundred thousand locations is easy.

Similarly, slofstra writes

Sorry, I have never seen the point of these machines. Paper ballots are auditable, user friendly, and if electronics is put into the reporting system, can be counted in a few minutes and submitted. Voting machine are a perfect example of a technology fetish at work. It would make an interesting case study to examine the economic and sociological reasons why we sometimes buy technology that we don't need, don't want and further, serves no useful purpose.

(Augmenting electronic voting machines with a paper record is a frequently raised idea; reader megaditto, for one, asks "Is it that hard to put a thermal printer behind a glass shield?" A similar system is required in Nevada voting machines already.)

Paper ballots and electronic ones aren't the only options, though; lever-based voting machines have dominated recent American national elections. Mark Walling writes

My district switched to electronic- from lever-based. in 2004, at 7:15 when I voted on lever machines, there was no line, and just about as many signatures in the book. In 2005, the line was out the door and around the corner at the same time. The person in front of me took 5 minutes to use the electronic machine. People knew how to use the old machines, and they were reliable. These new things take the old people forever to use, and then they complain that they were hard to read ...

Reader WillAffleckUW suggests skipping in-person voting completely; absentee voting is a good idea, he argues, not only in light of the flaws (demonstrated or alleged) in electronic voting methods, but because

absentee voters get a paper ballot that is not only delivered by a trusted source (the U.S. Post Office) who have a verified date/time stamp — and that the ballots can be audited, traced, and verified — now that is a reason to register permanent absentee.

Not so fast, says reader JDAustin:

I suggest you take a look at the research into the recent Washington state elections done by SoundPolitics.com. They verified close to a 20% error rate in absentee balloting. The signature verification on absentee balloting is no verification at all due to non-verification being done by those who count the ballots. Additionally, the USPS is not a trusted source, they are just another government bureaucracy. The ballots themselves cannot necessarily be traced nor verified — and even when the signatures are completely different, they are still counted. Due to the nature of voter rolls, duplicate ballots are sent out all the time due to slight variation in a person's name, and the duplicate ballots counts are not caught until after the final tally has been done and the election finished. Finally, mischievous government officials can always delay sending the military their ballots so those serving overseas do not have time to get their vote in on time. This actually happened in 2004 in Washington state.

Permanent absentee is not the solution. Neither is electronic voting.

The true solution takes elements of the recent Mexican election to prevent fraud (voter ID cards, thumb inking, precinct-based monitoring and tallying) and combine them with the best paper-based voting machine.

---

Many thanks to the readers (especially those quoted above) whose comments informed this discussion.

Deja vu, the feeling that computers shouldn't vote

[andrewman327]

Again I say to the teeming masses of Slashdot: lever machines [si.edu] are the answer! They have been proven for almost 90 years! I know that many of us /.ers want a computer chip of some kind running Linux in absolutely everything, we need to learn that electronic is not always better.

Don't answer with "use paper ballots"!

[Rotten168]

C'mon, this is what got us into trouble last time. Remember hanging chads and butterfly ballots?

Open Source

[anonymous_wombat]

It should be obvious to anyone on this site that only open source code should be used in electronic voting machines. Undoubtedly, the most distinguished security researchers would all examine the code, and a very high confidence level could be achieved.

Too many hoops...

[tinrobot]

After reading through some of these... it's very apparent that securing these machines is an uphill battle. Do we really want to double seal the machines, tamper-proof the ROMS and secure the machines against a 20,000 volt discharge? Why do we need to jump through all these hoops? it's insane.

Good old-fashioned paper is the solution. It's cheap, it ensures a paper audit trail, and it's counted in public by thousands of real people who witness the count.

Of course you knew that.

Re:Diebold lobbied slashdot...

[TheNoxx]

Beyond the lines drawn for the public by the political parties, there are very few politicians that actually care about those ideals. Woe be it unto the citizen believer of his party that most of his elected officials are there to enact legislation on behalf of his beliefs; the vast majority will vote along party lines for the litmus-test issues (homosexual rights as people, abortion, etc.) as these issues do not affect the majority of elected officials. The majority of elected officials are very, very wealthy and therefore most laws do not affect them. Only flagrant disregard of the law will land a politician in jail, and in that respect, it's almost like crime: only the arrogant or idiotic find themselves in trouble, most of the time.

Every non-partisan issue, mostly those concerning government contracts, business/industry legislation, and the budget rarely fall on party lines. The lines they do fall on are unseen and concern large sums of money and lobbying groups.
Let me put it into the simplest terms: Washington is the evolutionary product of a pool of sharks that use camouflage and obfuscation as chief predatory tactics. Most everyone aside from those with political science majors and those who are very good with them will not have the slightest fucking clue as to 90% of what transpires on the grounds of the capitol. There is simply too much going on too often that is far too subtle for any investigative journalist to know what the fuck.

