« We Take Requests! (Sam Brownback Edition) | Main | Oops! »

April 11, 2007

Comments

Some folks here are phrasing the debate in terms of computer vs. paper. That's not the decision that happens in the real world though. The real issue is whether there is a paper trail that voters can inspect and that can be manually recounted.

Electronic systems that produce a voter verified paper trail that can be manually recounted later are great! Everyone loves them. The problem is with electronic systems that don't produce a paper trail: why should any voter believe that their vote is being correctly recorded? Even if voters do believe that, how on earth can officials perform spot checks if there are no paper artifacts?

Jes asked earlier about why Americans don't do paper balloting. I asked that same question to a political scientist who specialized in voting issues at a Technology and Culture forum a few years ago. He claimed that Americans vote on many many things in each election; he mentioned something like 30 individual decisions that needed to be made for some elections in CA. Given those numbers, the cost of pure manual counting becomes prohibitive. At least that's what he claimed.

Erasmussimo: Jesurglisac next asserts that "it's been overwhelmingly demonstrated that they're far more vulnerable to attack than any paper ballot system." I believe you misunderstand the nature of the problems with computer systems.

A few years playing around with programs with hacker friends. Degree in computing. Technical writer for computer software, eight years experience. Casual connections maintained even now with hacking community. Current IT support work.

No, Erasmussimo, I do not believe I "misunderstand" the problem with computer systems.

Are there anuy other issues, Seb, that we liberals/feminists/women have "ruthlessly suppressed" the truth about?

I just want to know where the hell is Ruth in all this?

Did you know that the Diebold machines were programmed in BASIC?!?!?! That's a hobbyist language invented in 1965, that is so obsolete that very few people use it any more. It is hopelessly antiquated, easy to hack, and lousy to program in -- and that's the language that the Diebold people chose.


Erasmussimo,

Again, I must point out: you do not know what you're talking about. Diebold machines were coded in VisualBasic, which is quite different from the BASIC invented in the 1960s. While I think it is a crummy environment to write code in, it is used by many many people today and is hardly antiquated. In terms of security vulnerabilities, I'd call it middle of the road: worse than some languages, better than others. Keep in mind however that I hate it.

Look, you really cannot tell much by how old a computer language is. My company is building an incredibly sophisticated airline reservation system in common lisp, which is certainly older than BASIC.

I can explain at length what we can infer about particular language choices, but your uninformed speculation is genuinely harmful to the discussion. Please stop.

Gary, please see here

Note:

Investigators said Tuesday they found clear evidence of fraud in the Nov. 2 election in Milwaukee, including more than 200 cases of felons voting illegally and more than 100 people who voted twice, used fake names or false addresses or voted in the name of a dead person.

What? People voted twice?

Nonetheless, it is likely that many - perhaps most - of those who committed fraud won't face prosecution because city records are so sloppy that it will be difficult to establish cases that will stand up in court.

And even now, three months after the investigation, officials have not been able to close a gap of 7,000 votes, with more ballots cast than voters listed. Officials said the gap remains at 4,609.

U.S. Attorney Steve Biskupic likened it to trying to prove "a bank embezzlement if the bank cannot tell how much money was there in the first place."

What? Local lack of accounting makes definitive proof difficult? I wish someone had mentioned that in the argument.

The fraud investigation has focused on the more than 70,000 people who registered to vote on election day, not the other 200,000-plus voters. That is because registration cards provide a paper trail, which officials said would be stronger in court than computerized records.

It is unclear what identification these 100-plus people provided at the polls to register. State law allows utility bills and leases to be used or for one voter to vouch for another.

Oh good, lack of recordkeeping combined with letting people orally vouch for each other. That sounds like it isn't easy to defraud.

On the same issue from the Harvard Law Review:

In Wisconsin, a voter turnout of nearly three million boosted John Kerry to an 11,000-vote victory — one of the nation’s closest contests — helped in no small part by the election results in Wisconsin’s major cities. Milwaukee, notably, boasted close to a 50% turnout, with over 277,000 votes cast. But a discrepancy emerged after election day, growing clearer in the days and months following: city records revealed fewer than 273,000 registered voters had actually participated in the election.3The ensuing allegations and investiga-tions in Milwaukee resemble others across the country with at least 16 states embroiled in voter fraud controversy.


And to be clear, do I take it that you don't agree with Jesurgislac's idea to help provide people with identification?

dmbeaster rightly points out that current computer systems are not as good as paper systems. I agree entirely. But the current crop of computer voting machinery is horribly bad. Just read what computer scientists have been recommending for years, and compare it with what's actually out there, and you'll see why computer systems are so wretchedly bad. This doesn't mean that it can't be done -- it means that it has been badly done, and the fixes aren't difficult to make.

dmbeaster next asserts that "There is nothing unique about a computer system that makes it more secure from insider fraud." Not true. Here, imagine the following scenario: it's the day before the election. A representative from each of the two major parties, as well as representatives of anybody else who is running for election, arrive at county headquarters. The supervisor of elections leads the group to each machine. There, each party secretly keys in a 6-digit keycode. The computer accepts the keycode and prints out a receipt with the keycode. The individual puts the receipt in an envelope. When all the machines have had their keycodes entered, everybody goes home. The next day, at elections, the machines record the votes. At the end of the day, each machine uses an encryption key derived from ALL of the keycodes to encrypt a file containing the results. It then puts that file onto a thumbdrive, and an election worker carries the thumbdrive to the county headquarters, where it's inserted into the vote counting computer. Up til this point, no single person has any way to read or alter the data in the thumbdrive. At this point, the representatives of the candidates are required to re-enter the keycode from their receipts. The combination of keycodes is used to decrypt the file.

I challenge anybody to show how an insider could break this system. Let me walk you through a few scenarios:

1. The county supervisor sneaks back to the machines the night before the election and alters the keycodes that have been entered. This in itself can be obviated by making the computers refuse additional entries without a complete reset -- which would destroy other data necessary to operate. However, even if the supervisor did succeed in replacing the keycodes, he still doesn't know the original keycodes. So when the thumbdrives come back the next night, and the representatives of the candidates enter their keycodes, the system will fail and the thumbdrives will be invalidated.

2. An election worker messes with the computers at the polling station. Of course, the computer is sealed, so it can't be opened up. The county worker has only one means of inputting anything: the touch screen. And that touch screen is under the computer's control, and the computer will record the voter data (and, while we're at it, take a photo of the voter for auditing purposes). The county worker is easily exposed when the vote counts of the computer fail to match the vote counts at registration. And his face is revealed in the audit data. Off to jail!

3. An election worker substitutes a tampered thumbdrive for the real one while transporting it to headquarters. Right. Without the encryption key, that election worker would never even get started. Any file he substituted for the real one would fail the decryption test, and when the thumbdrive he delivered is compared to the data on the voting computer, the culprit is identified. Off to jail!

You see, this stuff isn't so hard to do.

KCinDC: I don't trust our votingcomputers either - and don't think that is nutty. Advantage we have is that we don't have a winner-takes-all situation, but I strive towards computers combined with a paper trail myself.

Gah!

Erasmussimo, I'm not just talking about guarding the integrity of the process. With paper ballots, every step of the process can be observed, without any specialized training. If everything's taking place inside computers, there's nothing to observe. Maybe most people will trust the high priests who assure them that the system records their votes correctly, but a lot won't.

Maybe some day we'll have voting computers as auditable, usable, reliable, and transparent as you say, but we have precisely none like that in use today. We're already spending far more on these systems than we did on the paper-based systems, so I find it hard to believe we're going to be able to convince people to spend still more in the hope that this time we'll get it right. And even if we got such a system, no computer is going to be as reliable as a pencil.

And I run into plenty of glitches on my Mac and my Linux machine.

The county supervisor sneaks back to the machines the night before the election and alters the keycodes that have been entered.

A far greater concern would be an insider altering the vote-counting software itself.

2. An election worker messes with the computers at the polling station. Of course, the computer is sealed, so it can't be opened up. The county worker has only one means of inputting anything: the touch screen.

There's no such thing as a sealed computer. They don't exist, and they certainly don't exist if you're talking about a cheap system. You are living in a fantasy world.

Besides, even if we could somehow magic up sealed computers (which we cannot do), who seals the computer? The manufacturer? The county elections board? How do you know the software was not tampered with at the source? Even if you use open source software, how do you know that the machine is actually running open source software?

I know you think these are easy questions, but they are actually questions that have no answer.

By the way, do you have any idea how finicky cameras on a polling machine would be? How do you ensure there is proper light at a polling place? What do you do if the camera breaks halfway through election day?

"He claimed that Americans vote on many many things in each election; he mentioned something like 30 individual decisions that needed to be made for some elections in CA."

Only 30? I wish we had ballots remotely that short around here (Boulder, Colorado).

As I've written a bunch of times in a bunch of places, the advance ballot pamphlet we get, listing the text of all offices and propositions we vote on, is between 40-50 pages each election. The total number of possible choices is at least a couple of hundred. The number of offices and issues is many dozens.

Of course, that's for this particularly city and county; go one over, and the ballot is different, since all the city and county issues will be different, etc.

I take it you don't vote in American elections, given your repeated use of "claimed" for what almost anyone who did vote in America would know, which is that, generally, yeah, we have a whole lot of things to vote on (and every state is different, and within each state, every county is somewhat different, and within each county, many municipalities will be somewhat different, as regards their ballot).

Sebastian: "Gary, please see here"

Thanks.

Investigators said Tuesday they found clear evidence of fraud in the Nov. 2 election in Milwaukee, including more than 200 cases of felons voting illegally and more than 100 people who voted twice, used fake names or false addresses or voted in the name of a dead person.
Then obviously this should be/have been thoroughly further investigated and prosecuted.

"Nonetheless, it is likely that many - perhaps most - of those who committed fraud won't face prosecution because city records are so sloppy that it will be difficult to establish cases that will stand up in court."

Then obviously Milwaukee's records procedures should be fixed. Were there indications of organized fraud, or just lousy records and some individual problems? Was this of a scale to sway the election, or just to reveal that there are problems there that need to be fixed?

