An Exit Strategy for Electronic Voting

Tags for This Article:

Populum Tag Cloud Control Panel
	Fine tune your search to access content

Articles	Links
Diaries	Products
Events	All

All time
Last 6 mos
Last month
Last week
Last 24 hrs

From:
Month Day Year

To:
Month Day Year

Alphabet Popularity	Count ON Count OFF
This Level	Sub-levels

Tag(s): 2006 Elections; 2008 Elections; Election Reform; Electronic Voting; Enemies Of Democracy; Privatization; Secrecy - Transparency; State Government; USA United States Of America; Voting Integrity
Add to My Group

August 24, 2006 at 20:43:06

An Exit Strategy for Electronic Voting

by Bruce O'Dell Page 1 of 1 page(s)

http://www.opednews.com

Even though there are fundamental technical considerations which should rule out use of electronic vote tallying technology, some of my Information Technology colleagues are still trying hard to salvage it (see, for example,
the web site of the research group called ACCURATE).

When it comes to electronic voting technology, we do not
need a better mousetrap – we need an exit strategy.

I've done my best to explain why, in detail, elsewhere – but the main points bear repeating.

Voting systems are national defense systems (!) deserving the highest level of protection. Undetected compromise of our nation's voting systems is equivalent to our being invaded and occupied by a foreign power, since the American people lose control of their lives and destinies in either case - except that "coup by covert election manipulation" occurs under the reassuring guise of business as usual. I am ashamed that my profession has enabled voting systems to be deployed with mechanisms inadequate to protect mere financial transactions - much less, to safeguard the foundation of our national sovereignty.

Voting is inherently hard to protect. All the conventional techniques for electronic auditing of transactions rely on strong proofs of identity and complete transparency. We can conduct electronic financial transactions well enough that embezzlement is the exception and not the rule because all counterparties to a financial transaction are required to provide strong, legal proof of identity to the others, all parties to electronic financial transactions are strongly motivated to verify accuracy of results, and the laws regulating resolution of financial disputes are mature. None of these conditions apply to voting. Voting is private and anonymous. You cannot provide a voter with a record of her transaction sufficient to prove how she voted after the fact (or you enable sale of votes, coercion and a host of other problems...). But if you do not provide such an unambiguous receipt, all that electronic vote-auditing protocols can do is simply enshrine a computer's assertion that it recorded your touch on a screen or your mark on an optical scan ballot as you intended. Any program that generates an electronic audit trail - no mater how complex - can easily be programmed to consistently lie about what truly happened when your choice was presented to the machine for tallying. Electronic auditing of electronic vote tallying simply shifts the issue of trust from one suspect set of software to another.

Can we ensure that machines count our votes as cast?
Our only recourse to ensure correct electronic tallying is to generate an anonymous non-volatile receipt of the voter's choices, verified by the voter, retained by electoral authorities, and always audited - by hand - after the fact. And even this approach has limitations; for VVPATs (Voter-verified paper audit trails) there is ample evidence that many people do not actually "verify" their "PAT". Optical scan ballots are a much more desirable paper record.

OK - if we always have to audit the electronic tally, how
should we do it? The conventional approach is to have election insiders audit 100% of the vote in a few percent of the precincts, days or weeks after the election, in private beyond public view. If, of course, there are any paper ballot records to audit. But as reported irregularities in Ohio in 2004 reveal, this approach is both inaccurate and highly vulnerable to gaming. In response, Jonathan Simon, Steven Freeman, Josh Mitteldorf and I have just published a paper that recommends nothing less than a 10% in-precinct hand count of all paper ballot records to be done by the public and on election night, everywhere we allow electronic tallying. This will provide 99% certainty of detecting errors or deliberate manipulation, regardless of their source, that affect 1% or more of the official electronic tally. Nothing less will provide the indisputable statistical rationale to enable candidates to actually dispute a tainted election in a toxic political environment like the one we find ourselves mired in at the moment.

But all this begs the question: if we have to always hand-audit electronic vote tallies... then what, exactly, is the point of electronic tallying?

Requiring electronic voting to enable accommodation of
voters with disabilities is a red herring – cheaper, better, non-computerized alternatives already exist. And so we advocate a 10% hand count in 100% of the precincts only as a transitional step in an exit strategy for electronic voting. Because I for one firmly believe that wherever and whenever we actually do start hand-counting ballot records in public on election night, we will find such a catalog of horrors, such unconscionable sloppiness, such pervasive backdoor manipulation of the electronic tally that the American people will rise up and demand that we take back control of our elections into our own hands – and cast and count
our paper ballots ourselves.