Diebold machines are kept with those flaws, I suspect, so that both parties can weed out anyone seen as too keenly idealistic, anyone that might upset the corruption so deeply in place that keeps so many people so wealthy, so happy.
On the other hand, one party might've been a bit to bold when they sensed they were losing power, and possibly overstepped the unspoken agreement of how far that fraud would go when during a certain election(s) for the highest office. Of course, the other party is left rather speechless and with no end to turn to, as it would mean a political suicide for all involved.

Just some creative articulation... of course.

Re:Open Source

[mi]

But how will you know, the actual machine in front of you is running the software examined?

Come on, people get fooled by spyware and "phishing" e-mails every day — at their own computer. You expect anyone to detect a problem on a system, they see for a minute or two once in two years?

I really don't care, what kind of systems are used, as long as it is not the same system. And if it happens to be the same, I hope, there is not "central repository" of its results or anything. Because everything, that is centralized, also has a single "total failure" point...

Paper is king

[WillAffleckUW]

I'm a data manager in disease research.

We use paper.

We could have gone to electronic forms with laptops, but there are a number of reasons we don't.

The primary one is user-readability, and verification of intent.

The second one is programming limitations on error checking - what is a permissable response? When dealing with human subjects - and likewise, human voters, one notices they don't always do what you want, but what they want.

Should we have electronic voting machines? Yes. For handicapped people, definitely. But, naturally, those should have a paper audit trail.

But most voting machines would do fine with optically-scanned human-readable paper ballots. In fact, what they don't want you to know is they are just as accurate as the electronic ones, in actual practice.

Now, does this mean the vote is accurate? No, because we're humans. Some people insist on voting for two candidates, or write in Donald Duck. Some people change their minds part way through.

Heck, when I vote, I sometimes decide at the polling place, as I'm voting.

My plan for secure voting, and improving democracy

[PhysicsPhil]

So we know that Diebold is capable of producing secure ATM systems, and that money is the root of all evil in politics, and that we have insufficient voter turnout. So here's my plan for a foolproof voting system. :)

Each polling station will consist of one (1) secure Diebold ATM system, which is capable of accessing the bank accounts of the Republican and Democratic parties. Voters will walk into the voting booth, and withdraw $20 from the bank account of their favourite party. At the end of the election, the party that has received the most votes/withdrawals from their account wins. To cap it off, voters have a new incentive to participate in "the process."

Alternately, the system can be turned upside-down, and people remove money from the account of their least favourite party. Not only does one side win, but the other side is bankrupt!

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Don't answer with "use paper ballots"!

[soft_guy]

That was a problem with punch ballots and bad design. There are no similar problems with scan-tron type paper ballots.

Re:Don't answer with "use paper ballots"!

[Valdrax]

There are more intelligent ways to mark a piece of paper than an easily detachable pre-punched hole.

Re:It's just part of the bigger picture

[Daniel_Staal]

I like it all, except for 'revocation of voting rights' for normal voting fraud.

I don't care if they are a felon, or a muderer, or a kiddnapper or anything else. They can be in jail on death row for all I care. They still get to vote, as long as they are an adult.

Otherwise we have created a way to create classes, 'true citizens' and 'partial citizens.' Which is an enabler of discrimination.

There is no good reason to deny votes to any possible voter. No matter what.

Re:Don't answer with "use paper ballots"!

[warith]

This is "insightful"? The problems you mention are both very easy to fix.

80% of the vote being counted electronically on insecure machines by Republican-supporting corporations with no paper trail... now THAT is dangerous, on a national scale.

Re:Too many hoops...

[tinrobot]

Electronic tallying is useful because it can determine results fast. Very fast.

I'd much rather have confidence in the results than a fast turnaround.

Besides, hand counts don't take that much longer. Canada gets their results overnight.

Re:It's just part of the bigger picture

[geekoid]

Did you know felons can't vote?

I do agree with you 100%.

Now, if companies caught in voter fraud could no longer donate to campaigns, we might be onto something!

Wouldn't solve the problem

[sterno]

Ultimately what this boils down to is a trust issue. If you do not have a physical record of your vote that is impervious to digital tampering, it does not matter how much security there is. With digital voting there will always be the perception that somebody could rig the vote.

In a democracy, the perception of vote fraud is almost as dangerous as the actuality of vote fraud. If we all go into the booth and we all come out convinced that we've had our say and that it counted for something, then even when we lose, we can feel we were a part of the system. If we go into a booth and don't even have that basic reassurance, why go into the booth at all? Why work to change the system if you have reasonable suspicion that the system has been rigged against you in the first place? People in that mindset will either drop out of the system entirely, or seek to voice their feelings through alternative means (violence, etc).

We've had two national elections in a row that were close and had an air of suspicion about them. There are countless anecdotes of votes getting switched on the computers, voting machines dissapearing overnight, etc. Even if there's not actual fraud going on, all of that adds up to a suspicion of the system itself. We can't afford to have that suspicion if we want to remain a democracy.

Re:The rule of rapists and murders?

[mOdQuArK!]