"A photo ID requirement might have caught some of the problems highlighted in Tuesday's preliminary report. It notes cases of people voting in the name of a dead person or as someone else. Investigators located some people listed as voting who said they did not vote."

So this fraud and these cases were found without a photo ID requirement.

The fraud investigation has focused on the more than 70,000 people who registered to vote on election day, not the other 200,000-plus voters. That is because registration cards provide a paper trail, which officials said would be stronger in court than computerized records.
So the registration requirement and a paper trail help prevent voter fraud. As we know.
[...] said would do more to tackle specific problems.

For instance, investigators found "deputy registrars" working for registration drives had submitted at least 65 fake names, though no one apparently voted from the addresses.

In other words, this was a non-problem; the details are unclear here, but I thoroughly desire prosecution of any and all actual fraud. Of course.

It's, overall, a fairly thorough piece, and it seems to clearly indicate no evidence of significant, or widespread, fraud. Good news. Thanks for pointing to it.

Comments are piling up so fast that I can't keep up.

Morat20 asserts that it is possible to hack the central vote counting computer. This might be possible if the vote counting computer were on the Internet. It's not.

Jesurgislac takes umbrage at my statement "I believe you misunderstand the nature of the problems with computer systems." I apologize, I should have written:

"I believe you misunderstand the nature of the problems with VOTING computer systems."

The point here is that the specific problems that have been demonstrated have to do with people not understanding how to use the systems. There has been NO "overwhelming demonstration" that computer systems are intrinsically vulnerable to attack, as Jesurgislac suggests. Perhaps we'd do best to agree that, while current systems are horribly vulnerable, there's no reason why we couldn't make computer voting systems much more secure than paper balloting systems.

Common Sense berates me for claiming that the Diebold machines were programmed in BASIC. He thinks that there's an important distinction to be made between Microsoft Visual Basic and old time Basic. Sure, there are lots of differences -- but my point here is that anybody using Basic for a supposedly secure system is out of his mind. Yes, there are plenty of companies that use Visual Basic -- for insecure applications. I can't recall the details, but I know that an arm of the US Govt (I think it was DoD) prepared a list of computer languages that must be used for secure applications. I know that Java was on that list, and I think that PL/1 was on the list. I know of a certainty that Basic wasn't on that list, nor was any flavor of C. We both know why.

Please don't speculate on my expertise -- I don't want to embarrass you and I REALLY don't want to get into a penis-waving, I'm-techier-than-thou argument.

Seb,

You mentioned Steve Biskupic above. Is that Steve Biskupic a loyal bushie by an chance? Because it sounds like the same Steve Biskupic as the one who just got smacked down by a federal appeals court for convicting a democrat on evidence that was "beyond thin." Are you arguing that this Steve Biskupic has any more integrity and competence than the one that was shot down by the appeals court?


I mean, he's probably smarter and more honest than the people who implemented the iraq war, and I'm sure you are too. I just want to know if Karl Rove would describe him as a "loyal bushie."

Ack! The hits just keep comin'...

KCinDC notes that the paper ballot process can be completely in the open where everybody can see it. Again, this is theoretically true. In practice, however, there are simply too many places where the system is not open to public inspection. One of the most vulnerable of these is the process of moving the ballots to the central counting station. If you have lots of volunteer workers and inspectors, you can count the ballots right at the polling place after the polls close, but all too often there aren't enough observers to pull that off, so they transport the ballot boxes to the county headquarters -- and while the ballot box is in transit, all your security goes out the window.

Steve worries that an insider could alter the vote-counting software itself. Yes, if the insider could crack the machine open. But that's an obvious problem and one easily fixed: seal the computer box. We don't need it to be opened for any reason, so weld the thing shut. If it fails, send it back to the factory, where it can be repaired under scrutiny.

Common Sense loudly asserts that a computer cannot be sealed. I'll explain it to you: you put the computer in a metal box. You hook up power, video out, and USB ports from the computer to the exterior of the box. Then you use a wondrous device called a "welding torch" to weld the box up. It's not magic.

Common Sense goes on to wonder where the computer is sealed. Normally that would be the place where it's manufactured -- where you can have representatives of both political parties on hand to keep an eye on things. Again, this is not rocket science -- this is plain old everyday security precautions that have been in use for decades.

Common Sense also points out that cameras fail. Indeed they do. But the purpose of the cameras is to deter crime -- and they're only a second layer of protection. If a camera fails, the system doesn't fail. And besides, how is the crook to know whether the camera has failed? The deterrence value is still there even with a 50% failure rate.

Please don't speculate on my expertise -- I don't want to embarrass you and I REALLY don't want to get into a penis-waving, I'm-techier-than-thou argument.

Um, how on Earth could you embarrass me? Are you going to say something that would make MIT revoke my degrees? Are you going to say something to magically undo the years of experience I have?

My thesis was on programming language optimization through type inference. What was yours on? Tell me about your degrees and experience. Let's see a link to your thesis.

I dislike visual basic, but it is certainly possible to write moderately secure software with it, and it is certainly possible to write secure C programs as well. Certainly, many programming language runtime libraries and compilers and operating systems are written in C.

"It's, overall, a fairly thorough piece, and it seems to clearly indicate no evidence of significant, or widespread, fraud. Good news. Thanks for pointing to it."

Again you have a nicely elastic sense of the word significant (which has been illustrated across multiple threads today). This involved hundreds of votes with direct fraud, and thousands of votes tallied over the number of voters registered. It involved only the people stupid enough to use false paper records, not those who used the system of vouching for one another.

"Then obviously Milwaukee's records procedures should be fixed. Were there indications of organized fraud, or just lousy records and some individual problems? Was this of a scale to sway the election, or just to reveal that there are problems there that need to be fixed?"

This was not some individual problem, the whole system is designed to avoid a good trail. You are a researcher, there is a huge debate about the stupid loopholes in Wisconsin. You claimed to be totally unaware. Now you aren't. Have at it with your famous persistence.

If you have lots of volunteer workers and inspectors, you can count the ballots right at the polling place after the polls close, but all too often there aren't enough observers to pull that off, so they transport the ballot boxes to the county headquarters -- and while the ballot box is in transit, all your security goes out the window.

Does it? Why?

You load the sealed ballot boxes - publicly, with witnesses mandated from all parties plus an independent electoral observer - into the back of a secure van. The doors to the van are locked/sealed. The van is driven to county headquarters. Since most vans have room up front for two people besides the driver, the driver can be an independent electoral observer and two people from the two largest parties can be witnesses. At county headquarters, witnesses mandated from all parties plus an independent electoral observer confirm that the van doors are stil locked/sealed before the electoral observer unlocks them and the sealed boxes are unloaded, publicly, where everyone can witness that they are still sealed. You do this whenever you transfer sealed ballot boxes (empty or full).

Exactly how is this "security going out the window"?

Exactly how is any of this impossible in the US?

Sebastian left out this part, from the same election.

Pratt is the son of former Acting Mayor Marvin Pratt, and Omokunde is the son of U.S. Rep. Gwen Moore (D-Wis.).

Quite a bit of shenanigans went on in Milwaukee back in 2004!

I dislike visual basic, but it is certainly possible to write moderately secure software with it

I'll put in a plug for PowerBASIC.

It still would have any security weakness that is in the Windows API.

Common Sense insists upon waving his penis at me. I'll not reciprocate. Let me simply observe that, if you think a language like Basic can be made secure, well, I think you should demand a refund from MIT. And if you think that ANY language with pointers, such as C, can be made secure, then you should sue MIT for its entire endowment!

I've done some security work. I've spent time with hackers talking about security problems. I've even hacked a few programs in my day. I'll grant that it's possible to make a program resistant to hackers by all manner of clever tricks -- that's what I did. But secure? No way.

Jesurgislac wonders how it is that the US can't get enough election monitors to insure that every step of the process is scrutinized. Partly it's a matter of differentiating between volunteers and employees. For example, you can't have volunteers driving the cars -- if they had an accident, the county would get sued. Nor do that many counties have enough vehicles to insure a county vehicle at every polling station. Remember, the USA is not as densely populated as Europe, so there are lots of polling places scattered all over creation. There are lots of counties where the stuff is thrown in the back of an employee's car, who drives it -- almost always alone -- to the county central facility. I've seen some horrific videos taken by election reform people showing some little old lady driving up to the headquarters in her Cadillac, opening the trunk, walking away for five minutes with the trunk wide open, coming back with somebody to help her, and then just driving off as soon as the helper has the stuff. There was some wonderful footage in 2004 of an election reform worker finding the audit trail documents in the dumpster outside the warehouse the day after the election -- even though the results hadn't been certified. The more people there are in the loop, the more holes there are.

A reminder of the posting rules, and their requirement that people try to keep office software filters from blocking this blog by watching their choice of language, might be in order.

Sorry, Gary. I allowed my fondness for punchy phrasing to exceed my considered judgment. I figured that Common Sense wouldn't take offense, but I forgot about the software filters. I'll be more restrained in future.

Eraserissimo: Jesurgislac wonders how it is that the US can't get enough election monitors to insure that every step of the process is scrutinized.

No, that's not actually what I wondered. I wondered why you were claiming that when ballot boxes were loaded into a van for transport, it was inevitable and unavoidable that "security goes out the window" when I (no expert) could casually think of a means of ensuring that ballot boxes were securely transported from voting station to counting center.

For example, you can't have volunteers driving the cars -- if they had an accident, the county would get sued.

So in the US, the county can't pay for insurance so that volunteers can drive the van with the sealed ballot boxes?

Remember, the USA is not as densely populated as Europe, so there are lots of polling places scattered all over creation.

And I recall also that in the US, you never developed any means of transporting valuable objects securely from one place to another. In Europe, we developed this concept called a car, which led to the development of a van, which can be constructed so that it's what we call high security, with things called locks on what we call doors. And we drive these vans along things called roads from place to place. Are you with me, Er? Should I explain in more detail? Provide links?

