Time to Recall E-Vote Machines? (voting fraud)

http://www.wired.com ^ | Oct. 06, 2003 | Kim Zetter

[getget]

As Californians head to the polls on Tuesday, voters in at least one county will cast their ballots electronically on machines that have been shown to be flawed.

Election officials around the country have been switching to new computerized polling machines with the hope of avoiding a repeat of the Florida debacle over punch-card voting that marred the 2000 presidential election.

[supercat]

The only way to go is with optically-scanned ballots. You can have 10 voting stations (simple suit case style booths) for the cost of one touch screen.

Sounds good, with a couple of slight additions: (1) have a touch-screen machine disabled or clueless people can use to vote which fills out an optical ballot like those used by everyone else; (2) have the scanner (after ensuring that the ballot is valid has no stray marks) marks the ballot with a machine-readable random unique ID and its interpretation of the cast votes; for ballots with multiple races or questions, preferably use a different ID for each question; (3) make a list of all ballots cast available to interested parties; for ballots with multiple races, preferably separate the lists for the different races; (4) have a procedure whereby interested parties can inspect some number of randomly-selected ballots.

Making the ballot contents publicly available in machine-readable format would allow any interested person to ensure the votes were counted correctly [e.g. if each ballot is one line of dashes and X's, with one character for each oval, plus a unique ID at the end, then the number of votes for Arnold should equal the number of X's in his column]; a PERL script or even EGREP could handle that.

Allowing random audits of individual ballots would do a good job of ensuring that 99% or 99.9% of the ballots were recorded correctly. If the scanner rejects ballots which are even remotely ambiguous, then every ballot should precisely match its machine-readable counterpart. If 100 ballots are selected at random and all 100 match, it's unlikely that even 2% are bad (whether intentionally or unintentionally). If 1,000 ballots are selected at random and all 1,000 match, it's unlikely that even 0.2% are bad. Pulling 1,000 ballots for verification would be a non-trivial task, but much easier and much more meaningful than doing a hand-count.

[Cosmo]

I'm havin' one of those "duh!" momments.

[jmc813]

http://www.equalccw.com/dieboldtestnotes.html

[upchuck]

The only way to go is with optically-scanned ballots.

I agree 100%. I've been working the polls for years. Paper ballots are the answer. You have an audit trail. Recounts can easily be done, etc. Been there, done that. Paper is the answer!

[supercat]

Some of the concerns articulated are valid, some are not. There is definitely some hysteria on this subject.

Agreed. The physical security of the machines is probably the biggest concern.

If the nature of the voting machine is such that manipulating it would allow people's votes to be manipulated, then it's a major concern. If the nature of the machine is such that that would be impossible, then it's not so much of a concern.

The weak link in election systems is not the machines, it is the poll workers.

Indeed; electronic systems probably provide more opportunity for both honest mistakes and deliberate "mistakes" than paper-based ones, however.

But the simpler it is the less secure it is.

Depends. Consider the old-fashioned paper ballot box. In the morning, inspect it for false compartments, trick openings, etc. and ensure it's empty. At closing, slap a few locks on it. Not exactly rocket science, but it can be quite secure.

Election security has many components, of which the software is but one. The article talks about the software, and the physical security of the hardware, and a paper trail for recounts. But there are other controls, and they are good at what they do, but they mainly relate to the number of ballots cast at each precinct, and not how each voter voted.

Something is downright wrong when someone conducting a recount in Florida can fail to insert all the ballots and report wrong results without noticing that the number of ballots counted doesn't match the number cast. So those controls certainly have to be improved...

Tracking how each voter voted transgresses the anonymity and privacy of each person's vote, which is a very, very important issue. There is a paper summary report printed from each unit which tallies the ballots recorded on each memory card, and these are checked against the tallies uploaded electronically from the memory cards.

