Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Hugh Thompson Answers Voting Machine Security Questions

Roblimo posted more than 7 years ago | from the paper-ballots-never-have-software-problems dept.

122

You posted your questions for Herbert H. Thompson, PhD, on November 3rd and 4th. He decided to wait to answer until after the election in case there was a flagrant voting machine problem he could include in his answers -- and there has been at least one, but it is probably not a "security" problem per se, and is a long way from being resolved in any case. So here we go. Good food for thought here.

1) paper trail?
by ummit


This is a really basic question and it seems I should know an answer, but it never seems to be discussed: Why are the electronic voting machine companies generally so dead-set against emitting verifiable and auditable paper records? It can't just be cost, because they could and would just pass that on to their customers.

Hugh: In some states the debate has already been settled in that there is legislation in place requiring a voter-verified paper trail. Verifiedvoting.org has a good tracker of this here.

There are a few points often cited by groups resistant to a voter-verified paper trail. A first argument is that printers can fail. In touch-screen - Direct Record Electronic or DRE machines - printers are often the only components with moving parts (although some systems do have hard drives) which increases the risk of mechanical failure. Printers also bring issues like running out of paper, jams, misprints, etc. Another reason (cited less frequently) is the cost of paper/printing, but as you pointed out, this is a cost that can be passed on to counties.

Some election officials have also made the argument that they've already bought machines that don't have a paper trail and retrofitting existing machines would be costly and painful. I've also heard the argument that having a paper receipt doesn't matter because in most cases they won't be referenced.

I don't think that the sum of these arguments against a paper trail come any where near countering the necessity of having some sort of redundant recording mechanism. A critical system should always failover securely and a voter verified paper trail, if implemented properly, can meet that need for DRE machines.

2) Re:paper trail?
by Thansal


Sort of a follow up, how do the states/districts decide what machine to go with? Is it a standard "go with the lowest bidder", is this why we see such shoddy machines going into action? Do the decision making organizations tend to have specific features they look for? Anything else you would like to share about the decision making processes that you have seen?

Hugh: There are a couple of key things to keep in mind. First, there are only a few main machine suppliers. Second, the Help America Vote act (see http://www.fec.gov/hava/law_ext.txt) provided a ton of money to invest in electronic voting machines within a short (debatably unrealistic) timeframe. Given these two factors, the sales that I've seen have boiled down to readily visible machine elements like purchase price, how many other places have used the machines successfully, deployment cost, maintainability, ongoing service/maintenance cost, personal relationships, etc.

Generally, buyers of this technology aren't factoring in security: the machines pass certification lab tests but the testing doesn't cover security well (or at all). The National Institute of Standards (NIST) is working on certification procedures to address this very problem and the hope is that security will factor prominently into buying decisions made in the future. Hopefully existing machines will be retrofitted to meet those new standards too.

3) Largest Inherent Flaw?
by eldavojohn


In your opinion, what is the largest inherent flaw within electronic voting systems today? Diebold's been in the news for having many potential problems ranging from securing the physical hardware to the ability to hack the software or firmware. I'm sure you're quite prepared to pose a case against implementations but can you think of a more intuitive scheme (encryption, network layout, verification scheme) to protect against "hacking our democracy?"

Hugh: The biggest problem with e-voting isn't technical; it's procedural. Ignoring the perennial social voting issues (voter suppression, dead people voting, etc.) there's no real guidance given to elections administrators on how to safely and effectively use electronic voting equipment. If one has no idea what a memory card is, why would you bother trying to secure it?

One glaring example of bad procedure is 'sleepovers', a practice where voting machines are sent home with poll workers before an election to make the process of transporting them to polling places on election day easier (see http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9002204 for some info on this). If one were dealing with a box to hold ballots, 'sleepovers' wouldn't be a problem because the morning of the election a group of poll workers could inspect the box and verify that it was empty (including the old false bottom trick; see 'Stuffer's ballot box' at http://americanhistory.si.edu/vote/paperballots.html). If election officials knew the risks of tampering with some of these electronic voting machines (just search Slashdot for 'e-voting' for examples) then a voting machine sleepover suddenly seems like a pretty bad idea.

Right now we're at a point where election supervisors and poll workers are given a technology that they don't understand with little or no guidance on how to use that technology safely and securely. That's a recipe for serious risk, for voting or anything else.

4) Here is my question...
by Noryungi


Let's assume for a moment the 2006 US House/Senate election goes this way: Republicans keep control of both through a series of smallish victories, Democrats gain a few seats, and the results are explained away in the mainstream media as "fluke results", "margin of error", etc...

How do you prove that foul play (hacking) has been involved?

Do you even have a plan in place to check the results?

Please note that this is a very serious question. There was a saying, a few years back, that said a novice hacker is someone known in a small circle, a confirmed hacker is someone who is known all over the Internet, and a great hacker is someone who is totally invisible.

What if the election was subtly hacked, in a way that left lingering doubts (51%-vs-48% kind of results and all that), but no solid proof?

Hugh: First it's important to define e-voting security as a technology issue and not a partisan politics issue; what we've seen so far has been bad software and bad procedures to administer that software. Given the types of vulnerabilities that have been found, proving (and sometimes even detecting) foul play can be very difficult if the malicious person is skilled and the effect is minor (meaning a small percentage of the actual votes cast). For the types of vulnerabilities uncovered in some of the touch screens, optical scan readers, and backend tabulation systems, exploits can be written for some of them that are 'self erasing.' This means that the last executed bits of code can change things so that it looks like the original which could make slight tampering difficult to detect or prove in purely electronic systems. I think this argument speaks to the need for a voter-verified paper receipt so that there will be at least a good answer to the recount question.

5) OSS?
by Xzzy


Does the HBO show spend any time discussing the three "sides" to the debate? E-Voting, open sourced e-voting software, and paper voting? The last Slashdot article on this topic, when Diebold's complaint was announced, spent some time on this. The worry being, the debate is nothing more than "e-voting good" or "e-voting bad", ignoring the possibility that "open source e-voting" might be a viable middle ground.

How do you think open source could fit into this issue? Or should it?

Hugh: When it comes to voting, I'm not sure if it's a matter of open vs. closed source but instead a matter of standards and inspection by people who understand security. I'd be a fan of any solution, open or closed source, that allows trusted, knowledgeable, and independent software and hardware security practitioners the ability to inspect the systems and the code that runs them.

For example, I believe that there should be some sort of standards organization that is chartered with inspecting the system AND has proven security expertise to act as a representative of the people. For airplanes we put faith in FAA and airline carrier safety and security inspections. This kind of process has worked pretty well for a long time for machines that we place our trust in like airplanes, elevators, etc. but we're still a long way away from it in voting unfortunately. If the voting systems were open source, this may come automatically as a function of the 'citizen inspector' and might get us to where things should be faster but I think its still possible in a closed-source environment.

6) Pen-and-paper voting
by NetDanzr


What, exactly, is the argument against pen-and-paper voting? It seems to me that everybody wants to migrate to voting machines - electronic or mechanical - but so far nobody has explained to me what's wrong with good old-fashioned "put an X next to your candidate's name" voting.

Hugh: There are some pretty interesting (and legitimate) drivers behind e-voting and I'll go through the biggest.

The first is a push for disabled voters to be able cast their ballot using the same mechanism as able-bodied voters in a non-assisted way. Many states have mandated that machines must be able to service blind and illiterate voters and section 301 of the Help America Vote Act (HAVA)requires that such facilities at least be available (see HAVA section 301 from http://www.fec.gov/hava/law_ext.txt). Most touch screen machines do this through audio output to a headphone jack.

Another driver is the desire to capture voter intent unambiguously. Every year thousands of votes aren't counted because there's some ambiguity in how the voter intended to vote. In pen and paper voting, someone can put Xs (or shaded-in ovals) next to two candidate names instead of one or make a stray mark on a paper ballot which may lead to some late night debates involving lawyers and magnifying glasses. One of the hopes for e-voting was to drastically reduce voter intent ambiguity by guaranteeing that someone couldn't vote for multiple candidates in the same race simultaneously.

Efficiency (theoretically) has been another driver, more so in counting than in the actual voting process itself.

The sum of these present a good case to at least rethink pen-and-paper as the answer but, as with any new system, care has to be taken that the solution fixes more problems than it creates.

7) Why is it so hard?
by gorbachev


As a software engineer I'm constantly amazed at how incompetent Diebold and other companies making e-voting applications appear to be. This stuff is not rocket science at all, but fairly uncomplicated, basic software engineering.

Why do you think it's so hard for Diebold and other companies to come up with solutions that work well? Is it a stubborn unwillingness to listen and learn from critics, sheer incompetence, or something else?

Hugh: We've certainly seen some pretty glaring security problems in voting machines that span touch screens, tabulators, and optical scan devices. We've really seen problems across vendors too. The biggest problem I think is that there's no real economic driver to make the systems more secure. The people that buy voting machines typically haven't discriminated based on the security quality of the machines because they have no visibility into it. It's like buying a car without something like consumer reports crash test ratings. Unless someone actually starts looking at machine security and comparing it then we're left to making buying decisions based on qualities we can see like purchase price, market share, and whatever unsubstantiated thing the vendor wants to tell us about features and quality. Even given some of the vulnerabilities that have been found, and supposedly fixed, we're still no better off. If you determine that company X has vulnerability Y in one of their voting systems who's to say if the competition's voting system is any better or worse? We are at the point now where we know the systems that have been looked at are sub-par with respect to security and hopefully that's enough to spur consumers (counties that buy the machines) to start asking some tough questions to vendors about security and get us to a place where they can factor security quality into their buying decisions.

8) On Open vs. Closed Networks
by the-banker


It has always seemed to me that the real Achilles heel of e-voting is the networked approach that most vendors have taken. With a networked approach, fraud can be perpetrated on a mass scale if entry is gained at one weakness.

As a former election judge, I have enough experience to know that rigging a paper election is a daunting, nearly impossible task, as there are literally thousands of ballot boxes that would have to be compromised for any sort of advantage (on a state or national scale).

Are these concerns balanced (or even discussed) when officials are purchasing equipment? Do local Board of Elections have not only the expertise, but the concern to ask the right questions? And how do BoE directors react when they hear about your concerns and research?

Hugh: I agree that networking machines together is a serious risk certainly from a scale-of-attack perspective and unfortunately some counties continue to modem in results from polling places using procedures that are insecure.