I'm not accusing my colleagues – such as Avi Rubin, Director of ACCURATE – who are working to salvage electronic voting of "being on the take". In fact I commend their hard work to expose the risks of electronic voting. But, on the other hand, as a technology professional I would refuse to work on electronic voting systems because, for all of the above reasons, I believe it to be a violation of the professional code of ethics of the Association of Computing Machinery, the world's largest and oldest computer society - of which I am a member.

The ACM Code of Ethics states in part:

"Ethical tensions can best be addressed by thoughtful consideration of fundamental principles, rather than blind reliance on detailed regulations. These Principles should influence software engineers to consider broadly who is affected by their work; to examine if they and their colleagues are treating other human beings with due respect; to consider how the public, if reasonably well informed, would view their decisions; to analyze how the least empowered will be affected by their decisions; and to consider whether their acts would be judged worthy of the ideal professional working as a software engineer. In all these judgments concern for the health, safety and welfare of the public is primary; that is, the "Public Interest" is central to this Code."

I say again: "to consider how the public, if reasonably well informed, would view their decisions". According to Zogby's latest poll, the American people, if properly informed, are hardly likely to continue to tolerate secret elections, run by insiders, "certified" by "experts", and tallied by machines. I prefer to stand with the people.

And again: "In all these judgments, concern for the health, safety and welfare of the public is primary." The issue at hand is the integrity of the systems that grant sovereignty over the world's largest economy and only superpower military. There are overwhelming indications those systems can be and likely have been hijacked in pursuit of a radical agenda contrary to the wishes of the majority of the American people.

Beyond the technical considerations that preclude placing our trust in electronic vote tallying is the most important principle of all.

We, the people, have the inalienable right to run our own elections.

My colleagues working to salvage electronic voting are free to disagree. But I wonder why such a talented group is preoccupied with inventing a better voting mousetrap when the people are fully capable of running our elections in the absence of the inappropriate technologies that have precipitated our election integrity crisis. In fact, there are a host of other, far more pressing problems that confront us technologists – consider that the public is just now waking up to one fact that security insiders have known for some time: the barbarians are at the gates of the internet. These are the kinds of problems that should demand our urgent attention so that we can protect and serve the public, who have become almost totally dependent on the technologies we provide them.

Bruce O'Dell is a self-employed information technology consultant with more than twenty five years experience who applies his broad technical expertise to his work as an election integrity activist. His current consulting practice centers on e-Commerce security and the performance and design of very large-scale computer systems for Fortune 100 clients. He recently spent a year as the chief technical architect in a company-wide security project at one of the top twenty public companies in America, led a multiple client projects for compliance with new credit card data security standards, and has designed secure "virtual cash" e-commerce protocols. In 2007 he was invited to testify on computer voting security issues to the Texas and New Hampshire legislatures. He lives just outside Minneapolis, Minnesota, and shares a love of good books with his wife - and her beautiful garden, with their talkative cat.

	Contact Author
	Contact Editor
	View Other Articles by Author

Bookmark this page: (what's this?)

(More...)

3 comments

The author currently lives in Portland Oregon and is interested in matters where society, the law and technology collide.Your reader feedback is not only welcome, but encouraged. Thank you.
Doug DingusThe author currently lives in Portland Oregon and is interested in matters where society, the law and technology collide.Your reader feedback is not only welcome, but encouraged. Thank you.

Great Article

It's all about the chain of trust, IMHO.

When the record of the vote is one and the same with the act of voting, the chain of trust is complete between the voter and the record of their vote. Intent is preserved and this is why:

When one changes physical media to indicate the vote, the intent of the vote, the action and the record of that action are all embodied in the changed media. Secondly, physical changes, we all can observe, are very difficult to modify, without leaving behind some evidence of a less than perfect vote record.

In this, the vote moves from the voters mind to the ballot, becoming the vote cast, in a trustworthy way.

When we let a machine record a vote record, then the chain of trust is then broken between voter and vote cast. This is a vote by proxy, which breaks the chain of trust between the voter and their vote cast. What then is recorded is what the machine thought the voter intent was, not the actual vote itself. This is not trustworthy and does not allow for variations in intent as the actual action of the voter is not recorded, but only an interpetation of the voters action.