The more people there are in the loop, the more holes there are.

Not if you have rules which have to be followed for each step of the process of sealing and transporting sealed and empty or full ballot boxes from counting place to polling station and back again, which have always to be witnessed by at least two volunteers.

Your argument appears to be that because in the US you aren't capable of running elections properly, it's better to use computers...

which have always to be witnessed by at least two volunteers - one from each party, approved by the party, obviously. Or multiple volunteers if you have multiple parties. In this way in order to rig the election you have to persuade a Republican volunteer and a Democratic volunteer to spill the ballot boxes.

Yes, I grant you, running an election this way is a lot of hard work. But who said democracy had to be easy?

Ah, Jesurgislac, now I take your meaning. No, there aren't enough vans to go around in most counties. It depends, of course -- there are thousands of counties in the US. Some can handle it, but many can't. So they resort to using any means of transport ready to hand -- sometimes the cars of county employees. And when you have one person driving a car loaded with ballot boxes, without anybody supervising the loading or unloading, well, as I said, security goes out the window. And since you AREN'T wondering how the US can't get enough election workers to provide those services, that's no longer a point at issue.

You misunderstand my point about the widely scattered nature of polling places in the US. More polling places scattered over a wider area implies greater vehicle-miles to transport the ballot boxes to a central location. That's what puts so much pressure on election supervisors to enlist employees' vehicles, and why they sometimes have a single driver.

You continue to argue that, with enough people, it's easy to secure paper ballots. I agree entirely. The problem is that US counties seldom have enough people. Remember, elections here are carried out on Tuesdays. That means that only retired or unemployed people can volunteer to help. Employed people can't take a day off to volunteer. So there are never enough people to do the work.

No, there aren't enough vans to go around in most counties.

Then clearly, part of election reform in the US has to include provision of secure transport of ballot boxes between polling station and counting house.

That's what puts so much pressure on election supervisors to enlist employees' vehicles, and why they sometimes have a single driver.

Then clearly, part of election reform in the US has to include an unbreakable rule that election supervisors are not allowed to do that.

The problem is that US counties seldom have enough people. Remember, elections here are carried out on Tuesdays. That means that only retired or unemployed people can volunteer to help. Employed people can't take a day off to volunteer.

Then clearly, there has to be provision in federal law to require employers to let employees take a paid day off to volunteer for election supervision duty. It's one day every two years, and not an unexpected day, either: if a business cannot cope with an employee having a planned and predictable day's paid leave on public service no more than once every two years, it's obviously not much of a business.

The problem is, Er, that you seem to see all problems to do with computers as completely fixable - but take a completely defeatist attitude to the much simpler problems of setting up security around paper ballots. Why is that?

Wow, multiple trainwrecks in one thread. Keep it up, Sebastian and Erasmussino.

With regard to Erasmussino's nutty claims about security and properly designed systems: THERE IS NO PERFECTLY SECURE SYSTEM.

Ken Thompson, the co-creator of the C programming language, wrote an article called "Reflections on Trusting Trust". It's very interesting, but the bottom line is the following:

The moral is obvious. You can't trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code.

To build a trusted system, you must have total control over all levels of the computer system: chips, hardware, firmware, kernel, operating system, the entire compiler toolchain, as well as your voting application.

Such control does not exist. And the stakes involved in a superpower election are so high that none of these levels can be trusted. Even the ones involving Intel and Microsoft. Especially those, as a matter of fact.

(See the history of US corporations' complicity in espionage against the Soviets -- I'm thinking in particular of certain modifications made to early Xerox copiers, and backdoors in oil pipeline control programs).

No, I'm not taking a defeatist attitude towards paper ballots. Both paper ballots and computer voting systems have problems, but you are insisting that computer systems cannot be made secure (which is false), and that, with enough money, paper ballot systems can be made to work. Well, with enough money, ANYTHING can be made to work. The real question is, which approach can achieve greater security at an acceptable and equal level of expenditure? We don't know the answer to this question with certainty yet, but all the indications are that the computer approach can attain a higher level of security for the same amount of spending as the paper system. Why do I believe that this is true?

First, the cost of running an election is enormous. For example, the cost of carrying out a recount of votes in the State of Washington is 15 cents per vote for a machine recount and 25 cents per vote for a manual recount:

http://www.secstate.wa.gov/office/osos_news.aspx?i=SPlmpeBt1xLxpksVqw%2Ft9w%3D%3D

If these numbers are applicable to other states, then the cost of counting votes (not setting up polling places, hiring workers, and so forth -- just counting votes) in a presidential election (100 million voters) is $25 million per election. (By the way, what they call a machine recount is not the same as the output of a computer voting system. A recount on such a system would cost next to nothing. They're talking about rescanning all the ballots.) Now, these costs are the costs of the current shoddy system. If we wanted to take it up to the level of security you're recommending, we'd be talking about much higher costs.

By contrast, the expenditures for computer voting systems are primarily capital costs, which you pay just once. Now, voting machines these days cost about $5,000 apiece. That's a huge rip-off. The basic computer technology can be had off the shelf for $500. The software could be done by an open-source effort and cost nothing. A small printer costs less than $100. The most expensive component is the touch-screen, but the POS market has been driving prices way down in the last few years. You can get a nice 15" color touchscreen for $500 RETAIL. Thus, the component costs for such a system add up to maybe $1200 at retail. Do this as a commercial operation and you could make money selling it for $2000 at current prices. Wait a few years and the price will go down even further. That's the nice thing about technology: the price goes down with time. With manual labor, the price always goes up with time.

Oh, and don't forget that we have an average of one election per year in America. Those savings really add up fast.

Anyway, these estimates are all impossible to nail down, but my point is that computer voting systems need not be expensive. The companies making voting machines right now are making huge amounts of profit at the expense of the citizens.

Oh, and just for fun, I happened onto this link for Web-based voting. You wanna do it REALLY cheap? ;-)

http://www.bigpulse.com/elections?gclid=CITGptr_u4sCFRtcUAodznfq0A

theo, it's true that you can't trust anything built by anybody else. But you can trust something done with everybody watching. That's what open source software does. There is broad agreement that open source is the best way to obtain high levels of security.

The same thing goes for the use of commodity hardware. If you buy off-the-shelf parts, then the vendor who wants to take over the world by swinging elections will have to make millions of chips to go into personal computers, all of which have this weird stuff in them that anticipates the design of the voting software so that it can twist it around. That can be done -- but it would take millions of dollars of engineering to pull it off, and even then you can't be sure you won't be caught red-handed by one of those open-source hackers. You'd be surprised how good they are at digging out odd details.

That's the whole point of the whole open-source concept: do everything out in the open where everybody can see it. That's the best way to security.

Even then, you're right that nothing is absolutely secure. Not even paper ballots. So we go for the approach that gives us the greatest degree of security for the amount of money we're willing to spend. And it sure looks as if computer voting systems are the best way to do that.

Missed this one. A good thing, I think.

"Thus, the component costs for such a system add up to maybe $1200 at retail. Do this as a commercial operation and you could make money selling it for $2000 at current prices."

I'll leave the rest alone -- I've made my point, pointed to material, and I'm content to leave it there, and to you to continue to argue your POV so long as you like -- but in response to this I'd like to make the very small point that voting equipment has to, in some reasonable fashion, take into account the various forms of handicapped voters, including the blind, the deaf, the paralyzed, and so on.

There are legal requirements to be met that deal with those factors, as well as a variety of other legal requirements that voting equipment has to meet. You'll need to figure those costs into any overall costs.

"There is broad agreement that open source is the best way to obtain high levels of security."

When speaking of computers, there's a point we can agree on.

Care to comment on Bruce's many writings that I've pointed to?

Erasmussimo, it seems like you're continuing to assume all problems with computer-based systems can be magically fixed but no problems with other systems can be. Yes, we've had all these problems with badly written software and inferior hardware and poorly trained workers, but in the future somehow none of that will happen.

And I don't understand your cost comparison. How long are you expecting to continue to use these voting machines? If there are 175,000 precincts in the country, and each had only 3 machines (which would presumably cause huge lines, especially during the times when one is broken down), then at $2000 a piece that's over $1 billion. What are you comparing that with?

Gary, I agree that handicapped people present special problems, but I don't see these problems as in any way unique to computer systems. They'd be just as tough with paper ballots.

I find myself in agreement with most of what Mr X has to say. For example, he writes:

"Computer security experts are unanimous on what to do... And they have two recommendations:

1. DRE machines must have a voter-verifiable paper audit trails...

2. Software used on DRE machines must be open to public scrutiny...

Computerized systems with these characteristics won’t be perfect -- no piece of software is -- but they’ll be much better than what we have now. We need to start treating voting software like we treat any other high-reliability system. The auditing that is conducted on slot machine software in the U.S. is significantly more meticulous than what is done to voting software. The development process for mission-critical airplane software makes voting software look like a slapdash affair. If we care about the integrity of our elections, this has to change."

All of which I am in perfect agreement with.

KCinDC, you argue that the problems of computer voting systems are more difficult than I claim, and that the problems with paper ballot systems are easier to solve than I maintain. Let me point out two factors here:

1. Computer voting systems as currently built are execrable. Just read any of the material that Gary has posted, and you'll see the same basic points made over and over: computer voting systems are fraught with idiotic errors. They're badly designed and poorly programmed. I'm saying that, since they're so badly done now, it should be very easy to build something that works. The problems we face are not major technological hurdles, they're just a matter of getting some halfway competent people working on them. Hell, I could probably build a better system using a team of game designers -- and voting would be a lot more fun! ;-)

2. Paper ballot systems have already been maxed out. There's no promising new technology on the horizon, no reason to think that the problems we know about can be fixed. Yes, with lots of cheap labor, we can make paper ballot systems work -- but we don't HAVE lots of cheap labor. The Pharoahs could build the pyramids -- we can't.

