Hugh Thompson Answers Voting Machine Security Questions 122
You posted your questions for Herbert H. Thompson, PhD, on November 3rd and 4th. He decided to wait to answer until after the election in case there was a flagrant voting machine problem he could include in his answers -- and there has been at least one, but it is probably not a "security" problem per se, and is a long way from being resolved in any case. So here we go. Good food for thought here.
1) paper trail?
by ummit
This is a really basic question and it seems I should know an answer, but it never seems to be discussed: Why are the electronic voting machine companies generally so dead-set against emitting verifiable and auditable paper records? It can't just be cost, because they could and would just pass that on to their customers.
Hugh: In some states the debate has already been settled in that there is legislation in place requiring a voter-verified paper trail. Verifiedvoting.org has a good tracker of this here.
There are a few points often cited by groups resistant to a voter-verified paper trail. A first argument is that printers can fail. In touch-screen - Direct Record Electronic or DRE machines - printers are often the only components with moving parts (although some systems do have hard drives) which increases the risk of mechanical failure. Printers also bring issues like running out of paper, jams, misprints, etc. Another reason (cited less frequently) is the cost of paper/printing, but as you pointed out, this is a cost that can be passed on to counties.
Some election officials have also made the argument that they've already bought machines that don't have a paper trail and retrofitting existing machines would be costly and painful. I've also heard the argument that having a paper receipt doesn't matter because in most cases they won't be referenced.
I don't think that the sum of these arguments against a paper trail come any where near countering the necessity of having some sort of redundant recording mechanism. A critical system should always failover securely and a voter verified paper trail, if implemented properly, can meet that need for DRE machines.
2) Re:paper trail?
by Thansal
Sort of a follow up, how do the states/districts decide what machine to go with? Is it a standard "go with the lowest bidder", is this why we see such shoddy machines going into action? Do the decision making organizations tend to have specific features they look for? Anything else you would like to share about the decision making processes that you have seen?
Hugh: There are a couple of key things to keep in mind. First, there are only a few main machine suppliers. Second, the Help America Vote act (see http://www.fec.gov/hava/law_ext.txt) provided a ton of money to invest in electronic voting machines within a short (debatably unrealistic) timeframe. Given these two factors, the sales that I've seen have boiled down to readily visible machine elements like purchase price, how many other places have used the machines successfully, deployment cost, maintainability, ongoing service/maintenance cost, personal relationships, etc.
Generally, buyers of this technology aren't factoring in security: the machines pass certification lab tests but the testing doesn't cover security well (or at all). The National Institute of Standards (NIST) is working on certification procedures to address this very problem and the hope is that security will factor prominently into buying decisions made in the future. Hopefully existing machines will be retrofitted to meet those new standards too.
3) Largest Inherent Flaw?
by eldavojohn
In your opinion, what is the largest inherent flaw within electronic voting systems today? Diebold's been in the news for having many potential problems ranging from securing the physical hardware to the ability to hack the software or firmware. I'm sure you're quite prepared to pose a case against implementations but can you think of a more intuitive scheme (encryption, network layout, verification scheme) to protect against "hacking our democracy?"
Hugh: The biggest problem with e-voting isn't technical; it's procedural. Ignoring the perennial social voting issues (voter suppression, dead people voting, etc.) there's no real guidance given to elections administrators on how to safely and effectively use electronic voting equipment. If one has no idea what a memory card is, why would you bother trying to secure it?
One glaring example of bad procedure is 'sleepovers', a practice where voting machines are sent home with poll workers before an election to make the process of transporting them to polling places on election day easier (see http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9002204 for some info on this). If one were dealing with a box to hold ballots, 'sleepovers' wouldn't be a problem because the morning of the election a group of poll workers could inspect the box and verify that it was empty (including the old false bottom trick; see 'Stuffer's ballot box' at http://americanhistory.si.edu/vote/paperballots.html). If election officials knew the risks of tampering with some of these electronic voting machines (just search Slashdot for 'e-voting' for examples) then a voting machine sleepover suddenly seems like a pretty bad idea.
Right now we're at a point where election supervisors and poll workers are given a technology that they don't understand with little or no guidance on how to use that technology safely and securely. That's a recipe for serious risk, for voting or anything else.
4) Here is my question...
by Noryungi
Let's assume for a moment the 2006 US House/Senate election goes this way: Republicans keep control of both through a series of smallish victories, Democrats gain a few seats, and the results are explained away in the mainstream media as "fluke results", "margin of error", etc...
How do you prove that foul play (hacking) has been involved?
Do you even have a plan in place to check the results?
Please note that this is a very serious question. There was a saying, a few years back, that said a novice hacker is someone known in a small circle, a confirmed hacker is someone who is known all over the Internet, and a great hacker is someone who is totally invisible.
What if the election was subtly hacked, in a way that left lingering doubts (51%-vs-48% kind of results and all that), but no solid proof?
Hugh: First it's important to define e-voting security as a technology issue and not a partisan politics issue; what we've seen so far has been bad software and bad procedures to administer that software. Given the types of vulnerabilities that have been found, proving (and sometimes even detecting) foul play can be very difficult if the malicious person is skilled and the effect is minor (meaning a small percentage of the actual votes cast). For the types of vulnerabilities uncovered in some of the touch screens, optical scan readers, and backend tabulation systems, exploits can be written for some of them that are 'self erasing.' This means that the last executed bits of code can change things so that it looks like the original which could make slight tampering difficult to detect or prove in purely electronic systems. I think this argument speaks to the need for a voter-verified paper receipt so that there will be at least a good answer to the recount question.