I think the bigger issue is visibility and awareness; election officials just aren't given procedural guidance on how to administer the systems securely. The result is risk and I think many of these risks aren't weighed with the proper magnitude by election officials because it's unfamiliar territory. I think that most Board of Elections officials are good people who want to do the right thing but just don't know what questions to ask vendors about security and don't know how to interpret their answers. This isn't just a problem in voting, it's a problem with software security in general and I think it's important that if you're investing heavily in a software-based solution that you ask hard questions about security. I think a good starter set of questions to throw at software vendors (voting or otherwise) is:

  • What process improvements have you made as a result of vulnerabilities reported in your software?
  • What is your patch release (or update) strategy?
  • Have you had an external (and reputable) security auditing or penetration testing firm evaluate your system? Can we see a summary of their report?
  • Can we have our own security auditing firm evaluate your system?
  • Do you have a dedicated team to assess and respond to security vulnerability reports in your products?
  • What is your vulnerability response process?
  • What training do your development and testing groups receive on security?
  • What percentage of your test team is focused on security?
  • What are the terms and period of your security support agreement?
  • Do you offer security training, documentation or guidance to people that will be operating your system?
This list is by no means comprehensive but the answers will likely be illuminating. Some of the questions rely on vendor forthrightness while others use external validation. With someone technical and software security savvy on the team that's evaluating vendors though, you can get a good feel for how vendor answers compare with each other. The long term hope is that we'll have decent security standards for voting systems that are enforced. The National Institute of Standards (NIST) is making progress here and I look forward to the results.

9) The greatest threat to e-voting?
by sharkb8


Do you think the greatest threat of an e-voting system being hijacked is during the voting itself, with one or more people influencing things at the polling place, during the processing, with untrained, nonaccountable poll workers and supervisors, or do you think a greater threat would be someone maliciously attacking an electronic vote counting repository/database?

Hugh: In terms of attack, the greatest risk is still probably a people risk; and that has existed for a long time. The concern with e-voting is that some of the vulnerabilities found make it so that the number of folks that would have to be involved to tamper with results is fewer than before and that their efforts may scale. From that perspective I think there's risk at each stage of the process from how voter registration databases are stored and secured, to how they are cast on election day, to when they get aggregated at the central tabulator. The 'riskiest' piece of the process actually varies from state to state and county to county based on the procedures they have around security. In some places the biggest threat may exist in registration databases that are stored on unprotected servers. In other counties risk may come from poll workers that election officials know very little about who are allowed to take voting machines home the night before elections to make the setup process easier the next day. In others, the biggest risk might lay in the central tabulator which is housed in an unlocked room, where many people enter and exit throughout the day.

Many of these risks could be reduced by poll worker training and procedural change on how machines are operated and secured.

10) Is the Harm Really that Great?
by logicnazi


I am saddened and dismayed by the poor engineering and ignorance of basic security practices that our electronic voting machines show. However, is this really something we should panic about or even the biggest problem in our election system?

All voting systems are vulnerable to fraud. What makes these electronic systems different is that one or a very small number of individuals can engineer a fraud. However, their ability to execute a fraud is limited by the media polls (we will suspect something if the results are inexplicably different than polled) and knowledge of precinct history. Thus the danger from individuals changing the vote seems to really be that they will shift a close race (say 10% apart) one way or another.

However, this sort of shifting close races doesn't greatly degrade the structural force of voting. All candidates will still try to enact policies to garner support whether they need 50% of the votes or only 45%. Much of voting is random, affected by things like personal charisma rather than policy questions so clearly the system doesn't work because we always have the person who 50% want but rather it works because of the structural pressure not to stray too far from what the people want. Or to put it in political science terms, what does all the work is the tendency of all candidates to shift to the middle so in the long run who actually wins each race isn't so important.

But now comparing the potential for electronic vote fraud to things like machine politics (with conventional ballot stuffing), safe districts, voter disenfranchisement efforts, felon lists etc.. etc.. it doesn't seem like it is such a big deal. Making sure the polling places in the inner city don't have enough machines has a much bigger structural effect, by making sure one group's votes don't count at all, than just giving one candidate a random 10% of the vote. Creating a safe district removes virtually all of the structural pressure of voters on government and it seems far more effective and less dangerous to accidentally strike the wrong people from the rolls or put too few voting machines in some precincts.

In short are we letting our concern over the technology of voting blind us to the bigger issues? Shouldn't we be paying more attention to who gets to vote, how districts are drawn and other conventional aspects of voting than to the potential for individuals to electronically cheat?

Hugh: I think that the flaws we've seen with electronic voting are only a piece of the problem and that the largest issues we have in voting are people ones. The technical flaws, though, may amplify some of the classic people threats. As you pointed out, some of the vulnerabilities may allow a malicious person's actions to scale or may mean that a smaller number of people to have a bigger influence. Even just within the space of e-voting security I'd argue that many of the risks that come from machine vulnerabilities can be greatly reduced if we had some sound broad procedures/education around using and administering the machines securely.

The voting process has always posed some significant challenges. E-voting security is a small piece of the larger problem. It is a piece that we know we can do something about, though, by establishing some basic security assessment standards for the machines themselves and some procedural and education standards for those that administer elections. The biggest sin would be that e-voting vulnerabilities merit a prominent place on the laundry list of voting problems in years to come. I think we're at a point where some simple things can be done to move it off that list and I hope that some of the standards efforts that have begun now in earnest get rolled out so attention can be focused on other ongoing voting challenges.

cancel ×

122 comments

Sorry! There are no comments related to the filter you selected.

first! (-1, Redundant)

ebers (816511) | more than 7 years ago | (#16916814)

got it!

Re:first! (5, Funny)

jimmichie (993747) | more than 7 years ago | (#16916884)

I demand a recount!

No, You Can't Have A PS3 (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#16917058)

Not Yours

LOL [slashdot.org]

The Democrats Won (1, Insightful)

Anonymous Coward | more than 7 years ago | (#16916828)

....hence, there's no electronic voting fraud. None whatsoever.

When the Republicans win again, it'll be a story again.

Re:The Democrats Won (2, Informative)

ebers (816511) | more than 7 years ago | (#16917110)

The democrats aren't the ones receiving public endorsements (and major contributions) from the voting machine manufacturers. http://www.commondreams.org/headlines03/0828-08.ht m [commondreams.org]

Re:The Democrats Won (3, Interesting)

Peter Simpson (112887) | more than 7 years ago | (#16917518)

I'm glad they won, but I still have a *huge* problem with the fact that touch-screen voting machines are the wrong solution to a problem that may not exist.

I have heard "they're better for blind/disabled"...and I don't believe it for a second. How do you measure this? Do blind and disabled voters agree?

I have heard "faster totals"...yeah, but - is fast better than accurate?

I have heard "saves printing costs" - at the expense of having to hire more tech-savvy voting machine attendants?

I'm not convinced at all, and I don't really care who wins, as long as we make every possible effort to insure that the winner is the person who received the most votes. It's not about Democrats, Republicans, or Green/Rainbows, it's about making sure every vote counts, and the results are auditable. It's about Democracy, folks, and it's up to all of us to make sure that every vote is accurately and verifiably counted.

Re:The Democrats Won (2, Interesting)

compro01 (777531) | more than 7 years ago | (#16917902)

i personally call BS on the inability of blind voters to vote using paper ballots. my grandma (who is 94 and has 20/400 vision, legally blind is 20/200) is able to vote just fine with our paper ballots here in Canada.

and if a person is completely blind, how in the name of whatever Deity you believe in is a touch screen that they can't see going to help?

and just how disabled are you if you can't put an X in a 1.25" circle? even if you have tourette's or something and you screw up your ballot, you can get another one as many times as you need to until you get it right.

faster? results before you go to bed (well, results when you wake up if you live in the east) isn't fast enough for you?

i'll certainly agree with you on that computerized voting machines are a solution in search of a problem.

Re:The Democrats Won (1)

Beryllium Sphere(tm) (193358) | more than 7 years ago | (#16920722)

The Diebold in the back of the polling place last time I voted had a headset, presumably for giving voice prompts to walk a completely blind person through the process.

Re:The Democrats Won (5, Insightful)

Anonymous Coward | more than 7 years ago | (#16918304)

"it's about making sure every vote counts"

This is a very widely accepted fallacy. As the size of the voting body rises, the chance of a perfect tally falls very quickly towards zero. Voting with any large group is a statistical process, not an exact one. Like any statistical measurement, there is a margin of error. The quality of the voting apparatus and process is only important in that it dictates the margin of error. Anytime the margin of error is greater than the margin of victory, the only sensible action is a runoff election, NOT a recount. If the margin of victory is consistently smaller than the margin of error, then perhaps we need to consider a compromise solution (e.g., scrap both candidates and start over) instead of sticking with the current "winner takes all" scenario, which pretty much guarantees that 49% of the population will be unhappy.

I'm in favor of new technologies if they can provably reduce the margin of error by a significant amount. But really we should just acknowledge that all voting systems are imperfect, and redesign our election system around the inherent uncertainty.

Re:The Democrats Won (1)

dircha (893383) | more than 7 years ago | (#16923702)

You dispute that the goal is making sure every vote counts.

"This is a very widely accepted fallacy. As the size of the voting body rises, the chance of a perfect tally falls very quickly towards zero. Voting with any large group is a statistical process, not an exact one."

On the contrary, the probability that we can correctly tally all tallyable votes - "a perfect tally" - is very close to 1.

You seem to misunderstand the function of elections. An election is not simply a poll to determine the preference of the electorate. An election is a "poll" to determine precisely the preference of members of the electorate who express a preference, where the sample size is the number members of the electorate who express a preference through the designated means - the production of a tallyable vote. There is no projection or extrapolation involved. If a member of the electorate does not show up and produce a tallyable vote, then his or her preference is uncounted. This is not a medi poll. This is not an exit poll. This is a very different kind of "poll". It is a count.

We are faced with 2 challenges, neither of which has anything significant to do with sample size and confidence level of the polling you seem to be thinking of.

The first challenge is to ensure that every voter who wishes to produce a tallyable vote, produces a tallyable vote.

The first challenge is largely independent of the method of voting and tallying the vote. We need to make sure that people are not turned away, are not threatened, are not compelled to vote one way or another, vote for only a single candidate per race, and so forth. While electronic voting can help us address some of these issues, they for the most part are independent of the actual process of tallying votes and are not, for the most part: the issue we are discussing when we discuss electronic voting.

And why you want to make the distinction between a runoff election and a recount, makes no sense. These same issues will be present should a runoff election be conducted. Whereas recounting actually makes a difference. A recount is essentially an audit. We perform an audit of a vote just as we would perform an audit of monetary transactions in a bank system. We do so to look for tampering and other sources of error. Whereas a runoff election risks disenfranchizing large numbers of voters who do not vote on the second, or third, or fourth attempt.