I agree that the capital cost of equipping the country with computer voting systems would be at least $1 billion, and probably more like $3 billion to $5 billion (including training and deployment). However, the cost of running elections is nothing to sneeze at, either. I was not able to find good numbers on the total cost of running an election, especially because some of the costs will remain and some will go away, and I couldn't get numbers that are broken down in a usable fashion. But I think that the best evidence here is the enthusiastic response that county elections officials have had to this technology. One of the big arguments in favor of the HAVA act was that the county people couldn't scrape together the big capital expense of buying the voting machines, and so had to continue bleeding money for the high operating cost systems. The argument was that the country as a whole would save money by shifting over to the computer voting systems. That is my recollection; I'll try to research the testimony for HAVA to see if I can find some numbers.

Oops, in the above posting, read "Mr. Schneier" for "Mr. X". I forgot to go back and fill in the correct value.

I'm not arguing that the main hurdles are technological. There's a huge gap between what's technologically possible and what actually gets implemented, and I'm not so confident that that problem is easily soluble. Most software is execrable -- maybe not as bad as the voting software we have now, but far below the standards that voting software should meet.

My recollection is that the rush to electronic machines with HAVA was a reaction to the butterfly ballot and hanging chads. Not all paper ballot systems have those problems, and I'm not convinced that we need to spend vast amounts of money and effort to switch to something that's far more complicated and less transparent. I don't see the benefit.

I'm reminded of a time when a mall I used to go to decided to switch to a computer-based system for its directory of stores. The old system was the standard non-electronic big map and listing of where all the shops were. On the new system you could type in a name to search for a business and then have it highlighted on a map on the 15-inch screen. The new system was of course easier to update. Unfortunately it could only be used by one person at a time, whereas several people at once could have used the old one if only they hadn't removed it. But at least it was modern and used a computer.

When I go to my polling place, there are 16 or 20 voting stations, because all that's required for a station is a pencil (to fill in the arrows on the optical scan ballot) and a privacy screen. During a presidential election it's useful to have that many. I seriously doubt we'd be able to afford anywhere near that many if there had to be a voting machine at each.

"Gary, I agree that handicapped people present special problems, but I don't see these problems as in any way unique to computer systems. They'd be just as tough with paper ballots."

It's not important, but you seem to have not read what I wrote, or somehow "I'll leave the rest alone -- I've made my point, pointed to material, and I'm content to leave it there, and to you to continue to argue your POV so long as you like" wasn't clear.

I didn't say a word about the subjects you address above -- not a word -- so I have no idea what comments you are responding to. Please find someone who is arguing with you to argue with. Arguments work much better that way, when they're not non-sequiturs, or in response to our imagination.

(I actually made three other points, not a single one of which did you reply to. Whatever.)

"Oops, in the above posting, read 'Mr. Schneier' for 'Mr. X'. I forgot to go back and fill in the correct value."

In that case, please go back to my last comment, and subtract one from where I said "not a single one of which did you reply to," thus meaning that you did reply to a single one of which. Naturally, I'd not have said what I said at all, if I'd understood who "Mr. X" was; as a result I simply wrinkled my brow in puzzlement, and moved on, instead.

Common Sense: Again, I must point out: you do not know what you're talking about. Diebold machines were coded in VisualBasic, which is quite different from the BASIC invented in the 1960s...

Weren't they technically coded in AccessBasic? I'm not sure what the difference is, frankly, but I think AccessBasic has even fewer cryptographic capacities.

Look, you really cannot tell much by how old a computer language is. My company is building an incredibly sophisticated airline reservation system in common lisp, which is certainly older than BASIC.

Interestingly, AFAICT lisp all but ceased to exist outside of academic circles until relatively recently. Nowadays, Scheme and CL are popping up all the damn hell over the place. Pity, really, because it's been a PITA to learn a whole new programming paradigm.

My thesis was on programming language optimization through type inference.

Heh. I approve of any abstract techie paper whose opening section contains "The Coming Plague". Mind you, I have an irrational fondness for tech papers with inappropriate language; I'm still proud of the fact that my senior thesis (on transcendental number theory, and a POS it was too) quoted Stalin.

In re voter safety, can anyone comment on the electronic voting machines in the recent Indian elections?

Well, Gary, I don't understand your recent references, so perhaps this is an ideal opportunity for us to call it a night.

Anarch, I know nothing about the machines used in the Indian elections, but I'd love to learn about what they did and how it turned out.

Weren't they technically coded in AccessBasic? I'm not sure what the difference is, frankly, but I think AccessBasic has even fewer cryptographic capacities.

I think you may be right there Anarch. I don't see much difference between them; I believe that access basic programs can still use external DLLs so crypto primitives should not be a problem.

Now, having said that, using access for anything voting related at all was incredibly stupid. The problems are not in the language though.

Interestingly, AFAICT lisp all but ceased to exist outside of academic circles until relatively recently. Nowadays, Scheme and CL are popping up all the damn hell over the place. Pity, really, because it's been a PITA to learn a whole new programming paradigm.

Yeah, there's been something of a resurgence. Tools like SLIME make it a lot more pleasant. CL doesn't really offer much in the way of new paradigms though. The object system is pretty standard (except for coolness of multimethods and eq specialization) and you can (and probably should) ignore macros for a good long while.

Ironically, it seems that people who've spent time doing python/perl/ruby can adapt to CL pretty fast. Deep down, all dynamic languages are the same I guess.

In any event, Peter Seibel's book Practical Common Lisp is an excellent intro and is free on the web.

Here is a convenient piece in tomorrow's paper.

Five years after the Bush administration began a crackdown on voter fraud, the Justice Department has turned up virtually no evidence of any organized effort to skew federal elections, according to court records and interviews.

Although Republican activists have repeatedly said fraud is so widespread that it has corrupted the political process and, possibly, cost the party election victories, about 120 people have been charged and 86 convicted as of last year.

Most of those charged have been Democrats, voting records show. Many of those charged by the Justice Department appear to have mistakenly filled out registration forms or misunderstood eligibility rules, a review of court records and interviews with prosecutors and defense lawyers show.

In Miami, an assistant United States attorney said many cases there involved what were apparently mistakes by immigrants, not fraud.

In Wisconsin, where prosecutors have lost almost twice as many cases as they won, charges were brought against voters who filled out more than one registration form and felons seemingly unaware that they were barred from voting.

One ex-convict so unfamiliar with the rules that he provided his prison-issued identification card, stamped “Offender,” when he registered just before voting.

A handful of convictions involved people who voted twice. More than 30 were linked to small vote-buying schemes in which candidates generally in sheriff’s or judge’s races paid voters for their support.

[...]

Mistakes and lapses in enforcing voting and registration rules routinely occur in elections, allowing thousands of ineligible voters to go to the polls. But the federal cases provide little evidence of widespread, organized fraud, prosecutors and election law experts said.

And so on. Of course, it's the famously liberal NY Times, so obviously their story is slanted and wrong.

I probably should nonetheless note the specific examination of Wisconsin (home of Milwaukee!):

“There was nothing that we uncovered that suggested some sort of concerted effort to tilt the election,” Richard G. Frohling, an assistant United States attorney in Milwaukee, said.

Richard L. Hasen, an expert in election law at the Loyola Law School, agreed, saying: “If they found a single case of a conspiracy to affect the outcome of a Congressional election or a statewide election, that would be significant. But what we see is isolated, small-scale activities that often have not shown any kind of criminal intent.”

For some convicted people, the consequences have been significant. Kimberly Prude, 43, has been jailed in Milwaukee for more than a year after being convicted of voting while on probation, an offense that she attributes to confusion over eligibility.

Clearly a huge problem.
[...] Some of those cases have baffled federal judges.

“I find this whole prosecution mysterious,” Judge Diane P. Wood of the United States Court of Appeals for the Seventh Circuit, in Chicago, said at a hearing in Ms. Prude’s case. “I don’t know whether the Eastern District of Wisconsin goes after every felon who accidentally votes. It is not like she voted five times. She cast one vote.”

There's a bunch more about Ms. Prude (thank goodness she's off the streets, where she might vote again!) and Wisconsin's lack of significant voter fraud, and Republicans' attempts to gin claims up.
[...] Of the hundreds of people initially suspected of violations in Milwaukee, 14 — most black, poor, Democratic and first-time voters — ever faced federal charges. United States Attorney Steven M. Biskupic would say only that there was insufficient evidence to bring other cases.

No residents of the house where Mr. Graber made his assertion were charged. Even the 14 proved frustrating for the Justice Department. It won five cases in court.

The evidence that some felons knew they that could not vote consisted simply of a form outlining 20 or more rules that they were given when put on probation and signs at local government offices, testimony shows.

The Wisconsin prosecutors lost every case on double voting.

I think this makes clear just how serious the Democratic voting fraud conspiracy is: it's so insidious, that it's reached into the courts, and fixed the results. The lack of convictions only proves the problem is even larger than Republicans claim it is.

Rape prosecutions often lose, the evidence just doesn't meet the hurdle. I suppose you think that proves....

I'd like to point out to those that missed it that that United States Attorney Steven M. Biskupic has been making the news recently and his credibility is currently... tarnished.

Oh, and Gary? Absence of evidence -- or is that evidence of absence? I can never remember.

Seb,

I believe someone raised this issue upthread, but I haven't seen an answer yet.

Can you explain what prevents states from conducting voter spot checks right now? Specifically, it seems that states could pick a precinct, go through the rolls of voters who voted in the most recent election, dispatch someone to their house and verify that that person exists, is alive, and is eligible for voting.

When investigators show up at people's houses, they can ask to see ID and they can also ask to see recent bills or other postal mail. They can ask people if they actually voted. They can cross reference the social security death index and the local death certificates for people they're unable to locate.

I can't see any reason why this sort of investigation would be illegal right now. States that performed these investigations would get a rough bound on how bad voter fraud is.

If a state did that and came up with actual numbers, I'd be much more amenable to arguments for increased voter identification.

So, why hasn't any state performed an investigation like this?

No, I'm not taking a defeatist attitude towards paper ballots.

Yet every problem with paper ballots that you raise, you mention as if it were completely unfixable when, in fact, the solution is obvious - as, for example, your assertion that it's impossible to get volunteers to work on elections because elections are held on a Tuesday...