What is necessary is to either provide a means by which votes are visibly and indelibly recorded without keeping track of the sequence (e.g. having a machine print out a card, let the voter verify it, and then drop it in a drum) or else (somewhat less desirably) have multiple voting stations being used which feed into one machine, so that the order of ballots going into the machine won't strictly correspond to the order in which voters register.

With this proviso, however, that there be some separation between the person's act of voting and their ballot, accurate and efficient auditing requires ballots to be uniqely identifiable. My preference would be to have the ballots marked with a unique random ID for each race (so if there are ten races, there would be ten unique ID's), and to have the machine output a machine-readable lists of the ballots cast for each race, in order of their random IDs.

Neither the voting units nor the GEMS server are ever connected to the internet. Hackers will have get physical access to the machines. Not impossible, of course, but not easy. And difficult to execute successfully because of the acconting controls on the number of ballots cast at each precinct.

Although much has been made of hackers, the real problem is that someone with legitimate access to the machines might use that access illegitimately. None of the electronic voting systems, to my knowledge, have effective means of preventing that.

Optical scan ballots present problems of their own. Ever had a copier jam? Well, the paper handling mechanisms on the optical scan ballot readers probably don't work as well as your average copier's paper handling system.

Given the simpler paper path and more restricted choice of media, why shouldn't it work as well?

I have seen them pull 2 and 3 ballots through at the same time, jam, etc. etc., ad nauseum.

For the initial count, voters insert ballots singly. If ballots are properly ID coded, mass recounts would be unnecessary unless something goes seriously wrong with the machine count; a random audit would be both easier and more meaningful than a full recount.

Then you have the incomplete mark and incomplete erasure problem.

Have the machine reject any ballot with indeterminate marks. Erasures should be a non-issue, as ballots should be marked indelibly with pen. The purpose of recounts is to deal with the margin of error in the tabulation process. The threshold for recounts is, generally speaking, at the margin of error for the method of counting.

With any election count, there are two things that can go wrong: (1) an individual ballot may be miscounted; or (2) the result of a count may be corrupted, whether by accident or design. The only reason for having a threshhold for recounts (rather than having them always be mandatory) is that there is a limit to how much even badly corrupted counts will affect a multi-precinct result. With electronic voting the margin of error in the tabulation process is very, very small. You will get the same number every single time. Not true with the other methods. Therefore, the rationale for a recount is small. However, there may be other reasons.

The possibility of corrupted results is no smaller with electronic voting than with other methods. Unfortunately, if things do get corrupted there may be nothing to fall back upon.

Having said all of that, the Georgia Secretary of State's response to the recent brouhaha on the security of electronic voting systems has been pure spin, and pure attack on the Hopkins researcher, and not much in the way of reasoned elaboration. I will be interested to see the Diebold internal memos referenced above if they every come back on the net. I've bookmarked the page.

For any voting to be considered acceptable, IMHO, the following criteria should be met:

1. The act of casting a vote should cause an indelible physical change on the voting medium.
2. Either the voter himself should be able to see the change on the voting medium (preferable), or the mechanism should be open for inspection by interested parties so that they may verify that it works correctly. In the latter case, there must be some means to ensure that the mechanism inspected is the same as the mechanism actually used for voting. [for electronic voting systems, mechanism would include both hardware and software].
3. There should be no way, outside of fraud, for accepted vote recording media to contain anything other than valid ballots, and it should be physically impossible to alter any valid ballot so as to yield a valid ballot with different votes.
4. It should be possible to take any ballot and confirm that it was counted, and to rapidly and with high confidence confirm that the count for a candidate matches the number of media indicating that candidate.

I do not think these criteria are unreasonable, but to my knowledge no voting system currently in use meets all of them; some of the new ones don't meet any. I have worked out at least three totally-different designs which meet all of these criteria to a significant degree. In brief:

1. A Z80-based system, using low-tech hardware and open-source code, which uses bipolar PROM cartridges to hold both code and votes. If the bipolar PROM cartridges are protected against physical swapping, any alterations would be obvious.
2. A mechanical system, in which votes are punched on paper tapes, with voters being able to see their votes punched. This system would be my favorite were it not for the hardware cost, since it could combine excellent tamper-resistance and very good voter feedback with relatively easy tabulation.
3. A slightly enhanced version of the widely-used optical scan systems, to provide improved auditing abilities.

