Trouble with Touch Screens, Indeed
This week we've already talked about when we vote, so let's talk about how we vote.
Remember the moment some years ago when the CEOs of Big Tobacco were called before Congress to be sworn under oath and forced to testify about what they knew concerning the health effects of their product? Today, there is another industry that could meet the same fate: the voting systems industry. This time, the products in question affect the health of our democracy.
The August broadcast of the HDNet program Dan Rather Reports raised serious questions as to whether United States voting systems companies have engaged in commercial fraud by knowingly marketing defective products to jurisdictions throughout the country. The piece was called The Trouble with Touch Screens.
There is a growing body of evidence across the country that electronic voting machines are unreliable for the counting and recording of our votes and constitute a direct threat to the integrity of our elections. California Secretary of State Debra Bowen recently commissioned the most comprehensive and independent review of such voting systems, and it reached the same conclusion.
Based on her review, Secretary Bowen announced in early August that she was withdrawing certification of electronic voting systems in California, except under limited circumstances. At Why Tuesday?, we interviewed Secretary Bowen on our vlog about this landmark decision. There is also strong evidence that these systems don’t meet the federal requirements of accessibility for voters with disabilities, but Secretary Bowen is allowing California counties to use one electronic voting machine per precinct because, she asserts, “we don’t have anything better for disabled voters.”
But the Rather report goes even further. It demonstrates that Election Systems & Software, a voting machine company, may have shipped 15,000 or more potentially defective voting machines from a factory in the Philippines to the United States – and may have knowingly done so. It also demonstrates that the Sequoia voting systems company may have knowingly marketed defective paper for the printing of ballots in the 2000 election in Florida, despite warnings from its own employees that the defective paper could lead to an election disaster. Think hanging chads.
These are shocking revelations. They have led to a public call on Congress “to launch a full investigation into the increasing influence and control that private companies wage in the way we conduct our elections and to determine whether certain US voting systems companies have committed crimes under federal and state anti-fraud statutes which should be referred to the appropriate authorities for prosecution.”
The Rather report serves as a wake-up call to the nation about the dangers associated with the outsourcing of key election functions to private vendors. Whether it is the recording and counting of our votes, the maintenance of voter registration databases, or the process by which we audit and recount our elections when proprietary software is involved, we are increasingly losing public control of our public elections.
Tomorrow, we’ll take a look at the way we pay for our elections, and what that means to the voters of America.
John Bonifaz is a member of the Why Tuesday? advisory board. Jacob Soboroff is the Executive Director of Why Tuesday? and the host of their weekly vlog.
The next step is to say, just use optical scanners on the paper X ballots - but optical scanners can be hacked just as touchscreens can.
sPh
October 17, 2007 6:32 AM | Reply | Permalink
Except that, from what I have read, a recount using optical scan sheets involves feeding them back through the scanners, and only if the recount is still within a small enough percentage are hand recounts done.
So the recount can be hacked as easily as the count.
October 17, 2007 7:27 AM | Reply | Permalink
I have designed a system, using modified existing electronic touch screen machines. It gives instant vote totals, but is completely secure, and provides a paper trail for manual recounts. Parts of it can be outsourced to private companies, thus satisfying the profiteers and privatizers, while the counting machinery remains in the hands of the election commission, property of the government, open source, open to inspection, and virtually unhackable. And it's so simple to operate, a monkey could do it.
It's so simple, a monkey could design it. I did.
I have only one explanation for why a system like the one I designed hasn't already been created and put into practice, and that's that the people in control of the election process don't want a tamperproof election system.
October 17, 2007 7:37 AM | Reply | Permalink
Much of the problem here arises from an elections "industry" and elections "professionals". They are exclusively responsible to the bi-partisan party of perpetual incumbents. That party is mostly interested in stopping "recounts" and "contests".
These lay bare little fraud but a lot of shabbiness that connotes a real contempt for political participation as distinct from political patronage.
::JRBehrman
October 17, 2007 11:30 AM | Reply | Permalink
Can someone please explain a couple of things to me?
First, why do we have to have machines at all? What is the obsession with mechanizing the counting of votes? I see no reason not to have paper ballots that can be clearly and obviously marked by anyone who can see. Some form of accommodation could be made for those with vision problems.