Where modification of the vote record is concerned, it gets ugly when electronic voting is involved. Electrons can simply change states without leaving behind physical evidence. If this were not true, computers would be very different today, if not impossible.

This broken chain of trust is why we should not be allowing companies to:

make a profit on recording and counting votes

, and

render any aspect of the process secret.

Here's an exit strategy:

Whenever the issue of cost comes to the table, point out that democracy has a price. That cost can be dollars, if we are willing to hire untrustworthy proxies to handle our voting issues, or it can be in terms of time and effort by the citizens involved and impacted by the democratic process.

All proxies are untrustworthy, simply because their presence in the process breaks the chain of trust between voter and their vote cast, and also the chain between votes cast and the final tally. Any process whereby the public cannot follow a single, specific vote record from the voter to the final tally, is not a trustworthy process. How practical it is to do this does not matter, the ability to do so does as this insures the chain of trust remains intact.

Where a voter needs a proxy, let the voter make their own trust decision to their satisfaction. They could use a machine, or have another trusted person help them cast their vote. We are a nation of free people, we should not be making trust decisions like this for everyone on principle alone.

The cost in terms of people and time is a far easier and more meaningful burden to meet if we consider the merits of our general awareness of our civic duties. Making elections fast and easy detracts from their importance and that, in turn, marginalizes the debate as a whole, as if it's something we cannot be bothered with in lieu of more important things.

Democracy is only as good as the people want it to be. If our focus is on making the process as quick and easy as possible, is that not putting the focus on the wrong elements, thus diminishing the value for all?

For a solid means of voting, take a look at Oregon and their vote by mail system. All four core elemets of a trustworthy election are properly embodied in a solid balance between time, labor, cost and trust.

It's transparent in that the voter can easily know how their vote ends up in the final tally. It uses a physical vote record directly for the count, which is done by machine, but under the public eye with audits. Perfectly accpetable balance overall.

Oversight comes from the transparency and the public being able to deliver their votes directly, or by mail. Physical records at all levels allow for the necessary check on corruption inherent in electronic records.

Freedom comes from being able to deliver ones vote directly, or by mail. Being able to vote within a wide window also adds to this. Of course, one can easily vote or not, completing the picture here.

Finally, anonymonity is assured in that a sealed ballot system is used. Each voter certifies their vote by placing it within a container, sealed and signed for verification. Verifying a vote as being from a valid registered voter is kept seperate from the vote itself. Votes are kept sealed until it is time for the count where they are unsealed, counted and audited by hand to check the counter machines accuracy.

All votes are physically recorded for recounts later on, and these votes are not personally identifiable.

One other advantage of this is the large time window for voting.

It is very difficult to discourage voting when voters are not aggragated in one particular place and time. Turnout is higher in general because voting is easy and can be done when it makes sense for the voter.

Challenges, poorly crafted polls, last minute commercial slams, and other means to discourage or manupulate the votes cast are all costly as a result.

We need greater awareness of this.

(Sorry, this got really long. Maybe I'll stuff it in a diary for later....)

by Doug Dingus (3 articles, 0 quicklinks, 6 diaries, 15 comments) on Friday, August 25, 2006 at 10:37:03 AM

Senior Lecturer in Computing Science (retired), University of Texas at Austin. Previously Principal Scientist, Burroughs Corporation, Peace Corps volunteer, aerospace engineer.
Hamilton RichardsSenior Lecturer in Computing Science (retired), University of Texas at Austin. Previously Principal Scientist, Burroughs Corporation, Peace Corps volunteer, aerospace engineer.

"Chain of Trust" solution fatally flawed

This comment makes some worthy points, but like the Oregon vote-by-mail system it comends, it overlooks some serious problems.

Any scheme that enables a voter to determine whether his/her vote was counted correctly suffers from an inherent flaw-- it also enables the voter to prove how s/he voted to someone else. That ability opens the door to vote buying and voter coercion. It's to prevent such inducements that we have polling places where voters' privacy is protected and voters' ballots are secret (Oregon's mail-in voting suffers from the same flaw-- what were they thinking?).

This is one of those problems that's easier to solve if it is generalized. If a voter is convinced that the system's design and implementation guarantee that all votes are counted correctly, it follows that his/her own vote must be counted correctly. This calls for a system in which vote counting is open and transparent, based on paper ballots (not necessarily marked by hand) which can be counted as many times, in as many different ways, as necessary to satisfy skeptics.