The second challenge, the one we are concerned with here, is to ensure that we tally every tallyable vote.

The second challenge, despite what you would have us believe, has no fundamental margin of error that is significantly more than the margin of error in a bank system totalling monetary transactions, or for that matter, your CPU performing integer addition. This is a miniscule margin of error we are talking about here.

Tallying every tallyable vote is a solved problem. We just need to get the technology out there. It is as solved as the "problem" of your bank producing monthly statements. Would you accept a statement from your bank reading: $5000.00 +/- $30? Of course not, and we don't, but it is a solved problem. Just as with voting, the challenges we face in voting are problems problems of security and deception.

And once we get this minor hurdle out of the way, as Thompson says, we can move on to the much bigger issues.

Re:The Democrats Won (1)

stevewa (930967) | more than 7 years ago | (#16918718)

Indeed the Canadians have been lovingly hand-counting paper ballots for years.

If a touch-screen experience is really that desirable, let's have a touch screen machine that spits out a human-verifiable paper ballot (and no thermal paper that fades after 30 days either!). The fact is a properly filled-out paper ballot is still the gold standard for verifiability.

Re:The Democrats Won (1)

Dachannien (617929) | more than 7 years ago | (#16921854)

I have heard "faster totals"...yeah, but - is fast better than accurate?

Theoretically, an e-voting system should be faster and more accurate than punch-card or optical scan systems. For example, the contested votes in Florida in 2000 were counted a zillion times with a different answer each time. Some of this was due to vote ambiguity, and some was due to error on the part of recount officials - both of which can be alleviated by a properly designed e-voting system.

The problem is that the e-voting companies refuse to try to engineer a system that is failsafe and hackproof (whether they could succeed or not is another question, but it's not even a design goal at this point).

This is a problem with many root causes, such as inclusion of a level of complexity great enough to confuse poll workers, a refusal to program systems natively instead of using a non-crash-proof and multithreading OS, a refusal to make the firmware open-source, and generally a refusal to pay attention to the security issues that outside e-voting experts have been complaining about for years now.

Re:The Democrats Won (0)

Anonymous Coward | more than 7 years ago | (#16917722)

Yeah. Republicans **TRIED** to rig these elections, too, just like they did with the previous ones.

It's just that they weren't successful this time around, that's all.

Stupid putz.

Re:The Democrats Won (0)

Anonymous Coward | more than 7 years ago | (#16920104)

You, sir, are an example of exactly why this country is headed to crisis of epic proportions. The rise of "us versus them" mentality within the ranks of U.S. politics to the extent that any person of the party is, by his or her nature, crooked and hell-bent on destroying me or supressing my freedoms is tremendously difficult trend to correct. At one point, ferocious punditry was limited to the Limbaugh's and Randi Rhodes' and Al Franken's but now is a part of regular discourse.

At some point, healthy skepticism and a watchful eye of our public servants was replaced with movements so vitriolic, viscious and paranoid as to make Dr Beter and Chuck Carter flinch.

Perhaps, in some ways, its for the best. Perhaps a nation that can't exercise sufficient self-control to discuss matters like adult manner doesn't deserve the right to control its destiny. But I'm in a rather cynical mood, I suppose.

Re:The Democrats Won (0)

Anonymous Coward | more than 7 years ago | (#16923018)

If you have evidence, then let's hear it. If not, then quit your whining you sore loser.

Secure tallying (4, Interesting)

lawpoop (604919) | more than 7 years ago | (#16916900)

Problems with paper and electronic voting aside, I think what we really need is secure tallying.

What I'm envisioning is some kind of method where votes can be tallied, and the running tally can be periodically published during the count. I imagine it would have some kind of hashing technology, like PGP, where tallies are perhaps encoded in a string, and the string is published. The hashing token, or whatever mechanism allowed a vote to be legitimately added to the tally, would be passed from one voter to another, after they voted. This puts the power to count votes into the hand of the voters, rather than a poorly-trained election volunteer, a partisan, or a hackable machine. Because of the constraints of the token and hashing, a voter can only vote as they are allowed, without destroying the tally hash string.

Unfortunately, this is [X] a highly technamalogical solution, and while it might be possible, it would be difficult to get people to understand, and thus endorse it.

Re:Secure tallying (4, Interesting)

mutterc (828335) | more than 7 years ago | (#16917292)

Some places already have partial solutions to this problem. What follows is specific to Wake County, NC; your laws may vary:

At poll closing time, the optical-scan machine prints multiple copies of a totals tape, showing total ballots cast (which bloody well needs to match the number of authorization forms issued), and totals for each race.

Two of these results tapes go back to the BoE by different means (in addition to the scanner sending in its results electronically). A third is posted at the polling place.

Therefore, you can check up on the official, precinct-by-precinct, certified results by going around to the precincts and copying down these numbers. If the official tallies differ by more than the number of absentee and provisional voters in the precinct, there's a problem.

This will catch central-tallying anomalies (like someone hacking the central database). It doesn't catch problems with the individual precincts' scanners, but some random percentage of those are hand-count audited after each election to check up there.

Re:Secure tallying (1, Insightful)

corbettw (214229) | more than 7 years ago | (#16918202)

That would be a hugely bad idea. Just look at the 2000 election: the networks call the state of Florida (prematurely and incorrectly) for Gore, then when the ballots are counted it ends up going to Bush. But the turnout in Western parts of the state dropped off dramatically, since people thought "my vote doesn't count, it's already been decided". In my mind, it's better to hold off on making any pronouncements, one way or the other, until everyone has voted.

Re:Secure tallying (1)

skarphace (812333) | more than 7 years ago | (#16920552)

Just look at the 2000 election: the networks call the state of Florida (prematurely and incorrectly) for Gore, then when the ballots are counted it ends up going to Bush.
And this is one of the biggest reasons why people think that the election in Florida in 2006 was fixed.

For 50 years(or however long they've been doing it), exit polling has been an excellent indicator of how people actually vote. Now why, after 50 years(?) would the system all of a sudden fail? And we're talking multiple pollsters, not just one.

Add on top of that other suspicious behavior and election tampering, you've got yourself a pretty solid conspiracy theory.

Re:Secure tallying (0)

Anonymous Coward | more than 7 years ago | (#16920720)

Where I work, we go one further. The tally software is run on computers connected via a different LAN (Token Ring) than our main LAN (ethernet) and sent to one server which has a bridge. That server then sends directly to the Secretary of State. We can correlate the numbers at the SoS, the server and each system.

In addition - and we're doing it as I write - we have a 1% manual tally. The optical ballots are hand-counted and verified. Then the totals for each preceint are counted against the optical readers. So far, we've had very few issues.

We also do a 1% manual tally of the DRE systems. On election day, each DRE is "zeroed out" and a "zero report" is printed, showing there are no votes in the machine. That zero report is kept under lock and key along with the paper ballots for that precient.

Each machine does have a paper trail, and that paper is compared against the memory cards for that machine during our canvass operations.

All-in-all, I'd say the systems are very safe. I would never say foolproof, but pretty safe.

Re:Secure tallying (1)

LPrecure (835868) | more than 7 years ago | (#16920994)

I see a problem with publishing the vote totals DURING the election. Makes it too easy for the participants to tell where their efforts are working and where they need to rush the reinforcements.

But I've had an idea for some time for "open vote counting":

My e-voting system would be:

At the time of voting, the voter gets a receipt that shows who he voted for. The printer is an impact printer, loaded with 2-part paper. The carbon is retained by the printer.

The night of the election, the county publishes, on their web site, the machine-by-machine vote totals. (And the county- or district-wide totals).

Two weeks after the election, a CPA firm, selected at random, picks 5% of the machines at random, and verifies that the votes on the carbon matches the posted, electronic totals for that machine.

If 5% of the machines match the paper record exactly, then it's a pretty good bet that the other 95% are clean, too.

Two weeks after the audit, the carbons become public records. If the local paper wants to send people down to the courthouse to recount every single paper record (at their own expense), then knock yourselves out. If Joe Citizen kept his receipt, and he wants to check to make sure his vote is still recorded at the courthouse, then that's his right.

Re:Secure tallying (1)

lawpoop (604919) | more than 7 years ago | (#16922376)

"I see a problem with publishing the vote totals DURING the election. Makes it too easy for the participants to tell where their efforts are working and where they need to rush the reinforcements."

That's called getting out the vote. I see no problem, legally or ethically, with encouraging people to go out and vote. These 'reinforcements' have to be registered to vote ahead of time, in a specific precinct. You can't just shuttle in voters from anywhere. One person, one vote. As long as it's not voter intimidation or coercion -- i.e. forcing them to vote a certain way, nor voter fraud, such as multiple votes, there's no problem.

The 'problem' you are describing is exactly what happens now, except without the instant feedback of official results. Both the Democrat and Republican party have statistics of where their voters live and they call them during the run-up to the election to make sure they get out and vote. They have very accurate statistical records that they hone after every election to make sure that they are only calling *their* supporters, not the public at large. And they do have instant, continuous feedback in the form of exit polling, both theirs and the media's polling.

Very good (1)

matthew.paulsen (978693) | more than 7 years ago | (#16917030)

Very good discussion. This has answered questions that have been itching at the back of my mind for a while.

Why not have voting over internet? (5, Insightful)

Absolut187 (816431) | more than 7 years ago | (#16917120)

Why do we all need to vote on the same day?
Why do we need to congregate at designated areas?
I can do my banking securely online, why not vote?
Why not have online voting?

The voting period could span several days or weeks, instead of hours.

The federal government could fairly easily create a webserver with logins for 300 million people. Each person would be given a userid and password. This could be sent in the mail or given online after supplying social security number and birthday, etc.

People who don't own computers can be given access to one.
The number of internet-capable personal computers owned by counties must be far in excess of the number of expensive Diebold machines. (Anybody know the cost of a Diebold vs. the cost of a basic Dell?). Someone at the federal government could easily create an image of a simple secure OS and browser that could be put on any x86 PC owned by a local library or school.

I just don't see security being a huge problem. Every single voter could self-monitor that their vote counted by logging back in to make sure that no hacker had changed their vote.

If hundreds of banks can make online banking work, why can't the goverment make online voting work?

