Transterrestrial Musings

Comments

My mother spent several years working with a major ATM network here in the UK (and eventually on Cirrus/Maestro). I don't have much confidence in ATM reliablity after that. ;-)

I confess I find it hard to comprehend the use of voting machinery as a rule, but I understand the US has a different culture over this. But, still... a way to make the democratic process less clear, less trustable, is generally bad news - but it's terrible news at a time when the US is politically more divided than usual, when the standard of political discourse on both sides is remarkably partisan, when there are already allegations of intent to fiddle the process... it's a very bad moment for it.

RISKs has been quiet recently, but is normally interesing reading on the topic of electronic electorality.

Posted by Andrew Gray at July 27, 2004 08:46 AM

Historically vote fraud has been overvotes-- more people voting than are registered, and all of them voting for a particular candidate (and only that candidate, ignoring the rest of the ticket). Take as an example Chicago, where the dead always vote Democrat no matter what their politics when alive. Or Philadelphia, where registration has been known to exceed the census count (including children), and civic pride results in 100% for the Democrat. So I would expect that the Democrats will stick to what they know best.

Posted by Raoul Ortega at July 27, 2004 10:00 AM

Well, I don't know about Mr. Case, but when I vote all I get is the little stub from the punchcard. There's no paper trail worth mentioning. I mean, sure in principle there's the original ballot, but suppose someone wanted to commit fraud, and I demanded to see my original ballot, and they produce a punchcard with some other chads missing than I recall punching out. Whose going to believe me when I say THAT'S not my ballot? Hell, I might not believe me myself, on account of I can't always recall exactly what I did in the voting booth on a dozen candidates and at least as many initiatives (I live in California).

The only citizen-verifiable "paper trail" worth mentioning would be a ballot with my signature on it, and even then, given the fact that my kids and secretary can forge my signature plausibly, and the prevalence of credit-card fraud, I wouldn't be too confident in that either.

In short, I think the "paper trail" is a chimera. Nothing substitutes for having faith in your election officials. If you don't have that, you might as well get out your pitchforks.

Posted by Alexander Voter at July 27, 2004 10:42 AM

Alexander - the paper provides a physical object which can be watched by multiple people. With paper you have to subvert a large number of people. With electrons, you only have to subvert one. With paper, a single corrupt official can affect only a few votes (at most a single polling station). With electrons a single corrupt official can subvert millions of votes, and do so in a way that's impossible to detect. Paper votes aren't perfect, but purely electronic voting is terrible by comparison. As a general rule, the more specialized knowledge that is requires to understand the inner workings of a voting system, the smaller the pool of potential monitors of the system, and therefore the smaller the number of people who can find errors, and the greater the relative power of a single corrupt individual.

Another point about electronic voting - computers crash, and in doing so sometimes corrupt data. When's the last time you got the blue screen of death from a piece of paper? To destroy paper requires real effort (and the things that damage paper, like fires and floods, also corrupt computers). The danger is not just corrupt officials, it is also simple ineptitude like failing to clean the punchcard machines properly, which was one of the causes of the Florida confusion. The basic principle is that if it absolutely has to be reliable, make it as simple as possible. Electronic voting utterly fails the test of simplicity.

Posted by Andrew Case at July 27, 2004 11:03 AM

Glenn Reynolds has long been a proponent of a return to paper ballots with pencil. It would take more effort to count, but we'd have a lot more confidence in the system.

Posted by Rand Simberg at July 27, 2004 11:15 AM

The amazing thing is watching the voting-machine folk _insist_ that 100% paper-free is 'better'.

What I advocate is separating 'ballot preparation' from 'voting'.

The 'ballot preparation' machine can have as many bells and whistles/help screens whatever. But it _prints_a_physical_ballot_ where there is _no_ possibility of confusion. (If you're _printing_ what the person plans to vote for - there's no reason for the _non_ selected candidates names to even appear on the prospective ballot!)