The real question is, which approach can achieve greater security at an acceptable and equal level of expenditure?

Paper ballots, demonstrably.

Cost of providing completely secure machines for electronic voting - considerable, and the machines to remain secure, will have to be frequently replaced/upgraded.

Cost of buying secure vans to transport sealed ballot boxes from place to place - considerable, but once bought, the election fleet doesn't have to be replaced or upgraded nearly as often, and can be used for other purposes between elections.

Most of the other "costs" involved in staffing elections and ensuring multi-party witnesses are available to watch ballot boxes being sealed, transported, unsealed, and ballots counted, is the need to ensure that anyone who wants to (you could have limits on number per company depending on the company's size) can take a paid day off for the purpose of volunteering to help secure the US elections. Once every two years: not actually a very high cost, and distributed effectively over large numbers of people.

I'm sorry, Amos, but there has never been a Gallup poll of computer security experts, much less a standard definition of what credentials one needs to have one's opinion count in any such poll.

I'll take that as a retraction of your statement about what "most security guys" think. Thank you.

I'd prefer to start with Schneier (and started with him long ago, in fact), but since you mention a particular Wikipedia article, let me give you a quote from it, prominently placed near the top:

"The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts."

Eugene H. Spafford, director of the Purdue Center for Education and Research in Information Assurance and Security.

Not enough poll workers/volunteers?

Over here those are drafted. Usually public servants are chosen first and volunteers are given preference but anybody on the voter list can be drafted to do the job on election day. You need a good excuse to avoid doing it (more or less the same as for not showing up in court if called).

The original reasons for not voting on Sunday don't apply anymore and, even if they did, why not making election day an official holiday? And don't come to me with the argument that the economy would go to hell in that case.

I could easily imagine a modernized version of the Greek voting pebble system using "verifiable pebbles" btw

Well, Hartmut, in the UK polling clerks, presiding officers, and enumerators, are paid positions: you apply for the job via the local council, and you take a day's leave from your usual job. (This would be awkward, I suppose, in the US where people don't have nearly as much paid leave as we do.) It could be subject to abuse, but every step of the way has official party witnesses - every party taking part has a right to have an official witness at the polling station and the counting. It's up to each party to arrange who these witnesses are, of course: party members usually volunteer, and of course candidates will.

Jesurgislac completely misunderstands my comparison of paper ballot systems versus computer voting systems when declaring, "Yet every problem with paper ballots that you raise, you mention as if it were completely unfixable when, in fact, the solution is obvious - as, for example, your assertion that it's impossible to get volunteers to work on elections because elections are held on a Tuesday..."

I have repeatedly characterized the problem as one of relative security for a given level of expenditure. I have agreed that, with enough money, anything can be accomplished. And I have also pointed out that, while the solutions Jesurgislac offers are certainly viable, they are also expensive. The real question, then, is the comparative cost of the two systems. Jesurgislac offers a speculative comment that the hardware would have to be replaced "frequently" in order to remain secure. This speculation is flatly contradicted by security experience in other fields. Once a system has been secured, there is no need to tamper with it. Some of the DoD secure systems are decades old, and they're just as secure today as they were twenty years ago.

Jesurgislac misses the most important recurrent cost with computer voting systems: the cost of replacing touch screens. These devices are fragile and people stab at them brutally, wearing them out rapidly. Fortunately, the wear and tear on a computer voting touch screen will be much less than that on POS systems, so they should last quite a while. Still, they will have to be replaced.

Jesurgislac and Hartmut both suggest schemes whereby people get time off from work to serve as election assistants. Their assumption here is that, since the government need not pay the costs, there are none. This is incorrect; there are no free lunches. If you take a worker who earns $25 an hour away from his job and put them onto election work for eight hours, then you have cost somebody, somewhere, $200. You can play shell games with where the money comes from, but in the final analysis, $200 of wealth (actually, somewhat more due to idle capital) that would have been created is not created. Multiply this by the thousands upon thousands of election workers around the country and you get a sizeable sum. How sizeable? I can only guess here. A typical polling station will have 3 to 6 workers and serve several hundred voters, so let's say -- very roughly -- one worker per hundred voters. With 100 million voters, that adds up to 1 million workers. At, say, $20 per hour per worker and 8 hours per day per worker, you end up with $160 million in labor costs. So let's not sneeze at labor costs, OK?

Unfortunately, at this point it gets difficult to make a comparison with computer voting systems, because we really don't have cost figures broken out for the actual counting process. The best figures I have found are the recount charges from the State of Washington. At $0.25 per vote with paper ballots, that adds up to a mere $25 million to process 100 million votes -- EXCEPT that this applies to a single race. A typical American ballot will have several dozen voting decisions on it. If we assume 20 decisions needing to be counted per ballot, then the cost of counting votes by hand comes to $500 million -- assuming that there are no economies of scale at work.

So if we apply my earlier estimate of $3 billion to $5 billion for the total cost of deploying a computer voting system, then we find that the system will pay for itself in savings in 6 to 10 elections. Since most Americans vote in about one election per year, that means 6 to 10 years of payback time -- which is better than the cost of money.

These are very rough calculations, of course, but they're better than the hand-waving we've been doing at each other so far. If anybody wants to improve upon them, by all means please do so. I'd especially like to find the testimony on HAVA, as I suspect that it will have detailed economic analysis.

In Germany the vote counting is officially public, i.e. whoever wants can witness it without having to apply for something. Is it the same in the UK or the US?

In Germany the vote counting is officially public, i.e. whoever wants can witness it without having to apply for something. Is it the same in the UK or the US?

I think it's the same in the UK, though to be honest I've never been at a vote count to find out how easy it is to get in. I'd assume that just physically, places are limited, and official witnesses from the parties have to have priority.

And I have also pointed out that, while the solutions Jesurgislac offers are certainly viable, they are also expensive.

Not as expensive as your solutions, though.

Their assumption here is that, since the government need not pay the costs, there are none.

No. My assumption is that the costs are worth paying.

If you take a worker who earns $25 an hour away from his job and put them onto election work for eight hours, then you have cost somebody, somewhere, $200.

And your unexamined assumption is that this is too expensive?

With 100 million voters, that adds up to 1 million workers. At, say, $20 per hour per worker and 8 hours per day per worker, you end up with $160 million in labor costs. So let's not sneeze at labor costs, OK?

There are elections coming up in Scotland in the UK in May, and I found a local council's press release advertising for election workers (the total votes cast in the last general election in East Dunbartonshire were 46 724) :

· 90 Polling Clerks to work in the Polling Places helping residents cast their vote. The wages are £164.55 (gross).
· 65 Presiding Officer to manage the Polling Stations. The wages are £269.62 (gross) or £253.86 (gross) depending on number of Polling Stations.
· 130 Enumerators to count the votes. Sixty-five staff are needed for Thursday night and another sixty-five for Friday morning. The wages are £80 (net) for Thursday and £40 (net) for Friday.

So that's 285 staff for about 47 000 votes, or 1 paid staffer for every 163 votes cast. If, just for the sake of argument, you assume about the same ratio for US elections, you need 750 107 paid staffers.

This leaves out, though, what you might call the intangible value of making local people feel responsible for running elections honestly and fairly as a public service.

"If, just for the sake of argument, you assume about the same ratio for US elections, you need 750 107 paid staffers."

Setting aside what seems to be some sort of typo: Per what? We don't have constituencies; we have, instead, a wide variety of offices and propositions, and bond issues, and so on, being voted on; each ballot, as I've mentioned, being different in every municipality. We need approximately 750, or 107, paid workers, per what?

Gary, it's still morning for you, but I'm sure you're familiar with the convention of using spaces (thin spaces when available) to separate groups of three digits in numbers. (As opposed to styles that use commas or periods or apostrophe-like ticks.)

"Gary, it's still morning for you, but I'm sure you're familiar with the convention of using spaces (thin spaces when available) to separate groups of three digits in numbers."

Huh. I don't think I've ever seen that before, actually. Not that I can recall. Where is that used?

Jesurglisac, I think we're getting down to trivial disagreements. I estimated 1 million workers; you came up with 750,107. C'mon, is this really worth arguing about? The important issue is the cost comparison, and although you strongly deny a few of my statements, you don't seem to find my overall assessment worthy of challenge.

At 8:22 AM Mr. Newcombe triumphantly pranced a victory dance because he misunderstood my earlier post about computer experts. I'll have to clarify: there are no reliable polls that give us clear statistics about the opinions of security experts. However, a reading of the opinions of many separate experts clearly demonstrates that the opinion of most is that the security problems can readily be solved if only we put some competent effort into it. I provided a quote from Mr. Schneier to demonstrate this point.

Mr. Newcombe provides his own quote to the effect that there is no such thing as security. I add two additional considerations: the quote describes ABSOLUTE security: the kind of security that even the Mission Impossible team could not break. Absolute security is a form of perfection: it is unattainable and Mr. Newcombe's source is stating the obvious.

Second, as Mr. Schneier points out, there are some security experts who are pessimistic, but most are optimistic that these problems have reasonably obtainable solutions. Anybody can dig up a few outlier quotes; the real question is what the majority of experts think, and that matter seems to be clear.

The important issue is the cost comparison, and although you strongly deny a few of my statements, you don't seem to find my overall assessment worthy of challenge.

Nope. I think democracy is worth paying for to get as reliable a system as possible, and the best possible system is hand-counted paper ballots. You think it's better to aim to do it as cheaply as possible, and above all not include ordinary voters in running the elections fairly. You're right that I don't see this position as worthy of challenge: any more than I see your self-claimed credentials as an IT expert worthy of challenge.

I just got off the phone with an old friend who's more knowledgeable than I about security, having done a lot of work with the DoD. He confirmed almost every point I've made here, but did contradict me on one point: it IS possible to write secure code in both Basic and C. However, he also points out that this requires the programmer to jump through a lot of hoops to maintain security. If you want a secure application, he agrees, it's just stupid to use Basic or C.