Anonymity (3, Insightful)

everphilski (877346) | more than 7 years ago | (#16917328)

Why not have online voting?
The federal government could fairly easily create a webserver with logins for 300 million people. Each person would be given a userid and password. This could be sent in the mail or given online after supplying social security number and birthday, etc.
Congratulations. Now your vote is tied to your social security number. The whole point of a ballot box is that the votes are uncorrelated with the voters. The total number of votes == the total number of voters, but we don't know who voted for whom.

As to your other questions? Do you really think stretching out the vote for a week or month will increase accuracy? I have my doubts.

Re:Anonymity (1)

Absolut187 (816431) | more than 7 years ago | (#16917440)

Anonymity from whom? Certainly my plan does not preclude secrecy of my vote from other voters. Secrecy of votes even from the G-men techies running the show would be possible, using the same techniques used for anonymizing generally.

Plus, even if anonymity from the government were impossible, do you really suspect government reprisals? Implausible.
At this point in our history, government reprisal against individual citizens for their voting records is not only unlikely to be attempted, it is certain to be banned by the courts, and third it would just be plain old unfeasible.

Re:Anonymity (1)

Absolut187 (816431) | more than 7 years ago | (#16917558)


Do you really think stretching out the vote for a week or month will increase accuracy? I have my doubts.

Yes, but actually I was mainly thinking that it would improve convenience and VASTLY improve voter turn-out.

What were we at for this election?
Im sure it was pathetic. Face it, 70% Americans are too lazy to leave their houses for anything but food.

Re:Anonymity (1)

everphilski (877346) | more than 7 years ago | (#16918326)

I agree, it is pathetic, but voting is a right and a privelege, not a forced requirement. Maybe we are better off that people who don't care aren't throwing ill-advised votes in no particular direction (IE: just adding noise to the system).

Re:Anonymity (2, Interesting)

Odiumjunkie (926074) | more than 7 years ago | (#16917568)

> Congratulations. Now your vote is tied to your social security number. The whole point of a ballot box is that the votes
> are uncorrelated with the voters. The total number of votes == the total number of voters, but we don't know who voted for whom.

The votes wouldn't need to be tied to the social security number, only the account would need to be. Have the server randomly generate voting pages where the options (A,B,C) each represent a candidate or party on a random basis (on my ballot A is democrat, on your ballot A is republican). Once your vote is submitted, the server enters your choice of candidate (democrat, republican, independent) in a central database but doesn't record who you are, but ALSO enters your choice of option (A,B,C) in a seperate database that you have access to which is tied to your social security number. The random page generated for you by the server is not retained anywhere. You can access the second database (at least for you own user id) and see that your option (A,B,C) has been recorded correctly, but no-one can use that info to tell who you voted for (except yourself, assuming you remember or keep a record of what A,B,C corresponds to. The actual results database is not tied to your SS number or user id. The whole thing could be done with open-source software, and done transparently.

People can also check that the totals for the database of candidate choices equals the totals for the database of option choices. Accuracy can be verified but anonymity is retained.

Re:Anonymity (2, Insightful)

Procyon101 (61366) | more than 7 years ago | (#16918204)

It still needs to be publicly accessible source code. One of the issues is that no one trusts the machines because no one is allowed to open the little black boxes to see what they are actually doing. In your scenario, if the implementor is still able to hide the code executing the process, then the fact that he says you are anonymous holds very little clout.

It doesn't neccissarily need to be open source (as in, the source is legally available for reuse) but it most certainly needs to be revealed source.

Re:Anonymity (1)

heinousjay (683506) | more than 7 years ago | (#16918826)

Frankly, screw the trust of Open Source geeks. You have ideals that do not match the mainstream. Why cater especially to you?

This is a serious question.

Re:Anonymity (3, Insightful)

Procyon101 (61366) | more than 7 years ago | (#16919082)

It's not about open source. It's about a visible process.

The paper ballot/hand counting system is trusted by voters because they can see the process that is going on with their votes, and for all it's flaws, at least it's not a black box where some magical incarnation happens and the winner is announced with no assurance that anything was legitimate except the politician's word.

By exposing the whole process, end to end, you have the equivelant openness of the paper ballot system. This has nothing to do with open source, which is about the free use of code... it's a stupid vote tally system and open sourcing it almost as silly as open sourcing "hello world" as any first year CS student could write one. This has everything to do with visibility and accountability for the process.

And I reject that my ideals do not match the mainstream. The mainstream doesn't have this issue with things like ATM machines, for they can directly audit every aspect of the process of counting their money without needing to see the source code of the ATM machine. They cannot directly audit the voting process and verify accuracy, hence the need for more open procedures. The fact that the issue is popular enough that HBO runs specials on the untrustability of the process leads me to believe that making the process visible is not "catering especially to me."

but open source is visible (1)

shis-ka-bob (595298) | more than 7 years ago | (#16921142)

I agree that open source is only part of the process. But certainly open source is visible to anyone that cares to view the code. So if we assume that a visible process is required, doesn't it follow that the source code needs to be visible to an auditor? What is open source if not visible? It seems to me that open source is a consequence of having a visible process, so a claim that open source has nothing to do with the openness of a ballot process is contradictory.

Re:but open source is visible (1)

Procyon101 (61366) | more than 7 years ago | (#16922132)

I disagree.

Open source is the concept that source code can be *reused* by the recipient under the conditions of the particular licence. I don't think that companies contracted to provide machines should neccissarily be forced to open their code to reuse by 3rd parties and thereby creating new competion for themselves. That said, I also don't think open source code for elections is a bad idea either. The concept of open source is different from the concept of visibility of the source code and the 2 concepts neither preclude or forces the other. For elections to be auditable, the process need only be visible.

Re:but open source is visible (1)

Procyon101 (61366) | more than 7 years ago | (#16924500)

I take that back... Open Source enforces visibility, but not the other way around :)

Re:Anonymity (4, Informative)

corbettw (214229) | more than 7 years ago | (#16918246)

How do you ensure that someone is a citizen and is allowed to vote? By having them log in, of course. Once they're logged in, what's to prevent their vote from being associated with their identity? Nothing, of course.

That's why this will never happen. Nor should it, voting should be completely private, there should not even be the slimmest chance that your vote will be recorded as belonging to you.

Re:Anonymity (1)

fremsley471 (792813) | more than 7 years ago | (#16921554)

That's why this will never happen. Nor should it, voting should be completely private, there should not even be the slimmest chance that your vote will be recorded as belonging to you.

Here in the UK the voting slips are in numbered books and are ripped out and given to you. The Poll clerk then writes your voter number on the stub. Many tales of Special Branch (the more politicized police) turning up at town halls after the election and picking up the piles of communist/facist/socialist voters to be checked against the electoral registers. It's incredible that more people haven't kicked up a fuss about it.

Re:Anonymity (0)

Anonymous Coward | more than 7 years ago | (#16921950)

There is one glaringly obvious problem with your statement...
1. Install cameras in booths to protect against voter fraud (viewing angle not at voting apparatus, of course, for privacy sake)
2. Time match video with votes recorded by the software at that time.
3. ....
4. Profit! er... well, you get the point.

If anyone wants the information, they will find a way to get it (that is what Exit Polls do now, but on a simpler less valid way). As we become more digitized and monitored as a society (for our privacy and for freedom sake!), it is inevitable that someone will connect our decisions (votes or otherwise) to us.

Re:Anonymity (1)

monkeydo (173558) | more than 7 years ago | (#16919614)

How do you know that the computer didn't record your token correctly, but your actual vote incorrectly?

Re:Anonymity (2, Insightful)

Pinkybum (960069) | more than 7 years ago | (#16919418)

So why not make it an opt in system? This is similar to absentee ballots now - so there is no difference. When I mail in my absentee ballot they definitely know who it belongs to. The parent posters online scheme is exactly the same. There is nothing stopping anybody coercing people to become an absentee balloter - why would the coercing of your actual vote be any different?

Re:Anonymity (1)

wealthychef (584778) | more than 7 years ago | (#16923118)

Interestingly, anonymity is the #1 reason I've heard as an objection to a paper trail. How do you verify that somebody's paper matches what the machine says unless you give the machine the ability tell who voted which way? As soon as you've done that, you do not have a private ballot any longer, technically. You could make it illegal to check, etc., but the ability would have to be there, or the paper trail is not very useful. I don't know a way around this. BTW, the current system is not verifiable either. After I leave the polling place, there is no way for me to verify that my vote was counted, is there?

Re:Why not have voting over internet? (2, Insightful)

CastrTroy (595695) | more than 7 years ago | (#16917378)

The simple reason they don't want you voting at home, is because it's supposed to be a secret ballot. There's no way of knowing that the vote is secret if you are at home.

Re:Why not have voting over internet? (2, Informative)

thinbits (904652) | more than 7 years ago | (#16917604)

Not true. Here in Oregon many (most?) people vote by mail. You fill in the ballot, but the ballot in the secrecy envelope, and then put the secrecy envelope in the mailing envelope and mail it.

Re:Why not have voting over internet? (1)

lawpoop (604919) | more than 7 years ago | (#16917918)

So you are against the mail-in ballots that most states have at this point?

Re:Why not have voting over internet? (5, Insightful)

Beryllium Sphere(tm) (193358) | more than 7 years ago | (#16917516)

>Why do we all need to vote on the same day?

I believe the theory behind the law is to avoid gamesmanship and discouraged voters if the results are announced before voting finishes.

>Why do we need to congregate at designated areas?

Because coercion and vote buying is part of the threat model. Go into a booth where nobody can see you vote and both threats are mitigated.

>I can do my banking securely online, why not vote?

You can't, not in the age of phishing. Further answer from Bruce Schneier's blog: One of the dumber comments I hear about electronic voting goes something like this: "If we can secure multi-million-dollar financial transactions, we should be able to secure voting." Most financial security comes through audit: names are attached to every transaction, and transactions can be unwound if there are problems. Voting requires an anonymous ballot, which means that most of our anti-fraud systems from the financial world don't apply to voting. (I first explained this back in 2001.) [schneier.com]

>I just don't see security being a huge problem.

Stolen passwords, shared passwords, forgotten passwords, keyloggers, mysterious 500 errors, undue influence applied to vulnerable voters, difficulty in reaching poor or highly mobile voters. I'd go on but I have to run an errand.

