[NOTE: Here we discuss real voting machines. We discuss older counting methods and whine about how (available) computerized voting machines are a step backwards. See TechnicalSpecificationForVotingMachines and SecuringVotingMachines discuss (theoretical) computerized voting machines and how to make them an improvement on (available) voting machines of all kinds.
reports a Johns Hopkins review of the Diebold source for their voting machines:
- used simple DES for their crypto
- had a backdoor password of 1111.
This page was created to discuss computer systems for voting. When the assumption that computers could make voting safer, more efficient or more reliable was challenged, the author removed his content and called the challengers Luddites.
Well, didn't actually
call them Luddites, but implied it rather strongly. Still, lots of good discussion ensues below.
"Verify the Vote: Tell Congress to Fight for Secure Elections!"
"CTV demands open code and auditable paper trails for all electronic voting systems." --
"Machine" is not synonymous with "computer" or "touch screen". A box of paper slips is a machine.
A box of paper slips is not
a machine. There is no automation and no labor is reduced or removed.
It reduces effort and increases accuracy over memory. I think a box of paper slips is a machine. It's certainly technology.
Paper slips are no more voting technology than beating clothes over a wet rock is laundry technology. Why are we fussing over these very basic concepts?!?
I'm challenging the assumption that computers can make elections harder to steal.
It is automation
that can make elections harder to steal. The ATM in the grocery store makes it easier for you to get money from your checking account with less worry about accidental or intentional loss. ATMs are carefully guarded devices with logging and back checking on all their internal operations. I had one rip me off for $300 one time. The bank took a month, but I was credited my $300 and got an apology from the bank. Why? Because everything was carefully logged and audited via automated schema.
Some enterprising souls contacted local malls and offered to set up ATMs for cheap. For several weeks they seemed unable to dispense cash, but always accepted deposits. Then one day they were all gone and the eventually folks realized it was a scam. ATMs haven't increased financial security, just altered it. It still relies on trust, but now the trust has been moved from a human in a bank to a box in a mall.
How much value do we assign to our elections? That is how much value automation can have in reducing fraud and mistakes.
What makes you think that?
less than realistic suggestion that voting can be accomplished using "trusted people" counting paper ballots or beans is beneath the level of informed discussion. Such methods may work fine in your church or local PTA, but such counting can't be relied upon for elections involving 150 million voters casting ballots containing two or three dozen candidate's names and another dozen local and statewide referenda. As an extension, think about China moving into an age of democratically elected public officials. How are you going to count beans from 1.5 billion people?
While I personally can't count 1.5 billion beans all by myself, I can come up with dozens of ways to get fairly accurate totals if I can get a small fraction of those 1.5 billion people to help me for an hour or so. These ways are called "scalable solutions".
Let's stick to the requirements that make some sense in a 21st Century environment.
This is not to say we shouldn't use computers for this task. We're looking for requirements that a computer can satisfy better than a manual or mechanical system. Just because we're in the 21st century doesn't mean a computer makes sense for every task. Paper ballots and trusted people have been relied on for elections involving 150 million voters. It isn't obvious to all of us (especially those of us who have developed similar systems) that a touch screen is more reliable, secure or trustworthy.
We can all agree that current touch screen machines are grossly unreliable, particularly in light of what happened in the 2002 elections in Texas, Florida, and Missouri. However, it is still unrealistic to think that mechanical or strictly paper means can be used to reliably count the dozens of votes on each of potentially hundreds of millions - and, in the extreme case of China, billions
- of ballots. For one thing, handling all that paper is a real chore. The only time the paper backup should actually be used for counting is in the case of contested elections. If we can come up with a bulletproof spec for a voting machine and ballot collection & collating system then there should be many fewer of those, too.
Why does using a computer get us closer to bulletproof?
Because automation can be tested using automation, too. Multiple test sources can run multiple automated tests and the box has to pass all of them, every time.
You still need to test the tests. And then you need to test the tests of the tests.
Try not to get silly here. If any
automated test created by any
interested party fails any
component of the automated ballot collection system then everybody
can run their tests to see if there is a problem or not. Obviously, if the Democrats run some tests and come up with failures then the Greens and Communists and Republicans and Doggie Doo-Doos can all run their tests, too. If there really is a problem, it will show up. And don't forget - the tests have already
run through a gamut of publicly-available tests of the test software. This stuff is, of course, all Open Source.