5) OSS?
by Xzzy
Does the HBO show spend any time discussing the three "sides" to the debate? E-Voting, open sourced e-voting software, and paper voting? The last Slashdot article on this topic, when Diebold's complaint was announced, spent some time on this. The worry being, the debate is nothing more than "e-voting good" or "e-voting bad", ignoring the possibility that "open source e-voting" might be a viable middle ground.
How do you think open source could fit into this issue? Or should it?
Hugh: When it comes to voting, I'm not sure if it's a matter of open vs. closed source but instead a matter of standards and inspection by people who understand security. I'd be a fan of any solution, open or closed source, that allows trusted, knowledgeable, and independent software and hardware security practitioners the ability to inspect the systems and the code that runs them.
For example, I believe that there should be some sort of standards organization that is chartered with inspecting the system AND has proven security expertise to act as a representative of the people. For airplanes we put faith in FAA and airline carrier safety and security inspections. This kind of process has worked pretty well for a long time for machines that we place our trust in like airplanes, elevators, etc. but we're still a long way away from it in voting unfortunately. If the voting systems were open source, this may come automatically as a function of the 'citizen inspector' and might get us to where things should be faster but I think its still possible in a closed-source environment.
6) Pen-and-paper voting
by NetDanzr
What, exactly, is the argument against pen-and-paper voting? It seems to me that everybody wants to migrate to voting machines - electronic or mechanical - but so far nobody has explained to me what's wrong with good old-fashioned "put an X next to your candidate's name" voting.
Hugh: There are some pretty interesting (and legitimate) drivers behind e-voting and I'll go through the biggest.
The first is a push for disabled voters to be able cast their ballot using the same mechanism as able-bodied voters in a non-assisted way. Many states have mandated that machines must be able to service blind and illiterate voters and section 301 of the Help America Vote Act (HAVA)requires that such facilities at least be available (see HAVA section 301 from http://www.fec.gov/hava/law_ext.txt). Most touch screen machines do this through audio output to a headphone jack.
Another driver is the desire to capture voter intent unambiguously. Every year thousands of votes aren't counted because there's some ambiguity in how the voter intended to vote. In pen and paper voting, someone can put Xs (or shaded-in ovals) next to two candidate names instead of one or make a stray mark on a paper ballot which may lead to some late night debates involving lawyers and magnifying glasses. One of the hopes for e-voting was to drastically reduce voter intent ambiguity by guaranteeing that someone couldn't vote for multiple candidates in the same race simultaneously.
Efficiency (theoretically) has been another driver, more so in counting than in the actual voting process itself.
The sum of these present a good case to at least rethink pen-and-paper as the answer but, as with any new system, care has to be taken that the solution fixes more problems than it creates.
7) Why is it so hard?
by gorbachev
As a software engineer I'm constantly amazed at how incompetent Diebold and other companies making e-voting applications appear to be. This stuff is not rocket science at all, but fairly uncomplicated, basic software engineering.
Why do you think it's so hard for Diebold and other companies to come up with solutions that work well? Is it a stubborn unwillingness to listen and learn from critics, sheer incompetence, or something else?
Hugh: We've certainly seen some pretty glaring security problems in voting machines that span touch screens, tabulators, and optical scan devices. We've really seen problems across vendors too. The biggest problem I think is that there's no real economic driver to make the systems more secure. The people that buy voting machines typically haven't discriminated based on the security quality of the machines because they have no visibility into it. It's like buying a car without something like consumer reports crash test ratings. Unless someone actually starts looking at machine security and comparing it then we're left to making buying decisions based on qualities we can see like purchase price, market share, and whatever unsubstantiated thing the vendor wants to tell us about features and quality. Even given some of the vulnerabilities that have been found, and supposedly fixed, we're still no better off. If you determine that company X has vulnerability Y in one of their voting systems who's to say if the competition's voting system is any better or worse? We are at the point now where we know the systems that have been looked at are sub-par with respect to security and hopefully that's enough to spur consumers (counties that buy the machines) to start asking some tough questions to vendors about security and get us to a place where they can factor security quality into their buying decisions.
8) On Open vs. Closed Networks
by the-banker
It has always seemed to me that the real Achilles heel of e-voting is the networked approach that most vendors have taken. With a networked approach, fraud can be perpetrated on a mass scale if entry is gained at one weakness.
As a former election judge, I have enough experience to know that rigging a paper election is a daunting, nearly impossible task, as there are literally thousands of ballot boxes that would have to be compromised for any sort of advantage (on a state or national scale).
Are these concerns balanced (or even discussed) when officials are purchasing equipment? Do local Board of Elections have not only the expertise, but the concern to ask the right questions? And how do BoE directors react when they hear about your concerns and research?
Hugh: I agree that networking machines together is a serious risk certainly from a scale-of-attack perspective and unfortunately some counties continue to modem in results from polling places using procedures that are insecure.