Re:Why not have voting over internet? (1)

Dare nMc (468959) | more than 7 years ago | (#16920466)

>I can do my banking securely online, why not vote?
thats been the argument about diebold, and your response is correct: even the ATM isn't all that immune from simple attacks.
http://www.theregister.co.uk/2006/11/18/mp3_player _atm_hack/ [theregister.co.uk]

but, casting your ballot by US mail has to be a greater concern than casting your ballot by internet. Despite all the 3 envelops, signed sealed... that introduces 10 ways to disqualify/discard/... a ballot, with no notice if/why feedback to the voter.

it does seam obvious a seperation of the vote from the voters ID has to occur at some point. Currently that is done physically, because that is easy to verify by the voter, ie I check my name off, and I walk off with a dozen people to vote minutes later, with something that appears annonymous dropped before I exit. Of course that isn't fool-proof, with cameras everywhere, simply adding a time stamp when inserted into the machine and comparing to video exiting the poles would easily break that anonymity, so at some point, even with the current system you just have to trust the system at some point.

So trusting a web app, that is certified, and verified, and with verifiable source code is not (in reality) taking on a significantly greater trust, it just appears much different.

I am sure a good statistion will generate a public key/ private key algorithm that allows the voter to generate proof their id was verified with a couple public key choices made by a voter after id verification, and not traceable to the original identity, and mathematically proveable.

Re:Why not have voting over internet? (1)

inKubus (199753) | more than 7 years ago | (#16922184)

The bottom line is that democracy is a farce. It's not the machines, or the voters. It's just like any other system, arranged from the top down. The person at the top has the real power. The people at them bottom entrust him with the power. How is this different than a king and serfs? It's not.

The only real difference is in our minds. We think that voting serves the same purpose that armed rebellion used to serve back in the day. We think that we can replace our leaders by voting if we don't like them. But really they are all from the same stock, multiple generations of the same families, over and over. If they aren't in government this year, they'll be in business and vice versa.

The fathers of this country knew this. It's built into the system. America is still very young but it was built to last forever. The system of checks and balances helps smooth out the instability over time. The problem is when a fluke (or fraudulent activity) arises (ie: 00 and 04) and one very small group gets ultimate power over all three branches, and has favors to cash in. A lot of great men have said that it only takes the right major crises to bring fascism... and it's for good reason. You need strong, powerful leadership during times of crisis. When most people are crying at home, depressed and unable to do anything, you need someone to stand up and make the hard decisions.

But when those decisions are mistakes, such as the decision to create a permanent state of war, etc. it seems pretty hopeless. We can only hope that some new great leader will arise and right the wrongs. It will happen eventually, somewhere. Maybe Europe will arise to be the new world leader? Maybe it will be China whom the world looks to for hope and guidance? The momentum the U.S. got from WWII is nearly played out. The baby boom will retire and we're going to be faced with the biggest economic crisis ever trying to feed 80 million vegetables. And we're worried about terrorists............

Re:Why not have voting over internet? (3, Informative)

stomv (80392) | more than 7 years ago | (#16917538)

The voting period could span several days or weeks, instead of hours.

Oregon uses vote by mail, and other states do have absentee ballots, so this process is (somewhat) available, depending on state law. An interesting side effect is that there is no campaign climax if people are voting over a two week span. Essentially, some people are choosing to vote without all available information, because they're voting before the campaigns are over.

The federal government could fairly easily create a webserver with logins for 300 million people. Each person would be given a userid and password. This could be sent in the mail or given online after supplying social security number and birthday, etc.

Secret ballots allow two important things: safety from coercion, and a prevention of the selling of ones vote. You can't be coerced if your vote is a secret vote with no receipt, and you can't sell a vote if you can't prove you actually voted the way you sold. There are some cases where people don't vote in secret -- see the question above, as well as instances where people with a handicap (blindness, for example) are assisted with their vote at the polling place. But, the vast majority of votes are cast in secret. Voting online prevents these guarantees, as well as guaranteeing that the person who cast the vote is the same as the person with the right to vote. Admittedly, this guarantee isn't 100% for meatspace voting, but the threshold is generally pretty high, and the chances of getting caught -- with a police officer right outside the door -- are high enough to keep nearly all people from becoming impostors in meatspace.

Furthermore, the diffuse system we use to collect and tally votes helps to prevent a single "hack" swinging an entire election. A single person would have a hard time stuffing a ballot box to swing a major election with paper ballots; a networked election, however, doesn't have that safety.

Finally, voting is a states rights issue -- with the exception of some specific issues like race in Constitutional amendments. Therefore, the US gov't can't make rules or collect votes for the states without each state's consent.

Your last point, that

I just don't see security being a huge problem. Every single voter could self-monitor that their vote counted by logging back in to make sure that no hacker had changed their vote.


has tremendous problems. (1) What if my vote was changed and I claim it was changed? (2) What if my vote wasn't changed but I claim it was changed? (3) How does this guarantee against any other kind of tampering, incorrect addition and subtraction, etc.

Voting on a network is putting all your eggs in one basket, and so is generally a terrible idea.

Re:Why not have voting over internet? (0)

Absolut187 (816431) | more than 7 years ago | (#16917738)

Secrecy/ Vote Selling:
Don't we have techniques for storing data without making certain connections?
I.E. store my vote, but never attach my vote to my name in a way that is visible to anyone, unless it is necessary due to allegation of fraud or mistake?

Federalism:
I'm arguing policy, not law. A constitutional amendment can quickly change the law, nevermind voluntary adoption by all 50 states.

"What if my vote wasn't changed but I claim it was changed?"
Then you are a liar, and we will look up the records and see. Fraud = prison.

"Voting on a network is putting all your eggs in one basket, and so is generally a terrible idea."
This is the only argument you make that I am at all persuaded by.
But I still think we can make it work. The likelihood of an UNDETECTED hack is low if you have webservers run by skilled people, right?

Re:Why not have voting over internet? (3, Insightful)

stomv (80392) | more than 7 years ago | (#16918316)

Don't we have techniques for storing data without making certain connections?
I.E. store my vote, but never attach my vote to my name in a way that is visible to anyone, unless it is necessary due to allegation of fraud or mistake?


So is it attached, or isn't it? If it is, then I have to trust my government -- a government I may be trying to vote out of office -- to not look at how I voted and take reprisals. If it isn't attached, then how can it be audited? If it can't be audited, that throws out an advantage of the proposed system.

Federalism:
I'm arguing policy, not law. A constitutional amendment can quickly change the law, nevermind voluntary adoption by all 50 states.


You can't have the policy without the legal framework, and no constitutional amendment can be adopted quickly, by design. Furthermore, I'd argue that the diffuse, states-rights system we have now is superior to a federal voting system, precisely because it does help prevent the federal government from undermining the democratic process itself.

"What if my vote wasn't changed but I claim it was changed?"
Then you are a liar, and we will look up the records and see. Fraud = prison.


So if my vote gets changed, I blow the whistle, and I can't prove it... then *I* go to prison. This seems like a perfect system for a totalitarian government. You vote the way *we* said you did, and if you say otherwise, to the gulag!


"Voting on a network is putting all your eggs in one basket, and so is generally a terrible idea."
This is the only argument you make that I am at all persuaded by.
But I still think we can make it work. The likelihood of an UNDETECTED hack is low if you have webservers run by skilled people, right?


Low isn't good enough, if one hack can wreck massive havoc on an election. The distributed, non-networked system we have now would require a massive conspiracy to have significant odds of changing the outcome of a presidential election. State elections have similar protections because each town has a different counting system, unlinked. A networked system requires you to trust that the sysadmins are always superior to all outsiders, and are above being influenced. I'm not so sure I'm happy about that system, especially given that most people simply don't know enough about systems administration to have faith in the entire framework. Most people do know how to count, which means that they can audit a paper trail ballot even if they can't be sure the initial count is correct.

Re:Why not have voting over internet? (1)

Absolut187 (816431) | more than 7 years ago | (#16924342)


The distributed, non-networked system we have now would require a massive conspiracy to have significant odds of changing the outcome of a presidential election.

Does this statement hold true if a single company manufactures a large percentage of voting machines?
Especially when the code they run is not open to public scrutiny?

Does it hold true in Florida? :-)

Re:Why not have voting over internet? (1)

kabloom (755503) | more than 7 years ago | (#16917596)

Why do we all need to vote on the same day?
Why do we need to congregate at designated areas?
I can do my banking securely online, why not vote?
Why not have online voting?

Because the day we have online voting is the day I come to your house, put a gun to your head and demand you vote for George W Bush. At least at the polling place, there are poll workers to ensure that no guns make it in, and no reliable reciept makes it out.

Have a look at Three Ballot Voting [mit.edu] . Now, there are several [princeton.edu] critiques [princeton.edu] of Three Ballot voting out (I just found them, so I haven't read them) which may turn to point out that three ballot voting isn't a good idea, but the main point is that the paper is simple enough that someone can read it and understand the principles at play in an election.

Re:Why not have voting over internet? (1)

Absolut187 (816431) | more than 7 years ago | (#16917842)

there are poll workers to ensure that no guns make it in, and no reliable reciept makes it out.

Dude, it is not the unarmed 98-year old WW1 veteran at the polling place that prevents gun-wielding maniacs from forcing people to vote a certain way.

That's like claiming that the greeters at Walmart prevent armed robbery.

What prevents your scenario is the fact that 75% of America doesn't care enough to even vote, and the other 25% (generally) isn't crazy enough to pull a gun.

Re:Why not have voting over internet? (1)

monkeydo (173558) | more than 7 years ago | (#16919670)

Dude, it is not the unarmed 98-year old WW1 veteran at the polling place that prevents gun-wielding maniacs from forcing people to vote a certain way.

Of course it is. Because the 98 yo vet has to put his signature on your ballot, and he's not going to do that if there's hanky-panky going on.

Re:Why not have voting over internet? (2, Interesting)

flink (18449) | more than 7 years ago | (#16919730)

Where I vote, there is an armed uniform officer. You give your name to and address* to an election judge, they hand you a ballot and cross your name off the voter role. The ballot is paper and you mark your selections by filling in ovals with a black felt tip marker. After you come out of the booth, you give your name to to the officer who crosses you off a second list. Then you insert your ballot into the ballot box which has a built in optical scanner.

The whole process took 10 minutes from walking in the front door to walking out again. I didn't have to show ID. I can see the utility of computerized systems for giving independence to disabled voters, but I don't understand the mad rush to implement it for the general populace.

* If you are homeless, you can describe or draw where you spend most of your time on the voter registration form. I don't know how they find you in the roles, presumably there's a "none" heading under addresses.

Re:Why not have voting over internet? (1)

kabloom (755503) | more than 7 years ago | (#16920330)

The whole process took 10 minutes from walking in the front door to walking out again. I didn't have to show ID. I can see the utility of computerized systems for giving independence to disabled voters, but I don't understand the mad rush to implement it for the general populace.


