Log in

electronic voting at Grace Hopper - Accretions

Fata Morgana
2004-10-10 18:39
electronic voting at Grace Hopper
Thursday afternoon at Grace Hopper, Barbara Simons and Ellen Theisen talked about the loaded issue of electronic voting. VotersUnite.org is dedicated to establishing and maintaining transparent elections, as is VerifiedVoting.org and others. As in my previous post, I'll report what they said (or at least the parts that I wrote down) with minimal interpretation, though I do have strong opinions on this matter as well.

They started off discussing overseas ballots. It turns out that Missouri, along with North Dakota and Utah, are allowing their troops overseas to vote. This sounds reasonable enough until you hear the details. First of all, there is no secret ballot at the voting site. In addition, completed ballots are scanned in and emailed to the DoD, which faxes them to election officials. This is wrong on so many levels. There could be coercion at the voting site, and forgery or "loss" would be so easy with so many steps in the process. And there are no laws against this sort of thing. Organizations including the ACM have made statements calling for permanent records for ballots, but so far none have been codified in laws.

There are several machine types for electronic voting.
  • One of the more primitive types are optical scanners, such as the bubble-scans many of us are familiar with from standardized testing. The machines can tell you if you've overvoted or if the ballot is empty, but these machines are prone to errors, and it's hard to support other languages or the blind.
  • Screen-based systems can have earphones and multi-lingual support, and can also give warnings for such things and under- and over-voting.
  • Ballot-marking systems combine these two: they have the benefits of screen-based systems, and mark or print an optical scan form. Often, though, the scan form is coded and thus can't really be checked by the voter, as is the case with the Populix machine.
  • Direct recording electronic devices, or DRE's, are becoming the most common system. Their main feature - some claim it's a benefit, though many (including the speakers and me) say it's actually a major drawback - is that these systems have no paper record that the voter verifies. So there's nothing to recount, no audit trail. These machines will be used in the 2004 election by 30% of the country, including California. The software is completely closed source. The machines made by Demonte and Acupoll also can produce paper ballots, but those made by Diebold, ESS, and Sequoia (and others) produce no paper ballots. (Sequoia is adding printers to their machines, but the printers will print on a roll of paper, raising privacy concerns. Diebold, the company that's especially been in the press, actually has both paperless and optical-scan machines, but the paperless ones are being used the most.


Some places like New Hampshire require random recounts, but some places like Florida have never done it. Because Florida never does recounts, they didn't know how to do them and kept avoiding them. California requires a recount of 1%. Since California uses the paperless Diebold machines, a random 1% of the ballots are printed at the end of the day and counted - so much for paperless elections!

In the 2002 election in Georgia, only Diebold machines were used. There were some anomalies in election. Perhaps they were legitimate, perhaps not, but with the Diebold machines, there's no way to check - no paper trail, and no access to the software. Alarmingly, Walter O'Dell, the Diebold CEO, did fundraising for Bush, though Diebold has recently issued a commitment to staying out of politics.

Recently, Diebold voting software was found by some academics on an open FTP site, who then took it for examination. They found that the encryption key was the same for all Diebold machines. Two places to get more information on this are the Hopkins report and the SAIC study of Diebold, the latter of which was produced as Maryland considered adopting Diebold machines statewide.

The Diebold voting terminals run Windows CE, and their software is written in C++. Sixteen Windows patches are needed on Diebold machines, but they make the system crash - so the system must be insecure to function. There's no requirement to audit external software, even if Diebold modified it (which they did for winCE).

Election Certification Stupidity

The software development process is completely incompatible with the election certification process. To get certified, companies have to send their code to an independent testing facility which takes TWO YEARS to verify code - and they just go down a checklist of expected problems, not any unexpected ones. Voting software manufacturers have to PAY for the results of the test. So what happens when they find a bug? Their options are to 1) hide it, 2) report it and go through re-certification which takes years and hundreds of thousands of dollars, or 3) install the changed software on machines without getting it certified. This last option seems most reasonable, and indeed, modified software has been found on machines in Indiana, California, Arizona, and Washington. When caught, the software manufacturers showed how the old certified software actually mis-tabulated votes, something that was not caught in the certification process. Additionally, the contracts between voting software manufacturers and these testing agencies are secret.