The 'voting machine' works the way some current machines work. You stick the paper in a sheet feeder. There's two possible responses: 1) you paper is spit back out stamped 'invalid, try again', or 2) A chime and the faceplate goes from 'Votes: n' to 'Votes: n+1'

The electronics should have an up-to-the-second count, the box of votes could be machine-sealed, but if something insane happens (EMP strike, voting machine sent through an MRI machine, who-knows-what) there _are_ physical ballots to count.

Example:
Abe and Zelda are running for President.
Bob and Yoda are running for Senator.
Carlos and Xeno are running for turnip-catcher.

The ballot-preparation machine pops up separate screens for each individual vote listing names/parties etc. So the first screen is something like 'President: Choices: Abe, Zelda, None.'

I pick None, Bob, Xeno. This leads to a sheet of paper (neatly laser printed)

"President: Intentionally did not vote.
Senator: Bob A. Name of A.Party
Turnip-catcher: Xeno Phobic, no party declared."

It would be mighty hard for someone to say with a straight face that _I_ intended to vote for Abe. I mean - I _did_ vote for Bob, who is in the same party... but it is clear I did _NOT_ choose to vote for President.

So this sheet I shove into the voting machine. If it fails (because I poured black ink on it or some other insane reason) it should come back as invalid.

The business where people don't want people to have a sheet telling how they voted to prevent 'vote selling' would work just as well as today - the ballot hasn't been counted at the point that you've got it in you hand. (So it isn't _proof_ you voted that way - just proof that you prepared at least one ballot that way.)

Posted by Al at July 27, 2004 11:41 AM

I dunno I can setup my WinXp box to log everything if I want and restrict permissions to the point where only very specific operations can exist. You'd have to move much more than a single electron to completely hide your tracks even on a relatively vunerable Wintel system.

Also there are several forms of unique identifiers and encryption that could be tied to each individual vote process that could validate it from bogus entries. For example, when I setup someones blackberry device part of the setup process requires that I move the mouse pointer around on the screen for several seconds. What this does is calculate an algorithm based upon the mouse coordinates plotted across the screen as I move the pointer. This sort of tracking could be tied in with a person undergoing a vote transaction. It will ask you to move the mouse pointer around on the screen for several seconds and this encrypts your vote with a unique indentifier that cannot be reproduced.

I'd say if you trust computers enough to enter a credit card number then you should trust it enough to submit your vote.

Posted by Hefty at July 27, 2004 11:57 AM

Sadly, electronic voting has been caught up in partisanship and Bush conspiracy theories, so there is a tendency for people on the Republican side to ignore the issue, or assume it is just more nonsense.

It isn’t.

At my job, we develop secure web based, secure health database systems. Security is a big issue. Reading about Diebold (one of the leading e-voting machine makers) made my jaw drop. They broke just about every rule of secure software design. The machines use a database that can be directly edited with "Access," with insane holes in software and hardware security. They [b]accidentally[/b] left the pathetic source code available on an FTP server on the internet. There were even “back doors” hardcoded into the software! In outside tests, their systems were easily cracked. Of course, they didn’t bother with obvious security tests in office, or ignored them. I can’t even comprehend what their software design process must have been like.

In a way, we are lucky Diebold has been involved. They aren’t the only ones with problems, but they have done so many stupid things – in design, legal moves, public statements, making uncertified software upgrades and denying it, etc – that they are impossible to ignore.

The funny thing is the people who complain the most about this stuff are the folks that know computers. We KNOW how complex these things are, and how hard it is to make them secure. And let’s be clear here: I have no expectation of perfect security. It isn’t possible. But we should expect they be as secure as other types of voting systems, and above all, there should be a way to verify that security.

At the very least, you need a paper trail. Without a paper trail, there is absolutely no way to verify the results. I know Bush won in Florida in 2000 because the results have been independently verified. With e-voting and no paper trail, I might very well believe the Bush bashers – or at least, there would be no way to prove them wrong.