I think the bigger issue is visibility and awareness; election officials just aren't given procedural guidance on how to administer the systems securely. The result is risk and I think many of these risks aren't weighed with the proper magnitude by election officials because it's unfamiliar territory. I think that most Board of Elections officials are good people who want to do the right thing but just don't know what questions to ask vendors about security and don't know how to interpret their answers. This isn't just a problem in voting, it's a problem with software security in general and I think it's important that if you're investing heavily in a software-based solution that you ask hard questions about security. I think a good starter set of questions to throw at software vendors (voting or otherwise) is:
- What process improvements have you made as a result of vulnerabilities reported in your software?
- What is your patch release (or update) strategy?
- Have you had an external (and reputable) security auditing or penetration testing firm evaluate your system? Can we see a summary of their report?
- Can we have our own security auditing firm evaluate your system?
- Do you have a dedicated team to assess and respond to security vulnerability reports in your products?
- What is your vulnerability response process?
- What training do your development and testing groups receive on security?
- What percentage of your test team is focused on security?
- What are the terms and period of your security support agreement?
- Do you offer security training, documentation or guidance to people that will be operating your system?
9) The greatest threat to e-voting?
by sharkb8
Do you think the greatest threat of an e-voting system being hijacked is during the voting itself, with one or more people influencing things at the polling place, during the processing, with untrained, nonaccountable poll workers and supervisors, or do you think a greater threat would be someone maliciously attacking an electronic vote counting repository/database?
Hugh: In terms of attack, the greatest risk is still probably a people risk; and that has existed for a long time. The concern with e-voting is that some of the vulnerabilities found make it so that the number of folks that would have to be involved to tamper with results is fewer than before and that their efforts may scale. From that perspective I think there's risk at each stage of the process from how voter registration databases are stored and secured, to how they are cast on election day, to when they get aggregated at the central tabulator. The 'riskiest' piece of the process actually varies from state to state and county to county based on the procedures they have around security. In some places the biggest threat may exist in registration databases that are stored on unprotected servers. In other counties risk may come from poll workers that election officials know very little about who are allowed to take voting machines home the night before elections to make the setup process easier the next day. In others, the biggest risk might lay in the central tabulator which is housed in an unlocked room, where many people enter and exit throughout the day.
Many of these risks could be reduced by poll worker training and procedural change on how machines are operated and secured.
10) Is the Harm Really that Great?
by logicnazi
I am saddened and dismayed by the poor engineering and ignorance of basic security practices that our electronic voting machines show. However, is this really something we should panic about or even the biggest problem in our election system?
All voting systems are vulnerable to fraud. What makes these electronic systems different is that one or a very small number of individuals can engineer a fraud. However, their ability to execute a fraud is limited by the media polls (we will suspect something if the results are inexplicably different than polled) and knowledge of precinct history. Thus the danger from individuals changing the vote seems to really be that they will shift a close race (say 10% apart) one way or another.
However, this sort of shifting close races doesn't greatly degrade the structural force of voting. All candidates will still try to enact policies to garner support whether they need 50% of the votes or only 45%. Much of voting is random, affected by things like personal charisma rather than policy questions so clearly the system doesn't work because we always have the person who 50% want but rather it works because of the structural pressure not to stray too far from what the people want. Or to put it in political science terms, what does all the work is the tendency of all candidates to shift to the middle so in the long run who actually wins each race isn't so important.
But now comparing the potential for electronic vote fraud to things like machine politics (with conventional ballot stuffing), safe districts, voter disenfranchisement efforts, felon lists etc.. etc.. it doesn't seem like it is such a big deal. Making sure the polling places in the inner city don't have enough machines has a much bigger structural effect, by making sure one group's votes don't count at all, than just giving one candidate a random 10% of the vote. Creating a safe district removes virtually all of the structural pressure of voters on government and it seems far more effective and less dangerous to accidentally strike the wrong people from the rolls or put too few voting machines in some precincts.
In short are we letting our concern over the technology of voting blind us to the bigger issues? Shouldn't we be paying more attention to who gets to vote, how districts are drawn and other conventional aspects of voting than to the potential for individuals to electronically cheat?
Hugh: I think that the flaws we've seen with electronic voting are only a piece of the problem and that the largest issues we have in voting are people ones. The technical flaws, though, may amplify some of the classic people threats. As you pointed out, some of the vulnerabilities may allow a malicious person's actions to scale or may mean that a smaller number of people to have a bigger influence. Even just within the space of e-voting security I'd argue that many of the risks that come from machine vulnerabilities can be greatly reduced if we had some sound broad procedures/education around using and administering the machines securely.
The voting process has always posed some significant challenges. E-voting security is a small piece of the larger problem. It is a piece that we know we can do something about, though, by establishing some basic security assessment standards for the machines themselves and some procedural and education standards for those that administer elections. The biggest sin would be that e-voting vulnerabilities merit a prominent place on the laundry list of voting problems in years to come. I think we're at a point where some simple things can be done to move it off that list and I hope that some of the standards efforts that have begun now in earnest get rolled out so attention can be focused on other ongoing voting challenges.
The Democrats Won (Score:1, Insightful)
When the Republicans win again, it'll be a story again.
Re: (Score:1, Informative)
Re: (Score:3, Interesting)
I have heard "they're better for blind/disabled"...and I don't believe it for a second. How do you measure this? Do blind and disabled voters agree?
I have heard "faster totals"...yeah, but - is fast better than accurate?
I have heard "saves printing costs" - at the expense of having to hire more tech-savvy voting machine attendants?
