by hilzoy
From the NYT again:
"Computer scientists from California universities have hacked into three electronic voting systems used in California and elsewhere in the nation and found several ways in which vote totals could potentially be altered, according to reports released yesterday by the state. The reports, the latest to raise questions about electronic voting machines, came to light on a day when House leaders announced in Washington that they had reached an agreement on measures to revamp voting systems and increase their security.
The House bill would require every state to use paper records that would let voters verify that their ballots had been correctly cast and that would be available for recounts. (...)
The California reports said the scientists, acting at the state’s request, had hacked into systems from three of the four largest companies in the business: Diebold Election Systems, Hart InterCivic and Sequoia Voting Systems.
Thousands of their machines in varying setups are in use.
The reports said the investigators had created situations for each system “in which these weaknesses could be exploited to affect the correct recording, reporting and tallying of votes.”
Voting experts said the review could prompt the California secretary of state, Debra Bowen, to ban the use of some of the machines in the 2008 elections unless extra security precautions were taken and the election results were closely audited.
Matthew A. Bishop, a professor of computer science at the University of California, Davis, who led the team that tried to compromise the machines, said his group was surprised by how easy it was not only to pick the physical locks on the machines, but also to break through the software defenses meant to block intruders."
There's just no excuse for this. We are a wealthy nation. We have wonderful scientists. Why we cannot manage to have secure voting machines is just a mystery to me. I hope the Democrats' proposal manages to get it right; if anyone here knows about these issues and wants to comment on it, or to point us to good evaluations of what they're proposing, I'd be grateful.
Because this isn't partisan; it's our democracy.
A couple of points brought up in another article:
1. "'All information available to the secretary of state was made available to the testers,' including operating manuals, software and source codes usually kept secret by the voting machine companies"
2. "The study was designed to discover vulnerabilities in the technology of voting systems used in the state. It did not deal with any physical security measures that counties might take and 'made no assumptions about constraints on the attackers'"
3. "'The testers did not evaluate the likelihood of any attack being feasible'"
Bishop's report will probably not tell us much about how secure these things are in the real world. My guess is that we will never have a totally tamper-proof system of any kind. It's just too huge of a task with too many stages of information transfer.
On the other hand, I've read several accounts like this one, that give me the absolute jibblies. The machine they looked at in the analysis I linked is running Windows (yes, actually Windows) and can be booted directly to Windows Explorer by manipulating a file on the removable memory card.
I would have expected voting machine companies to develop proprietary operating systems for these things, or at least to use an OS that had security built in from the bottom.
Something has to be done about how these contracts are awarded. If they're done on merit, we should see a bunch of really nice machines developed in the next couple of years, based on the amount of money to be made.
Posted by: dkilmer | July 28, 2007 at 01:57 AM
..Paper ballots and a proper, state-run register that has a couple of protections from having voters removed at a whim. And probably the death penalty for anyone exploiting systemic problems for political purposes.
I mean, it's the only thing that works, yeah?
Posted by: fleinn | July 28, 2007 at 02:54 AM
Here's a good link: Open Voting Consortium.
I'm not going to clutter things with a deep explanation of open-source, because you can find it 20 billion other places. But in short there's no excuse whatsoever for the source code that runs voting machines not to be available for public inspections. Just no excuse.
Posted by: Equal Opportunity Cynic | July 28, 2007 at 03:08 AM
Hilzoy: Why we cannot manage to have secure voting machines is just a mystery to me.
Because otherwise, how can the Republicans ensure they get into power regardless of who actually wins the election? Duh.
dkilmer: Bishop's report will probably not tell us much about how secure these things are in the real world.
You've never worked with a hacker, have you? I have: people who reverse-engineer source code for fun. Hackers don't like to read manuals even if they're available: they prefer to figure out what the source code does by logic. Passwords are a trivial problem.
If elections in the US were supervised by a professional, neutral organization whose employees were not partisan, your point about physical security would have some merit. But they're not.
Paper and pencil, locked and sealed ballot-boxes, and hand-counted votes. No electoral system is absolutely tamper-free, but that's the best.
Posted by: Jesurgislac | July 28, 2007 at 04:22 AM
Electronics are way better than paper and pencil, if done right.
It's just simple math, that started the entire IT field in the 40's.
The fact that Diebold has transactional logged systems in place to control their ATMs (where real money is) shows that they have the ability to do this. ACID transactional code has existed since the 80's, and secure protocols for data transference have existed since the 70's.
This is 30 year old technology people. The fact that someone cannot properly implement 30 year old technology is far more telling than almost anything.
Posted by: bago | July 28, 2007 at 08:10 AM
"Because otherwise, how can the Republicans ensure they get into power regardless of who actually wins the election? Duh."
Half right. Who is in the best position to hack voting machines? Elections officials.
What are elections officials almost everywhere? Reliable members of the party which dominates the area.
Therefore, what will hacking by elections officials do? It will make parties more secure in the areas they already control.
In whose interest is this? Incumbents, who happen to choose the voting technology.
Insecure, hackable voting technology is a bipartisan scam, like ballot access laws and campaign finance 'reforms' that cripple challengers. Each party merely wants its members to think that it's only the other party that's guilty.
Posted by: Brett Bellmore | July 28, 2007 at 08:13 AM
Ah, the familiar "They're both equally guilty!" from Brett.
Al Gore won in 2000. Bush got the Presidency.
We don't know who won in 2004, thanks to the wonders of electronic vote-rigging. Exit polls suggest it was Kerry. We know Bush got the Presidency.
Exit polls suggest that there was a Democratic landslide in 2006, that was turned into a narrow Democratic win with the wonders of electronic vote-rigging.
This could be a bi-partisan problem, if Democrats decide that since Republicans have no intention of going back to free and fair elections, they shouldn't bother with them either.
Right now, however, it is a Republican advantage: and the issue for the 2008 election is how to ensure that, unlike in 2000 and 2004, the Presidential candidate who wins the election gets to take office.
Posted by: Jesurgislac | July 28, 2007 at 08:33 AM
Paper and pencil, locked and sealed ballot-boxes, and hand-counted votes.
I don't really see a reason to hand count the votes as long as the ballots are maintained to allow such a count if it becomes necessary, but otherwise I concur that this would be the ideal solution.
Posted by: G'Kar | July 28, 2007 at 08:56 AM
Every developer can use public/private key transmission to secure their data. Record transmit hashes and detect anomalies at any point during data transit. Use Transactions to prevent incomplete data from corrupting your totals. Logs are cheap and easy to maintain and secure. Paper is just another layer atop that, that happens to be slow and easy to forge.
http://en.wikipedia.org/wiki/Public-key_cryptography
Posted by: bago | July 28, 2007 at 09:00 AM
The fact that someone cannot properly implement 30 year old technology is far more telling than almost anything.
ditto.
Every developer can use public/private key transmission to secure their data.
i don't see how PKE solves the problem of a compromised machine reporting its (invalid) totals. PKE will make the communication between the machine and the totaller secure, but the machine's still free to lie about the number.
Posted by: cleek | July 28, 2007 at 09:14 AM
Insecure, hackable voting technology is a bipartisan scam.
This is delusional. Are you saying that Diebold contributes equally to the Republican and Democratic parties?
Posted by: obscure | July 28, 2007 at 09:30 AM
i don't see how PKE solves the problem of a compromised machine reporting its (invalid) totals.
In principle Public-key infrastructure can be used to guarantee integrity and non-repudiation. In other words, you submit a ballot for candidates X, Y, and Z, and sign it with your private key, which results in a really long number that can only be decrypted by your public key. After the votes are tallied, you suspect your vote has been compromised. Now you provide your public key to decrypt your "vote" (the long number) and verify whether it was tallied correctly. Any tampering is going to be evident, because the tamperer doesn't have your private key to encrypt the tampered vote into a different long number that resolves to a valid vote when decrypted.
It's hard for me to see how this squares with a secret ballot, but it's no thornier than the same problem with paper receipts. In fact it's pretty analogous: at whatever point you decide to challenge your vote, you're going to have to come forward and give up the privacy of your vote. As long as you're given a unique vote ID when you vote, your vote can be retrieved that way without your name or other identifying info being stored at the same time.
I was never that good at understanding PKI but I think the above is pretty accurate.
Posted by: Equal Opportunity Cynic | July 28, 2007 at 09:34 AM
That's absurd, Bago, given cleek's objection and that part of the goal here is to ensure that even the elections officials can't cheat. Read about Punchscan if you want an example of a more cryptographically secure voting system (one based on paper ballots, no less).
Posted by: Steve | July 28, 2007 at 09:35 AM
I too agree with bago. I do virtually all my banking at ATMs and have never had a machine error, or a problem with someone hacking my account.
Yet ATMs handle money, allow for more varieties of transactions than voting machines, and print a paper receipt, with a transaction number, for verification.
Why this can't be adapted for voting is beyond me.
Posted by: Bernard Yomtov | July 28, 2007 at 09:35 AM
After the votes are tallied, you suspect your vote has been compromised.
how could you possibly suspect this ? unless the precinct totals are insanely out of character with the local demographics, why would anyone but cranks and those out for mischief challenge the recording of their own vote ?
and, it still doesn't stop the problem where the voting machine simply lies about its own total when reporting to the central totaller. and again, that's something that will only be caught if the totals seem very unusual.
It's hard for me to see how this squares with a secret ballot,
and that secrecy is a must-have feature.
Posted by: cleek | July 28, 2007 at 09:38 AM
Was Bago suggesting that individuals, rather than the voting machines, have private keys. Jeez, that's... ambitious.
Posted by: Steve | July 28, 2007 at 09:39 AM
Steve: That's not absurd at all. A well-structured PKI would be much more secure than paper receipts. There might be value in producing useless paper just to give people who don't understand PKI a sense of security. It's like the Transportation Security Administration arguably makes people jump through hoops not to make them safer, but to make them think they're safer.
Another concern that comes to mind, though, is this: Who's going to distribute the private keys? You'd like it to be someone different from the organization tallying the votes, to minimize the risk that they'd retain the distributed keys.
Posted by: Equal Opportunity Cynic | July 28, 2007 at 09:48 AM
Either it's a bipartisan scam, or Democrats/Republicans are willfully participating in their own destruction. I find it a lot easier to believe that both major parties are dirty, but then, I *am* a life member of a third party, so I don't have much reason to pretend one of them is clean.
Speaking as an, originally, EE, with computer engineering as my major, I have no doubt that purely electronic voting machines can be made secure. I have severe doubts that you can do it in such a way that their security is obvious to the average voter. And I happen to think that latter goal somewhat important.
Posted by: Brett Bellmore | July 28, 2007 at 09:52 AM
I wrote,
After the votes are tallied, you suspect your vote has been compromised.
cleek wrote,
how could you possibly suspect this ? unless the precinct totals are insanely out of character with the local demographics, why would anyone but cranks and those out for mischief challenge the recording of their own vote ?
That's a problem with any evidence of individual votes, including the vaunted paper receipts. A paper receipt of your vote isn't going to do you a lot of good if you don't suspect your vote's been changed.
and, it still doesn't stop the problem where the voting machine simply lies about its own total when reporting to the central totaller. and again, that's something that will only be caught if the totals seem very unusual.
No, but PKI provides better evidence of the individual votes that were mistallied. Again, until someone recognizes an anomaly, all the secure verification of votes in the world won't help.
and that secrecy is a must-have feature.
And yet again, this isn't a unique defect of PKI. It's hard to present a paper receipt to challenge the way your vote was tallied and still remain anonymous. I suppose there might be ways to do it. If you're just submitting a vote ID and a public key for your protest, you could do it on a Web site from your living room! But a paper receipt would require you to walk into the electoral commission.
Posted by: Equal Opportunity Cynic | July 28, 2007 at 10:00 AM
Brett: "I have severe doubts that you can do it in such a way that their security is obvious to the average voter. And I happen to think that latter goal somewhat important."
I am going to faint. I agree with Brett.
To some degree it matters how secure a system is only to the point that the average voter believes it is secure. If the voters don't have a trust in a system, it doesn't matter if the system is the most totally secure system in the world.
I am not a big fan of electronic voting, but if it is going to happen, there should be a paper trail and in each election, there must be random audits by matching the paper records with the electronic totals.
Part of the problem is our country's demand for instantaneous results. Other countries hold elections for 2 days and can take up to a week to get results. Why can't we?
Posted by: john miller | July 28, 2007 at 10:01 AM
because a 1024 bit encoding is so hard to compute and divide onto a receipt, and hashed to a log. With a nice paper barcode to recover corruption on the digital realms.
Honestly your worst threat is for reading of raw entry view of keysnoops and apps. only allowing strongly signed packages to run within a sandbox, and allowing ethereal code to live, deconstruct itself and in a sandbox expose its functionality would be logging. client honeypot.
Use partial key brute-force hacks to load the ddos down with so much work that they don't scale properly. send nasty bs binary over ports that are open expecting auth to work. Reverse flood, etc.
point is, if people bring their vote hashes to contest a count... irregularities will appear real darn quick.
Posted by: bago | July 28, 2007 at 10:02 AM
Let me take the rare opportunity to say that I agree with Brett -- his last paragraph, anyway.
Posted by: KCinDC | July 28, 2007 at 10:04 AM
What. After a count set up a web service where a user can enter their user ID and guid/hash. Then they can verify they were counted correctly. What is so hard about that?
Posted by: bago | July 28, 2007 at 10:06 AM
EOC, despite the unfortunately common use of the misleading term "receipt", few proponents of paper trails are actually advocating for something that voters take home with them. After all, that completely throws out the idea of the secret ballot, opening us up to rampant bribery and coercion.
Of course, the mass move to voting by mail already does that, and I expect to see some scandals arising from that in the next few years.
Posted by: KCinDC | July 28, 2007 at 10:08 AM
Bago, you mean aside from abandoning the secret ballot and turning the voting system into a black box that the average voter can't understand or observe?
Posted by: KCinDC | July 28, 2007 at 10:10 AM
if people bring their vote hashes to contest a count... irregularities will appear real darn quick.
again...
they will contest their vote only if they have reason to suspect the overall totals are wrong. a few percent here and there, across many precincts, might be hard to notice.
and, no paper receipt or vote hash stops the machine from lying to the central collection machine. a machine can happily tell users all day long that they voted R - yes the hash matches something calculated at vote time, hooray! - while telling the totaller that they voted R.
Posted by: cleek | July 28, 2007 at 10:16 AM
I really don't see what's wrong with pen and paper - works very well for many countries. And anything can be hacked, it's not about the ATM but the server against which the data is checked.
Fundamentally though, I think there is no way out of this, but to restore public trust by combating partisanship. If you have election officials or party operatives whose sole purpose is to stand there and disenfranchise voters the US looks a lot like a Banana Republic.
Posted by: novakant | July 28, 2007 at 10:28 AM
while telling the totaller that they voted R.
of course i meant "...while telling the totaller that they voted D."
Posted by: cleek | July 28, 2007 at 10:40 AM
Bago, you mean aside from abandoning the secret ballot and turning the voting system into a black box that the average voter can't understand or observe?
So to sum up You is afeared of the black box methods that happen after you turn in your bite.
Ves a System like this where everyone with a receipt can overturn their allegendary entries and throw the entire counting mechanism into doubt.
Dependency resolution is trackable and in the power of the people, and not in the powers of the counters. It should be open and traceable. to allow for follow up interviews on confusion.
Posted by: bago | July 28, 2007 at 10:45 AM
CRC checks, which are done over any significant data transfer, would find such discrepancies at a protocol layer.
Posted by: bago | July 28, 2007 at 10:47 AM
Bago, apologies if you're not a native English speaker or have poor eyesight or something, but your 10:45 comment is simply incomprehensible. Besides, I thought you were in favor of the receipts, so why point to the ability of a few disgruntled voters to lie about their votes and throw the system into chaos?
The point is that I want a system the average voter can understand and observe without having a computer science degree. If everything's happening inside computers, then there's not much for election observers to observe, and what observation is possible depends on the high priests, who may be in short supply and not universally trusted.
Posted by: KCinDC | July 28, 2007 at 11:05 AM
To those who maintain that paper ballots are the only secure way to go: if this be true, then why aren't we all using paper checks instead of credit cards and ATMs?
Posted by: Erasmussimo | July 28, 2007 at 11:23 AM
Have you ever administered a PKI, Bago? Including setting up a signing authority and handling key revocation and reissuance? It's difficult, even in closed circumstances like a military base where everyone is familiar with computers. Coming up with a system where everyone's 85-year-old grandma can use strong encryption strikes me as undoable. I suspect that eventually machine-generated optical scan ballots will become the norm, but who knows?
For those interested in this, I repeat that Punchscan is a very interesting low-tech and auditable approach (with the problem that one can prove the vote one cast after the election, but that's a problem in which any individual vote can be verified by the person who cast it).
Posted by: Steve | July 28, 2007 at 11:24 AM
To those who maintain that paper ballots are the only secure way to go: if this be true, then why aren't we all using paper checks instead of credit cards and ATMs?
Because the companies that supply ATMs and America's credit card network seem to take security seriously when designing those products, their customers fall on them like a ton of bricks when they screw up, and the people who approve the purchasing decisions seem to understand the technical considerations of what they're buying. Not one of these conditions, particularly the first, is the case when you're talking about the current generation of electronic voting systems.
Posted by: Steve | July 28, 2007 at 11:32 AM
Posted by: KCinDC | July 28, 2007 at 11:55 AM
KCinDC writes: Voting is completely different from banking, unless you're abandoning the secret ballot.
Since when is my bank statement NOT a secret? My bank records are most certainly NOT available for public inspection. I concede that ballot secrecy is compromised in the case in which one person coerces another person's vote, and requires the receipt as proof of compliance -- but let me remind you that a) such coercion is not likely to be a large factor in electoral outcomes; and b) it is deterred by criminal penalties.
Therefore, the coercion factor is a secondary consideration, and certainly does not justify the claim that voting is "completely different" from banking.
Posted by: Erasmussimo | July 28, 2007 at 12:14 PM
Brett nails it. Democrats have programmers too.
I can't see any reason why either party couldn't easily suggest super-helpful election safeguards. What is the other party going to do, say "we don't want good elections"? Neither party pushes hard on this; the only reason I can see for that is because incumbents know (or believe) they can solidify their own positions through fraud.
Not to put too fine a point on it, but you all know that California isn't exactly a Republican stronghold right?
Posted by: Sebastian Holsclaw | July 28, 2007 at 12:30 PM
"You've never worked with a hacker, have you?"
I've worked with many (I've been a software engineer for 17 years and have done reverse-engineering myself), and I don't doubt that these voting machines could be completely reverse-engineered without manuals or source code. But the "hacker" needs sufficient time and access to succeed in actually messing with the vote. This is demonstrable. So I think it's a mistake to discount the real-world environment, or even to separate discussion of it from the discussion of whether the machine itself is secure. The machine is always a machine in an environment.
Also, I'm talking about the machines we have now, and assuming that there's no time to replace them with better ones before the next election. We need to have a clear idea of what the actual danger of manipulation is, and I don't think we're going to get that from Bishop's report.
Posted by: dkilmer | July 28, 2007 at 12:38 PM
Since when is my bank statement NOT a secret?
it's not a secret to the bank.
on the other hand, the only thing the election board should know about you is: can you legally cast a vote ?
that's like having a bank know if you're eligible to have an account, but not if you have one, how much is in the account, or what you're doing with it.
Posted by: cleek | July 28, 2007 at 12:54 PM
Of course it's completely different. If someone steals money out of your bank account, then you will know it if you have records. If someone steals an election, how will you know? Knowing your bank account balance does not require trusting the bank's computer system.
Posted by: KCinDC | July 28, 2007 at 01:06 PM
I wholeheartedly agree that all voting machines systems' s/w - as in use - be open source. Revealing the source and object codes should simply be a cost of providing those systems to the public. This is done in other govt contracting venues all the time; the cost is simply built into the price.
These are state purchasing decisions, but the feds could set minimum requirements - called r.e.g.u.l.a.t.i.o.n.s - which they could enforce because those machines are also used for federal elections, and some are bought with federal tax dollars. It's a relatively small price to pay for keeping a democracy. To use an automotive analogy, change the oil, or change the engine.
Posted by: OutSourced | July 28, 2007 at 01:16 PM
KCinDC asks If someone steals an election, how will you know?
If we give the voter a paper receipt to take home, that receipt could easily include information that could permit the voter to access their own voting record, without revealing it to anybody else. Indeed, we could (probably should) make the receipt an option. Most voters wouldn't bother with it, but the few who do take a receipt home can pose enough of a threat of detection to deter any election tampering.
Posted by: Erasmussimo | July 28, 2007 at 01:36 PM
With banking, the bank tells you how much money is in your account, you can see that it matches what you think you should have, and you can withdraw it. Not at all like voting.
It could permit them to access what the system claims was counted as their own vote. Without trusting the system, they have no way of knowing that their vote was counted, or even if it was, that a bunch of fake votes weren't added in. And the system is only observable and understandable by people with highly specialized knowledge (assuming we even get to the point of allowing observers), not by any random person who can read ballots, count, and see whether ballots and numbers are being handled properly. That's not a plan for restoring confidence in our electoral system or reducing conspiracy theories.
Posted by: KCinDC | July 28, 2007 at 02:23 PM
In answer to:
"To those who maintain that paper ballots are the only secure way to go: if this be true, then why aren't we all using paper checks instead of credit cards and ATMs?"
1] Because in a banking system the interests of both parties converge; in an election their interests diverge approximately 50% of the time. This is based on 100% Republican ownership of voting machine contracts.
2] In a banking system the account can be fully monitored by the two [very] interested parties. Such is not the case in elections.
Most nations use paper, it is cheaper and more accurate. Everybody with an IQ over 75 can understand paper ballots which gives people ownership...a very important concept to countries that believe in Democracy.
BTW, i never thought I'd see the day i would agree with Brett even in part.
Posted by: S Brennan | July 28, 2007 at 02:42 PM
KCinDC, you need not worry about the voter's true vote being deleted; the whole point of the receipt is that it gives the voter a statement of how they voted. Sure, the computer could be programmed to tell the voter one thing and record another, but if that happened, voters who check the final results on the Web will discover that their votes were altered, and they'll have documented proof of it.
You're right that there's a possibility of ballot-box stuffing -- but that happens with paper ballots, too. I see no special, easier means of stuffing an electronic ballot box than of stuffing a physical ballot box.
S.Brennan, you're right that the interests of the two parties diverge, but the same argument applies equally forcefully to paper systems.
The basic problem here is that no system, computer or paper, is robust against cheating by election officials. The best defense is to make the whole process absolutely transparent at every point in the election. That requires observers from both major parties present during the entire process. There's no reason why the computerized process would be more insecure when independent observers are present at all times.
Posted by: Erasmussimo | July 28, 2007 at 02:59 PM
With proper crypto you can tell if your message has been edited. It will no longer have its hash/crc match. (Good reason for not releasing source until after election day) Running copies of the data to central databases would prevent local tampering, and any actions done to the central dbs would be logged to hell.
Also with encryption you can prevent ddos attacks by dropping key bits according to load, forcing clients to brute force parts of the key, which when coupled with some session control can really make things interesting.
Posted by: bago | July 28, 2007 at 03:19 PM
Insecure, hackable voting technology is a bipartisan scam
Id like to see this backed up with data rather than theorizing about incumbency... one could ignore the data about voter suppression efforts and conclude that each party could theoretically be equally guilty of such efforts when they benefit the party.
But, in fact, one party engages in wholesale voter suppression, and the other one doesn't. Now, maybe the Dems would go down that road- maybe they're no better- but that doesn't describe the current situation.
Posted by: Carleton Wu | July 28, 2007 at 03:23 PM
A system with paper ballots is also a whole lot less fragile. With electronic voting it takes very little going wrong to bring the whole system to a halt (as we saw in last year's primary in Silver Spring), especially if you can't do anything to fix the machines without having a specially certified technician, and those aren't going to be so common as to have one on standby at each precinct.
And electronic voting stations are expensive, so there won't be many at each precinct, and lines may get long, especially if some of the machines aren't working. At my polling place, on the other hand, there are probably 20 voting stations, because each requires only a pencil and a privacy screen, and 20 more could be set up in no time.
Not if the vote they see when they check is not the same as the vote that was actually counted. Sure, it's possible to set up a system in which that's going to be guaranteed, but I'm not confident it would actually be implemented correctly in the real world and, more important, the average voter hasn't been trained in cryptography and thus has no reason to trust that the vote they're "checking" is the same one that was counted. You can have people from whatever parties are interested make sure the ballot box is empty at the start, watch the ballots be collected and counted, watch the totals be reported. None of that requires people with degrees in computer science. The whole system is understandable to everybody.
Posted by: KCinDC | July 28, 2007 at 03:37 PM
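A toy model of the objection cleek raised at 10:16 and KCinDC restates here, added to this thread as an illustration (it is not code from any commenter or from any real voting system; the machine, receipt format and audit routine are all hypothetical). It shows that a "look up your hash on a web site" receipt check passes for every voter even when the machine misreports the tally, and that the misreport is only caught when the tally is independently recomputed from the same committed records the receipts refer to.

```python
"""Why receipt lookups alone do not catch a lying machine.

Hypothetical model (constructed for this thread, not a real system):
a voter's receipt is H(vote_id | choice | nonce); the machine stores the
true record so every lookup succeeds, but dishonest firmware can still
report flipped totals to the central totaller.
"""
import hashlib
import secrets
from collections import Counter


def receipt(vote_id: str, choice: str, nonce: str) -> str:
    """The value the voter takes home: a commitment to (id, choice, nonce)."""
    return hashlib.sha256(f"{vote_id}|{choice}|{nonce}".encode()).hexdigest()


class Machine:
    """Hypothetical DRE. flip=(a, b) models firmware that reports every
    vote for `a` as a vote for `b` while still storing the true record."""

    def __init__(self, flip=None):
        self.flip = flip
        self.records = []  # (vote_id, choice, nonce) exactly as cast

    def cast(self, choice: str):
        vote_id = secrets.token_hex(4)
        nonce = secrets.token_hex(8)
        self.records.append((vote_id, choice, nonce))
        return vote_id, receipt(vote_id, choice, nonce)

    def lookup(self, vote_id: str):
        """The post-election 'enter your ID, see your hash' service."""
        for vid, choice, nonce in self.records:
            if vid == vote_id:
                return receipt(vid, choice, nonce)
        return None

    def reported_tally(self) -> Counter:
        """What the machine sends to the central totaller (possibly flipped)."""
        counts = Counter()
        for _, choice, _ in self.records:
            if self.flip and choice == self.flip[0]:
                choice = self.flip[1]
            counts[choice] += 1
        return counts


def receipts_verify(machine: Machine, receipts) -> bool:
    """cleek's point: this succeeds for every voter even when the tally is wrong,
    because the lookup reads the true record, not the reported total."""
    return all(machine.lookup(vid) == r for vid, r in receipts)


def audit(published_records, published_receipts, reported_tally) -> bool:
    """Independent check: every opened record must hash to a published receipt
    and the tally recomputed from the opened records must match the report."""
    opened = {receipt(vid, c, n) for vid, c, n in published_records}
    if opened != set(published_receipts):
        return False  # records do not match what voters hold
    return Counter(c for _, c, _ in published_records) == reported_tally


def run_scenario(flip=None, ballots=("D", "D", "R")):
    """Returns (receipt checks pass?, audit passes?) for one precinct.
    Constructed ballots; flip=("D", "R") is the dishonest case."""
    m = Machine(flip=flip)
    receipts = [m.cast(choice) for choice in ballots]
    checks_ok = receipts_verify(m, receipts)
    audit_ok = audit(m.records, [r for _, r in receipts], m.reported_tally())
    return checks_ok, audit_ok


if __name__ == "__main__":
    print("honest machine   ", run_scenario())                 # (True, True)
    print("flipping machine ", run_scenario(flip=("D", "R")))  # (True, False)
```

The audit only works if the records are published and opened under observation; a machine that also rewrote its stored records would defeat it, which is the case for the paper-trail random audits john miller proposes.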
You know, I hate to go all tin foil hat on this but I'm beginning to suspect that this is a feature not a bug.
Posted by: Fledermaus | July 28, 2007 at 03:48 PM
Sebastian: I can't see any reason why either party couldn't easily suggest super-helpful election safeguards.
In a vacuum, neither can I. In a country where the last two Presidential elections were rigged in favor of one party thanks to the lack of election safeguards, it's unsurprising that the party that benefits is a party that's uninterested. But in theory, assuming all senior members of all parties really want honest, fair, open elections, it is a bipartisan issue.
But the "hacker" needs sufficient time and access to succeed in actually messing with the vote. This is demonstrable.
Yes. And they have 15 months or so to do it. No problem.
Posted by: Jesurgislac | July 28, 2007 at 04:29 PM
"But in theory, assuming all senior members of all parties really want honest, fair, open elections, it is a bipartisan issue. "
Why would we assume that *most* much less *all* senior members of either party really want honest, fair, open elections? Incumbents want to maintain power for themselves.
The Democrats have both Houses of Congress. I haven't seen a comprehensive election bill even make it through the House of Representatives. If it were just Republicans they could force a veto or a filibuster. There is a reason that hasn't happened. Surely it would be super-damaging to Republicans to be 'forced' to vote against reasonable election reform.
Posted by: Sebastian Holsclaw | July 28, 2007 at 04:37 PM
KCinDC, I don't think we need to have computer science people monitoring the activity. If we had machines whose operating system was burned into ROM, and whose cases are sealed, then the only thing we need to tell election workers is "Don't let anybody take apart the boxes", which is pretty easy for any person to verify. Don't put the data on hand-carried EEPROMs, just keep the machines in contact with the central computer at the county headquarters. Encrypt the signals going both ways, require initiation by the central computer, use all the very well-developed technologies used by the banking industry and the military to keep the data secure. You wouldn't even need computer experts at the county level -- just somebody watching the computer and making sure that nobody cuts it open.
These are old, old problems that were solved decades ago by businesses, and they're even better nowadays.
Posted by: Erasmussimo | July 28, 2007 at 05:05 PM
Sebastian: Why would we assume that *most* much less *all* senior members of either party really want honest, fair, open elections? Incumbents want to maintain power for themselves.
*shrug* Some people figure that in a democracy the best way to maintain power is to convince the electorate to vote for you. Obviously, this doesn't apply to the Bush administration, but I suspect it does apply to more politicians than you think.
However, if a party in power knows that it has become so unpopular that in any honest, fair, open election it will lose drastically to the opposition, and that party has means of rigging elections open to it, then it would take quite a commitment to democracy to accept that they will have to spend time out of power and figure out how to get the electorate to vote for them again, rather than just rigging the elections in their favor.
We've already seen that the Republican party has no commitment to democracy outside the US. The placid acceptance of the rigged results in 2000 and 2004 demonstrated no commitment to democracy inside the US.
Surely it would be super-damaging to Republicans to be 'forced' to vote against reasonable election reform.
In what way "super-damaging"? People will vote against them at the polls? If they can rig elections, why should they care?
Posted by: Jesurgislac | July 28, 2007 at 05:11 PM
I guess I'm the only one to disagree with this:
I think the former is more important, and leads to the latter; whereas the latter makes the former less attainable. The Diebold machines were thought to be Latest and Greatest voting machines, soooooo much more safe and secure than those silly hanging-chad paper ballots. The appearance of security is how we got into this mess.
We need something that IS secure, not another window dressing.
Posted by: Jeff | July 28, 2007 at 06:03 PM
The Democrats have both Houses of Congress.
Let's look at the Senate. The Dems have a 51-49 edge. That means that a single defection from the Dems would kill such a bill- the lack of such a bill might mean that the Dems know they don't have a majority (Lieberman?). Or that they know that a veto is inevitable & they'd rather spend time on something that might get through. Or that such a bill will be introduced later (they have been pretty busy since they took control about 6 months ago)- but it's not their first priority.
Or, maybe they are no more interested than the Republicans- but your conclusion is very premature.
Posted by: Carleton Wu | July 28, 2007 at 06:31 PM
"We need something that IS secure, not another window dressing."
Agreed. We need something that IS secure. We also need something that IS affordable, and IS currently available, and IS possible to roll out on a widespread basis by the next election.
There's only one voting system currently available which meets ALL the relevant criteria, and that is optical scan balloting. It's cheap, it's secure, it's robust, and it can be deployed very, very rapidly.
Posted by: Brett Bellmore | July 28, 2007 at 08:01 PM
"Let's look at the Senate. The Dems have a 51-49 edge. That means that a single defection from the Dems would kill such a bill- the lack of such a bill might mean that the Dems know they don't have a majority (Lieberman?). Or that they know that a veto is inevitable & they'd rather spend time on something that might get through."
Why would any Democrat defect on a good election reform bill? Why wouldn't some Republicans? This isn't a good explanation at all.
Posted by: Sebastian Holsclaw | July 28, 2007 at 08:31 PM
Yes. And they have 15 months or so to do it. No problem.
I meant during the vote-taking.
Posted by: dkilmer | July 28, 2007 at 09:18 PM
Hand marked paper ballots do the job just fine. There is no need to fix something that is not broken. The pressure to "improve" how we vote always comes down to two factors: someone is selling something and hopes to make a buck at the taxpayer's expense, and some politician sees personal advantage in it.
Just because it's new and hi-tech doesn't mean it's better.
Posted by: togolosh | July 28, 2007 at 10:46 PM
dkilmer: I meant during the vote-taking.
Why wait till then?
Voting machines/voting software must be designed some time in advance of the election. There is no need to suppose that a hacker determined to fix the election would wait until the first Tuesday in November to do so, or that they would have to wait till then.
Posted by: Jesurgislac | July 29, 2007 at 03:45 AM
Brett: Agreed. We need something that IS secure. We also need something that IS affordable, and IS currently available, and IS possible to roll out on a widespread basis by the next election.
So paper, pencils, hand-count ballots. That meets all the requirements. "Optical scan balloting" doesn't.
Posted by: Jesurgislac | July 29, 2007 at 03:46 AM
There is no need to suppose that a hacker determined to fix the election would wait until the first Tuesday in November to do so, or that they would have to wait till then.
Ah. I think I was misunderstanding you. You were thinking along the lines of a fairly large conspiracy. I was thinking of an outside sort of job.
Posted by: dkilmer | July 29, 2007 at 04:39 AM
Why assume that being aware of the date of the next election, and planning in advance for it, would require a "fairly large conspiracy"?
Posted by: Jesurgislac | July 29, 2007 at 07:40 AM
We need something that IS secure. We also need something that IS affordable, and IS currently available, and IS possible to roll out on a widespread basis by the next election.
If hand-counted ballots were cheap enough for the founding fathers, why has it gotten so much more expensive per capita since then?
Posted by: J Thomas | July 29, 2007 at 10:27 AM
I fail to see the problem with optical scans of ballots. The ballots are still hard copies, they're easy to read, but with optical scan the initial count can be performed in a reasonably short period of time. If questions arise, it's easy enough to perform a hand count after the fact.
Posted by: G'Kar | July 29, 2007 at 10:40 AM
G'Kar, I'm also in favor of optical-scan ballots, which are (mostly) what we use here in DC, I think the problem is with the clause "if questions arise". If there's something wrong (intentionally or not) with the counting machines, but the result is not so wildly off as to be unbelievable, then questions might not arise.
We see this every election with vote totals from electronic machines. Some precincts report impossible or unlikely totals -- more votes for a candidate than the number of voters, negative totals, and so on -- and are investigated and corrected. But what about similar errors (or "errors") that produce less bizarre results?
I'd prefer that at least a random sample of the optical scan ballots always be hand-counted at some point.
Posted by: KCinDC | July 29, 2007 at 11:29 AM
Jesurgislac - We were talking about whether physical security was relevant. My point was that it *is* relevant, because physical security will determine how much access and time a potential hacker has. Let's say Bishop's team came up with a devastating hack, but it required a half hour of access, or required making a really loud noise to get access, or required a large piece of equipment. Those things would not be feasible, given decent physical security. So my point was simply that we need research that looks at the likelihood of feasible attacks. Otherwise, the public gets a skewed impression of how vulnerable the system is.
Posted by: dkilmer | July 29, 2007 at 12:06 PM
dkilmer: Let's say Bishop's team came up with a devastating hack, but it required a half hour of access, or required making a really loud noise to get access, or required a large piece of equipment.
Why assume any of that? So far, the most efficient hack for voting machines has been shown to be swapping the memory card with a preprogrammed card. For this, you needed no special equipment and less than five minutes with the machine. See Black Box Voting.
What are the advantages of electronic voting or counting? As far as I can see, there's only one: it produces a count much faster than if you were to hand-count paper ballots marked by hand.
Why is this fast count considered so important that it outweighs all the known disadvantages of electronic voting/counting?
Posted by: Jesurgislac | July 29, 2007 at 01:21 PM
Electronic voting has serious, known disadvantages. Electronic counting of human readable ballots has no disadvantages that I'm aware of, and has it all over humans for objectivity and reliability.
The question, then, is why you're so keen on people writing down names on ballots, or whatever, instead of filling in little circles next to the printed names.
Posted by: Brett Bellmore | July 29, 2007 at 01:33 PM
KCinDC,
Having a hand count of a sample of ballots seems a reasonable precaution.
Posted by: G'Kar | July 29, 2007 at 01:38 PM
Over here the election results are in before midnight on election day and that after the ballots have been counted 3 times.
The counting is public. Election helpers are selected in the same style as for jury duty: You will receive a letter that you have been randomly selected and have to appear then and then at this and that location and have to give a pretty good explanation, if you don't.
One can also volunteer but the numbers will be filled, if not enough volunteers are there.
Even in the hair-split election Schröder vs. Stoiber there was no contesting the basic results (the only contest was over some intricacies of translating votes to mandates, not the raw numbers).
Posted by: Hartmut | July 29, 2007 at 02:06 PM
Add "by hand" to first sentence in last post.
As already mentioned, any electronic (or electric) device can malfunction (even without evil intent). The ATM machine at the bank where I have an account is out of order every few weeks for a few hours (maybe just out of money). I can still go to the counter and have them do the transaction and there is no "we will decide whether we count that provisional ballot after closing hours but we will probably not and burn it instead should a recount be ordered."
If the bank has a blackout, I can come again the other day. Not possible with elections.
Posted by: Hartmut | July 29, 2007 at 02:13 PM
That could work here. One of the profound problems with our own election system is that the people running the machinery are elected party members; in any place where the partisan balance isn't on a razor's edge, election administration is wholly in one or the other party's hands, with predictable results that each party pretends to believe are only indulged in by the other.
Ideally what we need is some kind of "Election corps", with volunteers being sent to randomly chosen places to run the election machinery.
Posted by: Brett Bellmore | July 29, 2007 at 02:26 PM
Brett, good point!
Maybe we should ask the UN to run our elections.
Posted by: J Thomas | July 29, 2007 at 02:30 PM
Brett: Electronic counting of human readable ballots has no disadvantages that I'm aware of, and has it all over humans for objectivity and reliability.
Who checks that it's working right, and who do they work for? Whereas hand-counting ballots is something that can be done with eyeball supervision from representatives of all parties, plus independent electoral observers. In a really close election, each ballot can be scrutinized by eye. Again, why is speed so much more important than accuracy, openness, and reliability?
Ideally what we need is some kind of "Election corps", with volunteers being sent to randomly chosen places to run the election machinery.
Well, yeah. A nation-wide independent, non-partisan organisation, whose mission it is to run free, fair, and honest elections. Other countries have such a body: why not the US?
Posted by: Jesurgislac | July 29, 2007 at 03:08 PM
"Whereas hand-counting ballots is something that can be done with eyeball supervision from representatives of all parties,"
That's true, but the simple, unavoidable fact is that eyeballs are less reliable than photocells. You can make up for it with redundant counts cross checked against each other, of course, and you can use election observers to watch for monkey business (I've served as one before), but I see no good reason not to use electronics where it actually has some advantage.
Posted by: Brett Bellmore | July 29, 2007 at 04:38 PM
That's true, but the simple, unavoidable fact is that eyeballs are less reliable than photocells.
You keep saying this: but it's not actually true. Photocells are faster than eyeballs: but less reliable. And in order to check photocell operation, you need eyeballs.
Posted by: Jesurgislac | July 29, 2007 at 05:07 PM
Electronics are way better than paper and pencil, if done right.
Paper and pencil work. Implementing them is a proven set of techniques with a long history.
When you're dealing with a critical system (such as, say, voting in a democracy), you don't discard what works. Tell you what - run electronic voting in parallel with paper and pencil for the next 6 elections or so, with people attempting to fiddle the e-books, and if there's no discrepancies, then consider it.
Posted by: Phoenician in a time of Romans | July 29, 2007 at 06:29 PM
Another shortcoming of the ATM/banking analogy is that the important thing in an election is the sum of all the transactions. Even though someone can verify each individual transaction, we do not trust the bank when it announces the sum of all the transactions (say, for purposes of determining how many loans it can make); we require audits, and more audits, and from time to time we put bank officials who get caught cheating in jail.
I'm a long-time computer-science type, and I would much prefer paper ballots with automated counting. I feel much more confident that we can manage the physical security associated with paper ballots, that they make audits (recounts) meaningful, and that they are harder to subvert than an end-to-end electronic system.
Posted by: Michael Cain | July 30, 2007 at 12:23 PM
I have severe doubts that you can do it in such a way that their security is obvious to the average voter. And I happen to think that latter goal somewhat important.
Exactly right. And, any approach in which there is no physical, hard copy record of the vote will not achieve the latter goal.
Mark your vote on a piece of paper. Secure the physical ballots and maintain a credible, auditable chain of physical custody. Tally by optical scan or by hand count, whatever floats your boat and meets your budget.
Technology's great. It's fast and cheap. In the case at hand, there are more important concerns than fast and cheap.
Thanks -
Posted by: russell | July 30, 2007 at 10:18 PM
Optical scan....
Yes! When they count the votes, have video cameras watching. Post the videos.
Probably nobody will watch, but they *could*.
Posted by: J Thomas | July 31, 2007 at 12:10 PM
Speaking as another software engineer, encryption is a useful tool but not a panacea. For example, I might have a program communicating with hardware and I'm worrying about a MitM attack. So I encrypt my data inside my program (I trust it because I wrote it), send it over the wire, and decrypt it in my hardware (again, I trust it because I write the firmware). This is a good use for encryption, because the parties on both ends are trusted.
With voting machines, you have information inside a trusted system (your head) that you transfer unencrypted to an untrusted system (the voting machine), then expect the untrusted system to do the right thing. This is clearly problematic, and I've never met anyone who can do strong encryption in their head.
Imagine a program that has two buttons P and Q. P casts a vote for candidate P. Q is supposed to cast a vote for candidate Q, but due to a clever hack actually casts a vote for P 10% of the time. Something that intellectually simple could defeat any amount of complex system you could throw at it.
You can't achieve 100% security in the design of a computer system; you have to enact a good policy. We could have the voting machine print out a paper ballot, the voter reviews it, and puts it in a secure ballot box. We then count the paper ballots the old-fashioned way.
I think the advantage to this type of system is that the votes don't just get counted multiple times, but in multiple ways. We have a quick "unconfirmed" result that is then verified.
Posted by: Matthew | August 01, 2007 at 01:24 AM
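Putting KCinDC's suggestion (always hand-count a random sample of the optical-scan ballots) together with Matthew's "button P / button Q" hypothetical, here is an added illustration that is not from any commenter: a tabulator that misrecords some Q votes as P, and a random hand-count sample of the paper ballots that catches it. The ballots, the deterministic flip pattern and the sample sizes are all constructed for the example.

```python
"""Added illustration: a faulty tabulator versus a random-sample hand audit.

The misrecording bug is the thread's hypothetical; every value below
(ballots, flip pattern, sample sizes) is constructed for this example.
"""
import math
import random

# Constructed paper ballots: 600 marked for candidate P, 400 for candidate Q.
PAPER_BALLOTS = ["P"] * 600 + ["Q"] * 400


def honest_tabulator(ballots):
    """Records every paper ballot exactly as it was marked."""
    return list(ballots)


def faulty_tabulator(ballots, flip_every=10):
    """Models the thread's hypothetical bug: one in every `flip_every`
    Q ballots is recorded as a vote for P. Deterministic rather than
    random so the result is reproducible."""
    recorded, q_seen = [], 0
    for mark in ballots:
        if mark == "Q":
            q_seen += 1
            if q_seen % flip_every == 0:
                recorded.append("P")   # the misrecorded vote
                continue
        recorded.append(mark)
    return recorded


def tally(records):
    """Per-candidate totals as the machine would report them."""
    return {c: records.count(c) for c in sorted(set(records))}


def sample_audit(paper, recorded, sample_size, seed=1):
    """Hand-count a random sample of paper ballots and compare each to the
    machine's record for the same ballot. Returns positions that disagree.
    The hand count is the independent second count the thread asks for;
    the seed only makes the sample reproducible."""
    rng = random.Random(seed)
    positions = rng.sample(range(len(paper)), sample_size)
    return sorted(i for i in positions if paper[i] != recorded[i])


def detection_probability(flip_rate, sample_size):
    """Probability that a sample of this size contains at least one
    misrecorded ballot when a fraction `flip_rate` of all ballots is wrong."""
    return 1.0 - (1.0 - flip_rate) ** sample_size


def min_sample_size(flip_rate, confidence=0.99):
    """Smallest sample that finds misrecording at `flip_rate` with the
    given confidence (solves detection_probability >= confidence for n)."""
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - flip_rate))


if __name__ == "__main__":
    machine = faulty_tabulator(PAPER_BALLOTS)
    print("paper totals:  ", tally(PAPER_BALLOTS))
    print("machine totals:", tally(machine))
    print("discrepancies in a 120-ballot sample:",
          len(sample_audit(PAPER_BALLOTS, machine, 120)))
    print("sample needed to catch a 4% error rate at 99%:",
          min_sample_size(0.04))
```

In this constructed case 40 of 1000 ballots (4%) are wrong, which is far too small a margin shift to look "impossible" in the reported totals, yet a hand sample of a little over a hundred ballots finds it with 99% probability.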
In Violation of Federal Law, Ohio's 2004 Presidential Election Records Are Destroyed or Missing:
Uh huh.
Posted by: Jesurgislac | August 01, 2007 at 04:30 AM
But I cannot help but wonder what point there is to President Bush addressing the nation about a relatively minor accident
Easy.
Because it goes to infrastructure. One of the 4 primary functions of government (others being public safety, education and defense). No matter how it is spun, it is the tax cutting GOP that is going to take it in the kneecaps for this. I'm not saying all that criticism is legitimate, it's just where the primary blame for all this is going to lie.
The GOP has neglected infrastructure, unless it benefits them politically or financially for the past generation.
Bush should have said something about it, but turning it into "terrorism! fear! fear! fear!" was SOP.
It would be pathetic if it wasn't so incredibly tragic.
Posted by: Simp | August 03, 2007 at 01:29 AM