Posted by VR at July 27, 2004 12:23 PM

Hefty - Diebold used a Jet database ("Access") on Windows CE. No encrypted fields. No checksums. Nothing. It could be modified directly with Access, there was no way to tell. They used file transfer schemes that could be intercepted. Not that I consider Windows XP very secure. If I were doing it, the end-point device would would be a pure embedded design, with no OS at all, all data transfer encrypted with multiple tracking and verification processes.

Posted by VR at July 27, 2004 12:39 PM

I dunno I can setup my WinXp box to log everything if I want and restrict permissions to the point where only very specific operations can exist.

Given no access to the source code or to the machine itself, all we have is your word on this. I have no reason to distrust you personally, but you'll understand that in the case of J Random voting machine programmer, there is no obligation on my part to trust the guy.

I'd say if you trust computers enough to enter a credit card number then you should trust it enough to submit your vote.

If there is a wrong charge on my credit card, I can find out about it when I get my statement. Furthermore, there is a dispute process that favors me (since credit card companies that screw their customers tend to go out of business). If I am still no satisfied with the level of security, I can simply refrain from using the credit card, and choose to forgo the service in question. In the case of evoting without a paper trail, there is no way to check, and the service I forgo by choosing not to use the computer is my right to vote. Not being able to buy a beanie baby on eBay is much less serious than not being able to vote.

Voting is not a commercial transaction. It is a basic right. All errors made in the process of implementing the mechanisms of voting should be skewed in favor of greater openness and greater ability to double check.

Posted by Andrew Case at July 27, 2004 12:39 PM

I live in a small town in the midwest. Flyover country as they call it.

When I vote it is on a paper ballet that uses those nice ovals that we all remember from the ACT's with a black pen.

A computer reads them, but I see no way they could be altered.

As for confusion...we're trained to fill in ovals from the day we start high school. (It may be earlier than that now...been a while since I was in school.)

I make my living serviceing computers and I do not trust any of them. With no paper trail, even something so simple as a reciept to the voter (If a voter can't find his/her reciept they've disenfranchised themselves, not the governments fault), I have no faith in electronic voting machines.

Posted by Fuloydo at July 27, 2004 01:02 PM

OK, here's my opinion of "The Way it Should Be"

You vote with a computer and it prints 2 copies of your inputs; one for you to take home and one to file. You vote for issues, not candidates. The form has a list of statements on issues and you get to reply agree, disagree, don't care or don't know. All issues have the same value, but choices 3 and 4 don't skew the results.

The candidates also vote and the computer scores the tally and matches the candidate to the public mandate. Voting cards of elected officials are made public. Of course, the elected official is also scored on his later congressional votes as to whether they match his previously stated "position"

And I want a pony for Christmas too
Dan DeLong

Posted by Dan DeLong at July 27, 2004 02:12 PM

Dan - I like your idea. You could set it up so that the elected representative's pay was directly indexed to the number of campaign promises they actually kept. Make 10 promises, keep 5, give back 50% of your pay.

I'm going to pass on the pony and ask for a TARDIS. Ponies are for girls :-)

Posted by Andrew Case at July 27, 2004 02:26 PM

The measure of a system is not whether it fails but rather how well it fails.

Example 1: if a punch voting card has a hanging chad or two holes punched where there should be one then the system has failed but failed well; the damage is relatively minor and the system still works.

Example 2: if you have a e-voting machine that has recorded ten thousand votes and then a power surge or a power loss or a hacker causes those votes to be lost or altered then the system has failed badly.

This is why paper ballots and manual counting are better in the aggregate. There may be more chance for error and it is slower but mistakes are rarely catastrophic or uncorrectable.

