Hacker News
Diebold voting machines can be hacked by remote control (salon.com)
97 points by FreeKill on Sept 27, 2011 | 50 comments


For a very comprehensive rundown of all the awful things about electronic voting from someone who has been researching it for 12 years, see the following hour-long talk given at Google:

Electronic and Internet Voting (The Threat of Internet Voting in Public Elections) http://www.youtube.com/watch?v=_GjmRwfkRXY

It goes through all the highly nontrivial challenges around holding an election, and discusses the major failings of the technology over the years. (Mostly Diebold gear as you might imagine.)


Oh for the love of Pete. Why are the voting machines connected to the tallying devices?

Wouldn't it be safer to have the voting machine output a machine readable ballot that is then read by a generic non-election specific scantron-like machine that has no understanding of what it is scanning?


Obligatory shout out: http://homepage.mac.com/rcareaga/diebold/adworks.htm

This is another interesting case to follow. Matt Blaze's work here is also telling (they found a bunch of software exploits). I wonder about the forces pushing electronic voting when there are so many issues unresolved. Perhaps Anonymous should elect itself President. That would wake some folks up.


I like the "vapor" poster. I wish I had thought of "voter verified vapor audit trail" back when I was fighting against these touchscreens.


Having thought about this a bit, I don't see how you do electronic voting without giving the voter a receipt that contains a sequence number, timestamp, and current status of the machine. All encrypted, of course. That way the paper trail can be reassembled if necessary to see if it matches the end state. Hope that was explanatory enough. It also partially distributes oversight authority to all the voters instead of having it all at the poll.


There's no point in maintaining a distributed paper trail, since actually making use of it would violate anonymity and be a gigantic hassle, you might as well just keep the paper trail centralized. And if you're doing that then you might as well just go back to electronically scanned paper ballots.


Secret electronic voting is just too much hassle. Manual counting really isn't that big of a deal, at least with current election systems.


For elections to be considered democratic, they must not only be fair and anonymous, but also comprehensible to all. As any electronic voting system (even an insecure one) is only comprehensible to some, electronic voting is by definition not democratic and should therefore be forbidden in any country that claims itself to be that.

Actually, in Germany the highest court declared electronic voting to be unconstitutional on the grounds of deficient comprehensibility in 2009. Maybe we can use this argument in other countries, too.


Someone with more knowledge of this please tell me: Why is physical access to the voting machine innards allowed at all? Why isn't the machine glued shut with some color changing seals to show tampering?

It doesn't seem like poll workers (or anyone other than the manufacturer, for that matter) would need access to the internals. If a machine is broken, send it back or fall back to paper voting.


For no particular reason, the prevailing stance is to avoid paper fallback so they want to preserve the ability for pollworkers to deal with problems themselves. I know, "what could possibly go wrong with that?"

There is nothing in the electronic voting debate that won't make you scratch your head wondering why they don't use known-good techniques. The only time-worthy thing to do is to oppose them until open-source solutions are accepted. Everything else will be a through-and-through scam by Diebold or one of their cohorts.


"The only time-worthy thing to do is to oppose them until open-source solutions are accepted."

Meh, I'm still unconvinced by the virtues of electronic voting at all, open source or otherwise. Little electronic currents simply have less mass than pencil marks on paper, and I mean that in a number of ways, including the fully literal one. A full accounting of cost/benefits shows the costs to be staggering once one accounts for the risks of tampering and the difficulty of preventing it, and the benefits mind-bogglingly tiny. (Heck, even if one merely accounts for the costs of materials the cost/benefit analysis isn't all that great.)

If it wasn't so darned shiny and high tech nobody would even consider electronic voting. It's just technofetishism run amok.


> If it wasn't so darned shiny and high tech nobody would even consider electronic voting.

Were you in a Nepalese monastery during the 2000 election or something?


See, that's an example of what I mean. You simply take it as given that technology will simply solve the problem by virtue of being TECHNOLOGICAL, when a moment's thought starts poking huge gaping holes in logic.

Suppose Florida is a close race again in alt-2000 where electronic voting is widespread. But wait! In three precincts, close examination of the voting machines reveals that they have been systematically tampered with, in exactly the way described in this article, and the voting totals are unreliable. Aaaaaandd...

... now what? Count the ballots again? Can't. No such thing. Re-add the wrong numbers together for the wrong result? Hold the vote again in those precincts? That's fraught with its own serious problems. The vote is just screwed and there's basically nothing you can do about it.

"But the vote can be screwed with paper ballots too!" Yes, but it's much harder, leaves a much larger and harder to forge trail, requires vastly more effort, and is much easier to detect. (Ye olde "Benford's Law" trick will work only once, you know.) The question isn't whether computer voting "works", it's whether it's better.

And, secretly, I palmed a card. I tampered with those voting machines after the vote occurred. The vote numbers are totally accurate in my hypothetical scenario! But good luck proving that in real life.