Second, what is the obsession with having election results instantly or close to it? What the hell difference does it make as long as the vote is accurate and occurs within the legal time frames set out in state statutes? I don't give a damn whether the media likes it or not or even if the public "wants to know", if it takes longer to get a result you can trust who cares?
Seems to me that paper ballots can be administered and marked by anyone, are easily monitored and can be counted accurately and reliably with proper supervision and repeatedly if need be in the case of recounts.
I am not that old but my first vote was cast absentee from college. The absentee ballot that was sent to me was a single, huge piece of paper that I had to mark by hand and I had to open and mark my ballot in the presence of a notary (the notary didn't have to see how I was voting--only that I opened the sealed envelope in front of them and then marked the ballot privately though still in their presence). It was easy, fast and accurate once I found the notary.
For regular voting at a polling place as opposed to absentee voting it would be very simple as well. Why can't we go back to paper ballots and strong supervision to prevent cheating? Seems to me we would save money and restore the integrity of our electoral system.
October 17, 2007 11:46 AM | Reply | Permalink
It isn't a "bipartisan" problem here in DuPage County Illinois where Republicans control everything including the election commission. We have Diebold TSX's and OptiScan tabulators. In response to a FOIA the exec director claimed he couldn't turn over election materials because they'd been destroyed within about 6 weeks of the 2004 election even though he was served with the FOIA immediately after the election. When informed that he'd broken both Illinois and US law he said a different Illinois law supersedes those laws. He then changed his story and said the materials still exist but remained sealed and can only be examined in a very expensive recount.
There's so much hinky going on out here, if anybody wanted a perfect test case to investigate (God knows the local media won't do it) DuPage would be a great place to start. Proving vote fraud will be hard to impossible anywhere because that's the real reason behind electronic voting: making stolen elections impossible to detect. But in DuPage they're so arrogant they've outright lied about the wonders of these machines and those lies can be easily refuted.
October 17, 2007 12:12 PM | Reply | Permalink
This is why I so strongly support Oregon's Vote-By-Mail process. It's the only process I've been involved with that's convenient to the voter, easy to do, provides a paper trail, and has very good security.
~~~~~~~~~~~
Quidquid latine dictum sit, altum videtur.
Come visit PROJECT: Lucidity
Where everybody knows your name...
unless you use a pseudonym
October 17, 2007 12:53 PM | Reply | Permalink
"To err is human, but it takes a computer to really foul things up...." A cute joke from the 1970's, but it's funny because it's allegorically true.
1) (durable) Paper ballots and unaided-human counting are subject to public review, audit and recounting. As with checks, paper ballots can be subjected to audit procedures to catch and rectify counting errors.
2) To steal an entire election recorded on paper ballots requires the "assistance" of a much larger number of election-thieves who must be genuine insiders, and every additional involved person is another chance to discover dastardly deeds. A well-placed voting-machine easter egg (sold to the highest bidder by a dishonest developer) could be used in multiple precincts by late-afternoon "voters" who need only the right information from the developer, and these "voters" need not be insiders.
3) All but the most fundamentalist hand-counted-paper-ballot people believe that optical scanning is an acceptable way to produce the equivalent of "immediate returns" as an unofficial count. By and large, it is even possible to use optical scan systems for official vote counting, subject to verification using well-designed statistical audit methods.
4) Unmentioned in most of the debates about the value, security, reliability of electronic election systems is the infrequency of their use: Usually twice per year, rarely more often. This is a recipe for experiencing reliability problems due both to operator unfamiliarity and startup problems.
5) Unmentioned in most of the debates about electronic election systems is the phenomenon of "strategic allocation", wherein some precincts receive plenty of machines while other precincts do not. This technique was used to some effect in Ohio in 2004, where the turnout was large and the ballot complicated. Waiting times in certain precincts rarely exceeded 20 minutes, while waiting times in other precincts rarely fell below 2 hours. (I watched this occur by direct observation, being in a precinct that had received inadequate equipment.)
6) Cost: Storage, maintenance, software updates and similar costs turn out to be much higher than original estimates provided by the vendors.
To sum up:
Paper ballots and hand counting impose far greater risk and cost upon those who would attempt election-manipulation than is possible with electronic systems, particularly touchscreen systems, where the risks of detection are far lower.