I have never understood the mania for electronic voting. Its only advantage is speed. Voter error(misvoting) is still possible and the chance of a catastrophic error is magnified way out of proportion to the benefit you get in terms of speed. Why the rush to get the votes counted? It is months between the election and when the candidate takes office.

Posted by Jardinero1 at July 27, 2004 02:36 PM

What is amazing is this whole conniption started with ballot problems in Palm Beach County. As far as I know there had been no real problems there in previous elections.

What happened, did the voters get high on "stupid pills" the night before the election?

Now a county with a populace of mostly educated and experienced (elderly) votors suddenly couldn't read a ballot and didn't ask to have the "so called" Butterfly Ballot explained if they were confused.

Then the Democrats led the nation down into that whole "hanging chad/dimpled chad" fiasco while simultaneously trying to disinfranchise absentee ballots from our Armed Forces.

Here we are, spending a whole lotta money to develop a system that is actually easier to break, in reponse to an attempt to break a system that had worked pretty well for a number of years.

Rich

Posted by Rich at July 27, 2004 02:38 PM

"You could set it up so that the elected representative's pay was directly indexed to the number of campaign promises they actually kept. Make 10 promises, keep 5, give back 50% of your pay."

Sounds good, how about: If running for reelection, a candidate's stand on the issues is determined by her voting record instead of her current ballot?

Dan DeLong

Posted by Dan DeLong at July 27, 2004 02:49 PM

Andrew,

Fantastic post. This is the most straight-forward description of the potential problems with e-voting machines. I am fully, fully on board with you.

As bad as Florida was perceieved to be last time around, imagine if there was no way to recount? Would either side be happy? What recourse would there be? We ABSOULUTELY need a system with physical (paper) backups of the votes, perferably a paper copy that can be seen by the voter.

Republicans and Democrates both need a fair, uncorruptable system to ensure domestic tranquility and provide the consent of the people to be governed.

Posted by Fred K at July 27, 2004 03:06 PM

I suspect that this debate is much like the debate over carpool lanes versus light rail mass transit. That is, there's a whole lot of theory and not much empirical measurement. I'd say what's really needed here is actual experience and actual facts on ground to set alongside the speculation which may well be perfectly logical but perfectly wrong.

I'm agnostic on the whole issue. I'd like to see it tried and find out what happens.

And no, I don't think what happens will be massive social breakdown. Quite a lot of modern society functions electronically, including the aforementioned check-clearing and ATM network, hospital patient records, tax and legal records, air traffic control, electric power distribution, the GPS system and so forth. And in general we as a society have found empirically that going electronic significantly decreases overall error and increases overall reliability and security in any system, which is why we keep going electronic, of course. Why this should be so is probably quite complicated. But it is, and there are zero examples of a large-scale system which, once it went electronic, has in later years moved back to manual because people found it was just intolerably insecure or mistake-prone.

I tend to think the modern Luddism with respect to electronic systems in general is the result of folks gaining a little experience with a Windows PC and then leaping to the (unreasonable) conclusion that the kind of security an amateur using a Windows OS can expect is indicative of what a professional and a professional-level computer system can expect. This is in principle as silly as tying feathers to your arms and jumping off the roof, and concluding from the resulting broken bones that reliably safe airplanes are impossible.

Posted by Alexander Voter at July 27, 2004 03:54 PM

Yep, this all came about - or at least was accelerated - by the Florida mess. There are always some voting problems, but this time they became very public because of the extremely thin margins. So Federal money was allocated to "solve" the problem, with typical results - they bought bright shiny new hardware with it, rather than correct the systemic problems. As justification, the E-vote machine advocates contend that the machines do a better job of accurately counting votes. But, this is NOT the same as saying they are as secure against possible attacks.

It is important to understand that many voters, when they have a chance to use them, really like e-vote machines. Then, you have voting officials that have invested a great deal of time and money into these things, but don't have a clue about computer security. Computer scientists have been the most concerned about e-voting and you'd think people would pay attention to experts in the field, but there have been a number of extremely ignorant denouncements by certain California county voting officials.

