At this point, machines lacking a human verifiable paper trail seem to be such an obviously bad idea that I really don't care who's trying to introduce or continue the use of them, or whether they actually have some nefarious plan or whether they're just so stupid that they don't get that someone, at some point, will have a nefarious plan, and the machines will be wide open. Voting procedures are like bank vaults -- they don't need to be secure because you've heard that there's going to be some specific attempt to break in, they need to be secure because stealing money, and changing election results, are things that people generally want to do. You don't leave money lying around unsecured, and you don't leave election results lying around the same way.
It looks to my cursory reading of this stuff like hacking would require physical access to the actual machines or to their memory cards, not something you could do online -- also swinging an entire election to a party that got few votes IRL would probably require hacking a significant portion of the machines used in the election.
It's like the Interweb was closed for the day. Since when is it possible to get the first comment on a WaMo thread when you actually have something to say?
And I agree that this should be a nonpartisan issue. It's just not clear that it is one.
What you would really want to do is somehow get the sourceforge types to set up and run an open source plan to steal a specific or a couple specific elections. Publish the plans, in as detailed a fashion as possible, and make clear that the ability to steal that election now belongs to the world at large. And no felonies.
Ok, the first sentence of 2 actually brings up something I was trying to find an answer for last night, and actually [...shiver...] read Drum's comments to look for, but couldn't find. Nothing I could find in the story says that this particular voting machine (I couldn't find which model it is) doesn't have a paper trail. I take the implication that it doesn't, but I couldn't confirm it.
5 - That might be a conspiracy, or possibly a RICO violation.
While I agree with your assessment of the facts (that is, even perfectly innocent Republicans are more likely to associate concerns about election security with 'sore-loser Democrats' and be resistant to doing the obviously right thing out of simple stubbornness) I think this is one area (I think this about very few areas generally) where making it partisan is a bad idea.
Making it partisan turns instantly into "Are you accusing us of wanting to fix an election? Prove it. You can't? Then shut up. And what about JFK and LBJ, anyway." Keeping it as a straight security issue: we don't know and we don't care who might mess with election results, the problem is that whoever does it it'll be easy, is in this case much more powerful.
(I'd say differently if there were a recent rash of convictions for election fraud, but there just aren't.)
JO-
Oh, this isn't a trivial task, I figure anyone who's up for it needs both the requisite technical abilities and a fair amount of actual sneaking around. On the other hand, I can think of a dozen people I knew as undergrads at MIT who I'd expect to be able to pull something of this apparent level of difficulty -- anyone at CalTech want to stand up for the honor of your school?
That might be a conspiracy, or possibly a RICO violation.
I should doubt it would be either one (not legal advice, just blather). Publishing, say, Steal this Book is perfectly legal despite the fact that it gives instructions for committing various crimes. For a conspiracy you need an actual agreement to commit a crime, something not present where you're simply publishing instructions, and for a RICO enterprise you need even a stronger relationship than that.
7: I just meant this: Before reading Kevin's post, I assumed that CA's Secretary of State was probably a Democrat. When I found out that he'd approved Diebold machines, I figured that it was more likely that he was a Republican (I thought about putting this in terms of Bayes' theorem). And I was right. This is just one case where the assumption "People who want to install easily rigged election systems are Republicans" worked out, but I think there have been other cases.
I agree that we shouldn't present it as a partisan issue or use it as an attempted vote-getter; I'm just pointing out, to a small audience, that one party is more deeply committed to the wrong here.
(I just ran across this attack on paper trails; haven't had time to read it all.)
What about an expat? What would be the penalty for someone living outside the U.S.? Would tampering with a local U.S. election be an extradite-able offense? That would probably be a better way of rallying popular sentiment, too. It's one thing to suggest that other U.S. citizens might tamper with elections (heavens, no! nobody would ever do that! you Democrats are just paranoid and bitter!) but goddamnit if we'll let those foreigners muck with 'em.
IIRC, I think part of the problem is that they won't let anyone inspect the source code of the machines without signing an NDA (as in, if you look at it and find a problem, you can't tell anyone).
I once tried to take a picture of myself at the voting booth (my French ex was astounded by NYC machines), and the election volunteers prevented me. Do any of our lawyers understand what the law there is, and why?
16: Depending on which borough that was in and how old the regulation is (assuming it's real), I would bet that the Justice Department pre-cleared it. I base the bet on hearing a member of the Board of Elections of The City of New York, give as an example of minor things that they've had pre-cleared, the change from attaching pens to voting booths by a string to attaching them by some kind of sticky pad.
No such prohibition is mentioned in either the New York State election laws or the pollworkers manual (both .pdfs). If such a law or regulation existed, it would probably be to prevent someone from demanding that you prove to them that you voted for a specific candidate, in response to either a threat or a bribe.
Thanks, w/d! I guess that even if people started taking pictures of their votes, they would probably overwhelmingly be Democrats.
The way the political discourse about elections is framed right now, with Democrats worried about the lack of paper trails and Republicans worried about the lack of identification-verification, it seems as though no meaningful compromise on either of these points is possible without both.
The last time I checked into this, the main point of weakness was the district official's machine onto which votes from the terminals are downloaded. At that stage the votes sit in an MS Access file which was either completely unsecured, or had a pretty laughable password applied to it, and no real encryption (MS Access is pretty laughable in its own right -- not something a developer should ever trust important data to). So the real threat here isn't at the voting machines, it's at the point at which votes for a precinct are collected -- and that process/room is probably hard to gain access to.
Also worth noting that, in order for all these nasty facts about Diebold to come to light, the DMCA pretty much had to be violated (although nobody is being prosecuted for it, to my knowledge). It's a terrible, terrible, terrible law.
Eh, I'm a little skeptical of the Diebold worries. It's difficult for me to believe that 1) just anyone could gain physical access to a machine to change votes, 2) that the vote-tally isn't recorded and verified immediately after voting is finished, rendering tampering more difficult, 3) that the machine doesn't record keystrokes and access, not to mention alterations of ballot data. And that's just to start.
Here's a company release which addresses some concerns... http://www.diebold.com/dieboldes/pdf/realityvsfantasy.pdf
It also looks like they've come out with a model that produces a paper-trail. Not sure if that's the one that California has purchased.
1) just anyone could gain physical access to a machine to change votes
The problem isn't 'just anyone'. Landslide Lyndon wasn't just anyone when he put himself over the top in his first Senatorial election, he had a power structure that gave him access. The point of election security is to protect against insiders as well as outsiders.
2) that the vote-tally isn't recorded and verified immediately after voting is finished, rendering tampering more difficult, 3) that the machine doesn't record keystrokes and access, not to mention alterations of ballot data. And that's just to start.
On this sort of thing, I haven't the expertise to judge. However, people who do have a certain amount of expertise, including some reputable appearing organizations, appear to still be worried, and it isn't clear to me what they get out of kicking up a fuss if there isn't anything to worry about. Furthermore, I shouldn't need to be an expert to be confident in the validity of the results. If each ballot corresponds to a physical piece of paper, checked by the voter and kept physically secure and available for recount, then I don't need to be an expert.
1) not anyone, but the folks doing the counting certainly aren't guaranteed to be impartial. recall the hanging chad debacle and all the difficulties that it raised. a precinct's HQ is very vulnerable.
2) it's the process of recording that makes it susceptible. odds are that the machines themselves are impractical to compromise in a polling station setting -- but when the votes are aggregated, they go into files that are very easy to modify.
3) how do you make a system record unimpeachable data about the integrity of its data? this isn't an impossible problem, but it *is* a difficult one. you can come up with solutions involving public key cryptography, but they're only as good as their implementations (and the security practices surrounding the keys and code). A paper trail is probably simpler and better.
In a perfect world, I'd say that everyone who wants to should be able to have a hash of their vote emailed to them when the vote is actually counted. It can be done in such a way that the identity of who they voted for remains secret to everyone but the voter (even if the email is intercepted).
If each ballot corresponds to a physical piece of paper, checked by the voter and kept physically secure and available for recount, then I don't need to be an expert.
Exactly. Voter verified paper trail. That's the way to do it. Along with physical audits of random samples - pick one or two or whatever percent of the precincts and actually have real live people examine the paper records which the voters themselves verified, and compare that total with whatever the automated equipment produced.
NM has been arguing over this. There's a lawsuit, with motions and affidavits and data online:
Democrats worried about the lack of paper trails and Republicans worried about the lack of identification-verification, it seems as though no meaningful compromise on either of these points is possible without both.
Democrats should probably get on the ID bandwagon, going along with whatever the hell it is that the Republicans are worried about but demanding that the ID requirement be fulfillable by free ID's available at convenient locations nationwide (off the top of my head, every public high school or every library would do it) and with a kickass publicity campaign making sure people understood the new requirements. That Georgia mess where the new voting ID's weren't available in, say, Atlanta, the only place where someone without a driver's license would be likely to live, is obscene. (I may have the facts moderately garbled here -- I haven't looked them up recently.)
In a perfect world, I'd say that everyone who wants to should be able to have a hash of their vote emailed to them when the vote is actually counted. It can be done in such a way that the identity of who they voted for remains secret to everyone but the voter (even if the email is intercepted).
This is still bad, because it allows the voter to prove who they voted for and thus sell their votes. When I say 'paper trail', what I want is: (1) voter goes to terminal wanting to vote for Donald Duck, and presses the buttons to do so (2) A ballot prints out -- whoops, he miskeyed. It says, in both text and whatever an optical reader would be happiest with, "Minnie Mouse." (3) No problem. The "Is that your final vote?" screen is still open. He hits "No" which puts him back on the voting screen. He votes for Donald Duck, and this time, it prints out correctly. (4) He tears up the spoiled ballot, hits "Yes, this is my final vote" and walks across the room to the ballot box, where he drops it in as an election official watches to make sure he's only dropping in one. (5) Preliminary results come from the terminals -- official results come from the optical counting of paper ballots, to be followed by a hand-count if circumstances require.
LB, as I recall, you've got the facts exactly right about Georgia. Also, the ID wasn't free. Also, the sponsor of the law had explicitly racist intentions, and the professionals in the Justice Department who argued against approving the plan were overruled by Bush political appointees.
All of which makes me think that we need to see a lot more good faith from the other side of the aisle before we work with them on voter ID. Partisan, but I think unavoidable.
This is still bad, because it allows the voter to prove who they voted for and thus sell their votes.
Not really, if the voter is the only one who knows what the receipt means. For example: the terminal says "enter 'opposite day' mode?" before the user logs out. They say yes or no. Their eventual receipt says "you voted for the democrat", but the meaning of this varies based on their still-secret choice.
Obviously you'd actually implement this differently, but it could basically work. You'd be free to take the vote-buyer's money, but he'd have no way to actually verify your vote.
Weiner's point about the digital divide is relevant, though. I certainly don't expect such a system to ever *actually* be put in place. Not anytime soon, anyway.
Oh! One other neat technological idea I had about voting: with these machines, it'll be possible to videotape everyone voting without revealing who they vote for. Just randomize the placement of buttons on the screen and put a polarizing filter over the camera lens. LCD light is polarized, so the screen would appear blank on tape (assuming the filter was properly oriented), but you could still keep a very close eye on what everyone was doing to the machines.
If any problem is likely to occur at the place of vote aggregation, why not have the machines send the unaggregated information to a lot of places, including the parties running for election and the media?
33 is an interesting idea but I think putting the machines online makes them more susceptible, not less. Currently the vulnerable moment is when the memory card is taken out of the machine and transported to the place of aggregation. If the machine is online then it's vulnerable for the whole time it's connected.
Here's an idea. Have it write to Non-volatile media (i.e. a DVD) every so often with an audit trail. Yes, it's more expensive, but it's a lot harder to screw with that kind of data. Maybe they already use some sort of NV media, I don't know.
Something that appears obvious to me (but as I keep saying I don't know much so you can talk me out of it) is that all the software should be required to be open-source. Every interested programmer in the country should be hammering on it looking for flaws and security problems long before it's used in any election.
LB, it's actually a pretty good idea. Security by obscurity usually isn't all that secure (eventually, insecurities get found out). Of course, it runs all the risks of a general oss project: splinter factions, someone has to be in control of the source, etc. A modification of this, allowing multiple groups to create their own voting systems and then letting others try to crack it, is perhaps a bit more effective, but falls along the same lines.
I'm not an expert either, but given the number of states who have purchased these machines, and Diebold's sophistication, it's difficult for me to believe that these machines are as easy to rig as the author in the link seems to believe. Reading the article, I had the impression that if one has the right password, one can easily modify files containing voting data---and that just strikes me as highly unlikely.
Andrew, Kevin's link quotes the panel of experts that the Secretary of State himself relied on in order to recertify the Diebold machines. They had harsh criticisms of Diebold, and it got recertified anyway. So I'm not inclined to put much weight on the state's use of the machines. Nor do I think Diebold's sophistication indicates much of anything; we have seen companies deliver poor product to the government before.
(And that press release is pretty underwhelming, in light of the successful hacks that have been reported.)
You don't need to look at software if you have a non-volatile recording medium (paper); where the voter can see and verify the correctness of the mark on the paper (yup, it says Donald Duck); and whatever machine counts the votes is double-checked against people counting the marks on the paper (yes, that says Donald Duck, put it in the Duck pile, which we'll count when we've sorted). Simple is good. Transparency is good, except we can use opaque paper. Trust, but verify.
My suspicion is that most incumbents have an interest in keeping a system that allows manipulation.
In fact, you don't even need the password to modify the files. You only need the password to alter it using the client program, GEMS. If you want to change the data using a script or other direct manipulation of the data file, no password is needed. Also, not only is the data stored in an insecure Access database, the user logs are stored in that format as well. Makes it really easy to delete the records that show what you did and cover your tracks.
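An added illustration of the log-integrity point raised in the comments above (not part of the thread, and not code from GEMS or any vendor): an audit log in which each record carries an HMAC chained to the one before it, so a deleted or edited record is detectable, while a rebuild by someone who holds the key is caught only if the final MAC and record count were also written down outside the machine. The record layout, key, event names and the idea of printing the head value on the end-of-day paper report are assumptions made for this sketch.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # constructed starting value for the first record's "prev" field


def _mac(key, seq, prev, event):
    """HMAC-SHA256 over the record's position, its predecessor's MAC and its text."""
    msg = json.dumps([seq, prev, event], separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def append(log, key, event):
    """Append one record chained to the previous one; return the new head MAC."""
    prev = log[-1]["mac"] if log else GENESIS
    seq = len(log)
    log.append({"seq": seq, "prev": prev, "event": event,
                "mac": _mac(key, seq, prev, event)})
    return log[-1]["mac"]


def verify(log, key, anchored_head=None, anchored_count=None):
    """Return a list of problems found; an empty list means the log checks out.

    anchored_head / anchored_count are values written down somewhere the
    log's owner cannot rewrite (assumed here: the printed end-of-day report).
    """
    problems = []
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["seq"] != i:
            problems.append(f"record {i}: sequence gap (found seq {rec['seq']})")
        if rec["prev"] != prev:
            problems.append(f"record {i}: broken link to previous record")
        expected = _mac(key, rec["seq"], rec["prev"], rec["event"])
        if not hmac.compare_digest(rec["mac"], expected):
            problems.append(f"record {i}: MAC mismatch, contents altered")
        prev = rec["mac"]
    if anchored_count is not None and len(log) != anchored_count:
        problems.append(f"count {len(log)} differs from anchored count {anchored_count}")
    if anchored_head is not None and prev != anchored_head:
        problems.append("head MAC differs from the anchored value")
    return problems


# Constructed sample events, not taken from any real system.
SAMPLE_EVENTS = [
    "polls opened",
    "zero report printed",
    "supervisor login",
    "tally table edited",
    "polls closed",
]


def demo():
    key = b"constructed-demo-key"
    log = []
    for ev in SAMPLE_EVENTS:
        head = append(log, key, ev)
    count = len(log)

    results = {"intact": verify(log, key, head, count)}

    # 1. Someone without the key deletes the record of the edit.
    deleted = [dict(r) for r in log if r["event"] != "tally table edited"]
    results["deleted"] = verify(deleted, key)

    # 2. Someone without the key rewrites a record's text in place.
    edited = [dict(r) for r in log]
    edited[3]["event"] = "routine maintenance"
    results["edited"] = verify(edited, key)

    # 3. Someone who holds the key rebuilds the whole chain minus one event.
    #    The chain is internally consistent; only the outside anchor disagrees.
    rebuilt = []
    for ev in SAMPLE_EVENTS:
        if ev != "tally table edited":
            append(rebuilt, key, ev)
    results["rebuilt_no_anchor"] = verify(rebuilt, key)
    results["rebuilt_with_anchor"] = verify(rebuilt, key, head, count)
    return results


if __name__ == "__main__":
    for case, problems in demo().items():
        print(case, "->", problems or "OK")
```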
A review of votes tallied by machine type in the 2004 presidential election in NM reports a total of 21,084 undervotes. That is, apparently 21,084 people actually took the trouble to cast a ballot but did not indicate a choice for president. The election was decided by fewer than 7,000 votes.
Breaking it down by machine used, undervoting rates ranged from fewer than 1% to more than 5%, depending on machine type. That's a rather large variance, and suggests that some machines are very prone to failing to accurately record votes.
Obviously this data isn't conclusive, but is certainly worrisome. It's from
You're all very cute with your concern for verifiable election results. Downright adorable, really.
But isn't voting itself unpatriotic? We're talking long lines at the polling place, which means time away from your traditional household and (three part-time) job(s).
What is America without strong families and hard work?
Matt, the report was narrowly focused on the question of whether an individual who was able to remove and replace a machine's memory card undetected, at some point during the voting procedure, could do so in such a way as to avoid electronic detection and alter the voting results. Essentially it finds that reprogramming the card would be possible, if the user had complete knowledge of the system. The report does not address whether it would be possible for an individual to have such undetected access, and expressly disclaims any pretense to being a comprehensive security review.
Moreover, the report relied upon the notion that the cryptographic key required to change a memory card's contents would remain at the default setting, which Smith publishes in his article. But apparently California requires the key to be changed prior to the voting procedure. We don't learn anything about the procedures of other states from the article, which assumes the default setting is left in place, but I'd bet that most or all of them change it. It remains possible, according to the reviewers, for the reprogramming to occur if the user has the key, but now we're talking about a very small group of individuals.
One of the models ordered is an optical reader, and does provide for paper ballots.
Finally, there are paper counts printed immediately upon completion of each voting day from each machine, and the memory cards are kept sealed in place until removed in the presence of election workers. How they could be removed, reprogrammed, and replaced without detection is a feat that the article does not even begin to contemplate.
Here's a quote from the California report on the procedures followed by all jurisdictions:
Different jurisdictions around the country have somewhat different procedures for conducting an election with the Diebold AV-OS and AV-TSx systems, but all include the following steps:
1. Before the election, the removable memory cards are initialized through the GEMS election management system with the appropriate election description information for the precinct the machine will be used in, and with the AccuBasic object code scripts to be used, and with other information detailed below.
2. The initialized cards are then inserted into the voting machines (optical scan or touchscreen); the compartment in which the card sits is locked and sealed with a tamper-evident seal of some kind.
3. The voting machine with its enclosed card is transported to the precinct poll site where it is stored over night (or longer) until the start of the election.
4. At the start of the election, a script on the card is used to print initial reports, including the Zero Report, which should indicate that all the vote counters are zero (in the AV-OS) and file of voted ballots is empty (in the AV-TSx).
5. All during election day, voted paper ballots are scanned and the appropriate counters on the removable memory card are incremented (AV-OS), or the voted ballots themselves are stored electronically on the memory card (AV-TSx), and electronic audit log records are appended to a file on the card.
6. At the end of election day, a script from the card is used to print final reports for the day, including vote totals.
7. Finally, one of two steps is taken, depending on the jurisdiction: either (a) the seal is broken and the memory card is removed and transported back to a central location for canvass using GEMS; or, (b) the entire voting machine is transported to the central location, where election officials break the seal, remove the memory card, and read its contents during the canvass.
The threats we are concerned about specifically involve modification of the contents of the memory card, especially the AccuBasic object code. In other words, somewhere along the line, in the procedure above, the attacker is able to get a memory card, arbitrarily modify its contents, and surreptitiously place it in a voting machine for use in an election, and do so without being immediately detected.
To my inexpert eyes, that looks pretty good. I'm sure that under certain conditions voting fraud is possible, as it would be possible under all procedures, but it seems pretty unlikely here.
Hey wait, this wouldn't have anything to do with the e-mail I received last night advertising online photos of bestial hijinx would it? Tia, have you been hanging around with Emerson?
39: I sort of assumed Diebold would know what they're doing, too. But reading about GEMS, anyone tech-savvy will realize that they didn't do a professional job on this project. MS Access is for salespeople and secretaries. This is "hired-your-nephew-to-do-it" bullshit. I realize it sounds implausible, but nobody who knows what they're doing would take this seriously.
I'm no uber-l33t programmer; I design web apps, which is not exactly glamorous work in the programming world (tho I like it). But even I know this is laughable. I can only imagine what it looks like to the CS professors who are (politely) making the case against it.
I'm trying to figure out how to say this so that it doesn't sound rude. Given that you've said that you don't have the technical knowledge to judge, how does a page full of procedures reassure you? (I should note that the linked report referred to other bugs in the programming with security implications, not encompassed by the removable card issue). I'm in a similar position, worried without the technical knowledge to be reassured by the provision of technical detail, but I know what will reassure me: a system that operates securely and checkably at my level of understanding. Paper.
I know what will reassure me: a system that operates securely and checkably at my level of understanding. Paper.
That's basically the issue. It's epistemic: the voting systems people haven't earned my trust that they're doing it right. I can't judge things like this, but comments like 54 (which I've seen from a lot of people) give me enough pause that I want to demand a system with a lot more transparency in it. As it is, we basically have to trust Diebold when they say it can't go wrong. If there were paper records there would be a backup -- the machines in Florida were fuxxored enough that they failed to pick up a reasonable number of votes, but we would have been able to get an accurate count if Harris, Bush, and the Supreme Court shitbags had let us.
(This is aside from the ballot design errors that caused a lot of people to mark their ballots wrong or, as in Duval county, non-machine-readably. Those can happen with touch-screen machines too. Often, on my ATM, I will hit what looks like the X button, and it will record as the one below it; since I am above the screen, the bit of glass that looks like X to me is actually the one over the button below it. Another reason why it would be nice to have a printout that says "You voted for Donald Duck.")
55: I don't have the technical knowledge to judge the programming, but I can certainly judge the physical security involved, which is what the procedures I copied detail. It seems substantial. There are also paper printouts already available with these machines, and those printouts are apparently used in every jurisdiction. Taken in conjunction with the electronic security, the voting process to me seems highly secure. And not just to me, but to every institution that has adopted the use of these machines.
Unless one is willing to say that every adopting jurisdiction is either 1) deliberately facilitating election-fraud, or 2) just plain fooled, or 3) bribed to accept substandard equipment, it's difficult to square the acceptance by so many sophisticated customers of a product by a sophisticated producer with an evaluation that the product is obviously and fatally flawed.
I could be completely wrong. But it's noteworthy that, as far as I know, no one has yet proven a single instance of election fraud with these machines---which is certainly what one would expect if they were so insecure. Of course, the years have established any number of instances of election fraud using paper ballots.
Andrew, I don't know what you mean when you say, "There are also paper printouts already available with these machines, and those printouts are apparently used in every jurisdiction." At least recently (see quoted Orlando Sentinel article), paper receipts weren't used in many jurisdictions in Florida. Are you talking about something else? As for the election fraud, the machines haven't been in use very long, many problems have been documented, and I'm not sure how we'd know that fraud occurred unless someone 'fessed up.
no one has yet proven a single instance of election fraud with these machines
Uh, shouldn't that be the other way around? Shouldn't we reject a system unless it's been proved accurate? Given that any system is going to be vulnerable, given enough inside access and expertise, isn't a system with multiple redundancies and multiple independent checks best? That's the theory of double entry bookkeeping. Paper, as LB says.
Look at the New Mexico data. It certainly strongly suggests problems with electronic voting machines.
on my ATM, I will hit what looks like the X button, and it will record as the one below it
There was considerable anecdotal evidence of this happening in NM. People reported having to wail away at different spots on the screen to get the KERRY button to light up. Something about possible misalignment of the paper overlay, I think.
I just don't understand how hard this could be. We have a fucking ATM world, and I assume that's considered a pretty secure system. How hard can it be to build a voting system that is as reliable, straightforward, and secure as a system that has been in mature use for at least 15 years?
If the code that runs the machine is vulnerable, then how is any printout gathered after the fact reliable?
MagicCala operation: change code to Spew Evil instead of accurate voting data, carefully follow the procedures Andrew listed. When someone runs the report, it's still going to Spew Evil. All the procedures in the world involving handcuffed briefcases aren't going to help at that point.
I'm not sure if any of these problems presuppose any greater corruption or incompetence than occurs now. But I suspect that we don't need great levels of corruption or incompetence for a mistake or unsecured terminal to cause problems. People aren't smart with digital security.
Moreover, the appearance of honesty in an election cannot be overvalued. The first election that's close where it turns out the supervisor hadn't changed the default password will just be a mess.
Unless one is willing to say that every adopting jurisdiction is either 1) deliberately facilitating election-fraud, or 2) just plain fooled, or 3) bribed to accept substandard equipment, it's difficult to square the acceptance by so many sophisticated customers of a product by a sophisticated producer with an evaluation that the product is obviously and fatally flawed.
How do you explain the reputable voices saying that there is a significant security problem, in the absence of an independent ability to check what they're saying? I can see reasons for Diebold (and other paper-free voting systems manufacturers) to be misleadingly sanguine about the security of their systems -- they want to sell them. I can see reasons for jurisdictions to buy the systems despite their lack of proven security: carelessness, cronyism, knee-jerk resistance to what is perceived as a lefty issue, and perhaps, or perhaps not, in some instances a bad-faith wish to have a riggable system. I don't see any reasons for reputable organizations to bad-mouth these systems without a good-faith basis for their fears: this doesn't make them right, but it does mean that you can't just resolve the issue by being trusting. You have to decide who is more worthy of trust.
What caps it for me is that a secure system (by my lights) is not at all difficult to design, nor is it particularly expensive by the standards of current elections. So why not make me (and all the other concerned voices out there) happy? It's not as if the paper ballots are going to do any harm, right?
We have a fucking ATM world, and I assume that's considered a pretty secure system ...
Don't ATMs give the user a paper record of the transaction, at the time of the transaction, which allows the user to verify the accuracy of the machine? That's the essential element of what's called a voter verifiable paper trail. Voter verifies paper, and voting machine keeps a copy of the paper that's been verified by the voter. That's what many people are looking for.
My attempt to post this earlier failed, but Andrew is saying that the paper receipts are in fact in use everywhere. I didn't think so. From the Orlando Sentinel article quoted here, in 2004 at least many Florida counties did not give receipts.
This not apparently conservative group has a long rant against paper receipts and the voting reform people. I'm sympathetic to the concern about making voting lines longer (I think it's a scandal that lines can get so long; usually in Democratic-voting cities, go figure), but when they talk about recounts they lose me. The problem with Florida was that they didn't finish the recount, not that they were capable of doing one.
Albuquerque used a nice system for early voting in the city election last fall.
I went to City Hall to vote early. At the "Vote Here" counter I affirmed my identity, and the clerk looked me up on the paper voter roll, which I signed. Clerk typed my voter ID into the computer, which printed a ballot just for me. It was the Precinct 193 ballot, which allowed me to vote only for the City Council race in my district. I used JM's #2 pencil to mark the ballot. I checked it to make sure I'd filled it out correctly. I fed it into the optical scanner, which counted my vote and dropped the ballot into a locked box inside the machine, where real people could check it later to make sure the optical reader had correctly counted it (if necessary). Simple, voter verified, auditable.
I seem to remember hearing that NM elected officials in charge of selected voting machines had received whopping great campaign contributions from voting machine manufacturers, but my Google skills aren't up to finding the story. Or else it's a false memory. But that supplies a motive for picking bad machines.
Matt, the slightly older, touchscreen Diebold models allow the election workers to print a copy of the voting record immediately after voting closes. The newer model uses optical scanning, and so combines paper balloting with an electronic record (this model was included in the California deal). I have doubts about how much more secure the addition of paper makes the process, given that if someone is going to be able to remove tamper-evident seals, remove the memory card, reprogram it, replace it, and replace the seal, all without anyone knowing about it (this would have to be done WHILE voting is occurring, or prior to the close of voting printout), then they're certainly going to be able to add some forged paper ballots to the mix.
As far as Diebold having an interest in producing a shoddy product... their business is security. Their election machines are high-profile items. They'd have to be remarkably stupid to go ahead with an obviously risky design.
Maybe it comes from having grown up near New Jersey, but I don't view election fraud as a lefty issue either...
With interlocking directorates, big diversified investment companies, etc., etc., it's not always possible to be sure what a business's business really is.
"As far as Diebold having an interest in producing a shoddy product... their business is security."
No, their business is maximising shareholder return. If they decide that the best way to do this is by creating secure machines, then that's what they will (try to) do. If they decide that they would make more money by dropping voting machines and concentrating on ATMs, or cruise missile guidance chips, or macaroni, or T-shirts, they'll do that.
And if they reckoned that, by making machines that could be hacked, they would be sure of getting those machines bought by certain parties who have an interest in hacking the vote, then (assuming they can deal with the risk of being prosecuted) they will probably do that too. And if they reckoned, instead, that by judicious marketing they could get their product bought whether it was secure or not, then why would they waste money making it secure? GAP could no doubt make shrapnel-proof jackets, but I'm going to buy a GAP jacket whether it's shrapnel-proof or not; so why should they bother?
Late to this conversation, but let me just give Tom and Becks a resounding second: there is no way in hell, for instance, that Diebold ATMs use Microsoft freaking Access as their database. I've built applications that were considerably less important to society than vote-tallying, and if I'd proposed using Access, I'd have been fired. And then punched repeatedly.
But Pintos are a rarity, not a norm, among car models, and designing a ballot machine surely presents simpler challenges, especially for a company that has long built ATMs, among other things, with more of an explicit focus on security, than does an entire operating system. It's certainly POSSIBLE for Diebold to have constructed a deeply flawed ballot machine, tested it, approved it, marketed, and sold it---and sold it to many sophisticated customers at that. But is it likely? I don't think so.
Ajay, I understand how corporations work. But the rationale you're proposing would be an enormous and unnecessary risk, which, over time, would almost certainly lead to massive liability and revenue loss. Diebold has an enormous interest in keeping a name as a competent designer of secure systems, whether they be ATMs or ballot machines. Selling flawed machines for a quick buck would be as tortious as it would be stupid, and could conceivably open those responsible for the company to personal liabilities.
Selling flawed machines for a quick buck would be as tortious as it would be stupid, and could conceivably open those responsible for the company to personal liabilities.
You think that means it doesn't happen? I'm a defense side commercial litigator. The only reason my job exists is that large corporations commit egregious torts constantly, and need someone to pull them out of it.
Let's talk Windows, then. Faulty products, especially in the IT world may not be the norm, but they certainly aren't a rarity.
But is it likely? I don't think so.
It isn't just likely, Andrew. It's documented. Your faith in the competence of these companies is touching, though. I work in a regulated field (pharma) and we would *NEVER EVER EVER* be allowed to use a system without an independently verifiable audit trail. Why hold the very basis of the legitimacy of our government to a lower standard?
But Pintos are a rarity, not a norm, among car models
I'm betting this is just youth, but you seem to be working off some sort of belief that the market is infinitely good at making the right decision. And generally I'm with you. But I don't think it's true nearly as regularly as you do.
This is basically a one-off decision: all of these governments are making the decisions for the first time. They have relatively little incentive to make sure the system works - most elections aren't going to be close enough for them to have to worry about this sort of stuff. After all, the classic complaint about having government provide goods and services is that they have no market accountability. This is precisely the sort of situation when you, as a government official, can start feeding other interests than the ones you are supposed to be feeding.
I'm not saying that Diebold must have made a shitty product; I'm saying that anyone who thinks there is some X making sure that the product isn't shitty is crazy.
82: I'm sure it does happen. Is it probable with a company like Diebold though, on a product as high-profile and as thoroughly tested as this? No. The very report that Smith cites says that the risks presented can be mitigated using appropriate access procedures, even if the bugs were to remain as they are. The procedures California adopted to safeguard the machines are quite rigorous. I don't think the products are perfect. I agree that the products can be improved, but I disagree that they are so remarkably insecure that we need someone to commit a felony to draw the public's attention to it.
83: There ARE paper trails. The older models printed out a trail at the close of voting, and the newer models use paper ballots in conjunction with electronic storage. Your link is to an August 2005 report from an organization with which I'm not familiar involving testing problems with Diebold machines. Problems that seem to have been fixed by voting time: http://phx.corporate-ir.net/phoenix.zhtml?c=106584&p=irol-newsArticle&ID=807176&highlight=
Most telling of all though, is the fact that these machines have been certified for use in 37 states, have been used at tens of thousands of polling stations by millions of people, and we have yet to hear of a single instance of election fraud by tampering with these machines.
Most telling of all though, is the fact that these machines have been certified for use in 37 states, have been used at tens of thousands of polling stations by millions of people, and we have yet to hear of a single instance of election fraud by tampering with these machines.
You don't seem to have followed the fact that one of the basic complaints about these machines is that the audit trail is weak enough that fraud, if it occurred, would be extraordinarily difficult to detect. That certainly doesn't mean that I know that fraud took place in jurisdictions using paperless machines, but you can't use the fact that fraud in the use of the machines hasn't been proven as evidence of their reliability, when the complaint against them is that you can't prove fraud when it does occur.
Andrew, respecting e-voting, the gap between Diebold's (documented) practices and best practices is vast. Way. fucking. vast. Forgive my intemperance, but you write insistently, as if you were defending a principle—instead of a company, which is not even a little bit like a principle. I do not understand.
Eh, I should expect that some of the insistence comes from being the contrarian on this issue. I'll fight to the death over not very much if everyone I'm talking to is lined up against me.
One thing that I would like to know, that Andrew has been mentioning and that I can find mentioned but not fully described -- do the touch screen Diebold machines that have just been approved in California have a paper trail? I think I've seen some articles implying that they do, but I haven't seen a clear description of what it consists of, if it does exist.
But Pintos are a rarity, not a norm, among car models, and designing a ballot machine surely presents simpler challenges
I'm bowing out of the dispute over election machines, but I do teach business ethics, so I know a bit about the Pinto. Ford knew, before producing the Pinto, that it would explode when rear-ended. And they knew how to fix the problem. But because the fix cost (according to this site) $11, they didn't do it. It wasn't a question of engineering difficulties. They did a cost-benefit analysis and concluded that it wasn't worth their while to fix the problem, at $200K per person killed and $67K per major burn injury.
The paper trail the machines produce isn't independent, though. If the machine registers touch screen entries incorrectly, then the paper trail will reproduce those same errors. I prefer the system my district uses: paper ballots where you connect the broken arrows with a felt-tip marker, then feed the card into the op-scan machine. That way, if there is any doubt about the machine tabulation, you can return to the actual ballots cast, rather than simply accepting the machine's word that it counted everything correctly, which is patently insane.
Maryland's GOP governor has lost faith in the machines, btw.
LB, there are two Diebold models approved for use in California (both tested in the linked study), the TS and the OS. The OS uses paper ballots and optically scans them. See http://www.ss.ca.gov/elections/voting_systems/accuvote_os.htm. Here's also a link to which systems were used by county in the California 2005 election. Nearly all those counties using a Diebold product used the OS model. Only two counties used the TS model which, as I said earlier, provides for a printout immediately following the close of voting (though no paper verification for each individual voter). http://www.ss.ca.gov/elections/voting_systems/ss05_systemsinuse_v1.1.pdf.
Apo, when you asked about a paper trail, I read your concern as the same focused on in the California study: that someone would change the contents of the memory card, and we would have no way of checking the original results. So we may have been talking at cross-purposes.
You raise a different issue, of whether the machine itself is correctly tallying results, and, if not, whether we can detect it. I think that even the touch-screen systems have good safeguards in place against this possibility. The machines are tested immediately before voting to ensure that the touch-screens are correctly functioning. The voter is asked during the process if she is sure about her vote. Moreover, randomly selected machines are then retested during the voting day to ensure that they are functioning correctly. If I'm misreading you again, though, and you're concerned about deliberate tampering, e.g. every third vote for candidate X is recast as for candidate Y, without the voter's knowledge, then I don't see how a paper receipt guards against this. A programmer with such incredible access as to perform such a reprogramming undetected, and provide false visual on-screen verification for the voter, could certainly provide false paper receipt printing for the voter as well.
Standpipe, I think part of my tone---though I feel very easygoing while I'm writing this---might derive from Diebold/election-fraud fatigue. I'm perfectly willing to be mistaken about these machines, but thus far I've only seen a lot of hype. The very study that a far more insistent Kevin Drum cites as evidence of a major problem states that the problems can be ameliorated by other procedures while the bugs are fixed, and the protections adopted by California are rigorous. I really would expect to see some instances of election-fraud by this point if these machines were so susceptible to it---and I haven't. I would not have expected so many jurisdictions to have approved the machines if the problems were so enormous either. To me, this casts a lot of doubt on some of the allegations of enormous malfeasance that are being thrown around, and, like everyone here, I'm just as concerned and protective about the legitimacy of our elections and our own confidence in them.
If I'm misreading you again, though, and you're concerned about deliberate tampering, e.g. every third vote for candidate X is recast as for candidate Y, without the voter's knowledge, then I don't see how a paper receipt guards against this.
It does if you retain and check the electronic results against the paper receipts (either a statistical sample, or the full thing) as part of standard procedures.
Everyone probably understood this when LB explained it, but I'm going to elaborate anyway.
The piece of paper is examined by the voter, and then left in a locked box at the voting station. Thus, if there's any question about the accuracy of the machine - bug, oopsie, fraud, whatever - you have a box full of papers, each of which implicitly says "I'm voter X and I approved this ballot". You can then count the papers, and you get a result that is totally independent of anything that might have gone wrong with the electronic system.
By having a whole independent system, complete redundancy, you've got an excellent chance of catching problems of every sort. You'll catch software errors, hardware errors, intermittent errors, difficult to reproduce errors, obscure bugs, everything.
See also Kevin clarifying, for the Meatman, that the guy who approved them was a Republican.
Posted by washerdreyer | Link to this comment | 02-27-06 8:15 AM
At this point, machines lacking a human verifiable paper trail seem to be such an obviously bad idea that I really don't care who's trying to introduce or continue the use of them, or whether they actually have some nefarious plan or whether they're just so stupid that they don't get that someone, at some point, will have a nefarious plan, and the machines will be wide open. Voting procedures are like bank vaults -- they don't need to be secure because you've heard that there's going to be some specific attempt to break in, they need to be secure because stealing money, and changing election results, are things that people generally want to do. You don't leave money lying around unsecured, and you don't leave election results lying around the same way.
Posted by LizardBreath | Link to this comment | 02-27-06 8:20 AM
It looks to my cursory reading of this stuff like hacking would require physical access to the actual machines or to their memory cards, not something you could do online -- also swinging an entire election to a party that got few votes IRL would probably require hacking a significant portion of the machines used in the election.
Posted by Jeremy Osner | Link to this comment | 02-27-06 8:22 AM
See also Kevin clarifying, for the Meatman
It's like the Interweb was closed for the day. Since when is it possible to get the first comment on a WaMo thread when you actually have something to say?
And I agree that this should be a nonpartisan issue. It's just not clear that it is one.
Posted by Matt Weiner | Link to this comment | 02-27-06 8:25 AM
What you would really want to do is somehow get the sourceforge types to set up and run an open source plan to steal a specific or a couple specific elections. Publish the plans, in as detailed a fashion as possible, and make clear that the ability to steal that election now belongs to the world at large. And no felonies.
Posted by SomeCallMeTim | Link to this comment | 02-27-06 8:31 AM
Ok, the first sentence of 2 actually brings up something I was trying to find an answer for last night, and actually [...shiver...] read Drum's comments to look for, but couldn't find. Nothing I could find in the story says that this particular voting machine (I couldn't find which model it is) doesn't have a paper trail. I take the implication that it doesn't, but I couldn't confirm it.
5 - That might be a conspiracy, or possibly a RICO violation.
Posted by washerdreyer | Link to this comment | 02-27-06 8:34 AM
It's just not clear that it is one
While I agree with your assessment of the facts (that is, even perfectly innocent Republicans are more likely to associate concerns about election security with 'sore-loser Democrats' and be resistant to doing the obviously right thing out of simple stubbornness) I think this is one area (I think this about very few areas generally) where making it partisan is a bad idea.
Making it partisan turns instantly into "Are you accusing us of wanting to fix an election? Prove it. You can't? Then shut up. And what about JFK and LBJ, anyway." Keeping it as a straight security issue: we don't know and we don't care who might mess with election results, the problem is that whoever does it it'll be easy, is in this case much more powerful.
(I'd say differently if there were a recent rash of convictions for election fraud, but there just aren't.)
JO-
Oh, this isn't a trivial task, I figure anyone who's up for it needs both the requisite technical abilities and a fair amount of actual sneaking around. On the other hand, I can think of a dozen people I knew as undergrads at MIT who I'd expect to be able to pull something of this apparent level of difficulty -- anyone at CalTech want to stand up for the honor of your school?
Posted by LizardBreath | Link to this comment | 02-27-06 8:39 AM
Or a DMCA violation, or something equally stupid.
Posted by Matthew Harvey | Link to this comment | 02-27-06 8:41 AM
That might be a conspiracy, or possibly a RICO violation.
I should doubt it would be either one (not legal advice, just blather). Publishing, say, Steal this Book is perfectly legal despite the fact that it gives instructions for committing various crimes. For a conspiracy you need an actual agreement to commit a crime, something not present where you're simply publishing instructions, and for a RICO enterprise you need even a stronger relationship than that.
Posted by LizardBreath | Link to this comment | 02-27-06 8:44 AM
7: I just meant this: Before reading Kevin's post, I assumed that CA's Secretary of State was probably a Democrat. When I found out that he'd approved Diebold machines, I figured that it was more likely that he was a Republican (I thought about putting this in terms of Bayes' theorem). And I was right. This is just one case where the assumption "People who want to install easily rigged election systems are Republicans" worked out, but I think there have been other cases.
I agree that we shouldn't present it as a partisan issue or use it as an attempted vote-getter; I'm just pointing out, to a small audience, that one party is more deeply committed to the wrong here.
(I just ran across this attack on paper trails; haven't had time to read it all.)
Posted by Matt Weiner | Link to this comment | 02-27-06 8:45 AM
What about an expat? What would be the penalty for someone living outside the U.S.? Would tampering with a local U.S. election be an extradite-able offense? That would probably be a better way of rallying popular sentiment, too. It's one thing to suggest that other U.S. citizens might tamper with elections (heavens, no! nobody would ever do that! you Democrats are just paranoid and bitter!) but goddamnit if we'll let those foreigners muck with 'em.
Posted by Becks | Link to this comment | 02-27-06 8:49 AM
If it's doable remotely, that might work.
Posted by LizardBreath | Link to this comment | 02-27-06 8:50 AM
IIRC, I think part of the problem is that they won't let anyone inspect the source code of the machines without signing an NDA (as in, if you look at it and find a problem, you can't tell anyone).
Posted by tweedledopey | Link to this comment | 02-27-06 8:53 AM
I don't dispute 9, as I hadn't worked through the elements at all.
Posted by washerdreyer | Link to this comment | 02-27-06 8:55 AM
11: I think the EU has something that covers this. And just ask Dmitry Sklyarov about violating the DMCA and then stepping foot on US soil.
Posted by tweedledopey | Link to this comment | 02-27-06 8:57 AM
I once tried to take a picture of myself at the voting booth (my French ex was astounded by NYC machines), and the election volunteers prevented me. Do any of our lawyers understand what the law there is, and why?
Posted by Jackmormon | Link to this comment | 02-27-06 9:05 AM
16: Depending on which borough that was in and how old the regulation is (assuming it's real), I would bet that the Justice Department pre-cleared it. I base the bet on hearing a member of the Board of Elections of The City of New York give as an example of minor things that they've had pre-cleared, the change from attaching pens to voting booths by a string to attaching them by some kind of sticky pad.
Posted by washerdreyer | Link to this comment | 02-27-06 9:23 AM
No such prohibition is mentioned in either the New York State election laws or the pollworkers manual (both .pdfs). If such a law or regulation existed, it would probably be to prevent someone from demanding that you prove to them that you voted for a specific candidate, in response to either a threat or a bribe.
Posted by washerdreyer | Link to this comment | 02-27-06 9:32 AM
Thanks, w/d! I guess that even if people started taking pictures of their votes, they would probably overwhelmingly be Democrats.
The way the political discourse about elections is framed right now, with Democrats worried about the lack of paper trails and Republicans worried about the lack of identification-verification, it seems as though no meaningful compromise on either of these points is possible without both.
Posted by Jackmormon | Link to this comment | 02-27-06 9:45 AM
The last time I checked into this, the main point of weakness was the district official's machine onto which votes from the terminals are downloaded. At that stage the votes sit in an MS Access file which was either completely unsecured, or had a pretty laughable password applied to it, and no real encryption (MS Access is pretty laughable in its own right -- not something a developer should ever trust important data to). So the real threat here isn't at the voting machines, it's at the point at which votes for a precinct are collected -- and that process/room is probably hard to gain access to.
Posted by tom | Link to this comment | 02-27-06 9:46 AM
Also worth noting that, in order for all these nasty facts about Diebold to come to light, the DMCA pretty much had to be violated (although nobody is being prosecuted for it, to my knowledge). It's a terrible, terrible, terrible law.
Posted by tom | Link to this comment | 02-27-06 9:48 AM
It's not for a DMCA violation, but I did just read on MeFi that one of the Diebold whistle-blowers is being prosecuted.
Posted by Becks | Link to this comment | 02-27-06 9:58 AM
Eh, I'm a little skeptical of the Diebold worries. It's difficult for me to believe that 1) just anyone could gain physical access to a machine to change votes, 2) that the vote-tally isn't recorded and verified immediately after voting is finished, rendering tampering more difficult, 3) that the machine doesn't record keystrokes and access, not to mention alterations of ballot data. And that's just to start.
Here's a company release which addresses some concerns... http://www.diebold.com/dieboldes/pdf/realityvsfantasy.pdf
It also looks like they've come out with a model that produces a paper-trail. Not sure if that's the one that California has purchased.
Posted by Andrew | Link to this comment | 02-27-06 9:58 AM
1) just anyone could gain physical access to a machine to change votes
The problem isn't 'just anyone'. Landslide Lyndon wasn't just anyone when he put himself over the top in his first Senatorial election, he had a power structure that gave him access. The point of election security is to protect against insiders as well as outsiders.
2) that the vote-tally isn't recorded and verified immediately after voting is finished, rendering tampering more difficult, 3) that the machine doesn't record keystrokes and access, not to mention alterations of ballot data. And that's just to start.
On this sort of thing, I haven't the expertise to judge. However, people who do have a certain amount of expertise, including some reputable appearing organizations, appear to still be worried, and it isn't clear to me what they get out of kicking up a fuss if there isn't anything to worry about. Furthermore, I shouldn't need to be an expert to be confident in the validity of the results. If each ballot corresponds to a physical piece of paper, checked by the voter and kept physically secure and available for recount, then I don't need to be an expert.
Posted by LizardBreath | Link to this comment | 02-27-06 10:19 AM
23:
1) not anyone, but the folks doing the counting certainly aren't guaranteed to be impartial. recall the hanging chad debacle and all the difficulties that it raised. a precinct's HQ is very vulnerable.
2) it's the process of recording that makes it susceptible. odds are that the machines themselves are impractical to compromise in a polling station setting -- but when the votes are aggregated, they go into files that are very easy to modify.
3) how do you make a system record unimpeachable data about the integrity of its data? this isn't an impossible problem, but it *is* a difficult one. you can come up with solutions involving public key cryptography, but they're only as good as their implementations (and the security practices surrounding the keys and code). A paper trail is probably simpler and better.
In a perfect world, I'd say that everyone who wants to should be able to have a hash of their vote emailed to them when the vote is actually counted. It can be done in such a way that the identity of who they voted for remains secret to everyone but the voter (even if the email is intercepted).
Posted by tom | Link to this comment | 02-27-06 10:19 AM
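One way to make the aggregated results file discussed above tamper-evident, as an added example that is not part of the original thread: each precinct record is chained to the previous one with an HMAC, so an edit, deletion or reorder breaks verification. It uses a shared HMAC key rather than the public-key signatures the comment mentions; the records, key and function names are constructed, and publishing the final tag on the close-of-voting printout is an assumption.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # fixed starting value for the chain


def _tag(key, prev_tag, seq, record):
    """HMAC over the previous tag, the position and the canonical record."""
    body = json.dumps({"seq": seq, "record": record},
                      sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_tag.encode() + body, hashlib.sha256).hexdigest()


def append(log, key, record):
    """Add a record to the log and return the new head tag."""
    prev = log[-1]["tag"] if log else GENESIS
    entry = {"seq": len(log), "record": record,
             "tag": _tag(key, prev, len(log), record)}
    log.append(entry)
    return entry["tag"]


def verify(log, key, expected_head=None):
    """Return None if the chain is intact, else the index of the first
    entry that fails. len(log) is returned when every entry checks out
    but the final tag differs from expected_head (entries were dropped
    from, or added to, the end)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        good = _tag(key, prev, i, entry["record"])
        if entry["seq"] != i or not hmac.compare_digest(good, entry["tag"]):
            return i
        prev = entry["tag"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return len(log)
    return None


def build_constructed_log(key):
    """Constructed sample: three precinct tallies arriving at aggregation."""
    log, head = [], GENESIS
    for pid, a, b in (("P001", 500, 480), ("P002", 610, 395), ("P003", 288, 301)):
        head = append(log, key, {"precinct": pid, "A": a, "B": b})
    return log, head


if __name__ == "__main__":
    key = b"constructed-demo-key"  # a real key would live outside the log's host
    log, head = build_constructed_log(key)
    print("intact:", verify(log, key, head))
    log[1]["record"]["B"] += 30    # an edit to the aggregated file
    print("first bad entry:", verify(log, key, head))
```

Anyone who holds the key can rebuild a chain that verifies, and without a head tag recorded somewhere else a truncated log still passes, which is the "only as good as the security practices surrounding the keys" caveat in concrete form.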
It follows that in a perfect world everyone has e-mail and knows what a hash is, right? Paper just seems much simpler.
Posted by Matt Weiner | Link to this comment | 02-27-06 10:33 AM
If each ballot corresponds to a physical piece of paper, checked by the voter and kept physically secure and available for recount, then I don't need to be an expert.
Exactly. Voter verified paper trail. That's the way to do it. Along with physical audits of random samples - pick one or two or whatever percent of the precincts and actually have real live people examine the paper records which the voters themselves verified, and compare that total with whatever the automated equipment produced.
NM has been arguing over this. There's a lawsuit, with motions and affidavits and data online:
http://www.voteraction.org/index.php/static/Lopategui_Lawsuit
Some of the data on undercounts and overcounts at precincts is very suggestive, and I think it's posted there somewhere
And there's political and legislative action
http://uvotenm.org/leg.html
Posted by Michael H Schneider | Link to this comment | 02-27-06 10:33 AM
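The random-sample audit described in the comment above, as an added example that is not part of the original thread: it computes how likely a sample of precincts is to include at least one altered precinct, draws a reproducible sample from a published seed, and compares hand counts of the paper with the machine totals. The 100-precinct election, vote counts and seed are constructed, and all function names are hypothetical.

```python
import random
from math import comb


def detection_probability(total, altered, sample):
    """Chance that a uniform random sample of `sample` precincts (drawn
    without replacement) contains at least one of the `altered` ones."""
    if altered <= 0 or sample <= 0:
        return 0.0
    if sample > total - altered:
        return 1.0  # not enough clean precincts to fill the sample
    return 1.0 - comb(total - altered, sample) / comb(total, sample)


def min_sample_size(total, altered, confidence=0.95):
    """Smallest sample size whose detection probability reaches `confidence`."""
    for size in range(total + 1):
        if detection_probability(total, altered, size) >= confidence:
            return size
    return total


def draw_sample(precinct_ids, size, seed):
    """Reproducible draw: anyone holding the seed can re-derive the list.
    Assumption: the seed is generated in public after machine totals are
    published. random.Random is used for brevity."""
    rng = random.Random(seed)
    return sorted(rng.sample(sorted(precinct_ids), size))


def compare(machine_totals, hand_counts):
    """Return {precinct: {candidate: hand - machine}} for every mismatch
    among the precincts that were hand counted."""
    mismatches = {}
    for pid, hand in hand_counts.items():
        machine = machine_totals.get(pid, {})
        delta = {}
        for cand in sorted(set(hand) | set(machine)):
            diff = hand.get(cand, 0) - machine.get(cand, 0)
            if diff:
                delta[cand] = diff
        if delta:
            mismatches[pid] = delta
    return mismatches


def build_constructed_election(precincts=100, step=10, shift=30):
    """Constructed data: the paper is the truth; in every `step`-th precinct
    the machine total has `shift` votes moved from candidate A to B."""
    paper, machine = {}, {}
    for i in range(precincts):
        pid = f"P{i:03d}"
        paper[pid] = {"A": 500, "B": 480}
        machine[pid] = dict(paper[pid])
        if i % step == 0:
            machine[pid] = {"A": 500 - shift, "B": 480 + shift}
    return paper, machine


def audit(machine, paper, size, seed):
    """Draw the sample, 'hand count' it (here: look up the paper truth),
    and report the sampled precincts plus any mismatches."""
    sample = draw_sample(machine, size, seed)
    hand_counts = {pid: paper[pid] for pid in sample}
    return sample, compare(machine, hand_counts)


if __name__ == "__main__":
    paper, machine = build_constructed_election()
    for size in (1, 2, 25):
        print(size, "precincts ->", round(detection_probability(100, 10, size), 3))
    print("sample size for 95%:", min_sample_size(100, 10))
    sample, mismatches = audit(machine, paper, 25, seed=20060227)
    print(len(sample), "audited;", "mismatches:", mismatches)
```

With 10 of 100 precincts altered, a 2 percent sample finds one only about 19 percent of the time, while 25 precincts are needed for 95 percent, so the sampling rate has to be set from the smallest alteration that could change the outcome.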
25: It's obvious that we need quantum voting. If it's been tampered with, you'll know.
Posted by tweedledopey | Link to this comment | 02-27-06 10:36 AM
Democrats worried about the lack of paper trails and Republicans worried about the lack of identification-verification, it seems as though no meaningful compromise on either of these points is possible without both.
Democrats should probably get on the ID bandwagon, going along with whatever the hell it is that the Republicans are worried about but demanding that the ID requirement be fulfillable by free ID's available at convenient locations nationwide (off the top of my head, every public high school or every library would do it) and with a kickass publicity campaign making sure people understood the new requirements. That Georgia mess where the new voting ID's weren't available in, say, Atlanta, the only place where someone without a driver's license would be likely to live, is obscene. (I may have the facts moderately garbled here -- I haven't looked them up recently.)
In a perfect world, I'd say that everyone who wants to should be able to have a hash of their vote emailed to them when the vote is actually counted. It can be done in such a way that the identity of who they voted for remains secret to everyone but the voter (even if the email is intercepted).
This is still bad, because it allows the voter to prove who they voted for and thus sell their votes. When I say 'paper trail', what I want is: (1) voter goes to terminal wanting to vote for Donald Duck, and presses the buttons to do so (2) A ballot prints out -- whoops, he miskeyed. It says, in both text and whatever an optical reader would be happiest with, "Minnie Mouse." (3) No problem. The "Is that your final vote?" screen is still open. He hits "No" which puts him back on the voting screen. He votes for Donald Duck, and this time, it prints out correctly. (4) He tears up the spoiled ballot, hits "Yes, this is my final vote" and walks across the room to the ballot box, where he drops it in as an election official watches to make sure he's only dropping in one. (5) Preliminary results come from the terminals -- official results come from the optical counting of paper ballots, to be followed by a hand-count if circumstances require.
Posted by LizardBreath | Link to this comment | 02-27-06 10:37 AM
LB, as I recall, you've got the facts exactly right about Georgia. Also, the ID wasn't free. Also, the sponsor of the law had explicitly racist intentions, and the professionals in the Justice Department who argued against approving the plan were overruled by Bush political appointees.
All of which makes me think that we need to see a lot more good faith from the other side of the aisle before we work with them on voter ID. Partisan, but I think unavoidable.
Posted by Matt Weiner | Link to this comment | 02-27-06 10:47 AM
This is still bad, because it allows the voter to prove who they voted for and thus sell their votes.
Not really, if the voter is the only one who knows what the receipt means. For example: the terminal says "enter 'opposite day' mode?" before the user logs out. They say yes or no. Their eventual receipt says "you voted for the democrat", but the meaning of this varies based on their still-secret choice.
Obviously you'd actually implement this differently, but it could basically work. You'd be free to take the vote-buyer's money, but he'd have no way to actually verify your vote.
Weiner's point about the digital divide is relevant, though. I certainly don't expect such a system to ever *actually* be put in place. Not anytime soon, anyway.
Oh! One other neat technological idea I had about voting: with these machines, it'll be possible to videotape everyone voting without revealing who they vote for. Just randomize the placement of buttons on the screen and put a polarizing filter over the camera lens. LCD light is polarized, so the screen would appear blank on tape (assuming the filter was properly oriented), but you could still keep a very close eye on what everyone was doing to the machines.
Posted by tom | Link to this comment | 02-27-06 10:47 AM
Not that anyone asked, but this is a fairly good two page summary of problems with ID requirements (.pdf).
Posted by washerdreyer | Link to this comment | 02-27-06 10:49 AM
If any problem is likely to occur at the place of vote aggregation, why not have the machines send the unaggregated information to a lot of places, including the parties running for election and the media?
Posted by SomeCallMeTim | Link to this comment | 02-27-06 11:02 AM
33 is an interesting idea but I think putting the machines online makes them more susceptible, not less. Currently the vulnerable moment is when the memory card is taken out of the machine and transported to the place of aggregation. If the machine is online then it's vulnerable for the whole time it's connected.
Posted by Jeremy Osner | Link to this comment | 02-27-06 11:15 AM
Ideally, what you want is to have the machines disconnected from everything but power. That makes it really difficult to hack them.
Posted by tweedledopey | Link to this comment | 02-27-06 11:28 AM
Here's an idea. Have it write to Non-volatile media (i.e. a DVD) every so often with an audit trail. Yes, it's more expensive, but it's a lot harder to screw with that kind of data. Maybe they already use some sort of NV media, I don't know.
Posted by tweedledopey | Link to this comment | 02-27-06 11:30 AM
Something that appears obvious to me (but as I keep saying I don't know much so you can talk me out of it) is that all the software should be required to be open-source. Every interested programmer in the country should be hammering on it looking for flaws and security problems long before it's used in any election.
Posted by LizardBreath | Link to this comment | 02-27-06 11:36 AM
LB, it's actually a pretty good idea. Security by obscurity usually isn't all that secure (eventually, insecurities get found out). Of course, it runs all the risks of a general oss project: splinter factions, someone has to be in control of the source, etc. A modification of this, allowing multiple groups to create their own voting systems and then letting others try to crack it, is perhaps a bit more effective, but falls along the same lines.
Posted by tweedledopey | Link to this comment | 02-27-06 11:50 AM
I'm not an expert either, but given the number of states who have purchased these machines, and Diebold's sophistication, it's difficult for me to believe that these machines are as easy to rig as the author in the link seems to believe. Reading the article, I had the impression that if one has the right password, one can easily modify files containing voting data---and that just strikes me as highly unlikely.
Posted by Andrew | Link to this comment | 02-27-06 12:03 PM
Andrew, Kevin's link quotes the panel of experts that the Secretary of State himself relied on in order to recertify the Diebold machines. They had harsh criticisms of Diebold, and it got recertified anyway. So I'm not inclined to put much weight on the state's use of the machines. Nor do I think Diebold's sophistication indicates much of anything; we have seen companies deliver poor product to the government before.
(And that press release is pretty underwhelming, in light of the successful hacks that have been reported.)
Posted by Matt Weiner | Link to this comment | 02-27-06 12:14 PM
Diebold's sophistication
What does this mean?
Posted by SomeCallMeTim | Link to this comment | 02-27-06 12:17 PM
You don't need to look at software if you have a non-volatile recording medium (paper); where the voter can see and verify the correctness of the mark on the paper (yup, it says Donald Duck); and whatever machine counts the votes is double-checked against people counting the marks on the paper (yes, that says Donald Duck, put it in the Duck pile, which we'll count when we've sorted). Simple is good. Transparency is good, except we can use opaque paper. Trust, but verify.
My suspicion is that most incumbents have an interest in keeping a system that allows manipulation.
Posted by Michael H Schneider | Link to this comment | 02-27-06 12:19 PM
In fact, you don't even need the password to modify the files. You only need the password to alter it using the client program, GEMS. If you want to change the data using a script or other direct manipulation of the data file, no password is needed. Also, not only is the data stored in an insecure Access database, the user logs are stored in that format as well. Makes it really easy to delete the records that show what you did and cover your tracks.
Posted by Becks | Link to this comment | 02-27-06 12:21 PM
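An added illustration of the log-deletion problem raised in the comment above (not part of the thread, and not Diebold's or GEMS's code): a hash-chained audit log in Python, where each record commits to the one before it and the final hash is copied somewhere the machine cannot rewrite, such as a printed end-of-day report. The record fields and sample entries are constructed for the example.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # fixed starting value for the chain

# Constructed sample entries; the field names are assumptions for this example.
SAMPLE_ENTRIES = [
    {"seq": 1, "user": "operator1", "action": "login"},
    {"seq": 2, "user": "operator1", "action": "modify table"},
    {"seq": 3, "user": "operator1", "action": "print report"},
    {"seq": 4, "user": "operator1", "action": "logout"},
]


def _digest(prev_hash, entry):
    """SHA-256 over the previous record's hash plus a canonical form of the entry."""
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def append(log, entry):
    """Append an entry to the chain and return the new head hash."""
    prev = log[-1]["hash"] if log else GENESIS
    head = _digest(prev, entry)
    log.append({"entry": entry, "prev": prev, "hash": head})
    return head


def verify(log, anchored_head=None):
    """Check every link; if anchored_head is given, also check the final hash
    against the copy kept outside the machine. Returns (ok, reason)."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["prev"] != prev:
            return (False, f"record {i}: chain link broken")
        if _digest(prev, rec["entry"]) != rec["hash"]:
            return (False, f"record {i}: content does not match hash")
        prev = rec["hash"]
    if anchored_head is not None and prev != anchored_head:
        return (False, "head hash differs from externally anchored value")
    return (True, "ok")


def rebuild(entries):
    """Worst case for the verifier: the whole file is rewritten as a fresh,
    internally consistent chain over a different set of entries."""
    log = []
    for entry in entries:
        append(log, entry)
    return log


def demo():
    """Run the checks against an intact log and four altered copies."""
    log = []
    head = None
    for entry in SAMPLE_ENTRIES:
        head = append(log, entry)
    # 'head' is the value that would be copied to paper at close of day.

    results = {"intact": verify(log, head)}

    # A record removed from the middle of the file.
    deleted = [r for r in log if r["entry"]["seq"] != 2]
    results["record_deleted"] = verify(deleted, head)

    # A record edited in place.
    edited = copy.deepcopy(log)
    edited[1]["entry"]["action"] = "view report"
    results["record_edited"] = verify(edited, head)

    # Records dropped from the end: links are fine, only the anchor notices.
    results["truncated"] = verify(log[:2], head)

    # File rewritten from scratch without record 2: the chain alone cannot
    # tell, which is why the head hash has to live off the machine.
    rebuilt = rebuild([e for e in SAMPLE_ENTRIES if e["seq"] != 2])
    results["rebuilt_unanchored"] = verify(rebuilt)
    results["rebuilt_anchored"] = verify(rebuilt, head)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:20s} {outcome}")
```

The chain by itself only catches in-place edits and deletions; a file rewritten end to end passes until it is compared with the head hash held elsewhere, which is the same role the paper record plays in the rest of this thread.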
41: perhaps it's a tricksy way of accusing Diebold's management of being sophists
Posted by washerdreyer | Link to this comment | 02-27-06 12:31 PM
It's not just Diebold.
A review of votes tallied by machine type in the 2004 presidential election in NM reports a total of 21,084 undervotes. That is, apparently 21,084 people actually took the trouble to cast a ballot but did not indicate a choice for president. The election was decided by fewer than 7,000 votes.
Breaking it down by machine used, undervoting rates ranged from fewer than 1% to more than 5%, depending on machine type. That's a rather large variance, and suggests that some machines are very prone to failing to accurately record votes.
Obviously this data isn't conclusive, but is certainly worrisome. It's from
http://www.voteraction.org/index.php/static/State_Data
and then the link on that page called "complete summary".
Here's another tidbit from the same source:
"Dona Ana County's 207 overseas absentee ballots, none of which recorded a presidential vote, resulting in an undervote rate of 100%"
Dona Ana County is, overall, a strongly Democratic area. Weird, isn't it?
Posted by Michael H Schneider | Link to this comment | 02-27-06 12:50 PM
You're all very cute with your concern for verifiable election results. Downright adorable, really.
But isn't voting itself unpatriotic? We're talking long lines at the polling place, which means time away from your traditional household and (three part-time) job(s).
What is America without strong families and hard work?
Communist China, that's what.
Posted by Stanley | Link to this comment | 02-27-06 1:39 PM
"At this point, machines lacking a human verifiable paper trail seem to be such an obviously bad idea...."
I Do My Thing: it was pretty clear when posts first started showing up on the topic in comp.risks back in the mid-Nineties.
Posted by Gary Farber | Link to this comment | 02-27-06 1:45 PM
Useful to know. So, you know anyone who wants to go to jail for the Cause?
Posted by LizardBreath | Link to this comment | 02-27-06 1:48 PM
On Usenet, everyone fought over who would get to throw themselves under a horse for universal suffrage.
Posted by Tia | Link to this comment | 02-27-06 2:03 PM
Tia is the hero!
Posted by Becks | Link to this comment | 02-27-06 2:13 PM
Nice try, Becks, but I am not throwing myself under a horse.
Posted by Tia | Link to this comment | 02-27-06 2:23 PM
Matt, the report was narrowly focused on the question of whether an individual who was able to remove and replace a machine's memory card undetected, at some point during the voting procedure, could do so in such a way as to avoid electronic detection and alter the voting results. Essentially it finds that reprogramming the card would be possible, if the user had complete knowledge of the system. The report does not address whether it would be possible for an individual to have such undetected access, and expressly disclaims any pretense to being a comprehensive security review.
Moreover, the report relied upon the notion that the cryptographic key required to change a memory card's contents would remain at the default setting, which Smith publishes in his article. But apparently California requires the key to be changed prior to the voting procedure. We don't learn anything about the procedures of other states from the article, which assumes the default setting is left in place, but I'd bet that most or all of them change it. It remains possible, according to the reviewers, for the reprogramming to occur if the user has the key, but now we're talking about a very small group of individuals.
One of the models ordered is an optical reader, and does provide for paper ballots.
Finally, there are paper counts printed immediately upon completion of each voting day from each machine, and the memory cards are kept sealed in place until removed in the presence of election workers. How they could be removed, reprogrammed, and replaced without detection is a feat that the article does not even begin to contemplate.
Here's a quote from the California report on the procedures followed by all jurisdictions:
Different jurisdictions around the country have somewhat different procedures for conducting an election with the Diebold AV-OS and AV-TSx systems, but all include the following steps:
1. Before the election, the removable memory cards are initialized through the GEMS election management system with the appropriate election description information for the precinct the machine will be used in, and with the AccuBasic object code scripts to be used, and with other information detailed below.
2. The initialized cards are then inserted into the voting machines (optical scan or touchscreen); the compartment in which the card sits is locked and sealed with a tamper-evident seal of some kind.
3. The voting machine with its enclosed card is transported to the precinct poll site where it is stored over night (or longer) until the start of the election.
4. At the start of the election, a script on the card is used to print initial reports, including the Zero Report, which should indicate that all the vote counters are zero (in the AV-OS) and file of voted ballots is empty (in the AV-TSx).
5. All during election day, voted paper ballots are scanned and the appropriate counters on the removable memory card are incremented (AV-OS), or the voted ballots themselves are stored electronically on the memory card (AV-TSx), and electronic audit log records are appended to a file on the card.
6. At the end of election day, a script from the card is used to print final reports for the day, including vote totals.
7. Finally, one of two steps is taken, depending on the jurisdiction: either (a) the seal is broken and the memory card is removed and transported back to a central location for canvass using GEMS; or, (b) the entire voting machine is transported to the central location, where election officials break the seal, remove the memory card, and read its contents during the canvass.
The threats we are concerned about specifically involve modification of the contents of the memory card, especially the AccuBasic object code. In other words, somewhere along the line, in the procedure above, the attacker is able to get a memory card, arbitrarily modify its contents, and surreptitiously place it in a voting machine for use in an election, and do so without being immediately detected.
To my inexpert eyes, that looks pretty good. I'm sure that under certain conditions voting fraud is possible, as it would be possible under all procedures, but it seems pretty unlikely here.
Posted by Andrew | Link to this comment | 02-27-06 2:28 PM
throwing myself under a horse
Hey wait, this wouldn't have anything to do with the e-mail I received last night advertising online photos of bestial hijinx would it? Tia, have you been hanging around with Emerson?
Posted by Jeremy Osner | Link to this comment | 02-27-06 2:29 PM
39: I sort of assumed Diebold would know what they're doing, too. But reading about GEMS, anyone tech-savvy will realize that they didn't do a professional job on this project. MS Access is for salespeople and secretaries. This is "hired-your-nephew-to-do-it" bullshit. I realize it sounds implausible, but nobody who knows what they're doing would take this seriously.
I'm no uber-l33t programmer; I design web apps, which is not exactly glamorous work in the programming world (tho I like it). But even I know this is laughable. I can only imagine what it looks like to the CS professors who are (politely) making the case against it.
Posted by tom | Link to this comment | 02-27-06 2:35 PM
52:
I'm trying to figure out how to say this so that it doesn't sound rude. Given that you've said that you don't have the technical knowledge to judge, how does a page full of procedures reassure you? (I should note that the linked report referred to other bugs in the programming with security implications, not encompassed by the removable card issue). I'm in a similar position, worried without the technical knowledge to be reassured by the provision of technical detail, but I know what will reassure me: a system that operates securely and checkably at my level of understanding. Paper.
Posted by LizardBreath | Link to this comment | 02-27-06 2:42 PM
Tia, have you been hanging around with Emerson?
I was thinking of something more along these lines. Why must you people read sexual innuendo into everything?
Posted by Tia | Link to this comment | 02-27-06 2:51 PM
I know what will reassure me: a system that operates securely and checkably at my level of understanding. Paper.
That's basically the issue. It's epistemic: the voting systems people haven't earned my trust that they're doing it right. I can't judge things like this, but comments like 54 (which I've seen from a lot of people) give me enough pause that I want to demand a system with a lot more transparency in it. As it is, we basically have to trust Diebold when they say it can't go wrong. If there were paper records there would be a backup -- the machines in Florida were fuxxored enough that they failed to pick up a reasonable number of votes, but we would have been able to get an accurate count if Harris, Bush, and the Supreme Court shitbags had let us.
(This is aside from the ballot design errors that caused a lot of people to mark their ballots wrong or, as in Duval county, non-machine-readably. Those can happen with touch-screen machines too. Often, on my ATM, I will hit what looks like the X button, and it will record as the one below it; since I am above the screen, the bit of glass that looks like X to me is actually the one over the button below it. Another reason why it would be nice to have a printout that says "You voted for Donald Duck.")
Posted by Matt Weiner | Link to this comment | 02-27-06 3:21 PM
55: I don't have the technical knowledge to judge the programming, but I can certainly judge the physical security involved, which is what the procedures I copied detail. It seems substantial. There are also paper printouts already available with these machines, and those printouts are apparently used in every jurisdiction. Taken in conjunction with the electronic security, the voting process to me seems highly secure. And not just to me, but to every institution that has adopted the use of these machines.
Unless one is willing to say that every adopting jurisdiction is either 1) deliberately facilitating election-fraud, or 2) just plain fooled, or 3) bribed to accept substandard equipment, it's difficult to square the acceptance by so many sophisticated customers of a product by a sophisticated producer with an evaluation that the product is obviously and fatally flawed.
I could be completely wrong. But it's noteworthy that, as far as I know, no one has yet proven a single instance of election fraud with these machines---which is certainly what one would expect if they were so insecure. Of course, the years have established any number of instances of election fraud using paper ballots.
Posted by Andrew | Link to this comment | 02-27-06 3:53 PM
Andrew, I don't know what you mean when you say, "There are also paper printouts already available with these machines, and those printouts are apparently used in every jurisdiction." At least recently (see quoted Orlando Sentinel article), paper receipts weren't used in many jurisdictions in Florida. Are you talking about something else? As for the election fraud, the machines haven't been in use very long, many problems have been documented, and I'm not sure how we'd know that fraud occurred unless someone 'fessed up.
I'm going with Tom's expertise here.
Posted by Matt Weiner | Link to this comment | 02-27-06 4:03 PM
no one has yet proven a single instance of election fraud with these machines
Uh, shouldn't that be the other way around? Shouldn't we reject a system unless it's been proved accurate? Given that any system is going to be vulnerable, given enough inside access and expertise, isn't a system with multiple redundancies and multiple independent checks best? That's the theory of double entry bookkeeping. Paper, as LB says.
Look at the New Mexico data. It certainly strongly suggests problems with electronic voting machines.
on my ATM, I will hit what looks like the X button, and it will record as the one below it
There was considerable anecdotal evidence of this happening in NM. People reported having to wail away at different spots on the screen to get the KERRY button to light up. Something about possible misalignment of the paper overlay, I think.
Posted by Michael H Schneider | Link to this comment | 02-27-06 4:08 PM
I just don't understand how hard this could be. We have a fucking ATM world, and I assume that's considered a pretty secure system. How hard can it be to build a voting system that is as reliable, straightforward, and secure as a system that has been in mature use for at least 15 years?
Posted by SomeCallMeTim | Link to this comment | 02-27-06 4:12 PM
*raises hand*
If the code that runs the machine is vulnerable, then how is any printout gathered after the fact reliable?
MagicCala operation: change code to Spew Evil instead of accurate voting data, carefully follow the procedures Andrew listed. When someone runs the report, it's still going to Spew Evil. All the procedures in the world involving handcuffed briefcases aren't going to help at that point.
I'm not sure if any of these problems presuppose any greater corruption or incompetence than occurs now. But I suspect that we don't need great levels of corruption or incompetence for a mistake or unsecured terminal to cause problems. People aren't smart with digital security.
Moreover, the appearance of honesty in an election cannot be overvalued. The first election that's close where it turns out the supervisor hadn't changed the default password will just be a mess.
Posted by Cala | Link to this comment | 02-27-06 4:16 PM
Enough! Number two pencils all-round!
Posted by Jackmormon | Link to this comment | 02-27-06 4:22 PM
Unless one is willing to say that every adopting jurisdiction is either 1) deliberately facilitating election-fraud, or 2) just plain fooled, or 3) bribed to accept substandard equipment, it's difficult to square the acceptance by so many sophisticated customers of a product by a sophisticated producer with an evaluation that the product is obviously and fatally flawed.
How do you explain the reputable voices saying that there is a significant security problem, in the absence of an independent ability to check what they're saying? I can see reasons for Diebold (and other paper-free voting systems manufacturers) to be misleadingly sanguine about the security of their systems -- they want to sell them. I can see reasons for jurisdictions to buy the systems despite their lack of proven security: carelessness, cronyism, knee-jerk resistance to what is perceived as a lefty issue, and perhaps, or perhaps not, in some instances a bad-faith wish to have a riggable system. I don't see any reasons for reputable organizations to bad-mouth these systems without a good-faith basis for their fears: this doesn't make them right, but it does mean that you can't just resolve the issue by being trusting. You have to decide who is more worthy of trust.
What caps it for me is that a secure system (by my lights) is not at all difficult to design, nor is it particularly expensive by the standards of current elections. So why not make me (and all the other concerned voices out there) happy? It's not as if the paper ballots are going to do any harm, right?
Posted by LizardBreath | Link to this comment | 02-27-06 4:22 PM
We have a fucking ATM world, and I assume that's considered a pretty secure system ...
Don't ATMs give the user a paper record of the transaction, at the time of the transaction, which allows the user to verify the accuracy of the machine? That's the essential element of what's called a voter verifiable paper trail. Voter verifies paper, and voting machine keeps a copy of the paper that's been verified by the voter. That's what many people are looking for.
Posted by Michael H Schneider | Link to this comment | 02-27-06 4:25 PM
We have a fucking ATM world
Also, it's not like Diebold can't do it on their voting machines considering they also make freakin' ATMs.
Posted by Becks | Link to this comment | 02-27-06 4:27 PM
My attempt to post this earlier failed, but Andrew is saying that the paper receipts are in fact in use everywhere. I didn't think so. From the Orlando Sentinel article quoted here, in 2004 at least many Florida counties did not give receipts.
This not apparently conservative group has a long rant against paper receipts and the voting reform people. I'm sympathetic to the concern about making voting lines longer (I think it's a scandal that lines can get so long; usually in Democratic-voting cities, go figure), but when they talk about recounts they lose me. The problem with Florida was that they didn't finish the recount, not that they were capable of doing one.
Posted by Matt Weiner | Link to this comment | 02-27-06 4:37 PM
Albuquerque used a nice system for early voting in the city election last fall.
I went to City Hall to vote early. At the "Vote Here" counter I affirmed my identity, and the clerk looked me up on the paper voter roll, which I signed. Clerk typed my voter ID into the computer, which printed a ballot just for me. It was the Precinct 193 ballot, which allowed me to vote only for the City Council race in my district. I used JM's #2 pencil to mark the ballot. I checked it to make sure I'd filled it out correctly. I fed it into the optical scanner, which counted my vote and dropped the ballot into a locked box inside the machine, where real people could check it later to make sure the optical reader had correctly counted it (if necessary). Simple, voter verified, auditable.
I seem to remember hearing that NM elected officials in charge of selected voting machines had received whopping great campaign contributions from voting machine manufacturers, but my Google skills aren't up to finding the story. Or else it's a false memory. But that supplies a motive for picking bad machines.
Posted by Michael H Schneider | Link to this comment | 02-27-06 4:38 PM
Wow, Michael, that sounds suspiciously easy.
Posted by Jackmormon | Link to this comment | 02-27-06 4:58 PM
The question is, how did he get his hands on your pencil?
Posted by LizardBreath | Link to this comment | 02-27-06 5:04 PM
(all together now) at the Mineshaft.
Posted by Matt Weiner | Link to this comment | 02-27-06 5:11 PM
Matt, the slightly older, touchscreen Diebold models allow the election workers to print a copy of the voting record immediately after voting closes. The newer model uses optical scanning, and so combines paper balloting with an electronic record (this model was included in the California deal). I have doubts about how much more secure the addition of paper makes the process, given that if someone is going to be able to remove tamper-evident seals, remove the memory card, reprogram it, replace it, and replace the seal, all without anyone knowing about it (this would have to be done WHILE voting is occurring, or prior to the close of voting printout), then they're certainly going to be able to add some forged paper ballots to the mix.
As far as Diebold having an interest in producing a shoddy product... their business is security. Their election machines are high-profile items. They'd have to be remarkably stupid to go ahead with an obviously risky design.
Maybe it comes from having grown up near New Jersey, but I don't view election fraud as a lefty issue either...
Posted by Andrew | Link to this comment | 02-27-06 5:36 PM
As far as Diebold having an interest in producing a shoddy product... their business is security.
Which is to say, there never was a problem with the Pinto - cars are Ford's business.
Posted by SomeCallMeTim | Link to this comment | 02-27-06 5:42 PM
It was Catherine the Great who supposedly threw herself under a horse, but that was a rural legend.
Posted by John Emerson | Link to this comment | 02-27-06 5:45 PM
"Their business is...."
With interlocking directorates, big diversified investment companies, etc., etc., it's not always possible to be sure what a business's business really is.
Posted by John Emerson | Link to this comment | 02-27-06 5:49 PM
Two words:
1. early
2. often
GOTV!
Posted by eb | Link to this comment | 02-28-06 12:02 AM
there never was a problem with the Pinto - cars are Ford's business.
There never was a problem with Windows - secure operating systems are Microsoft's business.
Posted by apostropher | Link to this comment | 02-28-06 12:04 AM
"As far as Diebold having an interest in producing a shoddy product... their business is security."
No, their business is maximising shareholder return. If they decide that the best way to do this is by creating secure machines, then that's what they will (try to) do. If they decide that they would make more money by dropping voting machines and concentrating on ATMs, or cruise missile guidance chips, or macaroni, or T-shirts, they'll do that.
And if they reckoned that, by making machines that could be hacked, they would be sure of getting those machines bought by certain parties who have an interest in hacking the vote, then (assuming they can deal with the risk of being prosecuted) they will probably do that too. And if they reckoned, instead, that by judicious marketing they could get their product bought whether it was secure or not, then why would they waste money making it secure? GAP could no doubt make shrapnel-proof jackets, but I'm going to buy a GAP jacket whether it's shrapnel-proof or not; so why should they bother?
Posted by ajay | Link to this comment | 02-28-06 3:18 AM
And by "judicious marketing" I mean, of course, "bribing elected officials".
Posted by ajay | Link to this comment | 02-28-06 3:20 AM
Late to this conversation, but let me just give Tom and Becks a resounding second: there is no way in hell, for instance, that Diebold ATMs use Microsoft freaking Access as their database. I've built applications that were considerably less important to society than vote-tallying, and if I'd proposed using Access, I'd have been fired. And then punched repeatedly.
Posted by Matthew Harvey | Link to this comment | 02-28-06 6:06 AM
But Pintos are a rarity, not a norm, among car models, and designing a ballot machine surely presents simpler challenges, especially for a company that has long built ATMs, among other things, with more of an explicit focus on security, than does an entire operating system. It's certainly POSSIBLE for Diebold to have constructed a deeply flawed ballot machine, tested it, approved it, marketed, and sold it---and sold it to many sophisticated customers at that. But is it likely? I don't think so.
Ajay, I understand how corporations work. But the rationale you're proposing would be an enormous and unnecessary risk, which, over time, would almost certainly lead to massive liability and revenue loss. Diebold has an enormous interest in keeping a name as a competent designer of secure systems, whether they be ATMs or ballot machines. Selling flawed machines for a quick buck would be as tortious as it would be stupid, and could conceivably open those responsible for the company to personal liabilities.
Posted by Andrew | Link to this comment | 02-28-06 7:25 AM
Selling flawed machines for a quick buck would be as tortious as it would be stupid, and could conceivably open those responsible for the company to personal liabilities.
You think that means it doesn't happen? I'm a defense side commercial litigator. The only reason my job exists is that large corporations commit egregious torts constantly, and need someone to pull them out of it.
Posted by LizardBreath | Link to this comment | 02-28-06 7:33 AM
But Pintos are a rarity, not a norm
Let's talk Windows, then. Faulty products, especially in the IT world may not be the norm, but they certainly aren't a rarity.
But is it likely? I don't think so.
It isn't just likely, Andrew. It's documented. Your faith in the competence of these companies is touching, though. I work in a regulated field (pharma) and we would *NEVER EVER EVER* be allowed to use a system without an independently verifiable audit trail. Why hold the very basis of the legitimacy of our government to a lower standard?
Posted by apostropher | Link to this comment | 02-28-06 7:40 AM
But Pintos are a rarity, not a norm, among car models
I'm betting this is just youth, but you seem to be working off some sort of belief that the market is infinitely good at making the right decision. And generally I'm with you. But I don't think it's true nearly as regularly as you do.
This is basically a one-off decision: all of these governments are making the decisions for the first time. They have relatively little incentive to make sure the system works - most elections aren't going to be close enough for them to have to worry about this sort of stuff. After all, the classic complaint about having government provide goods and services is that they have no market accountability. This is precisely the sort of situation when you, as a government official, can start feeding other interests than the ones you are supposed to be feeding.
I'm not saying that Diebold must have made a shitty product; I'm saying that anyone who thinks there is some X making sure that the product isn't shitty is crazy.
(Wolfson!)
Posted by SomeCallMeTim | Link to this comment | 02-28-06 8:04 AM
82: I'm sure it does happen. Is it probable with a company like Diebold though, on a product as high-profile and as thoroughly tested as this? No. The very report that Smith cites says that the risks presented can be mitigated using appropriate access procedures, even if the bugs were to remain as they are. The procedures California adopted to safeguard the machines are quite rigorous. I don't think the products are perfect. I agree that the products can be improved, but I disagree that they are so remarkably insecure that we need someone to commit a felony to draw the public's attention to it.
83: There ARE paper trails. The older models printed out a trail at the close of voting, and the newer models use paper ballots in conjunction with electronic storage. Your link is to an August 2005 report from an organization with which I'm not familiar involving testing problems with Diebold machines. Problems that seem to have been fixed by voting time: http://phx.corporate-ir.net/phoenix.zhtml?c=106584&p=irol-newsArticle&ID=807176&highlight=
Most telling of all though, is the fact that these machines have been certified for use in 37 states, have been used at tens of thousands of polling stations by millions of people, and we have yet to hear of a single instance of election fraud by tampering with these machines.
Posted by Andrew | Link to this comment | 02-28-06 8:23 AM
Most telling of all though, is the fact that these machines have been certified for use in 37 states, have been used at tens of thousands of polling stations by millions of people, and we have yet to hear of a single instance of election fraud by tampering with these machines.
You don't seem to have followed the fact that one of the basic complaints about these machines is that the audit trail is weak enough that fraud, if it occurred, would be extraordinarily difficult to detect. That certainly doesn't mean that I know that fraud took place in jurisdictions using paperless machines, but you can't use the fact that fraud in the use of the machines hasn't been proven as evidence of their reliability, when the complaint against them is that you can't prove fraud when it does occur.
Posted by LizardBreath | Link to this comment | 02-28-06 8:40 AM
Andrew, respecting e-voting, the gap between Diebold's (documented) practices and best practices is vast. Way. fucking. vast. Forgive my intemperance, but you write insistently, as if you were defending a principle—instead of a company, which is not even a little bit like a principle. I do not understand.
Posted by Standpipe Bridgeplate | Link to this comment | 02-28-06 8:48 AM
as if you were defending a principle—instead of a company, which is not even a little bit like a principle.
I'm leery of disagreeing with you, SB, but I believe that, in Red theology, the difference is not quite so vast as you seem to think.
Posted by SomeCallMeTim | Link to this comment | 02-28-06 8:53 AM
Eh, I should expect that some of the insistence comes from being the contrarian on this issue. I'll fight to the death over not very much if everyone I'm talking to is lined up against me.
One thing that I would like to know, that Andrew has been mentioning and that I can find mentioned but not fully described -- do the touch screen Diebold machines that have just been approved in California have a paper trail? I think I've seen some articles implying that they do, but I haven't seen a clear description of what it consists of, if it does exist.
Posted by LizardBreath | Link to this comment | 02-28-06 8:53 AM
But Pintos are a rarity, not a norm, among car models, and designing a ballot machine surely presents simpler challenges
I'm bowing out of the dispute over election machines, but I do teach business ethics, so I know a bit about the Pinto. Ford knew, before producing the Pinto, that it would explode when rear-ended. And they knew how to fix the problem. But because the fix cost (according to this site) $11, they didn't do it. It wasn't a question of engineering difficulties. They did a cost-benefit analysis and concluded that it wasn't worth their while to fix the problem, at $200K per person killed and $67K per major burn injury.
And that's one reason I don't trust corporations.
Posted by Matt Weiner | Link to this comment | 02-28-06 8:53 AM
The paper trail the machines produce isn't independent, though. If the machine registers touch screen entries incorrectly, then the paper trail will reproduce those same errors. I prefer the system my district uses: paper ballots where you connect the broken arrows with a felt-tip marker, then feed the card into the op-scan machine. That way, if there is any doubt about the machine tabulation, you can return to the actual ballots cast, rather than simply accepting the machine's word that it counted everything correctly, which is patently insane.
Maryland's GOP governor has lost faith in the machines, btw.
Posted by apostropher | Link to this comment | 02-28-06 9:03 AM
The paper trail the machines produce isn't independent, though.
Well, that's the thing. The paper trail is useless unless the voter can see it and change it if it's incorrect.
Posted by LizardBreath | Link to this comment | 02-28-06 9:06 AM
LB, there are two Diebold models approved for use in California (both tested in the linked study), the TS and the OS. The OS uses paper ballots and optically scans them. See http://www.ss.ca.gov/elections/voting_systems/accuvote_os.htm. Here's also a link to which systems were used by county in the California 2005 election. Nearly all those counties using a Diebold product used the OS model. Only two counties used the TS model which, as I said earlier, provides for a printout immediately following the close of voting (though no paper verification for each individual voter). http://www.ss.ca.gov/elections/voting_systems/ss05_systemsinuse_v1.1.pdf.
Apo, when you asked about a paper trail, I read your concern as the same focused on in the California study: that someone would change the contents of the memory card, and we would have no way of checking the original results. So we may have been talking at cross-purposes.
You raise a different issue, of whether the machine itself is correctly tallying results, and, if not, whether we can detect it. I think that even the touch-screen systems have good safeguards in place against this possibility. The machines are tested immediately before voting to ensure that the touch-screens are correctly functioning. The voter is asked during the process if she is sure about her vote. Moreover, randomly selected machines are then retested during the voting day to ensure that they are functioning correctly. If I'm misreading you again, though, and you're concerned about deliberate tampering, e.g. every third vote for candidate X is recast as for candidate Y, without the voter's knowledge, then I don't see how a paper receipt guards against this. A programmer with such incredible access as to perform such a reprogramming undetected, and provide false visual on-screen verification for the voter, could certainly provide false paper receipt printing for the voter as well.
Standpipe, I think part of my tone---though I feel very easygoing while I'm writing this---might derive from Diebold/election-fraud fatigue. I'm perfectly willing to be mistaken about these machines, but thus far I've only seen a lot of hype. The very study that a far more insistent Kevin Drum cites as evidence of a major problem states that the problems can be ameliorated by other procedures while the bugs are fixed, and the protections adopted by California are rigorous. I really would expect to see some instances of election-fraud by this point if these machines were so susceptible to it---and I haven't. I would not have expected so many jurisdictions to have approved the machines if the problems were so enormous either. To me, this casts a lot of doubt on some of the allegations of enormous malfeasance that are being thrown around, and, like everyone here, I'm just as concerned and protective about the legitimacy of our elections and our own confidence in them.
Posted by Andrew | Link to this comment | 02-28-06 11:49 AM
If I'm misreading you again, though, and you're concerned about deliberate tampering, e.g. every third vote for candidate X is recast as for candidate Y, without the voter's knowledge, then I don't see how a paper receipt guards against this.
It does if you retain and check the electronic results against the paper receipts (either a statistical sample, or the full thing) as part of standard procedures.
Posted by LizardBreath | Link to this comment | 02-28-06 11:54 AM
Or if you simply retain and check the equipment for the reprogramming.
Posted by Andrew | Link to this comment | 02-28-06 12:10 PM
Everyone probably understood this when LB explained it, but I'm going to elaborate anyway.
The piece of paper is examined by the voter, and then left in a locked box at the voting station. Thus, if there's any question about the accuracy of the machine - bug, oopsie, fraud, whatever - you have a box full of papers, each of which implicitly says "I'm voter X and I approved this ballot". You can then count the papers, and you get a result that is totally independent of anything that might have gone wrong with the electronic system.
By having a whole independent system, complete redundancy, you've got an excellent chance of catching problems of every sort. You'll catch software errors, hardware errors, intermittent errors, difficult to reproduce errors, obscure bugs, everything.
Posted by Michael H Schneider | Link to this comment | 02-28-06 12:18 PM
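The check discussed in the comments above (electronic results compared against voter-verified paper records, by full count or by statistical sample), as an added example that is not from any commenter or from the page. The ballots are constructed, the "every third vote for X recast as Y" alteration from the thread is applied to the electronic copy only, and the sample audit assumes each paper record can be matched to its electronic record.

```python
import random
from collections import Counter

def tampered_copy(paper):
    """Electronic record in which every third vote for X is stored as Y."""
    out, seen_x = [], 0
    for vote in paper:
        if vote == "X":
            seen_x += 1
            if seen_x % 3 == 0:
                vote = "Y"
        out.append(vote)
    return out

def full_recount(paper, electronic):
    """Machine tally minus hand count of the paper, per candidate."""
    p, e = Counter(paper), Counter(electronic)
    return {c: e[c] - p[c] for c in sorted(set(p) | set(e))}

def sample_audit(paper, electronic, sample_size, seed=0):
    """Draw ballots at random; return positions where paper and machine differ."""
    rng = random.Random(seed)
    drawn = rng.sample(range(len(paper)), sample_size)
    return sorted(i for i in drawn if paper[i] != electronic[i])

def miss_probability(total, altered, sample_size):
    """Chance that a sample drawn without replacement has no altered ballot."""
    p = 1.0
    for k in range(sample_size):
        p *= (total - altered - k) / (total - k)
    return p

# Constructed sample: 3000 voter-verified paper records (2000 X, 1000 Y).
PAPER = list("XXY" * 1000)
ELECTRONIC = tampered_copy(PAPER)

if __name__ == "__main__":
    print("recount discrepancy:", full_recount(PAPER, ELECTRONIC))
    print("mismatches in a 20-ballot sample:", sample_audit(PAPER, ELECTRONIC, 20))
    print("chance 20 ballots miss it: %.4f" % miss_probability(3000, 666, 20))
```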