Infinite regress isn't silly. You're proposing that anyone can test any machine at any time? I don't think we can afford that kind of access, much less the security it would demand.
Can we afford not
to have that kind of access?
Allowing everyone to test the machines doesn't "demand" any security, it gives
us security. That way, everyone can see that the machines have not been tampered with (by anyone). If we only allow John to test the machines, perhaps John can see that the machines have not been tampered with, but how can anyone else know know that John didn't tamper with the machines? Perhaps someone could tamper in a way that's too clever for John to detect, but it's much more difficult for someone to tamper in a way that no-one could detect.
Hey, we allow any random stranger to just walk off the street and inspect the original copy of the U.S.Constitution for themselves most days 10:00 am – 7:00 pm.
I don't see how it's any more "dangerous" or "not affordable" to allow any random stranger to inspect a voting machine - the original U.S.Constitution is irreplaceable, while voting machines are easily replaced.
The Constitution is a piece of paper. The system we're discussing is software. The only way to know what a machine is executing is to examine it's memory. How will we allow multitudes to examine memory without being able to change it? Without the ability to change it, why will they believe what they are seeing are the actual instructions in memory? Or do you plan to let them bring their own data scopes?
Here's the first idea that popped into my mind - but perhaps there's an even better way. The electric motors used to drive CNC machines would erase any magnetic media, so many of them run programs stored on paper tape. We allow the multitudes to examine this paper tape (perhaps put on the wall behind glass) like they examine the constitution. We allow the multitudes to examine the interior of the voting machine (perhaps behind glass) to see that the paper tape is the only non-volatile memory in the machine.
On voting day, in a public ceremony, one person applies power to the machine, feeds the paper tape through, then locks the machine closed with a big key and a big sticky seal over the lock. Other people who don't trust that person watch him like a hawk, and if they think he tries to pull anything funny, they make him turn it off and start all over.
Another idea: On "test day", any random individual brings a paper tape and stand in line in front of a machine. When his turn comes, he cycles the power, puts in his program, runs some test ballots through, and makes sure the machine does what he expects.
How would I know the machine wasn't already programmed to execute user supplied tapes and ignore the official tape?
That's the whole point of "cycle the power" and "the only non-volatile memory".
So we let everyone inspect every voting machine to see that there's no hidden ROM in it? How is that feasible?
Exactly. You have a circuit board and a bunch of wires - you put it behind glass, just like the U.S.Constitution, and let people look at both sides of it.
But how do I know the one behind glass bears any resemblance to the thousands in use?
You (and perhaps dozens of other witnesses) simply watch on voting day as that one machine is pulled out from the glass case and plugged in.
You have to hope that witnesses at other polling places will blow the whistle on any funny business there.
How would I know that the voting data collected wasn't being ignored at some later stage in the process?
If you come to the polling place at the end of the day, you can see the person with the key break the seal and turn the key. A huge (LED ?) display on the side of the machine shows the total counts for each item on the ballot. You (and dozens of other witnesses) photograph those numbers. The next day you compare that number to the "precinct total" printed in the local newspaper. If they are the same, you know that *your* precinct was properly counted. Otherwise you take your photograph and the paper as evidence that someone messed up, and ... um ... call your lawyer or a news reporter or something.
Wait, that's assuming there's one machine per precinct. There are going to be dozens per precinct that have to be summed. The newspaper isn't big enough to print all of the pictures of all of the voting machines in a city the size of LA.
The newspaper is big enough.
How many polling places are there in LA?
According to http://www.worldatlas.com/citypops.htm
the largest cities in the U.S. are
- 16,626,000 people in New York City, USA.
- 13,129,000 people in Los Angeles, USA.
The average polling place handles more than 1000 voters (is this right?).
Not all of those people are voters.
So there must be fewer than 16,636 polling places in even the largest city in the USA.
Since my local newspaper prints information about 4,100 stocks every day (it takes 1 full page front and back), then printing information about a (hypothetical) 16,626 polling places would take less than 5 full pages (front and back).
Ah, well, if it's printed in the newspaper it must be true. Just like all of those stock market numbers.