Posted by VR at July 27, 2004 04:06 PM

Alexander Voter said:

"I'd say what's really needed here is actual experience and actual facts on ground to set alongside the speculation which may well be perfectly logical but perfectly wrong."

Right. Look at:

http://www.wired.com/news/evote/0,2645,62109,00.html?tw=wn_story_related

and the report it is based on:

http://www.raba.com/press/TA_Report_AccuVote.pdf

Quote from the article:

'William Arbaugh, a University of Maryland assistant professor of computer science who participated in the test, graded the system an "F," "with the possibility of raising it to a 'C' with extra credit -- that is, if they follow the recommendations we gave them."

"I was really surprised with the totality of the problems we found. Just about everywhere we looked we found them," Arbaugh said.'

This is the first time I think I have ever been accused of being a luddite. All I can say is, I develop secure database systems, and I think it is a big issue. Diebold especially doesn't have a clue about security. Certainly I will never trust an e-voting machine unless there is a paper trail.

Posted by VR at July 27, 2004 04:24 PM

Alexander,

the thing is how do you _test_ the security?

I'm sure Boeing groks security there is a pretty direct consequence if some of their plan leaked.

But security tends to be as high as the owner/operator of the machine perceives it needs to be. And no higher.

If you told Boeing this: "We're going to put plans for _classified_, _classified_, the 7E7 and the plane after that on 100,000 computers placed around the country. These same computers will be used for voting, and errors in excess of 0.001% will result in publication of the plans"... _that_ would get a secure system.

But the security you'll get going for low-bidder who is willing to say "This is completely secure" isn't going to be anywhere near the same. "Secure" to a casual console user is _different_ from tamper-proofing. There's techniques to determine that the 'key' is from an analysis of the heat output of the decryption chip. And what would a foreign government be willing to pay for the key?

For a voting system, it has to be _both_ actually secure... and _perceived_ to be actually secure.

A conspiracy theory that starts out "Ok, we corrupt 1300 voting officials, hire & paint 200 vans, and get 50,000 blank ballots" -> this isn't going to be a small enough effort to be secret. Period.

A conspiracy theory that starts out "We need to change 24 bits of one program, and the md5 of same" _sounds_ easier. _I_ know it is a lot tougher than it sounds.

But one of those conspiracies is _conceptually_ simpler, and would _require_ fewer people. Occam's Razor is about the only thing you can use to judge whether things are screwed up when there just isn't free access to all of the evidence. Which there wouldn't be.

All it takes to start a 'conspiracy' is one 'expert' who is willing to lie.

Posted by Al at July 27, 2004 04:43 PM

How about a conspiracy that starts:

We get our hands on a diebold voting machine. We "vote" 12345 times on it. Then we deliver it to a polling place while dressed as poll workers. Machine gets used by real voters. Results counted normally, Election changed.

Note there may be little evidence that tampering took place, and no way to seperate real votes from the fakes.

And what about power failures? Or 500 other scenarios.

The current electronic voting systems are very poorly engineered for the various failure scenarios.

Posted by Fred K at July 27, 2004 05:32 PM

"I tend to think the modern Luddism with respect to electronic systems in general is the result of folks gaining a little experience with a Windows PC and then leaping to the (unreasonable) conclusion that the kind of security an amateur using a Windows OS can expect is indicative of what a professional and a professional-level computer system can expect."

I understand what you mean, but Luddism really isn't applicable here. If anything, the reverse is occurring: those who know who have expertise with computers and technology are campaigning against it, while the only ones pushing for it are those who know the least about the technology.

Posted by Neil Halelamien at July 27, 2004 08:59 PM

I like the electronic voting because to me that could possibly help bolster voter turnout. I would really love for electronic voting to reach the point where we don't have to go anywhere to vote. We can just turn on our TV and punch in our votes from there through out Sattelite or Cable provider.