One thing that people don't often get is that voting isn't about choosing a winner. Choosing winners is easy. It's about convincing the losers that they lost, and that the process is fair, and it's far better for them to participate in the Great Debate and sway people to their position and try to win the next election, rather than forming an armed mob and going on a rampage. Electronic voting machines make that outcome much harder. For once, Hollywood-hackability works on our side and the pervasive message that all computers are intrinsically infinitely hackable is not so far from the truth.

(... oh, and if you stay tuned for long enough, we'll be able to answer that "Now What?" question sooner or later, because it is only a matter of time before the body politic is literally faced with that question, instead of merely hypothetically.)


That electronic voting has problems doesn't in any way mean that paper voting didn't have problems. The statement "nobody would even consider electronic voting" is false. Plenty of people consider electronic voting because of the hanging chads, photos of people with magnifying glasses peering at ballots, etc.


Some evidence that you've actually read what you're replying to would be nice. I made your own point better than you did when I went into more detail on the problems with paper voting!


> There is nothing in the electronic voting debate that won't make you scratch your head wondering why they don't use known-good techniques.

Corruption. Large cash payouts to Diebold execs. The literal intent to commit treason and rig the USA's presidential elections.

How else can a company capable of making ATMs that don't leak cash create such a laughable amateur attempt at an e-voting machine? Furthermore, even if the creation of these criminally bad products was an accident, almost every expert in crypto/security and election theory has stepped up to say that every element of the systems is broken, from the hardware having holes to the goals being impossible even in theory.

If this didn't go high up any single weakness found would have been enough to pull every Diebold voting machine. As is there are more regulations against lawn-darts...


Their ATM machines are far from impregnable. They're harder to hack than the voting machines because the banks require it, but they aren't foolproof.

Diebold's clients when selling voting machines are often county clerks or county commissioners. Sometimes they are secretaries of state. They aren't capable, for the most part, of assessing the machines. (The ones that are might find better alternatives).

When they sell ATM machines their clients are banks and when they lose money due to problems with the machines, they usually find out.

They've been making a killing out of selling this crap, pure and simple.


The reason there is no tamper proofing is that it would make tampering more difficult.


The short answer is all the election administration gear is rushed to market. The HAVA boondoggle created a gold fever land grab mentality. The products are shit. Not just insecure, but just complete garbage. Not to downplay the security concerns, but the poor reliability is a bigger threat. Especially since these systems fail silently and "testing" was a puppet show.

The longer answer is that all voting gear I've seen (in the USA) treats security as an afterthought. Gear in use typically gets "tamper evident" seals. But they're really lame (e.g. fall off) or the gear can be backdoored.

I'm just talking the hardware here. The software situation is totally, scales of magnitude, worse.


Paper.

It works.

There is a _physical_ backup for recounts. It's verifiable. It's trustworthy, and it's secret. If you want results faster, volunteer at the voting place. If you don't trust a voting place, send an observer. All of this can and should happen in secret in plain sight.

I know this is hard for us nerds to admit, but there are systems that do not need to be, nor should be computerized.


> There is a _physical_ backup for recounts. It's verifiable. It's trustworthy, and it's secret. If you want results faster, volunteer at the voting place. If you don't trust a voting place, send an observer. All of this can and should happen in secret in plain sight. I know this is hard for us nerds to admit, but there are systems that do not need to be, nor should be computerized.

Sort of. But a poll worker could toss out ballots and you'd have no idea. A voter could toss in multiple (stolen) ballots and no one could stop it. Etc etc. There are serious problems with electronic voting, but paper ballots aren't immune to problems. Physical backups mean shit when the source is fraudulent.


No idea where you live but in Germany you can be a volunteer if you desire to monitor the process. Also you cannot put in multiple ballots. Each voter is checked off a list, a mismatch between "people who came to vote" and "ballots in the box" would be easy to spot.


You can volunteer here in the US too, but what if the volunteer commits fraud?

If there's a mismatch, what would you do? It's a secret ballot so you can't throw out the extra votes, you'd have to throw out all the votes in that ballot box.


Ballot boxes can also be lost or forgotten ... this actually happens.

Paper ballots are also usually scanned, and not counted manually, which raises the question if the scanners can be hacked. And where does the scanned result go? Disregarding electronic voting, there is already some sort of electronic system in place that deals with scanning the ballots and collecting the results, but all the focus seems to be on hacking electronic voting, not the existing voting infrastructure.


Every time I've voted (in Sweden), at least two observers check that the right number of ballot papers have been received and then they place the ballot papers in the sealed ballot box in full view of both the voter and the observers. It would be basically impossible (barring a conspiracy between the poll workers and observers) to either toss out a ballot or chuck in an extra ballot without being spotted.


It's really a shame, because Diebold knows how to do better.

While not perfect, I think the Brazilian electronic ballots are not vulnerable to most of the attacks I see being demonstrated against Diebold machines used elsewhere (they are certainly not as easy to attack as the one on the video). And Diebold has the know-how in house because they acquired Procomp, the company who won the last couple competitions to provide them.

