July 25, 2003
Spotlight on electronic voting flaws

I've not really covered the subject of electronic voting and the problems that are inherent to its implementations - several other bloggers have done yeoman's work on the topic - but I'd still like to point out the newfound interest that the mass media has taken in the subject. None of this is really news to anyone who's followed the story - in fact, experts have warned about the problem for years. It's not that this can't be done properly, it's that the way the leading vendors have chosen to do it is flawed, both from a security perspective and an auditing one.

Rob puts his finger on the issue.


This story points to a bigger problem in the way people approach technology. Many problems that we encounter in the business world are not "technology-solvable" problems, they're process problems. For example, a given person's roles and responsibilities are not defined. Whatever the nature of the problem, technology will not solve it. People solve problems.

Same with the voting systems we use here. If we just used the machines and no other tools, fraud could run rampant. Just like with punch cards. There has to be a process for verifying a person's identity and ensuring that they only vote once.


That's exactly right. What was the problem that all this technology was supposed to solve? It was that punch card and optical scan ballots often did not record votes properly and the people who cast those votes had no way of knowing it. You could have largely solved this problem by giving people a way to check and correct their ballots before they relinquished control of them. I'll grant that some electronic voting schemes, such as the e-Slate system in Harris County, do allow for that, but at the cost of losing an unassailable audit trail and opening the door to more subtle and sophisticated means of fraud. How exactly is that improving anything?

And the crazy thing is that a lot of the issue vanishes if the voting machines simply printed out a hard copy of the ballot after the voter has checked and approved it. Drop the hard copy in a bin like before and count those. You still have the identity question to deal with, but at least now you've got ballots that people will have confidence in and a surefire way of verifying them. Seems like a slam dunk to me.

Anyway, the full report by the researchers is here. Like Ginger, I'm acquainted with Dan Wallach; in fact, one of his students, whom I also know, tipped me to these links (thanks, David!). Houston's a big ol' small town sometimes.

Posted by Charles Kuffner on July 25, 2003 to Technology, science, and math
Comments

Well, we've got to quit agreeing on things or I'm in big trouble with the right-wing conspiracy.

One of the first things I said when I went through e-Slate training was that they should print out a hard copy of the ballot that people would put in a box. I think it should serve as a backup and the machines should be counted, but going without a backup to me is dangerous.

I helped a bunch of people with the e-Slates on the last Election Day, and it went pretty well. Some people, those who didn't read the directions, had trouble, but mostly it went smoothly.

Posted by: Rob Booth (Slightly Rough) on July 25, 2003 6:05 PM

I find the e-Slate machines to be reasonably easy to use. Of course, I spend all day in front of a computer, so take that for what it's worth. They have had volunteers there to help the technophobic, which is good.

I'm OK with their GUI and all, I just don't understand why they were so resistant to the idea of a hardcopy. Well, no, I know exactly why they fought that: cost. Unfortunately, city councils and state assemblies don't have enough technically inclined members to insist on it for the right reasons. Maybe this will help.

The nightmare scenario, of course, is a hotly contested election combined with a software failure. That'll make Bush v. Gore look like The People's Court.

Posted by: Charles Kuffner on July 25, 2003 7:15 PM

Shouldn't the Democrats be bringing an action in Court to enjoin their use until there's confirmation that there will be a paper monitor, and/or elimination of the possibility of tampering? Shouldn't they be doing it now while there's time before the elections?

Couldn't the lawsuit cite Bush v. Gore (Equal protection prohibits discrimination against voters in Diebold jurisdictions, compared to others that can't be tampered with?)

I'm a lawyer, but my specialty is not elections or civil rights. Do you know whether legal action on Diebold or other flawed touch screen voting has any chance?


Posted by: Claudius on July 25, 2003 11:01 PM

Let me throw my 2 bits in here.

First, I was a poll watcher during the '02 meltdown and got to watch 13 hours of people using E-Slates.

I was fairly impressed with them, at least as far as ease of use was concerned. Most - probably 90% - voters handled them without a judge's assistance. That's the good side.

The bad side? I saw no audit controls at all. The only check we had was the number of votes tallied had to match the number of voters logged in (I think it was off by one). Were any votes tallied correctly? Damned if I know. Could we prove it if they weren't? Could anybody? Not that I could see.

We had to print a tape out showing total vote counts but these totals weren't actually transmitted to Harris County. Instead, the machines were physically transported to county for readout. The judge, who is a party operative, transports them and a suitably inclined bad actor would have at least an hour's access to the machines.

As to the software, I write software for a living so I can speak with a modicum of authority. Anyone who feels any non-trivial program is bug free is either lying, an idiot or both. And this really is a non-trivial piece of software. There are a lot of lines of code here, probably 250K or so. A .01% error rate - a fantastic rate for mature code and the code in these machines is certainly not mature - would lead to 25 lines with errors.

Is that bad? A bug is a lot like a heart attack. It all depends on where it is. It may be as simple as a misformatted number or it might mean the first candidate's votes don't count.

Not only can we not audit the results, we can't audit the code - trade secrets and all that. Thus, we don't know if there's code that says if the first character of some magic number required to start the system is a Q and the time, according to WWVB, is between 0800 and 1200 on election day, 5% of all Democratic votes become Republican. Contrived example but you get the point.

Bottom line? I don't trust them without a paper audit trail. The original idea was to replace the error prone entry system, not to become the system.

Posted by: Charles M on July 25, 2003 11:05 PM

I encourage people to read the very fine work of Doug Jones; his analysis of paper voting systems is required reading for anyone interested in the integrity of the voting process:
http://www.cs.uiowa.edu/~jones/voting/paper.html
Until e-voting systems can fulfill all the basic requirements of a paper ballot system it is unworkable.
BTW, I wrote an essay that noted the problem of stuffing the e-ballot box a long time ago (includes nice streaming video too)
http://ceicher.homeunix.com/archives/000277.html

Posted by: Charles E on July 26, 2003 12:48 AM

Charles M makes a good point. But just as no one can say that a piece of software is 100% bug free, also no one can say that any voting process is going to be 100% fraud or error free. The person who claims 100% is the one who most likely has the most problems with their process.

One of the processes that's in place that does deter the malevolent precinct judge is the sign-in book. If, after the polls close, the poll watchers or election clerks note the total number of voters signed in, that serves as a check on the system. If the judge starts adding votes to the e-Slate on the way to the drop off point, that's a difference that can be tracked. For example, I printed out an extra copy of the results last election night and the judge went on his merry way with the machines. Then I checked results from the County Clerk's site. (Just out of curiosity, of course.) If those numbers hadn't matched I would have been on the phone that night.

As far as transmitting results by any other means than physically moving the machines to a central location, I'm leery. Hooking those things up to a modem/phone line gives me the creeps. I used to work cryptology in the Navy and well, any system of communication devised by man can be defeated by man.

One of the things that surprised me was the number of fleeing voters, i.e., those that left the polls without completely casting their ballot. I remember two in particular: one was a guy I thought was borderline mentally disabled (he kept asking me who to vote for) and the other was a lady who didn't speak English, Spanish, or Russian (what I speak). I specifically asked them if they had pressed the big red button and seen the American flag (signifying the ballot had been properly cast). They both assured me that they had and being busy I didn't have a chance to double-check them before they left. But they hadn't. I felt bad about it until I talked to long-time judges and they told me they had more of a fleeing voter problem with the punch cards. People just left them on the stands and left.

The good news long-term is that to commit meaningful voter fraud (i.e., sway the results of an election by a big percent), you have to get a large number of operatives committing a little bit of fraud or a small number of operatives committing a lot of fraud. The larger number of operatives leads to mistakes and loose lips. The smaller number of operatives leads to statistical variation in turnout in a concentrated area. That can be thwarted in the long run.

The bottom line is that the best security system factor is that people involved in vote tabulating and counting should know that they can go to prison if they monkey around with the results. That'll cut the number of people inclined to fraud way down.

Posted by: Rob Booth (Slightly Rough) on July 26, 2003 11:55 AM
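
The checks described in the comments above by Charles M and Rob Booth (ballots cast against the sign-in book, the precinct tape against the county's posted figures), together with the hard-copy comparison the post argues for, as an added example that is not part of the original thread. The record layout, field names and every number are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Precinct:
    name: str
    signed_in: int                 # names in the sign-in book at poll close
    tape: dict                     # per-candidate totals printed at the precinct
    published: dict                # per-candidate totals later posted by the county
    paper: Optional[dict] = None   # hand count of voter-verified hard copies, if any

def diff(a, b):
    """Candidates whose totals differ between two tallies."""
    return sorted(c for c in set(a) | set(b) if a.get(c, 0) != b.get(c, 0))

def reconcile(p, tolerance=0):
    """Return (kind, detail) findings; kinds: count, custody, tally, unverifiable."""
    findings = []
    cast = sum(p.tape.values())
    # 1. Ballots cast vs. sign-in book: catches ballots added or dropped.
    if abs(cast - p.signed_in) > tolerance:
        findings.append(("count", f"{cast} ballots vs {p.signed_in} sign-ins"))
    # 2. Precinct tape vs. county figures: catches changes after poll close.
    for c in diff(p.tape, p.published):
        findings.append(("custody", f"{c}: tape {p.tape.get(c, 0)}, published {p.published.get(c, 0)}"))
    # 3. Machine totals vs. paper: the only check independent of the software.
    if p.paper is None:
        findings.append(("unverifiable", "no paper record for per-candidate totals"))
    else:
        for c in diff(p.tape, p.paper):
            findings.append(("tally", f"{c}: tape {p.tape.get(c, 0)}, paper {p.paper.get(c, 0)}"))
    return findings

def kinds(p, tolerance=0):
    return [k for k, _ in reconcile(p, tolerance)]

# Constructed sample precincts (all numbers invented for illustration).
honest = {"A": 210, "B": 202}      # 412 ballots
shifted = {"A": 190, "B": 222}     # same 412 ballots, 20 moved from A to B
SAMPLES = [
    Precinct("extra ballots", 412, {"A": 228, "B": 202}, {"A": 228, "B": 202}, honest),
    Precinct("changed in transit", 412, honest, shifted, honest),
    Precinct("miscount, paper kept", 412, shifted, shifted, honest),
    Precinct("miscount, no paper", 412, shifted, shifted),
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p.name:22} {kinds(p)}")
```

The last two sample precincts have identical machine output and pass both count checks; only the one with a paper record produces a `tally` finding, while the paperless one can be reported only as `unverifiable`.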

As another who writes software for a living, I have to agree and disagree with Rob Booth. (That should get me in trouble both with the Vast Right-Wing Conspiracy and the So-Called Liberal Media!) Seriously... technology doesn't solve problems, to be sure, but it certainly can create needless ones. IMHO, the problem of loss of voter confidence introduced by the use of electronic voting systems is such a needless problem.

Personally, I advocate a return to paper ballots, together with a much stricter chain of custody of both marked and blank ballots. Can that system be cheated? Of course. But it removes one big issue that any more sophisticated technology introduces: namely, how voters can have confidence that the results weren't tinkered with in ways that may not be statistically observable but nonetheless turn enough elections to have different results for society.

Yes, almost any method that involves printing or marking paper and counting the paper will be more expensive and slower than, say, eSlate (presuming the latter ever works as advertised). So what! What price democracy, and more to the point, what price public confidence in democracy?

Another not-so-minor issue: what compelling argument can any corporation offer that its vote-counting software should be proprietary? What gives any nonpublic entity the right to count the votes without a close inspection of the means by which they do so, by any interested parties? One might reasonably argue for proprietary code for, say, a refrigerator, or an automobile engine. But we're talking about the fundamental process of representative government here. I have no problem advocating a legal requirement that all voting equipment software should be publicly disclosed.

Posted by: Steve Bates on July 27, 2003 5:52 PM