Perhaps a better idea to step into this new technology would be to use a hybrid voting machine. Where you slide your paper ballot into the voting computer, perhaps a machine that resembles a touch screen terminal at a restaurant. Then, use the touch screen to select your votes and the machine will punch the holes out for you and will also log the vote electronically as well. Then, the computer will still be helping us eliminate hanging chads or inconclusive marks on the ballot and also have the redundancy of the paper system to verify the electronic voting results.

Posted by Hefty at July 28, 2004 03:14 PM

Speak of the devil - Florida lost e-vote records:

Lost Record '02 Florida Vote

Hefty, I can just imagine phished voting sites. Security would be almost impossible. Mind, I'm not against touchscreen voting systems per se, but they need to be carefully designed and regulated.

On the other hand, I think it is perfectly reasonable to expect a voter to have enough basic skill to use a punchcard or other paper ballot system.

Posted by VR at July 28, 2004 05:47 PM

Neil, I think you're wrong. No doubt a sizeable chunk of people with expertise in computers are opposed to e-voting. Obviously they're regular people like you and I, and regular people have many reasons other than the technical issues to favor or oppose e-voting.

But mostly what I hear sounds suspiciously self-serving, as in: "E-voting will be a disaster IF you don't do X and Y and Z first, and these things are complicated, so you'll need to hire experts (like me!) at fat salaries to make sure of them, and/or there must be lots of government-funded study of the issue first (and now about my grant application. . .)"

I mean, think of what lawyers say about how tricky it is to navigate the legal system. Ever think they exaggerate it juuuuuust a weensy bit in their own self-interest?

I'm not saying they're dead wrong, mind you. I would be very surprised if there weren't problems to be ironed out, as there are with all new technologies.

But so what? The possible consequences are nowhere very serious, e.g. in the way that a similar malfunction in, say, nuclear missile command-and-control technology might be. So what if a close election or two gets jacked by dumbass mistake or fiendishly clever malfeasance? The worst possible e-voting malfunction couldn't begin to approach the undemocratic effects of the routine corruption in elections which this country put up with for the first 150 years of its existence. Through which we muddled, nevertheless.

Does anyone with any real expertise really think e-voting will mean widescale massive corruption of the democratic process indefinitely? Every election from Dade County dogcatcher to U.S. President is going to be at the mercy of teenage script kiddies from now until the third millenium? We'll just never be able to iron the bugs out?

Let's face it, the hypothetical voter to whom this kind of appeal is most successfully made is just a momma's boy, afraid to try anything bold or creative because he might get his knee skinned. The prototypical Luddite, I say.

Posted by Alexander V. at July 29, 2004 01:53 AM

Even if this system COULD be made error/cheat/hack-proof, no one would ever beleive it. No one will ever really be free of that nagging suspicion that the election was a fraud.

Even if the machines perform 100% flawlessly, we have lost faith in the results. This, in turn, severely damages faith in our government, both domestically and internationally.

I don't think I'm overstating this.

For the record, I'm a Republican. I will be voting for Bush in November. I do not trust electronic voting machines one damn bit.

I've written some on this at my little site, most recently commenting a bit on this post at http://www.murdoconline.net/archives/001469.html.

Posted by murdoc at July 30, 2004 02:12 PM

See Neo-Luddites and Voting for my views.

Paper ballots are far too easy to defraud, despite the best intentions of honest polling officials. Electronic ballots are far easier (in theory) to make secure, but not if there's any Commercial Secrets involved.

Disclaimer : Until recently I worked for a firm that produced an electronic voting system. One that works, and anyone can check (Open source, no trade secrets in hardware, software, operating system or compiler). I didn't work on it, I was too busy doing spaceflight avionics are the time, another area where it just had to be 100% perfect, with no second chances.

Posted by Alan E Brain at July 31, 2004 07:39 AM

Post a comment