Pregnant chads. Don't you remember?

Re:Why not have voting over internet? (1)

djrogers (153854) | more than 7 years ago | (#16917614)

I just don't see security being a huge problem. Every single voter could self-monitor that their vote counted by logging back in to make sure that no hacker had changed their vote.
Except that now your union rep could force you to vote the way the union wants, or I could go out and literally purchase votes to sell in a block on eBay. Any time there isn't an option for private voting, you open up a pandora's box of problems.

Re:Why not have voting over internet? (1)

Maximum Prophet (716608) | more than 7 years ago | (#16917634)

If you are allowed to vote from afar someone else can force you to vote the way they want. Husbands can fill out their wives ballots and make the wife sign it then send it in with their own. When you make everyone come down to the polling place, you verify that they are alive and no one is forcing them to vote one way or another.

Wait, you say, most states already allow voting over serveral months, from anywhere, from people who may not even be alive, with little control over whether the vote was bought, or coerced, through absentee ballots. Well, mail has been around alot longer than the internet, just give it awhile, the web will catch up to voting fraud soon enough. (:-)

Re:Why not have voting over internet? (1)

Absolut187 (816431) | more than 7 years ago | (#16924418)


Husbands can fill out their wives ballots and make the wife sign it then send it in with their own.

So.. you're saying women don't need the right to vote?
Right?

haha

Re:Why not have voting over internet? (2, Informative)

lawpoop (604919) | more than 7 years ago | (#16917798)

"Why do we all need to vote on the same day?
Why do we need to congregate at designated areas?
I can do my banking securely online, why not vote?
Why not have online voting?
"

There are some institutions in our society that have a vested interest in lower voter turnout.

As far as your first concern, your best bet would be to start a petition for a constitutional amendment. The US constitution calls for elections on the first Tuesday after a Monday in November, so that needs to be amended to have voting at any time other than the first Tuesday after a Monday in November. You need to rile up enough people to contact either their state or national representatives to call for an amendment. Here's a start for the process: [wikipedia.org]

"Article Five describes the process necessary to amend the Constitution. It establishes two methods of proposing amendments: by Congress or by a national convention requested by the states. Under the first method, Congress can propose an amendment by a two-thirds vote (of a quorum, not necessarily of the entire body) of the Senate and of the House of Representatives. Under the second method, two-thirds (2/3) of the state legislatures may convene and "apply" to Congress to hold a national convention, whereupon Congress must call such a convention for the purpose of considering amendments. As of mid-2006, only the first method (proposal by Congress) has been used."

As far as voting online, it's up to the states to decide how they want to conduct their elections. We already have mail-in voting, so I don't think it would be too much of a jump to get on-line voting.

You trust your banking because the bank (2, Insightful)

msimm (580077) | more than 7 years ago | (#16918040)

Guarantees it. In fact from experience we *know* online banking is insecure but because it still saves the banks money in the end its a cost they are willing to accept. Who is going to guarantee your vote and whats their motivation to protect your interest?

Re:Why not have voting over internet? (1)

OldeTimeGeek (725417) | more than 7 years ago | (#16918112)

Why not have online voting?

Internet voting has been pretty much dismissed for the near future until the security/availability/connectivity issues have been resolved. As it stands now, would you trust it?

The voting period could span several days or weeks, instead of hours.

I've never quite understood this. Between absentee voting, early polling at a central location, which most cities do, and the half-day or more that polls are open, how is it that people don't have the time to vote?

The federal government could fairly easily create a webserver with logins for 300 million people. Each person would be given a userid and password.

How can you be completely certain that everyone is who they say that they are and that they should be permitted to vote (not an ex-felon, etc)? And how would I know that the site I'm going to is actually an election site rather than a fraudulent one? It happens with banks now, do think that it'd be any less of a problem with voting sites?

Someone at the federal government could easily create an image of a simple secure OS and browser that could be put on any x86 PC owned by a local library or school.

Hmm, OS wars, anyone? Besides, almost all of the schools and libraries that I know of have a very limited number of computers available for use and generally don't have a whole lot of space for them. Do you propose that we deny students the ability to do work on school computers for a week while balloting takes place? Remember, if what you propose occurs, someone's going to have to come in ahead of time and reload all of the systems with the "secure OS" and voting software. Then they're going to have to come back to restore the systems to their previous configuration. Where do you think that they'll get the people/money to do this?

Re:Why not have voting over internet? (2, Insightful)

hernick (63550) | more than 7 years ago | (#16918268)

> Why not have online voting?

In asking all your questions and speculating on how easily you could design a secure voting system, you have forgotten the most important property of free and fair elections.

They are conducted by SECRET BALLOT.

SECRET BALLOTS are ESSENTIAL free and fair elections.

If it is possible to check how somebody has voted, it will become easy to apply pressure on people to vote a certain way. For example, wives will tell their husbands how to vote and check over their shoulder as they cast their votes. They will check again after the election, and savagely beat their husbands if they have dared to change their vote in the meantime.

Another example is that secular progressives and humanists will no doubt send their logins and passwords to their spiritual leaders, and leave them to vote in their stead. They will let their masters vote for them. I can already see Theo de Raadt, a well-known Canadian guru, receiving thousands of voting logins and passwords from his disciples.

> I can do my banking securely online, why not vote?

Well, because banking isn't the same as voting. When banking, you want to have a complete log of all operations. When voting, nobody else must know how you voted after you did - not the government, not your spouse, not your spiritual leader. Only you must know how you voted.

This presents a set of challenges entirely different from banking.

> I just don't see security being a huge problem.

That's okay, very few people can understand why security is so hard. Amateurs who have a few basic notions think they know it all, they think they can solve the hard problems if only people would listen to them. Amateurs think that they have thought of a unique solution to all of our problems.

When you start to understand how complex those security issues really are, you see that a single man cannot solve it all, and that there are no easy answers. I do not claim to have a solution. However, I say that if it were so easy to do, there would be a good solution out there already. Since there isn't, I assume that it's a hard problem, that will require huge efforts to solve, and in the end, the solution will be imperfect.

Re:Why not have voting over internet? (1)

Noodles (39504) | more than 7 years ago | (#16918618)

The simple answer is "Vote Selling".

Critical Attention RE: your voting account! URGENT (1)

Lanoitarus (732808) | more than 7 years ago | (#16918976)

Dear Sir,

We regret to inform you that due to a recent systems error, your voting account information has been lost. In order to prevent your removal from the system and inability to vote, we sincerely ask you that you verify your identity by reply to this email with your full name, voting account number (Social), your voting password, and your address.

Thank you, Voting Accounts Administration Department

Re:Why not have voting over internet? (1)

solosaint (699000) | more than 7 years ago | (#16919004)

i agree with you, one point people havent made is that if you can vote by phone or mail, then it should be available via the internet, as they all would carry the same "vulnerabilities" such as risk of a vote being coerced. Jefferson said we need to review the constitution every 20 years, because our forefathers new countries change, people change, culture changes, and the laws need to change too. vote by internet, verifiable with a paper print out for the user (encoded so forgeries are not easy to do) and if bank transactions are easy to do online because you can trace them back to the person, then how do i we verify our current votes with our current voting practices, perhaps with our new methodology we can make this an advantage of the new world voting schema.

Re:Why not have voting over internet? (1)

TekJannsen (1001150) | more than 7 years ago | (#16920516)

Internet voting would be a great concept if implemented correctly, but if they can't get e-voting right, imagine what they'd do with internet voting.

Re:Why not have voting over internet? (1)

skarphace (812333) | more than 7 years ago | (#16920728)

The federal government could fairly easily create a webserver with logins for 300 million people.
Federal government doesn't, and probably shouldn't handle elections. I'd much prefer to leave that to state and counties.

I don't like the internet solution very much. You have an anonymity problem that people have already mentioned, you have fairly serious security concerns too, and the computer access issues. Just like what Hugh mentioned above. A central server containing all this information has the flaw of being an entrance to mass fraud.
I just don't see security being a huge problem. Every single voter could self-monitor that their vote counted by logging back in to make sure that no hacker had changed their vote.
And what happens when something does go wrong with counting? They report it and have to give up their anonymity to allow the recount of their ballot.

And of course you end up with alienating people who don't own computers or don't know how to use them. The purpose of the current system is to allow full accessibility. And if you have trouble using a machine, guess what, there's attendants there to assist you.

It's really not that hard to walk a few blocks to your polling place. So far, atleast in my state of Pennsylvania, they've done a great job of making our process accessible and easy. If there's a problem in your state/county, I'd recommend sending a letter to your DoE but I don't think internet voting is the way to go.

Re:Why not have voting over internet? (1)

Absolut187 (816431) | more than 7 years ago | (#16924442)


Federal government doesn't, and probably shouldn't handle elections. I'd much prefer to leave that to state and counties.

Yeah!
Thanks Florida!!

Awesome...

backing up with "paper trail" (2, Insightful)

GodWasAnAlien (206300) | more than 7 years ago | (#16917182)

I have decided that paper is the most reliable backup/journal mechanism.

I have decided that instead of using DVD media to backup, I am going to print 2d bar codes to paper for every disk operation. Also, I will print the operation in english so I can verify that it did the right thing.

Then if I have a disk crash, I just just scan in each operation in sequence to restore the disk.

Yes, you probably think I am sarcastic and you will tell me that paper lets you verify the vote and allows spot audits.

I would say that the "paper trail" addresses a media/news issue rather than a technical one.

This demand for paper backup is an odd hope that 100 year old cash register technology is the best.

One could accomplish the same thing, by writing the vote, and a human readable JPEG image to DVD, and show the image to the voter for verification.

Or if DVD is too high tech, use microfiche,...

Re:backing up with "paper trail" (3, Insightful)

Qzukk (229616) | more than 7 years ago | (#16917446)

One could accomplish the same thing, by writing the vote, and a human readable JPEG image to DVD, and show the image to the voter for verification.

Or a hacker could accomplish the same thing as before by writing their vote, and a human readable JPEG image of their vote to DVD and show a JPEG of the voter's vote to the voter for verification.

The key is that if you want to verify that a process is working, you can't use the same process to verify it, because if the process is broken, your verification is broken too.

Re:backing up with "paper trail" (0)

Anonymous Coward | more than 7 years ago | (#16917662)

The real threat that voter-verified paper trails guard against is the disconnect between what I see and what is recorded with a digital system. In your example of a JPEG written to DVD, I (as the voter) have no guarantee that the software didn't show me one vote and record a different one to the DVD. As long as software acts as a mediator between the data and the person, you have no guarantees.