He also suggested an idea that impresses me as particularly useful: offer the voter a hardcopy of his ballot. This would be in addition to the paper trail hardcopy, and the voter's copy would be given an identification number. All the voting results are then posted on the Internet, right down to the individual votes, although they would of course remain anonymous because each ballot would be identified only by a code number. Thus, any citizen can peruse the votes to determine that they were in fact counted properly. More important, any citizen can look up his own vote to insure that it was recorded properly. If he finds that his vote for Candidate X was converted into a vote for Candidate Y, he marches straight to the District Attorney and shows them the printed ballot, and somebody's head will roll.

"He also suggested an idea that impresses me as particularly useful: offer the voter a hardcopy of his ballot."

Wonderful new idea: very insightful; I wonder why no one ever thought of this before?

Paper trails for electronic voting! This introduces an entirely new concept into the debate for everyone familiar with the issues!

Now we're getting somewhere.

Gary, I clearly differentiated between the conventional paper trail that has been urged by computer scientists for years (in which the printed ballot is stored for archival purposes) from the new idea presented by my friend, in which a SECOND copy of the ballot is given to the voter, and can be checked against the results posted on the Internet.

These are two very different ideas; don't confuse them.

Jesurglisac, you're starting to get hot under the collar; I suggest that you cool off. Perhaps I should depart this discussion in the interests of public amity, but I fear that your animus towards me would manifest itself in other discussions, and I don't want that to cripple future discussions, so I suggest that you calm down and concentrate on the ideas rather than the personalities.

Back to work:

You suggest that effective democracy is worthy any price. I disagree. I'm not willing to spend a penny more than is necessary to obtain a reliable vote count. I'm pretty sure that my opinion is shared by most citizens. Wasted money, after all, is never popular with the taxpayers.

I do believe that we can obtain a reliable vote count with computers, I have demonstrated how this is possible, and you seem to have no substantive challenges to my rough calculations. There's still plenty of room for wiggle in my numbers, but they certainly demonstrate the plausibility of my case. They don't prove anything -- neither of us has proven anything -- but they at least provide more detailed support than any of the opposing arguments I have seen.

You write, "You think it's better to aim to do it as cheaply as possible, and above all not include ordinary voters in running the elections fairly."

Come now, Jesurglisac, this is an expression of anger, not intellectual analysis. Let's focus on productive discussion, please!

Lastly, you refer disparagingly to what you call "your self-claimed credentials as an IT expert". Actually, I'm not asking anybody to take anything on my word alone. I have offered lots of factoids, any of which can be checked out quite easily. For example, I did not provide a link proving that one can weld a box shut to make it secure, and I don't ask anybody to take that claim on my authority, but should anyone wish to challenge it, go ahead.

Please, let's not get into a shouting match. Let's just concentrate on the facts and ideas, OK?

Erasmussimo,

Your brilliant idea is unworkable. If voters can produce records of their voting they can be coerced to provide those receipts and can easily sell their votes.

Also, as much as I hate to do so, I need to defend VB a little. You cannot argue that VB is fundamentally insecure without explaining why. Certainly, versions of VB that run on virtual machines should be more secure than traditional C programs. Furthermore, VB generally doesn't allow direct pointer manipulation. Again, you need to make an actual argument instead of blithely asserting things to be true.

Sorry, Erasmussimo, but I have a hard time taking you seriously when you've disregarded insights from computing professionals and matters that have already been discussed for years.

Yes, paper trails. Brilliant. It's only been discussed for the last decade or so...

Gary, I clearly differentiated between the conventional paper trail that has been urged by computer scientists for years (in which the printed ballot is stored for archival purposes) from the new idea presented by my friend, in which a SECOND copy of the ballot is given to the voter, and can be checked against the results posted on the Internet.

These are two very different ideas; don't confuse them.

Ummm, this ideas HAS been proposed. Again, been there, done that.

Erasmussimo:

However, a reading of the opinions of many separate experts clearly demonstrates that the opinion of most is that the security problems can readily be solved if only we put some competent effort into it. I provided a quote from Mr. Schneier to demonstrate this point.

[...]

Second, as Mr. Schneier points out, there are some security experts who are pessimistic, but most are optimistic that these problems have reasonably obtainable solutions. Anybody can dig up a few outlier quotes; the real question is what the majority of experts think, and that matter seems to be clear.

I'm a tad unclear on how long you've been following the issues of electronic voting, and "Mr. Schneier"'s views.

I came to the issue late, only around 1995 or so. I've only had mutual friends with Bruce since the mid-Seventies, and he didn't start buying me dinner when he and Karen came to town until long after.

I will assume that you're actually entirely unfamiliar with Bruce's writings, and views, and that of "most experts" on security, rather than deliberately misrepresenting those views, which Bruce has written about so many hundreds of times that one can find relevant summaries almost randomly in his archives.

My second cite to him, above, which you either didn't read, or chose to ignore in favor of what you want to believe:

That's my primary concern about computer voting: There is no paper ballot to fall back on. Computerized voting machines, whether they have keyboard and screen or a touch screen ATM-like interface, could easily make things worse. You have to trust the computer to record the votes properly, tabulate the votes properly, and keep accurate records. You can't go back to the paper ballots and try to figure out what the voter wanted to do. And computers are fallible; some of the computer voting machines in this election failed mysteriously and irrecoverably.

[...]

The ideal voting system would minimize the number of translation steps, and make those remaining as simple as possible. My suggestion is an ATM-style computer voting machine, but one that also prints out a paper ballot. The voter checks the paper ballot for accuracy, and then drops it into a sealed ballot box. The paper ballots are the "official" votes and can be used for recounts, and the computer provides a quick initial tally.

Even this system is not as easy to design and implement as it sounds. The computer would need to be treated like safety- and mission-critical systems: fault tolerant, redundant, carefully analyzed code. Adding the printer adds problems; it's yet another part to fail. And these machines will only be used once a year, making it even harder to get right.

But in theory, this could work. It would rely on computer software, with all those associated risks, but the paper ballots would provide the ability to recount by hand if necessary.

The only thing everyone has ever talked about since 2000 and earlier is that any voting system that uses ballots must make a paper copy available to the voter.

That's the basic, elementary, first grade, assumption, that everyone has been been talking about since the last century. This is the sort of thing I meant when I urged you to read what folks have been discussing since the mid-Nineties, and provided you links to do so.

Bruce more recently, this from last November 13th:

Electronic voting machines represent a grave threat to fair and accurate elections, a threat that every American -- Republican, Democrat or independent -- should be concerned about. Because they're computer-based, the deliberate or accidental actions of a few can swing an entire election. The solution: Paper ballots, which can be verified by voters and recounted if necessary.

[...]

Electronic voting is like an iceberg; the real threats are below the waterline where you can't see them. Paperless electronic voting machines bypass that security process, allowing a small group of people -- or even a single hacker -- to affect an election. The problem is software -- programs that are hidden from view and cannot be verified by a team of Republican and Democrat election judges, programs that can drastically change the final tallies. And because all that's left at the end of the day are those electronic tallies, there's no way to verify the results or to perform a recount. Recounts are important.

This isn't theoretical. In the U.S., there have been hundreds of documented cases of electronic voting machines distorting the vote to the detriment of candidates from both political parties: machines losing votes, machines swapping the votes for candidates, machines registering more votes for a candidate than there were voters, machines not registering votes at all. I would like to believe these are all mistakes and not deliberate fraud, but the truth is that we can't tell the difference. And these are just the problems we've caught; it's almost certain that many more problems have escaped detection because no one was paying attention.

This is both new and terrifying. For the most part, and throughout most of history, election fraud on a massive scale has been hard; it requires very public actions or a highly corrupt government -- or both. But electronic voting is different: a lone hacker can affect an election. He can do his work secretly before the machines are shipped to the polling stations. He can affect an entire area's voting machines. And he can cover his tracks completely, writing code that deletes itself after the election.

And that assumes well-designed voting machines. The actual machines being sold by companies like Diebold, Sequoia Voting Systems and Election Systems & Software are much worse. The software is badly designed. Machines are "protected" by hotel minibar keys. Vote tallies are stored in easily changeable files. Machines can be infected with viruses. Some voting software runs on Microsoft Windows, with all the bugs and crashes and security vulnerabilities that introduces. The list of inadequate security practices goes on and on.

The voting machine companies counter that such attacks are impossible because the machines are never left unattended (they're not), the memory cards that hold the votes are carefully controlled (they're not), and everything is supervised (it isn't). Yes, they're lying, but they're also missing the point.

We shouldn't -- and don't -- have to accept voting machines that might someday be secure only if a long list of operational procedures are followed precisely. We need voting machines that are secure regardless of how they're programmed, handled and used, and that can be trusted even if they're sold by a partisan company, or a company with possible ties to Venezuela.

Sounds like an impossible task, but in reality, the solution is surprisingly easy. The trick is to use electronic voting machines as ballot-generating machines. Vote by whatever automatic touch-screen system you want: a machine that keeps no records or tallies of how people voted, but only generates a paper ballot. The voter can check it for accuracy, then process it with an optical-scan machine. The second machine provides the quick initial tally, while the paper ballot provides for recounts when necessary. And absentee and backup ballots can be counted the same way.

You can even do away with the electronic vote-generation machines entirely and hand-mark your ballots like we do in Minnesota. Or run a 100% mail-in election like Oregon does. Again, paper ballots are the key.

Paper? Yes, paper. A stack of paper is harder to tamper with than a number in a computer's memory. Voters can see their vote on paper, regardless of what goes on inside the computer. And most important, everyone understands paper. We get into hassles over our cellphone bills and credit card mischarges, but when was the last time you had a problem with a $20 bill? We know how to count paper. Banks count it all the time. Both Canada and the U.K. count paper ballots with no problems, as do the Swiss. We can do it, too. In today's world of computer crashes, worms and hackers, a low-tech solution is the most secure.

There were many many links I didn't include.