Allowing criminals to vote is an important negative feedback mechanism against bad lawmakers.

One of the classic techniques for a minority to gain control over the law-making system
is to pass laws that prevent criminals from voting (why should criminals get to vote?),
then turn around and pass laws which they can use to disenfranchise the parts of the
society that might not go along with their legislative agenda.

Think about it: if your legal system basically seems common-sensical to the general
populace, then you're not going to have many criminals, and they shouldn't have much
of an effect in any given election (unless you've got a really controversial closely-divided
issue).

If the legislators are starting to run amuck, however, and are passing a lot of laws
which end up making a significant fraction of the populace criminals, then it's important
that the people being affected be able to "push back" against the legal system being
used to oppress them.

Unfortunately, many citizens seem to be content with the kneejerk "criminals
shouldn't be allowed to vote" reaction, and thus we end up with the situation where
more and more laws are passed, more and more citizens are disenfranchised, and
the people running the country represent the general population less and less.

Re:Paper Ballots

[mOdQuArK!]

The idea of printing a readable ballot is good, but you don't want a barcode & the readable ballot since the user can't verify that the barcode says the same thing as the readable text.

OCR has gotten good enough, especially when reading computer-printed output, that the counting machine could read the text part of the ballot without needing some sort of encoding.

Technical Dream Solution Still Wouldn't Solve it

[Oriumpor]

Look, the honest truth is people cheat to gain advantage, so we must expect this, and mitigate it whenever we (as engineers) can. So, as such the perfect Nevada Gaming Comission approved paper trail keeping, encrypted output, design would still be vulnerable to fraudulent paper ballot injection. One candidate (be they crooked or not) would demand a recount, (thinking the equipment faulty) and the paper votes would return a slightly different result in their favor.

You can't trust a citizen to be non-political completely if the vote will affect them in any way. So, essentially you need to pay someone to be your referee. And it would have to be someone who wouldn't be affected at all by the result of the vote.

So by those qualifiers we can't guarantee, ever, that every element of the existing paper vote is secure.

Two copies of your vote, one right after the other, printed and spewed into two different physical ballot boxes. The second box would contain tamper proof seals and would only be opened in the case of a full manual recount by a third party. As well as two digital copies, signed with a hash which was printed on a receipt (and mailed to an email if you like) you could verify against the other copy sent to the national voting database. Might be marginally better.

That way you can count all the votes all night and as the final results are tallied any innacuracies between the national and local databases would have to be rectified before any results were accepted from the precinct with invalid data.

Re:Diebold lobbied slashdot...

[Anonymous Coward]

The only real political party in America: The Incumbents. ( Any other distinctions are purely cosmetic to protect the guilty against accusations of forming a one-party system. )

Fatally Flawed

[CrayDrygu]

So I'm sent home with a barcode that -- from anywhere with internet access -- enables me to confirm my vote.

This same system allows anyone else to, from anywhere, force me to verify my vote to them. Your system is open to a different and entirely easier form of voting fraud -- paying off or otherwise coercing voters. Imagine if I offer to give you money if you come back with your barcode, and I can verify you voted for Bush III. Or, I threaten to break your knees if you *don't* come back with said proof.

Re:My plan for secure voting, and improving democr

[JimBobJoe]

So we know that Diebold is capable of producing secure ATM systems

This is a claim, incidentally, that has been made many times, but not substantiated. The banking industry is surprisingly clueless when it comes to security issues, and I don't think it's a safe assumption that Diebold makes ATMs which are significantly more secure.

I suspect that ATMs simply haven't undergone the level of attention that voting machines have.

Re:Diebold lobbied slashdot...

[cbacba]

Rot grows underneath, out of sight. Nothing is further from view than flash memory. This stupid BS of using voting machines is a plan for corruption and control of the voting process.

The ONLY way honest voting can be ensured is if the actual ballot cast can be checked by the balloter. And that is only part of the solution because fraudulent voting is probably the greater issue - where people are coming in with multiple id's and voting numerous times. Here, shedding light on the subject (like making video records to catch those voting multiple times - followed by criminal prosecutions of those caught)is the only way. That simple purple thumb trick done in Iraq would be vehemently opposed here in the US (and probably permanently put the democrats out of power - at least those democrats who haven't been pretending to be republicans).

As for legislating for us, a properly operating government as envisioned by our founders would have little to no effect on the majority of people. It's been a very long time now that the quip: "No one's life, liberty or property is safe when congress is in session" became a true statement.

While it should be apparent to a thinking individual that most of our societal problems today are caused by government, it's not so obvious as to how much that government is under control of elected officials or of unelected bureaucrats and minions acting in their own self interests.

Unlike the rest of the world, we are faced with a monumental problem. The prosperity achieved in our country has permitted a leviathon government so huge that it could not possibly occur anywhere else in the world because nowhere else has the resources to create such a monster. It is perhaps the first brainless multicellular creature composed of intellegent beings ever to exist, a life form of its own bent on growing and consuming.