If, however, you have a human-readable hardcopy that the voter can look at and certify to himself that it is correct, then you have a solid link between the voter intent and the vote of record. The paper vote becomes the authoritive ballot, and all of the electronic reporting is just a speed hack to get the results sooner. If there ever needs to be an audit (read: recount), then we can go back to the actual record of voter intent to ensure that there was no digital hanky-panky along the way.

Re:backing up with "paper trail" (1)

Alchemar (720449) | more than 7 years ago | (#16918014)

There are actually systems that do just that. I have worked in chemical plants where every change that was made on the computer was also sent to a printer because the disk backup were not considered reliable to audit a problem. That is also the reason that most cash registers have a dual paper tape in addition to sending all information to the main computer. If something doesn't look right, they have something to audit. Most disk drive use does not need that kind of audit trail. You need to know if something is wrong, if the logs aren't reliable enough to tell you how to fix it, then you restore from a backup or reinstall. A good system will have regular backups in case the problem is also in the latest backup. If the data is not critical, then you can just reinstall and not worry about a backup. Elections are one shot. There is no "reinstall" method. The backup needs to have an audit trail instead of a snapshot so that all information can be retrieved from that one backup. You can't go to an earlier backup if the one on DVD is also corupt.

The reason that a dvd with jpg images is not practicle, is that if the machine writing the jpg to DVD was trusted enough to read the same jpg image it wrote, then you wouldn't need the verifiable trail. It could work, but it would involve removing the DVD from the voting machine, and placing it in a seperately verified DVD player to look at the image. A paper trail works, because it is assumed that the machine cannot erase or misrepresent what is on the paper. How do you verify that the jpg image the computer is showing you is the one written to the DVD and not the one that is was just suppose to have written to the DVD.

Re:backing up with "paper trail" (1)

mspohr (589790) | more than 7 years ago | (#16918584)

Our county (Placer, California) uses a system which is similar to this...

We vote on a "scantron" type sheet (fill in bubbles for candidates) and this is scanned into a reader before you leave the poll and the scanner keeps the paper form. If there are any problems reading the scan, you have the opportunity to fix it. There is also a paper trail of all of the forms that can be verified.

Paper vs Digital/Optical Media (1)

Comboman (895500) | more than 7 years ago | (#16919484)

I would say that the "paper trail" addresses a media/news issue rather than a technical one. This demand for paper backup is an odd hope that 100 year old cash register technology is the best.

A bit off-topic, but when it comes to longevity, paper records are hard to beat (with the possible exception of stone tablets). Check out this interesting article :Paper Trail - Can Digital Media Match The Longevity Of Plain Old Print? [sfgate.com]

Paper Backup (1)

abb3w (696381) | more than 7 years ago | (#16919514)

I have decided that paper is the most reliable backup/journal mechanism. I have decided that instead of using DVD media to backup, I am going to print 2d bar codes to paper for every disk operation.

Actually, I think Slashdot covered a story on this a couple years back, with a company that had developed a way to store around 1GB of data on a standard 8.5x11 page. 256-bit color 2D barcode at 1200dpi would do it, I guess. More seriously, I was told by a chap at the Corning Glass works that the most important material for backup there (financials data, IIR) gets printed direct to microfiche.

Alas, this seems irrelevant to voting issues.

Re:backing up with "paper trail" (1)

0xABADC0DA (867955) | more than 7 years ago | (#16919642)

One could accomplish the same thing, by writing the vote, and a human readable JPEG image to DVD

You've obviously never written a JPEG decoder if you think the files are human-readable.

Also paper doesn't have to be the solution... it could be anything large enough that people can sense and permanent enough to count. For example, you could engrave your vote on say a bar of soap or write your vote in ketchup on a hamburger -- as long as everybody is issued the same voting matter. Plus, this actually encourages people to stay and watch the counting since they'd get to consume the votes afterwards. Well since they probably want to hold the votes for a couple months in case of recount you might want to petition your director of elections to use ho-ho's or twinkies.

Piece of paper? Who wants to stick around 'till 10pm to get those leftovers! Blech.

Re:backing up with "paper trail" (1)

LanMan04 (790429) | more than 7 years ago | (#16919840)

One could accomplish the same thing, by writing the vote, and a human readable JPEG image to DVD, and show the image to the voter for verification.

Sigh...no, because there is no guarantee that the image you were shown was written to the DVD.

The point of having a paper trail (on the voting side, not necessarity the counting side) is that there is no invisible "techno-magic" happening; you are sure your vote was cast correctly.
  • Voter votes on an e-voting machine (touchscreen)
  • Voter watches as printhead puts ink (representing his votes) on paper (behind glass)
  • Voter verifies that his votes were recorded correctly
  • Piece of paper is cut from roll and drops into a large, closely watched, transparent container, which clearly contains other votes
  • Every 5 seconds, a small burst of compressed air shuffles the votes in the container, to prevent vote-guessing or stratification techniques (similar to the trick of putting colored paper into a shredder to delimit the contents of the shred bag in a useful way)
Now, there are a ton of ways to hose this system if proper chain of custody is not maintained (fake boxes with fake votes, real boxes with fake votes, selective replacement, and I did throw air blast idea in as an afterthought, tech malfunction could destory the votes), but the system I outlined at least allows the voter to verify that their vote was cast in the way they wanted.

No uncertainty, no BS, you saw the paper drop into the container. Whether that container ends up being counted, or at the bottom of the Hudson, is a different story.

Re:backing up with "paper trail" (1)

GodWasAnAlien (206300) | more than 7 years ago | (#16922560)

"Sigh...no, because there is no guarantee that the image you were shown was written to the DVD"

With the current e-voting in California, the voter sees the printed vote and 2D barcode behind glass.

If you are not going to believe that the image shown was actually read from the DVD (after being written), then I assume you would not trust the 2D barcode (which is what would be re-counted, after or along with other backup mechanisms).

Re:backing up with "paper trail" (1)

LanMan04 (790429) | more than 7 years ago | (#16922716)

If you are not going to believe that the image shown was actually read from the DVD (after being written), then I assume you would not trust the 2D barcode (which is what would be re-counted, after or along with other backup mechanisms).

Exactly, I shouldn't have to "believe" anything all. The paper trail MUST be human readable and verifiable. What the heck is the point of printing out a 2D barcode behind the glass for the voter to look at? It could say anything at all, and you would have no idea.

The paper-trail should NOT be machine readable, because then the election board would do a "paper" recount, but use the electronically encoded data (which could be anything) because it's faster and easier, then say "Hey, the paper recount matched the machine results! Recount completed successfully!". WRONG

Re:backing up with "paper trail" (1)

Qzukk (229616) | more than 7 years ago | (#16923306)

With the current e-voting in California, the voter sees the printed vote and 2D barcode behind glass.

As long as the printed vote is there, then all it takes is a vigilant observer at the recount to go "hey wait, why does the pile for President Evil Overlord all have different names on the printed part of the ballot!"

In the end, elections require vigilance on behalf of all people to ensure that they are carried out in a manner faithful to the voters' intent. Hiding parts of the process within a machine makes that vigilance harder.

Tin Foil Hat required (1)

Alien54 (180860) | more than 7 years ago | (#16917336)

As seen here:

Clear Evidence 2006 Congressional Elections Hacked [opednews.com]

"We see evidence of pervasive fraud, but apparently calibrated to political conditions existing before recent developments shifted the political landscape," said attorney Jonathan Simon, co-founder of Election Defense Alliance, "so 'the fix' turned out not to be sufficient for the actual circumstances." Explained Simon, "When you set out to rig an election, you want to do just enough to win. The greater the shift from expectations, (from exit polling, pre-election polling, demographics) the greater the risk of exposure--of provoking investigation. What was plenty to win on October 1 fell short on November 7.

Re:Tin Foil Hat required (1)

Overzeetop (214511) | more than 7 years ago | (#16920814)

Yikes, that's a pretty big stretch to make - regardless of the numbers. Of course, it makes it easy to dismiss when you see the headquarters [opednews.com] of the Election Defense Alliance leaders all working at someone's kitchen table on laptops. That's to say they aren't entirely legitimate and correct, but I might put there chances at, say, 10,000 to 1. ;-)

Peter Thompson.... (2, Funny)

pwizard2 (920421) | more than 7 years ago | (#16917366)

Any relation to Jack Thompson?

Ambiguity = Not counted?! (3, Interesting)

guitaristx (791223) | more than 7 years ago | (#16917480)

Every year thousands of votes aren't counted because there's some ambiguity in how the voter intended to vote.

This is ridiculous! If a paper ballot has an ambiguity and won't be counted, it should be flagged as such as soon as it's inserted into the machine so that the voter can have some sort of opportunity to ensure that their vote is counted. This is a terrible argument for touch-screen voting.

Think about this for a moment; this means that things like ballot ordering or candidate name has an influence on whether or not your vote will even be counted, and you wouldn't ever know.

Re:Ambiguity = Not counted?! (1)

enbody (472304) | more than 7 years ago | (#16919292)

If a paper ballot has an ambiguity and won't be counted, it should be flagged as such as soon as it's inserted into the machine so that the voter can have some sort of opportunity to ensure that their vote is counted.

Optically scanned ballots can do that checking (removing that "terrible argument"). However, old pencil-and-paper cannot be anonymously scanned without impacting the privacy of the vote.

Re:Ambiguity = Not counted?! (1)

filesiteguy (695431) | more than 7 years ago | (#16924300)

We have new machines (from Seqoia) which do this. They will kick back any "wrong" ballot that cannot be counted. For instance, if you vote for two presidents it will tell you, and ask if you want to recast your vote. You always have the option of saying that you wanted to vote for two and not get counted. Here's a link about it in the LA Times... http://www.latimes.com/news/local/politics/cal/la- 110706glitches,0,2932115.story?coll=la-home-headli nes [latimes.com] ...interesting.

Dummycrats (0, Flamebait)

toddhisattva (127032) | more than 7 years ago | (#16917982)

Too bad Democrat voters are too stupid to use those great punch card systems we used to have.

After decades of practice.

Dummycrats.

Doesn't wash with me... (1)

Linux_ho (205887) | more than 7 years ago | (#16918794)

I think we should switch to optical scan ballots EVERYWHERE. Yes, the "voter filled in both candidates" problem still exists, but do we really want people that stupid influencing our political decisions anyway? If they invalidate their own ballot and don't even notice, screw 'em, that vote doesn't count. It's not like the 'hanging chad' thing where a reasonable attentive voter might not notice their ballot is invalidated.