Huh? Only if the printed number matches the number you personally witnessed is it true. If it's different, then the newspaper lies (or at least has a serious typo).
You still have to trust that, in other precincts, at least 1 of the (hopefully dozens of) witnesses will blow the whistle if their true precinct total photograph doesn't match the number printed in the local newspaper.
E-voting creates high-leverage points
The remarks about accuracy, testing, whether ballot boxes are machines, etc. miss the main danger of e-voting. The danger is that e-voting creates points of extremely high leverage in the voting process. Anyone with access to executable code that gets distributed to many machines is in a position to commit undetectable election fraud on a vast scale.
There are many other forms of election fraud: sticking fake ballots into boxes, voter intimidation, "accidentally" misplacing ballots, etc. Each individual act of these forms of fraud distorts the vote count by a few hundred to a few thousand. E-voting enables a single hidden act to distort the vote count by millions. Millions of miscounted votes are quite achievable and even undetectable if they're spread across thousands of precincts by a slightly clever, slightly random algorithm that a 12-year-old could write.
[In Canada, paper system is used; officers from different parties may observe the vote count]
this mish-mash of every state having a different system is an invitation to electoral fraud.
I disagree, for 2 reasons:
We want voting machines that count accurately, right ? So far, the only way to test machines (see TestTheSystem
) relies on the fact that different counties use different machines. Forcing all states to use the same system just makes it easier to commit fraud.
If someone comes up with an improved voting machine, there's no way that person is going to convince every state to switch at once. But that person can convince a few counties to switch - then neighboring counties can see for themselves in a side-by-side comparison that it really is better. Forcing all states to use the same system just makes it more likely we'll get stuck with some inferior system.
The Place of Trust in the Electoral Process
Please define "trusted." The term leaves lots of room for wiggle, which is exactly what we're trying to avoid.
Trust is outside the scope of this exercise. No matter what technology is used for voting, some people will have to be trusted.
Negative! Trust is exactly
what we're discussing here. The idea of using a specification for voting machines & ballot collating is that anybody can make the hardware, anybody can make the software, and anybody can test any part of the system
- even in the middle of an election! With this kind of testability you don't need to trust people. Oh, you'll still have election monitors and election judges (I have served in that capacity more than once), but you won't need to rely on their "trustworthiness," since the box and its contents are well protected by layers of security both physical and ephemeral.
What we would like to do is replace "trust" with "verification and validation." If a system's accuracy and integrity can be confirmed through automated testing schema then we can have much greater confidence in the final results. Using a formula machine with formula data collection and counting mechanisms facilitates this.
But we still have to trust the people who design, implement, run and report the tests. You can move trust around, but you can't get rid of it. Using computers may reduce the number of people we have to trust, but that doesn't make the system is more trustworthy. A small group is easier to influence in a single direction than a large group. Would you rather place trust in a single Test Administrator or thousands of local counters who's corruption falls along an evenly distributed bell curve?
No, you don't have to trust the people who design & implement the reports, etc. The idea here is that anybody can run tests on the machines, data collection, and counting systems to make sure there is no programmatic tampering. These tests can be run even while the various systems are live without screwing up the voting or vote tallying process. Thusly Republicans, Democrats, Greens, Libertarians, Communists, Hippies, John Birchers, and anydamnbody else can simultaneously
run their tests of the systems to make sure no funny business is going on. You don't need to trust people to watch other people watching still more people when you have a system like that.
How will automating this make it more trustworthy?
How does automation make the bank's ATM more trustworthy?
The above anecdote shows that it does. Imagine that a human teller had made that same $300 mistake, but didn't realize it until the end of the day. The ATM machine simply isn't smart enough to pocket the money and then lie about it, so that makes it more worthy of my trust.
The ATM programmer is smart enough to do that, though. Machines don't increase trustworthiness. They just move it to someone else.
Good point. OK, I can imagine how the ATM programmer might be able to pull that off, but with a scenario that doesn't apply to voting machines.
Getting back to voting machines: I have a bunch of paper ballots, and I run them through some computerized scanner to count them. No matter how smart the programmer is, I can count the ballots for myself and see whether or not the computer is cheating. If I run 100 batches of ballots through the machine, and later manually count only 2 or so of those batches, no matter how smart the programmer is, there's no way he can know *which* batch I will choose to count, so there's no way he can program the machine to cheat on the *other* batches. Am I missing something?