I'm not convinced at
Re: (Score:3, Interesting)
and if a person is completely blind, how in the name of whatever Deity you believe in is a touch screen that they can't see going to help?
and just how disabled are you if you can't put an X in a 1.25" circle? even if you have tourette's or something and you screw up your ballot, you can get a
Re: (Score:2)
The blind voters won (Score:2)
and if a person is completely blind, how in the name of whatever Deity you believe in is a touch screen that they can't see going to help?
A Diebold HAVA-capable machine audibly reads the whole ballot and choices to the blind voter using a headset. The voter presses their choices into a keypad with a dimple on the #5 key. While the process takes much much long
Re: (Score:2)
Megamods; and even if blind voters can't use the same paper ballots as sight-advantaged (is that PC enough?) voters, wtf cares? Braille isn't the same "mechanism" as print, so why don't we re-invent the book in order to enable blind readers to read using the same "mechanism" as sight-advantaged readers? OK, I guess I just opened a can of worms.
Re:The Democrats Won (Score:5, Insightful)
This is a very widely accepted fallacy. As the size of the voting body rises, the chance of a perfect tally falls very quickly towards zero. Voting with any large group is a statistical process, not an exact one. Like any statistical measurement, there is a margin of error. The quality of the voting apparatus and process is only important in that it dictates the margin of error. Anytime the margin of error is greater than the margin of victory, the only sensible action is a runoff election, NOT a recount. If the margin of victory is consistently smaller than the margin of error, then perhaps we need to consider a compromise solution (e.g., scrap both candidates and start over) instead of sticking with the current "winner takes all" scenario, which pretty much guarantees that 49% of the population will be unhappy.
I'm in favor of new technologies if they can provably reduce the margin of error by a significant amount. But really we should just acknowledge that all voting systems are imperfect, and redesign our election system around the inherent uncertainty.
Re: (Score:2)
"This is a very widely accepted fallacy. As the size of the voting body rises, the chance of a perfect tally falls very quickly towards zero. Voting with any large group is a statistical process, not an exact one."
On the contrary, the probability that we can correctly tally all tallyable votes - "a perfect tally" - is very close to 1.
You seem to misunderstand the function of elections. An election is not simply a poll to determine the preference of
Re: (Score:2)
That's how things are now, but I still believe we should strive for perfection and can approach it.
Sure there will always be opportunity for error, but in a properly designed E-voting system,
if there is error, the system should provide an accurate measure of how big the error was and whether it affected the outcome.
The errors that will always remain are those related to who was eligible to vote, etc. -- but once a vote is cast, it shou
Re: (Score:1)
If a touch-screen experience is really that desirable, let's have a touch screen machine that spits out a human-verifiable paper ballot (and no thermal paper that fades after 30 days either!). The fact is a properly filled-out paper ballot is still the gold standard for verifiability.
Re: (Score:2)
Theoretically, an e-voting system should be faster and more accurate than punch-card or optical scan systems. For example, the contested votes in Florida in 2000 were counted a zillion times with a different answer each time. Some of this was due to vote ambiguity, and some was due to error on the part of recount officials - both of which can be alleviated by a properly designed e-voting system.
The problem is that the e-voting compani
Re: (Score:2)
Besides, what better way to silence the forces of democracy than to allow the other side to
Secure tallying (Score:5, Interesting)
What I'm envisioning is some kind of method where votes can be tallied, and the running tally can be periodically published during the count. I imagine it would have some kind of hashing technology, like PGP, where tallies are perhaps encoded in a string, and the string is published. The hashing token, or whatever mechanism allowed a vote to be legitimately added to the tally, would be passed from one voter to another, after they voted. This puts the power to count votes into the hand of the voters, rather than a poorly-trained election volunteer, a partisan, or a hackable machine. Because of the constraints of the token and hashing, a voter can only vote as they are allowed, without destroying the tally hash string.
Unfortunately, this is [X] a highly technamalogical solution, and while it might be possible, it would be difficult to get people to understand, and thus endorse it.
Re:Secure tallying (Score:5, Interesting)
Some places already have partial solutions to this problem. What follows is specific to Wake County, NC; your laws may vary:
At poll closing time, the optical-scan machine prints multiple copies of a totals tape, showing total ballots cast (which bloody well needs to match the number of authorization forms issued), and totals for each race.
Two of these results tapes go back to the BoE by different means (in addition to the scanner sending in its results electronically). A third is posted at the polling place.
Therefore, you can check up on the official, precinct-by-precinct, certified results by going around to the precincts and copying down these numbers. If the official tallies differ by more than the number of absentee and provisional voters in the precinct, there's a problem.
This will catch central-tallying anomalies (like someone hacking the central database). It doesn't catch problems with the individual precincts' scanners, but some random percentage of those are hand-count audited after each election to check up there.
Re: (Score:2)
Re: (Score:2, Insightful)
Re: (Score:1)
And this is one of the biggest reasons why people think that the election in Florida in 2006 was fixed.
For 50 years(or however long they've been doing it), exit polling has been an excellent indicator of how people actually vote. Now why, after 50 years(?) would the system all of a sudden fail? And we're talking multiple pollsters,
Re: (Score:1)
But I've had an idea for some time for "open vote counting":
My e-voting system would be:
At the time of voting, the voter gets a receipt that shows who he voted for. The printer is an impact printer, loaded with 2-part paper. The carbon is retained by the printer.
