Posted on 03/09/2004 4:49:08 PM PST by Tumbleweed_Connection
(CBS) Today's presidential primaries in the South are not only a dry run for the issues in November -- but also for new high-tech voting machines. Judging from their use in other states so far, touch-screen voting may not be foolproof -- or tamperproof. Ads promoting computerized voting make fun of the 2000 electoral mess in Florida. "This chad. I can't tell if it's hanging. That's no way to vote,'' says one commercial. But as CBS News Correspondent Vince Gonzales reports, experts nationwide have found serious security problems with the new touch-screen voting systems. "If there's another close election, we might not be able to do any kind of meaningful recount," says Rice University computer scientist Dan Wallach. "We might not be able to really figure out who won the election." Wallach, who is affiliated with a group called verifiedvoting.org, obtained the secret programs that run the most widely used technology, made by Diebold Elections Systems. "We found a number of interesting flaws with the Diebold system, any one of which could allow somebody to corrupt an election," says Wallach. During a test, it took only seconds for Michael Wertheimer and his team of former National Security Agency experts to break into Diebold voting machines in Maryland. "It is definitely within the realm of possibility, strong possibility, that an election could be thrown and nobody would know," says Wertheimer, a computer security expert for RABA Technologies. They picked locks, reprogrammed machines -- and the so-called smart cards given to voters -- allowing them to change votes or to vote as often as they liked. It's a flaw Diebold knew about three years ago according to this internal e-mail: "Our smart card format has absolutely no security
. They could stand at the ballot station and quietly burn new cards all day." The company says it has corrected any security problems as they've been discovered. We tried to ask Diebold's president Bob Urosevich about that, but he declined to talk to CBS News, referring us to a spokesman. "When people have a chance to use these systems they see they're secure, they're accurate," says Bear. "There's many, many levels of checks and balances to insure the safety and security of the vote." For a system they can believe in, a handful of states are now requiring a paper backup be printed with every vote. "Maybe it will cost $100 a machine, maybe it will cost $500 a machine," says Wallach. "What's the price of democracy?" But it's unlikely the changes will be ready in time for this year's presidential election, in which nearly one-third of voters may cast their ballots electronically.
Is there any way to do anything meanngful with those paper ballots? Having paper ballots as a backup to the electronic ones is important, but it's also important to have a means of doing something useful with them.
How? Are they printed in machine-readable form, and are the records suitable for automatic handling? I've been sketching up what IMHO would be a much better approach to handling elections; to be posted following.
I would propose a system whose deployment cost would be between that of DRE and optical-scan systems, but which would be more resistant to insider and outisder tampering.
To protect paper ballots against alteration, there would be a 'check field' which indicated how many other marks there were on the ballot. Voters would have the option of filling this out themselves, or of letting the "electronic ballot box" do it. Although the "electronic ballot box" would accept ballots whose check field was blank, it would reject as spoiled any ballot whose check field was improperly completed.
As each ballot is inserted into the electronic ballot box, it would record some information in printed machine-readable form on the ballot itself and also in internal electronic storage; the details of this information are described below. Additionally, it would check that all votes were cast properly (no overvotes), the check field was either blank or correct (and if blank it would fill it in and then scan to confirm that it had done so correctly), and it would confirm that all marking areas were either completely blank or thoroughly filled. Ballots with excessive marks would be rejected as spoiled; those with ambiguous marks would be rejected for correction.
At the start of each election, each machine would be assigned an identifier which would uniquely define the machine and the election; this number is called the "election-machine id". This would be the same for all ballots cast by the machine in the election.
At the start of each "set" of ballots (including at the start of the election) the machine would select a number randomly but uniquely from "00" to "99" as a "set-id"; no number would be reused on a particular machine in a particular election.
As each ballot was cast, the machine would mark it with the election-machine id and the set-id. It would also randomly select and mark for each race a three-digit number called a "ballot-race id" which was unique within that race, within that set of ballots. The machine would then randomly decide whether or not to begin a new set (with a weighted function so that after the first ballot the answer would more likely be 'no' but after the 990th it would more likely be 'yes'). Starting a new set would cause a new set-id to be selected, and would make all ballot-race id's eligible for re-use.
Within each race, any ballot may be globally uniquely identified by the combination of the election-machine id, the set-id, and that ballot-id marked on that ballot for that race. This combined number will referred to as the "race-unique id". As a simple example, suppose there are three races and a ballot is marked 39921-49-501-392-948. The 39921 is the election-machine id, the 49 is the set-id, and the remaining numbers are the ballot-race id's. The "race-unique id's" for this ballot would be 39921-49-501, 39921-49-392, and 39921-49-948.
If an automated recount is necessary, the ballots could be run through a counting machine, producing a second data file similar in form to the first. Any ballot which reads unclearly would be rejected for hand inspection, but all others would be processed automatically. Doing a cross-check between the two lists would help to catch mechanical problems, and could be useful for that purpose, but would not necessarily catch fraudulent programming. For that, the third step comes in.