No, but you're describing many of the systems currently in use, not the imagined system the original author wanted to discuss. It doesn't use paper ballots.
I have never seen a paperless voting machine (outside of a few blurry photos). *If* they are somehow better than what we are currently using, I would love to hear about them.
In particular, I hear that paperless voting machines can print a receipt with some sort of MD5 hash or PGP ID, something that simple scanners cannot do. But I have no idea what one *does* with this PGP ID.
The original idea was to issue the PGP as a way of identifying one particular ballot. The voter could then go back to the Board of Election Commissioners and see if his ballot was recorded the way it was cast. Idea is kida fuzzy, and the folks at Open Voting Consortium went into apoplexy at the idea.
Is there anyplace in the US that's done hand counts (outside of contested elections) in the last 30 years? I can remember the punch card voting machines used in the 1972 presidential elections being set up in my elementary school. They were all optically scanned and have been ever since.''
Allow people to test the voting machines at any time? Even during
the vote? That sounds pretty cool. How is that physically possible?
run tests? How is that
Just as any multi-tasking OS can perform multiple simultaneous operations. The idea is to be able to walk up to the machine during voting hours and stick in a disk or otherwise manipulate it to check that it registers voters' intentions accurately and records their selections accurately. Details haven't been worked out yet - care to take a stab at it?
I tried, but now I'm stumped. This is as far as I got:
magic happens here
- Certified technician walks up to the machine during voting hours
- The technician is convinced that the machine records voters' intentions accurately.
The best voting system: a hybrid paper and counting system
I have worked in Montreal's last municipal election with a great voting machine. It was more like a "counting machine." So the whole voting system kept the best of both worlds: paper work (for further verification if need be) and the computer's great automation system. (These machines are made in the US by the way; they seem pretty old though 10-15 years if not 20).
This is the way it worked: a technician had already entered the names of the candidates for each election into the machine. There was one machine per site instead of one machine per table.
Every voter would enter the names of his/her choice on a 8.5 X 11 ballot using a marker. I had nothing to do the whole day so I was asking voters to hand me the markers; many had put them "by accident" in their pockets. I was a markers security guard.
Afterwards, instead of putting the ballot in the box, each voter would enter this ballot in the counting machine. The machine would read the ballot, compute the result and shove the ballot to the side.
At the end of the day, a few button clicks had the results printed in 2 minutes. I connected the machine to the phone (I think; maybe someone phoned in the results). Typically counting ballots had taken 2 to 2 1/2 hours. The machine saved a lot of time.
The machine's lone drawback was that there was only one and it has a small screen, and its operation was not very straight-forward. But it worked.
Because it was a hybrid system, the original paper ballots could be recounted. I think the city of Montreal took a wise decision by choosing this hybrid system. It's like the dual radar I saw on US ferries: one that works on AC and the other on DC.
I am very much in favour of systems that use the combination of computers (machines) and human intelligence. They really use the best each one can provide: computers count rapidly but can't think; humans can think but count slowly.
I read that in Brazil or Argentina they had a real machine where you'd enter the names of the candidates directly in the machine. Fine and dandy. This sort of system cuts on paper but it would be difficult to recount and could be tampered with. Also with the hybrid system mentioned above, voters were not disoriented; they were writing a ballot like they have always done. The drawbacks of this system far outweigh its benefits in my view.
Can this system be done on a regular computer? Certainly just by using a scanner.
"A simple program in C or C++ ..."
... or Python, or Java, or Ada, or AWK, or OCaml, or Lisp, or Scheme, or Haskell, or Ruby, or Lua, or Forth, or Self, or Eiffel, or pretty much any other language.
Sorry, folks - the use of Java is indicated here as a portion of the security measures in place. Java runs on the Java Virtual Machine, and it is easy to verify that any particular JVM runs only
approved Java bytecodes and rejects non-approved bytecodes. This is how anybody can put a program together to run the machine and anybody else can put a test program or hardware exercise application together to test it all. Java rules for this domain.
How to measure reliability ?