The night of the election, the county publishes, on
Re: (Score:2)
That's called getting out the vote. I see no problem, legally or ethically, with encouraging people to go out and vote. These 'reinforcements' have to be registered to vote ahead of time, in a specific precinct. You can't just shuttle in voters from anywhere. One person, one vote. As long as it's not voter intim
Very good (Score:1)
Comment removed (Score:5, Insightful)
Anonymity (Score:4, Insightful)
The federal government could fairly easily create a webserver with logins for 300 million people. Each person would be given a userid and password. This could be sent in the mail or given online after supplying social security number and birthday, etc.
Congratulations. Now your vote is tied to your social security number. The whole point of a ballot box is that the votes are uncorrelated with the voters. The total number of votes == the total number of voters, but we don't know who voted for whom.
As to your other questions? Do you really think stretching out the vote for a week or month will increase accuracy? I have my doubts.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:3, Interesting)
> are uncorrelated with the voters. The total number of votes == the total number of voters, but we don't know who voted for whom.
The votes wouldn't need to be tied to the social security number, only the account would need to be. Have the server randomly generate voting pages where the options (A,B,C) each represent a candidate or party on a random basis (on my ballot A is democra
Re: (Score:3, Insightful)
It doesn't neccissarily need to be open source (as in, the source is legally available for reuse) but it most certainly needs to be revealed source.
Re: (Score:1)
This is a serious question.
Re:Anonymity (Score:4, Insightful)
The paper ballot/hand counting system is trusted by voters because they can see the process that is going on with their votes, and for all it's flaws, at least it's not a black box where some magical incarnation happens and the winner is announced with no assurance that anything was legitimate except the politician's word.
By exposing the whole process, end to end, you have the equivelant openness of the paper ballot system. This has nothing to do with open source, which is about the free use of code... it's a stupid vote tally system and open sourcing it almost as silly as open sourcing "hello world" as any first year CS student could write one. This has everything to do with visibility and accountability for the process.
And I reject that my ideals do not match the mainstream. The mainstream doesn't have this issue with things like ATM machines, for they can directly audit every aspect of the process of counting their money without needing to see the source code of the ATM machine. They cannot directly audit the voting process and verify accuracy, hence the need for more open procedures. The fact that the issue is popular enough that HBO runs specials on the untrustability of the process leads me to believe that making the process visible is not "catering especially to me."
but open source is visible (Score:2)
Re: (Score:2)
Open source is the concept that source code can be *reused* by the recipient under the conditions of the particular licence. I don't think that companies contracted to provide machines should neccissarily be forced to open their code to reuse by 3rd parties and thereby creating new competion for themselves. That said, I also don't think open source code for elections is a bad idea either. The concept of open source is different from the concept of visibility of the source code and the 2 concep
Re: (Score:2)
Re:Anonymity (Score:5, Informative)
That's why this will never happen. Nor should it, voting should be completely private, there should not even be the slimmest chance that your vote will be recorded as belonging to you.
Re: (Score:1)
Here in the UK the voting slips are in numbered books and are ripped out and given to you. The Poll clerk then writes your voter number on the stub. Many tales of Special Branch (the more politicized police) turning up at town halls after the election and picking up the piles of communist/facist/socialist voters to be check
Re: (Score:2)
Re: (Score:1)
Re: (Score:2, Insightful)
Re: (Score:2)
Re: (Score:2)
Sadly, that's not the case. The district in which I live still uses the 30+ year old lever-based voting machines. ID is not required, but verifying your signature in comparison to that on the voter registration form is. The pollster then writes a number next to your name. That number is how far in line you were. I know what my number was, so do the pollsters, and it's written right next to my name on the register, and that c
Re: (Score:3, Insightful)
Re: (Score:2, Informative)
Re: (Score:2)
Re:Why not have voting over internet? (Score:5, Insightful)
I believe the theory behind the law is to avoid gamesmanship and discouraged voters if the results are announced before voting finishes.
>Why do we need to congregate at designated areas?
Because coercion and vote buying is part of the threat model. Go into a booth where nobody can see you vote and both threats are mitigated.
>I can do my banking securely online, why not vote?
You can't, not in the age of phishing. Further answer from Bruce Schneier's blog: One of the dumber comments I hear about electronic voting goes something like this: "If we can secure multi-million-dollar financial transactions, we should be able to secure voting." Most financial security comes through audit: names are attached to every transaction, and transactions can be unwound if there are problems. Voting requires an anonymous ballot, which means that most of our anti-fraud systems from the financial world don't apply to voting. (I first explained this back in 2001.) [schneier.com]
>I just don't see security being a huge problem.
Stolen passwords, shared passwords, forgotten passwords, keyloggers, mysterious 500 errors, undue influence applied to vulnerable voters, difficulty in reaching poor or highly mobile voters. I'd go on but I have to run an errand.
Re: (Score:2)
thats been the argument about diebold, and your response is correct: even the ATM isn't all that immune from simple attacks.
http://www.theregister.co.uk/2006/11/18/mp3_player _atm_hack/ [theregister.co.uk]
but, casting your ballot by US mail has to be a greater concern than casting your ballot by internet. Despite all the 3 envelops, signed sealed... that introduces 10 ways to disqualify/discard/... a ballot, with no notice if/why feedback to the voter.
it does seam obvious
Re: (Score:2)
The only real difference is in our minds. We think that voting serves the same purpose that armed rebellion used to serve back in the day. We think that we can replace our leaders by voting if we don't like them.