As the comment notes, mail-in voting offers a large time window for voting, which confers the substantial benefit of making it harder to discourage voters by skimping on equipment (as in Ohio in 2004). But mail-in voting is not the only way to achieve this worthy goal. In Travis County, Texas, polls are open for early voting as much as two weeks before the official election day. There aren't as many polling places as on election day, but they are open for longer hours, and in convenient locations such as libraries and supermarkets. Electronic voting stations make it easy to furnish each voter with the ballot style appropriate for her precinct. Unlike mail-in balloting, ballot secrecy is preserved.

Electronic voting stations make it conceivable to extend this early-voting idea beyond the boundaries of a single county. Imagine being able to vote for your own precinct's dogcatcher regardless of where you happen to be in your state --or even the entire US or at a US embassy, consulate, or military base abroad. Suitable standardization of ballot formats would enable your precinct's ballot form to be downloaded into the machine on which you make your selections. When you've made your choices, the machine prints your filled-in ballot; you check it, seal it in an envelope, and hand it to the election official, who takes the necessary steps to get it to your own precinct, where it is counted along with the ballots cast locally on election day.

With a system like that, mail-in ballots --and the attendant threats of vote buying and voter coercion-- would be unnecessary.

by Hamilton Richards (0 articles, 0 quicklinks, 0 diaries, 2 comments) on Saturday, August 26, 2006 at 4:28:54 PM

E-voting: the pluses without the minuses

To eliminate electronics from voting would be to discard the baby with the bathwater. By thinking a little more carefully about the problem, we can separate the bathwater from the baby, i.e., we can retain the benefits of electronic voting while eliminating its risks.

Electronic voting technology's advantages over hand-marked paper ballots are substantial-- e-voting caters nicely to diverse languages and multiple ballot styles, saving the cost of printing and securely storing and transporting thousands of blank ballots. They also enable many voters with disabilities to vote without assistance, i.e., privately.

The trouble starts when e-voting machines are also given the responsibility of tallying the votes. To deserve voters' trust, the process of counting the votes must be open and transparent, and there's nothing transparent about silicon circuitry. As has been said before, the purpose of counting votes is to convince the losers that they lost; if the losers can't see the votes being counted, the arguments can never be settled.

So how can we have both the benefits of e-voting and the transparency of open vote counting? Easy-- just restrict the job of the e-voting machines to printing each voter's filled-in ballot. Note that I'm not suggesting the dinky reel-to--reel "toilet paper" audit-trail printers now being retrofitted to DREs in many states. The ballots I'm suggesting would be printed in large friendly letters on 8.5 x 11 paper. They would be easy for voters to read, check, and drop into an ordinary ballot box. Would this be expensive? Suitable laser printers can be bought at retail for under $150.

After the polls close, the machine-printed ballots would be counted by hand or by optical scanning. Either way, the machine-printed ballots would eliminate the judgment calls often necessary to infer the voter's intent from ballots marked by hand. They would be free of overvotes and disqualifying stray marks. And like all paper ballots, they would remain available for recounting until the losers are finally convinced.

A system like the one I've described has been designed and prototyped by the Open Voting Consortium. You can read all about it at www.openvoting.org.

by Hamilton Richards (0 articles, 0 quicklinks, 0 diaries, 2 comments) on Saturday, August 26, 2006 at 3:30:43 PM

3 comments

24 hrs	48 hrs
72 hrs	1 week
1 month	6 months
1 year	All Time

Articles	Links
Diaries	Members
Products	Events
Polls

Articles Popularity:

GOP whistleblower names Karl Rove in Ohio's 04 election theft
by steveheller

Epilepsy Study Incriminates Aspartame in Medications
by Dr. GLEN MABSON, Phd. Epileptic Foundation of Maui dba Pacific Epilepsy Society

Exxon Valdez Oil Spill Workers vs Exxon
by Merle Savage

Fox-Owned National Geographic Uses Gorillas as Cover for Exploitation of Congo
by Georgianne Nienaber

The "Ownership Society"
by Mike Malloy

The Great Depression of 2008
by Marc McDonald

Dalai Lama: "I Love President Bush... but... Lack(s) Understanding of Reality"
by Rob Kall

Federal Judge Ruling: George W. Bush is a Felon
by Len Hart

Nine Republicans Break Party Ranks: Send Impeachment Article to Judiciary for Hearings
by Ralph Lopez

Australia Only Nation Comprehending Beijing Smog Medical Damage; Skipping Opening Ceremony August 8!
by Stephen Fox

Copyright © OpEdNews, 2002-2008