With a well-designed voting system, there should be no need to trust the system designers or implementors in order to trust the vote. Unfortunately, current systems fail badly in meeting that standard.

[Pikachu_Dad]

No, The BEST way is to use the touchscreen displays coupled with a punchcard printer.

You pick up a vote card, insert it in the punch printer, use the touchscreen to pick your votes. When you press VOTE, the printer punches out your vote ticket.

Then you can go to a separate machine to verify that your vote is valid and matches what you wanted.

This way you have a paper trail.

[cookcounty]

"Alameda County, a Democratic stronghold that includes the cities of Berkeley and Oakland, converted to all-electronic voting last year at a cost of more than $12 million.

[supercat]

I believe they relied on a key encryption system. But they did not win.

I'm skeptical, but I'd be interested in seeing the paper if you can find the link. All of the computer systems I've seen use rewritable media, which would imply that it is physically possible to alter the media to show any election result whatsoever.

[supercat]

No, The BEST way is to use the touchscreen displays coupled with a punchcard printer.

I'd have such a system available for disabled people, but I don't see any advantages sufficient to justify the cost of having all voters use such machines. Not that there's anything wrong with them--they would have a few advantages--but I see insufficient benefits to justify the expense.

[supercat]

Let us know what you think.

Tough to say. The authors go even beyond my requirements as far as some of the trust issues are concerned (in particular, they provide that no election officials should be ablt to tally the votes without the cooperation of officials from the other party), and they actually seem to appreciate "insider" security risks to a much greater extent than I've seen with other systems.

On the other hand, I see a few problems with this approach:

1. Unless voters use their own cryptographic equipment, someone besides them will have access to their private key. There is nothing to prevent someone with access to a voter's private key from falsifying the person's vote.
2. If cooperation of both parties is necessary in order to count the ballots, it becomes possible for either party to "spike" the election to a greater extent than would be possible using non-electronic balloting.
3. Unless I'm misunderstanding things, people's ballots aren't really secret. Collusion by both parties would be necessary to read anyone's ballot, but such collusion (or eventual discover of enough keys by various members of both parties), along with a record of the encrypted communications, would allow someone to determine how each individual voter voted.
4. In the unlikely event that the homomorphic encryption or zero-knowledge proof has any exploitable cryptographic weaknesses, someone could vote many times with a single ballot.

As I see it, (2) is made acute by electronic election systems, but exists with any; (4) probably isn't an issue but I don't have the expertise to really say. From what I can see, though, (1) and (3) are really big problems. Am I misreading something, or do those look like problems to you too?

[supercat]

This way you have a paper trail.

My punch-tape system would also provide a paper trail. If the system is designed so that exactly one hole will get punched for each office/vacancy for each ballot, then the total number of holes punched should exactly equal the number of offices/vacancies times the number of voters (in the event that a voter does not select a candidate, the system would punch a "no candidate selected" tape for that race)

Discrete ballots, such as you suggest, do have some good characteristics but also some weaknesses:

• One requirement for a good voting method (not in my list above) is that it be impossible for a particular voter to prove how he voted. This requirement is necessary to protect against bribery or extortion. To really make it hold up, a person's votes in all races should be recorded separately on media that cannot be associated with each other. My punch-tape system meets this criterion; a discrete-ballot system would not unless there were separate ballots for each race.
• Most counterfeit-resistant seals, papers, etc. are expensive. Having a representative of each party put a counterfeit-resistant seal on every paper ballot would be prohibitively expensive, but putting such seals on each tape would be entirely practical.

I don't by any stretch dislike the idea of computer-printed ballots which are then electronically scanned; I think in some ways the punch-tape system may be better, though.