The people who know the input - the voters - don't know what the output of these machines are, and vice versa. This means there's no way to monitor the results of the election. Theisen likened this to "beta-testing" a parachute by jumping out of a plane with it and hoping it opens - except that with voting software, you STILL don't know whether the parachute opened when it's all over.

Answers to misc. questions

There's a common misconception in the general public that computers are accurate. Computers are fast and consistent, but they're only as accurate as they're coded to be. Pollworkers are blamed when machines malfunction, and often they're older volunteers who have little computer knowledge. Many election officials just want to get elections over with as quickly as possible, and are resistant to change. When electronic voting machines come into the picture, there's often a lot of dependence between officials and vendors - in some cases, the vendors are called in to run the election.

A major security risk is insider fraud. There has always been fraud and disenfranchisement, especially in the South, but before computerized voting, it was hands-on and involved a lot of people. Now, it's easy for one person to do it - they just need to change the code. There's no central repository for bugs in voting systems. There's an urban legend, perhaps true and perhaps not, of two Berkeley students who volunteered their apartment as a poll place. A week before the election, the machines arrived at their apartment. Sure, they were all wrapped up, but that's not much of a safeguard against tampering.

Usability in ballot design is a whole separate issue that really needs to be addressed.

Absentee ballots aren't without problems, but at least there's SOME record of your vote.

What can we do? Well, aside from voting, you can volunteer as an election official or write letters to the editor of your local newspaper calling for better procedures.

Articles to read
Comment | 6 Comments | Share | Link

2004-10-10 23:57 (UTC)
Hi Morgan, it's Joe (http://pobox.com/~joehall/nqb2/).

A slight correction the Independent Testing Authority testing of source code doesn't take two years. It averages about 3-4 months but still costs $400,000 and is still only a checklist of functional requirements (the FEC's 1990 Voting System Standards (http://sims.berkeley.edu/~jhall/fec_vss_1990_pdf/)). Some vendors submit the entire source code as one application that can be compiled to run all their products and their central tabulation and registration software... that would take longer than the 3-4 months.

I respect Ellen and Barbara immensely and know Barabara quite well... and this appears to be the only part of the above that isn't quite correct. By the way, there is a whole slew of cool articles in this month's issue of the Communications of the ACM. I recommend reading them all but definitely don't miss Barbara's assessment of Internet Voting, four Yale CS students arguing that small manipulations of the votes can swing elections, Doug Jones piece on auditing elections and Rebecca Mercuri and Jean Camp's piece will blow you away.

This is my schtick lately... I'm up to my eyeballs in it!
Reply | Thread | Link

Fata Morgana
2004-10-11 00:19 (UTC)
Re: correction
Thanks, Joe! I think Ellen was talking about the certification process - do you think she was referring to the average time spent in certification overall, including bug submittals and software adjustments?

BTW, nibot syndicated your blog on LJ as nqb2 - just wanted to make sure you knew. :~)
Reply | Parent | Thread | Link

2004-10-11 16:40 (UTC)
Re: correction
Joe here again... I'm not sure what she was talking about... maybe that's total time in certification across all states for a large vendor? Anyway, it's not terribly important because here thesis - that federal qualification and state-by-state certification is expensive, inadequate and completely and totally opaque - is reality. Hope to see you back here sometime... you're another amazing addition to the SIMS crowd.
Reply | Parent | Thread | Link

Fata Morgana
2004-10-12 21:23 (UTC)
Re: correction
Thanks, Joe!
Reply | Parent | Thread | Link

2004-10-11 00:01 (UTC)
A thesis on the subject
Reply | Thread | Link

Rylon Unit
2004-10-27 02:15 (UTC)
(no subject)
Ooh, thanks for this. If you want even more info on this, here's more collected articles:
Reply | Thread | Link

my journal
September 2013