To verify accuracy and legitimacy of the actual vote recording, interested parties would be allowed to randomly select ballots from the list to be examined. Any of a number of means could then be used to physically retrieve the paper ballot and inspect it (e.g. even if the ballots were physically shuffled after the original election, during a recount the machine could record the physical order in which they appear). If there is any significant malfeasance or fraud, even a fairly small sampling will likely be enough to catch it. For example, if 1% of the ballots are miscounted, there's a better-than-50% chance of catching one within 100 samples and a better-than-98% chance of catching one within 400 samples. If 0.1% are miscounted, then 1,000 samples will catch one more than 50% of the time, and 4,000 will catch one more than 98% of the time.
While recounts are statistically useless because, in case of discrepancy, there isn't any way to know what's "right", sampling as described will be much more useful and informative. Since ambiguous ballots should be rejected by the electronic ballot box, there shouldn't be even a single ballot that doesn't match the electronic record. If one is found, then something is probably wrong; to allow for the possibility of a statistical fluke, a sample larger than the original one (say twice as large) should be taken. If it comes up clean, then the original anomoly was probably a fluke. Otherwise, machines should be inspected and adjusted as needed; ballots should then be rescanned to determine if any of them read differently after adjusting the machines. If so, particular ballots that read differently should be inspected to determine why. Otherwise another, larger random sample of ballots should be examined to determine whether the previous failures were a statistical fluke.
Perhaps more important than the improved statistcal certainty provided by the use of random statistical sampling is another feature of this system: ballots can be identified for additional scrutiny. With conventional systems, if one recount yields a one result and another recount yields a different result, that may suggest a problem, but it would provide zero guidance toward solving it. By contrast, tracking ballots via random id's would allow particular ballots which read differently on different passes to be identified. If a smudge was causing misreads, the problem could be noted and the counts adjusted appropriately.
Two things I'd like to see with optical-scan paper ballots (which are IMHO the only way to go): (1) for each race, an explicit "ABSTAIN" choice; and (2) a 'check field' a voter could fill in which indicated how many abstentions there were that the voter hadn't marked. If this field not completed by the voter before a ballot was submitted, the electronic ballot box would either use a printer to mark the ballot with the correct value or else reject the ballot and instruct the voter what to mark. While a ballot with no 'check-field' marks would be either fixed by the box or returned to the voter for correction, and a ballot whose check-field indicated fewer unmarked abstentions than actually existed would returned to the voter for correction (a voter could at that point just mark more explicit abstentions), a ballot whose check-field indicated more unmarked abstentions than existed should be rejected outright. Such a procedure would ensure that no validly-cast ballot--even if it included abstentions--could be altered to reflect any additional candidate selections without becoming invalid.
OTOH, it's not such a big deal to count paper-trail 'coupons' by hand since recounts aren't that frequent, and very-rarely statewide.
Consider a simple hypothetical: a number of voting machines has been altered to count 10% of Bush votes and 50% of Nader votes as Kerry votes. How would such a thing be detected? Unless one happens to do a recount in an area served by such a machine, I would think such cheating would completely escape notice.
From what I've read, Diebold et al. have allowed some independent "code inspectors" to examine alleged what is allegedly the source code for their products, but not allowed them to compile the code and take with them a copy of the code image, or even a cryptographic hash thereof, to confirm that the code they examined is the code that's being deployed. Indeed, in many cases the code has been clearly different as evidenced by things like version numbers.
You may trust Diebold, but I see no reason why I should have to, especially when a properly-designed election protol wouldn't require anybody to trust any piece of equipment except for some pens and sheets of paper.
Why do you object to free elections?
However, I agree with you that the optically-read paper ballots are an effective way to run elections. But most of the vote-fraud is done outside of any machines, and is just as easy with your system as with the Diebold system.
It means it's impossible for anyone to be sure there aren't any 'back doors' in the system.
It would be very easy to test for the kind of thing you described in your previous post, which would be caught immediately by the current start-up testing.
Suppose the machine were set up so that it would count all Bush and Nader votes as Kerry votes between the time it saw one particular odd combination of candidate selections and another particular odd combination. One operative of fraud goes in shortly after the election starts and cast his "special" vote. Another goes in shortly before polls close. Testing the machine before and after the election will show nothing amiss, unless the testers happen to try the magic candidate combination which triggers the fraud.
These assholes are beyond belief. Can anyone - ANYONE - guarantee that the results on a paper ballot from a touch-screen system can be guaranteed to be the same result that is transmitted from the system? It's ludicrous.
Actually, one very useful improvement to current elections would be to include in all vote tallies including early returns abstain votes, uncounted ballots, and spoiled ballots. From the very first election returns, the total of votes for all candidates in a race plus the above ballot candidates should equal the number of people that voted. Any change to that total should be cause for suspicion. If this reporting had been in place, one of the problems in a Florida recount, were the ballot-handler failed to run all the ballots through the machine, would have been detected.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.