Re:Why not have voting over internet? (Score:4, Informative)
Oregon uses vote by mail, and other states do have absentee ballots, so this process is (somewhat) available, depending on state law. An interesting side effect is that there is no campaign climax if people are voting over a two week span. Essentially, some people are choosing to vote without all available information, because they're voting before the campaigns are over.
The federal government could fairly easily create a webserver with logins for 300 million people. Each person would be given a userid and password. This could be sent in the mail or given online after supplying social security number and birthday, etc.
Secret ballots allow two important things: safety from coercion, and a prevention of the selling of ones vote. You can't be coerced if your vote is a secret vote with no receipt, and you can't sell a vote if you can't prove you actually voted the way you sold. There are some cases where people don't vote in secret -- see the question above, as well as instances where people with a handicap (blindness, for example) are assisted with their vote at the polling place. But, the vast majority of votes are cast in secret. Voting online prevents these guarantees, as well as guaranteeing that the person who cast the vote is the same as the person with the right to vote. Admittedly, this guarantee isn't 100% for meatspace voting, but the threshold is generally pretty high, and the chances of getting caught -- with a police officer right outside the door -- are high enough to keep nearly all people from becoming impostors in meatspace.
Furthermore, the diffuse system we use to collect and tally votes helps to prevent a single "hack" swinging an entire election. A single person would have a hard time stuffing a ballot box to swing a major election with paper ballots; a networked election, however, doesn't have that safety.
Finally, voting is a states rights issue -- with the exception of some specific issues like race in Constitutional amendments. Therefore, the US gov't can't make rules or collect votes for the states without each state's consent.
Your last point, that
I just don't see security being a huge problem. Every single voter could self-monitor that their vote counted by logging back in to make sure that no hacker had changed their vote.
has tremendous problems. (1) What if my vote was changed and I claim it was changed? (2) What if my vote wasn't changed but I claim it was changed? (3) How does this guarantee against any other kind of tampering, incorrect addition and subtraction, etc.
Voting on a network is putting all your eggs in one basket, and so is generally a terrible idea.
Re: (Score:1)
Re:Why not have voting over internet? (Score:4, Insightful)
I.E. store my vote, but never attach my vote to my name in a way that is visible to anyone, unless it is necessary due to allegation of fraud or mistake?
So is it attached, or isn't it? If it is, then I have to trust my government -- a government I may be trying to vote out of office -- to not look at how I voted and take reprisals. If it isn't attached, then how can it be audited? If it can't be audited, that throws out an advantage of the proposed system.
Federalism:
I'm arguing policy, not law. A constitutional amendment can quickly change the law, nevermind voluntary adoption by all 50 states.
You can't have the policy without the legal framework, and no constitutional amendment can be adopted quickly, by design. Furthermore, I'd argue that the diffuse, states-rights system we have now is superior to a federal voting system, precisely because it does help prevent the federal government from undermining the democratic process itself.
"What if my vote wasn't changed but I claim it was changed?"
Then you are a liar, and we will look up the records and see. Fraud = prison.
So if my vote gets changed, I blow the whistle, and I can't prove it... then *I* go to prison. This seems like a perfect system for a totalitarian government. You vote the way *we* said you did, and if you say otherwise, to the gulag!
"Voting on a network is putting all your eggs in one basket, and so is generally a terrible idea."
This is the only argument you make that I am at all persuaded by.
But I still think we can make it work. The likelihood of an UNDETECTED hack is low if you have webservers run by skilled people, right?
Low isn't good enough, if one hack can wreck massive havoc on an election. The distributed, non-networked system we have now would require a massive conspiracy to have significant odds of changing the outcome of a presidential election. State elections have similar protections because each town has a different counting system, unlinked. A networked system requires you to trust that the sysadmins are always superior to all outsiders, and are above being influenced. I'm not so sure I'm happy about that system, especially given that most people simply don't know enough about systems administration to have faith in the entire framework. Most people do know how to count, which means that they can audit a paper trail ballot even if they can't be sure the initial count is correct.
Re: (Score:2)
Fair questions, all three. (Score:2)
There are few companies making a significant majority of voting machines in tUS, which is a problem. However, many of those machines do have paper trails, either via optical scans, paper-trailed electronic machines, or otherwise. So long as those paper trails can be audited, the chance of a single entity (in this case, the voting machine manufacturer) swinging an election is extremely low.
This is, of cours
Re: (Score:2)
Why do we need to congregate at designated areas?
I can do my banking securely online, why not vote?
Why not have online voting?
Because the day we have online voting is the day I come to your house, put a gun to your head and demand you vote for George W Bush. At least at the polling place, there are poll workers to ensure that no guns make it in, and no reliable reciept makes it out.
Have a look at Three Ballot Voting [mit.edu]. Now, there are several [princeton.edu] critiques [princeton.edu] of Three Ballot
Re: (Score:2)
Re: (Score:2)
Of course it is. Because the 98 yo vet has to put his signature on your ballot, and he's not going to do that if there's hanky-panky going on.
Re: (Score:2, Interesting)
The whole process took 10 minutes from walking in
Re: (Score:2)
Pregnant chads. Don't you remember?