Here is another piece from the same day, with much much more, including:

How many hundreds of these stories do we need before we conclude that electronic voting machines aren't accurate enough for elections?
That's a random pluck of Bruce on the topic; here are more. (I'm sarcastic because I'm impatient with pointing out the basics again to someone who I'm reasonably sure wasn't issuing his educated expert opinion on the topic in the Nineties, or 2000, and who has just minutes ago discovered the concept of "an idea that impresses me as particularly useful: offer the voter a hardcopy of his ballot"; I suspect that you'll be a tad impatient, and perhaps sarcastic, in 2019 when someone tells you about this bright new idea, after first lecturing you about your "ignorance," and his expertise.)

Do you still want to maintain that you've been accurately representing Bruce's views, with stuff like this? Do you really want to maintain that your quotes accurately represent Bruce's views on electronic voting bettr than mine do?

Second, as Mr. Schneier points out, there are some security experts who are pessimistic, but most are optimistic that these problems have reasonably obtainable solutions. Anybody can dig up a few outlier quotes; the real question is what the majority of experts think, and that matter seems to be clear.
I hate to bug Bruce with trivia, and I wouldn't unless it was worth it (wasting time on a blog comment thread isn't remotely important), but it's not a big deal for me to drop him an e-mail with your quotes and then provide his response, either, if it seems worth it.

I dunno if you want to plead deliberate distortion (probably not), not knowing from Bruce's very prominent writings as perhaps the foremost expert on the topic we're discussing until I introduced him here yesterday, or simple willingness to imply you're familiar with issues and writings you're not, in the course of wishfully interpreting material to suit your opinions, which is almost certainly the main explanation, but I look forward to your explanation.

One more comment from Bruce:

One of the dumber comments I hear about electronic voting goes something like this: "If we can secure multi-million-dollar financial transactions, we should be able to secure voting." Most financial security comes through audit: names are attached to every transaction, and transactions can be unwound if there are problems. Voting requires an anonymous ballot, which means that most of our anti-fraud systems from the financial world don't apply to voting. (I first explained this back in 2001M.)
But there's lots lots lots lots more where that came from.

Mr. Farber, you're not reading Mr. Scheier's statements. He is very clear that his opposition is to PAPERLESS computer voting systems. Here's part of what you posted from him:

"My suggestion is an ATM-style computer voting machine,"

Do you see the phrase "computer voting machine" in that sentence? Mr. Scheier is suggesting the same thing I'm suggesting: a computer voting system with paper backup.

I must confess to some exasperation at your posting long quotes whose purport strongly supports my proposition, and claiming the opposite. So let's be absolutely clear here:

I am championing a computer-based voting system with at least one (and possibly two) paper receipts to be used as backup. I find Mr. Scheier's suggestion that the printed ballot be the primary data source -- that's fine with me, as it could be printed with a bar code for rapid machine reading. But the important point is to take the messy process that we now rely on, which is subject to all manner of human error, and replace it with a machine process that is more reliable.

And no, I'm not saying that all machine processes are more reliable than all human processes. I'm saying that there exist some machine processes that are more reliable than the current system of voting, and that we should use those more reliable (and cheaper, to boot) systems.

Another minor item: Mr. Farber presents a quote from Mr. Scheier in which Mr. Scheier dismisses the comparison with financial computer systems on the grounds that financial systems are auditable because each transaction can be associated with a particular name. Mr. Scheier is apparently unaware of the proposal I cited earlier to provide each voter with an anonymously identified ballot for audit purposes. Yet Mr. Gwangung dismisses the originality of the idea with the statement "Ummm, this ideas HAS been proposed. Again, been there, done that."

Perhaps Mr. Scheier is not familiar with the field of computer security -- I rather doubt it. Perhaps Mr. Scheier forgot about the idea when he wrote the above. Perhaps Mr. Gwangung is incorrect. I don't know. But there is a discrepancy here.

Perhaps I should depart this discussion in the interests of public amity

Or take it over to Taking It Outside?

Either way, I'm done discussing it with you.

"Mr. Farber, you're not reading Mr. Scheier's statements."

I've been reading them for decades. We're friends, as I tried to communicate.

This even enables me to, you know, spell his name correctly. Assuming we're talking about Bruce Schneier, not the "Scheier" you repeatedly refer to .

"Perhaps Mr. Scheier is not familiar with the field of computer security -- I rather doubt it."

I give up.

Mr. Farber, your friendship with Mr. Schneier (thanks for correcting my spelling) does not permit you to reverse the meaning of his writings. He is plainly supportive of exactly the kind of computer voting system I've been championing, yet you use his words to argue the opposite. I suspect that Mr. Schneier would be cross with you should he discover how seriously you have misused his writings. Don't worry -- I won't tell. ;-)

Gary, Chicago Manual, paragraphs 8.65 and 8.66 in the 13th edition. And of course various more technical style guides. I guess my copyediting has been more mathematical and scientific than yours.

We so need a TIO thread for this... ;-)

"I guess my copyediting has been more mathematical and scientific than yours."

Yeah, I've never ever done any technical or academic copyediting; all my work has strictly been mass market, or at worst, small press.

Not to derail a productive thread or anything, but Amos, Common Sense or any other CS types out there: do you know a source -- book, online journal, whatever -- that would tell me how to formalize a definition by corecursion that doesn't use category theory and coalgebras? I'm trying to help a friend make his thesis more precise and I can't quite articulate what's needed.

I guess my copyediting has been more mathematical and scientific than yours.

IIRC, wasn't that instituted in part because of the European/American split over whether to separate the digits by periods or commas? I get really weirded out whenever I read, say, a French report that "12.000 people were at the game" -- what, you needed floating-point accuracy to measure a dozen people?

I find Mr. Scheier's suggestion that the printed ballot be the primary data source -- that's fine with me, as it could be printed with a bar code for rapid machine reading.
So you favor switching from voting machines to ballot-printing machines that produce optical-scan paper ballots? That's fine with me, especially if the ballots are designed so that they can also be completed manually in cases when the machines break down or are overwhelmed. It's a long way from the all-electronic system you we're arguing for (and I was arguing against) at the beginning, though. I'm still not sure it's worth all the expense or how possible it will be to get everyone to go for it, but it does have some advantages, particularly for people with some disabilities.

I'm not sure where the cost savings would come in, though. Wasn't eliminating the cost of handling all that paper supposed to be where we'd save all that money? Now the paper isn't going away.

Watching this little thread has been awesome. It reminds me of the funner days on talk.origins.

Erasmussimo: Let me give you some advice. Here, on the internet, you're likely to run into actual experts. And you're certain to, sooner or later, run into people who understand a subject much better than you. You might want to consider, just possibly, the fact that you could be in error.

Now, I don't know what sort of education or experience you have in software -- your resume doesn't matter (or so said the man who hired me by handing me a sheet of code and asking "What does this do?").

What matters is your level of understanding. So far, you've demonstrated the ability to:

1) Wander into a conversation about electronic voting as if a decade or more of computer voting experience, discussion, studies, and security issues had never happened.
2) Lecture people who quite obviously understand computers and computer security a LOT better than you on what they don't understand about computers and computer security.
3) Generally not make a positive impression for yourself.

For example, your response to me (took a minute to dig it out) that "Central servers can't be hacked because they're not on the internet"...

That shows your lack of domain knowledge right there. I had assumed -- stupidily -- that you had the level of competence you claimed. As such, I didn't specify what I meant by hacking vote counting servers. There are, of course, three simple ways:

1) Hack it at the software level -- malacious code built into the product. This includes last minute 'patches' (the infamous case in Georgia, in which the code was patched at the last minute without undergoing scrutiny as an example).
2) Hack it in person -- an admin misusing tools (and Diebold's auditing procedures are so poor that yes, indeed, anyone with proper access could modify records and remove the audit trail).
3) Hack it remotely -- using the connection between the voting machines and the servers.

1 and 2 are most likely, but 3 isn't impossible. I recall at least one paper outlining a way to do it.

Whoa, you're making an assumption that's new here: dual-function ballots. I don't think that's a good idea, because, as you note, they would increase the cost of the system. I don't know by how much they would increase the cost, so I'm not ready to dismiss the idea out of hand. Let's get some numbers on it first.

But yes, I've been saying all along that computer voting systems with paper trails are the way to go. Mr. Schneier has been saying much the same thing all along. Most computer security experts have been saying the same thing all along. I was NOT arguing for a computer voting system without a paper trail.

There is one fine distinction we have to be clear on. Mr. Shneier wants a computer voting system in which the printed ballots are not only the audit trail but the primary data source. I can live with that, although I'm not yet sure it's necessary. And it suffers from the added problem of physical ballot security in transportation from polling station to central location. I suppose, however, that, if carried out in tandem with properly encrypted authentication data, it could work and not add too much cost.

Mr. Morat20, you seem more intent on personal attack than discussing the issues here, and I am averse to engaging in such childish issues, but I will respond to a few substantive issues you raise:

You made some comments regarding hacking into the system, dismissing my ignorance for suggesting that the central server isn't on the Internet. May I remind you that I was responding to your statement that "I just need access to one -- the central server." It goes without saying that the central server is pretty secure because it is the CENTRAL server, the obvious point of attack, and there will be lots of people hanging around it. Yes, some of the Diebold systems are grossly inadequate, and there were even some very suspicious activities in North Carolina, Georgia, and Ohio in 2004 that suggest manipulation of the data through the central server. But again, I remind you, I am talking about a computer system built by reasonably competent people, and that would include a secure central server unconnected to the Internet and with restricted physical access.

All three of the hacks you describe are easily prevented by simple security procedures such as I have already outlined. So, yes, it's not difficult to penetrate the security of computer voting systems now -- but that says nothing about the difficulty of building secure computer voting systems. It just goes to show what a Mickey Mouse system we are using now.

Lastly, it really doesn't matter if I'm a blithering idiot -- and if you think that important, I'll happily stipulate as much. The important issue here is not Erasmussimo's competence, wisdom, good looks, or sartorial taste. What's important are the facts and issues. Where I've said something wrong, correct me. Don't just assert that I'm wrong -- give me some logic plus facts. So far, I'm reading a goodly number of feckless attacks on my competence and an insufficient supply of direct response to the points I am making.