(moved to TestTheSystem
Canada's system is simple, and if you fully cost paper versus electronic, I believe you will find paper is cheaper. However, that is not stopping Canadian municipalities and provinces from experimenting with electronic and Internet voting anyway. I think they are going to break a system that didn't need to be fixed.
Summary of Canadian electronic voting situation
We have been discussing the implementation of voting machines on this wiki for many weeks. Yet the main question remains: are we for their implementation or against?
This may be your main question, but in the USA it isn't a question at all. Read up on the Help America Vote Act (HAVA) to see what all the fuss is about. These voting machines are here to stay. You can drag your feet and kick and scream all you want, but the USA is plunging headlong into the 21st Century via Diebold, ES&S, and a handful of other Republican-owned companies who create very tightly closed embedded systems boxes that do who-knows-what with your vote. We need to use this forum to come up with a way to make these potential democracy-killers less dangerous.
HAVA doesn't mandate touch screens. It doesn't ban paper ballots.
"If there is anything the American people have a right to know, it is how their votes are being counted." (http://why-war.com/features/2003/10/diebold.html
), as part of a protest against Diebold Election Systems (a voting machine manufacturer). Hey, the protest even has its own wiki: http://wiki.volitant.net/diebold-cd
Is this really a right?
Perhaps the other complaints on this page will give us ideas on how not
to implement voting machines.
I have worked in a great number of elections as a Returning Deputy Officer, as a secretary, a representative of a party, etc. I have done mostly the regular paper ballot system except once in a municipal election when we were using an optical scanner that would read the data.
In my view the best system is the manual paper ballot system. Mind you, in Canada we never had a single problem. The good old manual system with written ballots with a Returning Deputy Officer (the boss at the table) and a secretary both belonging to different parties scrutinizing each other and a couple of party representatives checking too. It's more costly than a computer votation system but the on-site checks and balances make it reliable.
The only advantage of the voting machine would be that it would save us 2 hours or so of counting at the end of the day. Could the Government save any money? Probably not since the voting staff are paid by the day and not by the hour.
Any advantages to knowing the results two hours ahead of time? Perhaps. I personaly don't see any.
IMHO what the US needs is what we have in Canada: a uniform and safe manual system as a start. And then a voting machine if those selling it can make a solid demonstration that it can be useful.
"Diebold with a Vengance: Secrets, lies, and electronic voting," article by Julian Sanchez November 11, 2003 (http://reason.com/links/links111103.shtml
), recommends that voting machines have open source.
"Paper Ballots," article by Glenn Harlan Reynolds 2002-11-05 (http://techcentralstation.com/110502A.html
), has a good explanation of why he thinks paper ballots are superior to all-electronic voting: "Paper ballots are both robust (resistant to fraud) and transparent (easy to understand)."
: add these 2 specifications to TechnicalSpecification
Hmm. Robust and transparent? I thought the Java and open source requirements kinda did that...
"Robust and transparent" is the requirement. "Java and open source" is one way of fulfilling that requirement. If there is a better way of fulfilling the requirement, then we should use that instead of Java.
- book by Bev Harris & David Allen
has the book downloadable a chapter at a time...
a must read...
Those interested in ElectronicVotingMachine
s that really work would be advised to look to India. http://techaos.blogspot.com/2004/05/indian-evm-compared-with-diebold.html
- Operating System/ Software
- EVM: None, the Assembly code to register number of votes is all it has.
- Diebold: Windows CE, and C++ code stored on the Internal Memory and PCMCIA cards.
Selected voting machine bugs
Non-technical specifications that don't belong on SecuringVotingMachines
- The system should be available in all regions of the voting state. Cost, fragility, power usage, security, etc. should not prevent the system from being deployed. Previous election scandals have involved certain regions having unequal access to voting grounds and inferior machines.
- The interface of the system should be as simple and straightforward as possible so that it can be used by nearly everyone eligible to vote. This includes the elderly, physically handicapped people, and people who are mentally handicapped but still eligible to vote. There should be a simple backup system available if required, possibly including human assistants.
These are good points. The part about the interface being accessible to the elderly and handicapped was going to get in there somehow anyway, so it's good to bring it up now. More detail to be added. (Note the bit about color blindness neutrality mentioned way above.)