Re: (Score:2)
Re: (Score:2)
Wait, you say, most states already allow voting over serveral months, from anywhere, from people who may not even be alive, with little control over whether the vote was bought
Re: (Score:2)
Re: (Score:3, Informative)
Why do we need to congregate at designated areas?
I can do my banking securely online, why not vote?
Why not have online voting?"
There are some institutions in our society that have a vested interest in lower voter turnout.
As far as your first concern, your best bet would be to start a petition for a constitutional amendment. The US constitution calls for elections on the first Tuesday after a Monday in November, so that needs to be amended to have voting at
You trust your banking because the bank (Score:3, Insightful)
Re: (Score:2)
Internet voting has been pretty much dismissed for the near future until the security/availability/connectivity issues have been resolved. As it stands now, would you trust it?
The voting period could span several days or weeks, instead of hours.
I've never quite understood this. Between absentee voting, early polling at a central location, which most cities do, and the half-day or more that polls are open, how is it that people don't have the time to vote?
The federal government
Re: (Score:3, Insightful)
In asking all your questions and speculating on how easily you could design a secure voting system, you have forgotten the most important property of free and fair elections.
They are conducted by SECRET BALLOT.
SECRET BALLOTS are ESSENTIAL free and fair elections.
If it is possible to check how somebody has voted, it will become easy to apply pressure on people to vote a certain way. For example, wives will tell their husbands how to vote and check over their shoulder as they c
Re: (Score:1)
Critical Attention RE: your voting account! URGENT (Score:1)
We regret to inform you that due to a recent systems error, your voting account information has been lost. In order to prevent your removal from the system and inability to vote, we sincerely ask you that you verify your identity by reply to this email with your full name, voting account number (Social), your voting password, and your address.
Thank you, Voting Accounts Administration Department
Re: (Score:1)
Re: (Score:1)
Re: (Score:1)
Federal government doesn't, and probably shouldn't handle elections. I'd much prefer to leave that to state and counties.
I don't like the internet solution very much. You have an anonymity problem that people have already mentioned, you have fairly serious security concerns too, and the computer access issues. Just like what Hugh mentioned above. A central server containing all this information has the
Re: (Score:2)
Re: (Score:1)
Distributed Democracy. P2P, PGP signatures, electoral lists.
Vote from anywhere, anytime, on anything.
backing up with "paper trail" (Score:3, Insightful)
I have decided that instead of using DVD media to backup, I am going to print 2d bar codes to paper for every disk operation. Also, I will print the operation in english so I can verify that it did the right thing.
Then if I have a disk crash, I just just scan in each operation in sequence to restore the disk.
Yes, you probably think I am sarcastic and you will tell me that paper lets you verify the vote and allows spot audits.
I would say that the "paper trail" addresses a media/news issue rather than a technical one.
This demand for paper backup is an odd hope that 100 year old cash register technology is the best.
One could accomplish the same thing, by writing the vote, and a human readable JPEG image to DVD, and show the image to the voter for verification.
Or if DVD is too high tech, use microfiche,...
Re:backing up with "paper trail" (Score:4, Insightful)
Or a hacker could accomplish the same thing as before by writing their vote, and a human readable JPEG image of their vote to DVD and show a JPEG of the voter's vote to the voter for verification.
The key is that if you want to verify that a process is working, you can't use the same process to verify it, because if the process is broken, your verification is broken too.
Re: (Score:2)
Re: (Score:2)
We vote on a "scantron" type sheet (fill in bubbles for candidates) and this is scanned into a reader before you leave the poll and the scanner keeps the paper form. If there are any problems reading the scan, you have the opportunity to fix it. There is also a paper trail of all of the forms that can be verified.
Paper vs Digital/Optical Media (Score:2)
A bit off-topic, but when it comes to longevity, paper records are hard to beat (with the possible exception of stone tablets). Check out this interesting article :Paper Trail - Can Digital Media Match The Longevity Of Plain Old Print? [sfgate.com]
Paper Backup (Score:2)
I have decided that paper is the most reliable backup/journal mechanism. I have decided that instead of using DVD media to backup, I am going to print 2d bar codes to paper for every disk operation.
Actually, I think Slashdot covered a story on this a couple years back, with a company that had developed a way to store around 1GB of data on a standard 8.5x11 page. 256-bit color 2D barcode at 1200dpi would do it, I guess. More seriously, I was told by a chap at the Corning Glass works that the most importa
Re: (Score:2)
You've obviously never written a JPEG decoder if you think the files are human-readable.
Also paper doesn't have to be the solution... it could be anything large enough that people can sense and permanent enough to count. For example, you could engrave your vote on say a bar of soap or write your vote in ketchup on a hamburger -- as long as everybody is issued the same voting matter. Plus, this actually encourag
Re: (Score:2)
Sigh...no, because there is no guarantee that the image you were shown was written to the DVD.
The point of having a paper trail (on the voting side, not necessarity the counting side) is that there is no invisible "techno-magic" happening; you are sure your vote was cast correctly.
Re: (Score:2)
With the current e-voting in California, the voter sees the printed vote and 2D barcode behind glass.
If you are not going to believe that the image shown was actually read from the DVD (after being written), then I assume you would not trust the 2D barcode (which is what would be re-counted, after or along with other backup mechanisms).