I worked on the Unisys version (which was the last competition Diebold/Procomp didn't win, IIRC) and I distinctly remember our discussions about possible exploit scenarios and how to counter them (sometimes, with physical handling protocols and tamper-proof seals).


Tampering attempts could be easily detected with a paper log of votes. All that is needed is a paper based receipt logger installed in each voting machine. If tampering is suspected, review the paper log.


Unfortunately, it's not quite that simple.

An advantage of electronic voting is that the machines can be designed for use by the blind. This is in fact one of the goals written into the act of Congress which funded the development of the machines originally.

Political advocacy groups for the blind oppose using paper logging, because it would mean that the only authoritative record of the vote is the one that blind people cannot personally confirm.

A machine could read the paper out to the blind voter, but that just changes which electronic device you have to trust to report the vote correctly.

A sighted person could confirm the ballot for them, but that was already possible in the past (and was how the blind voted until now). Electronic voting was an advance for the blind specifically because an individual could vote on their own with no assistance other than that provided by the machine.

From a security perspective, it is at least as plausible that the sighted assistant would manipulate the vote of the blind person as it is plausible that a hacker would manipulate the votes on an electronic system.

It can be argued that although both scenarios are plausible, hacking is more likely and has a larger impact, but arguments based on relative costs and benefits are a poor match for an emotional debate on civil rights.


Can't the printed log be output in braille as well as ASCII?

The blind voting advocacy groups sound like they are completely against anything that allows a vote log to be confirmable outside the (extremely vulnerable) blackbox voting machine. I begin to wonder where their funding comes from.


They might even make the Braille version the authoritative one in case of discrepancies. It's easy enough for a sighted person to learn enough Braille to distinguish choices on a voting ballot.


"From a security perspective, it is at least as plausible that the sighted assistant would manipulate the vote of the blind person as it is plausible that a hacker would manipulate the votes on an electronic system."

No it is not, because you cannot manipulate the actions of hundreds of thousands of sighted electoral assistants undetectably, instantaneously, remotely and anonymously like you potentially can with electronic systems. This is the same thing that makes postal voting a lot more secure compared to electronic voting than it might seem at first analysis. See the talk I linked elsewhere in this discussion.


> An advantage of electronic voting is that the machines can be designed for use by the blind.

Could be, but aren't.

If you'd ever tried the 'accessibility' features of a touchscreen voting machine, you'd see the UX fail firsthand. (I've worked as a poll inspector.)

There were other truly accessible solutions. The VotePad for instance. Low-tech plastic wrapper for existing ballots. Preserving both the secret ballot and public vote count.

Alas, the inexpensive VotePad couldn't compete with the well financed crony capitalism juggernaut which brought us HAVA.


For all I care, the paper log need not even be human readable just so long as it is a physical and non-changeable log. I would like the log to be multi-format, both human readable and machine readable so the logs could be quickly scanned to validate accuracy with the electronic record.


Why can't I verify my vote?

Get a print out, then go online, punch in my number and confirm my vote.

Wouldn't this solve a lot of problems? Of course not everyone would confirm their vote, but I am sure the math can be done to see if everything checks out. Just like exit polls.


Not giving poll receipts comes from a sordid history of people coercing people to vote for a certain candidate.

"Vote for the right person or you'll be fired. Show me the receipt"


In line with what atlbeer said, it would be difficult or impossible to preserve voter anonymity (i.e. the inability to link a voter with who or what they voted for).


Funny, the attack only requires an "eighth grade science education" to execute but it took the Vulnerability Assessment Team of the Nuclear Engineering Division of the Argonne National Laboratory to develop it.

edited for clarity.


So? Some web exploits can be used by script kiddies while others require active skilled-programmer intervention, although both kinds require a clever hacker to figure them out in the first place, and we find that a useful distinction to make as well.


P != NP


It's better than squirting-water-guns-into-ATMs exploit (was that Diebold?) which can be employed by attackers with nothing but a kindergarten playground education.



I'll just leave this resource here: http://www.blackboxvoting.org/


If that resource wants to be taken seriously it could start by getting a web design that doesn't scream "quack".


Obligatory xkcd reference: http://xkcd.com/463/


I thought they were called Premier Election Systems these days. Or am I confused?


Ah I see they're already gearing up for their "Republicans stole the election (again)" series when Obama loses next year. Although I think this is jumping the gun a bit. Funny how these lab tests never seem to be done when it looks like a Democrat is going to win (or won).


That's what happens when a major voting machine company publicly states that they are going to deliver the election to the Republicans.


There was plenty of voting machine hack news in 2008.


Maybe but nothing like 2004. The RFK Rolling Stone article, HBO documentaries, hell Black Box Voting was founded that year.

In 2008, the NYT was publishing opinion pieces about "The Myth of Voter Fraud" http://www.nytimes.com/2008/05/13/opinion/13tue1.html

Trust me, this will be a front page issue again in 2012. The irony of course is that calling into question the validity of an election is the oldest form of election rigging there is.


Nope, it was a big deal both times. This is confirmation bias on your part, simple as that.