However, the "human assistant" backup and regional availability are well beyond the scope of this particular technical exercise. That kinda stuff requires legislation. Good thinking, though. Let's keep at it.
[discussion moved from TechnicalSpecificationForVotingMachines]
This is interesting, but I must point out that paper ballots meet all of the technical specifications and in some ways is superior to automated methods. I don't believe the above are necessarily specifications for voting machines, but requirements for voting in general.
The author of this page only wants to discuss "computer systems for voting", but won't change the title to reflect that. He'll move anything else to VotingMachineDiscussion. Been there, done that. -- EricHodges
Yes, Eric, exactly correct. Please read the title of the page. Go ahead, I'll wait. See? See how it says, "voting machines?" Paper is not voting machine automation. Getting a group of "trusted individuals" is not voting machine automation. Exercises in Luddite Logic® have nothing to add to the discussion of voting machine automation. If you want to talk about anything other than voting machines
then please use one of the other pages set up for that purpose. Otherwise the signal-to-noise ratio simply drops into the dirt and the page becomes useless. Is it so much to ask that you folks do this? Have we not beaten this into the ground yet? I am leaving the discussions of paper and trust and steel boxes and all that drivel pretty much alone. Why can't you leave this page to people who are here to discuss the page's topic?
[Please note the very first paragraph, "This is really, really needed in The Good Ol' US of A before we have our next major election. ..." This implies something is required beyond what is done with paper ballots. It seems to me that this item is not covered in the specification, hence my comment. What are the unique specifications for voting machines? -- not Eric]
Paper ballots are part of the voting machines used in my part of the US since I was a child. They were walk-in booths with handles that punched paper cards. These were called voting machines. They didn't have computers in them, but the cards they produced were scanned and the results fed into computers.
Please try to refrain from using the word "Luddite". It insults me and adds nothing of value to the conversation. I'm not rejecting technology, nor asking anyone else to. I've asked for a set of requirements that are best met by the sort of device you want to talk about. I've tried to come up with them and I can't. I believe it's because this is an application that doesn't benefit from adding a computer to the user interface. Perhaps you can do a better job that I can. Using the right tool for the job doesn't make one a Luddite.
It looks like we're actually getting somewhere in this discussion, since our definitions have taken on a little refinement. Before we expand much farther, can we move this thread to another page? I'm still trying to keep this page clear of too much chatter. Just the reqs, ma'am. Which page to go to? -- MartySchrader
We can delete these questions by coming up with requirements that are best met by the sort of device you want to discuss, or expanding the scope of the discussion to any system that meets the requirements. What are the user stories? How do we know when we're finished? -- EricHodges
Eric, are you suggesting that we need to go back to one of the other discussion pages and thrash out some of the non-technical issues before coming up with technical specs for the machine itself? Hmm. That might be nice if we were going to determine that the machines don't have a role in the voting process, but we already know the durn things are in place and being used - and causing problems. My approach is to deal with the devil we know, since he's right here in front of us and this kind of engineering is something we can get our hands around without a problem. I see this page of specs as being a purely technical exercise. The Bigger Issues(™) can be addressed by legislators who have multiple constituencies to please. Eh? -- MartySchrader
I don't enjoy discussing any system without some set of requirements. I can't look at this page without wondering what can be lopped off, and the only way I can figure that out is if I know what the system is supposed to accomplish. The fact that some people are using computers in voting machines doesn't make it a good idea. -- EricHodges
Actually, Eric, everybody is buidling voting machines using computers these days. Oh, and let's not forget the problem of the totalizers back at the Board of Election Commissioners office - that's how the Republicans won that special election in Ohio by swinging the total count 4% in the last twenty minutes of vote counting. Heh. So, we need specs on the tabulator as well as the vote gathering machine. Oy.
And that somehow makes it a good idea? -- EH
That makes it necessary. These machines are in place and being used right now
to affect the outcome of real elections. We need specifications for the performance and testing of electronic voting machines and central tabulators so that real elections are not corrupted (or at the minimum placed in grave doubt) by tightly closed machinery owned and operated by partisan private entities.
There are a number of organizations springing up to address this issue: www.blackboxvoting.org, www.openvotingconsortium.org, www.eff.org, etc. That is a good thing, since this discussion can't seem to get past dealing with the reality of the damnable machines in the first place.