Paper ballots marked with pencils are countable in public, and subject to public audit without use of specialized equipment.
Paper ballots are not subject to reliability issues with power, batteries, or screens.
Paper ballots can be printed and managed under reasonable security precautions only after printing, while electronic election systems require essentially continuous security, and require much more environmental control in storage.
Paper ballots, marked with pencils, are intrinsically parallelizable, and therefore are much more scalable for high turnout, high-complexity elections.
I support the use of touchscreen ballot-printers as an assistive technology to help those who would benefit from the accessibility that touchscreen systems can provide.
Simply put, the durable paper ballot is the most easily secured, scalable and auditable technology presently available.
October 17, 2007 1:03 PM | Reply | Permalink
No, I don't assume an error free process. But there are only so many errors possible in a paper ballot system. Once you put machines in the mix everything gets more complicated, more vulnerable to tampering, etc...
But what I know is that paper ballots work, that even if you have a small error rate that the ballots can be recounted accurately. In most elections the vote isn't close enough for the error rate that you cite to tip the balance and/or cause a recount. But what is for sure is that if you have reliable security combined with a transparent process and you know no one is stuffing the ballot box then you have a credible result. The moment any mechanical device or other type of machine is introduced you have the potential for fraud. Why go through all that when a little patience will yield a result everyone can trust and believe in?
October 17, 2007 1:57 PM | Reply | Permalink
We use optical scanners at my polling place. It creates a paper record. Even if the system is hacked, you could still re-count the paper ballots by hand count.
October 17, 2007 1:58 PM | Reply | Permalink
Free people, remember this maxim: "We may acquire liberty, but it is never recovered if it is once lost": Jean Jacques Rousseau
=========
Let's face it. If the goal is transparency, then we must not automate elections, because the use of machines always makes it impossible to see what they are doing.
The moment we accept electronic machines for any part of the voting process, we must also accept Federal control of those very machines for the purpose of certification. Federal control is antithetical to the original thinking of the founding fathers, who wisely wanted the voting process in the control of the citizenry only, lest the powers that be end up controlling elections to keep themselves in power. The easiest in the long run, and safest for democracy is hand counted paper ballots.
October 17, 2007 3:34 PM | Reply | Permalink
This would be a problem for incompetently designed statistical audit procedures. Anyone with a basic grounding in modern audit methodology can design and implement competent statistical auditing procedures.
Electronic recorded voting systems present a set of technical challenges that would either render them *impossible* to secure, or so expensive as to be infeasible.
(For a wonderful talk by a credible developer, see Reflections on Trusting Trust by Ken Thompson. Also see nearly anything written by Bruce Schneier with Counterpane Systems, about the subtlety of computer system security.)
October 17, 2007 8:12 PM | Reply | Permalink
"We may acquire liberty, but it is never recovered if it is once lost": Jean Jacques Rousseau. If this were true, then everyone everywhere would be enslaved. It is an obvious overstatement.
October 18, 2007 12:52 AM | Reply | Permalink
To quote a response to a criticism of a technical note on high-availability in Communications of the ACM: "Your alternate solution assumes that the channel that signals errors is itself error-free. If this is the case, there is no need for error correction and detection: simply use the signaling channel for all your communication. Unfortunately in practice it cannot be assumed that the signaling channel is error free".
There is no assurance that a recount is error free either.
I would trust a voting system designed by a team headed by Peter Neumann, Bruce Schneier, and Linus Torvalds. I would be OK with a voting system designed by less devious-but-trustworthy minds if it were Open Source hardware and software and included paper-backed audit facilities. But we ain't gonna get either: too much money and political power is at stake for the big guys (Radical Right, Republican, and Democratic; federal, state, and local alike) to allow that.
sPh
October 18, 2007 6:46 AM | Reply | Permalink
I assume you have read Mike Royko's _Boss_?
sPh
October 18, 2007 6:52 AM | Reply | Permalink
Sorry, the *reprint* was in 1988... So no, I didn't read it. Though no American can fail to be aware of the depth of corruption in midcentury Chicago. Given the depth and breadth of corruption then, the presence of easily corrupted hardware/software systems would only have been worse. So I don't consider that an argument in favor of electronic voting systems. (It's a *very* good argument for transparency, though!!)