Re: (Score:2)
Exactly, I shouldn't have to "believe" anything all. The paper trail MUST be human readable and verifiable. What the heck is the point of printing out a 2D barcode behind the glass for the voter to look at? It could say anything at all, and you would have no idea.
Th
Re: (Score:2)
As long as the printed vote is there, then all it takes is a vigilant observer at the recount to go "hey wait, why does the pile for President Evil Overlord all have different names on the printed part of the ballot!"
In the end, elections require vigilance on behalf of all people to ensure that they are carried out in a manner faithful to the voters' intent. Hiding parts of the process within a machine make
Tin Foil Hat required (Score:2)
Clear Evidence 2006 Congressional Elections Hacked [opednews.com]
"We see evidence of pervasive fraud, but apparently calibrated to political conditions existing before recent developments shifted the political landscape," said attorney Jonathan Simon, co-founder of Election Defense Alliance, "so 'the fix' turned out not to be sufficient for the actual circumstances." Explained Simon, "When you set out to rig an election, you want to do just enough to win. The greater the shift from expectations, (from ex
Re: (Score:2)
Re: (Score:2)
don't get the telecom mutter and home orifice people upset with you now
Peter Thompson.... (Score:2, Funny)
Ambiguity = Not counted?! (Score:4, Interesting)
This is ridiculous! If a paper ballot has an ambiguity and won't be counted, it should be flagged as such as soon as it's inserted into the machine so that the voter can have some sort of opportunity to ensure that their vote is counted. This is a terrible argument for touch-screen voting.
Think about this for a moment; this means that things like ballot ordering or candidate name has an influence on whether or not your vote will even be counted, and you wouldn't ever know.
Re: (Score:1)
Optically scanned ballots can do that checking (removing that "terrible argument"). However, old pencil-and-paper cannot be anonymously scanned without impacting the privacy of the vote.
Re: (Score:2)
Doesn't wash with me... (Score:2)
With optical scan systems, there's always a paper trail that one can go back to. Yes
Re: (Score:2)
Re: (Score:1)
Re: (Score:1)
The problem is, if the election is just slightly shifted, there's no recount and so nobody knows what happened. You can always randomly manually count 1-5% of the ballots, but that may or may not expose any fraud or error. Plus, as shown in Hacking Democracy,
Re: (Score:2)
These problems predated electronic voting. I didn't say optical scans are THE PERFECT SOLUTION. But I think they are a whole lot better than any other system available today. All the problems that optica
Tyranny of the Majority (Score:3, Interesting)
Haven't there already been several instances of claims of this kind? Isn't it the case that systematic problems with exit polling (and other polls) make it very difficult to make strong, credible claims about election results?
It seems like 10% is a fairly significant margin in most races, so I'm not sure why one would treat this as though it were a small thing. I do appreciate the point that somehow this may not change the structural correcting force arising from elections, but I do think that it can cause a situation where you have tyranny of the majority (or even a large minority). If a politician has a buffer zone of 10%, that may allow him to pander to one particular consituency while completely ignoring all others, as long as the buffer zone is enough to have him safely reelected. Persumably, in the fair election a politician has to aim to satisfy not just a majority of constituents but a sizable enough majority to ensure victory. So, it seems like such a vote buffer might still really lead to very significant qualitative change. If nothing else, one can look to how differently a legislature operates when the majority party has a margin of a few percent of seats versus when they have a margin of, say, 10%. In the latter case, one often sees compromise all but disappear.
I guess another way to look at it is that policy difference can be quite large, even between relatively similar political candidates. People thought, for example, that Bush and Gore were pretty similar, and in many of their policies they were (when compared to the larger spectrum of political ideologies, compare with people like Bernie Sanders or Pat Buchanan). If you believe, however, that the Iraq war would not have happened under a Gore presidency (seems at least plausible), then we're talking about thousands of U.S. soldiers dead, tens of thousands wounded, tens or hundreds of thousands of Iraqis dead, hundreds of billions of dollars spent, and the fate of an entire nation radically changed. No matter your feelings about the Iraq war, my point is only that this is, indeed, quite signficant. I'd have a hard time trying to argue to the families of all those dead and wounded that it isn't.
I appreciate the point that people aren't voting based on perfect (or, perhaps, even good) information anyway, and there are many other ways to steel elections, but it's hard to see how you can face up to facts like those just mentioned and not at least try. In any case, as Dr. Thompson alluded to, it's a false dichotomy. It's not as though you have to choose to fight only one source of fraud, and it will take different people with different expertise to combat each.
OMFG (Score:1)
Not the only danger (Score:2)
Not only that. If you shifted the vote by a huge amount (say, 100% to 0%), that would go a long way to undermining the voting system and producing panic in the population.
Unconvincing argument against pen and paper (Score:2)
Now, addressing Hugh's points to this question:
1] Disabled voters: Why in the world d
Re: (Score:2)
As for the other points.
1) The abaility for disabled to use the exact same machine is a huge,huge political point for the disabled comunity. Lawsuit have been filed over similar setup which they label "seperate but equal". If an someting even more strange from your thinking look at cochlear implants and how they are causing the "geno
Re:first! (Score:5, Funny)
Re: (Score:1)
C) give to your boss/union leader/vote buyer/abusive spouse/etc to prove who you voted for so that you can be paid or keep your job, etc.
When you walk out that do