With optical scan systems, there's always a paper trail that one can go back to. Yes, the scanning systems and vote tabulating systems are still vulnerable to attack, but at least it's POSSIBLE to do an accurate manual recount if it becomes necessary.

Why do we need a voice recognition machine that disabled people can use? That's why we have POLL WORKERS, so someone can help a disabled voter. Illiterate voters? Um... how did they vote before there were voice recognition systems? They have to either trust a poll worker or trust the voice recognition system, and if I was illiterate I think I'd rather trust a poll worker.

Re:Doesn't wash with me... (1)

indros13 (531405) | more than 7 years ago | (#16919318)

Actually, the optical scan machines can prevent the "voting for two candidates" problem. In Minnesota, the machines will reject a ballot that has a mis-vote, notifying the voter BEFORE they leave the polling place and allowing them to correct the error on a new ballot. There may be other security issues to fix with optical scan machines, but they have the advantages of paper trail, electronic tabulation, and verification before the vote is cast.

Re:Doesn't wash with me... (1)

caldaan (583572) | more than 7 years ago | (#16920142)

At least in my county in Michigan the optical scan kicks out over votes as well. The verifiable paper trail is important. Especially when one candidate ends up with negative votes..

Tyranny of the Majority (2, Interesting)

internic (453511) | more than 7 years ago | (#16918854)

10) Is the Harm Really that Great? by logicnazi

[snip]

All voting systems are vulnerable to fraud. What makes these electronic systems different is that one or a very small number of individuals can engineer a fraud. However, their ability to execute a fraud is limited by the media polls (we will suspect something if the results are inexplicably different than polled) and knowledge of precinct history.

Haven't there already been several instances of claims of this kind? Isn't it the case that systematic problems with exit polling (and other polls) make it very difficult to make strong, credible claims about election results?

Thus the danger from individuals changing the vote seems to really be that they will shift a close race (say 10% apart) one way or another.

However, this sort of shifting close races doesn't greatly degrade the structural force of voting. All candidates will still try to enact policies to garner support whether they need 50% of the votes or only 45%. Much of voting is random, affected by things like personal charisma rather than policy questions so clearly the system doesn't work because we always have the person who 50% want but rather it works because of the structural pressure not to stray too far from what the people want. Or to put it in political science terms, what does all the work is the tendency of all candidates to shift to the middle so in the long run who actually wins each race isn't so important.

But now comparing the potential for electronic vote fraud to things like machine politics (with conventional ballot stuffing), safe districts, voter disenfranchisement efforts, felon lists etc.. etc.. it doesn't seem like it is such a big deal. ...

It seems like 10% is a fairly significant margin in most races, so I'm not sure why one would treat this as though it were a small thing. I do appreciate the point that somehow this may not change the structural correcting force arising from elections, but I do think that it can cause a situation where you have tyranny of the majority (or even a large minority). If a politician has a buffer zone of 10%, that may allow him to pander to one particular consituency while completely ignoring all others, as long as the buffer zone is enough to have him safely reelected. Persumably, in the fair election a politician has to aim to satisfy not just a majority of constituents but a sizable enough majority to ensure victory. So, it seems like such a vote buffer might still really lead to very significant qualitative change. If nothing else, one can look to how differently a legislature operates when the majority party has a margin of a few percent of seats versus when they have a margin of, say, 10%. In the latter case, one often sees compromise all but disappear.

I guess another way to look at it is that policy difference can be quite large, even between relatively similar political candidates. People thought, for example, that Bush and Gore were pretty similar, and in many of their policies they were (when compared to the larger spectrum of political ideologies, compare with people like Bernie Sanders or Pat Buchanan). If you believe, however, that the Iraq war would not have happened under a Gore presidency (seems at least plausible), then we're talking about thousands of U.S. soldiers dead, tens of thousands wounded, tens or hundreds of thousands of Iraqis dead, hundreds of billions of dollars spent, and the fate of an entire nation radically changed. No matter your feelings about the Iraq war, my point is only that this is, indeed, quite signficant. I'd have a hard time trying to argue to the families of all those dead and wounded that it isn't.

I appreciate the point that people aren't voting based on perfect (or, perhaps, even good) information anyway, and there are many other ways to steel elections, but it's hard to see how you can face up to facts like those just mentioned and not at least try. In any case, as Dr. Thompson alluded to, it's a false dichotomy. It's not as though you have to choose to fight only one source of fraud, and it will take different people with different expertise to combat each.

Printed tallies (0)

Anonymous Coward | more than 7 years ago | (#16918910)

If the hacker can alter the tallies in the machine -- why can't he also alter the tallies that the machine prints out? I mean, once data enters a computer, whomever 0wn3d the computer also owns the data coming out of it. A paper trail won't help.

Maybe machines that create or mark paper ballots from our input, and we can then compare that to the original.

e-Voting? (0)

Anonymous Coward | more than 7 years ago | (#16919298)

Actually here in Toronto we had a type e-Voting system done up for the municipal elections.

You are actually given a paper ballot to fill out. You take the paper ballot to the ballot box which is then put into what looks like a scanner of some sort and it put into a taped up box. The scanner detects if your ballot is valid or not and I presume if it isnt the give you another ballot (since if it was invalid it wouldnt be counted on a manual recount). After that I think its just a matter of calling in the results to wherever the central office is and telling them who gets to celebrate.

The beauty of this system is that it works on the same principles we've used for the last 100+ years in elections. Paper ballots, technology that people are comfortable with using. If any problems arise you can always pull out the paper ballots and count them by hand. As any security professional will tell you having back-ups is always good.

Also I'm sure the machines in the US that use hard drives could all be given 2 Hard Drives and a RAID1 on them. That way both drives would have to fail for anything bad to happen. We all know that in the 24 or so hours that these machines are going to be in operation that the odds of both hard drives failing at the same time would be minimal unless someone dropped it, then again you could always do like the OLPC project and put internal USB drives in there since its not likely you need more than 2 GB to record down a few thousand votes :)

Printers not required (0)

Anonymous Coward | more than 7 years ago | (#16919410)

Picture this if you will... (i rip off tool lines ok..)

I'm using this past Nov. election as example.

Current: You go to vote. You sign the registrar, go over and get your e-voting ticket, and head to an open e-voting machine. Type in e-voting ticket number & choose your candidates, and hit the big red button(vote).

Future: You go to vote. You sign the registrar, move over to get your e-voting ticket, which is also a flash print paper, for vote comparison( think about the size of a scantron, or smaller...). You go to open e-voting machine, insert the paper into an imager cover on the right. You place your ticket in there, close latch. Once it seems it has the ticket, an e-voting number is now assigned and burned into the paper. Now you proceed to choose your candidates. You double check then hit the red button (vote). This does 2 things: 1 submits all choices to normal voting database, and also burns an image of all elections, and the candidate names you chose onto the scantron, flash paper. No printing. The image is burned on, and easily readible, IN ENGLISH!!!!!!!!! T Once finished, you lift the latch, remove your ticket. You proceed to leave the booth, tearing at the perferation halfway down, to put your ticket into a ballot box, to be counted and compared against the electronic voting database. The bottom half is an exact visual copy of the top, which is for your own record. It contains your e-voting number assigned by the system and the list of candidates you chose. The same thing that will be used for the hand count.

First, you eliminate the need for people printing something. Nothing is printed at the registrar table, it is all done at the voting machines. And, its not actually printed, its flash scanned onto the paper. No moving parts. It uses light, and light-reactive paper. Second, you have 2 counting measures here: electronic, and ballot. Third, you have a visually verifiable record of the manaul count ballot for yourself that you can
A) take home
B) submit to 3rd party independent vote trackers

This type of system, with 2 count types, and a voter able to retain a record, for possible submission to 3rd party independent vote tracking, would ease most of my worries about the count. Oh, did I mention if there is a greater than 0.001% discrepency between the electronic and paper ballots, the vote is redone???

.....

I find it hypocritcal, yet all to American that voting has been sold out to capitalism, all under the approval and support of our elected officials. I think the irony in our democratic process just exploded. Don't you?

OMFG (1)

yesthatmcgurk (1011297) | more than 7 years ago | (#16920392)

I cannot believe that this PhD's only concerns over paper trails and voting is the cost factor. THE biggest issue with paper trails is that they are reciepts of a voter's record. If voters are allowed to leave the polling place with an official record of how they voted in their posession, they are vulnerable to both bribery and extortion. The opportunity for groups to apply pressure to voters to make certain ballot choices and then present the proof afterwards for either a cash reward or a guarantee of safety from physical harm is not only possible but almost guaranteed if this were to happen. A paper trail is important, and can be done under one and only one situation. Voters make their choices and sumbit their ballots. A paper record is produced. The record details their votes and has a code which links it directly with the vote cast. The voter examines their ballot, agrees that it is a correct representation of their choices, then places this ballot in a sealed and locked ballot box. Without that paper ballot's existance, the voter's vote is invalidated. Issues still remain with this system. Something similar to the old style ballot submission method must be done. The paper ballot must be placed into a container which allows the ballot to be identified as true, and to be scanned to be verified as matching with an existing cast ballot. The container must hide the ballot record from the eyes of handlers. This way the voter can present the ballot to a volunteer. The volunteer can identify the ballot is real, and scan it. Once scanned, the ballot must be transferred to the ballot box to be kept in case a manual recount is ordered. Unless these steps are taken, paper reciepts of voters choices are a liability rather than a safeguard to the system. That this supposed expert didn't say anything about this is extremely disheartening to me.

Re:OMFG (0)

Anonymous Coward | more than 7 years ago | (#16921010)

I don't know where you voted, but that's how the receipt method works. You don't get anything to take home.

Not the only danger (1)

maiden_taiwan (516943) | more than 7 years ago | (#16920654)

...the danger from individuals changing the vote seems to really be that they will shift a close race (say 10% apart) one way or another.

Not only that. If you shifted the vote by a huge amount (say, 100% to 0%), that would go a long way to undermining the voting system and producing panic in the population.

Paper as storage medium (0)

Anonymous Coward | more than 7 years ago | (#16923110)

voting security is all about the storage medium:
* paper is readable by the human eye and a voting machine can't change it once it's printed.
* computer memory can only be written and read with a computer, so the voter has to trust the hopefully not manipulated software to store and read his vote as he intended, he has no chance to check it himself. also computer memory can be changed in an instant without leaving a trace.

that's the two big reasons why voting machines without paper should be discarded as cars without safety belts or x-raying without lead-cover.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?