I should not comment on the unread book, but I'll respond generally by noting that Chicago in that period was characterized by deeply corrupt machine politics, which corruption was supported by multiple governments at multiple levels, every one of them so corrupt that they stand as the prime example of corruption in recent history. Lots of heavy duty organized crime, too...
My claim, among many others, is only that electronic voting systems provide evil-doers with easier, less expensive ways for their misdeeds than are required with paper ballots. My basic thesis is only that short of spending waay too much money to secure them, electronic voting systems make election fraud easier than paper ballots.
Do you think it makes any sense to consider "better vs worse"? I tried not to say "paper ballots are secure, while machines are not". I apologize for not being more clear. It's all relative, and in my opinion, paper comes out ahead because it's more transparent to review and audit than electronic systems.
October 18, 2007 7:23 AM | Reply | Permalink
Mail-in voting is by no means safe. If your vote happens to get "lost in the mail", what's your avenue of redress? None, you're screwed.
October 18, 2007 7:49 AM | Reply | Permalink
Sorry about the link-closing error in my previous post.
sPh
October 18, 2007 10:15 AM | Reply | Permalink
I have not, ever, claimed that an election using paper ballots is, in any absolute sense, correct. Nobody who has a clue about security or statistics would say such a thing.
What we advocate is a process that is known to provide a more transparent asymptotic approach toward correctness. Being an asymptotic process, when the source information is durable, repeated counting will tend to converge toward the original contents of that data. Stop iterating when the confidence interval is where you want it to be.
I am in basic agreement with your last paragraph. I allow my wife to use a Windows system only because she depends on an application that is strictly Windows-based. Every other system in my possession or control is Linux. (OpenBSD is also an excellent choice for secure computing.)
Continuing the exchange of interesting links, here's an interesting one describing a nice hack of gaming systems using a diagnostic computer: I have lost the better links to the story, but here's a quick one:
Hacking slot machines
The lesson I take away from that story is that not only must the hardware, firmware, OS, application, compilers, loaders, etc. be provably secure, but it's also the case that every single system that could change the state of the system be provably secure. Maintaining a properly secured web of trust is nontrivial.
October 18, 2007 2:50 PM | Reply | Permalink
I've discussed ballot processes with Canadian and British friends, who are mystified why the US has such a compulsion to use technology. One suggestion is that it is due to media pressure to get reportable results.
When I asked one Canadian friend if paper ballots would work only in smaller electoral districts (e.g., Parliamentary ridings), she observed that if the districts are too large, either it's time to split them, or to get more volunteer counters and judges. Either way, she saw that as a way to get more people involved in the mechanics of voting, which she saw as a very good thing.
--
Howard
*equal opportunity offense to both extremes*
"Those who cannot remember the past are condemned to repeat it" [George Santayana]
October 18, 2007 10:35 PM | Reply | Permalink
I'm guessing you are not familiar with Oregon's system.
You do not have to mail it in. In Oregon, there are drop off locations at every public building.
Plus, there is a toll-free number to call to determine if your ballot was received by the election commission.
In addition, if you do not receive your ballot in a specified time (3 days after the official mailing date), then you can go to your local library, courthouse, and a few other public buildings to pick up ballots.
~~~~~~~~~~~
Quidquid latine dictum sit, altum videtur.
Come visit PROJECT: Lucidity
Where everybody knows your name...
unless you use a pseudonym
October 19, 2007 1:34 PM | Reply | Permalink
The reader that gave you a one was unduly harsh. What you suggest is not the best system, but it is good, and way ahead of all the proprietary OS voting systems out there.
Kevin Russell Cook
October 19, 2007 5:34 PM | Reply | Permalink
No reason why we can't have it all. Paper ballots that are both easy to read and to scan can easily be designed. Along with this we need laws that mandate audits, recounts, and the primacy of paper ballot hand counts.
The impatient could be provided with a prompt "unverified" result. Again, the certified result would only come by passing a hand count audit and, failing that, from a full hand count. Such a system would be about as reliable as any that could be devised.
There are but two reasons for not insisting on something like this, ignorance or a wish to allow for dishonest and/or incompetent systems.
Kevin Russell Cook
October 19, 2007 5:40 PM | Reply | Permalink