The breakdown of machines was a factor in the last elections iirc. I would be not at all surprised, if those breakdowns were a larger problem in the less affluent (and usually Democratic leaning) districts (that had fewer machines in the first place) even without evil intent (that I assume also played a role). I hear the same was already the case in the era of the mechanical machines. The result were long lines of admission causing many to go home without voting "voluntarily"(I probably wouldn't wait 8 hours in line to vote) or even being sent away because the precinct closed before they reached the head of the line.
Don't know how many votes were effectively suppressed by this. Paper ballots have no such natural bottleneck.
Btw, "Drafted Election Helpers" in Germany are not actually payed but only receive catering or the money equivalent, if that is not possible. With elections on an officially work-free day (Sunday, could in theory be a national holiday too) there is no loss of income.

Erasmussimo, I interpreted Schneier's quoted statement as endorsing the dual-function ballots: "You can even do away with the electronic vote-generation machines entirely and hand-mark your ballots like we do in Minnesota." It's true it might be interpreted otherwise. I don't see why designing the computer-produced ballots to be compatible with hand-marked optical-scan ballots should be that big a deal.

I think there's a vast difference between a paper audit trail, which you've mentioned as one possibility, and computer-produced paper ballots. With the first system, the vote is something mostly unobservable that's stored on a disk drive or a memory card. With the second, the vote is a physical marking on an object -- something that anyone can see and something that's more difficult to alter or destroy in significant numbers without leaving evidence and involving more people.

"I would be not at all surprised, if those breakdowns were a larger problem in the less affluent (and usually Democratic leaning) districts (that had fewer machines in the first place) even without evil intent (that I assume also played a role)."

In my state it was the impulse to go to a brilliant new improved computer voting system. Worked wonders.

Yes, KCinDC, it's possible that a dual-purpose ballot could be designed. I'd guess that it would use the conventional bubble-filling method, which is trivial for the computer to do and easy for the human to do. The optical scanning is certainly workable, but in terms of optimum reliability, I'd prefer the machine-generated results. Optical scanners can jam, mangle ballots, or misread human-marked ballots. But they're a viable solution.

You seem to place an enormous amount of weight on the tangibility of physical ballots. I can understand a healthy skepticism about the likelihood of political dirty tricks -- I myself am one of the believers that the Diebold machines were manipulated to alter electoral results -- but I'll again remind you that we really can build machines that are secure. We make the design open and available to everyone so that everyone can convince themselves that the system is secure. If the procedure for voting is secure, then the results of that procedure are secure. I recognize your fear that the average person won't understand the process, and so might be disenfranchised from the verification process, but I ask you, do you know how votes are counted in your district? Do you know where they go, who handles them, and who counts them? It's possible, but certainly you'll agree that there aren't many Americans who do know. Instead, they take the word of their representatives -- the Republican or Democratic observers -- who monitor the process. What's the difference between your party observer watching the votes being counted and your party observer watching the computers being built? You still end up trusting somebody.

You made some comments regarding hacking into the system, dismissing my ignorance for suggesting that the central server isn't on the Internet. May I remind you that I was responding to your statement that "I just need access to one -- the central server." It goes without saying that the central server is pretty secure because it is the CENTRAL server, the obvious point of attack, and there will be lots of people hanging around it.

And there's your problem, in a nutshell. It "doesn't go without saying". It's an assumption. You are assuming that the tabulating servers, their databases, their audit files, their log files, their source code, and their links with client machines are secure and well-written.

It's an unfounded assumption -- one completely at odds with the reality of electronic voting (in which even simple client machines are incapable of running smoothly) and certainly at odds with the fact that these systems are proprietary and immune to the scrutiny of election officials -- most of whom wouldn't know C from Basic, even if they had source code access.

You don't seem to grasp the very basic problems here. First and foremost -- analysis of leaked Diebold code (revealed through their own stupidity and failure to properly secure an FTP site) indicates that the entire system was so insecure a child of 10 could have broken it. An Access DB, general lack of security, auditing software that was vulnerable to anyone with DB administrative privaleges, insecure communication, and no form whatsoever of client vote verificiation.

Given that, you want us to assume that electronic voting software will be magically ultra-secure and awesome and magical and invulnerable?

How? Who is going to verify the work? Who is going to monitor the DB? Who is going to make sure the inspected source code is what is compiled and running -- not just on the servers, but the client machines? Who is going to ensure that the system is invulnerable to client-side hacks (and every client machine on the market today can be hacked even easier than the old lever machines).

And -- god forbid -- how to you verify the numbers you get are even remotely right?

You don't. Your entire argument here has been founded on assumptions. Assumptions that anyone with even the most basic knowledge of electronic voting in the US would consider laughable.

Why do we need electronic voting at all?

Suppose we went to an entirely paper system. It would presumably cost more to run. It would take much more labor for human beings to do the work. It would get slower results. That's all OK with me. Suppose it took a whole week to find out who won the elections. I don't mind that either.

If we're going to go to electronic voting, let's work out all the problems and spend about 50 years verifying that all the problems are worked out first, and then switch.

That reminds me, whenever there's talk about reliability or verification in government I like to bring up drug testing. We need regular drug and alcohol testing for legislators. Also for the President and high political appointees.

We don't let airline pilots fly drugged, it affects the public safety. How much more is the public safety threatened by drugged senators?!

"We make the design open and available to everyone so that everyone can convince themselves that the system is secure."

Because every voter has the technical knowledge to satisfactorily and accurately do that. No problem there.

After all, all the facts on the engineering of the World Trade Center buildings being available to all has made it impossible for anyone to believe that the only logical explanation for their collapse was internal demolition.

Yes, the facts being public and open is all that is needed to do away with public suspicion, misunderstanding, delusion, conspiracy theories, or even genuine reasons for concern.

That always works.

And, in general, when we discuss "security," we're referring to things like welding, and crytological code; "social engineering" and the ways people respond socially to issues of insecurity, or are manipulable, or illogical, are irrelevant, just as human error is.

Ah, I see your misunderstanding now, Mr. Morat. You believe that I am arguing in favor of the current computer voting systems. I'm not. I am arguing in favor of computer voting systems that have been secured as per the recommendations of many computer security experts. And, while I may be horrifically ignorant, perhaps you might be willing to trust those computer security experts.

Mr. Farber, once again in your flights of sarcastic eloquence you have escaped into a universe beyond the realm of my perception; perhaps you could bring it down to earth for my plodding intellect and explain your meaning?

If the voter himself inputs the printout into the optical scanner, as suggested above, I guess you save a little money on poll counters. But you lose votes, because some significant percentage of voters, especially the elderly, will find ingenious ways to screw up the task of putting paper (A) into scanner (B), especially since I have yet to see a fax or scanner that didn't use cutesy little enigmatic icons to tell you which way up. You could make the machine buzz when it can't read a page -- but they won't necessarily improve their performance the second time around, and anyway, the buzzer will probably go off at random about as often as a car alarm does, which won't help create a calm voting experience.

Sorry, that was a response to KinDC at 2:42, I hadn't realized how much traffic there was after that.

"When investigators show up at people's houses, they can ask to see ID and they can also ask to see recent bills or other postal mail. They can ask people if they actually voted. They can cross reference the social security death index and the local death certificates for people they're unable to locate.

I can't see any reason why this sort of investigation would be illegal right now. States that performed these investigations would get a rough bound on how bad voter fraud is."

It would almost certainly be seen as voter harrassment.

Trilobite, the same is true of those elderly voters attempting to manage the touch screen. (Hell, it's nearly true of me at a touch-screen ATM on a day when my fingers are particularly cold, especially when it's been miscalibrated.)

Erasmussimo, I believe that a process will be observed less effectively if only 1 percent of the population is qualified to observe it than if most random people off the street are.

It would almost certainly be seen as voter harrassment.

Seb,

Well that depends doesn't it. It certainly would if the operation were designed and run by republican party operatives who have a history of voter intimidation.

Alternatively, if you publicize this ahead of time, and make it very clear that you're doing this in a random sampling of precincts and outsource some of the work to a trusted neutral party like the league of women voters or high school students, then it would not be seen as harassment.

For that matter, you could offer people a $20 gift certificate if they could demonstrate that they were the person voting that day.

If you only do this in african american communities and you use uniformed white police officers as the investigators, then there will be problems. If you do it in a variety of areas and the work is being done by high school kids as part of their civics class, you will have far fewer problems.

Seb, am I missing something or does that take care of your concern?

I'm not particularly concerned about any of that, you need to convince the liberals here.

For that matter, you could offer people a $20 gift certificate if they could demonstrate that they were the person voting that day.

Maybe that plan could be checked out as a pilot project in Chicago, just to see how it works. So as not to show any favoritism to any particular store, cash will be handed out instead ;^)

I'm not particularly concerned about any of that, you need to convince the liberals here.

Um, no. I asked you why no state has conducted an investigation along the lines I described. You suggested that the reason is concern over voter intimidation. I countered with a means of conducting the investigation that would greatly reduce the appearance of voter intimidation.

So, now I'd like to hear either a good reason why a normal person would still suspect voter intimidation even with the safeguards I described in place OR a reason why no one has ever conducted this sort of investigation before.

It could be that I am simply smarter than everyone who has ever worked in government so no one has ever thought of this idea before. However, I doubt that.

Seb, I'm trying really hard to believe that you have real concerns about voter fraud, as opposed to a desire to reduce minority voting. However, it would be easier to do that if you showed a little interest in actual voter fraud investigations. Alternatively, you could continue to argue that we cannot ever measure voter fraud without imposing radical identification requirements.

I know of an industrialist who wanted to give a day off, paid to people who voted. No can do, said the authorities.

"I know of an industrialist who wanted to give a day off, paid to people who voted. No can do, said the authorities."

Who are the authorities who can order that a business not give employees a paid day off, and what authority did those authorities use?

The comments to this entry are closed.

Blog powered by Typepad